Welcome
HITRUST 2014 Conference
April 22, 2014
HITRUST Health Information Trust Alliance
The Evolving Information Security Organization
Challenges and Successes
  Jason Taule, Chief Security and Privacy Officer, FEi Systems (Moderator)
  Robert Booker, Vice President and Chief Information Security Officer, UnitedHealth Group
  Erick Rudiak, Information Security Officer, Express Scripts
  Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, WellPoint
  Omar Khawaja, Vice President and Chief Information Security Officer, Highmark
Chief Information Security Office
HITRUST 2014 Conference
The Evolving Information Security Organization
Challenges and Successes
Tuesday April 22, 2014
Roy R. Mellinger, CISSP ISSAP, ISSMP, CIM
Vice President, IT Security
Chief Information Security Officer
Operational Compliance Risk Enterprise Risk Management Security Viewed as a Business Enabler Preventing Fires Translating Business Needs into Security Requirements Translating Security Requirements into Technical Security Controls Operating Technical Security Controls Fighting Fires Security Threat Management IT Compliance IT Risk Enterprise Risk
CYBER THREAT MANAGEMENT
  24x7 Security Operations Center (SOC)
  End to End DLP (Data Loss Prevention) Strategy
  Tracking of Malware Threats and Coding Techniques
  Effective Firewalls, IDS / IPS Strategy Implementations
  Effective Security and Event Log Management & Monitoring
  Robust Safeguarding Policies, Programs and Processes
Hacking Then
  Individual or Computer Clubs / Groups
  Manual efforts with Social Engineering
    - Success = Badge Of Honor
    - Personal Monetary Gain or to pay for / fund hacking activity
  War Protesting and Civil Disobedience
  Anti-Establishment Rhetoric
  Social Rebels and Misfits

Hacking Now
  Automated / Sophisticated Malware
  Hacktivism: Freedom of Speech, Statements to Influence Change, Sway Public Opinion and Publicize Views
  Criminal: Drug Cartels, Domestic and Foreign Organized Crime for Identity Theft and Financial Fraud
  Espionage: IP, Business Intelligence, Technology, Military / Political Secrets
  Terrorism: Sabotage, Disruption and Destruction
  Nation-State: Intelligence Gathering, Disruptive Tactics, Clandestine Ops, Misinformation, Warfare Strategies, and Infrastructure Destruction

FRINGE ... 30 YEARS ... MAINSTREAM
Initial Compromise: spear phishing via email, planting malware on a target website or social engineering.
Establish Foothold: plant administrative software and create back doors to allow for stealth access.
Escalate Privileges: use exploits and password cracking tools to gain privileges on victim computer and network.
Internal Reconnaissance: collect info on network and trust relationships.
Move Laterally: expand control to other workstations and servers. Harvest data.
Maintain Presence: ensure continued control over access channels and credentials acquired in previous steps.
Complete Mission: exfiltrate stolen data from victim's network.
Cyber Threat Management
Conventional Approach vs. Paradigm Shift: Cyber Threat Management

Controls Coverage
  Conventional Approach: Protect ALL information assets
  Paradigm Shift: Protect your MOST IMPORTANT assets (Crown Jewels) based on risk assessments
Controls Focus
  Conventional Approach: Preventive Controls (anti-virus, firewalls, intrusion prevention, etc.)
  Paradigm Shift: Detective Controls (monitoring, behavioral logic, data analytics)
Perspective
  Conventional Approach: Perimeter Based
  Paradigm Shift: Data Centric
Goal of Logging
  Conventional Approach: Compliance Reporting
  Paradigm Shift: Threat Detection
Security Incident Management
  Conventional Approach: Piecemeal. Find and neutralize malware or infected nodes
  Paradigm Shift: BIG PICTURE. Find and dissect attack patterns to understand threat
Threat Management
  Conventional Approach: Collect information on Malware
  Paradigm Shift: Develop a deep understanding of attackers' targets and modus operandi related to YOUR org's network and information assets
Success Defined By
  Conventional Approach: No attackers get into the network
  Paradigm Shift: Attackers sometimes get in; BUT are detected as early as possible and impact is minimized
The Evolving Information Security Organization
Challenges and Successes
Omar Khawaja
April 23, 2014
Who is Highmark?
Risk is increasing
(Assets X Vulnerabilities X Threats)

Our information is increasing in value
  More data (EMRs)
  More collaboration (ACOs)
  More regulation (FTC)
Our weaknesses are increasing
  More suppliers (Cloud)
  More complexity (ACA)
Opportunities to attack are increasing
  More access (consumer portals)
  More motivated attackers

- Controls

Becoming increasingly difficult to secure
  Multiple Compliance Requirements
  Evolving Compliance Requirements
  Unclear Compliance Requirements
  Less visibility
  Less control
Security org needs to evolve

  From: Explaining the "what"
  To:   Explaining the "why"

  From: Growing the security org
  To:   Growing security in the org

  From: Creating more security processes
  To:   Making security part of more processes

  From: Telling them what to do
  To:   Assisting them with their job

  From: Protecting everything equally
  To:   Differentiated controls

  From: Measuring what matters to security org
  To:   Reporting on what matters to audience
Questions?