7/29/2019 2010 05 18 Csc Webinarcybersecurity 110120072905 Phpapp01
1/38
CSC Webinar Cybersecurity Towards a Strategic Approach on Cyber Risk Page 1
Cybersecurity
Toward a Strategic Approach to Cyber Risk
Andy Purdy
Chief Cybersecurity Strategist
May 18, 2010
Summary
1 What is the current cyber risk?
2 Learn lessons from experience.
3 What approach should we take?
4 What capabilities do we need?
5 Risk management for organizations and countries
What is the current cyber risk?
What is Cyber?
Cyber is the ability to operate in cyberspace to achieve the results that you intend and not those intended by your adversaries, competitors or cyber criminals.
In this brave new world we tread
November 2002 (Geopolitics): The rise of the botnets: a DDoS attack by an army of citizen-zombie computers
April 2004 (Sasser): Widespread outages around the world
Agence France-Presse (AFP) had satellite communications blocked, Delta Air Lines cancelled several trans-Atlantic flights, If and Sampo Bank closed 130 offices; also impacted were Goldman Sachs, Deutsche Post, the European Commission and Lund University Hospital
January 2010 (Google discloses): The NYT, April 2010, reported that the losses included "one of Google's crown jewels, a password system that controls access by millions of users worldwide to almost all of the company's Web services, including e-mail and business applications"
Looking into the Future:
APT / Botnets / Integrity Attacks / Convergence of Threats to Converged Infrastructures
cheerfully, into the unknown
4G Wireless Broadband Networks: LTE and WiMAX, 100 Mbit/s on the move and 1 Gbit/s stationary; the world goes wireless
Tens of billions of devices (smart phones, metering)
Convergence in technology and infrastructure: sharing the same threats
Voice, Video, Data: using a common protocol (IP), sharing a common infrastructure, and sharing the risks
All national infrastructures (energy, transportation) using the same ICT infrastructure
Threats that transfer between data, video and telephony
Cloud Computing: a shared ICT infrastructure, and therefore shared risks
Premises
Experience is only valuable if we learn from it and act on it
Information sharing is not enough
A strategic approach to the cyber challenge is essential
Stakeholder collaboration is critical at each level
Threat information is important, but risk should be the driver
Risk management is critical for organizations, nations, and the global information infrastructure
Summary of Cyber Risk
The use of innovative technology and interconnected networks in operations improves productivity and efficiency, but also increases the vulnerability to cyber threats if cybersecurity is not addressed and integrated appropriately.
A spectrum of malicious actors routinely conducts attacks against the cyber infrastructure using cyber attack tools.
Because of the interconnected nature of the ICT infrastructure, these attacks could spread quickly and have a debilitating effect.
Learn lessons from experience.
Industry concerns?
Data vulnerability due to the sizable increase in data volumes, flows, and interfaces
System security in converged, automated, and integrated environments
New devices that may be immature and have security limitations
Consumer privacy under increased connectivity, devices, and intelligence
Potential fraud from insufficient tamper protection
Overall increase in the complexity of a utility's compliance profile
Adapted from EPRI source image
Introduction
Cybersecurity: a National Security Imperative and Global Business Issue
Nations and critical infrastructure owners and operators are dependent on Cyber for national security, economic well-being, public safety and law enforcement, and privacy.
Major companies must ensure the resiliency of their operations, protect their reputations and the privacy of their customers, differentiate their brand, and meet compliance obligations.
Innovative technologies and information assurance strategies must be implemented by government and private companies through fully integrated, end-to-end cyber solutions.
Secure ICT also Represents
Technological advantage
Opportunity to gain competitive advantage
Opportunity to help shape the global cyber environment in support of US interests
An exciting field for our emerging technology
An additional foundation for academic excellence
What approach should we take?
A Strategic View of ICT Security
There is no real separation in cyberspace; we share a common environment with allies, partners, adversaries, and competitors.
It is important to understand computer network defense, and to be informed by exploitation and attack.
Security is more about architecture and integration than about deployment of more products to build perimeter defenses.
Public Policy Challenge
Nations are dependent on cyber for national security, economic well-being, public safety, and law enforcement
Risk is real but not visible and obvious
Authority/control is spread among multiple entities in the public and private sectors
ICT is international
Individuals and organizations are reactive and tactical, not proactive and strategic
We do not learn lessons from the past
Learn Lessons from Experience
Recognize the value of lessons learned to enhance preparedness
Systematize after-action processes for exercises AND real-world events
Take a proactive, strategic approach to risk
A robust risk management program can facilitate and prioritize planning, decision-making, and resource allocation
A strategic approach to ICT risk management should be grounded in architectural, design, and process principles
Stakeholders should be engaged in the assessment and mitigation of ICT risk, spending on research & development, and cyber incident response and recovery preparedness
Regulatory Environment: Upcoming Challenges for the Private Sector and Critical Infrastructure?
Legislative perspective: has the private sector done enough to secure its own facilities?
Executive perspective: concern about government and critical infrastructure relative to cyber threats.
Power/utility, transportation, and other critical infrastructure sectors are of significant cyber concern.
The private sector favors voluntary, private-sector-developed standards, incentives, and safe harbor provisions rather than regulations.
The New Reality
Global recognition that national health and security is permanently intertwined with the internet.
National governments across the globe intend to actively address cybersecurity risks to specified private-sector infrastructures of interest supporting national programs and critical infrastructure segments.
Examples of the national health and security requirement in evidence:
Transglobal Secure Collaboration Program (TSCP): a voluntary collaborative program (funded by membership contributions)
Governments: US, UK, Netherlands
Companies: BAE, Boeing, EADS, Lockheed Martin, Northrop Grumman, Rolls Royce, Raytheon
U.S. Defense Industrial Base (DIB): a threshold of capabilities defined by U.S. DoD to protect Controlled Unclassified Information (CUI) used in Defense contracts
Established and monitored by US DoD (as expressed in the DIB Cyber Security Benchmark and DIB CONOPS)
One-to-one framework agreements, funded by individual companies
U.S. Comprehensive National Cybersecurity Initiative (CNCI)
Activities of the European Network and Information Security Agency (ENISA)
What capabilities do we need?
What is missing nationally and internationally?
What do we need to worry about and what do we need to do about it? We need to:
know our risk posture,
identify requirements for addressing that risk that are generated by a public-private collaboration, and
make it easy to hold stakeholders accountable.
What is needed nationally and internationally?
A strategic approach to facilitate public/private collaboration and information sharing to set requirements, and to resource, execute, and track progress on:
ICT risk;
ICT preparedness;
Malicious activity and cyber crime; and
Research and development.
How should the challenge of ICT risk and preparedness be addressed?
Stakeholders at the organizational, national, and international levels must work together
to identify critical functions,
assess and mitigate risk, and
plan, and build capacity for, response and recovery
Use standards to drive risk reduction
Exercise to identify gaps and improve
Pursue innovation
Use this process to identify requirements to drive resource allocation for risk mitigation, response preparedness, and research and development
Risk management for organizations and countries
Protecting your Organization, Clients, and Customers
Use lessons learned from Advanced Persistent Threats (APTs) and other sophisticated attackers to strengthen active defense
Work in public-private partnerships to strategically collaborate and share information about threat and risk
Strategic Approach to Malicious Cyber Activity
An initiative to promote a strategic approach by government (not just law enforcement) and the private sector against malicious cyber activity
Need to build national and international information sharing capabilities to collect, preserve, analyze, and share information on malicious actors AND enablers using a federated data-sharing model.
Need good national and international data on cyber crime.
Government Cyber Security Involvement
Government needs to help define domestic, EU, and allied ICT interests
Using those interests, Government needs to create a stronger interagency and inter-governmental policy process and policy (guiding principles)
Collective interests need to be represented consistently in all international fora concerned with global cyber security and cyber governance; if not, global policy and governance may not conform to national and international interests
Your country, the EU, and its allies need a consistent approach to ICT risk in critical infrastructure
Focus on security standards, rather than prescribed processes (i.e., define how secure to be, not how to be secure)
Recognize that the threat is advanced and dynamic; a cookbook approach will not adapt sufficiently well to such a threat
Sensitize the private sector and the public to the threat; recognize that adversaries do not reserve their most advanced technologies for use only against our Government
Private Sector Role
Request government to facilitate information exchange and enhanced collaboration.
What actions are advisable?
What incentives would help bring those actions about?
The Model-Portfolio A Different Way to View the Problem
An integrated set of capabilities consistent with a model new to the industry, fit for purpose for the demands of a complex global problem
The security stack defines the problem complexity and the sophistication needed in the solution
Demonstrated ability to scale to the full dimensions of the problem
Demonstrated ability to leverage our government knowledge, applied to our commercial delivery
Allows us to see the gaps and determine how we close them
Making a better case for Why CSC
Cyber security is a core competency of CSC in both commercial and public sectors
Comprehensive capability: the full range of the security stack
Cross-leverage what we know between commercial and public sectors
Commercial Sector / Public Sector:
SOCs to Fortune 500s
Defense Industrial Base
Worldwide presence
ISO 27001 preparations
Nation-State Threats
Groundbreaker
Forensics training
Biometric Access
System Certification
Physical/Logical Access
Personnel Qualifications
The Exercise of National Sovereignty
Situational Awareness External to the Perimeter: Determine Source, Adjust Defenses
Integrated Security Overlay: Prevent, Detect, Respond
Functional Technologies
A New Idea: The Security Stack as a model for how we present, organize, determine gaps, and integrate. Only CSC and IBM can make this case.
The Security Stack
Assured Systems and Content
Layer 4 Functional Technologies: Ethical hacking integrating government capabilities
Layer 3 Functional Technologies: Worldwide monitoring; Attestation adjusting the defenses
Layer 2 Functional Technologies: Security Incident/Event Manager; OOB managed devices; Perimeter defenses (firewalls); Intrusion detection/prevention; Data Loss Prevention; Honeypots
Layer 1 Functional Technologies: CMDB; White listing; PIV-based biometric access; Single Sign On; Data encryption and key management; Vulnerability assessment
Cyber Security Services:
Security consulting: understand and manage risk
Security integration led by solution architects
Managed Security Services
Forensics analysis and assessments
Certification and accreditation
Security training: cyber experts
Product and system evaluation: Common Criteria
Penetration testing / ethical hacking
Compliance
Disaster Recovery / Business Continuity
CSC Cyber Security Overview (1 of 3)
More than 1,400 full-time security professionals globally
Security and compliance services to:
More than 150 commercial clients globally in more than 40 countries
Many Fortune 500 companies, including many with PCI compliance obligations
U.S. federal agencies and many state and local government clients
Non-U.S. government clients (UK Royal Mail, UK National Health Service)
Wide range of security offerings:
Managed Security/SOC services
Endpoint Protection
Messaging Security
Data loss prevention
Compliance Monitoring/Enforcement
Vulnerability, Risk and regulatory assessments
Forensic and Investigative Response
Identity and Access management and biometrics
Security engineering, integration, and testing
Disaster recovery and business continuity
