robert garigue ciso briefing.ppt

Upload: adityagour2394

Post on 13-Apr-2018

TRANSCRIPT

  • 7/25/2019 Robert Garigue CISO Briefing.ppt

    1/63

    Page 1

    Robert Garigue

    VP and Chief Information Security Officer

    Controlling Order and Disorder

    The evolving role of the CISO within the new structures of Information Systems

    Page 2

    Outline of our expedition

    Background and Analysis Frameworks
    Business models
    The nature of the threats

    The strategic information security framework
    Environmental factors
    Information security processes

    Evolution of information security functions
    Alignment and Integration challenges
    Emerging new risks and concerns

    Reflections on the nature and evolving role of the Chief Information Security Officer

    Travels in a foreign land

    Page 3

    BMO Financial Group

    • Founded in 1817, First Canadian Bank
    • Highly diversified financial institution
      retail banking
      wealth management
      investment banking
    • Assets of 256 billion at October 31, 2003
    • 34,000 employees
    • Strong presence in US Midwest through Harris Bankcorp
    • Overseas offices around the world

    Page 4

    Metrics of the Digital BMO

    200+ Mainframes
    276+ Open System Business Critical Applications
    37,000 Desktops
    200 support servers
    6000 main network devices
    16 Terabytes of data storage

    Page 5

    Myths and Realities

    For some the world is a multidimensional place
    …and for others… it is still flat…
    There are always Myths and Realities.

    Page 6

    An evolving organizational context : Information Society

    Some of the New Realities:
    • Information based productivity
    • Computer mediated decisions
    • Rise of the knowledge worker
    • Network centric structures and value chains
    • Command and Control hierarchies are displaced by Cooperative, Commutative and Coordinated organizations
    • “a burden shared is a burden halved .. an intellectual asset shared is one doubled”

    Page 7

    The Integrated Informational Value-Chain

    [Figure: value-chain diagram; labels: Linked, Complementary, Interdependent; From Goods or Services To Goods with Services]

    Page 8

    Information Flows : Health Care Ecosystem

    Page 9

    The impact will be felt in the three realms of cyberspace

    [Figure: three realms: Physical, Process, Content]

    Page 10

    The Evolution of the Noosphere (Teilhard de Chardin)

    [Figure: evolution from Main Frame to Client Server to Mobile and Peer to Peer; focus shifts from Organizations (command and control) to Individuals (cooperation, coordination and communication); attributes: Ubiquitous, Trusted, Affective, Advisory, Always on, Social]

    Page 11

    It is full of Risk: These are the shape of “Things Now Dead”

    Page 12

    But there will always be conflict between Open systems and Closed systems…. Violent conflict …

    Pablo Picasso. Guernica. 1937, Oil on canvas, Museo del Prado, Madrid, Spain

    Page 13

    Zero-day virus: Slammer 30 minutes later

    http://www.silicondefense.com/research/worms/sql-before.gif
    http://www.silicondefense.com/research/worms/sql-after.gif
    Page 14

    Information Security: A new oxymoron

    Information
    Security
    The debate

    http://www.robertaweir.com/
    http://www.thinkingbaptists.com/forums
    Page 15

    Arguments For Getting Funding : Levels of Maturity of the Organization

    Fear, Uncertainty and Despair:
    “The Hackers, virus, will get us unless..”

    The Heard Mentality:
    “The King needs Taxes”…

    The Analytical ROI:
    “Investment in Intrusion Prevention Systems are better than”…

    Arguments that have yet to come:
    “Because we can take on more business and manage more risks”
    (brakes enable cars can go faster)

    Page 16

    Information Security Managing Expectations: Sometimes it is just a communication issue…

    Page 17

    Consequence A: Information Security Officer as The Jester

    Sees a lot
    Can tell the king he has no clothes
    Can tell the king he really is ugly
    Does not get killed by the king
    Nice to have around but…how much security improvement comes from this ?

    Page 18

    Consequence B: Information Security Officer as Road Kill

    Changes happened faster than he was able to move
    Did not read the signs
    Good intentions went unfulfilled
    A brutal way to end a promising career
    Sad to have around but…how much security improvement comes from this ?

    Page 19

    Maybe a better model for CISO: Charlemagne

    King of the Franks and Holy Roman Emperor, conqueror of the Lombards and Saxons (742-814) - reunited much of Europe after the Dark Ages.

    • He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.
    • He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.
    • He relied on Counts, Margraves and Missi Domini to help him.

    Margraves - Guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.
    Missi Domini - Messengers of the King.

    Page 20

    Knowledge of “risky things” is of strategic value

    How to know today tomorrow’s unknown ?
    How to structure information security processes in an organization so as to identify and address the NET categories of risks ?
    This is the mandate of information security.

