Predictive Security Intelligence – Driving a Productive Partnership between security, audit and risk
Tuesday October 23, 2012, FS-ISAC Fall Summit
Vickie Miller, Sr. Director, Information Security, FICO
Seema Sheth-Voss, Director, Solutions Marketing, Core Security

Page 1: Fs isac fico and core presentation10222012

Title slide: Predictive Security Intelligence – Driving a Productive Partnership between security, audit and risk (FS-ISAC Fall Summit, Tuesday October 23, 2012; Vickie Miller, Sr. Director, Information Security, FICO; Seema Sheth-Voss, Director, Solutions Marketing, Core Security)

Page 2

Agenda

• Overview of FICO and security organization
• Security analytics journey at FICO
• Parallel between FICO’s business & challenges with security data
• CORE Insight solution and value
• Building a resilient and predictive security architecture

Page 3

A bit about FICO

• Founded in 1956, FICO is a leading provider of credit scoring, decision management, fraud detection and credit risk score services.
• The concepts that are of interest include:
  − Multi-dimensional profiling capabilities
  − Neural networks
  − Adaptive analytics
  − Self-calibrating outlier analytics
  − Integration with man-made rules to detect anomalous activity
  − Integration with man-made rules to determine courses of action based on the output of machine-generated anomaly detection and the output of man-made anomaly detection

Page 4

Security organization at FICO

• Application Security with static and dynamic code analysis
• Security Operations: logging, IDS/IPS, FIM, PVM
• Governance, Risk and Compliance: internal and external audits

Defense focused today; need to shift and evolve to proactive and predictive.

Page 5

Challenges at FICO

Challenge of internal communication
• Managing Up!
• Communicating across the matrix and the globe

Need for operational efficiency
• Multiple IT delivery models
• Cloud
• Challenges with SLAs

Need to protect our environment
• Risk and Compliance pressure
• Need for scalability and automation in risk assessment, but with the ability to react quickly
• Cost of labor and lost opportunity cost

Page 6

Parallels between our business and my team

• FICO’s business uses advanced predictive analytics in the transaction stream to prevent fraud loss.
• Security uses Snort rules and packet inspection to detect anomalous activity.
• FICO uses a consortium of data & real-time input to detect the changing nature of fraud (Card Alert – Michaels).
• Security searches millions and millions of log files looking for event correlations.

Page 7

Security organizations lack preventative or predictive tools that other businesses have

Page 8

Predictive Security Intelligence - Taking a performance and analytics driven approach

What should we do about risks?

How do we convey the risk to get action?

What is happening? Why? What is likely?

What really matters and what doesn’t?

Page 9

Layered controls at each part of the technology stack, but no correlation

• The vast majority at the management software layer are built to defend, react or monitor
• This model has inherent gaps:
  − Overwhelming amounts of data
  − Little correlation / communication between solutions
  − By the time alerts go off, it’s too late

Page 10

FICO’s solution: What is likely to happen? Understand security posture before a breach happens.

Page 11

Visualize the most likely attack paths to crown jewel assets or data

Focus on the most critical vulnerabilities which have business or reputation impact

Page 12

What really matters? Get above the noise of the security data.

Challenge: false positives, and making sense of the noise.

Continuous cycle:
1. Incident and scan data: discover assets, collect incident data and scan for vulnerabilities.
2. Simulate or test: identify and prove critical exposures.
3. Remediation: apply patches and other updates.
4. Repeat: validate fix effectiveness.

Page 13

Value of getting above the noise of data

Before
• Small security staff
• Needed to scale and enhance testing, understand risk to most critical assets
• Getting 82,000 vulnerability signatures from scanner
• Yet only working on 300 results due to resource constraints (hopefully the right 300?)
• Yearly vulnerability management cost: $144,000
• Yearly remediation/patch management estimate at 300 tickets passed to IT: $700,000

After
• Proactively determine attack path across 1000 assets
• Identified the 30 most critical exploitable vulnerabilities of the 82,000 worth addressing first
• Prioritize & validate vulnerabilities

Savings
• VM costs per year: $43,200
• Trouble tickets passed: ~30

Page 14

Conveying risk & prompting action: a balancing act between risk reduction and making security “easier” and cost efficient

Audit Officer: “We need security to let us know whether controls are in place and working.”

Chief Risk Officer: “Security metrics need to be conveyed in language of enterprise risk.”

VP of IT: “The business needs new functionality, but my team is fixing things that may not even be real.”

CISO: “We’re spending a lot on tools, but I can’t say whether we’re improving our overall security posture …”

Compliance Officer: “Security needs to be an enabler, but checkbox mentality creates a divide.”

Pen Test Team: “We have the best team, but we can’t scale and periodic assessments quickly become outdated.”

Security Director: “Our security data log contains over X million records, but it’s difficult to determine what is truly most vulnerable.”

(Slide axes: Technology / Business)

Page 15

What should we do with security data?

• Security Metrics and Reporting with Continuous Assessment
• Status of the safeguards
• Trending
• Change management
• Hand-off to remediation systems
• Enterprise Risk Management
• Business continuity
• Reputation

Enabling performance-management-like best practices for security.

Page 16

Core Security – Our journey to Security Intelligence

• Leading provider of predictive security intelligence solutions
  − Established: 1996; first commercial product: Core Impact, 2001
  − Headquartered in Boston, CoreLabs in Buenos Aires
  − 1,400 customers, ~200 employees
• Diverse, experienced organization driving segment leadership
  − Experienced management: backgrounds include Sophos, CA, Symantec, Seagate, IBM
  − Active Customer Advisory Board and Core Customer Community group
  − Consistent award recognition from industry groups and media
• Groundbreaking research & product development
  − Leading-edge consulting services bring field experience
  − CoreLabs vulnerability research team is world renowned
  − 9 patents approved / 12 pending

Page 17

CORE’s security intelligence solution in action

1. Environment Profiling and security data collection: tell Insight about your environment.
2. Campaign Definition: you define critical IT assets (aka goals), scope and timing.
3. Threat Planning and Simulation: Insight calculates likely attack paths to your defined assets.
4. Threat Replication: Insight attempts to exploit vulnerabilities along the paths.
5. Adaptive Path Adjustment: Insight seeks new paths as systems are compromised.
6. Infrastructure Change: campaigns can automatically adapt as you deploy new systems (diagram callouts: “Security Verified!”, “New system added to environment!”).
7. Dashboard / Reporting: Insight presents findings in terms relevant to your organization.
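The seven steps above amount to a graph search over an asset inventory, which is also what the "attack path across 1000 assets" figure on slide 13 and the scan / simulate / remediate cycle on slide 12 describe. The Python below is an added example written for this page; it is not Core Security's or FICO's code and does not claim to be how CORE Insight is implemented. It assumes a constructed inventory (host names, reachability lists and finding ids such as F-101 are made up for the demo) and a deliberately simple model in which a host can be compromised only if it carries a validated finding. It enumerates every path from an entry point to a goal asset, ranks each finding by whether fixing it alone cuts a goal off and by how many goal paths it sits on, and re-plans after a new system is added, which is the point of step 6.

```python
"""Attack-path prioritisation over a constructed asset graph.

Added example, not FICO's or Core Security's code. Host names, reachability
and finding ids are constructed; the compromise model is an assumption.
"""
from collections import defaultdict
from copy import deepcopy

# Constructed inventory: host -> validated findings and the hosts it can reach
# (network reachability as a firewall review would record it).
HOSTS = {
    "web-01":       {"findings": ["F-101"], "reaches": ["app-01", "app-02"]},
    "app-01":       {"findings": ["F-202"], "reaches": ["db-01"]},
    "app-02":       {"findings": ["F-203"], "reaches": ["db-01"]},
    "db-01":        {"findings": ["F-303"], "reaches": []},
    "hr-pc-07":     {"findings": ["F-404"], "reaches": ["fileshare-01"]},
    "fileshare-01": {"findings": ["F-505"], "reaches": []},
    "dev-box-11":   {"findings": ["F-606"], "reaches": []},  # isolated: noise
}
ENTRY_POINTS = ["web-01", "hr-pc-07"]   # internet-facing / phishing-exposed
GOALS = {"db-01", "fileshare-01"}       # the campaign's crown-jewel assets


def exploitable(hosts, name):
    """Assumed model: a host can be compromised only if it has a validated finding."""
    return bool(hosts[name]["findings"])


def attack_paths(hosts, entry_points, goals):
    """Enumerate simple paths from entry points to goals, stepping only onto
    exploitable hosts (DFS; fine for inventory-sized graphs)."""
    paths = []

    def walk(node, path):
        if node in goals:
            paths.append(path)
            return
        for nxt in hosts[node]["reaches"]:
            if nxt not in path and exploitable(hosts, nxt):
                walk(nxt, path + [nxt])

    for entry in entry_points:
        if exploitable(hosts, entry):
            walk(entry, [entry])
    return paths


def rank_findings(hosts, entry_points, goals):
    """Rank findings by (goals that become unreachable if only this finding is
    fixed, number of goal paths it lies on). Findings off every path sort last."""
    base_paths = attack_paths(hosts, entry_points, goals)
    reachable_goals = {p[-1] for p in base_paths}
    on_paths = defaultdict(int)
    for p in base_paths:
        for host in p:
            for f in hosts[host]["findings"]:
                on_paths[f] += 1
    ranked = []
    for host, data in hosts.items():
        for f in data["findings"]:
            patched = deepcopy(hosts)          # "what if we fixed just this one?"
            patched[host]["findings"].remove(f)
            still = {p[-1] for p in attack_paths(patched, entry_points, goals)}
            ranked.append({"finding": f, "host": host, "paths": on_paths[f],
                           "goals_cut": sorted(reachable_goals - still)})
    ranked.sort(key=lambda r: (-len(r["goals_cut"]), -r["paths"], r["finding"]))
    return ranked


def with_new_host(hosts, name, findings, reaches, reached_from):
    """Return a copy of the inventory with a new system added (step 6: re-plan
    now rather than waiting for the next periodic assessment)."""
    updated = deepcopy(hosts)
    updated[name] = {"findings": list(findings), "reaches": list(reaches)}
    for src in reached_from:
        updated[src]["reaches"].append(name)
    return updated


if __name__ == "__main__":
    for p in attack_paths(HOSTS, ENTRY_POINTS, GOALS):
        print(" -> ".join(p))
    for r in rank_findings(HOSTS, ENTRY_POINTS, GOALS):
        print(r)
    # A new VPN concentrator (constructed) with its own finding gives a second
    # way into app-01, so fixing F-101 on web-01 alone no longer cuts off db-01.
    changed = with_new_host(HOSTS, "vpn-01", ["F-707"], ["app-01"], [])
    for r in rank_findings(changed, ENTRY_POINTS + ["vpn-01"], GOALS)[:4]:
        print(r)
```

On the constructed data, F-101 and F-303 come out first because each is a choke point for db-01 and lies on both paths to it, F-202 and F-203 rank lower because either one alone can be bypassed, and F-606 on the isolated dev box sorts last with no path at all, which is the "30 of 82,000" effect on slide 13 in miniature. Adding vpn-01 drops F-101 out of the choke-point tier, which is why the campaign has to re-plan on infrastructure change rather than reuse last quarter's ranking.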

Page 18

CORE Insight: Start improving the effectiveness of your vulnerability management program

“Based on what I outlined above I see this type of dashboard capability as a real need for security officers. As I like to say: ‘You get what you measure.’ Metrics change behaviors; that’s their value. Sharing those measurements so people know the value of your efforts is a best practice.”
– Ed Ferrara, Forrester blog in ComputerWorldUK, October 8, 2012

Page 19

CORE Insight Platform tomorrow – Predictive Intelligence to your existing security ecosystem

Diagram components: SIEM; CORE Insight Enterprise; Security Suite (Firewall, IDS/IPS, Vuln Scan, DLP); GRC.
Data flows shown: Security Data; Alerts to be Validated; Vulnerability and Threat Validation; Threat Path Vector Analysis.

Page 20

Intelligence and Measurement drives cross-organizational partnership

Stakeholders: Security Team; Audit and Compliance; VP of IT; Operational Risk Officer.

• Track remediation and fix the right things
• Streamline workflow and correlate data across multiple vulnerability management tools
• Validate vulnerabilities and test controls
• Convey cyber risk in operational terms

Strike the balance: let’s predict to keep bad guys out & make better decisions and not ‘break the bank’.

Page 21