CYBERSECURITY – The next frontier

Robert E Stroud CGEIT CRISC

VP, Strategy and Innovation CA Technologies

International President, ISACA

@RobertEStroud

August 2014

www.isaca.org/cyber




© 2014 CA. ALL RIGHTS RESERVED.

Robert E Stroud CGEIT CRISC

International President ISACA

Vice President Strategy & Innovation CA Technologies

Futurist, Author, Public Speaker & Industry Geek

15 years Banking

Contributor to numerous industry frameworks, standards and good practices

Former Director itSMF International & itSMF USA

@RobertEStroud


Please do keep mobile devices on during this session!

@RobertEStroud #LeadIT

Source: http://www.securedgenetworks.com/secure-edge-networks-blog/bid/84023/10-Ways-Mobile-Device-Management-Can-Help-Your-School


ISACA

“Trust in, and value from, information systems”

– Global association serving 115,000 IT security, assurance, governance and risk professionals

– Established in 1969

– Members in 180 countries

– 200+ chapters


January 12th, 2010: The world changed

The Advanced Persistent Threat

http://www.eweek.com/c/a/Security/Google-China-and-the-Anatomy-of-the-Aurora-Attack-255807/

http://www.theguardian.com/technology/blog/2010/jan/20/google-china


APTs are impacting us in many ways


APTs are accelerating


Source: http://heartbleed.com

Watch the video here on Heartbleed: https://www.youtube.com/watch?v=8oI_laHhGjE


Advanced Persistent Threats?


Evolution of Attacks


The APT Lifecycle


Stages of an APT


How well do security professionals understand APTs?

How are they affecting different industries and organizations throughout the world?

What is being done to prevent them?

In Q4 of 2012, ISACA launched the APT Awareness Survey

[Chart labels: Asia, Europe / Africa, North America, Latin America, Oceania; values as extracted, not matched to regions: 19%, 32%, 8%, 3%, 38%]


AWARENESS

42.5% of respondents were familiar…

28.6%, somewhat familiar…

And only 25.1% very familiar with APTs.

Overall, 96.2% were somewhat familiar with APTs…

But most importantly:

93.6% of respondents understood APTs as a very credible, serious threat to national security and economic stability

[Chart: Very Familiar 25%, Familiar 42%, Somewhat Familiar 29%, Not at All Familiar 4%]


Suffering with an APT

Although just 21.6% of respondents reported having been victims of an APT attack, 63% – three times that amount – believe it’s only a matter of time before their business is targeted.

63% BELIEVE IT’S ONLY A MATTER OF TIME BEFORE THEIR BUSINESS IS TARGETED.


How are people handling the threats?

Most respondents are using technology in a risk based layered approach to prevent and combat APTs.

94.9% Anti-Virus / Anti-Malware

92.8% Network Tech (Firewalls, etc.)

71.2% IPS

© 2014 ISACA. All rights reserved


A Troubling Lack of Initiative

There aren’t enough precautions being taken against the threat of an APT.

Up to 81.8% of survey takers have not updated their agreements with vendors who provide protection against APT.

And 67.3% reported that they haven’t held any APT awareness training programs for their employees.

[Chart: “Has your enterprise increased security training as a result of APTs?” Categories: Very Likely, Likely, Not Very Likely, Not at All Likely; series: Yes, No; axis 0% to 80%]


APTs are serious threats. We need to give more consideration to their consequences.

Enterprises must adopt more technology awareness training, vendor management, incident management and increased attention from executives.


Cybersecurity – more than defense, you need “offence”!

Safe harbours will continue to exist

Traditional prevention and detection is not enough; you need to move from defensive to offensive

Governments cannot prevent intrusions

Data loss is inevitable

Attacks will continue

Companies often breached for years

New approaches required

Castle Image: http://www.castles.org/Kids_Section/Castle_Story/parts.htm

Image: http://hot1047.com/adrian-peterson-buys-snowmobiles-for-offensive-line/


If you have IP you are a target!

Assume you are breached

Prepare for the inevitable

Start planning

Define your “Win”

Delay the ‘Threat’ from reaching its goal

Minimize the loss

Improvise as you go along

Are your approaches outdated? If so, review and revise!


Transitioning to the “new normal”

Build a team

Establish key relationships

Determine Authorities within and outside organisation

Inventory Existing Technologies

Standardize the Investigation Process

Training and Governance

Establish & Develop Critical Capabilities
