Information Security: Trends and Concerns. Dealing with Change and Facing Reality. John Napier, Ronin Consulting, June 2009.

Posted Dec 04, 2014

JP Morgan Presentation on Information Security Trends and Concerns by John Napier, PMP, CSM of Ronin Consulting
Transcript
Page 1: Information security trends and concerns

Information Security: Trends and Concerns

Dealing with Change and Facing Reality

John Napier

JUNE 2009

Ronin Consulting

Page 2

Major Trends 2009-2010

Increasingly complex regulatory environment

Increased focus of attacks on specific targets

Increased threats to privacy and reputational risk

Mass accumulation of system access

The “extended enterprise” and cloud computing

The evolution of “security” into risk management

Page 3

Major Trends 2009-2010 (the same list, with one line added)

…And a rapidly changing market and financial landscape

Page 4

A dose of reality

[Chart: two series plotted for 2005 through 2009; left axis 0 to 140, right axis 0 to 800. The series labels were not recoverable from the slide.]

Financial realities have changed

Increasing push to rationalize IT spend

How to balance the need to reduce risk with the need to be fiscally responsible?

In good times as well as in bad

Page 5

Driving Productivity in IT Security

Get more efficient with operations
  Zero-based budgeting
  Automate and streamline the commodities
  “Fix the plumbing” – eliminate variance

Prioritize risk investments
  Focus on risk reduction and achievability

Leverage a small set of meaningful metrics

Page 6

Areas of Focus for 2009-2010

Risk Area                                    Major Initiative
Regulatory Complexity                        Automated Compliance
Attack focus and sophistication              Change in Protection Models
Privacy & Reputational Risk                  Data Management and Risk Avoidance
Access accumulation                          Automation & Role-based Access
The “Extended Enterprise”                    “Virtual Desktop” and Data-centric security models
Evolution of Security into Risk Management   Risk prioritization model & better use of metrics

Page 7

#1: Increased regulatory complexity

The past few years have seen an increase in regulations and compliance requirements
  Gramm-Leach-Bliley compliance
  FFIEC Guidance on Authentication
  Interagency White Paper
  Breach notification statutes
  PCI Compliance
  Sarbanes-Oxley
  Pending legislation

This has required more rigor of existing programs

Page 8

#1: Increasing regulatory complexity (cont’d)

Moving from manual to “continuous assessment”, automating where possible

[Diagram elements, in slide order: Business Initiatives, Controls, Assessable Entities, Tools, Risk Score]

Page 9

#1: Increasing regulatory complexity (cont’d)

[Diagram: LoB Compliance and Non-Compliance Scorecards roll up into an Aggregated Compliance and Non-Compliance Scorecard. Data can be presented by entity or control.]

Risk model elements shown on the slide: Threats, Vulnerabilities, Likelihood (Probability), Impact, Assessable Entities, Controls, Policies & Standards, Risk. LOB-specific process and analysis sit alongside common firmwide controls and processes.

LoB #1 and Firmwide scorecards (Entity #1 through Entity #5):

IT Controls   IT Control Rating
Control #1    1
Control #2    3
Control #3    2
Control #4    4
Control #5    1

LoB #2 through LoB #5 scorecards (Entity #1 through Entity #5):

IT Controls   IT Control Rating
Control #1    1 or 2
Control #2    3
Control #3    1 or 2
Control #4    4 or 5
Control #5    1 or 2

Page 10

#2: Increased focus of attacks

[Chart: Damage (vertical axis) against Breadth of impact (horizontal axis), with four attack eras plotted:]

Viruses (1990 – present)

Worms (2000 – present)

Phishing & Pharming (2003 – present)

Spearphishing & Malware (2006 – present)

Page 11

#2: Increased focus of attacks (cont’d)

[Diagram: three attacker categories with their drivers and tooling; labels given in slide order]

Profiteers / Espionage / Hacktivism

Innovation, efficiency to combat commoditization

Data exfiltration

Web defacement, denial of service

Botnets / Simple exploits / “Designer Malware”

Page 12

#2: Increased focus of attacks (cont’d)

We see an interesting dichotomy:

Widespread exploitation of old vulnerabilities

Microdistribution of sophisticated, targeted malware

So, we need to adapt our protection models

Incessant, rigorous followup on baseline protection

Blacklisting vs. whitelisting – does either one really work?

Better visibility: cross-device correlation of security events

Shift in attacks – most are easily addressed

How do we focus our efforts on the more difficult to address?

How do we mine the existing data we have to find things before they happen?
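The cross-device correlation the slide calls for, as an added example that is not part of the original deck: three weak signals (a burst of failed VPN logons followed by success, an IDS probe for an old vulnerability coming from an internal host, and a large outbound upload through the proxy) are each ordinary on their own, but the same host producing all three inside a short window is worth an analyst's time. The log formats, device names, signal weights and the escalation threshold are assumptions made up for illustration; the sample lines are constructed, not real data.

```python
"""Cross-device correlation of security events (added example, not from the deck).

Constructed sample events from three device types are parsed into a common
shape and joined on the host they concern.  A host that shows a chain of
weak signals on different devices inside a short window is escalated, which
is a finding no single device would raise on its own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): vpn, ids and proxy formats are assumed.
SAMPLE_LOGS = [
    "2009-06-01T09:00:10 vpn  user=jsmith src=203.0.113.5 result=FAIL",
    "2009-06-01T09:00:31 vpn  user=jsmith src=203.0.113.5 result=FAIL",
    "2009-06-01T09:01:02 vpn  user=jsmith src=203.0.113.5 result=OK host=ws-1042",
    "2009-06-01T09:04:45 ids  sig=MS08-067_probe src=ws-1042 dst=10.0.5.7",
    "2009-06-01T09:06:12 proxy host=ws-1042 url=http://198.51.100.9/up.php bytes_out=5242880",
    "2009-06-01T09:07:00 proxy host=ws-2001 url=http://intranet/news bytes_out=412",
    "2009-06-01T13:30:00 ids  sig=MS08-067_probe src=ws-3003 dst=10.0.5.8",
]

# Weak signals and their weights (hypothetical values, tune to your environment).
SIGNALS = {
    "vpn_fail_then_ok": 1,
    "ids_old_exploit_probe": 2,
    "proxy_large_upload": 2,
}
ESCALATE_AT = 4                 # hypothetical threshold on the summed weights
WINDOW = timedelta(minutes=15)  # hypothetical correlation window


def parse(line):
    """Split 'timestamp device key=value ...' into (datetime, device, fields)."""
    ts, device, rest = line.split(maxsplit=2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), device, fields


def signals_for(events):
    """Yield (time, host, signal) from a stream of parsed events."""
    fails = defaultdict(int)
    for ts, device, f in events:
        if device == "vpn":
            if f["result"] == "FAIL":
                fails[f["user"]] += 1
            elif fails[f["user"]] >= 2:          # success after repeated failures
                yield ts, f["host"], "vpn_fail_then_ok"
        elif device == "ids":
            yield ts, f["src"], "ids_old_exploit_probe"
        elif device == "proxy" and int(f["bytes_out"]) >= 1_000_000:
            yield ts, f["host"], "proxy_large_upload"


def correlate(lines, window=WINDOW, escalate_at=ESCALATE_AT):
    """Return {host: [distinct signals]} for hosts whose windowed score reaches the threshold."""
    by_host = defaultdict(list)
    for ts, host, sig in signals_for(parse(l) for l in lines):
        by_host[host].append((ts, sig))
    findings = {}
    for host, sigs in by_host.items():
        sigs.sort()
        for i, (start, _) in enumerate(sigs):
            in_window = {s for t, s in sigs[i:] if t - start <= window}
            # Distinct signals only: repeating one signal must not add up to an escalation.
            if sum(SIGNALS[s] for s in in_window) >= escalate_at:
                findings[host] = sorted(in_window)
                break
    return findings


if __name__ == "__main__":
    for host, sigs in correlate(SAMPLE_LOGS).items():
        print(host, "->", ", ".join(sigs))
```

On the sample data only ws-1042 is escalated; ws-3003 also triggers the old-exploit probe signature, but with nothing else around it the score stays below the threshold, which is the distinction the slide draws between baseline noise and the cases worth a deeper look.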

Page 13

#3: Privacy and Reputational Risk

Cover all data, initial focus on PII

Balance reduction in risk and achievability

Slow down the velocity of leakage of confidential data

Combination of awareness, technology, and process controls

Data Protection Initiative, areas of focus:
  When data leaves the firm
  When data is on portable media
  When data is widely available

Page 14

#3: Privacy and Reputational Risk (cont’d)

Prioritize efforts based on reducing potential “velocity” of data leakage

Migration to tapeless backup
  Core-to-Bunker, Remote-to-Core

Controls on portable devices
  Laptop encryption
  Removable media controls

Filtering of Personally Identifiable Information (PII)
  Email, FTP, HTTP filtering at gateways
  Discovery of PII on fileshares

Application PII remediation
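One detector serving both PII uses on the slide, gateway filtering and fileshare discovery, as an added example that is not part of the original deck. Card numbers are checked with the Luhn algorithm so that order numbers and phone numbers do not flood the report with false positives, and SSN candidates are rejected when their area, group or serial fields are values the format never issues. The file-share contents, the message bodies, the masking format and the blocking threshold are assumptions constructed for illustration.

```python
"""PII discovery on file shares and filtering at a gateway (added example, not from the deck).

The same find_pii() detector backs both uses: sweeping a share for stray PII
and deciding whether an outbound message may leave the firm.
"""
import re

# Card-number candidates: 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# SSN shape AAA-GG-SSSS; area 000, 666 and 9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return a list of (kind, masked_value) for each PII hit in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    return hits


# Constructed file-share contents (not real data); the card number is a well-known test value.
SHARE = {
    "finance/q2_refunds.txt": "Refund to card 4111 1111 1111 1111 approved; ref ORDER 1234567890123456",
    "hr/onboarding.txt": "Employee SSN 078-05-1120, desk phone 555-123-4567",
    "eng/readme.txt": "Build 20090601 - nothing sensitive here",
}


def scan_share(files):
    """Discovery on fileshares: {path: hits} for every file that contains PII."""
    report = {}
    for path, content in files.items():
        hits = find_pii(content)
        if hits:
            report[path] = hits
    return report


def gateway_decision(message, limit=0):
    """Gateway filtering: 'block' when a message carries more PII hits than limit."""
    hits = find_pii(message)
    return ("block" if len(hits) > limit else "allow"), hits


if __name__ == "__main__":
    for path, hits in scan_share(SHARE).items():
        print(path, hits)
    print(gateway_decision("Card 4111111111111111 for the vendor"))
```

The order number in the finance file has sixteen digits but fails the Luhn check, and the desk phone has the right digit groups but the wrong shape for an SSN, so neither is reported; the masked values keep only the last four digits, which is what a reviewer needs to confirm a hit without the report itself becoming a PII store.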

Page 15

#4: Identity & Access Management

Many incidents and most SOX findings are driven by access issues
  Privileged access
  Access certification
  Offboarding / Transfers

Significant employee impact
  Onboarding
  General provisioning
  Complicated and not well-understood

Exponentially complex in large organizations

Page 16

#4: Identity & Access Management (cont’d)

[Chart: Scalability / Cost Saving (Low to High) on one axis, Ease of Use and Auditability (Low to High) on the other, with four access models plotted:]

Component Level Access Request

Component Level Access Request With Links To Automation

Role Level Access Request

Rule Driven Access (No Request Required)
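Rule-driven access in working form, as an added example that is not part of the original deck, covering both the access accumulation and offboarding/transfer problems of the previous slide and the "no request required" model of this one. Entitlements are derived from HR attributes by rules, so a move between jobs changes access with no request; comparing the rule-derived set with what an employee actually holds turns access certification into a short list of exceptions rather than a full dump of entitlements. The HR feed, entitlement store, rule set and entitlement names are assumptions constructed for illustration.

```python
"""Rule-driven access and access-accumulation detection (added example, not from the deck).

entitled() computes what a profile should hold from HR attributes alone;
certify() diffs that against what is actually held, so transfers that kept
old access and leavers that kept any access surface as exceptions.
"""

# Constructed HR feed and entitlement store (not real data).
HR = {
    "u100": {"dept": "trading", "title": "trader", "status": "active"},
    "u200": {"dept": "ops", "title": "analyst", "status": "active"},     # transferred from trading
    "u300": {"dept": "it", "title": "sysadmin", "status": "terminated"},  # left the firm
}
HELD = {
    "u100": {"email", "trading-blotter", "market-data"},
    "u200": {"email", "ops-ticketing", "trading-blotter", "market-data"},
    "u300": {"email", "root-prod", "ops-ticketing"},
}

# Hypothetical rules: an attribute predicate and the entitlements it confers.
RULES = [
    (lambda p: p["status"] == "active", {"email"}),
    (lambda p: p["dept"] == "trading", {"trading-blotter", "market-data"}),
    (lambda p: p["dept"] == "ops", {"ops-ticketing"}),
    (lambda p: p["dept"] == "it" and p["title"] == "sysadmin", {"root-prod"}),
]
PRIVILEGED = {"root-prod"}  # entitlements whose excess holding is escalated


def entitled(profile):
    """Rule-driven access: the set a profile is entitled to, no request required."""
    if profile["status"] != "active":
        return set()               # offboarding: a non-active profile is entitled to nothing
    granted = set()
    for predicate, grants in RULES:
        if predicate(profile):
            granted |= grants
    return granted


def certify(hr, held):
    """Access certification as an exception report.

    Returns {user: {"excess": [...], "missing": [...], "privileged": bool}} for
    every user whose held entitlements differ from the rule-derived set.
    """
    findings = {}
    for user, have in held.items():
        should = entitled(hr[user])
        excess = sorted(have - should)   # accumulated access the rules no longer confer
        missing = sorted(should - have)  # provisioning gaps, also worth a look
        if excess or missing:
            findings[user] = {
                "excess": excess,
                "missing": missing,
                "privileged": bool(set(excess) & PRIVILEGED),
            }
    return findings


if __name__ == "__main__":
    for user, finding in certify(HR, HELD).items():
        print(user, finding)
```

u100 holds exactly what the rules confer and does not appear in the report; u200 still carries the trading entitlements from a previous job, and u300 is terminated but still holds a privileged entitlement, which the report flags so it can be revoked first.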

Page 17

#5: The extended enterprise

Companies have become hopelessly “entangled”
  “Deperimeterization” of the corporate network
  The rise of “Cloud Computing”

Third-party dependencies abound
  Most firms have Service Provider assessment programs
  What happens when you leave?

Cloud Providers: XaaS
  Software-as-a-Service (SaaS) is mainstream
  Platform-as-a-Service and Infrastructure-as-a-Service
  On-demand computing will be the norm

Page 18

#5: The extended enterprise (cont’d)

“Anywhere Access”
  Increasingly mobile workforce
  Don’t assume a Windows-based PC
  Desktop virtualization is increasingly prevalent
  Access from non-corporate PCs?

Re-evaluate “network-centric” security
  How to address the “outside insider”
  Need to migrate to application- and data-centric views
  Data obfuscation and DLP solutions
  Digital Rights Management (DRM): ready for prime time?

Page 19

#6: The evolution of “security” into Risk Management

“You want a valve that doesn’t leak, and you do everything possible to try to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.”

- Arthur Rudolph, creator of the Saturn V rocket.

Page 20

#6: Evolution of “security” into risk management

How do you quantify the risk associated with an exposure?

How do you measure the impact of risk mitigation initiatives?

Achievability / Impact Quadrant (ILLUSTRATIVE ONLY)

[Chart: Risk Reduction (Low to High) on the vertical axis against Achievability (Low to High) on the horizontal axis. The initiatives plotted, in slide order, are:]

Encryption
Virus Management
Monitoring Service (Perimeter)
Remote Computing
Awareness
Information Owner Identification
Secure Perimeter Infrastructure
Vulnerability Management
Infrastructure Secure Builds
Change Event Management
Source Code Management
ID Admin Tools & Processes
ID Recertification (Application)
ID Recertification (Platform)
Infrastructure Monitoring Solutions
Privileged Access Control (Infra.)
Privileged Access Control (App)
Environment Separation
Monitoring Service (Internal)
OSP Review
Infrastructure Logical Access Solutions
Application Development
Data Privacy

Page 21

The challenge ahead

IT security has “grown up” – seat at the table

Must apply traditional IT management rigor in order to be given the chance to succeed at executing strategy

Continue to evolve our protection measures to keep up with the evolution of the threat

Put evergreen processes and systems in place to ensure completeness and consistency of controls

Need to develop models to make intelligent, fact-based decisions about risk prioritization and capital allocation

“If you don’t like change, you’ll like irrelevance even less”

— Tom Peters

Page 22

Thank You from Ronin Consulting, LLC

Q & A