Track 2, session 5, aligning security with business kartik shahani

Cloud Meets Big Data1

16-17 November 2011. Grand Hyatt - Mumbai

Aligning Security to Business

Aligning Security to Business

2© Copyright 2011 EMC Corporation. All rights reserved.



Challenge: Expanding Identities

ContractorsPrivileged

UsersPrivileged

UsersPrivileged

UsersPrivileged

Users

BusinessAnalytics

EnterpriseApplications

Replica BackupDisk

Backup Tape

SharePointeRoom, etc.

File Server

DiskArrays

ProductionDatabaseInternal

Employees

Customer Entry Points

Channels

Customers

Partner Entry Points

Partners

Channels

Remote Employees

Channels

VPN

Apps/DB StorageFS/CMSNetworkEndpoint





Partners


CustomersRemote Employees

VPN

Internal Employees

Business Analytics

Enterprise Apps

Replica

Production

Backup Disk

Backup Tape

Disk ArraysSharePointeRoom, etc.

File Server


UsersPrivileged

UsersPrivileged

UsersPrivileged

Users

Challenge: Expanding Infrastructure

Cloud

Virtualization

Mobility





Internal Employees

Challenge: Increasing Threats

BusinessAnalytics

EnterpriseApplications

Replica BackupDisk

Backup Tape

SharePointeRoom, etc.

File Server

DiskArrays

ProductionDatabase

Privileged Users


UsersPrivileged

Users


Channels

Customers


Partners

Channels

Remote Employees

Channels

VPN


IP Sent to non trusted

userStolen IP

App, DB or Encryption Key

HackFraud

Stolen Credentials

Endpoint theft/loss

Network LeakEmail-IM-HTTP-

FTP-etc.

PrivilegedUser Breach

InappropriateAccess

Privileged UsersTapes lost or stolen

Data LeakVia USB/Print

Public Infrastructure Access Hack

UnintentionalDistribution

(Semi) Trusted User Misuse

Discarded disk exploited




Dark CloudDark Cloud

StolenCards Shop

Fraud ForumDiscussion

MuleNetwork

PhishingAttacks

TrojansAttacks

StolenCredentialsDatabase

Financial Institutes

Cloud

The Dark Cloud




Corporations are a new target for Cybercriminals

• Cybercriminals increasingly targeting corporations

• Value of extracted corporate resources is on the rise

• Social networks make it easier to launch targeted attacks

• Corporations required to harden their infrastructure




Online Financial Fraud targeted at Financial Institutes

TechnicalInfrastructure

Cash OutFraudster

Identity Harvester

OperationalInfrastructure

CommunicationFraud forum / chat room

User Account

Tools Hosting Delivery Mules Drops Monetizing

Phishing

Trojans

Pharming

Physical Theft / Card Skimming

Other Social EngineeringTechniques

PurchaseOnline

MoneyTransfer throughInternet Banking

ATM withdrawal

IVR/MobileChannel WithdrawalMechanisms




Question

Do you think Banks should implement a stronger form of authenticationTo identify online banking customers (other than user name & Password)when they log on and transact?

A. Yes

B. NO

C. I have no preference




Consumers Want Stronger Security for Online Banking

Impact: Stronger Security Can Drive Portal Usage




CSO/CIO Balancing Act

Brand Protection

Customer Services

Information Protection

Regulatory Controls

Globalization

CustomerProtection

Innovation

Productivity

Business EnablementBusiness Requirement




Enable BlockAuthorized customersPartnersEmployees

HarmfulemployeesCriminalsSpies

Identities Information

Public SensitiveMarketing

EarningsProduct Info

HealthrecordsIP/ PIIFinancial

Infrastructure

Endpoints

Internet

Corporate networks

Applications

Databases and files

Storage

Managing Information Infrastructure Security

Ensure the right people have access to the right information

over a trusted infrastructure

in a system/process that is

easy and efficient to manage




The RSA Approach Comprehensive Solutions

Identities Servers/AppsInformation

Enforce - Protect

Consoles

Map Monitor

Policy Aggregate

GRC Real Time Analytics

SIEM

Orchestrate - Monitor

Actionable




Question

In the light of the RSA approach to Risk Management, do you feel?

