Lloyds 360 Risk Insight, Dec 2010. Malcolm Harkins, Chief Information and Security Officer, General Manager Intel Information Risk and Security

Page 1: Title slide

Lloyds 360 Risk Insight, Dec 2010

Malcolm Harkins, Chief Information and Security Officer

General Manager Intel Information Risk and Security

Page 2: Legal Notices

This presentation is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

BunnyPeople, Celeron, Celeron Inside, Centrino, Centrino logo, Core Inside, FlashFile, i960, InstantIP, Intel, Intel logo, Intel386, Intel486, Intel740, IntelDX2, IntelDX4, IntelSX2, Intel Core, Intel Inside, Intel Inside logo, Intel. Leap ahead., Intel. Leap ahead. logo, Intel NetBurst, Intel NetMerge, Intel NetStructure, Intel SingleDriver, Intel SpeedStep, Intel StrataFlash, Intel Viiv, Intel vPro, Intel XScale, IPLink, Itanium, Itanium Inside, MCS, MMX, Oplus, OverDrive, PDCharm, Pentium, Pentium Inside, skoool, Sound Mark, The Journey Inside, VTune, Xeon, and Xeon Inside are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

*Other names and brands may be claimed as the property of others.

Copyright © 2009, Intel Corporation. All rights reserved.

Page 3: “The Perfect Storm”

Figure: risk-relationship diagram (image not preserved; only the recoverable labels are listed).

Nodes: Vulnerabilities; Threats; Controls; Assets; Business Impacts; Confidentiality, Integrity, Availability; Assurance / Identity Mgmt; Legislation; Business Risks.

Arrow labels: which protect against; exploit; exposing to a loss of; causing; which are mitigated by; increase; reduce; which requires; that increase the need for.

Page 4: Intrusion Cycle

Figure: intrusion-cycle diagram (image not preserved; only the recoverable labels are listed).

Labels: Spyware; Spam; Phishing; People; Technology; Assets; The Web.

Adversary: Hacker Group; Organized Crime; Cyber Militia; Nation State; Cyber Terrorism.

Tradecraft, Tools, Methods – not that different, but the motivation and purpose can differ.

Pages 5 to 10: Irrefutable Laws of Information Security (one slide built up one law at a time across pages 5 to 9; page 10 shows the complete list)

1) Information wants to be free – People want to talk, post, and share

2) Code wants to be wrong – We will never have 100% error free s/w

3) Services want to be on – Some background processes will need to be on

4) Users want to click – If they are connected to the internet, people will click on things

5) Even a security feature can be used for harm – Laws 2, 3, 4 even apply to security capabilities

Compromise is inevitable under any compute model.

Managing the risk and surviving is the key.

*Phil Venables 2008, adapted from Scott Culp 2000, Pete Lindstrom 2008, and other sources

Page 11: So how do you manage the risk and survive?

Four pillars: Infrastructure Protection; Identity & Access Mgmt; Security Business Intelligence; Data Protection

Cycle: Predict; Detect; Respond; Prevent

Capabilities: Data Enclaving; Risk Based Privileges; Predictive Analytics; Endpoint Protection; Central Logging Service; Data Correlation/Alerting; Browser Security; Training & Awareness

Page 12: Granular Trust Enablement / Multi-Level Trust

Page 13: Key Messages

The world has changed, it’s no longer flat
– Mobility and Collaboration are dissolving the internet border
– Cloud Computing is dissolving the Data Center border
– Consumerization will dissolve the enterprise border

The threat landscape is growing in complexity
– Targeted intrusions and attacks leveraging a wide range of vulnerabilities and growing in sophistication
– Government focus growing – “Industry can’t self-regulate”

The dynamic nature of the ecosystem requires a more fluid but more granular security model

Security investment needs to keep pace with the changing landscape

Protect, Enable, and Manage the Risk
