Jason Witty, SVP & CISO at US Bank - Next Generation information security meets the board of directors

Jason Witty, SVP & CISO at US Bank spoke at the CIO North America Event June 2013

Published in: Technology, Business
  1. Jason Witty, SVP, Chief Information Security Officer, U.S. Bancorp
  2. The Expanding Internet – Past 15 years. The superhighway, circa 1998, compared with 2013:

     | Analogy      | 1998                               | 2013                                                   |
     |--------------|------------------------------------|--------------------------------------------------------|
     | Cars         | Billions (1,000,000,000) at 60 mph | Quintillions (1,000,000,000,000,000,000) at 60,000 mph |
     | Lanes        | 4                                  | 4,000                                                  |
     | On/Off Ramps | Millions (1,000,000)               | Hundreds of Millions (800,000,000)                     |

  3. “Digital Currency” – Setting the Stage: The Global Economy
     • Global overview: Broad Money $65.5 trillion; Monetary Base $16.1 trillion; Gold Reserves $1.8 trillion; Capital stock (bonds, stocks) $212 trillion
     • U.S. overview: Broad Money $10.3 trillion; Monetary Base $2.6 trillion; Gold Reserves $462.8 billion; Combined Market Value (bonds, stocks) $47.6 trillion
     • Approximate percentage of digital currency in the global market: 93.6%
     • Cash and gold available as a proportion of banking & commerce funds (physical reserves: printed money, gold, etc.): 6.4%
     Sources: CIA World Factbook as of YE 2011; global capital stock estimated by McKinsey. FS-ISAC: For Official Use Only
  4. Innovative Trends to Watch
     • Mobile Computing
     • Social Networking
     • Cloud
  5. Developing Innovative Trends & Opportunities – Cloud, Social, Mobile, Digital banking. Flexible… Collaborative… Disruptive… Enabling…
     • #1 ranking in the top ten strategic technologies list, according to Gartner (cloud)
     • $40 Billion estimated spend by business on cloud computing this year
     • 60% of the public cloud will serve software by 2016
     • 45% of U.S. adults own a smartphone
     • 21% of phone owners used mobile banking services in the last year
     • 15% annual growth of the U.S. Bank retail mobile channel
     • 1 Billion approximate number of users on Facebook
     • 62% of adults globally use social media
     • 1 Facebook-based virtual bank, and Facebook online banking apps
     • 1m new sign-ups for Square’s smartphone-based payment card-processing service
     • 100m PayPal account holders
     • 2015: the year when online banking becomes the new norm
  6. Setting the Stage: Social Media – social networking, content communities, blogs / microblogs, virtual / game worlds, collaborative projects, locational
     • Facebook – most popular – 1bn users
     • LinkedIn – professionals – 175m users
     • Google+ – integrated apps – 500m users
     • Myspace – entertainment – 25m users
     • Klout – measures influence
     • YouTube – video – 1tr views
     • Flickr – image gallery – 80m visitors
     • Pinterest – scrapbooking – 25m visitors
     • LiveJournal – user generated – 1.7m users
     • DeviantArt – art portfolios – 36m visitors
     • Instagram – photo editing – 100m users
     • Twitter – microblog – 500m users
     • Tumblr – user generated – 77m blogs
     • Huffington Post – news / political blogging content provider – 54m visitors monthly
     • Steam – service – 54m users
     • Xbox Live – Microsoft – 35m users
     • WoW – gaming – 10m players
     • Second Life – virtual world – 1m users
     • Habbo – virtual chat – 10m users
     • Reddit – social news – 43m users
     • Wikipedia – crowd-sourced encyclopedia – 1.5bn users
     • Coursera – educational – 1m students
     • Kickstarter – virtual chat – 73k projects
     • Foursquare – mobile / geo – 20m users
     Key tenet: reposting/retweeting means there is no delete key on the Internet. Smartphones add geographic data. (*User counts approximate as of Nov 2012.)
  7. Rapidly Evolving Cyberthreat Motivation – motivation progression line: Fraudsters (theft) → Hacktivists (disruption) → Nation-states (destruction)
  8. Cybersecurity Threats: Actor Groups
     • Organized crime: cybercrime is a mature industry with marketing, support, advertising, R&D, and economies of scale
     • Insiders: can be difficult to detect; usually low-tech, relying on access privileges
     • Hacktivists: responsible for 58% of all data stolen in 2011; 2011 targets included CIA, FBI, Visa, MasterCard, Sony, Amazon, others
     • Nation-states: since 2010, nation-state linked malware increased from 1 to 9 (5 in 2012); malware for espionage, creating breach opportunities, even sabotage
  9. Strategies Must Be Intelligence-Driven
     • Regulatory Intelligence – regulators expect we provide evidence of a STRONG information security program
     • Employee Intelligence – employees strive for excellence and are interested in how and where they WORK
     • Shareholder Intelligence – shareholders require we protect revenue to enable GROWTH
     • Business Line Intelligence – business lines require AGILITY and fast time to market to meet business goals and customer demand
     • Cyber-Threat Intelligence – adversaries exploit vulnerabilities and require the capability of a MATURE prevention and recovery response environment
     • Customer Intelligence – customers place TRUST in us and demand we are careful stewards of their data
  10. Threat Intelligence Service Architecture
     • Financial industry: FS-ISAC, BITS, FSSCC
     • Malware intelligence
     • Vulnerability intelligence: Microsoft vulnerabilities, MSDN, OWASP, Common Vulnerabilities & Exposures
     • Cyber threat intelligence
     • Fraud & phishing intelligence
     • Government agencies: Homeland Security, USSS, FBI, other agencies
  11. Strategies Must Be Comprehensive
     • DEVICES are secure and patched regularly to keep secure over time
     • THIRD PARTIES & VENDORS – control parity is risk-based and protections are appropriate
     • NETWORKS are monitored 24x7
     • IDENTITY & ACCESS is appropriate based on job role
     • INDUSTRY & PARTNERSHIPS provide actionable, cost-effective threat and risk intelligence
     • DATA & INFORMATION is secure at rest and in transit
     • CUSTOMERS & CLIENTS are educated on cyber-risks and their role in protecting their devices
     • APPLICATIONS are secure in development and production
  12. Managing Risks Associated with Cloud Computing
  13. Cloud Computing: Real or Hype?
     • Both!
     • Next phase of the Internet
     • Early ’90s – Mid ’00s: Compute Connectivity (networks abound)
     • Mid ’00s – Mid ’20s: Compute Utility
     • Overhyped in the short term, underhyped in the long term
     Example – Convert NY Times Articles (1851-1922) TIFF->PDF, Nov 1, 2007, Derek Gottfrid, NY Times: “Thanks to the swell people at Amazon, I got access to a few more machines and churned through all 11 million articles in just under 24 hours using 100 EC2 instances, and generated another 1.5TB of data to store in S3.”
  14. Nightmare Scenario – “Web Host Hack Deletes 100k Sites”
     • June 2009 – UK IaaS provider VAServ has 100,000 customer websites deleted at one time
     • Initial reports: “attacked by zero-day exploit in version 2.0.7992 of the LXLabs-developed HyperVM.”
     • 50% of VAServ customers lost all data: they had opted for unmanaged service – no backups
     • CEO of HyperVM: suicide
     • Hypervisor password
     Sources:
     • http://en.wikipedia.org/wiki/HyperVM
     • http://www.theregister.co.uk/2009/06/08/webhost_attack
     • http://www.thewhir.com/web-hosting-news/060809_Web_Host_Hack_Deletes_100k_Sites
  15. Virtualized N-Tier Control Equivalence – “Old Way” vs. “New Way”
     • Old way: Internet → Users → FW → WAF → NIDS / IPS → Presentation Layer → Data Layer
     • New way: Internet → Users → FW → WAF → NIDS / IPS → Hypervisor
     How do we ensure control parity?
  16. Managing Risks in the Cloud. Copyright © 2013 Cloud Security Alliance
  17. Managing Risks in the Cloud
     • Popular best practices for securing cloud computing
     • Flagship research project
     • V2.1 released 12/2009
     • V3 released 11/2011
     Guidance: cloudsecurityalliance.org/guidance
  18. Cybersecurity Trends to Watch
     • Nation-States a Game-Changer
     • Advanced Malware / Tactics
     • Denial-of-Service
  19. Questions? Contact: jason.witty@usbank.com