1. IBM & Deloitte Joint Webinar
Breaking Down the Cyber Security Framework:
Closing Critical IT Security Gaps
Oct 22, 2013
© 2013 IBM Corporation
© 2012 IBM Corporation
2. IBM Security Systems
Speakers: IBM & Deloitte Joint Webinar
Harry D. Raduege, Jr., Lt. General (USAF, Ret), Chairman, Deloitte Center for Cyber Innovation
Topic of discussion: Breaking down the Cyber Security Framework
Tom Turner, VP, Marketing & Business Development, IBM Security Division
Topic of discussion: Closing Critical IT Security Gaps
4. Cyber – A phenomenon that changed the world
Cyberspace
Cyber Attack
Cyber Insurance
Cyber War Cyberattack
Cyber-Alert
Cyber Bullying
Cyber crime
Cyber-ethics
Cyber FININT
Cyberpower
Cybersecurity
Cyber-Commerce
Cyber Law
Cyber Espionage
Cyber Communication
Copyright © 2013 Deloitte Development LLC. All rights reserved.
5. The world of cybersecurity
Threats
• Identity theft
• Information manipulation (e.g. Malware)
• Cyber Assaults/Bullying
• Advanced Persistent Threats (APTs)
• Information theft
• Crime (e.g., Credit card fraud)
• Insider
• Espionage
• Cyber attack
• Transnational
• Attack of software “boomerangs”
• Terrorism
Targets
• Government (Federal, State, and Local); e.g.,
– E-Government
– E-Commerce
• Industry; e.g.,
– Aerospace & Defense
– Banking & finance
– Health care
– Insurance
– Manufacturing
– Oil & Gas
– Power Grid
– Retail
– Telecommunications
– Utilities
• Universities/Colleges
• Individuals
Counters
• Cyber workforce
• Advanced network and resilience controls
• Outbound traffic monitoring
• Dynamic situational awareness
• Open source Information
• Risk intelligence & management
– Forensic analysis
– Data analytics
• Financial intelligence (FININT)
• Tighter laws & enforcement
• Expanded diplomacy
• Legislation?
You should assume that your information network has been or will be compromised.
6. Cybersecurity – Key points and impacts of the U.S. President’s Executive Order (February 2013)
Information Sharing
• Opens up information-sharing program to other sectors
• Requires Federal government information-sharing programs with private sector
Privacy
• Mandates strong privacy and civil liberties protections
• Directs regular assessments of agency activities
Cybersecurity Standards
• Requires development of a Cybersecurity Framework
• Develops voluntary critical infrastructure cybersecurity program and adoption incentives
• Identifies regulatory gaps
Critical Infrastructure Review
• Identifies critical infrastructure at greatest risk
• Changes the definition of critical infrastructure
7. Currently, there are 16 U.S. industry sectors defined as critical infrastructure
85% of critical infrastructure is in private sector hands [1]
Trends exposing industry to increased risk
• Interconnectedness of sectors
• Proliferation of exposure points
• Concentration of assets
Critical infrastructure sectors
Agriculture and Food
Dams
Information Technology
Banking and Financial Services
Defense Industrial Base
Nuclear Reactors, Materials and Waste
Chemical
Emergency Services
Transportation Systems
Commercial Facilities
Energy
Water and Wastewater Systems
Communications
Government Facilities
Critical Manufacturing
Healthcare and Public Health
[1] GAO Report, Critical Infrastructure Protection: Sector Plans and Sector Councils Continue to Evolve. July 2007, http://www.gao.gov/assets/100/95010.pdf
8. Helping the CISO respond to Cyber Security: Closing Critical IT Security Gaps
10. IBM Security Systems
CISO Challenge: Competing priorities
14% increase in Web application vulnerabilities from 2011 to 2012
83% of enterprises have difficulty filling security roles
Common Vulnerabilities and Exposures
Increase in compliance mandates
11. IBM Security Systems
CISO Challenge: Inadequate tools
85 tools from 45 vendors
Only 1 out of 45 malware samples detected
12. IBM Security Systems
CISO Challenge: Business pressures
75%+ of organizations are using at least one cloud platform
70% of CISOs are concerned about Cloud and mobile security
13. IBM Security Systems
CISO Challenge: Evolving Threats
INTERNAL
43% of C-level execs say that negligent insiders are their biggest concern
EXTERNAL
59% increase in critical web browser vulnerabilities
PAYOFFS
$78M stolen from bank accounts in Operation High Roller
14. IBM Security Systems
Q: Have you had an attack that was difficult to detect?