A. Proactive solution is the way forward

B. Benefits seem marginal compared to the effort and cost

C. I am happy with the current setup




Reserve Bank of India - Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds

• Information Technology Governance• Information Security• IT Operations• It Services Outsourcing• IS Audit• Cyber Frauds• Business Continuity Planning• Customer Education• Legal Issues

GRC

– Audit Management

– Policy Management

– User Awareness / communication tool

– Incident Management

Security Operations Centre

BS25599 compliance

Risk Based Authentication and Transaction Monitoring

Requirements Tools




Customer Case Study

Deliver innovative online banking services to maintain industry-leading position. Combat growing threat of online fraud

Get Visibility of the network and have proactive action taken

Ensure Compliance as per regulator and corporate governance

BEFORENEEDS

Investing in customer banking protection with an online anti-fraud strategy

“…RSA Adaptive Authentication and RSA FraudAction have accelerated the route to market for our enhanced online banking security features…”

, SVP and CISO, Information Security

Group,

AFTER

15 MENU

Easy-to-implement , convenient risk-based authentication fraud down by 80%

24x7 monitoring and alerting on online/network security risks

Layered approach resulted in >60% reduction in phishing attacks and accelerated route to market with GRC

PROGRESSIVE BANK




Information Security RSA

Objective 1:“Deliver innovative online banking services to maintain industry-leading position. Combat

growing threat of online fraud”






2FA / IPV DLP

Layer 1Identities Servers/AppsInformation

Enforce - Protect

Multi factor authentication &RE DLP




Protection with Multiple Layers and of Multiple

Channels

FraudAction Anti-Phishing

FraudAction Anti-Trojan

FraudAction Intelligence

Identity Verification

Adaptive Authentication Adaptive Authentication

for eCommerce Identity Verification

Adaptive Authentication

ACS Services Transaction

Monitoring Adaptive

Authentication for eCommerce

Identity Verification

Access Manager Adaptive Authentication Transaction Monitoring Identity Verification




Protecting Fraud Channels using Multifactor Authentication

Protected Applications: Retail Net Banking and CardsFinancial Transa

ctions

Money Transfers Internal/NEFT /RTGS• Int

ernal

• External (TPT)

Visa Money TransferBill Payment Electronic Payment InterfaceThird Party Credit CardCredit Card• Aut

o Pay

• Enhance Credit Limit

• Get Loan / Cash

Support Financial

Add Payee/ Beneficiary• T

PT

• TPCC

Update Profile• A

ddress

• Mobile /Email

Stop ChequesRequest Cheque book

Non Fi

nanci

al

View StatementRequest Statement

Analyze Access Risk Create risk score for access to sensitive resources

Risk Engine

Adaptive AuthenticationTransactions, URLs, Logins, Web services

Challenge Questions

Web Channel

Mobile Channel

IVR

EPI Channel

Ecommerce




RSA Adaptive Authentication with Transaction Monitoring




Securing Identities and Access using MultifactorRSA Authentication and Access Solutions

Multi-Factor User AuthenticationStrong Authentication for access to sensitive resources

Analyze Access RiskCreate risk score for access to sensitive resources

RSA Adaptive Authentication

Resource(s)(logins, URLs, web services, etc.)

Low Risk

Username/Password

Higher Risk

RSA SecurID HW RSA SecurID SW On-Demand

Trusted External Users

Manage Trust RelationshipsEstablish and control trust between organizations

RSA Federated Identity Manager

SAMLAssertion

Multi-Access ControlControl access to multiple resources

RSA Access Manager

RSA Authentication Manager




DLP Covers Your Entire Infrastructure

DISCOVER

MONITOR

EDUCATE

ENFORCE

DLP Network

DLP Datacenter DLP Endpoint

Email Web File shares Connected PCs

DLP Enterprise Manager

SharePoint Databases

Disconnected PCs




RSA Risk Remediation Manager (RRM)

RSA DLP Datacenter

SharePoint

Databases

Endpoints

NAS/SAN

Agents

Temp Agents

Grid

Virtual Grid

File Servers

RSA DLPRRM

File Activity Tools

GRC Systems

Apply DRM

Encrypt

Delete / Shred

Change Permissions

Policy Exception

Business Users

Discover Sensitive Data

Manage Remediation Workflow

Apply Controls




RSA Data Loss Prevention Suite

24

Enforce

Allow, Notify, Block, Encrypt

Enforce

Allow, Justify, Block on Copy, Save As, Print, USB, Burn, etc.

