FINANCIAL MANAGERS SOCIETY CYBERSECURITY UPDATE
Maranda Cigna, Rapid7 Global Services Manager, Maranda_Cigna@Rapid7.com
Financial Services Outlook
Security in Financial Services: An Industry Under Attack
• Attack frequency and intensity are on the rise
• 2014 Financial Services attacks*
  – 642 confirmed security incidents
  – 277 resulting in confirmed data loss
• Financial losses have reached into the billions
*Verizon 2015 Data Breach Investigations Report (DBIR)
Regulatory Outlook
• Regulators are increasing the frequency of cyber security exams
• New York Department of Financial Services announced stricter exam processes
New York State Department of Financial Services
• Chief Security Officer – resume, training, and experience
• Security policies and procedures
• Data classification integration
• Vulnerability and patch management
• Identity and access management
• Use of multi-factor authentication
• Incident response program
• Business continuity and disaster recovery
• Vendor due diligence
• NIST Cyber Security Framework alignment
Security Leadership Challenges
Industry Research
• Gartner Worldwide Information Security Spending:
  – Total security spending in 2015 will be $76.9 billion
• PwC State of Information Security:
  – Total number of security incidents climbed to 42.8 million in 2014 (up 48% from 2013)
  – Information security spending is not keeping pace
• Software Advice Group Study:
  – Most data breaches have minimal impact on public awareness
  – Breaches have limited impact upon financial reports
Research Summary…
• We are spending more money in 2015 than ever before
• Companies are still getting breached
• People don’t remember who got breached
• Incentives are not aligned – cheaper to clean up after?
Are Boards worried about security?
Board Level Awareness - Disconnect
• RedSeal Survey
  – Surveyed 350 C-level executives
  – Nearly 60% said they can “truthfully assure the board beyond a reasonable doubt” their organization is secure
  – 32% have full visibility into global networks
  – 79% say it is impossible to effectively secure what cannot be seen and understood
Board Level Awareness, cont.
• PwC
  – Fewer than half (42%) of respondents say their Board actively participates in overall security strategy
• National Association of Corporate Directors (NACD)
  – Current allocation of responsibility: Audit committee 46%, Full board 38%
  – Where should risk oversight be allocated: Full board 53%, Audit committee 25%
• Veracode
  – 80% of respondents said cybersecurity is “frequently discussed”
  – 46% said “most meetings”, 35% “every meeting”
Are Boards worried about security?
Trending that way…
– Security is becoming a Board level issue
– Boards need to become more aware and involved
– Security leaders should be more transparent with their Board
Do “Wake Up Calls” Generate Real Change?
Bob Gourley’s Cyber Threat “Wake Up Calls”
• 2010: Google’s Aurora attacks
• 2011: Wikileaks
• 2012: South Carolina hack into state websites
• 2013: New York Times acknowledges hacks into its papers
• 2013: Attacks on US banks
• 2013: Anonymous attacks against Federal Reserve
• 2013: Snowden insider attacks
• 2013: Target
• 2014: JP Morgan
• 2014: Sony
• 2015: Anthem attack
• 2015: IRS breach and loss of taxpayer personal info
• 2015: OPM loss of 4 million records of government employees
When people suffer a heart attack, doctors recommend 3 changes:
1. Smoking Cessation
2. Healthy Eating
3. Physical Exercise
4.3% of patients make all 3 changes
CHANGE IS HARD.
Preparing for Disasters (UPenn)
People are subject to three major biases:
1. Tendency to under-appreciate the future and future consequences
2. People are too quick to forget the past, or too slow to remember the negative events of the past
3. When in doubt, people will follow the advice of others who are no less prone to the same mistakes
Increasing organizational security maturity
Attacker Model
Infiltration
Reconnaissance
Persistence
Lateral Movement
Mission Target
Maintain Presence
Defender Model
Prevention
Detection
Respond
Remediation
Clean Up
Lessons Learned
Assessment and Planning Matrix

| | Infiltration | Recon | Persistence | Lateral Movement | Mission Target | Maintain Presence |
|---|---|---|---|---|---|---|
| Prevent | | | | | | |
| Detect | | | | | | |
| Respond | | | | | | |
| Remediate | | | | | | |
| Clean Up | | | | | | |
Strategic Security Planning
• Map your program
  – Controls currently in place
  – Future projects & initiatives
  – Policies and expectations
  – Attacker-centric lens
• Measurements
  – How effective is your investment strategy?
  – Are your investments evenly distributed? (Most are highly invested in prevention)
• Use this as a decision making and communication mechanism
“If You Can’t Measure It, You Can’t Improve It”
William Thomson, Lord Kelvin
Four pillars of security metrics
1. Communicate and drive performance improvement
2. Measure the effectiveness of security controls
3. Identify issues and set priorities
4. Provide increased accountability
Security Metrics Mistakes

| Oops… | Better! |
|---|---|
| Raw vulnerability counts | Remediation policy compliance |
| Top-level enterprise totals | Numbers tied to business lines |
| Trending by vulnerability volume | Trending by age of vulnerability |
| No clear call to action | Actionable intelligence |

The same measurement, just presented differently
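As an added illustration of the “same measurement, presented differently” point (example code, not from the deck): one constructed set of findings yields the raw enterprise total on the “Oops” side and, on the “Better” side, remediation policy compliance per business line, open findings trended by age, and the overdue list that is the call to action. The business lines, severities, dates and the 30/60/90-day remediation policy are assumptions.

```python
from datetime import date
# Constructed sample findings (not from the deck): one record per vulnerability.
# Fields: id, business line, severity, date found, date remediated (None = still open).
FINDINGS = [
    ("v1", "Retail Banking", "critical", date(2015, 5, 1), date(2015, 5, 20)),
    ("v2", "Retail Banking", "critical", date(2015, 4, 1), None),
    ("v3", "Retail Banking", "high", date(2015, 6, 10), date(2015, 7, 1)),
    ("v4", "Wealth Mgmt", "high", date(2015, 3, 15), None),
    ("v5", "Wealth Mgmt", "medium", date(2015, 6, 20), None),
    ("v6", "Wealth Mgmt", "critical", date(2015, 6, 25), date(2015, 6, 28)),
    ("v7", "Wealth Mgmt", "high", date(2015, 5, 20), None),
]
# Assumed remediation policy: maximum days a finding may stay open, by severity.
POLICY = {"critical": 30, "high": 60, "medium": 90}
TODAY = date(2015, 7, 15)  # fixed "as of" date so the numbers are reproducible

def raw_count(findings):
    """The 'Oops' metric: one enterprise-wide total with no call to action."""
    return len(findings)

def days_open(f, today=TODAY):
    """Days between discovery and remediation (or today, if still open)."""
    return ((f[4] or today) - f[3]).days

def compliant(f, today=TODAY):
    """Closed within policy, or still open but not yet past its deadline."""
    return days_open(f, today) <= POLICY[f[2]]

def compliance_by_line(findings, today=TODAY):
    """Percent of findings meeting remediation policy, per business line."""
    tally = {}
    for f in findings:
        ok, total = tally.get(f[1], (0, 0))
        tally[f[1]] = (ok + compliant(f, today), total + 1)
    return {line: round(100 * ok / total) for line, (ok, total) in tally.items()}

def open_by_age(findings, today=TODAY):
    """Open findings bucketed by age: trending by age, not by volume."""
    buckets = {"0-30d": 0, "31-90d": 0, ">90d": 0}
    for f in findings:
        if f[4] is None:
            d = days_open(f, today)
            buckets["0-30d" if d <= 30 else "31-90d" if d <= 90 else ">90d"] += 1
    return buckets

def overdue(findings, today=TODAY):
    """The call to action: open findings already past their policy deadline."""
    return [f[0] for f in findings if f[4] is None and not compliant(f, today)]
```

Run against the same seven records, `raw_count` says only “7”, while the other three functions tell a business line which items it must close this week.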
Socializing Security
• Pen Testers: Planning, findings reports, recommendations
• IR Teams: Real time reporting to management, post mortem presentations, statistics
• Vuln Management Teams: Patching metrics, trending, recommended prioritizations
• Compliance: Risk assessments, controls designs
• Everyone: Quarterly planning and goals, status reports, townhalls, meetings with executives
Compliance: An outcome of security
• Compliance should be the minimum benchmark
• Start with security best practices and the NIST Cyber Security Framework
• Continuously monitor, communicate, and collaborate
Meaningful Partnerships
• You don’t need to design and build it alone!
• Leverage the experts where it matters:
  – IR retainers
  – Program development assistance
  – Threat simulations
  – Advisory services
  – Managed services
Rapid7 Solutions
Rapid7’s Innovative Solutions

| Threat Exposure Management | Incident Detection & Response | Security Advisory Services |
|---|---|---|
| Reduce Your Risk of a Breach | Find the Attacks You’re Missing | Accelerate Security Improvement |
| Vulnerability Management | Intruder Analytics | Security Assessment |
| Attack Simulation | Incident Response Services | Program Development |
| Application Security Testing | | |

Solving Critical Security Challenges