Instructional Objectives

Information Security Governance & Compliance Assessment Essentials: Strategies for Staying Current with Technology

Douglas Brown – CISM, CISSP, Security Solutions Architect HP Security and Risk Management HP Services

Instructional objectives

• Share enabling technologies taxonomy as it applies to the P5 Model • Familiarize one’s self with common technologies encountered during security engagements • Understand HP’s security product portfolio • Understand HP’s strategy in selecting and aligning with 3rd party partners • Know where to go for “quick” education on security tools

5/25/2007 2

1 Agenda

• Assessing technology controls • Technology types • Emerging technologies • Enabling technologies • Applying enabling technologies • HP security technologies • Consultant resources • Security technology predictions • Breakout

5/25/2007 3

Assessing Technology Controls

2 Assessing technology controls

• Role and responsibility − Understand technology in place to manage/mitigate threats • Why are they using it? • How are they using it? • How could they use it better? − Recognize that you won’t know every technology in use • Clients expect us to know every single tool as an expert • Use probing questions to mask lack of awareness of a particular technology

5/25/2007 5

Technology ecosystem

Firewall Rules Management What to observe? Firewall Reporting Policy • What product is used? Firewall • How is it used? • How is it supported? P4 Firewall Failover • How is it managed? Engineer Mode • What end products are produced? • How is it documented? Firewall • Is it operationalized? Firewall Log Health Monitoring Monitoring • What’s its success track record? Device Management • Does the technology introduce new threats?

5/25/2007 6

3 What drives technology decisions?

• Legal/regulatory requirements − SOX-compliant tools? • Analyst reports − Burton, Gartner, etc. • Previous product experience • Aggressive sales pursuits

5/25/2007 7

Technology Types

4 General

• Hardware − Appliances − Firmware − Functionality (baked-in security) • Software − 3rd party (COTS) WhereWhere willwill youyou encounterencounter securitysecurity − Open source productsproducts && tools?tools? − Primary vs. secondary applications • Services − Hosted − Managed − Outsourced

5/25/2007 9

Hardware

• Appliances − Stand-alone solutions • firewall − Integrated approaches • Firewall, IDS/IPS, content filtering • Firmware − Embedded security functionality • HP Protect Tools − TPM chip • Functionality − Baked-in security • IEEE, ISO standards − Bolted-on

5/25/2007• Aftermarket 10

5 Software

• 3rd Party (COTS) − General commercial products OEMOEM vs.vs. PrivatePrivate • HP, Symantec, etc. LabelingLabeling − Open source-based COTS products • Guardian Digital, Inc. − Product assurance-rated products • TREP, FIPS, NIAP, DIAP Common Criteria • Free range products − Freeware products http://www.snapfiles.com − Shareware products − Open source developed • Dragon, SNORT, etc. • Primary vs. secondary functionality

5/25/2007 11

Services

• Hosted Security Service Provider (HSSP) − Generally single stack solution oriented • Secure e-mail, secure websites − IronPort, MessageLabs, SurfControl • Managed Security Services Provider (MSSP) − Security operations centers • IDS monitoring, firewall rules management, SPAM filtering − IBM (ISS), SecureWorks, Symantec, etc. • Customer Premise Equipment (CPE) • Managed Services Providers (MSP) − Generalist who bundles security offers from OEMs • AT&T, HP, BellSouth, etc.

5/25/2007 12

6 Emerging Technologies

2007 – 2010 trends

• End-point devices, users, web applications will draw the most enemy fire • The hardened perimeter will be replaced by more effective distributed secured control points • Vendors will offer many reactive solutions, but customers will create more proactive, information- centric security architectures • Organizations will spend more on privacy, but fall further behind and experience more data breaches

5/25/2007 14

7 15 2007 to 2010 trends – contd.

•Key business trends −Dollar signs dominate attacks −Compliance programs meet increasing regulatory complexity •Key technology trends −“Perimeters” = strategic, business-driven, control points −Declaring war on the false positive −Information centrism – security as a core aspect of the information management lifecycle −Getting proactive • Planning, architecture, and process −Work with and understand the business −Business continuity and incident response plans −De-siloization: share information, share intelligence 5/25/2007 15

2007 to 2010 trends – contd.

