http://www.pwc.ch/cybersecurity
Cyber threat and cyber breach landscape 2015 • How to protect enterprise data appropriately?
Security Interest Group Switzerland
3 March 2015
Agenda
1 The future: is bright and digital (page 1)
2 The reality: not yet there (page 3)
3 Problem and dilemma on the way to the digital transformation (page 7)
4 Building confidence in the digital transformation (page 10)
5 Five steps toward an appropriate cyber security (page 15)
6 Summary, questions and answers (page 22)
PwC
3 March 2015
The future: is bright and digital
The future vision: ‘Digital me’ – always and everywhere!
Section 1 – The future: is bright and digital
• Information is digital
• Information is available at my fingertips anytime, anywhere, anyhow
• The lines between the digital and physical world are blurring
• Software defines everything
• Everything is connected (the ‘internet of things’)
• Velocity, flexibility, dynamic, in the cloud
The vision:
Technology supports people and the environment to make the world a better place. Reliable and secure!
The reality: not yet there
Cyber Threats are real and affect business and life
Section 2 – The reality: not yet there
91% of large organisations and 87% of small businesses had security breaches in the last year
• Cyber security is now a persistent business risk
• Organisations are undoubtedly worried about the rising tide of cybercrime
• Looking at security investments by industry shows that spending is down in most sectors, with a few notable exceptions.
• The black markets for stolen data are growing in size and complexity.
Source: PwC 2015 The Global State of Information Security Survey 2015
63% of data breaches are recognised by third parties; threats were present for 243 days (average) before detection
[Chart: share of data breaches recognised by third parties: 63%. Average number of days threats were present before detection: 243]
Sources:
- Verizon Data Breach Investigations Report: http://www.verizonenterprise.com/ch/DBIR/
- Mandiant: https://www.mandiant.com/threat-landscape/
Greed, absence of ethics and weak prosecution / sanctions
Adversary motives and tactics evolve as business strategies change and business activities are executed.
Not only the ‘good guys’ use technology for their benefit (CCaS¹)!
Adversaries:
• Organized crime
• Hacktivists
• Nation state
• Insiders
What’s most at risk?
• Emerging technologies
• Executive travel
• Automation
• Health and safety records
• Business deals information
• Information and communication technology and data
• Industrial Control Systems (SCADA)
• Geological surveys and industrial design (Intellectual Property)
• Third-party connections
Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.
1) Cyber Crime as a Service
Problem and dilemma on the way to the digital transformation
What is a problem, and what is a dilemma?
Section 3 – Problem and dilemma on the way to the digital transformation
Problem: A perceived gap between the existing state and a desired state, or a deviation from a norm, standard, or status quo.
Dilemma: A situation in which a difficult choice has to be made between two or more alternatives, especially ones that are equally undesirable.
Source: http://www.businessdictionary.com
#  Problem areas                                         Dilemma
1  What is the value of digital information?             - Value for me
                                                         - Value for others / loss when absent
                                                         - How to quantify and claim
2  “Physical” and “digital” world obey different rules   - Tangible values are absent when stolen; copying is difficult
                                                         - Jurisdiction in the global world
3  Doing the “right” thing (ethical compass)             - Who or what is the moral judge?
                                                         - Greed is a strong driver
In a world of change, two things remain constant
• Username/password is not sufficient to identify a person reliably
• Just because goods are paid for with John Doe’s credit card doesn’t necessarily mean John Doe legally bought goods from you
Guiding principles:
1 a) We need to identify the counterparty and segregate trusted from untrusted
  b) We need to identify the device used to access data and segregate trusted from untrusted
  c) We need to identify the network/environment used and segregate trusted from untrusted
2 Business relations need trust
The options to react to adverse situations are:
a) Hide: protect data and allow access only to a ‘closed user group’
b) Run away: do not use the internet, or at least use separate infrastructure for internet and secret data
c) Fight: detect and respond quickly and effectively
Building confidence in the digital transformation
How can we get there?
“The future is not some place we are going, but one we are creating. The paths are not to be found, but made. And the activity of making them changes both the maker and the destination.”
John H. Schaar
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu, The Art of War
9 February 2015, IIS – Cyber Risk • Cyber threats and cyber breaches – What do you need to consider?
Balance business opportunity with emerging threats
• Customer experience
• Cloud-based services
• Mobility
• Big Data analytics
• Cyber resilience
Section 4 – Building confidence in the digital transformation
The dilemma: How to find the balance between innovation, functionality, compliance and security
Two options to avoid digital data loss: protect and monitor, or detect and respond
Prevent & Protect
‘Crown jewels’ must be identified and their protection prioritised, monitored and adjusted accordingly.
• Technology risk strategy
• Security architecture
• Target operations model
• Security governance
• Security assessments
‘Data protection by design’ by considering people, processes and technology
Detect
• Breach indicator assessment
• Data analytics for security information
• Threat intelligence
Detect malware, attacks and data exfiltration quickly and reliably
Respond & Remediate
• Incident response
• Forensic services
• Crisis management
• eDiscovery
• Data analytics
Respond to incidents efficiently and effectively. Remediate and learn.
Five steps toward an appropriate cyber security
Each organisation has a unique environment and therefore specific requirements
Section 5 – Five steps toward an appropriate cyber security
Technology risks across all layers: your business vision, business processes, business applications, devices, systems and platforms, network and communication, digital data.
Identify valuable data • Identify threats & risks • Apply appropriate protection
Five Steps toward holistic cyber security
1 Identify your most valuable information assets, align your cyber security strategy with business objectives and get funding
2 Select applicable cyber threat scenarios (10-15) and analyse the impact on your business data and customer data
3 Analyse current safeguards and their effectiveness, assess vulnerabilities in your infrastructure and supply chain
4 Assess cyber risks and ensure the risk landscape is aligned with risk appetite. Reduce, avoid or transfer unacceptable risks
5 Implement safeguards, monitor effectiveness, improve processes for earlier detection and reduce the time from detect to respond
How to determine cyber risks / technology risks?
[Diagram: threats act on vulnerabilities of assets; protection measures (safeguards) sit between them]
Risk = Impact × Likelihood ≈ Asset value × Vulnerability × Threat likelihood
Protection measures, safeguards
What to do with identified risks?
Avoid (run away): do not further use that service and avoid the risk (and the opportunity)
Accept: the balance between opportunity and threat is acceptable – no additional safeguards required
Reduce: apply additional security controls to reduce the risk to an acceptable level
Transfer: buy insurance or use outsourcing with sufficient liability
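As an added worked example (not from the deck), the formula on the ‘How to determine cyber risks’ slide is combined with the four treatment options above: each constructed scenario is scored as Asset value × Vulnerability × Threat likelihood, compared against an assumed risk appetite, and given a treatment. The scenario values, the risk appetite of 0.5, the safeguard model and the accept → reduce → transfer → avoid decision order are assumptions of this example.

```python
from dataclasses import dataclass, replace

RISK_APPETITE = 0.5  # constructed threshold: residual risk above this is not acceptable

@dataclass(frozen=True)
class Scenario:
    """One (asset, threat) pair, as in the 10-15 scenarios the deck says to select."""
    asset: str
    threat: str
    asset_value: int                # impact if the asset is lost, 1 (low) .. 5 (critical)
    vulnerability: float            # 0.0 (fully mitigated) .. 1.0 (no safeguard in place)
    threat_likelihood: float        # 0.0 .. 1.0, estimated from threat intelligence
    safeguard_effectiveness: float  # share of the exposure the best available control removes
    insurable: bool                 # insurance / outsourcing with sufficient liability available?

def risk(s: Scenario) -> float:
    """Risk = Impact x Likelihood ~ Asset value x Vulnerability x Threat likelihood."""
    return round(s.asset_value * s.vulnerability * s.threat_likelihood, 2)

def reduced(s: Scenario) -> Scenario:
    """Residual scenario once the safeguard is applied: only the vulnerability term shrinks."""
    return replace(s, vulnerability=round(s.vulnerability * (1 - s.safeguard_effectiveness), 2))

def treatment(s: Scenario, appetite: float = RISK_APPETITE) -> str:
    """Pick one of the four options. The order accept -> reduce -> transfer -> avoid is an
    assumption of this example; the deck lists the options without ranking them."""
    if risk(s) <= appetite:
        return "accept"    # balance of opportunity and threat is acceptable as-is
    if risk(reduced(s)) <= appetite:
        return "reduce"    # additional controls bring the residual risk within appetite
    if s.insurable:
        return "transfer"  # insurance or outsourcing with sufficient liability
    return "avoid"         # stop using the service, giving up the opportunity too

def risk_register(scenarios, appetite: float = RISK_APPETITE):
    """Scenarios ranked by inherent risk, each with its score and chosen treatment."""
    rows = [(s.asset, s.threat, risk(s), treatment(s, appetite)) for s in scenarios]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample scenarios; asset types taken from the deck's 'what is most at risk' list.
SCENARIOS = [
    Scenario("Customer data", "exfiltration by organised crime", 5, 0.8, 0.6, 0.8, True),
    Scenario("Industrial control systems (SCADA)", "malware attack", 5, 0.5, 0.2, 0.5, False),
    Scenario("Business deals information", "insider leak", 3, 0.6, 0.6, 0.3, True),
    Scenario("Third-party connection", "exploitation of an unpatched service", 4, 1.0, 0.5, 0.5, False),
]

if __name__ == "__main__":
    for asset, threat, score, action in risk_register(SCENARIOS):
        print(f"{score:4.2f}  {action:8s}  {asset} / {threat}")
```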
There are three stages to consider in cyber security
1 Pre-breach (to assess)
For a real view of the current situation, a self-assessment questionnaire and a remote scan are not sufficient!
Extensive security testing suite: internal testing, external testing, threat-based testing, web and mobile apps, host-based reviews, phishing attack, malware attack simulation; vulnerabilities and vulnerability handling.
2 Data breach
3 Post-breach (to respond)
Ensure data breaches are detected in a timely manner. Respond quickly and effectively with a professional team to reduce damage.
Incident management / incident handling / incident response: detection, triage, analysis, announcements and alerts, … other IM services …
Standards that might help
Security governance and maturity
What: COSO / COBIT / ISO 27001
How: ISO 27005 / ISO 27003 / ITIL
Security and service management
What: COBIT, ISO 27001, ITIL
How: ITIL, ISO 27002/27003/27005, ISO 9000, NIST, ENISA
Main challenge: understand the standard, adapt it to your specific needs and environment, and have the expertise.
A security professional may well be a cost – but does this for a living!
[Diagram: scope of coverage of COSO, COBIT, ITIL, ISO 9000 and ISO 2700x, plotted from ‘what’ to ‘how’]
Summary, questions and answers
Summary and next steps
Section 6 – Summary, questions and answers
Tasks
1 Cyber security is not a product or a status – it is a continuous practice
2 Identify your ‘crown jewels’ and assess threats/risks/capabilities. Define, apply and monitor ‘appropriate’ cyber security measures
3 Detect data breaches in a timely manner and react effectively
Deliverables/artefacts
• ‘Cyber security architecture’ combining people, processes and technology
• Data classification and data ownership (controller, processor)
• Risk-based cyber security approach. Consider security as a separate layer
• Monitoring and event management, incident response, learning from incidents
Questions, comments?
Jan Schreuder, PwC, Partner, +41 58 792 24 [email protected]
Thomas Koch, PwC, Director, +41 58 792 29 [email protected]
Lorenz Neher, PwC, Senior Manager, +41 58 792 47 [email protected]
© 2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document. This report is intended for internal use only by the recipient and should not be provided in writing or otherwise to any other third party without PricewaterhouseCoopers express written consent.
visit www.pwc.ch/cybersecurity