waldemar [email protected] key elements of … · key elements of information security policy...
TRANSCRIPT
IT creates business valueUnrestricted © Siemens AG 2014
Key elements of InformationSecurity PolicyInformation Security @ Siemens(Risk Management in modern organizations)
waldemar [email protected]
09/2014
Unrestricted © Siemens AG 2014Page 2 GS IT ISEC
IT creates business value
Welcome to the Information Security TeamAbout us
Our Information Security Community
• secures the biggest Active Directoryservice worldwide
• protects about 60 Global Data Centers,120 Internet Access Points and over400.000 end user devices
• remediates over 20.000 securityvulnerabilities and incidents every year
• blocks over 850.000 malware emails (e.g.viruses) and 16 million spam mails everymonth
We are a global team and can leverage onknow how and experience on a worldwidelevel§ ~ 180 employees§ AAE: ~25 employees§ Americas: ~30 employees§ Europe: ~ 125 employees
Ongoing PR!O Program Activities• Rollout of global Cyber Defense Centers• Implement risk focused governance model and
re-aligned global community• Execute Golden Nugget protection• Enhance InfoSec Risk Management process /
ACP• Supplier Management for InfoSec• Redesign and implement Vulnerability
Management• Design of Resource Islands• …Major Regional InfoSec Projects• Enabling secure IT Infrastructure of the Future
(IIoF), e.g. IT services in the cloud• Piloting the protection for critical information by
Data Leakage Prevention (DLP) services• …
Security Services steered by ISEC:
• Cyber Defense Centers (CDC)
• Vulnerability Management
• Computer Emergency Response Team(CERT, provided by CT RTC ITS)
• Corporate Security Training Service
CoE ISEC guides and drives InfoSec strategy, governance and execution Siemens-wide as defined by Siemens Chief Information Security Officer (CISO).
Security Services governed by ISEC
• Identity Management
• Malware Protection
• Encryption
• Business Partner Access
• InfoSec Dash
09/2014
Unrestricted © Siemens AG 2014Page 3 GS IT ISEC
IT creates business value
CoE Information SecurityOur Vision, Mission and Collaboration Principles
Vision & Mission
Collaboration Principles
The CoE Information Security drives the strategy, governance and execution for Siemens informationSecurity (InfoSec) and IT Cyber Security globally.We collaborate with IT Business Partner organizations (IT BP’s) to gather and respond to businessInfoSec demands, as well as to collaborate with IT Centers of Expertise (CoE’s) in the implementationof InfoSec policies and solutions to protect Siemens and its most critical assets.
At Siemens, Siemens comes first!
We are decisive, takemoderate risks, take initiative,
and are accountable
We support the business toadequate protect their critical
knowledge / information!
Business Partners and CoEs have asingle point of contact for all topics
regarding Information Security!
We promote open, candiddiscussion and
decision-making
We are One ISEC!
We reducecommunication distortion
at all levels
09/2014
Unrestricted © Siemens AG 2014Page 4 GS IT ISEC
IT creates business value
Siemens InfoSec Ecosystem
IT | CSO | CT PS | CT ITS
IT ISEC
Monitoring
Customers(e.g. BT servicing
customer)
Cloud(e.g. Philos) Internet
Partners /Communities
(e.g. MAYA)
Basic HygieneNew Admin conceptEnhanced CriteriaSpecial Networks
Measure PlansInfoSec PoliciesEndpoint ProtectionNetwork Protection (eg,Resource Islands)Identity Management (eg,AD redesign)Data Protection (eg, DLP)Vulnerability Management(IPINS new)Cyber Defense Center (e.g.threat intel,, SIEM, longterm analytics)
Wha
tW
eD
o GN Protection
Risk ManagementACP ProcessInfoSec Concepts
HowW
eD
oIt
Applications
Infrastructure
R&D
Supply ChainSecurity
Factories
Mobility
Endpoints
09/2014
Unrestricted © Siemens AG 2014Page 5 GS IT ISEC
IT creates business value
Big picture of Information Security
Implement,Monitor, Evaluate
and RefineInformation Security
Concept
“GoldenNuggets”
Information Security Concept
Criticality of an enterprise asset drives thefocus on security
Protect
Malware Protection
Network Segmentation
Basic Hygiene(e.g. vulnerability
management, patching)
Asset
ClassificationBusiness identifies
critical assets Infrastructureassets
Tailored Information SecurityConcept
Foundational Informationsecurity
Detect
Cyber Threat Intelligence
Security Information andEvent Monitoring (SIEM)
Real-Time and TrendingAnalytics
React
Incident Handling
Forensics
ContinuousImprovement
09/2014
Unrestricted © Siemens AG 2014Page 6 GS IT ISEC
IT creates business value
The foundation of Information Security@Siemenshas already effective components (Part 1)
Corporate Entitlement
§ Basis for secure communication and storage ofconfidential data and a precondition for trustworthyand secure transactions
§ Data encryption, authentication, digital signature
§ > 350.000 peopleequipped with PKI cards
Siemens Public Key Infrastructure (PKI)
AIR Program
EAGLE - In-house high-security data center
§ Provides web-based authentication for Siemensemployees, external business partners and Siemenscustomers
