Compensating Controls and Architecture - Paiet/Tech-Journal-for-Everything GitHub Wiki

Security data analytics

  • Data aggregation and correlation

    • Rounding up logs in a centralized area
    • Separates the logs into their respective categories
    • Each system can act as a supplement to the other systems
      • More intensely monitored systems may catch things that less monitored systems don't
      • Less monitored systems may be targeted in ways more heavily monitored systems aren't; correlating both can catch esoteric attacks
  • Trend analysis

    • Looks at the overall state of the systems and tries to predict unexpected changes
      • Also can give you an idea of where the state of security may go
      • EXAMPLE
        • Predict that XSS vulns are on the rise
        • React by implementing stronger XSS safeguards
  • Historical analysis

    • Used as data for Trend analysis
    • Could reveal where you're most likely to be attacked in the future
  • Manual review

  • Firewall log

  • Syslogs

  • Authentication logs

  • Event logs

    • Logon success Event ID 4624
    • Logon Failure Event ID 4625
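The aggregation and correlation idea above, applied to the two event IDs just listed, as an added example (not from the wiki page): logon events from several hosts are pooled centrally so that a run of 4625 failures followed by a 4624 success for the same account is visible even when no single host saw enough failures on its own. The host names, account names and timestamps are constructed sample data.

```python
"""Central correlation of Windows logon events (4624 success / 4625 failure).
Added example, not from the wiki page; the events are constructed sample
records in a simplified shape (a collector/SIEM would supply real ones)."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625

# Constructed sample: two hosts forwarding to one central store.
SAMPLE_EVENTS = [
    {"host": "web01", "id": 4625, "account": "svc_backup", "time": "2024-03-01T02:00:01"},
    {"host": "web01", "id": 4625, "account": "svc_backup", "time": "2024-03-01T02:00:03"},
    {"host": "db01",  "id": 4625, "account": "svc_backup", "time": "2024-03-01T02:00:05"},
    {"host": "web01", "id": 4625, "account": "svc_backup", "time": "2024-03-01T02:00:07"},
    {"host": "web01", "id": 4625, "account": "svc_backup", "time": "2024-03-01T02:00:09"},
    {"host": "db01",  "id": 4624, "account": "svc_backup", "time": "2024-03-01T02:00:12"},
    {"host": "web01", "id": 4625, "account": "alice", "time": "2024-03-01T08:15:00"},
    {"host": "web01", "id": 4624, "account": "alice", "time": "2024-03-01T08:15:20"},
]

def aggregate(events):
    """Group events per account across all hosts, ordered by time."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(dict(e, time=datetime.fromisoformat(e["time"])))
    for recs in by_account.values():
        recs.sort(key=lambda r: r["time"])
    return by_account

def find_failure_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Flag accounts with >= threshold 4625s inside `window` followed by a 4624.
    Failures are counted across hosts, so a spray that hits each host only a
    few times still adds up centrally. Returns {account: details}."""
    hits = {}
    for account, recs in aggregate(events).items():
        recent = []  # failures still inside the sliding window
        for r in recs:
            if r["id"] == LOGON_FAILURE:
                recent.append(r)
                recent = [f for f in recent if r["time"] - f["time"] <= window]
            elif r["id"] == LOGON_SUCCESS and len(recent) >= threshold:
                hits[account] = {"failures": len(recent),
                                 "hosts": sorted({f["host"] for f in recent}),
                                 "success_host": r["host"]}
                recent = []
    return hits
```

Run against the sample, only `svc_backup` is flagged: four failures on web01 plus one on db01 make five centrally, followed by a success on db01; `alice` has a single mistyped password and is not flagged.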

Compensating Controls and Architecture Pt.2

  • Defense in depth

  • Personnel

    • Training
      • Security Awareness Training
    • Dual control
      • Missile keys, à la WarGames
      • Takes cooperation before action occurs
        • Limits accidents
        • Safeguards sensitive/critical processes from threat actor
    • Separation of duties
      • Cuts down on abuse
    • Cross training
      • Allows for the loss of personnel without disrupting productivity
        • Vacation
        • Sick/Maternity leave
        • Sabbatical
        • Resignation/Termination
    • Mandatory vacation
      • Allows you to discover malfeasance
        • Any issues will become apparent to whoever is covering duties for the vacationing employee
      • Very effective when combined with Separation of Duties
    • Third party/consultants
      • Common example is Cloud Services
      • Now it's "THEIR" problem? (Maybe/in some instances)
      • Considerations
        • Sufficient background investigation
        • Arrange proper access to necessary networks and/or systems
        • Data
          • Encryption?
          • Shared or dedicated storage?
          • Any sharing of resources with other customers
        • Employee Hiring Standards
          • Rigorous background checks?
        • Incident Response and Notifications
          • When and how will you be notified in case of an incident?
    • Succession planning
      • How to handle the sudden loss of a critical worker or manager/supervisor
        • Cross training
        • Keep potential replacements in mind
      • Losing critical worker could...
        • Deprive company of expert skill sets
        • Cause important tasks to be neglected/not done

Compensating Controls and Architecture Pt.3

  • Processes
    • Continual improvement
      • Ensures that processes never become outdated
    • Scheduled reviews
    • Retirement of processes
      • Why retire a process?
        • Relevancy
        • Redundancy
        • New/Better policy took its place
  • Technologies
    • Automated reporting
    • Security appliances
      • Firewalls
      • IDS/IPS
      • Web App Firewall
      • UTM (Unified Threat Management)
      • NGFW (NextGen Firewall)
    • Security suites
      • AV/AntiMalware
        • Kaspersky
        • Symantec
        • Sophos
      • Centralized management
        • Client deployment
        • Health status
        • Reporting
        • Dashboards
        • Task management
    • Outsourcing
      • Security as a Service (SECaaS)
    • Cryptography
      • Secures data at rest and on the wire
      • Look at how encryption is deployed
        • Are there any points at which data is left unencrypted as it travels?
          • Caches
          • Buffers
        • Encryption should be end to end
      • Protect private keys
  • Other security concepts
    • Network design
      • Traditional On-Prem services
      • Cloud connectivity / Remote Connectivity
        • SaaS
        • PaaS
        • Security concerns
          • Underlying hardware and OS security is up to Service Provider
            • Some security controls can be afforded to the client
            • AWS Security Group
      • Directly Connected Remote Network
        • Cloud service (IaaS) that VPNs into the local environment
          • Provide failover VPN link if possible
    • Network segmentation
      • Separation of secure networks from insecure/less secure networks
      • Devices that help with this
        • Switches
        • Routers
        • Firewalls
      • Switches
        • Create VLANs on internal networks
        • Multilayer switches can provide traffic control with ACLs
      • Routers
        • Provide us with ACLs for controlling network traffic
      • Firewall
        • Single Firewall
          • Sits between DMZ and Internal network
        • Multi-Interface Firewall
          • Service-leg DMZ
        • Multi-Firewall
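A zone-based ACL model of the multi-interface (service-leg DMZ) firewall described above, as an added example that is not part of the wiki page: the three zones, their subnets and the rule table are constructed, and the code shows the two properties that make a DMZ a real segment, first-match rule ordering and an implicit default deny for anything not explicitly permitted (for instance Internet straight to the internal zone).

```python
"""Zone-based ACL model of a multi-interface (service-leg DMZ) firewall.
Added example, not from the wiki page. Zones, subnets and the rule table are
constructed; rules are evaluated first-match-wins with an implicit default deny."""
import ipaddress

# Constructed topology: one firewall, three interfaces, one zone each.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}

# Ordered ACL: (src_zone, dst_zone, dst_port or None for any, action).
RULES = [
    ("internet", "dmz",      443,  "allow"),  # public HTTPS to the web tier only
    ("dmz",      "internal", 5432, "allow"),  # web tier to the database port only
    ("internal", "dmz",      None, "allow"),  # admins may reach the DMZ on any port
    ("internal", "internet", 443,  "allow"),  # outbound HTTPS from the inside
    # Everything else (internet -> internal, dmz -> internet, ...) falls through to deny.
]

def zone_of(ip):
    """Return the most specific zone containing ip (0.0.0.0/0 matches last)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

def evaluate(src_ip, dst_ip, dst_port):
    """First-match lookup; returns (action, matched_rule_or_None)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("allow", None)  # same zone: traffic never crosses the firewall
    for rule in RULES:
        r_src, r_dst, r_port, action = rule
        if r_src == src and r_dst == dst and (r_port is None or r_port == dst_port):
            return (action, rule)
    return ("deny", None)  # implicit default deny

def audit(flows):
    """Evaluate observed (src_ip, dst_ip, dst_port) flows; return the denied ones."""
    return [f for f in flows if evaluate(*f)[0] == "deny"]
```

Running `audit` over captured flows is a quick check that the deployed segmentation matches the intended design: any allowed flow in the capture that this model denies points at a rule the real firewall has that the design does not.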