Defending against modern cyber threats

Transcription

1 Defending against modern cyber threats Protecting Critical Assets October 2011 Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

2 Agenda 1. The seriousness of today s situation 2. Key principles for successful implementation 2

3 What keeps CIO s awake at 3 am?

4 Impact of IT Trends on security Market pressures are putting incredible pressure on executives to protect their organisations while allowing for maximum business agility whilst doing so at an appropriate cost Consumerisation Open Collaboration Globalisation Threat Professionalisation Managing Compliance Trends Infiltration of consumer technology in the enterprise Extending the perimeter to partners and customers Interaction without borders Growing security threat from organised crime Proliferation of regulatory and compliance mandates Security Implications Ensuring security without limiting new modes of work and interaction Ensuring that critical assets are still protected Managing increased complexity from country and industry specific regulations Managing increased cost of prevention Staying compliant without hampering business agility Cost Pressures Growing need to reduce cost whilst increasing business value of IT Managing increased number and sophistication of threats with less 4

5 The Cyber Security Challenge What is my threat profile? How does the changing IT landscape impact my threat profile? What is the baseline compliance or security? How to measure success compliance, the (believed) absence of breaches, metrics? How to respond to Board queries about cyber preparedness? What are the most critical investments today? What needs to change in six months? 5

6 An integrated approach is required to manage the changing threat landscape We envision a security-aware enterprise that continuously analyses and monitors the environment in real time, adapting defenses in response to a changing threat environment. Enabling Capability Characteristics Process-Automated Responses Analytics-Driven Security Enablement of Virtual Resources 6

7 Optimising Security Operations Security operations tend to focus on monitoring low-level events and troubleshooting networks. Invariably the emphasis is on compliance which is a narrow scope and makes it impossible to lean forward on emerging threats. Performance Is about the right staffing, the right metrics and the right planning and coordination with other parts of the organisation e.g. budget, acquisition and enterprise architecture. Enhanced Operational Support Extract Value From Technology Is about integration of new technology components and appropriately providing ongoing maintenance and support including the people and processes. Is about analytics and workflow and a move away from a compliance attitude and into higher performance outcomes that seek to get the most out of solutions. Enterprise Risk Is about vulnerabilities, global threats and compliance. It s knowing what is a priority and acting with purpose while recognising what is drain on resources. 7

8 Next Generation Security Operations: A Journey Organisations should plan for a journey. The security strategy should include plans to deliberately move up the maturity curve over time Compliance Compliance and Sustainment Compliance Sustainment and Continuous Monitoring 0 Initial 1 - Managed 2 - Defined 3 - Quantitatively Managed Processes are unpredictable, poorly Controlled, and reactive. Little to no security infrastructure and tools. Processes are tailored for the organisation, but reactive. Dedicated teams are established. Security infrastructure exists, but may not be leveraged as per best practices or business requirements. Processes are tailored for the organisation and include proactive practices. Security infrastructure is aligned with operational objectives and management of tools is governed. Integration between security tools and monitoring capabilities is well defined Processes are measured and controlled. Processes are directed by workflow capabilities. Security is integrated with Solutions Engineering and Delivery across the organisation. The focus is on extracting actionable intelligence from security infrastructure. Organisations have an plan for sourcing and on-boarding advanced capabilities Use Cases / Effectiveness Profile Adaptive and Reflex-Like 4 - Optimizing Security Services is directed when and where they are needed. Response to threats requires less IT time as automation and consolidated human interfaces drive efficiencies. The organisation becomes highly adaptive to changing conditions of evolving threats and new business demands or opportunities. Security operations and resources are available as a service. Virtual teams can quickly scale on demand. 8

9 Enabling Capability Characteristics The Three Do s The strategic security objectives will change with each organisation; however, the three to-do s remain the same. See More Do More Surge to meet Demand Key security principle: incidents and accidents always involve a chain of events, a series of underlying causes Enriched and actionable intelligence to minimise errors and optimise decisions Fusion and abstract presentation of information at all levels of C2 Privacy-enhancements to limit collection and retention of sensitive information Activities defined and governed as automated processes, human-in-theloop tasks or sense and respond autonomously Single control pane with programmatic and visually intuitive interfaces Knowledge bases to detect, defer, defend and prevent attacks e.g. deliberately leave a network port open to deceive an adversary A diversity of expertise sourced to counter sophisticated threats Taps high-powered computing to analyse large volumes of data or surge bandwidth Hardware, software and processes can grow and shrink to manage costs and scale to meet mission requirements

