Security in Today’s Business Environment
Jim Tiller, CSO & Managing Vice President of Security Services
Tuesday, June 7, 2005



Page 2: Overview

Today’s Business Climate

Threats and Vulnerabilities

Regulatory Landscape

Simplifying the Business of Security

Controlling Access

Managing People, Process & Technology

Aligning Security to Business Objectives

Page 3: Today’s Business Climate

Running a business in the 21st century isn’t easy!

Security regulations abound: 62% of companies spend more on compliance than on protection*

Evolution of technology and business demands has resulted in highly diverse environments

Managing an increasing number of vulnerabilities in the face of sophisticated threats

Difficulties in aligning people, process and technology

Challenges in leveraging security knowledge and business process

*Source: RedSiren

Page 4: Three Simple Security Perspectives

The Unlawful (vulnerability sensitive)
  Increasing sophistication
  Unprecedented collaboration
  Growing aggressiveness
  Harmful impacts

The Law (compliance driven)
  Increasing number of regulations
  International impacts
  Operational challenges
  Lack of investment predictability

Security Posture (risk averse)
  Segmentation of people, process, and technology
  Poor visibility
  Inability to determine effectiveness
  Inability to align to business objectives

Page 5: Security and Business Infrastructure

[Timeline figure: diversity of IT and security rising from pre-1980s through the 2000s. Recoverable stages, in order:]

Pre-1980s: Mainframes
  Business security incorporated into the system
  If SAP didn’t do it, the company didn’t do it

1980s: Client / Server
  Security begins to diverge as systems become more distributed
  Processes became departmental

1990s: Multi-Tier Application Architecture
  Traditional application development complicates security visibility
  Application specific

2000s: Business Interconnectivity (vendors, partners, clients)
  Business demands strain IT and security in the light of diversity
  Complex data value chain

Page 6: Diversity is a Double-Edged Blade

Value to the business
  Provides a foundation for best-of-breed solutions
  Supports business initiatives
  Allows for evolutionary investment strategies
  Allows organizations to respond to market changes

But what does this mean to security?
  Increased technical gaps
  Leads to fragmented processes
  Difficulty in gaining visibility
  Complicates command and control

Security nemeses: inconsistency and complexity
Result: a vulnerable security posture

Page 7: More Malware, More Hackers

Page 8: Exploiting Our Weakest Links

Page 9: Where the Money is

Page 10: Less Time

Page 11: A Regulated Environment

Security regulations abound
  HIPAA for healthcare
  GLBA & FFIEC for financial services
  Sarbanes-Oxley for US public companies
  Cybersecurity for utilities
  SB-1386 (AB-700); Notification of Risk to Personal Data Act (NORPDA)
  Multiple privacy regulations: US, Canada, Japan, EU, and others

Industry reports suggest $80B over the next 5 years in compliance expenditures*

"Organizations face an increasing amount of liability and regulations, like HIPAA, Gramm-Leach-Bliley and SB 1386. Even in the case of Sarbanes-Oxley, you've got disclosure requirements. They all have pretty harsh penalties, and your liabilities don't stop when you outsource. They only grow."
– Michael Rasmussen, principal analyst, Forrester

*Source: AMR Research

Page 12: Current Status

Security’s omnipresence challenges meaningful management in the light of business objectives

Security is segmented: process, risk, policy, technology

Focus is applied when demands surface, for example:
  Firewalls & IDS were significant during the network attacks of the 90s
  Today, regulations demand more emphasis on process and documentation

Meanwhile, the increased sophistication and number of threats continue to challenge the IT environment

Result, regardless of vulnerability or regulation: security has become complex and painful
  Misalignment between process and technology
  Inability to bind security investments to larger business imperatives

Page 13: CIO Worries

"I worry about a hacker gaining access to our Oracle database and copying social security numbers."

"I worry about a converged network: if the network goes down you lose both voice and data, increasing the risk and worry."

"I worry about staff. I can't protect the network from internal sabotage, disgruntled network administrators, IT personnel, etc."

"I worry about new computers being plugged into the network after they have been off net."

"I worry about the new wide range of handheld IP devices which people plug in at will from near and far-flung locations."

"I worry about employees working at home bridging networks via WLANs, opening up access to our network."

Source: Nick Lippis, Trusted Networks Symposium

Page 14: Cycle of Security Pain

Security investments based on "FUD"

Executives growing weary: "Less talk, more revenue"

Diminishing expectations of security investments: "More money? What did you do with the last check?"

Constant deluge of "new" security problems

Regulatory compliance challenges

Cultural challenges inside and outside IT

Page 15: Information Security in Business Terms

What organizations really want from security
  Simplicity – simplified management and focus
  Predictability – in systems and investments
  Effectiveness – does what it is supposed to for the business

Enablers
  Visibility – in controls, industry, compliance, activity, events, and threat status
  Alignment – people, process, and technology focused in the same direction

Results
  Confidence – make changes with a clear understanding of the impact to business operations, risk, and compliance
  Efficiency – leverage proven business processes and automation

Page 16: Getting There

Technical / Tactical, "Build Success Early": Vulnerability Management, Identity Management
  Establish meaningful, early-win technical solutions

Management, "Organize and Architect": Information Security Management Framework
  Align people & process to meet multiple regulations

Business Management, "Balanced Approach to the Business": Security Services Management
  Employ metrics to measure against the business goals

Technical / Strategic, "Actionable Foundation": Integrated Security Operations Capability, Network Access Control
  Increase technical visibility, command and control

Page 17: Vulnerability Management

Information driven
  Internal status
  Industry status
  Events, warnings, etc.

Based on data acquisition and employment

Collaboration & tools
  Testing, validation, deployment

Comprehensive reporting

Basic concept
  Apply flexible business process to dynamics in technology
  Integrate with multiple systems to drive automation
  Support meaningful communication and collaboration

Page 18: Vulnerability Mgt. Architecture

[Architecture diagram. Recoverable elements:]
Inputs: Business Processes; Asset Database; Vulnerability Data Service (CVE); System Inputs (IDS / IPS, Virus, Patches & Service Packs) via XML, SOAP
Core: Policy & Profile Server; Abstraction Layer (Web Services); System Service Support
Targets: Systems & Applications; Infrastructure; Enable Systems; Service-Driven Provisioning
Collaboration: System Owners; Management; Partners
Outputs: Activity Reporting & Metrics; Auditing; Service Reporting

Page 19: Identity Management

Combination of Technology and Processes

Comprehensive control over who has access to IT resources

Controls authorization and entitlement of resource use

A business solution, not simply a technical solution

Highly pervasive, highly effective

Page 20: Business Enablement

[Diagram. Recoverable elements:]
Identity infrastructure: Access Policies & Profiles; Auditing; Smart Cards, SSO; Certificates; Process & Business Management
Resources: Partner Resources; Applications; Web Services; Distributed Resources
Populations: Partners; Employees; Customers; Hackers

Page 21: Elements of Identity Management

Identity consolidation and synchronization

Credential provisioning and management

Delegation of administration

Authentication and access management

Profile management

Auditing and monitoring

Single sign-on

User self-service

Page 22: Positive Business Impacts

Increased IT operational costs
  Roughly 48% of help desk calls are password resets
  User management consumes 5.25% of all IT productivity
  Most user admin tasks (moves, adds, changes) take 10x longer than necessary

Additional security risks
  Only 70% of users deleted on departure
  New users provisioned to 16 apps; on departure deleted from 10

Source: Metagroup/PwC survey
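The two "additional security risks" figures above are survey numbers; the same thing can be measured directly by reconciling the HR system of record against each application's account export. The following is an added example, not code from the presentation or any product it names. The HR roster, the application account lists, and the employee and account names are all constructed sample data; the reconciliation reports every account whose owner is terminated or unknown to HR, and the share of leavers who were fully deprovisioned.

```python
"""Orphaned-account reconciliation across applications.

Added example, not from the presentation. The HR roster and the per-application
account exports below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed HR system of record: employee id -> status.
HR_ROSTER = {
    "e1001": "active",
    "e1002": "terminated",
    "e1003": "active",
    "e1004": "terminated",
    "e1005": "terminated",   # fully deprovisioned: appears in no application below
}

# Constructed per-application account exports: app -> {employee id: account name}.
APP_ACCOUNTS = {
    "email": {"e1001": "alice", "e1002": "bob", "e1003": "carol", "e1004": "dave"},
    "vpn":   {"e1001": "alice", "e1002": "bob", "e1003": "carol"},
    "erp":   {"e1001": "alice", "e1003": "carol", "e1004": "dave"},
    "crm":   {"e1001": "alice", "e1002": "bob", "e1003": "carol", "e1004": "dave"},
    "wiki":  {"e1003": "carol", "e1004": "dave", "x9999": "svc-wiki"},
}


@dataclass(frozen=True)
class Finding:
    app: str
    employee_id: str
    account: str
    reason: str


def reconcile(roster, app_accounts):
    """Return one Finding per account that should not exist: the owner is
    terminated in HR, or the account maps to no HR record at all (an orphan
    such as a forgotten service account or a broken owner mapping)."""
    findings = []
    for app, accounts in app_accounts.items():
        for emp, acct in accounts.items():
            status = roster.get(emp)
            if status is None:
                findings.append(Finding(app, emp, acct, "no matching HR record"))
            elif status == "terminated":
                findings.append(Finding(app, emp, acct, "owner terminated"))
    return findings


def lingering_apps(employee_id, app_accounts):
    """Applications that still hold an account for the given employee, sorted by name."""
    return sorted(app for app, accounts in app_accounts.items() if employee_id in accounts)


def fully_deprovisioned_rate(roster, app_accounts):
    """Fraction of terminated employees with no remaining account anywhere:
    the slide's 'users deleted on departure' figure, measured rather than surveyed."""
    leavers = [e for e, status in roster.items() if status == "terminated"]
    if not leavers:
        return 1.0
    clean = sum(1 for e in leavers if not lingering_apps(e, app_accounts))
    return clean / len(leavers)


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, APP_ACCOUNTS):
        print(f"{f.app:6} {f.employee_id:6} {f.account:10} {f.reason}")
    print(f"fully deprovisioned: {fully_deprovisioned_rate(HR_ROSTER, APP_ACCOUNTS):.0%}")
```

The "no matching HR record" case matters as much as the terminated one: an account with no owner in the system of record will never be caught by a leaver process, so it has to be surfaced by the reconciliation itself.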

Page 23: Security Policy Challenges

Security policies
  Controls – people, process, and technology security requirements
  Management – the on-going capability to organize, maintain, and distribute
  Enforcement – the ability to ensure policies are being followed by people and technology
  Feedback loop – learning from the application of the policies

Challenges in policy
  Misalignment of policy to technology
  Diversity complicates comprehensive security management
  Difficult to manage people and processes consistently

Page 24: Information Security Management Gap

[Diagram. ISMS Framework layers: Policy; Process & Documentation; People (Roles & Responsibilities); Technology. Gaps between the layers: Feedback gaps; Alignment gaps; Enforcement gaps]

Page 25: Information Security Management Framework

Information Security Management System: supports the information security program by the identification, selection, and deployment of controls in order to mitigate information security risk

Security service orientation

Controls optimization
  Logical controls
  Organizational controls
  Technical controls

Process management
  Governance processes
  Reporting and validation

Page 26: Framework Characteristics

Policy – a high-level, implementation-neutral, conceptual goal that addresses who and what

Program – supports policy by managing multiple plans

Plan – supports a program by defining activities or projects

Standard – supports policy goals, AND implements the procedural vision by defining requirements that can be implemented and measured. Standards offer implementation detail and therefore should be protected

Process – supports standards by presenting a methodology to meet requirements

Procedure – supports a process by offering a reliable, repeatable technique for a predictable outcome

Specifications – support standards by defining specific criteria that control devices must meet in order to be considered for use

Guidelines – support standards with "best practice" advice on how to meet requirements

Page 27: ISMF Visualization

Page 28: Deeper Look

Define control areas horizontally

Define security services vertically

The intersection is:
  Roles & responsibilities
  Policies and processes
  Standards
  Metrics

Page 29: Driving Relationships

Quality and reporting will expose operational efficiencies and actionable patterns. This is especially true for incident management.

Page 30: Obscurity to Operational

The framework provides the policy structure
  Defines security goals
  Defines controls
  Defines management

The framework’s Achilles’ heel
  Technical enforcement
  Comprehensive feedback loop

Information systems need alignment
  Systems do not speak "security" natively to one another
  People and security managers cannot effectively access information

Options
  Integrated security operations
  Network access control

Page 31: Integrated Security Operations Center

Currently seeing significant trends in this area
  Companies are leveraging their NOC investment to support security objectives

There are several definitions for "integration"
  Should practice separation of duties
  Leverage existing infrastructure
  Alignment of tools, e.g.:
    Ticketing systems linked to incident response
    Asset and change control linked to patch management

Challenge areas
  Culture: "Whose problem?", "Who fixes it?", "Who pays for it?"
  Process: when does security take the initiative?
  Technology: what tools do I have that I can leverage? How can I work security into my product management lifecycle?

Page 32: Integrated Security Operations Center

[Architecture diagram. Recoverable elements:]
Managed devices layer (boundary points / network nodes): Routers; Firewall; VPN Servers; RAS; NIDS; Network A/V; Mail; Web Applications; Databases; IBM Mainframe; Middleware / Directories; grouped as DMZ / External Facing Access and Internal Resources; Internet
Data acquisition layer: collection via HTTP/S, SNMP, SMTP, Syslog, API, XML, Logfile, custom
Event correlation layer: Event Correlation Engine; Analysis and Filtering; Event Enrichment; Workflow Automation; Integration with other systems
Data integration: Security Event Correlation; System / Network Events; Ethical Hacking Data; Intelligence Services (ISAC); Problem Management; Asset / Change Management; Policy Management
Presentation layer: Security Management; Network Management; Compliance Management; Reports
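The diagram's middle layers (data acquisition, event enrichment, event correlation, workflow automation) and page 31's "ticketing systems linked to incident response" and "asset and change control linked to patch management" are easiest to see as one small pipeline. The following is an added example, not code from the presentation or any product in the diagram. The syslog-style firewall and NIDS lines, the asset database, and the open-vulnerability list are constructed; the field layout imitates no particular vendor. Each IDS alert is matched against firewall decisions for the same flow inside a time window: an accepted flow confirms the alert, a dropped one downgrades it, and a confirmed alert against a host with a matching open vulnerability from patch management becomes the highest-severity ticket, routed to the asset owner.

```python
"""Minimal ISOC event-correlation pipeline: acquisition -> enrichment -> correlation -> tickets.

Added example, not from the presentation. All log lines, asset records and
open-vulnerability entries below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw feeds as the data acquisition layer would receive them.
RAW_EVENTS = [
    "2005-06-07T09:00:01 fw01 ACCEPT src=198.51.100.23 dst=10.1.5.20 dport=1433 proto=tcp",
    "2005-06-07T09:00:03 nids01 ALERT sig=MSSQL-overflow src=198.51.100.23 dst=10.1.5.20 dport=1433",
    "2005-06-07T09:00:09 fw01 DROP src=203.0.113.8 dst=10.1.5.20 dport=1433 proto=tcp",
    "2005-06-07T09:00:11 nids01 ALERT sig=MSSQL-overflow src=203.0.113.8 dst=10.1.5.20 dport=1433",
    "2005-06-07T09:05:00 nids01 ALERT sig=HTTP-scan src=192.0.2.77 dst=10.1.7.3 dport=80",
]

# Constructed asset database (what asset/change management feeds the enrichment step).
ASSETS = {
    "10.1.5.20": {"name": "db03", "classification": "confidential", "owner": "dba-team"},
    "10.1.7.3": {"name": "web01", "classification": "public", "owner": "web-team"},
}
# Constructed open findings from vulnerability/patch management: (asset name, signature family).
OPEN_VULNS = {("db03", "MSSQL-overflow")}

FW_RE = re.compile(r"^(\S+) (\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)")
IDS_RE = re.compile(r"^(\S+) (\S+) ALERT sig=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


def acquire(lines):
    """Data acquisition: normalise both feeds into dicts with a common schema.
    Lines matching neither pattern are dropped."""
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            ts, sensor, action, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "sensor": sensor, "kind": "firewall",
                           "action": action, "src": src, "dst": dst, "dport": int(dport)})
            continue
        m = IDS_RE.match(line)
        if m:
            ts, sensor, sig, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "sensor": sensor, "kind": "ids",
                           "sig": sig, "src": src, "dst": dst, "dport": int(dport)})
    return events


def enrich(event, assets):
    """Event enrichment: attach the target's asset name, data classification and owner."""
    asset = assets.get(event["dst"], {})
    event["asset"] = asset.get("name", "unknown")
    event["classification"] = asset.get("classification", "unknown")
    event["owner"] = asset.get("owner", "unassigned")
    return event


def correlate(events, open_vulns, window=timedelta(seconds=30)):
    """Correlation: pair each IDS alert with firewall decisions for the same
    (src, dst, dport) flow inside the window. ACCEPT -> 'confirmed', DROP ->
    'blocked', neither -> 'unverified'. A confirmed alert against a host with a
    matching open vulnerability is rated critical. Returns ticket dicts for workflow."""
    decisions = defaultdict(list)          # (src, dst, dport) -> [(ts, action)]
    for e in events:
        if e["kind"] == "firewall":
            decisions[(e["src"], e["dst"], e["dport"])].append((e["ts"], e["action"]))

    tickets = []
    for e in events:
        if e["kind"] != "ids":
            continue
        nearby = {action for ts, action in decisions.get((e["src"], e["dst"], e["dport"]), [])
                  if abs(e["ts"] - ts) <= window}
        if "ACCEPT" in nearby:
            status = "confirmed"
            severity = "critical" if (e["asset"], e["sig"]) in open_vulns else "high"
        elif "DROP" in nearby:
            status, severity = "blocked", "low"
        else:
            status, severity = "unverified", "medium"
        tickets.append({"asset": e["asset"], "sig": e["sig"], "src": e["src"], "status": status,
                        "severity": severity, "assignee": e["owner"],
                        "summary": f"{e['sig']} against {e['asset']} from {e['src']} ({status})"})
    return tickets


def run_pipeline(lines=RAW_EVENTS, assets=ASSETS, open_vulns=OPEN_VULNS):
    events = [enrich(e, assets) for e in acquire(lines)]
    return correlate(events, open_vulns)


if __name__ == "__main__":
    for t in run_pipeline():
        print(f"[{t['severity']:8}] {t['summary']} -> {t['assignee']}")
```

The value of the integration is in the third input: without the asset database the alert cannot be routed, and without the open-vulnerability list from patch management the two identical MSSQL alerts look the same even though only one of them reached a host that is actually exposed.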

Page 33: ISOC Business Value

Proactive problem identification and response, reducing the cost and impact of threats
  Faster response
  Faster recovery

Potentially a cost-effective alternative to outsourcing

Opportunities for efficiencies through automation, workflow improvement, centralized enterprise intelligence

Significant security advantages
  Visibility
  Command and control

Potential problems
  Do you have the skills necessary?
  What "phase" is your NOC in?

Page 34: Network Access/Admission Control (NAC)

Cisco started the flood: 48 vendors participating in the group

Represents a rebirth of the network’s role in security

Leverages the network for what it can really accomplish
  The network touches everything
  Enabler for threats, enabler for business defense

Intelligent networking
  Provides a conduit for upper-layer security services
  Binds security policy to network capability
  Investigates systems, services, applications, and users prior to association
  Isolates potential threats
  Establishes an "expectation envelope"

Page 35: Next Big Step

Vulnerability management reduces exposure

Identity management offers flexibility and security

ISOC increases visibility, command and control

Advances in network security offer proactive controls

Result: Proactive, Focused, Compliant…. Measurable

Utilizing metrics for long-term security management: it’s here, start now
  NIST SP 800-55
  Security Working Group, Government Reform Committee, US House of Representatives (1/2005): 43 pages of security metrics
  Report of the Best Practices and Metrics Team, http://reform.house.gov/TIPRC/

Page 36: Security Services Management

Service measurement & alignment to the business

Metrics strategy
  Defines the layer between business initiatives and services
  Defines the optimal level: too much or too little can be a bad thing
  Reporting

Metrics alignment
  Business owners and industry specifics
  Governance and approval

Key performance indicators: what’s being measured

Page 37: Metrics Example

Vulnerability to System Ratio (Tech) – understanding the pervasiveness of known vulnerabilities
  Number of vulnerabilities
  Criticality level
  Affected system/data classification and role

Patch Rate (Tech & Proc) – managing the window of vulnerability: test, deployment, verify
  Number of patches available, in the pipeline, tested
  Percentage deployed
  Percentage validated

People & Process CMM (P&P) – understanding the level of maturity and effectiveness of management practices
  Localized control management
  Completeness of control processes & documentation
  Process interaction

Compliance Rate (Tech) – feedback from the technical infrastructure on the adoption of policies
  Percentage of policies obtained
  Percentage in compliance
  Percentage validated
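Three of these four metrics are arithmetic over data the earlier architectures already collect (asset database, vulnerability findings, patch pipeline, policy checks), so they can be computed rather than estimated. The following is an added example, not code from the presentation; it computes the vulnerability-to-system ratio, patch rate and compliance rate over constructed inventories. The criticality and classification weights are assumptions chosen for illustration, and the People & Process CMM metric is left out because a maturity level is assessed, not calculated.

```python
"""Computing the slide's vulnerability-to-system ratio, patch rate and compliance rate.

Added example, not from the presentation. Every system, finding, patch state and
policy check below is constructed; the weight tables are assumptions.
"""
from collections import Counter

# Constructed asset inventory: system -> data classification and role.
SYSTEMS = {
    "db03":   {"classification": "confidential", "role": "database"},
    "web01":  {"classification": "public",       "role": "web"},
    "app02":  {"classification": "internal",     "role": "application"},
    "ws-117": {"classification": "internal",     "role": "workstation"},
}
# Constructed open findings: (system, vulnerability id, criticality).
FINDINGS = [
    ("db03", "V-1", "critical"), ("db03", "V-2", "high"),
    ("web01", "V-1", "critical"), ("web01", "V-3", "medium"),
    ("ws-117", "V-4", "low"),
]
# Assumed weights: how much one finding counts by criticality and by the data it exposes.
CRIT_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
CLASS_WEIGHT = {"confidential": 3, "internal": 2, "public": 1}


def vulnerability_to_system_ratio(systems, findings):
    """Pervasiveness of known vulnerabilities: findings per system, share of systems
    affected, a breakdown by criticality, and an exposure score that weights each
    finding by its criticality and the affected system's data classification."""
    n = len(systems)
    affected = {system for system, _, _ in findings}
    exposure = sum(CRIT_WEIGHT[crit] * CLASS_WEIGHT[systems[system]["classification"]]
                   for system, _, crit in findings)
    return {
        "ratio": len(findings) / n,
        "affected_fraction": len(affected) / n,
        "by_criticality": dict(Counter(crit for _, _, crit in findings)),
        "weighted_exposure": exposure,
    }


# Constructed patch pipeline: (patch, system, furthest stage reached).
PATCH_STAGES = ["available", "tested", "deployed", "validated"]
PATCH_STATUS = [
    ("KB-1", "db03", "validated"), ("KB-1", "web01", "deployed"), ("KB-1", "app02", "tested"),
    ("KB-2", "db03", "available"), ("KB-2", "app02", "validated"), ("KB-3", "ws-117", "deployed"),
]


def patch_rate(status):
    """Window of vulnerability: how far each required patch has moved through
    test -> deploy -> verify. A patch at a later stage has passed the earlier ones."""
    rank = {stage: i for i, stage in enumerate(PATCH_STAGES)}
    total = len(status)
    reached = lambda stage: sum(1 for _, _, s in status if rank[s] >= rank[stage])
    return {
        "required": total,
        "tested": reached("tested"),
        "pipeline": total - reached("deployed"),      # still waiting on deployment
        "pct_deployed": reached("deployed") / total,
        "pct_validated": reached("validated") / total,
    }


# Constructed policy checks reported back by the infrastructure: (system, policy, result).
POLICY_CHECKS = [
    ("db03", "P-1", "validated"), ("db03", "P-2", "compliant"),
    ("web01", "P-1", "noncompliant"), ("web01", "P-2", "not_collected"),
    ("app02", "P-1", "compliant"), ("ws-117", "P-1", "not_collected"),
]


def compliance_rate(checks):
    """Policy adoption as reported by the technical infrastructure: share of checks
    actually obtained, share compliant, share independently validated."""
    total = len(checks)
    results = Counter(result for _, _, result in checks)
    obtained = total - results["not_collected"]
    compliant = results["compliant"] + results["validated"]
    return {
        "pct_obtained": obtained / total,
        "pct_compliant": compliant / total,
        "pct_validated": results["validated"] / total,
    }


if __name__ == "__main__":
    print(vulnerability_to_system_ratio(SYSTEMS, FINDINGS))
    print(patch_rate(PATCH_STATUS))
    print(compliance_rate(POLICY_CHECKS))
```

The "obtained" and "validated" percentages are the ones worth watching: a compliance figure computed only over the checks that were collected hides the systems that never reported, and a deployment figure that is never independently validated measures intent rather than state.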

Page 38: Balanced Perspective

Page 39: Bringing it Together

[Diagram mapping business imperatives, through business alignment and security alignment, to security capabilities:]
Risk Management: enhanced visibility, command and control, increased security → Integrated Security Operations Capability (ISOC)
Operational Integrity: align security to assets, flexible & proactive controls → Identity Management, Vulnerability Management
Service Level: gain awareness of investment effectiveness, predictability of effort → Security Services Management (SSM)
Regulatory Compliance: HIPAA, Sarbanes-Oxley, GLBA → People & Process (ISMF)

Page 40: Supporting the Business

[Diagram: Technical Architecture; Security Services Management; Security Services Framework; Business Aware Security]

"IT executives will be seeing more demands to specify and quantify not just efforts and actions, but performance. Try to benchmark your cybersecurity performance against outside measures. The key is to develop ways of demonstrating—specifically, quantifiably, and defensibly—your impact on your organization's cybersecurity."
– Jeffrey Hunker, professor of technology and public policy, Carnegie Mellon University

Page 41: Thank You!

[email protected]

(ISC)2 Journal
www.infosectoday.com