• The most successful businesses will address compliance proactively − Involve the legal team early and intimately − Think of compliance processes as core business activities, not annoying add-ons. Goal of compliance processes is to achieve: • Transparency: the organization needs to know who did what, when, and why • Integrity: the organization needs to ensure that its processes are followed faithfully and timely • Accountability: the organization’s records need to have sufficient evidentiary value to allow third parties to discover facts and allocate rewards and penalties accurately − Include compliance in enterprise architecture • “control down, validate up” − Change compliance processes slowly; rules may change as quickly as necessary • discretionary rules support compliance with the business’ own policies • non-discretionary rules support compliance with regulations

5/25/2007 16

8 2007 to 2010 trends – contd.

•“Run to the repository” or “data dis-aggregation”? − Two countervailing trends emerging at the same time 1. E-discovery, audit evidence requirements, and explicit regulations require long-term storage and archival of data − Therefore, enterprises may increase information centralization in order to aid content protection and control − This is borne out by Microsoft’s strategy with Office 12 / SharePoint 2. On the other hand, massive amounts of ubiquitous data are created, copied, and used at disparate endpoints − Therefore, enterprises may tighten controls over information stored and managed on user systems and points of data extraction − This is borne out by acquisitions of rights management solutions and endpoint-control products; plus, aforementioned use of encryption

5/25/2007 17

2007 to 2010 trends – contd.

• “Content is king” (It’s about the data, dummy) − Security teams have moved beyond simple infrastructure protection • “Which traffic can touch which systems?” isn’t adequate • Goal: “Who can perform what actions on which type of information?” − Content protection is getting deeper and tighter • Deeper = more layers for prevention and detection • Tighter = protection closer to the useful data − The proactive enterprise should “seek … and find” • Start the process of assessing information resources: until you know what you have, information-centric protection can’t work • Use tools, but engage the business − Realize that “we need data everywhere, always, forever” won’t work 5/25/2007 18

9 Enabling Technologies

OSI model defines enabling technologies

ISO 7498-2

Security Layer Governing OSI Model Model Supporting Assessing

7 – Authentication Recovering Hardening 7 – Application 6 – Access Control 6 – Presentation Responding Authenticating

5 – Non- 5 – Session Repudiation Enabling Monitoring Accessing Technologies 4 – Transport 4 – Data Integrity

3 – Network 3 – Confidentiality Storing Detecting

2 – Data Link 2 – Assurance / Complying Blocking Availability 1 – Physical Cloaking Defending 1 – Notarization / Securing Signature

5/25/2007 20

10 OSI security layer map

ISO 7498-2 OSI Layer Model: Vulnerabilities: Layer Controls: Security Model1:

7 – Application Layer: Specifies distributed Authentication • Backdoors • Application vulnerability scanning client/server applications • Weak authentication • Secure coding standards (SDLC) • Host-based firewalls / IDS

6 – Presentation Layer: Specifies protocols Access Control • Buffer overflows • Secure coding standards for translating data format

5 – Session Layer: Specifies protocols for Non-Repudiation • Brute force attacks • Data-in-motion encryption starting and ending a communications session • Session spoofing / hijacking • Secure FTP across a network • Encrypted password exchange

4 – Transport Layer: Specifies protocols for Data Integrity • TCP / UDP exploits • Firewalls end to end error control • Fingerprinting / enumeration • Router controls

3 – Network Layer: Specifies protocols for Confidentiality • Packet spoofing • Firewalls routing messages: • ID address/ route spoofing • IPSEC • Router filtering

2 – Data Link Layer: Specifies protocols for Assurance / Availability • Promiscuous mode sniffing • MAC address filtering point-to-point transmission and error control • Wireless hacking / interception • Secure network design • WEP

1 – Physical Layer: Specifies protocols for Notarization / Signature • Denial of Service (DoS) • Biometric authentication transmission of data over physical media • Physical theft • Data storage encryption

5/25/2007 21

Enabling technology taxonomy

Governing Supporting Assessing

Recovering Hardening

Responding Authenticating

Enabling Monitoring Accessing Technologies

Storing Detecting

Complying Blocking

Cloaking Defending Securing

5/25/2007 22

11 Governing technologies

Description: Products or services that automate INFOSec program functions related to organizing security teams, reporting program status, training personnel, increasing awareness, and developing policies and procedures. Security policy builders INFOSec organization designer 4 P Taxonomy On-line security training programs Security screensavers/logon messaging Examples Dashboard creation tools Security newsletters, posters, art

Category: Product: Vendor: URL: Resource Corner:

INFOSec Policy Builder Zequel Technologies, DynamicPolicy http://www.zequel.com (Automated security policy Inc. • Governance Assessment Tool - creator / manager) http://www.educause.edu/ir/library/p df/SEC0421.pdf Dashboard / Metrics Reporting Dash Portal MarvelIT, Inc. http://marvelit.com • CERT: Governing for the (Dashboard creation software) Enterprise Portal – http://www.cert.org/governance/ Awareness Training Terra Nova Training, http://www.securitsavvy SecurIT Savvy • Governance Reference Desk – (On-line training system) Inc. .com SearchSecurity.com - http://searchsecurity.techtarget.com INFOSec Organization Creator /topics/0,295493,sid14_tax303590, http://www.Informations InformationShield Information Shield, Inc. 00.html?asrc=SS_CLA_303590&ps (Job descriptions, organization hield.com structures, mission statements) rc=CLT_14 • Google – Awareness Messaging http://www.greenidea.c http://directory.google.com/Top/Co Visible Statement Green Idea, Inc. (Screen savers / logon om/ mputers/Security/Policy/ messaging) • Wikipedia – Awareness Messaging http://en.wikipedia.org/wiki/Security The Security Awareness http://www.thesecuritya Various _awareness (News letters, art, posters, Company warenesscompany.com logos)

May 25, 2007 Enterprise Infrastructure Focus Area 23

Assessing technologies

Description: Products or services that determine an INFOSec program’s readiness and completeness through the use of scanning, penetration, hacking, configuration, and validation tools and technologies. Assessing can be applied to every component of an INFOSecConfiguration program. compliance Penetration testing tool sets P4 Taxonomy Code analyzers (source/binary) Port/network scanners Examples Firewall rule analyzer Vulnerability scanning

Category: Product: Vendor: URL: Resource Corner:

http://www.fortifysoftwa Code Analyzer Fortify Suite Fortify Software Inc. re.com (Review application code for •SecurityPark Research Libary: Ounce Audit Ounce Labs, Inc. http://www.ouncelabs.c security flaws and bugs) Authentication White Papers - om http://securitypark.bitpipe.com/rlist/t erm/Vulnerability-Assessments.html Firewall Rules Analyzer Algorithmic Security, AlgoSec Firewall http://www.algosec.co •Top 100 Network Security Tools (Validate and manage firewall Analyzer m/ – http://sectools.org/ rules) Inc. •NIST: ASSET 2.0 Self Security Configuration Analyzer NetIQ Secure Assessment Tool – (Validate and assure adherence Configuration NetIQ Corporation http://www.netiq.com http://csrc.nist.gov/asset/index.html Manager to configuration baselines) •TechRepublic: Assessment Port Scanning Reference Desk – http://insecure.org/nma http://search.techrepublic.com.com/ Nmap Opensource (Reconnaissance and network p index.php?c=1&q=security+assess mapping) ment Vulnerability Scanning •Wikipedia – http://en.wikipedia.org/wiki/IT_secur (ASP solution or tool for QualysGuard Qualys, Inc. http://qualys.com ity_assessment discovering and detecting vulnerabilities)

May 25, 2007 Enterprise Infrastructure Focus Area 24

12 Hardening technologies

Description: Products or services used to make systems exceedingly difficult to compromise. Hardening includes removing or disabling unnecessary services, maintaining current patch levels, closing network ports, and using scripts to deactivate unnecessary featuresHardening in scripts configuration files. TCP/IP stack hardening tools 4 P Taxonomy Patch management systems WLAN hardening tools Examples Secure coding Web server hardening tools

Category: Product: Vendor: URL: Resource Corner:

