The SANS Technology Institute

Security Laboratory

Security Laboratory: Defense In Depth Series

Hybrid Threats - June 18th, 2008
Can you build a Defense in Depth architecture without an architect? - Updated May 13th, 2008
The Attack Surface Problem - November 6th, 2007
The Uniform Method of Protection to Achieve Defense-in-Depth - February 26th, 2007
Security Convergence and The Uniform Method of Protection to Achieve Defense in Depth - September 7th, 2007
Protected Enclaves Defense-in-Depth - February 26th, 2007
Information Centric Approach to Defense-in-Depth - February 26th, 2007
Vector Oriented Defense in Depth - February 26th, 2007
Role Based Access Control to Achieve Defense in Depth - Updated December 26th, 2007

Can you build a Defense in Depth architecture without an architect?

May 13th, 2008
By Stephen Northcutt, J. Michael Butler and the GIAC Advisory Board
Version 1.1

Of course you are not going to get very far with an architectural approach to Defense in Depth without an architect. Unfortunately, the industry is still unclear as to exactly what an IT Security Architect is. The concept is, however, starting to mature. Certifications have been developed for IT Security Architects, and training courses are offered by various organizations to help prepare one to be a Security Architect.[1] The (ISC)² organization has created an ISSAP (Information Systems Security Architecture Professional) certification[2]. The SABSA organization has three levels of certifications for Security Architects: Foundation, Practitioner, and Master. There are job opportunities for positions labeled as "Security Architects," although many times they sound more like engineers than architects. Though specific knowledge about systems and networks is important, an architect should have the ability to assemble and disassemble pieces of knowledge to/from a whole.

There are architecture standards documents as well, available from various standards organization. URL links to five of those organizations appear below. They are the SABSA (Sherwood Applied Business Security Architecture)[3], the Information Security Forum (ISF)[4], the Department of Defense Architecture Framework (DoDAF)[5], the Zachman Institute for Framework Advancement (ZIFA)[6], and the NIST SP800-39, which lists in its "improvements" to the SP800-39 draft: "Providing specific linkages from the NIST Risk Management Framework to the Federal Enterprise Architecture to help ensure the seamless integration of information security into organizational missions and business processes."[7] One framework may be more appropriate than another for a specific line of business. Such decisions as to which framework is right for your organization are best made as a cooperative effort between business management and a Security Architect who brings needed experience and expertise to the decision making process. Trying to apply one model or another to one's business without the benefit of an 'expert' could lead to decisions being made, not because a particular direction is best long term for the organization, but because the framework we chose said we have to do it that way.


Engineer and Architect compared
An engineer can tell you how your network should be designed. An architect can tell you why it should be designed that way, and will be able to suggest changes based on your specific needs.

An engineer can tell you which protocols companies use for what tasks.

An architect can explain why those protocols make the most sense, and usually explain what came before them.

In building trades, a mason knows brick and stone, an electrician knows wiring, and steelworkers are experts at constructing skeletons for a building. The architect will often know less detail of each trade, but knows enough about them all to design the blueprints. Again, it is not the knowledge that sets the architect apart - it is his ability to cohesively apply disparate knowledge to form a unified whole.

In computer security, by dint of having "come up through the ranks," most security architects actually do know more about the details than anyone they work with - it is a meritocracy of sorts. In my experience, security architects are distinguished by having more expertise in more areas than engineers, because they're the people that sought out how things work whenever they touched something.

The key attributes of an architect

• Can analyze the business operations of the organization.
• Can then design a security solution which suits the risk appetite and the real threats that the organization faces.

Ideal persons to help you interview a candidate for an architect position

• IT Manager
• Network Manager
• Systems Manager
• Applications Manager

Interviewing an engineer for an network architecture position
We interviewed a number of GIAC Advisory Board members who have been working as architects for major enterprises as to what they look for an architecture position. They recommend that you be careful about giving candidates a real world problem (even pretending it is 'made up') as this could be dangerous to a company either from a PR or security perspective if it got posted on the Internet in some way. There are a number of practical assignments defining a mythical company called "GIAC Enterprises", if you Google for GIAC Enterprises you can get some scenarios to use for the exercise. Here are some questions they recommend asking:

Do you have a home network setup? Please describe it to me.

