Intelligent Security: Defending the Digital Business


Upload: accenture

Post on 11-Nov-2014


DESCRIPTION

Companies need to move their cyber security efforts away from traditional defensive approaches toward a proactive stance aligned with the organization’s business objectives. Explore the five most common issues companies will face to achieve this stance, and approaches to dealing with them.

TRANSCRIPT

Page 1: Intelligent Security: Defending the Digital Business

Intelligent Security: Defending the Digital Business

Defending the Digital Business

Page 2: Intelligent Security: Defending the Digital Business

Executive Summary

Copyright © 2014 Accenture. All rights reserved.

Today

Key Business Challenges

•Missing link between business goals and security capabilities

•Compliance providing a false sense of security

•Enterprises are reaping the benefits of enhancing business functionality through cloud, mobile, and social, but struggle governing the extensions to the enterprise

•Increasingly sophist security talent to address current security needs

A new tomorrow

Approach to Intelligent Security

• Assess the security program’s capability and identify leap-ahead opportunities

• Manage complexity and integrate the enterprise

• Become agile

• Accelerate toward security intelligence

• Develop end-to-end delivery and flexible sourcing strategies

How to get there

Security Call to Action

•The first step is assessing current posture and adopting a business-aligned security strategy

•Retain staff experienced with security architecture planning and design, tools and integration to drive successful outcomes

•Establishing an end-to-end delivery capability, underpinned by a pre-integrated security solution set, allows organizations to modularly select for their specific threat areas and adoption pace

•Move to extract more value from the data they already collect and analyze

Page 3: Intelligent Security: Defending the Digital Business

Key business challenges

Page 4: Intelligent Security: Defending the Digital Business

Business challenges to security for today’s enterprise

Despite all the effort and resources that organizations invest in traditional information security approaches, many still fall prey to the latest cyber threats, or find they are unprepared to deal with rapidly blurring enterprise boundaries

Five most common issues companies will have taking a proactive security stance

Keeping pace with persistent threats

Governing the extended enterprise despite blurring boundaries

Thinking outside the compliance (check) box

Missing the link between business and security

Addressing the security supply/demand imbalance

Page 5: Intelligent Security: Defending the Digital Business

Missing the link between business and security 1

• Untethered programs can drift and become largely ineffective

• Some security executives might struggle to draw a clear line between the protection provided and its impact on the company’s customer satisfaction, loyalty and revenue

• The Security team may lack a logical road map for changing the organization’s view of the security function as simply an inhibitor or cost center

Business Security

Protecting the business should be the first and foremost goal of any security program, but most enterprises do not make it a core competency

Page 6: Intelligent Security: Defending the Digital Business

Thinking outside of the compliance (check) box

Compliance

•Audit centric

•Controls based

•Driven largely by regulatory requirements

•Sample based

•Scope limited by audit domain

•Evaluated on a quarterly or annual basis

Security

•Business centric

•Controls based

•Driven by business requirements

•Scope is holistic: includes enterprise, 3rd parties, suppliers, partners

•Evaluated on near-real time basis

Unfortunately, compliance does not ensure security. Instead, enterprises should view compliance as the minimum acceptable cyber security “bar” they need to clear…

2

Page 7: Intelligent Security: Defending the Digital Business

Governing the extended enterprise despite blurring boundaries

Typical Day in the Extended Enterprise

Cloud: Real-time provisioning of servers to support testing of a cloud CRM system

Mobile: Granting mobile access to new capabilities for field representatives

Social network: Rollout of a business social network for sales, product and marketing collaboration

• What are the appropriate frameworks and policies?

• Should I allow personal devices? Which devices, and do I let everyone do it?

• How do I enable and monitor aaS components being introduced to my environment?

• How will I reach my customers with the correct messages?

• What do I need to do to make sure exposed by this new enterprise?

While business adoption has been widespread and rapid, many security organizations struggle to establish the appropriate frameworks, policies and controls to protect the expansions and contractions now common in extended IT environments

3

Page 8: Intelligent Security: Defending the Digital Business

Most organizations focus on:

• Monitoring – Difficulty in prioritizing critical events and handling uncertainty

• Static controls – Standard controls don’t help once the attacker is in

For which cyber-threat are you prepared?

Opportunistic Acts

Attacker profile:

•Will move on if thwarted

•Will make mistakes

•Can be creative

Mob

Attacker profile:

•Emotional and not disciplined

•Not after the crown jewels

•Not well backed

Determined actors

Attacker profile:

•Failure is not an option

•Need only one vulnerability

•Stick with it mentality

As the threats become more persistent, they become harder to identify

Keeping pace with persistent threats 4

Page 9: Intelligent Security: Defending the Digital Business

Most organizations lack sufficient security talent to address their current needs

Skill Shortages

•Lack of the appropriate skills to execute required tasks

•Hiring premiums for cyber security resources

Career Development

•Skilled resources are eager to keep skills sharp and maintain exposure to new technologies

Firefighting

•Misalignment of security programs to strategic business objectives causes practitioners to burn out from constant troubleshooting

Addressing the security supply/demand imbalance 5

Page 10: Intelligent Security: Defending the Digital Business

Net result

Compliance driven (or audit scope driven) security scope can cause organizations to implicitly and unknowingly accept a significant amount of cyber-security risk

[Figure: Perceived Risk vs. Actual Risk, with layers labelled specific regulatory risk, compliance risk, enterprise security risk and implicitly accepted risk]

Page 11: Intelligent Security: Defending the Digital Business

Approach to Intelligent Security

Page 12: Intelligent Security: Defending the Digital Business

Vision for Intelligent Security

• Driven by a comprehensive security strategy that is aligned to business goals and objectives