Application Hardening TSX-Protection (Harden executables, registry OPSWAT, Inc. http://www.opswat.com Pack •CIS Hardening Benchmarking entries, services, etc.) Tools - C&I Security http://www.cisecurity.org/bench.htm OS Hardening Scripts Hewlett-Packard http://www.hp.com/sec Practice Hardening l (Harden operating systems) Company urity Service •CERT: Secure Coding Patch Management Systems Guidelines - http://www.patchlink.co http://www.cert.org/secure-coding/ PatchLink Update PatchLink Corporation (Ensure hardware / software is m patched at most current levels) •NSA Hardening Scripts - http://iase.disa.mil/stigs/index.html TCP/IP Stack Hardening http://xaitax.de/bin/full/z •Wiki: Freeware Hardening Tools Beyond Security, Inc. (Lockdown registry and Zigstack igstack_v4.rar - configuration settings) http://wiki.castlecops.com/Lists_of_f reeware_hardening_tools WLAN Hardening •/ (Build and harden secure Enterprise AirMagnet, Inc. http://airmagenet.com wireless networks) •Wikipedia – http://en.wikipedia.org/wiki/Hardeni Web Server Hardening Syhunt™ ng Apache/PHP Syhunt Technology http://www.syhunt.com (Lockdown web services) Hardener

May 25, 2007 Enterprise Infrastructure Focus Area 25

Authenticating technologies

Description: Products or services used to authenticate and grant access to users of IT assets and resources. Authentication services include access control, identity management, and entitlement/privilege management. Authentication (N+) Identity management lifecycle P4 Taxonomy Authorization Entitlement management Examples Role Based Access Control (RBAC)

Category: Product: Vendor: URL: Resource Corner:

Entitlement Management Entitlement (Fine grain application access Management Securent, Inc. http://www.securent.net •Microsoft TechNet: based on roles and Solution (EMS) Authentication Discussion – authorizations) http://technet2.microsoft.com/Windo wsServer/en/library/78cb5d3c- Identity Management & Account d0b2-4d20-a693- Provisioning OpenView Select Hewlett-Packard http://www.hp.com/sec fa66bde1a63b1033.mspx?mfr=true Identity Company urity (Identity life cycle management) •Sender Authentication Working Group White Paper – Directory Role Assigning ConSentry Networks, http://www.consentry.c http://www.openspf.org/blobs/sende LANShield (Identify and assign identity Inc. om r-authentication-whitepaper.pdf roles to AD users) •SecurityPark Research Libary: Role Mining & Creation Authentication White Papers - Eurekify Sage http://www.eurekify.co Eurekify, Ltd. http://securitypark.bitpipe.com/rlist/t (Role Based Access Control ERM m erm/Authentication.html “RBAC” modeling) •Wikipedia – Multifactor Authentication http://en.wikipedia.org/wiki/Security http://www.authenex.co ASAS Authenex, Inc. _awareness (Token-based multifactor m authentication device)

May 25, 2007 Enterprise Infrastructure Focus Area 26

13 Accessing technologies

Description: Products or services used to authenticate and grant access to users of IT assets and resources. Authentication services include access control, identity management, and entitlement/privilege management. Card access control Identity management lifecycle P4 Taxonomy Remote access Entitlement management Examples Single Sign-on Role Based Access Control (RBAC)

Category: Product: Vendor: URL: Resource Corner:

Single Sign-on Access Control v-GO Single Sign- http://www.Passlogix.c Passlogix Inc. (Enterprise single sign- On om on/reduce password access) •BitePipe Access Control White Papers - http://www.bitpipe.com/rlist/term/Ac Facility Access Control Lenel Systems IdentityDefender http://www.lenel.com cess-Control.html (Card Access Control System) International, Inc. •SecurityPark Research Libary: Network Admission Control Authentication White Papers - http://www.securitypark.co.uk/news (NAC) Network bycategory.asp?categoryid=8&title= Admission Control Cisco Systems Inc. http://www.cisco.com (End point scanning prior to Access%20Control granted access, infected end (NAC) points quarantined) •Wikipedia – http://en.wikipedia.org/wiki/Security Token Access Control Devices _awareness http://www.rsasecurity. Secureid RSA Security, Inc. (Limit password use by com •ZDNet White Papers on Access replacing them with tokens) Control - http://whitepapers.zdnet.com/searc Single/Reduced Sign-on OpenView Select Hewlett-Packard http://www.hp.com/sec h.aspx?tags=access+control (Reduced password usage and Access Company urity self-self password resets)

May 25, 2007 Enterprise Infrastructure Focus Area 27

Detecting technologies

Description: Products or services that detect altered state conditions or violations in security policy that could lead to security breaches. Products also restrict access to unauthorized web sites, mis-configured systems, and the presence of illegal software applications.Illegal web site access detection CMDB change management 4 P Taxonomy Configuration vulnerability Patch level confirmation Examples detection Greynet application detection File state alteration detection Category: Product: Vendor: URL: Resource Corner:

Greynet Software Detection Discovery. http://www.centennialo Centennial Discovery (Detect public IM software, Dashboard nline.co.uk adware, key loggers, etc.) Application State Changes •ESET White Papers on Threat Detection - (Detect changes to files in Tripwire Enterprise Tripwire, Inc. http://www.tripwire.com http://www.eset.com/download/whit comparison to policy) epapers.php •InformationWEEK Article on Detect Illegal/Unauthorized Websense http://www.websense.c Websense, Inc. Threat Detection - Web Sites Filtering om http://www.infoworld.com/article/07/ 02/16/08TCorchsb_1.html Network Behavior Analysis http://www.mazunetwor Profiler Mazu Networks, Inc. •FaceTime Company: Overview (Traffic monitoring yields ks.com of GreyNet applications - baselines to analyze threats) http://www.facetime.com/solutions/g Vulnerability Scanning Services reynets.aspx McAfee (Detect vulnerabilities within the Foundstone On- McAfee, Inc. http://www.mcafee.com enterprise that could be Demand Service exploited)

May 25, 2007 Enterprise Infrastructure Focus Area 28

14 Blocking technologies

Description: Products or services that block unwanted network ingress/egress attempts and intrusions. Blocking technology can drop suspicious connections, disallow traffic, and filter against Malware. Blocking can be used on inbound as well as outbound communications.Firewalls DDoS defensive tools 4 P Taxonomy Intrusion Prevention Systems (IPS) Content filtering Examples Intrusion Detection Systems (IDS) Web filtering / blocking

Category: Product: Vendor: URL: Resource Corner:

IDS & IPS Network Security http://www.Symantec.c Symantec, Inc. (Detect and prevent intrusions 7100 Series om at the network or host level) Firewalls •Crime research Center: DoS Vs. Check Point http://www.checkpoint.c (Allow/disallow traffic to FireWall-1 DDoS Attacks White Paper - networks and application technologies, Ltd. om http://www.crime- through rules engine) research.org/articles/network- security-dos-ddos-attacks/ Web Filtering/Blocking Barracuda Web http://www.barracudan •Wikipedia – (Restrict access to/from URLs Barracuda Networks Filer etworks.com http://en.wikipedia.org/wiki/Content- and block content downloads) control_software & Content Blocking http://en.wikipedia.org/wiki/Firewall GTB Technologies, Inc. GTB Inspector http://www.gttb.com & (Block outgoing content to http://en.wikipedia.org/wiki/Intrusion prevent data leakage) _detection_system DDoS Detection & Blocking http://www.arbornetwor (Detect DDoS attacks and block Peakflow SP Arbor Networks, Inc. and reshape traffic to continue ks.com operations)

May 25, 2007 Enterprise Infrastructure Focus Area 29

Defending technologies

Description: Products or services that defend against Malware and other virulent code that could cause havoc. Common denominators for these products is their multi-purpose approach to threats by detecting and eliminating malicious code upon detection or infection.

Anti-virus software Malware elimination P4 Taxonomy Anti-SPAM software Threat management appliances Examples Anti-Spyware/adware Unified threat management tools

Category: Product: Vendor: URL: Resource Corner:

Anti-Malware Blue Coat http://www.bluecoat.co (scan for viruses, worms, Blue Coat Systems, Inc. spyware and Trojans entering ProxyAV 2000 m through Web-based backdoors)

Anti-Virus InterScan Trend Micro http://www.trendmicro.c Enterprise Incorporated (Virus scanning, detection, om quarantine, and removal) SuperSuite

Anti-Spyware http://www.microsoft.co Windows Defender Microsoft Corporation •Wikipedia – (Detection, blocking, and m removal of Spyware) http://en.wikipedia.org/wiki/Malware

Threat Management Appliance Astaro Security Astaro AG http://www.astaro.com (Gateway multi-threat detection Appliances reflection tool)

Unified Threat Management Symantec http://www.Symantec.c (Appliance that includes virus, Gateway Security Symantec, Inc. om SPAM, pop-up, Malware 5600 Series prevention)

