Next-Generation Security Operations – Preview

Next-Generation Security OperationsPreview

Welcome to Nige the Security Guy Blog: Next-Generation Security Operations.

Next Generation Operations

Disruptive Shifts and Converging Trends

The past few years have set the stage for some disruptive shifts in network security operations. These shifts are driven in part by the rise of BYOD, mobility, virtualization and the cloud, which have resulted in a new level of complexity and fragmentation with distributed systems.

APT Attack Patterns

These disruptive shifts and converging trends have fused application and network layer functions, causing a fundamental reset of the security operations function.

  • Organizations need to shift more security resources from preventing intrusion toward rapid detection and response
  • Improving detection and response requires an intelligence-driven context-aware security approach
  • Optimizing how security technologies, resources and process work together is pivotal to scaling security capabilities
  • Automation frees up analysts to focus more on higher priority risks affecting the most critical assets and data
  • SOCs need to build collaborative cross-disciplinary teams with highly specialized skill sets to combat advanced threats
  • Evolving security operations optimizes the interplay of people, processes and, technologies to enable rapid response
  • Orchestrated management of network infrastructure will be embraced as the next big thing
  • The rise of DevOps drives much needed convergence between security and IT operations to add security by design
  • Increases need to automate and optimize security operations to more effectively leverage resources/skills shortage

cockpit-dashboard-ciso

CISO Security Operations Dashboard

The Blog will cover a diverse set of practical topics that seek to consolidate, integrate, organize, and automate infrastructure into a single security model and a holistic security management system. The currently planned topics are, as follows:

  • Active Cyber Defense
  • Attack Patterns and Threat Hunting Series
  • Attack Surface Reduction Series
  • Cloud Access Security Brokers (CASB)
  • CISO: Security Operations Dashboard
  • Data Privacy Breach Management Program Series
  • Deception, Delay and, Detection
  • Incident Response Program Series
  • Security Orchestration and Automation
  • The State of SIEM and Maturity Model

Next Generation Security Operations

The era of advanced threats calls for a new approach to information security. When dedicated cyber adversaries have the means and methods to elude commonly used defenses, such as signature based detection, it is clear that conventional approaches are no longer sufficient.

The need for a Next Generation Security Operations mindset is evident across the industry. Technologies will continue to improve but in parallel we do need to ensure that we also evolve and improve our security processes as well as invaluable resources and skills. Attackers are constantly evaluating their methods and improvising new techniques. Defenders must think in those same fluid terms to keep pace.

The value proposition for a Next Generation Security Operations program includes improved security, resource utilization and, cost-effectiveness. Together with increased visibility and vigilance defensive strategies can be precisely aimed at addressing the most significant threats and protecting the most critical assets and data. Leveraging automation and orchestration the security team will have the knowledge and the cycles it needs to make informed risk decisions and invest in the right security controls.

VERIS Overview

Return on Security Investment (ROSI)

Security done right is a business enabler that dramatically reduces total cost of ownership (TCO) providing a tangible Return on Security Investment (ROSI).

IT complexity and fragmentation replaced by an adaptive modular and flexible architecture enables agility and improves your competitive edge — so the business can refocus quickly as new opportunities emerge.

Security is a process, not just a product or technology issue.

Nige the Security Guy Bio

NigetheSecurityGuy

Nigel is a Chief Security Architect with 30 years of international experience in Security Operations, Management, Research, Development and Security Services. He started his career as an assembler programmer who was contracted by the US DoD to develop secure operating systems with multi-level security and preclude covert channels. Nigel is a passionate evangelist who loves working with organizations to share thought leadership and practical strategy to help defend against advanced targeted threats.

Thanks for your Interest!

Nige the Security Guy.

Advanced Security: From Barrier to Enabler

Advanced Security – Part 1: Evolving Security from Business Barrier to Enabler

Advanced Security – Part 2

Organizations are increasingly concerned that historical industry best-practices are being stressed by the acceleration of new malware and the increasing reports of compromise via stealthy targeted attacks.

Advanced Security Enabler

Attackers are laser-focused leveraging indirect and multi-pronged exploits to steal data or wreak havoc.

“This is fundamentally due to cybercriminals doing their homework on organizations and waging a fierce, persistent campaign to find any possible way to get a foothold in the organization.”, JD Sherry, VP Trend Micro

The insider threat has primarily morphed into phishing attacks which can leverage multiple internal security weaknesses and vulnerabilities to traverse the network and ex-filtrate data or intellectual property un-detected.

At the same time the attack surface is broad since security is horizontal and increasingly distributed – it covers many threat vectors across all extended business functions and essential services throughout the whole multi-location information technology and building infrastructure. Chances are that when the infrastructure was originally deployed it was secure, clean and, well organized. But as weeks, months, and even years pass, tactical changes in technology and the IT environment have probably occurred, weakening the security posture and opening it up to attack.

Complexity Fragmentation

The result is that security infrastructure becomes much more complex and fragmented making it harder to protect. Attackers don’t discriminate and will take advantage of any gap in protection to reach their end goal. The bad guys continually evolve and innovate. All potential threat vectors need to be holistically examined and addressed across the extended enterprise. Without a proactive but practical security strategy and vital life cycle management processes in place – the system will inevitably become vulnerable and fail.

Addressing Multi-Dimensional Threats

The terms “advanced persistent threat” (APT) and “defense in depth” have been completely overhyped in the press and are distracting organizations from the very real problem of managing targeted attacks in a rational and balanced fashion.

