SESSION ID: SP01-T07
#RSAC
Business-Driven Security: Building a Risk-Based Cybersecurity Program
Rashmi Knowles, CISSP
Field CTO, RSA
@knowlesRashmi

SECURITY IS A BUSINESS PROBLEM
Attacks are more sophisticated
Perimeter has disappeared
CEO/Board inspection
Lack of ROI for defense
Complexity has become the enemy

New World of Connected Living
Digital Diet
Digital Hospitals
Digital Schools
Digital Homes
Digital Parks
Digital Transportation
Digital Traffic
Digital Water
Digital Grid
Digital Emergency Fire Services
Digital Education
Digital Police
Digital Emergency Health Services
Digital Public Works
Digital Social Services
Digital Economic Development
Digital Services (Permitting, Licensing, Inspection, & Zoning)
Digital Tourism
Digital Administration
Digital Culture (Arts, Libraries, Open Spaces)
Digital Fitness
Digital Health

Securing the Human
Identity is THE Most Consequential Attack Vector
7.5B world's population
3.4B internet users
60B digital identities
3B+ account credentials compromised in 2016*
95% of web app attacks used stolen credentials*
* Verizon Data Breach Investigations Report 2015; IDC

The Alphabet Soup of Regulations
SOX
SSAE 16 SOC
PCI DSS
ISO
GDPR
Country Regs
HIPAA
FERC
NERC
FFIEC
OCC
NIST CSF
State Regs
GLBA

Today's Regulatory Compliance Challenges
Volume of Regulatory Change: Effort, Cost, Violations
U.S. Federal Regulations since 2008:
25,155 new regulations
$727 Billion economic impact of new regulations
460 Million new hours of paperwork required as a result of new regulations
ORGANIZATIONS ARE STRUGGLING TO MEET THEIR REGULATORY OBLIGATIONS

Business Dependence: Fierce Competition to Innovate
92% Digital initiatives are critical to success
44% Organizations that adopt mobile apps have higher growth rates
TECHNOLOGY IS A MISSION and BUSINESS ENABLER
SECURITY MUST BE A MISSION and BUSINESS ENABLER

Two Sides of Opportunity
Business Risk
IT & Security Risk
Regulatory Risk
3rd Party Risk
Business Resiliency

Business Growth
Digital Transformation
Market Expansion
New Partners
M & A

MANAGING RISK IS A BUSINESS AND A TECHNOLOGY CHALLENGE
Risk complexity increasing
Velocity of risk increasing
Magnitude of risk increasing

Today's Security is Not Working
90% Dissatisfied with the response time
70% Know they were compromised this past year
75% Found out they were compromised from a 3rd party
1 RSA Cybersecurity Poverty Index 2016
2 RSA Threat Detection Effectiveness Survey 2016
3 RSA Estimate based on multiple studies

SECURITY TECHNOLOGY: where most security vendors are focusing
Account lockouts, Web shell deletions, Buffer overflows, SQL injections, Cross-site scripting, DDOS, IDS / IPS events
BUSINESS RISK: where business leaders are focusing
How bad is it? Who was it? How did they get in? What information was taken? What are the legal implications? Is it under control? What are the damages?

The Technology perspective… Technology risk
• What is the important data?
• Where is the important data?
• What are the most critical applications?
• How important is this part of the infrastructure?
• What does this security event impact?
• Where are we vulnerable?
• Who are the 3rd parties the business relies on?
• What happens if IT services are disrupted?
The Business perspective… Business risk
• What part of the business strategy is the most critical?
• Where are our biggest risk areas?
• What is our risk appetite and tolerance?
• What are our regulatory obligations?
• What are the most valuable pieces of our business?
• How bad could it be?
• Are we effectively managing our risks to achieve our objectives?

The Wedges in The Gap
Lack of ownership
Outdated reporting
Manual processes
Inconsistent controls
Information silos
Limited risk visibility

A Modern Investigation
[Figure: attack timeline plotted against TIME, with the phases Attack Set-up, Attack Begins, Target Analysis, Access Probe, System Intrusion, Discovery / Persistence, Attacker Surveillance, Maintain foothold, Leap Frog Attacks Complete, Cover-up Starts, Cover-up Complete]
Transactions
• Are we seeing suspicious transactions against sensitive/high value apps/assets?
Sources: WFD Transaction Monitoring, SIEM
Infrastructure
• Has the server been manipulated?
• Is it vulnerable? Has its config changed recently?
• Is it compliant with policy?
Sources: GRC System, Config Mgmt, Vul. Mgmt
Traffic
• Are there traffic anomalies to/from these servers? Protocol distribution, encryption, suspicious destinations
Sources: Netflow, Network Forensics, Web Proxy Logs, SIEM
Identity
• Which users were logged onto them? Have their privileges been escalated? Where did they log in? What else did they touch?
Sources: Active Directory, Netflow, Server Logs, Asset Management, SIEM
Information
• What kind of data does this system store, transmit, process?
• Is this a regulatory issue? High value IP?
Sources: DLP, Data Classification, GRC

…Lead to Risk in the Business
Unresolved issues
Inaccurate insights & misinformation
High costs & inefficiency
Holes & gaps
Disconnected data & lack of context
Poor business decisions & missed opportunities

Why Does the Gap Exist?
Lack of context & ability to prioritize
Multiple disconnected point solutions
Alert fatigue
SECURITY EXCLUSION: FW, A/V, IDS / IPS, SIEM, NGFW, Sandbox, GW
SECURITY INCLUSION: 2FA, Access mgmt, PAM, PROV, SSO, Federation
BUSINESS / IT RISK MANAGEMENT: GRC, VULN MGMT, CMDB, Spreadsheets

New Requirements
Business Context
Full Visibility
Rapid Insight
Aligned to Business Priorities
Efficient, Comprehensive Response

New Requirements: TRANSFORMATIONAL SECURITY STRATEGY
More strategically manage business risk
Make security teams much more operationally impactful

BUSINESS-DRIVEN SECURITY
LINKS SECURITY INCIDENTS WITH BUSINESS CONTEXT TO RESPOND FASTER AND PROTECT WHAT MATTERS MOST
[Figure labels: INCLUSION & EXCLUSION, SECURITY TECHNOLOGY, BUSINESS RISK MANAGEMENT, BUSINESS-DRIVEN SECURITY]

The Maturity Journey
SILOED: Point solutions, multiple management consoles, basic reporting. Meet regulatory obligations. COMPLIANCE
MANAGED: Integrated security, expanded visibility, improved analysis / metrics. Manage known & unknown risks. RISK
ADVANTAGED: Fully risk aware, identify opportunity. Make risk-based decisions. OPPORTUNITIES

What's the Reality?
This is the reactive stage:
Layered defenses
Fire fighting
Silo'd strategies
Duplicated approaches to compliance
Tactical risk management
Focus on immediate threats
Business as usual approach
SILOED: Point solutions, multiple management consoles, basic reporting. Meet regulatory obligations. COMPLIANCE

Moving from Silo to Managed
• Integrate security data sources to provide visibility
• Implement improved analytics capabilities
• Implement incident management processes
SILOED: Point solutions, multiple management consoles, basic reporting. Meet regulatory obligations. COMPLIANCE
MANAGED: Integrated security, expanded visibility, improved analysis / metrics. Manage known & unknown risks. RISK

Moving from Managed to Advantaged
• Prioritising effectively through business context and awareness when incidents and events occur
• Managing known threats and being ready for emerging threats
• Security fully aligned with the business
MANAGED: Integrated security, expanded visibility, improved analysis / metrics. Manage known & unknown risks. RISK
ADVANTAGED: Fully risk aware, identify opportunity. Make risk-based decisions. OPPORTUNITIES

Advantaged Level - Technology
Embrace data collection and visibility
Real-time incident detection
Understand business context
Deep knowledge of your hunting ground
Hunting tools to provide data science
Practiced procedures

Advantaged Level - People
Security team has clear roles
Collect and analyse threat intelligence that is unique to the organisation
Business risk analysts / business language
Regular staff rotation
24/7 follow-the-sun coverage
Embrace 3rd parties to augment incident response teams

Advantaged Level - Process
Continuous process of detection, investigation and response
Incident Response policy and procedures
NIST, VERIS and SANS Institute
Well practiced breach response procedures
[Figure: the VERIS A4 incident model. Actor: External, Internal, Partner. Action: Hacking, Misuse, Social, Environmental, Physical. Asset: Type, Function. Attribute: Confidentiality, Possession, Integrity, Availability, Utility]

Getting Results…
A solution that turns security issues into business-driven actions, giving you priority, results and progress.
Security Issue
Analytics
Action
Metrics
Visibility + Analytics = Priority
Priority + Action = Results
Results + Metrics = Progress

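The "A Modern Investigation" slide lists the context an investigator has to pull from outside the SIEM (config and vulnerability management, directory and PAM, DLP and data classification, GRC), and "Visibility + Analytics = Priority" is the claim that joining that context to raw alerts is what produces a usable priority. The script below is an added worked example of that join; it is not code from the deck or from RSA. The asset inventory, identity records, alerts and the scoring weights are all constructed for illustration and stand in for the feeds a real SOC would query.

```python
"""Business-context alert triage (added example, not from the deck).

Raw alerts are technology-level events with no business meaning of their
own.  Enriching each one with asset, data and identity context lets the
SOC rank by business priority instead of by technical severity.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for a CMDB + data-classification + GRC register:
# business criticality 1-5, data types handled, regulations in scope,
# recent config change, and open critical vulnerabilities.
ASSETS: Dict[str, dict] = {
    "web-01":  {"criticality": 3, "data": ["public"],           "regs": [],                  "config_changed": False, "open_critical_vulns": 0},
    "db-pay":  {"criticality": 5, "data": ["cardholder", "pii"], "regs": ["PCI DSS", "GDPR"], "config_changed": True,  "open_critical_vulns": 2},
    "hr-app":  {"criticality": 4, "data": ["pii"],              "regs": ["GDPR"],            "config_changed": False, "open_critical_vulns": 0},
    "dev-box": {"criticality": 1, "data": ["test"],             "regs": [],                  "config_changed": True,  "open_critical_vulns": 5},
}

# Constructed stand-in for Active Directory / PAM: is the account privileged?
USERS: Dict[str, dict] = {
    "jsmith": {"privileged": False},
    "dba_admin": {"privileged": True},
    "svc_build": {"privileged": False},
}

# Constructed alerts in the shape a SIEM would forward.
ALERTS: List[dict] = [
    {"id": "A1", "type": "sql_injection_attempt", "asset": "web-01",  "user": None},
    {"id": "A2", "type": "privilege_escalation",  "asset": "db-pay",  "user": "dba_admin"},
    {"id": "A3", "type": "account_lockout",       "asset": "hr-app",  "user": "jsmith"},
    {"id": "A4", "type": "buffer_overflow",       "asset": "dev-box", "user": "svc_build"},
]

SENSITIVE_DATA = {"cardholder", "pii", "phi", "ip"}


@dataclass
class TriagedAlert:
    alert_id: str
    asset: str
    priority: int
    reasons: List[str] = field(default_factory=list)


def score_alert(alert: dict, assets=ASSETS, users=USERS) -> TriagedAlert:
    """Fold the investigation dimensions into one priority score.

    Infrastructure: criticality, recent config change, open critical vulns.
    Identity: whether a privileged account is involved.
    Information: regulated / sensitive data held by the asset.
    The weights are illustrative assumptions, not a published standard.
    """
    asset = assets.get(alert["asset"])
    if asset is None:
        # Unknown asset cannot be prioritised; flag it for inventory follow-up.
        return TriagedAlert(alert["id"], alert["asset"], 0, ["asset not in inventory"])

    reasons = [f"criticality {asset['criticality']}"]
    score = asset["criticality"] * 10                     # 10-50 business baseline
    if asset["regs"]:
        score += 15 * len(asset["regs"])
        reasons.append("regulated: " + ", ".join(asset["regs"]))
    if SENSITIVE_DATA & set(asset["data"]):
        score += 20
        reasons.append("sensitive data on asset")
    if asset["config_changed"]:
        score += 10
        reasons.append("recent config change")
    if asset["open_critical_vulns"]:
        # Cap the vuln contribution so raw finding counts cannot outrank business impact.
        score += 5 * min(asset["open_critical_vulns"], 4)
        reasons.append(f"{asset['open_critical_vulns']} open critical vulns")
    user = users.get(alert.get("user") or "")
    if user and user["privileged"]:
        score += 25
        reasons.append("privileged account involved")
    return TriagedAlert(alert["id"], alert["asset"], score, reasons)


def triage(alerts: List[dict] = ALERTS) -> List[TriagedAlert]:
    """Return alerts ranked highest business priority first."""
    return sorted((score_alert(a) for a in alerts), key=lambda t: t.priority, reverse=True)


if __name__ == "__main__":
    # dev-box carries the most technical findings (5 critical vulns) yet ranks
    # below the GDPR-scoped HR application: that gap is the point of the talk.
    for t in triage():
        print(f"{t.alert_id} {t.asset:8} priority={t.priority:3}  " + "; ".join(t.reasons))
```

Swapping the constructed dictionaries for live CMDB, directory and DLP queries is the integration work the deck calls "integrate security data sources to provide visibility"; the ranking logic itself stays small once that context is reachable from the alert.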
Incident Detection And Response Maturity
Maturity Level | People | Process | Technology
Siloed (65%) | Reactive, not specialists, IT function | No prioritisation, focus on compliance, asset value vs level of risk | Perimeter, signature based, disparate tools
Managed (25%) | Incident responders, full time CIRC or SOC mgr, general threat intel | Security & risk drivers, not compliance | Using SIEM, incident mgmt, external threat intel
Advantaged (10%) | Clear roles, business & risk analysts, business language | Key business priorities, qualitative and quantitative measures | Integrated platform for detection, investigation and response

Characteristics of Security Maturity
Step 1: Threat Defense
Step 2: Siloed
Step 3: Managed
Step 4: Advantaged
[Figure axes: VISIBILITY, COLLABORATION, RISK]