Information security trends and concerns
JP Morgan Presentation on Information Security Trends and Concerns by John Napier, PMP, CSM of Ronin Consulting

Published in: Technology

Transcript

  • 1. Information Security: Trends and Concerns
    • Dealing with Change and Facing Reality
    • Ronin Consulting, John Napier, June 2009
  • 2. Major Trends 2009-2010
    • Increasingly complex regulatory environment
    • Increased focus of attacks on specific targets
    • Mass accumulation of system access
    • Increased threats to privacy and reputational risk
    • The “extended enterprise” and cloud computing
    • The evolution of “security” into risk management
  • 3. Major Trends 2009-2010
    • Increasingly complex regulatory environment
    • Increased focus of attacks on specific targets
    • Increased threats to privacy and reputational risk
    • Mass accumulation of system access
    • The “extended enterprise” and cloud computing
    • The evolution of “security” into risk management
    • …And a rapidly changing market and financial landscape
  • 4. A dose of reality
    • Financial realities have changed
    • Increasing push to rationalize IT spend
    • [Chart: two-axis plot covering 2005–2009; series labels are not recoverable from the transcript]
    • How to balance the need to reduce risk with the need to be fiscally responsible?
      ◦ In good times as well as in bad
  • 5. Driving Productivity in IT Security
    • Get more efficient with operations
      ◦ Zero-based budgeting
      ◦ Automate and streamline the commodities
      ◦ “Fix the plumbing” – eliminate variance
    • Prioritize risk investments
      ◦ Focus on risk reduction and achievability
    • Leverage a small set of meaningful metrics
  • 6. Areas of Focus for 2009-2010 (Risk Area → Major Initiative)
    • Regulatory Complexity → Automated Compliance
    • Attack focus and sophistication → Change in Protection Models
    • Privacy & Reputational Risk → Data Management and Risk Avoidance
    • Access accumulation → Automation & Role-based Access
    • The “Extended Enterprise” → “Virtual Desktop” and Data-centric security models
    • Evolution of Security into Risk Management → Risk prioritization model & better use of metrics
  • 7. #1: Increased regulatory complexity
    • The past few years have seen an increase in regulations and compliance requirements:
      ◦ Gramm-Leach-Bliley compliance
      ◦ FFIEC Guidance on Authentication
      ◦ Interagency White Paper
      ◦ Breach notification statutes
      ◦ PCI Compliance
      ◦ Sarbanes-Oxley
      ◦ Pending legislation
    • This has required more rigor of existing programs
  • 8. #1: Increasing regulatory complexity (cont’d)
    • Moving from manual to “continuous assessment”, automating where possible
    • [Diagram; labels: Business Initiatives, Assessable Entities, Risk Score, Controls, Tools]
  • 9. #1: Increasing regulatory complexity (cont’d)
    • [Diagram of the assessment model; recoverable labels: Assessable Entities; Policies & Standards; LOB-specific process & analysis; Controls; Impact, Likelihood (Probability), Vulnerabilities, Threats, Risk; per-LoB Compliance and Non-Compliance Scorecards rating each IT control 1–5 (grouped as “1 or 2”, “3”, “4 or 5”); Aggregated Compliance and Non-Compliance Scorecard of Firmwide IT Controls by Entity; Common Firmwide Controls & Processes]
    • Data can be presented by entity or control
  • 10. #2: Increased focus of attacks
    • [Chart; axes: Breadth of impact, Damage; items plotted: Worms, Viruses, Phishing & Pharming, Spearphishing & Malware; date ranges shown: 1990–present, 2000–present, 2003–present, 2006–present]
  • 11. #2: Increased focus of attacks (cont’d)
    • [Chart; labels: Web defacement, denial of service; Simple exploits; Botnets; Hacktivism; Profiteers; Espionage; “Designer Malware”; Data exfiltration; Innovation, Efficiency to combat commoditization]
  • 12. #2: Increased focus of attacks (cont’d)
    • We see an interesting dichotomy:
      ◦ Widespread exploitation of old vulnerabilities
      ◦ Microdistribution of sophisticated, targeted malware
    • So, we need to adapt our protection models:
      ◦ Incessant, rigorous follow-up on baseline protection
      ◦ Blacklisting vs. whitelisting – does either one really work?
      ◦ Better visibility: cross-device correlation of security events
  • 13. #3: Privacy and Reputational Risk
    • Data Protection Initiative
      ◦ Cover all data, initial focus on PII
      ◦ Balance reduction in risk and achievability
      ◦ Slow down the velocity of leakage of confidential data
      ◦ Combination of awareness, technology, and process controls
    • Areas of Focus
      ◦ When data leaves the firm
      ◦ When data is on portable media
      ◦ When data is widely available
  • 14. #3: Privacy and Reputational Risk (cont’d)
    • Prioritize efforts based on reducing potential “velocity” of data leakage
    • Migration to tapeless backup
      ◦ Core-to-Bunker, Remote-to-Core
    • Controls on portable devices
      ◦ Laptop encryption
      ◦ Removable media controls
    • Filtering of Personally Identifiable Information (PII)
      ◦ Email, FTP, HTTP filtering at gateways
      ◦ Discovery of PII on fileshares
      ◦ Application PII remediation
  • 15. #4: Identity & Access Management
    • Many incidents and most SOX findings are driven by access issues
      ◦ Privileged access
      ◦ Access certification
      ◦ Offboarding / Transfers
    • Significant employee impact
      ◦ Onboarding
      ◦ General provisioning
    • Complicated and not well understood
      ◦ Exponentially complex in large organizations
  • 16. #4: Identity & Access Management (cont’d)
    • [Diagram comparing access request models; labels: Role Level Access Request; Component Level Access Request With Links To Automation; Rule Driven Access (No Request Required); Component Level Access Request; axes: Auditability, Ease of Use (Low–High), Scalability, Cost Saving (Low–High)]
  • 17. #5: The extended enterprise
    • Companies have become hopelessly “entangled”
      ◦ “Deperimeterization” of the corporate network
      ◦ The rise of “Cloud Computing”
    • Third-party dependencies abound
      ◦ Most firms have Service Provider assessment programs
      ◦ What happens when you leave?
    • Cloud Providers: XaaS
      ◦ Software-as-a-Service (SaaS) is mainstream
      ◦ Platform-as-a-Service and Infrastructure-as-a-Service
      ◦ On-demand computing will be the norm
  • 18. #5: The extended enterprise (cont’d)
    • “Anywhere Access”
      ◦ Increasingly mobile workforce
      ◦ Don’t assume a Windows-based PC
      ◦ Desktop virtualization is increasingly prevalent
      ◦ Access from non-corporate PCs?
    • Re-evaluate “network-centric” security
      ◦ How to address the “outside insider”
      ◦ Need to migrate to application- and data-centric views
      ◦ Data obfuscation and DLP solutions
      ◦ Digital Rights Management (DRM): ready for prime time?
  • 19. #6: The evolution of “security” into Risk Management
    • “You want a valve that doesn’t leak, and you do everything possible to try to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.” – Arthur Rudolph, creator of the Saturn V rocket
  • 20. #6: Evolution of “security” into risk management
    • Achievability / Impact Quadrant (ILLUSTRATIVE ONLY)
      ◦ How do you quantify the risk associated with an exposure?
      ◦ How do you measure the impact of risk mitigation initiatives?
    • [Quadrant chart; axes: Risk Reduction (Low–High) and Achievability (Low–High); initiatives plotted: Data Privacy, Vulnerability Management, Privileged Access Control (App), Infrastructure Logical Access Solutions, Privileged Access Control (Infra.), Environment Separation, Monitoring Service (Internal), Encryption, Application Development, Secure Perimeter Infrastructure, Infrastructure Secure Builds, ID Recertification (Platform), Change Event Management, Virus Management, Monitoring Service (Perimeter), ID Recertification (Application), Source Code Management, Remote Computing, ID Admin Tools & Processes, OSP Review, Infrastructure Monitoring Solutions, Awareness, Information Owner Identification]
  • 21. The challenge ahead
    • IT security has “grown up” – seat at the table
    • Must apply traditional IT management rigor in order to be given the chance to succeed at executing strategy
    • Continue to evolve our protection measures to keep up with the evolution of the threat
    • Put evergreen processes and systems in place to ensure completeness and consistency of controls
    • Need to develop models to make intelligent, fact-based decisions about risk prioritization and capital allocation
    • “If you don’t like change, you’ll like irrelevance even less” — Tom Peters
  • 22. Thank You from Ronin Consulting, LLC. Q&A
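Slide 9's compliance scorecard model, as an added Python example (not code from the deck or from Ronin Consulting): each line of business rates its IT controls on the 1–5 scale the slide shows, and the result is pivoted by entity or by control, as the slide says the data can be presented. The sample ratings, the band cut-offs (1–2 compliant, 3 partial, 4–5 non-compliant), the impact × likelihood form of the risk score and taking the worst rating as the firmwide aggregate are all assumptions; the slide only names the factors and groupings.

```python
from collections import defaultdict

# Constructed sample ratings: line of business -> IT control -> rating (1 best, 5 worst).
# Band cut-offs are an assumption following the "1 or 2", "3", "4 or 5" groupings on slide 9.
RATINGS = {
    "LoB #1": {"Control #1": 1, "Control #2": 3, "Control #3": 2, "Control #4": 4, "Control #5": 1},
    "LoB #2": {"Control #1": 2, "Control #2": 1, "Control #3": 3, "Control #4": 5, "Control #5": 2},
    "LoB #3": {"Control #1": 1, "Control #2": 2, "Control #3": 1, "Control #4": 2, "Control #5": 3},
}

def band(rating):
    """Map a 1-5 control rating to its compliance band; reject values off the scale."""
    if not 1 <= rating <= 5:
        raise ValueError(f"rating out of range: {rating}")
    if rating <= 2:
        return "compliant"
    return "partial" if rating == 3 else "non-compliant"

def risk_score(impact, likelihood):
    """Risk = impact x likelihood on 1-5 scales (assumed product form; the slide names the factors only)."""
    for v in (impact, likelihood):
        if not 1 <= v <= 5:
            raise ValueError(f"scale value out of range: {v}")
    return impact * likelihood

def scorecard_by_entity(ratings):
    """Per-LoB scorecard: how many controls fall in each band, plus the worst rating."""
    card = {}
    for lob, controls in ratings.items():
        counts = defaultdict(int)
        for r in controls.values():
            counts[band(r)] += 1
        card[lob] = {"counts": dict(counts), "worst": max(controls.values())}
    return card

def scorecard_by_control(ratings):
    """Firmwide view per control: worst rating across LoBs (assumed aggregation rule)
    and the LoBs that are non-compliant on that control."""
    card = {}
    controls = sorted({c for ctl in ratings.values() for c in ctl})
    for c in controls:
        per_lob = {lob: ctl[c] for lob, ctl in ratings.items() if c in ctl}
        card[c] = {
            "worst": max(per_lob.values()),
            "non_compliant": sorted(l for l, r in per_lob.items() if band(r) == "non-compliant"),
        }
    return card
```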
