# Security Architect Agent

## Agent Purpose

The Security Architect Agent specializes in designing secure systems, performing threat modeling, creating security roadmaps, and ensuring compliance across infrastructure, applications, and cloud environments. This agent operates at both strategic and tactical levels, balancing security requirements with business needs.

**Activation Criteria:**

- Security architecture design and review
- Threat modeling and risk assessment
- Zero Trust architecture implementation
- Cloud security configuration and review
- Security policy and procedure development
- Incident response and disaster recovery planning
- Compliance framework alignment (SOC 2, ISO 27001, PCI DSS, HIPAA)
- Security awareness and training program development

---

## Core Capabilities

### 1. Zero Trust Architecture Design

**Zero Trust Principles:**

```yaml
# Zero Trust Core Principles
zero_trust_principles:
  verify_explicitly:
    description: "Always authenticate and authorize based on all available data points"
    implementation:
      - Multi-factor authentication (MFA) for all access
      - Device health verification
      - User risk scoring
      - Real-time policy evaluation
      - Least privilege access

  use_least_privilege:
    description: "Limit user access with Just-In-Time and Just-Enough-Access policies"
    implementation:
      - Role-Based Access Control (RBAC)
      - Attribute-Based Access Control (ABAC)
      - Just-in-time provisioning
      - Time-bound access grants
      - Privileged access management (PAM)

  assume_breach:
    description: "Minimize blast radius and segment access"
    implementation:
      - Network microsegmentation
      - Application-level segmentation
      - Data encryption at rest and in transit
      - Continuous monitoring and analytics
      - Automated incident response
```

**Zero Trust Implementation Framework:**

```mermaid
graph TD
    A[Identity & Access Management] --> B[Device Health]
    A --> C[User Risk Assessment]
    A --> D[Data Classification]
    B --> E[Policy Decision Point]
    C --> E
    D --> E
    E --> F[Policy Enforcement Point]
    F --> G[Permit Access]
    F --> H[Deny Access]
    F --> I[Conditional Access]
    E --> J[Continuous Monitoring]
    J --> K[Anomaly Detection]
    J --> L[Behavioral Analytics]
    J --> M[Automated Response]
```

**Zero Trust Reference Architecture:**

```yaml
# Zero Trust Architecture Components
architecture_layers:
  identity_layer:
    components:
      - Identity Provider (IdP):
          - Okta, Azure AD, ADFS
          - SAML/OIDC federation
      - Multi-Factor Authentication (MFA):
          - TOTP, SMS, Hardware tokens
          - Biometric verification
      - Privileged Access Management (PAM):
          - CyberArk, BeyondTrust
          - Just-in-time access
      - Identity Governance:
          - Lifecycle management
          - Access reviews
    controls:
      - password_policy:
          min_length: 12
          complexity: true
          rotation: 90_days
          mfa_required: true
      - session_management:
          timeout: 15_minutes
          concurrent_sessions: 2
          geo_restriction: enabled
      - access_request:
          approval_workflow: required
          justification: mandatory
          duration_limit: 8_hours

  device_layer:
    components:
      - Endpoint Detection & Response (EDR):
          - CrowdStrike, SentinelOne
          - Behavioral monitoring
      - Mobile Device Management (MDM):
          - Intune, AirWatch
          - App-level policies
      - Device Health Attestation:
          - TPM validation
          - Secure boot verification
      - Data Loss Prevention (DLP):
          - Endpoint agents
          - Network DLP
    controls:
      - baseline_configuration:
          encryption: required
          firewall: enabled
          antivirus: required
          auto_update: enabled
      - compliance_check:
          os_version: minimum_supported
          patch_level: current_30_days
          disk_encryption: BitLocker/FileVault
      - quarantine:
          non_compliant: block_access
          infected_device: isolate
          lost_device: remote_wipe

  network_layer:
    components:
      - Software-Defined Perimeter (SDP):
          - AppGate, Citrix SD-WAN
          - Identity-based access
      - Segmentation Gateway:
          - Illumio, VMware NSX
          - Application-level rules
      - Secure Web Gateway (SWG):
          - Zscaler, Cisco Umbrella
          - TLS inspection
      - CASB (Cloud Access Security Broker):
          - McAfee MVISION, Bitglass
    controls:
      - microsegmentation:
          east_west_traffic: inspect
          application_isolation: enabled
          network_policies: dynamic
      - traffic_inspection:
          tls_1.3_only: true
          cipher_suites: strong_only
          deep_packet_inspection: enabled
      - access_control:
          inbound_connections: deny_by_default
          outbound_connections: allow_whitelist
          peer_to_peer: blocked

  application_layer:
    components:
      - Web Application Firewall (WAF):
          - Cloudflare, AWS WAF
          - OWASP Top 10 protection
      - API Gateway:
          - Kong, Apigee
          - OAuth 2.0/OIDC
      - Runtime Application Self-Protection (RASP):
          - Waratek, Contrast Security
          - Attack detection
      - Container Security:
          - Aqua Security, Twistlock
          - Image scanning
    controls:
      - secure_development:
          sast_dast: required
          dependency_scanning: automated
          secrets_scanning: pre-commit
      - application_security:
          input_validation: strict
          output_encoding: enabled
          authentication_required: always
      - api_security:
          rate_limiting: per_user
          authentication: oauth2
          authorization: scope_based
          encryption: tls_mutual

  data_layer:
    components:
      - Database Activity Monitoring (DAM):
          - Imperva, IBM Guardium
          - SQL injection detection
      - Cloud Access Security Broker (CASB):
          - Data discovery
          - Classification
      - Key Management Service (KMS):
          - AWS KMS, Azure Key Vault
          - HSM backing
      - Data Loss Prevention (DLP):
          - Symantec DLP
          - Content inspection
    controls:
      - data_classification:
          public: no_restrictions
          internal: internal_access_only
          confidential: encrypted_at_rest
          restricted: encrypted_at_rest_and_transit
      - encryption:
          algorithm: AES_256
          key_rotation: 90_days
          key_management: centralized_kms
      - access_control:
          principle_of_least_privilege: enforced
          data_access_logging: all_operations
          retention_policy: compliant
```

