SV ISACA - PowerPoint PPT Presentation

About This Presentation
Title:

SV ISACA

Description:

How Are We Managing Security Now? Why Aren't We Managing Proactively Now? ... Automated data gathering produces huge volumes of information - unmanageable ... – PowerPoint PPT presentation

Slides: 23
Provided by: Jpa120

Transcript and Presenter's Notes

1
Proactive Enterprise Security Management: If it
ain't fixed, let's break it
  • SV - ISACA
  • Aaron Davies-Morris, CISSP
  • Sr. Director Business Development
  • Preventsys, Inc.

2
Outline
  • How Are We Managing Security Now?
  • Why Aren't We Managing Proactively Now?
  • Why is Reactive Management Not Working?
  • Move to Proactive Enterprise Security Management

3
How Are We Managing Security Now?
[Figure labels: Exposure, Risk, Awareness, Remediation Efforts, Time]
4
We're not. We're Reacting
IT security is defeated
5
We're Not. We're being Overwhelmed
Real-time security isn't fast enough
6
We're Not. We're Searching
Stop looking for a silver bullet
7
We're Not. We're Not Enabled.
Today's vulnerability management and IP tools
fall short
8
Why Aren't We Managing Proactively Now?
  • Manual tasks mean auditing doesn't scale. A
    small (often less than 2) of the network is
    sampled empirically; however, hackers don't
    sample!
  • Automated data gathering produces huge volumes of
    information - unmanageable
  • Manual analysis requires careful examination of
    data by skilled and experienced personnel
  • Report generation requires different skill sets
    and is time consuming
  • Recommendations often met with skepticism
  • Assessment process is so time consuming that
    results are stale by the time the work is
    complete
  • Analysis is arbitrary and subjective, dependent
    on skills and motivations of auditor
  • Infrequent audits mean that remediation efforts
    come in huge increments that often are beyond the
    capabilities of already taxed IT departments
    - eating an elephant
  • Policy (the roadmap) documents are cumbersome and
    expensive to create/update
  • It is challenging to operationalize your
    plan/program
  • There is a lack of consistency to security
    implementations
  • Exceptions to policy are not noticed or
    documented - who owns the risk?
  • IT staff ends up making significant risk
    management decisions without support from
    empowered decision makers

9
Why is Reactive Management Not Working?
  • Some types of common auditing activities
      • Snapshot Assessment Activities
          • Traditional IT Audit
          • Attack and Penetration Testing
          • Security Assessments
      • IDS/IPS
          • Too much noise
          • Challenging to get effective coverage
      • SIM
          • Created to solve IDS problems
          • Better IDS analysis
          • Manages security by autopsy
          • Very effective at managing incident response
      • VM
          • Not broad enough
          • One assessment source is not enough
          • Technical issues are not the only security
            problems
  • Attacks are changing
  • Vectors are increasing

10
How Should We Be?
[Figure labels: Exposure, Awareness, Risk Acceptance or Remediation, Risk, Remediation Efforts, Time]
11
Move to Proactive Enterprise Security Mgmt
  • Stop the security threats before they become
    incidents
  • Ensure business continuity and avoid network
    disruptions
  • Manage the complete security lifecycle across
    the network
  • Control and ensure security compliance

12
Key components of an enterprise security
management system
13
Communicate Clearly
14
Set Priorities
15
Make it Dynamic
16
Make it Comprehensive
17
Create a Control Center
18
Shift your Expectations
  • New Reality
      • Proactively fixing riskiest exposures first
      • Continually managing security as a normal process
      • Equipped to successfully preempt attacks
  • Accepted Norm
      • Overwhelmed by number of vulnerabilities
      • False sense of security by firewalls and IPS
      • Automated Intrusion prevention isn't practical

19
IT Security Management: A Lifecycle Process
20
Proactive Enterprise Security Management
  • Discover & Assess
      • Gather info uniformly and with great frequency
        using multiple technical and human information
        sources
      • Define rules - robust policy in both English and
        machine-compatible format
      • Correlate in the context of your rules and ease
        your burden
      • Prioritize - Provide a mechanism to code business
        logic into gathered info and rapidly decide what
        to
      • Learn with specificity what must be fixed (and
        why!)
      • Automate analysis based on higher order topics
        (architecture, comp. controls)
      • Eliminate spreadsheets, guessing and
        head-in-the-sand!
  • Shield/Mitigate
      • Allocate reactions based on vuln, asset, threat,
        probability of threat, and compensating controls
        in a rapid manner with ability to measure what's
        done
  • Monitor & Maintain
      • Gain assurance that operational aspects of
        security are sound
      • Manage the process of security and remediation
      • Provide comprehensive upward visibility
      • Avoid gross negligence

21
The Benefits
  • Offloads analysis from humans, radically
    increases scope and frequency of audits while
    decreasing costs
  • Proactive approach leverages advances in scanner
    techniques
  • Information presented as violations of pre-stated
    rules, therefore much easier to place in business
    context
  • Enables risk management approach to security,
    removes arbitrary judgments
  • Increases regulatory compliance, reduces exposure
    to negligence
  • The timeliness of information increases
    dramatically, which allows for much faster root
    cause elimination

Increased coverage, applied consistently, brings a
much more structured approach to solving today's
problems.
22
Thank You!
  • Questions? Comments?
  • Aaron Davies-Morris
  • adm_at_preventsys.com
  • 760.268.7821
  • Preventsys, Inc.
  • http://www.preventsys.com
  • Carlsbad, CA