FUTURE WORLD: WHAT WILL CYBERSECURITY LOOK LIKE IN THE FUTURE?

May 20, 2019, Los Angeles, California

113th Annual Conference, May 19-22, 2019, Los Angeles, California

Learn more by visiting us at gfoa.org • #GFOA2019

Mike Bailey, Finance Consultant, Municipal Research and Services Center

Dan Frye, SVP Corporate Security, Sierra-Cedar

Cindy Compert, Distinguished Engineer and Security CTO, U.S. Public Sector Market; CTO, Data Security & Privacy, IBM Security, IBM

Post on 21-May-2020



Future World: The Future of Information Security

Dan Frye, Senior Vice President, Corporate Security

linkedin.com/in/danfrye/


What I want you to remember

The Cloud has created new opportunities for a decentralized “Things-as-Code” model that will fundamentally change business processes and how security is injected into the organization.

Authentication will be the new perimeter and Identity will be the new firewall.

Security leaders will need to apply supply chain principles to secure the data flows used by the business.


https://aws.amazon.com/compliance/shared-responsibility-model/


AWS Security Products


https://www.csoonline.com/article/3200024/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html


DETECTION & RESPONSE

PREVENTION

PROBLEM

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf


https://www.esecurityplanet.com/network-security/security-automation-and-orchestration-soar.html


https://www.csoonline.com/article/3390683/how-a-data-driven-approach-to-security-helps-a-small-healthcare-team-embrace-automation.html


Lesson #1

Invest in the skills and talent necessary to develop security-as-code, infrastructure-as-code, and business-process-as-code.


https://www.cnet.com/news/gates-predicts-death-of-the-password/


https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/


https://xkcd.com/936/


“At Microsoft only 10 percent of our users enter a password on a given day.”

https://www.microsoft.com/security/blog/2019/05/08/3-investments-improve-identity-management-microsoft/


https://techcrunch.com/tag/authentication/


Traditional Network Security Model


Zero Trust Security Model


https://www.centrify.com/education/what-is-zero-trust-privilege/


Lesson #2

Organizations have to fundamentally change their approach to identity, access, and authorization.


https://hbr.org/2016/09/bad-data-costs-the-u-s-3-trillion-per-year


What if someone injected data or manipulated data in a data source?


Lesson #3

Security leaders need to account for data risk. What outcomes could happen if data integrity fails?


Future World: The Future of Information Security

Dan Frye

linkedin.com/in/danfrye/


Cindy E. Compert, CIPT/M

Distinguished Engineer & Security CTO US Public Sector Market

CTO Data Security & Privacy, IBM Security

@CCBigData

May 20, 2019


Contents

• A little R&R
• Scary Attacks
• AI and Cloud take flight
• More R&R
• Advice for working with your CISO


Making the Shift: R&R


Scary Attacks


From Ransomware… to Cryptojacking

Router Fries Egg

https://www.cnet.com/news/this-cryptocurrency-mining-router-was-hot-enough-to-serve-me-fried-eggs-black-hat-defcon/


The Brave Little Toaster becomes reality


Change is coming..


Steps you can take

Cryptojacking:
• Train
• Patch
• Monitor

IoT:
• Implement real-time inventory
• Patch
• Assess entire infrastructure
• Isolate infrastructure and network
• Consider behavioral monitoring solutions

https://searchhealthit.techtarget.com/tip/Cryptojacking-emerging-as-a-new-threat-to-healthcare


AI and Cloud Take Flight


AI Security Examples

Predictive Analytics
• Approach: Model behaviors and identify emerging and past threats and risks
• Applications: Network, user, endpoint, app and data, cloud

Intelligence Consolidation
• Approach: Curation of intelligence and contextual reasoning
• Applications: Structured and unstructured (NLP) data sources

Trusted Advisors & Response
• Approach: Reason about security events for triage and response
• Applications: Cognitive SOC analyst, orchestration, automation and digital guardian

Examples:
• A. User Behavior Analytics
• B. Threat enrichment
• C. AI advisor


AI: Steps you can take

• Understand: Understand AI capabilities and how they might help you accelerate security processes
• Identify Use Cases: Identify use cases and measure current processes
• Pilot: Test your hypotheses in a controlled scenario. Get help from experts. Compare outcomes.


Let’s change the way we think about hybrid cloud security


There are 3 key phases to the cloud adoption journey

© 2019 IBM Corporation

Baseline & Strategy

Formally starting on cloud journey, or just starting to move workloads to cloud

Hybrid Environment

Well into cloud transformation or primarily in a hybrid steady-state operation

Cloud / Multi-Cloud

Full cloud transformation or born-in-the-cloud organizations

Many organizations will be faced with the hybrid reality.


Shared security responsibility model has expectations of the customer

Legend: Customer / Tenant Responsibility; Cloud Service Provider Responsibility / Native Controls; Cloud Native Controls available

Layers shown for both ON-PREMISES and CLOUD:
• Endpoint Security
• Application Controls
• Identity & Access Management
• Data Protection & Encryption
• Network Controls
• Operating System
• Virtualization Layer
• Network Infrastructure
• Storage
• Physical Infrastructure


Hybrid Cloud Security: Steps you can take

• Protect data: Bring your own security controls to strengthen security of your cloud service providers
• Enhance Productivity: Build security into the design, so you don’t lose productivity going back and incorporating it later
• Ensure Compliance: Enable compliance visibility and reporting into both your cloud and on-premises environments


Only

of security budget allocated to cyber resilience activities

of highly ranked resilient organizations are very confident in their ability to prevent a cyberattack

use automation significantly or moderately

increase in threat sharing from 2017 to 2018

Cybersecurity shifts to resilience

77% of Enterprises Don’t Have a Cybersecurity Incident Response Plan


Practice worst case scenarios


4 Keys to R.I.S.K.

Repeat, Identify, Sustain, KPIs


Partner with your CISO

• Invest in security according to value/risk
• Know thy data, know thy risk
• A security strategy with timelines is critical
• Communicate cyber risk to the business in specific scenarios


@CCBigData

Thank you
