Enterprise Security – The Changing Landscape

Posted on 28-Sep-2020

TRANSCRIPT

Page 1: Enterprise Security The Changing Landscapecszsummerschool.co.zw/.../2018/11/Richard-Young-Enterprise-Securi… · Enterprise Security Management Enterprise security management is

Presented by: Richard Young Ph.D. CISSP

Enterprise Security – The Changing Landscape

Page 2:

Enterprise Security – The Changing Landscape

…anti-virus and patching are not enough anymore

Page 3:

Enterprise Security – The Changing Landscape

Our discussion will center on…

Establishing a winning Enterprise Security Program
- Third Party Risk Management
- Outsourcing the Security Function

Governance and Oversight
- Roles & Responsibilities
- Building Security Capacity – Training & Awareness
- Chief Information Security Office(r)
- Management
- Board

Cybersecurity Awareness – Cybersecurity FOCUS Magazine
- Free membership for 1 year (all) – launch issue November 30th 2018

Page 4:

Enterprise Security – The Changing Landscape

How many of us know what to do in the event of a fire at the office?

Page 5:

Enterprise Security – The Changing Landscape

How about in the event of a data breach? As the HEAD of the organization, what do you do?

Page 6:

Enterprise Security – The Changing Landscape

Does your organization have a Resilience Plan? (which articulates…)
- the ability to quickly adapt to disruptions, while
- maintaining continuous business operations,
- safeguarding people,
- assets and the overall brand

Page 7:

Enterprise Security – The Changing Landscape

How does a robust Enterprise Security Program help your organization?

✓ reduces the risk of unauthorized access to information technology systems and data

Page 8:

Enterprise Security Management

Enterprise security management is an incredibly complicated task… (in the wake of 21st century threats and incursions)

While data security once was a question of implementing a few IT solutions, today enterprise security management involves an ecosystem of cyber security:

Strategy, Products, People, Technology, Services, Process, Compliance

Page 9:

Enterprise Security – The Changing Landscape

Which of the following statements best describes your organization's computer security?

Page 10:

Enterprise Security – The Changing Landscape

Does your organization have a data recovery plan to implement in the event of catastrophic data loss?

Page 11:

Enterprise Security – The Changing Landscape

In your opinion, what are the computer security issues that your organization needs to address?

Page 12:

Enterprise Security – The Changing Landscape

The Risks are Real…!

o Lost laptops and portable storage devices
o Data/Information "left" on public computers
o Data/Information intercepted in transmission
o Spyware, "malware," "keystroke logging"
o Unprotected computers infected within seconds of being connected to the network
o Thousands of attacks on campus networks every day

Page 13:

Enterprise Security Program

Links in the Security Chain: Management, Operational, and Technical Controls

Adversaries attack the weakest link…where is yours?

“Security is NOT a destination BUT a journey which is continuous”

Page 14:

The Golden Rules: Building an Effective Enterprise Information Security Program

Develop an enterprise-wide information security strategy and game plan

Get corporate “buy in” for the enterprise information security program—effective programs start at the top

Build information security into the infrastructure of the enterprise

Establish level of “due diligence” for information security

Focus initially on mission/business case impacts—bring in threat information only when specific and credible

Page 15:

The Golden Rules: Building an Effective Enterprise Information Security Program

Create a balanced information security program with management, operational, and technical security controls

Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk

Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data

Harden the target; place multiple barriers between the adversary and enterprise information systems

Be a good consumer—beware of vendors trying to sell “single point solutions” for enterprise security problems

Page 16:

The Golden Rules: Building an Effective Enterprise Information Security Program

Don't be overwhelmed with the enormity or complexity of the information security problem—take one step at a time and build on small successes

Don't tolerate indifference to enterprise information security problems

And finally…

Manage enterprise risk—don’t try to avoid it!

Page 17:

What You Need To Know

IT resources to be managed

What’s available on your network

Policies, laws & regulations

Security Awareness

Risk Assessment, Mitigation, & Monitoring

Resources to help you

Page 18:

Governance & Oversight

Page 19:

Governance Oversight

[Org chart: Board of Directors; CIO / CSO; Enterprise Security Committee (inputs: Guest Speakers, Regular Reporting, Conferences); Director of Infrastructure and Security; Sr. Security Manager; Security Workgroups]

Page 20:

Enterprise Security Committee

[Diagram: Enterprise Security Committee and its Work Groups]

Page 21:

Enterprise Security Framework

NIST Framework

Page 22:

Enterprise Security Framework (example)

Page 23:

Why Breaches Happen

▪ Configuration errors
▪ "Weak" defaults
▪ Easy passwords
▪ "Bugs"
▪ Input validation
▪ Installing suspect applications
▪ Clicking malicious links
▪ Phishing emails
▪ Watering hole attacks

Page 24:

Many Organizations Do Not Monitor Published Vulnerabilities

Page 25:

Take Ownership of Your Security

Page 26:

Security leaders should be more accountable than ever before

Page 27:

Cyber Crime Survey

Source: CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, March-April 2014

Page 28:

Building Enterprise Security Capacity

Page 29:

Building Security Capacity: the rise of the "on-demand" Chief Information Security Officer (CISO)

o As companies strive to improve their levels of security in the midst of increasing cyber threats, many are finding it difficult to recruit sufficient numbers of skilled staff
o Deploying and maintaining an effective IT security infrastructure is no easy task, and people with the knowledge and experience needed are in short supply

For organizations unable to find a permanent CISO, an alternative is to take a different tactic and source the needed skills using an 'on-demand' approach. Working with the organization, this on-demand CISO can:

✓ Undertake a forensic examination of the existing security infrastructure that is in place and make recommendations for its enhancement
✓ Take the time to gain a deep understanding of the unique business requirements of the organization and its employees

Page 30:

CISOs face a shortage of skills, lack of metrics & strategy

83% of enterprises have difficulty finding the security skills they need

51% of IT professionals have no risk strategy (2016 Global Reputational Risk & IT Study, IBM)

79% of IT executives have no measure of security effectiveness (2017 Forrester Research Study)

[Diagram: Security Maturity, driven by Board of Directors, Stakeholders, Compliance Mandates, Industry Standards]

Page 31:

Establishing an Enterprise Security Program

Page 32:

Reaching security maturity – how to map your way there

Security Intelligence
- Optimized: Predictive Analytics, Big Data Workbench, Flow Analytics
- Proficient: SIEM and Vulnerability Management
- Basic: Log Management

Advanced Fraud Protection

Domains: People | Data | Applications | Infrastructure

Optimized
- People: Identity governance; Fine-grained entitlements; Privileged user management
- Data: Data governance; Encryption key management
- Applications: Fraud detection; Hybrid scanning and correlation
- Infrastructure: Multi-faceted network protection; Anomaly detection; Hardened

Proficient
- People: User provisioning; Access management; Strong authentication
- Data: Data masking / redaction; Database activity monitoring; Data loss prevention
- Applications: Web application protection; Source code scanning
- Infrastructure: Virtualization security; Asset management; Endpoint / network security management

Basic
- People: Directory management
- Data: Encryption; Database access control
- Applications: Application scanning
- Infrastructure: Perimeter security; Host security; Anti-virus

Page 33:

Need for information sharing (learn from our mistakes) – without being stigmatized…

Page 34:

Focus on critical points in the attack chain with preemptive defenses on both the endpoint and network

ENDPOINT

Prevent malware installs
• Verify the state of applications
• Block exploit attempts used to deliver malware

Prevent control channels
• Stop direct outbound malware communications
• Protect against process hijacking

Prevent credential loss
• Block keyloggers
• Stop credential use on phishing sites
• Limit reuse of passwords

NETWORK

Exploit Disruption: prevent mutated exploits
• Verify the state of network protocols
• Block unknown exploits with behavioral heuristics

Malware Quarantine: prevent active beaconing
• Stop malware and botnet control traffic with real-time reputation and SSL inspection

User Protection: prevent malicious apps
• Block access to malicious websites
• Protect against web application misuse

On the Endpoint: Trusteer Apex Malware Protection
On the Network: IBM Security Network Protection XGS

Page 35:

Network administrators can take a few basic steps to fend off malicious spam attachments

Keep your spam and virus filters up to date.

Block executable attachments. In regular business environments it is unusual to send executable attachments. Most spam filters can be configured to block executable files even when they are inside zip attachments.

Use mail client software that allows disabling automatic rendering of attachments and graphics, and preloading of links, and then disable them.

Educate users on the potential danger of spam, and the actions to take.
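The attachment-blocking step above, as an added example that is not part of the presentation: a small Python filter that parses a MIME message, flags attachments whose file name or file header marks them as executable, and looks inside zip attachments (nested ones too) the way the slide says a spam filter should. The extension list, the nesting limit, the treatment of encrypted zip entries (blocked because they cannot be inspected) and the sample message are all assumptions constructed for this example; a real gateway would apply the organization's own policy.

```python
"""Flag executable e-mail attachments, including those hidden inside zip files.

Added example (not from the presentation). Standard library only: `email`
parses the MIME message, `zipfile` looks inside archives. The sample message
built by build_sample_message() is constructed for this example.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that rarely have a legitimate reason to arrive by e-mail.
# Assumed policy list; extend it to match your own environment.
EXEC_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".jar",
}
MAX_ZIP_DEPTH = 3  # assumed limit on zip-inside-zip nesting


def looks_executable(name: str, data: bytes) -> bool:
    """True if the file name OR the file header says 'executable'."""
    lower = name.lower()
    # A double extension such as invoice.pdf.exe is caught by its last suffix.
    if any(lower.endswith(ext) for ext in EXEC_EXTENSIONS):
        return True
    # Magic bytes: Windows PE ("MZ"), ELF, Mach-O (32/64-bit little-endian).
    return (data[:2] == b"MZ" or data[:4] == b"\x7fELF"
            or data[:4] in (b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"))


def scan_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Return findings for one attachment, descending into zip archives."""
    findings = []
    if looks_executable(name, data):
        findings.append(f"executable: {name}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_ZIP_DEPTH:
            findings.append(f"zip nested too deep, blocked: {name}")
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # encrypted entry: cannot inspect, so block
                    findings.append(f"encrypted zip entry, blocked: {name}/{info.filename}")
                    continue
                inner = zf.read(info)
                findings.extend(scan_blob(f"{name}/{info.filename}", inner, depth + 1))
    return findings


def find_executable_attachments(raw_message: bytes) -> list:
    """Parse a raw RFC 5322 message and scan every attachment part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings.extend(scan_blob(name, payload))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: one harmless PDF, one zip hiding an .exe."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 fake pdf body", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00 fake PE header")
        zf.writestr("readme.txt", b"nothing here")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_executable_attachments(build_sample_message()):
        print(finding)
```

Checking both the name and the magic bytes matters: a renamed `.exe` passes an extension-only rule, and a zip entry named `invoice.pdf.exe` passes a rule that only looks at the outer attachment.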

Page 36:

Page 37:

Every breach requires a plan of action

Forensic analytics can provide the insights to understand what is happening in the network and what steps are necessary to prevent threats.

Full Packet Capture
• Capture packets off the network
• Include other, related structured and unstructured content stored within the network

Retrieval & Session Reconstruction
• For a selected security incident, retrieve all the packets (time bounded)
• Re-assemble into searchable documents including full payload displayed in original form

Forensics Activity
• Navigate to uncover knowledge of threats
• Switch search criteria to see hidden relationships
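The retrieval and session-reconstruction steps above, as an added example that is not part of the presentation or of any vendor product: Python that takes packet records as they might come out of a capture index, keeps only those inside the incident's time window, groups them into sessions, reassembles each direction by TCP sequence number (dropping retransmitted bytes and marking gaps), and then searches the rebuilt payloads for an indicator. The `Segment` record layout and the sample capture at the bottom are assumptions constructed for this example.

```python
"""Time-bounded retrieval, TCP session reconstruction and payload search.

Added example (not from the presentation). Packets are plain records with
timestamp, endpoints, sequence number and payload; the SAMPLE capture is
constructed for this example (an out-of-order HTTP request with one
retransmission, plus unrelated traffic outside the incident window).
"""
from dataclasses import dataclass, field


@dataclass
class Segment:
    ts: float        # capture timestamp, seconds
    src: str         # "ip:port"
    dst: str
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class Session:
    key: tuple                                   # sorted (endpoint_a, endpoint_b)
    streams: dict = field(default_factory=dict)  # (src, dst) -> reassembled bytes
    first_ts: float = float("inf")
    last_ts: float = 0.0


def select_window(segments, t_start, t_end):
    """Step 1: retrieve only the packets inside the incident's time bound."""
    return [s for s in segments if t_start <= s.ts <= t_end]


def reassemble(segs):
    """Order one direction by sequence number, dropping retransmitted bytes
    and inserting a marker where captured bytes are missing."""
    out = bytearray()
    expected = None
    for s in sorted(segs, key=lambda x: x.seq):
        if expected is None:
            expected = s.seq
        if s.seq + len(s.payload) <= expected:
            continue                                  # full retransmission
        if s.seq < expected:
            out += s.payload[expected - s.seq:]       # partial overlap: keep new tail
        else:
            if s.seq > expected:
                out += b"[%d bytes missing]" % (s.seq - expected)
            out += s.payload
        expected = s.seq + len(s.payload)
    return bytes(out)


def reconstruct_sessions(segments, t_start, t_end):
    """Step 2: group time-bounded packets into sessions, rebuild each direction."""
    by_dir = {}
    for s in select_window(segments, t_start, t_end):
        key = tuple(sorted((s.src, s.dst)))          # both directions share one key
        by_dir.setdefault(key, {}).setdefault((s.src, s.dst), []).append(s)
    sessions = {}
    for key, dirs in by_dir.items():
        sess = Session(key=key)
        for direction, segs in dirs.items():
            sess.streams[direction] = reassemble(segs)
            sess.first_ts = min(sess.first_ts, min(x.ts for x in segs))
            sess.last_ts = max(sess.last_ts, max(x.ts for x in segs))
        sessions[key] = sess
    return sessions


def search_sessions(sessions, needle: bytes):
    """Step 3: search reassembled payloads; returns (direction, offset) hits."""
    hits = []
    for sess in sessions.values():
        for direction, data in sess.streams.items():
            if needle in data:
                hits.append((direction, data.index(needle)))
    return hits


# Constructed sample capture (addresses from documentation ranges).
SAMPLE = [
    Segment(100.0, "10.0.0.5:51000", "203.0.113.7:80", 1000, b"GET /update.bin HTTP/1.1\r\n"),
    Segment(100.2, "10.0.0.5:51000", "203.0.113.7:80", 1044, b"User-Agent: evil-bot/1.0\r\n\r\n"),
    Segment(100.1, "10.0.0.5:51000", "203.0.113.7:80", 1026, b"Host: c2.example\r\n"),
    Segment(100.3, "10.0.0.5:51000", "203.0.113.7:80", 1026, b"Host: c2.example\r\n"),  # retransmit
    Segment(100.4, "203.0.113.7:80", "10.0.0.5:51000", 5000, b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00"),
    Segment(900.0, "10.0.0.9:52000", "198.51.100.2:443", 1, b"\x16\x03\x01 unrelated"),
]

if __name__ == "__main__":
    sessions = reconstruct_sessions(SAMPLE, 99.0, 101.0)
    for key, sess in sessions.items():
        print(key, sess.first_ts, sess.last_ts)
        for direction, data in sess.streams.items():
            print("  ", direction, data)
    print(search_sessions(sessions, b"evil-bot"))
```

The time bound is applied before grouping so that the unrelated TLS traffic at t=900 never enters the reconstruction; the gap marker keeps an analyst from mistaking lost capture for an empty response.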

Page 38:

Page 39:

What can you do to mitigate these threats?

Keep up with threat intelligence

Maintain a current and accurate asset inventory

Have a patching solution that covers your entire infrastructure

Implement mitigating controls

Instrument your environment with effective detection

Create and practice a broad incident response plan
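The first three steps above (threat intelligence, an accurate asset inventory, and patching that covers the whole estate) come together in one routine check: matching what is installed against published advisories, which slide 24 notes many organizations never do. The following Python is an added example, not from the presentation: it parses version constraints, compares installed versions numerically (so 2.4.9 is not "greater" than 2.4.10), and orders the resulting patch queue by severity. The advisory feed, the inventory, the product names and the `SAMPLE-` advisory IDs are all fictitious data constructed for this example; a real deployment would pull the feed from its vulnerability source and the inventory from a CMDB or agent.

```python
"""Match an asset inventory against published vulnerability advisories.

Added example (not from the presentation). ADVISORIES and INVENTORY are
constructed sample data with fictitious products and advisory IDs.
"""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49); missing components compare as 0, so 2.4 == 2.4.0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def version_in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated list of constraints, e.g. '>=2.4.0,<2.4.50'.
    All clauses must hold for the version to count as affected."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    affected: str        # version constraint string
    severity: str


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


def match_inventory(assets, advisories):
    """Return (asset, advisory) pairs where the installed version is affected,
    worst severity first so the list doubles as a patch queue."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product.lower(), []).append(adv)
    findings = []
    for asset in assets:
        for adv in by_product.get(asset.product.lower(), []):
            if version_in_range(asset.version, adv.affected):
                findings.append((asset, adv))
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda fa: (rank.get(fa[1].severity, 9), fa[0].host))
    return findings


# Constructed sample feed and inventory (fictitious products and IDs).
ADVISORIES = [
    Advisory("SAMPLE-2018-001", "acmeweb", ">=2.4.0,<2.4.50", "critical"),
    Advisory("SAMPLE-2018-002", "acmedb", ">=10.0,<10.3", "high"),
    Advisory("SAMPLE-2018-003", "acmedb", "==11.1.0", "medium"),
]
INVENTORY = [
    Asset("web-01", "AcmeWeb", "2.4.49"),
    Asset("web-02", "AcmeWeb", "2.4.50"),
    Asset("db-01", "AcmeDB", "10.2.1"),
    Asset("db-02", "AcmeDB", "11.1"),
    Asset("ws-07", "OtherTool", "1.0"),
]

if __name__ == "__main__":
    for asset, adv in match_inventory(INVENTORY, ADVISORIES):
        print(f"{adv.severity:8} {asset.host:8} {asset.product} {asset.version} -> {adv.advisory_id}")
```

The check is only as good as the inventory feeding it: a host missing from INVENTORY produces no finding, which is exactly why the slide puts "current and accurate asset inventory" ahead of the patching solution.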

Page 40:

Questions CISO Wants Answered

Page 41:

Third Party Risk Management

Page 42:

Third Party Risk Management

Sample Vendor Questionnaire (columns: Section | Description | Vendor Response)

Roles & Responsibilities
1. Has your organization formally appointed a central point of contact for security coordination?
2. If so, whom, and what is their position within the organization?
3. Are responsibilities clearly documented? i.e. job descriptions, information security policy

External Parties
1. Do you work with third parties, such as IT service providers, that have access to your sensitive information?
2. Does your organization have Non-Disclosure Agreements in place with these third parties?
3. If not, what controls does your organization have in place to monitor and assess third parties? i.e. logging of VPN connections, access logs, etc.

Risk Assessment & Compliance
1. Do you have a process that addresses: the identification and measurement of potential risks, mitigating controls (measures taken to reduce risk), and the acceptance or transfer (insurance policies, warranties for example) of the remaining (residual) risk after mitigation steps have been applied?

Page 43:

Third Party Risk Management

Sample Vendor Questionnaire, cont. (columns: Section | Description | Vendor Response)

Enterprise Security
1. Do you have documented information security policies and procedures?
2. Do you have a formal information classification procedure? Please describe it. In particular, how would sensitive data be categorized? For example, critical, essential, and normal.
3. Have formal acceptable use rules been established for assets? Example assets include data assets, computer equipment, communications equipment, etc.
4. Do you have formal processes in place for security policy maintenance and deviation?

Legal & Compliance
1. Does a process exist to identify new laws and regulations with IT security implications (e.g., breach notification requirements)? i.e. monitoring newsletters, webinars, security or regulatory forums, etc.

Page 44:

Page 45:

Contact Details

Richard G. Young Ph.D. CEGIT, CIA, CISA, CISM, CISSP, COSO
90 Broad Street, 2nd Floor
New York, NY 10004
USA
+1 (917) 963-5536 / +263 772 475 [email protected] | www.datasecc.com

All Rights Reserved