
Proprietary and Confidential — External Use Only

1 Risk Mitigation Considerations Hayden M. McKaskle


Creating a Defensible Information Security Strategy

November 17, 2017

Hayden M. McKaskle


Kroll Overview

Creating a Defensible Information Security Strategy

1

Cyber Security

Incident Response

Data Breach Notification

Kroll Overview

Our History & Expertise

>40 years of experience

55 offices across 26 countries

1,100+ employees

OUR SOLUTIONS SPAN

Investigations

Compliance

Information Security & Assurance

Physical Security

Due Diligence


Globally Recognized Leader

World-renowned planning and investigative experience combined with state-of-the-art technological tools

Recognized experts previously with the FBI, federal and state law enforcement, cybersecurity consulting and research firms, and large corporate cybersecurity teams

Foundation of Capabilities

Global Incident Response Partner by Carbon Black (Bit9)

Leader of Notification Industry, “The Forrester Wave™ Report”

Best Cyber Security Consultancy

Now 2017 – 5 years running!


End To End InfoSec Lifecycle Services

Prepare & Prevent

Investigate & Respond

Remediate & Restore

Proactive and Reactive Capabilities

Risk Assessments

Maturity Reviews

CISO Advisory Services

Cyber Policy Review & Design

Cyber Awareness Training

Incident Response Plan and Tabletop Exercises

Penetration Testing

Vulnerability Scanning

Third Party Cyber Audits and Reviews

QSA Services

CyberDetectER Threat Monitoring

Computer Forensics

Incident Response Management

Data Collection & Preservation

Data Recovery & Forensic Analysis

Malware and Advanced Persistent Threat Detection

Cyber Litigation Support

CyberDetectER Threat Monitoring

PFI Services

B2B: Data Breach Response Notification Letters

Call Center Services

Credit Monitoring (Kroll Branded)

Identity Theft Restoration (Kroll Branded)

Identity Monitoring (Kroll Branded)

B2B2C: Consumer ID Theft Protection Services

IDShield Powered by Kroll (e.g. LegalShield)

ID Theft Smart (e.g. HSB)

ID Theft Defense (e.g. Primerica)


Data Breach Victims Everywhere….


Attack Vectors Evolve

Threats Growing Exponentially

Global Pandemics Becoming the New Normal


And the incident is just the beginning…

Regulatory Agencies and State AGs Levying Fines Against Victims


Record Breaking Fines…


20 CSC is Minimum Standard

The 20 Critical Security Controls “identify a minimum level of information security that all organizations that collect or maintain personal information should meet.

The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

California Data Breach Report (Feb 2016), Attorney General Kamala D. Harris

Creating a Defensible Information Security Strategy

2


Strategic Components

Set the Narrative

Leverage a Framework

Demonstrate Maturity


What is Your Narrative?

Reasonable Measures Implemented

Attacker Used Extraordinary Methods

Rapidly Detect and Effectively Respond


InfoSec Theory Evolution

Perimeter

Defense In Depth

Assumption of Breach


Assumption of Breach Theory

Issue: “With enough time, resources and commitment, any attacker will be able to penetrate a network.”

Solution: Assess the risk and impact related to the various data workflows in the network.

Where is your sensitive/regulated data?

Creation

Transmission

Reproduction

Physical Transport

Storage

Disposal

Intellectual Property


Leverage A Framework

Benefits and Caveats of a Cybersecurity Framework

Benefits

Caveats


Using the Same Language: Executives to Operations

Current Cybersecurity Posture

Target State for Cybersecurity

Priorities & Repeatable Process

Progress Toward Target State

Internal and External Stakeholders

Framework Core: Functional & Risk-Based

What assets need protection?

What safeguards are available?

What techniques can identify incidents?

What techniques can contain impacts of incidents?

What techniques can restore capabilities?


Framework Implementation Tiers

Tier 1 Partial

Tier 2 Risk-Informed

Tier 3 Repeatable

Tier 4 Adaptive

FRAMEWORK IMPLEMENTATION TIERS

Tier 1, Partial: Risk management is ad hoc, with limited awareness of risks and no collaboration with others.

Tier 2, Risk-Informed: Risk-management processes and program are in place but are not integrated enterprise-wide; collaboration is understood, but the organization lacks formal capabilities.

Tier 3, Repeatable: Formal policies for risk-management processes and programs are in place enterprise-wide, with partial external collaboration.

Tier 4, Adaptive: Risk-management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration.

Typical Assessment Maturity Findings

PEOPLE

Highly balkanized organization structure

Strong personnel with good knowledge base

Lack of well-defined roles and responsibilities

Inability to detect and respond to an incident rapidly

PROCESSES

Lack of a formal IR policy

Existing processes are not well defined (event types, tripwires, containment, etc.)

Immature operation procedures

Lack of functional documentation, including guidelines

TECHNOLOGY

Overreliance on a tool-based strategy

Tool-Based Strategy?

Technical Controls

Operations

Governance

Most Data Breaches Occur When This Strategy Is Used!

Most Effective Strategy to Mitigate Risk!

Governance

Operations

Technical Controls


Summary

Have a narrative before the incident

Choose and implement a cybersecurity framework

Use governance structures to operationalize the framework

InfoSec Maturity = detect and respond capability

Future War Stories

Discussion

Hayden McKaskle

Director, Cyber Security & Breach Notification

100 Centerview Drive

Nashville, TN

[email protected]

(o) 615.577.6758 (c) 615-806-5357