Date posted: 22-Jan-2018
Uploaded by: can-demirel
Can Demirel, Public Version V1.0.0
Unified Security Governance
Agenda
• Unified Security Governance
• Setting up a Cross-Functional Team
• Scope & Milestones
• Analysis
• Process Design & Implementation
• Unified Vulnerability Management
• Security Operation Center
• Governance: Doing the right job
• Management: Doing the job right
• What is your job? (Not your LinkedIn title)
– Reports, presentations, budget planning, tracking unsolved vulnerabilities
or
– Security operations, finding vulnerabilities, process design and managing processes
• Complexity has a cost.
– Infrastructure
– Technology
– Design
– Process
– Analysis tools
– Supplier
| Role | Tasks | Personal characteristics [1] |
|---|---|---|
| Project Sponsor | Solve project conflicts; leadership; top management commitment; ensure the project plan is still applicable | Enterprising, Social |
| Project Lead | Coordinate the whole team; organize periodic meetings; update the project plan; escalate problems when necessary | Conventional, Social |
| Technical Lead | Plan technical needs and assure them; assign tasks to the technical team; review technical team results | Realistic, Creative |
| Technical Team | Accomplish given tasks | Realistic |

[1] http://sourcesofinsight.com/6-personality-and-work-environment-types/
• Scope matters.
– Cost
– Time
– KPI
• If you are new in town:
– Computer based
• Review all external/internal DNS host records
• Review all firewall rules
• Review all router/switch configurations
• Review supplier/hosting records
– Human based
• Face-to-face interviews with all possible business partners, including:
• Company departments
• Top management
• Suppliers
– Paper based
• Review all written rules/policies/procedures about this domain
• Probably nothing is written
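The computer-based review above is where the external scope actually comes from: the DNS export tells you what is published, the firewall export tells you what is reachable. The script below is an added example, not part of the original deck; it cross-checks a constructed BIND-style zone export against a constructed, simplified firewall rule export (both invented for this illustration) and reports, per published name, the address, whether it is public, which Internet-sourced permit rules open services to it, and which of those rules open every port. Names such as `exposure` and the rule format are assumptions for the example.

```python
"""Build an initial external scope from a DNS zone export and a firewall
rule export: which published hosts are actually reachable from the
Internet, through which rules, and which rules are broader than they
should be. Added example with constructed inputs (not real records)."""
import ipaddress

# Constructed BIND-style zone export. 203.0.113.0/24 is a documentation
# range used here as the "public" address space.
ZONE_EXPORT = """\
www.example.test.      300 IN A     203.0.113.10
mail.example.test.     300 IN A     203.0.113.25
old-vpn.example.test.  300 IN A     203.0.113.99
intranet.example.test. 300 IN A     10.20.0.15
shop.example.test.     300 IN CNAME www.example.test.
"""

# Constructed, simplified firewall export: action source destination ports.
FIREWALL_EXPORT = """\
permit any          203.0.113.10   tcp/80,tcp/443
permit any          203.0.113.25   tcp/25
permit any          203.0.113.0/24 any
permit 10.20.0.0/16 10.20.0.15     tcp/443
"""

# RFC 1918 space is treated as internal; everything else as public-facing.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Return {name: (rtype, rdata)} with trailing dots stripped."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records[parts[0].rstrip(".")] = (parts[3], parts[4].rstrip("."))
    return records


def resolve_a(records, name, depth=0):
    """Follow CNAME chains (bounded, so a loop cannot hang the review) to an IPv4 address."""
    if depth > 8 or name not in records:
        return None
    rtype, rdata = records[name]
    if rtype == "A":
        return ipaddress.ip_address(rdata)
    if rtype == "CNAME":
        return resolve_a(records, rdata, depth + 1)
    return None


def parse_firewall(text):
    """Return rules as dicts; 'any' becomes None so matching is explicit."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        action, src, dst, ports = parts
        rules.append({
            "action": action,
            "src": None if src == "any" else ipaddress.ip_network(src, strict=False),
            "dst": None if dst == "any" else ipaddress.ip_network(dst, strict=False),
            "ports": ports.split(","),
        })
    return rules


def exposure(zone_text=ZONE_EXPORT, fw_text=FIREWALL_EXPORT):
    """Map every resolvable DNS name to its address, whether it is public, the
    services Internet-sourced permit rules open to it, and any rule that
    opens every port to it."""
    records = parse_zone(zone_text)
    rules = parse_firewall(fw_text)
    result = {}
    for name in records:
        ip = resolve_a(records, name)
        if ip is None:
            continue
        entry = {"ip": str(ip),
                 "public": not any(ip in net for net in INTERNAL_NETS),
                 "services": [], "broad_rules": []}
        for rule in rules:
            # Only permits with source "any" matter for the external scope.
            if rule["action"] != "permit" or rule["src"] is not None:
                continue
            if rule["dst"] is not None and ip not in rule["dst"]:
                continue
            for port in rule["ports"]:
                if port not in entry["services"]:
                    entry["services"].append(port)
            if "any" in rule["ports"]:
                entry["broad_rules"].append(f"permit any {rule['dst'] or 'any'} any")
        result[name] = entry
    return result


if __name__ == "__main__":
    for name, e in exposure().items():
        print(name, e["ip"], "public" if e["public"] else "internal",
              e["services"], e["broad_rules"])
```

In the constructed data the `permit any 203.0.113.0/24 any` rule is what turns a forgotten `old-vpn` record into an in-scope host with every port open; that is exactly the kind of finding the interviews and paper review will not surface, because nobody remembers it.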
• Your scope is now clear. Do you need milestones?
• Yet another project going to the graveyard?
• Analysis
– Penetration Tests
– Security Review
• Process Design & Implementation
• Unified Vulnerability Management
• Security Operation Center
• External pentest
• Local area network pentest
• Web Application pentest
• Web Services pentest
• Mobile Application pentest
• Wireless pentest
• VoIP pentest
• ERP/SAP pentest
• SCADA Pentest
• Code Review
• Social Engineering
• Load, performance, Denial of Service tests
• Local area network review
• WAN/MPLS review
• OS security review
• Database security review
• Active Directory and services review
• IPS review
• Firewall review
• WLC (wireless LAN controller) review
• Virtualization security review
• Any other security platform review – proxy, DDoS protection…
• We need to talk and write some papers!
• Risk Management
• Asset Management
• Incident Management
• Access Management
• Password Management
• Project Management
• Secure-SDLC
• HR Security
• Physical Security
• Change & Configuration Management
• Capacity Management
• Supplier Management
• And many more…
• Handling
– Users
– Assets
– Scans
– Vulnerability Database & Correlation
– Task Management
– Cyber Intelligence
– Alarms
– Logging and Log Management
– Reports
• Users – your platform should allow you to:
– Create different types of users and roles
– Create different groups
• Assets – your platform should allow you to:
– Define assets of any type
– Define asset groups by asset attribute
– Define ownership
– Auto-discover assets
• Scans – your platform should allow you to:
– Define asset/asset-group scans
– Manage scans and scan results in one platform
– Integrate historical scans
– Define compliance-based scans
– Define and handle passive vulnerability scanning
• Vulnerability database & correlation – your platform should allow you to:
– Define your vulnerabilities in any language
– Group your vulnerabilities
– Define manual vulnerabilities, and so on
• Task management – your platform should allow you to:
– Integrate with GRC
– Integrate with the ticketing mechanism
– Assign vulnerabilities manually or automatically
– Assign vulnerabilities based on assets
• Cyber intelligence – your platform should allow you to:
– Track domain records
– Track SSL/TLS certificate information
– Track information disclosure over the internet
– Track social media
• Alarms – your platform should allow you to:
– Define asset-based alarms
– Define vulnerability-based alarms
– Define scan-based alarms
– Define SLA-based alarms
– Define cyber-intelligence-based alarms
• Logging – your platform should allow you to:
– Collect logs on your platform
– Integrate with central log management
• Give me some nice reports!
• Make it simple!
• Reports – your platform should allow you to:
– Create reports in the desired language
– Create report templates
– Filter your report based on asset, vulnerability or any other parameter
– Compare your reports by a given parameter
• Everybody talks about it!
• Too much information will kill you in the end!
• Centralized log management
• Scenarios (detection use cases)!
• Incident management
• Big data analysis!
• Forensics
• http://sourcesofinsight.com/6-personality-and-work-environment-types/
• IT Governance Institute, COBIT 5
• ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements
• Bedirhan Urgun, IstSec 2015 Information Security Conference (Bilgi Güvenliği Konferansı), "Etkin Zafiyet Yönetimi" (Effective Vulnerability Management)
• http://www.slideshare.net/bgasecurity/stsec-2015-norm-shield-why
• Çağatay Işıkcı, "Zafiyet Yönetim Sistemi" (Vulnerability Management System), Bilgi Güvenliği Notları (Information Security Notes)
• https://www.bilgiguvenligi.gov.tr/is-surekliligi/zaafiyet-yonetimi-sistemi-zys.html