Addressing Evolving Threats & Responses in a MITA 3.0 World Robert Myles, CISSP, CISM




Addressing Evolving Threats & Responses in a MITA 3.0 World Robert Myles, CISSP, CISM National Practice Manager, State & Local Government

Founded in 1982
IPO in 1989
Approximately 21,500 Employees
Operations in 48 Countries
#379 on the 2013 Fortune 500
100 Percent of Fortune 500 Companies are Customers
$6.9 Billion Revenue in FY2013; Approximately 52% Outside of the U.S.
More Than 1,900 Global Patents
Invests 14% of Annual Revenue in R&D*
Operates one of the world's largest storage clouds: 100 PB and growing at 5 PB per quarter
* R&D investment is non-GAAP

Robert Myles, CISSP, CISM
USCG Retired
Recovering CISO with 15 years in Health Care, Academic Medical Centers & Financial services
Public Health/Public Safety Practice Manager, National responsibility for State, Local Government
23 Years in Information Security
27 years in Health Care
30 years in IT
CISSP (2001), CISM (2004)
Committees: NASCIO, NACO, IJIS, MS-ISAC, THSA, HIMSS P&S CyberSecurity Taskforce

Today's Healthcare Challenges
Healthcare: an industry facing multiple, interrelated challenges
Regulatory Pressures
Mobility & Consumerization of Healthcare
HIE Expansion
EMR/EHR Adoption
Cyber Threats in Healthcare
Exponential Storage Growth and Data Consolidation


Technology Trends DATA GROWTH CONSUMERIZATION Mobile Social IT-IFICATION KEY TRENDS CLOUD VIRTUALIZATION THREAT LANDSCAPE

Always On and Everywhere: Digital World Enhances or Replaces Much of the Physical World
What are the challenges? The consumer space has eclipsed the enterprise technology environment and outpaced the large enterprise's ability to manage the security perimeter and mobile environment.


Mass-scale Targeted Attack Campaign
1200+ attacks
10 days in April/May 2012
Over 20 companies hit
[Figure: campaign graph. Key: Attacker, Subject, MD5, Target, Server, Mailer, Sender IP, Date]


Information Explosion: 2.7 zettabytes. Store it, back it up, discover it, report it.

Social Media

Changes In Working Style
80% [1]: New apps deployed in the cloud
65% [2]: Enterprises allow mobile access to their network
52% [3]: Workers use three or more devices
Sources:
1. IDC Predictions 2012: Competing for 2020, Frank Gens, IDC, December 2011
2. The Impact of Mobile Devices on Information Security: A Survey of IT Professionals, Check Point, January 2012
3. Info Workers Using Mobile And Personal Devices For Work Will Transform Personal Tech Markets, Frank E. Gillett, Forrester Research, February 22, 2012

State and Local Government Mobility
NASCIO 2012 Survey: 79% of state and local CIOs have mobility documented in their strategic plans
Government Technology Survey: 58% of state and local CIOs anticipate increased mobility spending in 2012
Lone Star State Launches Mobile Website: Roughly 70% of new visitors are new users
Golden State Creates Template for Launching Ready Made Mobile Applications (m.ca.gov): Californians accessing the internet by mobile phones has doubled (from 19% to 40%) in 3 years
The Result: Massive influx of sensitive public data entering the mobile environment

Just One Problem: BYOD
2010: 177M Corp PCs, 300M Smartphones, 15M Tablets
2015: 246M Corp PCs, 293M Personal PCs, 1017M Smartphones, 326M Tablets
[Figure: Current State vs. Desired State. Axes: Managed / Unmanaged, Full Control / Info/App Access Only, Device Centric / App Centric, Organization owned / Personally owned, Devices / Data]
Sources: Gartner & IDC

Characteristics of a Brave New World: Relentless Threats, Targeted Threats. Internet Security Threat Report 2013 :: Volume 18

Targeted Attacks in 2012. Internet Security Threat Report 2013 :: Volume 18

Threat Landscape: Who is behind malware attacks right now? Hackers, Cyber Criminals, Cyber Spies, Hacktivists

Specialization of Skill In The Attack Chain
Reconnaissance: Know your Targets
Incursion: Gain Access
Discovery: Create a Map to the Asset
Capture: Take Control of the Asset
Exfiltration: Steal or Destroy Asset

Targeted Attacks by Company Size
2,501+ employees: 50%
1 to 2,500 employees: 50%, broken down as:
1,501 to 2,500: 2%
1,001 to 1,500: 3%
501 to 1,000: 5%
251 to 500: 9%
1 to 250: 31% (18% in 2011)
Greatest growth in 2012 is at companies with <250 employees
Internet Security Threat Report 2013 :: Volume 18

Most Dangerous New Threat Vectors
Exploiting personal information on profile pages
Lead to a malware hosted site from a legitimate social website 97% of the time
Malicious code spreading by sending direct messages and status updates
315 mobile vulnerabilities discovered in 2011 (up 93%)
Mobile malware collects personal data, tracks locations, sends text messages
96% of lost phones result in data breach

Spear Phishing: Send an email to a person of interest
Watering Hole Attack: Infect a website and lie in wait for them
Targeted Attacks predominantly start as spear phishing attacks
In 2012, Watering Hole Attacks emerged (popularized by the Elderwood Gang)
Internet Security Threat Report 2013 :: Volume 18

Effectiveness of Watering Hole Attacks
Watering Hole Attack in 2012 Infected 500 Companies, All Within 24 Hours
Watering Hole attacks are targeted at specific groups
Can capture a large number of victims in a very short time
Internet Security Threat Report 2013 :: Volume 18

Cyber Security Spend
US Federal Government spend: 18% of IT budget ($76B). Source: OMB Oversight Report 2012
Banks and Financial sector: 15% of IT budget. Source: IDC Intelligent Economy and State of Security Report 2011
Most States spend approximately 1.5% of their overall IT budget on cyber security, compared with the Private Sector, which spends on average approximately 15% of the IT budget.

Public Sector Landscape
STATE: Department of Revenue, 3.2 million records exposed. Approximately $25M to remediate
STATE: 280,000 people affected after hacker breaks into server due to configuration error. Approximately $10M to remediate
STATE: $1.7M payout after hard drive is stolen containing Medicaid beneficiary information
STATE: Misplaced USB drive containing PHI for 280,000 Medicaid recipients. Fines Pending
COMPANY: $1.2M settlement for HIPAA Violations. Failure to protect PHI data, 344,579 Individuals
Breach Cause: Web based 17%; Phishing 22%; SQL injection 28%; Theft of data 28%; Criminal Insider 33%; Viruses, 50%
States have the responsibility of protecting their constituents' identities and their information

The strategies of the past will not support the infrastructure of today and for the future: FERPA, GLBA, SOX, FISMA, IRS 1075, HIPAA Privacy, HIPAA Security, PCI, ARRA/HITECH, PPACA, HIPAA Omnibus Rule

Where is your Data? http://thedatamap.org/

Enterprise Information Centric Model: Policy, Compliance, Identity, Remediation, Reporting, Classification, Threats, Encryption, Ownership, Discovery

MMIS Risk Management Drivers
MITA 3.0: Business, Information, & Technical Architecture; S&P integrated across the enterprise
HIPAA guided Policies: State S&P, Federal S&P, Private Industry Requirements, Meaningful Use
Use cases: RBAC to data level; Secure data privacy, authentication and non repudiation; Automate compliance; Global threat w/ IDS/IPS; Data management

Deploying a MITA Aligned MMIS Framework
HIPAA Administrative Safeguards
1. Security Management Process
2. Assigned Security Responsibility
3. Workforce Security
4. Information Access Management
5. Security Awareness and Training
6. Security Incident Procedures
7. Contingency Plan
8. Evaluation
9. Business Associate Contracts and Other Arrangements
HIPAA Technical Safeguard Requirements
1. Access Control
2. Audit Controls
3. Integrity
4. Person or Entity Authentication
5. Transmission Security
HIPAA Physical Safeguard Requirements
1. Facility Access Controls
2. Workstation Use
3. Workstation Security
4. Device and Media Controls

Use case mappings
Data management to optimize recoverability and minimize cost
RBAC to the Data level
Data use compliance and enforcement
Automate compliance management & Continuous Monitoring
Global threat intelligence applied to perimeter security
Secure data privacy, authentication and nonrepudiation