    Page 21

    The Interconnected Societies: the critical Infrastructure

    [Figure: layered model of the critical infrastructure. Common layers: Geographical Map Layer (Geopolitical boundaries), Terrain Layer (Elevation), Feature Layer (Land Use, Cities, Buildings, Towers), Physical Backbone Layer (Cables, Fiber Routes, Satellites), Transport Services Layer (SONET Rings, ATM, PSTN), Telecom Services Layer (Internet, Data, Voice, Fax). Sector dependent layers: Operations Layer, Technical Application Layer, Control Layer. Sectors (Telecom, Utilities, Financial, Gov, Healthcare) with examples: Billing & Resource Planning, Load Balancing, Reliability, SS7, SCADA, Grid/Pipeline Monitoring & Control; Billing & Payment, Internet Banking, Financial Services, Utilities, Stock/Financial Exchanges, POS Terminals, ATMs; Legislation, Taxation, Law & Order, Secure channels, Prov. and Fed Services; Billing, Administration, Diagnostics, Electronic Records, Hospitals, Labs & Clinics, Pharmacies, HL7 Layers]

    Page 22

    Indicators and warnings: External environment : the rates of evolutions

    16 new malware products launched every day: viruses, worms, trojan horses, spyware etc
    7 new vulnerabilities discovered every day
    20 minutes guaranty
    Probes against Financial Institutions web sites launched every 6 seconds
    Social engineering is on the rise: People are the weak link

    Hackers
    Script kiddies
    Industrial espionage
    Cyber-terrorists?
    Competitors
    Suppliers

    Page 23

    Indicators and warnings : Threats and targets

    The McKinsey Quarterly, 2002 Number 2, Risk and resilience
    Daniel F. Lohmeyer, Jim McCrory, and Sofya Pogreb

    Page 24

    Manufacturing exploits: The electronic Petri Dish
    Malware : spyware + trojan + spam + exploits + social engineering

    Page 25

    Indicators and warnings: How money was lost (Rough order of magnitude (ROM))

    Source: CSI/FBI Report 2003
    530 US based corporations, Government and educ. inst.

    Page 26

    Identity Theft in Canada

    Page 27

    Hacking Beliefs

    Identity Theft
    One of the fastest growing crimes. Statistics Canada reports 13,359 cases, 21.5 million losses in 2003
    Account takeover (credit cards, bank accounts)
    Application fraud (open new accounts with victim’s ID)
    Industry needs improved identity management solutions and strong public awareness

    Phishing (using email scams to collect confidential information)
    Key issues: detection, shutting down bogus sites, customer awareness
    Banks are posting warnings on their public sites, and updating security page information with “Q&A” type of information.

    Page 28

    Emergent Complexity : Spam Space as Risk

    Page 29

    Structuring Risks: An Organizational Risk Categorization Taxonomy

    Page 30

    Structuring Risks: Regulatory Environment: where are the controls ?

    Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
    Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) - U.S.
    California Law SB1386 - California
    HIPAA (Health)
    Office of the Superintendent of Financial Institutions (OSFI) Canada - Guideline B10
    The Financial Services Authority (FSA) England - OS Section 4
    Federal Financial Institutions Examination Council (FFIEC) - U.S.
    Office of the Comptroller of the Currency (OCC) - U.S. OCC 2001-47
    The Bank Act - OSFI Canada Guidelines B6, B7, B10
    Federal Financial Institutions Examination Council (FFIEC) - U.S. SP-Policy
    Sarbanes-Oxley Act (SO) - U.S.
    Bill 198 - Canada
    SEC Rule 17a-4
    Basel II Accord
    European Union Directives on Information Security
    Canada’s National Security Program
    Patriot Act - US

    [Figure axes: Privacy, Security]

    Page 31

    Regulatory Penalties & Fines Grid

    Name of Regulatory Mandate | Some Potential Penalties | Potential Fines
    SOA | 20 years in prison | 1 million
    Basel II | Regulatory agency penalties: vary by G-20 country | Regulatory agency fines: vary by G-20 country
    HIPAA | 10 years in prison | 250,000
    GLBA | 10 years in prison | 1 million
    Patriot Act | 20 years in prison | 1 million
    DoD 5015.2 | Failure to qualify for DoD contract, Contract breach, FAR penalties | Contract penalties
    California SB 1386 | Unfair trade practice law penalties: vary by state | Private civil and class actions, unfair trade practice law fines: vary by state
    SEC Rule 17a-4 | Suspension/expulsion | 1 million+

    Page 32

    Page 33

    Information Security organization as result of the knowledge transfer process

    [Figure: The Knowledge Transfer Cycle. Axes: Technical Threats (Passive to Real time) against Organizational Complexity/Capability (Low to High). Security Functions: Virtual Private Networks, Firewalls, Virus Scanners, Intrusion Detection, Monitoring, Vulnerability Analysis, Real Time Response, Role based identity, Access management, Digital Rights Management]

    Page 34

    Knowledge transfer

    [Figure: The Knowledge Transfer Cycle repeated, with knowledge network nodes: Banks, Vendors, FIRST, Projects, CANCERT, Clients and Businesses, wireless, Info/infrastructure, Utilities, Health, Telecom, Knowledge networks; same Security Functions axis as Page 33]

