Lloyds 360 Risk Insight, Dec 2010
Malcolm Harkins, Chief Information and Security Officer
General Manager, Intel Information Risk and Security
Legal Notices
This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
BunnyPeople, Celeron, Celeron Inside, Centrino, Centrino logo, Core Inside, FlashFile, i960, InstantIP, Intel, Intel logo, Intel386, Intel486, Intel740, IntelDX2, IntelDX4, IntelSX2, Intel Core, Intel Inside, Intel Inside logo, Intel. Leap ahead., Intel. Leap ahead. logo, Intel NetBurst, Intel NetMerge, Intel NetStructure, Intel SingleDriver, Intel SpeedStep, Intel StrataFlash, Intel Viiv, Intel vPro, Intel XScale, IPLink, Itanium, Itanium Inside, MCS, MMX, Oplus, OverDrive, PDCharm, Pentium, Pentium Inside, skoool, Sound Mark, The Journey Inside, VTune, Xeon, and Xeon Inside are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
*Other names and brands may be claimed as the property of others.
Copyright © 2009, Intel Corporation. All rights reserved.
“The Perfect Storm”
[Slide diagram: a risk model whose nodes are Vulnerabilities, Threats, Controls, Assets, Business Impacts (loss of Confidentiality, Integrity, Availability), Assurance / Identity Mgmt, Legislation and Business Risks, joined by the edge labels “exploit”, “which protect against”, “exposing to a loss of”, “causing”, “which are mitigated by”, “increase”, “reduce”, “which requires” and “that increase the need for”. The reading recoverable from the labels: threats exploit vulnerabilities, exposing assets to a loss of confidentiality, integrity or availability and causing business impacts, which are mitigated by controls that protect against the vulnerabilities.]
Intrusion Cycle
[Slide diagram labels: Spyware, Spam, Phishing; People, Technology; Assets, The Web.]
Adversary: Hacker Group, Organized Crime, Cyber Militia, Nation State, Cyber Terrorism
Tradecraft, Tools, Methods – not that different, but the motivation and purpose can differ
Irrefutable Laws of Information Security
1) Information wants to be free – People want to talk, post, and share
2) Code wants to be wrong – We will never have 100% error free s/w
3) Services want to be on – Some background processes will need to be on
4) Users want to click – If they are connected to the internet, people will click on things
5) Even a security feature can be used for harm – Laws 2, 3, 4 even apply to security capabilities
Compromise is inevitable under any compute model
Managing the risk and surviving is the key
*Phil Venables 2008, adapted from Scott Culp 2000, Pete Lindstrom 2008, and other sources
So how do you manage the risk and survive?
[Slide matrix of security areas (Infrastructure Protection, Identity & Access Mgmt, Security Business Intelligence, Data Protection) against the phases Predict, Detect, Respond, Prevent, populated with the following capabilities:]
– Data Enclaving
– Risk Based Privileges
– Predictive Analytics
– Endpoint Protection
– Central Logging Service
– Data Correlation/Alerting
– Browser Security
– Training & Awareness
Granular Trust Enablement – Multi-Level Trust
Key Messages
The world has changed, it’s no longer flat
– Mobility and Collaboration are dissolving the internet border
– Cloud Computing is dissolving the Data Center border
– Consumerization will dissolve the enterprise border
The threat landscape is growing in complexity
– Targeted intrusions and attacks leveraging a wide range of vulnerabilities and growing in sophistication
– Government focus growing – “Industry can’t self-regulate”
The dynamic nature of the ecosystem requires a more fluid but more granular security model
Security investment needs to keep pace with the changing landscape
Protect, Enable, and Manage the Risk