Data Protection Strategy Bob Maley, CEO, Strategic CISO & former CISO, State of Pennsylvania.


Page 1:

Data Protection Strategy

Bob Maley, CEO, Strategic CISO & former CISO, State of Pennsylvania

Page 2:

Cyber Protection Strategy

• Tactical or strategic?
• Vendor driven or business driven?
• Reactive or proactive?

Page 3:

“The trouble is that criminals seem to be able to stay one step ahead, and the law-abiding have to spend too much time trying to catch up.” – Nigel Phair, Cybercrime: The Reality of the Threat, page 178

Page 4:

Securing Endpoints?

• Data wants to be free
• What are your endpoints?
• Data classification
• It’s what you don’t know you don’t know that gets you
• Email
• Business processes
• Data transfers

Page 5:

It’s in the cloud already

• Google
• Amazon Web Services

Page 6:

Security Trends – Current View

[Diagram: a stack of point products grouped under four columns, with management layers above them.]

Columns: Endpoint Suites; Network UTM; Application Security; Vulnerability Management (labelled Product A, Product B, Product C, [Other Point Products])

Security Information and Event Management
• Alerts • Log Mgt • Event Correlation • Compliance Certification

Governance Risk and Compliance
• User Policy Compliance • Compliance Workflow and Reporting • Remediation Workflow and Reporting

Point products shown: Anti-Virus, HIPS, Local Firewall, NAC, Patch Management, Endpoint DLP, Full Disk Encryption, Firewall, IDS, AV Gateway, Anti-Spam, Net DLP, DB Encryption, IAM / Single Sign-On, URL Filter, DAM, Vulnerability Scanning, Web App Scanning, Code Scanning, WAF, Penetration Testing, DB Scanning, Config Audit

Page 7:

Scanning (web and/or network) products identify potential weaknesses
– Data overload, including false positives/negatives – not the most critical threats
– Does not prove exploitability; limited-view point solution, single vector

IT-GRC gathers information to aggregate and report
– Mostly used for higher-level policy and governance, with little “R”

SIEM aggregates real data, dash-boarding, drill-down, etc.
– SIM/SEM correlates and presents what has happened (via alert), but doesn’t tell you if your defenses are working
– Operational data, not situational: just incidents or log data from past events

Security Risk Mgmt is a simulator/model
– Correlates scanned, imported and entered data to infer the highest-risk vulnerabilities; doesn’t do actual testing
– Network only, and works on models vs. a real test of the security

DLP detects and prevents transmission of confidential information

To date, the critical challenge of how to provide insight into actual risks across multiple layers of infrastructure still remains!

Page 8:

Security – Future View

[Diagram: the Current View stack with two additions above the point products: an IT Security Management layer and a Comprehensive Security Test and Measurement layer.]

Columns: Endpoint Suites; Network UTM; Application Security; Vulnerability Management (labelled Product A, Product B, Product C, [Other Point Products])

IT Security Management
Vendors: IBM, HP, Cisco, Computer Associates, Symantec, McAfee

Comprehensive Security Test and Measurement
• Verify and Validate Security Controls
• Measure Real-world Threat Readiness
• Measure Security Effectiveness

Security Information and Event Management
• Alerts • Log Mgt • Event Correlation • Compliance Certification

Governance Risk and Compliance
• User Policy Compliance • Compliance Workflow and Reporting • Remediation Workflow and Reporting

Point products shown: Anti-Virus, HIPS, Local Firewall, NAC, Patch Management, Endpoint DLP, Full Disk Encryption, Firewall, IDS, AV Gateway, Anti-Spam, Net DLP, DB Encryption, IAM / Single Sign-On, URL Filter, DAM, Vulnerability Scanning, Web App Scanning, Code Scanning, WAF, Penetration Testing, DB Scanning, Config Audit

Page 9:

Cyber Strategy Musings (WordPress) – The Key of Knowledge, Book 2

The second area of knowledge in this key is “Knowing your environment”.

By extension – Know Your Strategy

Know your Strategy

Page 10:

Your Guide

Page 11:

What are your critical business assets?