Many organizations lack a complete understanding of defense in depth which limits budget and can lead to revenue impacting events. Many well-intended vendors seeking to position their solutions confuse the concept of defense in depth even further.

Defense in depth requires a strategic security approach that is adaptive, establishes business-driven rules and — leverages people, process and systems harmoniously. Integration is vital as a holistic security management system.

People Process Policy Technology

Enabling Business by Integrating Policy, People, Process and Technology

The Advanced Security Series of blogs will take a multi-pronged approach to effectively addressing this increasing threat together with associated significant challenges by establishing a practical core foundation that supports a clearer definition of defense-in-depth as well as discussing the advanced security best-practices and continuous improvement processes needed.

Evolving From Business Barrier to Enabler

How do organizations cut through the hype, filter the noise – of fear, uncertainty and, doubt (FUD) and deal with real and present threats? How do organizations develop an affordable and practical defensible security posture that supports the business based upon available budget and resources and – enables it to grow competitively while managing risk and protecting critical assets? How do organizations develop a continuous cycle to consolidate, integrate and organize mission critical infrastructure into a sustainable core while still enabling healthy chaos = innovation and rapid deployment on the edge?

The secret to success in security is typically simplicity, to have a well-designed and organized infrastructure that provides the appropriate layer of controls while enabling users a consistent ‘policy managed’ experience regardless of location, network transport or device. The challenge is in achieving and maintaining that goal.

“Security is a business enabler, you can drive faster with good brakes.”, Nigel Willson

Security done right is a business enabler that dramatically reduces total cost of ownership (TCO) providing a tangible Return on Security Investment (ROSI). IT complexity and fragmentation replaced by an adaptive modular and flexible architecture enables agility and improves your competitive edge — so the business can refocus quickly as new opportunities emerge.

Back to Basic Security Principles

The primary purpose of creating a security architecture is to ensure that business strategy and IT security are aligned. As such, the security architecture allows traceability from the business strategy down to the underlying technology. However, many IT organizations have moved away from formal security architecture governance in favor of rapid deployment cycles and tactical changes which over time risk diverging into complexity and fragmentation – with unresolved security exceptions. As previously stated, complexity not only leads to insecurity and the increasing potential for human error but also increased cost of operations.

blueprint

A Blueprint to Evolve, become Agile, Multi-functional, and Competitive

A security architecture is a design document describing the security components that will protect the enterprise, and the ways they relate and interact with each other. It represents a strategic planning horizon and guide that defines the desired state of an organization’s infrastructure. The architecture sets the context for planning, design, and implementation. It enables a company to evolve and to become agile, multi-functional, and competitive, allowing the seamless adoption of new capabilities and applications into a common infrastructure. Security architecture also facilitates budgeting for security solutions and personnel.

In summary, the security architecture provides:

  • A way to evaluate applicability of new technologies, products, and services
  • A framework for technology decision-making
  • A macro view of IT systems and components, from the security perspective
  • A statement of direction for IT
  • A way to reduce and manage risk in the most cost-effective manner
  • A way to facilitate compatibility and easier administration of systems
  • A blueprint for future network growth
  • A way to create and document consensus
  • A methodology to force consideration of all design factors
  • A guide for the creation of an enabling infrastructure for unforeseen new applications

Adaptive Security Architecture Lifecycle

The security architecture is used as a baseline for consensus and direction but it needs to be active and capable of being updated. This process allows the security architecture to adapt and be agile to support the needs of the business. It evolves and sets future objectives.

System technology and users, data and information in the systems, risks associated with the system, business drivers, and security requirements are ever-changing. Many types of changes affect security: technological developments (whether adopted by the system owner or available for use by others); connection to external networks; a change in the value or use of information; or the emergence of a new threat. Creating an adaptive modular architecture leads to agility and flexibility as the organization grows.

Security RDA Evolution

Reference Design Architecture: Security Transformation

At the same time, using the architecture to develop an annual plan sets the stage for the projects that need to occur that year, and the improvements begin to converge towards and track with the architecture. Finally, with the proactive asset, risk, and policy management and infrastructure improvements, the security-risk profile is also managed, resulting in risk reduction. In this manner, not only does the security architecture drive the IT and network infrastructure direction, but it also enables the illustration of tangible results, winning continued support for the program.

Coming Soon

In Advanced Security – Part 2 we will further develop the theme of building a core foundation leveraging architecture and design principles together with defining a defensible security posture leveraging defense in depth as well as discuss advanced security best practices.

Nige the Security Guy Bio

NigetheSecurityGuy

Nigel is a Chief Security Architect with 30 years of international experience in Security Operations, Management, Research, Development and Security Services. He started his career as an assembler programmer who was contracted by the US DoD to develop secure operating systems with multi-level security and preclude covert channels. Nigel is a passionate evangelist who loves working with organizations to share thought leadership and practical strategy to help defend against advanced targeted threats.

Thanks for your Interest!

Nige the Security Guy.

Advanced Defense Posture Assessment

Advanced Defense Posture Assessment: Analytical Tradecraft to Evolve Detection Capability and Precision

NG-OPS Advanced Defense
Defensible Security Posture
APT Detection Framework

Multi-dimensional Targeted Threats continue to evolve and exploit vulnerabilities that lead to significant loss of data and resources for organizations of all regions and sizes. These attacks are very much today’s news. They represent a danger to an organization’s intellectual property, financial assets and reputation.

Advanced Defense Posture
The era of advanced threats calls for a new approach to information security. When dedicated cyber adversaries have the means and methods to elude commonly used defenses, such as signature based detection, it is clear that conventional approaches are no longer sufficient.

“Breaches happen in hours but often go un-detected for weeks or even months.”

Advanced targeted threats present challenges that are distinct from traditional security risks. There are too many entry points in today’s virtual enterprise, too many individual endpoint security solutions triggering alerts, too much security threat intelligence to process in real-time. More importantly, there are too few trained personnel who can spot and respond to advanced threats.

The pain points all cry out for a common holistic solution: Advanced Defense based upon Actionable Intelligence and ever evolving Analytical Tradecraft to continually improve detection capability and precision.

Detection Precision versus Cost

This blog is a part of the new Smart Practices Series complemented by the NG-OPS Advanced Security Series which will drill into greater details on the methodology and concepts used by these proposed advanced best-practices. Advanced Defense takes your organization to the next-level of detection capability.

Potential Benefits

  • Baseline and Validate Defensible Security Posture
  • Benchmark against Advanced Defense Reference Architecture (see NG-OPS Advanced Defense series)
  • Identify Gaps in Detection Capability, Visibility, Precision
  • Develop Advanced Defense Strategy & Roadmap with Continuous Analytical Improvement

Features

  • Leverage Intrusion Kill Chain
  • Advanced Defense Reference Architecture
  • APT Detection Framework
  • Defensible Actions Matrix
  • Develop Advanced Defense Strategy & Roadmap

Advanced Defense

Today’s cyber security paradigm is a reactive cycle: when a threat is exposed, it is analyzed and a counter-solution is designed with response times varying from weeks to years. The trouble is that attackers can easily reuse pieces of previous malware, modify them, and create a brand new threat, bypassing the newly updated security measures.

In today’s threat environment the only constant is change. In fact, everything is changing – the way our users work, the types of adversaries we face, and the techniques hackers use to infiltrate our networks. Such threats have become even more sophisticated than ever, bringing new risks and uncertainties that require more visibility in operations.

Attack vs Defense

The Attacker versus Defender View

The need for an Advanced Defense mindset is evident across the industry. Technologies will continue to improve but in parallel we do need to ensure that we also evolve and improve our security detection capability and precision, processes as well as invaluable resources and skills.

“Attackers are constantly evaluating their methods and improvising new techniques.
Defenders must think in those same fluid terms to keep pace.”

Advanced Defense Posture (ADP) Assessment

An ADP assessment evaluates your organization’s evolving ability to detect, contain, investigate and respond to a targeted or advanced threat. The assessment methodology is designed to help organizations to, as follows:

  • Understand defensible security posture
  • Benchmark and validate ability to address stealthy targeted threats
  • Take proactive actions to continually improve detection capability and precision
  • Use a set of indicators or behaviors to enhance situational awareness.

Leveraging the Intrusion Kill Chain

The Advanced Defense Posture assessment makes use of the Intrusion Kill Chain. In any targeted attack there are typically a pre-defined set of phases that act as a ‘signature’. The importance is not that this is a linear flow – some phases may occur in parallel, and the order of earlier phases can be interchanged – but rather how far along an adversary has progressed in order to be able to quickly detect, contain and, respond.

Intrusion Kill Chain

Simplified View of Intrusion Kill Chain

The intrusion kill chain becomes a model for actionable intelligence to help align organizational defensive capabilities to the specific processes an adversary undertakes to target your organization.

The end goal of this is to analyze the data for patterns of attack methods, behaviors of distinct hostile actors, and other indicators which can inform the development of unique adaptive and agile responses. The assessment addresses key questions, for example:

  • What scenarios do we need to be able to detect?
  • What are our options for detecting them?
  • What are the strengths and weaknesses of our detection program today?
  • What is our detection stance against specific actors?
  • What is our overall plan for detection across our enterprise?

ADP Assessment Methodology

The ADP assessment process should include:

ADP-A Methodology

Advanced Defense Posture Assessment Methodology
  • Baseline Current Defensive Posture
    • Conduct discovery sessions to clearly identify defensible architecture, key assets/services and, posture
    • Document baseline across Intrusion Kill Chain using APT Detection Framework
  • Reference Architecture Analysis
    • Identify tools, tactics, techniques  gaps and improvements in detection capability/precision using Advanced Defense Reference Architecture to establish goal  (see NG-OPS Advanced Defense series)
  • Identify Defensible Actions Matrix
    • Determine detection toolset, i.e., tactics, techniques and, procedures to Detect, Deny, Contain, Disrupt Eradicate, Deceive or, Recover
  • Develop Advanced Defense Strategy & Roadmap
    • Develop Advanced Defense Strategy & Roadmap to remediate gaps, deploy improvements and, leverage continuous improvement  (see NG-OPS Advanced Defense series)

Conclusion

Recent incidents clearly demonstrate that cybercriminals can conduct operations that involve intrusion, lateral movement, and data exfiltration in complex networks secured to current best-practices. Attackers can adapt their attack techniques to the unique circumstances of targeted environment.

This level of resourcefulness points to the realization that current best-practices and regulatory compliance are a necessary minimum baseline but are not sufficient alone. Today there is an increasing need for organizations to progressively evolve and advance from current security posture to a more defensible and advanced defense program with visibility, validation and, vigilance.

My solutions include the adoption of a security architectural and design foundation approach that compartmentalizes breaches into managed zones on networks and on endpoints. To strategically leverage the Adaptive Zone Defense series of blogs to develop an innovative architecture foundation with well-organized applications and services, managed communications and – good visibility to flows and logs that can actually detect the cyber kill chain activity and stop the breach.

This requires an ongoing lifecycle process with evolving actionable intelligence and analytical tradecraft to take the now legacy, rapidly deployed and complex infrastructure to consolidate it into a new core foundation based on the architecture/design blueprint, while continually evolving the blueprint based on new business requirements, technology solutions and, regulatory requirements, for more information see: Adaptive Security Lifecycle.

Coming Soon

  • APT Detection Indicators – Part 4: Behavioral Indicators Lifecycle
  • APT Threat Analytics – Part 3: Targets, Threat Actors, Scenarios & Modeling
  • NG-OPS Advanced Defense – Part 2: Analytical Tradecraft Practices
  • NG-OPS Advanced Defense – Part 3: Network Profiling and Validation

Thanks for your interest!

Nige the Security Guy.

NG-OPS Advanced Defense – Part 1

NG-OPS Advanced Defense – Part 1: Identifying Defense Gaps & Improving Visibility

NG-OPS Strategy Guide
Advanced Defense Posture Assessment
NG-OPS Advanced Defense – Part 2

Today’s cyber security paradigm is a reactive cycle: when a threat is exposed, it is analyzed and a counter-solution is designed. The trouble is that attackers can easily reuse pieces of previous malware, modify them, and create a brand new threat, bypassing the newly updated security measures [1].

NG-OPS Advanced Defense

There are too many APT entry points in today’s virtual enterprise, too many individual endpoint security solutions triggering alerts, too much security threat intelligence to process in real-time. More importantly, there are too few trained personnel who can spot and respond to advanced threats. The pain points all cry out for a common holistic solution: NG-OPS Advanced Defense.

APT Prevalent Dangerous

The APT Conundrum and Challenges

Many organizations suffer from a lack of detection capability and precision, holistic situational awareness and behavioral anomaly detection, i.e., visibility. There is  too broad an attack surface, gaps in defense and, integration issues that together lead to reduction in the ability to detect, contain and respond to targeted attacks.

The typical challenges include, as follows:

  • Focus on prevention approach to address threat landscape
    • Fails to address increasing attack complexity and persistence with enough efficacy
  • Investments in protection model out of balance with today’s threat landscape
    • Technologies that don’t work together
  • Uncoordinated monitoring and compilation of security events & threats
    • Flood of unmanageable data = “Loss of visibility”
  • Organizations lack visibility into defense gaps, to enhance detection capability and precision
  • Organizations have not fully leveraged the kill chain life cycle approach
    • Reason why attackers are continuing to be so successful.
  • Common security architectures and compliance regimes are not prioritizing methods to address the kill chain

Reallocate Security Spend

Re-allocate Budget to Advanced Security Capabilities

The Changing Threat Environment

There is a growing need and urgency to evolve towards Advanced Security with a continually improving Detection, Containment and Response Capability. This is fundamentally due to cybercriminals doing their homework on organizations and waging a fierce, persistent campaign to find any possible way to get a foothold. Attackers have a fine tuned malware development process that is increasing in efficiency.

  • Evolving Malware Development Process
    • Create Malicious Tool (x 1)
    • Obfuscate Malware, Create Permutations (x 10,000)
    • Test against Detection Engines (OK)
    • Deploy Un-Detected Samples
  • Availability of Malware Tools
    • Results in high degree of Attack Automation
    • From systematic identification of targets to fully automated exploitation
  • Leads to increase in opportunistic attacks
    • Attacker no longer needs expertise or special skills

Malware Development

Malware Development Increases in Efficiency

Detection is the Weakest Link

Common intrusion detection methods are lacking in their ability to detect multi-step blended and targeted attacks.

Breach Detection Timespans

The Signature of an APT

A targeted attack aka advanced persistent threat (APT) is a targeted effort to obtain or change information by means that are difficult to discover, difficult to remove and difficult to attribute.

APT Attack Kill Chain 2

First – the bad guys get in. Always. It doesn’t matter if it’s social engineering, phishing, or some contractor organizations didn’t watch closely enough.  Sooner or later they find the weak spot and they exploit it – despite all of the best plans to keep them out. Target retail stores learned this the hard way. Who would have guessed that an HVAC system could be a point of weakness?

Case Study: The Target Attack Step-by-Step

In December 2013 – Target announced that it had been breached by attackers who had gotten away with 70M customers’ Personal Identifiable Information (PII) and 40M credit cards, financial damages currently stand at $148M, and are estimated to reach $1B. A high-level summary of the steps taken mapped to the kill chain are:

Target Kill Chain

  • Install malware to steal credentials from Target’s HVAC vendor.
  • Connect using stolen credentials, enables access to Target’s application dedicated to vendors.
  • Exploit a web application vulnerability on Target’s Web interface enables the attackers to execute code on Web application server.
  • Search relevant targets for propagation by LDAP querying Active Directory from the Web application’s server.
  • Steal access token from Domain Admin of the previously connected Domain Admin from the memory of application server.
  • Create new Domain Admin account using the stolen token in AD.
  • Propagate to computers using the new Domain Admin credentials
  • Steal 70M PII. Do not find credit cards, data is extracted using SQL
  • Steal 40M Credit Cards. The data is extracted by the Kaptoxa malware from the memory of the POS system.
  • Send stolen data to an FTP server in Target’s internal network.
  • Send stolen data via FTP to attackers-controlled FTP server.

Enabling Advanced Defense

Second – once they are in, organizations better figure out how to spot them. Developing, tuning, optimizing and evolving situational awareness and behavioral analysis allows network anomalies to be used to detect the different stages of APTs using various indicators.

  • Factors associated with APT attacks include the following:
    • Sudden increases in network traffic, outbound transfers
    • Unusual patterns of activity, such as large transfers of data outside normal office hours or to unusual locations
    • Repeated queries to dynamic DNS names
    • Unusual searches of directories and files of interest to an attacker, e.g., searches of source code repositories
    • Unrecognized, large outbound files that have been compressed, encrypted password-protected
    • Detection of communications to/from bogus IP addresses
    • External accesses that do not use local proxies or requests containing API calls
    • Unexplained changes in the configurations of platforms, routers or firewalls
    • Increased volume of IDS events/alerts

Attacker Defender View

Proactive Defensive Measures to Address Unknown Threats

Coming Soon

In NG-OPS Advanced Defense – Part 2  we will further develop the concept of developing and evolving an Advanced Defense security posture that identifies any gaps, improves detection capability and precision, enables proactive defensive measures to address unknown threats and — holistically integrates and operates continuous intelligence, detection and, response.

NG-OPS Ecosystem

In order to help organizations reduce operational overhead the NG-OPS Strategy Series will also include the following blog articles (although topics will be added as the theme develops and evolves):

  • NG-OPS SOC Version 2.0: Build a Next Generation Security Operations Center to protect critical assets
  • NG-OPS Evolving a SOC Team: Building, Nurturing and Evolving Security Operations Staff
  • NG-OPS Operational Maturity: Migrating from Reactive to Dynamic Defense and Cyber Resilience
  • NG-OPS Automation & Orchestration: The Next Big Thing: Automation and Orchestration
  • NG-OPS Threat Modeling: Manage complex systems using a structured methodical framework
  • NG-OPS Risk Management 2.0: Shifting focus from technical assets to critical business processes
  • NG-OPS Smart Telemetry: Leveraging 3 levels of telemetry: End-point, Gateway and, Infrastructure
  • NG-OPS Security DevOps: The critical convergence of security and IT operations with DevOps 

This new NG-OPS Strategy Guide builds upon and enhances the current APT Strategy Guide and Security Architecture Series Guide introducing a whole new set of topics into the framework.

Nige the Security Guy Bio

NigetheSecurityGuy

Nigel is a Chief Security Architect with 30 years of international experience in Security Operations, Management, Research, Development and Security Services. He started his career as an assembler programmer who was contracted by the US DoD to develop secure operating systems with multi-level security and preclude covert channels. Nigel is a passionate evangelist who loves working with organizations to share thought leadership and practical strategy to help defend against advanced targeted threats.

Sources:

[1] Why cyber criminals are winning: The secret weapon of the black hats

[2] ISMG Advanced Persistent Threats Survey: New Strategies to Detect, Prevent, and Defend

Thanks for your interest!

Nige the Security Guy.

Security Architecture Series Guide

Security Architecture Series Guide: Navigating Security Architecture Strategy & Roadmap

The primary purpose of creating an enterprise security architecture is to ensure that business strategy and IT security are aligned. As such, enterprise security architecture allows traceability from the business strategy down to the underlying technology.

Security Architecture Series Guide

Business Value Proposition

A security architecture is a design document describing the security components that will protect the enterprise, and the ways they relate and interact with each other. It represents a strategic planning horizon and guide that defines the desired state of an organization’s infrastructure.

The architecture sets the context for planning, design, and implementation. It enables a company to evolve and to become agile, multi-functional, and competitive, allowing the seamless adoption of new capabilities and applications into a common infrastructure. Security architecture also facilitates budgeting for security solutions and personnel.

In summary, the security architecture provides:

  • A way to evaluate applicability of new technologies, products, and services
  • A framework for technology decision-making
  • A macro view of IT systems and components, from the security perspective
  • A statement of direction for IT
  • A way to reduce and manage risk in the most cost-effective manner
  • A way to facilitate compatibility and easier administration of systems
  • A blueprint for future network growth
  • A way to create and document consensus
  • A methodology to force consideration of all design factors
  • A guide for the creation of an enabling infrastructure for unforeseen new applications

This Security Architecture Series Guide blog provides an overview of the series to enable readers to facilitate navigation. The series includes the following detailed topics:

Security Architecture Series Guide

Think You’re Secure? Think Again.

Today, with the advent of APTs attackers are laser-focused on multi-pronged exploits that steal data or wreak havoc.  Security is horizontal … it covers all IT infrastructure. The result is that security infrastructure becomes much more complex and fragmented. Attackers don’t discriminate and will take advantage of any gap in protection to reach their end goal. The bad guys continually evolve and innovate. All potential threat vectors need to be examined and addressed.

pc_vs_network_vs_mobile

The secret to success in security is typically simplicity, to have a well designed and organized infrastructure that provides the appropriate layer of controls while enabling users a consistent ‘policy managed’ experience regardless of location, transport or device. The challenge is in achieving that goal. Stay tuned for more information on lessons learned and experience from the field, success stories and, practical case studies.

Think You’re Secure? Think Again.

Security Architecture Primer

The primary purpose of creating an enterprise security architecture is to ensure that business strategy and IT security are aligned. As such, enterprise security architecture allows traceability from the business strategy down to the underlying technology.

Technology Foundation

However, many IT organizations have moved away from formal security architecture governance in favor of rapid deployment cycles and tactical changes which over time risk diverging into complexity and fragmentation – with unresolved security exceptions. Complexity not only leads to insecurity and the increasing potential for human error but also increased cost of operations.

Security Architecture Primer

Security Architecture Baseline

Once distributed roles and responsibilities are identified and established for the security architecture project team, the next important step is to add to that foundation with a security architecture project baseline.

This blog in the series will enable organizations to create that baseline by defining and reviewing applicable regulations, security policy and standards, identifying and classifying information assets and resources, and conducting a risk and threat analysis.

Security Architecture Baseline

Risk-Aware Security Architecture

We continue the series to develop an on-going threat analysis and risk management process – as key requirements to guide architectural direction and also design/implementation to support mitigation of risks/threats via compensating controls and/or countermeasures or, enable the transfer of risk to other parties, acceptance as a business risk (exception process) or, seek avoidance.

Risk ManagementProcess

Risk-Aware Security Architecture

Develop Security Architecture

The next step is to build the security architecture and migration strategy. This strategy lays the foundation for a successful deployment and the ongoing integration of additional applications and services. We cannot emphasize enough that the quality of up-front planning is one of the biggest factors determining the success and degree of payoff from a security project.

Security Services

This section enables organizations to assemble and align the pieces necessary to develop, update, or validate a modular and flexible security architecture.

Develop Security Architecture

Product and Solution Selection

The security architecture and migration strategy (which now embodies your approved and prioritized requirements) may recommend specific products, or it may recommend going through a competitive process to select products. In either case, partner selection isn’t final until costs and schedules are nailed down, funding approved, and contracts signed.

Vendor ComparisonThe architecture is an important foundation for selecting the right vendors, partners, and approaches. However, additional tools are required during product evaluation and procurement. Relatively informal Requests for Information (RFIs) can bring the team up to speed on the advantages and disadvantages of various products. Formal requests for proposals (RFPs) should form the final basis for vendor selection and tasking.

Product and Solution Selection

Security Architecture Implementation

The security architecture defines and justifies a number of solution implementation, integration and/or improvement projects each year, based on budget, resources and, priority. As such, a master project plan should be created that takes into account identified dependencies, integration points and any parallel tasks.

Security Plan

To plan implementation of a security solution, you must identify where project execution resources will come from, develop an implementation plan, obtain buy-in for the implementation plan, and create a detailed design for the configuration and deployment of the security infrastructure.

Security Architecture Implementation

Adaptive Security Lifecycle

Infrastructure and the environments in which they operate are dynamic and continually evolving over time, especially in our rapid deployment world. Many fast-tracked organizations start out with a well-designed, orchestrated and secure architecture but organically, like Firewall rules it devolves and diverges into increasing levels of complexity and fragmentation.

Adaptive Lifecycle

Applications and systems grow exponentially creating increasingly complex connectivity and relationships that result in a spiders web of interfaces across domains. Complexity leads to insecurity, increased risk of human error and, a substantial increase in the cost of operations and maintenance. The result dramatically impacts the organizations ability to deploy rapidly and efficiently and move forward with agility.

Security done right is a business enabler that dramatically reduces total cost of ownership (TCO)
providing a tangible Return on Security Investment (ROSI).

IT complexity and fragmentation replaced by an adaptive modular and flexible architecture enables agility and
improves your competitive edge — so the business can refocus quickly as new opportunities emerge.

Security is a process, not just a product or technology issue.”

Nigel P. Willson

Adaptive Security Lifecycle

Architecture Case Study – Part 1 & 2

In the Security Architecture Series of blogs we have shared all of the steps involved in requirements gathering, baseline, product and solution selection and, through to realizing the architecture. This blog presents an Architecture Case Study that uses those principles and recommendations as a practical example. The illustration provides a conceptual simplified view of the program use case.

Defense in Depth Part 1 takes the reader from Architecture development through to the Technical Recommendation then Part 2 takes the reader from Design to Deployment strategy with Implementation and Migration.

Architecture Case Study – Part 1

Architecture Case Study – Part 2

Thanks for your interest!

Nige the Security Guy.

vCISO Smart Practices – Part 1

vCISO Smart Practices – Part 1: Enabling Success via Collaboration Infrastructure

The Internet of Things offers a tremendous opportunity for businesses to truly transform themselves by realizing the potential of data that is sitting, untapped, in existing infrastructures. The challenge to unlocking that data is the evolution towards a Secure Collaboration Infrastructure.

vCISO Smart Practices

This blog introduces our vCISO Smart Practices series which kickoff with a fundamental discussion on the importance and value of human collaboration and teamwork as a foundational cross-discipline cross-functional ‘Architecture Team’. We also offer an introduction to the blog author, Nige the Security Guy (@NigeSecurityGuy).

This blog series will later address a truly distributed security architecture that supports the Collaboration Infrastructure and applies Smart Practices to that as we evolve rapidly towards the new and exciting yet challenging IOT.

“Training often gives people solutions to problems already solved.
Collaboration addresses challenges no one has overcome before.” Marcia Conner

Sharing and Reciprocity

Collaboration and sharing is a sophisticated skill that asks people who work together to look beyond personal interests towards outcomes benefiting the whole. Collaboration and sharing is a great way to address complex challenges, since it has the potential to tap communal creativity and unleash true innovation and earn genuine buy-in.

Collaboration

Collaboration, at the conceptual level, involves:

  • Awareness – We become part of a working entity with a shared purpose
  • Motivation – We drive to gain consensus in problem solving or development
  • Participation – We participate in collaboration and we expect others to participate
  • Mediation – We negotiate and we collaborate together and find a middle point
  • Reciprocity – We share and we expect sharing in return through reciprocity
  • Reflection – We think and we consider alternatives
  • Engagement – We proactively engage rather than wait and see

Together we can build a safe and increasingly more secure environment …

 “Security done right is a business enabler that dramatically reduces total cost of ownership (TCO) providing a tangible Return on Security Investment (ROSI).

IT complexity and fragmentation replaced by an adaptive modular and flexible architecture enables agility and improves your competitive edge — so the business can refocus quickly as new opportunities emerge.” Nigel P. Willson

People Process Policy Technology

A critical success factor towards successfully deploying a collaboration infrastructure is orchestrated policy, focused resources and, well-defined process that fully leverages and unlocks technology. As a creative solutions-focused, charismatic, and passionate security evangelist Nigel Willson is available to consult as a Trusted Security Services Partner to collaboratively assist organizations to iteratively improve and optimize their security as a virtual team member in the role of vCISO, IT Security Strategist and, Architect.

Nige the Security Guy: Professional Profile

Architect Blueprint

Nigel P. Willson
Principal Security Architect
AT&T Security Solutions

Nigel Willson is a Principal Security Architect at AT&T with 30 years of experience in Security Operations, Management, Research, Development and Security Services providing thought leadership, architecture/design and practical strategy.

Nigel has responsibilities as Security SME for AT&T complex cyber security solutions across the portfolio of security consulting, managed security services and mobile security solutions.

He specializes in collaboration as both a Trusted Advisor and Virtual Chief Information Security Officer (vCISO) helping companies to evolve and improve their security capability maturity and posture in the following areas:

  • IT Security Governance, Strategy, Roadmap
  • Security Architecture & Design (including adaptive security architecture lifecycle)
  • Security Operations (including advanced threats, detection frameworks, defensible posture)
  • Threat Intelligence & Risk Management (focused on business processes)
  • Security Research & Analyst
  • Regulatory Compliance

AT&T Security Solutions is the AT&T Advanced Enterprise Solutions customer facing security opportunity team. His participation is consistently solicited by AT&T teams and AT&T customers as both a Trusted Advisor and Security SME in both the private and public sectors. Nigel joined AT&T as a Practice Director, Security via the acquisition of Callisma (AT&T Consulting Solutions) in 2005.

Prior to joining AT&T, Nigel worked as a Practice Director, Security for Avaya Converged Security as well as TCS America responsible for the development of discrete security consulting services and leading teams of security consultants. He previously worked as the Director, Security for The Walt Disney Company focused on global Internet Security for 27 business units including ABC, Disney On-Line, and ESPN.

Nigel is a former assembler programmer and reverse engineer (ethical hacker) with a diverse international background. He has worked on U.S. DoD projects developing security products and technology for the World-Wide Military Command and Control System (WWMCCS) and Military Airlift Command Deployment Flow (MACDF).

Magazine2

He is a published author of many security guides, books, magazine articles and currently operates a security-focused NigeSecurityGuy blog providing impartial practical advice and methodology on security architecture, assessments and, advanced persistent threats (APTs). Nigel also operates the ‘Solving the APT Defense Puzzle’ group on Linked-In, a reference library of useful research and topics.

Nigel was recently selected as a finalist in the InfoSec Europe 2014 Security Bloggers awards and was invited to publish an article on Leveraging Security as a Business Enabler.

Nigel’s passion is taking blog readers Back to Basics to focus on key security principles to develop a strong architectural foundation (Security Architecture Series) and from that add advanced threat defense (APT Strategy Guide) as well as security operations optimization (NG-OPS Strategy Guide).

Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it is the only thing that ever has.”

Background Summary

  • International Background — 30 years international experience gained as security expert across England, Australia, France and, the USA.
  • Strategic Architect – Cloud-Orientated Architecture, BYOD, Mobile, Security Operations, Risk, Intelligence, Analytics, Metrics, Visualization – Situational Awareness: Detect, Contain, Investigate, Eradicate, Recover
  • Director, Security @ Disney – Establish strategic architecture team, develop successful proactive security management program.
  • Published Author – Author and co-author of many security guides, books and, magazine articles.
  • Security Consultant — 15 years thought leadership and strategy experience consulting to Fortune 500 companies.
  • Security Engineer – Developed new security protocols and products for U.S. Department of Defense (DoD), e.g., MACDF and WWMCCS. Used in Gulf War. Worked on multi-level security and covert channel prevention.
  • Reverse Engineer – Original assembler programmer, ethical hacker and reverse engineer who could analyze code and manipulate any technology, protocol or system.
  • Awards Plaque: AT&T April 2008: In Recognition of Unwavering Commitment, Steadfast Leadership and Outstanding Performance on the California State University ITRP program.

Next Generation Operations

Thanks for your Interest!

Nige the Security Guy.

NG-OPS Strategy Guide

NG-OPS Strategy Guide: Navigating the Next Generation Security Operations Ecosystem

In today’s threat environment the only constant is change. In fact, everything is changing – the way our users work, the types of adversaries we face, and the techniques hackers use to infiltrate our networks. Such threats have become even more sophisticated than ever, bringing new risks and uncertainties that require more visibility in operations — thus a Next Generation Security Operations mindset.

NG-OPS Strategy Guide

This NG-OPS Strategy Guide introduces a new blog series on the Next Generation Security Operations Ecosystem to build upon and complement our prior blog series, they are as follows:

  • Security Architecture Series
  • Security Program Best-Practice Series
  • Security Assessment Series
  • APT Strategy Series

Disruptive Shifts and Converging Trends

The past few years have set the stage for some disruptive shifts in network security operations. These shifts are driven in part by the rise of BYOD, mobility, virtualization and the cloud, which have resulted in a new level of complexity and fragmentation with distributed systems.

