Security-Invest Where it Matters Most


Presented at InnoTech Austin 2013. All rights reserved.

Published in: Technology, Business
  • Tim: You can freestyle regarding how organizations responded to these threats
  • Tim: Trying to figure out who would want to attack a particular organization and why. Developing a strategic stance begins with the answers to those questions. Until you have a sound understanding of why, you’ll never be able to defend yourself effectively against targeted attacks. Targeted attacks are different from accidental hacks. A threat actor diligently seeks out a target to exploit for personal or financial gain, as opposed to a hacker getting lucky at an airport where he/she infects a random user with malware by spoofing a WiFi service. Are they interested in you because you have access to another organization that is a high value target, or are you the high value target? What are they really interested in? Money, intellectual property, trade secrets, access to other higher value targets, political information, crippling a country's defenses in cyber warfare.
  • Security-Invest Where it Matters Most

    1. Security – Invest Where it Matters Most. WWT Security Practice. Mario Balakgie, Principal Security Consultant. 16 October 2013. Copyright © 2013 World Wide Technology, Inc. All rights reserved.
    2. "It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." – Warren Buffett
    3. of a Hyper-Connected World
        • THREATS
            • Unsecured peer-to-peer access
            • Mobile Threats - malware and SMS fraud
            • Advanced Persistent Threats (APTs)
            • Non-malicious breaches
            • Denial of Service (DoS)
        • EVOLUTION OF CONNECTIVITY
            • Local and wide area networks
            • Various flavors of Wi-Fi
            • Intelligent devices
            • Internet of things
            • Cloud technologies
    4. Measuring Up to the Challenge: The Path from Tactics to Strategy. History of Threat Evolution … and Threat Defense
        • 1990: Viruses and worms
        • 2000: Malware and phishing attacks
        • NOW: Cyber attack missions utilizing Advanced Persistent Threats (APT) have redefined the rules of engagement
    5. Tactical Approach Creates Unbalanced Response Posture: Unnecessary Weaknesses in Key Areas of Vulnerability
        • Key Assumption: Complete protection against all threats and vulnerabilities is beyond the tactical capabilities of most enterprise IT security programs.
        • …Trying to do so generates a tactics-based response stance…
    6. Strategic Approach Creates Targeted Response Posture: Strength in Areas of Concern and Vulnerability
        • The future of IT security requires an approach that assumes those who want to get in will get in.
        • …With this in mind, your organization must embrace principles that guide a strategy – where do you invest?
    7. Cyber Security – A Strategic Imperative
        • Businesses Depend on Technology
            • Highly complex
            • A Boardroom level concern
        • Innovation
            • A constant factor with major effects
            • Challenges security management
        • Cyber Threats
            • It is the State-of-Affairs
            • Necessitates C-Suite decision-making and risk management
            • Requires new thinking for protection
            • Speed of action and ability to adapt is critical
    9. Cyber Readiness
        • Threat defense maturity model and gap analysis
        • Alignment with business priorities
        • Remediation recommendations as part of a risk-based security model
    10. BENEFIT: Your Defense Represents an Ongoing Alignment with Your Vulnerabilities
    11. How does an organization approach the security challenge and meet the never-ending demand?
        • Determine Your Readiness
        • Commit to a Plan
        • Invest for Impact
    12. Determining Security Capability
        • “Capability” determination is the degree to which:
            • Institutionalized – a process has been ingrained in the way work is defined, executed, and managed
            • Repeatable – a commitment and consistency to performing the security process
            • Expectation – you know what to expect in terms of organizational reaction and ability with high level of confidence
        • Value of knowing and managing readiness level is to answer important questions:
            • Can we effectively manage our security posture?
            • How do we maintain levels of protection and ultimately our success?
            • Are we adaptive to changing risk environments?
    13. Cyber Security Maturity Model: Systematically Build and Improve Enterprise Cyber Security Capabilities
        • Stage labels: Optimizing; Quantitative; Quantitative / Qualitative; Intuitive; Ad Hoc / Chaotic
        • Level 1, Initial: Dependent on heroics; institutional capabilities lacking, not of the organization
        • Level 2, Repeatable: Process established and repeating; reliance on people is reduced
        • Level 3, Defined: Policies, processes and standards defined and formalized across the organization
        • Level 4, Managed: Risks measured and managed quantitatively and aggregated on an enterprise-wide basis
        • Level 5, Optimized: Organization focused on continuous improvement of security risk management
    14. Example: Security Domains. Domains can be selected based on the organizational needs, business drivers, or identified as challenges.
        1. Cyber Security Policy
        2. Organization of Cyber Security
        3. Governance, Risk, and Compliance
        4. Asset and Information Management
        5. Operations Security
        6. Access Control
        7. Mobile Technology
        8. Breach Response
        9. Business Continuity
        10. Others as needed
    15. Example: Summary of Organization Score
        • Chart: Maturity Rating (scale 1 to 5) by Security Domain: Cyber Security Policy; Organization of Cyber Security; Governance, Risk, and Compliance; Asset and Information…; Operations Security; Access Control; Mobile Technology; Breach Response; Business Continuity; Overall
        • Current Level: 2
        • Goal Level: 4.4
    16. Example: Operations Security
        • Chart: rating (scale 1 to 5) for: Documented Procedures; 3rd Party Management; System Plan & Acceptance; Malicious Code Protection; Backup Process; Network Security; Media Handling; Monitoring; Overall
        • Current Level: 2
        • Goal Level: 5
        • Key Observations
            • Network security function is fragmented between operations
            • Monitoring is mostly manual
            • System development not separated
        • Actions to Reach Maturity Level 5
            1) Restructure monitoring roles and responsibilities
            2) Identify security technology to automate log and audit reviews
    17. Example: Access Control
        • Chart: rating (scale 1 to 5) for: Access Need Controls; User Access Mgt; User Responsibilities; Network Access; Operating System Access; Application Access; Overall
        • Current Level: 2.3
        • Goal Level: 4.3
        • Key Observations
            • Access procedures do not address urgent scenarios of termination
            • Privilege access wide and prevalent and lacks management
        • Actions to Reach Maturity Level 4
            1) Review policy and implement strong well defined procedures
            2) Control privilege access and establish decision authority
    18. Example: Roadmap for Readiness Improvements
        • Diagram labels: Security Capability; timeline markers 3 Months, 6 Months, 12+ Months
        • Steps shown: Formalize Plan for Readiness Improvements; Implement High Priority Capabilities; Review Security Architecture; Implement Medium Priority Capabilities; Monitor and Evaluate; Assess Compliance and Certify; Re-Evaluate Cyber Readiness and Maturity
    19. Summary: Make investments that matter the most!
        • Cyber Security is a must for all businesses – it’s a question of readiness
        • Enterprise-wide program effectiveness requires a process with structure and formal decision-making
        • Understand where you are today and where you want to go
    20. Questions? Thank you