May 25, 2007 Enterprise Infrastructure Focus Area 30

15 Securing technologies

Description: Products or services that automate INFOSec program functions related to organizing security teams, reporting program status, training personnel, increasing awareness, and developing policies and procedures. Encryption solutions Privacy preserving technologies 4 P Taxonomy Content protection Data Loss Protection (DLP) Examples Secure messaging tools Virtual private networks

Category: Product: Vendor: URL: Resource Corner:

Data Loss Protection (DPL) (Prevent malicious loss of Onigma McAfee, Inc. http://www.mcafee.com confidential data) Data-in-Motion Encryption http://www.apaninetwor EpiForce Apani Networks, Inc. (Encrypt data transmission ks.com •SearchSecurity.com: Data Loss - behind the firewall) http://searchsecurity.techtarget.com Digital Certificates /tip/0,289483,sid14_gci1229761,00. http://www.verisign.co html Extend SSL Verisign, Inc. (Bind entities together through m trusted paths/connections) •Ziff-Davis Buyer Guide: DPL - http://content- Digital & Enterprise Rights management.webbuyersguide.com/ Windows Rights Management (DRM & ERM) http://www.microsoft.co buyingadvice/2266- Management Microsoft Corporation m wbgcontentmanagement_buyingad (Securing document individually (WRM) or enterprise wide) vice.html Virtual Private Networks (VPN) (Securing network connections Cisco VPN SUite Cisco, Inc. http://cisco.com and data outside the firewall)

May 25, 2007 Enterprise Infrastructure Focus Area 31

Cloaking technologies

Description: Products or services used to hide or make invisible network services and/or devices in order to prevent them from being detected by hackers. Cloaking can also include impersonation of identities to further mislead attackers. IP stealth technology Network cloaking 4 P Taxonomy Static cloaking Load balancing Examples Dynamic cloaking Server masking /anonymizing

Category: Product: Vendor: URL: Resource Corner:

Anonymizing http://www.Port80softw servermask Port80 Software, Inc. (Removing identifying details are.com from web servers) IP Stealth Technology AlphaShield http://www.alphashield. AlphaShield Inc. (Make Internet devices invisible Enterprise com to hackers)

COM Security Capability http://msdn2.microsoft. •SecurityITWorld.com Article – com/en- http://security.itworld.com/nl/securit (Determines what identity the Clocking (COM) Microsoft Corporation client projects toward the server au/library/ms683778.as y_strat/11142006/ during impersonation.) px •Wikipedia – http://en.wikipedia.org/wiki/Security Network Cloaking _through_obscurity (Strips internal network Sidewinder G2 Secure Computing http://www.securecomp information in the returned Security Appliance Corporation uting.com traffic) Load Balancing (Obscure the fact there are BIG-IP F5 Networks, Inc. http://www.f5.com multiple servers by making them appear as one)

May 25, 2007 Enterprise Infrastructure Focus Area 32

16 Complying technologies

Description: Products used to report or present the state of an organization’s standards and regulatory compliance state. Approaches range from sophisticated interactive dashboards to business intelligence engines that extract compliance-related data for reporting.Compliance dashboards Compliance demonstration/proof P4 Taxonomy Compliance management Compliance testing Examples Compliance reporting Compliance attestation

Category: Product: Vendor: URL: Resource Corner:

Compliance Dashboard SailPoint Technologies, http://www.sailpoint.co (Dashboard view of policy, Compliance IQ •eWEEK Compliance Desk Inc. m identity, standards, and risk reference - compliance state) http://www.eweek.com/category2/0, Compliance Management 1874,1639143,00.asp Brabeion Brabeion Software http://www.brabeion.co •IT Compliance Institute - (Compliance standards Compliance Corporation m http://www.itcinstitute.com/ database mapped to control Center remediation and audit reporting) •IT Compliance.com: Portal for IT Compliance Issues – Compliance Reporting http://www.itcompliance.com (Business intelligence engine to Information Builders, http://www.iwaysoftwar iWay •Google – extract attribute information Inc. e.com http://directory.google.com/Top/Co related to regulatory mputers/Security/Policy/ compliance) Compliance Demonstration •Wikipedia – http://en.wikipedia.org/wiki/Complia http://www.Symantec.c (Map technical controls to Bindview Symantec, Inc. nce_%28regulation%29 Wikipedia om regulations and report on – status) http://en.wikipedia.org/wiki/Complia Compliance Testing http://www.openpages. nce_%28regulation%29 OpenPages, Inc. (Control testing and tracking) OpenPages GCM com

May 25, 2007 Enterprise Infrastructure Focus Area 33

Monitoring technologies

Description: Products or services that monitor the continuous state of hardware, software, or events related to security. Monitoring can be applied as a managed services or as an enterprise solution where agents are used to monitor security appliance states and events.

Security event monitoring Threat monitoring & reporting service 4 P Taxonomy Compliance monitoring Managed service security monitoring Examples Facilities monitoring Access & event log monitoring

Category: Product: Vendor: URL: Resource Corner:

Access and Event Logging Monitor logs for security alerting LogLogic ST & XT LogLogic, Inc. www/loglogicom and compliance purposes) Facilities Monitoring Lenel Systems OnGuard http://www.lenel.com (CCTV, HVAC, Alarm International, Inc. Surveillance and Monitoring) iDefense Security •BizForum White Paper on Security Intelligence Service http://www.verisign.co Intelligence VeriSign, Inc. Security Monitoring - m (Security Threat Monitoring) Service http://www.bizforum.org/whitepaper s/bluelance-1.htm Managed Security Services Managed Service LURHQ SecureWorks, •Project Lasso – Global Logging http://lurhq.com (Outsource IDS/IPS, Firewall, Services Inc. Standards - Content, Log Monitoring) http://www.loglogic.com/logforge/# Terminal Server Monitoring http://www.tsfactory.co RecordTS TS Factory, Inc. (Records server session m activity) Security Event Management http://www.netforensics nFX netForensics, Inc. Correlate and aggregate .com security events for analysis)

May 25, 2007 Enterprise Infrastructure Focus Area 34

17 Supporting technologies

Description: Products or services that directly or indirectly support the operationalization of security technologies. Products are aligned to the ITIL Framework and include change management, configuration management, problem management, and other. Asset management Problem management Examples P4 Taxonomy Change control Release management Configuration management Service level management

Category: Product: Vendor: URL: Resource Corner:

OpenView Asset Hewlett-Packard Identify and Inventory IT Assets http://www.hp.com Center Company

Open and Track Service Tickets OpenView Service Hewlett-Packard http://www.hp.com Related to Security Issues Desk Company

Monitor Security Appliances for OpenView Hewlett-Packard http://www.hp.com Health Status Operations Company •HP Software Listing - OpenView http://h20229.www2.hp.com/ Ensure Security Configuration Hewlett-Packard • Wikipedia – Appliances/Devices are Patch Management http://www.hp.com Company http://en.wikipedia.org/wiki/OpenVie Correctly Patch w Management OpenView Ensure Security Configuration Hewlett-Packard Appliances/Devices are http://www.hp.com Manager Inventory Company Configured Correctly Manager OpenView Maintain Security Attributes in Configuration Hewlett-Packard http://www.hp.com Application Profiles Manager Company Applications May 25, 2007 Enterprise Infrastructure Focus Area 35

Storing technologies – Group 1

Description:

4 P Taxonomy Examples

Category: Product: Vendor: URL: Resource Corner:

May 25, 2007 Enterprise Infrastructure Focus Area 36

18 Responding technologies – Group 2

Description:

4 P Taxonomy Examples

Category: Product: Vendor: URL: Resource Corner:

May 25, 2007 Enterprise Infrastructure Focus Area 37

Recovering technologies – Group 3

Description:

4 P Taxonomy Examples

Category: Product: Vendor: URL: Resource Corner:

May 25, 2007 Enterprise Infrastructure Focus Area 38

19 39 Summary

−Key business trends • Dollar signs dominate attacks • Compliance programs meet increasing regulatory complexity −Key technology trends • “Perimeters” = strategic, business-driven, control points • Declaring war on the false positive • Information centrism – security as a core aspect of the information management lifecycle −Getting proactive • Planning, architecture, and process −Work with and understand the business −Business continuity and incident response plans −De-siloization: share information, share intelligence

5/25/2007 39

Applying Enabling Technologies

20 Enabling technologies discovery

Storage Devices 1.What are the Databases threats? Applications Operating Systems Servers/Blades 2.Where do the Local Area Network threats originate? Desktops/Printers Personnel Third Party Providers 3.What are the likely Web Services impacts? Internet End-point Devices Mobility Devices 4.What is most External Users vulnerable? 5.What could be exploited? 6.What should be protected? 7.Who would be most affected?