A: 45% Yes + 21% Don’t know
66% Don’t have visibility needed to stop advanced attacks
Why is this happening?
• Not collecting right security data
• Don’t have context
• Don’t have baseline for normal
• Lack vulnerability awareness
19. IBM Security Systems
USERS
Focus on users, not devices
Implement identity intelligence
Pay special attention to trusted insiders
60,000 employees
Provisioning took up to 2 weeks
No monitoring of privileged users
Privileged Identity Management
Monitoring and same-day de-provisioning for 100+ privileged users
20. IBM Security Systems
ASSETS
Discover critical business data
Harden and secure repositories
Monitor and prevent unauthorized access
Thousands of databases containing HR, ERP, credit card, and other PII in a world where 98% of breaches hit databases
Database Access and Monitoring
Secured 2,000 critical databases
Saved $21M in compliance costs
21. IBM Security Systems
TRANSACTIONS
Identify most critical transactions
Monitor sessions, users, and devices
Look for anomalies and attacks
30 Million customers in an industry where
$3.4B industry losses from online fraud
85% of breaches go undetected
Advanced Fraud Protection
Zero instances of fraud occurred on over 1 million customer endpoints
23. IBM Security Systems
ANALYTICS
Don’t rely on signature detection
Use baselines and reputation
Fully inspect content and communications
Identify entire classes of Mutated threats by analyzing 250+ protocols and file types
Pattern matching
Context, clustering, baselining, machine learning, and heuristics
24. IBM Security Systems
VISIBILITY
Get full coverage, No more blind spots
Reduce and prioritize alerts
Produce detailed activity reports
Reduce 2 Million logs and events per day to 25 high priority offenses
25. IBM Security Systems
INTEGRATION
Eliminate silos and point solutions
Build upon a common platform
Share information between controls
Monitor threats across 8 Million subscribers with an integrated Platform
Siloed Point Products
Integrated Platforms
26. IBM Security Systems
IBM Security Framework
Intelligence
Integration
Expertise
Professional, Managed, and Cloud Services
29. Thank you.
For more information, you can contact:
Paul Avallone – pavallone@deloitte.com
Charlie Kenney – Charles.kenney@us.ibm.com
30. This presentation contains general information only and is based on the experiences and
research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering
business, financial, investment, or other professional advice or services. This presentation is not
a substitute for such professional advice or services, nor should it be used as a basis for any
decision or action that may affect your business. Before making any decision or taking any action
that may affect your business, you should consult a qualified professional advisor. Deloitte, its
affiliates, and related entities shall not be responsible for any loss sustained by any person who
relies on this presentation.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of
member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description
of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed
description of the legal structure of Deloitte LLP and its subsidiaries.
Copyright © 2011 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited
Editor's notes
http://www.dhs.gov/critical-infrastructure-sectors
Homeland Security Presidential Directive (HSPD) 7 established a national policy for Federal departments and agencies to identify and prioritize U.S. critical infrastructure and key resources, and to protect them from terrorist attacks. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive supersedes Homeland Security Presidential Directive 7. PPD-21 identifies 16 critical infrastructure sectors.
Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water & Wastewater Systems.
Let’s take a look at the “CISO Landscape”
The role of the CISO is changing. It’s not just a technologist role. The CISO is just as likely to have an MBA as a degree in computer science. Building a team, forecasting, budgeting, understanding the regulatory environment, and managing to metrics all become factors. And the CISO has to be able to go in front of the board and explain the importance of security strategy and how it is aligned to the business strategy of the organization.
But… there are challenges…