Comprehensive Risk Management
for a Cyber-Secure Organization
Presented by
Joe Hessmiller
Director
Computer Aid, Inc.
Published on SlideShare as “Automation of Information (Cyber) Security” (Software, Technology, Business).

The Take-Away
• Security is a Process.
• All Three Information Security Control Areas (Physical, Technical and Administrative) Rely Heavily on Comprehensive Monitoring to Be Effective
• Automation is Key to Continuously Monitoring Threat Vulnerabilities (Conditions of Failure)
• Automation is Key to Modifying Behavior by Persistently Enforcing and Reinforcing Security Practices

At the End of this Presentation You Will Be Able to…
• Present to Stakeholders the Need for Automated Support for Information Security ‘Ensurance’
• Present to Stakeholders an Effective Approach to Automating Information Security ‘Ensurance’

Bad Things Happen to Good Systems
Major Violations Occur Too Frequently
http://seekingalpha.com/article/1324971-pandemic-cyber-security-failures-open-an-historic-opportunity-for-investors

The REAL Challenge of Information Security: Preventing Human Error through Situational Awareness

“Industry has done a great job of increasing productivity and reducing costs, Habibi says, but the time has come to focus on preventing human error. He sees human reliability as the next area ripe for optimization across industry. Optimization is sorely needed here, according to Habibi, because industry has “essentially created a monster of complex information systems combining ERP, production management and real-time systems.” A key concept of human reliability, according to Habibi is “situation awareness.” Habibi says that situation awareness is essential to preventing errors because it addresses the physical environment (e.g., control room ergonomics, lighting, temperature, comfort, traffic, noise), organizational culture (e.g., policies and procedures, shift schedules, reporting, work ethic, motivation, training, knowledge and skills) and the human-automation relationship.”

The Human Reliability Challenge, David Greenfield, Director of Content/Editor-in-Chief, AutomationWorld, April 25, 2013
http://www.automationworld.com/safety/human-reliability-challenge

Security is a Process

“If we've learned anything from the past couple of years, it's that computer security flaws are inevitable. Systems break, vulnerabilities are reported in the press, and still many people put their faith in the next product, or the next upgrade, or the next patch. "This time it's secure." So far, it hasn't been. Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.”

The Process of Security, by Bruce Schneier, Information Security, April 2000

A Complex Process
Organized Into an Information Security Matrix

Information Security Matrix
Columns: Control Application Areas (Areas of Vulnerability)
Rows: Functionality (Responses to Threats)

Functionality    Physical    Logical    Administrative
Preventative
Detective
Corrective
Deterrent
Recovery
Compensating

Useful Policies DO Exist
Standards Exist for “Mature” Policies and Procedures
http://www.pkfavantedge.com/wp-content/uploads/2013/COBIT_Security.pdf
http://cmmiinstitute.com/assets/Security-and-CMMI-SVC.pdf

Even Specific Security Standards Exist
• NIST SP 800-100 Information Security Handbook: A Guide for Managers
• ISO 27002 Information Security – Code of Practice

Checklist Resources Available
http://www.slideshare.net/ATBHATTI/audit-checklist-for-information-systems-14849697

Automated Tools Focused on Specific Threats Exist
“Hard” Data Sources:
• FireEye: Malware Protection System (MPS)
• Microsoft: Systems Management Server (SMS) and Active Directory (AD)
• Tripwire (nCircle): IP360 and Configuration Compliance Manager
• AlienVault: Unified Security Management
• Symantec: Protection Suite Enterprise Edition, NetBackup and Veritas Cluster Server (VCS)
• pfSense
• APC InfraStruxure
• VMware vSphere
• Honeywell: NOTIFIER fire alarm systems, access control systems and intrusion detection systems

But, Automation Has a Long Way to Go
Automation possibilities in information security management, 2011
http://www.sba-research.org/wp-content/uploads/publications/PID1947709.pdf

We Need Comprehensive Monitoring and Control

Effective automation can address the challenges. Part of the solution is consolidating information security monitoring data into a comprehensive risk management platform for analysis and reporting. Another part of the solution is getting ALL of the important data; this includes feedback on information security conditions from the people in the process. Then the main part becomes possible: changing behaviors by monitoring and control.

Diagram: the Administrative, Physical and Logical Control Silos each feed an Automated Conditions Monitoring and Analysis System.

What Does Comprehensive Information Security Automation Look Like?
Diagram: Controls, Mechanisms; Standards, Guidelines

The “Missing” Link in Information Security Automation
Incorporate:
• “Hard” Data from Automated Systems with
• Human Feedback for
• COMPREHENSIVE Information Security Assessment and
• REINFORCEMENT of Information Security Policies
Diagram: an Automated Security Control Room fed by ‘Hard’ Data From Monitoring Systems and ‘Soft’ Data From Human Assessments

Comprehensive, At-a-Glance Insight Into Info Security Conditions

Accountability = Behavior Change
• Periodic Assessment
  – Reminders of “Should Do”s
  – Validation of “Did Do”s
  – Two-way Feedback
• Situational Awareness
• Behaviors Change
“What gets measured, gets done.”

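The slides above describe the platform in words: a matrix of control areas against control functions, tool output consolidated with human assessment answers, and a periodic check of what "should" have been done against what "did" get done. As an added example (not code from the deck or from Computer Aid, Inc.), the following Python shows what the aggregation logic at the centre of that picture can look like. Every evidence record is constructed for illustration, the mapping of named tools to matrix cells and the freshness thresholds are assumptions, and the goal is to make the at-a-glance view and the reminder list concrete: a cell with no evidence is reported as unmonitored, a cell whose only evidence has expired is stale, and a current failing check or a "no" from a human attestation marks the cell failing.

```python
"""Added example: a toy 'automated conditions monitoring and analysis' aggregator.

It takes 'hard' evidence (normalised output of monitoring tools) and 'soft'
evidence (answers to periodic human assessments), places each record in a cell
of the Physical/Logical/Administrative x control-function matrix, and reports
which cells are ok, failing, stale or not monitored at all. Every record below
is constructed for illustration; the tool-to-cell mapping and the freshness
thresholds are assumptions, not part of the original deck.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AREAS = ("Physical", "Logical", "Administrative")            # control application areas
FUNCTIONS = ("Preventative", "Detective", "Corrective",       # control functionality
             "Deterrent", "Recovery", "Compensating")


@dataclass(frozen=True)
class Evidence:
    area: str           # one of AREAS
    function: str       # one of FUNCTIONS
    source: str         # tool name, or "human:<role>" for an assessment answer
    kind: str           # "hard" (machine-generated) or "soft" (human attestation)
    ok: bool            # check passed / task attested as done
    observed: datetime  # when the evidence was produced


# Fixed reference time so the run is deterministic.
NOW = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)

# Assumed freshness limits: tool data older than a week, or an attestation
# older than a month, no longer counts as current evidence.
HARD_MAX_AGE = timedelta(days=7)
SOFT_MAX_AGE = timedelta(days=30)

# Constructed records in the shape a collector might normalise tool output into.
HARD_EVIDENCE = [
    Evidence("Logical", "Preventative", "pfSense", "hard", True, NOW - timedelta(hours=1)),
    Evidence("Logical", "Detective", "FireEye MPS", "hard", True, NOW - timedelta(hours=2)),
    Evidence("Logical", "Detective", "Tripwire IP360", "hard", False, NOW - timedelta(hours=3)),  # scan found an unpatched host
    Evidence("Logical", "Recovery", "NetBackup", "hard", True, NOW - timedelta(days=1)),
    Evidence("Physical", "Preventative", "Honeywell access control", "hard", True, NOW - timedelta(minutes=30)),
    Evidence("Physical", "Detective", "Honeywell IDS", "hard", True, NOW - timedelta(minutes=30)),
]

# Constructed answers to "did you do it?" questions from a periodic assessment.
SOFT_EVIDENCE = [
    Evidence("Administrative", "Preventative", "human:hr-manager", "soft", True, NOW - timedelta(days=10)),     # new-hire training delivered
    Evidence("Administrative", "Detective", "human:security-officer", "soft", True, NOW - timedelta(days=45)),  # access review: answer has expired
    Evidence("Physical", "Corrective", "human:facilities", "soft", False, NOW - timedelta(days=2)),             # broken door lock not yet repaired
]


def build_matrix(evidence):
    """Return {(area, function): [Evidence, ...]} with every cell present, even if empty."""
    matrix = {(a, f): [] for a in AREAS for f in FUNCTIONS}
    for e in evidence:
        if (e.area, e.function) not in matrix:
            raise ValueError(f"evidence from {e.source} maps to unknown cell {(e.area, e.function)}")
        matrix[(e.area, e.function)].append(e)
    return matrix


def cell_status(records, now=NOW):
    """Classify one cell: 'unmonitored' (no evidence), 'stale' (only expired evidence),
    'failing' (a current check or attestation says no), otherwise 'ok'."""
    if not records:
        return "unmonitored"
    fresh = [r for r in records
             if now - r.observed <= (SOFT_MAX_AGE if r.kind == "soft" else HARD_MAX_AGE)]
    if not fresh:
        return "stale"
    if any(not r.ok for r in fresh):
        return "failing"
    return "ok"


def assess(evidence, now=NOW):
    """Combine hard and soft evidence into one status per matrix cell."""
    return {cell: cell_status(records, now) for cell, records in build_matrix(evidence).items()}


def reminders(status):
    """The 'should do' list: every non-ok cell, worst first, then alphabetically."""
    severity = {"failing": 0, "stale": 1, "unmonitored": 2}
    return sorted((c for c, s in status.items() if s != "ok"),
                  key=lambda c: (severity[status[c]], c))


def render(status):
    """At-a-glance grid: one row per control function, one column per area."""
    col = 16
    lines = ["".ljust(14) + "".join(a.ljust(col) for a in AREAS)]
    for f in FUNCTIONS:
        lines.append(f.ljust(14) + "".join(status[(a, f)].ljust(col) for a in AREAS))
    return "\n".join(lines)


if __name__ == "__main__":
    status = assess(HARD_EVIDENCE + SOFT_EVIDENCE)
    print(render(status))
    print("\nNeeds attention:")
    for area, function in reminders(status):
        print(f"  {status[(area, function)]:<12} {area}/{function}")
```

Two points the grid makes that the slides only assert: a human "yes" is evidence with an expiry, so the overdue access review surfaces as stale rather than silently counting as done, and most cells of the matrix start out unmonitored, which is the gap the deck is arguing comprehensive monitoring should close.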
Why Automate Control Functionality
• So It Will Be Done Comprehensively
• So It Will Be Done Consistently
• So It Will Be Done Effectively
• So It Will Be Done Efficiently
• So We Will Have Comprehensive Data for Analysis
• BEHAVIOR WILL BE CHANGED