CSC Cyber Security Overview (2 of 3)
SSE-CMM Level 4 Information Security Practices, assessed by an independent third party
Defense Security Service (DSS) Cogswell Award for 5 of the past 10 years
Achieved ISO 27001 certification for the CSC-managed EPA security program
Many CSC data centers and service delivery centers have achieved third-party ISO 27001 certification
Major provider of vulnerability assessments, risk assessments and security accreditation services to Federal agencies
Active SAS 70 audit program
Operates the DoD Cyber Investigative Training Academy
Biometric engineering services to DoD
Operates certified Common Criteria Test Laboratories in the U.S., Australia and Germany under ISO/IEC 15408
Operates a FIPS 140-2 NVLAP-accredited Cryptographic Module Test Laboratory
CSC Security Operations Centers (SOCs) (3 of 3)
Managed Security Services delivery around the globe in all regions
Commercial SOC Operations:
North America (Newark, DE): 33 customers
UK (Chesterfield): 15 customers
Australia (Sydney): 9 customers
India (Hyderabad): 17 customers
Malaysia and Hong Kong: 2 customers
U.S. Federal SOC/CERT/CSIRT Support: Defense Information Systems Agency (DISA), U.S. Air Force, U.S. Army, Dept. of Homeland Security, EPA, NOAA
Monitor and manage thousands of security devices worldwide:
Network/Host IDS/IPS
Audit Log Storage/Monitoring
Security Event Management
Security Incident Response Services
Technical Compliance Monitoring
Vulnerability Scanning and Alerting
End Point Security Management
Managed Encryption Services
Data Loss Prevention
Forensic Response
Consistent and effective 7x24 security monitoring, detection, response and recovery
SOC locations shown on the slide map: Newark, DE; Marlton, NJ; Annapolis Junction, MD; Chesterfield, UK; Hyderabad, India; Kuala Lumpur; Hong Kong; Sydney, Australia
Representative Cyber Security Clients
Public Sector: Internal Revenue Service, FAA, USDA, Dept. of Education, Environmental Protection Agency, Dept. of Energy, Department of Homeland Security, Australian Department of Immigration and Citizenship, Prime Minister and Cabinet, Department of the Attorney General and Transport Accident Commission; Canadian Treasury Board Secretariat, Communications Security Establishment Canada, Public Safety Canada, Canada Revenue Agency, Transport Canada, DISA, DCITA, U.S. Army, U.S. Navy, U.S. Marine Corps, U.S. STRATCOM, Office of the Secretary of Defense, Biometric Fusion Center, U.K. Ministry of Defence, Danish Ministry of Defence
Aerospace & Defense: Textron, Raytheon, Boeing, Hawker Beechcraft, UTC, General Dynamics, Spirit Aerospace
Financial and Insurance Services: Allianz, AMP, Dun & Bradstreet, Maybank, Toyota Financial Services, Zurich, PartnerRe, IMB, GE Capital
Retail & Distribution: Coles, Myer, David Jones, Estee Lauder, Cargill, Astro
Travel & Transportation: Railcorp, Bombardier
Health Services: National E-Health Transition Authority, University of Pennsylvania Health Systems, UK National Health Service, Nobel Biocare, Ascension Health, Consolidated Medicaid/Medicare (CMS), Virginia and North Carolina Medicare/Medicaid Information Systems, eMed of New York, Stellaris Health
Manufacturing: BlueSteel, OneSteel, Delphi, Chrysler, Freescale, Westinghouse, Motorola, Nissan, Xerox, Bombardier
Chemical, Energy & Natural Resources: Powercor, BHPB, Rio Tinto, Alcoa, Woodside Petroleum, Newmont Mining, Shell, DuPont, BHP Billiton Petroleum, Watercorp, Western Power, Exelon, Basell, Invista, Anglian Water, National Grid, Urenco, BNFL
CSC Strategic Security Partners
CSC's formal partnerships with leading security vendors provide:
Special discounts on industry-leading security tools
Responsive procurement
Insight into emerging security technology
Increased depth of managed security services
Partners (logos on the slide): http://www.ibm.com/us/en/ http://www.microsoft.com/learning http://www.cisco.com/en/US/hmpgs/index.html http://www.emc.com/index.jsp http://www.mcafee.com/ http://www.symantec.com/index.jsp
Thank you for your attention!
Contact: Andy Purdy
Chief Cybersecurity Strategist
Further webinars
15.06.10 / 15:30-16:30 / Social Change
"Doing Social Media: Tips & Tricks for Planning and Execution"
Source: www.de.csc.com