5/25/2007 41

Enabling technologies planning

Governing Supporting Assessing

Recovering Hardening

Responding Authenticating

Enabling Monitoring Accessing ++ Technologies

Storing Detecting

Complying Blocking

Cloaking Defending Securing

1. How do we govern our assets? 8. How do we secure our infrastructure? 2. How do we assess our readiness? 9. How can we make ourselves invisible to attackers? 3. Where do we harden our infrastructure? 10. How do we comply with regulations? 4. Where do we restrict access? 11. What data requires retention? 5. How do we authenticate access/entitlements? 12. How do we monitor our controls and readiness state? 6. How do we detect that we’re under attack? 13. How we respond to security breaches? 7. Where can we block threats? 14. How do we recover from security incidents? 8. How do we defend against attacks? 15. How do we support our controls to be more effective?

5/25/2007 42

21 Enabling technologies hierarchy

INFOSec Program

Information Security Defense-in-Depth Event Management Management Access Control Strategy System (EMS) System (ISMS)

Governing Cloaking Detecting Authenticating

Assessing Blocking Responding Accessing

Complying Defending Recovering

Monitoring Hardening Storing

Supporting Securing

5/25/2007 43

Enabling technologies relationships

DMZDMZ HardeningHardening

Secure Web Filtering Application E-mail Development Encryption Server/OS Reverse proxy Hardening End-PointsEnd-Points SPAM/Virus Patch Filtering Management Anti-Virus Anti-Adware NetworkNetwork PerimeterPerimeter Anti-SPAM GovernanceGovernance Anti-Pop Up Firewalls Anti-Malware Intrusion Prevention VPN Policies System (IPS) Concentrators Assessments Intrusion Detection Access Control Training & System (IDS) Lists (ACLs) Awareness Network Access Control Monitoring & (NAC) Compliance

5/25/2007 44

22 HP Security Technologies

Examples of HP enabling technologies by ISO domain

5/25/2007 46

23 HP security technologies

• OpenView Suite for Security − Select Identity − Select Access − Select Audit − Select Federation − Compliance Manager − Service Desk (Key component of ITSM/ITIL) − Network Node Manager (NNM) for Security Operations Center (SOC), Network Operations Center (NOC) − … and much more • ProtectTools Security Software Modules − http://practices.know.hp.com/C0/Defense%20and%20Security/Defe nse%20and%20Security%20Library/IT%20and%20network%20infra structure%20(horizontal)%20solutions/IT%20Security/HP%20Protec tTools%20Security%20Solution.html

5/25/2007 47

HP security technology partners

5/25/2007 48

24 Security Staff Resources

Security product vendor directory

5/25/2007 50

25 Security tools resources

Vendor White Papers Mega Security Links HP Deployed Security Products

Founded in 1998, Bitpipe, Inc. (www.bitpipe.com) created an online network of IT and business Web sites and pioneered the concept of creating multiple distribution channels for vendor- created content. http://it-ea.corp.hp.com/app/product.aspx?list=category http://www.cccl.net/pandl/pandl.html Microsoft TechNet Security Security Tools Portal Encyclopedia of Tools

http://www.microsoft.com/technet/security/default.mspx

http://en.wikipedia.org

http://sectools.org/

5/25/2007 51

Threats drive technology choices

• Vulnerabilities tracking sites: − CERT − Bugtraq − Cisco − HP − Microsoft − RedHat − SuSE − Vulndev − Securiteam − Neohapsis − ISS X-Force − National Infrastructure Protection Center − CVE − VU# Database − Security Tracker

5/25/2007 52

26 Security Technology Predictions

Top-10 security product predictions

1. The rise of 3S will merge security, systems, and storage management disciplines 2. Managed threat environments will offer criminals more scalable attack platforms 3. NAC will absorb mature content management products 4. OS authors & Service Providers will assimilate consumer security products 5. Consumer authentication will emerge as a new enterprise market

5/25/2007 54

27 Top-10 security product predictions

6. Physical & IT security will start to converge within large enterprises 7. Anti-virus and anti-spyware technologies will gradually disappear as standalone consumer products, but not brands 8. Vulnerability testing for application code will become a growing part of the SDLC 9. Security will get better, but more annoying 10. Compliance will be recognized as a new class of vulnerabilities

5/25/2007 55