Information security trends and concerns


Published on March 1, 2014

Author: JohnNapierPMP



JP Morgan Presentation on Information Security Trends and Concerns by John Napier, PMP, CSM of Ronin Consulting

June 2009
Information Security: Trends and Concerns
Dealing with Change and Facing Reality
Ronin Consulting, John Napier

Major Trends 2009-2010
• Increasingly complex regulatory environment
• Increased focus of attacks on specific targets
• Mass accumulation of system access
• Increased threats to privacy and reputational risk
• The “extended enterprise” and cloud computing
• The evolution of “security” into risk management
…And a rapidly changing market and financial landscape

A dose of reality
• Financial realities have changed
• Increasing push to rationalize IT spend
[Chart: two series plotted over 2005–2009; left axis 0–140, right axis 0–800; series labels not recoverable]
• How to balance the need to reduce risk with the need to be fiscally responsible?
• In good times as well as in bad

Driving Productivity in IT Security
Get more efficient with operations
• Zero-based budgeting
• Automate and streamline the commodities
• “Fix the plumbing”: eliminate variance
Prioritize risk investments
• Focus on risk reduction and achievability
Leverage a small set of meaningful metrics

Areas of Focus for 2009-2010
Risk Area → Major Initiative
• Regulatory complexity → Automated compliance
• Attack focus and sophistication → Change in protection models
• Privacy & reputational risk → Data management and risk avoidance
• Access accumulation → Automation & role-based access
• The “extended enterprise” → “Virtual desktop” and data-centric security models
• Evolution of security into risk management → Risk prioritization model & better use of metrics

#1: Increased regulatory complexity
The past few years have seen an increase in regulations and compliance requirements:
• Gramm-Leach-Bliley compliance
• FFIEC Guidance on Authentication
• Interagency White Paper
• Breach notification statutes
• PCI compliance
• Sarbanes-Oxley
• Pending legislation
This has required more rigor of existing programs.

#1: Increasing regulatory complexity (cont’d)
Moving from manual to “continuous assessment”, automating where possible.
[Diagram: Business initiatives → Assessable entities → Risk score → Controls → Tools]

#1: Increasing regulatory complexity (cont’d)
[Diagram: risk-assessment and scorecard model. Assessable entities are evaluated against policies & standards and LOB-specific processes & analysis; controls, impact, likelihood (probability), vulnerabilities and threats feed a risk rating. Each LoB gets a compliance and non-compliance scorecard of IT control ratings per control (rating bands shown: 1 or 2, 3, 4 or 5); these roll up into an aggregated firmwide compliance and non-compliance scorecard over common firmwide controls & processes. Illustrative aggregated scorecard as drawn: Control #1 / Entity #1: 1; Control #2 / Entity #2: 3; Control #3 / Entity #3: 2; Control #4 / Entity #4: 4; Control #5 / Entity #5: 1. Data can be presented by entity or by control.]
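As an added example (not from the presentation), the scorecard roll-up sketched on this slide can be modelled as a table of (entity, control) ratings that is pivoted either by entity or by control and then aggregated firmwide. The entity and control names, the ratings, the meaning of the 1–5 scale and the cut-off treating 4 or 5 as non-compliant are all assumptions made here for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed, illustrative ratings: (assessable entity, IT control) -> rating.
# Assumed scale (the slide shows bands "1 or 2", "3", "4 or 5" without defining them):
# 1 = control fully effective ... 5 = control ineffective.
RATINGS = {
    ("LoB #1", "Control #1"): 1, ("LoB #1", "Control #2"): 3,
    ("LoB #1", "Control #3"): 2, ("LoB #1", "Control #4"): 4,
    ("LoB #2", "Control #1"): 2, ("LoB #2", "Control #2"): 5,
    ("LoB #2", "Control #3"): 1, ("LoB #2", "Control #4"): 2,
    ("LoB #3", "Control #1"): 1, ("LoB #3", "Control #2"): 2,
    ("LoB #3", "Control #3"): 4, ("LoB #3", "Control #4"): 5,
}
NON_COMPLIANT_FROM = 4  # assumption: ratings of 4 or 5 count as non-compliant


@dataclass(frozen=True)
class Scorecard:
    name: str
    worst: int            # highest (worst) rating in this row
    non_compliant: tuple  # names on the other dimension that are non-compliant
    compliant_pct: float


def _roll_up(ratings, key_index):
    """Group ratings by one dimension (0 = entity, 1 = control) and score each group."""
    groups = defaultdict(dict)
    for pair, rating in ratings.items():
        groups[pair[key_index]][pair[1 - key_index]] = rating
    cards = {}
    for name, row in sorted(groups.items()):
        bad = tuple(sorted(k for k, r in row.items() if r >= NON_COMPLIANT_FROM))
        pct = 100.0 * (len(row) - len(bad)) / len(row)
        cards[name] = Scorecard(name, max(row.values()), bad, round(pct, 1))
    return cards


def by_entity(ratings=RATINGS):
    """LoB scorecard: one row per assessable entity."""
    return _roll_up(ratings, 0)


def by_control(ratings=RATINGS):
    """Firmwide control view: one row per common control."""
    return _roll_up(ratings, 1)


def firmwide(ratings=RATINGS):
    """Aggregated compliance / non-compliance summary across all pairs."""
    bad = [k for k, r in ratings.items() if r >= NON_COMPLIANT_FROM]
    return {"pairs": len(ratings), "non_compliant": len(bad),
            "compliant_pct": round(100.0 * (len(ratings) - len(bad)) / len(ratings), 1)}


def render(cards):
    """Plain-text scorecard for a status report."""
    return "\n".join(
        f"{c.name:<12} worst={c.worst} compliant={c.compliant_pct}% "
        f"non-compliant={list(c.non_compliant)}"
        for c in cards.values()
    )


if __name__ == "__main__":
    print("By entity:\n" + render(by_entity()))
    print("By control:\n" + render(by_control()))
    print("Firmwide:", firmwide())
```

The same rating table drives both views, which is the point of the slide: a reviewer can ask "which LoBs have a weak Control #4?" or "which controls is LoB #3 failing?" without re-assessing anything.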

#2: Increased focus of attacks
[Chart: attack types plotted by breadth of impact against damage: worms, viruses, phishing & pharming, spearphishing & malware; date ranges shown: 1990–present, 2000–present, 2003–present, 2006–present]

#2: Increased focus of attacks (cont’d)
[Diagram: attacker motives and techniques: espionage, profiteers, hacktivism; botnets, “designer malware”, simple exploits, web defacement, denial of service; data exfiltration; innovation and efficiency to combat commoditization]

#2: Increased focus of attacks (cont’d)
We see an interesting dichotomy:
• Widespread exploitation of old vulnerabilities
• Microdistribution of sophisticated, targeted malware
So, we need to adapt our protection models:
• Incessant, rigorous follow-up on baseline protection
• Blacklisting vs. whitelisting: does either one really work?
• Better visibility: cross-device correlation of security events

#3: Privacy and Reputational Risk
Data Protection Initiative
• Cover all data, initial focus on PII
• Balance reduction in risk and achievability
• Slow down the velocity of leakage of confidential data
• Combination of awareness, technology, and process controls
Areas of focus:
• When data leaves the firm
• When data is on portable media
• When data is widely available

#3: Privacy and Reputational Risk (cont’d)
• Prioritize efforts based on reducing potential “velocity” of data leakage
• Migration to tapeless backup
  • Core-to-Bunker, Remote-to-Core
• Controls on portable devices
  • Laptop encryption
  • Removable media controls
• Filtering of Personally Identifiable Information (PII)
  • Email, FTP, HTTP filtering at gateways
  • Discovery of PII on fileshares
  • Application PII remediation
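As an added example (not part of the presentation), a minimal PII discovery pass of the kind used for fileshare scanning and gateway filtering: it looks for SSN-shaped and card-number-shaped strings, discards look-alikes with plausibility checks (SSA-issued area/group/serial ranges, Luhn mod-10 for card numbers), and reports only masked values so the scanner itself does not become a new copy of the data. The share paths and file contents are constructed here; nothing in them is real.

```python
import re
from dataclasses import dataclass

# Constructed sample "fileshare" (path -> contents). All values are made up
# and chosen to exercise both true positives and look-alike false positives.
SAMPLE_FILES = {
    "//fs01/hr/onboarding.txt": "New hire SSN 219-09-9999, start 2009-06-01.",
    "//fs01/finance/refunds.csv": "cust,card\nacme,4111111111111111\nbeta,4111111111111112\n",
    "//fs01/it/inventory.txt": "Asset tag 000-12-3456 is not an SSN; PO 123456789012.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def ssn_plausible(area, group, serial):
    """Reject SSN-shaped strings the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn mod-10 check; filters most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str    # "ssn" or "card"
    masked: str  # the full value is never carried into reports or logs


def scan_text(path, text):
    """Scan one file's contents; return masked findings with their line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(path, lineno, "ssn", "***-**-" + m.group(3)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(path, lineno, "card",
                                        "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def scan_share(files=SAMPLE_FILES):
    """Walk the (constructed) share and collect findings from every file."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def findings_per_path(findings):
    """Summary suitable for prioritising remediation: how many hits per file."""
    counts = {}
    for f in findings:
        counts[f.path] = counts.get(f.path, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_share()
    for f in hits:
        print(f"{f.path}:{f.line} {f.kind} {f.masked}")
    print(findings_per_path(hits))
```

The plausibility checks matter for the "slow down the velocity" goal: a scanner that floods the remediation queue with asset tags and purchase-order numbers gets ignored, so the inventory file above is correctly reported as clean.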

#4: Identity & Access Management
• Many incidents and most SOX findings are driven by access issues
  • Privileged access
  • Access certification
  • Offboarding / transfers
• Significant employee impact
  • Onboarding
  • General provisioning
• Complicated and not well-understood
• Exponentially complex in large organizations

#4: Identity & Access Management (cont’d)
[Diagram: access-request models plotted by ease of use (low to high) against scalability / cost saving (low to high): Component Level Access Request; Component Level Access Request With Links To Automation; Role Level Access Request; Rule Driven Access (No Request Required); auditability marked as a further dimension]
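As an added example (not from the presentation), covering both the access-issue list on the previous slide and the “rule driven access” end of this one: entitlements are derived from HR attributes (role and employment status) with no request required, and an access certification is then a diff between what the directory actually grants and what the rules say it should. The drift it surfaces is exactly the slide's incident drivers: a transfer that kept old access, an offboarding that revoked nothing, and an onboarding with incomplete provisioning. Role names, application names and employees are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed rule-driven access model. Role names, application names and
# employees are assumptions for illustration, not any firm's real data.
BASELINE = {"email", "intranet"}          # birthright access for any active employee
ROLE_RULES = {
    "trader": {"trading-platform", "market-data"},
    "ops":    {"ticketing", "server-console"},
    "hr":     {"hris", "payroll"},
}


@dataclass
class Employee:
    uid: str
    role: str
    status: str                                      # "active" or "terminated"
    entitlements: set = field(default_factory=set)   # what the directory grants today


def expected_entitlements(emp):
    """Rule-driven access: derive entitlements from HR attributes, no request needed."""
    if emp.status != "active":
        return set()                                 # terminated staff keep nothing
    return BASELINE | ROLE_RULES.get(emp.role, set())


def certify(emp):
    """Access certification for one account: actual grants versus the rule-derived set."""
    expected = expected_entitlements(emp)
    return {"excess": sorted(emp.entitlements - expected),
            "missing": sorted(expected - emp.entitlements)}


def certification_exceptions(employees):
    """Only the accounts a reviewer needs to look at: anything showing drift."""
    report = {}
    for emp in employees:
        result = certify(emp)
        if result["excess"] or result["missing"]:
            report[emp.uid] = result
    return report


# Constructed directory snapshot
STAFF = [
    Employee("alice", "trader", "active",
             {"email", "intranet", "trading-platform", "market-data"}),
    # bob transferred from ops to trader; his old console access was never removed
    Employee("bob", "trader", "active",
             {"email", "intranet", "trading-platform", "market-data", "server-console"}),
    # carol left the firm but offboarding did not revoke her accounts
    Employee("carol", "hr", "terminated", {"email", "hris"}),
    # dave was onboarded with incomplete provisioning
    Employee("dave", "hr", "active", {"email", "intranet", "hris"}),
]

if __name__ == "__main__":
    for uid, drift in certification_exceptions(STAFF).items():
        print(uid, drift)
```

Because the expected set is computed rather than requested, the same function that flags excess access during certification can be run at every HR status change to remove it automatically, which is what moves an organization from the “request” quadrants of the diagram toward rule-driven access.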

#5: The extended enterprise
• Companies have become hopelessly “entangled”
  • “Deperimeterization” of the corporate network
  • The rise of “Cloud Computing”
• Third-party dependencies abound
  • Most firms have Service Provider assessment programs
  • What happens when you leave?
• Cloud Providers: XaaS
  • Software-as-a-Service (SaaS) is mainstream
  • Platform-as-a-Service and Infrastructure-as-a-Service
  • On-demand computing will be the norm

#5: The extended enterprise (cont’d)
• “Anywhere Access”
  • Increasingly mobile workforce
  • Don’t assume a Windows-based PC
  • Desktop virtualization is increasingly prevalent
  • Access from non-corporate PCs?
• Re-evaluate “network-centric” security
  • How to address the “outside insider”
  • Need to migrate to application- and data-centric views
  • Data obfuscation and DLP solutions
  • Digital Rights Management (DRM): ready for prime time?

#6: The evolution of “security” into Risk Management
“You want a valve that doesn’t leak, and you do everything possible to try to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.” - Arthur Rudolph, creator of the Saturn V rocket.

#6: Evolution of “security” into risk management
• How do you quantify the risk associated with an exposure?
• How do you measure the impact of risk mitigation initiatives?
[Achievability / Impact Quadrant (ILLUSTRATIVE ONLY): initiatives plotted by risk reduction (high to low) against achievability (high to low). Initiatives shown: Data Privacy; Vulnerability Management; Privileged Access Control (App); Infrastructure Logical Access Solutions; Privileged Access Control (Infra.); Environment Separation; Monitoring Service (Internal); Encryption; Application Development; Secure Perimeter Infrastructure; Infrastructure Secure Builds; ID Recertification (Platform); Change Event Management; Virus Management; Monitoring Service (Perimeter); ID Recertification (Application); Source Code Management; Remote Computing; ID Admin Tools & Processes; OSP Review; Infrastructure Monitoring Solutions; Awareness; Information Owner Identification]

The challenge ahead
• IT security has “grown up”: seat at the table
• Must apply traditional IT management rigor in order to be given the chance to succeed at executing strategy
• Continue to evolve our protection measures to keep up with the evolution of the threat
• Put evergreen processes and systems in place to ensure completeness and consistency of controls
• Need to develop models to make intelligent, fact-based decisions about risk prioritization and capital allocation
“If you don’t like change, you’ll like irrelevance even less” — Tom Peters

Thank You from Ronin Consulting, LLC
Q&A