• Core business assets protected by robust enterprise security controls

• Layered on top are extended enterprise safeguards focused on enabling cloud, mobile and social network adoption

• Advanced analytics incorporate cyber threat intelligence to enable proactive, accelerated action

• Security metrics to measure enablement of business outcomes

As organizations shift from a compliance-centered security mindset to an active cyber security stance, security teams need to adapt to keep pace with evolving business objectives

Page 13: Intelligent Security: Defending the Digital Business

Taking the next steps to address Intelligent Security for the digital enterprise

Determine where the organization currently stands and the level of resources required to support meaningful transformation

Assess security capability, identify opportunities

Evolve the security program vision: establish an end-to-end enterprise security program and integrate it with existing enterprise architecture processes to reduce complexity levels and produce outcomes valued by the business

Manage complexity and integrate the enterprise

Embrace the cloud and other emerging technologies to boost IT agility and reach customers faster, capitalize on efficiency and cost benefits and do so within risk tolerances

Become agile

Adapt to handle new threats to the enterprise by developing threat-centered operations and a deep understanding of adversaries, their goals and techniques

Accelerate toward security intelligence

Plan a delivery and operational strategy for each of the security services they offer to make a clear-eyed assessment of internal competencies for designing, building and deploying elements of a cyber-security program

Develop end-to-end delivery and sourcing

Leading companies develop effective cyber security measures to handle vulnerabilities and mount an active defense calculated to meet and deflect attacker advances

Page 14: Intelligent Security: Defending the Digital Business

Before leaders can adopt a business-centered cyber security stance, they need to determine where their organizations currently stand and the level of resources required to support meaningful transformation

Assess the security program’s capability and identify leap-ahead opportunities

Phase 1: Threat Understanding

•Standardize security operational processes

•Rationalize security tools

•Implement threat and vulnerability model

Phase 2: Contextualize and Detect

•Map assets to threats and impact, utilizing analytics techniques to detect indicators of compromise or attack

•Optimize and automate both technology and IT process

•Integrate security analytics and intelligence with security operations, align to business outcomes

Phase 3: Active Defense and Response

•Isolate and research threat actor activities

•Adapt security capability to address evolving threat language

•Trigger orchestrated, adaptive responses that pre-empt threats

Page 15: Intelligent Security: Defending the Digital Business

Establish an end-to-end enterprise security program and integrate it with existing enterprise architecture processes to reduce complexity levels and produce outcomes valued by the business

Manage complexity and integrate the enterprise

• Establish a new vision of how security integrates and works with IT and the business, effectively creating a security operating model

• Integrate the security operating model into the overall enterprise architecture, technology and processes

Page 16: Intelligent Security: Defending the Digital Business

Embrace the cloud and other emerging technologies to boost IT agility and reach customers faster, capitalize on efficiency and cost benefits and do so within risk tolerances

Become Agile

Consistently apply technical controls for and from the cloud to the extended enterprise

Craft contractual arrangements to address third-party service provider risk

Share responsibilities with cloud, mobile and social providers to improve agility in security operations

1

2

3

…drive strategy based on how the business may be attacked

…seek to understand the shifting threat landscape

…adapt to pre-empt threats targeting the business

Threat-centric Strategy

Threat-centric Architecture

Threat-centric Operations

Page 17: Intelligent Security: Defending the Digital Business

Accelerate toward security intelligence

Leaders adapt to handle new threats to the enterprise by developing threat-centered operations—developing a deep understanding of adversaries, their goals and techniques

– Leverage existing instrumentation in the enterprises with threat intelligence feeds and additional security event data sources to improve event triage and response performance

– Identify business initiatives / activities of interest to Threat Actors

– Incorporation of Threat Management teams in Security Monitoring & Response

Common User Names – a visualization of the top 100 user names used in a brute force attack

• Employ advanced analytics to deliver “context awareness”

• Assume an active defense stance that increases the level of effort required by an attacker and delivers adaptive, intelligent responses

Advanced security analytics provide graphic tools to help teams analyze large data sets visually, supporting rapid, active defense responses

Page 18: Intelligent Security: Defending the Digital Business

Develop end-to-end delivery and flexible sourcing strategies

Effective security organizations plan a delivery and operational strategy for each of the security services they offer

Considerations for Delivery and Sourcing

Determine which services to keep in-house vs. outsource to external provider

Assess the enterprise’s internal competencies for designing, building and deploying elements of a cyber-security program

Justify sourcing decisions based on the overall risk tolerance, business case and commercial strategy based on security - business alignment

Selecting partners that will help meet security-business goals

Dynamic sourcing approach to address security coverage while helping leadership focus energy on active defense and proactive security capabilities and business enablement

Page 19: Intelligent Security: Defending the Digital Business

Security call to action

Page 20: Intelligent Security: Defending the Digital Business

In industries worldwide, security leaders seek effective ways to improve their ability to defend against cyber security threats, reduce the risk of inadvertent data disclosures, achieve and maintain regulatory compliance, and ultimately enhance the value they deliver to their business counterparts and shareholders

Taking action

Assess current posture and adopt a business-aligned security strategy

Retain staff experienced with security architecture planning and design, tools and integration to drive successful outcomes

Establish an end-to-end delivery capability, underpinned by a pre-integrated security solution set that allows organizations to modularly select for their specific threat areas and adoption pace

Move to extract more value from the data they already collect and analyze

Focus on managing the risk environment instead of concentrating strictly on compliance at the expense of strategically securing business growth, value and innovation

Create a clear and complete picture of defense strategies and synthesized security data to help security leaders make rapid, intelligent security decisions based on business goals

Page 21: Intelligent Security: Defending the Digital Business

Visit www.accenture.com/IntelligentInfrastructures for more information