Information Security and Network Structure - Café Empresarial 15/05

  1. Information Security Technology and Services. Claudio Neiva, Research Director – Network Security, Gartner. (Notes accompany this presentation; select Notes Page view. These materials can be reproduced only with written approval from Gartner, requested via e-mail. Gartner is a registered trademark of Gartner, Inc. or its affiliates.)
  2. Fear, Uncertainty and Doubt
  3. Brazil
  4. DDoS Attacks Increasing in Size; Frequency of Attacks Is High. Source: Arbor Networks — Worldwide Infrastructure Security Report 2013. [Two charts: largest bandwidth attacks reported per year, 2002–2011, on a 0–120 scale; most common motivations behind DDoS, on a 0–50 scale.]
  5. Phishing e-mails. Phishing e-mails vary in quality, payload, and purpose, but they all share the same initial goal: get the user to take action. Source: Verizon 2013 security report.
  6. Likely Impacts
     • Loss of availability: (1) several hours; (2) several days; (3) forever.
     • Confidentiality failure: (1) embarrassment; (2) privacy loss, fines and PR damage; (3) loss of competitive advantage.
     • Data loss: (1) recoverable in several days; (2) partially corrupted data; (3) never fully recoverable.
  7. Confidentiality and Accessibility Cannot Be Simultaneously Optimized. Secrecy and reliability are negatively linked goals; time and money can partially raise the overall level of both. [Chart: optimized trade-off curve between confidentiality ("nobody can see data") and accessibility/availability ("everybody can see data").]
  8. Business Security
  9. Consumer Security
  10. What Is Appropriate Risk? There is no such thing as "perfect protection". [Chart: a scale from low risk / high cost / high maturity to high risk / low cost / low maturity, with Financial Services, Healthcare, Manufacturing and Production Engineering placed along it.] Business model: more customers, more locations, more complexity, more aggressive use of personally identifiable information in marketing, more regulatory scrutiny, … more risk!
  11. The Nexus of Forces Is Driving Innovation in Government: Extreme Networking, Rampant Access, Global Class Delivery, Rich Context, Deep Insights.
  12. Information Security and the Nexus of Forces. Security technology and service categories arranged around the Nexus: Data Loss Prevention, Secure Web Gateway, Risk, Security Application Testing, Security Information and Event Management, Cryptography, Firewalls, Managed Security Services, Intrusion Prevention, Mobile Security, Endpoint Protection, Social Media Security Monitoring, Digital Surveillance, Identity and Access Management.
  13. The 4 Phases of BYOD (Device or Disaster?): Avoid, Accommodate, Adopt, Assimilate. Elements shown across the phases:
     • Corporate-owned devices only; "don't ask, don't tell"; limited support; extend existing capabilities.
     • Focus on data protection and cost: BYO policies, formal mobile support roles, MDM, NAC.
     • Focus on productivity: desktop virtualization, adoption of new enterprise-grade services, enterprise app stores, self-service and P2P platforms.
     • Realization of the personal cloud: context awareness, identity-aware NAC, workspace aggregators, "walk-up" services.
  14. How's This Working for You? Timeline 2002 → 2010 → 2018: security moves from the control of IT & Operations to the control of business units and users.
  15. Strategic Planning Assumptions
     • By 2018, 70% of mobile professionals will conduct all of their work on personal smart devices.
     • Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring.
     • By 2020, 75% of enterprises' information security budgets will be allocated to rapid detection and response approaches, up from less than 10% in 2012.
  16. Can Your Board Handle the Truth? 100% of U.S. public company boards are required annually to disclose their ability to oversee risk, yet fewer than 2% of U.S.-based companies, and fewer than 9% of global companies, actually have robust and mature risk oversight practices.
  17. You Must Get Right
  18. Information Security; Privacy; Risk Management; Business Continuity Management; Compliance; Identity and Access Management.
  19. Information Security Management Scenario (framework map). Areas and the controls placed under each, with the status legend Implemented / Gap / Revision:
     • Identity: single sign-on; auto-provisioning; Hootsuite (social networks).
     • GRC & Auditing: vulnerability analysis; pentest; internal audit; PCI; risk management.
     • Legal & Policy: policy review; supplier contracts; employee contracts.
     • Software: code audit; Fortify (agile methods); whitelisting; OS assessment.
     • Endpoint: VPN; NAC; AV, anti-malware & host IPS; DLP & encryption; Internet proxy; antispam.
     • Awareness: e-learning; hotspots; educational e-mails; lectures; specific training.
     • Intel & Operation: SOC; SIEM.
     • Perimeter: IPS; firewall; web application firewall (WAF); VPN.
     Speaker notes (Information Security – Framework):
     Information security management is made up of several areas of the company; it is not exclusive to IT. It incorporates Information Security and IT, but also users, controllers, audit, HR, Legal, etc. Security must be present in each person; the concern must be everyone's.
     Security policy: documents each person's responsibilities, the points of attention and the required controls. For the controls it defines procedures and checklists for implementation and monitoring.
     Perimeter: the first barrier, reactive, between the Internet and the internal networks; network-based.
     • IPS: blocks volumetric or miscellaneous attacks. (Caveat: an inline IPS can only drop what reaches it; a volumetric DDoS of the size shown on slide 4 saturates the upstream link first and needs provider-side mitigation.)
     • Firewall: performs access control.
     • WAF: shields web applications.
     • VPN: allows external access as if the user were on the internal network.
     Software: the second barrier, proactive, secure code and applications.
     • Code audit: with a suitable tool, performed by the security team.
     • Fortify: part of the development process, with agile deployment.
     • Whitelisting: controls which applications the application server may execute.
     • Assessment: cyclical validation of the application servers against checklists.
     Endpoint: protection of workstations, notebooks and mobile devices.
     • VPN: secure external access.
     • NAC: secure internal access.
     • AV, anti-malware, host IPS, DLP and encryption: protect the workstation and the data.
     • Proxy and antispam: protect the user and productivity.
     User awareness and education:
     • e-learning and educational e-mails with curiosities and tips;
     • technology hotspots (leaflets, panels);
     • lectures and training delivered by the area;
     • contracted lectures and training.
     Identity management:
     • Single sign-on: automatic login to applications after the Windows login.
     • Auto-provisioning: account creation and deletion in a single workflow.
     • Hootsuite: access management for social-network profiles.
     Intelligence and log management:
     • SIEM: concentration of logs and application of security and business rules when correlating the detected events.
     • SOC: specialized team that monitors incidents and executes operational information-security tasks.
     GRC and audit:
     • Audit, PCI and risk management: monitoring of vulnerabilities and management of risks.
     • Vulnerability analysis: manual analysis of all the company's information assets by a specialized consultancy.
     • Pentest: manual intrusion test against the vulnerabilities found, and input to risk management.
     Legal and policy:
     • Cyclical policy reviews: meetings among key people from the security committee (or similar) to draft and approve policies.
     • Supplier contracts: a contract with the security requirements imposed on suppliers of information assets.
     • Employee contracts: an addendum to the employment contract regulating the use of IT assets.
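The SIEM correlation described in the "Intelligence and log management" notes above (logs concentrated in one place, then security and business rules applied to correlate the detected events) is shown below as an added worked example; it is not part of the original presentation or of any Gartner or vendor product. The log format, hostnames, user names, addresses, the "five failures within 60 seconds" threshold, the list of sensitive accounts and the 07:00–20:00 business-hours window are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not real logs): a simplified
# sshd-style authentication record, one event per line, plus one line that the
# collector failed to normalise.
SAMPLE_LOGS = """\
2014-05-15T09:00:01 web01 sshd: Failed password for alice from 203.0.113.7
2014-05-15T09:00:03 web01 sshd: Failed password for alice from 203.0.113.7
2014-05-15T09:00:05 web01 sshd: Failed password for alice from 203.0.113.7
2014-05-15T09:00:07 web01 sshd: Failed password for alice from 203.0.113.7
2014-05-15T09:00:09 web01 sshd: Failed password for alice from 203.0.113.7
2014-05-15T09:00:12 web01 sshd: Accepted password for alice from 203.0.113.7
2014-05-15T09:05:00 web02 sshd: Failed password for bob from 198.51.100.9
2014-05-15T09:40:00 web02 sshd: Accepted password for bob from 198.51.100.9
2014-05-15T23:30:00 erp01 sshd: Accepted password for fin_admin from 10.0.5.20
this line is garbage the collector could not normalise
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(raw):
    """Normalise raw lines into event dicts; returns (events, unparsed_count)."""
    events, unparsed = [], 0
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1   # a real SIEM would alarm on a rising parse-failure rate
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events, unparsed


def correlate(events, window=timedelta(seconds=60), threshold=5,
              business_hours=(7, 20), sensitive_users=frozenset({"fin_admin"})):
    """Apply two correlation rules over time-ordered events and return alerts.

    Security rule: at least `threshold` failed logins for the same (source, user)
    inside `window`, followed by a successful login, suggests a guessed password.
    Business rule: a successful login by a sensitive (e.g. finance) account
    outside business hours. Both thresholds are assumptions for the example.
    """
    recent_failures = defaultdict(deque)   # (src, user) -> timestamps of failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:    # slide the window forward
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            continue
        # From here on the event is a successful login.
        if len(q) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "ts": ev["ts"],
                           "user": ev["user"], "src": ev["src"],
                           "host": ev["host"], "failures": len(q)})
            q.clear()                             # do not re-alert on the same burst
        start, end = business_hours
        if ev["user"] in sensitive_users and not (start <= ev["ts"].hour < end):
            alerts.append({"rule": "off_hours_sensitive_login", "ts": ev["ts"],
                           "user": ev["user"], "src": ev["src"], "host": ev["host"]})
    return alerts


def run_example():
    """Parse the constructed sample and correlate it; returns (alerts, unparsed)."""
    events, unparsed = parse(SAMPLE_LOGS)
    return correlate(events), unparsed


if __name__ == "__main__":
    found, dropped = run_example()
    print(f"{len(found)} alert(s), {dropped} unparsed line(s)")
    for a in found:
        print(a)
```

On the sample, only alice's burst (five failures in eleven seconds, then success) and fin_admin's 23:30 login raise alerts; bob's single failure ages out of the window before his success, so no alert fires. The same two-step shape (normalise, then correlate per entity over a time window) is what the SOC team on the slide tunes: the thresholds are business decisions, and the parse-failure count is itself a signal worth monitoring because a source that stops parsing silently drops out of every rule.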
  20. From Control-Centric Security to People-Centric Security. Control-centric: policy, rules, people, punishment, control. People-centric: rights, principles, policy, responsibilities, people, monitor, educate.
  21. New Goals of Information Security
     • Kickin' it old school (cost center): threat-based; tool-focused; tactical; reactive; project-oriented; ignored by business; take ownership of risk.
     • The new paradigm (value-add): risk-based; process-focused; strategic; proactive; programmatic; engaged with business; educate about risk.
     The function of information security management is to support the business's ability to deliver on its goals in a risk-resilient manner.
  22. Transform: Mapping KRIs and KPIs. The slide chains indicators from the CRO/CISO to the business: key risk indicators (open incidents, poor patching) are a leading indicator that a critical application fault will hit the supply chain support application (the CIO's domain), which is a leading indicator that the supply chain slows (a business KPI), which is a leading indicator of the negative impact: revenue loss and missing the quarter.
  23. Path to Failure: reading Gartner's reports, but not speaking to an analyst.
  24. What product and vendor selection tools are appropriate for my enterprise?
  25. Gartner Methodologies
     • Technology evolution: Gartner IT Market Clock and Gartner Hype Cycle (should you move or wait? maintain or retire?).
     • Market overview: Gartner MarketScope (evaluate risks in emerging and mature markets); Gartner Magic Quadrant (map providers against business requirements); Gartner Critical Capabilities (identify use cases and compare vendors).
  26. Recommended Gartner Research
     • The Structure and Scope of an Effective Information Security Program, Tom Scholtz (G00210133)
     • Security Management Strategy Planning Best Practices, Tom Scholtz (G00223694)
     • The Security Processes You Must Get Right, Rob McMillan (G00209848)
     • Seven Techniques for More Proactive Risk and Security Management, Tom Scholtz (G00224578)
     • The Keep-It-Simple Approach for CIO Risk Reporting to the Board, Richard Hunter, French Caldwell (G00211351)
     • Introducing Risk-Adjusted Value Management, Paul E. Proctor, Michael Smith (G00225409)
     • The Gartner Business Risk Model: A Framework for Integrating Risk and Performance, Paul E. Proctor, Michael Smith (G00214758)
     • Information Security and Risk Governance: Forums and Committees, Tom Scholtz, F. Christian Byrnes (G00207477)
     For more information, stop by Experience Gartner Research Zone.