SP01-T07 Business-Driven Security: Building a Risk-Based CyberSecurity Program

SESSION ID: SP01-T07
#RSAC
Rashmi Knowles CISSP, Field CTO, RSA, @knowlesRashmi
Business-Driven Security: Building a Risk-Based CyberSecurity Program



SECURITY IS A BUSINESS PROBLEM

Attacks are more sophisticated
Perimeter has disappeared
CEO/Board inspection
Lack of ROI for defense
Complexity has become the enemy

New World of Connected Living

Digital Diet
Digital Hospitals
Digital Schools
Digital Homes
Digital Parks
Digital Transportation
Digital Traffic
Digital Water
Digital Grid
Digital Emergency Fire Services
Digital Education
Digital Police
Digital Emergency Health Services
Digital Public Works
Digital Social Services
Digital Economic Development
Digital Services (Permitting, Licensing, Inspection, & Zoning)
Digital Tourism
Digital Administration
Digital Culture (Arts, Libraries, Open Spaces)
Digital Fitness
Digital Health

Securing the Human

7.5B world's population
3.4B internet users
60B digital identities
3B+ account credentials compromised in 2016*
95% of web app attacks used stolen credentials*

*Verizon Data Breach Investigations Report 2015; IDC

Identity is THE Most Consequential Attack Vector


The Alphabet Soup of Regulations

SOX
SSAE 16 SOC
PCI DSS
ISO
GDPR
Country Regs
HIPAA
FERC
NERC
FFIEC
OCC
NIST CSF
State Regs
GLBA


Today's Regulatory Compliance Challenges

Volume of regulatory change (chart axes: Effort, Cost, Violations)

U.S. Federal Regulations since 2008:
25,155 new regulations
$727 billion: the economic impact of new regulations
460 million new hours of paperwork required as a result of new regulations

ORGANIZATIONS ARE STRUGGLING TO MEET THEIR REGULATORY OBLIGATIONS

Business Dependence: Fierce Competition to Innovate

92%: digital initiatives are critical to success
44%: organizations that adopt mobile apps have higher growth rates

TECHNOLOGY IS A MISSION and BUSINESS ENABLER
SECURITY MUST BE A MISSION and BUSINESS ENABLER


Two Sides of Opportunity

Business Risk:
IT & Security Risk
Regulatory Risk
3rd Party Risk
Business Resiliency

Business Growth:
Digital Transformation
Market Expansion
New Partners
M & A


Risk complexity increasing
Velocity of risk increasing
Magnitude of risk increasing

MANAGING RISK IS A BUSINESS AND A TECHNOLOGY CHALLENGE


Today's Security is Not Working

90% dissatisfied with the response time (1)
70% know they were compromised this past year (2)
75% found out they were compromised from a 3rd party (3)

1 RSA Cybersecurity Poverty Index 2016
2 RSA Threat Detection Effectiveness Survey 2016
3 RSA estimate based on multiple studies


Re-evaluating Strategy

~80% of CISOs are re-evaluating their security strategies


Business-Driven Security


SECURITY TECHNOLOGY: where most security vendors are focusing
Account lockouts, web shell deletions, buffer overflows, SQL injections, cross-site scripting, DDoS, IDS / IPS events

BUSINESS RISK: where business leaders are focusing
How bad is it? Who was it? How did they get in? What information was taken? What are the legal implications? Is it under control? What are the damages?


Technology risk: the technology perspective…
• What is the important data?
• Where is the important data?
• What are the most critical applications?
• How important is this part of the infrastructure?
• What does this security event impact?
• Where are we vulnerable?
• Who are the 3rd parties the business relies on?
• What happens if IT services are disrupted?

Business risk: the business perspective…
• What part of the business strategy is the most critical?
• Where are our biggest risk areas?
• What is our risk appetite and tolerance?
• What are our regulatory obligations?
• What are the most valuable pieces of our business?
• How bad could it be?
• Are we effectively managing our risks to achieve our objectives?


The Wedges in the Gap

Lack of ownership
Outdated reporting
Manual processes
Inconsistent controls
Information silos
Limited risk visibility


A Modern Investigation

Attack timeline (left to right over TIME): Attack Set-up, Attack Begins, Attacker Surveillance, Target Analysis, Access Probe, System Intrusion, Discovery / Persistence, Maintain foothold, Leap Frog Attacks Complete, Cover-up Starts, Cover-up Complete

Transactions
• Are we seeing suspicious transactions against sensitive/high-value apps/assets?
Sources: WFD, Transaction Monitoring, SIEM

Infrastructure
• Has the server been manipulated?
• Is it vulnerable? Has its config changed recently?
• Is it compliant with policy?
Sources: GRC System, Config Mgmt, Vul. Mgmt

Traffic
• Are there traffic anomalies to/from these servers? Protocol distribution, encryption, suspicious destinations
Sources: Netflow, Network Forensics, Web Proxy Logs, SIEM

Identity
• Which users were logged onto them? Have their privileges been escalated? Where did they log in? What else did they touch?
Sources: Active Directory, Netflow, Server Logs, Asset Management, SIEM

Information
• What kind of data does this system store, transmit, process?
• Is this a regulatory issue? High-value IP?
Sources: DLP, Data Classification, GRC
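The following is an added example, not code from the deck or from RSA: it walks the five investigation lenses above for one alerted host and turns the answers into a business-driven priority. Every feed (GRC/CMDB, vulnerability management, NetFlow, Active Directory, DLP/data classification) is a constructed in-memory stand-in, and the hostnames, field names and weights are assumptions for illustration.

```python
# Added example, not from the RSA deck: enrich one alert about a server with the
# five investigation lenses on the slide (transactions, infrastructure, traffic,
# identity, information) and turn the answers into a business-driven priority.
# All feeds below are constructed stand-ins keyed by hostname (GRC/CMDB, vuln
# mgmt, NetFlow, Active Directory, DLP/data classification); weights are assumed.
from dataclasses import dataclass, field

INFRA = {"web-03": {"critical_asset": True, "policy_compliant": False,
                    "config_changed_days_ago": 2, "open_critical_vulns": 1},
         "dev-11": {"critical_asset": False, "policy_compliant": True,
                    "config_changed_days_ago": 90, "open_critical_vulns": 0}}
TRAFFIC = {"web-03": {"new_external_destination": True},
           "dev-11": {"new_external_destination": False}}
IDENTITY = {"web-03": [{"user": "svc_backup", "privilege_escalated": True}],
            "dev-11": [{"user": "alice", "privilege_escalated": False}]}
INFO = {"web-03": {"regulated_data": True}, "dev-11": {"regulated_data": False}}
TXN = {"web-03": {"suspicious_transactions": 12},
       "dev-11": {"suspicious_transactions": 0}}

@dataclass
class Finding:
    host: str
    score: int = 0
    reasons: list = field(default_factory=list)
    @property
    def priority(self):  # buckets the score for the response queue
        return "P1" if self.score >= 60 else "P2" if self.score >= 30 else "P3"

def investigate(host):
    # Ask the slide's questions for one host; each "yes" adds weighted points.
    f = Finding(host)
    checks = [
        (30, "business-critical asset", INFRA[host]["critical_asset"]),
        (20, "stores/processes regulated data", INFO[host]["regulated_data"]),
        (15, "privilege escalated in a logged-on session",
         any(s["privilege_escalated"] for s in IDENTITY[host])),
        (15, "traffic to a new external destination", TRAFFIC[host]["new_external_destination"]),
        (10, "suspicious transactions against the app", TXN[host]["suspicious_transactions"] > 0),
        (10, "config changed in the last 7 days", INFRA[host]["config_changed_days_ago"] <= 7),
        (10, "unpatched critical vulnerability", INFRA[host]["open_critical_vulns"] > 0),
        (10, "not compliant with policy", not INFRA[host]["policy_compliant"]),
    ]
    for points, reason, answer in checks:
        if answer:
            f.score += points
            f.reasons.append(reason)
    return f

def triage(hosts):
    # Order alerts by business-driven priority, highest first.
    return sorted((investigate(h) for h in hosts), key=lambda f: f.score, reverse=True)
```

The reasons list is what a responder reads first: it states in business terms why the alert is at the top of the queue, not which signature fired.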


…Lead to Risk in the Business

Unresolved issues
Inaccurate insights & misinformation
High costs & inefficiency
Holes & gaps
Disconnected data & lack of context
Poor business decisions & missed opportunities


Why Does the Gap Exist?

Lack of context & ability to prioritize
Multiple disconnected point solutions
Alert fatigue

SECURITY EXCLUSION: FW, A/V, IDS / IPS, SIEM, NGFW, Sandbox, GW
SECURITY INCLUSION: 2FA, Access mgmt, PAM, PROV, SSO, Federation
BUSINESS / IT RISK MANAGEMENT: GRC, VULN MGMT, CMDB, Spreadsheets


New Requirements

Business Context
Full Visibility
Rapid Insight
Aligned to Business Priorities
Efficient, Comprehensive Response


New Requirements: TRANSFORMATIONAL SECURITY STRATEGY

More strategically manage business risk
Make security teams much more operationally impactful


BUSINESS-DRIVEN SECURITY

SECURITY TECHNOLOGY (INCLUSION & EXCLUSION) + BUSINESS RISK MANAGEMENT

LINK SECURITY INCIDENTS WITH BUSINESS CONTEXT TO RESPOND FASTER AND PROTECT WHAT MATTERS MOST


The Maturity Journey


SILOED: Point solutions, multiple management consoles, basic reporting. Goal: meet regulatory obligations (COMPLIANCE)

MANAGED: Integrated security, expanded visibility, improved analysis / metrics. Goal: manage known & unknown risks (RISK)

ADVANTAGED: Fully risk aware, identify opportunity. Goal: make risk-based decisions (OPPORTUNITIES)


What's the Reality?

This is the reactive stage:
Layered defenses
Fire fighting
Siloed strategies
Duplicated approaches to compliance
Tactical risk management
Focus on immediate threats
Business-as-usual approach

SILOED: Point solutions, multiple management consoles, basic reporting. Goal: meet regulatory obligations (COMPLIANCE)


Moving from Siloed to Managed

• Integrate security data sources to provide visibility
• Implement improved analytics capabilities
• Implement incident management processes

SILOED: Point solutions, multiple management consoles, basic reporting. Goal: meet regulatory obligations (COMPLIANCE)

MANAGED: Integrated security, expanded visibility, improved analysis / metrics. Goal: manage known & unknown risks (RISK)


Moving from Managed to Advantaged

• Prioritising effectively through business context and awareness when incidents and events occur
• Managing known threats and being ready for emerging threats
• Security fully aligned with the business

MANAGED: Integrated security, expanded visibility, improved analysis / metrics. Goal: manage known & unknown risks (RISK)

ADVANTAGED: Fully risk aware, identify opportunity. Goal: make risk-based decisions (OPPORTUNITIES)


Advantaged Level - Technology

Embrace data collection and visibility
Real-time incident detection
Understand business context
Deep knowledge of your hunting ground
Hunting tools to provide data science
Practiced procedures


Advantaged Level - People

Security team has clear roles
Collect and analyse threat intelligence that is unique to the organisation
Business risk analysts / business language
Regular staff rotation
24/7 follow-the-sun coverage
Embrace 3rd parties to augment incident response teams


Advantaged Level - Process

Continuous process of detection, investigation and response
Incident response policy and procedures: NIST, VERIS and SANS Institute
Well-practiced breach response procedures

[Figure: VERIS A4 incident model] Actor (External, Partner, Internal); Action (Hacking, Misuse, Social, Environment, Physical); Asset (Type, Function); Attribute (Confidentiality, Possession, Integrity, Availability, Utility)


Getting Results


Getting Results…

A solution that turns security issues into business-driven actions, giving you priority, results and progress.

Security Issue → Analytics → Action → Metrics

Visibility + Analytics = Priority
Priority + Action = Results
Results + Metrics = Progress


Incident Detection and Response Maturity (by maturity level: share of organisations; People; Process; Technology)

Siloed (65%)
People: Reactive, not specialists, IT function
Process: No prioritisation, focus on compliance, asset value vs level of risk
Technology: Perimeter, signature based, disparate tools

Managed (25%)
People: Incident responders, full-time CIRC or SOC mgr, general threat intel
Process: Security & risk drivers, not compliance
Technology: Using SIEM, incident mgmt, external threat intel

Advantaged (10%)
People: Clear roles, business & risk analysts, business language
Process: Key business priorities, qualitative and quantitative measures
Technology: Integrated platform for detection, investigation and response


Characteristics of Security Maturity

Step 1: Threat Defense
Step 2: Siloed
Step 3: Managed
Step 4: Advantaged

Dimensions: VISIBILITY, COLLABORATION, RISK

Thank You

Rashmi Knowles CISSP, Field CTO, RSA, @knowlesRashmi
SESSION ID: SP01-T07