Remediate

Delete, Move, Quarantine

Discover

Local drives, PST files, Office files, 300+ file types

Monitor

Email, webmail, IM/Chat, FTP, HTTP/S, TCP/IP

Discover

File shares, SharePoint sites, Databases, SAN/NAS

DLP Enterprise Manager

DLP Datacenter DLP Network DLP Endpoint

Unified Policy Mgmt & Enforcement

Incident Workflow Dashboard & Reporting

User & System Administration

eDRM (e.g. RMS) Encryption Access Controls





Objective 2:“Get Visibility of the network and have proactive action taken”





Layer 1

Layer 2

Enforce - Protect

Consoles

Map Monitor

Aggregate



Enforce - Protect

Multifactor Authentication &RE DLP




How SIEM Enhances Security Operations

Automatic Processes(System)

Incident Management(Analyst)

asset, exposure, incident, vulnerability reportsWeb SOC monitorWeb SOC monitor

Incident Big Board

Security Operations Dashboard

Risk and Operations Efficiency Monitoring(Manager)

configuration management tools

scanners

patch info

bulk imports

applicationsserversfirewalls intrusion detection

events

Asset DBAsset DB

Vulnerabiltiy KnowledgeBaseVulnerabiltiy KnowledgeBase

Log RepositoryLog Repository

Workflow Management

Workflow Management

open, reassign, add logs, notate, escalate, close incident

NotificationNotification

correlation, alerting, auto assignment, prioritization, escalation

CVEs




RSA Security Incident Management in Action

Events occur on critical systems indicating a potential security breach.1

RSA enVision

enVision collects the events for immediate triage and reporting.2

RSA Connector Framework

RSA Archer Incident Management

Based on Event Rules, an Alert is triggered and security administrators are notified. The RSA Connector Framework automatically creates an Incident in RSA Archer Incident Management associating the specific Event data to the Incident.

3

The CISO has complete visibility through the entire process via dashboards and reporting.5

DevicesApplicationsBusinessProcesses

BusinessHierarchy Product/Services FacilitiesInformation

RSA Archer Enterprise Management

Security Administrators use the Incident Management capabilities in RSA Archer along with information from the RSA Archer Enterprise Management to assess the situation. An investigation is initiated and the incident is tracked and resolved.

4




WebFarm

FWs IDSs Apps Scanners

IPDBAssetDB

LogsVAReports

Real-time Correlation/Base-lining

Events

False IDS Alert Suppression

EventTrace

EE

AssetVulnerabilities

Auto-Escalation

Open Task

Close Task

TicketingSystem

Escalate Task

Task TriageAlerter

VulnerabilityKB

Task DB

VAMReporting

Asset ReportsExposure ReportsIncident ReportsVulnerability KB Reports

Web SOC Monitor

1. Incident\Risk Big Board2. SOC Efficiency Monitor

BulkImports

CMDBs& ConfigManagers

Discovered Changes

ConfigActions

Auto-assignmentAuto-prioritizationAuto-escalation

FeedbackLoop

EE

EE

ReassignAnnotate

Collaborative Incident Management

EventTrace

Watchlists

RSA enVision Enterprise/Security Operations Model

Log Collection

ReportingCorrelation




RSA enVision Deployment…to a distributed, enterprise-wide architecture

Cisco IPSOracleFinancial

Storage Device

Trend MicroAntivirus

Cisco IPSWindowsWorkstation

NetscreenFirewall

WindowsServer

OracleFinancial

Storage Device

Manage Manage Manage Manage

Analyze Analyze

Collect Collect Collect Collect Collect Collect Collect Collect Collect CollectRemotely

WindowsServers

ScheduledReportsRealtime

Correlation

Ad HocReports

RealtimeAlerting

RealtimeAlerting

eMailAlerts

Stockholm

Mexico India Europe China

Collect Remotely

Local Collection with Global Analysis

Fine Grain Role-Based Access Control





Objective 3:“Ensure Compliance as per regulator and corporate governance”





Layer 1

Layer 2

Layer 3


Enforce - Protect

Consoles

Map Monitor

Policy Aggregate

RSA Archer (eGRC)


Real Time Analytics

SIEM(Netwitness)

Panorama(Envision)




Supports complete incident lifecycle management from identification to resolution.IncidentsInvestigations

RSA enVision

The Security Incident Management Solution

Incident Events

DevicesApplicationsBusinessProcesses

BusinessHierarchy Product/Services Facilities

Brings business context of asset information to Incident Management for prioritization and reporting events in the context of IT GRC.

Information

Infrastructure Audit Trail

Event Database Event Rules

enV

isio

n

Co

llec

tor

sAlertsReporting

Collects and manages event data; Identifies critical issues from log data.

RSA Connector Framework

RSA Archer Incident Management

RSA Archer Enterprise Management

Seamlessly integrates SEIM infrastructure and GRC platform.

