Unified Security Governance

Date post: 22-Jan-2018
Can Demirel Public Version V1.0.0 Unified Security Governance
Page 2

Agenda

• Unified Security Governance

• Setting up a Cross Functional Team

• Scope & Milestones

• Analysis

• Process Design & Implementation

• Unified Vulnerability Management

• Security Operation Center

Page 3

• Governance: Doing the right job

• Management: Doing the job right

Page 4

• What is your job? (Not your LinkedIn title)

– Reports, presentations, budget planning, tracking unsolved vulnerabilities

or

– Security operations, finding vulnerabilities, process design and managing processes

Page 5

• Complexity has a cost.

– Infrastructure

– Technology

– Design

– Process

– Analysis tools

– Supplier

Page 6

Role: Project Sponsor
Tasks: Solve project conflicts; leadership; top management commitment; ensure the project plan is still applicable
Personal characteristics[1]: Enterprising, Social

Role: Project Lead
Tasks: Coordinate the whole team; organize periodic meetings; update the project plan; escalate problems when necessary
Personal characteristics[1]: Conventional, Social

Role: Technical Lead
Tasks: Plan technical needs and assure them; assign tasks to the technical team; review technical team results
Personal characteristics[1]: Realistic, Creative

Role: Technical Team
Tasks: Accomplish given tasks
Personal characteristics[1]: Realistic

[1] http://sourcesofinsight.com/6-personality-and-work-environment-types/

Page 7

• Scope matters.

– Cost

– Time

– KPI

Photo credit: Bernhard Schambeck, Feature China/Barcroft Media, http://www.dailymail.co.uk/news/article-2170881/Chinese-tightrope-walker-plummets-ground-trying-high-wire-stunt-backwards-AND-blindfolded.html

Page 8

• If you are new in town.

– Computer Based

• Review all external/internal DNS host records

• Review all firewall rules

• Review all router/switch configuration

• Review suppliers/hosting records

Page 9

• Human Based

– Face to face interviews with all possible business partners, including:

• Company departments

• Top management

• Suppliers

• Paper Based

– Review all written rules/policies/procedures about this domain

• Probably nothing is written

Page 10

• Your scope is shining. Need milestones?

• Yet another project going to the graveyard?

Page by Tom Parker http://tevp.net

Page 11

• Analysis

– Penetration Tests

– Security Review

• Process Design & Implementation

• Unified Vulnerability Management

• Security Operation Center

Page 12

• External pentest

• Local area network pentest

• Web Application pentest

• Web Services pentest

• Mobile Application pentest

• Wireless pentest

• VOIP pentest

• ERP/SAP pentest

• SCADA Pentest

• Code Review

• Social Engineering

• Load, performance and denial-of-service tests

Page 13

• Local area network review

• WAN/MPLS Review

• OS Security Review

• Database Security Review

• Active Directory and Services Review

• IPS Review

• Firewall Review

• WLC Review

• Virtualization Security Review

• Any other security platform review

– Proxy, DDoS protection…

Page 14

• We need to talk and write some papers!

http://theberry.com/2013/09/06/run-forrest-run-24-photos/

Page 15

• Risk Management

• Asset Management

• Incident Management

• Access Management

• Password Management

• Project Management

• Secure-SDLC

• HR Security

• Physical Security

• Change & Configuration Management

• Capacity Management

• Supplier Management

• And many more…

Page 16

• Handling

– Users

– Assets

– Scans

– Vulnerability Database & Correlation

– Task Management

– Cyber Intelligence

– Alarms

– Logging and Log Management

– Reports

Photo credit: Bernhard Schambeck Photography, www.bernhardschambeck.de

Page 17

• Your platform should allow you to:

– Create different types of users & roles

– Create different groups

Page 18

• Your platform should allow you to:

– Define assets in any type

– Define asset groups by asset attribute

– Define ownership

– Auto discover

Page 19

• Your platform should allow you to:

– Define asset/asset group scans

– Manage scans & scan results in one platform

– Integrate historical scans

– Define compliance based scans

– Define and handle passive vulnerability scan

Page 20

• Your platform should allow you to:

– Define your vulnerabilities in any language

– Group your vulnerabilities

– Define manual vulnerabilities and so on

Page 21

• Your platform should allow you to:

– Integrate with GRC

– Integrate with the ticketing mechanism

– Assign vulnerabilities manually or automatically

– Assign vulnerabilities based on assets

Page 22

• Your platform should allow you to:

– Track domain records

– Track SSL information

– Track information disclosure over internet

– Track social media

Page 23

• Your platform should allow you to:

– Define asset based alarms

– Define vulnerability based alarms

– Define scan based alarms

– Define SLA based alarms

– Define cyber intelligence based alarms
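Pages 18, 21 and 23 describe the core data model of a unified vulnerability management platform: assets with attributes and owners, asset groups defined by attribute, automatic assignment of findings to asset owners, and SLA-based alarms. The following Python is an added example written for this edited page, not code from the deck or from any product it references; the asset inventory, findings, SLA day counts and evaluation time are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Remediation SLA in days per severity. Assumed policy values for this
# example only; the deck does not specify SLA numbers.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Asset:
    """An asset of any type, with an owner and a free-form attribute bag."""
    name: str
    owner: str
    attributes: Dict[str, str]


@dataclass
class Vulnerability:
    """One finding on one asset, with optional assignee and resolution time."""
    vuln_id: str
    asset: str
    severity: str
    found_at: datetime
    assignee: Optional[str] = None
    resolved_at: Optional[datetime] = None


def asset_group(assets: List[Asset], **match: str) -> List[Asset]:
    """Asset group defined by attribute match, e.g. asset_group(assets, zone="dmz")."""
    return [a for a in assets
            if all(a.attributes.get(k) == v for k, v in match.items())]


def assign_by_asset(vulns: List[Vulnerability], assets: List[Asset]) -> List[Vulnerability]:
    """Auto-assign every unassigned finding to the owner of the asset it was found on.

    Findings on hosts missing from the inventory stay unassigned, so they surface
    as an inventory gap instead of being routed to nobody silently.
    """
    owners = {a.name: a.owner for a in assets}
    for v in vulns:
        if v.assignee is None and v.asset in owners:
            v.assignee = owners[v.asset]
    return vulns


def sla_alarms(vulns: List[Vulnerability], now: datetime) -> List[Tuple[str, Optional[str], int]]:
    """Return (vuln_id, assignee, days_overdue) for open findings past their SLA deadline."""
    alarms = []
    for v in vulns:
        if v.resolved_at is not None:
            continue  # closed findings never alarm
        deadline = v.found_at + timedelta(days=SLA_DAYS[v.severity])
        if now > deadline:
            alarms.append((v.vuln_id, v.assignee, (now - deadline).days))
    return alarms


def build_sample() -> Tuple[List[Asset], List[Vulnerability]]:
    """Constructed sample inventory and findings (not real data)."""
    assets = [
        Asset("web-01", "web-team", {"zone": "dmz", "type": "web"}),
        Asset("web-02", "web-team", {"zone": "dmz", "type": "web"}),
        Asset("db-01", "dba-team", {"zone": "internal", "type": "database"}),
        Asset("mail-01", "msg-team", {"zone": "dmz", "type": "mail"}),
    ]
    utc = timezone.utc
    vulns = [
        Vulnerability("V-1", "web-01", "critical", datetime(2018, 1, 1, tzinfo=utc)),
        Vulnerability("V-2", "db-01", "high", datetime(2018, 1, 10, tzinfo=utc)),
        Vulnerability("V-3", "web-02", "medium", datetime(2017, 9, 1, tzinfo=utc),
                      resolved_at=datetime(2017, 10, 1, tzinfo=utc)),
        Vulnerability("V-4", "mail-01", "low", datetime(2017, 6, 1, tzinfo=utc)),
        # Finding on a host that is not in the inventory: stays unassigned.
        Vulnerability("V-5", "unknown-host", "high", datetime(2017, 12, 1, tzinfo=utc)),
    ]
    return assets, vulns


NOW = datetime(2018, 1, 22, tzinfo=timezone.utc)  # constructed evaluation time


def demo() -> dict:
    """Run grouping, assignment and SLA evaluation over the constructed sample."""
    assets, vulns = build_sample()
    assign_by_asset(vulns, assets)
    return {
        "dmz": [a.name for a in asset_group(assets, zone="dmz")],
        "assignees": [v.assignee for v in vulns],
        "alarms": sla_alarms(vulns, NOW),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The alarm list deliberately carries the assignee, so an SLA alarm with no assignee points at an asset inventory gap rather than at a slow remediation team, which is the distinction an operations team needs when the alarm turns into a ticket.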

Page 24

• Your platform should allow you to:

– Collect logs on your platform

– Integrate with Central Log Management

Page 25

• Give me some nice reports!

• Make it simple!

Photo credit: https://jaxenter.com/deploying-microservice-how-to-handle-complexity-122336.html

Page 26

• Your platform should allow you to:

– Create reports in the desired language

– Create report templates

– Filter your report based on asset, vulnerability or any other parameter

– Compare your reports by given parameter

Page 27

Photo credit: forums.archeagegame.com, ArcheAge NA Server Connectivity Issues

• Everybody talks about it!

• Too much information will kill you in the end!

Page 28

• Centralized log management

• Scenario!!!

• Incident management

• Big data analysis!

• Forensics

Page 29

Page 30

• http://sourcesofinsight.com/6-personality-and-work-environment-types/

• IT Governance Institute, CobIT 5.0

• ISO 27001:2013 Information technology. Security techniques. Information security management systems. Requirements

• Bedirhan Urgun, IstSec 2015 Bilgi Güvenliği Konferansı, Etkin Zafiyet Yönetimi

• http://www.slideshare.net/bgasecurity/stsec-2015-norm-shield-why

• Çağatay IŞIKCI, Zafiyet Yönetim Sistemi, Bilgi Güvenliği Notları

• https://www.bilgiguvenligi.gov.tr/is-surekliligi/zaafiyet-yonetimi-sistemi-zys.html
