The Evolving Information Security Organization – Challenges and Successes
Panelists:
• Jason Taule, Chief Security and Privacy Officer, FEi Systems (Moderator)
• Robert Booker, Vice President and Chief Information Security Officer, UnitedHealth Group
• Erick Rudiak, Information Security Officer, Express Scripts
• Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, WellPoint
• Omar Khawaja, Vice President and Chief Information Security Officer, Highmark
Chief Information Security Office
HITRUST 2014 Conference
The Evolving Information Security Organization – Challenges and Successes
Tuesday – April 22, 2014
Roy R. Mellinger, CISSP – ISSAP, ISSMP, CIM
Vice President, IT Security
Chief Information Security Officer
[Figure: how the security organization evolves. Recoverable labels follow.]
Stages of the security function, from tactical to strategic:
• Operating Technical Security Controls
• Translating Security Requirements into Technical Security Controls
• Translating Business Needs into Security Requirements
• Security Viewed as a Business Enabler
• Enterprise Risk Management
Scope at each level: IT Compliance, IT Risk, Enterprise Risk (Operational Compliance, Risk, Security Threat Management)
Posture at each level: Fighting Fires, Containing Fires, Anticipating Fires, Preventing Fires
CYBER THREAT MANAGEMENT
• 24x7 Security Operations Center (SOC)
• End to End DLP (Data Loss Prevention) Strategy
• Tracking of Malware Threats and Coding Techniques
• Effective Firewalls, IDS / IPS Strategy Implementations
• Effective Security and Event Log Management & Monitoring
• Robust Safeguarding Policies, Programs and Processes
Hacking Then (fringe) vs. Hacking Now (mainstream) – roughly 30 years apart

Hacking Then:
• Individual or Computer Clubs / Groups
• Manual efforts with Social Engineering
• Success = Badge of Honor; Personal Monetary Gain or to pay for / fund hacking activity
• War Protesting and Civil Disobedience, Anti-Establishment Rhetoric, Social Rebels and Misfits

Hacking Now:
• Automated / Sophisticated Malware
• Hacktivism – Freedom of Speech, Statements to Influence Change, Sway Public Opinion and Publicize Views
• Criminal – Drug Cartels, Domestic and Foreign Organized Crime for Identity Theft and Financial Fraud
• Espionage – IP, Business Intelligence, Technology, Military / Political Secrets
• Terrorism – Sabotage, Disruption and Destruction
• Nation-State – Intelligence Gathering, Disruptive Tactics, Clandestine Ops, Misinformation, Warfare Strategies, and Infrastructure Destruction
Attack lifecycle, stage by stage:
• Initial Compromise — spear phishing via email, planting malware on a target website or social engineering.
• Establish Foothold — plant administrative software and create back doors to allow for stealth access.
• Escalate Privileges — use exploits and password cracking tools to gain privileges on victim computer and network.
• Internal Reconnaissance — collect info on network and trust relationships.
• Move Laterally — expand control to other workstations and servers. Harvest data.
• Maintain Presence — ensure continued control over access channels and credentials acquired in previous steps.
• Complete Mission — exfiltrate stolen data from victim's network.
Cyber Threat Management: Conventional Approach vs. Paradigm Shift

Controls Coverage
  Conventional: Protect ALL information assets
  Cyber Threat Management: Protect your MOST IMPORTANT assets (Crown Jewels) based on risk assessments

Controls Focus
  Conventional: Preventive Controls (anti-virus, firewalls, intrusion prevention, etc.)
  Cyber Threat Management: Detective Controls (monitoring, behavioral logic, data analytics)

Perspective
  Conventional: Perimeter Based
  Cyber Threat Management: Data Centric

Goal of Logging
  Conventional: Compliance Reporting
  Cyber Threat Management: Threat Detection

Security Incident Management
  Conventional: Piecemeal – Find and neutralize malware or infected nodes
  Cyber Threat Management: BIG PICTURE – Find and dissect attack patterns to understand threat

Threat Management
  Conventional: Collect information on Malware
  Cyber Threat Management: Develop a deep understanding of attackers' targets and modus operandi related to YOUR org's network and information assets

Success Defined By
  Conventional: No attackers get into the network
  Cyber Threat Management: Attackers sometimes get in; BUT are detected as early as possible and impact is minimized
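The two slides above (the attack lifecycle and the "logging for threat detection, not just compliance" shift) describe a correlation the SOC has to perform: tag each detective-control event with the lifecycle stage it indicates, then look across a host's events for a pattern spanning several stages, so the intrusion is reported at the earliest stage that left a trace rather than only at exfiltration. The following Python is an added example for this page, not code from the panel or from any vendor; the event names, the event-to-stage mapping and the two-stage threshold are assumptions chosen for illustration, and the sample events are constructed.

```python
"""Correlate constructed detector events by attack-lifecycle stage.

Added example for the HITRUST 2014 panel deck; the event names in
EVENT_PHASE and the min_phases threshold are assumptions, not any
product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass

# Lifecycle stages in the order the slide lists them.
PHASES = [
    "initial_compromise", "establish_foothold", "escalate_privileges",
    "internal_recon", "move_laterally", "maintain_presence", "complete_mission",
]

# Assumed mapping from a detector's event label to a lifecycle stage.
# Events that are not lifecycle indicators (e.g. compliance audits)
# are deliberately absent and are ignored by tag_phase().
EVENT_PHASE = {
    "email_attachment_executed": "initial_compromise",
    "new_local_admin_created": "establish_foothold",
    "remote_access_tool_installed": "establish_foothold",
    "credential_dump_tool_run": "escalate_privileges",
    "ad_enumeration_burst": "internal_recon",
    "remote_logon_from_workstation": "move_laterally",
    "scheduled_task_persistence": "maintain_presence",
    "large_outbound_transfer": "complete_mission",
}


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch (constructed values below)
    host: str
    event: str    # detector label, see EVENT_PHASE


def tag_phase(ev):
    """Return the lifecycle stage an event indicates, or None if the
    event is not a lifecycle indicator (compliance-only noise)."""
    return EVENT_PHASE.get(ev.event)


def correlate(events, min_phases=2):
    """Group tagged events by host. For every host whose events span at
    least `min_phases` distinct stages, return the stages seen (in
    lifecycle order), the timestamp of the first indicator, and the
    earliest lifecycle stage observed. Hosts below the threshold are
    not reported, which keeps a single weak indicator from paging the SOC."""
    seen = defaultdict(dict)  # host -> stage -> first timestamp
    for ev in sorted(events, key=lambda e: e.ts):
        phase = tag_phase(ev)
        if phase is None:
            continue
        seen[ev.host].setdefault(phase, ev.ts)
    alerts = {}
    for host, phases in seen.items():
        if len(phases) >= min_phases:
            ordered = [p for p in PHASES if p in phases]
            alerts[host] = {
                "phases": ordered,
                "first_seen": min(phases.values()),
                "earliest_phase": ordered[0],
            }
    return alerts


# Constructed sample: ws-17 shows the first three stages of a chain,
# srv-db1 shows lateral movement followed by a large transfer, ws-42
# shows one persistence indicator plus a compliance audit event.
SAMPLE_EVENTS = [
    Event(1000, "ws-17", "email_attachment_executed"),
    Event(1300, "ws-17", "new_local_admin_created"),
    Event(1900, "ws-17", "credential_dump_tool_run"),
    Event(2500, "srv-db1", "remote_logon_from_workstation"),
    Event(2600, "srv-db1", "large_outbound_transfer"),
    Event(1100, "ws-42", "scheduled_task_persistence"),
    Event(1200, "ws-42", "password_policy_audit"),  # not a lifecycle event
]

if __name__ == "__main__":
    for host, info in correlate(SAMPLE_EVENTS).items():
        print(host, info)
```

Two design points follow the slide directly: the compliance audit event is logged but never feeds the detection path, and the alert carries the earliest stage observed, so on ws-17 the analyst sees "initial_compromise at t=1000" rather than waiting for a transfer that may never be noticed.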
Omar Khawaja
April 23, 2014
The Evolving Information Security Organization – Challenges and Successes
Risk is increasing
• Our information is increasing in value…
  • More data (EMRs)
  • More collaboration (ACOs)
  • More regulation (FTC)
• Our weaknesses are increasing…
  • More suppliers (Cloud)
  • More complexity (ACA)
• Opportunities to attack are increasing…
  • More access (consumer portals)
  • More motivated attackers
• Becoming increasingly difficult to secure
  • Multiple Compliance Requirements
  • Evolving Compliance Requirements
  • Unclear Compliance Requirements
  • Less visibility
  • Less control

(Assets X Vulnerabilities X Threats) - Controls
Security org needs to evolve

From… → To…
• Explaining the “what” → Explaining the “why”
• Growing the security org → Growing security in the org
• Creating more security processes → Making security part of more processes
• Telling them what to do → Assisting them with their job
• Protecting everything equally → Differentiated controls
• Measuring what matters to security org → Reporting on what matters to audience
Recommended