Welcome. HITRUST 2014 Conference April 22, 2014 HITRUST. Health Information Trust Alliance

Size: px

Start display at page:

Download "Welcome. HITRUST 2014 Conference April 22, 2014 HITRUST. Health Information Trust Alliance"

Katrina Glenn
8 years ago
Views:

1 Welcome HITRUST 2014 Conference April 22, 2014 HITRUST Health Information Trust Alliance

2 The Evolving Information Security Organization Challenges and Successes Jason Taule, Chief Security and Privacy Officer, FEi Systems (Moderator) Robert Booker, Vice President and Chief Information Security Officer, UnitedHealth Group Erick Rudiak, Information Security Officer, Express Scripts Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, WellPoint Omar Khawaja, Vice President and Chief Information Security Officer, Highmark HITRUST Health Information Trust Alliance

Information Security Officer, Express Scripts Roy Mellinger, Vice President, IT Security and Chief Information Security

16 Chief Informa-on Security Office HITRUST 2014 Conference The Evolving Informa-on Security Organiza-on Challenges and Successes Tuesday April 22, 2014 Roy R. Mellinger, CISSP ISSAP, ISSMP, CIM Vice President, IT Security Chief Informa-on Security Officer

17 The Evolving Informa-on Security Organiza-on Operational Compliance Risk Enterprise Risk Management Security Viewed as a Business Enabler Preventing Fires Translating Business Needs into Security Requirements Translating Security Requirements into Technical Security Controls Operating Technical Security Controls Fighting Fires Security Threat Management IT Compliance IT Risk Enterprise Risk 17

Security Requirements Translating Security Requirements into Technical Security Controls Operating

18 The Evolving Informa-on Security Organiza-on CYBER THREAT MANAGEMENT v 24x7 Security Operations Center (SOC) v End to End DLP (Data Loss Prevention) Strategy v Tracking of Malware Threats and Coding Techniques v Effective Firewalls, IDS / IPS Strategy Implementations v Effective Security and Event Log Management & Monitoring v Robust Safeguarding Polices, Programs and Processes 18

Coding Techniques v Effective Firewalls, IDS / IPS Strategy Implementations v Effective

19 The Evolving Informa-on Security Organiza-on Hacking Then Individual or Computer Clubs/ Groups Manual efforts with Social Engineering - Success = Badge Of Honor - Personal Monetary Gain or to pay for / fund hacking ac:vity War Protes:ng and Civil Disobedience An:- Establishment Rhetoric Social Rebels and Misfits Hacking Now Automated / Sophis:cated Malware Hac:vism Freedom of Speech, Statements to Influence Change, Sway Public Opinion and Publicize Views Criminal Drug Cartels, Domes:c and Foreign Organized Crime for Iden:ty TheM and Financial Fraud Espionage IP, Business Intelligence, Technology, Military / Poli:cal Secrets Terrorism Sabotage, Disrup:on and Destruc:on Na:on- State Intelligence Gathering, Disrup:ve Tac:cs, Clandes:ne Ops, Misinforma:on, Warfare Strategies, and Infrastructure Destruc:on FRINGE YEARS MAINSTREAM 19

to Influence Change, Sway Public Opinion and Publicize Views Criminal Drug Cartels, Domes:c and Foreign Organized Crime for Iden:ty TheM and Financial Fraud Espionage IP, Business Intelligence,

20 The Evolving Informa-on Security Organiza-on Ini-al compromise spear phishing via , plan:ng malware on a target website or social engineering. Establish Foothold plant administra:ve somware and create back doors to allow for stealth access. Escalate Privileges use exploits and password cracking tools to gain privileges on vic:m computer and network. Internal Reconnaissance collect info on network and trust rela:onships. Move Laterally expand control to other worksta:ons and servers. Harvest data. Maintain Presence ensure con:nued control over access channels and creden:als acquired in previous steps. Complete Mission exfiltrate stolen data from vic:m's network. 20

Escalate Privileges use exploits and password cracking tools to gain privileges on vic:m computer and network.

21 The Evolving Informa-on Security Organiza-on Cyber Threat Management Conventional Approach Paradigm Shift: Cyber Threat Management Controls Coverage Protect ALL informa:on assets Protect your MOST IMPORTANT assets (Crown Jewels) based on risk assessments Controls Focus Preven:ve Controls (an:- virus, firewalls, intrusion preven:on, etc.) Detec:ve Controls (monitoring, behavioral logic, data analy:cs) Perspec-ve Perimeter Based Data Centric Goal of Logging Compliance Repor:ng Threat Detec:on Security Incident Management Piecemeal Find and neutralize malware or infected nodes BIG PICTURE Find and dissect aaack paaerns to understand threat Threat Management Collect informa:on on Malware Develop a deep understanding of aaackers targets and modus operandi related to YOUR org s network and informa:on assets Success Defined By: No aaackers get into the network Aaackers some:mes get in; BUT are detected as early as possible and impact is minimized 21

22 The Evolving Information Security Organization Challenges and Successes Omar Khawaja April 23, 2014

23 Who is Highmark? 23

24 Risk is increasing (Assets X Vulnerabilities X Threats) Our information is increasing in value More data (EMRs) More collaboration (ACOs) More regulation (FTC) Our weaknesses are increasing More suppliers (Cloud) More complexity (ACA) Opportunities to attack are increasing More access (consumer portals) More motivated attackers - Controls Becoming increasingly difficult to secure Multiple Compliance Requirements Evolving Compliance Requirements Unclear Compliance Requirements Less visibility Less control

25 Security org needs to evolve From Explaining the what To Explaining the "why" Growing the security org Growing security in the org Creating more security processes Making security part of more processes Telling them what to do Assisting them with their job Protecting everything equally Differentiated controls Measuring what matters to security org Reporting on what matters to audience

26 Questions?

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity