4/21/2015. Jim Reavis, CEO, Cloud Security Alliance. Cloud Security Alliance, 2015.




Jim Reavis, CEO, Cloud Security Alliance

Agenda
CSA History: CloudCERT
White House Legislative Announcements
How is CSA addressing the issue of information sharing?
Cloud CISC Pilot Demo
Next Steps
Questions?

CSA History: CloudCERT
CloudCERT was conceived at the same time as the Cloud Security Alliance (CSA).
Its broad goal is to improve the defenses of the cloud ecosystem against attackers.
Emphasis was placed on developing CSA first, due to its broader scope and potential impact on industry.
The CloudCERT initiative was formally announced in 2010.
The Working Group has been meeting once a month since January 2011.

White House Legislative Announcements: Enable Cybersecurity Information Sharing
Promotes private sector to government information sharing, as well as private to private sharing via Information Sharing and Analysis Organizations (ISAOs).
Encourages the development of ISAOs by providing targeted liability protection to companies that share with these entities.
Requires DHS, DoJ, and the Privacy and Civil Liberties Oversight Board to develop disclosure guidelines.

White House Legislative Announcements: Modernize Law Enforcement Authorities to Combat Cyber Crime
Enable stronger authority to shut down botnets and prosecute their operators.
Criminalize the overseas sale of US financial information such as credit card and bank account numbers.
Update the Racketeer Influenced and Corrupt Organizations Act (RICO) so that it clearly applies to cyber crimes, and clarify penalties.
Clarify the Computer Fraud and Abuse Act (CFAA) so that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders.

White House Legislative Announcements: National Data Breach Reporting
Standardize the patchwork quilt of breach laws in place among 46 states into one Federal statute, and establish a single, clear and timely notice requirement to ensure companies notify their employees and customers about security breaches.

White House Legislative Announcements: White House Summit on Cyber Security and Consumer Protection
The Summit was held on February 13, 2015 at Stanford University.
It convened government and private sector leaders.
Topics included information sharing, creating and improving cybersecurity practices and technologies, and improving the adoption of more secure payment technologies.

How is CSA addressing the issue of information sharing?

The Problem
Attacks are becoming incredibly sophisticated.
Knowing what happened is one thing; knowing what to look for, to see whether it is happening to you, is key.
ISACs have had limited success.
The ISAC model is segmented by vertical (Financial Services, Energy, etc.); a view across the sectors is critical to protecting companies today.
ISACs do not allow for a Cloud segment.

The Problem (continued)
The ISAC model requires sending sensitive data to a trusted third party, and the submitting company's identity is known.
The Snowden incident has made sharing with trusted third parties undesirable today.
The need is clear: a trusted method of sharing is required, in which
the company's identity is not known, so it is not subject to subpoenas, etc.;
incident data submission is quick and simple;
data is analyzed rapidly, including correlation with other reports and open source data;
alerts are sent in minutes, not days or weeks;
and members can anonymously discuss attacks with others and share solutions.

The Solution: Cloud CISC, the CSA Cloud Cyber Incident Sharing Center
Cloud adoption is progressing at an accelerating pace. We are concerned that the lack of a robust, automated incident sharing function will inhibit the timely resolution of security incidents, hamper our ability to minimize the damage caused by incidents, and could ultimately have a serious negative impact on the industry.
The CSA Cloud CISC will:
provide a truly anonymous, global cyber security incident sharing platform for enterprises;
educate the public and private community on cloud security;
develop vendor-neutral best practices and technical standards;
develop policies aligning Cloud CISC with industry and government on an international basis.

How to get Involved: Work Group Co-chair
Currently seeking leadership for this initiative: 2-3 Co-chairs (1 appointed by CSA).
Co-chair requirements:
The appointed Co-chair must be an employee of a CSA Member Company.
Additional Co-chairs are decided by vote.
A time commitment is required.
Contact research@cloudsecurityalliance.org for additional details and questions.

How to get Involved: Work Group Participant
Currently seeking volunteers for the following areas:
Sub-group to focus on researching, developing and promoting vendor-neutral best practices.
Sub-group to define technical standards for information sharing.
Sub-group focused on information sharing policy development and outreach.
Sub-group to liaise with the standards development organizations (SDOs).
Contact research@cloudsecurityalliance.org if you are interested in getting involved.

How to get Involved: CISC Pilot Participant
We need support from our CSA Provider Community to participate in the Cloud CISC Pilot.
CALL TO ACTION: Submit Incident Report Data.
Data types: Title, Date, Region, Type of Attack, Known Remediation.
Contact pilot@cloudsecurityalliance.org if you are interested in getting involved with the pilot.

How the Cloud CISC Pilot Works: Anonymous Authentication
When users transmit sanitized reports, we execute a public anonymous authentication protocol that:
confirms the user is a member of the community, without disclosing the identity of the user; and
delivers a mathematical proof that the user has connected with Cloud CISC and that Cloud CISC does not know the identity of the user.
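The slide names the property ("member, but which member is unknown") without naming the mechanism, and the deck gives no protocol details. The following Python sketch is an added example, not Cloud CISC's own protocol: it shows one standard way to obtain that property, a Chaum-style RSA blind signature. The member authenticates normally once to receive a signature on a blinded value; later it submits a report under the unblinded credential, which the server verifies against its own public key but cannot link back to the issuance session. The key, member names and report are constructed for illustration, and the key size is a toy; a production deployment would use a full-domain hash and a real key.

```python
"""Anonymous membership credential via RSA blind signatures (added example, not Cloud CISC's protocol).

Issuance is authenticated: the server knows WHO it is signing for, but signs a blinded value.
Submission is anonymous: the server checks its own signature on the unblinded token, but it
never saw the token during issuance, so it cannot link the report to the member.
Textbook Chaum scheme with a toy, hard-coded key; not for production use.
"""
import hashlib
import math
import secrets
from typing import Dict, Iterable

# Constructed toy RSA key: two Mersenne primes, about 92 bits in total, far too small for real use.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; only the server holds it


def _hash_to_int(token: bytes) -> int:
    """Map a token into Z_N (toy hashing; a real scheme uses a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class MemberClient:
    """An enrolled member: gets one credential while identified, spends it anonymously later."""

    def __init__(self, member_id: str) -> None:
        self.member_id = member_id
        self.token = secrets.token_bytes(32)   # the credential's secret; never sent at issuance
        self.r = 0
        self.signature = 0

    def blind(self) -> int:
        """Hide H(token) behind a random factor r^E so the signer learns nothing about the token."""
        while True:
            self.r = secrets.randbelow(N - 2) + 2
            if math.gcd(self.r, N) == 1:
                break
        return (_hash_to_int(self.token) * pow(self.r, E, N)) % N

    def unblind(self, blind_sig: int) -> None:
        """(m * r^E)^D = m^D * r mod N, so dividing by r leaves a plain RSA signature on H(token)."""
        self.signature = (blind_sig * pow(self.r, -1, N)) % N


class CiscServer:
    """Issues blinded credentials to known members; accepts reports from anyone holding a valid one."""

    def __init__(self, enrolled: Iterable[str]) -> None:
        self.enrolled = set(enrolled)
        self.issued_to: set = set()   # one credential per identity
        self.spent: set = set()       # tokens already used, to stop replay of a captured credential
        self.reports: list = []

    def issue(self, member_id: str, blinded: int) -> int:
        """Authenticated step: the identity is known here, the token is not."""
        if member_id not in self.enrolled:
            raise PermissionError("not an enrolled member")
        if member_id in self.issued_to:
            raise PermissionError("credential already issued")
        self.issued_to.add(member_id)
        return pow(blinded, D, N)

    def submit(self, token: bytes, signature: int, report: Dict[str, str]) -> bool:
        """Anonymous step: a valid signature on an unspent token is all that is checked."""
        if pow(signature, E, N) != _hash_to_int(token):
            return False
        if token in self.spent:
            return False
        self.spent.add(token)
        self.reports.append(report)
        return True


def run_protocol() -> Dict[str, bool]:
    """Full exchange with a constructed member and report; returns the checks a reviewer would want."""
    server = CiscServer(["acme-cloud", "globex"])
    alice = MemberClient("acme-cloud")
    blinded = alice.blind()
    alice.unblind(server.issue("acme-cloud", blinded))
    report = {"title": "Credential stuffing against console", "region": "EU-West"}  # constructed

    accepted = server.submit(alice.token, alice.signature, report)
    replayed = server.submit(alice.token, alice.signature, report)
    forged = server.submit(secrets.token_bytes(32), 12345, report)
    try:
        server.issue("not-a-member", blinded)
        outsider_issued = True
    except PermissionError:
        outsider_issued = False
    return {
        "accepted": accepted,
        "replay_rejected": not replayed,
        "forgery_rejected": not forged,
        "outsider_rejected": not outsider_issued,
        # what the server saw at issuance differs from what it later verifies
        "issuance_unlinkable": blinded != _hash_to_int(alice.token),
    }


if __name__ == "__main__":
    print(run_protocol())
```

Two things to note against the slide's claims. The "member but anonymous" property holds only if the server cannot correlate the issuance and submission sessions by other means (source IP, timing, a one-member community), so the transport layer matters as much as the math. And the spent-token set is what makes a credential single-use; without it, a captured credential could be replayed to inject reports under someone else's membership.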

The Cloud CISC methodology allows for easy sharing while preserving complete anonymity:
1. Scrub incident reports of identifying information. Protects customer PII and corporate IP, mitigating discovery concerns.
2. Share unattributable reports. Protects company identity.
3. Correlate and analyze. Immediately correlates the report with open source data and other submitted reports.
4. Alerts and review. Alerts members to the new report for review, along with correlated, actionable information.
5. Rate and collaborate. Reports are rated to increase relevance, and members collaborate with the Cloud CISC Coordinator.

CISC Pilot Demo
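Steps 1 and 3 are the ones a practitioner has to get right in code, and they pull in opposite directions: scrubbing must remove what identifies the victim while keeping what identifies the attacker, or the correlation step has nothing left to match on. The following Python example is added here and is not Cloud CISC's implementation. The report layout follows the pilot's data types (title, date, region, type of attack, known remediation); the three incident reports, hostnames, addresses and hash are constructed; and the choice of what counts as "internal" (RFC 1918, loopback, link-local) versus "indicator" (any other IPv4 address, SHA-256 hashes) is this example's assumption.

```python
"""Scrub-then-correlate for anonymous incident sharing (added example, not Cloud CISC code).

Step 1 (scrub): redact victim-identifying data in free text and drop attribution fields.
Step 3 (correlate): match attacker-side indicators against already-submitted reports.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[a-fA-F0-9]{64}\b")

# Assumption for this example: these ranges are the victim's own address space and must not
# leave the organization. Everything else that looks like an address is an attacker indicator.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Fields that may be shared; anything else (e.g. "submitter", "org_domains") is dropped.
SHARED_FIELDS = ("title", "date", "region", "attack_type", "remediation")


def _valid_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:          # e.g. "999.1.1.1" also matches the loose regex
        return False


def _is_internal(text: str) -> bool:
    return _valid_ip(text) and any(ipaddress.ip_address(text) in net for net in INTERNAL_NETS)


def scrub(report: Dict[str, object], org_domains: Iterable[str]) -> Dict[str, str]:
    """Return a copy safe to share: emails, internal IPs and org hostnames redacted, attribution removed."""
    text = str(report["description"])
    # Emails first, so the domain pass below does not leave a dangling "user@[ORG_HOST]".
    text = EMAIL_RE.sub("[EMAIL]", text)
    # Redact only internal addresses; external attacker IPs are the indicators we want to keep.
    text = IPV4_RE.sub(lambda m: "[INTERNAL_IP]" if _is_internal(m.group()) else m.group(), text)
    # Any hostname under one of the organization's own domains identifies the victim.
    for domain in org_domains:
        text = re.sub(r"\b[\w.-]*" + re.escape(domain) + r"\b", "[ORG_HOST]", text, flags=re.IGNORECASE)
    scrubbed = {k: str(report[k]) for k in SHARED_FIELDS}
    scrubbed["description"] = text
    return scrubbed


def indicators(scrubbed: Dict[str, str]) -> Set[str]:
    """Attacker-side indicators left after scrubbing: non-internal IPv4 addresses and SHA-256 hashes."""
    text = scrubbed["description"]
    ips = {ip for ip in IPV4_RE.findall(text) if _valid_ip(ip) and not _is_internal(ip)}
    hashes = {h.lower() for h in SHA256_RE.findall(text)}
    return ips | hashes


def correlate(new: Dict[str, str], pool: Iterable[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Titles of earlier reports that share at least one indicator with the new one, plus what they share."""
    new_ind = indicators(new)
    hits = []
    for other in pool:
        shared = new_ind & indicators(other)
        if shared:
            hits.append((other["title"], sorted(shared)))
    return hits


# Constructed incident reports in the pilot's data-type layout (not real incidents; .example domains,
# documentation-range addresses, and the SHA-256 of the empty string as a stand-in hash).
SAMPLE_REPORTS = [
    {"title": "Credential stuffing against customer console", "date": "2015-04-02", "region": "US-East",
     "attack_type": "credential stuffing", "remediation": "Rate-limit logins; enforce MFA on console",
     "submitter": "Acme Cloud Inc.", "org_domains": ["acme-cloud.example"],
     "description": "Bursts of failed logins from 203.0.113.45 and 198.51.100.7 hit login.acme-cloud.example; "
                    "alerts went to soc@acme-cloud.example; internal jump host 10.20.30.40 was probed next."},
    {"title": "Dropper observed on tenant VM", "date": "2015-04-05", "region": "EU-West",
     "attack_type": "malware", "remediation": "Block C2 at egress; reimage VM",
     "submitter": "Globex Hosting", "org_domains": ["globex.example"],
     "description": "Tenant VM 192.168.4.12 ran a dropper, SHA-256 "
                    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, beaconing to 203.0.113.45:443."},
    {"title": "Phishing of billing staff", "date": "2015-04-06", "region": "APAC",
     "attack_type": "phishing", "remediation": "User awareness; DMARC reject",
     "submitter": "Initech", "org_domains": ["initech.example"],
     "description": "Spoofed mail to billing@initech.example linked to 198.51.100.200; no payload delivered."},
]


def demo() -> Dict[str, object]:
    """Scrub every constructed report, then correlate the first against the rest."""
    pool = [scrub(r, r["org_domains"]) for r in SAMPLE_REPORTS]
    return {"scrubbed_first": pool[0], "hits_for_first": correlate(pool[0], pool[1:])}


if __name__ == "__main__":
    out = demo()
    print(out["scrubbed_first"]["description"])
    print(out["hits_for_first"])
```

The design point is the asymmetry in step 1: a blanket "redact all IP addresses" rule would make step 3 useless, so the scrubber keys on the victim's own address space and domains, and the attacker's infrastructure survives to be correlated. Free-text descriptions will still leak identity through phrasing (product names, unusual port numbers, a region plus a rare attack type), so a human review of the scrubbed text before sharing is still warranted; regexes only catch the structured identifiers.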

Cloud CISC Next Steps
Kick-off call, and develop a 6-month information sharing pilot: starting May/June 2015.
Develop and deliver educational programs on cloud security and the need for information sharing, for both the public and private sector: ongoing, based on results.
Identify areas of potential CSA research based on pilot results: Q1 2016.
Identify best practices and the need for technical standards: Nov 2015 - May 2016.
Identify the need for policies and alignment across industries and governments: Nov 2015 - May 2016 ???