Published on March 1, 2014
Information Security: Trends and Concerns
Dealing with Change and Facing Reality
Ronin Consulting, John Napier
June 2009
Major Trends 2009-2010
- Increasingly complex regulatory environment
- Increased focus of attacks on specific targets
- Increased threats to privacy and reputational risk
- Mass accumulation of system access
- The "extended enterprise" and cloud computing
- The evolution of "security" into risk management
- ...And a rapidly changing market and financial landscape
A dose of reality
- Financial realities have changed
- Increasing push to rationalize IT spend
[Chart: two-axis plot over 2005-2009; the plotted values are not recoverable from the extracted text]
- How to balance the need to reduce risk with the need to be fiscally responsible? In good times as well as in bad.
Driving Productivity in IT Security
- Get more efficient with operations
  - Zero-based budgeting
  - Automate and streamline the commodities: "fix the plumbing", eliminate variance
- Prioritize risk investments
  - Focus on risk reduction and achievability
  - Leverage a small set of meaningful metrics
Areas of Focus for 2009-2010

Risk Area                                   | Major Initiative
--------------------------------------------|----------------------------------------------------
Regulatory Complexity                       | Automated Compliance
Attack focus and sophistication             | Change in Protection Models
Privacy & Reputational Risk                 | Data Management and Risk Avoidance
Access accumulation                         | Automation & Role-based Access
The "Extended Enterprise"                   | "Virtual Desktop" and Data-centric security models
Evolution of Security into Risk Management  | Risk prioritization model & better use of metrics
#1: Increased regulatory complexity
The past few years have seen an increase in regulations and compliance requirements:
- Gramm-Leach-Bliley compliance
- FFIEC Guidance on Authentication
- Interagency White Paper
- Breach notification statutes
- PCI Compliance
- Sarbanes-Oxley
- Pending legislation
This has required more rigor of existing programs.
#1: Increasing regulatory complexity (cont'd)
Moving from manual to "continuous assessment", automating where possible.
[Diagram linking: BUSINESS INITIATIVES, ASSESSABLE ENTITIES, RISK SCORE, CONTROLS, TOOLS]
#1: Increasing regulatory complexity (cont'd)
[Diagram: risk-scoring and scorecard flow; only the labels and the aggregated table are recoverable]
- Assessable Entities: Policies & Standards; LOB-specific Process & Analysis; Controls; Impact; Likelihood (Probability); Vulnerabilities; Threats; Risk
- LoB Compliance and Non-Compliance Scorecards (one per LoB, LoB #1 to #5): IT Controls by Entities with an IT Control Rating of 1 or 2, 3, or 4 or 5
- Common Firm-wide Controls & Processes
- Aggregated Compliance and Non-Compliance Scorecard (Firmwide):

  IT Controls | Entities  | IT Control Rating
  ------------|-----------|------------------
  Control #1  | Entity #1 | 1
  Control #2  | Entity #2 | 3
  Control #3  | Entity #3 | 2
  Control #4  | Entity #4 | 4
  Control #5  | Entity #5 | 1

- Data can be presented by entity or control
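The scorecard slide shows the same control ratings rolled up two ways, per line of business and per firm-wide control. The following is an added example (not code from the deck or from Ronin Consulting) of that aggregation: the entities, controls and ratings are constructed, and the mapping of the slide's "1 or 2 / 3 / 4 or 5" legend onto compliant / partial / non-compliant bands is an assumption.

```python
from collections import defaultdict

# Constructed sample ratings: (entity, control) -> IT control rating on the slide's
# 1 (best) to 5 (worst) scale. Entities stand in for lines of business (LoBs); the
# controls are the common firm-wide IT controls. None of these values are from the deck.
RATINGS = {
    ("Entity #1", "Control #1"): 1, ("Entity #1", "Control #2"): 2, ("Entity #1", "Control #3"): 1,
    ("Entity #2", "Control #1"): 3, ("Entity #2", "Control #2"): 1, ("Entity #2", "Control #3"): 4,
    ("Entity #3", "Control #1"): 1, ("Entity #3", "Control #2"): 5, ("Entity #3", "Control #3"): 2,
}


def band(rating):
    """Map a rating to a compliance band. The bands (1-2 compliant, 3 partial,
    4-5 non-compliant) are an assumption matching the slide's '1 or 2 / 3 / 4 or 5' legend."""
    if rating not in (1, 2, 3, 4, 5):
        raise ValueError(f"rating out of range: {rating!r}")
    if rating <= 2:
        return "compliant"
    if rating == 3:
        return "partial"
    return "non-compliant"


def pivot(ratings, by_control):
    """Regroup the flat (entity, control) -> rating map so it can be read either
    per entity (which controls does this LoB fail?) or per control (which LoBs fail it?)."""
    grouped = defaultdict(dict)
    for (entity, control), rating in ratings.items():
        key, other = (control, entity) if by_control else (entity, control)
        grouped[key][other] = rating
    return dict(grouped)


def scorecard(ratings, by_control=False):
    """Aggregate each row: the worst rating it carries (a firm-wide control is only as
    good as its weakest entity), that rating's band, and the items rated non-compliant."""
    rows = {}
    for key, items in pivot(ratings, by_control).items():
        worst = max(items.values())
        failing = sorted(name for name, r in items.items() if band(r) == "non-compliant")
        rows[key] = {"worst": worst, "band": band(worst), "failing": failing}
    return rows


def firmwide_exceptions(ratings):
    """The aggregated firm-wide view: controls that any entity rates non-compliant."""
    return {c: row["failing"]
            for c, row in scorecard(ratings, by_control=True).items() if row["failing"]}


if __name__ == "__main__":
    for view in (False, True):
        print("by control" if view else "by entity")
        for key, row in sorted(scorecard(RATINGS, view).items()):
            print(f"  {key}: worst={row['worst']} ({row['band']}) failing={row['failing']}")
    print("firm-wide exceptions:", firmwide_exceptions(RATINGS))
```

Rolling up with the worst rating rather than an average is a deliberate choice: an average hides the one LoB where a control has failed, which is exactly the exception a continuous-assessment process needs to surface.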
#2: Increased focus of attacks
[Chart, axes "Breadth of impact" vs. "Damage": Worms and Viruses (1990 – present, 2000 – present); Spearphishing & Malware and Phishing & Pharming (2003 – present, 2006 – present)]
#2: Increased focus of attacks (cont'd)
[Diagram of attacker motives and techniques; labels: Data exfiltration; Espionage; Profiteers; Hacktivism; Botnets; Simple exploits; "Designer Malware"; Web defacement, denial of service. Caption: Innovation, Efficiency to combat commoditization]
#2: Increased focus of attacks (cont'd)
We see an interesting dichotomy:
- Widespread exploitation of old vulnerabilities
- Microdistribution of sophisticated, targeted malware
So, we need to adapt our protection models:
- Incessant, rigorous follow-up on baseline protection
- Blacklisting vs. whitelisting: does either one really work?
- Better visibility: cross-device correlation of security events
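"Cross-device correlation of security events" is the one item on this slide that reduces to a concrete mechanism, so here is an added example of it (not code from the deck). The log format, device names and addresses are constructed for the example; the idea is that a firewall deny, an AV quarantine or a proxy hit on its own is noise, while the same host showing up on several devices within a few minutes is a signal worth an analyst's time.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three device types (firewall, endpoint AV, web proxy).
# Format and values are invented for this example; they are not real product logs.
LOGS = [
    "2009-06-01T09:00:05 fw    src=10.1.2.3 dst=203.0.113.9 dport=6667 action=deny",
    "2009-06-01T09:02:11 av    host=10.1.2.3 signature=Generic.Downloader action=quarantine",
    "2009-06-01T09:04:40 proxy src=10.1.2.3 url=http://203.0.113.9/update.exe status=200",
    "2009-06-01T09:30:00 fw    src=10.1.2.50 dst=198.51.100.7 dport=445 action=deny",
    "2009-06-01T11:15:00 av    host=10.1.2.50 signature=EICAR-Test action=quarantine",
    "2009-06-01T11:16:00 proxy src=10.1.2.77 url=http://198.51.100.7/ status=200",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\w+)\s+(?P<kv>.+)$")


def parse(line):
    """Parse one line into a timestamp, the reporting device and its key=value fields.
    The host key differs per device (src on fw/proxy, host on av), so normalise it."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(token.split("=", 1) for token in m["kv"].split())
    host = fields.get("src") or fields.get("host")
    if host is None:
        raise ValueError(f"no host field in: {line!r}")
    return {"ts": datetime.fromisoformat(m["ts"]), "device": m["device"],
            "host": host, "fields": fields}


def correlate(lines, window_minutes=10, min_devices=2):
    """Raise one alert per host when at least `min_devices` distinct device types report
    on it inside a sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for event in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        by_host[event["host"]].append(event)
    alerts = []
    for host, events in by_host.items():
        for i, first in enumerate(events):
            devices = {first["device"]}
            for later in events[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break          # events are time-ordered, so the window is closed
                devices.add(later["device"])
            if len(devices) >= min_devices:
                alerts.append({"host": host, "start": first["ts"], "devices": sorted(devices)})
                break              # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOGS):
        print(f"{alert['host']}: {alert['devices']} within 10 min of {alert['start']}")
```

With the default ten-minute window only 10.1.2.3 alerts; 10.1.2.50 has a firewall deny and an AV hit almost two hours apart, which only correlates if the window is widened. Choosing that window, and the device-count threshold, is where the tuning effort goes in practice.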
#3: Privacy and Reputational Risk
Data Protection Initiative
- Cover all data, initial focus on PII
- Balance reduction in risk and achievability
- Slow down the velocity of leakage of confidential data
- Combination of awareness, technology, and process controls
Areas of Focus
- When data leaves the firm
- When data is on portable media
- When data is widely available
#3: Privacy and Reputational Risk (cont'd)
Prioritize efforts based on reducing potential "velocity" of data leakage
- Migration to tapeless backup: Core-to-Bunker, Remote-to-Core
- Controls on portable devices: laptop encryption; removable media controls
- Filtering of Personally Identifiable Information (PII): email, FTP, HTTP filtering at gateways; discovery of PII on fileshares; application PII remediation
#4: Identity & Access Management
- Many incidents and most SOX findings are driven by access issues
- Privileged access
- Access certification
- Offboarding / Transfers
- Significant employee impact
- Onboarding
- General provisioning
- Complicated and not well-understood
- Exponentially complex in large organizations
#4: Identity & Access Management (cont'd)
[Chart, axes "Ease of Use" (Low to High) vs. "Scalability / Cost Saving" (Low to High), with "Auditability" noted; plotted options: Role Level Access Request; Component Level Access Request; Component Level Access Request With Links To Automation; Rule Driven Access (No Request Required)]
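The chart's end point, "Rule Driven Access (No Request Required)", is what makes the transfer and offboarding problems from the previous slide tractable: if the rules say what a user should have, access accumulated through transfers and access orphaned by departures are just the difference between expected and actual. The following is an added example of that reconciliation (not code from the deck); the rules, entitlements, HR records and user names are all constructed.

```python
# Constructed rule-driven access model: each rule is a predicate over the HR record
# and the entitlement it grants automatically (no access request required).
# Rules, entitlements, users and records are all invented for this example.
RULES = [
    (lambda r: True, "email"),
    (lambda r: r["department"] == "trading", "trade-capture-app"),
    (lambda r: r["department"] == "finance", "general-ledger"),
    (lambda r: r["title"].startswith("manager"), "approval-queue"),
    (lambda r: r["department"] == "it" and r["title"] == "sysadmin", "prod-root"),
]

# Entitlements that get first attention when found in excess.
PRIVILEGED = {"prod-root", "approval-queue"}

# Constructed HR feed (dave has left, so he has no record) and the entitlements
# actually present on the systems.
HR = {
    "alice": {"department": "finance", "title": "analyst"},      # transferred in from trading
    "bob":   {"department": "it", "title": "sysadmin"},
    "carol": {"department": "trading", "title": "manager, desk"},
}
ACTUAL = {
    "alice": {"email", "general-ledger", "trade-capture-app"},   # old trading access never removed
    "bob":   {"email", "prod-root"},
    "carol": {"email", "trade-capture-app"},                     # newly promoted, queue not yet granted
    "dave":  {"email", "trade-capture-app", "prod-root"},        # orphaned after offboarding
}


def expected_access(record):
    """Entitlements the rules grant for an HR record; a user with no record gets nothing."""
    if record is None:
        return set()
    return {entitlement for predicate, entitlement in RULES if predicate(record)}


def reconcile(hr, actual):
    """Per user: entitlements held beyond what the rules grant (accumulated through
    transfers, or orphaned after offboarding) and entitlements the rules grant but the
    systems lack. The output is the auditable record a certification campaign reviews."""
    report = {}
    for user in sorted(set(hr) | set(actual)):
        want = expected_access(hr.get(user))
        have = actual.get(user, set())
        report[user] = {
            "orphan": user not in hr,
            "excess": sorted(have - want),
            "missing": sorted(want - have),
            "privileged_excess": sorted((have - want) & PRIVILEGED),
        }
    return report


def revocations(report):
    """Flatten the report into (user, entitlement) pairs to remove, privileged ones first."""
    pairs = [(user, ent) for user, row in report.items() for ent in row["excess"]]
    return sorted(pairs, key=lambda p: (p[1] not in PRIVILEGED, p))


if __name__ == "__main__":
    for user, row in reconcile(HR, ACTUAL).items():
        print(user, row)
    print("revoke in order:", revocations(reconcile(HR, ACTUAL)))
```

Because the expected set is derived from HR data rather than from past requests, a transfer changes the expected set automatically and the stale entitlement shows up as excess at the next run; the same logic, run on a schedule, replaces a large part of a manual recertification campaign.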
#5: The extended enterprise
- Companies have become hopelessly "entangled"
  - "Deperimeterization" of the corporate network
  - The rise of "Cloud Computing"
- Third-party dependencies abound
  - Most firms have Service Provider assessment programs
  - What happens when you leave?
- Cloud Providers: XaaS
  - Software-as-a-Service (SaaS) is mainstream
  - Platform-as-a-Service and Infrastructure-as-a-Service
  - On-demand computing will be the norm
#5: The extended enterprise (cont'd)
- "Anywhere Access"
  - Increasingly mobile workforce
  - Don't assume a Windows-based PC
  - Desktop virtualization is increasingly prevalent
  - Access from non-corporate PCs?
- Re-evaluate "network-centric" security
  - How to address the "outside insider"
  - Need to migrate to application- and data-centric views
  - Data obfuscation and DLP solutions
  - Digital Rights Management (DRM): ready for prime time?
#6: The evolution of "security" into Risk Management
"You want a valve that doesn't leak, and you do everything possible to try to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate." - Arthur Rudolph, creator of the Saturn V rocket.
#6: Evolution of "security" into risk management
Achievability / Impact Quadrant (ILLUSTRATIVE ONLY)
- How do you quantify the risk associated with an exposure?
- How do you measure the impact of risk mitigation initiatives?
[Chart, axes "Risk Reduction" (Low to High) vs. "Achievability" (Low to High); initiatives plotted: Data Privacy; Vulnerability Management; Privileged Access Control (App); Infrastructure Logical Access Solutions; Privileged Access Control (Infra.); Environment Separation; Monitoring Service (Internal); Encryption; Application Development; Secure Perimeter Infrastructure; Infrastructure Secure Builds; ID Recertification (Platform); Change Event Management; Virus Management; Monitoring Service (Perimeter); ID Recertification (Application); Source Code Management; Remote Computing; ID Admin Tools & Processes; OSP Review; Infrastructure Monitoring Solutions; Awareness; Information Owner Identification]
The challenge ahead
- IT security has "grown up": a seat at the table
- Must apply traditional IT management rigor in order to be given the chance to succeed at executing strategy
- Continue to evolve our protection measures to keep up with the evolution of the threat
- Put evergreen processes and systems in place to ensure completeness and consistency of controls
- Need to develop models to make intelligent, fact-based decisions about risk prioritization and capital allocation
"If you don't like change, you'll like irrelevance even less" - Tom Peters
Thank You from Ronin Consulting, LLC
Q&A
JP Morgan Presentation on Information Security Trends and Concerns by John Napier, PMP, CSM of Ronin Consulting