Cyber Resilience: Implementing the Right Strategy
Grant Brown, Specialist, CISSP (@TheGrantBrown)
Network + Technology + Customers = $$
Perfect storm?
1) Increase in bandwidth (extended reach)
2) Readily available technology (for malware authors)
3) Money
4) Minimal awareness
Before jumping in: what is cybercrime, exactly? The simple answer is that it is complicated.
The Council of Europe Cybercrime Treaty (the Budapest Convention) covers everything from data used for criminal purposes to copyright infringement. The United Nations includes fraud, forgery and unauthorised access as cybercrimes. Symantec's definition: any crime using a computer, hardware device or network where the computer is the agent, facilitator or target of the crime.
Is Mauritius under attack? (chart: spam, zombie and malicious-code activity)
Robert Mueller, FBI Director, RSA Conference 2011: "There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again."
What this all means to business
Technology and business are inextricably linked: 80% of new business growth to customers is via the Internet. Eliminating all risk is impossible, and attempting to do so impedes agility.
1. Organisations need to define their risk appetite
2. The goal is to become cyber resilient
What is cyber resilience? Some existing definitions:
1. Resilience is the ability of an ecosystem to return to its original state after being disturbed. (Wikipedia)
2. Cyber resilience is the organisation's capability to withstand negative impacts due to known, predictable, unknown, unpredictable, uncertain and unexpected threats from activities in cyberspace. (Information Security Forum)
3. Cyber resilience is the ability of systems and organisations to withstand cyber events, measured by the combination of mean time to failure and mean time to recovery. (World Economic Forum)
Cyber resilience defined: cyber CIA (confidentiality, integrity, availability), process, a governance framework, and multiple stakeholders.
Source: ISF, Cyber Strategies
The questions a strategy must answer:
1. How can we identify and prioritise the key threats when there are so many?
2. If an attack is successful, how can we respond quickly to contain the impact and recover?
3. How can we best use the resources and capabilities we have to protect our organisation?
4. How can we measure and demonstrate the value of our spending on security?
What is driving the cyber phenomenon?
1. Hyper-connected world: increased dependency on connected services and information exchange (e.g. online and on-demand web and cloud services)
2. Rapid IT evolution: IT platforms, devices and services evolving at a pace we have never seen before (e.g. mobile, virtualisation, social media technologies)
3. Agile targeted threat: threats and actors leveraging hyper-connectivity, IT evolution and weak traditional boundary-style security approaches (e.g. APTs, hacktivism, insider abuse, reputation damage)
4. Cyber risk: increased business impact
(Source: Cyber Threats & Cyber Resiliency Blueprint)
What does that mean for our approach? Changing the focus for cyber (chart: traditional approach, 85%) to:
Cyber assessment; IT control and visibility; external threat intelligence; business awareness and involvement; advanced threat protection; incident response, malware analysis and forensics; enhanced intelligence exchange and sharing.
Management maturity model (increasing benefits and influence with functional maturity; "Defined" is not enough):
1. Initial: reactive mode, responding to incidents and requests; IT not valued
2. Repeatable: awareness mode, more comprehensive security controls, beginning to integrate in silos; IT seen as a tactical resource
3. Defined: informed mode, more holistic view of the threat landscape and IT infrastructure, looking for efficiencies; IT seen as a commodity
4. Managed: innovative mode, measurable and auditable IT, proactive and preventative risk-based approach; IT seen as an enabler
5. Optimised: strategic mode, innovative offerings, business alignment, dynamic; IT seen as a partner
The cyber risk reality: an overlapping set of business and technical challenges
Cyber risk challenges:
1. Lack of business ownership: organisational ownership does not support the desired level of cyber resilience
2. People and process: poor cyber security appreciation, inappropriate staff behaviours and non-compliance with security policies
3. Evolving technologies: evolving IT trends (cloud, mobility, virtualisation and Web 2.0) increase the complexity and cost of defending against cyber risks
4. Architecture: weakly integrated security architectures and disparate security technologies provide opportunities for targeted cyber attacks
5. Lack of visibility: lack of situational awareness results in poor incident visibility
Requirements for cyber resilience: business ownership; education, awareness and monitoring; an effective strategy; integrated, information-centric solutions.
