Breaking Down the Cyber Security Framework: Closing Critical IT Security Gaps
 


Cyber crime is pervasive and here to stay. Whether you work in the public sector or the private sector, are the CEO of a Fortune 500 company, or are trying to sustain an SMB, everyone is under attack. This February, President Obama issued an executive order aimed at protecting critical business and government infrastructure, because the scale and sophistication of IT security threats have grown at an explosive rate. Organizations and government agencies have to contend with industrialized attacks, which, in some cases, rival the size and sophistication of the largest legitimate computing efforts. In addition, they have to guard against a more focused adversary with the resources and capabilities to target highly sensitive information, often through long-term attack campaigns. Many security executives are struggling to answer questions about the most effective approach.

  • http://www.dhs.gov/critical-infrastructure-sectors
    Homeland Security Presidential Directive (HSPD) 7 established a national policy for Federal departments and agencies to identify and prioritize U.S. critical infrastructure and key resources, and to protect them from terrorist attacks. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive supersedes Homeland Security Presidential Directive 7. PPD-21 identifies 16 critical infrastructure sectors:
    Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.
  • Let’s take a look at the “CISO Landscape”.
    The role of the CISO is changing. It’s not just a technologist role. The CISO is just as likely to have an MBA as a degree in computer science. Building a team, forecasting, budgeting, understanding the regulatory environment, and managing to metrics all become factors. And the CISO has to be able to go in front of the board and explain the importance of security strategy and how it is aligned to the business strategy of the organization.
    But… there are challenges…

