TRANSCRIPT
Security in Today’s Business Environment
Jim Tiller, CSO & Managing Vice President of Security Services
Tuesday, June 7, 2005
2
Overview
Today’s Business Climate
Threats and Vulnerabilities
Regulatory Landscape
Simplifying the Business of Security
Controlling Access
Managing People, Process & Technology
Aligning Security to Business Objectives
3
Today’s Business Climate
Running a business in the 21st Century isn’t easy!
Security regulations abound: 62% of companies spend more on compliance than protection*
Evolution of technology and business demands has resulted in highly diverse environments
Managing increasing number of vulnerabilities in the face of sophisticated threats
Difficulties in aligning People, Process and Technology
Challenges in leveraging security knowledge and business process
*Source: RedSiren
4
Three Simple Security Perspectives
The Unlawful (Vulnerability Sensitive)
Increasing sophistication
Unprecedented collaboration
Growing aggressiveness
Harmful impacts
The Law (Compliance Driven)
Increasing number of regulations
International impacts
Operational challenges
Lack of investment predictability
Security Posture (Risk Averse)
Segmentation of people, process, and technology
Poor visibility
Inability to determine effectiveness
Inability to align to business objectives
5
Security and Business Infrastructure (timeline chart: Pre 1980’s, 1980’s, 1990’s, 2000’s; vertical axis: Diversity of IT and Security)
Mainframes: business security incorporated into the system; if SAP didn’t do it, the company didn’t do it
Client / Server: security begins to diverge as systems become more distributed; processes became departmental
Multi-Tier Application Architecture: traditional application development complicates security visibility; application specific
Business Interconnectivity (Vendors, Partners, Clients): business demands strain IT and Security in the light of diversity; complex data value chain
6
Diversity is a Double-Edged Blade
Value to the business:
Provides foundation for best of breed solutions
Supports business initiatives
Allows for evolutionary investment strategies
Allows organizations to respond to market changes
But what does this mean to security?
Increased technical gaps
Leads to fragmented processes
Difficulty in gaining visibility
Complicates command and control
Security nemeses: inconsistency and complexity. Result: vulnerable security posture
7
More Malware, More Hackers
8
Exploiting Our Weakest Links
9
Where the Money is
10
Less Time
11
A Regulated Environment
Security regulations abound:
HIPAA for HealthCare
GLBA & FFIEC for Financial
Sarbanes-Oxley for US public companies
CyberSecurity for Utilities
SB-1386 (AB-700) Notification of Risk to Personal Data Act (NORPDA)
Multiple Privacy regulations: US, Canada, Japan, EU, and others
Industry reports suggest $80B over the next 5 years in compliance expenditures*
*Source: AMR Research
“Organizations face an increasing amount of liability and regulations, like HIPAA, Gramm-Leach-Bliley and SB 1386. Even in the case of Sarbanes-Oxley, you've got disclosure requirements. They all have pretty harsh penalties, and your liabilities don't stop when you outsource. They only grow.”
– Michael Rasmussen, principal analyst, Forrester
12
Current Status
Security’s omnipresence challenges meaningful management in the light of business objectives
Security is segmented: process, risk, policy, technology
Focus is applied when demands surface, examples:
Firewalls & IDS were significant during the network attacks of the 90s
Today, regulations demand more emphasis on process and documentation
Meanwhile… increased sophistication and number of threats continue to challenge the IT environment
Result: regardless of vulnerability or regulation, security has become complex and painful
Misalignment between process and technology
Inability to bind security investments to larger business imperatives
13
CIO Worries
I worry about a hacker gaining access to our Oracle database and copying social security numbers
I worry about a converged network: if the network goes down you lose both voice and data, increasing the risk and worry
I worry about staff; I can't protect the network from internal sabotage, disgruntled network administrators, IT personnel, etc.
I worry about new computers being plugged into the network after they have been off net
I worry about the new wide range of handheld IP devices which people plug in at will from near and far-flung locations
I worry about employees working at home bridging networks via WLANs, opening up access to our network
Source: Nick Lippis, Trusted Networks Symposium
14
Cycle of Security Pain
Security investments based on “FUD”
Executives growing weary: “Less talk, more revenue”
Diminishing expectations of security investments: “More money? What did you do with the last check?”
Constant deluge of “new” security problems
Regulatory compliance challenges
Cultural challenges inside and outside IT
15
Information Security in Business Terms
What organizations really want from security:
Simplicity – Simplified management and focus
Predictability – In systems and investments
Effectiveness – Does what it is supposed to for the business
Enablers:
Visibility – In controls, industry, compliance, activity, events, and threat status
Alignment – People, process, and technology focused in the same direction
Results:
Confidence – Make changes with a clear understanding of the impact to business operations, risk, and compliance
Efficiency – Leverage proven business processes and automation
16
Getting There
Technical / Tactical (“Build Success Early”): Vulnerability Management, Identity Management
Management (“Organize and Architect”): Information Security Management Framework
Business Management (“Balanced Approach to the Business”): Security Services Management
Technical / Strategic (“Actionable Foundation”): Integrated Security Operations Capability, Network Access Control
Establish meaningful, early-win technical solutions
Align People & Process to meet multiple Regulations
Increase technical visibility, command and control
Employ metrics to measure against the business goals
17
Vulnerability Management
Information driven: internal status, industry status, events, warnings, etc.
Based on data acquisition and employment
Collaboration & tools: testing, validation, deployment
Comprehensive reporting
Basic concept:
Apply flexible business process to dynamics in technology
Integrate with multiple systems to drive automation
Support meaningful communication and collaboration
18
Vulnerability Mgt. Architecture (diagram). Elements shown:
Inputs: Business Processes, Asset Database, Vulnerability Data Service (CVE), System Inputs (IDS / IPS, Virus, Patches & Service Packs), exchanged over XML, SOAP
Core: Abstraction Layer, Policy & Profile Server, System Service Support, Web Services
Targets: Systems & Applications, Infrastructure (Enable Systems), Service Driven Provisioning
Collaboration: System Owners, Management, Partners
Outputs: Activity Reporting & Metrics, Auditing, Service Reporting
19
Identity Management
Combination of Technology and Processes
Comprehensive control over who has access to IT resources
Controls authorization and entitlement of resource use
A business solution, not simply a technical solution
Highly pervasive, highly effective
20
Business Enablement (diagram). Elements shown:
Controls: Access Policies & Profiles, Auditing, Smart Cards, SSO, Certificates
Resources: Applications, Web Services, Distributed Resources, Partner Resources
Parties: Partners, Employees, Customers, Hackers
Process & Business Management
21
Elements of Identity Management
Identity Consolidation and Synchronization
Credential Provisioning and Management
Delegation of Administration
Authentication and Access Management
Profile Management
Auditing and Monitoring
Single Sign-on
User self-service
22
Positive Business Impacts
Increased IT operational costs:
Roughly 48% of help desk calls are password resets
User management consumes 5.25% of all IT productivity
Most user admin tasks (moves, adds, changes) take 10x longer than necessary
Additional security risks:
Only 70% of users deleted on departure
New users provisioned to 16 apps, on departure deleted from 10
Source: Metagroup/PwC Survey
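The two departure figures above (users not deleted, apps not cleaned up) are exactly what an identity-management reconciliation is meant to surface. The following is an added example, not code from the presentation or from any product it mentions: it joins a constructed HR roster and constructed onboarding records against constructed per-application account lists, flags accounts that should no longer exist, and computes a per-grant deprovisioning rate. All names, applications and statuses are invented for the example.

```python
"""Orphaned-account reconciliation: compare an HR roster and onboarding
provisioning records with what each application still holds, to find users
not removed everywhere on departure. Added example, not from the presentation;
roster, provisioning records and account lists are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    reason: str


# Constructed HR roster: user id -> employment status
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "terminated", "dave": "active"}

# Constructed provisioning records: apps each user was granted at onboarding
PROVISIONED = {
    "alice": {"email", "erp", "vpn", "crm"},
    "bob":   {"email", "erp", "vpn", "crm"},
    "carol": {"email", "erp", "vpn"},
    "dave":  {"email", "erp", "vpn", "crm"},
}

# Constructed per-application account lists: who still has an account today
APP_ACCOUNTS = {
    "email": {"alice", "bob", "carol", "dave"},
    "erp":   {"alice", "bob", "dave"},
    "vpn":   {"alice", "carol", "dave", "eve"},
    "crm":   {"alice", "dave"},
}


def reconcile(roster, app_accounts):
    """Accounts that should not exist: terminated users still provisioned,
    and accounts with no HR identity behind them."""
    findings = []
    for app, accounts in sorted(app_accounts.items()):
        for user in sorted(accounts):
            status = roster.get(user)
            if status is None:
                findings.append(Finding(user, app, "no HR record"))
            elif status == "terminated":
                findings.append(Finding(user, app, "terminated user still provisioned"))
    return findings


def deprovisioning_rate(roster, provisioned, app_accounts):
    """Fraction of onboarding grants to terminated users that have been revoked
    (the slide's '16 apps provisioned, 10 deleted' figure, computed per grant)."""
    granted = revoked = 0
    for user, status in roster.items():
        if status != "terminated":
            continue
        for app in provisioned.get(user, set()):
            granted += 1
            if user not in app_accounts.get(app, set()):
                revoked += 1
    return revoked / granted if granted else 1.0


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, APP_ACCOUNTS):
        print(f"{f.app:6} {f.user:6} {f.reason}")
    print(f"deprovisioning rate: {deprovisioning_rate(HR_ROSTER, PROVISIONED, APP_ACCOUNTS):.0%}")
```

The "no HR record" case is the one a pure HR-driven deprovisioning flow never sees; reconciling in both directions (roster to apps and apps to roster) is what closes it.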
23
Security Policy Challenges
Security Policies
Controls: People, Process, and Technology security requirements
Management: The on-going capability to organize, maintain, and distribute
Enforcement: The ability to ensure policies are being followed by people and technology
Feedback Loop: Learning from the application of the policies
Challenges in Policy
Misalignment of policy to technology
Diversity complicates comprehensive security management
Difficult to manage people and processes consistently
24
Information Security Management Gap
Policy
Process & Documentation
People (Roles & Responsibilities)
Technology
ISMS Framework
Feedback Gaps
Alignment Gaps
Enforcement Gaps
25
Information Security Management Framework
Information Security Management System: supports the Information Security Program by the identification, selection, and deployment of controls in order to mitigate information security risk
Security Service Orientation
Controls Optimization
Logical Controls
Organizational Controls
Technical Controls
Process Management
Governance Processes
Reporting and Validation
26
Framework Characteristics
Policy: A high level, implementation neutral, conceptual goal that addresses who and what
Program: Supports policy by managing multiple plans
Plan: Supports program by defining activities or projects
Standard: Supports policy goals, AND implements procedural vision by defining requirements that can be implemented and measured. Standards offer implementation detail and therefore should be protected
Process: Supports standards by presenting methodology to meet requirements
Procedure: Supports process by offering reliable, repeatable technique for predictable outcome
Specifications: Supports standards by defining specific criteria that control devices must meet in order to be considered for use
Guidelines: Supports standards by “best practice” advice on how to meet requirements
27
ISMF Visualization
28
Deeper Look
Define control areas horizontally
Define security services vertically
Intersection is:
Roles & Responsibilities
Policies and processes
Standards
Metrics
29
Driving Relationships
Quality and Reporting will expose operational efficiencies and actionable patterns
This is especially true for Incident Management
30
Obscurity to Operational
The framework provides the policy structure:
Defines security goals
Defines controls
Defines management
Framework’s Achilles’ Heel:
Technical enforcement
Comprehensive feedback loop
Information systems need alignment:
Systems do not speak “security” natively to one another
People & security managers cannot effectively access information
Options:
Integrated Security Operations
Network Access Control
31
Integrated Security Operations Center
Currently seeing significant trends in this area: companies are leveraging their NOC investment to support security objectives
There are several definitions for “integration”:
Should practice separation of duties
Leverage existing infrastructure
Alignment of tools, i.e. ticketing systems linked to incident response, asset and change control linked to patch management
Challenge areas:
Culture: “Whose problem?”, “Who fixes it?”, “Who pays for it?”
Process: When does security take the initiative?
Technology: What tools do I have that I can leverage? How can I work security into my product management lifecycle?
32
Integrated Security Operations Center (architecture diagram). Elements shown:
Managed Devices Layer: NIDS, Network A/V, IBM Mainframe, RAS, Web Applications, Firewall, Databases, VPN, Servers, Routers, Internet; grouped as Boundary Points/Network Nodes, DMZ / External Facing Access, Middleware / Directories, Internal Resources
Data Acquisition Layer (HTTP/S, SNMP, SMTP, Syslog, API, XML, Logfile, custom)
Event Correlation Layer: Event Correlation Engine, Analysis and Filtering, Event Enrichment, Workflow Automation, Integration with other systems; feeds include Ethical Hacking Data, Security Event Correlation, Intelligence Services (ISAC), System / Network Events
Data Integration and Presentation Layer: Security Management, Network Management, Compliance Management, Problem Management, Asset / Change Management, Policy Management, Reports
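The three middle layers of the diagram (acquire, enrich, correlate) are easiest to understand as one pass over data. What follows is an added example written for this transcript, not code from the presentation or from any ISOC product: it parses constructed syslog-style login lines, enriches each event with a constructed asset record (the Asset / Change Management feed), and applies one correlation rule, several failed logins from one source followed by a success on the same host within a short window, with the finding's severity scaled by asset criticality. The log format, hosts, addresses and criticality values are all invented for the example.

```python
"""Minimal event-correlation pass: acquire syslog-style lines, enrich them with
asset data, and correlate failed-then-successful logins per source.
Added example, not from the presentation; log lines and asset data are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (stands in for the Asset / Change Management feed)
ASSETS = {
    "10.0.1.5":  {"name": "erp-db01",  "zone": "internal", "criticality": "high"},
    "10.0.2.20": {"name": "web-dmz01", "zone": "dmz",      "criticality": "medium"},
}

# Constructed syslog-like lines (the Syslog / Logfile acquisition path)
RAW_EVENTS = """\
2005-06-07T09:00:01 10.0.2.20 sshd: Failed password for admin from 192.0.2.10
2005-06-07T09:00:03 10.0.2.20 sshd: Failed password for admin from 192.0.2.10
2005-06-07T09:00:05 10.0.2.20 sshd: Failed password for admin from 192.0.2.10
2005-06-07T09:00:09 10.0.2.20 sshd: Accepted password for admin from 192.0.2.10
2005-06-07T09:05:00 10.0.1.5 sshd: Failed password for dba from 10.0.3.7
2005-06-07T09:30:00 10.0.1.5 sshd: Accepted password for dba from 10.0.3.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def acquire(raw):
    """Data acquisition: parse raw lines into normalised event dicts."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines would be routed to a 'custom' parser in practice
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def enrich(events, assets):
    """Event enrichment: attach asset name, zone and criticality from inventory."""
    unknown = {"name": "unknown", "zone": "unknown", "criticality": "unknown"}
    for ev in events:
        ev.update(assets.get(ev["host"], unknown))
    return events


def correlate(events, threshold=3, window=timedelta(minutes=2)):
    """Correlation rule: at least `threshold` failures from one source against one
    host, followed by a success within `window`, yields a finding whose severity
    is raised when the asset is high criticality."""
    failures = defaultdict(list)  # (src, host) -> timestamps of failed logins
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["host"])
        if ev["outcome"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append({
                "src": ev["src"], "asset": ev["name"], "user": ev["user"],
                "zone": ev["zone"], "failures": len(recent),
                "severity": "critical" if ev["criticality"] == "high" else "high",
            })
        failures[key].clear()  # a successful login resets the per-source counter
    return findings


def run(raw=RAW_EVENTS, assets=ASSETS):
    return correlate(enrich(acquire(raw), assets))


if __name__ == "__main__":
    for f in run():
        print(f)
```

Enrichment is what turns "three failures then a success" into something the Problem Management and Reports boxes can act on: the same rule firing against a DMZ web host and against an internal database produces different severities without changing the rule.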
33
ISOC Business Value
Proactive problem identification and response, reducing the cost and impact of threats:
Faster response
Faster recovery
Potentially a cost-effective alternative to outsourcing
Opportunities for efficiencies through automation, work flow improvement, centralized enterprise intelligence
Significant security advantages:
Visibility
Command and Control
Potential problems:
Do you have the skills necessary?
What “phase” is your NOC in?
34
Network Access/Admission Control (NAC)
Cisco started the flood: 48 vendors participating in the group
Represents a rebirth of the network’s role in security
Leverages the network for what it can really accomplish: network touches everything; enabler for threats, enabler for business defense
Intelligent networking:
Provides conduit for upper-layer security services
Binds security policy to network capability
Investigates systems, services, applications, and users prior to association
Isolates potential threats
Establishes an “Expectation Envelope”
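The "investigate prior to association, isolate potential threats" idea above reduces to an admission decision taken before an endpoint is given a network segment. The following is an added example, not code from the presentation or from any NAC vendor: a posture policy (antivirus signature age, patch baseline, forbidden listening services) is evaluated against constructed endpoint reports, and each endpoint is placed on a corporate, remediation or guest segment with the reasons recorded. The policy thresholds, MAC addresses, segment names and posture fields are invented for the example and are not any product's schema.

```python
"""Network admission decision: evaluate a connecting endpoint's posture against
policy before it is placed on a network segment. Added example, not from the
presentation; policy, endpoints and segment names are constructed."""
from datetime import date

# Constructed admission policy (the "Expectation Envelope" an endpoint must fit)
POLICY = {
    "max_av_signature_age_days": 7,
    "min_patch_level": 12,
    "forbidden_listening_ports": {23, 135, 445},
}

# Constructed inventory of known, corporate-owned devices (by MAC)
KNOWN_ASSETS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Constructed posture reports, as a NAC agent or pre-admission scan would deliver them
ENDPOINTS = [
    {"mac": "00:11:22:33:44:01", "user": "alice", "av_signature_date": date(2005, 6, 5),
     "patch_level": 14, "listening_ports": {22}},
    {"mac": "00:11:22:33:44:02", "user": "bob", "av_signature_date": date(2005, 5, 1),
     "patch_level": 14, "listening_ports": {22}},
    {"mac": "00:11:22:33:44:03", "user": "carol", "av_signature_date": date(2005, 6, 6),
     "patch_level": 9, "listening_ports": {22, 445}},
    {"mac": "de:ad:be:ef:00:01", "user": None, "av_signature_date": None,
     "patch_level": None, "listening_ports": set()},
]


def evaluate_posture(ep, policy, today):
    """Return the list of policy violations for one endpoint (empty means compliant)."""
    violations = []
    av = ep["av_signature_date"]
    if av is None or (today - av).days > policy["max_av_signature_age_days"]:
        violations.append("antivirus signatures stale or missing")
    if ep["patch_level"] is None or ep["patch_level"] < policy["min_patch_level"]:
        violations.append("patch level below baseline")
    bad_ports = ep["listening_ports"] & policy["forbidden_listening_ports"]
    if bad_ports:
        violations.append(f"forbidden services listening: {sorted(bad_ports)}")
    return violations


def admission_decision(ep, policy=POLICY, known=KNOWN_ASSETS, today=date(2005, 6, 7)):
    """Decide the segment for an endpoint: (segment, reasons).
    Unknown devices or unauthenticated users never reach posture checks."""
    if ep["mac"] not in known or not ep["user"]:
        return "guest", ["unknown device or no authenticated user"]
    violations = evaluate_posture(ep, policy, today)
    if violations:
        return "remediation", violations  # isolated until the posture is fixed
    return "corporate", []


def admit_all(endpoints=ENDPOINTS, **kwargs):
    """Map each endpoint's MAC to its admission decision."""
    return {ep["mac"]: admission_decision(ep, **kwargs) for ep in endpoints}


if __name__ == "__main__":
    for mac, (segment, reasons) in admit_all().items():
        print(f"{mac}: {segment} {reasons}")
```

Identity is checked before posture on purpose: a device the organization does not own gets a guest segment regardless of how healthy it claims to be, which is the "binds security policy to network capability" point rather than a pure host-health check.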
35
Next Big Step
Vulnerability management reduces exposure
Identity management offers flexibility and security
ISOC increases visibility, command and control
Advances in network security offer proactive controls
Result: Proactive, Focused, Compliant… Measurable
Utilizing metrics for long-term security management: It’s here, start now
NIST SP 800-55
Security Working Group, Government Reform Committee, US House of Representatives (1/2005): 43 pages of security metrics
Report of the Best Practices and Metrics Team: http://reform.house.gov/TIPRC/
36
Security Services Management
Service measurement & alignment to the business
Metrics Strategy: Defines the layer between business initiatives and services; defines optimal level (too much or too little can be a bad thing)
Reporting
Metrics Alignment: Business owners and industry specifics; governance and approval
Key Performance Indicators: What’s being measured
37
Metrics Example
Vulnerability to System Ratio (Tech): Understanding the pervasiveness of known vulnerabilities. Number of vulnerabilities; criticality level; affected system/data classification and role
Patch Rate (Tech & Proc): Managing the window of vulnerability: test, deployment, verify. Number of patches available, pipeline, tested; percentage of deployment; percentage validated
People & Process CMM (P&P): Understanding the level of maturity and effectiveness of management practices. Localized control management; completeness of control processes & documentation; process interaction
Compliance Rate (Tech): Feedback from the technical infrastructure on the adoption of policies. Percentage of policies obtained; percentage in compliance; percentage validated
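The technical metrics on this slide, and the vulnerability management architecture shown earlier (asset database joined with a vulnerability data service and a patch pipeline), can be demonstrated with one computation. The following is an added example, not code from the presentation or from any vulnerability-management product: a constructed asset database is joined against a constructed vulnerability feed to derive the vulnerability-to-system ratio with its criticality and classification breakdowns, the patch rate from a constructed patch pipeline, and the compliance rate from constructed policy-check feedback. The vulnerability ids are labelled placeholders and do not refer to real advisories; software names, hosts and policy names are invented.

```python
"""Vulnerability-management metrics computed from an asset database joined with
a vulnerability data feed and a patch pipeline. Added example, not from the
presentation; asset records, vulnerability entries, patch states and policy
checks are constructed, and the CVE-style ids are placeholders."""
from collections import Counter

# Constructed asset database: host -> installed software and classification
ASSETS = {
    "erp-db01":  {"software": {"dbserver 9.1"}, "classification": "confidential", "role": "database"},
    "web-dmz01": {"software": {"httpd 2.0", "openssl 0.9"}, "classification": "public", "role": "web"},
    "ws-042":    {"software": {"browser 1.4", "openssl 0.9"}, "classification": "internal", "role": "workstation"},
    "ws-043":    {"software": {"browser 1.5"}, "classification": "internal", "role": "workstation"},
}

# Constructed vulnerability data service records (ids are placeholders, not real CVEs)
VULNS = [
    {"id": "CVE-EXAMPLE-0001", "software": "openssl 0.9", "criticality": "high"},
    {"id": "CVE-EXAMPLE-0002", "software": "httpd 2.0", "criticality": "medium"},
    {"id": "CVE-EXAMPLE-0003", "software": "browser 1.4", "criticality": "low"},
]

# Constructed patch pipeline: vulnerability id -> {host: state}; absent means only "available"
PATCH_STATE = {
    "CVE-EXAMPLE-0001": {"web-dmz01": "validated", "ws-042": "deployed"},
    "CVE-EXAMPLE-0002": {"web-dmz01": "tested"},
    "CVE-EXAMPLE-0003": {},
}

# Constructed policy-compliance feedback from the technical infrastructure
POLICY_CHECKS = {
    "erp-db01":  {"password-length": "pass", "av-installed": "unknown", "logging-enabled": "pass"},
    "web-dmz01": {"password-length": "pass", "av-installed": "fail", "logging-enabled": "pass"},
    "ws-042":    {"password-length": "fail", "av-installed": "pass", "logging-enabled": "unknown"},
    "ws-043":    {"password-length": "pass", "av-installed": "pass", "logging-enabled": "pass"},
}


def match_vulnerabilities(assets, vulns):
    """Join the asset database against the vulnerability feed: one (host, vuln) per exposure."""
    return [(host, v) for host, a in assets.items() for v in vulns if v["software"] in a["software"]]


def vulnerability_to_system_ratio(assets, vulns):
    """Known vulnerabilities per system, broken down by criticality and data classification."""
    matches = match_vulnerabilities(assets, vulns)
    return {
        "ratio": len(matches) / len(assets),
        "by_criticality": dict(Counter(v["criticality"] for _, v in matches)),
        "by_classification": dict(Counter(assets[h]["classification"] for h, _ in matches)),
    }


def patch_rate(assets, vulns, patch_state):
    """Pipeline counts per exposure, plus percentage deployed and percentage validated."""
    matches = match_vulnerabilities(assets, vulns)
    states = [patch_state.get(v["id"], {}).get(h, "available") for h, v in matches]
    n = len(states) or 1
    deployed = sum(s in ("deployed", "validated") for s in states)
    validated = sum(s == "validated" for s in states)
    return {"exposures": len(states), "pipeline": dict(Counter(states)),
            "pct_deployed": 100 * deployed / n, "pct_validated": 100 * validated / n}


def compliance_rate(policy_checks):
    """Share of policy checks for which feedback was obtained, and share of those that pass."""
    results = [r for checks in policy_checks.values() for r in checks.values()]
    obtained = [r for r in results if r != "unknown"]
    passed = sum(r == "pass" for r in obtained)
    return {"checks": len(results),
            "pct_obtained": 100 * len(obtained) / (len(results) or 1),
            "pct_compliant": 100 * passed / (len(obtained) or 1)}


if __name__ == "__main__":
    print(vulnerability_to_system_ratio(ASSETS, VULNS))
    print(patch_rate(ASSETS, VULNS, PATCH_STATE))
    print(compliance_rate(POLICY_CHECKS))
```

The distinction the slide draws between "deployed" and "validated" is kept as two separate percentages: a patch counted only when it has been verified on the host is the number that actually closes the window of vulnerability.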
38
Balanced Perspective
39
Bringing it Together
Diagram elements, in the order shown:
Business Imperatives: Business Alignment, Security Alignment
Risk Management: Enhanced Visibility, Command and Control, Increased Security; Integrated Security Operations Capability (ISOC)
Operational Integrity: Align Security to Assets, Flexible & Proactive Controls; Identity Management, Vulnerability Management
Service Level: Gain Awareness of Investment Effectiveness, Predictability of Effort; Security Services Management (SSM)
Regulatory Compliance: HIPAA, Sarbanes-Oxley, GLBA; People & Process (ISMF)
40
Supporting the Business
Diagram elements: Technical Architecture; Security Services Management; Security Services Framework; Business Aware Security
“IT executives will be seeing more demands to specify and quantify not just efforts and actions, but performance. Try to benchmark your cybersecurity performance against outside measures. The key is to develop ways of demonstrating—specifically, quantifiably, and defensibly—your impact on your organization's cybersecurity.”
– Jeffrey Hunker, professor of technology and public policy, Carnegie Mellon University