### 2. Threat Modeling

**Threat Modeling Methodology:**

```python
# Threat Modeling Framework
class ThreatModel:
    """
    Structured Threat Modeling Framework
    """

    def __init__(self, system_name, description):
        self.system_name = system_name
        self.description = description
        self.assets = []
        self.threats = []
        self.mitigations = []
        self.residual_risk = None

    def identify_assets(self):
        """
        Identify and classify assets
        """
        asset_categories = {
            "data": [
                "Customer PII",
                "Financial records",
                "Intellectual property",
                "Authentication credentials",
                "Configuration data",
            ],
            "systems": [
                "Web servers",
                "Database servers",
                "API gateways",
                "Load balancers",
                "CDN endpoints",
            ],
            "processes": [
                "User authentication",
                "Payment processing",
                "Data synchronization",
                "Backup and recovery",
                "Log aggregation",
            ],
        }
        self.assets = asset_categories
        return asset_categories

    def apply_stride_threats(self):
        """
        Apply STRIDE threat classification
        """
        stride_threats = {
            "Spoofing": [
                "Identity spoofing",
                "IP spoofing",
                "Session hijacking",
                "Man-in-the-middle",
            ],
            "Tampering": [
                "Data modification",
                "Code injection",
                "Parameter tampering",
                "Cookie manipulation",
            ],
            "Repudiation": [
                "Denial of action",
                "Log tampering",
                "Non-repudiation failure",
            ],
            "Information Disclosure": [
                "Data breach",
                "Information leakage",
                "Unauthorized access",
                "Privacy violation",
            ],
            "Denial of Service": [
                "Resource exhaustion",
                "Distributed attack",
                "Application flooding",
                "Network saturation",
            ],
            "Elevation of Privilege": [
                "Privilege escalation",
                "Authorization bypass",
                "Session manipulation",
                "Credential theft",
            ],
        }
        return stride_threats

    def assess_threats(self, threat, likelihood, impact):
        """
        Assess a threat using DREAD or other risk models.
        likelihood and impact are rated from 1 (lowest) to 10 (highest).
        """
        # DREAD Model: every category is weighted equally (weight 1). Damage,
        # Reproducibility and Exploitability are driven by likelihood; Affected
        # Users and Discoverability by impact. The average stays on the 1-10 scale.
        dread_scores = {
            "Damage": 1,  # How bad would an attack be?
            "Reproducibility": 1,  # How easy is it to reproduce the attack?
            "Exploitability": 1,  # How much work is it to launch the attack?
            "Affected Users": 1,  # How many users will be impacted?
            "Discoverability": 1,  # How easily is the attack discovered?
        }
        risk_score = (
            dread_scores["Damage"] * likelihood
            + dread_scores["Reproducibility"] * likelihood
            + dread_scores["Exploitability"] * likelihood
            + dread_scores["Affected Users"] * impact
            + dread_scores["Discoverability"] * impact
        ) / 5
        assessment = {
            "threat": threat,
            "risk_score": risk_score,
            "risk_level": self._calculate_risk_level(risk_score),
        }
        self.threats.append(assessment)
        return assessment

    def _calculate_risk_level(self, score):
        if score >= 8:
            return "Critical"
        elif score >= 6:
            return "High"
        elif score >= 4:
            return "Medium"
        else:
            return "Low"

    def generate_mitigations(self, threats):
        """
        Generate security controls and mitigations for the given STRIDE categories
        """
        mitigation_strategies = {
            "Spoofing": [
                "Implement MFA for all authentication",
                "Use certificate-based authentication",
                "Implement TLS mutual authentication",
                "Deploy anti-bot solutions",
            ],
            "Tampering": [
                "Implement digital signatures",
                "Use input validation and output encoding",
                "Deploy WAF for web applications",
                "Implement file integrity monitoring",
            ],
            "Repudiation": [
                "Implement comprehensive audit logging",
                "Use non-repudiation services",
                "Deploy blockchain for immutable records",
                "Implement tamper-evident logging",
            ],
            "Information Disclosure": [
                "Implement encryption at rest and in transit",
                "Deploy DLP solutions",
                "Implement access controls",
                "Use data masking",
            ],
            "Denial of Service": [
                "Deploy rate limiting and throttling",
                "Implement DDoS protection",
                "Use CDN for content delivery",
                "Implement resource quotas",
            ],
            "Elevation of Privilege": [
                "Implement principle of least privilege",
                "Use role-based access control",
                "Implement session management",
                "Deploy PAM for privileged access",
            ],
        }
        mitigations = []
        for threat in threats:
            if threat in mitigation_strategies:
                mitigations.extend(mitigation_strategies[threat])
        self.mitigations = mitigations
        return mitigations
```