Presentation Transcript

  • IBM & Deloitte Joint Webinar. Breaking Down the Cyber Security Framework: Closing Critical IT Security Gaps. Oct 22, 2013. © 2013 IBM Corporation
  • IBM Security Systems. IBM & Deloitte Joint Webinar. Speakers:
    Harry D. Raduege, Jr., Lt. General (USAF, Ret), Chairman, Deloitte Center for Cyber Innovation. Topic of discussion: Breaking down the Cyber Security Framework
    Tom Turner, VP, Marketing & Business Development, IBM Security Division. Topic of discussion: Closing Critical IT Security Gaps
  • Breaking Down the Cyber Security Framework
  • Cyber – A phenomenon that changed the world: Cyberspace, Cyber Attack, Cyber Insurance, Cyber War, Cyberattack, Cyber-Alert, Cyber Bullying, Cyber crime, Cyber-ethics, Cyber FININT, Cyberpower, Cybersecurity, Cyber-Commerce, Cyber Law, Cyber Espionage, Cyber Communication. Copyright © 2013 Deloitte Development LLC. All rights reserved.
  • The world of cybersecurity
    Threats: Identity theft; Information manipulation (e.g., malware); Cyber assaults/bullying; Advanced Persistent Threats (APTs); Information theft; Crime (e.g., credit card fraud); Insider; Espionage; Cyber attack; Transnational; Attack of software “boomerangs”; Terrorism
    Targets: Government (Federal, State, and Local), e.g., E-Government, E-Commerce; Industry, e.g., Aerospace & Defense, Banking & finance, Health care, Insurance, Manufacturing, Oil & Gas, Power Grid, Retail, Telecommunications, Utilities; Universities/Colleges; Individuals
    Counters: Cyber workforce; Advanced network and resilience controls; Outbound traffic monitoring; Dynamic situational awareness; Open source information; Risk intelligence & management (forensic analysis, data analytics); Financial intelligence (FININT); Tighter laws & enforcement; Expanded diplomacy; Legislation?
    You should assume that your information network has been or will be compromised.
  • Cybersecurity – Key points and impacts of the U.S. President’s Executive Order (February 2013)
    Information Sharing: Opens up information-sharing program to other sectors; Requires Federal government information-sharing programs with private sector
    Privacy: Mandates strong privacy and civil liberties protections; Directs regular assessments of agency activities
    Cybersecurity Standards: Requires development of a Cybersecurity Framework; Develops voluntary critical infrastructure cybersecurity program and adoption incentives; Identifies regulatory gaps
    Critical Infrastructure Review: Identifies critical infrastructure at greatest risk; Changes the definition of critical infrastructure
  • Currently, there are 16 U.S. industry sectors defined as critical infrastructure
    85% of critical infrastructure is in private sector hands [1]
    Trends exposing industry to increased risk: Interconnectedness of sectors; Proliferation of exposure points; Concentration of assets
    Critical infrastructure sectors: Agriculture and Food; Banking and Financial Services; Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials and Waste; Transportation Systems; Water and Wastewater Systems
    [1] GAO Report, Critical Infrastructure Protection: Sector Plans and Sector Councils Continue to Evolve. July 2007, http://www.gao.gov/assets/100/95010.pdf
  • Helping the CISO respond to Cyber Security: Closing Critical IT Security Gaps
  • Evolving CISO Landscape
  • CISO Challenge: Competing priorities
    14% increase in Web application vulnerabilities from 2011 to 2012
    83% of enterprises have difficulty filling security roles
    Common Vulnerabilities and Exposures
    Increase in compliance mandates
  • CISO Challenge: Inadequate tools
    85 tools from 45 vendors
    Only 1 out of 45 malware samples detected
  • CISO Challenge: Business pressures
    75%+ of organizations are using at least one cloud platform
    70% of CISOs are concerned about Cloud and mobile security
  • CISO Challenge: Evolving Threats
    INTERNAL: 43% of C-level execs say that negligent insiders are their biggest concern
    EXTERNAL: 59% increase in critical web browser vulnerabilities
    PAYOFFS: $78M stolen from bank accounts in Operation High Roller
  • Q: Have you had an attack that was difficult to detect?
    A: 45% Yes + 21% Don’t know: 66% don’t have visibility needed to stop advanced attacks
    Why is this happening? Not collecting right security data; Don’t have context; Don’t have baseline for normal; Lack vulnerability awareness
  • Advantage: Attacker
  • CISO: Your move
  • Focus, Intelligence, Innovation
  • Focus: USERS, TRANSACTIONS, ASSETS
  • USERS
    Focus on users, not devices; Implement identity intelligence; Pay special attention to trusted insiders
    60,000 employees; Provisioning took up to 2 weeks; No monitoring of privileged users
    Privileged Identity Management: Monitoring and same-day de-provisioning for 100+ privileged users
  • ASSETS
    Discover critical business data; Harden and secure repositories; Monitor and prevent unauthorized access
    Thousands of databases containing HR, ERP, credit card, and other PII in a world where 98% of breaches hit databases
    Database Access and Monitoring: Secured 2,000 critical databases; Saved $21M in compliance costs
  • TRANSACTIONS
    Identify most critical transactions; Monitor sessions, users, and devices; Look for anomalies and attacks
    30 Million customers in an industry where $3.4B industry losses from online fraud; 85% of breaches go undetected
    Advanced Fraud Protection on over 1 million customer endpoints: Zero instances of fraud occurred
  • Intelligence: ANALYTICS, INTEGRATION, VISIBILITY
  • ANALYTICS
    Don’t rely on signature detection; Use baselines and reputation; Fully inspect content and communications
    Identify entire classes of mutated threats by analyzing 250+ protocols and file types
    Pattern matching; Context, clustering, baselining, machine learning, and heuristics
  • VISIBILITY
    Get full coverage, no more blind spots; Reduce and prioritize alerts; Produce detailed activity reports
    Reduce 2 Million logs and events per day to 25 high priority offenses
  • INTEGRATION
    Eliminate silos and point solutions; Build upon a common platform; Share information between controls
    Monitor threats across 8 Million subscribers with an integrated Platform
    Siloed Point Products; Integrated Platforms
  • IBM Security Framework: Intelligence, Integration, Expertise. Professional, Managed, and Cloud Services
  • CISO: Checkmate!
  • Smart apart. Smarter together. Copyright © 2013
  • Thank you. For more information, you can contact: Paul Avallone – pavallone@deloitte.com Charlie Kenney – Charles.kenney@us.ibm.com
  • This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Copyright © 2011 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited