Proprietary and Confidential. Do Not Distribute. © 2015 Optiv Inc. All Rights Reserved.
16 May, 2016
Emerging Trends in Information Risk
J.R. Cunningham
Sr. Executive Director, Executive Solutions
Next Steps
Our Founding Principles:
• Support the business: Security strategy must be aligned to the business and have the visibility and support needed from leadership
• Community Collaboration: It takes a community to be successful, don’t go at it alone
• Call for Change: A compliance-based program will fail; the time has come to change the status quo
• Improve the Industry: Continuous evaluation and improvement of people, process and technology are the foundation of a security program
Executive Solutions
An elite street team of seasoned security and risk executives who have built some of the largest successful security programs in the world
The Security Journey
Maturity stages: Ad Hoc → Infrastructure Based → Compliance Based → Threat Based → Risk Based / Data Centric → Business Aligned
X = Shortcut: Failure to Pass
Business Aligned Strategy: Create a security program that enables your organization by understanding the business objectives, compliance objectives, threats and material risks.
Six Forces of Security: Strategy Influencers
• IT Organization, Systems and Infrastructure
• Business Strategy
• Organizational Culture
• Global Social and Political Forces
• Adversaries and Threats
• Government and Industry Regulations
Executive Management / Board – NACD
Guidance from the National Association of Corporate Directors (NACD)
PRINCIPLE 1: Cyber security is an enterprise-wide risk management issue, not just an IT issue.
PRINCIPLE 2: Understand legal implications of cyber risks.
PRINCIPLE 3: Have regular updates and access to cyber security experts.
PRINCIPLE 4: Establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
PRINCIPLE 5: Discussion of which risks to avoid, accept, mitigate or transfer through cyber insurance.
• APPENDIX A: Questions directors can ask management once a cyber breach is found
• APPENDIX B: Questions directors can ask to assess the board’s “Cyber Literacy”
• APPENDIX C: Sample cyber risk dashboards
• APPENDIX D: Questions for the board to ask management about cyber security
Source: nacdonline.org
Why does it seem the problem is getting worse?
Disappearing Boundaries
– Actors can locate and attack from anywhere
– Very difficult to trace and identify actors
– Socially connected networks provide cheap and easy intelligence to plan an attack
Increasing Risk Adjusted Returns
– Cost of launching an attack has drastically decreased
– “Victimless” crime that is “safer” than drug dealing
Method of Attack Changes Frequently
– Targeted phishing campaigns to gain login credentials
– Trusted third-party relationships to bypass controls
– Malicious insiders are still a concern
We cannot fight today’s cyber warfare with yesterday’s tactics
Common Challenges
Defense can lag behind attack methods
• Large number of days between the breach and detection
• Most companies learn of a breach from an external entity
Balancing risk and ability to leverage technology for growth
• Increasing number of online interchanges (customer and 3rd party)
• Commercialization of IT, proliferation of mobile and cloud technology
• Users’ expectations for access from anywhere with any device, e.g. BYOD
Clear understanding of the threats
• Threat mapping and analysis
• Driving security strategy
• Lack of clarity of the information security role within the business
Who exactly are the bad guys?
Information Security is the preservation of confidentiality, integrity, and availability of information and information systems

Actor: Organized Criminals
Motivation: Financial gain – sale of information on the black market; use of trusted partner data for further attacks
Target information: Personally Identifiable Information (PII), Personal Health Information (PHI), Trusted Partner Information, Financial Accounts

Actor: Hacktivist Groups
Motivation: Politics, ideology, business disruption, or reputation
Target information: Destroy data or disrupt business so the target loses credibility, influence, competitiveness, or stock value

Actor: Nation-States
Motivation: Politics, economics, intellectual property, or military advantage
Target information: Intellectual Property, Competitive Formulas and Processes

Actor: Competitors
Motivation: Intellectual property, competitive advantage
Target information: Intellectual Property, Growth, M&A Plans, Financial Results, Pricing, Competitive Formulas and Processes

Actor: Internal / External
Motivation: Financial gain, intellectual property, malicious destruction, or non-malicious actions
Target information: Combination of all groups
Our Approach: Business Aligned Security Program
Strategy inputs:
• Business Goals and Strategies
• Changing Regulations
• New Threats
• Threat Strategy
• Control Framework
• Enterprise Operational Risk: Information Risk, Business Operational Risk, Reputation Risk, Legal and Regulatory Risk
Enterprise Information Risk Management – Security Service Control Objectives:
• Program Management
• Governance, Risk Management and Compliance
• Network and Security Systems
• Data Protection
• Security Operations
• Identity and Access Management
• Application Security
• Incident Response
• Business Continuity
• Physical and Personnel Security
Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
A Not-So-Hypothetical Attack – How it Happened
The attacker’s target: the Supplier System
1. Supplier customer data pulled; credentials out
2. Credentials used to get inside the POS Software Distribution System
3. Moved to internal server
4. Escalates privileges
5. Lateral movement
6. POS data pulled
7. Data exfiltrated in pieces to an External Server
Batman’s Threat Situation (Courtesy of MIT)
http://web.mit.edu/tweilu/www/eff-ssd-mockup/threatmodel.html
Security Threat Assessment Example
Advanced Threat – Chopping the enemy’s activities up into bite-sized pieces
Attack stages assessed: Recon, Lure, Exploit, Injection, Movement, Data Exfiltration, Resurrection
Control dimensions: People, Process, Technology, Metrics
Maturity rating per cell: Highly Immature, Immature, Somewhat Immature, Mature
Protecting the ‘Critical Assets’
1. Review business objectives, goals and strategy
2. Determine the information and processes that are critical to current and future business success (high value asset)
3. Identify primary threats that would critically impact these assets including relative financial impact, if successful
4. Assess the security controls that are in place or planned to mitigate risk
5. Recommend phased activities to address control gaps
A Simple Methodology with Business Collaboration
Changing Role of the IT and Security Professional
The focus has changed from protecting the IT infrastructure to managing the information risk to the organization
Securing the Organization
• Security: Secure the internal organization
• Third-Party Risk Management: Understand and manage the risk of third parties
• Regulatory Compliance Management: Understand and manage regulatory risks
• Business Acumen: Communicate information risk in business terms
Together these make up Information Security Risk
Management Framework
Organization & Governance: An executive priority with a formal program that takes both a top-down and bottom-up approach to meet business needs
Data and Information Technology Infrastructure: Data in known locations, consistent, complete, appropriately segregated from users, and risks are auditable
Defined Program: Strong processes for risk identification, measurement, reporting, monitoring and development of adequate controls
Key Attributes
Secure: Use risk-prioritized controls to meet requirements of industry standards and regulations, and protect against current and emerging risks
Resilient: The ability to repair damage caused by a security event and return to normal operations with minimal disruption
Vigilant: Promote situational awareness that will detect anomalies and violations of security protocols
Questions?
www.optiv.com