
The Big Picture on Security

Frank O’Keeffe, Regional Information Security Manager, Microsoft Corporation

Agenda

• Introduction
• What is Information Security
• Evolving Threat Landscape
• Information Security at Microsoft
• Conclusions
• Questions

• Volunteers for extra assignments
• Works late hours
• Takes work home
• Never takes a vacation
• Interested in what co-workers are doing

The ideal employee … or, in the NSA’s words, a “Potential Spy”.

Why do we need security?

Irish bank's stolen laptops contain 10,000 customer files

Agence France-Presse Posted date: April 22, 2008

DUBLIN--Four laptop computers stolen from one of Ireland's largest commercial banks contain the unencrypted details of some 10,000 customers, the bank said on Tuesday.

UK health agency loses 31,000 patients records

Monday, June 23, 2008

Unencrypted laptops containing 31,000 patient records have been lost by two NHS trusts.

A laptop containing 11,000 patient records was stolen from a GP’s home in Wolverhampton. And St George’s Hospital in London has admitted that six laptops were stolen from its filing cabinets at the start of the month, containing the records of 20,000 patients.

Sixteen NI government laptops lost

BBC News

May 23, 2008

“A total of 16 laptop computers have disappeared from executive departments in the past year.

They were among a total of 38 electronic devices that were listed as lost or stolen since the start of May 2007.”

Opposition party press release:

October 1, 2008

“I find it incredible to discover that 19 laptops, 3 desktops, at least 9 Blackberry mobile phones and 4 portable storage devices have been lost across the Departments in 2008. On average, a device that could contain sensitive information about people is lost nearly every week.”


What is Information Security

People, Processes, Technology

People:
• Awareness and Training
• Reference Checks
• Employee On-boarding
• Employee Exit
• Access based on business need

Processes:
• Policies and Standards
• Incident Response
• Separation of Duties
• Systems Development Lifecycle

Technology:
• Vulnerability Management
• Network segmentation
• Intrusion detection
• Encryption
• Anti-malware


Evolving Threat Landscape

1986–1995: Local Area Networks. First PC virus; boot sector viruses. Motive: create notoriety or cause havoc. Slow propagation. 16-bit DOS.

1995–2000: Internet Era. Macro viruses; script viruses. Motive: create notoriety or cause havoc. Faster propagation. 32-bit Windows.

2000–2005: Broadband prevalent. Spyware, spam, phishing, botnets, rootkits. Financial motivation. Internet-wide impact. 32-bit Windows.

2006+: Hyperjacking, peer-to-peer, social engineering, application attacks. Financial motivation. Targeted attacks. 64-bit Windows.

Evolving Threat Landscape: Crime On The Rise

[Chart: attacker motivation (Curiosity, Personal Fame, Personal Gain, National Interest) plotted against skill level (Amateur, Expert, Specialist). Attacker types placed on the chart: Script-Kiddy, Author, Vandal, Trespasser, Thief, Spy. Annotations mark the largest area by volume, the largest area by $ lost, the largest segment by $ spent on defense, and the fastest growing segment.]

Attacks Getting More Sophisticated: Traditional defenses are inadequate

[Diagram: the attack surface as a stack of layers: Physical, Hardware, O/S, Drivers, Applications, GUI, User.]

Examples:
• Spyware
• Rootkits
• Application attacks
• Phishing/Social engineering
• Decreasing patch window
• Zero-day attacks

Increasingly Sophisticated Malware: Anti-malware alone is not sufficient

[Bar chart: number of variants per malware category (Trojan; Downloader/Dropper; Exploit; Worm; Keyloggers etc.; Backdoor; Virus; Rootkit), y-axis 0 to 160,000. Number of variants from over 7,000 malware families (1H07).]

Source: Microsoft Security Intelligence Report (January – June 2007)

Exponential Growth of IDs: Identity and access management challenging

[Chart: number of digital IDs over time (Pre-1980s, 1980s, 1990s, 2000s), rising through the mainframe, client/server, Internet and mobility eras and across B2B, B2C and C2C relationships.]


Microsoft IT Environment

[Map: Redmond, Dublin, Singapore]

• 106,000 end users
• 98 countries/regions
• 441 buildings
• 132 Internet-connected offices
• 360,000+ PCs and devices
• 116,000+ e-mail accounts
• 3,000,000+ internal e-mail messages per day
• 99.99% availability
• 42,000,000+ remote connections/month
• 1.9-terabyte single-instance SAP database

Information Security Drivers

Business: Global Business Model; Customer Requirements; Supplier Requirements

Regulations: Security of Information Assets; Privacy Protection; Industry Mandates

Technology: Mobile Devices; Collaboration Tools; Dogfooding

Risk vs. Value

Microsoft Information Security Concerns

• Regulatory and statutory compliance
• Mobility of data
• Unauthorized access to data
• Malicious software
• Supporting an evolving client

Security Teams: Information Security Embedded in the Business

• Microsoft IT Information Security: Risk Management; Policy; Compliance; Forensics and investigations; Network monitoring
• Trustworthy Computing: Product Security
• Online Services Information Security: Hotmail; MSN; Windows Live
• Stakeholders: Security Champions; Privacy Champions

Security Policy: A Layered Approach

Microsoft Information Security Program (MISP)
• Accountabilities that require Microsoft to operate a security program
• Establishes a framework for a risk- and policy-based approach to protecting assets

Information Security Policy
• Contains principles for protecting and properly using corporate resources
• Supports specific BU security standards, operating procedures, and guidelines

Information Security Standards
• Provide requirements and prescriptive guidance that enable users to comply with the Information Security Policy

Information Security Challenges – Where’s the Data?

Data:
• In transit
• In databases
• In spreadsheets
• On a network share
• On my phone
• On my laptop
• Through web applications
• Outsourced to 3rd party

Case Study - BitLocker

Microsoft needed to reduce the likelihood of its intellectual property and personally identifiable information (PII) being stolen from employees' computers. Additionally, Microsoft wanted to demonstrate for its customers how to protect against these threats.

Strategy and Preparation:
• Pilot to determine best deployment method
• Executive support
• Policy requires personal presence
• Multiple hardware types
• Helpdesk and support technicians trained
• Scripts to monitor compliance
• Targeted user education

Deployment:
• Focus on high-risk mobile users
• TPM + PIN preferred model (otherwise USB start-up key)
• BitLocker image developed
• Install fairs to drive deployment
• New laptops “BitLocker ready”
• Recovery enabled through Active Directory
• Support materials for self-install

Reference: TechNet – IT Showcase – Deployment Planning for BitLocker Drive Encryption for Windows Vista
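The “scripts to monitor compliance” and “recovery enabled through Active Directory” items are the pieces a practitioner has to build. The following is an added example, not from the deck or the IT Showcase paper: a PowerShell check of the operating-system volume against the slide’s preferred model (fully encrypted, protection on, TPM + PIN rather than TPM-only, and a recovery password that can be escrowed in Active Directory). It assumes the BitLocker PowerShell module (Get-BitLockerVolume, Backup-BitLockerKeyProtector; Windows 8 / Server 2012 and later), so it would not run on the Windows Vista clients of the case study, where manage-bde was the equivalent; the function name Test-BitLockerCompliance and the UNC report path are made up for the example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original deck). Assumes the BitLocker PowerShell
# module (Windows 8 / Server 2012 or later). Function and report path are hypothetical.

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,   # e.g. "C:"
        [switch]$BackupToAD                       # also escrow recovery passwords in AD
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The volume must be fully encrypted and protection must be on; a suspended
    #    volume keeps the volume key in the clear on disk, so it counts as unprotected.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($vol.VolumeStatus), expected FullyEncrypted")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is $($vol.ProtectionStatus) (suspended protectors leave the key in the clear)")
    }

    # 2. Preferred model from the slide: TPM + PIN. A bare TPM protector unlocks the
    #    disk without user presence, so a stolen laptop boots straight to the logon
    #    screen; a USB start-up key (ExternalKey) is the slide's fallback for no-TPM hardware.
    $hasPin = ($protectorTypes -contains 'TpmPin') -or ($protectorTypes -contains 'TpmPinStartupKey')
    if (-not $hasPin) {
        if ($protectorTypes -contains 'ExternalKey') {
            $findings.Add("USB start-up key in use instead of TPM+PIN (acceptable only where no TPM exists)")
        } else {
            $findings.Add("No TPM+PIN or start-up key protector (found: $($protectorTypes -join ', '))")
        }
    }

    # 3. A recovery password must exist so the helpdesk can recover via Active Directory.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        $findings.Add("No recovery password protector; AD-based recovery is impossible")
    } elseif ($BackupToAD) {
        # Requires the AD schema/GPO for BitLocker recovery information to be in place;
        # the cmdlet reports an error rather than silently skipping if they are not.
        foreach ($rp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        MountPoint = $MountPoint
        Compliant  = ($findings.Count -eq 0)
        Protectors = ($protectorTypes -join ',')
        Findings   = ($findings -join '; ')
    }
}

# Usage (hypothetical share): run at startup on each laptop and collect the rows centrally.
Test-BitLockerCompliance -BackupToAD |
    Export-Csv -Path "\\server\share\bitlocker\$env:COMPUTERNAME.csv" -NoTypeInformation
```

The check deliberately treats a suspended volume and a TPM-only protector as non-compliant: both encrypt the disk but neither stops an attacker who has the whole laptop, which is exactly the lost-laptop scenario the news items at the start of the deck describe.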


Conclusions

• Security must support business objectives
• Requires leadership visibility and support
• Controls based on risk
• Combines people, processes, technology
• Focus on vital assets and data

Questions

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.