ECONOMICS, SECURITY MANAGEMENT AND THE FUTURE INTERNET. Simon Shiu HP Labs 15 th April 2010




Copyright 2010 Hewlett-Packard Development Company, L.P.

SYNOPSIS OF THIS TALK
- The application of economic methods to enterprise security management
- Early work on the application of economic methods to cloud information stewardship
- Some personal thoughts on the relevance of economic methods to security management in the future internet

TODAY'S SECURITY MANAGEMENT LIFECYCLE
Economics / threats / investments; policy, process, people, technology and operations; security analytics; assurance and situational awareness.

[Figure: vulnerability-handling decision flow. Vulnerability disclosed -> vulnerability assessment -> test solution -> patch deployment, with branches: Malware reports? Patch available? Workaround available? (implement workaround) Exploit available? Exposed? Early mitigation? (deploy mitigation) Accelerate? leading to accelerated patching or emergency patching.]

[Chart: proportion of vulnerabilities against the risk-reduced window (measured from disclosure time) across all vulnerabilities on a timeline.]

[Figure: trusted infrastructure. Personal environment (Win/Lx/OSX) and corporate productivity OS, home banking, e-government interface, remote IT management, corporate soft phone and corporate production environment OS, all running over a trusted hypervisor.]
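The decision flow and the "risk-reduced window" chart on this slide can be made concrete with a small model. The following Python is an added example, not code from the talk: it encodes one reading of the decision tree (the edge order, the step durations and the sample vulnerabilities are all assumptions made here) and computes, for a list of vulnerabilities, the days from disclosure until risk is reduced and the proportion of vulnerabilities falling into each window bucket, which is what the chart plots.

```python
"""Vulnerability lifecycle model (added example, not from the slides).

Encodes one reading of the slide's decision tree and computes the
"risk-reduced window from disclosure" that the chart plots. The decision
order, the step durations and the sample vulnerabilities are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed lead times, in days, for each process path on the slide.
NORMAL_PATCHING = 30       # assessment, test, staged deployment
ACCELERATED_PATCHING = 7
EMERGENCY_PATCHING = 1
WORKAROUND = 2             # implement a documented workaround
EARLY_MITIGATION = 3       # compensating control, e.g. block at the perimeter


@dataclass
class Vuln:
    name: str
    exposed: bool             # do we run the affected component reachably?
    exploit_public: bool      # exploit code or malware reports exist
    workaround: bool          # a workaround is documented
    patch_lag: Optional[int]  # days from disclosure until a patch exists (None: none yet)
    severity: str = "medium"  # drives the "Accelerate?" decision (assumed rule)


def choose_path(v: Vuln) -> str:
    """Walk the decision tree; the edges are this example's reading of the slide."""
    if not v.exposed:
        return "accept"                       # nothing to reduce
    if v.exploit_public:
        if v.patch_lag is not None and v.patch_lag <= WORKAROUND:
            return "emergency_patch"          # patch lands as fast as a workaround
        if v.workaround:
            return "workaround"
        if v.patch_lag is not None:
            return "emergency_patch"
        return "early_mitigation"
    if v.patch_lag is None:
        return "workaround" if v.workaround else "monitor"
    return "accelerated_patch" if v.severity == "high" else "normal_patch"


def risk_reduced_window(v: Vuln) -> int:
    """Days from disclosure until risk is reduced on the chosen path (-1: open-ended)."""
    path = choose_path(v)
    if path == "accept":
        return 0
    if path == "workaround":
        return WORKAROUND
    if path == "early_mitigation":
        return EARLY_MITIGATION
    if path == "emergency_patch":
        return v.patch_lag + EMERGENCY_PATCHING
    if path == "accelerated_patch":
        return v.patch_lag + ACCELERATED_PATCHING
    if path == "normal_patch":
        return v.patch_lag + NORMAL_PATCHING
    return -1  # "monitor": no patch and no workaround, window stays open


def window_distribution(vulns, edges=(0, 3, 7, 14, 30, 60)):
    """Proportion of vulnerabilities per window bucket, like the slide's chart.
    Open-ended windows are counted in an 'open' bucket."""
    labels = [f"<= {e}d" for e in edges] + [f"> {edges[-1]}d", "open"]
    counts = {label: 0 for label in labels}
    for v in vulns:
        w = risk_reduced_window(v)
        if w < 0:
            counts["open"] += 1
            continue
        for e in edges:
            if w <= e:
                counts[f"<= {e}d"] += 1
                break
        else:
            counts[f"> {edges[-1]}d"] += 1
    n = len(vulns)
    return {label: c / n for label, c in counts.items()}


# Constructed sample, not real vulnerability data.
SAMPLE = [
    Vuln("browser-rce", exposed=True, exploit_public=True, workaround=True, patch_lag=5),
    Vuln("db-priv-esc", exposed=True, exploit_public=False, workaround=False, patch_lag=10, severity="high"),
    Vuln("mail-dos", exposed=True, exploit_public=False, workaround=True, patch_lag=0),
    Vuln("legacy-app", exposed=False, exploit_public=True, workaround=False, patch_lag=None),
    Vuln("vpn-auth-bypass", exposed=True, exploit_public=True, workaround=False, patch_lag=None),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.name:16} {choose_path(v):18} window={risk_reduced_window(v)}d")
    print(window_distribution(SAMPLE))
```

Changing the assumed lead times (say, NORMAL_PATCHING from 30 to 14 days) shifts mass between the buckets; that shift is the "risk reduced" effect of a process investment that the later slides try to value.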

PROBLEMS WITH SECURITY INVESTMENTS
- Security investments affect multiple outcomes: budget, confidentiality, integrity, availability, ...
- In most situations these outcomes can only be predicted with high degrees of uncertainty
- Often the outcomes are inter-related (trade-offs) and the link to investments is poorly understood
- Classical business justification/due diligence (Return on Security Investment, cost-benefit analysis) encourages these points to be glossed over

ECONOMIC FRAMING: AN ANALOGY
The central bank problem: how to set the interest rate to achieve satisfactory levels of inflation (f) and unemployment (e). "Satisfactory" is defined by a utility (or loss) function, such as:
U(e, f) = F(e - e*) + G(f - f*) + ...
where e* and f* are the target levels.
The security management problem: how to invest in security to achieve satisfactory levels of confidentiality (C) and availability (A). And then there is the limited budget.

PREFERENCE ELICITATION (CONSTRUCTION?)
Structured discussion, framed by initially provided components, leading to agreed proxies for our utility components:
- Confidentiality: impact of breaches, assurance; proxies: number of breaches, number of detected breaches
- Availability: proxy: SLA violations
- Cost: effect on capital expense and operational expense; proxy: F(capex, opex)

OUR METHODOLOGY
[Figure: Problem -> Problem Architecture -> Preferences (components of utility) -> Utility; Problem Architecture also drives the System Model (things to measure). Feedback loops: problem refinement, and consequences of preferences.]
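To show how the pieces of the methodology fit together (elicited preferences become a loss function over the agreed proxies; a system model gives each investment option a distribution over those proxies; the two combine into an expected loss), here is an added Python example. It is not code from the talk: the option names, probabilities, targets and weights are assumed for illustration, and the loss form is the central-bank style loss from the analogy slide, made one-sided so that doing better than target is not penalised. It also reports tail probabilities, since an expected-value comparison alone glosses over the uncertainty the earlier slide warns about.

```python
"""Expected-loss comparison of security investment options.

Added example, not code from the slides. Elicited preferences become a
loss function over the agreed proxies (# breaches, SLA violations, cost);
a system model gives each option a discrete distribution over those
proxies. Option names, probabilities, targets and weights are assumed.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple

# Elicited preferences (assumed): the satisfactory level x* for each proxy
# and how much a unit of shortfall hurts. Cost is in thousands.
TARGET = {"breaches": 0, "sla_violations": 1, "cost_k": 250}
WEIGHT = {"breaches": 50.0, "sla_violations": 20.0, "cost_k": 0.01}


def loss(outcome: Dict[str, float], weight: Dict[str, float] = WEIGHT) -> float:
    """One-sided quadratic loss: L = sum_i w_i * max(0, x_i - x_i*)^2.
    The central-bank style loss, restricted to shortfalls against target."""
    return sum(weight[k] * max(0.0, outcome[k] - TARGET[k]) ** 2 for k in TARGET)


@dataclass
class Option:
    """One investment option with its system-model outputs: a discrete
    distribution (value -> probability) per proxy, assumed independent."""
    name: str
    capex_k: float
    opex_k: float
    breaches: Dict[int, float]
    sla_violations: Dict[int, float]

    def scenarios(self) -> List[Tuple[float, Dict[str, float]]]:
        """Enumerate joint outcomes with their probabilities."""
        cost = self.capex_k + self.opex_k  # the F(capex, opex) proxy, here a plain sum
        return [
            (pb * ps, {"breaches": b, "sla_violations": s, "cost_k": cost})
            for (b, pb), (s, ps) in product(self.breaches.items(), self.sla_violations.items())
        ]


def expected_loss(opt: Option, weight: Dict[str, float] = WEIGHT) -> float:
    return sum(p * loss(o, weight) for p, o in opt.scenarios())


def prob_loss_above(opt: Option, threshold: float, weight: Dict[str, float] = WEIGHT) -> float:
    """Tail risk that a single expected-value (RoSI-style) figure hides."""
    return sum(p for p, o in opt.scenarios() if loss(o, weight) > threshold)


def rank(options: List[Option], weight: Dict[str, float] = WEIGHT) -> List[str]:
    """Option names ordered from lowest to highest expected loss."""
    return [o.name for o in sorted(options, key=lambda o: expected_loss(o, weight))]


# Constructed options; the distributions are illustrative, not measured.
OPTIONS = [
    Option("baseline", 0, 100, {0: 0.5, 1: 0.3, 3: 0.2}, {0: 0.6, 2: 0.4}),
    # Faster patching cuts breaches, but the extra change load causes outages:
    # the confidentiality/availability trade-off from the earlier slide.
    Option("patch_automation", 150, 120, {0: 0.8, 1: 0.2}, {0: 0.5, 2: 0.3, 4: 0.2}),
    Option("managed_soc", 50, 300, {0: 0.7, 1: 0.3}, {0: 0.7, 2: 0.3}),
]

if __name__ == "__main__":
    for o in OPTIONS:
        print(f"{o.name:17} E[loss]={expected_loss(o):7.1f}  P(loss>110)={prob_loss_above(o, 110):.2f}")
    print("ranking:", rank(OPTIONS))
    # Consequences of preferences: relax the budget weight and the ranking changes.
    cheaper_money = dict(WEIGHT, cost_k=0.001)
    print("ranking if cost matters 10x less:", rank(OPTIONS, cheaper_money))
```

With the assumed numbers, patch automation has the lowest expected loss under the stated budget preference, but the managed SOC wins once the cost weight is reduced tenfold; that sensitivity is exactly the "consequences of preferences" feedback loop in the methodology figure, and it is what a single RoSI number cannot show.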

THE CLOUD ECO-SYSTEM
[Figure: three tiers.
- Pure consumers: consumer, small business, enterprise, government department
- Consumer/providers: simple ISP, bundled ISP, integrated ISP
- Pure providers: CPU infrastructure, secure archive storage, 24*7 available storage]

STEWARDSHIP IN THE CLOUD ECO-SYSTEM
[Figure: the same three tiers (consumer, small business, enterprise, government department; simple, bundled and integrated ISPs; CPU infrastructure, secure archive storage, 24*7 available storage). Requirements and expectations flow down from consumers; obligations and preferences flow across the providers; incentives act on each party; confidentiality, integrity and availability are the properties being stewarded.]

CLOUD STEWARDSHIP ECONOMICS
Key ideas that are guiding our empirical work:
- Information asymmetry: as the service provider, I know more about the costs and risks of handling your data than you or any regulator
- Externalities; public/club goods: being secure costs me more than I gain, even though others in the community gain too
- Heterogeneity of services and users: how do we value bundled security characteristics and develop associated product and pricing strategies?
As well as applying preference, utility and system modelling to this context.

FOUNDATIONS OF TRUST IN THE FUTURE INTERNET
My current views:
- Left unchecked, the (IT) services market will prioritise low cost and flexibility, with bad security externality effects
- To counter this we need organisations to become much more explicit about their (current and future) information security lifecycle and needs (the enterprise security lifecycle)
- Sharing security information is already hard; it will be harder in the services eco-system
- We should think more about how adjusting incentives can improve this situation

Q&A