Information Security and Network Structure - Café Empresarial (business breakfast) 15/05


Notes accompany this presentation. Please select Notes Page view.

These materials can be reproduced only with written approval from Gartner.

Such approvals must be requested via e-mail: vendor.relations@gartner.com.

Gartner is a registered trademark of Gartner, Inc. or its affiliates.

Information Security Technology and Services

Claudio Neiva Research Director – Network Security

Claudio.neiva@gartner.com

Fear, Uncertainty and Doubt

Brasil

DDoS Attacks Increasing in Size; Frequency of Attacks Is High

Source: Arbor Networks — Worldwide Infrastructure Security Report 2013

[Charts: "Most Common Motivations Behind DDoS" and "Largest Bandwidth Attacks Reported", 2002–2011; left axis 0–120, right axis 0–50]

Phishing e-mails

Phishing e-mails vary in quality, payload, and purpose, but they all share the same initial goal: get the user to take action

Source: Verizon 2013 security report

Likely Impacts

• Loss of availability:

1. Several hours

2. Several days

3. Forever

• Confidentiality failure:

1. Embarrassment

2. Privacy loss, fine and PR damage

3. Loss of competitive advantage

• Data loss:

1. Recoverable in several days

2. Partially corrupted data

3. Never fully recoverable

Confidentiality and Accessibility Cannot Be Simultaneously Optimized

[Chart axes: Confidentiality vs. Accessibility/Availability]

• Secrecy and reliability are negatively linked goals

• Time and money can partially raise the overall level of both

Nobody can see data

Everybody can see data

Optimized Trade-off Curve

Business

Security

Consumer

Security

Low Risk

High Cost

High Maturity

What Is Appropriate Risk?

There is no such thing as "perfect protection"

Manufacturing Healthcare Financial Services

Production Engineering

High Risk

Low Cost

Low Maturity

… More risk!

Business Model

More customers, more locations, more complexity, more aggressive use of personally identifiable information in marketing, more regulatory scrutiny, …

Station Access

Govern

The Nexus of Forces Is Driving Innovation in Government

Extreme Networking

Rampant Access

Global Class Delivery

Rich Context, Deep Insights

Data Loss Prevention

Secure Web Gateway

Risk

Security Application Testing

Security Information and Event Management

Cryptography

Firewalls

Managed Security Services

Intrusion Prevention

Mobile Security

Endpoint Protection

Social Media Security

Monitoring

Digital Surveillance

Information Security and the Nexus of Forces

Identity and Access Management

NEXUS

The 4 Phases of BYOD (Device or Disaster?)

Don't Ask, Don't Tell

Corporate-Owned Devices Only

Focus: Productivity

• Desktop Virtualization

• Adoption of New Enterprise-Grade Services

• Enterprise App Stores

• Self-Service and P2P Platforms

Focus: Data Protection, Cost

• BYO Policies

• Formal Mobile Support Roles

• MDM

• NAC

• Limited Support

• Extend Existing Capabilities

Realization of the Personal Cloud

• Context Awareness

• Identity-Aware NAC

• Workspace Aggregators

• "Walk-Up" Services

Avoid Adopt Accommodate Assimilate

How's This Working for You?

2002 2010 2018

Security is in the control of IT & Operations

Security is in the control of business units and users

Strategic Planning Assumption

By 2018, 70% of mobile professionals will conduct all of their work on personal smart devices.

Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring.

By 2020, 75% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012.

Can Your Board Handle the Truth?

100% of U.S. public company boards are required annually to disclose their ability to oversee risk, yet …

fewer than 2% of U.S.-based companies, and fewer than 9% of global companies, actually have robust and mature risk oversight practices.

You Must Get Right

Information Security

Privacy

Risk Management

Business Continuity Management

Compliance

Identity and Access Management

Identity

Single-Sign-On

Auto-provisioning

Hootsuite – Social Networks

GRC & Auditing

Vulnerability Analysis

Pentest

Internal Audit

PCI

Risk Management

Legal & Policy

Policy Review

Contract for Suppliers

Contract for Employees

Information Security Management

Scenario

Software

Code Audit

Fortify - Agile Methods

Whitelisting

SO Assessment

Endpoint

VPN

NAC

AV, Malware & Host IPS

DLP & Encryption

Internet Proxy

AntiSpam

Awareness

E-learning

Hotspots

Educational e-mails

Talks

Specific training

Intel & Operation

SOC

SIEM

Perimeter

IPS

Firewall

Application Firewall (WAF)

VPN

Information Security Management

Made up of several areas of the company; it is not exclusive to IT. It includes Information Security and IT, but also users, controllers, audit, HR, Legal, etc.

