Security in Today's Business Environment - PowerPoint PPT Presentation

About This Presentation

Title: Security in Today's Business Environment

Description: ... in Today's Business Environment. Jim Tiller. CSO & Managing Vice President of Security Services ... Evolution of technology and business demands has ... – PowerPoint PPT presentation

Transcript and Presenter's Notes

1
Security in Today's Business Environment
2
Overview
  • Today's Business Climate
  • Threats and Vulnerabilities
  • Regulatory Landscape
  • Simplifying the Business of Security
  • Controlling Access
  • Managing People, Process & Technology
  • Aligning Security to Business Objectives

3
Today's Business Climate
  • Running a business in the 21st Century isn't easy!
  • Security regulations abound
  • 62% of companies spend more on compliance than protection
  • Evolution of technology and business demands has
    resulted in highly diverse environments
  • Managing increasing number of vulnerabilities in
    the face of sophisticated threats
  • Difficulties in aligning People, Process and
    Technology
  • Challenges in leveraging security knowledge and
    business process

Source: RedSiren
4
Three Simple Security Perspectives
  • The Unlawful (Vulnerability Sensitive)
    - Increasing sophistication
    - Unprecedented collaboration
    - Growing aggressiveness
    - Harmful impacts
  • The Law (Compliance Driven)
    - Increasing number of regulations
    - International impacts
    - Operational challenges
    - Lack of investment predictability
  • Security Posture (Risk Averse)
    - Segmentation of people, process, and technology
    - Poor visibility
    - Inability to determine effectiveness
    - Inability to align to business objectives

5
Security and Business Infrastructure
6
Diversity is a Double-Edged Blade
  • Value to the business
    - Provides foundation for best-of-breed solutions
    - Supports business initiatives
    - Allows for evolutionary investment strategies
    - Allows organizations to respond to market changes
  • But what does this mean to security?
    - Increased technical gaps
    - Leads to fragmented processes
    - Difficulty in gaining visibility
    - Complicates command and control
  • Security Nemeses
    - Inconsistency and Complexity
  • Result: Vulnerable Security Posture

7
More Malware, More Hackers
8
Exploiting Our Weakest Links
9
Where the Money is
10
Less Time
11
A Regulated Environment
  • Security regulations abound
    - HIPAA for HealthCare
    - GLBA & FFIEC for Financial
    - Sarbanes-Oxley for US public companies
    - CyberSecurity for Utilities
    - SB-1386 (AB-700)
    - Notification of Risk to Personal Data Act (NORPDA)
  • Multiple Privacy regulations
    - US, Canada, Japan, EU, and others
  • Industry reports suggest $80B over the next 5 years in compliance expenditures

Source: AMR Research
12
Current Status
  • Security's omnipresence challenges meaningful management in the light of business objectives
  • Security is segmented: process, risk, policy, technology
  • Focus is applied when demands surface, for example:
    - Firewalls & IDS were significant during the network attacks of the 90s
    - Today, regulations demand more emphasis on process and documentation
    - Meanwhile, increased sophistication and number of threats continue to challenge the IT environment
  • Result, regardless of vulnerability or regulation:
    - Security has become complex and painful
    - Misalignment between process and technology
    - Inability to bind security investments to larger business imperatives

13
CIO Worries
  • I worry about a hacker gaining access to our Oracle database and copying social security numbers
  • I worry about a converged network: if the network goes down you lose both voice and data, increasing the risk and worry
  • I worry about staff; I can't protect the network from internal sabotage, disgruntled network administrators, IT personnel, etc.
  • I worry about new computers being plugged into the network after they have been off net
  • I worry about the new wide range of handheld IP devices which people plug in at will from near and far-flung locations
  • I worry about employees working at home bridging networks via WLANs, opening up access to our network

Source: Nick Lippis, Trusted Networks Symposium
14
Cycle of Security Pain
  • Security investments based on FUD
  • Executives growing weary
    - Less talk, more revenue
  • Diminishing expectations of security investments
    - More money? What did you do with the last check?
  • Constant deluge of new security problems
  • Regulatory compliance challenges
  • Cultural challenges inside and outside IT

15
Information Security in Business Terms
  • What organizations really want from security
    - Simplicity: Simplified management and focus
    - Predictability: In systems and investments
    - Effectiveness: Does what it is supposed to for the business
  • Enablers
    - Visibility: In controls, industry, compliance, activity, events, and threat status
    - Alignment: People, process, and technology focused in the same direction
  • Results
    - Confidence: Make changes with a clear understanding of the impact to business operations, risk, and compliance
    - Efficiency: Leverage proven business processes and automation

16
Getting There
  • Technical / Tactical: Build Success Early
    - Vulnerability Management
    - Identity Management
  • Management: Organize and Architect
    - Information Security Management Framework
  • Technical / Strategic: Actionable Foundation
    - Integrated Security Operations Capability
    - Network Access Control
  • Business Management: Balanced Approach to the Business
    - Security Services Management

17
Vulnerability Management
  • Information driven
    - Internal status
    - Industry status
    - Events, warnings, etc.
  • Based on Data Acquisition and Employment
    - Collaboration Tools
    - Testing, validation, deployment
    - Comprehensive Reporting
  • Basic concept
    - Apply flexible business process to dynamics in technology
    - Integrate with multiple systems to drive automation
    - Support meaningful communication and collaboration

18
Vulnerability Mgt. Architecture
19
Identity Management
  • Combination of Technology and Processes
  • Comprehensive control over who has access to IT
    resources
  • Controls authorization and entitlement of
    resource use
  • A business solution, not simply a technical
    solution
  • Highly pervasive, highly effective

20
Business Enablement
21
Elements of Identity Management
  • Identity Consolidation and Synchronization
  • Credential Provisioning and Management
  • Delegation of Administration
  • Authentication and Access Management
  • Profile Management
  • Auditing and Monitoring
  • Single Sign-on
  • User self-service

22
Positive Business Impacts
  • Increased IT Operational Costs
    - Roughly 48% of help desk calls are password resets
    - User management consumes 5.25% of all IT productivity
    - Most user admin tasks (moves, adds, changes) take 10x longer than necessary
  • Additional security risks
    - Only 70% of users deleted on departure
    - New users provisioned to 16 apps; on departure deleted from 10

Source: Metagroup/PwC Survey
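The deprovisioning gap on this slide (users left in some applications after departure, or never known to HR at all) is exactly what an identity-reconciliation check catches. The script below is an added example, not code from the presentation: it compares a constructed HR roster against constructed per-application account lists, reports orphaned accounts, and computes the share of departed users who were fully removed.

```python
from datetime import date

# Constructed sample data: HR roster (user -> termination date, None = active)
# and the account lists each application reports. Not real users or systems.
HR = {"alice": None, "bob": date(2024, 3, 1), "carol": date(2024, 4, 15),
      "dave": None, "frank": date(2024, 1, 10)}
APP_ACCOUNTS = {"email": {"alice", "bob", "carol", "dave"},
                "crm": {"alice", "carol", "dave"},
                "vpn": {"alice", "bob", "dave"},
                "payroll": {"alice", "dave", "erin"}}   # erin is unknown to HR

def orphaned_accounts(hr, app_accounts):
    # Accounts that should no longer exist: the owner departed, or the owner
    # was never in the HR roster (a provisioning path HR does not see).
    findings = {}
    for app, users in app_accounts.items():
        for user in sorted(users):
            if user not in hr:
                findings.setdefault(app, {})[user] = "not in HR roster"
            elif hr[user] is not None:
                findings.setdefault(app, {})[user] = "terminated " + hr[user].isoformat()
    return findings

def departure_cleanup_rate(hr, app_accounts):
    # Share of departed users removed from every application, plus how many
    # accounts each departed user still holds (the provisioned-vs-deleted gap).
    departed = [u for u, term in hr.items() if term is not None]
    remaining = {u: sum(u in users for users in app_accounts.values()) for u in departed}
    fully_removed = sum(1 for n in remaining.values() if n == 0)
    pct = round(100 * fully_removed / len(departed), 1) if departed else 100.0
    return pct, remaining

if __name__ == "__main__":
    for app, users in orphaned_accounts(HR, APP_ACCOUNTS).items():
        for user, reason in users.items():
            print(f"{app}: {user} ({reason})")
    print("departed users fully deprovisioned: %.1f%%" % departure_cleanup_rate(HR, APP_ACCOUNTS)[0])
```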
23
Security Policy Challenges
  • Security Policies
    - Controls: People, Process, and Technology security requirements
    - Management: The on-going capability to organize, maintain, and distribute
    - Enforcement: The ability to ensure policies are being followed by people and technology
    - Feedback Loop: Learning from the application of the policies
  • Challenges in Policy
    - Misalignment of policy to technology
    - Diversity complicates comprehensive security management
    - Difficult to manage people and processes consistently

24
Information Security Management Gap
25
Information Security Management Framework
  • Information Security Management System
    - Supports the Information Security Program by the identification, selection, and deployment of controls in order to mitigate information security risk
  • Security Service Orientation
  • Controls Optimization
    - Logical Controls
    - Organizational Controls
    - Technical Controls
  • Process Management
    - Governance Processes
    - Reporting and Validation

26
Framework Characteristics
  • Policy: A high-level, implementation-neutral, conceptual goal that addresses who and what
  • Program: Supports policy by managing multiple plans
  • Plan: Supports program by defining activities or projects
  • Standard: Supports policy goals, AND implements procedural vision by defining requirements that can be implemented and measured. Standards offer implementation detail and therefore should be protected
  • Process: Supports standards by presenting methodology to meet requirements
  • Procedure: Supports process by offering reliable, repeatable technique for predictable outcome
  • Specifications: Supports standards by defining specific criteria that control devices must meet in order to be considered for use
  • Guidelines: Supports standards by best-practice advice on how to meet requirements

27
ISMF Visualization
28
Deeper Look
  • Define control areas horizontally
  • Define security services vertically
  • Intersection is
    - Roles & Responsibilities
    - Policies and processes
    - Standards
    - Metrics

29
Driving Relationships
  • Quality and Reporting will expose operational
    efficiencies and actionable patterns
  • This is especially true for Incident Management

30
Obscurity to Operational
  • The framework provides the policy structure
    - Defines security goals
    - Defines controls
    - Defines management
  • Framework's Achilles Heel
    - Technical enforcement
    - Comprehensive feedback loop
  • Information systems need alignment
    - Systems do not speak security natively to one another
    - People: Security managers cannot effectively access information
  • Options
    - Integrated Security Operations
    - Network Access Control

31
Integrated Security Operations Center
  • Currently seeing significant trends in this area
    - Companies are leveraging their NOC investment to support security objectives
  • There are several definitions for integration
    - Should practice separation of duties
    - Leverage existing infrastructure
    - Alignment of tools, e.g. ticketing systems linked to incident response, and asset and change control linked to patch management
  • Challenge areas
    - Culture: Whose problem? Who fixes it? Who pays for it?
    - Process: When does security take the initiative?
    - Technology: What tools do I have that I can leverage? How can I work security into my product management lifecycle?

32
Integrated Security Operations Center
33
ISOC Business Value
  • Proactive problem identification and response, reducing the cost and impact of threats
    - Faster response
    - Faster recovery
  • Potentially a cost-effective alternative to outsourcing
  • Opportunities for efficiencies through automation, workflow improvement, centralized enterprise intelligence
  • Significant security advantages
    - Visibility
    - Command and Control
  • Potential problems
    - Do you have the skills necessary?
    - What phase is your NOC in?

34
Network Access/Admission Control (NAC)
  • Cisco started the flood
    - 48 vendors participating in the group
  • Represents a rebirth of the network's role in security
    - Leverages the network for what it can really accomplish
    - Network touches everything
    - Enabler for threats, enabler for business defense
  • Intelligent networking
    - Provides conduit for upper-layer security services
    - Binds security policy to network capability
    - Investigates systems, services, applications, and users prior to association
    - Isolates potential threats
    - Establishes an Expectation Envelope

35
Next Big Step
  • Vulnerability management reduces exposure
  • Identity management offers flexibility and security
  • ISOC increases visibility, command and control
  • Advances in network security offer proactive controls
  • Result: Proactive, Focused, Compliant, Measurable
    - Utilizing metrics for long-term security management
  • It's Here, Start now
    - NIST SP 800-55
    - Security Working Group (Gov. Reform Committee, US House of Rep., 1/2005) (43 pages of Security Metrics)
    - Report of the Best Practices and Metrics Team
    - http://reform.house.gov/TIPRC/

36
Security Services Management
  • Service Measurement alignment to the business
  • Metrics Strategy
    - Defines the layer between business initiatives and services
    - Defines optimal level: too much or too little can be a bad thing
  • Reporting
  • Metrics Alignment
    - Business owners and industry specifics
    - Governance and approval
  • Key Performance Indicators
    - What's being measured

37
Metrics Example
  • Vulnerability to System Ratio (Tech)
    - Understanding the pervasiveness of known vulnerabilities
    - Number of Vulnerabilities
    - Criticality level
    - Affected system/data classification and role
  • Patch Rate (Tech & Proc)
    - Managing the window of vulnerability: test, deployment, verify
    - Number of patches available, pipeline, tested
    - Percentage of deployment
    - Percentage validated
  • People & Process CMM (PP)
    - Understanding the level of maturity and effectiveness of management practices
    - Localized control management
    - Completeness of control processes documentation
    - Process interaction
  • Compliance Rate (Tech)
    - Feedback from the technical infrastructure on the adoption of policies
    - Percentage of policies obtained
    - Percentage in compliance
    - Percentage validated
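The three technical metrics on this slide are easy to state but only useful once they are computed consistently from inventory, scanner and patch-tracking data. The script below is an added example, not code from the presentation: it computes Vulnerability to System Ratio, Patch Rate and Compliance Rate over small constructed data sets (no real hosts, vulnerabilities, patches or policies), using the breakdowns the slide lists.

```python
from collections import Counter

# Constructed sample data (not real hosts, vulnerabilities or patches).
SYSTEMS = {"db01": "critical", "web01": "high", "web02": "high",
           "hr-app": "critical", "kiosk": "low"}   # system -> data classification
VULNS = [("db01", "V-1", "high"), ("db01", "V-2", "medium"),   # (system, vuln id, criticality)
         ("web01", "V-1", "high"), ("web02", "V-1", "high"),
         ("hr-app", "V-3", "critical"), ("kiosk", "V-4", "low")]
# patch id -> {system: stage}; stage is pipeline, tested, deployed or validated
PATCHES = {"P-1": {"db01": "validated", "web01": "deployed", "web02": "tested"},
           "P-3": {"hr-app": "pipeline"}, "P-4": {"kiosk": "validated"}}
# policy id -> {system: (status obtained, compliant, validated)}
POLICIES = {"pwd-policy": {"db01": (True, True, True), "web01": (True, False, False),
                           "kiosk": (False, False, False)},
            "logging": {"db01": (True, True, False), "hr-app": (True, True, True)}}

def vulnerability_to_system_ratio(vulns, systems):
    # Pervasiveness of known vulnerabilities: count per system, plus the
    # breakdown by criticality and by the classification of the affected system.
    return {"ratio": round(len(vulns) / len(systems), 2),
            "by_criticality": dict(Counter(c for _, _, c in vulns)),
            "by_classification": dict(Counter(systems[s] for s, _, _ in vulns))}

def patch_rate(patches):
    # Window of vulnerability: where each applicable (patch, system) pair sits
    # in the test -> deploy -> verify pipeline.
    stages = [st for targets in patches.values() for st in targets.values()]
    deployed = sum(st in ("deployed", "validated") for st in stages)
    return {"available": len(patches), "pipeline": stages.count("pipeline"),
            "tested": stages.count("tested"),
            "pct_deployed": round(100 * deployed / len(stages), 1),
            "pct_validated": round(100 * stages.count("validated") / len(stages), 1)}

def compliance_rate(policies):
    # Feedback from the infrastructure on policy adoption. Compliance is
    # measured only over the pairs whose status was actually obtained.
    rows = [r for targets in policies.values() for r in targets.values()]
    obtained = sum(o for o, _, _ in rows)
    compliant = sum(c for _, c, _ in rows)
    validated = sum(v for _, _, v in rows)
    return {"pct_obtained": round(100 * obtained / len(rows), 1),
            "pct_compliant": round(100 * compliant / obtained, 1) if obtained else 0.0,
            "pct_validated": round(100 * validated / len(rows), 1)}

if __name__ == "__main__":
    print(vulnerability_to_system_ratio(VULNS, SYSTEMS))
    print(patch_rate(PATCHES))
    print(compliance_rate(POLICIES))
```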

38
Balanced Perspective
39
Bringing it Together
40
Supporting the Business
Business Aware Security
41
Thank You!
jim.tiller@ins.com
www.INS.com
(ISC)2 Journal: www.infosectoday.com