Cybersecurity and Cloud Briefing December 3, 2015

Transcription

1 Cybersecurity and Cloud Briefing

2 Wendy L. Frank, principal,, Advisory, Cybersecurity, Privacy and Risk Office (213) Former Chief Security Officer and Leader of Content Security Program for Motion Picture Association of America: - Redesigned third party/vendor security assessment program - Revised and greatly expanded Content Security Best Practices Common Guidelines - Created Cloud and Application Security Best Practices Common Guidelines Leading authority on cybersecurity and technology for over 20 years with relevant security and technology certifications including: - Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified Information Systems Manager (CISM), and Certified Information Privacy Professional/United States (CIPP/US) credentials, to name a few - Multiple certifications from Microsoft (MCSE, MCT), IBM/Lotus, etc. BSc Computer Science and BSc Accounting from Alvernia University 2

3 Methodology The Global State of Information Security Survey 2016, a worldwide study by and CIO and CSO, was conducted online from May 7, 2015 to June 12, s 18th year conducting the online survey, 13th with CIO and CSO Readers of CSO and CIO and clients of from 127 countries Responses from more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security practices More than 40 questions on topics related to privacy and information security safeguards and their alignment with the business The margin of error is less than 1%; numbers may not add to 100% due to rounding Figures in this report are based on respondents from all industries 3

4 2016 global state of information security survey highlights 91% Have adopted a risk-based cybersecurity framework 69% Use cloud-based cybersecurity services 59% Leverage big data analytics for security 65% Collaborate and partner with others to sharpen security intelligence 45% Boards participate in the overall security strategy 4

5 What is Cybersecurity? Cybersecurity represents many things to many different people Key characteristics and attributes of cybersecurity: - Broader than just information technology and extends beyond the enterprise - Increasingly vulnerable due to technology connectivity and dependency - An outside-in view of the threats and business impact facing an organization - Shared responsibility that requires cross functional disciplines in order to plan, protect, defend, react and respond It is no longer just an IT challenge it is a business imperative! 5

6 The Cyber challenge now extends beyond the enterprise Global Business Ecosystem Environmental Customer Consumer Economic Industry/ Competitors Enterprise JV/ Partners Suppliers Service Providers Legal The Evolution: Technology-led innovation has enabled business models to evolve The extended enterprise has moved beyond supply chain and consumer integration Connectivity and collaboration now extends to all facets of business Leading to: A dynamic environment that is increasingly interconnected, integrated, and interdependent Where changing business drivers create opportunity and risk Pressures and changes which create opportunity and risk Technology 6

7 Cloud trends Cloud Social Networks Information Explosion Mobility Industry Verticals as the 3 rd Cloud Platform 21% Estimated CAGR of in SaaS market through % of Sales teams will adopt public social networks by % growth every two years, reaching 44 zettabytes by % of mobile apps developed in the next 3 years will be integrated with Enterprise Apps (SAP, Oracle, Microsft) 35% High value industry solutions will become the 3 rd platform for cloud expansion. (Health, Energy, Govt.) 35% of enterprises IT dollars will be spent outside of IT by Gartner $1 of every $4 spent on applications will be consumed via the cloud by IDC 30% of all new business software purchases will be service-enabled by IDC 70% of the G2000 will still have 75% of IT resources running onsite by IDC 7

8 SaaS adoption accelerates $ $ $ $ $ 75% Integration takes center stage Enterprise systems Customs Apps Database Organizations will continue to have mixed IT environments for a long time 81% 81% of business Managers say Integration is key to achieving full benefits of cloud $3.7b By 2018, Cloud based Integration platforms will reach $3.7b (31% CAGR) 35% By 2016, 35% of large and mid-size organizations will use an IPaaS solution 8

9 SaaS view of how organizations are adopting Cloud Sanctioned IT Connected Home Grown ON - PREMISE CLOUD CyberSecurity Fabric Legacy Security Solutions Messaging & Collaboration Sales & marketing HR & Skills Finance Sharepoint Apps App Server force.com Database 9

10 Scope of Cybersecurity Technology domain convergence Information Technology Computing resources and connectivity for processing and managing data to support organizational functions and transactions Operational Technology Systems and related automation assets for the purpose of monitoring and controlling physical processes and events or supporting the creation and delivery of products and services Consumer (Products and Services) Technology Computing resources and connectivity integrated with or supporting external end-user focused products and services Cybersecurity encompasses all three technology types 10

11 Profiles of threat actors Adversary Motives Targets Impact Nation State Economic, political, and/or military advantage Trade secrets Sensitive business information Emerging technologies Critical infrastructure Loss of competitive advantage Disruption to critical infrastructure Organized Crime Immediate financial gain Collect information for future financial gains Financial / Payment Systems Personally Identifiable Information Payment Card Information Protected Health Information Costly regulatory inquiries and penalties Consumer and shareholder lawsuits Loss of consumer confidence Hacktivists Influence political and /or social change Pressure business to change their practices Corporate secrets Sensitive business information Information related to key executives, employees, customers & business partners Disruption of business activities Brand and reputation Loss of consumer confidence Insiders Personal advantage, monetary gain Professional revenge Patriotism Sales, deals, market strategies Corporate secrets, IP, R&D Business operations Personnel information Trade secret disclosure Operational disruption Brand and reputation National security impact 11

12 New and evolving threats Vulnerabilities Unpatched systems remain the primary vector of successful exploits. 99.9% of the exploited vulnerabilities were compromised more than a year after they were published. Social engineering Human element and lack of cybersecurity awareness are the most exploited weaknesses in enterprise-level attacks. Targeted Spear-phishing is still effective despite continued training, with 50% of users opening s and 11% clicking on attachments. Zero-day attacks Unpublished vulnerabilities in vendor software are a hot commodity on the dark-net. Four of the most prolific attacks of 2015 were launched using zeroday exploits. Source: /CIO & CSO Magazine Global State of Information Security Survey 2016 & Verizon 2015 Data Breach Investigations Report 12

13 New and evolving threats Malware Companies cannot cope with the volume and velocity of malware attacks occurring daily. In 2015, an estimated 170 Million of malware events were reported across the industry. Hacktivists Mostly a nuisance of the past, hacktivists target US law enforcement following police-related incidents. New data suggests that hacktivists are turning their resources for good in attempt to fight ISIS and other terrorist groups. Cybercrime Increase in Cybercrime due to monetization of PII and PHI on global black market. 79% of global companies experienced a cybercrime related incident in the past 12 months. Source: /CIO & CSO Magazine Global State of Information Security Survey 2016 & Verizon 2015 Data Breach Investigations Report 13

14 New and evolving threats Data Loss/Breach Employee, customer and internal company data are primary targets of external and internal attacks. Top industries affected are public sector and financial services. Cloud Controls and management are handed off to third-parties and cloud presence increases the potential attack surface. Attacks against cloud providers have increased 40% in Insider Threat Insider threat posed by current employees remains the second most frequently reported type of security incident. 55% of insider-related incidents were due to privilege abuse. Source: /CIO & CSO Magazine Global State of Information Security Survey 2016 & Verizon 2015 Data Breach Investigations Report 14

15 New and evolving threats DDoS Attacks Distributed Denial of Service (DDoS) attacks can disrupt business resulting in immediate loss of revenue and long-term damage to reputation. Top industries affected are public sector, retail and financial services. Web App Attacks Organized crime used Web App attacks as the primary attack vector. Bad coding habits provide an easy way in. 95% of web-based attacks used harvested user credentials stolen from user devices. Data Traversal Use of personal file sharing services (e.g., Dropbox, Box, Google Drive) allows for sensitive data to leave the company unchecked. User error is responsible for half of all sensitive data losses with policy violations accounting for 25%. Source: /CIO & CSO Magazine Global State of Information Security Survey 2016 & Verizon 2015 Data Breach Investigations Report 15