Where can I get help with my strategy? Navigate the maze of cyber strategies, standards and guidance:
1. Nation-state cyber regulation, directives and strategies: US directives, EU directives, EU state cyber strategies (UK)
2. Organisational cyber standards: PAS 555, ISO 2700x, ISF SOGP
3. Cyber frameworks and best practices: NIST 2013 Framework, ENISA, COBIT
4. Cyber technical standards and advisories: NIST technical standards, NERC standards, CSIRT (CERT), CSIS standards, CSA cloud standard, SCAP, STIX
5. Cyber guidance and tools: World Economic Forum (WEF), CESG/BIS 10 Steps to Cyber Security, National Checklist Program, cyber diagnostic tools, consultancies and vendors
There is some excellent guidance, but find what fits your organisation.
For less mature organisations: get the basics right. Adopt the 10 Steps to Cyber Security, guidance from CESG (Communications-Electronics Security Group), the UK Government's National Technical Authority for Information Assurance. Get assessed against the CESG guidance with the Symantec CyberV Risk Calculator.
For more mature organisations: adopt a cyber standard.
1. WEF framework: framework, principles and guidelines
2. ISO 27001: traditional controls-based standard
3. PAS 555: new outcome-based standard from the Cyber Alliance
For all organisations: leverage partners and vendors to help.
1. Less mature: Symantec CyberV Risk Calculator, aligned to the CESG 10 Steps to Cyber Security; provides a rapid assessment of cyber resilience against the CESG guidance and identifies priority areas
2. More mature: Symantec Enterprise CyberV Assessment, a detailed cyber resilience assessment of current and desired state, with a detailed report including priorities and recommendations on achieving cyber resilience (CyberV assessments are endorsed and supported by the ISF)
3. All: Symantec technical cyber assessments, including threat monitoring service, vulnerability assessment, targeted attack assessment, data loss and discovery assessment, and malicious activity assessment
High-level information domains (governance; practices; processes and procedures; infrastructure; network and system; application; data), covering: threat and vulnerability awareness and management; configuration and patch management; architecture and planning; policies and procedures; provisioning and implementation; strategy; governance and definition of roles; secure operations; identity management; program metrics and quality; policy and regulatory compliance management; logging, monitoring and reporting; executive sponsorship; risk management; audit function; legal framework; partner and third-party integration; information classification; organisation awareness; business continuity; asset management; personnel; contingency and disaster planning; incident handling and response; physical media control and handling; backup, recovery and archiving; mobility and wireless; secure network design; remote and extranet connections; secure builds and host hardening; malicious code protection; perimeter; directory services; authentication and authorisation; product secure design and coding; privacy; confidentiality and segmentation; encryption; secure communications; intrusion detection and prevention; data integrity; storage clustering and data availability.
Immediate risk reduction initiatives, across infrastructure, operations and management, critical information protection, IT policies and procedures, and user protection and awareness: critical server protection; network protection; mobile endpoint; patch management; monitoring; incident response and management; operations; threat and vulnerability management; early warning system; data backup; data encryption; data protection; emergency response; risk management; crisis management; forensics; governance and compliance; identity and access management; two-factor authentication; awareness and training.
IT initiatives vs. risk reduction (bubble chart: risk reduction level, low to high, against value realisation, short term to long term, for infrastructure, operations and management, critical information protection, IT security policies and procedures, and user protection and awareness; the size of each bubble represents the effort and investment required to implement or improve the initiative).
Call to action
1. Establish your risk profile and know your exposure
2. Make people part of cyber resilience: educate employees and educate the supply chain
3. Use cyber resilience as a long-term strategic competitive advantage
4. Reference existing frameworks and engage vendors
Partner with Symantec. We protect 1 billion systems around the world; we review 8 billion email messages and 1.4 billion web requests a day; the largest IT company in the world; we track 60,000+ vulnerabilities across over 16,000 vendors and 43,000 products.