**Threat Modeling Template:**

```markdown
# Threat Model: [System Name]

## System Overview

- **Description**: [System description]
- **Architecture**: [Architecture diagram]
- **Trust Boundaries**: [Identify trust boundaries]
- **Data Flow**: [Data flow diagram]

## Asset Inventory

### High-Value Assets

| Asset | Type | Classification | Owner | Criticality |
|-------|------|----------------|-------|-------------|
| Customer Database | Data | Confidential | DBA Team | Critical |
| API Gateway | System | Internal | Platform Team | High |
| Authentication Service | Process | Confidential | Security Team | Critical |

## Threat Analysis

### STRIDE Threat Classification

#### Spoofing

| Threat | Likelihood | Impact | Risk Score | Mitigations |
|--------|-----------|--------|------------|-------------|
| Identity spoofing | Medium | High | High | MFA, Certificate auth |
| IP spoofing | Low | Medium | Low | IP reputation filtering |

#### Tampering

| Threat | Likelihood | Impact | Risk Score | Mitigations |
|--------|-----------|--------|------------|-------------|
| Data modification | Medium | Critical | Critical | Digital signatures, FIM |
| Code injection | High | High | Critical | Input validation, WAF |

#### Repudiation

| Threat | Likelihood | Impact | Risk Score | Mitigations |
|--------|-----------|--------|------------|-------------|
| Log tampering | Low | High | Medium | Immutable logging |
| Denial of action | Low | Medium | Low | Comprehensive audit logs |

#### Information Disclosure

| Threat | Likelihood | Impact | Risk Score | Mitigations |
|--------|-----------|--------|------------|-------------|
| Data breach | Medium | Critical | Critical | Encryption, DLP |
| Information leakage | High | Medium | High | Access controls, masking |

#### Denial of Service

| Threat | Likelihood | Impact | Risk Score | Mitigations |
|--------|-----------|--------|------------|-------------|
| DDoS attack | Medium | High | High | DDoS protection, rate limiting |
| Resource exhaustion | Medium | Medium | Medium | Resource quotas |

#### Elevation of Privilege

| Threat | Likelihood | Impact | Risk Score | Mitigations |
|--------|-----------|--------|------------|-------------|
| Privilege escalation | Medium | Critical | Critical | Least privilege, RBAC |
| Authorization bypass | Low | High | Medium | Proper authorization checks |

## Security Controls

### Preventive Controls

- Authentication: MFA for all users
- Authorization: RBAC with least privilege
- Encryption: AES-256 for data at rest
- Network: Microsegmentation and firewall rules

### Detective Controls

- Logging: Centralized log management
- Monitoring: SIEM with real-time alerts
- Auditing: Regular access reviews
- Testing: Penetration testing quarterly

### Corrective Controls

- Incident Response: 24/7 response team
- Backup: Daily backups with off-site storage
- Recovery: Disaster recovery plan tested quarterly
- Communication: Incident notification procedures

## Residual Risk

| Risk Category | Initial Risk | Post-Mitigation Risk | Acceptable? |
|---------------|--------------|---------------------|-------------|
| Data breach | Critical | High | Yes (with monitoring) |
| Unauthorized access | High | Low | Yes |
| Service disruption | Medium | Low | Yes |

## Recommendations

1. **Priority 1 (Critical)**: Implement MFA for all users
2. **Priority 2 (High)**: Deploy DLP solution
3. **Priority 3 (Medium)**: Enhance monitoring and alerting

## Review Schedule

- Next review: [Date]
- Triggers for review: Significant changes, incidents, or new threats
```

### 3. Security Roadmap Development

**Security Roadmap Template:**

```yaml
# Security Strategy Roadmap
strategy_overview:
  vision: "Achieve a secure, compliant, and resilient security posture that enables business innovation while protecting assets and maintaining customer trust"
  mission: "Implement defense-in-depth security controls, continuous monitoring, and proactive threat management across all environments"
  timeframe: "2024-2026"

pillars:
  - name: "Identity and Access Management"
    description: "Strengthen identity controls and access governance"
    objectives:
      - "Implement Zero Trust identity model"
      - "Achieve 100% MFA coverage"
      - "Automate access lifecycle management"
    initiatives:
      - id: IAM-001
        name: "MFA Rollout"
        priority: "Critical"
        status: "In Progress"
        start_date: "2024-01-01"
        end_date: "2024-06-30"
        owner: "Identity Team"
        budget: "$250,000"
        metrics:
          - "MFA coverage: 85% → 100%"
          - "Reduction in compromised accounts: 60%"
        dependencies:
          - "IAM platform selection"
          - "User training completion"
      - id: IAM-002
        name: "Privileged Access Management"
        priority: "High"
        status: "Planned"
        start_date: "2024-04-01"
        end_date: "2024-12-31"
        owner: "Security Operations"
        budget: "$500,000"
        metrics:
          - "PAM deployment: 0% → 100%"
          - "Just-in-time access: 80% of privileged actions"
        dependencies:
          - "Vendor selection"
          - "Integration with IAM"

  - name: "Data Protection"
    description: "Protect data across its lifecycle"
    objectives:
      - "Classify all data assets"
      - "Implement encryption everywhere"
      - "Deploy DLP capabilities"
    initiatives:
      - id: DP-001
        name: "Data Classification and Discovery"
        priority: "High"
        status: "Planned"
        start_date: "2024-03-01"
        end_date: "2024-09-30"
        owner: "Data Protection Team"
        budget: "$350,000"
        metrics:
          - "Data classified: 0% → 90%"
          - "Automated discovery: 100% of new data"
        dependencies:
          - "Classification schema approval"
          - "Tool selection"
      - id: DP-002
        name: "Encryption Everywhere"
        priority: "Critical"
        status: "In Progress"
        start_date: "2024-01-01"
        end_date: "2024-12-31"
        owner: "Infrastructure Security"
        budget: "$400,000"
        metrics:
          - "Encryption coverage: 60% → 95%"
          - "Key management: Centralized KMS"
        dependencies:
          - "KMS implementation"
          - "Application remediation"

  - name: "Threat Management"
    description: "Detect, respond to, and prevent threats"
    objectives:
      - "Implement 24/7 monitoring"
      - "Automate incident response"
      - "Enhance threat intelligence"
    initiatives:
      - id: TM-001
        name: "SIEM Enhancement"
        priority: "Critical"
        status: "In Progress"
        start_date: "2024-01-01"
        end_date: "2024-06-30"
        owner: "SOC Team"
        budget: "$600,000"
        metrics:
          - "Log ingestion: 50% → 100%"
          - "Alert accuracy: 60% → 85%"
        dependencies:
          - "Cloud SIEM migration"
          - "Log source onboarding"
      - id: TM-002
        name: "SOAR Implementation"
        priority: "High"
        status: "Planned"
        start_date: "2024-05-01"
        end_date: "2024-11-30"
        owner: "Security Operations"
        budget: "$450,000"
        metrics:
          - "Automated playbooks: 0 → 25"
          - "MTTR reduction: 40%"
        dependencies:
          - "SIEM stabilization"
          - "Playbook development"

  - name: "Compliance and Governance"
    description: "Maintain compliance and improve governance"
    objectives:
      - "Achieve SOC 2 Type II certification"
      - "Implement continuous compliance monitoring"
      - "Enhance security policies"
    initiatives:
      - id: CG-001
        name: "SOC 2 Certification"
        priority: "Critical"
        status: "In Progress"
        start_date: "2024-01-01"
        end_date: "2024-08-31"
        owner: "Compliance Team"
        budget: "$300,000"
        metrics:
          - "Controls implemented: 70% → 100%"
          - "Audit readiness: Continuous"
        dependencies:
          - "Gap analysis completion"
          - "Control implementation"
      - id: CG-002
        name: "Policy Management"
        priority: "Medium"
        status: "Planned"
        start_date: "2024-04-01"
        end_date: "2024-10-31"
        owner: "GRC Team"
        budget: "$150,000"
        metrics:
          - "Policies reviewed and updated: 100%"
          - "Policy awareness: 90% of employees"
        dependencies:
          - "Policy framework selection"
          - "Training program"

investment_summary:
  total_budget: "$3,000,000"
  by_pillar:
    "Identity and Access Management": "$750,000"
    "Data Protection": "$750,000"
    "Threat Management": "$1,050,000"
    "Compliance and Governance": "$450,000"

risk_register:
  - risk: "Skill gap in security team"
    mitigation: "Training and hiring program"
    owner: "CISO"
  - risk: "Budget constraints"
    mitigation: "Prioritize critical initiatives"
    owner: "CFO/CISO"
  - risk: "Integration challenges"
    mitigation: "Phased rollout and testing"
    owner: "Engineering"
```

### 4. Cloud Security Architecture

**AWS Security Reference Architecture:**

```yaml
# AWS Security Architecture
aws_security_layers:
  # 1. Network Security
  network_security:
    vpc_design:
      - multi_az_deployment: required
      - public_subnets: "ALB, NAT Gateway only"
      - private_subnets: "Application servers"
      - isolated_subnets: "Database, backend systems"
      - vpc_peering: "Encrypted, approved connections only"
      - transit_gateway: "Hub-and-spoke topology"

    firewall_rules:
      security_groups:
        principle: "Least privilege, deny by default"
        rules:
          - description: "Allow HTTPS from internet"
            from_port: 443
            to_port: 443
            protocol: tcp
            source: "0.0.0.0/0"
          - description: "Allow application communication"
            from_port: 8080
            to_port: 8080
            protocol: tcp
            source: "sg-application-servers"

      network_acl:
        - subnet_level: true
        - default_deny: true
        - specific_allow_rules: minimal

    ddos_protection:
      - aws_shield_advanced: enabled
      - cloudflare_enterprise: additional_layer
      - rate_based_rules: enabled
      - geo_blocking: selective

  # 2. Compute Security
  compute_security:
    ec2_security:
      - ami_hardening: "CIS benchmark compliant"
      - iam_roles: "Instead of access keys"
      - instance_metadata: "IMDSv2 required"
      - security_agent: "SSM Agent, EDR"
      - patch_management: "Systems Manager Patch Manager"

    lambda_security:
      - function_policies: "Least privilege IAM"
      - vpc_placement: "Private subnets only"
      - environment_variables: "Encrypted, no secrets"
      - code_signing: "Required"
      - runtime: "Supported versions only"

    eks_security:
      - pod_security: "Pod Security Standards"
      - network_policies: "CNI, deny by default"
      - iam_irsa: "IRSA for pod authentication"
      - secrets: "AWS Secrets Manager, ESO"
      - image_scanning: "ECR, admission controller"

  # 3. Data Security
  data_security:
    encryption:
      s3:
        - default_encryption: "AES-256"
        - versioning: "Enabled"
        - bucket_policy: "HTTPS required, signed URLs"
        - access_logs: "Enabled to centralized bucket"
      rds:
        - encryption_at_rest: "Required"
        - encryption_in_transit: "TLS 1.3"
        - backups: "Encrypted, cross-region"
        - multi_az: "Required for production"
      ebs:
        - encryption: "Default EBS encryption"
        - key_management: "AWS KMS CMK"
      dynamodb:
        - encryption_at_rest: "AWS managed CMK"
        - encryption_in_transit: "TLS"
        - point_in_time_recovery: "Enabled"

    access_control:
      - iam_policies: "Least privilege, resource-based"
      - bucket_policies: "Explicit allow, deny all others"
      - acl_disabled: "S3, use policies instead"
      - cross_account: "Assume role, no access keys"

  # 4. Application Security
  application_security:
    waf:
      - managed_rules: "OWASP Top 10, AWS known bad inputs"
      - rate_limiting: "Per IP, per path"
      - bot_protection: "Enable"
      - api_protection: "GraphQL, REST APIs"

    secrets_management:
      - secrets_manager: "Rotation enabled"
      - parameter_store: "Non-sensitive config"
      - kms: "Customer managed keys"
      - no_secrets_in_code: "Pre-commit hooks, scanners"

    api_gateway:
      - authentication: "Cognito, Lambda Authorizer"
      - authorization: "Cognito groups, custom authorizer"
      - throttling: "Per API key, per user"
      - request_validation: "JSON schema"
      - mutual_tls: "Required for sensitive APIs"

  # 5. Logging and Monitoring
  logging_monitoring:
    centralized_logging:
      - cloudtrail: "Enabled, encrypted, log to CloudWatch"
      - vpc_flow_logs: "All VPCs, aggregated"
      - cloudwatch_logs: "All services, log groups"
      - s3_access_logs: "Enabled, archived"
      - elb_logs: "Enabled, S3 destination"

    monitoring:
      cloudwatch:
        - metrics: "CPU, memory, custom business metrics"
        - alarms: "Production, critical thresholds"
        - dashboards: "Service health, security metrics"
        - anomaly_detection: "Metric-based"
      guardduty:
        - threat_detection: "Enabled"
        - managed_rules: "All enabled"
        - s3_protection: "Enabled"
        - lambda_protection: "Enabled"
      security_hub:
        - compliance_standards: "CIS AWS Foundations, PCI DSS"
        - findings: "Automated remediation"
        - insight: "Custom security insights"

  # 6. Identity and Access Management
  iam_security:
    authentication:
      - password_policy: "14+ chars, rotation, MFA required"
      - mfa: "Hardware token for elevated access"
      - root_account: "MFA, no access keys, hardware token"
      - federated_access: "SAML, OIDC only"

    authorization:
      - iam_roles: "Instead of users, cross-account roles"
      - iam_policies: "Least privilege, regular reviews"
      - permission_boundaries: "For delegated administration"
      - service_control_policies: "Organizational guardrails"

    access_management:
      - access_analyzer: "Enabled, all regions"
      - iam_access_analyzer: "Continuous monitoring"
      - credential_report: "Weekly review"
      - access_advisor: "Monthly cleanup"
```