Occurring in tandem, the proliferation of applications and infrastructure services inside the organization requires holistic organization into trust zones based upon risk and classification (see Adaptive Zone Defense) as well as greater policy orchestration, management and, visibility across access boundaries (inter-zone).

Next Generation Operations

The ability to translate complex business and organization goals into a set of automated data center workflows is critical to not slowing down the application delivery process. It is also an essential part of making compliance and security requirements a lot easier to manage in a very dynamic environment. Network security needs to transform into agile and adaptive end-to-end automated processes. This requires a systems approach when thinking about network security.

“The threat can be broken down into three components: intent, opportunity, and capability.
Organizations need to know, ‘What is the intent of adversaries? What are the opportunities available to them?
And what capabilities do they have to exploit the opportunities?”

Felix Mohan, Senior Vice President and
Chief Information Security Officer, Airtel

The delivery of an application can trigger a cascading series of actions to ensure that the application is delivered efficiently and in compliance with any regulatory requirements. Next-generation firewalls (NGFWs) now provide the ability to implement policies based on applications, users and content, and they can provide the appropriate hooks for automation and orchestration solutions.

These disruptive shifts and converging trends have fused application and network layer functions, causing a fundamental reset of the security operations function.

  • Organizations need to shift more security resources from preventing intrusion toward rapid detection and response
  • Improving detection and response requires an intelligence-driven context-aware security approach
  • Optimizing how security technologies, resources and process work together is pivotal to scaling security capabilities
  • Automation frees up analysts to focus more on higher priority risks affecting the most critical assets and data
  • SOCs need to build collaborative cross-disciplinary teams with highly specialized skill sets to combat advanced threats
  • Evolving security operations optimizes the interplay of people, processes and, technologies to enable rapid response
  • Orchestrated management of network infrastructure will be embraced as the next big thing
  • The rise of DevOps drives much needed convergence between security and IT operations to add security by design
  • Increases need to automate and optimize security operations to more effectively leverage resources/skills shortage

People Process Policy Technology

Reducing Operational Overhead

It’s a known fact that a lot of time is typically wasted on analyzing false positives generated by technology that is not correctly baselined, customized, tuned, optimized. Depending upon the environment, false positives can often be numerous and very difficult to verify, costing analysts valuable time determining whether or not something is an event the analyst should be worried about.

The tenets for this Next Generation Security Operations series are simple:

  • Increase visibility across the enterprise to identify active threats quickly
  • Understand the business impacts to better respond
  • Utilize resources to the fullest

“People in the SOC need ways to react faster and better — they need ways to improve the efficiency of what they do.
They need ways to reduce the amount of time between the onset of an attack and the time it’s stopped or remediated.”

Rich Mogull, founder of Securosis

NG-OPS Ecosystem

In order to help organizations reduce operational overhead the NG-OPS Strategy Series will currently include the following blog articles (although topics will be added as the theme develops and evolves):

  • NG-OPS SOC Version 2.0: Build a Next Generation Security Operations Center to protect critical assets
  • NG-OPS Evolving a SOC Team: Building, Nurturing and Evolving Security Operations Staff
  • NG-OPS Operational Maturity: Migrating from Reactive to Dynamic Defense and Cyber Resilience
  • NG-OPS Automation & Orchestration: The Next Big Thing: Automation and Orchestration
  • NG-OPS Threat Modeling: Manage complex systems using a structured methodical framework
  • NG-OPS Risk Management 2.0: Shifting focus from technical assets to critical business processes
  • NG-OPS Smart Telemetry: Leveraging 3 levels of telemetry: End-point, Gateway and, Infrastructure
  • NG-OPS Security DevOps: The critical convergence of security and IT operations with DevOps 

Please feel free to propose additional topics and/or vote for which topics should get published before the others.

This new NG-OPS Strategy Guide builds upon and enhances the current APT Strategy Guide introducing a whole new set of topics into the framework.

APT Strategy Maps

APT Strategy Guide Framework

Conclusion

The era of advanced threats calls for a new approach to information security. When dedicated cyber adversaries have the means and methods to elude commonly used defenses, such as signature based detection, it is clear that conventional approaches are no longer sufficient.

The need for a Next Generation Security Operations mindset is evident across the industry. Technologies will continue to improve but in parallel we do need to ensure that we also evolve and improve our security processes as well as invaluable resources and skills. Attackers are constantly evaluating their methods and improvising new techniques. Defenders must think in those same fluid terms to keep pace.

The value proposition for a Next Generation Security Operations program includes improved security, resource utilization and, cost-effectiveness. Together with increased visibility and vigilance defensive strategies can be precisely aimed at addressing the most significant threats and protecting the most critical assets and data. Leveraging automation and orchestration the security team will have the knowledge and the cycles it needs to make informed risk decisions and invest in the right security controls.

Thinking-Security

Orchestrating People and Process with Technology

Many enterprises are looking toward 3rd party security services to help them handle some elements of their defense. But that doesn’t mean the expertise of the SOC staff will become less important. In fact, most experts agree the next-generation security analyst will have to be smarter than ever. The security staff of the future is going to need expertise not only about the domain they’re defending, but also contextual expertise to determine what combinations of events might present a threat. On top of that, they’re going to need analytical expertise so that they can determine the source of the threat — and how to stop it

Thanks for your interest!

Nige the Security Guy.