Information Security Cost Effective Managed Services

40
Leveraging Managed Services for Cost effective Infosec Operations +973-36040991 jorge.sebastiao@i ts.ws

description

 

Transcript of Information Security Cost Effective Managed Services

Page 1: Information Security Cost Effective Managed Services

Leveraging Managed Services for Cost effective Infosec

Operations

+973-36040991 [email protected]

Page 2: Information Security Cost Effective Managed Services

ICT Security 2009 - Risks•79% - don’t believe Security Software of Digital Signature provides Sufficient Protection

•50% - Organization not protected against Malware based on attack trends

•62% - not enough time resources to address vulnerabilities

•66% - out of work during recession will lead to more people joining cyber-criminal underground

Page 3: Information Security Cost Effective Managed Services

ICT Security 2009 – Arms Race•41% - increase in sophistication of attacks

•45% - increase in phishing attacks on employees

•49% - (financial services) increase in technical sophistication of attacks

•63% - infected web site biggest cause of compromise of online security

Page 4: Information Security Cost Effective Managed Services

“Every morning in Africa a gazelle wakes up. It knows it must outrun the fastest lion or it will be killed. Every morning in Africa a lion wakes up. It knows it must run faster than the slowest gazelle or it will starve. It doesn’t matter if you’re a gazelle or a lion: when the sun comes up, you had better be running.”

- H.H. Sheikh Mohammed Bin Rashid Al Maktoum.

Quote

Page 5: Information Security Cost Effective Managed Services

Securing Information Today Threats

Environmental

NaturalDisasters

Unintended results(The “OOPS” factor)

Cyber terrorism Viruses

ThreatsIndustrialEspionage

Page 6: Information Security Cost Effective Managed Services

Securing Information TodayBusiness Risks

Employee &

customer

privacy

Legislativeviolations

Financial loss

Intellectualcapital

LitigationPublic

Image/TrustBusiness

Risks

Page 8: Information Security Cost Effective Managed Services

Do you have risk mgmt plan?

Page 9: Information Security Cost Effective Managed Services

ICT Risks are changing

Page 10: Information Security Cost Effective Managed Services

Hacking is now a business

Criminals

Page 11: Information Security Cost Effective Managed Services

Hacker don’t follow rules?

Page 12: Information Security Cost Effective Managed Services

More sophisticated Attacks

Page 13: Information Security Cost Effective Managed Services

Business vs Inforsec Priorities

Page 14: Information Security Cost Effective Managed Services

Security focus on Business

Page 15: Information Security Cost Effective Managed Services

Views of Security and Risk Management

Business ViewService and ContinuityCustomer Focus

Managing RisksOperation Risk Controls AuditingGovernance & Compliance

IT InfrastructureDisaster RecoveryHigh Availability

Page 16: Information Security Cost Effective Managed Services

Risk Management

Elimination

Reduction/Controls

Transfer/Outsource

Insurance

ResidualNot all risk can be eliminated via controls

Page 17: Information Security Cost Effective Managed Services

Better Incidence Response & AvailabilityBest PracticesQuick troubleshootingKnowledge baseHigher Availability

Efficient Security OperationsSupport

Availability of qualified resourcesInfrastructure protectionInfosec, BCM, ITIL Best Practices24x7x365 MonitoringVendor ManagementManaged People, Process, Technology

Why should you care?

Page 18: Information Security Cost Effective Managed Services

Scope of Management &Value

Page 19: Information Security Cost Effective Managed Services

Technology

Process People

Technology is not enough

Page 20: Information Security Cost Effective Managed Services

Process

Technology

People

SLA 24x7x365 Industry Best Practices ITIL based processes

Data Center Best Practices Latest Monitoring tools State of the Art knowledge base Secure technology

Certified and Trained Staff Technical Experts Cross Training Onsite and Offsite

Holistic Implementation

Page 21: Information Security Cost Effective Managed Services

Infosec:Global Delivery Services - GDS• On-site & Off-site resource Mix• Fully managed and supported environment• Enterprise Management Solution (EMS)• Predictable cost model• Performance & Trend analysis• Alert, Monitoring, Notification & Escalation • Training and Knowledge Transfer• 24x7x365 with SLA

