Denver User Group
Symantec Control Compliance Suite Update and Roadmap
Ronnie Blewer, Senior Product Manager
July 21, 2010
IT GRC Is A Complex Problem That Spans The Enterprise …
(Diagram stages: ASSETS → CONTROLS → EVIDENCE)

POLICY
• Translate mandates into controls
• Reduce overlapping controls across mandates
• Prioritize controls

TECHNICAL CONTROLS
• Automation of controls testing for managed and unmanaged assets
• Wide variety of platforms
• Asset/issue prioritization

PROCEDURAL CONTROLS
• Translate controls into questionnaires
• Gather data from vendors / partners
• Manage approval

REALTIME CONTROLS
• Identification of sensitive data
• Protect data in motion
• Realtime incident management
• Configuration protection

3rd PARTY DATA
• Asset information, controls data from other devices & apps

REPORT
• Customizable, single pane of glass visibility
• Audit-ready evidence
• Dynamic analysis
• Flexible distribution

REMEDIATE
• Automated integration with ticketing systems
• Closed- and open-loop remediation
• Precise tracking
An Integrated, Comprehensive Approach to IT GRC
(Diagram stages: ASSETS → CONTROLS → EVIDENCE, with the POLICY, PROCEDURAL CONTROLS, REPORT, REMEDIATE, TECHNICAL CONTROLS, REALTIME CONTROLS and 3rd PARTY EVIDENCE blocks carrying NEW and IMPROVED markers)
• Symantec™ Control Compliance Suite Standards Manager
• Symantec™ Control Compliance Suite Vulnerability Manager
• Symantec™ Control Compliance Suite Policy Manager
• Symantec™ Control Compliance Suite Response Assessment Manager
• Symantec™ Control Compliance Suite (Infrastructure)
• Symantec™ ServiceDesk 7.0
• Symantec Data Loss Prevention Suite
• Symantec SIM
• Symantec Critical System Protection
• Symantec™ Control Compliance Suite (Infrastructure) – NEW
Control Compliance Suite Version 10.0
• Web 2.0 Dashboards
• Centralized Evidence Collection & Management
• Integration with Data Loss Prevention
• CCS Vulnerability Manager
CCS 10.0 Dynamic Risk and Security Analytics
• Dashboards consist of multiple Panels
• Panels are visualizations of KPIs
• Ability to create Panels
• Ability to customize Dashboards
Symantec Confidential
Dynamic Dashboards Panel View Types
Web-Based Dynamic Dashboards
• More customizable and flexible
  – User definable panels are visualizations of KPIs
  – Customizable dashboards contain multiple panels
  – Variable panel sizing
  – Maximize a panel
  – Layout, filters persisted
Centralized Evidence Collection & Management: External Evidence System

Workflow between an Evidence Provider, the CCS External Evidence System and Control Compliance Suite:
1 Connect to evidence provider
2 Collect evidence
3 Format & store data
4 Map data to policies and regulations
5 Trigger data evaluation; trigger reporting job

• Integrate third party evidence for a comprehensive view of compliance and risk posture
• Automation for ease of use and lower operational costs
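The five-step workflow above, worked through as an added example in Python (this is not CCS code and uses no Symantec API): raw records from a constructed evidence provider are collected, normalised into a typed store, mapped to controls that cite the mandates they satisfy, evaluated, and summarised per mandate as a reporting job would. Every host, setting, control id and mandate reference is constructed for illustration. The example also returns evidence that no control claims, because silently dropping unmapped records is how coverage gaps go unnoticed.

```python
"""Added example: a miniature of the five-step external-evidence workflow
(connect, collect, format & store, map to mandates, evaluate & report).
Not CCS code; every provider record, control and mandate reference is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Steps 1-2: constructed evidence provider. A real one would be reached over
# its API; here the records are embedded so the example runs offline.
RAW_EVIDENCE = [
    {"host": "web-01", "setting": "MinPasswordLength", "val": "8"},
    {"host": "web-01", "setting": "AuditLogging", "val": "on"},
    {"host": "db-01", "setting": "MinPasswordLength", "val": "14"},
    {"host": "db-01", "setting": "AuditLogging", "val": "off"},
    {"host": "db-01", "setting": "RootLogin", "val": "yes"},  # no control maps this
]


@dataclass(frozen=True)
class Evidence:
    """Step 3: normalised record as kept in the evidence store."""
    asset: str
    check: str
    value: str


@dataclass
class Control:
    """Step 4: a control, the mandates it satisfies and its pass rule."""
    control_id: str
    check: str                      # evidence check this control consumes
    mandates: Tuple[str, ...]       # illustrative references, not a real mapping
    passes: Callable[[str], bool]


CONTROLS = [
    Control("AC-7", "MinPasswordLength", ("PCI DSS 8.2.3", "ISO 27001 A.9.4.3"),
            lambda v: int(v) >= 12),
    Control("AU-2", "AuditLogging", ("PCI DSS 10.1", "SOX ITGC"),
            lambda v: v.lower() == "on"),
]


def collect(provider_records: List[dict]) -> List[Evidence]:
    """Steps 2-3: pull raw records and normalise the provider's field names."""
    return [Evidence(r["host"], r["setting"], r["val"]) for r in provider_records]


def evaluate(evidence: List[Evidence], controls: List[Control]):
    """Steps 4-5: map each record to a control and evaluate it.
    Returns (results keyed by (asset, control_id), unmapped evidence).
    Unmapped evidence is returned rather than dropped so coverage gaps stay visible."""
    by_check = {c.check: c for c in controls}
    results: Dict[Tuple[str, str], dict] = {}
    unmapped: List[Evidence] = []
    for e in evidence:
        control = by_check.get(e.check)
        if control is None:
            unmapped.append(e)
            continue
        results[(e.asset, control.control_id)] = {
            "passed": control.passes(e.value),
            "mandates": control.mandates,
        }
    return results, unmapped


def report(results) -> Dict[str, List[str]]:
    """Step 5 reporting job: failing asset/control pairs grouped per mandate."""
    gaps: Dict[str, List[str]] = {}
    for (asset, control_id), r in results.items():
        if not r["passed"]:
            for mandate in r["mandates"]:
                gaps.setdefault(mandate, []).append(f"{asset}:{control_id}")
    return gaps


def run_pipeline(provider_records=RAW_EVIDENCE):
    """Whole workflow; returns (gaps per mandate, list of unmapped 'asset:check')."""
    results, unmapped = evaluate(collect(provider_records), CONTROLS)
    return report(results), [f"{e.asset}:{e.check}" for e in unmapped]


if __name__ == "__main__":
    gaps, unmapped = run_pipeline()
    for mandate, failing in sorted(gaps.items()):
        print(f"{mandate}: {', '.join(failing)}")
    print("evidence with no mapped control:", unmapped)
```

Keeping the mandate list on the control (rather than on the evidence) is what lets one collected fact feed several regulations at once, which is the de-duplication the POLICY block on slide 2 calls "reduce overlapping controls across mandates".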
CCS Integration with Data Loss Prevention
• Use DLP discovery information to identify assets for compliance assessment
• Show data leakage information side-by-side with CCS data
• Key Benefits
  – Discover critical assets
  – Prioritize compliance assessments & remediation
  – Get a comprehensive view of compliance & security posture
Control Compliance Suite Vulnerability Manager – New Module!
• Broadest and Deepest Coverage
• Most Accurate Results with Detailed Proof
• Comprehensive and Exploitable Risk
• Actionable Insight and Remediation Plan
• Rapid and Flexible Deployment
• Superior Performance and Scalability
Actionable Insight
• Problem:
  – There are too many bulletins, too many patches, too many alerts to know what to start with
  – Traditional VA products have limited database and web application coverage
• Solution:
  – Ability to identify where the most serious risks are based on smart heuristics
• How CCS Vulnerability Manager addresses the need:
  – End-to-end coverage: OS, database, web application, browser and client-side vulnerability assessment
  – Vulnerability chaining to find the cumulative effect of multiple risks
  – Advanced risk scoring methodology: Temporal Risk and Exploitability metrics to identify what to fix first
  – Integrated remediation guidance to drive response
![Page 12: IT GRC Is A Complex Problem That Spans The Enterprise …](https://reader035.vdocuments.mx/reader035/viewer/2022062301/56815eda550346895dcd77c1/html5/thumbnails/12.jpg)
Network andOperating Systems
12
CCS Vulnerability Manager
Web 2.0 Dashboards
Integration with Data Loss Prevention
3rd Party Evidence Automation
• More than 54,000 checks across 14,000+ vulnerabilities• Agent-less Scanning
– Credentialed and non-credentialed scanning
– High-performance
– Safe checks do not impact scan target performance or reliability
• Microsoft
– Updated vulnerability checks within 24 hours of Microsoft Patch Tuesday
– Detects vulnerabilities based on what the system is running, versus what is installed
• Red Hat Enterprise Linux
– Supported for backported patches reduces false positive
• Other General Coverage
– Includes Adobe Flash, Adobe Reader, Cisco IOS, Mozilla Firefox, Solaris, Sun JVM, Unix
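The "running versus installed" and "backported patches" points above name two classic sources of wrong scanner verdicts. As an added illustration (not CCS's detection logic), the Python below contrasts a naive upstream-version comparison with a backport-aware check keyed on the distribution's fixed release, and separately distinguishes a host whose installed package is fixed but whose running process still has the old binary loaded. The package name, versions, distro tags and advisory id are constructed placeholders, and the version comparator is a simplified integer-run comparison rather than rpm's full algorithm.

```python
"""Added example (not CCS detection logic): why a version-only check produces
false positives on distributions that backport fixes, and why the binary actually
running matters more than the package installed. All package names, versions,
distro tags and the advisory id are constructed placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _parts(v: str) -> Tuple[int, ...]:
    """Simplified comparator: integer runs only (NOT rpm's full vercmp; no epoch,
    no alphabetic segments). Sufficient for the constructed versions below."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_lt(a: str, b: str) -> bool:
    return _parts(a) < _parts(b)


@dataclass(frozen=True)
class Advisory:
    vuln_id: str                      # placeholder, not a real identifier
    package: str
    fixed_upstream: str               # first upstream version with the fix
    fixed_in_distro: Dict[str, str]   # distro -> first version-release carrying the backport


@dataclass(frozen=True)
class Installed:
    package: str
    distro: str
    installed: str                    # version as recorded by the package manager
    running: Optional[str]            # version of the binary loaded in memory; None if no process


ADVISORY = Advisory("VULN-EXAMPLE-0001", "httpd", "2.4.10", {"rhel7": "2.4.7-3.el7"})

# Constructed hosts covering the cases the slide alludes to.
HOSTS = {
    "A": Installed("httpd", "rhel7", "2.4.7-5.el7", "2.4.7-5.el7"),  # backported fix present
    "B": Installed("httpd", "rhel7", "2.4.7-1.el7", "2.4.7-1.el7"),  # genuinely unpatched
    "C": Installed("httpd", "rhel7", "2.4.7-5.el7", "2.4.7-1.el7"),  # patched on disk, old binary still running
    "D": Installed("httpd", "rhel7", "2.4.7-5.el7", None),           # installed but nothing runs it
    "E": Installed("httpd", "source", "2.4.12", "2.4.12"),           # self-built, no distro data
}


def naive_check(inst: Installed, adv: Advisory) -> bool:
    """Version-string-only logic: flags anything whose upstream part is below the
    upstream fix version. Returns True when it would raise a finding."""
    upstream_part = inst.installed.split("-")[0]
    return inst.package == adv.package and version_lt(upstream_part, adv.fixed_upstream)


def assess(inst: Installed, adv: Advisory) -> str:
    """Backport-aware, runtime-aware assessment. Returns one of:
    not_applicable, not_running, fixed, stale_running_binary, vulnerable."""
    if inst.package != adv.package:
        return "not_applicable"
    if inst.running is None:
        return "not_running"          # nothing has loaded the code, so no exposure yet
    threshold = adv.fixed_in_distro.get(inst.distro)
    if threshold is None:
        # No distro data: fall back to the upstream fix version. Assumes the
        # host's version strings are plain upstream versions (as for host E).
        threshold = adv.fixed_upstream
    installed_ok = not version_lt(inst.installed, threshold)
    running_ok = not version_lt(inst.running, threshold)
    if installed_ok and running_ok:
        return "fixed"
    if installed_ok:
        return "stale_running_binary"  # package updated, process never restarted
    return "vulnerable"


if __name__ == "__main__":
    for name, host in HOSTS.items():
        naive = "FLAG" if naive_check(host, ADVISORY) else "ok"
        print(f"{name}: naive={naive:4} aware={assess(host, ADVISORY)}")
```

Host A is the false positive the RHEL bullet refers to (a naive scanner flags 2.4.7 as below 2.4.10 although 2.4.7-5.el7 carries the backported fix), and host C is the inverse failure, a false negative for any tool that trusts the package database alone.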
Web Application Scanning
• 4th Generation Web Spider
  – Server & client side VA checks
  – Authenticated and unauthenticated application level scanning
  – SQL Injection
  – Directory Traversal
  – Parameter Manipulation
• Dynamic Web 2.0/AJAX Scanning
  – JavaScript static analysis (browser emulation)
  – Detects all forms of XSS (including DOM-based XSS)
  – Understands Web Services
• Fully integrated into core scanning platform

“58% of vulnerabilities affect Web applications”
“73% of vulnerabilities are easily exploitable”
Source: Symantec
Database Scanning
• Authenticated and unauthenticated scanning of database vulnerabilities
• Audits database for
  – Security vulnerabilities
  – Configuration vulnerabilities
  – Operational vulnerabilities
• General database vulnerability checks for a wide spectrum of databases

“Database Servers represent 75% of all breached records”
Source: Verizon
Thank you!
Ronnie Blewer, Sr. Product Manager
SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY
Copyright © 2010 Symantec Corporation. All rights reserved.