Network Forensic Analysis• Automated Malware analysis

and prioritization • Network Session Modeling• Network Forensic Store




Introducing the NetWitness Network Security Analysis Platform

Automated Malware Analysis and Prioritization

Automated Threat Reporting, Alerting and IntegrationFreeform Analytics for Investigations and Real-time Answers

Revolutionary Visualization of Content for Rapid Review




RSA Incident Management• Industry leading Security Incident and Event

Management (SIEM) technology for the automated identification and escalation of high priority security incidents

• Industry leading Incident Management solution that can handle proactive incidents no matter how they are detected giving complete flexibility in managing incident workflow using Panorama reporting into GRC

• A GRC platform that brings unprecedented business context to Incident Management processes and incorporates security incidents into wider enterprise risk management and compliance reporting and actionable decisions.Devices

Applications

Information

BusinessProcesses




Creating Actionable Intel. from Data Overload

Incidents Feed

Envision

ITGRC: Data Governance , Risk, Incident BCM & Compliance Management

Compliance High

Access Extreme

Vulnerabilities ExtremeVA and ThreatManagement

Asset Management (CMDB)

ExceptionManagement

• Control Exception Management• Documented ExceptionsMis-Configurations High

User AccessManagement

• User Groups• Roles and Permissions

DLP Violations Feed

DLP

Asset Feed

Information Assets

Asset Feed

Assets Classification

Incidents Priority

Technical ControlsProcess Controls

Self Assessment

ISO 27001 Assessment

Process Control Testing

BS25999 Assessment

PCI DSS SAQ

RBI Compliance Assessment

ISO 27001 Assessment

BS25999 Assessment

Inputs and Process Automation Layer

•Nessus, Qualys, Veracode, External threat feeds etc.

Other Incidents

BCM Incidents

Physical SecurityIncidents

Policy Comp. Assessment




GRC Processes Automation Framework

Archer

Enterprise Management• Targets of Evaluation: Business

Processes, Business Units, Information Assets,

• Target of Reporting: Business Hierarchy:

• Asset Classification• Policy Management• Risk Register• Identification of the Risk from various

sources

Governance• Holistic GRC Reporting• Dashboard: Risk & Compliance

• Key Perf. Indicators (KPI)• Key Risks Indicators (KRI)• Key Controls

• Performance Mgmt• Process Performance• Governance (e.g. coverage)• Performance & Quality Reviews

Assessments (Risk, Compliance, Audit, BCM, and Vendor)• Audit Management• Audit Programs• Risk Assessments• Compliance Assessments• Vendor Management• BCM

Monitoring• Frauds• Monitoring of Compliance,

Vulnerabilities and Threats• Monitoring of the KRI, KPIs• Findings Management• Remediation Plan Management• Exception Management• Global SOC• Global CERT

GRC Portal• Corporate Communication• Content Delivery• Compliance, Risk , BCM and

Security Awareness, Trainings, Surveys

• Website (single entry point)• Incidents Reporting:

• Compliance, • Security/Loss event




With RSA’s Security Incident Management Solution you can:

Enabling Effective Security Incident Management

• Collect security relevant events across your infrastructure

• Prioritize incidents based upon business context

• Manage incidents and investigations proactively to combat APT

• Report on your security and compliance posture




Conclusion: End-to-End Layered Protection is required. “A Lock on the Door” is Not Enough

On-Demand

Internal SOC

Enterprise Governance Risk and Compliance




RSA overall solution implementation

Pan

ora

ma Investigations

Netwitness

AVAuth

WAF DLP

ADWLAN

EP

URL

FW

IPS

Data Enhancement

Even

t A

ggre

gati

on

Loca

tion

Identity

Div

ision

Departm

ent

Data

Asse

t Valu

e

Geo In

foR

egula

tion SOC

Th

reats

Incid

en

ts

Policie

s

Archer

HR

Legal

Eng.Business

ReportingenVision




Cloud Compliance Architecture




Positive Business Outcome

The objectives of the customer were met with a cost effective Integrated Solution

• Increase customer confidence in online transactions (30% increase YoY)

• Reduce the Fraud and AntiPhishing / Anti Trojan for customers (>60%)

• Provide 24X7 Visibility of the Network and report critical incidents

• Proactive monitoring to save against APT’s

• Automated Compliance Reporting meeting Corporate and regulations




Summary

Key Take aways:

A breach/Incident is inevitable the key is to reduce the “Window of Vulnerability”

Use technology as a Business Enhancer rather than a cost

Your technology provider is a Partner not a Vendor choose Wisely

Risk Management is Strategic not Tactical - Scalable, Adaptive , Layered

RSA –EMC Can be that Partner




Question

With the presentation as a backdrop, what course would to take?

A. I would go ahead with an Integrated solution

B. I would go ahead with a Best of Breed Solution

C. I would go ahead with a Best for Need Solution




THANK YOUTHANK YOU