Breaking Down the Cyber Security Framework: Closing Critical IT Security Gaps


Cyber crime is pervasive and here to stay. Whether you work in the public sector or the private sector, are the CEO of a Fortune 500 company, or are trying to sustain an SMB, everyone is under attack. This February, President Obama issued an executive order aimed at protecting critical business and government infrastructure, because IT security threats have grown in scale and sophistication at an explosive rate. Organizations and government agencies have to contend with industrialized attacks, which, in some cases, rival the size and sophistication of the largest legitimate computing efforts. They also have to guard against a more focused adversary with the resources and capabilities to target highly sensitive information, often through long-term attack campaigns. Many security executives are struggling to answer questions about the most effective approach.

Published in: Technology, Business

  1. 1. IBM & Deloitte Joint Webinar Breaking Down the Cyber Security Framework: Closing Critical IT Security Gaps Oct 22, 2013 © 2013 IBM Corporation 1 © 2012 IBM Corporation
  2. 2. IBM Security Systems. IBM & Deloitte Joint Webinar. Speakers: Harry D. Raduege, Jr., Lt. General (USAF, Ret), Chairman, Deloitte Center for Cyber Innovation. Topic of discussion: Breaking down the Cyber Security Framework. Tom Turner, VP, Marketing & Business Development, IBM Security Division. Topic of discussion: Closing Critical IT Security Gaps.
  3. 3. Breaking Down the Cyber Security Framework
  4. 4. Cyber – A phenomenon that changed the world: Cyberspace, Cyber Attack, Cyber Insurance, Cyber War, Cyberattack, Cyber-Alert, Cyber Bullying, Cyber crime, Cyber-ethics, Cyber FININT, Cyberpower, Cybersecurity, Cyber-Commerce, Cyber Law, Cyber Espionage, Cyber Communication. Copyright © 2013 Deloitte Development LLC. All rights reserved.
  5. 5. The world of cybersecurity. Threats: Identity theft; Information manipulation (e.g., Malware); Cyber Assaults/Bullying; Advanced Persistent Threats (APTs); Information theft; Crime (e.g., Credit card fraud); Insider; Espionage; Cyber attack; Transnational; Attack of software “boomerangs”; Terrorism. Targets: Government (Federal, State, and Local), e.g., E-Government, E-Commerce; Industry, e.g., Aerospace & Defense, Banking & finance, Health care, Insurance, Manufacturing, Oil & Gas, Power Grid, Retail, Telecommunications, Utilities; Universities/Colleges; Individuals. Counters: Cyber workforce; Advanced network and resilience controls; Outbound traffic monitoring; Dynamic situational awareness; Open source Information; Risk intelligence & management (Forensic analysis, Data analytics); Financial intelligence (FININT); Tighter laws & enforcement; Expanded diplomacy; Legislation? You should assume that your information network has been or will be compromised.
  6. 6. Cybersecurity – Key points and impacts of the U.S. President’s Executive Order (February 2013). Information Sharing: Opens up information-sharing program to other sectors; Requires Federal government information-sharing programs with private sector. Privacy: Mandates strong privacy and civil liberties protections; Directs regular assessments of agency activities. Cybersecurity Standards: Requires development of a Cybersecurity Framework; Develops voluntary critical infrastructure cybersecurity program and adoption incentives; Identifies regulatory gaps. Critical Infrastructure Review: Identifies critical infrastructure at greatest risk; Changes the definition of critical infrastructure.
  7. 7. Currently, there are 16 U.S. industry sectors defined as critical infrastructure. 85% of critical infrastructure is in private sector hands [1]. Trends exposing industry to increased risk: Interconnectedness of sectors; Proliferation of exposure points; Concentration of assets. Critical infrastructure sectors: Agriculture and Food; Dams; Information Technology; Banking and Financial Services; Defense Industrial Base; Nuclear Reactors, Materials and Waste; Chemical; Emergency Services; Transportation Systems; Commercial Facilities; Energy; Water and Wastewater Systems; Communications; Government Facilities; Critical Manufacturing; Healthcare and Public Health. [1] GAO Report, Critical Infrastructure Protection: Sector Plans and Sector Councils Continue to Evolve, July 2007.
  8. 8. Helping the CISO respond to Cyber Security: Closing Critical IT Security Gaps
  9. 9. Evolving CISO Landscape
  10. 10. CISO Challenge: Competing priorities. 14% increase in Web application vulnerabilities from 2011 to 2012 (Common Vulnerabilities and Exposures). 83% of enterprises have difficulty filling security roles. Increase in compliance mandates.
  11. 11. CISO Challenge: Inadequate tools. 85 tools from 45 vendors. Only 1 out of 45 malware samples detected.
  12. 12. CISO Challenge: Business pressures. 75%+ of organizations are using at least one cloud platform. 70% of CISOs are concerned about Cloud and mobile security.
  13. 13. CISO Challenge: Evolving Threats. Internal: 43% of C-level execs say that negligent insiders are their biggest concern. External: 59% increase in critical web browser vulnerabilities. Payoffs: $78M stolen from bank accounts in Operation High Roller.
  14. 14. Q: Have you had an attack that was difficult to detect? A: 45% Yes + 21% Don’t know. 66% don’t have visibility needed to stop advanced attacks. Why is this happening? Not collecting right security data; Don’t have context; Don’t have baseline for normal; Lack vulnerability awareness.
  15. 15. Advantage: Attacker
  16. 16. CISO: Your move
  17. 17. Focus, Intelligence, Innovation
  18. 18. Focus: Users, Transactions, Assets
  19. 19. USERS: Focus on users, not devices. Implement identity intelligence. Pay special attention to trusted insiders. Example: 60,000 employees; provisioning took up to 2 weeks; no monitoring of privileged users. Privileged Identity Management: monitoring and same-day de-provisioning for 100+ privileged users.
  20. 20. ASSETS: Discover critical business data. Harden and secure repositories. Monitor and prevent unauthorized access. Example: thousands of databases containing HR, ERP, credit card, and other PII in a world where 98% of breaches hit databases. Database Access and Monitoring: secured 2,000 critical databases; saved $21M in compliance costs.
  21. 21. TRANSACTIONS: Identify most critical transactions. Monitor sessions, users, and devices. Look for anomalies and attacks. Example: 30 Million customers in an industry where $3.4B industry losses from online fraud; 85% of breaches go undetected. Advanced Fraud Protection on over 1 million customer endpoints: zero instances of fraud occurred.
  22. 22. Intelligence: Analytics, Integration, Visibility
  23. 23. ANALYTICS: Don’t rely on signature detection. Use baselines and reputation. Fully inspect content and communications. Identify entire classes of mutated threats by analyzing 250+ protocols and file types. Pattern matching; context, clustering, baselining, machine learning, and heuristics.
  24. 24. VISIBILITY: Get full coverage, no more blind spots. Reduce and prioritize alerts. Produce detailed activity reports. Reduce 2 Million logs and events per day to 25 high priority offenses.
  25. 25. INTEGRATION: Eliminate silos and point solutions. Build upon a common platform. Share information between controls. Monitor threats across 8 Million subscribers with an integrated Platform. Siloed Point Products; Integrated Platforms.
  26. 26. IBM Security Framework: Intelligence, Integration, Expertise. Professional, Managed, and Cloud Services.
  27. 27. CISO: Checkmate!
  28. 28. + Smart apart. Smarter together. Copyright© 2013
  29. 29. Thank you. For more information, you can contact: Paul Avallone – Charlie Kenney –
  30. 30. This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Copyright © 2011 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited