JUNE 2009

Information Security: Trends and Concerns
Dealing with Change and Facing Reality

Ronin Consulting
John Napier
Major Trends 2009-2010
- Increasingly complex regulatory environment
- Increased focus of attacks on specific targets
- Mass accumulation of system access
- Increased threats to privacy and reputational risk
- The “extended enterprise” and cloud computing
- The evolution of “security” into risk management
…And a rapidly changing market and financial landscape
A dose of reality
- Financial realities have changed
- Increasing push to rationalize IT spend
[Chart: IT spend trend 2005–2009, plotted against two axes (0–140 and 0–800); series labels not recoverable]
- How to balance the need to reduce risk with the need to be fiscally responsible?
- In good times as well as in bad
Driving Productivity in IT Security
Get more efficient with operations
- Zero-based budgeting
- Automate and streamline the commodities
- “Fix the plumbing”: eliminate variance
Prioritize risk investments
- Focus on risk reduction and achievability
Leverage a small set of meaningful metrics
Areas of Focus for 2009-2010
Risk Area | Major Initiative
Regulatory Complexity | Automated Compliance
Attack focus and sophistication | Change in Protection Models
Privacy & Reputational Risk | Data Management and Risk Avoidance
Access accumulation | Automation & Role-based Access
The “Extended Enterprise” | “Virtual Desktop” and Data-centric security models
Evolution of Security into Risk Management | Risk prioritization model & better use of metrics
#1: Increased regulatory complexity
The past few years have seen an increase in regulations and compliance requirements:
- Gramm-Leach-Bliley compliance
- FFIEC Guidance on Authentication
- Interagency White Paper
- Breach notification statutes
- PCI Compliance
- Sarbanes-Oxley
- Pending legislation

This has required more rigor of existing programs.
#1: Increasing regulatory complexity (cont’d)
Moving from manual to “continuous assessment”, automating where possible.
[Diagram: assessment pipeline linking Business Initiatives, Assessable Entities, Controls, Tools and a Risk Score]
#1: Increasing regulatory complexity (cont’d)
[Diagram: risk-scoring and scorecard model. Inputs: assessable entities, policies & standards, LOB-specific process & analysis, and controls. Risk is derived from threats, vulnerabilities, impact and likelihood (probability). Each line of business (LoB #1–#5) gets a compliance and non-compliance scorecard that rates each IT control (Control #1–#5) from 1 to 5, grouped as “1 or 2”, “3” and “4 or 5”. The LoB scorecards roll up into an aggregated firmwide compliance and non-compliance scorecard.]
Aggregated firmwide scorecard (IT control rating per entity):
Control # 1 | Entity #1 | 1
Control # 2 | Entity #2 | 3
Control # 3 | Entity #3 | 2
Control # 4 | Entity #4 | 4
Control # 5 | Entity #5 | 1
Data can be presented by entity or by control.
Common firmwide controls & processes.
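The scorecard model above is only a diagram on the slide; the following added example (not the deck's or Ronin Consulting's code) shows how per-entity control ratings can be pivoted by entity or by control and rolled up firmwide. The sample ratings, the 1–2 / 3 / 4–5 band labels and the "worst rating wins" roll-up rule are assumptions for the example.

```python
"""Compliance / non-compliance scorecard aggregation.

Constructed sample data: each assessable entity (line of business) has one
rating per IT control, 1 = best, 5 = worst. The band names and the roll-up
rule are assumptions that mirror the 1-2 / 3 / 4-5 groupings on the slide.
"""
from collections import defaultdict

CONTROLS = ["Control #1", "Control #2", "Control #3", "Control #4", "Control #5"]

# entity -> ratings in CONTROLS order (constructed values)
RATINGS = {
    "Entity #1": [1, 3, 2, 4, 1],
    "Entity #2": [2, 3, 1, 5, 2],
    "Entity #3": [1, 2, 2, 4, 1],
    "Entity #4": [1, 3, 2, 2, 1],
    "Entity #5": [1, 1, 2, 1, 1],
}


def band(rating):
    """Map a 1-5 rating onto the compliance bands used on the slide (assumed names)."""
    if not isinstance(rating, int) or not 1 <= rating <= 5:
        raise ValueError(f"rating must be an integer in 1..5, got {rating!r}")
    if rating <= 2:
        return "compliant"
    if rating == 3:
        return "partially compliant"
    return "non-compliant"


def records(ratings=RATINGS):
    """Flatten the matrix into validated (entity, control, rating) tuples."""
    out = []
    for entity, row in ratings.items():
        if len(row) != len(CONTROLS):
            raise ValueError(f"{entity}: expected {len(CONTROLS)} ratings, got {len(row)}")
        for control, rating in zip(CONTROLS, row):
            band(rating)  # raises on an out-of-range value
            out.append((entity, control, rating))
    return out


def scorecard(by="entity", ratings=RATINGS):
    """LoB scorecard pivoted by 'entity' or by 'control'.

    Returns {group: {item: rating}}, so the same data can be shown either way.
    """
    if by not in ("entity", "control"):
        raise ValueError("by must be 'entity' or 'control'")
    table = defaultdict(dict)
    for entity, control, rating in records(ratings):
        if by == "entity":
            table[entity][control] = rating
        else:
            table[control][entity] = rating
    return dict(table)


def firmwide(ratings=RATINGS):
    """Aggregated firmwide rating per control.

    Roll-up rule (assumption): the worst rating any entity received for a
    control becomes the firmwide rating, so one weak LoB is not averaged away.
    """
    worst = {}
    for _entity, control, rating in records(ratings):
        worst[control] = max(worst.get(control, 0), rating)
    return worst


def non_compliance(ratings=RATINGS):
    """Non-compliance scorecard: every entity/control pair in the 4-5 band,
    worst first, then by entity and control name for a stable listing."""
    bad = [r for r in records(ratings) if band(r[2]) == "non-compliant"]
    return sorted(bad, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for control, rating in firmwide().items():
        print(f"{control}: {rating} ({band(rating)})")
    for entity, control, rating in non_compliance():
        print(f"NON-COMPLIANT {entity} {control} rating {rating}")
```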
#2: Increased focus of attacks
[Chart: attack types plotted by breadth of impact and damage: Viruses, Worms, Phishing & Pharming, Spearphishing & Malware; date ranges shown: 1990 – present, 2000 – present, 2003 – present, 2006 – present]
#2: Increased focus of attacks (cont’d)
[Chart: evolution of attacker motives and techniques, from web defacement and denial of service, simple exploits and botnets to hacktivism, profiteers, espionage, “designer malware” and data exfiltration; axis label: innovation and efficiency to combat commoditization]
#2: Increased focus of attacks (cont’d)
We see an interesting dichotomy:
- Widespread exploitation of old vulnerabilities
- Microdistribution of sophisticated, targeted malware

So, we need to adapt our protection models:
- Incessant, rigorous follow-up on baseline protection
- Blacklisting vs. whitelisting: does either one really work?
- Better visibility: cross-device correlation of security events
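The last bullet is a one-line recommendation on the slide; the following added example (not from the deck) shows the core of cross-device correlation: events from a firewall, a web proxy and an endpoint agent that concern the same host within a short window are raised together, while a single device's report on its own is not. The log format, device names and sample lines are constructed for this example.

```python
"""Cross-device correlation of security events.

Correlates events from different security devices (firewall, web proxy,
endpoint agent) that concern the same host inside a short time window. One
event from one device is noise; several devices reporting on the same host
within minutes is worth an analyst's attention. The log format and the
sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|device|host|message", one event per line.
SAMPLE_LOG = """\
2009-06-01T09:00:05|firewall|ws-114|outbound TCP/443 to unlisted address blocked
2009-06-01T09:01:10|proxy|ws-114|GET to uncategorised domain allowed
2009-06-01T09:03:42|endpoint|ws-114|heuristic detection, file quarantined
2009-06-01T09:05:00|proxy|ws-207|GET to uncategorised domain allowed
2009-06-01T10:30:00|firewall|ws-207|outbound TCP/443 to unlisted address blocked
2009-06-01T11:00:00|endpoint|ws-301|signature update completed
"""

MIN_DEVICES = 2  # alert when at least this many distinct devices agree on a host


def parse(text):
    """Parse the pipe-separated log into sorted (timestamp, device, host, message) tuples."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 3)
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 4 '|'-separated fields")
        ts, device, host, message = parts
        events.append((datetime.fromisoformat(ts), device, host, message))
    return sorted(events)


def correlate(events, window, min_devices=MIN_DEVICES):
    """Return one alert per host whose events span >= min_devices distinct
    devices within some window-sized interval: (host, devices, first_ts, last_ts).
    For each host the interval covering the most devices is reported."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[2]].append(ev)
    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort()
        best = None
        for i, first in enumerate(evs):
            # every event from this one until the window closes (evs is sorted)
            cluster = [e for e in evs[i:] if e[0] - first[0] <= window]
            devices = tuple(sorted({e[1] for e in cluster}))
            if len(devices) >= min_devices and (best is None or len(devices) > len(best[1])):
                best = (host, devices, first[0].isoformat(), cluster[-1][0].isoformat())
        if best is not None:
            alerts.append(best)
    return alerts


def run(text=SAMPLE_LOG, window_minutes=10, min_devices=MIN_DEVICES):
    """Convenience entry point: parse the log and correlate with a window in minutes."""
    return correlate(parse(text), timedelta(minutes=window_minutes), min_devices)


if __name__ == "__main__":
    for host, devices, first, last in run():
        print(f"ALERT {host}: {', '.join(devices)} between {first} and {last}")
```

With the default 10-minute window only ws-114 is raised (three devices agree); widening the window to two hours also pulls in ws-207, which illustrates why the window size is a tuning decision rather than a constant.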
#3: Privacy and Reputational Risk
Data Protection Initiative
- Cover all data, initial focus on PII
- Balance reduction in risk and achievability
- Slow down the velocity of leakage of confidential data
- Combination of awareness, technology, and process controls
Areas of Focus
- When data leaves the firm
- When data is on portable media
- When data is widely available
#3: Privacy and Reputational Risk (cont’d)
- Prioritize efforts based on reducing potential “velocity” of data leakage
- Migration to tapeless backup
  - Core-to-Bunker, Remote-to-Core
- Controls on portable devices
  - Laptop encryption
  - Removable media controls
- Filtering of Personally Identifiable Information (PII)
  - Email, FTP, HTTP filtering at gateways
  - Discovery of PII on fileshares
  - Application PII remediation
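Discovery of PII on fileshares and gateway filtering both come down to the same core: find PII patterns in text while keeping false positives low. The following added example (not the deck's code) scans files for US Social Security Numbers and payment card numbers, validates card candidates with the Luhn checksum, and reports masked findings; the sample share, its paths and every value in it are constructed.

```python
"""PII discovery over a fileshare.

Scans files for two PII patterns, US Social Security Numbers and payment
card numbers, validates card candidates with the Luhn checksum to cut false
positives, and reports masked findings as (path, kind, line, masked value).
The sample share and every value in it are constructed for this example.
"""
import os
import re

# SSN: ddd-dd-dddd, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
MAX_BYTES = 8 * 1024 * 1024  # skip larger files when walking a real share

# Constructed sample share: path -> content.
SAMPLE_SHARE = {
    "hr/payroll_2009.csv": "name,ssn\nJane Doe,123-45-6789\n",
    "finance/refunds.txt": (
        "card 4111 1111 1111 1111 refund approved\n"
        "ref 4111 1111 1111 1112 is an invoice number, not a card\n"
    ),
    "it/readme.txt": "build 2009-06-01 ticket 4455-66-7788\n",
}


def luhn_ok(digits):
    """Luhn checksum: passes for genuine card numbers, fails for most look-alikes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so the report is not itself a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path, text):
    """Return (path, kind, line_no, masked_value) for each hit in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append((path, "ssn", line_no, mask(re.sub(r"\D", "", m.group()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # regex hit alone is not enough
                findings.append((path, "card", line_no, mask(digits)))
    return findings


def scan_share(files):
    """Scan an in-memory {path: text} share; sorted so output is stable."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return sorted(findings)


def scan_directory(root):
    """Walk a real directory tree (size-capped, decoded leniently) and scan each file."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) > MAX_BYTES:
                    continue
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return sorted(findings)


if __name__ == "__main__":
    for path, kind, line_no, masked in scan_share(SAMPLE_SHARE):
        print(f"{path}:{line_no}: {kind} {masked}")
```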
#4: Identity & Access Management
- Many incidents and most SOX findings are driven by access issues
  - Privileged access
  - Access certification
  - Offboarding / Transfers
- Significant employee impact
  - Onboarding
  - General provisioning
- Complicated and not well-understood
  - Exponentially complex in large organizations
#4: Identity & Access Management (cont’d)
[Chart: access-request models plotted by Ease of Use (Low to High) and Scalability / Cost Saving (Low to High), with Auditability as a further dimension: Role Level Access Request; Component Level Access Request; Component Level Access Request With Links To Automation; Rule Driven Access (No Request Required)]
#5: The extended enterprise
- Companies have become hopelessly “entangled”
  - “Deperimeterization” of the corporate network
  - The rise of “Cloud Computing”
  - Third-party dependencies abound
- Most firms have Service Provider assessment programs
  - What happens when you leave?
- Cloud Providers: XaaS
  - Software-as-a-Service (SaaS) is mainstream
  - Platform-as-a-Service and Infrastructure-as-a-Service
  - On-demand computing will be the norm
#5: The extended enterprise (cont’d)
- “Anywhere Access”
  - Increasingly mobile workforce
  - Don’t assume a Windows-based PC
  - Desktop virtualization is increasingly prevalent
  - Access from non-corporate PCs?
- Re-evaluate “network-centric” security
  - How to address the “outside insider”
  - Need to migrate to application- and data-centric views
  - Data obfuscation and DLP solutions
  - Digital Rights Management (DRM): ready for prime time?
#6: The evolution of “security” into Risk Management
“You want a valve that doesn’t leak, and you do everything possible to try to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.”
- Arthur Rudolph, creator of the Saturn V rocket
#6: Evolution of “security” into risk management
Achievability / Impact Quadrant (ILLUSTRATIVE ONLY)
- How do you measure the impact of risk mitigation initiatives?
- How do you quantify the risk associated with an exposure?
[Chart: initiatives plotted by Risk Reduction (Low to High) against Achievability (Low to High): Data Privacy; Vulnerability Management; Privileged Access Control (App); Infrastructure Logical Access Solutions; Privileged Access Control (Infra.); Environment Separation; Monitoring Service (Internal); Encryption; Application Development; Secure Perimeter Infrastructure; Infrastructure Secure Builds; ID Recertification (Platform); Change Event Management; Virus Management; Monitoring Service (Perimeter); ID Recertification (Application); Source Code Management; Remote Computing; ID Admin Tools & Processes; OSP Review; Infrastructure Monitoring Solutions; Awareness; Information Owner Identification]
The challenge ahead
- IT security has “grown up”: a seat at the table
- Must apply traditional IT management rigor in order to be given the chance to succeed at executing strategy
- Continue to evolve our protection measures to keep up with the evolution of the threat
- Put evergreen processes and systems in place to ensure completeness and consistency of controls
- Need to develop models to make intelligent, fact-based decisions about risk prioritization and capital allocation

“If you don’t like change, you’ll like irrelevance even less”
— Tom Peters
Thank You from Ronin Consulting, LLC

Q&A
