
Security in Today’s Business Environment

Jim Tiller, CSO & Managing Vice President of Security Services. Tuesday, June 7, 2005.

Overview: Today’s Business Climate; Threats and Vulnerabilities; Regulatory Landscape; Simplifying the Business of Security; Controlling Access.





Presentation Transcript


  1. Security in Today’s Business Environment
     Jim Tiller, CSO & Managing Vice President of Security Services. Tuesday, June 7, 2005.

  2. Overview
     • Today’s Business Climate
     • Threats and Vulnerabilities
     • Regulatory Landscape
     • Simplifying the Business of Security
     • Controlling Access
     • Managing People, Process & Technology
     • Aligning Security to Business Objectives

  3. Today’s Business Climate
     • Running a business in the 21st Century isn’t easy!
     • Security regulations abound
     • 62% of companies spend more on compliance than protection*
     • Evolution of technology and business demands has resulted in highly diverse environments
     • Managing an increasing number of vulnerabilities in the face of sophisticated threats
     • Difficulties in aligning People, Process and Technology
     • Challenges in leveraging security knowledge and business process
     *Source: RedSiren

  4. Three Simple Security Perspectives
     • The Unlawful (Vulnerability Sensitive)
       • Increasing sophistication
       • Unprecedented collaboration
       • Growing aggressiveness
       • Harmful impacts
     • The Law (Compliance Driven)
       • Increasing number of regulations
       • International impacts
       • Operational challenges
       • Lack of investment predictability
     • Security Posture (Risk Averse)
       • Segmentation of people, process, and technology
       • Poor visibility
       • Inability to determine effectiveness
       • Inability to align to business objectives

  5. Security and Business Infrastructure (timeline diagram)
     • Pre-1980’s – Mainframes: business security incorporated into the system; if SAP didn’t do it, the company didn’t do it
     • 1980’s – Client / Server: security begins to diverge as systems become more distributed; processes became departmental
     • 1990’s – Multi-Tier Application Architecture: traditional application development complicates security visibility; application-specific diversity of IT and security
     • 2000’s – Business Interconnectivity (clients, partners, vendors): business demands strain IT and security in the light of diversity; complex data value chain

  6. Diversity is a Double-Edged Blade
     • Value to the business
       • Provides foundation for best-of-breed solutions
       • Supports business initiatives
       • Allows for evolutionary investment strategies
       • Allows organizations to respond to market changes
     • But what does this mean to security?
       • Increased technical gaps
       • Leads to fragmented processes
       • Difficulty in gaining visibility
       • Complicates command and control
     • Security Nemeses
       • Inconsistency and Complexity
     • Result – Vulnerable Security Posture

  7. More Malware, More Hackers

  8. Exploiting Our Weakest Links

  9. Where the Money is

  10. Less Time

  11. A Regulated Environment
     “Organizations face an increasing amount of liability and regulations, like HIPAA, Gramm-Leach-Bliley and SB 1386. Even in the case of Sarbanes-Oxley, you've got disclosure requirements. They all have pretty harsh penalties, and your liabilities don't stop when you outsource. They only grow.” – Michael Rasmussen, principal analyst, Forrester
     • Security regulations abound
       • HIPAA for HealthCare
       • GLBA & FFIEC for Financial
       • Sarbanes-Oxley for US public companies
       • CyberSecurity for Utilities
       • SB-1386 (AB-700)
       • Notification of Risk to Personal Data Act (NORPDA)
       • Multiple Privacy regulations
         • US, Canada, Japan, EU, and others
     • Industry reports suggest $80B over the next 5 years in compliance expenditures*
     *Source: AMR Research

  12. Current Status
     • Security’s omnipresence challenges meaningful management in the light of business objectives
     • Security is segmented: process, risk, policy, technology
     • Focus is applied when demands surface, examples:
       • Firewalls & IDS were significant during the network attacks of the 90s
       • Today, regulations demand more emphasis on process and documentation
     • Meanwhile… increased sophistication and number of threats continue to challenge the IT environment
     • Result – regardless of vulnerability or regulation…
       • Security has become complex and painful
       • Misalignment between process and technology
       • Inability to bind security investments to larger business imperatives

  13. CIO Worries
     • I worry about a hacker gaining access to our Oracle database and copying social security numbers
     • I worry about a converged network; if the network goes down you lose both voice and data, increasing the risk and worry
     • I worry about staff; I can't protect the network from internal sabotage, disgruntled network administrators, IT personnel, etc.
     • I worry about new computers being plugged into the network after they have been off net
     • I worry about the new wide range of handheld IP devices which people plug in at will from near and far-flung locations
     • I worry about employees working at home bridging networks via WLANs, opening up access to our network
     Source: Nick Lippis, Trusted Networks Symposium

  14. Cycle of Security Pain
     • Security investments based on “FUD”
     • Executives growing weary
       • Less talk, more revenue
     • Diminishing expectations of security investments
       • “More money? What did you do with the last check?”
     • Constant deluge of “new” security problems
     • Regulatory compliance challenges
     • Cultural challenges inside and outside IT

  15. Information Security in Business Terms
     • What organizations really want from security
       • Simplicity – Simplified management and focus
       • Predictability – In systems and investments
       • Effectiveness – Does what it is supposed to for the business
     • Enablers
       • Visibility – In controls, industry, compliance, activity, events, and threat status
       • Alignment – People, process, and technology focused in the same direction
     • Results
       • Confidence – Make changes with a clear understanding of the impact to business operations, risk, and compliance
       • Efficiency – Leverage proven business processes and automation

  16. Getting There
     Roadmap labels: Establish meaningful, early-win technical solutions; Align People & Process to meet multiple Regulations; Increase technical visibility, command and control; Employ metrics to measure against the business goals
     • Technical / Tactical – “Build Success Early”
       • Vulnerability Management
       • Identity Management
     • Management – “Organize and Architect”
       • Information Security Management Framework
     • Technical / Strategic – “Actionable Foundation”
       • Integrated Security Operations Capability
       • Network Access Control
     • Business Management – “Balanced Approach to the Business”
       • Security Services Management

  17. Vulnerability Management
     • Information driven
       • Internal status
       • Industry status
       • Events, warnings, etc.
     • Based on Data Acquisition and Employment
       • Collaboration & Tools
       • Testing, validation, deployment
       • Comprehensive Reporting
     • Basic concept:
       • Apply flexible business process to dynamics in technology
       • Integrate with multiple systems to drive automation
       • Support meaningful communication and collaboration

  18. Vulnerability Management Architecture (diagram)
     Diagram labels: Inputs – Vulnerability Data Service (CVE), Policy & Profile Server, Asset Database, System Owners, IDS / IPS, Virus, Patches & Service Packs; Abstraction Layer – Management, XML, SOAP, Web Services; Service Driven Provisioning System; Service Support System; Collaboration – Business Processes, Partners; Enable Activity, Reporting & Metrics, Auditing, Service Reporting; Systems & Applications, Infrastructure Systems.

  19. Identity Management
     • Combination of Technology and Processes
     • Comprehensive control over who has access to IT resources
     • Controls authorization and entitlement of resource use
     • A business solution, not simply a technical solution
     • Highly pervasive, highly effective

  20. Business Enablement (diagram)
     Diagram labels: Threats – Hackers; Communities – Customers, Employees, Partners; Services – Access Policies & Profiles, Auditing, Process & Business Management, Smart Cards, SSO, Certificates, Web Services; Resources – Distributed Resources, Applications, Partner Resources.

  21. Elements of Identity Management
     • Identity Consolidation and Synchronization
     • Credential Provisioning and Management
     • Delegation of Administration
     • Authentication and Access Management
     • Profile Management
     • Auditing and Monitoring
     • Single Sign-on
     • User self-service

  22. Positive Business Impacts
     • Increased IT Operational Costs
       • Roughly 48% of help desk calls are password resets
       • User management consumes 5.25% of all IT productivity
       • Most user admin tasks (moves, adds, changes) take 10x longer than necessary
     • Additional security risks
       • Only 70% of users deleted on departure
       • New users provisioned to 16 apps, on departure deleted from 10
     Source: Metagroup/PwC Survey
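The “Auditing and Monitoring” and “Identity Consolidation and Synchronization” elements of slide 21, and the departure figures on slide 22, come down to one recurring check: compare the HR roster against each application’s account list and find accounts that should no longer exist. The following Python script is an added example written for this page, not code from the presentation or from INS; the roster, application names, user ids and status values are constructed sample data, and the function names are assumptions.

```python
"""Reconcile an HR roster against per-application account lists.

Constructed sample data: four HR records and four applications. The names
HR_ROSTER / APP_ACCOUNTS and the status values are assumptions for this
example, not a real system's schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    user_id: str
    status: str  # "active" or "departed" (constructed status values)


# Constructed HR roster: who should and should not have access right now.
HR_ROSTER = [
    Person("alice", "active"),
    Person("bob", "departed"),
    Person("carol", "departed"),
    Person("dave", "active"),
]

# Constructed per-application account lists (user ids with an enabled account).
APP_ACCOUNTS = {
    "email": {"alice", "bob", "dave"},
    "crm": {"alice", "dave", "eve"},
    "vpn": {"alice", "dave"},
    "erp": {"bob", "dave"},
}


def reconcile(roster, app_accounts):
    """Return orphaned and unknown accounts per application.

    orphaned: departed users whose account still exists in an application
    unknown:  accounts with no HR record at all (nobody to hold accountable)
    """
    known = {p.user_id for p in roster}
    departed = {p.user_id for p in roster if p.status == "departed"}
    orphaned = {}
    unknown = {}
    for app, accounts in app_accounts.items():
        stale = accounts & departed
        if stale:
            orphaned[app] = stale
        nobody = accounts - known
        if nobody:
            unknown[app] = nobody
    return {"orphaned": orphaned, "unknown": unknown}


def remaining_access(roster, app_accounts):
    """Map each departed user to the applications where an account remains."""
    departed = [p.user_id for p in roster if p.status == "departed"]
    return {
        uid: sorted(app for app, accounts in app_accounts.items() if uid in accounts)
        for uid in departed
    }


def deprovisioning_rate(roster, app_accounts):
    """Percentage of departed users with no remaining accounts (the slide's
    'users deleted on departure' figure), or None if nobody has departed."""
    leftovers = remaining_access(roster, app_accounts)
    if not leftovers:
        return None
    clean = sum(1 for apps in leftovers.values() if not apps)
    return round(100.0 * clean / len(leftovers), 1)


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, APP_ACCOUNTS)
    for app, users in sorted(result["orphaned"].items()):
        print(f"{app}: departed users still provisioned -> {sorted(users)}")
    for app, users in sorted(result["unknown"].items()):
        print(f"{app}: accounts with no HR record -> {sorted(users)}")
    print("deprovisioning rate:", deprovisioning_rate(HR_ROSTER, APP_ACCOUNTS), "%")
```

Two design points: the roster is treated as the authoritative source (the “consolidation” the slide refers to), so an account with no roster entry is reported separately rather than ignored, and the rate is computed per departed user rather than per account, which is the figure management recognises from the slide’s survey numbers.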

  23. Security Policy Challenges
     • Security Policies
       • Controls
         • People, Process, and Technology security requirements
       • Management
         • The on-going capability to organize, maintain, and distribute
       • Enforcement
         • The ability to ensure policies are being followed by people and technology
       • Feedback Loop
         • Learning from the application of the policies
     • Challenges in Policy
       • Misalignment of policy to technology
       • Diversity complicates comprehensive security management
       • Difficult to manage people and processes consistently

  24. Information Security Management Gap (diagram)
     Diagram labels: ISMS Framework – Policy, Process & Documentation, Technology, People (Roles & Responsibilities); gaps shown – Enforcement Gaps, Alignment Gaps, Feedback Gaps.

  25. Information Security Management Framework
     • Information Security Management System
       • Supports the Information Security Program by the identification, selection, and deployment of controls in order to mitigate information security risk
     • Security Service Orientation
     • Controls Optimization
       • Logical Controls
       • Organizational Controls
       • Technical Controls
     • Process Management
       • Governance Processes
       • Reporting and Validation

  26. Framework Characteristics
     • Policy
       • A high-level, implementation-neutral, conceptual goal that addresses who and what
     • Program
       • Supports policy by managing multiple plans
     • Plan
       • Supports program by defining activities or projects
     • Standard
       • Supports policy goals, AND implements procedural vision by defining requirements that can be implemented and measured. Standards offer implementation detail and therefore should be protected
     • Process
       • Supports standards by presenting methodology to meet requirements
     • Procedure
       • Supports process by offering reliable, repeatable technique for predictable outcome
     • Specifications
       • Supports standards by defining specific criteria that control devices must meet in order to be considered for use
     • Guidelines
       • Supports standards by “best practice” advice on how to meet requirements

  27. ISMF Visualization

  28. Deeper Look
     • Define control areas horizontally
     • Define security services vertically
     • Intersection is:
       • Roles & Responsibilities
       • Policies and processes
       • Standards
       • Metrics

  29. Driving Relationships
     • Quality and Reporting will expose operational efficiencies and actionable patterns
     • This is especially true for Incident Management

  30. Obscurity to Operational
     • The framework provides the policy structure
       • Defines security goals
       • Defines controls
       • Defines management
     • Framework’s Achilles’ Heel
       • Technical enforcement
       • Comprehensive feedback loop
     • Information systems need alignment
       • Systems do not speak “security” natively to one another
       • People & Security managers cannot effectively access information
     • Options
       • Integrated Security Operations
       • Network Access Control

  31. Integrated Security Operations Center
     • Currently seeing significant trends in this area
       • Companies are leveraging their NOC investment to support security objectives
     • There are several definitions for “integration”
       • Should practice separation of duties
       • Leverage existing infrastructure
       • Alignment of tools, i.e.:
         • Ticketing systems linked to incident response
         • Asset and change control linked to patch management
     • Challenge areas
       • Culture
         • “Whose problem?”, “Who fixes it?”, “Who pays for it?”
       • Process
         • When does security take the initiative?
       • Technology
         • What tools do I have that I can leverage? How can I work security into my product management lifecycle?

  32. Integrated Security Operations Center

  33. ISOC Business Value
     • Proactive problem identification and response, reducing the cost and impact of threats
       • Faster response
       • Faster recovery
     • Potentially a cost-effective alternative to outsourcing
     • Opportunities for efficiencies through automation, workflow improvement, centralized enterprise intelligence
     • Significant security advantages
       • Visibility
       • Command and Control
     • Potential problems
       • Do you have the skills necessary?
       • What “phase” is your NOC in?

  34. Network Access/Admission Control (NAC)
     • Cisco started the flood
       • 48 vendors participating in the group
     • Represents a rebirth of the network’s role in security
       • Leverages the network for what it can really accomplish
       • Network touches everything
       • Enabler for threats, Enabler for business defense
     • Intelligent networking
       • Provides conduit for upper-layer security services
       • Binds security policy to network capability
       • Investigates systems, services, applications, and users prior to association
       • Isolates potential threats
       • Establishes an “Expectation Envelope”

  35. Next Big Step
     • Vulnerability management reduces exposure
     • Identity management offers flexibility and security
     • ISOC increases visibility, command and control
     • Advances in network security offer proactive controls
     • Result
       • Proactive, Focused, Compliant…. Measurable
     • Utilizing metrics for Long-Term security Management
       • It’s Here, Start now
       • NIST SP 800-55
       • Security Working Group (Gov. Reform Committee, US House of Rep., 1/2005) (43 pages of Security Metrics)
         • Report of the Best Practices and Metrics Team
         • http://reform.house.gov/TIPRC/

  36. Security Services Management
     • Service Measurement & alignment to the business
     • Metrics Strategy
       • Defines the layer between business initiatives and services
       • Defines optimal level
         • Too much or too little can be a bad thing
       • Reporting
     • Metrics Alignment
       • Business owners and industry specifics
       • Governance and approval
     • Key Performance Indicators
       • What’s being measured

  37. Metrics Example
     • Vulnerability to System Ratio (Tech)
       • Understanding the pervasiveness of known vulnerabilities
       • Number of Vulnerabilities
       • Criticality level
       • Affected system/data classification and role
     • Patch Rate (Tech & Proc)
       • Managing the window of vulnerability: test, deployment, verify
       • Number of patches available, pipeline, tested
       • Percentage of deployment
       • Percentage validated
     • People & Process CMM (P&P)
       • Understanding the level of maturity and effectiveness of management practices
       • Localized control management
       • Completeness of control processes & documentation
       • Process interaction
     • Compliance Rate (Tech)
       • Feedback from the technical infrastructure on the adoption of policies
       • Percentage of policies obtained
       • Percentage in compliance
       • Percentage validated
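Three of the four metrics on this slide (Vulnerability to System Ratio, Patch Rate and Compliance Rate) can be computed directly from an asset inventory, a patch pipeline and per-system policy reports. The Python below is an added example written for this page, not code from the presentation or from INS; every system name, vulnerability id, patch id and policy id in it is a constructed sample value, the status vocabularies are assumptions, and the only judgement call (shown in the comments) is that a policy check a system never reported counts as a visibility gap rather than a pass.

```python
"""Compute three of the slide's metrics from a constructed inventory.

All system names, vulnerability ids (V-1 ...), patch ids (PATCH-1 ...) and
policy ids (P1, P2) are constructed sample values, not real identifiers.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    classification: str            # data classification, e.g. "confidential"
    role: str                      # business role, e.g. "database"
    vulns: list = field(default_factory=list)     # [(vuln_id, criticality), ...]
    policies: dict = field(default_factory=dict)  # policy_id -> reported status


# Constructed inventory: four systems with known vulnerabilities and policy status.
SYSTEMS = [
    System("db01", "confidential", "database",
           [("V-1", "high"), ("V-2", "medium")],
           {"P1": "validated", "P2": "noncompliant"}),
    System("web01", "internal", "web",
           [("V-3", "high")],
           {"P1": "compliant", "P2": "validated"}),
    System("file01", "internal", "file",
           [],
           {"P1": "compliant"}),            # P2 never reported: a visibility gap
    System("hr01", "confidential", "hr",
           [("V-4", "low"), ("V-5", "high"), ("V-6", "medium")],
           {"P1": "noncompliant", "P2": "compliant"}),
]

# Constructed patch pipeline; stage names follow the slide's wording.
PATCHES = {
    "PATCH-1": "validated", "PATCH-2": "validated", "PATCH-3": "validated",
    "PATCH-4": "deployed", "PATCH-5": "deployed", "PATCH-6": "deployed",
    "PATCH-7": "deployed", "PATCH-8": "tested", "PATCH-9": "pipeline",
    "PATCH-10": "available",
}

EXPECTED_POLICIES = ["P1", "P2"]   # policies every system is expected to report on


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def vuln_to_system_ratio(systems):
    """Known vulnerabilities per system: overall ratio, counts per criticality,
    and the ratio per data classification (where a high ratio on confidential
    systems matters more than the same ratio on internal ones)."""
    total = sum(len(s.vulns) for s in systems)
    by_crit = Counter(crit for s in systems for _, crit in s.vulns)
    class_vulns, class_systems = Counter(), Counter()
    for s in systems:
        class_vulns[s.classification] += len(s.vulns)
        class_systems[s.classification] += 1
    return {
        "overall": total / len(systems) if systems else 0.0,
        "by_criticality": dict(by_crit),
        "by_classification": {c: class_vulns[c] / n for c, n in class_systems.items()},
    }


def patch_rate(patches):
    """Where patches sit in the window of vulnerability: a count per stage,
    the share of all known patches deployed, and the share validated."""
    stages = Counter(patches.values())
    total = len(patches)
    deployed = stages["deployed"] + stages["validated"]   # validated implies deployed
    return {
        "stages": dict(stages),
        "deployed_pct": pct(deployed, total),
        "validated_pct": pct(stages["validated"], total),
    }


def compliance_rate(systems, expected_policies):
    """Policy adoption as reported back by the infrastructure: share of expected
    (system, policy) checks obtained, share in compliance, share validated."""
    expected = len(systems) * len(expected_policies)
    obtained = compliant = validated = 0
    for s in systems:
        for pid in expected_policies:
            status = s.policies.get(pid)
            if status is None:
                continue        # never reported: counts against 'obtained', not as a pass
            obtained += 1
            if status in ("compliant", "validated"):
                compliant += 1
            if status == "validated":
                validated += 1
    return {
        "obtained_pct": pct(obtained, expected),
        "compliance_pct": pct(compliant, expected),
        "validated_pct": pct(validated, expected),
    }


if __name__ == "__main__":
    print(vuln_to_system_ratio(SYSTEMS))
    print(patch_rate(PATCHES))
    print(compliance_rate(SYSTEMS, EXPECTED_POLICIES))
```

All three percentages in the compliance metric use the expected number of checks as the denominator, so a system that stops reporting lowers the compliance figure instead of silently dropping out of it; that is the feedback-loop property the framework slides ask for.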

  38. Balanced Perspective

  39. Bringing it Together (diagram)
     Diagram labels: Business Imperatives; Security Alignment; Business Alignment; Align Security to Assets; Flexible & Proactive Controls – Identity Management, Vulnerability Management; Operational Integrity; Gain Awareness of Investment Effectiveness, Predictability of Effort – Security Services Management (SSM), Service Level; Enhanced Visibility, Command and Control, Increased Security – Integrated Security Operations Capability (ISOC); Risk Management; Regulatory Compliance – HIPAA, Sarbanes-Oxley, GLBA; People & Process (ISMF).

  40. Business Aware Security (diagram)
     “IT executives will be seeing more demands to specify and quantify not just efforts and actions, but performance. Try to benchmark your cybersecurity performance against outside measures. The key is to develop ways of demonstrating—specifically, quantifiably, and defensibly—your impact on your organization's cybersecurity.” – Jeffrey Hunker, professor of technology and public policy, Carnegie Mellon University
     Diagram labels: Technical Architecture; Security Services Framework; Security Services Management; Supporting the Business.

  41. Thank You!
     jim.tiller@ins.com
     www.INS.com
     (ISC)2 Journal
     www.infosectoday.com