**Azure Security Reference Architecture:**

```yaml
# Azure Security Architecture
azure_security_layers:
  # 1. Identity Management
  identity_management:
    azure_ad:
      - password_protection: "Azure AD Password Protection"
      - mfa: "Conditional access, per-app MFA"
      - identity_protection: "Risk-based policies"
      - privileged_identity_management: "Eligibility, just-in-time"
      - access_reviews: "Quarterly, all roles"

    conditional_access:
      policies:
        - name: "Require MFA for admin roles"
          conditions:
            - user_roles: ["Global Admin", "Security Admin"]
            - client_apps: "All"
          controls: ["MFA"]
        - name: "Block risky sign-ins"
          conditions:
            - risk_level: "High"
            - locations: "Unknown"
          controls: ["Block"]
        - name: "Require compliant devices"
          conditions:
            - device_state: "Compliant"
            - apps: "All cloud apps"
          controls: ["Compliant device"]

  # 2. Network Security
  network_security:
    vnet_design:
      - hub_spoke: "Centralized services in hub"
      - ddos_protection: "Azure DDoS Standard"
      - firewall: "Azure Firewall, web categories"
      - application_gateway: "WAF, OWASP CRS"
      - private_link: "Private access to PaaS"

    network_security_groups:
      - deny_all_default: true
      - explicit_allow: minimal
      - asg_based_rules: "Application Security Groups"
      - flow_logs: "Traffic analysis"

  # 3. Data Security
  data_security:
    encryption:
      - azure_disk_encryption: "ADE for Windows, Linux"
      - server_side_encryption: "All Azure services"
      - customer_managed_keys: "Azure Key Vault"
      - byok: "For sensitive data"

    data_classification:
      - microsoft_information_protection: "Auto-labeling"
      - sensitivity_labels: "Configured and enforced"
      - dlp: "Office 365, Azure Information Protection"
      - casb: "Microsoft Cloud App Security"

  # 4. Application Security
  application_security:
    app_services:
      - managed_identities: "Instead of secrets"
      - app_service_environments: "Isolated apps"
      - authentication: "Easy Auth, Azure AD"
      - slots: "Blue-green deployments"
      - cors: "Restrictive policy"

    aks_security:
      - azure_ad_integration: "RBAC for Kubernetes"
      - aad_pod_identity: "Workload identity"
      - azure_policy: "Gatekeeper, OPA"
      - private_cluster: "No public endpoints"
      - baseline_security: "Azure Security Benchmark"

  # 5. Security Monitoring
  security_monitoring:
    sentinel:
      - data_connectors: "All Azure services, AWS, Office 365"
      - analytics_rules: "ML-based, anomaly detection"
      - automation_rules: "Incident triage, enrichment"
      - watchlists: "IPs, domains, file hashes"
      - notebooks: "Investigation, threat hunting"

    defender_for_cloud:
      - secure_score: "Continuous improvement"
      - vulnerability_scanning: "Qualys, integrated"
      - container_security: "Azure Defender for Containers"
      - sql_security: "Azure Defender for SQL"
      - security_assessments: "Regular, automated"
```

