2. "It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." – Warren Buffett
3. of a Hyper-Connected World
THREATS
• Unsecured peer-to-peer access
• Mobile Threats - malware and SMS fraud
• Advanced Persistent Threats (APTs)
• Non-malicious breaches
• Denial of Service (DoS)
EVOLUTION OF CONNECTIVITY
• Local and wide area networks
• Various flavors of Wi-Fi
• Intelligent devices
• Internet of things
• Cloud technologies
4. Measuring Up to the Challenge: The Path from Tactics to Strategy.
History of Threat Evolution … and Threat Defense
1990: Viruses and worms
2000: Malware and phishing attacks
NOW: Cyber attack missions utilizing Advanced Persistent Threats (APT) have redefined the rules of engagement
5. Tactical Approach Creates Unbalanced Response Posture
UNNECESSARY WEAKNESSES IN KEY AREAS OF VULNERABILITY
• Key Assumption: Complete protection against all threats and vulnerabilities is beyond the tactical capabilities of most enterprise IT security programs.
…Trying to do so generates a tactics-based response stance…
6. Strategic Approach Creates Targeted Response Posture
STRENGTH IN AREAS OF CONCERN AND VULNERABILITY
• The future of IT security requires an approach that assumes those who want to get in will get in.
…With this in mind, your organization must embrace principles that guide a strategy – where do you invest?
7. Cyber Security – A Strategic Imperative
• Businesses Depend on Technology
  • Highly complex
  • A Boardroom level concern
• Innovation
  • A constant factor with major effects
  • Challenges security management
• Cyber Threats
  • It is the State-of-Affairs
  • Necessitates C-Suite decision-making and risk management
  • Requires new thinking for protection
  • Speed of action and ability to adapt is critical
10. Cyber Readiness
• Threat defense maturity model and gap analysis
• Alignment with business priorities
• Remediation recommendations as part of a risk-based security model
12. How does an organization approach the security challenge and meet the never-ending demand?
Determine Your Readiness
Commit to a Plan
Invest for Impact
13. Determining Security Capability
• “Capability” determination is the degree to which:
  • Institutionalized – a process has been ingrained in the way work is defined, executed, and managed
  • Repeatable – a commitment and consistency to performing the security process
  • Expectation – you know what to expect in terms of organizational reaction and ability, with a high level of confidence
• The value of knowing and managing the readiness level is to answer important questions:
  • Can we effectively manage our security posture?
  • How do we maintain levels of protection and ultimately our success?
  • Are we adaptive to changing risk environments?
14. Cyber Security Maturity Model
Systematically Build and Improve Enterprise Cyber Security Capabilities
Level 1 – Initial (Ad Hoc/ Chaotic): Dependent on heroics; institutional capabilities lacking, not of the organization
Level 2 – Repeatable (Intuitive): Process established and repeating; reliance on people is reduced
Level 3 – Defined (Quantitative / Qualitative): Policies, processes and standards defined and formalized across the organization
Level 4 – Managed (Quantitative): Risks measured and managed quantitatively and aggregated on an enterprise-wide basis
Level 5 – Optimized (Optimizing): Organization focused on continuous improvement of security risk management
15. Example: Security Domains
Domains can be selected based on the organizational needs, business drivers, or identified as challenges
1. Cyber Security Policy
2. Organization of Cyber Security
3. Governance, Risk, and Compliance
4. Asset and Information Management
5. Operations Security
6. Access Control
7. Mobile Technology
8. Breach Response
9. Business Continuity
10. Others as needed
16. Example: Summary of Organization Score
[Chart: Maturity Rating (1–5) by Security Domain, Current Level vs. Goal Level, for Cyber Security Policy, Organization of Cyber Security, Governance, Risk, and Compliance, Asset and Information…, Operations Security, Access Control, Mobile Technology, Breach Response, Business Continuity, and Overall. Overall row as read from the chart: Current Level 2, Goal Level 4.4.]
17. Example: Operations Security
[Chart: Maturity Rating (1–5) for Documented Procedures, 3rd Party Management, System Plan & Acceptance, Malicious Code Protection, Backup Process, Network Security, Media Handling, Monitoring, and Overall; Overall Current Level 2, Goal Level 5.]
Key Observations
• Network security function is fragmented between operations
• Monitoring is mostly manual
• System development not separated
Actions to Reach Maturity Level 5
1) Restructure monitoring roles and responsibilities
2) Identify security technology to automate log and audit reviews
18. Example: Access Control
[Chart: Maturity Rating (1–5) for Access Need Controls, User Access Mgt, User Responsibilities, Network Access, Operating System Access, Application Access, and Overall; Overall Current Level 2.3, Goal Level 4.3.]
Key Observations
• Access procedures do not address urgent scenarios of termination
• Privileged access is wide and prevalent and lacks management
Actions to Reach Maturity Level 4
1) Review policy and implement strong, well-defined procedures
2) Control privileged access and establish decision authority
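The per-domain figures on the two example slides (overall current and goal level, the gap, and which capabilities to act on first) can be produced mechanically from per-control ratings. The following is an added example and not part of the deck: it assumes a domain's overall level is the mean of its control ratings rounded to one decimal, and that a gap of three or more levels marks a high-priority capability while a smaller positive gap marks a medium-priority one (both thresholds are assumptions, not the deck's method). The per-control ratings are constructed to reproduce the domain totals shown on the Operations Security and Access Control slides.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

# Maturity levels 1 (Initial) .. 5 (Optimized), as on the maturity model slide.
LEVELS = range(1, 6)


@dataclass(frozen=True)
class Control:
    """One assessed control area inside a security domain."""
    name: str
    current: int  # assessed maturity level, 1..5
    goal: int     # target maturity level, 1..5

    def __post_init__(self) -> None:
        # Reject ratings outside the model so a typo cannot skew the domain average.
        for label, level in (("current", self.current), ("goal", self.goal)):
            if level not in LEVELS:
                raise ValueError(f"{self.name}: {label} level {level} not in 1..5")

    @property
    def gap(self) -> int:
        return self.goal - self.current


@dataclass(frozen=True)
class Domain:
    name: str
    controls: tuple[Control, ...]

    def overall(self) -> tuple[float, float]:
        """Domain-level (current, goal).

        Assumption: the mean of the control ratings, rounded to one decimal.
        """
        return (round(mean(c.current for c in self.controls), 1),
                round(mean(c.goal for c in self.controls), 1))


def prioritize(domain: Domain, high_gap: int = 3) -> dict[str, list[str]]:
    """Bucket controls for the roadmap (assumed thresholds).

    'high'   : gap >= high_gap  -> implement first
    'medium' : 0 < gap < high_gap
    'met'    : already at or above goal
    Within a bucket the largest gap comes first (sort is stable, so ties keep slide order).
    """
    buckets: dict[str, list[str]] = {"high": [], "medium": [], "met": []}
    for c in sorted(domain.controls, key=lambda c: c.gap, reverse=True):
        if c.gap >= high_gap:
            buckets["high"].append(c.name)
        elif c.gap > 0:
            buckets["medium"].append(c.name)
        else:
            buckets["met"].append(c.name)
    return buckets


def summary(domains: list[Domain]) -> list[tuple[str, float, float, float]]:
    """Rows of (domain, current, goal, gap) like the organization score slide."""
    rows = []
    for d in domains:
        cur, goal = d.overall()
        rows.append((d.name, cur, goal, round(goal - cur, 1)))
    return rows


# Constructed sample ratings (not the deck's data), chosen so the domain
# overall matches the slides: Operations Security 2 -> 5, Access Control 2.3 -> 4.3.
OPERATIONS_SECURITY = Domain("Operations Security", (
    Control("Documented Procedures", 1, 5),
    Control("3rd Party Management", 2, 5),
    Control("System Plan & Acceptance", 3, 5),
    Control("Malicious Code Protection", 2, 5),
    Control("Backup Process", 2, 5),
    Control("Network Security", 1, 5),
    Control("Media Handling", 3, 5),
    Control("Monitoring", 2, 5),
))

ACCESS_CONTROL = Domain("Access Control", (
    Control("Access Need Controls", 2, 5),
    Control("User Access Mgt", 2, 4),
    Control("User Responsibilities", 3, 4),
    Control("Network Access", 2, 4),
    Control("Operating System Access", 2, 4),
    Control("Application Access", 3, 5),
))

if __name__ == "__main__":
    for name, cur, goal, gap in summary([OPERATIONS_SECURITY, ACCESS_CONTROL]):
        print(f"{name:<20} current {cur:>3}  goal {goal:>3}  gap {gap:>3}")
    for domain in (OPERATIONS_SECURITY, ACCESS_CONTROL):
        buckets = prioritize(domain)
        print(f"{domain.name}: high={buckets['high']}  medium={buckets['medium']}")
```

Run stand-alone it prints the two domain rows and the high/medium buckets; the bucket order is what a roadmap would schedule first (high priority in the 3-month window, medium after), under the assumed thresholds.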
19. Example: Roadmap for Readiness Improvements
[Timeline chart: Security Capability over 3 Months / 6 Months / 12+ Months, with the milestones Review Security Architecture; Formalize Plan for Readiness Improvements; Implement High Priority Capabilities; Implement Medium Priority Capabilities; Assess Compliance and Certify; Monitor and Evaluate; Re-Evaluate Cyber Readiness and Maturity.]
20. Summary
Make investments that matter the most!
• Cyber Security is a Must for all businesses – it’s a question of readiness
• Enterprise-wide program effectiveness requires a process with structure and formal decision-making
• Understand where you are today and where you want to go
Tim: You can freestyle regarding how organizations responded to these threats.
Tim: Trying to figure out who would want to attack a particular organization and why. Developing a strategic stance begins with the answers to those questions. Until you have a sound understanding of why, you’ll never be able to defend yourself effectively against targeted attacks. Targeted attacks are different from accidental hacks. A threat actor diligently seeks out a target to exploit for personal or financial gain, as opposed to a hacker getting lucky at an airport where he/she infects a random user with malware by spoofing a WiFi service. Are they interested in you because you have access to another organization that is a high-value target, or are you the high-value target? What are they really interested in? Money, intellectual property, trade secrets, access to other higher-value targets, political information, crippling a country’s defenses in cyber warfare.