16 New and evolving threats Crimeware Physical Theft Availability of automated identity theft and social engineering tools focusing on theft of bank information or PII has put hacking abilities in the hands of criminal element. Preconfigured rootkits, keyloggers, Trojans and bots can be downloaded in abundance from many websites. Physical access to restricted company areas is the simplest and usually most effective way to penetrate their network defenses. The most effective way to prevent physical access breach is to train employees to report unusual activity and challenge visitors. Ransomware A tool for petty cyber-thieves, Ransomware is expected to be on the rise in 2015/2016 and even harder to defend against. Practicing good cyber-hygiene is the most effective way of preventing ransomware (e.g., AV, safe browsing, anti-malware). Source: /CIO & CSO Magazine Global State of Information Security Survey 2016 & Verizon 2015 Data Breach Investigations Report 16

17 Evolving perspectives Considerations for businesses adapting to the new reality Historical IT Security Perspectives Scope of the challenge Limited to your four walls and the extended enterprise Ownership and accountability Adversaries characteristics Information asset protection Today s Leading Cybersecurity Insights Spans your interconnected global business ecosystem IT led and operated Business-aligned and owned; CEO and board accountable One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain Organized, funded and targeted; motivated by economic, monetary and political gain One-size-fits-all approach Prioritize and protect your crown jewels Defense posture Protect the perimeter; respond if attacked Security intelligence and information sharing Plan, monitor, and rapidly respond when attacked Keep to yourself Public/private partnerships; collaboration with industry working groups 17

18 Top 5 Cloud Cybersecurity Use Cases - Where You Should Focus Compromised Accounts (UBA) 1 Accounts Apps 2 Cloud Malware (Apps Firewall) 4 Compliance (Reporting/Policy) 5 SecOps & Forensics (Security Admin) Data 3 Data Breach (Cloud DLP) 18

19 CISO priorities in the new Cloud stack Is the user who we think they are? Identity Cloud What s going on with Off-the-shelf & Homegrown Applications and Data in the cloud? Device Which device is being used by which identity and for what purpose? 19

20 Keeping pace with the new reality Key considerations Operating in the global business ecosystem requires you to think differently about your security program and investments. Risk and Impact Evaluation Board, Audit Committee, and Executive Leadership Business Alignment and Enablement Investment Activities Projects and Initiatives Functions and Services Security Strategy and Roadmap Security Program, Resources and Capabilities Resource Prioritization Engage and commit with the business Leadership, ownership, awareness and accountability for addressing the cyber-risks that threaten the business Alignment and enablement of business objectives Rationalize and prioritize investments Critical assets are constantly evaluated given they are fundamental to the brand, business growth and competitive advantage Threats and impact to the business are considered as investment activities are contemplated Transform and execute the security program New and enhanced capabilities are needed to meet the ever changing cybersecurity challenges A comprehensive program must be built on a strong foundation and include proactive coordination and collaboration with the business The security implications related to the convergence of Information Technology, Operational Technology and Company Products and Services are addressed 20

21 Incorporating industry Leading components into your cybersecurity program Solutions to enhance the effectiveness of your cybersecurity program Threat modeling Critical asset protection Privacy and regulatory compliance Insider and third party risk Emerging technology Board & C-suit engagement M&A cyber diligence Operational technology security Secure product & service development Customer experience & trust Threat scenario planning Breach identification & analysis Incident & crisis readiness Forensic investigation Active defense & response Strategy development Capability maturity Portfolio & investment rationalization Organization redesign Advanced analytics detection & response Secure asset management Security architecture & operations Threat & vulnerability management Identity and access management Culture and communication 21

22 Cloud Security Architecture Framework Cybersecurity Governance Cybersecurity Program Operating Policies Cybersecurity Management User Management Critical Asset Protection Technology Protection & Resiliency Objective, Strategy (Business Case, Risk & Compliance) Sponsorship (Organizational posture, Ownership, Investment & ROI) Governance Organization, Competencies, People & Skills Management Business & IT Policies, Standards & Guidelines Business & Technical Architecture, Training & Awareness Data Privacy & Security (3rd Party Operations) Internal Organization (Roles & Responsibilities, Compliance) Risk, Operations & Incident Management Processes Third party management External Organization (3rd Party Risks & Contracts) SLA Monitoring Change Management Security Audit Logging & Monitoring Incident & End Point Protection Management User Lifecycle Management (Registration, Access Provisioning), Access Management (Authentication, Authorization, SSO, Federation) Secure Gateway (API security, XML base d Firewall protection) Asset Inventory (Business, Systems and Applications) Sensitive Data Ownership & Classification (Data flows &Contextual Attributes) Acceptable Use, Internal &External Collaboration Data at rest/in transit Protection Encryption and Key Management Virtualization Security, Application Security API Management, Security model (SaaS, Public/Private/Hybrid Cloud), Threat & Vulnerability Management Cyber Response, and Business Continuity Planning 22

23 Questions Boards and CEO s should be asking Enhancing their cybersecurity strategy and capability Understanding and adapting to changes in the security risk environment Advance their security posture through a shared vision and culture 1. Is our cybersecurity program aligned with our business strategy? 2. Do we have the capabilities to identify and advise on strategic threats and adversaries targeting us? 3. Can we explain our cybersecurity strategy to our stakeholders? Our investors? Our regulators? Our ecosystem partners? 1. Do we know what information is most valuable to the business? 2. Do we know what our adversaries are after/what would they target? 3. Do we have an insider threat program? Is it inter-departmental? 4. Are we actively involved in relevant public-private partnerships? 1. How was our last security crisis identified; in-house or government identified? 2. Who leads our incident and crisis management program? Is our program cross functional/inter-departmental? 3. How often are we briefed on our cyber initiatives? Do we understand the cyber risks associated with certain business decisions and related activities? 23

24 Lessons learned from recent retail and consumer events The recent retail and consumer industry challenges apply to a broader set of companies and industry sectors Attack Method - organized and coordinated efforts to exploit a known technical vulnerability in the core infrastructure Awareness - adversaries tested and enhanced their approach over the course of months before executing their campaign; intelligence sources communicated threat elements Detection - technical indicators were undetected during the attack sequence; additionally, as is often the case, third parties (e.g. law enforcement or the banks) detect the compromise, not the company Security Posture - known companies compromised were assumed to be compliant with industry standards (e.g. PCI DSS) -- compliance does not equal security Industry Exposure attacks are often not limited to a single company; many companies within an industry sector share the same/similar profile and it is highly likely there are other targets and victims 24

25 Steps organizations can take to address Cybersecurity risks Organizations can t eliminate the risk of cyber attacks, but they can minimize their consequences. Here are 5 things leading organizations do to combat cybersecurity risks. 1 Own the Risk Cyber risk is owned by leadership and is not relegated to the IT function. Periodic cybersecurity briefings are provided to the Board and C-Suite. 2 3 Prioritize Initiatives Leadership prioritizes and monitors cybersecurity investments. Investments are made in new capability, not just technology. Crown jewels have been identified and their protection prioritized. Learn and Incorporate Leading organizations work with various external parties, share information on current threats and incorporate learnings into their own cybersecurity strategy and tactics. 4 Enhance Culture A security culture and mindset is established through training, measurement and evaluation. Behaviors and capabilities of the organization are established and reinforce the importance of cybersecurity. 5 Secure the Business Security of the business value chain including suppliers, third party providers and high-risk interconnection points has been considered. Adapt to the challenges of new and emerging digital business models. 25

26 For more information, please contact Wendy Frank Principal, Advisory, Cybersecurity, Privacy & Risk Office (213) Visit to explore the data further. The Global State of Information Security is a registered trademark of International Data Group, Inc PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. refers to the United States member firm, and may sometimes refer to the network. Each member firm is a separate legal entity. Please see for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.