TRANSCRIPT
Cybersecurity
The IT Perspective: Trends, Threats and
Mitigations
©2017 • Alberto Valentini
About myself
IT Security Director for Crif Group
Infrastructure Director at Crif HQ
15+ years’ experience in Information Security and IT Governance for multinational companies, as engineer, management consultant and security director
Goal: to Enable and to Protect the Business
CRIF COMPANIES AROUND THE WORLD
CRIF, THE END-TO-END KNOWLEDGE COMPANY
Information
• Credit Bureau and Data Pool
• Business Information
• Big Data
• Identification and Anti-fraud Services
• Property Information
• Insurance Services
• Information Bureau Platforms
Solutions
• Advanced & Big Data Analytics
• Risk & Management Consulting
• End-to-End Credit Management Platform
• E-commerce Solutions
Outsourcing & Processing
• Business Process Optimization
• Credit Collection
• Non Performing Loans Servicing
• Real Estate Valuation
CRIF Ratings
• Regulatory Ratings
• Credit Assessment
Personal Solutions
An ordinary day in Cybersecurity
In 24 hours we register an average of 3000 attacks against a single datacenter
What scares us the most? What we can’t see on the map
CRIF Artificial Logical Learning Intelligence
and Online Parsing Engine
Sources of Threat by Type of Actor
Communication Monitoring
Proxy Organizations
Cybercrime
Hacktivism
Tip: Know who your attackers are
– By integrating statistics and sources of intelligence
Cybercrime is pervasive and growing in technical sophistication and entrepreneurship
Hacktivism impacts public opinion and reputation
– Large-scale, demonstrative attacks
Source: IMF and Booz Allen Hamilton.
Threats and opportunities in a Global Market
Where traditional security fails
Same services in different markets, with different regulations, different maturity.
New competitors
Mergers and Acquisitions
Blurred boundaries between «inside» and «outside» the company
Lots of interconnections with customers, partners, service providers.
Global Market vs. Traditional Security ??
Cyber-attacks and Cyber-defense: an asymmetrical warfare in a VUCA world
An attacker can hit continuously without expending much effort, yet the defender must devote much greater resources
There is virtually no cost to an attacker for a single or multiple failed attack, but the cost to a defender for a single successful attack is very high.
Volatility
Uncertainty
Complexity
Ambiguity
Transforming traditional practices
Focus on Strategy Execution
Adapting Risk Management
Managing costs of pervasivity
Partnership with the Business
Transforming Awareness
Cyber Risk Aggregation Levels
The true aggregation of risks related to cyberspace goes well beyond the internal monitoring and risk management capacities of an individual company
Aggregation Level | Description | Examples
Internal communication and information technology (IT) | Organization’s internal IT systems | Hardware, software, servers, staff, data.
Counterparties and business partners | Risks due to dependence on other parties, or direct interconnections. | Relationships between financial institutions (e.g., through interbank lending); joint ventures; associations.
Outsourcing and contracting | Contractual relationships with external service providers, inducing concentration risk. | IT and cloud providers; outsourced legal, HR, or consulting activities.
Technological externalities | Disruption from or to new technologies which are not well understood. | Internet of Things; automation of services; artificial intelligence.
Upstream infrastructure | Disruptions to basic infrastructure that the financial system relies on. | Electricity; telecommunication; internet access.
Feedback loops | Interrelationships between technologies and industries may give rise to cascading effects. | Unknown relationships suddenly become visible; dynamic range of failures.
External shocks | Risks arising outside the system and control of institutions, affecting large parts of cyberspace. | International conflicts; viruses, pandemics. Nearly impossible to predict.
Source: IMF / Atlantic Council
Embedding Risk Management
In technology: e.g. while assessing technical vulnerabilities
– Technology, when used properly, can provide quantitative and objective risk measurement.
In processes: keep a «lean but effective» Risk Management
– Not just at Corporate Level
– Intercept risks at early stages
– Simple tools to share information
Remediate here!
Alternative Controls here
For IT it is «more secure»; for the Business it can exit the «Castle» and go to another market.
Pervasivity
Modern attacks don’t target production systems directly
Often they target PCs and employees first, and then production systems
Need to get insights and security data on the whole «attack surface»
Need to rethink IT security spending
Shadow IT; development and test environments; office branches;
Can’t afford «enterprise level» security products and services everywhere
Bimodal IT: the metaphor to approach VUCA
Managing Pervasivity and Costs:
Adding new building blocks to traditional security
Cloud Security Services
Open Source Security
Traditional, Enterprise-grade Security Building Blocks
Vulnerability management
Configuration Compliance
Source Code Security
IPS-Firewall
Security Monitoring
Innovative Building Blocks to extend pervasivity
Threat Intelligence
Big Data Aggregation and Standardization – Use Case driven
Security Testing
Partnership with the Business
Need to make decisions quickly
Need to adapt continuously
Provide the Business with reliable and easy-to-understand information, to drive decisions and take actions.
– Avoid technical «bells and whistles» and focus on key drivers
A new approach to Security Awareness:
addressing both Personal and Professional Digital Life
E-commerce frauds
Cyberbullying
Identity theft
Insecure networks
Social media education
Profiling
Hardening personal devices
Phishing
Compliance
Data loss
Social Engineering
Metrics
Professional Digital Life
Personal Digital Life
Thank you for your attention