Miguel Sanchez presented on risk based security and self protection technologies. He discussed how the threat landscape has changed and the need for a proactive, risk based approach. This involves a multi-tiered risk management process including framing risks at the organizational, mission, and system levels. Emerging technologies like runtime application self protection can help applications protect themselves by monitoring for threats during execution.
3. First Communications: At A Glance
• Technology Provider since 1998, serving thousands of Businesses throughout the Midwest
• 24x7x365 Network Management Center (NMC)
• Data Center and Colocation Facilities in Cleveland and Downtown Chicago
• Serving Diverse Businesses ranging from SMB to Enterprise
• Headquartered in Akron, Ohio
Our Mission
To Empower our customers through leading-edge technology solutions delivered with a first-class experience.
4. Today’s Topic Agenda
• Current State of Information Security
• Overview of Risk Based Security models
• Risk Management Process
• Multi-tiered Risk Management Model
• Three levels of Risk Management
• Runtime Application Self Protection
5. Current State of Information Security
• The threat landscape has changed considerably over the past few years due to the disappearance of the perimeter defense, for the following reasons:
– Change
– Mobility and consumerization
– Ecosystem
– Cloud
– Infrastructure
6. Current State of Information Security
• The attacking power of cyber criminals has increased significantly; they are not just some hackers operating out of someone’s basement anymore
• We need to take into consideration the following threats:
– Criminal syndicates
– State sponsored attackers
– Hacktivists
– Lone wolf hacker
7. Perimeter Security
• One of the first and most basic lines of network perimeter defense is a firewall.
– A device that inspects inbound and outbound traffic on a network.
• In addition to firewalls, traditional responses to new threats have been to add stand-alone security technologies to the network.
8. Next Generation Firewalls
• There have been tremendous advancements in Next Generation Firewalls, which should be a part of any Information Security Plan and include the following Unified Threat Management (UTM) capabilities:
• Stateful Packet Inspection
• Application Control
• Intrusion Detection/Prevention
• Data Loss Prevention
• Content Filtering
• Anti-malware/Anti-spam
• IPv6 support
• Virtualized environments
• Endpoint security
• VPN
9. Information Security: Reactive to Proactive
For most small to medium organizations, Information Security is a Reactive rather than a Proactive process.
• How many breaches do you hear about in the news where compromised systems are discovered weeks or months after the actual event?
• How do we get to a model that is more proactive and workable for organizations regardless of size?
10. Information Security Constraints
What are some of the constraints for implementing effective Information Security?
• Shrinking budgets
• Lack of security focus
• Lack of resources
• Lack of a common approach to information security
11. Risk based Security
• There has been a slow and steady change in the way organizations approach Information Security, using a Risk Based model.
• Today’s CSO/CISOs are being asked to prioritize risks—by identifying which ones need to be addressed and which ones should be accepted as the cost of doing business.
12. Risk Based Security
What are some of the factors that drive a Risk Based Security model?
• Compliance
• Recent security event
• Threat landscape
• Proactive approach
13. What are the top drivers for your Information Security / Risk Management program?
(Survey chart: Wisegate Community Viewpoints)
14. Risk Management Model
Risk management is the ongoing process of identifying, assessing, and responding to risk.
• Managing Risk
– Businesses and Organizations need to understand the likelihood or probability that an event will occur and its resulting consequence or impact.
• Risk Tolerance
– Using the Risk Management Model, organizations can determine the acceptable level of risk for the delivery of services; this can be expressed as their risk tolerance.
15. Risk Management Process
• There are several Risk Management frameworks that organizations are using, including NIST SP 800-39, ITIL, the ISO 27000 Series, PCI, HIPAA, internally developed systems, or a combination of these.
• For this discussion we will be using the NIST SP 800-39 framework.
16. Risk Management Process
• Managing risk is a complex and multifaceted process. It requires the involvement of the entire organization using a Multitiered Risk Management Process.
• Risk management is a comprehensive process that requires organizations to:
17. Frame Risk
Establishing a realistic and credible risk frame requires organizations to identify the following:
• Risk assumptions
• Risk constraints
• Risk tolerance
• Priorities and trade-offs
18. Assess Risk
• The Risk Assessment component identifies:
– Threats
– Vulnerabilities
– Consequences/impact
– The likelihood that harm will occur.
• The end result is a determination of risk
19. Respond to Risk
• The purpose is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by:
– Developing
– Evaluating
– Determining
– Implementing
20. Monitor Risk
• The purpose of the risk monitoring component is to:
– Verify
– Determine ongoing effectiveness
– Identify risk-impacting changes
21. Risk Management Process
(Figure from NIST SP800-39: the Frame, Assess, Respond and Monitor components, linked by information and communications flows.)
22. Making Risk Management Work
• Risk management can be broken down into three distinct areas:
– Tier 1 Organization level (Strategic)
– Tier 2 Mission/business process level (Tactical)
– Tier 3 Information system level (Operational)
23. Multitiered Risk Management
(Figure from NIST SP800-39: Strategic Risk at the top tier down to Tactical Risk at the bottom tier, with the following properties.)
• Traceability and Transparency of Risk-Based Decisions
• Organization-Wide Risk Awareness
• Inter-Tier and Intra-Tier Communications
• Feedback Loop for Continuous Improvement
25. Tier 2 Mission/Business Processes
• Tier 2 addresses risk from a business process perspective by designing, developing, and implementing business processes that support the business functions defined at Tier 1.
– Risk-Aware Mission/Business Processes
– Enterprise Architecture
– Information Security Architecture
27. Tier 3 Information Systems View
• The risk management activities at Tier 3 reflect the organization’s risk management strategy and any risk related to the cost, schedule, and performance requirements for individual information systems that support the mission/business functions of organizations.
• Risk management activities are also integrated into the system development life cycle of information systems at Tier 3.
• There are typically five phases in system development life cycles: (i) initiation; (ii) development/acquisition; (iii) implementation; (iv) operation/maintenance; and (v) disposal.
28. Three Levels of Risk Management
When we look at the Multitiered Risk Management model, it is similar to the three levels of Risk Management in other models, with the following correlations:
• Tier 1 Organization
– Risk Management strategy
• Tier 2 Business Processes
– Tactical/Architecture
• Tier 3 Information Systems
– Processes/Operational
29. Risk Management Process Applied Across All The Tiers
(Figure from NIST SP800-39: the Frame, Assess, Respond and Monitor components applied at Tier 1 - Organization, Tier 2 – Mission/Business Processes, and Tier 3 – Information Systems.)
31. Risk Based Security
We will look at a sample outline that can be used for implementing a Risk Based Security Plan:
1. Identify what is of value
2. Collect data on that value
3. Perform a risk assessment
4. Present to the organization
5. Identify control objectives
6. Identify and select controls
7. Implement controls
8. Operate controls
9. Monitor and measure
10. Operate a feedback loop
32. Frame and Assess
• Identify what is of value
– Tangible versus intangible assets
– Collaborative effort
• Collect data on that asset
– Asset valuation
– Impact
– Threat landscapes
– Frequency and likelihood
– Vulnerabilities
33. Assess and Frame
• Perform Risk Assessment
– Objectives
– Methodology
• Present to the organization
– Key risks to the achievement of organizational goals
– Open discussion
– Not a precise prediction of future
34. Respond
• Identify Control Objectives
– A control objective is the aim or purpose of controls put in place and intended to mitigate risk
– Best solution
• Identify and select controls
– TCO
– Flexibility
– Amount spent
– Does the control reduce the risk by an expected amount?
• Implement controls
– Ensure that implementation follows the objectives and requirements previously set
• Operate controls
35. Monitor
• Monitor and measure
– Measure on an ongoing basis
– Focus on clearly identifiable changes in risk
• Operate a feedback loop
– Risk Based Security Management is cyclical and ongoing
– Data collected should create a feedback loop
39. Runtime Application Self Protection
• Realistic detection rates for today’s advanced threats are typically around 5-10 percent.
• Compounding the security threat to applications is the heavy reliance on mobile devices for access and the use of these mobile devices within the enterprise network.
• Applications need self-defense or, as Gartner calls it, runtime application self-protection (RASP).
40. Runtime Application Self Protection
• Runtime Application Self Protection (RASP)
– The next layer of Information Security?
– Is a security technology that is built or linked into an application or application runtime environment
– RASP runs on the application server and monitors the execution of the application from the stack.
– Gartner predicts “25% of Web and cloud applications will become self-protecting, up from less than 1% today.”
41. Runtime Application Self Protection
• Applications should not be delegating — as is done today — most of their runtime protection to external devices.
• Applications should be capable of self-protection — that is, have protection features built into the application runtime environment.
42. Runtime Application Self Protection
• RASP, as with any new technology, does have its drawbacks
– Performance
• 5-10%
– Implementation
• Web
• Virtualized environments
43. Conclusion
• A Risk Based Security model helps to provide a flexible, fluid and ongoing Information Security framework that needs collaboration
• A different perspective in Information Security
• Various models to accomplish an organization’s overall strategic objectives
44. Conclusion
• Runtime Application Self Protection (RASP) is an emerging technology that can address the quickly disappearing perimeter for Information Security
1 Change, such as new product launches or the introduction of new technology, is on the rise and complicates the task of maintaining strong cybersecurity.
2 Mobility and consumerization. The adoption of mobile computing has resulted in the blurring of organizational boundaries. IT is getting closer to the user and further from the organization. The use of the Internet, smartphones and tablets (in combination with BYOD) has made organizations’ data accessible everywhere.
3 We live and operate in an ecosystem of digitally connected entities, people and data, all of which increases the likelihood of exposure to cybercrime in both the work and home environment.
4 Cloud-based services and third party data management and storage open up new channels of risk that previously did not exist. It is very common to hear about security concerns around shadow IT.
5 Infrastructure for traditionally closed operational technology systems is now being given IP addresses. Cyber threats are now making their way out of back-office systems and into critical infrastructure such as power generation and transportation systems, which of course is a high concern for Homeland Security.
Dell SecureWorks has reported over 830,000 victims of the CryptoWall ransomware, with demands starting at $500 each.
We keep hearing about state sponsored Distributed Denial of Service attacks by Russia or China.
Hacktivists such as Anonymous making political statements.
And lastly, the Lone wolf hacker or Black Hat who is just having some malicious fun.
The attacking power of cyber criminals is increasing at an astonishing speed. Attackers have access to significant funding; they are more patient and sophisticated than ever before; and they are looking for vulnerabilities in the whole operating environment — including people and processes.
So what are the defenses currently in place?
1) Firewalls were the first widely deployed network security technology, when the Internet was a baby. Their basic job is to inspect traffic and decide what traffic is allowed to go from outside to inside, and from inside to outside. However, network traffic has changed quite a bit in the past couple of decades.
2) Unfortunately, this adds complexity and cost, as each new technology means a new device to deploy, a new set of policies to configure, and a new management console to monitor.
In response to the limitations of the traditional method of network security, Next Generation Firewalls have evolved to fill the need.
NGFWs or Web Application Firewalls are an important part of an Information Security plan, but not the be-all and end-all. They become one important part of an Information Security Architecture.
How do we avoid the recent data breaches of Sony Entertainment or the health care provider Anthem? For example, in Anthem’s case, they are considered HIPAA compliant, but their data was not encrypted because it didn’t need to be. Being compliant does not mean you avoid or mitigate risk and the impact or consequences that will be experienced.
In addition to less money, IT is given more responsibilities.
Not every organization has a dedicated security team.
Shortage of staff or lack of training.
Being reactive versus proactive.
This is where having a framework is necessary to help identify your cybersecurity risks.
Compliance is a big factor for heavily regulated industries such as healthcare and financial institutions.
Could be internal or external.
Recently issued threats or an assessment of a risk.
Companies that are leading edge or want to do the right thing.
As you can see from the survey, compliance received the greatest response as a driver for a risk management program, but it becomes just one factor in the risk profile. Even in a risk-based program, compliance doesn’t go away entirely, since the regulations are still there. Department heads and managers have to start thinking in terms of acceptable risk levels rather than compliance requirements from a checklist.
It's a change in the mindset of an organization. It is an "aha!" moment for the entire organization, when everyone understands what the difference is.
Let’s take a look at what you get with a Risk Management model.
Tolerance for risk changes over time. It is dynamic and fluid.
It needs the involvement from senior leaders/executives providing the strategic vision; to mid-level leaders planning projects; to individuals on the front lines operating the information systems.
(i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk; and (iv) monitor risk on an ongoing basis.
The Risk Management Process model shows a continuous feedback loop across all levels, where the risk frame is defined at the strategic level down to the front lines where Information Security systems are monitored.
The first component of risk management addresses how organizations frame risk, or the risk context. The Risk Context is the environment in which risk-based decisions are made.
The purpose of this step is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk.
The risk frame establishes a foundation for managing risk and the boundaries for risk-based decisions.
The second component of risk management addresses how organizations assess risk within the context of the risk frame.
Threats to organizations, or threats directed through organizations against other organizations. For example, an attack on your information systems to gain access to one of your outside vendors through a company portal.
Vulnerabilities, internal and external. Internal could be people or systems.
Consequences or impact that may occur given the potential for threats exploiting vulnerabilities.
Likelihood that harm will occur.
The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring).
The third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of risk assessments.
(i) developing alternative courses of action for responding to risk;
(ii) evaluating the alternative courses of action;
(iii) determining appropriate courses of action consistent with organizational risk tolerance; and
(iv) implementing risk responses based on selected courses of action.
To support the risk response component, organizations describe the types of risk responses that can be implemented by either accepting, avoiding, mitigating, sharing, or transferring risk.
As you can see, everything revolves around identifying the Risk Frame which drives all other decisions.
The fourth component of risk management addresses how organizations monitor risk over time.
Verify that planned risk response measures are implemented and information security requirements are satisfied;
Determine the ongoing effectiveness of risk response measures following implementation; and
Identify risk-impacting changes to organizational information systems and the environments in which the systems operate.
Here we come back to the Risk Management Process model where the Frame Risk is at the center of the whole process. Basically, we start with identifying what is of value for an organization and the risk associated with that valuable asset.
How do we make Risk Management Work?
The risk management process is carried out seamlessly across the three tiers, with the overall objective of continuous improvement in the organization’s risk-related activities and effective communication across all tiers and among all stakeholders having a shared interest in the success of the organization.
The Multitiered Risk Management approach has distinct boundaries and accountabilities with continuing communication across all tiers. From the Organization level that frames risk, to the Mission/Business processes that assess and respond to risk, down to the operational level where risk is monitored.
Governance is the set of responsibilities and practices exercised by those responsible for an organization, such as the board of directors and/or executive management.
The risk executive (function) serves as the common risk management resource. It is similar to the recommended executive position in Disaster Recovery/Business Continuity Planning. They are the single point of contact between various departments in this collaborative process.
Risk tolerance is the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the risk frame.
Investment strategies that generally reflect the long-term strategic goals and objectives of organizations.
A risk-aware mission/business process is one that explicitly takes into account the likely risk such a process would cause if implemented. Implementing risk-aware mission/business processes requires a thorough understanding of the organizational missions and business functions and the relationships among those functions and supporting processes.
Enterprise architecture establishes a clear and direct connection from investments to measurable performance improvements. It promotes the concepts of segmentation, redundancy, and elimination of single points of failure—all concepts that can help organizations manage risk more effectively.
The information security architecture is an integral part of the organization’s enterprise architecture.
It represents that portion of the enterprise architecture specifically addressing information system resilience and providing architectural information for the implementation of security capabilities.
The primary purpose of the information security architecture is to ensure that mission/business process-driven information security requirements are consistently and cost-effectively achieved in information systems, and that the environments in which those systems operate are consistent with the organizational risk management strategy.
Information security requirements defined in the segment architecture are implemented in the form of management, operational, and technical security controls.
It provides a detailed roadmap that allows traceability from the highest Tier 1 strategic level down to the Tier 3 operational level.
Here you see how the Information Security Architecture flows from the Organization strategic level into the environments of operation in the Multitiered Risk Management model.
All information systems, including operational systems, systems under development, and systems undergoing modification, are in some phase of the system development life cycle.
The slide shows the integration of the Risk Management model with the Multitiered Risk Management process. As you can see, everything revolves around the Frame Risk component.
The bidirectional arrows in the figure indicate that information and communication flow among the risk management components. The execution order of the components may be flexible and respond to the dynamic nature of the risk management process as it is applied across all three tiers.
When we look at the NIST Cybersecurity Framework, it has direct correlations with the Risk Based Management model and the Multitiered Management approach. It has distinct boundaries, but is collaborative and flexible.
So how do we get started?
What is of value, or what matters. If you have a Disaster Recovery/Business Continuity Plan, then you have already started to identify critical information systems that need to be prioritized. This can help in the identification of risk to that value.
1a) Many of the most valuable assets are intangible and are typically not considered in technical approaches to information security. A company’s reputation is considered an intangible asset so how do you place a value on that asset? Maybe we need to ask Target for the value of this intangible asset?
1b) This requires us to step out of our techie role and step into that of sociologist. We need to survey the organization and engage those who are responsible for each line of business. We need to gather information about the organization’s revenue stream, its revenue per line of business, how each business unit is interrelated and can impact the revenue stream. We need to learn what the manager focuses on to keep their area running.
Nearly all risk analysis methodologies require key pieces of information in order to complete the analysis. Collecting this information is a process best based in observable data and can include feedback from the organization’s environment or be based on broader industry studies. The information collected does not need to be absolute and precise and in some cases the data collected will be closer to estimations.
It is important to start with a baseline that will evolve over time.
A risk assessment is the critical junction of any risk management program. It is where the various elements that affect risk are brought together and the data that has been collected is exercised. The first step is to set the objectives of the assessment. The objectives should specify the environment and assets being assessed.
Some of the things we need to look at for the Methodology to assess risk are:
The need to represent risk as a balanced combination of threats, vulnerabilities, and likelihood;
Consider a broad range of viable threats, likelihoods and vulnerabilities;
Measure risk using as much tangible data as possible;
Not attempt to be absolute or force precision but rather attempt to define the probability of events and outcomes;
Create meaningful analysis of probabilities (what is the likelihood of something happening) rather than possibilities (simply what can and what cannot happen);
Create meaningful information on the magnitude of an event and its impact; and
Rank risk based on a normalized scale that is explicitly defined, relevant and re-usable across risk analyses of all sizes and types. Similar to the DR/BC prioritization of Information Systems.
Ultimately all decisions about the treatment of risk are up to the owners of that asset. Therefore the material needs to be presented in a manner that makes the stakeholders better able to make informed decisions. The risk analysis should be presented in the context of the asset owner’s own goals and objectives and in a language they understand.
A control objective will identify the risk being addressed, and will identify ways that minimize an element of that risk— whether it is reducing threats, frequency or likelihood, or mitigating the vulnerability that makes the threat viable.
What is the total cost of ownership of the control? Besides simple capital costs, what are the long term costs of maintaining the control? What are the labor and maintenance costs? What are the costs of upgrades, changes and development?
How flexible is the control to changes in the organization or the elements that make up the risk?
Is the amount spent on the control going to be appropriate for the probable magnitude and impact of an event?
If inserted back into the risk analysis, does the control reduce the risk by an expected amount?
As with any project, it is important to ensure that the implementation follows the objectives and requirements that were previously set forth.
This step is one that we are also very well acquainted with; controls are not operated differently than in a non-risk-based methodology. RBSM does however take an additional step that measures the effectiveness of the control itself and its operation.
In order to validate that the control is satisfying the intended objectives, it is critical to measure on an ongoing basis the effectiveness of the control in relation to the original risks it is designed to mitigate. The measures must focus on clearly identifying changes in risks.
The idea is that this is a flexible model that addresses currently identified risks and any future risks that might be identified through this model.
One of the more recent options for helping implement a Risk Based Security model is RASP.
1) We need to accept that, just like us, our computers cannot distinguish good from bad. Anti-virus and other security products that claim to be able to detect malware quite simply cannot keep up.
2) The BYOD growth has helped fuel some of the growth in the perimeter security spending increase, but perimeter protection simply won’t cut it in today’s intrusion landscape;
1) RASP is capable of controlling application execution and detecting and preventing real-time attacks. It is like learning karate for self defense rather than waiting for the local police to arrive before it’s too late. Imagine what happens to malware that just bypassed the IPS on the new NGFW, but the application defends itself against it.
2)It protects from within the application, utilizing contextual insight so that you can be confident in identifying and stopping attacks that network security cannot see.
These features should see all data coming in and out of the application, all events affecting the application, all executed instructions, and all database access. Once RASP is deployed into production, the application runtime environment should be able to detect attacks and protect applications with a high level of assurance.
Not sure about legacy applications, but that was an issue too when server virtualization started taking off.
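The self-protection idea in the RASP slides and notes above, as an added illustration (not code from the presentation or from any RASP vendor): a small database layer that marks request data as tainted, lexes each statement before it runs, and refuses any statement in which that data changed the SQL structure, a decision a device in front of the application cannot make because it never sees the final query. The class and function names, the schema and the sample inputs are all constructed here.

```python
import re
import sqlite3

# Coarse SQL lexer: string literal, number, word, comment, or one punctuation char.
_TOKEN_RE = re.compile(
    r"('(?:[^']|'')*')|(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|(--[^\n]*|/\*.*?\*/)|(\S)",
    re.S,
)
_KINDS = ("STR", "NUM", "WORD", "COMMENT", "PUNCT")


def sql_tokens(sql):
    """Return [(kind, start, end)] for every token in the statement."""
    return [(_KINDS[m.lastindex - 1], m.start(), m.end())
            for m in _TOKEN_RE.finditer(sql)]


class RaspViolation(Exception):
    """Raised when outside data changed the structure of a statement."""


class SelfProtectingDB:
    """Wraps a sqlite3 connection; the taint set is refilled per request."""

    def __init__(self, conn):
        self.conn = conn
        self.tainted = set()   # strings that arrived from outside the application
        self.blocked = []      # audit trail of (sql, offending value) for the SOC

    def taint(self, *values):
        # A real product hooks the web framework and marks every request
        # parameter, header and cookie; here the handler marks its own input.
        # Simplification assumed for this example: taint is located by substring
        # search, so very short values could be matched in the wrong place.
        self.tainted.update(v for v in values if isinstance(v, str) and v)

    def check(self, sql):
        """Return True if outside data only ever sits inside ONE literal token."""
        tokens = sql_tokens(sql)
        for value in self.tainted:
            start = sql.find(value)
            while start != -1:
                end = start + len(value)
                hit = [t for t in tokens if t[1] < end and t[2] > start]
                if len(hit) != 1 or hit[0][0] not in ("STR", "NUM"):
                    self.blocked.append((sql, value))
                    raise RaspViolation(f"outside data altered SQL structure: {value!r}")
                start = sql.find(value, end)
        return True

    def execute(self, sql, params=()):
        self.check(sql)   # the self-protection hook sits in the data path itself
        return self.conn.execute(sql, params).fetchall()


def demo():
    """Constructed mini-application: one string-built query on an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    db = SelfProtectingDB(conn)

    def lookup(name):
        # Deliberately string-built, standing in for legacy code the hook must
        # cover; parameterized queries remain the real fix for such code.
        db.tainted.clear()
        db.taint(name)
        return db.execute(f"SELECT id FROM users WHERE name = '{name}'")

    results = {"normal": lookup("alice")}
    try:
        lookup("' OR 1=1 --")          # constructed probe: the structure changes
        results["probe"] = "allowed"
    except RaspViolation:
        results["probe"] = "blocked"
    results["blocked_count"] = len(db.blocked)
    return results


if __name__ == "__main__":
    print(demo())   # {'normal': [(1,)], 'probe': 'blocked', 'blocked_count': 1}
```

The blocked list is the kind of contextual event (final statement plus the exact value that broke it) that the notes say network security cannot see; it is what a RASP agent would forward to logging or a SIEM.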