• Data / Asset Classification
• You can’t protect everything
• Focus on the most important assets

Key of Knowledge

Page 12:

Anti-Virus and Firewalls are not enough

Evaluate your existing controls

Page 13:

Compliance Checklists are not enough

Network Solutions was PCI compliant before breach – Angela Moscaritolo, July 27, 2009

Web hosting firm Network Solutions on Friday announced that, despite its being PCI compliant, a breach had compromised approximately 573,928 individuals' credit card information.

http://www.scmagazineus.com/network-solutions-was-pci-compliant-before-breach/article/140642/

Evaluate your existing controls

Page 14:

Layered Security – The Castle Model

Evaluate your existing controls

Page 15:

The Symantec Global Internet Threat Report, which covers trends in 2009, says attackers are aggressively targeting employees' social networking profiles to help target key personnel inside targeted companies. Meanwhile, Web-based attacks targeting PDF views accounted for half of all Web-based attacks last year, up from 11 percent in 2008.

And malware creation increased thanks to more automated tools, according to Symantec, which says it identified more than 240 million new malware programs last year, a 100 percent increase over 2008.

Report: Targeted Attacks Evolve, New Malware Variants Spike By 100 Percent
New Symantec Global Internet Threat Report shows evolution of targeted attacks, prevalence of Web-borne attacks, increase in malware variants in 2009
Apr 20, 2010, by Kelly Jackson Higgins, DarkReading
http://www.darkreading.com/vulnerability_management/security/antivirus/showArticle.jhtml?articleID=224500064

Understand the threat

Page 16:

Insider Threats

Understand the threat

Page 17:

U.S. government agencies have been bracing for a deluge of thousands more classified documents since the leak of helicopter cockpit video of a 2007 firefight in Baghdad. That was blamed on a U.S. Army intelligence analyst, Spc. Bradley Manning, 22, of Potomac, Md. He was charged with releasing classified information this month. Manning had bragged online that he downloaded 260,000 classified U.S. cables and transmitted them to Wikileaks.org.

Officials Scramble to Review Emerging Afghan War Documents for 'Damage'
Published July 26, 2010 | FoxNews.com
http://www.foxnews.com/politics/2010/07/26/damage-control-leak-afghan-war-docs/

Understand the Threat

Page 18:

Know your threat matrix

Understand the threat

Page 19:

• Determine your organization’s risk tolerance
• Know your vulnerabilities
• Understand how the threats apply

Develop your Risk Strategy

Page 20:

• Compliance requirements
• Protect your valuable data
• Put systems in place that protect your data as it moves
• Proactive intelligence on your environment
• Discover your real vulnerabilities
• Break the malware cycle

Develop your protection Strategy

Page 21:

The barbarians will get in

Page 22:

• Operationalize Security
• Use Managed Services / Cloud Services where practicable
• Use automated systems

Understand the overhead

Page 23:

Complexity can break security

Page 24:

• Be an enabler of business
• Connect to your Enterprise Risk Management
• Show how it affects the bottom line

Understand your organization’s business need

Page 25:

• Response and remediation
• Robust Incident Response Plan
• Respond, not react
• Don’t merely remediate

Execute

Page 26:

• Real-time Protection
• Find the barbarians that get past the gate
• New Technologies

Execute

Page 27:

Execute - Test

Page 28:

Col. John Boyd’s OODA Loop

Evaluate

Page 29:

Metrics

INCREASING CYBER-SITUATIONAL AWARENESS VIA ENTERPRISE METRICS – Core Security Technologies Blog

Today’s ferocious cybersecurity environment is dynamic. One of the challenges that organizations, both public and private sector, have encountered in attempting to mature their IT security and risk management plans has been a lack of methods to calculate truly relevant metrics that would allow for them to better understand and benchmark their security standing over time.

http://blog.coresecurity.com/2010/04/29/increasing-cyber-situational-awareness-via-enterprise-level-metrics/

Evaluate

Page 30:

The Future of Data Protection

Page 31:

Contact Information

[email protected]

Questions