Control Compliance Suite (Policy, Technical Standards and Vulnerability Modules)
TECHNICAL CONTROLS: Compliance Suite (Standards Manager), Compliance Suite (Vulnerability Manager)
POLICY, PROCEDURAL CONTROLS, REPORT, REMEDIATE: Compliance Suite (Policy Manager), Compliance Suite (Response Assessment Manager), Compliance Suite (Infrastructure), Service Desk
DATA CONTROLS: Data Loss Prevention, eDiscovery
EVIDENCE, 3rd PARTY EVIDENCE: Compliance Suite (Infrastructure)
ASSETS, CONTROLS

Roles Based Access (PKI, FDR)
1. Know who is accessing your systems
2. Ensure both users and organizations are trusted
3. Prevent password sharing & fraudulent access
Digital Certificates (PKI): PKI service issues certificates for strong authentication, encryption and digital signing
User Authentication Product Family, Two Factor Authentication: Shared cloud based two factor authentication solution offering multiple credential choices
Fraud Detection (Rules Eng., Behavior Eng., RISK SCORE): Risk Based authentication and software based fraud detection
Government, Providers, Payers, HIEs

Data Loss Prevention & eDiscovery (endpoint, storage and network)
DLP Policy: Monitoring & Prevention, Discovery & Protection
CD/DVD, Email, USB Devices, Webmail, Laptops, Instant Message, FTP, File Servers, Web servers, SharePoint / Lotus Notes / Exchange, Databases

Encryption (endpoint, server, e-mail, transmission): Key management; Theft or loss; e-mail and user shares; Hard-drive or removal

On premise Threat Protection: The Needs of IT Operational Teams
Endpoints, Servers, Gateway: Complete Endpoint Protection; Data Loss Prevention; Inventory & Patch Management; Advanced Server Security; Audit Compliance; Multi platform Support; Robust Mail & Web Security; Messaging Data Loss Prevention; Network Access Control
Endpoints, Servers, Gateway: Policy Management; Centralized Control; End to end Visibility; Process Automation
Enterprise Infrastructure

Off Premise Threat Protection
Access Control, Information Protection
O3 Cloud: Visibility, Control, Security, Compliance
Private Cloud
To embrace the cloud with confidence

High Availability: Addressing the Shift in Mission Critical Environments Simplify migration from physical Virtualize Without Compromise Ensure High Availability Enable the Private Cloud environments to x86 and new storage platforms in virtual environments Offer the mission critical availability and DR that enterprises are used to on x86 and virtualized infrastructure Manage Storage and I/O Optimization for new storage platforms and virtualized environment

How to address Regulatory Mandates
Develop and Enforce IT Policies: Symantec Control Compliance Suite, Symantec Data Loss Prevention, Symantec Network Access Control
Authenticate Identities to Systems: User Authentication and Managed PKI
Protect confidential Information: PGP, Data Loss Prevention, NetBackup / Backup Exec, Enterprise Vault, Veritas Volume Replicator
Manage the Infrastructure: IT Management Suite including Mobile Device Management from Symantec
Protect the Infrastructure: Symantec Protection Suite, Symantec Web Gateway, Symantec Message Gateway, Symantec Security Information Manager, Symantec Critical Systems Protection

Stay Informed: symantec.com/threatreport, Security Response Website, Twitter.com/threatintel

Thank you! Robert Myles, CISSP, CISM National Practice Manager, State & Local Government @RobertMyles Robert_Myles@Symantec.com http://www.linkedin.com/in/robertmyles/
Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Industry Recognition: Security Leadership; Storage and Availability Management Leadership
Email Archiving (#1 market position 11, Leader in Gartner Magic Quadrant 12)
E Discovery (#1 market position 13, Leader in Gartner Magic Quadrant for E Discovery Software 14)
Core Storage Management Software (#1 market position 11)
Storage Resource Management (Leader in Gartner Magic Quadrant for SRM Software 15)
File System Software (#1 market position 16)
Backup and Recovery (#1 market position 11, Leader in Gartner Magic Quadrant for Backup and Recovery 17)
Consumer Endpoint Security (#1 market position 1)
Endpoint Security (#1 market position 2, Leader in Gartner Magic Quadrant 3)
Messaging Security (#1 market position 4, Leader in Gartner Magic Quadrant leader 5)
Data Loss Prevention (#1 market position 6, Leader in Gartner Magic Quadrant 7)
Security Management (Leader in Gartner Magic Quadrant 8)
SSL Certificates (#1 market position 9)
Client Management Tools (Leader in Gartner Magic Quadrant 10)