waldemar [email protected] key elements of … · key elements of information security policy...

IT creates business valueUnrestricted © Siemens AG 2014

Key elements of InformationSecurity PolicyInformation Security @ Siemens(Risk Management in modern organizations)

waldemar [email protected]

09/2014

Unrestricted © Siemens AG 2014 GS IT ISEC

IT creates business value

Welcome to the Information Security TeamAbout us

Our Information Security Community

• secures the biggest Active Directoryservice worldwide

• protects about 60 Global Data Centers,120 Internet Access Points and over400.000 end user devices

• remediates over 20.000 securityvulnerabilities and incidents every year

• blocks over 850.000 malware emails (e.g.viruses) and 16 million spam mails everymonth

We are a global team and can leverage onknow how and experience on a worldwidelevel§ ~ 180 employees§ AAE: ~25 employees§ Americas: ~30 employees§ Europe: ~ 125 employees

Ongoing PR!O Program Activities• Rollout of global Cyber Defense Centers• Implement risk focused governance model and

re-aligned global community• Execute Golden Nugget protection• Enhance InfoSec Risk Management process /

ACP• Supplier Management for InfoSec• Redesign and implement Vulnerability

Management• Design of Resource Islands• …Major Regional InfoSec Projects• Enabling secure IT Infrastructure of the Future

(IIoF), e.g. IT services in the cloud• Piloting the protection for critical information by

Data Leakage Prevention (DLP) services• …

Security Services steered by ISEC:

• Cyber Defense Centers (CDC)

• Vulnerability Management

• Computer Emergency Response Team(CERT, provided by CT RTC ITS)

• Corporate Security Training Service

CoE ISEC guides and drives InfoSec strategy, governance and execution Siemens-wide as defined by Siemens Chief Information Security Officer (CISO).

Security Services governed by ISEC

• Identity Management

• Malware Protection

• Encryption

• Business Partner Access

• InfoSec Dash

09/2014



CoE Information SecurityOur Vision, Mission and Collaboration Principles

Vision & Mission

Collaboration Principles

The CoE Information Security drives the strategy, governance and execution for Siemens informationSecurity (InfoSec) and IT Cyber Security globally.We collaborate with IT Business Partner organizations (IT BP’s) to gather and respond to businessInfoSec demands, as well as to collaborate with IT Centers of Expertise (CoE’s) in the implementationof InfoSec policies and solutions to protect Siemens and its most critical assets.

At Siemens, Siemens comes first!

We are decisive, takemoderate risks, take initiative,

and are accountable

We support the business toadequate protect their critical

knowledge / information!

Business Partners and CoEs have asingle point of contact for all topics

regarding Information Security!

We promote open, candiddiscussion and

decision-making

We are One ISEC!

We reducecommunication distortion

at all levels

09/2014



Siemens InfoSec Ecosystem

IT | CSO | CT PS | CT ITS

IT ISEC

Monitoring

Customers(e.g. BT servicing

customer)

Cloud(e.g. Philos) Internet

Partners /Communities

(e.g. MAYA)

Basic HygieneNew Admin conceptEnhanced CriteriaSpecial Networks

Measure PlansInfoSec PoliciesEndpoint ProtectionNetwork Protection (eg,Resource Islands)Identity Management (eg,AD redesign)Data Protection (eg, DLP)Vulnerability Management(IPINS new)Cyber Defense Center (e.g.threat intel,, SIEM, longterm analytics)

Wha

tW

eD

o GN Protection

Risk ManagementACP ProcessInfoSec Concepts

HowW

eD

oIt

Applications

Infrastructure

R&D

Supply ChainSecurity

Factories

Mobility

Endpoints

09/2014



Big picture of Information Security

Implement,Monitor, Evaluate

and RefineInformation Security

Concept

“GoldenNuggets”

Information Security Concept

Criticality of an enterprise asset drives thefocus on security

Protect

Malware Protection

Network Segmentation

Basic Hygiene(e.g. vulnerability

management, patching)

Asset

ClassificationBusiness identifies

critical assets Infrastructureassets

Tailored Information SecurityConcept

Foundational Informationsecurity

Detect

Cyber Threat Intelligence

Security Information andEvent Monitoring (SIEM)

Real-Time and TrendingAnalytics

React

Incident Handling

Forensics

ContinuousImprovement

09/2014



The foundation of Information Security@Siemenshas already effective components (Part 1)

Corporate Entitlement

§ Basis for secure communication and storage ofconfidential data and a precondition for trustworthyand secure transactions

§ Data encryption, authentication, digital signature

§ > 350.000 peopleequipped with PKI cards

Siemens Public Key Infrastructure (PKI)

AIR Program

EAGLE - In-house high-security data center

§ Provides web-based authentication for Siemensemployees, external business partners and Siemenscustomers

§ Efficiently protects approx. 600 web-basedapplications by using adequateauthentication methods, e.g. strong2-factor authentication (PKI) forcritical applications

§ Highest security level§ High process maturity§ Proven organizational practices§ Carefully chosen employees§ High performance§ Regional extensions§ Flexibility & agility (e.g. Active

Directory insourcing, “Geheimschutz”)to operate Siemens’ ‘mission critical’ services globally

§ Initiated by the Managing Board (Tone from the Top)§ Business involvement in CEO workshops§ Outside-In Check (Booz Allen Hamilton maturity

assessment) showed that InfoSec@Siemens is onthe right way, but has to close some gaps

09/2014



The foundation of Information Security@Siemenshas already effective components (Part 2)

Re-Insourcing of critical network services

§ Yearly web-based InfoSec training with approx.300.000 users to raise and keep up awareness

§ 10 InfoSec one pagers available - practical guidanceon what needs to be observed in specific situations(e.g. social media, e-mailcommunication, mobile devices)

§ Best practice awareness campaigns inseveral Sectors and Clusters

InfoSec Training

PR!O Program

SAP Single-Sign On

§ After critical events (AD, Netpro incidents) CITdecided to re-insource the crucial network services§ Active Directory Forest Root§ Central Administration Exchange§ Top-level Domain Name Service

into EAGLE

§ Transition finished in 04/2013

§ Project initiated by the CIO Board in 02/2012 tosignificantly improve SAP security

§ PKI login secures access through strong 2-factorauthentication (PKI-login)

§ Encryption of communication between SAP andenvironment

§ Implementationcompleted in 09/2013

§ 100% Protection is impossible, due to constantlychanging threats and attacker capabilities. Thereforecontinous development of InfoSec is needed

§ PR!O focuses on the most important topics to protectSiemens’ critical assets


Situational AwarenessCyber Defense CenterDeep Dive

CyberDefense

Center

09/2014



Situational Awareness provides a comprehensiveoverview of the security state

• *Malware, Patching, Firewalls, Asset Inventories, …

Internet Gateway Mail Gateway

VulnerabilityManagement

Security Information andEvent Monitoring (SIEM)

Threat Intelligence

Risk and EventAnalysis

ResourceIslands

Basic Hygiene(Protect)

Are our assetsvulnerable?

What are current threatsfor Siemens?

Are attackers in our networks?

Clients

Siemens Network

Transparency(Golden Nuggets, ACP,

Asset Inventories)

Processdiscipline

Initiateadequateactions

(e.g. IncidentHandling)

Situational Awareness(Detect)

ThreatIntelligenceExternal Input

…

Incident Handling &Projects(React)

09/2014



…. and the current InfoSec Threat landscape

Threat Highlights• Some is known

• A lot is unknown

• We must learn to operate in acompromised environment

Viewpoint

Supply Chain InterventionChinese hackers poison inventoryscanners at key worldwidelogistics firms and extractshipment data ("ZombieZero")

Energy Infrastructure Infiltration(Siemens software exploited)Russian attackers target gridoperators, petroleum pipelineoperators, electricity generationfirms to steal data and potentiallymount sabotage operations

SCADA and ICS systemsHackedCalifornia firm targeted byHavex, a remote access trojan,using watering hole tactics tomaximize breach and install 88variants of the malware

09/2014



Threat Intelligence PlatformProvides interface of and owns

“What & How” of adversary info

Data Sources

Technical & OperationalSituational Awareness leverages robust processes, advanced tools,and experienced Cyber Analysts

GainProxies

GainCoreFW

GainCoreAD

GainURA

GainEmail

DBAccess

GoldenNugget

SAPAccess

ResrcIsland

GainDHCP

GainDNS

IDS

Analytics Platformbusiness logic + data + analysis

Complex Queries

ComplexCorrelations

Algebraic & Statistical analysis

Long-term trendanalysis

Baseline anomalydetection

Indicators(dB)

ThreatIntelligence(Context)

Results in

Discovery of incidentscope, indicators and

intelligence

Cyber ThreatInvestigation

Stakeholders informed;incident remediated;lessons learned ID’d

Incident Handling

ScopeScope ScopeExtendScopeExtend

ToolTool ProcessProcess

Internal LessonsLearned Sharing

“Expertise”

Cyber Analyst

leverages experience,analytics results,

indicators, and threatintelligence

“Incident Cycle”

Cyber Analyst determinesTrue Positives initiating aninvestigation and incident “Investigation Cycle”

Cyber Analyst uses existingindicators and threat

intelligence to reveal newindicators and new

intelligence within aninvestigation

“SIEM Cycle”

Cyber Analystcreates content

and triages alerts

CyberAnalyst

Internal &External

IntelligenceSharing

Internal &External

IntelligenceSharing

SIEM Platformbusiness logic + data

Real-TimeMonitoring

Rules Engine

Workflow

Alerting

LogNormalization

Anonymize /tokenize


Thank you / Questions

waldemar [email protected] key elements of … · key elements of information security policy...

Documents