IT Risk Management

Enterprises are dependent on IT and need to cross IT silos for consistent risk management


  1. IT Risk Management
     Information Security & Privacy Conference - Paris
     Christopher Muffat, 16 February 2012
     © SecRisk Consulting Ltd – Christopher Muffat 2012
  2. Agenda
     - Overview
       - Why Care About IT-related Risk?
       - IT Incidents: the Quiz (IT Happened!)
       - What's IT Risk?
       - How to manage it?
     - Threat & Incident Management
       - Insight 2011: Verizon Study
       - The Challenge: Visibility on complex IT Infrastructure
       - Internal Threat
       - External Threat
       - Fraud & Investigation
     - IT Risk Governance
       - IT Risk: the Technology Centric legacy
       - Integrating IT Risk within ERM
       - IT Risk Management: the Hidden Benefit
     - Questions?
  3. Overview: IT Risk Management
  4. Overview: Why Care About IT-related Risk?
     - Enterprises are dependent on IT
     - Need to cross IT silos of risk management
     - Important to integrate with existing levels of risk management practices
  5. Overview: Why Care About IT-related Risk?
     - An IT risk management program is crucial not only in managing the enterprise's exposure to risks, but also in improving overall business decision making.
     - Enterprises must periodically assess and continuously improve their risk management maturity levels.
  6. Overview: Getting visibility on IT Risk
  7. Overview: IT Risk Management: What? Visibility on IT Risk
     - The domain of IT Risk can be visually represented as 4 intersecting landscapes: Threat, Asset, Impact and Control.
     - The organization's capability to understand and manage risk requires information from each landscape.
     - Security metrics, then, should create knowledge that improves management's capability to make decisions and execute on them.
  8. Overview: IT Risk Management: What? Visibility on IT Risk
     (Diagram of the four landscapes)
     - Business Impact: Operational, Legal, Reputation
     - IT Control: Preventative, Detective, Limitative
     - Asset Landscape: Information, IT Infrastructure, Business Processes
     - IT Threat: Compromising Integrity; Confidentiality (involving Data Breach); Availability (Disruption of IT Services)
  9. Overview: IT Risk Management: How? 3 Essential Activities
     - Risk Governance
       - Responsibility and accountability for risk
       - Risk appetite and tolerance
       - Awareness and communication
       - Risk culture
     - Risk Evaluation
       - Risk scenarios
       - Business impact descriptions
     - Risk Response
       - Key risk indicators (KRIs)
       - Risk response definition and prioritization
  10. Overview: IT Risk Management: How? Standards and Frameworks
     - Types of Standards and Frameworks available:
       - Enterprise risk management oriented
       - IT Security oriented
       - Hybrid: Risk IT (ISACA)
  11. Overview: IT Risk Management: How? e-GRC: From tactical to strategic tool
     - The e-GRC platform market has expanded from a tactical focus on regulatory compliance to a strategic focus on enterprise risk management.
     - Many vendors are looking toward the next market phase, which includes adding or integrating with business performance management and scorecarding capabilities.
     Source: Gartner
  12. Overview: IT Risk Incident: The QUIZ
  13. Overview: IT Risk Management: IT Happened: Rogue & Unauthorized Trading
     - 2011: A rogue trader caused an estimated loss of €2 billion, stunning a beleaguered banking industry that has proven vulnerable to unauthorized trades.
       - Financial Loss: €2 billion
       - Reputation impact: *****
     - 2008: The trading loss incident for breach of trust, forgery and unauthorized use of the bank's computers.
       - Financial Loss: €5 billion
       - Reputation impact: *****
  14. Overview: IT Risk Management: IT Happened: Data leakage
     - 2010: A worldwide electronics leader had to interrupt its gaming network for 23 days due to hacking acts, with data leakage of 100 million client accounts and 58 claims.
       - Financial Loss: €130 M
       - Reputation impact: *****
     - 2008: Failing to properly manage the risks associated with the security of customer information, in the context of an outsourcing program in South Africa.
       - Financial Loss: €2 M (FSA Fine)
       - Reputation impact: **
  15. Overview: IT Risk Management: IT Happened: Information System Failure
     - 2010: One of Singapore's largest banks suffered a major IT system crash affecting the bank's commercial and consumer banking systems. The bank was blamed by the Monetary Authority of Singapore (MAS) for insufficient oversight of the maintenance, functional and operational practices and controls employed by its provider IBM.
       - Financial Loss: €135 M
       - Reputation impact: ***
     - 2010: The Industrial Average of one of the G8 countries plunged about 1000 points (around 9%), only to recover the flash crash losses within minutes, due to unusual selling of E-Mini S&P 500 contracts and high-frequency trades.
       - Financial Loss: US stock market Flash Crash
       - Reputation impact: n/a
  16. Overview: IT Risk Management: IT Happened: Data theft and Insider threat
     - 2009: Personal details of 24000 Private Bank clients were stolen and given to the French tax authorities by Herve Falciani, an IT specialist. FINMA reprimanded the bank for deficiencies in its internal organization and IT controls.
       - Financial Loss: Unknown
       - Reputation impact: *****
     - 2008: One of the largest worldwide banks lost a CD containing 180'000 customers' information and was fined by the FSA more than £3m for failing to adequately protect confidential details from being lost or stolen. Lack of training and lack of IT security (no data encryption) were highlighted as the main issues.
       - Financial Loss: €3,5 M (FSA Fine)
       - Reputation impact: ****
  17. Threat & Incident Management: The Challenge: Visibility and Traceability
  18. Threat & Incident Management: The Challenge: Visibility and Traceability
     - IT threats' visibility and traceability challenge IT Risk and IT Security professionals because of complex IT environments and evolved attacks.
     - Understanding how workstations, servers, networks and applications are used, and having a consolidated view and dashboard of the overall IT Risk posture, is not an out-of-the-box tool.
     - Knowing the threats and risks to the infrastructure requires detailed, structured and/or correlated Information System logs.
     - Business-critical visibility into specific behaviors by end users, for effective remediation by your security and operations teams, is mandatory to ensure a reliable incident management service.
  19. Threat & Incident Management: The Challenge: Visibility and Traceability on Threats
     - The different types of tools:
       - External Threat: Firewall; Intrusion Prevention System (IPS)
       - Internal Threat: Antivirus; DLP; Desktop monitoring (Nexthink)
       - Incident: Fraud & Investigation: SIEM; Forensics (EnCase)
  20. Threat & Incident Management: Technical Solution
  21. Threat & Incident Management: External Threat: Enterprise Network Firewall
     - The enterprise network firewall market is one of the largest and most mature security markets.
     - Network Firewall Leaders: Juniper Networks, Check Point Software, Cisco, McAfee, Fortinet, Palo Alto Networks
     - The enterprise network firewall market has entered an evolutionary period, as disruption is brought on by increasingly sophisticated and targeted threats, virtualization, and business process changes.
  22. Threat & Incident Management: External Threat: Network Intrusion Prevention System (IPS)
     - Network intrusion prevention systems (IPSs) can detect and block attacks, and can act as pre-patch shields for systems and applications. IPSs include intrusion detection as a subset of their capabilities, and have long since eclipsed the detection-only market.
     - Network IPS Leaders: TippingPoint, McAfee, Sourcefire, Cisco, Juniper Networks
     - The network IPS market continues to mature and evolve, and has become a due-diligence safeguard. Evolving threats mean that vendors that stand still risk becoming irrelevant.
  23. Threat & Incident Management: Internal Threat: Malware
     - Malware effectiveness continues to accelerate, while vendors are busy polishing increasingly ineffective solutions and doing little to fundamentally reduce the attack surface and protect users.
     - Antivirus Leaders: Symantec, McAfee, Trend Micro
     - Vendors have shown little movement over the past couple of years. Malware detection accuracy has not improved significantly, while malware is improving in efficiency and volume.
  24. Threat & Incident Management: Internal Threat: Data Loss Prevention (DLP)
     - The Data Loss Prevention market has gone through a significant shift. Vendor consolidation has slowed, and the market has bifurcated into "high-end" enterprise capabilities and "low-end" channel capabilities, offering more choices to organizations of all sizes and needs.
     - DLP Leaders: Symantec, McAfee, Websense, RSA
     - A DLP strategy should address the fundamental question: will channel DLP be sufficient to address the sensitive data requirement?
  25. Threat & Incident Management: Fraud & Investigation: Security Information and Event Management (SIEM)
     - Broad adoption of SIEM technology is driven by both security and compliance needs. Targeted attack discovery requires effective monitoring of user activity, data access and application activity.
     - SIEM Leaders: HP/ArcSight, RSA enVision, Q1 Labs, Symantec, LogLogic
     - SIM, Security Information Management: log management and compliance reporting.
     - SEM, Security Event Management: real-time monitoring and incident management for security-related events from network and security devices, systems and applications.
     - SIEM provides a mix of compliance and threat management capabilities but remains difficult to implement within a complex IT environment.
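The SIEM slide above, together with slide 18 (correlated logs as the basis for visibility) and slide 9 (key risk indicators), describe a pipeline without showing one. The following is an added example written for this page, not code from the presentation or from any of the vendors it lists. It assumes a constructed syslog-like format and three constructed event types (firewall DENY, authentication LOGIN_FAIL/LOGIN_OK, DLP_BLOCK); the thresholds, time windows, category names and severity numbers are illustrative choices, not a standard. It walks the SIM/SEM split the slide draws: parse and structure the raw lines, correlate them across tools into a handful of prioritised incidents (the SEM side), then roll those up into per-category counts of the kind a KRI dashboard would plot (the SIM side).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the presentation): a firewall, an
# authentication service and a DLP agent, all in one syslog-like format.
SAMPLE_LOGS = """\
2012-02-16T09:00:05 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2012-02-16T09:00:09 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2012-02-16T09:00:12 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2012-02-16T09:01:00 auth01 LOGIN_FAIL user=jdoe src=10.0.0.42
2012-02-16T09:01:20 auth01 LOGIN_FAIL user=jdoe src=10.0.0.42
2012-02-16T09:01:40 auth01 LOGIN_FAIL user=jdoe src=10.0.0.42
2012-02-16T09:02:10 auth01 LOGIN_OK user=jdoe src=10.0.0.42
2012-02-16T09:15:00 dlp01 DLP_BLOCK user=jdoe file=clients.xlsx channel=usb
2012-02-16T11:30:00 auth01 LOGIN_FAIL user=asmith src=10.0.0.77
2012-02-16T11:45:00 auth01 LOGIN_OK user=asmith src=10.0.0.77
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_logs(text):
    """Structure raw lines into dicts: ts, host, event plus the key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than guessed at
        ts, host, event, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields.update(ts=datetime.fromisoformat(ts), host=host, event=event)
        events.append(fields)
    return events


def burst_incidents(events, event_name, key_fields, threshold, window, category):
    """Flag `threshold` events of one type sharing key_fields inside a sliding `window`."""
    groups = defaultdict(list)
    for e in events:
        if e["event"] == event_name:
            groups[tuple(e[k] for k in key_fields)].append(e["ts"])
    incidents = []
    for key, times in groups.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                incidents.append({"category": category, "key": key, "severity": 2,
                                  "first": times[i], "last": times[i + threshold - 1]})
                break  # one incident per group, not one alert per extra event
    return incidents


def correlate(events):
    """SEM side: reduce the raw stream to a short, prioritised incident list."""
    incidents = burst_incidents(events, "DENY", ("src", "dst"), 3,
                                timedelta(seconds=60), "external_threat")
    logins = burst_incidents(events, "LOGIN_FAIL", ("user",), 3,
                             timedelta(minutes=5), "credential_attack")
    successes = [e for e in events if e["event"] == "LOGIN_OK"]
    for inc in logins:
        # A success shortly after a burst of failures is worse than the burst alone.
        if any(s["user"] == inc["key"][0]
               and timedelta(0) <= s["ts"] - inc["last"] <= timedelta(minutes=5)
               for s in successes):
            inc["category"], inc["severity"] = "credential_attack_success", 3
    incidents.extend(logins)
    for e in events:
        if e["event"] != "DLP_BLOCK":
            continue
        # Cross-tool correlation: a DLP block on an account that was just
        # brute-forced is a different incident from a routine policy block.
        related = any(i["key"][0] == e["user"]
                      and timedelta(0) <= e["ts"] - i["last"] <= timedelta(hours=1)
                      for i in logins)
        incidents.append({"category": "insider_data_leak_suspected" if related else "dlp_block",
                          "key": (e["user"],), "severity": 4 if related else 1,
                          "first": e["ts"], "last": e["ts"]})
    return incidents


def key_risk_indicators(incidents):
    """SIM side: incident counts per category, the raw material for a KRI dashboard."""
    kris = defaultdict(int)
    for inc in incidents:
        kris[inc["category"]] += 1
    return dict(kris)


if __name__ == "__main__":
    incs = correlate(parse_logs(SAMPLE_LOGS))
    for inc in sorted(incs, key=lambda i: -i["severity"]):
        print(inc["severity"], inc["category"], inc["key"], inc["first"].time())
    print(key_risk_indicators(incs))
```

On the constructed input the ten raw lines collapse to three incidents: one external probe against a host, one credential attack that ended in a successful login, and one DLP block that is escalated because the same account had just been attacked. The single failed login for the second user never becomes an incident, which is the point of thresholds and windows: the slide's "difficult to implement" warning is largely about tuning those values so that the consolidated view stays readable without hiding the cross-tool chains that matter.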
  26. Threat & Incident Management: Insight
  27. Threat & Incident Management: Insight 2011 (quiz: values hidden)
     - How do breaches occur?
       - XX% utilized some form of hacking
       - XX% incorporated malware
       - XX% involved physical attacks
       - XX% resulted from privilege misuse
       - XX% employed social tactics
     - Who is behind data breaches?
       - XX% stemmed from external agents
       - XX% implicated insiders
       - X% involved multiple parties
       - <X% resulted from business partners
     - What commonalities exist?
       - XX% of victims were targets of opportunity
       - XX% of attacks were not highly difficult
       - XX% of all data was compromised from servers
       - XX% were discovered by a third party
       - XX% of breaches were avoidable through simple or intermediate controls
     Source: Verizon 2011 Study
  28. Threat & Incident Management: Insight 2011
     - How do breaches occur?
       - 50% utilized some form of hacking
       - 49% incorporated malware
       - 29% involved physical attacks
       - 17% resulted from privilege misuse
       - 11% employed social tactics
     - Who is behind data breaches?
       - 92% stemmed from external agents
       - 17% implicated insiders
       - 9% involved multiple parties
       - <1% resulted from business partners
     - What commonalities exist?
       - 83% of victims were targets of opportunity
       - 92% of attacks were not highly difficult
       - 76% of all data was compromised from servers
       - 86% were discovered by a third party
       - 96% of breaches were avoidable through simple or intermediate controls
     Source: Verizon 2011 Study
  29. Governance: IT Risk Management
  30. IT Risk Governance: IT Risk: the Technology Centric legacy
     - The technology centric legacy brought IT Risk above the ITO (Chief Information Risk Officer), which does not allow an easy way to understand the business risk requirements.
     (Diagram: IT Operation Risk Management covering IT Risk, IT Security, Business Continuity, Operational Risk and Internal Control)
  31. IT Risk Governance: Integrating IT Risk within ERM
     - Good business security and risk management requires mature continuity management, compliance, identity and access management, information security management, privacy, and risk management practices.
  32. IT Risk Governance: Integrating IT Risk within ERM
     - Improvements in maturity across these 6 security and risk management domains mean moving beyond a technology-centric approach to one that takes into account the enterprise's business requirements and associated risks.
     (Diagram of the 6 domains: Risk Management, Information Security, Compliance, Privacy, Identity & Access Management, Business Continuity)
  33. IT Risk Governance: the Hidden Benefits
     - As maturity improves in IT Risk programs (based on the 6 security and risk areas), the risk posture of the organization also improves, leading to reduced costs and improved performance.
     - Reaching the highest level of program maturity may not be possible, but continuous process improvement to advance maturity levels is possible and necessary.
  34. IT Risk Management: Any Questions?
  35. Thanks
     Christopher Muffat, christopher.muffat(at)gmail.com
     LinkedIn: http://uk.linkedin.com/in/informationsecurityrisk
     Twitter: https://twitter.com/#!/TheDataBreach
