Moderator
Panelists
Protecting the Castle - Moats Don’t Work Anymore
Mike Rizzo, Chief Information Officer, Boston Financial
Kevin Hutchinson, Information Security Director, DST
“A Journey Through Time…”
10 Years of Information Security at Boston Financial
Mike Rizzo, Chief Information Officer, Boston Financial
The Beginning
Let the good guys in and keep the bad guys out.
A Simple Theme in 2004…
Our Common Threats
Trojans
Spyware & Malware
Identity Theft
Internet Hacks
Viruses
Partnerships
Our partnership to enhance security
Global issue requiring collaborative effort
Join in creating a “community defense”
What We Did…
Our Security Strategy
Defense in Depth!
What is a Strong Password?
1908
goat
Cubs
Sox2004#1!
Back2Back!
#34Mvp05!
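The slide lists six candidate passwords but does not state the rule behind them. As an added example (not code from the presentation), the check below applies the usual length and character-class policy and then a second, context-aware test; the thresholds and the small list of "fan context" words are assumptions for illustration.

```python
"""Password-policy check run over the candidate passwords from the slide.

Added example, not code from the presentation. The length/character-class
thresholds and the CONTEXT_WORDS list are assumptions: the deck shows the
candidates but does not state its policy.
"""
import re

# Candidates exactly as listed on the slide.
SLIDE_CANDIDATES = ["1908", "goat", "Cubs", "Sox2004#1!", "Back2Back!", "#34Mvp05!"]

# Constructed list of words a guesser who knows the user follows Boston sports
# would try first (assumption, for illustration only).
CONTEXT_WORDS = {"sox", "cubs", "goat", "mvp", "back2back", "boston", "red"}

MIN_LENGTH = 8
MIN_CLASSES = 3


def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit and symbol classes appear in pw."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def has_context_word(pw: str) -> bool:
    """True if the password is built around a predictable context word."""
    lowered = pw.lower()
    return any(word in lowered for word in CONTEXT_WORDS)


def has_year(pw: str) -> bool:
    """True if a 19xx/20xx year appears, e.g. a championship season."""
    return re.search(r"(?:19|20)\d{2}", pw) is not None


def classify(pw: str) -> str:
    """Return 'weak', 'complex-but-guessable' or 'strong'."""
    if len(pw) < MIN_LENGTH or character_classes(pw) < MIN_CLASSES:
        return "weak"
    if has_context_word(pw) or has_year(pw):
        return "complex-but-guessable"
    return "strong"


def report(candidates=SLIDE_CANDIDATES) -> dict:
    """Map each candidate to its verdict."""
    return {pw: classify(pw) for pw in candidates}


if __name__ == "__main__":
    for pw, verdict in report().items():
        print(f"{pw:12} {verdict}")
```

The first three candidates fail on length alone; the last three satisfy a typical complexity policy yet are assembled from guessable fan context, which is why a complexity rule on its own is not a strength measure.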
Targeted Solutions but Silo Focused
Firewall
IDS
Configuration Management
IPS
Patch MGMT
Change Control
Antivirus
Reconnaissance, Spear Phishing, Credential Loss, Malware
Multi-Factor Authorization
What Were Our Biggest Challenges? 2006 to 2010
Managing multiple, emerging “Threat Spheres”
Making effective use of security monitoring and log review
Portable device control and auditing
Data leakage control at the desktop and the perimeter
Creating an effective wireless strategy
Enhancing security standards as businesses and networks go offshore and offsite
The consumerization of the network: controlling iPods, iPhones and Web 2.0
Dealing with emerging security threats and attack trends
Involving our vendors and business partners in privacy-related communications and strategies
What Were We Doing About It?
Email Encryption
Persistent Vulnerability Scanning
Web Extranet Applications 3rd Party Pen Test
3rd Party Firewall and Router Review
Centralized Device Control for all Workstations
Vericept Data Leakage Monitoring
Qualys Subscription Scanning Service
Merging of Intrusion Detection and Anomaly Detection Systems
Laptop and PDA Encryption
Voltage - Identity Based Encryption
Encryption Requirement for Transportable Media
USB Thumb Drives Restricted to Authorized Use
Two Factor Authentication - Remote Access
Single Sign-on DST Applications
Enhanced Due Diligence with 3rd Party Providers
Our View of the 2011 - 2013 Landscape
Malware: 92% of email spam contains a web link, and 74% of those links are malicious. Multiple vehicles are possible to deliver malware (PDF, Java Apps); Adware is the primary offender.
Mobile Devices - BYOD: 90% of employees including executives use mobile devices; less than 50% employ security policies on the devices; malware targeting mobile devices grew 155% in 2011.
Data Leak Prevention (DLP)
Identity Access Management
Country Sponsored Attacks, Professional Hacking Organizations
State of the Electronic Communications Environment: Secure the information and the access to that information but be device agnostic. Who can access what info from where, and what can they do with it? Access to external email accounts via corporate network. Compelling new apps, e.g. social media, make it easy and ‘normal’ to share information.
eMail Spam Volumes and Complexity
Proliferation of Internet Accessible Devices
Know Thy Adversary… Who Is The Enemy?
External Threats: A Sophisticated, Ever-Moving Target
Sophisticated Criminal Networks Using Online Shadow Economy - Offering Diverse Services Replete with Biz Models, Service Guarantees…
The Explosive Proliferation of Malware: Botnets, iFrames, Trojans, Password Harvesters…
Subversion of Legitimate Websites using iFrame Vulns
Criminal Hackers Evolving Faster than Internet Users
Risk was moving from Perimeter to the Desktop!
At the End of 2012
We thought our primary threat was Malware, so we took these steps:
Implemented Dynamic Content Filter Solution
Implemented Next-Gen Firewall Technology
Implemented Hybrid Email Protection
Implemented Browser Sandboxing Solution
Implemented Phase 1 of Identity Access Management Infrastructure
Our View of the Landscape Today
Fundamentally the landscape hasn’t changed that much since 2005. The threat vectors are similar.
But…
Pace has changed dramatically
Complexity and persistence have increased significantly
There are more points of exposure now
Adversaries are smarter, better funded and have better tools
So are we, and now we are starting to see a community of defense form to combat a common enemy
Operationalizing Cyber Intelligence at Boston Financial
Intelligence Sources:
  Financial Services Information Sharing and Analysis Center (FS-ISAC)
  Financial Services Sector Coordinating Council (FSSCC)
  Advanced Cyber Security Center (ACSC)
  Federal Entities and Agencies including the , FBI and Homeland Security
  Verizon
  FireEye / Mandiant Report
Output:
  Vulnerability Indicators
  Threat Indicators
  DDoS Alerts
  Cyber Threat Alerts
  Analysis Requests
  Emerging Threat Warnings
  Critical Infrastructure Protection Guidance
  Security Policy Guidance
Evaluate, Correlate & Prioritize:
  Enterprise Information Security
  ISO
  Information Security Threat and Vulnerability Analysis Team (ISTVAT)
  Internal Task Force
  Managed Security Services
  Shared Organization Info
  Security Operations
  Threat & Vulnerability Analysis Team
Recommendations & Response:
  Threat Warnings
  DDoS Alerts
  Malware Signature Updates
  Social Engineering Awareness
  Educational Awareness
  Security Policy Updates
  Input for Patching Prioritization
  Client Response
  Crisis Communications
An Orchestrated Defense
Information Security Environment at Boston Financial V10.1
Data Exchange Layer: An innovative, real-time, bi-directional communications fabric providing product integration simplicity. Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products, enabling security intelligence and adaptive security.
Asset, Threat, Identity, Activity, BPM, Risk, Data, Location
2015 Cybersecurity Strategic Investments
Risk Mitigation: Requires ongoing investment in solutions to improve our effectiveness in preventing or rapidly containing existing and emerging threats
1. Network Edge control – Honeypot technology - Complete
2. Data leakage prevention (DLP) solutions for email - Complete
3. Email encryption (McAfee) - Complete
4. Automate identity & access management processes – Phase 1 Complete
5. RSA Archer Governance Risk and Compliance (GRC) – Phase 1 Complete
6. Upgrading Incident Response Capabilities (3rd party partners) – In process
7. Network Access Control within our internal infrastructure - Complete
8. Implemented Risk Based Authentication for VPN connection - Complete
Strategic Plans for 2016 - 2017
1. Incorporate Security Incident and Event Monitoring (SIEM) within infrastructure
2. Enhance our endpoint protection to help prevent malware and zero-day threats
3. Partner with our ISP to implement Distributed Denial of Service attack mitigation for our infrastructure
4. Partner with a third party for enhanced phishing training
5. Enhance mobile device protection
6. Continue to align with the NIST standards
7. Upgrade/replace the Intrusion Prevention System (IPS)
Information Security, Privacy and Risk Overview
Kevin Hutchinson, Information Security Director, DST
Enterprise Services Executive Leadership
Vercie Lark, Executive Vice President & Chief Information Officer
Business Unit (Product Dev.) Chief Information Officers: ALPS - B. Szydlowski; AMS - M. Stubblefield; Argus - M. Gentry; BPS - D. Sherry; Blue Door - ; Brokerage - W. Tyner; Comms. - M. Miller & W. Marinko; IFDS UK - Simon Moorhead; Health Solutions - T. Hurley; Retirement - L. Carnesecca
Information Protection - Don Ainslie
Technology R&D - Peter Clark
IT Services (WWS) - Ian Harris
Chief Data Officer - Recruiting
Quality & Compliance Officer - To Be Hired
Infrastructure - Alex Burbatsky
Business Planning - Bill Chisholm
ERP Development - Archie Wesley
Information Protection Executive Leadership (Oct 2015)
Don Ainslie, VP, Enterprise Security, Privacy and Risk
Chief Information Security Officer - OPEN
Mike Mahoney, Physical Security Director
Dan Thomas, Chief Privacy Officer
Derek Bridges, Enterprise Risk Officer
Amy McVay, Director, Crisis Management & BC
Kevin Hutchinson, Director, Security Operations
Brian Kemp, Manager, Security Architecture
Information Security
Integrated security policies that are aligned with the ISO 27001/27002 framework and migrating to the National Institute of Standards and Technology (NIST) Cybersecurity Framework
Managed through a tiered enterprise governance model aligned with strategic goals and mitigating risks associated with information management
An enterprise security program for governance, risk and compliance ensures that all associates follow the same guidelines and practices when handling customer information
A Defense-in-Depth, layered approach, augmented by more holistic “Threat Intelligence” and information sharing strategies, provides multiple layers of not only protection but prevention
DST Security Model
Risk Assessment
Architecture Policies & Standards
Training & Awareness
Configuration Compliance
Proactive Surveillance
Proactive Operations
Governance & Audit
Continuous Improvement Life Cycle with a focus on getting back to the basics
Areas of Emphasis 2015 - 2017
Risk and Compliance Management
DST Information Security – Layered Defenses
Personal Devices: Desktop Login Authentication (Strong Passwords); AntiVirus, Anti-Spyware, Encryption, USB Port Blocking; Security Patch/Configuration Management
Networks (Internal & External): Network Login Authentication (Strong Passwords); Firewalls, Network Access Controls & DDoS Services; Data Encryption & Data Loss Prevention, Web Filtering; Vulnerability Scanning & Penetration Testing; Security Patching & Configuration Mgt./Auditing
Data Centers: Perimeter Access Gates & Bollards, Security Guards; Biometric & Badge Access Controlled Rooms; 24x7 Surveillance
Servers: Server Login Authentication (Strong Passwords); Vulnerability Scanning & Exploit Remediation; Data Encryption & Access Monitoring/Auditing; Security Patch/Configuration Management
Applications & Databases: Application Login Authentication (Strong Passwords); Vulnerability Scanning & Exploit Remediation; Database Access Monitoring/Auditing; Security Patch & Configuration Management
DST Information Security – Strategic Programs
Proactive Risk Management: Requires proactive investment in solutions, infrastructure and skills to prevent and eliminate emerging risks while maintaining industry compliance
Incremental investment in security tools and services (Target):
1. Application source code scanning - Complete
2. Data leakage prevention (DLP) enhancements - Complete
3. Database access monitoring enhancement - Complete
4. Identity & access management solutions - WIP
5. RSA Adaptive Authentication Solutions - FY 2016
6. Security information & event management (SIEM) - Ongoing
7. Talent acquisition & recertification - Ongoing
8. Vulnerability scanning & penetration testing - Ongoing
DST Security & Compliance (2015 - 2018)
Strategic Programs (2-3 Years)
1. Active counter measures (Intrusion prevention)
2. Application security coding standards & certification
3. Enhanced security training & awareness programs
4. Global privacy & data leakage prevention
5. Global risk & crisis management programs
6. Logical access management enhancement
7. M&A playbook (day one & post integration standards)
8. Strengthen 3rd party security management processes