§ Efficiently protects approx. 600 web-basedapplications by using adequateauthentication methods, e.g. strong2-factor authentication (PKI) forcritical applications
§ Highest security level§ High process maturity§ Proven organizational practices§ Carefully chosen employees§ High performance§ Regional extensions§ Flexibility & agility (e.g. Active
Directory insourcing, “Geheimschutz”)to operate Siemens’ ‘mission critical’ services globally
§ Initiated by the Managing Board (Tone from the Top)§ Business involvement in CEO workshops§ Outside-In Check (Booz Allen Hamilton maturity
assessment) showed that InfoSec@Siemens is onthe right way, but has to close some gaps
09/2014
Unrestricted © Siemens AG 2014Page 7 GS IT ISEC
IT creates business value
The foundation of Information Security@Siemenshas already effective components (Part 2)
Re-Insourcing of critical network services
§ Yearly web-based InfoSec training with approx.300.000 users to raise and keep up awareness
§ 10 InfoSec one pagers available - practical guidanceon what needs to be observed in specific situations(e.g. social media, e-mailcommunication, mobile devices)
§ Best practice awareness campaigns inseveral Sectors and Clusters
InfoSec Training
PR!O Program
SAP Single-Sign On
§ After critical events (AD, Netpro incidents) CITdecided to re-insource the crucial network services§ Active Directory Forest Root§ Central Administration Exchange§ Top-level Domain Name Service
into EAGLE
§ Transition finished in 04/2013
§ Project initiated by the CIO Board in 02/2012 tosignificantly improve SAP security
§ PKI login secures access through strong 2-factorauthentication (PKI-login)
§ Encryption of communication between SAP andenvironment
§ Implementationcompleted in 09/2013
§ 100% Protection is impossible, due to constantlychanging threats and attacker capabilities. Thereforecontinous development of InfoSec is needed
§ PR!O focuses on the most important topics to protectSiemens’ critical assets
IT creates business valueUnrestricted © Siemens AG 2013
Situational AwarenessCyber Defense CenterDeep Dive
CyberDefense
Center
09/2014
Unrestricted © Siemens AG 2014Page 9 GS IT ISEC
IT creates business value
Situational Awareness provides a comprehensiveoverview of the security state
• *Malware, Patching, Firewalls, Asset Inventories, …
Internet Gateway Mail Gateway
VulnerabilityManagement
Security Information andEvent Monitoring (SIEM)
Threat Intelligence
Risk and EventAnalysis
ResourceIslands
Basic Hygiene(Protect)
Are our assetsvulnerable?
What are current threatsfor Siemens?
Are attackers in our networks?
Clients
Siemens Network
Transparency(Golden Nuggets, ACP,
Asset Inventories)
Processdiscipline
Initiateadequateactions
(e.g. IncidentHandling)
Situational Awareness(Detect)
ThreatIntelligenceExternal Input
…
Incident Handling &Projects(React)
09/2014
Unrestricted © Siemens AG 2014Page 10 GS IT ISEC
IT creates business value
…. and the current InfoSec Threat landscape
Threat Highlights• Some is known
• A lot is unknown
• We must learn to operate in acompromised environment
Viewpoint
Supply Chain InterventionChinese hackers poison inventoryscanners at key worldwidelogistics firms and extractshipment data ("ZombieZero")
Energy Infrastructure Infiltration(Siemens software exploited)Russian attackers target gridoperators, petroleum pipelineoperators, electricity generationfirms to steal data and potentiallymount sabotage operations
SCADA and ICS systemsHackedCalifornia firm targeted byHavex, a remote access trojan,using watering hole tactics tomaximize breach and install 88variants of the malware
09/2014
Unrestricted © Siemens AG 2014Page 11 GS IT ISEC
IT creates business value
Threat Intelligence PlatformProvides interface of and owns
“What & How” of adversary info
Data Sources
Technical & OperationalSituational Awareness leverages robust processes, advanced tools,and experienced Cyber Analysts
GainProxies
GainCoreFW
GainCoreAD
GainURA
GainEmail
DBAccess
GoldenNugget
SAPAccess
ResrcIsland
GainDHCP
GainDNS
IDS
Analytics Platformbusiness logic + data + analysis
Complex Queries
ComplexCorrelations
Algebraic & Statistical analysis
Long-term trendanalysis
Baseline anomalydetection
Indicators(dB)
ThreatIntelligence(Context)
Results in
Discovery of incidentscope, indicators and
intelligence
Cyber ThreatInvestigation
Stakeholders informed;incident remediated;lessons learned ID’d
Incident Handling
ScopeScope ScopeExtendScopeExtend
ToolTool ProcessProcess
Internal LessonsLearned Sharing
“Expertise”
Cyber Analyst
leverages experience,analytics results,
indicators, and threatintelligence
“Incident Cycle”
Cyber Analyst determinesTrue Positives initiating aninvestigation and incident “Investigation Cycle”
Cyber Analyst uses existingindicators and threat
intelligence to reveal newindicators and new
intelligence within aninvestigation
“SIEM Cycle”
Cyber Analystcreates content
and triages alerts
CyberAnalyst
Internal &External
IntelligenceSharing
Internal &External
IntelligenceSharing
SIEM Platformbusiness logic + data
Real-TimeMonitoring
Rules Engine
Workflow
Alerting
LogNormalization
Anonymize /tokenize