    Page 35

    Control Framework is a hierarchy of accountability structures

    [Figure: layers from Infrastructure to Infostructure: Perimeter Protection, Access Management, Content control, Operational Support, Clients/Users, Applications, Business; controls: Network Protection, Operating System Protection, User Access Control and Authorization, Object Integrity, Content Certification, Digital Signatures; overlaid by Privacy and Security]

    Page 36

    Information Security Management Framework

    RISK/COST
    STRATEGIC RISK LEVEL: LOW
    TACTICAL RISK LEVEL: MEDIUM
    OPERATIONAL RISK LEVEL: HIGH

    Business Requirements, Design, Development, Implementation, Operations

    STRATEGIC - Governance and policies
    • Policies, Standards, Procedures, Guidelines, Awareness, Research

    TACTICAL - Application/system development and deployment
    • Design reviews, IS solutions, Due care, Risk acceptance, New technology insertion

    OPERATIONAL - Active security posture
    • Antivirus management
    • Vulnerability assessments
    • Intrusion detection, Incident response

    OPERATIONAL - IS services
    • Access management
    • Key management, Security token management
    • Other operational services

    Risk curves

    Page 37

    Information Security Key Performance Indicators

    Policy
    Number of Policy Exceptions
    Number of Risk Acceptances
    Value of Residual Risk

    Process
    Number of security issues in new projects
    Number of ID accounts (active/dead)
    Number of keys / digital certificates / tokens
    Time to respond to patches, incidents
    Losses due to security incidents

    People
    Number of certified personnel
    Overall capital investment ratio: security to IT spend, per system, per person, per incident

    Tycho Brahe (1546-1601)

    Page 38

    Information Security Key Performance Metrics

    [Figure: chart "Risk Acceptance and ISM Exception Forms", scale 0 to 160, by quarter Q3 2003 through Q3 2004; Active ISM Exceptions +4.2 vs. vs. vs.]

    Page 39

    April Microsoft Security Patch Deployment (Servers & Workstations : 3?,000 systems reported)

    [Figure: % Complete (0 to 100) against Days Elapsed (1, 6, 11, 16). Annotations: Patch Announced (Zero days elapsed); "Accelerated" Threshold (2 days elapsed); Proposed "Accelerated" Threshold (7 days elapsed); Advisory upgraded (exploit emerges); "Normal" Threshold (2 weeks elapsed); Major Areas Complete (16 days elapsed); Sasser worm emerges (17 days elapsed)]

    Microsoft Patch Deployment matrix (row and column labels not recoverable):
    Emergency | Accelerated | Accelerated
    Accelerated | Accelerated | Normal
    Accelerated | Normal | Normal

    Note: April 2004 release required 4 separate patches

    [Table: Patch/Incident against Days to Patch: April 2004 Critical (4); February 2004 Critical; Nachi/Blaster (August 2003); SQL Slammer (January 2003); day counts not recoverable]

    Page 40

    Major Networks

    [Table: by year/quarter (2001, 2002) across Nesbitt Burns, Capital Markets, Harris and two other networks; names and values not recoverable]

    Page 41

    Training
    Fast

    Page 42

    Making The Case for Security Investments

    Return on Investment (ROI) has failed to demonstrate it economically because there are too many variables
    Benefits hard to quantify: what’s the value of good health?
    Statistical data unreliable and changing fast
    Cost avoidance not the same as cost savings
    The “language divide”: accounting vs. security
    Loss of credibility more costly than loss of physical assets
    Technology substitution is not a guaranty of more capability

    [Figure: curves for Total Security costs, Incidents Costs, Security Investments]

    Page 43

    The Security Challenge: Alignment

    The Digital Divide: Two solitudes, in virtual isolation
    Project assessment

    Security services: Antivirus, Patches, Vulnerability Assessments, Incident management, Intrusion detection, Application security, Access management, Key management
    IT processes: Application development, Architecture, Problem management, Incident management, Change management, Service level, Configuration, Firewall rules, Capacity, Availability, IT Service continuity

    Page 44

    Maturity Framework Levels: Stages of Evolution of a system

    Phase | Description
    0. Absence | Nothing present
    1. Initiation | Concrete evidence of development
    2. Awareness | Resources allocated
    3. Control | Formalized
    4. Integration | Synergy between processes
    5. Optimization | Continuous self improvement & optimization

    Characteristics: visible results, management reports, task/authorities defined, active rather than reactive, documentation, formal planning

    Page 45

    Maturity Frameworks pedigree : The reference framework

    It is better not to proceed at all than to proceed without method
    Descartes

    Information Security Maturity model ISO 17799

    Page 46

    Information Security Maturity model - ISO 17799, Information Technology Infrastructure Library (ITIL), SEI CMM (Capability Maturity Model)

    Page 47

    A proposal for a new integrated risk framework

    The objective is to lower the overall risk through capability maturity framework integration

    [Figure: lifecycle Bus. Req., Design, Development, Implementation, Operations against frameworks ITIL, SEI CMM, ISO Project, ISO 17799; Risk Management through Maturity Framework alignment; Organizational focus]