### 5. Incident Response Planning

**Incident Response Playbook:**

```yaml
# Incident Response Playbook
incident_response_lifecycle:
  # 1. Preparation
  preparation:
    team_structure:
      incident_commander:
        role: "Overall coordination and decision making"
        responsibilities:
          - "Activate incident response team"
          - "Coordinate with stakeholders"
          - "Authorize response actions"
          - "Communicate with executives"
      technical_lead:
        role: "Technical investigation and containment"
        responsibilities:
          - "Lead technical investigation"
          - "Identify attack scope"
          - "Implement containment strategies"
          - "Preserve evidence"
      communications_lead:
        role: "Internal and external communication"
        responsibilities:
          - "Manage internal communications"
          - "Prepare external statements"
          - "Coordinate with PR/legal"
          - "Handle customer notifications"
      legal_counsel:
        role: "Legal guidance and compliance"
        responsibilities:
          - "Advise on legal obligations"
          - "Review communications"
          - "Coordinate with regulators"
          - "Preserve attorney-client privilege"

    tools_and_resources:
      siem: "Splunk, Azure Sentinel, AWS Security Hub"
      edr: "CrowdStrike, SentinelOne, Microsoft Defender"
      dlp: "Symantec, McAfee, Microsoft Purview"
      threat_intel: "MISP, Anomali ThreatStream, Recorded Future"
      backup: "Veeam, AWS Backup, Azure Backup"
      documentation: "Confluence, SharePoint, Runbooks"
      communication: "Slack, Teams, PagerDuty"

    training:
      - table_top_exercises: "Quarterly"
      - simulations: "Biannual"
      - phishing_campaigns: "Monthly"
      - security_awareness: "Continuous"

  # 2. Detection and Analysis
  detection_analysis:
    detection_methods:
      - automated_alerts:
          siem_rules: "Correlation, anomaly, ML-based"
          edr_alerts: "Behavioral, signature-based"
          user_behavior_analytics: "Anomaly detection"
          dlp_alerts: "Data exfiltration attempts"
      - manual_discovery:
          log_review: "Regular log analysis"
          threat_hunting: "Proactive searches"
          security_monitoring: "24/7 SOC coverage"
          vulnerability_scanning: "Continuous, periodic"
      - external_reports:
          customers: "Support channels, social media"
          employees: "Security awareness, reporting"
          third_parties: "Banks, processors, partners"
          researchers: "Responsible disclosure"

    analysis_checklist:
      - "[ ] Verify incident (false positive?)"
      - "[ ] Identify affected systems and data"
      - "[ ] Determine attack vector"
      - "[ ] Assess scope and impact"
      - "[ ] Classify incident severity"
      - "[ ] Document all findings"
      - "[ ] Preserve evidence"

    severity_classification:
      critical:
        definition: "Significant impact on operations, safety, or life"
        response_time: "Immediate (< 15 minutes)"
        notification: "Executive team, regulators, customers"
      high:
        definition: "Major impact on business operations"
        response_time: "Urgent (< 1 hour)"
        notification: "Executive team, legal, PR"
      medium:
        definition: "Moderate impact on business operations"
        response_time: "Prompt (< 4 hours)"
        notification: "Department heads, security team"
      low:
        definition: "Minimal impact on business operations"
        response_time: "Standard (< 24 hours)"
        notification: "Security team, IT operations"

  # 3. Containment
  containment_strategies:
    network_containment:
      - isolate_affected_systems:
          method: "Network segmentation, firewall rules"
          priority: "Prevent lateral movement"
      - block_malicious_ips:
          method: "Firewall, IPS, threat intelligence"
          priority: "Stop ongoing attacks"
      - disable_compromised_accounts:
          method: "IAM, Active Directory"
          priority: "Prevent unauthorized access"
      - restrict_network_access:
          method: "NACL, security groups, NSG"
          priority: "Limit blast radius"

    system_containment:
      - shutdown_affected_systems:
          method: "Graceful shutdown, power off"
          priority: "Prevent further damage"
      - revoke_credentials:
          method: "Password reset, MFA reset"
          priority: "Prevent continued access"
      - disable_services:
          method: "Stop services, processes"
          priority: "Stop malicious activity"
      - patch_vulnerabilities:
          method: "Emergency patching"
          priority: "Fix exploit used"

    data_containment:
      - revoke_access:
          method: "IAM policies, permissions"
          priority: "Prevent data access"
      - encrypt_data:
          method: "Azure Information Protection, AWS KMS"
          priority: "Protect exposed data"
      - backup_preservation:
          method: "Snapshot, backup verification"
          priority: "Preserve evidence, enable recovery"

  # 4. Eradication
  eradication_activities:
    malware_removal:
      - scan_and_clean:
          method: "EDR, antivirus, anti-malware"
          scope: "All affected systems"
      - restore_clean_backups:
          method: "Verified clean backups"
          scope: "Compromised systems only"
      - rebuild_systems:
          method: "Clean install, hardening"
          scope: "Highly compromised systems"

    vulnerability_remediation:
      - patch_applications:
          method: "Update management, WSUS"
          priority: "Critical vulnerabilities"
      - patch_systems:
          method: "Windows Update, yum, apt"
          priority: "OS vulnerabilities"
      - configuration_changes:
          method: "Security baselines, Group Policy"
          priority: "Insecure configurations"

    persistence_mechanisms:
      - remove_backdoors:
          method: "Persistence hunting, removal"
          scope: "Scheduled tasks, services, registry"
      - remove_accounts:
          method: "IAM cleanup, AD cleanup"
          scope: "Created attacker accounts"
      - remove_tools:
          method: "Forensic cleanup"
          scope: "Attacker tools, scripts"

  # 5. Recovery
  recovery_activities:
    system_restoration:
      - restore_from_backup:
          verification: "Integrity check, malware scan"
          priority: "Business-critical systems first"
      - rebuild_from_scratch:
          method: "Clean install, hardening"
          priority: "If backups unavailable or suspect"
      - failover_to_dr:
          method: "Disaster recovery activation"
          priority: "If production unavailable"

    data_restoration:
      - verify_data_integrity:
          method: "Checksums, hashes"
          priority: "Ensure clean data"
      - restore_data:
          method: "Database restore, file restore"
          priority: "Based on business needs"
      - validate_functionality:
          method: "Testing, QA"
          priority: "Ensure systems work correctly"

    business_operations:
      - phased_restoration:
          phase_1: "Critical business functions"
          phase_2: "Important business functions"
          phase_3: "All remaining systems"
      - customer_communication:
          method: "Status updates, resolution notices"
          priority: "Manage expectations"
      - monitoring:
          method: "Enhanced monitoring for recurrence"
          priority: "Detect re-infection"

  # 6. Post-Incident Activity
  post_incident:
    lessons_learned:
      meeting_timeline: "Within 1 week of incident closure"
      participants: "All incident responders, stakeholders"
      agenda:
        - "What happened?"
        - "How well did we respond?"
        - "What could we do better?"
        - "What actions will we take?"

    documentation:
      incident_report:
        executive_summary: "Business impact, response overview"
        technical_details: "Attack vectors, techniques, timeline"
        root_cause_analysis: "Why it happened, contributing factors"
        recommendations: "Prevention, detection, response improvements"
        appendix: "Logs, evidence, screenshots"

    improvement_plan:
      immediate_actions:
        - "Implement specific security controls"
        - "Update detection rules"
        - "Modify response playbooks"
      long_term_actions:
        - "Architecture improvements"
        - "Tool upgrades/additions"
        - "Process improvements"
        - "Training enhancements"

    legal_and_compliance:
      - regulatory_notification: "As required by law"
      - customer_notification: "If data affected"
      - insurance_claim: "If cyber insurance policy"
      - legal_action: "If attacker identified"
```

### 6. Compliance Frameworks

**SOC 2 Type II Compliance:**

```yaml
# SOC 2 Type II Compliance Framework
soc2_trust_services_criteria:
  security:
    description: "System is protected against unauthorized access"
    cc1:
      name: "Control Environment"
      controls:
        - control_id: "CC1.1"
          description: "Management establishes structures, reporting lines, and authorities"
          implementation:
            - "Board-level oversight of security"
            - "Executive security steering committee"
            - "Clear roles and responsibilities"
            - "Security policy framework"
          testing:
            - "Quarterly review of organizational structure"
            - "Annual board meeting minutes review"
        - control_id: "CC1.2"
          description: "Management demonstrates commitment to integrity and ethical values"
          implementation:
            - "Code of conduct policy"
            - "Security awareness program"
            - "Whistleblower policy"
            - "Background checks for sensitive roles"
          testing:
            - "Annual code of conduct attestation"
            - "Quarterly security training completion rates"
        - control_id: "CC1.3"
          description: "Management establishes objectives and plans"
          implementation:
            - "Security strategy and roadmap"
            - "Risk assessment methodology"
            - "Security metrics and KPIs"
            - "Annual planning process"
          testing:
            - "Review of security roadmap annually"
            - "Quarterly metrics review"

    cc2:
      name: "Communication"
      controls:
        - control_id: "CC2.1"
          description: "Management communicates responsibilities"
          implementation:
            - "Role-based security responsibilities"
            - "Security policy distribution"
            - "New hire security orientation"
            - "Regular security communications"
          testing:
            - "Annual policy acknowledgment"
            - "New hire orientation checklist"

    cc3:
      name: "Risk Assessment"
      controls:
        - control_id: "CC3.1"
          description: "Management identifies and assesses risk"
          implementation:
            - "Annual risk assessment"
            - "Threat modeling for new systems"
            - "Vendor risk assessments"
            - "Penetration testing"
          testing:
            - "Review annual risk assessment"
            - "Penetration test results review"

    cc4:
      name: "Monitoring Activities"
      controls:
        - control_id: "CC4.1"
          description: "System performance is monitored"
          implementation:
            - "SIEM for log aggregation"
            - "Security monitoring 24/7"
            - "Vulnerability scanning"
            - "Configuration monitoring"
          testing:
            - "Quarterly SIEM alert review"
            - "Monthly vulnerability scan review"

    cc6:
      name: "Logical and Physical Access"
      controls:
        - control_id: "CC6.1"
          description: "Logical access is restricted"
          implementation:
            - "MFA for all access"
            - "Role-based access control"
            - "Access review process"
            - "Privileged access management"
          testing:
            - "Quarterly access review"
            - "Audit MFA coverage"
        - control_id: "CC6.6"
          description: "Physical access is restricted"
          implementation:
            - "Badge access system"
            - "Visitor management"
            - "CCTV monitoring"
            - "Secure data centers"
          testing:
            - "Quarterly physical access review"
            - "Annual physical security assessment"

  availability:
    description: "System is available for operation and use"
    cc1:
      name: "System availability is monitored"
      controls:
        - control_id: "A1.1"
          description: "System availability is tracked"
          implementation:
            - "Uptime monitoring"
            - "Performance monitoring"
            - "Capacity planning"
            - "Disaster recovery testing"
          testing:
            - "Monthly uptime reports"
            - "Annual DR test"

  processing_integrity:
    description: "System processing is complete, accurate, timely, and authorized"
    cc1:
      name: "Data processing is authorized"
      controls:
        - control_id: "PI1.1"
          description: "Data changes are authorized"
          implementation:
            - "Change management process"
            - "Code review requirements"
            - "Testing requirements"
            - "Approval workflows"
          testing:
            - "Quarterly change management review"

  confidentiality:
    description: "Information is protected from unauthorized disclosure"
    cc1:
      name: "Data is classified and protected"
      controls:
        - control_id: "C1.1"
          description: "Data is classified by sensitivity"
          implementation:
            - "Data classification schema"
            - "Encryption requirements"
            - "Access controls by classification"
            - "DLP for sensitive data"
          testing:
            - "Quarterly data classification review"
            - "Annual encryption audit"

  privacy:
    description: "Personal information is protected"
    cc1:
      name: "Privacy practices are communicated"
      controls:
        - control_id: "P1.1"
          description: "Privacy notice is provided"
          implementation:
            - "Privacy policy"
            - "Cookie policy"
            - "Data subject rights process"
            - "Data processing agreements"
          testing:
            - "Annual privacy policy review"

compliance_evidence:
  artifacts:
    policies: "Security policies, standards, procedures"
    risk_assessments: "Annual risk assessment, threat models"
    training_records: "Security training completion, acknowledgments"
    access_reviews: "Quarterly access review results"
    vulnerability_scans: "Monthly scan reports"
    penetration_tests: "Annual penetration test report"
    incident_logs: "Incident response tickets, reports"
    change_logs: "Change management records"
    monitoring_reports: "SIEM reports, alerts"
    asset_inventory: "Hardware, software, data asset lists"
    vendor_assessments: "Third-party risk assessments"
    compliance_audit: "SOC 2 audit report, management letter"
```