Security must be present in each person; it must be everyone's concern.

Security Policy

Documents each person's responsibilities, the points of attention and the necessary controls.

For the controls, it defines procedures and checklists for implementation and monitoring.

Perimeter: first barrier – reactive – between the Internet and the internal networks. Network-based.

IPS: blocks volumetric or miscellaneous attacks; Firewall: performs access control

WAF: shields Web applications; VPN: allows external access as if the user were on the internal network.

Software – second barrier – proactive – secure code and applications

Code audit: performed by the security team with a suitable tool; Fortify: part of the development process with agile deployment

Whitelisting: control of which applications the application server may execute; Assessment: cyclic validation of the application servers against checklists

Endpoint – protection of workstations, notebooks and mobile devices

VPN: allows secure external access; NAC: allows secure internal access

AV, Anti-malware, Host IPS, DLP and Encryption: protect the workstation and the data; Proxy and AntiSpam: protect the user and productivity

User awareness and education

e-learning and educational e-mails with facts and tips; technology hotspots (leaflets, panels)

Talks and training delivered by the security area; contracted talks and training

Identity Management

Single sign-on: automatic login to applications after logging in to Windows

Auto-provisioning: creation and deletion of accounts in a single workflow

Hootsuite: access management for social network profiles

Intelligence and Log Management

SIEM: centralization of logs and application of security and business rules in the correlation of the detected events

SOC: specialized team that monitors incidents and performs operational information security tasks

GRC and Audit

Audit, PCI and Risk Management: monitoring of vulnerabilities and management of risks. Vulnerability analysis: manual analysis of all the company's information assets by a specialized consultancy. Pentest: manual intrusion testing of the vulnerabilities found, and input for risk management

Legal and Policy

Cyclic Policy reviews: meetings of key people from the security committee or a similar body to draft and approve Policies

Contract for suppliers: contract containing the security requirements imposed on suppliers of information assets

Contract for employees: addendum to the employment contract regulating the use of IT assets

Implemented Gap Revision

Information Security – Framework

From Control-Centric Security

to People-Centric Security

Policy Rules

People

Punishment

Control

Rights Principles

Policy

Responsibilities

People

Monitor

Educate

Kickin' it old school

• Threat-based

• Tool-focused

• Tactical

• Reactive

• Project-oriented

• Ignored by business

• Take ownership of risk

The new paradigm

• Risk-based

• Process-focused

• Strategic

• Proactive

• Programmatic

• Engaged with business

• Educate about risk

New Goals of Information Security

The function of information security management is to support the business's ability to deliver on its goals in a risk-resilient manner.

Cost Center Value-Add

Transform: Mapping KRIs and KPIs

Revenue Loss

Miss the Quarter

Leading Indicator That…

Critical Application Fault

Supply Chain

Support Application

Key Risk Indicator

Open Incidents

Poor Patching

Negative Impact KPI

Supply Chain Slows

CRO/CISO CIO The Business

Reading Gartner's reports, but not speaking to an analyst

Path to Failure:

What product and vendor selection tools are appropriate for my enterprise?

Gartner Methodologies

Gartner IT Market Clock

Gartner Hype Cycle

Gartner MarketScope

Gartner Magic Quadrant

Technology Evolution

Market Overview

Gartner Critical Capabilities

Should you move or wait?

Maintain or retire?

Evaluate risks in emerging and mature markets

Map providers against business requirements

Identify use cases and compare vendors

Recommended Gartner Research

The Structure and Scope of an Effective Information Security Program Tom Scholtz (G00210133)

Security Management Strategy Planning Best Practices Tom Scholtz (G00223694)

The Security Processes You Must Get Right Rob McMillan (G00209848)

Seven Techniques for More Proactive Risk and Security Management Tom Scholtz (G00224578)

The Keep-It-Simple Approach for CIO Risk Reporting to the Board Richard Hunter, French Caldwell (G00211351)

Introducing Risk-Adjusted Value Management Paul E. Proctor, Michael Smith (G00225409)

The Gartner Business Risk Model: A Framework for Integrating Risk and Performance Paul E. Proctor, Michael Smith (G00214758)

Information Security and Risk Governance: Forums and Committees Tom Scholtz, F. Christian Byrnes (G00207477)

For more information, stop by Experience Gartner Research Zone.
