security-invest where it matters most
Presented at InnoTech Austin 2013. All rights reserved.
Copyright © 2013 World Wide Technology, Inc. All rights reserved.
Mario Balakgie, Principal Security Consultant
16 October 2013
WWT SECURITY PRACTICE
Security – Invest Where it Matters Most
It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently
– Warren Buffett
Immediate Security Challenges of a Hyper-Connected World
EVOLUTION OF CONNECTIVITY
• Local and wide area networks
• Various flavors of Wi-Fi
• Intelligent devices
• Internet of things
• Cloud technologies
THREATS
• Unsecured peer-to-peer access
• Mobile threats - malware and SMS fraud
• Advanced Persistent Threats (APTs)
• Non-malicious breaches
• Denial of Service (DoS)
Measuring Up to the Challenge: The Path from Tactics to Strategy.
History of Threat Evolution … and Threat Defense
• 1990: Viruses and worms
• 2000: Malware and phishing attacks
• NOW: Cyber attack missions utilizing Advanced Persistent Threats (APT) have redefined the rules of engagement
Tactical Approach Creates Unbalanced Response Posture
UNNECESSARY WEAKNESSES IN KEY AREAS OF VULNERABILITY
• Key Assumption: Complete protection against all threats and vulnerabilities is beyond the tactical capabilities of most enterprise IT security programs.
…Trying to do so generates a tactics-based response stance…
Strategic Approach Creates Targeted Response Posture
STRENGTH IN AREAS OF CONCERN AND VULNERABILITY
• The future of IT security requires an approach that assumes those who want to get in will get in.
…With this in mind, your organization must embrace principles that guide a strategy – where do you invest?
Cyber Security – A Strategic Imperative
• Businesses Depend on Technology
  • Highly complex
  • A Boardroom level concern
• Innovation
  • A constant factor with major effects
  • Challenges security management
• Cyber Threats
  • It is the State-of-Affairs
  • Necessitates C-Suite decision-making and risk management
  • Requires new thinking for protection
  • Speed of action and ability to adapt is critical
DIFFERENT ORGANIZATIONS • DIFFERENT VULNERABILITIES
Cyber Readiness
• Threat defense maturity model and gap analysis
• Alignment with business priorities
• Remediation recommendations as part of a risk-based security model
BENEFIT: Your Defense Represents an Ongoing Alignment with Your Vulnerabilities
How does an organization approach the security challenge and meet the never-ending demand?
• Determine Your Readiness
• Commit to a Plan
• Invest for Impact
Determining Security Capability
• “Capability” determination is the degree to which:
  • Institutionalized – a process has been ingrained in the way work is defined, executed, and managed
  • Repeatable – a commitment and consistency to performing the security process
  • Expectation – you know what to expect in terms of organizational reaction and ability with a high level of confidence
• Value of knowing and managing readiness level is to answer important questions on:
  • Can we effectively manage our security posture?
  • How do we maintain levels of protection and ultimately our success?
  • Are we adaptive to changing risk environments?
Cyber Security Maturity Model
• Level 1, Initial: Dependent on heroics; institutional capabilities lacking, not of the organization
• Level 2, Repeatable: Process established and repeating; reliance on people is reduced
• Level 3, Defined: Policies, processes and standards defined and formalized across the organization
• Level 4, Managed: Risks measured and managed quantitatively and aggregated on an enterprise-wide basis
• Level 5, Optimized: Organization focused on continuous improvement of security risk management
Systematically Build and Improve Enterprise Cyber Security Capabilities
[Figure labels: Ad Hoc / Chaotic, Optimizing, Quantitative, Quantitative / Qualitative, Intuitive]
Example: Security Domains
1. Cyber Security Policy
2. Organization of Cyber Security
3. Governance, Risk, and Compliance
4. Asset and Information Management
5. Operations Security
6. Access Control
7. Mobile Technology
8. Breach Response
9. Business Continuity
10. Others as needed
Domains can be selected based on the organizational needs, business drivers, or identified as challenges
Example: Summary of Organization Score
[Chart: Maturity Rating (scale 1 to 5) by Security Domain, with Goal Level and Current Level series. Domains shown: Cyber Security Policy; Organization of Cyber Security; Governance, Risk, and Compliance; Asset and Information Management; Operations Security; Access Control; Mobile Technology; Breach Response; Business Continuity; Overall. Data labels shown: 2 and 4.36666666666667.]
Example: Operations Security
[Chart: Goal Level and Current Level (scale 1 to 5) for Documented Procedures; 3rd Party Management; System Plan & Acceptance; Malicious Code Protection; Backup Process; Network Security; Media Handling; Monitoring; Overall. Data labels shown: 2 and 4.6875.]
Key Observations
• Network security function is fragmented between operations
• Monitoring is mostly manual
• System development not separated
Actions to Reach Maturity Level 5
1) Restructure monitoring roles and responsibilities
2) Identify security technology to automate log and audit reviews
Example: Access Control
[Chart: Goal Level and Current Level (scale 1 to 5) for Access Need Controls; User Access Mgt; User Responsibilities; Network Access; Operating System Access; Application Access; Overall. Data labels shown: 2.25, 4.333333333333, 3 and 3.]
Key Observations
• Access procedures do not address urgent scenarios of termination
• Privilege access wide and prevalent and lacks management
Actions to Reach Maturity Level 4
1) Review policy and implement strong, well-defined procedures
2) Control privilege access and establish decision authority
Example: Roadmap for Readiness Improvements
[Figure: roadmap plotting Security Capability against time (3 Months, 6 Months, 12+ Months). Steps shown: Re-Evaluate Cyber Readiness and Maturity; Formalize Plan for Readiness Improvements; Monitor and Evaluate; Implement High Priority Capabilities; Assess Compliance and Certify; Implement Medium Priority Capabilities; Review Security Architecture.]
Summary
• Cyber Security is a Must for all businesses – it’s a question of readiness
• Enterprise-wide program effectiveness requires a process with structure and formal decision-making
• Understand where you are today and where you want to go
Make investments that matter the most!
Questions?
Thank you