Cybersecurity The IT Perspective: Trends, Threats and Mitigations ©2017 • Alberto Valentini


Post on 06-Aug-2020



About myself

IT Security Director for Crif Group

Infrastructure Director at Crif HQ

15+ years’ experience in Information Security and IT Governance for multinational companies, as engineer, management consultant and security director

Goal: to Enable and to Protect the Business


CRIF COMPANIES AROUND THE WORLD


CRIF, THE END-TO-END KNOWLEDGE COMPANY

Information

• Credit Bureau and Data Pool

• Business Information

• Big Data

• Identification and Anti-fraud Services

• Property Information

• Insurance Services

• Information Bureau Platforms

Solutions

• Advanced & Big Data Analytics

• Risk & Management Consulting

• End-to-End Credit Management Platform

• E-commerce Solutions

Outsourcing & Processing

• Business Process Optimization

• Credit Collection

• Non Performing Loans Servicing

• Real Estate Valuation

CRIF Ratings

• Regulatory Ratings

• Credit Assessment

Personal Solutions


An ordinary day in Cybersecurity

In 24 hours we register an average of 3000 attacks against a single datacenter

What scares us the most? What we can’t see on the map

CRIF Artificial Logical Learning Intelligence and Online Parsing Engine


Sources of Threat by Type of Actor

Communication Monitoring

Proxy Organizations

Cybercrime

Hacktivism

Tip: Know who your attackers are

– By integrating statistics and sources of intelligence

Cybercrime is pervasive and growing in technical sophistication and entrepreneurship

Hacktivism impacts public opinion and reputation

– Large-scale, demonstrative attacks

Source: IMF and Booz/Allen/Hamilton.


Threats and opportunities in a Global Market

Where traditional security fails

Same services in different markets, with different regulations, different maturity.

New competitors

Mergers and Acquisitions

Blurred boundaries between «inside» and «outside» the company

Lots of interconnections with customers, partners, service providers.

Global Market Traditional Security ??


Cyber-attacks and Cyber-defense: an asymmetrical warfare in a VUCA world

An attacker can hit continuously without expending much effort, yet the defender must devote much greater resources

There is virtually no cost to an attacker for one or more failed attacks, but the cost to a defender for a single successful attack is very high.

Volatility

Uncertainty

Complexity

Ambiguity


Transforming traditional practices

Focus on Strategy Execution

Adapting Risk Management

Managing costs of pervasivity

Partnership with the Business

Transforming Awareness


Cyber Risk Aggregation Levels

The true aggregation of risks related to cyberspace goes well beyond the internal monitoring and risk management capacities of an individual company

| Aggregation Level | Description | Examples |
| --- | --- | --- |
| Internal communication and information technology (IT) | Organization’s internal IT systems | Hardware, software, servers, staff, data. |
| Counterparties and business partners | Risks due to dependence on other parties, or direct interconnections. | Relationship between financial institutions (e.g., through interbank lending); joint ventures; associations |
| Outsourcing and contracting | Contractual relationships with external service providers, inducing concentration risk. | IT and cloud providers; outsourced legal, HR, or consulting activities. |
| Technological externalities | Disruption from or to new technologies which are not well understood | Internet of Things; automatization of services; artificial intelligence. |
| Upstream infrastructure | Disruptions to basic infrastructure that the financial system relies on | Electricity; telecommunication; internet access. |
| Feedback loops | Interrelationships between technologies and industries may give rise to cascading effects. | Unknown relationships suddenly become visible; dynamic range of failures. |
| External shocks | Risks arising outside the system and control of institutions, affecting large parts of cyberspace. | International conflicts; viruses, pandemics. Nearly impossible to predict. |

Source: IMF / Atlantic Council


Embedding Risk Management

In technology: e.g. while assessing technical vulnerabilities

– Technology, when used properly, can provide quantitative and objective risk measurement.

In processes: keep a «lean but effective» Risk Management

– Not just at Corporate Level

– Intercept risks at early stages

– Simple tools to share information

Remediate here!

Alternative Controls here

For IT: is «more secure»

For the Business: can exit the «Castle» and go to another market


Pervasivity

Modern attacks don’t target production systems directly

Often they target PCs and employees first, and then production systems

Need to get insights and security data on the whole «attack surface»

Need to rethink IT security spending

Shadow IT; development and test environments; office branches

Can’t afford «enterprise level» security products and services everywhere


Bimodal IT: the metaphor to approach VUCA


Managing Pervasivity and Costs: Adding new building blocks to traditional security

Cloud Security Services

Open Source Security

Traditional, Enterprise-grade Security Building Blocks

Vulnerability management

Configuration Compliance

Source Code Security

IPS-Firewall

Security Monitoring

Innovative Building Blocks to extend pervasivity

Threat Intelligence

Big Data Aggregation and Standardization – Use Case driven

Security Testing


Partnership with the Business

Need to make decisions quickly

Need to adapt continuously

Provide the Business with reliable and easy to understand information, to drive decisions and take actions.

– Avoid technical «bells and whistles» and focus on key drivers


A new approach to Security Awareness: addressing both Personal and Professional Digital Life

E-commerce frauds

Cyberbullying

Identity theft

Insecure networks

Social media education

Profiling

Hardening personal devices

Phishing

Compliance

Data loss

Social Engineering

Metrics

Professional Digital Life

Personal Digital Life


Thank you for your attention