Information Security: Trends and Concerns
Dealing with Change and Facing Reality
John Napier
JUNE 2009
Ronin Consulting
Dec 04, 2014
Major Trends 2009-2010
Increasingly complex regulatory environment
Increased focus of attacks on specific targets
Mass accumulation of system access
Increased threats to privacy and reputational risk
The “extended enterprise” and cloud computing
The evolution of “security” into risk management
…And a rapidly changing market and financial landscape
A dose of reality
[Chart: years 2005 through 2009; left axis 0 to 140, right axis 0 to 800]
Financial realities have changed
Increasing push to rationalize IT spend
How to balance the need to reduce risk with the need to be fiscally responsible?
In good times as well as in bad
Driving Productivity in IT Security
Get more efficient with operations
  Zero-based budgeting
  Automate and streamline the commodities
  “Fix the plumbing” – eliminate variance
Prioritize risk investments
  Focus on risk reduction and achievability
Leverage a small set of meaningful metrics
Risk Area                                    Major Initiative
Regulatory Complexity                        Automated Compliance
Attack focus and sophistication              Change in Protection Models
Privacy & Reputational Risk                  Data Management and Risk Avoidance
Access accumulation                          Automation & Role-based Access
The “Extended Enterprise”                    “Virtual Desktop” and Data-centric security models
Evolution of Security into Risk Management   Risk prioritization model & better use of metrics
Areas of Focus for 2009-2010
#1: Increased regulatory complexity
The past few years have seen an increase in regulations and compliance requirements
  Gramm-Leach-Bliley compliance
  FFIEC Guidance on Authentication
  Interagency White Paper
  Breach notification statutes
  PCI Compliance
  Sarbanes-Oxley
  Pending legislation
This has required more rigor of existing programs
#1: Increasing regulatory complexity (cont’d)
Moving from manual to “continuous assessment”, automating where possible
BUSINESS INITIATIVES
CONTROLS
ASSESSABLE ENTITIES
TOOLS
RISK SCORE
#1: Increasing regulatory complexity (cont’d)
LoB Compliance and Non-Compliance Scorecards
Aggregated Compliance and Non-Compliance Scorecard
Data can be presented by entity or control
[Diagram labels: Likelihood (Probability), Vulnerabilities, Threats, Impact, Assessable Entities, Controls, Risk; LOB-specific Process & Analysis; Common Firm-wide Controls & Processes; Policies & Standards]

Per-LoB scorecard (LoB #1 shown; entities Entity #1 through Entity #5):
IT Controls   IT Control Rating
Control #1    1
Control #2    3
Control #3    2
Control #4    4
Control #5    1

LoB #2 through LoB #5 use the same layout with template ratings:
IT Controls   IT Control Rating
Control #1    1 or 2
Control #2    3
Control #3    1 or 2
Control #4    4 or 5
Control #5    1 or 2

Firmwide scorecard (aggregated over Entity #1 through Entity #5):
IT Controls   IT Control Rating
Control #1    1
Control #2    3
Control #3    2
Control #4    4
Control #5    1
#2: Increased focus of attacks
[Chart axes: Damage (vertical) vs. Breadth of impact (horizontal)]
Viruses (1990 – present)
Worms (2000 – present)
Phishing & Pharming (2003 – present)
Spearphishing & Malware (2006 – present)
#2: Increased focus of attacks (cont’d)
Profiteers
Espionage
Hacktivism
Innovation, efficiency to combat commoditization
Data exfiltration
Web defacement, denial of service
Botnets, simple exploits
“Designer Malware”
#2: Increased focus of attacks (cont’d)
We see an interesting dichotomy:
Widespread exploitation of old vulnerabilities
Microdistribution of sophisticated, targeted malware
So, we need to adapt our protection models
Incessant, rigorous followup on baseline protection
Blacklisting vs. whitelisting – does either one really work?
Better visibility: cross-device correlation of security events
Shift in attacks – most are easily addressed
How do we focus our efforts on the more difficult to address?
How do we mine the existing data we have to find things before they happen?
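The "better visibility" bullet above asks for cross-device correlation of security events, and the dichotomy bullet separates noisy old-vulnerability traffic from quiet targeted malware. The script below is an added example, not tooling from the deck or from Ronin Consulting: it runs two correlations over a constructed log of IDS, endpoint AV and proxy events (the line format, host names, signature names and the 10-minute window are all assumptions made here). The first finds one signature hitting many hosts (a baseline-protection problem); the second flags a single host only when three different devices disagree with "nothing to see" inside one window.

```python
"""Cross-device correlation of security events (added example).

Log format, hosts, signatures and thresholds are constructed assumptions
for this example; nothing here is the deck's own tooling.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three devices: IDS, endpoint AV, web proxy.
SAMPLE_LOG = """\
2009-06-01T09:00:05 ids host=ws-17 sig=OLD_SMB_EXPLOIT_SIG src=10.1.4.9
2009-06-01T09:00:07 ids host=ws-22 sig=OLD_SMB_EXPLOIT_SIG src=10.1.4.9
2009-06-01T09:00:09 ids host=ws-31 sig=OLD_SMB_EXPLOIT_SIG src=10.1.4.9
2009-06-01T09:00:11 ids host=ws-40 sig=OLD_SMB_EXPLOIT_SIG src=10.1.4.9
2009-06-01T10:12:00 av host=fin-03 action=quarantine_failed file=invoice.pdf.exe
2009-06-01T10:13:30 proxy host=fin-03 dst=cdn-update.example.net category=uncategorized bytes_out=48213
2009-06-01T10:14:02 ids host=fin-03 sig=BEACON_NONSTANDARD_PORT src=10.2.0.3
2009-06-01T10:30:00 av host=hr-01 action=quarantine_failed file=setup.exe
2009-06-01T11:00:00 proxy host=hr-01 dst=www.example.com category=business bytes_out=512
"""


def parse(log):
    """Turn 'timestamp source key=value ...' lines into dicts."""
    events = []
    for line in log.splitlines():
        ts, source, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "source": source}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def widespread_exploits(events, min_hosts=3):
    """Baseline finding: one IDS signature seen against many hosts, i.e. the
    'old vulnerability' traffic that patching and perimeter rules should stop."""
    hosts_by_sig = defaultdict(set)
    for ev in events:
        if ev["source"] == "ids":
            hosts_by_sig[ev["sig"]].add(ev["host"])
    return {sig: sorted(hosts) for sig, hosts in hosts_by_sig.items()
            if len(hosts) >= min_hosts}


def targeted_activity(events, window=timedelta(minutes=10)):
    """Targeted finding: on ONE host, an AV quarantine failure followed within
    the window by an uncategorized outbound connection and an IDS alert.
    Each device alone is noise; the combination across devices is the signal."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in evs:
            if anchor["source"] != "av" or anchor.get("action") != "quarantine_failed":
                continue
            later = [e for e in evs if anchor["ts"] <= e["ts"] <= anchor["ts"] + window]
            saw_proxy = any(e["source"] == "proxy" and e.get("category") == "uncategorized"
                            for e in later)
            saw_ids = any(e["source"] == "ids" for e in later)
            if saw_proxy and saw_ids:
                findings.append({"host": host,
                                 "first_seen": anchor["ts"].isoformat(),
                                 "evidence": [e["source"] for e in later]})
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("widespread:", widespread_exploits(evs))
    print("targeted:", targeted_activity(evs))
```

Note that hr-01 also has a quarantine failure, but its only proxy event is a categorized site 30 minutes later, so it is not reported; the window and the requirement for all three sources are what keep the targeted rule quiet.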
#3: Privacy and Reputational Risk
Cover all data, initial focus on PII
Balance reduction in risk and achievability
Slow down the velocity of leakage of confidential data
Combination of awareness, technology, and process controls
Data Protection Initiative – Areas of Focus
  When data leaves the firm
  When data is on portable media
  When data is widely available
#3: Privacy and Reputational Risk (cont’d)
Prioritize efforts based on reducing potential “velocity” of data leakage
Migration to tapeless backup: Core-to-Bunker, Remote-to-Core
Controls on portable devices: laptop encryption, removable media controls
Filtering of Personally Identifiable Information (PII): email, FTP and HTTP filtering at gateways; discovery of PII on fileshares
Application PII remediation
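The bullets above name "discovery of PII on fileshares" and gateway filtering as controls but do not show how a scanner decides what is PII. The script below is an added example, not the deck's or any vendor's tool: it walks a constructed in-memory "share" (paths and contents invented here), looks for SSN-shaped and card-shaped strings, and applies structural checks (SSN area/group/serial rules, the Luhn checksum for card numbers) so that build numbers and serial strings are not reported. Findings are returned masked, since a DLP report that copies the PII it found is itself a leak.

```python
"""PII discovery over a fileshare, with false-positive filtering (added example).

The share contents, paths and patterns are constructed for this example;
the deck names the control (PII discovery on fileshares) but no tooling.
"""
import re

# Constructed sample share: path -> text content. None of this is real data.
SAMPLE_SHARE = {
    "finance/payroll_2009.csv": "name,ssn\nA. Smith,123-45-6789\n",
    "marketing/orders.txt": "card 4111 1111 1111 1111 exp 12/11\n",
    "it/changelog.txt": "serial 4111-1111-1111-1112, build 123456789, ref 000-12-3456\n",
    "it/readme.txt": "nothing sensitive here\n",
}

SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13-16 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def ssn_plausible(area, group, serial):
    """Reject structurally invalid SSNs so ticket and version strings are skipped."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def mask(digits, keep=4):
    """Keep only the last few digits in the report."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_text(text):
    found = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.append(("ssn", mask("".join(m.groups()))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(("card", mask(digits)))
    return found


def scan_share(share):
    """Return sorted (path, kind, masked value) findings for a whole share."""
    return sorted((path, kind, masked)
                  for path, text in share.items()
                  for kind, masked in scan_text(text))


if __name__ == "__main__":
    for finding in scan_share(SAMPLE_SHARE):
        print(*finding)
```

The same `scan_text` function can sit behind an email, FTP or HTTP gateway filter; the share walker is only the batch form of the check.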
#4: Identity & Access Management
Many incidents and most SOX findings are driven by access issues
  Privileged access
  Access certification
  Offboarding / transfers
Significant employee impact
  Onboarding
  General provisioning
Complicated and not well understood
Exponentially complex in large organizations
#4: Identity & Access Management (cont’d)
Access models, from least to most automated:
  Component Level Access Request
  Role Level Access Request
  Rule Driven Access (No Request Required)
  Component Level Access Request With Links To Automation
[Chart axes: Scalability / Cost Saving, Ease of Use, Auditability; each rated Low to High]
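The slide ranks access models by how much of provisioning is driven by rules rather than requests, and the previous slide blames most incidents and SOX findings on privileged access, certification, offboarding and transfers. The script below is an added example (not the deck's or Ronin's model) that shows what a role- and rule-driven model makes checkable: with a role-to-entitlement map plus attribute rules (both constructed here, as are the users), it reports entitlements a user still carries from a former role, accounts that are terminated but still hold access, and entitlements the rules say a user should have but does not.

```python
"""Rule-driven access and access-accumulation review (added example).

Assumptions, not from the deck: a role -> entitlement map, attribute rules,
and user records with a current role, a role history and a status field.
"""

# Constructed role model: which entitlements each role is allowed to carry.
ROLE_ENTITLEMENTS = {
    "trader": {"email", "trading-front-end", "market-data"},
    "ops-analyst": {"email", "ops-console", "batch-scheduler"},
    "hr-generalist": {"email", "hris-read"},
}


def rule_driven(user):
    """Entitlements derived from attributes; no request needed (constructed rules)."""
    extra = set()
    if user.get("is_manager"):
        extra.add("approvals-queue")
    if user.get("location") == "london":
        extra.add("vpn-emea")
    return extra


# Constructed user records; 'entitlements' is what the directory shows today.
USERS = [
    {"id": "jdoe", "status": "active", "role": "trader", "former_roles": ["ops-analyst"],
     "is_manager": False, "location": "nyc",
     "entitlements": {"email", "trading-front-end", "market-data", "ops-console"}},
    {"id": "asmith", "status": "active", "role": "hr-generalist", "former_roles": [],
     "is_manager": True, "location": "london",
     "entitlements": {"email", "hris-read", "approvals-queue"}},
    {"id": "mroe", "status": "terminated", "role": "ops-analyst", "former_roles": [],
     "is_manager": False, "location": "nyc",
     "entitlements": {"email", "batch-scheduler"}},
]


def expected_entitlements(user):
    """What the current role plus attribute rules justify; nothing else."""
    if user["status"] != "active":
        return set()
    return ROLE_ENTITLEMENTS[user["role"]] | rule_driven(user)


def accumulation_report(users):
    """Active users holding entitlements the current role does not justify.
    A former role explains how access was acquired, not why it is kept."""
    report = {}
    for u in users:
        if u["status"] != "active":
            continue
        excess = u["entitlements"] - expected_entitlements(u)
        if excess:
            carried = {e for r in u["former_roles"] for e in ROLE_ENTITLEMENTS[r]} & excess
            report[u["id"]] = {"excess": sorted(excess),
                               "carried_from_former_role": sorted(carried)}
    return report


def offboarding_gaps(users):
    """Non-active accounts that still hold any entitlement."""
    return sorted(u["id"] for u in users if u["status"] != "active" and u["entitlements"])


def provisioning_gaps(users):
    """Entitlements the rules would grant automatically but the directory lacks."""
    gaps = {}
    for u in users:
        if u["status"] == "active":
            missing = expected_entitlements(u) - u["entitlements"]
            if missing:
                gaps[u["id"]] = sorted(missing)
    return gaps


if __name__ == "__main__":
    print("accumulated:", accumulation_report(USERS))
    print("offboarding:", offboarding_gaps(USERS))
    print("provisioning:", provisioning_gaps(USERS))
```

Run periodically, the three reports are the "access certification" the slide asks for, but computed from the model instead of from a manager's memory of what each person should have.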
#5: The extended enterprise
Companies have become hopelessly “entangled”
  “Deperimeterization” of the corporate network
  The rise of “Cloud Computing”
Third-party dependencies abound
  Most firms have Service Provider assessment programs
  What happens when you leave?
Cloud Providers: XaaS
  Software-as-a-Service (SaaS) is mainstream
  Platform-as-a-Service and Infrastructure-as-a-Service
  On-demand computing will be the norm
#5: The extended enterprise (cont’d)
“Anywhere Access”
  Increasingly mobile workforce
  Don’t assume a Windows-based PC
  Desktop virtualization is increasingly prevalent
  Access from non-corporate PCs?
Re-evaluate “network-centric” security
  How to address the “outside insider”
  Need to migrate to application- and data-centric views
  Data obfuscation and DLP solutions
  Digital Rights Management (DRM): ready for prime time?
#6: The evolution of “security” into Risk Management
“You want a valve that doesn’t leak, and you do everything possible to try to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.”
- Arthur Rudolph, creator of the Saturn V rocket.
#6: Evolution of “security” into risk management
How do you quantify the risk associated with an exposure?
How do you measure the impact of risk mitigation initiatives?
Achievability / Impact Quadrant (ILLUSTRATIVE ONLY)
[Chart axes: Risk Reduction (vertical, Low to High) vs. Achievability (horizontal, Low to High)]
Initiatives plotted:
  Encryption
  Virus Management
  Monitoring Service (Perimeter)
  Remote Computing
  Awareness
  Information Owner Identification
  Secure Perimeter Infrastructure
  Vulnerability Management
  Infrastructure Secure Builds
  Change Event Management
  Source Code Management
  ID Admin Tools & Processes
  ID Recertification (Application)
  ID Recertification (Platform)
  Infrastructure Monitoring Solutions
  Privileged Access Control (Infra.)
  Privileged Access Control (App)
  Environment Separation
  Monitoring Service (Internal)
  OSP Review
  Infrastructure Logical Access Solutions
  Application Development
  Data Privacy
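The quadrant above plots initiatives by risk reduction against achievability, and the earlier scorecard slides roll per-LoB control ratings up to a firm-wide view. The script below is an added example of the arithmetic behind both, not the deck's own model: the 1-to-5 scores for each initiative are constructed here, the quadrant threshold of 3 is an assumption, and the roll-up rule (the worst rating across lines of business becomes the firm-wide rating, with 5 as worst) is likewise an assumption made for the example rather than something the deck states.

```python
"""Risk-prioritization quadrant and scorecard roll-up (added example).

Assumptions, not from the deck: 1-5 scores for risk reduction and
achievability per initiative, a quadrant threshold of 3, and a
'worst rating wins' roll-up of control ratings (1 best, 5 worst).
"""

# Constructed scores (illustrative only, like the deck's quadrant).
INITIATIVES = {
    "Virus Management": (2, 5),                  # low reduction, easy
    "Laptop Encryption": (4, 4),                 # high reduction, achievable
    "Privileged Access Control (App)": (5, 2),   # high reduction, hard
    "OSP Review": (1, 2),                        # low reduction, hard
}


def quadrant(risk_reduction, achievability, threshold=3):
    """Place an initiative in one of four quadrants."""
    high_r = risk_reduction >= threshold
    high_a = achievability >= threshold
    if high_r and high_a:
        return "do first"
    if high_r:
        return "plan / invest"
    if high_a:
        return "quick win"
    return "defer"


def prioritize(initiatives):
    """Rank by reduction x achievability; ties broken by name for stable output."""
    ranked = sorted(initiatives.items(),
                    key=lambda kv: (-(kv[1][0] * kv[1][1]), kv[0]))
    return [(name, quadrant(r, a), r * a) for name, (r, a) in ranked]


# Constructed per-LoB control ratings, 1 (best) to 5 (worst).
LOB_RATINGS = {
    "LoB #1": {"Control #1": 1, "Control #2": 3, "Control #3": 2, "Control #4": 4, "Control #5": 1},
    "LoB #2": {"Control #1": 2, "Control #2": 3, "Control #3": 1, "Control #4": 5, "Control #5": 2},
}


def firmwide(lob_ratings):
    """Roll up to the firm-wide scorecard: the worst LoB rating wins per control."""
    out = {}
    for ratings in lob_ratings.values():
        for ctrl, rating in ratings.items():
            out[ctrl] = max(out.get(ctrl, 0), rating)
    return out


def worst_controls(lob_ratings, threshold=4):
    """Controls whose firm-wide rating is at or past the escalation threshold."""
    return sorted(c for c, r in firmwide(lob_ratings).items() if r >= threshold)


if __name__ == "__main__":
    for row in prioritize(INITIATIVES):
        print(*row)
    print(firmwide(LOB_RATINGS), worst_controls(LOB_RATINGS))
```

The product is deliberately simple; what the slide is asking for is that the inputs be recorded and defended as numbers, so that the ranking can be argued about and re-run when a score changes.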
The challenge ahead
IT security has “grown up” – seat at the table
Must apply traditional IT management rigor in order to be given the chance to succeed at executing strategy
Continue to evolve our protection measures to keep up with the evolution of the threat
Put evergreen processes and systems in place to ensure completeness and consistency of controls
Need to develop models to make intelligent, fact-based decisions about risk prioritization and capital allocation
“If you don’t like change, you’ll like irrelevance even less”
— Tom Peters
Thank You from Ronin Consulting, LLC
Q & A