10 Communications Environment / Message Bus Configuration System Asset System Performance System Geographical Information System Cross-Domain Correlation System See More : Bringing it all together under a single pane of glass Helpdesk Personnel IS Analyst NOC Engineer IOC Portal System Systems Engineer SOC Operator Client Personnel Vendor/3 rd Party Human Computer Interactions User defined dashboards Portal System Intelligent Rules Builder Service Desk System Incident Service Desk System Problem Request Change Knowledgebase IAM DLP NMS SIEM PSIM SMS AMS Data and Platforms IOC Portal System Routers Switches Firewalls Servers Desktops Telecom Power Data Services Applications Cloud Services Web Services 3 rd party Feeds 10

11 See More: Analytics-Driven Security You have to look at the thousands of things that lead up to the accident in the first place. The approach is to climb-up the analytics curve and recognise brand new attacks that have no signature. To chase something one has little knowledge of requires advanced pattern and behavior detection capabilities. Objectives: Fuse structured and unstructured information from beyond the firewall; Use statistical analysis to make predictions and adjust priorities; Leverage cyber intelligence as a core competency. 11

12 Do More: Process-Automated Responses Automation, when applied smartly, can reduce manpower needs or reduce the workload that is made available to staff and decision makers. Key decisions are rapidly propagated across all elements of the enterprise regardless of provider. Objectives: Align stakeholders in the decision making process; Reduce the number of steps to perform a step in the work-flow of a response ; Reduces the noise of unimportant events that is presented to operators and analysts; Adapt responses to risk tolerance of the enterprise. 12

13 Surge to meet the demand: Enablement of Virtual Resources The concept of virtualisation extends to people, technology and processes. Virtual staffing makes it easier to recruit and retain top talent as they are not limited to staff available in geographic region. Sourcing of infrastructure and applications as-a-service reduces cost and gives the illusion of infinite capability. Objectives: Staffing the best security professionals from across the enterprise On-demand use of the latest tools, tactics and techniques Manage operations as a service with the ability to surge to absorb sudden events 13

14 Key principles for successful implementation 1. Start with the key threat scenarios 2. Build agility in the process framework 3. Build a learning organisation 4. Actively manage the change 5. Build a hard-nosed culture of security 6. Branding is key 14

15 1. Start with the key threat scenarios Prioritisation: initially focus on the critical security issues based on the threat profile of the organisation. This translates into a focus on the critical infrastructure of the organisation. Leverage tools and technologies which could help organisations respond to those threat scenario. Build a model to proactively change the threat scenarios based on the changing threat landscape, stay ahead of the curve. Engage with Risk teams, Business owners, audit and process owners. 15

16 2. Build agility in the process framework Build an agile process model which enables the team to respond to incidents in real time and take proactive actions. Implement structured support processes for the ongoing management of the technology platform. Ensure the incident management process links all the stakeholders like Incident managers, application support team and third parties into a seamless model for responding to unauthorised activities. 16

17 3. Build a learning organisation Changing threat landscape needs an organisation which can quickly learn and adopt to the changing scenario. A Knowledge management system for capturing, reviewing and storing historical information for better analysis and identification. This is not only a technology issue, a significant change is required within the organisation, as Business stakeholder needs to be embedded. Build a virtualised team across the organisation to quickly respond to an unauthorised activity. 17

18 4. Actively manage the change. Key stakeholders across Business and IT need to be part of the journey. Monitoring needs senior management support as the output could lead to legal, HR or other disciplinary actions. Monitoring has data piracy impact and hence its important to engage with Legal, staff council and workers council at the onset. Business Process owners and Application owners needs to be onboarded as security issues could be occurring due to Process gaps or incorrectly configured application landscape. Engage with third parties supporting your Business IT landscape, Joint Ventures who have access to Business applications and internal IT staff. Alignment across Business increases awareness and faster response to security incidents; thereby protecting organisation. 18

19 5. Build a hard-nose culture of security Clearly, explicitly define who is responsible for cyber security. Ensure a holistic approach to information management and protection. Consider your organisation a steward, not an owner of personal data. Implement strong data protection policies. Data protection policies matter* 19

20 6. Branding is key - do not call a SOC a SOC The focus of operations is on service restoration and not on data confidentiality and integrity. Security Operations name creates a misnomer within the organisation about its function and services it delivers. The right branding, attracts and helps to retain the right talent within the organisation. Cyber defence team ensures the businesses view it as a team of highly skilled professional which increases business engagement. 20

21 End-State State Vision: A Synergised Security Operations Capability A common interface and operating environment for security products, consolidated cross-product reporting, policy configuration and single sign-on access. Security Policies & Standards Event Monitoring & Analysis Core Security Operations Configuration System Hardening & Compliance Security Risk Vulnerability & Reporting Patch Technology & Architecture Data Backup & Recovery Incident Response Investigation & Forensics See More Do More Performance Enhancement Surge to Meet Demand 21

22 Contact us Anthony Robinson UKI Security Lead