A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Download as PPTX, PDF8 likes18,018 views
The document presents an extended security-in-depth strategy based on the SABSA framework, focusing on practical applications, particularly in firewall standards. It outlines six groups of positive actions for security management, emphasizing the balance between compliance, security, and performance monitoring. Additionally, it provides insights into the purpose and functionality of firewalls within this strategy and proposes a more comprehensive approach to writing firewall standards.
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
- 1. A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov
- 2. Who Am I? Allen Baranov, CISSP Information Security Professional SABSA Foundation Certified Specialist In Security Management, Security Architecture and Risk and Compliance Looking for new permanent position! See LinkedIn for more details or email me for more information! au.linkedin.com/in/allenbaranov/
- 3. This is my proposal for an extended Security-in-Depth Strategy. It is based on the one in the official SABSA documentation but extended to be more practical as you’ll see later in this presentation. Assurance • Deter • InviteNegotiate • Prevent • AllowEnforcement • Contain (Deny) • (Continue to) Allow Post Breach Enforcement • Detect and Notify • Detect and Process (Service)Activity Monitoring • Evidence & Track • Baseline and service improvementTraffic Monitoring • Recover and Restore • Monitor and Optimise (Hierarchical Storage Management) Data Availability Maint. Extended SABSA Security-in-Depth Strategy
- 4. Deter Prevent Contain Detect and Notify Evidence & Track Recover + Restore Assure Original SABSA Security-in-Depth Strategy This is the original SABSA S-i-D Strategy diagram. You will see that it has “negative” actions which (IMHO) doesn’t fit with the SABSA risk/opportunity philosophy.
- 5. … so I extended it. For each negative action, there is a positive one and I have grouped them into 6 groups. I moved Assurance to its own super group with each level feeding back to it. This is still a WIP and I am keen for feedback. Assurance • Deter • InviteNegotiate • Prevent • AllowEnforcement • Contain (Deny) • (Continue to) Allow Post Breach Enforcement • Detect and Notify • Detect and Process (Service)Activity Monitoring • Evidence & Track • Baseline and service improvementTraffic Monitoring • Recover and Restore • Monitor and Optimise (Hierarchical Storage Management) Data Availability Maint. Extended SABSA Security-in-Depth Strategy
- 6. Deconstructing the purpose of a Firewall. • Operates on the network layer. • It usually defines the border between two networks of differing levels of risk. • It investigates traffic and makes decisions on how to pass the traffic based on predefined rules (known as rulebase or policy) • It can be used for tracking connectivity. • Firewalls may also do deeper inspection into network traffic and Firewalls may be physical hardware, software, dedicated boxes, a service or a virtual machine. Practical Example - Firewalls I extended it so as to come up with a practical way to use SABSA for writing a Firewall Standard. The first thing to do is to work out exactly what a Firewall is aiming to achieve. Then to fit it into the 6 layers of the model. See next slide.
- 7. •Deter – create logical border between networks •Invite authorised traffic to be used for business purposes Negotiate Network Usage •Prevent – prevent unauthorised traffic from flowing across the network boundary •Allow – allow authorised (business enhancing) traffic across the network boundary. Enforcement of predefined rules •Contain (Deny) – Temporarily stop a compromised network leaking onto a “clean” network. •(Continue to) Allow “clean” networks to communicate until a breach is detected. Post Breach Network Management •Detect and Notify – monitor all traffic and notify of suspicious traffic. •Detect and Process – allow network traffic to pass and baseline “normal” Network Activity Monitoring •Evidence & Track – watch for anomalies on traffic flow and suspicious connections to build a profile of activities. •Baseline and service improvement – watch for opportunities to improve connectivity and gain understanding of network usage across the org. Network Traffic Monitoring •Recover and Restore – have redundant devices and network connections with automatic service continuation. •Monitor and Optimise – Look for opportunities for reducing speed in some connections and increasing speed for others. Network Availability Maint. Practical Example - Firewalls
- 8. I then took each layer and this became a section in the Standard. Note that especially the “Negotiate” section should be written as a contract with both what will be delivered and what is expected.
- 9. This way the Standards can be more comprehensive. They are also not so negative and they show the balance of what is needed for compliance and security against what is offered. The firewall standard, for example, shows that without a firewall all the benefits of the Internet would not be available. Also, while we are monitoring for bad traffic, we could also be monitoring for performance. There is one more major advantage that turns the whole SABSA philosophy on its head but I will save that one for next time… ;) For more, visit my blog – http://securethink.blogspot.com.au
- 10. …other bits and pieces What is SABSA? SABSA is a proven framework and methodology for Enterprise Security Architecture and Service Management used successfully by numerous organisations around the world. Now used globally to meet a wide variety of Enterprise needs including Risk Management, Information Assurance, Governance, and Continuity Management, SABSA has evolved since 1995 to be the 'approach of choice' for commercial organisations and Government alike. SABSA ensures that the needs of your enterprise are met completely and that security services are designed, delivered and supported as an integral part of your business and IT management infrastructure. Although copyright protected, SABSA is an open-use methodology, not a commercial product. Images All images are used with permission. Some are from the site stock.xchng (http://www.sxc.hu/)