
Key Success Factors of InfoSec

Date post: 17-Feb-2017
Upload: tanvir-hashmi
Transcript
Page 1: Key Success Factors of InfoSec

Key Success Factors of InfoSec:

o Architecture – in 3 slides

o SOC – 2 slides

o Defense in Depth – 1 slide

o Data Centric Security – 2 slides

[Diagram: the CIA triad (Confidentiality, Integrity, Availability) surrounded by the governance layers Architecture, Law, Regulation, Standard and Policy, and the Management / Operations / Technology domains.]

Page 2: Key Success Factors of InfoSec

Basic Security Architecture

[Diagram: zoned network, from the outside in]

Public / External / Internet firewalls (inbound + outbound)

o Zone 1 (Public servers): DNS, NTP, Proxy, HTTP, HTTPS

o Zone 2 (Online banking)

o SMTP in, SMTP out, MIME Sweeper

o Zone 3 (SOC): IDS admin, SIEM admin, firewall admin, terminal concentrators of the other DMZs

o Zone 4 (Staff facilitation): SSL VPN, BYOD, extranet, etc.

Internal / Intranet firewall

o Zone 4: Core switch

o Zone 5: Channels

o Zone 6: Mainframe

o Zone 7: HRMS

o Zone 8: Enterprise backup

Key Success Factors

• At minimum, the DMZ must sit between at least two stages of firewalls.

• NIDS and NIPS sensor placement must cover the constituency, including serial terminals.

• Legacy network topologies shall also be under the constituency.

• The SOC must be strategic and separate from the enterprise domain controller.

Page 3: Key Success Factors of InfoSec

Architecture – Firewalls Deployment

Key Success Factors

• If the organization offers access to sensitive data to external parties such as the general public or another institution, the data is probably being provided through an interactive Web portal and/or machine-to-machine Web services. In either case, there are common elements to the monitoring architecture, so we must address both at the same time.

I worked on Riyad Bank and Emirates–KSA firewall deployments.

Page 4: Key Success Factors of InfoSec

Architecture – Sensor Deployment

KSF

• Many SOCs tend to focus their monitoring resources on the “front door” to their network, such as their Internet gateways. While this is usually the top priority, it is really just the beginning.

• Further, we leverage email and Web content detonation to detect zero-day attacks from Web pages and email attachments.

• Each zone must have a dedicated NIDS, and each server within that zone must have a HIDS.

I worked on Riyad Bank sensors and SIEM deployments.

Page 5: Key Success Factors of InfoSec

SOC - Basic

[Diagram: SOC organization chart – the SOC Head over Tier-1, Tier-2, Intel and Trending, SOC Admin and Engineer; overlaid with the OODA loop: Observe, Orient, Decide, (re)Act.]

KSF

• Do not break apart the five ‘atomic SOC functions’ into disparate organizations; this will almost always work to the detriment of the CND mission.

KSF

• An analyst is required to maintain context and a sense of ‘what is normal’ and ‘abnormal behaviour’ on the hosts and networks, and to be able to respond in a relevant and timely manner.

KSF

• An effective SOC should have a charter and a set of authorities signed by constituency executive(s) in order to press for the resources and cooperation needed to execute its mission.

I worked on HSBC, Riyad Bank SOC deployments.

Page 6: Key Success Factors of InfoSec

SOC - SIEM

[Diagram: SIEM functional boxes – E-Boxes (event generators / sensors / pollers) feed C-Boxes (collection), which feed the D-Box (database and formatted messages); the A-Box (incident analysis) and K-Box (knowledge base) work on top of the D-Box, and the R-Box handles (re)action and reporting.]

Validation

o Collect and process raw events

o Determine base events of interest

o Tune sensors and filter as needed

o Additional analysis, as needed

Disposition

o Add contextual data and remove false positives

o Determine if elevation is needed

o Provide feedback for additional tuning

o Additional analysis, as needed

Response

o Add the incident to the final report

o Alert appropriately

o Feedback to lower tiers

KSF

• In order for the SOC’s SIEM installation to succeed, the SOC must make a sustained staffing investment to leverage it effectively.

• Perimeter network monitoring.

• Insider threat and audit.

• APT detection.

• Configuration monitoring.

• Workflow and escalation.

• Incident analysis and network forensics.

• Cyber intel fusion.

• Trending.

• Cyber SA.

• Policy compliance.

I worked on RB, NCB SIEM deployments.
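The three tiers on this slide (Validation, Disposition, Response) are easier to see as code than as box labels. The following is an added example, not code from the slides or from any of the SIEM products mentioned: it walks a handful of constructed sensor lines through the three tiers, using a constructed asset inventory as the contextual data and a constructed scanner allow-list as the false-positive filter. All hostnames, addresses, users, zone names in the inventory and the elevation threshold are assumptions made for the example.

```python
"""Added example, not from the slides: a minimal SIEM-style pipeline that
walks constructed raw events through the three tiers named on the slide:
Validation (collect raw events, pick base events of interest), Disposition
(add contextual data, remove false positives, decide on elevation) and
Response (alert, report, feed back to the lower tier). Every hostname,
address, user and inventory entry below is constructed sample data."""
import re
from collections import defaultdict

# E-Box output: constructed sensor lines, "<timestamp> <sensor> <type> k=v ...".
RAW_EVENTS = [
    "2017-02-17T09:00:01 fw01 DENY src=203.0.113.5 dst=10.1.1.10 dport=22",
    "2017-02-17T09:00:02 fw01 ALLOW src=10.2.0.7 dst=10.1.1.10 dport=443",
    "2017-02-17T09:00:05 fw01 DENY src=203.0.113.5 dst=10.1.1.10 dport=22",
    "2017-02-17T09:00:07 fw01 DENY src=203.0.113.5 dst=10.1.1.11 dport=22",
    "2017-02-17T09:00:09 hids-db01 AUTH_FAIL user=dbadmin src=10.2.0.9 dst=10.6.0.5",
    "2017-02-17T09:00:10 hids-db01 AUTH_FAIL user=dbadmin src=10.2.0.9 dst=10.6.0.5",
    "2017-02-17T09:00:11 hids-db01 AUTH_FAIL user=dbadmin src=10.2.0.9 dst=10.6.0.5",
    "2017-02-17T09:00:14 hids-web03 AUTH_FAIL user=svc_scan src=10.9.9.9 dst=10.1.1.10",
    "2017-02-17T09:00:14 hids-web03 AUTH_FAIL user=svc_scan src=10.9.9.9 dst=10.1.1.10",
    "2017-02-17T09:00:15 hids-web03 AUTH_FAIL user=svc_scan src=10.9.9.9 dst=10.1.1.10",
    "2017-02-17T09:00:16 hids-web03 AUTH_FAIL user=svc_scan src=10.9.9.9 dst=10.1.1.10",
    "2017-02-17T09:00:20 fw01 ALLOW src=10.2.0.7 dst=10.1.1.10 dport=443",
]

# K-Box context (constructed): asset inventory keyed by address, and the
# authorised vulnerability scanner whose failed logins are expected noise.
ASSETS = {
    "10.1.1.10": {"zone": "Zone 1 (Public Srv)", "critical": False},
    "10.1.1.11": {"zone": "Zone 1 (Public Srv)", "critical": False},
    "10.6.0.5": {"zone": "Zone 6 (Mainframe)", "critical": True},
}
KNOWN_SCANNERS = {"10.9.9.9"}
ELEVATION_THRESHOLD = 3  # assumed: repeats from one source before Tier-2 looks

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


# --- Validation tier (Tier-1) ------------------------------------------------
def normalise(line):
    """Parse one raw sensor line into a dict; returns None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sensor, etype, rest = m.groups()
    event = {"ts": ts, "sensor": sensor, "type": etype}
    event.update(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return event


def base_events_of_interest(lines):
    """Collect raw events and keep only the event types the SOC cares about."""
    events = [e for e in map(normalise, lines) if e is not None]
    return [e for e in events if e["type"] in {"DENY", "AUTH_FAIL"}]


# --- Disposition tier (Tier-2) -----------------------------------------------
def disposition(events):
    """Group by (type, source), add context, drop false positives, decide elevation.
    Returns (cases, feedback); the feedback goes back to Tier-1 for sensor tuning."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["type"], e["src"])].append(e)
    cases, feedback = [], []
    for (etype, src), evs in groups.items():
        if src in KNOWN_SCANNERS:
            # false positive: expected noise from the authorised scanner
            feedback.append(f"filter {etype} from authorised scanner {src} at the sensor")
            continue
        targets = {ASSETS.get(e["dst"], {}).get("zone", "unknown") for e in evs}
        critical = any(ASSETS.get(e["dst"], {}).get("critical") for e in evs)
        elevate = critical or len(evs) >= ELEVATION_THRESHOLD
        cases.append({"type": etype, "src": src, "count": len(evs),
                      "zones": sorted(targets), "critical_target": critical,
                      "elevate": elevate})
    return cases, feedback


# --- Response tier ------------------------------------------------------------
def response(cases):
    """Turn elevated cases into alert lines for the incident report."""
    alerts = []
    for c in cases:
        if c["elevate"]:
            sev = "HIGH" if c["critical_target"] else "MEDIUM"
            alerts.append(f"[{sev}] {c['count']}x {c['type']} from {c['src']} "
                          f"against {', '.join(c['zones'])}")
    return alerts


def run_pipeline(lines=RAW_EVENTS):
    """End-to-end: Validation -> Disposition -> Response."""
    cases, feedback = disposition(base_events_of_interest(lines))
    return {"cases": cases, "alerts": response(cases), "feedback": feedback}


if __name__ == "__main__":
    result = run_pipeline()
    for line in result["alerts"] + result["feedback"]:
        print(line)
```

The point the slide makes about staffing shows up in the Disposition tier: the inventory, the scanner allow-list and the threshold are all things an analyst has to keep current, and the feedback list is what Tier-2 hands back to Tier-1 so the same noise is filtered earlier next time.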

Page 7: Key Success Factors of InfoSec

Defense in Depth Concept

[Diagram: layered steps – Deploy Baseline → Deploy Integrity Tech → Deploy HIDS → Perform EPT → Group in NIDS; surrounding rings labelled Prevention (baseline, FW), Detection (VA, PT, SIEM) and Correction.]

Anatomy of an IT system:

o Binary files

o Configuration files

o Registry files

o Services

o Data

KSF

• In layered security, the baseline (system hardening) is the ‘last man standing’.

• The Registry Run key is of special interest to malware.

• Services that are not needed must be disabled at kernel level to reduce the attack vector.

I worked on baselining all IT assets of NCB.
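"Deploy Baseline" and "Deploy Integrity Tech" are the first two steps on this slide, and the five-part anatomy of an IT system is exactly what an integrity check has to cover. The following is an added example, not code from the slides or from any product: it snapshots a constructed sample server (file hashes, registry values, service start modes) and reports every deviation from a hardened baseline, rating Run-key additions and re-enabled services as high severity because the slide singles out those two. Every path, file content, registry value and service name is a constructed assumption; on a real host the snapshot function would read the disk, registry and service control manager instead of in-memory data.

```python
"""Added example, not from the slides: an integrity check over the five parts
of the 'anatomy of an IT system' named on the slide (binaries, configuration
files, registry, services, data). A baseline snapshot is compared against a
current snapshot and every drift is reported, with Registry Run key entries
and re-enabled services rated HIGH because the slide singles them out.
All paths, contents, registry entries and service names are constructed."""
import hashlib

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files, registry, services):
    """Build a snapshot: file hashes, registry values, service start modes.
    In production the inputs come from the host; here they are in-memory."""
    return {
        "files": {path: sha256(content) for path, content in files.items()},
        "registry": {key: dict(values) for key, values in registry.items()},
        "services": dict(services),
    }


def diff_snapshots(baseline, current):
    """Return a list of (severity, finding) for every deviation from baseline."""
    findings = []
    # Binaries, configuration files and data: any hash change, new or missing file.
    for path in sorted(set(baseline["files"]) | set(current["files"])):
        b, c = baseline["files"].get(path), current["files"].get(path)
        if b is None:
            findings.append(("MEDIUM", f"new file not in baseline: {path}"))
        elif c is None:
            findings.append(("MEDIUM", f"baseline file missing: {path}"))
        elif b != c:
            findings.append(("HIGH", f"content changed: {path}"))
    # Registry: additions under the Run key are persistence, so they rate HIGH.
    for key in sorted(set(baseline["registry"]) | set(current["registry"])):
        bvals = baseline["registry"].get(key, {})
        cvals = current["registry"].get(key, {})
        sev = "HIGH" if key == RUN_KEY else "LOW"
        for name in sorted(set(bvals) | set(cvals)):
            if name not in bvals:
                findings.append((sev, f"registry value added: {key}\\{name} = {cvals[name]}"))
            elif name not in cvals:
                findings.append((sev, f"registry value removed: {key}\\{name}"))
            elif bvals[name] != cvals[name]:
                findings.append((sev, f"registry value changed: {key}\\{name}"))
    # Services: anything the baseline disabled that is now enabled again.
    for svc, mode in sorted(current["services"].items()):
        bmode = baseline["services"].get(svc)
        if bmode is None:
            findings.append(("MEDIUM", f"service not in baseline: {svc} ({mode})"))
        elif bmode == "disabled" and mode != "disabled":
            findings.append(("HIGH", f"disabled service re-enabled: {svc} ({mode})"))
    return findings


# Constructed hardened baseline of a sample server.
BASELINE = snapshot(
    files={r"C:\app\svc.exe": b"binary v1",
           r"C:\app\app.conf": b"listen=443\n",
           r"D:\data\ledger.db": b"rows"},
    registry={RUN_KEY: {"SecurityAgent": r"C:\agent\agent.exe"}},
    services={"Spooler": "disabled", "RemoteRegistry": "disabled", "W3SVC": "auto"},
)

# Constructed current state: a changed binary, a new Run entry, a re-enabled service.
CURRENT = snapshot(
    files={r"C:\app\svc.exe": b"binary v2",
           r"C:\app\app.conf": b"listen=443\n",
           r"D:\data\ledger.db": b"rows"},
    registry={RUN_KEY: {"SecurityAgent": r"C:\agent\agent.exe",
                        "Updater": r"C:\Users\Public\upd.exe"}},
    services={"Spooler": "disabled", "RemoteRegistry": "auto", "W3SVC": "auto"},
)


def audit(baseline=BASELINE, current=CURRENT):
    """Compare the two constructed snapshots and return the findings."""
    return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for sev, msg in audit():
        print(f"{sev:6} {msg}")
```

A changed binary is only a finding, not a verdict: the check tells the analyst what moved since the baseline, and the HIDS and SIEM steps further along the slide are where that drift gets correlated with patch records and change tickets.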

Page 8: Key Success Factors of InfoSec

Data Centric Security

[Diagram: Classification policy at the centre, with leak control points at the mail gateway (@xyz.co.kw), at automation (USB, CD, etc.) and at the Internet gateway (Gmail, SkyDrive, etc.).]

KSF

• With the advent of perimeter blurring, focus on securing data rather than end points. In the enterprise network, identify the gateways used for end-user information transfer, and deploy the DLP technologies that best suit the organization’s existing technology investments.

• Web DLP technology should read classification metatags and integrate with SSL offloader technology to process and monitor traffic going to Gmail, SkyDrive, SFTP protocols, etc.

• Mail DLP technology should read information classification metatags and integrate with the mail servers.

• DLP end-user clients are required to be deployed on all PCs; they should read metatags and check information transfer.

• SIEM can be integrated at all gateways to monitor leakage trends.

I worked on leak proofing KFH bank.
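The three DLP bullets above share one decision: read the classification metatag, work out which gateway the transfer is leaving through, and compare the label against what that channel may carry. The following is an added example, not code from the slides or from any DLP product: it implements that decision for the mail gateway, the Internet gateway and removable media over constructed sample transfers, and emits a one-line event per decision that a SIEM could consume for the leakage trending the last bullet describes. The classification scale, the header name `X-Classification`, the policy table, the webmail hosts and the `xyz.co.kw` domain (taken from the diagram) are assumptions made for the example.

```python
"""Added example, not from the slides: a gateway-side DLP decision that reads
an information-classification metatag from an outbound transfer and applies
a leak-control policy at the three control points on the slide (mail gateway,
Internet gateway, removable media). Labels, header name, policy ceilings,
hosts and the sample transfers are all constructed assumptions."""

# Constructed classification scale, least to most sensitive.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]
RANK = {label: i for i, label in enumerate(LEVELS)}

# Constructed policy: the highest classification allowed to leave via each channel.
ORG_DOMAIN = "xyz.co.kw"
POLICY = {
    "mail_internal": "RESTRICTED",   # mail staying inside @xyz.co.kw
    "mail_external": "INTERNAL",
    "web_upload": "PUBLIC",          # personal webmail / cloud storage
    "web_other": "INTERNAL",         # other HTTP(S) destinations
    "removable_media": "INTERNAL",   # USB, CD, etc.
}
# Constructed: personal webmail / cloud storage hosts seen at the Internet gateway.
WEB_UPLOAD_HOSTS = {"mail.google.com", "skydrive.live.com"}
DEFAULT_LABEL = "CONFIDENTIAL"  # untagged data is treated as sensitive, not public


def read_metatag(headers):
    """Return the classification label from document/mail headers. Untagged
    content defaults to CONFIDENTIAL so a missing tag cannot become a bypass."""
    label = (headers.get("X-Classification") or "").strip().upper()
    return label if label in RANK else DEFAULT_LABEL


def channel_for(transfer):
    """Map an outbound transfer to the leak-control point that sees it."""
    kind = transfer["kind"]
    if kind == "mail":
        internal = all(r.lower().endswith("@" + ORG_DOMAIN) for r in transfer["to"])
        return "mail_internal" if internal else "mail_external"
    if kind == "http":
        return "web_upload" if transfer["host"] in WEB_UPLOAD_HOSTS else "web_other"
    if kind == "usb":
        return "removable_media"
    return "unknown"


def decide(transfer):
    """Return allowed?, channel, label and a SIEM-ready event line."""
    label = read_metatag(transfer.get("headers", {}))
    channel = channel_for(transfer)
    ceiling = POLICY.get(channel)
    if ceiling is None:
        allowed = False  # channel without a policy entry: fail closed for analyst review
    else:
        allowed = RANK[label] <= RANK[ceiling]
    event = (f"dlp action={'allow' if allowed else 'block'} channel={channel} "
             f"label={label} user={transfer.get('user', '?')} "
             f"object={transfer.get('name', '?')}")
    return {"allowed": allowed, "channel": channel, "label": label, "event": event}


# Constructed sample transfers.
SAMPLES = [
    {"kind": "mail", "user": "alice", "name": "q4-forecast.xlsx",
     "to": ["bob@xyz.co.kw"], "headers": {"X-Classification": "Restricted"}},
    {"kind": "mail", "user": "alice", "name": "q4-forecast.xlsx",
     "to": ["bob@xyz.co.kw", "x@partner.example"],
     "headers": {"X-Classification": "Restricted"}},
    {"kind": "http", "user": "carol", "name": "brochure.pdf",
     "host": "skydrive.live.com", "headers": {"X-Classification": "Public"}},
    {"kind": "http", "user": "carol", "name": "customers.csv",
     "host": "mail.google.com", "headers": {}},
    {"kind": "usb", "user": "dave", "name": "notes.txt",
     "headers": {"X-Classification": "Internal"}},
]


def run(samples=SAMPLES):
    """Decide every sample transfer and return the decisions in order."""
    return [decide(t) for t in samples]


if __name__ == "__main__":
    for d in run():
        print(d["event"])
```

Two choices matter more than the table itself: an untagged object is treated as CONFIDENTIAL rather than PUBLIC, so the classification policy cannot be bypassed by simply not tagging, and a channel with no policy entry is blocked rather than allowed, so a new transfer path is noticed before it becomes a leak.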

Page 9: Key Success Factors of InfoSec

Data Centric Security – Policy

[Diagram: circles of trust – the organization (xyz Inc., Kuwait) at the centre; a federation circle of trust with partners in KSA, UAE, Qatar, Bahrain and Oman; 3rd parties and an untrusted circle outside. Examples: LinkedIn, Google, FB.]

Data classification per trust range

KSF

• Technology needs to know the data in order to know ‘how’ and ‘where’ to manage and protect it.

• The term ‘leak’ refers to the breach of the boundaries of the respective classification.

• Federation also constitutes the constituency of each classification.

• Develop department-specific special features.

I worked on leak proofing KFH bank.

Page 10: Key Success Factors of InfoSec

Thank you
