Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
OSB50: Operational Security: State of the Union
2. Operational Security: State of the Union
Chris Duvall, The Chertoff Group
Rob Juncker, VP of R&D, Ivanti
Chris Goettl, Manager of Product Management, Security, Ivanti
3. State of the Union
Chris Duvall
Director, The Chertoff Group
4. The questions we hear from senior leaders…
• Are we secure? How do we know?
• How are we doing versus our peers?
• Do we have appropriate controls on sensitive data?
• How should we prioritize our security investments?
• Can security help us create competitive advantage?
5. The Three T’s of the Digital Economy
• Technology: New platforms driving innovation and risk
• Threat: The bad guys are in – and some are yours
• Trust: …is eroding. Privacy does matter
Impacting Strategy, Policy, & Opinions
6. The Second T - Threat
Target: Your Information and Infrastructure
Who (from outside):
• Nation States
• Criminals and Gangs
• Hacktivists
• Lone Wolves
How (from outside):
• Supply chain
• Embedded technologies
• Insecure software
• Vendor Indifference
Who (from inside):
• Poor cyber hygiene
• Clueless users
• Disgruntled employees
How (from inside):
• Theft
• Policy violations
• Poor controls
• Unauthorized use
7. Five Trends and Implications
• Less Control over Data and Devices
• Networks are More and Less Secure
• The World of InSecure Things
• Government Will Not be Coming to the Rescue
• Security is Both a Risk and an Opportunity
“TECH”TONIC SHIFTS: Cloud, Mobility, Internet of Things, Artificial Intelligence, Open Source
8. Chertoff Group & Ivanti Survey Results
Chart: Who owns these tasks in your organization? (responses grouped as Only Security / BOTH / Only IT; chart values are not present in the text)
Tasks surveyed: Security Alerts, Privilege Management, Setting IT Access Control Policies, Application Whitelisting, Server OS Patching
10. Security Risk Management Guidance: Must Be Applied in the Real World
The NIST Cybersecurity Framework, BitSight, Security ScoreCard, PCI DSS, third party assessments, pen tests, MSSPs are all effective tools … as long as you understand the limitations of what they tell you
Security Risk and Program PERCEPTION → Security Risk and Program REALITY:
• eCommerce company with strong security score → Pen test successfully accesses core customer databases
• Large retailer with seemingly strong policy framework, 24x7 SOC, PCI compliance → Significant breach of PCI data
• eCommerce company with vulnerability management program, two-factor authentication, MSSP and pen test program → Significant ransomware compromise
• Financial services company with mature security program (e.g., application whitelisting) and strong security score → Pen test captures numerous sensitive credentials
• Manufacturing company with MSSP & data loss prevention tools → Significant theft of intellectual property
• Fortune 50 company that conformed program to NIST Cybersecurity Framework → Pen test compromises Active Directory Domain Controller
Significant vulnerabilities can lurk behind seemingly adequate security performance
11. We Take a Risk-Based Approach Focused around Business Impact and Threat
Attack lifecycle: Reconnaissance, Weaponization → Entry → C2 Communications → Lateral Movement, Persistence, Escalation → Exfiltration, Corruption, Destruction
1. The starting point is understanding an enterprise’s inherent risk profile…
• The nature of the threat and how it can cause harm
• Critical assets and the impact of a compromise
• How business and technology drivers impact risk
2. We then consider how assets could be compromised…
3. We then consider whether an effective program is in place to manage cyber risk… (Governance, Controls, Evaluation)
12. What Makes This So Hard? Six Risks to Achieving Cyber Effectiveness
By tailoring an assessment to these risks, we help address them head-on
Assessment dimensions: Governance, Controls, Evaluation (diagram labels: Strategy, Oversight, Risk Management, Risk Reduction, Value, Internet Proximity, Foundational, Level of Effectiveness, Level of Implementation)
Effectiveness Risks:
1. Gaps in Inherent Risk Understanding
2. Flawed Planning Process
3. Operational Burdens
4. Dependencies on IT Staff
5. Lack of Stakeholder Alignment
6. Lack of Control Transparency
13. Established Frameworks Define “Best” Security Controls
And are widely understood by security teams…
Using a risk management framework such as… …to look at your organization’s… People, Process, Technology …is the most effective path to comprehensive risk management.
15. Your security risk is higher than ever.
• 40% of spam contains ransomware (IBM)
• 1 in 2 executives experience a ransomware attack (IBM)
• $19.95/mo. buys hackers easy-to-use “as-a-service” options for attacks (ZDNet)
16. [figure] of recipients open phishing messages. [figure] click on attachments. (Verizon 2016 DBIR)
17. You can’t afford to be wrong on this one.
• 93% of data breaches compromise organizations in minutes or less (2016 Verizon DBIR)
• 70% of businesses hit pay the ransom (IBM)
• $1B USD in ransom paid in 2016 (FBI estimate)
18. “We have to tear down the
traditional view of what an
IT operations entity is and what
a security entity is.”
Feedback from a survey of 100 CIO/CSOs
19. “IT wants things to work smoothly,
while security wants security.
At the endpoint, they have to work
together to maintain both.”
Feedback from a survey of 100 CIO/CSOs
20. “You do not need
15 best-in-breed products
for a successful layered approach
to cybersecurity.”
Feedback from a survey of 100 CIO/CSOs
22. Make sense of endpoint security.
Report key takeaways:
• Endpoint security is critical to defend against data breaches.
• Security pros seek to balance prevention and detection.
• Consolidating technologies leads to more effective suites.
Source: Forrester TechRadar™: Endpoint Security, Q1 2017, by Chris Sherman, January 27, 2017
23. Focused strategies lead to strategic IT success.
Provide defense in depth.
• Integrate the environment to discover the breadth of risk.
• Provide tech that reduces the attack surface.
• Analyze data for insight into issues.
• Take action to solve problems.
Balance security with user needs.
• Learn about users and discover their needs.
• Provide security without interfering with jobs.
• Silently provide service through upgrades and risk evasion.
• Increase productivity with the right tools.
24. Our approach to security
• Discover: Easily find and quantify the assets you need secured.
• Provide insight: Clearly identify risk.
• Take action: Use best-in-breed tools to act swiftly.
Integrated, easy-to-use security offering
25. Our defense-in-depth solutions
Patch & Vulnerability Management: Patch and secure the OSes and 3rd-party apps that you can.
• Patch management
• Vulnerability management
Application Control & Privilege Management: Prevent all other apps from running while practicing the principles of least privilege.
• Application control
• Privilege management
Endpoint Security: Add advanced anti-malware and AV capabilities, device control, and global policy for all devices.
• Device control
• Anti-malware
• Threat alerting
Secure Program Management: Marry security capabilities with workflows and asset management processes to complete a secure lifecycle.
• Asset management
• Service management
• Secure configuration management
Foundation: Discovery
26. Cut through the mass of information to the critical insights that matter.
• Pre-built connectors for nearly every tool you use
• Customized connectors too
• No coding, business intelligence gurus, spreadsheets, or data silos
Tie it all together with real-time dashboard reporting.
27. Our defense-in-depth products
Patch & Vulnerability Management:
• Ivanti Patch for Endpoints
• Ivanti Patch for Servers
• Ivanti Patch for SCCM
Application Control & Privilege Management:
• Ivanti Application Control for Endpoints
• Ivanti Application Control for Servers
• Ivanti Application Control for SCCM
Endpoint Security:
• Ivanti Endpoint Security
• Ivanti Server Security
Secure Program Management:
• Ivanti Service Manager
• Ivanti Asset Manager
Foundation: Discovery
29. Critical Security Controls (CSC)
The Center for Internet Security Critical Security Controls ensure a more secure environment.
• Prioritized list of focused actions
• Compliant with all industry and government security requirements
• Based on experience with actual attacks
• Block initial compromises and detect compromised devices
30. The first 5 controls
1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configuration
4. Controlled use of administration privileges
5. Continuous vulnerability assessment and remediation
CIS, US-CERT, ASD, and other authorities prioritize these five elements of cyber hygiene to significantly reduce security threats.
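A small hygiene check that applies the five controls above to asset records, added here as an illustration; it is not from the deck or any Ivanti product. The authorized device and software inventories, the configuration baseline, the approved administrator list, the 30-day remediation window and the sample fleet are all constructed assumptions.

```python
"""Hygiene checks modelled on the first five CIS controls; constructed data."""
from dataclasses import dataclass
from datetime import date

SLA_DAYS = 30                                                     # assumed window
AUTHORIZED_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}   # CSC 1 (assumed)
AUTHORIZED_SOFTWARE = {"openssh", "firefox", "chrome"}            # CSC 2 (assumed)
BASELINE = {"ssh_password_auth": "no", "autorun": "disabled"}     # CSC 3 (assumed)
APPROVED_ADMINS = {"it-admin"}                                    # CSC 4 (assumed)
REPORT_DATE = date(2017, 3, 1)                                    # constructed

@dataclass
class Asset:
    name: str
    mac: str
    software: set
    config: dict
    admins: set          # accounts holding local administrator rights
    open_vulns: dict     # constructed vuln id -> date first detected

def check_asset(asset, today):
    """Return (control number, finding) pairs for one asset, in control order."""
    findings = []
    if asset.mac not in AUTHORIZED_DEVICES:
        findings.append((1, f"device {asset.mac} not in authorized inventory"))
    for pkg in sorted(asset.software - AUTHORIZED_SOFTWARE):
        findings.append((2, f"software {pkg} not in authorized inventory"))
    for key, expected in BASELINE.items():
        if asset.config.get(key) != expected:
            findings.append((3, f"{key}={asset.config.get(key)!r}, baseline {expected!r}"))
    for user in sorted(asset.admins - APPROVED_ADMINS):
        findings.append((4, f"unapproved administrator account {user}"))
    for vuln, seen in asset.open_vulns.items():
        age = (today - seen).days
        if age > SLA_DAYS:        # CSC 5: remediation overdue
            findings.append((5, f"{vuln} open for {age} days (SLA {SLA_DAYS})"))
    return findings

FLEET = [   # constructed sample assets
    Asset("ws-01", "aa:bb:cc:00:00:01", {"openssh", "firefox"},
          {"ssh_password_auth": "no", "autorun": "disabled"}, {"it-admin"}, {}),
    Asset("ws-02", "aa:bb:cc:00:00:99", {"firefox", "torrent-client"},
          {"ssh_password_auth": "yes", "autorun": "disabled"},
          {"it-admin", "bob"}, {"VULN-0001": date(2017, 1, 1)}),
]

def sample_report(today=REPORT_DATE):
    """Map asset name -> findings for the constructed fleet."""
    return {a.name: check_asset(a, today) for a in FLEET}
```

Calling sample_report() returns no findings for ws-01 and one finding per control, in order 1 to 5, for ws-02.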
31. Our defense-in-depth solutions
32. Security Roadmap (Patch and Vuln Management)
• Integrate Windows Engine / Content (Single Windows Engine across portfolio)
• More content, faster
• Faster, more efficient engine
33. Security Roadmap (Patch and Vuln Management)
• Microsoft Unified Update Platform
• Express patching for Windows 10!
• Smaller incremental updates
34. Security Roadmap (Patch and Vuln Management)
• Expand our API strategy
• Interoperability with other solutions
• Pave the way for DevOps, Container Patching, Open Source
35. Our defense-in-depth solutions
36. Security Roadmap (Application Control & Priv Mgmt)
• Integrate AC features into one engine!
• Trust models (Trusted Owner, Vendor, Updater)
• Memory Injection Protection
• Privilege Management
37. Security Roadmap (Application Control & Priv Mgmt)
• Enhance out of box experience with content
• Trusted Vendors List
• Server workloads / profiles
38. Our defense-in-depth solutions
39. Security Roadmap (Endpoint Security)
• Integrate DC features into one engine!
• Deeper device control feature set
40. Security Roadmap (Endpoint Security)
• Next-Gen Threat Protection
• Behavior Detection of Malware
• Memory Injection Protection
• Continue to Enhance Detect and Respond capabilities
41. Our defense-in-depth solutions