Page 22: Information Security Cost Effective Managed Services

Managed Services Provide Agility

• Knowledge Base

• Incidence diagnosis

• Root Cause analysis

• Quicker Response

• Response Planning

• Certified Resources

• Single Vendor Management

Page 23: Information Security Cost Effective Managed Services

Infrastructure Best Practices

Page 24: Information Security Cost Effective Managed Services

3 key Drivers for outsourcing

Page 25: Information Security Cost Effective Managed Services

100% Onsite

100%Offsite

0%Onsite

0%Offsite

Traditional ITO/FMManagedServices Centralized Management

Decentralized Management

FlexibleManaged Services

Approach

Flexibility

Page 26: Information Security Cost Effective Managed Services

Network Platforms DatabaseStorage

Applications

Business Relationship and Supplier Management

Capacity planning and Financial Management

Service Level Management

Service Continuity, Security

Capacity and Availability Management

Change, Configuration and Release Management

Monitoring, Incident and Problem ManagementLevel-1Resolution Processes80-100% Offsite

Level-2Operational Processes20-80% Offsite

Level-3Strategic Processes100% Onsite

Cost Effective Management Mix

Page 27: Information Security Cost Effective Managed Services

PoliciesProcesses,

Process Diagrams &

Models

Procedures and Guidelines

Templates, Forms, Checklists

Self Help, Knowledge Articles, Project Artifacts

How to achieve organization goals and

objectives

Organization Goals and Objectives

How to perform the activities that are needed

Artifacts used to perform activities

References to use for efficient performance

Best Practices Structure

Page 28: Information Security Cost Effective Managed Services

Managed Services Framework

Desktop Network Servers Databases Storage Applications

Monitoring, Automation Tools

ITIL Compliant Best Practices

Aggregated Reporting / Portal / I2MP, Service Desk

Redundancy / High Availability / Disaster Recovery

Onsite Offsite Vendor A Vendor B Call CenterCenter of

Excellence

Page 29: Information Security Cost Effective Managed Services

Implementation ContinuousDetection Response• 24x7x365 • Security monitoring• Managed Services• Automatic Alerting• Incidence Response• Vulnerability

Assessment• Patch Management• Forensic Analysis• Integration

Incident Response

Analyse

Contain

Eliminate

Restore

Lessons

Policy Refine Policy

Continuous Monitoring

T-1 T 0 T 1 T 1 T 3 T 4 T N

Communicate

Page 30: Information Security Cost Effective Managed Services

CIO Security Metrics

Page 31: Information Security Cost Effective Managed Services

Security = Time Protection

DetectionResponse

SECURITYP>D+R

Anti-virus

VPN

Firewall

Access Control

Intrusion Prevention

Managed Services

Patch Mgmt

CIRT

Vulnerability Testing

Intrusion Detection

Log Correlation

CCTV

Page 32: Information Security Cost Effective Managed Services

Security in Depth

Page 33: Information Security Cost Effective Managed Services

Security in Depth Revised

People Technology Process

Prevent

Respond/Recover

Detect

Page 34: Information Security Cost Effective Managed Services

Structured Delivery Managed Services

Page 35: Information Security Cost Effective Managed Services

SETA = Security +Training + Awareness + Education

Know

ledg

e fil

ls g

aps

Page 36: Information Security Cost Effective Managed Services

TransformationOptimization

DueDiligence

Steady StateTransition

Plan

Structured Implementation

Page 37: Information Security Cost Effective Managed Services

Risk Analysis Matrix

Pro

bab

ilit

y o

f L

ikel

iho

od

Severity of Consequence

High

Medium

Low

Low Medium High

Area of Major

Concern

Focus on Risk

Page 38: Information Security Cost Effective Managed Services

Focus on Risk

High Medium Low

Hig

h

A B C

Med

ium

B B C

Lo

w C C D

Business Impact

Vu

lner

abili

ty

Page 39: Information Security Cost Effective Managed Services

ICTSecurity

SkilledResources

LogicalPhysical Integration

Best Practices

ContinuousModel

Security with 20/20 Vision

Page 40: Information Security Cost Effective Managed Services

Questions

+973-36040991 [email protected]