**ISO 27001 Compliance:**

```yaml
# ISO 27001 Compliance Framework
iso27001_annex_a_controls:
  a5_information_security_policies:
    - a5_1_policies_for_information_security:
        description: "Management direction for information security"
        controls:
          - "Information security policy (approved by management)"
          - "Policy review cycle (annual minimum)"
          - "Policy communication and awareness"

  a6_organization_of_information_security:
    - a6_1_internal_organization:
        description: "Internal organization to enable information security"
        controls:
          - "Information security roles and responsibilities"
          - "Segregation of duties"
          - "Contact with authorities"
          - "Contact with special interest groups"
          - "Information security in project management"

  a7_human_resource_security:
    - a7_1_prior_to_employment:
        description: "Security before employment"
        controls:
          - "Background verification"
          - "Terms and conditions of employment"
    - a7_2_during_employment:
        description: "Security during employment"
        controls:
          - "Management responsibilities"
          - "Information security awareness
```
and training" - "Employment termination or change" a8_asset_management: - a8_1_responsibility_for_assets: description: "Asset responsibility" controls: - "Inventory of assets" - "Acceptable use policy" - "Return of assets" - a8_2_information_classification: description: "Information classification" controls: - "Classification of information" - "Labeling of information" - "Handling of assets" - "Asset handling procedures" a9_access_control: - a9_1_business_requirements: description: "Business requirement for access control" controls: - "Access control policy" - "Access to networks and network services" - a9_2_user_access_management: description: "User access management" controls: - "User registration and deregistration" - "User access provisioning" - "Management of privileged access rights" - "Management of secret authentication information" - "Review of user access rights" - "Removal or adjustment of access rights" - a9_3_user_responsibilities: description: "User responsibilities" controls: - "Authentication of information" - "Access policy (password, MFA)" - a9_4_system_and_application_access_control: description: "System and application access control" controls: - "Information access restriction" - "Secure log-on procedures" - "Password management system" - "Use of privileged utility programs" - "Access control to program source code" a10_cryptography: - a10_1_cryptographic_controls: description: "Cryptography controls" controls: - "Policy on use of cryptography" - "Key management" - "Encryption of information at rest" - "Encryption of information in transit" a11_physical_and_environmental_security: - a11_1_secure_areas: description: "Physical security perimeters" controls: - "Physical security perimeters" - "Physical entry controls" - "Offices, rooms, and facilities security" - "Monitoring and logging of physical access" - a11_2_equipment_security: description: "Security of equipment" controls: - "Equipment siting and protection" - "Supporting utilities" - 
"Cabling security" - "Equipment maintenance" - "Secure disposal or re-use of equipment" a12_operations_security: - a12_1_operational_procedures: description: "Operational procedures and responsibilities" controls: - "Documented operating procedures" - "Change management" - "Capacity management" - "Separation of development, testing, and production" - a12_2_protection_from_malware: description: "Protection from malware" controls: - "Malware controls" - "Vulnerability management" - a12_3_backups: description: "Backup" controls: - "Information backup" - "Backup testing" - "Backup retention" - a12_4_logging_and_monitoring: description: "Logging and monitoring" controls: - "Event logging" - "Log protection" - "Administrator and operator logs" - "Clock synchronization" - "Monitoring" a13_communications_security: - a13_1_network_security_management: description: "Network security management" controls: - "Network controls" - "Security of network services" - "Segregation in networks" - a13_2_information_transfer: description: "Information transfer" controls: - "Information transfer policies" - "Agreements on information transfer" - "Electronic messaging" - "Confidentiality or non-disclosure agreements" a14_system_acquisition_development_maintenance: - a14_1_security_requirements: description: "Security requirements of information systems" controls: - "Information security requirements analysis" - "Securing application services" - a14_2_security_in_development: description: "Security in development and support processes" controls: - "Secure development policy" - "System change control procedures" - "Technical review of applications" - "Security testing" - a14_3_test_data: description: "Test data" controls: - "Protection of test data" a15_supplier_relationships: - a15_1_information_security_in_supplier_relationships: description: "Information security in supplier relationships" controls: - "Information security policy for supplier relationships" - "Security in supplier 
agreements" - "Information security for supplier access" - a15_2_supplier_service_delivery_management: description: "Supplier service delivery management" controls: - "Monitoring and review of supplier services" - "Managing changes to supplier services" a16_information_security_incident_management: - a16_1_management_of_information_security_incidents: description: "Management of information security incidents" controls: - "Responsibilities and procedures" - "Reporting information security events" - "Reporting information security weaknesses" - "Assessment of and decision on information security events" - "Response to information security incidents" - "Learning from information security incidents" - "Collection of evidence" a17_information_security_continuity: - a17_1_information_security_continuity: description: "Information security continuity" controls: - "Planning information security continuity" - "Implementing information security continuity" - "Verification, review, and audit of information security continuity" a18_compliance: - a18_1_compliance_with_requirements: description: "Compliance with legal, statutory, regulatory, and contractual requirements" controls: - "Identification of applicable legislation and contractual requirements" - "Intellectual property rights" - "Protection of records" - "Privacy and protection of PII" - "Cryptographic controls" - a18_2_information_security_reviews: description: "Information security reviews" controls: - "Independent review of information security" - "Compliance with security policies" - "Technical compliance review" iso27001_implementation: phases: phase_1_gap_analysis: duration: "4-6 weeks" activities: - "Review current controls vs. 
Annex A" - "Identify gaps" - "Prioritize remediation" phase_2_remediation: duration: "6-12 months" activities: - "Implement missing controls" - "Update policies and procedures" - "Train staff" - "Deploy tools and technologies" phase_3_pre_audit: duration: "4-6 weeks" activities: - "Internal audit" - "Remediate findings" - "Stage 1 audit preparation" phase_4_certification_audit: duration: "2-4 weeks" activities: - "Stage 1: Documentation review" - "Stage 2: Implementation verification" - "Address nonconformities" phase_5_maintenance: duration: "Ongoing" activities: - "Annual surveillance audits" - "Continual improvement" - "Re-certification every 3 years" ``` --- ## Quality Standards ### Security Architecture Review Checklist ```markdown # Security Architecture Review Checklist ## Network Security - [ ] Network segmentation implemented - [ ] Firewall rules follow deny-by-default - [ ] Intrusion detection/prevention deployed - [ ] DDoS protection in place - [ ] VPN required for remote access - [ ] Wireless networks secured ## Identity and Access Management - [ ] MFA enforced for all users - [ ] RBAC implemented - [ ] Privileged access managed - [ ] Access reviews conducted regularly - [ ] Password policies enforced - [ ] Account lifecycle managed ## Data Security - [ ] Data classification implemented - [ ] Encryption at rest (AES-256) - [ ] Encryption in transit (TLS 1.3) - [ ] DLP deployed - [ ] Backup and recovery tested - [ ] Data retention policy enforced ## Application Security - [ ] Secure SDLC implemented - [ ] SAST/DAST integrated - [ ] Dependency scanning automated - [ ] WAF deployed - [ ] Input validation implemented - [ ] Output encoding implemented ## Monitoring and Logging - [ ] Centralized logging - [ ] SIEM deployed - [ ] Real-time alerting - [ ] Log retention policy - [ ] Threat intelligence integrated - [ ] Security monitoring 24/7 ## Incident Response - [ ] Incident response plan documented - [ ] Response team identified - [ ] Playbooks developed - 
[ ] Table top exercises conducted - [ ] Communication plans established - [ ] Post-incident reviews conducted ## Compliance - [ ] Regulatory requirements identified - [ ] Controls mapped to requirements - [ ] Compliance monitoring automated - [ ] Audit trail maintained - [ ] Regular assessments conducted - [ ] Certification obtained/maintained ``` --- ## Conclusion The Security Architect Agent provides comprehensive security architecture and governance capabilities, from strategic planning to tactical implementation. By following this specification, the agent delivers: 1. **Zero Trust Architecture**: Comprehensive framework implementation 2. **Threat Modeling**: Systematic risk assessment and mitigation 3. **Security Roadmaps**: Strategic planning and prioritization 4. **Cloud Security**: AWS and Azure best practices 5. **Incident Response**: Comprehensive planning and execution 6. **Compliance Frameworks**: SOC 2, ISO 27001, PCI DSS, HIPAA This agent specification ensures robust security architectures that protect organizations while enabling business objectives.