TRANSCRIPT
Presented by:
Richard Young Ph.D. CISSP
Enterprise Security – The Changing Landscape
…anti-virus and patching are not enough anymore
Our discussion will center on:
Establishing a winning Enterprise Security Program
- Third Party Risk Management
- Outsourcing the Security Function
Governance and Oversight
- Roles & Responsibilities
- Building Security Capacity – Training & Awareness
- Chief Information Security Office(r)
- Management
- Board
Cybersecurity Awareness – Cybersecurity FOCUS Magazine
- Free membership for 1 year (all) – launch issue November 30th 2018
How many of us know what to do in the event of a fire at the office?
How about in the event of a Data Breach? As the HEAD of the organization, what do you do?
Does your organization have a Resilience Plan? (which articulates…)
- the ability to quickly adapt to disruptions, while
- maintaining continuous business operations,
- safeguarding people, assets and overall brand
How does a robust Enterprise Security Program help your organization?
✓ reduces the risk of unauthorized access to information technology systems and data
Enterprise Security Management
Enterprise security management is an incredibly complicated task (in the wake of 21st century threats and incursions). While data security once was a question of implementing a few IT solutions, today enterprise security management involves an ecosystem of cyber security:
- Strategy
- Products
- People
- Technology
- Services
- Process
- Compliance
Which of the following statements best describes your organization's computer security?
Does your organization have a data recovery plan to implement in the event of catastrophic data loss?
In your opinion, what are the computer security issues that your organization needs to address?
The Risks are Real…!
o Lost laptops and portable storage devices
o Data/Information “left” on public computers
o Data/Information intercepted in transmission
o Spyware, “malware,” “keystroke logging”
o Unprotected computers infected within seconds of being connected to the network
o Thousands of attacks on campus networks every day
Enterprise Security Program
Links in the Security Chain: Management, Operational, and Technical Controls
Adversaries attack the weakest link…where is yours?
“Security is NOT a destination BUT a journey which is continuous”
The Golden Rules: Building an Effective Enterprise Information Security Program
Develop an enterprise-wide information security strategy and game plan
Get corporate “buy in” for the enterprise information security program—effective programs start at the top
Build information security into the infrastructure of the enterprise
Establish level of “due diligence” for information security
Focus initially on mission/business case impacts—bring in threat information only when specific and credible
Create a balanced information security program with management, operational, and technical security controls
Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk
Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data
Harden the target; place multiple barriers between the adversary and enterprise information systems
Be a good consumer—beware of vendors trying to sell “single point solutions” for enterprise security problems
Don’t be overwhelmed with the enormity or complexity of the information security problem—take one step at a time and build on small successes
Don’t tolerate indifference to enterprise information security problems
And finally…
Manage enterprise risk—don’t try to avoid it!
What You Need To Know
IT resources to be managed
What’s available on your network
Policies, laws & regulations
Security Awareness
Risk Assessment, Mitigation, & Monitoring
Resources to help you
Governance & Oversight
[Governance and oversight chart: Board of Directors; Enterprise Security Committee; CIO / CSO; Director of Infrastructure and Security; Sr. Security Manager; Security Workgroups. Oversight mechanisms: Regular Reporting, Guest Speakers, Conferences]
Enterprise Security Framework
NIST Framework
Enterprise Security Framework (example)
Why Breaches Happen
▪ Configuration Errors
▪ “Weak” defaults
▪ Easy passwords
▪ “Bugs”
▪ Input validation
▪ Installing suspect applications
▪ Clicking malicious links
▪ Phishing Emails
▪ Watering Hole attacks
Many Organizations Do Not Monitor Published Vulnerabilities
Take Ownership of Your Security
Security leaders should be more accountable than ever before
Cyber Crime Survey
Source: CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, March-April 2014
Building Enterprise Security Capacity
Building Security Capacity: the rise of the "on-demand" Chief Information Security Officer (CISO)
o As companies strive to improve their levels of security in the midst of increasing cyber threats, many are finding it difficult to recruit sufficient numbers of skilled staff
o Deploying and maintaining an effective IT security infrastructure is no easy task, and people with the knowledge and experience needed are in short supply
For organizations unable to find a permanent CISO, an alternative is to take a different tactic and source the needed skills using an 'on-demand' approach.
Working with the organization, this on-demand CISO can undertake:
✓ a forensic examination of the existing security infrastructure that is in place, with recommendations for its enhancement
✓ taking the time to gain a deep understanding of the unique business requirements of the organization and its employees
CISOs face a shortage of skills, lack of metrics & strategy
83% of enterprises have difficulty finding the security skills they need
51% of IT professionals have no risk strategy (2016 Global Reputational Risk & IT Study, IBM)
79% of IT executives have no measure of security effectiveness (2017 Forrester Research Study)
[Security Maturity chart: drivers are the Board of Directors, Stakeholders, Compliance Mandates and Industry Standards]
Establishing an Enterprise Security Program
Reaching security maturity – how to map your way there
Security Intelligence: Predictive Analytics, Big Data Workbench, Flow Analytics; SIEM and Vulnerability Management; Log Management; Advanced Fraud Protection
Maturity levels by domain (People | Data | Applications | Infrastructure):
Optimized – People: Identity governance, Fine-grained entitlements, Privileged user management | Data: Data governance, Encryption key management | Applications: Fraud detection, Hybrid scanning and correlation | Infrastructure: Multi-faceted network protection, Anomaly detection, Hardened
Proficient – People: User provisioning, Access management, Strong authentication | Data: Data masking / redaction, Database activity monitoring, Data loss prevention | Applications: Web application protection, Source code scanning | Infrastructure: Virtualization security, Asset management, Endpoint / network security management
Basic – People: Directory management | Data: Encryption, Database access control | Applications: Application scanning | Infrastructure: Perimeter security, Host security, Anti-virus
Need for information sharing (learn from our mistakes) – without being stigmatized…
Focus on critical points in the attack chain with preemptive defenses on both the endpoint and network
On the Endpoint (Trusteer Apex Malware Protection):
Prevent malware installs
• Verify the state of applications
• Block exploit attempts used to deliver malware
Prevent control channels
• Stop direct outbound malware communications
• Protect against process hijacking
Prevent credential loss
• Block keyloggers
• Stop credential use on phishing sites
• Limit reuse of passwords
On the Network (IBM Security Network Protection XGS):
Exploit Disruption – Prevent mutated exploits
• Verify the state of network protocols
• Block unknown exploits with behavioral heuristics
Malware Quarantine – Prevent active beaconing
• Stop malware and botnet control traffic with real-time reputation and SSL inspection
User Protection – Prevent malicious apps
• Block access to malicious websites
• Protect against web application misuse
Network administrators can take a few basic steps to fend off malicious spam attachments
Keep your spam and virus filters up to date.
Block executable attachments. In regular business environments it is unusual to send executable attachments.
Most spam filters can be configured to block executable files even when they are within zip attachments.
Use mail client software that allows disabling automatic rendering of attachments and graphics, and preloading of links—and then disable them.
Educate users on the potential dangers of spam and the actions to take.
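The attachment-blocking step above, as an added example that is not from the presentation: a Python check that flags executable attachments in a mail message, including executables carried inside zip attachments. The extension list and the sample "invoice" message are constructed for this example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as executable; this list is an assumption for the example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".js",
                         ".vbs", ".ps1", ".jar", ".msi"}


def is_executable_name(filename):
    """True if the file name ends in an executable extension (case-insensitive)."""
    name = (filename or "").lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def find_executable_attachments(raw_message):
    """Return (attachment name, offending file) pairs for a raw RFC 5322 message;
    a bare executable is (name, name), one inside a zip is (zip name, member)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            findings.append((name, name))
        # Inspect zip content by signature, whatever the declared content type.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                findings.extend((name, m) for m in zf.namelist()
                                if is_executable_name(m))
    return findings


def build_sample_message():
    """Constructed sample: an 'invoice' mail carrying an executable inside a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ placeholder bytes, not a real binary")
        zf.writestr("readme.txt", b"harmless text")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "user@example.com", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()
```

A mail gateway would quarantine any message for which the function returns a non-empty list; the plain PDF attachment in the sample passes while the zipped executable is reported.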
Every breach requires a plan of action
Forensic analytics can provide the insights to understand what is happening in the network and what steps are necessary to prevent threats.
Retrieval & Session Reconstruction
• For a selected security incident, retrieve all the packets (time bounded)
• Re-assemble into searchable documents including full payload displayed in original form
Full Packet Capture
• Capture packets off the network
• Include other, related structured and unstructured content stored within the network
Forensics Activity
• Navigate to uncover knowledge of threats
• Switch search criteria to see hidden relationships
What can you do to mitigate these threats?
Keep up with threat intelligence
Maintain a current and accurate asset inventory
Have a patching solution that covers your entire infrastructure
Implement mitigating controls
Instrument your environment with effective detection
Create and practice a broad incident response plan
Questions CISO Wants Answered
Third Party Risk Management
Section Description Vendor Response
Roles & Responsibilities
1. Has your organization formally appointed a central point of contact for security coordination?
2. If so, whom, and what is their position within the organization?
3. Are responsibilities clearly documented? i.e. job descriptions, information security policy
External Parties
1. Do you work with third parties, such as IT service providers, that have access to your sensitive information?
2. Does your organization have Non-Disclosure agreements in place with these third parties?
3. If not, what controls does your organization have in place to monitor and assess third parties? e.g. logging of VPN connections, access logs, etc.
Risk Assessment & Compliance
1. Do you have a process that addresses: the identification and measurement of potential risks, mitigating controls (measures taken to reduce risk), and the acceptance or transfer (Insurance policies, warranties for example) of the remaining (residual) risk after mitigation steps have been applied?
Sample Vendor Questionnaire
Third Party Risk Management
Section Description Vendor Response
Enterprise Security
1. Do you have documented information security policies and procedures?
2. Do you have a formal information classification procedure? Please describe it. In particular, how would sensitive data be categorized? For example, critical, essential, and normal.
3. Have formal acceptable use rules been established for assets? Example assets include data assets, computer equipment, communications equipment, etc.
4. Do you have formal processes in place for security policy maintenance and deviation?
Legal & Compliance
1. Does a process exist to identify new laws and regulations with IT security implications (e.g., breach notification requirements)? e.g. monitoring newsletters, webinars, security or regulatory forums, etc.
Sample Vendor Questionnaire, cont.
Contact Details
Richard G. Young Ph.D. CGEIT, CIA, CISA, CISM, CISSP, COSO
90 Broad Street, 2nd Floor
New York, NY 10004, USA
+1 (917) 963-5536 / +263 772 475 [email protected] | www.datasecc.com
All Rights Reserved