Architecture that supports risk management in the digitalised enterprise. Jan Johannsen, SE Manager Nordics, 2014.11.06. 2014 Check Point Software Technologies Ltd.
Agenda: 1. What is risk management? 2. Process frameworks 3. SDP, Software Defined Protection 4. SDP in practice
What is risk management? An overview of, and control over, the external and internal factors that can affect the business: market, investors, employees/resources, capital, vision/leadership, infrastructure and IT. Industries where secure and stable IT operations are a critical factor, and then the rest.
What is risk management? Risks related to IT operations: loss/corruption of data; unavailability, bottlenecks; poor control over outsourcing; hacking; loss of critical competences; lack of segregation; insufficient visibility; leakage, intentional or unintentional.
What is risk management? The old adage, "It is only a matter of time before your infrastructure is attacked", should increasingly be turned into "It is only a matter of time before you discover that your infrastructure has already been compromised for an extended period."
What is risk management? The overall goal: to gain the overview and the control so that the total risk is known and brought to an accepted level, and to maintain that overview continuously.
Good process frameworks. COBIT: a governance model that helps in delivering value from IT and understanding and managing the risks associated with IT. ISO 27005 is the name of the prime 27000 series standard covering information security risk management.
Good process frameworks. About COBIT and ISO 27000: good frameworks, but no recommendations regarding implementation; ISO 27000 "does not provide or recommend a specific methodology". The ISMS process is based on the Plan, Do, Check, Act cycle.
Check Point SDP
SDN: an emerging network architecture that decouples the network control and data planes. Data flows between network nodes are controlled via a programmable SDN controller. SDP and SDN working in synergy: SDP is an overlay architecture that enforces security on traffic flows within an SDN network; data flows are programmed to pass through SDP enforcement points.
Architecture that supports risk management in the digitalised enterprise, or: practical implementation of SDP.
Practical implementation of SDP: the work is organised in three areas, Network Security Design and Architecture, Security Analysis, and Operations and Management, run as a Plan, Do, Check, Act cycle.
Implementing the Enforcement Layer
Practical implementation of SDP: inputs to the network security design and architecture. Network environment: infrastructure services, topology, data flow. Existing enforcement points, data classification, growth requirements, throughput requirements.
Practical implementation of SDP: requirements worksheet for the enforcement layer.
Area | Requirements | Comments
General business criticality | Hi / Me / Lo | Sensitive data, critical business processes etc.
Compliance requirements | Business specific, PCI, legal | Protect corporate users/customers
Provider dependency | Separation/log requirements, DDoS protection, bandwidth guarantee... | MPLS, ISPs, MSPs
Datacenter architecture | Redundancy, hot/cold standby | 
Network infrastructure, segmentation | DMZs, internal users, roaming users, security zones | Requirement for a protective cloud structure?
Policy requirements | Data, applications, internet, content | Inspection, control, protection; restrictions may apply
Traffic flows/priority | Business applications, realtime apps | Bandwidth guarantee/limitation
Growth | Number of users per year, traffic/performance requirements | Can hardware/software scale according to need?
Based on the completed worksheet, an architecture can be sketched that meets the basic requirements for network design, access control and security architecture.
Method for Segmentation
Atomic Segments: the smallest thing that can protect itself. A process or application; a host (e.g. using endpoint security); a virtual machine; very often a network, when we cannot effectively protect each host. Interactions cross the segment boundary through an enforcement point.
Segment Grouping: atomic segments are grouped, e.g. per site.
Consolidation: security software for several segments is consolidated onto shared enforcement points.
Trusted Channels: use encryption for inter-segment interactions over untrusted networks. A trusted channel prevents unauthorized data access and modification.
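The segmentation rules on the preceding slides (atomic segments, an enforcement point on every segment boundary, trusted channels across untrusted networks) can be checked mechanically against a planned set of data flows. The following is an added example, not code from the slides or from Check Point; the segment names, network names and flows are constructed sample data, and the rule that "trusted" means a network entirely inside our own perimeter is an assumption of the model.

```python
"""Segment-boundary consistency check (added example, not Check Point code).

Models the SDP segmentation method: atomic segments that can protect
themselves, an enforcement point on each segment boundary, and trusted
(encrypted) channels for inter-segment interactions that cross an
untrusted network. All names and flows below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    kind: str            # "process", "host", "vm" or "network" (the atomic segment types)
    site: str            # segment grouping, e.g. a site
    enforcement: bool    # True if an enforcement point guards this segment's boundary


@dataclass(frozen=True)
class Flow:
    src: str             # source segment name
    dst: str             # destination segment name
    network: str         # transport network the interaction crosses
    encrypted: bool      # True if carried over a trusted channel


# Constructed sample data. Assumption: a trusted network lies entirely inside
# our own perimeter; internet and provider networks are untrusted.
SAMPLE_NETWORKS = {"lan-cph": True, "internet": False, "mpls-provider": False}

SAMPLE_SEGMENTS = [
    Segment("web-dmz", "network", "cph", enforcement=True),
    Segment("app-vm", "vm", "cph", enforcement=True),
    Segment("db-host", "host", "cph", enforcement=False),            # no endpoint protection
    Segment("roaming-laptop", "host", "roaming", enforcement=True),  # endpoint security installed
    Segment("partner-net", "network", "partner", enforcement=False),
]

SAMPLE_FLOWS = [
    Flow("web-dmz", "app-vm", "lan-cph", encrypted=False),
    Flow("app-vm", "db-host", "lan-cph", encrypted=False),
    Flow("roaming-laptop", "app-vm", "internet", encrypted=True),
    Flow("partner-net", "db-host", "mpls-provider", encrypted=False),
    Flow("db-host", "db-host", "lan-cph", encrypted=False),
]


def check_flows(segments, flows, networks):
    """Return a list of (finding, src, dst) tuples. An empty list means every
    inter-segment interaction crosses an enforcement point and is encrypted
    wherever it leaves a trusted network."""
    by_name = {s.name: s for s in segments}
    findings = []
    for f in flows:
        if f.src not in by_name or f.dst not in by_name:
            findings.append(("UNKNOWN_SEGMENT", f.src, f.dst))
            continue
        if f.src == f.dst:
            continue  # intra-segment traffic never crosses a boundary
        src, dst = by_name[f.src], by_name[f.dst]
        # Rule 1: an inter-segment interaction must pass at least one enforcement point.
        if not (src.enforcement or dst.enforcement):
            findings.append(("NO_ENFORCEMENT_POINT", f.src, f.dst))
        # Rule 2: over an untrusted network the interaction needs a trusted channel.
        if f.network not in networks:
            findings.append(("UNKNOWN_NETWORK", f.src, f.dst))
        elif not networks[f.network] and not f.encrypted:
            findings.append(("CLEARTEXT_OVER_UNTRUSTED", f.src, f.dst))
    return findings


def enforcement_points_for(segments, flows):
    """Map each inter-segment flow to the enforcement point(s) that will see it.
    An empty list marks a flow that no enforcement point can protect."""
    by_name = {s.name: s for s in segments}
    mapping = {}
    for f in flows:
        if f.src == f.dst or f.src not in by_name or f.dst not in by_name:
            continue
        mapping[(f.src, f.dst)] = [n for n in (f.src, f.dst) if by_name[n].enforcement]
    return mapping


if __name__ == "__main__":
    for finding in check_flows(SAMPLE_SEGMENTS, SAMPLE_FLOWS, SAMPLE_NETWORKS):
        print("FINDING:", *finding)
    for flow, points in enforcement_points_for(SAMPLE_SEGMENTS, SAMPLE_FLOWS).items():
        print("flow", flow, "enforced at", points or "nothing")
```

On the sample data the only flow that fails both rules is the partner network talking to the unprotected database host in cleartext over the provider network: either the host gets endpoint protection or the flow is moved behind a gateway, and the provider link gets a trusted channel.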
Implementing the Control Layer
Practical implementation of SDP: security analysis. Prevent cyberattacks; avoid client infections; leakage detection; threat analysis; zero-day detection; compliance; detect malware; data protection for roaming users.
Practical implementation of SDP: requirements worksheet for the control layer.
Area | Requirements | Comments
Threat analysis | Security CheckUp analysis, yearly Security Reports, general analysis | Business specific threats: can the relevant threats be detected/prevented?
Compliance requirements | Business specific, PCI, legal | 
Evaluate access/control policy | Need to know / nice to know / not to know | E.g. URL filtering and application control policy: allow, ask, prevent
Client threat resistance | Malware, botnets, zero-day, data leakage | Apply to all clients (roaming, smartphones etc.)?
Leakage detection | What data? Dynamic data classification, actions? | 
3rd party business specific threat detection | Evaluate requirements | 
Protective controls | Data encryption | Roaming users, data at rest, in transit etc.
Logging | Right level of logging, consolidation/correlation, log analysis | 
General controls | Deployment policy, user rights, virtualization, passwords, patch policy, backup... | 
Mapping Risks and Protections: ensure all risks are mitigated; basis for building a complete solution for the customer; assignment of protections to the different enforcement points.
In practice it looks more like this:
Over 11 million malware signatures. Over 2.7 million malware-infested sites. Over 5,500 different botnet communication patterns.
Implementing the Management Layer
Practical implementation of SDP: operations and management. Incident reporting; log analysis; controls; delegation and segregation; compliance; auditor reporting; DR plans; gap analysis.
Practical implementation of SDP: requirements worksheet for the management layer.
Area | Requirements | Comments
Operation | Change procedures, service windows, agreements with 3rd parties... | 
Delegation | Admin tasks vs. operator tasks | 
Segregation | Separation of important admin tasks, track records etc. | 
Log analysis | All relevant logs collected and consolidated? | Should also cover proper off-line log storage
Reporting | Consolidation of the right log data, defined target groups etc. | Target groups: IT management, internal/external auditor, risk analysis...
Compliance | Define scope of compliance measurement, gap analysis procedures etc. | 
Incident response | Team, external party, response time, procedures | What type of events should trigger action?
Recovery procedures | Failover, recovery procedures/tests | Defined components: management, enforcement, connectivity...
Layered Policy: access control and threat prevention are managed separately and can be assigned to separate teams.
Layered Policy: policy layers are evaluated independently; a connection is allowed only if it is allowed by all layers.
Layered Policy: sub-policies are evaluated only if the super-policy (the parent rule) is matched. They can be delegated to other administrators.
Automation: automation scripts are bound by a least-privilege policy.
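The three layered-policy slides describe an evaluation model: each layer is matched independently, first match wins inside a layer, a sub-policy is only consulted when its parent rule matched, and the connection passes only if every layer accepts. The following is an added example, not code from the slides or from Check Point's management software; the zones, services, rule names, team names and the implicit cleanup drop at the end of every rule list are assumptions of this model.

```python
"""Layered policy evaluation (added example, not Check Point code).

Models the layered policy described on the slides: independent layers,
first-match rule evaluation within a layer, inline sub-policies that are
evaluated only when the parent rule matched, and a final verdict that
allows the connection only if all layers accept. Zones, services, rule
names and owning teams below are constructed sample data. Assumption: every
rule list ends in an implicit cleanup drop.
"""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard in a rule field


@dataclass
class Rule:
    name: str
    src: Optional[frozenset]          # source zones, or ANY
    dst: Optional[frozenset]          # destination zones, or ANY
    service: Optional[frozenset]      # services, or ANY
    action: str = "accept"            # "accept" or "drop"; ignored when inline is set
    inline: Optional[list] = None     # sub-policy: ordered rules, evaluated only if this rule matches
    owner: str = ""                   # team the sub-policy is delegated to


@dataclass
class Layer:
    name: str
    owner: str      # team that manages this layer
    rules: list


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str


def _matches(field_value, value):
    return field_value is None or value in field_value


def rule_matches(rule, conn):
    return (_matches(rule.src, conn.src) and _matches(rule.dst, conn.dst)
            and _matches(rule.service, conn.service))


def evaluate_rules(rules, conn, path):
    """First-match evaluation of an ordered rule list. Returns (action, path)."""
    for rule in rules:
        if not rule_matches(rule, conn):
            continue
        if rule.inline is None:
            return rule.action, path + [rule.name]
        # The sub-policy is consulted only because its super-rule matched.
        return evaluate_rules(rule.inline, conn, path + [rule.name])
    return "drop", path + ["<implicit cleanup drop>"]   # assumption: implicit cleanup


def evaluate_layer(layer, conn):
    return evaluate_rules(layer.rules, conn, [layer.name])


def evaluate(layers, conn):
    """Layers are evaluated independently; allowed only if every layer accepts."""
    verdicts = {layer.name: evaluate_layer(layer, conn) for layer in layers}
    return all(action == "accept" for action, _ in verdicts.values()), verdicts


def responsible_owner(layer, path):
    """Team that owns the rule which produced a verdict: the layer owner, or the
    delegated owner of the deepest sub-policy the match path descended into."""
    owner, rules = layer.owner, layer.rules
    for name in path[1:]:
        rule = next((r for r in rules if r.name == name), None)
        if rule is None:
            break
        if rule.inline is not None:
            owner, rules = (rule.owner or owner), rule.inline
    return owner


# Constructed sample policy: the app team owns only the web sub-policy.
WEB_SUBPOLICY = [
    Rule("web-https", frozenset({"internal"}), frozenset({"dmz"}), frozenset({"https"})),
    Rule("web-http-legacy", frozenset({"internal"}), frozenset({"dmz"}), frozenset({"http"})),
]
ACCESS_LAYER = Layer("access-control", "network-team", [
    Rule("internal-to-dmz", frozenset({"internal"}), frozenset({"dmz"}),
         frozenset({"http", "https", "ftp"}), inline=WEB_SUBPOLICY, owner="app-team"),
    Rule("partner-to-dmz", frozenset({"partner"}), frozenset({"dmz"}), frozenset({"http", "https"})),
    Rule("cleanup", ANY, ANY, ANY, "drop"),
])
THREAT_LAYER = Layer("threat-prevention", "security-team", [
    Rule("block-partner-cleartext", frozenset({"partner"}), ANY, frozenset({"http"}), "drop"),
    Rule("inspect-all", ANY, ANY, ANY),
])
POLICY = [ACCESS_LAYER, THREAT_LAYER]

if __name__ == "__main__":
    for c in (Connection("internal", "dmz", "https"), Connection("internal", "dmz", "ftp"),
              Connection("partner", "dmz", "http")):
        allowed, verdicts = evaluate(POLICY, c)
        print(c, "ALLOWED" if allowed else "BLOCKED", verdicts)
```

Note how the partner HTTP connection is accepted by the access-control layer and still blocked, because the threat-prevention layer, maintained by a different team, drops it; and how FTP from the internal zone matches the parent rule but falls through the delegated sub-policy to its cleanup drop, so the app team can restrict what passes without the network team widening or narrowing the parent rule.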
Architecture that supports risk management in the digitalised enterprise: modular architecture; flexible and dynamic software model; visibility of events and activity; effective management layer.
Thank You