The document discusses major trends in information security from 2009-2010. It identifies six major trends: 1) Increasingly complex regulatory environment, 2) Increased focus of attacks on specific targets, 3) Increased threats to privacy and reputational risk, 4) Mass accumulation of system access, 5) The evolution of cloud computing and the "extended enterprise", and 6) The evolution of security into an enterprise risk management function. The document provides analysis and recommendations for addressing each of these trends.
2. Major Trends 2009-2010
Increasingly complex regulatory environment
Increased focus of attacks on specific targets
Mass accumulation of system access
Increased threats to privacy and reputational risk
The “extended enterprise” and cloud computing
The evolution of “security” into risk management
3. Major Trends 2009-2010
…And a rapidly changing market and financial landscape
4. A dose of reality
Financial realities have changed
Increasing push to rationalize IT spend
[Chart residue: two y-axes (0 to 140 and 0 to 800) plotted over the years 2005 to 2009; series labels are not recoverable from the extracted text]
How to balance the need to reduce risk with the need to be fiscally responsible?
In good times as well as in bad
5. Driving Productivity in IT Security
Get more efficient with operations
Zero-based budgeting
Automate and streamline the commodities
“fix the plumbing” – eliminate variance
Prioritize risk investments
Focus on risk reduction and achievability
Leverage a small set of meaningful metrics
6. Areas of Focus for 2009-2010
Risk Area | Major Initiative
Regulatory Complexity | Automated Compliance
Attack focus and sophistication | Change in Protection Models
Privacy & Reputational Risk | Data Management and Risk Avoidance
Access accumulation | Automation & Role-based Access
The “Extended Enterprise” | “Virtual Desktop” and Data-centric security models
Evolution of Security into Risk Management | Risk prioritization model & better use of metrics
7. #1: Increased regulatory complexity
The past few years have seen an increase in regulations and compliance requirements
Gramm-Leach-Bliley compliance
FFIEC Guidance on Authentication
Interagency White Paper
Breach notification statutes
PCI Compliance
Sarbanes-Oxley
Pending legislation
This has required more rigor of existing programs
8. #1: Increasing regulatory complexity (cont’d)
Moving from manual to “continuous assessment”, automating where possible
[Diagram labels: Business Initiatives, Assessable Entities, Risk Score, Controls, Tools]
9. #1: Increasing regulatory complexity (cont’d)
[Diagram: risk assessment and compliance scorecard model. Inputs: Assessable Entities; Policies & Standards; LOB-specific Process & Analysis; Controls. Risk is derived from Impact, Likelihood (Probability), Vulnerabilities and Threats. Each line of business (LoB #1 to LoB #5) has a Compliance and Non-Compliance Scorecard that rates its IT controls (Control #1 to Control #5) on a 1 to 5 scale (grouped as 1 or 2, 3, and 4 or 5). An Aggregated Compliance and Non-Compliance Scorecard rolls these up firm-wide; the sample table shown lists IT Controls, Entities and IT Control Rating as Control #1 / Entity #1 / 1, Control #2 / Entity #2 / 3, Control #3 / Entity #3 / 2, Control #4 / Entity #4 / 4, Control #5 / Entity #5 / 1.]
Data can be presented by entity or control
Common Firm-wide Controls & Processes
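The scorecard diagram above describes a model (impact, likelihood, per-LoB control ratings, a firm-wide roll-up that can be viewed by entity or by control) without showing how the numbers combine. The following is an added example, not code from the original deck: it assumes the 1 to 5 rating scale implied by the slide's "1 or 2 / 3 / 4 or 5" groupings, and the impact weights, likelihood mapping and sample ratings are constructed for illustration.

```python
from collections import Counter

# Constructed sample: IT control ratings per assessable entity (line of business).
# Rating scale assumed from the slide's labels: 1 or 2 = compliant,
# 3 = partially compliant, 4 or 5 = non-compliant.
RATINGS = {
    "LoB #1": {"Control #1": 1, "Control #2": 3, "Control #3": 2, "Control #4": 4, "Control #5": 1},
    "LoB #2": {"Control #1": 2, "Control #2": 1, "Control #3": 1, "Control #4": 5, "Control #5": 2},
    "LoB #3": {"Control #1": 1, "Control #2": 2, "Control #3": 3, "Control #4": 1, "Control #5": 1},
}

# Assumed business impact (1 to 5) of a failure of each firm-wide control.
IMPACT = {"Control #1": 5, "Control #2": 3, "Control #3": 2, "Control #4": 4, "Control #5": 1}

# Assumed mapping from a control rating to the likelihood that the control
# fails to stop a threat; the slide gives the scale, not these probabilities.
LIKELIHOOD = {1: 0.05, 2: 0.10, 3: 0.30, 4: 0.60, 5: 0.90}


def status(rating):
    """Translate a 1 to 5 rating into the scorecard's compliance status."""
    if rating <= 2:
        return "compliant"
    if rating == 3:
        return "partial"
    return "non-compliant"


def risk(control, rating):
    """Risk score for one control at one entity: impact x likelihood."""
    return IMPACT[control] * LIKELIHOOD[rating]


def scorecard_by_entity(ratings):
    """Per-entity view: status counts plus a summed risk score."""
    out = {}
    for entity, controls in ratings.items():
        counts = Counter(status(r) for r in controls.values())
        out[entity] = {
            "compliant": counts["compliant"],
            "partial": counts["partial"],
            "non-compliant": counts["non-compliant"],
            "risk": round(sum(risk(c, r) for c, r in controls.items()), 2),
        }
    return out


def scorecard_by_control(ratings):
    """Firm-wide view: worst rating per control and the entities failing it."""
    controls = sorted({c for cs in ratings.values() for c in cs})
    out = {}
    for control in controls:
        per_entity = {e: cs[control] for e, cs in ratings.items() if control in cs}
        worst = max(per_entity.values())
        out[control] = {
            "worst": worst,
            "status": status(worst),
            "failing": sorted(e for e, r in per_entity.items() if r >= 4),
        }
    return out


def prioritized_findings(ratings, limit=3):
    """Highest-risk (entity, control) pairs first, to drive remediation order."""
    pairs = [(e, c, risk(c, r)) for e, cs in ratings.items() for c, r in cs.items()]
    pairs.sort(key=lambda t: (-t[2], t[0], t[1]))
    return [(e, c, round(s, 2)) for e, c, s in pairs[:limit]]


if __name__ == "__main__":
    for entity, row in scorecard_by_entity(RATINGS).items():
        print(entity, row)
    for control, row in scorecard_by_control(RATINGS).items():
        print(control, row)
    print(prioritized_findings(RATINGS))
```

The by-control view deliberately reports the worst rating across entities rather than an average, so a single non-compliant line of business cannot be hidden by several compliant ones; the prioritized list is what a continuous-assessment process would feed to remediation owners.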
11. #2: Increased focus of attacks (cont’d)
[Figure labels: Data exfiltration; Espionage; Profiteers; Hacktivism; Botnets; Simple exploits; “Designer Malware”; Web defacement, denial of service; Innovation, Efficiency to combat commoditization]
12. #2: Increased focus of attacks (cont’d)
We see an interesting dichotomy:
Widespread exploitation of old vulnerabilities
Microdistribution of sophisticated, targeted malware
So, we need to adapt our protection models
Incessant, rigorous follow-up on baseline protection
Blacklisting vs. whitelisting – does either one really work?
Better visibility: cross-device correlation of security events
13. #3: Privacy and Reputational Risk
Data Protection Initiative
Cover all data, initial focus on PII
Balance reduction in risk and achievability
Slow down the velocity of leakage of confidential data
Combination of awareness, technology, and process controls
Areas of Focus
When data leaves the firm
When data is on portable media
When data is widely available
14. #3: Privacy and Reputational Risk (cont’d)
Prioritize efforts based on reducing potential “velocity” of data leakage
Migration to tapeless backup
Core-to-Bunker, Remote-to-Core
Controls on portable devices
Laptop encryption
Removable media controls
Filtering of Personally Identifiable Information (PII)
Email, FTP, HTTP filtering at gateways
Discovery of PII on fileshares
Application PII remediation
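The last three bullets (gateway filtering, PII discovery on fileshares, application remediation) share one core: recognising PII in free text with few enough false positives that the findings are actionable. The following is an added example, not code from the original deck or any product it mentions: it detects SSN-shaped values and card numbers that pass the Luhn check, masks them for reporting, and exposes both a fileshare discovery scan and an outbound gateway decision. The sample file contents are constructed and contain no real records.

```python
import re

# Constructed sample "fileshare" contents; none of these are real records.
SAMPLE_FILES = {
    "hr/benefits.txt": "Employee 1042 SSN 123-45-6789 enrolled 2009-03-01",
    "finance/refunds.csv": "order,card\n77,4111 1111 1111 1111\n78,5500-0000-0000-0004",
    "ops/inventory.txt": "serial 1234567812345678 shipped; call 555-1234",
}

# SSN shape: AAA-GG-SSSS, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so reports never re-leak the value found."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text):
    """Return (kind, masked_value) findings for SSN-shaped and Luhn-valid card numbers."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group().replace("-", ""))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(digits)))
    return findings


def scan_share(files):
    """Discovery: map each path to its findings, omitting clean files."""
    return {path: f for path, content in files.items() if (f := find_pii(content))}


def gateway_decision(message):
    """Outbound filtering (email, FTP, HTTP body): block when any PII finding is present."""
    return "block" if find_pii(message) else "allow"


if __name__ == "__main__":
    for path, findings in scan_share(SAMPLE_FILES).items():
        print(path, findings)
    print(gateway_decision(SAMPLE_FILES["ops/inventory.txt"]))
```

The inventory file shows why the Luhn check matters: its 16-digit serial number matches the card pattern but fails mod-10, so it is neither reported by discovery nor blocked at the gateway, which keeps the alert volume low enough for the process controls the slide pairs with the technology.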
15. #4: Identity & Access Management
Many incidents and most SOX findings are driven by access issues
Privileged access
Access certification
Offboarding / Transfers
Significant employee impact
Onboarding
General provisioning
Complicated and not well-understood
Exponentially complex in large organizations
16. #4: Identity & Access Management (cont’d)
[Chart: access request models plotted on two axes, Ease of Use (Low to High) and Scalability / Cost Saving (Low to High), with Auditability noted. Models shown: Role Level Access Request; Component Level Access Request With Links To Automation; Rule Driven Access (No Request Required); Component Level Access Request. Positions are not recoverable from the extracted text.]
17. #5: The extended enterprise
Companies have become hopelessly “entangled”
“Deperimeterization” of the corporate network
The rise of “Cloud Computing”
Third-party dependencies abound
Most firms have Service Provider assessment programs
What happens when you leave?
Cloud Providers: XaaS
Software-as-a-Service (SaaS) is mainstream
Platform-as-a-Service and Infrastructure-as-a-Service
On-demand computing will be the norm
18. #5: The extended enterprise (cont’d)
“Anywhere Access”
Increasingly mobile workforce
Don’t assume a Windows-based PC
Desktop virtualization is increasingly prevalent
Access from non-corporate PCs?
Re-evaluate “network-centric” security
How to address the “outside insider”
Need to migrate to application- and data-centric views
Data obfuscation and DLP solutions
Digital Rights Management (DRM): ready for prime time?
19. #6: The evolution of “security” into Risk Management
“You want a valve that doesn’t leak, and you do everything possible to try to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.”
- Arthur Rudolph, creator of the Saturn V rocket.
20. #6: Evolution of “security” into risk management
Achievability / Impact Quadrant (ILLUSTRATIVE ONLY)
How do you quantify the risk associated with an exposure?
How do you measure the impact of risk mitigation initiatives?
[Quadrant figure: initiatives plotted by Risk Reduction (Low to High) against Achievability (Low to High). Initiatives shown: Data Privacy; Vulnerability Management; Privileged Access Control (App); Infrastructure Logical Access Solutions; Privileged Access Control (Infra.); Environment Separation; Monitoring Service (Internal); Encryption; Application Development; Secure Perimeter Infrastructure; Infrastructure Secure Builds; ID Recertification (Platform); Change Event Management; Virus Management; Monitoring Service (Perimeter); ID Recertification (Application); Source Code Management; Remote Computing; ID Admin Tools & Processes; OSP Review; Infrastructure Monitoring Solutions; Awareness; Information Owner Identification. Positions are not recoverable from the extracted text.]
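The quadrant slide asks how to measure the impact of mitigation initiatives, and the closing slide calls for models that support fact-based prioritization and capital allocation. The following is an added example, not a model from the original deck: it places initiatives in the achievability / impact quadrant and then allocates a fixed budget greedily by expected risk reduction per unit cost. The initiative names are taken from the quadrant figure, while the risk-reduction scores, achievability values, costs and the "achievability discounts the promised reduction" assumption are constructed for illustration.

```python
# Constructed sample: initiative names come from the quadrant slide; the
# scores and costs are assumptions made for this example.
INITIATIVES = [
    # (name, expected risk reduction 0 to 10, achievability 0 to 1, cost in assumed budget units)
    ("Data Privacy", 9, 0.4, 50),
    ("Vulnerability Management", 7, 0.8, 20),
    ("Privileged Access Control (App)", 8, 0.5, 30),
    ("Encryption", 6, 0.3, 40),
    ("Awareness", 3, 0.9, 5),
    ("Infrastructure Secure Builds", 5, 0.7, 15),
]


def quadrant(risk_reduction, achievability, risk_split=5, ach_split=0.5):
    """Place an initiative in the achievability / impact quadrant (splits are assumed)."""
    high_risk = risk_reduction > risk_split
    high_ach = achievability > ach_split
    if high_risk and high_ach:
        return "do now"
    if high_risk:
        return "invest to make achievable"
    if high_ach:
        return "quick win"
    return "defer"


def expected_reduction(risk_reduction, achievability):
    """Assumed model: achievability discounts the promised reduction,
    so a hard initiative delivers less on average than its headline score."""
    return risk_reduction * achievability


def allocate(initiatives, budget):
    """Greedy capital allocation by expected reduction per unit cost; skips what does not fit."""
    ranked = sorted(
        initiatives,
        key=lambda i: expected_reduction(i[1], i[2]) / i[3],
        reverse=True,
    )
    chosen, spent, gained = [], 0, 0.0
    for name, rr, ach, cost in ranked:
        if spent + cost <= budget:
            chosen.append(name)
            spent += cost
            gained += expected_reduction(rr, ach)
    return {"chosen": chosen, "spent": spent, "expected_reduction": round(gained, 2)}


def quadrant_map(initiatives):
    """Quadrant label for every initiative, for the illustrative chart."""
    return {name: quadrant(rr, ach) for name, rr, ach, _ in initiatives}


if __name__ == "__main__":
    for name, label in quadrant_map(INITIATIVES).items():
        print(f"{name}: {label}")
    print(allocate(INITIATIVES, budget=50))
```

With a budget of 50 the greedy pass funds the three cheapest high-yield items and leaves the high-impact but hard initiatives (Data Privacy, Encryption) unfunded; that is the kind of visible trade-off the slide wants decision makers to see, and the "invest to make achievable" quadrant is where the next planning cycle should look for ways to raise achievability or lower cost.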
21. The challenge ahead
IT security has “grown up” – seat at the table
Must apply traditional IT management rigor in order to be given the chance to succeed at executing strategy
Continue to evolve our protection measures to keep up with the evolution of the threat
Put evergreen processes and systems in place to ensure completeness and consistency of controls
Need to develop models to make intelligent, fact-based decisions about risk prioritization and capital allocation
“If you don’t like change, you’ll like irrelevance even less”
— Tom Peters