When designing an architect/infrastructure for security we have to be at least "aware" of the various
protocols/technologies used within Corporate America. Please tell me a bit about:

• Equal cost paths for egress traffic
• High Availability Design issues
• Packet shaping
• The role of the network in compliance
• What ideas do you have to improve our DR/BCP

Please tell me a bit about each of the technologies below and when and why you might use them:

• OSPF
• EIGRP
• MPLS
• RIP
• GRE
• IPv6
• Proxy ARP
• Static routing

Give them just the hex of a packet and ask them to read it to you. We teach managers to do this with prospective employees in the course we author and teach, Management 512.

Interviewing an engineer for an security architecture position

• What threats do you perceive in this company's environment?
• What are the assets and/or business processes (5 maximum) you think are the most critical ones for the organization?
• What assets do you think are the most exposed?
• Identify the weakest links in the system as a whole (Networks, Systems, Applications, Data, Users).What basic access controls would you design into the network (relevant to my business)
• What if any IH procedures would you put into place regarding the network.
• If you were an attacker, what would you be after?
• If you were an attacker what would your business model be? That is, how can an attacker make money by attacking us.
  
• If you were an attacker, how would you go about penetrating us?
  
• What architectural solutions (Protection, Detection and Reaction) would you propose for the different components (Networks, Systems, Applications, Data, Users) to address the threats and mitigate the risks?
• Draw for me a high level (network) diagram that shows your proposed architectural changes and solutions.
• Develop an implementation plan for those solutions (short, middle, long term).
• Out of the solutions you mentioned, what are the 5 ones that add the greatest value?
• Show me how would you adapt your solutions and what would you prioritize according to different budgets: $1.000, $10.000 or $100.000
• What are the solutions that you think would be more difficult to implement (due to technical, budget or cultural reasons)?
• What policy / cultural changes do you think are needed (if any) for your long term plan to succeed?
• Propose a couple of security solutions that would enable this company to improve business by doing something it can't currently do.

More general questions

• If we are looking more more of general purpose architect, consider some of these questions. If our organization wants to field a new ecommerce sites, can you describe a couple different scenarios or approaches to the architecture. What are the primary tradeoffs between architectures? What vendors would you use and why?
• Get your technical folks to help you identify a real world problem your organization is facing. Can the candidate engineer a "duct-tape" solution to temporarily address the issue. You don't want a candidate that is always relying on spending $$$ to accomplish a task.
• Please explain a recently announced vulnerability of your choice, and what solutions your would implement to mitigate the threat?
• Here is a whiteboard and some markers... draw me a diagram, design, or something of your choice using these tools to communicate a concept, architecture, or something of your choice.
• Tell be about your experience with the open-source movement? What sources do you use to find information on new products related to network monitoring, for example.
• Say there was a network problem, what are the basic steps you would go though to in order to troubleshoot the problem?
• What architectures, software, or deployment strategies have you used successfully in the past, but would no longer use. Please tell us why.
• Sell us on yourself. What are your strongest personal assets? What specific attributes would you be bringing into the organization that will make a positive contribution to our overall success?
• Tell us about an instance when you had to communicate an idea/process/procedure to a customer that you know will be resistant to you? What was your initial approach? Did you have to change your approach? What was the outcome?
• What approach do you take when you need to learn about a technology. Do you consider yourself a life long learner? Why?
• What was the one question we did not ask that you came prepared to answer?

Sample Candidate Profile & Requirements
Candidate has substantial experience researching, authoring, and implementing security configuration standards across multiple platforms. Candidate's experience includes a successful track record of evangelizing standards, managing and/or creating the standards compliance and remediation processes, as well as presenting the value propositions of standards-based security management to senior leaders within a Fortune 500 organization or similar scale environment.

The self-directed individual represents COMPANY as a participant in industry working groups and standards bodies. Candidate's familiarity with security industry standards, working group processes, and content lifecycle management adds great value COMPANY. Active participation in - or contribution to - OASIS, Liberty Alliance Project, NIST, Center for Internet Security, or other similar open forum working groups and committees demonstrates candidate's ability to advance COMPANY's concerns within the broader security industry.

Candidate is familiar with threats, vulnerabilities, and exposures across diverse systems, and successfully communicates this data in terms of operational risk and business relevance. Candidate brings to COMPANY extensive background creating and executing closed-loop vulnerability management practices, and can leverage such experience in coordinating individuals with competing priorities across multiple departments to mitigate risk.

The ideal candidate has 5-7 years experience in the <WHATEVER> industry. Familiarity with types of products offered by COMPANY, and the core business processes needed to deliver <WHATEVER> services, is essential in making security relevant to the lines of business the team supports.

Candidate can demonstrate a proven track record of communicating and working proactively and professionally with internal and external auditors, <INSERT FEDERAL EXAMINER GROUP HERE IF APPLICABLE>, and other groups responsible for ensuring that an organization is properly protecting the interests of its customers, shareholders, and employees.

Candidate is familiar with software development lifecycle methodologies. Demonstrated experience gathering and documenting business and technical requirements for implementation by internal development teams and/or external vendors shows that candidate can lead others in meeting COMPANY's security requirements.

Candidate must bring extensive experience leading and/or significantly contributing to cross-departmental technology projects. The candidate leverages an understanding of industry-standard project management methodologies, experience with project financial controls, and the ability to communicate the financial justification for security projects to deliver on COMPANY's Information Security Strategy.

Candidate has lead, or significantly contributed to, enterprise projects to deliver security information management solutions. Candidate shows experience building an infrastructure to aggregate, deduplicate, and correlate massive streams of security log data; candidate has delivered processes and procedures to triage, analyze, and take action on such information; and candidate has designed management reporting to instrument and continuously improve security information management.

Candidate's significant experience with network security controls such as routers, switches, firewalls, intrusion management solutions, network access control, and related solutions is required when coordinating delivery of holistic security in partnership with COMPANY's Network Engineering group(s). Extensive understanding of network protocols, data flow analysis, and network design and troubleshooting assist the candidate in leading others to successfully deliver a security program.

Candidate's familiarity with application security practices such as secure coding and secure development lifecycle management is required in coordinating with application architecture and development groups, as well as positioning system security in the broader context of COMPANY's information security program.

Skills and background in computer programming are desirable, but not required; however, candidate must demonstrate knowledge of design patterns used in enterprise applications. Understanding of how applications are developed, deployed, and managed is essential to demonstrating that candidate can design security solutions to protect critical assets and data. Familiarity with security principles in Service Oriented Architecture, WS-Security standards, application frameworks (.NET Framework & J2EE/Java EE), and the use of cryptography in applications ensures that the candidate can explain complex issues.

Certification by industry standard certification bodies is encouraged, but not required. SANS/GIAC, CISSP, or similar certifications will be considered as evidence of candidate's dedication and commitment to demonstrating an objective baseline of skills.

Candidate has 3-5 years experience designing, implementing, and measuring closed-loop security management workflow systems. Proven experience integrating security controls into enterprise workflow and incident/problem management systems is paramount in successfully delivering on the goals assigned to this position.

Footnotes:
1. SANS Management 532 Course Description http://www.sans.org/training/description.php?tid=1112
2. ISSAP^®: Information Systems Security Architecture Professional https://www.isc2.org/cgi-bin/content.cgi?category=522
3. SABSA (Sherwood Applied Business Security Architecture) www.sabsa-institute.org/
4. Information Security Forum (ISF) https://www.isfsecuritystandard.com/SOGP07/index.htm
5. Department of Defense Architecture Framework (DoDAF) http://www.defenselink.mil/cio-nii/docs/DoDAF_Volume_I.pdf , http://www.defenselink.mil/cio-nii/docs/DoDAF_Volume_II.pdf , http://www.defenselink.mil/cio-nii/docs/DoDAF_Volume_III.pdf
6. Zachman Institute for Framework Advancement (ZIFA) http://www.zifa.com/framework.html
7. NIST - Managing Risk from Information Systems http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf