Agile Cyber Security: Security for the Real World, Architectural Approach - Cisco


Agile Cyber Security: Security for the Real World, Architectural Approach
Osama Al-Zoubi, Senior Manager, Systems Engineering
Fahad Aljutaily, Senior Solution Architect, Security

Market Trends: Welcome to the New World

We Are Entering a New Era: Welcome to the New World
- 80 billion connected devices by 2020
- 99% of "things" are unconnected
- 5 connected devices for every user by 2020
The network is the platform to connect the previously unconnected.
Every company becomes a technology company; every company becomes a security company.
Cisco Connect, Riyadh, Saudi Arabia, April 29-30, 2014

Connect the Unconnected: Mobility Changes Everything!
- Mobile traffic increasing 13X by 2017
- 50% will be wireless by 2015
- Cisco's total mobile device count grew 109% in 24 months
- Mobile data traffic grew 159%
- Last year's mobile data usage was eight times the size of the entire Internet in 2000
- Tablets will generate almost as much data in 2016 as the entire global mobile network in 2012
"Mobility is More than Just the Device": mobility is to get complete control over a dynamic, mobile environment.
Any user, anytime, anywhere, any device:
- Jan 2010: "I want an iPhone with email, calendar, and contacts."
- Jan 2011: "I want WebEx MeetingCenter and Jabber IM on my iPhone."
- Jan 2012: "I want AnyConnect and enterprise apps."

Cloud (Public, Hybrid), Social Media, Big Data, E-mail, Software
- 69% of total data center traffic will be cloud traffic by 2017
- Personal cloud traffic grows from 1.7 EB in 2012 to 20 EB in 2017
- Machine-to-machine connections are expected to grow 5 times

Enormous, Fast, and Complex: Everything is Generating Data
Big Data
- 1 trillion sensors, 150 for every person on Earth, by 2030
- Big data is doubling the digital universe every 2 years
- Growth of the digital universe: 1,000x, from 10^24 (2012) to 10^27 (2030)
- The four Vs: Volume, Velocity, Variety, Value

New Work Environment, New Security
Today's dynamic computing environment creates new attack vectors.

Threat Evolution: Sophisticated, Enormous, and Complex

The Security Problem
- Changing business models
- Dynamic threat landscape
- Complexity and fragmentation

The Industrialization of Hacking: Sophisticated Attacks, Complex Landscape
Hacking becomes an industry.
Timeline (1990–2000, 2000–2005, 2005–Today, Today–2020): Phishing; Spyware and Rootkits; APTs; Cyberware

New Threat Landscape
- 70% of breaches were discovered by external parties who then notified the victim
- 52% of breaches affecting all organizations involved hacking
- 40% incorporated malware
- 66% took months or more to discover
- 1T/year private-sector revenue loss from cyber espionage
- 76% of network intrusions exploited weak or stolen credentials
- 75% are considered opportunistic attacks
In summary: 40% of breaches are malware, 52% of breaches are hacking, 75% are driven by financial motives.

Our Vision: Agile Security, Security for the New World
- New security model primed for the toughest customer challenges
- Supreme talent and innovative portfolio elements
- Protecting your safety, security and reputation

The New Security Paradigm
- Technology
- People
- Policies
- Monitoring / Engagement
- Security Operation
- Incident Response


Security is a Process: Enterprise Security Program Model
You need to have a program and a framework to work within. This is from O-ESA (Open Enterprise Security Architecture):
- Four rings
- Four domains
- Each domain is made of a number of activities/processes
- Comprehensive and deployable
- Open
Taken from the O-ESA document.

Security is a Process: Enterprise Security

Security is a Process: Information Security Management System (ISMS)
- Management approval and support
- Strategy
- Supporting organizational structures (roles, committees, staffing, knowledge, etc.)

Security is a Process: The Incident Response Policy
The policy should be part of your incident response preparation phase. An incident response policy covers:
- Statement of management commitment
- Purpose
- Scope
- Definitions
- Organizational structure and identification of roles, responsibilities, and levels of authority
- Prioritization or severity ratings of incidents
- Effectiveness measures

Security is a Process: Using Technology to Deliver on Policy Requirements
Desired policy:
- Who can talk to whom
- Who can talk to which systems
- Which systems can talk to other systems
- Protect data by defining procedures and guidelines
- Ensure that vulnerabilities are identified
Benefits:
- Simplifies policy implementation
- Enhances security and reduces complexity
- Accelerates server provisioning
Example (figure): users and devices (Doctor / Laptop, Doctor / iPad, Guest / Laptop, Guest / iPad) mapped to resources (Patient Records, Employee Intranet, Internet).

Security is a Process: Using Technology to Deliver on Policy Requirements
Example access rules:
- Confidential: Patient Records. Who: Doctor. What: Laptop. Where: Office
- Internal: Employee Intranet. Who: Doctor. What: iPad. Where: Office
- Internet. Who: Doctor. What: iPad. Where: Coffee
Approach:
- Transform "plain English" rules into network policy
- Secure access based on user, device, location, etc.
- Leverage TrustSec-enabled hardware to enforce at ingress
Securing access is more than simply deploying point solutions. In a rapidly changing environment, enterprises need an enterprise-class product from a strategic partner.

The New Security Paradigm

Security is a Process: Starting with People
Enabling Security, Managing Risks: Information Security Awareness
- Even the best information security policies, procedures, or controls are useless if employees are tricked into not following them
- 65% of companies and employees in the Middle East do not have knowledge of the security risks
- Threats designed to take advantage of users' trust in systems, applications, and the people and businesses they know are now permanent fixtures in the cyber world

The New Security Paradigm

The New Security Model
Anatomy of a targeted attack:
- Survey: evaluate the victim's countermeasures
- Craft context-aware malware to penetrate the victim
- Check that the malware works and evades the victim's countermeasures
- Deploy malware, move laterally, establish secondary access
- Accomplish the mission: extract data, destroy, plant evidence, compromise

The New Security Model
Attack: Mobile, Virtual, Cloud
Point in Time vs. Continuous

Security Control Framework Model
Total Visibility: identify, monitor, collect, detect and classify users, traffic, applications and protocols.
- Identify: identify, classify and assign trust levels to subscribers, services and traffic
- Monitor: monitor performance, behaviors, events and compliance with policies; identify anomalous traffic
- Correlate: collect, correlate and analyze system-wide events; identify, notify and report on significant related events
Complete Control: harden, strengthen resiliency, limit access and isolate devices, users, traffic, applications and protocols.
- Harden: harden devices, transport, services and applications; strengthen infrastructure resiliency, redundancy and fault tolerance
- Isolate: isolate subscribers, systems and services; contain and protect
- Enforce: enforce security policies; mitigate security events; dynamically respond to anomalous events
Cisco SCF has been accepted as an industry standard.

Security Control Framework: inputs to the model
- International standards
- Industry standards and best practices
- Industry regulations
- SANS 20
- Cisco knowledge and experience
- Security architecture principles

Architectural Approach: Comprehensive and Integrated
A more integrated approach:
- Cloud-based threat intelligence and defense
- Common policy and management
- Local malware infrastructure
- Partner APIs (public partners)
- Common shared analytics, compliance, API management and policy: identity, application, device, location
- Apps: FW, IPS, VPN, Web, Email
- Form factors: appliances, routers, switches, wireless, virtual
- Workloads: public, private

The New Security Paradigm
- Technology
- People
- Policies
- Monitoring / Visibility
- Security Operation
- Incident Response

Breaches Happen in Hours But Go Undetected for Months or Even Years
- In 60% of breaches, data is stolen in hours
- 54% of breaches are not discovered for months
Chart: timespan of events by percent of breaches (Seconds, Minutes, Hours, Days, Weeks, Months, Years) for initial attack to initial compromise; initial compromise to data exfiltration; initial compromise to discovery; discovery to containment/restoration.
Source: 2013 Data Breach Investigations Report, compiled by 18 organizations that contributed data.

Visibility, Knowledge, Protection
Visibility across files, processes, mobile devices, the network, servers, routers and switches, and virtual machines.

The New Security Paradigm

Security Operation Centers Are Evolving (with attack sophistication)
- 1st Generation: device monitoring; log collection and retention; limited device coverage; slow reactions to incidents
- 2nd Generation: events correlation; network and system log collection; case management
- 3rd Generation: feeds from reputation services; vulnerability management; incident handling capabilities
- 4th Generation: Big Data and sophisticated security analytics; feeds from intelligence services; cloud processing; sophisticated NetFlow analysis; early alarming; forensics capabilities

Security Operation Centers for the New World
- Facilities: secure facility; open space; wall screens; separate areas for the SOC manager and meetings
- Infrastructure: segregated; secure; highly available; collaboration platforms
- Services: data analysis; anomaly detection; vulnerability management; collaboration
- Processes: effective incident handling; measurements and metrics; continuous enhancement
Over time: Day 1 SOC, then accelerated maturity. Threats will not wait for you to finish building your SOC!

Security Operation Centers: Well-Defined Methodology
Processes: compliance; deployment; vulnerability management; service administration; incident management; event management; device and applications.

Security Operation Centers: Well-Defined Methodology
Good practices exist today to help you develop your capabilities. Incident handling requires people, process and technology.
Standards:
- ISO/IEC 27035:2011 Information technology -- Security techniques -- Information security incident management
- ENISA Good Practice Guide for Incident Management
- NIST SP 800-61 Rev. 2 Computer Security Incident Handling Guide
- NIST SP 800-83 Rev. 1 Guide to Malware Incident Prevention and Handling for Desktops and Laptops
- Incident Response and Management: NASA Information Security Incident Management

Security Operation Centers: Well-Defined Methodology
- Don't build your incident handling plan during an incident
- Clearly identified roles and responsibilities
- Involve members from different departments: IT, PR, Legal
- During an incident, stick to the plan
- Communication with the rest of the organization: whom, how and what?
- Run incident drills; practice makes you better
- Think about having something like a playbook!


Incident Handling: The Fundamental Steps
Life of an incident:
- Incident investigation: collection, data analysis, reporting
- Containment (short-term goal)
- Recovery (long-term goal)
- Post-incident activities

Agile Cyber Security: Security for the Real World, Architectural Approach
- Technology
- People
- Policies
- Monitoring / Engagement
- Security Operation
- Incident Response

Thank You

