Slide 1

Emerging Trends in Information Risk - CUNA Councils
J.R. Cunningham, Sr. Executive Director, Executive Solutions
16 May, 2016

Proprietary and Confidential. Do Not Distribute. © 2015 Optiv Inc. All Rights Reserved.


Slide 2

Next Steps

Our Founding Principles:

• Support the business: Security strategy must be aligned to the business and have the visibility and support needed from leadership

• Community Collaboration: It takes a community to be successful; don't go at it alone

• Call for Change: A compliance-based program will fail; the time has come to change the status quo

• Improve the Industry: Continuous evaluation and improvement of people, process and technology are the foundation of a security program

Executive Solutions: an elite street team of seasoned security and risk executives who have built some of the largest successful security programs in the world

Slide 3

The Security Journey

Maturity stages, from least to most mature:

Ad Hoc → Infrastructure Based → Compliance Based → Threat Based → Risk Based / Data Centric → Business Aligned

X Shortcut = Failure to Pass

Business Aligned Strategy: Create a security program that enables your organization by understanding the business objectives, compliance objectives, threats and material risks.

Slide 4

Six Forces of Security: Strategy Influencers

• IT Organization, Systems and Infrastructure

• Business Strategy

• Organizational Culture

• Global Social and Political Forces

• Adversaries and Threats

• Government and Industry Regulations

Slide 5

Guidance from the National Association of Corporate Directors (NACD)

Executive Management / Board – NACD

PRINCIPLE 1: Cyber security is an enterprise-wide risk management issue, not just an IT issue.

PRINCIPLE 2: Understand legal implications of cyber risks.

PRINCIPLE 3: Have regular updates and access to cyber security experts.

PRINCIPLE 4: Establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

PRINCIPLE 5: Discussion of which risks to avoid, accept, mitigate or transfer through cyber insurance.

• APPENDIX A: Questions directors can ask management once a cyber breach is found

• APPENDIX B: Questions directors can ask to assess the board's "Cyber Literacy"

• APPENDIX C: Sample cyber risk dashboards

• APPENDIX D: Questions for the board to ask management about cyber security

Source: nacdonline.org

Slide 6

Why does it seem the problem is getting worse?

Disappearing Boundaries

– Actors can locate and attack from anywhere

– Very difficult to trace and identify actors

– Socially connected networks provide cheap and easy intelligence to plan an attack

Increasing Risk-Adjusted Returns

– Cost of launching an attack has drastically decreased

– "Victimless" crime that is "safer" than drug dealing

Method of Attack Changes Frequently

– Targeted phishing campaigns to gain login credentials

– Trusted third-party relationships to bypass controls

– Malicious insiders remain a concern

We cannot fight today's cyber warfare with yesterday's tactics

Slide 7

Common Challenges

Clear understanding of the threats

• Large number of days between the breach and detection

• Most companies learn of a breach from an external entity

• Defense can lag behind attack methods

Balancing risk and the ability to leverage technology for growth

• Increasing number of online interchanges (customer and 3rd party)

• Commercialization of IT, proliferation of mobile and cloud technology

• Users' expectations for access from anywhere with any device, e.g. BYOD

Driving security strategy

• Threat mapping and analysis

• Lack of clarity of the information security role within the business

Slide 8

Who exactly are the bad guys?

Information Security is the preservation of confidentiality, integrity, and availability of information and information systems

Threat actors, with their motivation and target information:

Organized Criminals
  Motivation: Financial gain - sale of information on the black market; use trusted partner data for further attacks
  Target Information: Personally Identifiable Information (PII), Personal Health Information (PHI), Trusted Partner Information, Financial Accounts

Hacktivist Groups
  Motivation: Politics, ideology, business disruption, or reputation
  Target Information: Destroy data or disrupt business to lose credibility, influence, competitiveness, or stock value

Nation-States
  Motivation: Politics, economics, intellectual property, or military advantage
  Target Information: Intellectual Property, Competitive Formulas and Processes

Competitors
  Motivation: Intellectual property, competitive advantage
  Target Information: Intellectual Property, Growth, M&A Plans, Financial Results, Pricing, Competitive Formulas and Processes

Internal / External
  Motivation: Financial gain, intellectual property, or malicious destruction, non-malicious actions
  Target Information: Combination of all groups

Slide 9

Business Aligned Security Program / Our Approach

(Two diagrams on this slide, "Business Aligned Security Program" and "Our Approach", show the same elements.)

Enterprise Information Risk Management is shaped by:

• Business Goals and Strategies

• Threat Strategy

• Changing Regulations

• New Threats

• Control Framework

Risk categories:

• Enterprise Operational Risk

• Information Risk

• Business Operational Risk

• Reputation Risk

• Legal and Regulatory Risk

Security Services / Control Objectives:

• Program Management

• Governance, Risk Management and Compliance

• Network and Systems Security

• Data Protection

• Security Operations

• Identity and Access Management

• Application Security

• Incident Response

• Business Continuity

• Physical and Personnel Security

Slide 10

A Not-So-Hypothetical Attack – How it Happened

(Diagram; the attack flow reads as follows.)

1. Supplier system: supplier credentials pulled out

2. Credentials used to get inside via the POS software distribution system

3. Moved to internal server; escalates privileges; lateral movement

4. POS data pulled; customer data pulled (the attacker's target)

5. Data exfiltrated in pieces to an external server

Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.

Slide 11

Batman's Threat Situation (Courtesy of MIT)

http://web.mit.edu/tweilu/www/eff-ssd-mockup/threatmodel.html

Slide 12

Security Threat Assessment Example

Advanced Threat – Chopping the enemy's activities up into bite-sized pieces

(Matrix diagram.) Rows: People, Process, Technology, Metrics. Columns (attack phases): Recon, Lure, Exploit, Injection, Movement, Data Exfiltration, Resurrection. Each cell is rated on a maturity scale: Highly Immature, Immature, Somewhat Immature, Mature.

Slide 13

Protecting the 'Critical Assets'

A Simple Methodology with Business Collaboration

1. Review business objectives, goals and strategy

2. Determine the information and processes that are critical to current and future business success (high-value assets)

3. Identify primary threats that would critically impact these assets, including the relative financial impact if successful

4. Assess the security controls that are in place or planned to mitigate risk

5. Recommend phased activities to address control gaps

Slide 14

Changing Role of the IT and Security Professional

The focus has changed from protecting the IT infrastructure to managing the information risk to the organization

Securing the Organization:

• Information Security: Secure the internal organization

• Third-Party Risk Management: Understand and manage the risk of third parties

• Regulatory Compliance Management: Understand and manage regulatory risks

• Business Acumen: Communicate information risk in business terms

Risk

Slide 15

Management Framework

Organization & Governance: An executive priority with a formal program that takes both a top-down and bottom-up approach to meet business needs

Data and Information Technology Infrastructure: Data in known locations, consistent, complete, appropriately segregated from users, and risks are auditable

Defined Program: Strong processes for risk identification, measurement, reporting, monitoring and development of adequate controls

Slide 16

Key Attributes

Secure: Use risk-prioritized controls to meet requirements of industry standards and regulations, and protect against current and emerging risks

Resilient: The ability to repair damage caused by a security event and return to normal operations with minimal disruption

Vigilant: Promote situational awareness that will detect anomalies and violations of security protocols

Slide 17

Questions?

www.optiv.com