Enterprise Security: Planning Today for Tomorrow's Unknown Threats - PowerPoint PPT Presentation
Slides: 36
Provided by: chris175
Transcript and Presenter's Notes
1
Enterprise Security: Planning Today for Tomorrow's Unknown Threats
  • Christopher Buse, Chief Information Security Officer, State of Minnesota

2
Agenda
  • Vulnerability and threat trends
  • Minnesota's enterprise-wide vulnerability management approach
  • Q & A

3
Payoff
  • Update on the current threat landscape
  • Understanding of why the problem is simply too big to solve on an agency-by-agency basis
  • Tips to form audit recommendations with serious impact

4
My Job
  • Build a world-class enterprise security program for the State of Minnesota
  • Challenges
    • Security
    • Cultural
    • Financial
    • Human Resources

5
Our Organization
6
Threat Update
7
The Landscape is Hostile
  • Exponential increase in threats
  • Threats are more complex and stealthy
  • Perpetrated by well-funded criminal groups
  • Zero-day is now every day

8
Mobile Phone Attacks
  • Today's phones are computers
    • iPhone
    • Blackberry
  • Examples
    • Blackjacking exploit

9
RSA Takeaway
  • Bad guys are getting much better
  • Crimes of notoriety have become crimes perpetrated for financial gain
  • Almost everything bad starts by exploiting a vulnerability

10
Minnesota's Approach
11
What is a Vulnerability?
  • Typically a logic flaw in a piece of software
  • Exploited by hackers to obtain unauthorized access
  • Over 8000 new vulnerabilities in 2006

12
Dissecting the Problem
  • Vulnerabilities that we can find and fix
    • In the wild for at least a week
    • Reputable vendors have signatures
  • Zero-day vulnerabilities
    • Problems just identified
    • Most likely no signatures
    • Sometimes workarounds to minimize risk
  • Unknown vulnerabilities
    • Something bad is happening
    • Scanning shows that nothing is wrong
    • AV and all else is up to date

13
Plan of Attack
14
Find and Fix
15
Desired Outcome
  • Develop a comprehensive vulnerability management program
    • Promptly identify vulnerabilities
    • Classify vulnerabilities based on criticality
    • Remediate issues

16
Strategy
  • Invest in an enterprise vulnerability management solution
  • Join forces with Minnesota Colleges and Universities to build out a common vulnerability management program and share a common vulnerability management platform

17
Personnel
  • Office of Enterprise Technology and MnSCU Office of the Chancellor
    • Oversee the program
    • Maintain enterprise tools
    • Provide training and technical support to agencies
    • Analyze and disseminate security advisories
  • Agencies and MnSCU institutions
    • Use the tools to assess all technology assets
    • Establish a vulnerability management team
    • Remediate issues

18
Team Interactions
  • OET Central Vulnerability Management Team
  • Agency Vulnerability Management Team
    • Network Support
    • Server Support
    • Workstation Support
    • Application Support

19
Tools
  • ip360 by nCircle
  • VNE Manager appliance
    • Hardened BSD OS
    • Web-based console
  • Device Profiler
    • Hardened BSD OS
    • Flash memory
  • Security Intelligence Hub (SIH)
    • Oracle database
    • Canned and custom reporting
  • TCO expected to be about 13 million over 12 years

20
Architecture
21
Program Status
  • Software and hardware infrastructure built
  • Installations complete at most large agencies
  • Policies and detailed standards being finalized
  • Lots of scanning activity
    • External face of government
    • Inside secure agency networks
    • Across the WAN
  • Areas to focus on next
    • Mobile device vulnerabilities
    • Web application vulnerabilities

22
Zero Day Exploits
23
Shootin' Cattle
  • The world is one giant herd
  • Sharpshooters take aim and fire
  • One cow drops
  • The lead cow puts up an impenetrable shield to stop more bullets
  • The herd is once again safe

Snoop Doggie Moo
24
Key Takeaways
  • One cow always takes a bullet for the good of the team
  • It's best not to be THAT cow

I Paid Da Cost To Be Da Boss
Snoop
25
Strategy
  • Manage an enterprise-wide threat dissemination service
    • Subscribe to several commercial vulnerability notification services
    • Communicate targeted notices to agencies
    • Leverage inventory data in ip360
    • Communicate over a secure portal

26
Status
  • Targeted advisory service is dependent on ip360 inventory data
  • Until ip360 is fully deployed, broadcast critical alerts to agencies
  • Plan to implement a secure portal this year

27
Unknown Vulnerabilities
28
Strategy
  • Actively look for signs of anomalies
    • IDS/IPS systems
    • Network flows
    • Security Information and Event Management (SIEM) system
  • Quarantine machines exhibiting abnormal behavior

29
SIEM
  • Real-time analysis of security event data
  • Identify threats
  • Reporting on log data for forensic activities and compliance monitoring
  • SIM (Security Information Management) is responsible for storage and reporting
  • SEM (Security Event Management) is responsible for analysis and threat identification

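The SIM/SEM split on this slide, as an added Python sketch that is not from the presentation or from any State of Minnesota tool: a SIM layer that stores every event and answers forensic queries, and a SEM layer that correlates the same stream in arrival order with one hypothetical rule (repeated logon failures followed by a success from the same source). The host names, addresses and log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed syslog-style authentication events (hypothetical hosts and users).
SAMPLE_LOG = """\
2009-03-02T10:00:01 host=web01 src=10.0.5.7 user=admin result=FAIL
2009-03-02T10:00:04 host=web01 src=10.0.5.7 user=admin result=FAIL
2009-03-02T10:00:09 host=web01 src=10.0.5.7 user=admin result=FAIL
2009-03-02T10:00:15 host=web01 src=10.0.5.7 user=admin result=OK
"""

def parse(line):
    """Turn one 'key=value' log line into a dict with a real timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

class SIM:
    """Security Information Management: durable storage plus reporting."""
    def __init__(self):
        self.events = []
    def store(self, ev):
        self.events.append(ev)
    def report(self, **match):  # forensic/compliance query by field values
        return [e for e in self.events if all(e.get(k) == v for k, v in match.items())]

class SEM:
    """Security Event Management: streaming correlation that raises alerts."""
    def __init__(self, fails=3, window=timedelta(seconds=60)):
        self.fails, self.window = fails, window
        self.recent = defaultdict(deque)  # (src, user) -> timestamps of failures
    def analyze(self, ev):
        """Rule: `fails` or more failures followed by a success inside `window`."""
        key = (ev["src"], ev["user"])
        q = self.recent[key]
        while q and ev["ts"] - q[0] > self.window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        elif len(q) >= self.fails:
            q.clear()
            return f"possible brute force: {key[1]}@{ev['host']} from {key[0]}"
        return None

def run(log=SAMPLE_LOG):
    sim, sem, alerts = SIM(), SEM(), []
    for ev in map(parse, log.splitlines()):
        sim.store(ev)              # SIM: keep everything for later reporting
        alert = sem.analyze(ev)    # SEM: decide in stream order whether this is a threat
        if alert:
            alerts.append(alert)
    return sim, alerts
```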
30
(No Transcript)
31
(No Transcript)
32
Status
  • Joining forces with MnSCU to build one SIEM solution for higher education and government
  • Currently working on the RFP
  • Plan to have the solution running by June 2009
  • SIEM technology carries a hefty price tag

33
Audit Tips
34
Stuff To Consider
  • Enterprise-wide vulnerability and threat management audit
  • Problem is simply too costly to solve on an agency-by-agency basis
  • Scanners only address known vulnerabilities with signatures
  • Need a strategy to limit damage from zero-day vulnerabilities
  • Need to be able to recognize abnormal network traffic

35
Questions
chris.buse_at_state.mn.us