Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Cybersecurity-Real World Approach FINAL 2-24-16

Download as PPTX, PDF
James Rutt
James Rutt

The document provides an overview of cybersecurity strategy and recommendations for implementation from Jim Rutt, CTO of the Dana Foundation. It discusses that defense in depth alone is not enough given cloud computing and smartphones. It recommends justifying investments with metrics, focusing on user education, and preparing for tools that will be available in 1-3 years. Broad types of security incidents and why cybersecurity is more than an IT problem are outlined. A strategy for program management includes reviewing legislation, gaining executive support, choosing a framework, organizing implementation, risk assessment, and defensive measures and training.

Related slideshows

Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?
Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?
Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security Governance
 
The IBM X-Force 2016 Cyber Security Intelligence Index
The IBM X-Force 2016 Cyber Security Intelligence IndexThe IBM X-Force 2016 Cyber Security Intelligence Index
The IBM X-Force 2016 Cyber Security Intelligence Index
 
1 of 20
CYBERSECURITY STRATEGY: A REAL WORLD APPROACH Jim Rutt CTO Dana Foundation February 24, 2016
MY BACKGROUND • 20 Years in technology • Wide vertical experience in Finance, Healthcare, Pharmaceutical and Nonprofit. • Plenty of experience in the practical and governance side of security including major incident response (9/11, 2003 power outage, 2 hurricanes, and miscellaneous breaches.)
WE LIVE IN DIFFERENT TIMES • Defense in depth alone won’t work, there is no more border to defend thanks to the rise of cloud and smartphones. • FUD will only get you so much budget leeway, we have to get smarter with empirical metrics and data to win the resources we need. • Education of the end user is one of the most important facets of a cybersecurity strategy, yet there are limits to efficacy here. • Its time to stop putting toothpaste back in the tube after its been squeezed out (audit remediation post-production deployments) • You need to prepare now to justify the tools coming out in 1-3 years-skating to where the puck is going, not where it has been.
4 BROAD TYPES OF SECURITY INCIDENTS •Natural Disaster (9/11, 2003 Power Outage) •Malicious Attack •Internal Attack •Human Error (Unintentional)**
ITS MORE THAN JUST AN “I.T.” PROBLEM 1) “Its an IT Problem” 2) Its not worth the time to explain to executive management 3) Most of the investment is pure technology 4) You can’t measure ROI 5) Cybersecurity is a one-time project 6) Policies alone will CYA
DIFFERENCE BETWEEN “INFORMATION SECURITY” AND “CYBERSECURITY” • Chief difference is really in vertical used (gov’t vs. finance vs. healthcare) • Information security also encompasses non-digital media which doesn’t exactly fall under cybersecurity. • Barring those differences, the two terms have become interchangeable in the public vernacular.
STRATEGY FOR CYBERSECURITY PROGRAM MANAGEMENT 1. Review of relevant legislation 2. Define benefits and get executive management support 3. Choose a framework 4. Organize implementation 5. Risk Assessment 6. Implementation of Defensive Measures 7. Training and Awareness
1. LEGISLATION • For VNS, most likely HIPAA is the primary concern. • Primarily concerned with the protection of PHI. • Along with HITECH Act, lays out timelines for communication of breaches • Wealth of information/templates to cover most of the salient points needed for compliance. (NOREX) • Long-time focus in the payer community so heightened awareness gives credibility to all regulatory efforts that you drive. • PRACTICAL APPLICATION: • Engage NOREX to fill policy and template gaps (better than writing from scratch) • 3rd party sources on regulatory subjects. • Engage internal audit AT START OF PROJECTS, NOT WHEN PRODUCTION IS EXPOSED. • Coordination with in house compliance and risk executives to close remaining gaps.
2. EXECUTIVE SUPPORT • You’ll need resources to execute (some great tools you’ll see today!) • You need to be able to talk their language, not the Vulcan we speak. • Our internal metrics aren’t on your typical executives radar! PRACTICAL APPLICATION: • Use implementation of cybersecurity related processes into business process to show direct correlation (and by proxy justification)
3. CHOOSE FRAMEWORK • Many frameworks available (ITIL, ISO 27001, COBIT,NIST SP 800, etc) • ISO 27001 is a good framework for those not bound by any conflicting regulatory requirements. • Provides defensive posture for both internal and external audit functions. • Key is to keep it simple enough but provide a structure to show governance. PRACTICAL APPLICATION: • I’ve found ISO 27001 easier to follow then ITIL in my experience. Quicker time to implementation. Free starter toolkits at http://www.iso27001security.com/html/toolkit.html • Formal certification is not necessary in all cases.
4. ORGANIZE IMPLEMENTATION • Basic project management of your cybersecurity strategy, using the framework of your choice as your project plan. • Budget properly from a time and human resource. straightforward. • Basic PMP 101. PRACTICAL APPLICATION: • Identifying budgetable items and tying directly to framework deliverables speeds approval of said line items (especially using an ISO standard framework) because of the implied justification. • Tools available (ex: ISO 27001 from previous slide). • ROSI(Return on Investment) calculator: http://advisera.com/27001academy/free-tools/free- return-security-investment-calculator/
5.RISK ASSESSMENT • Essentially you are identifying those risks that are tolerable and those that must be eliminated. Not all risk can or should be eliminated. • Use of a risk matrix can be used in conjunction with framework items at a minimum to address know risks and grade their severity. PRACTICAL APPLICATION: • There are dozens of risk matrix templates out there, but a good risk matrix I’ve modeled my work after: http://anahiayala.com/2011/12/14/crisis-mapping-and- cybersecurity-part-ii-risk-assessment/ • Vendor rating (partner relationships/”supply chain”): companies like RiskRecon can give great insight on trustworthiness and risk assessment for your upstream/downstream partnerships.
6.IMPLEMENTATION OF DEFENSIVE MEASURES • You need to be searching out the most advanced tools and the newest technologies to at least stay on par with the ever evolving threats persistent in the wild. • A broader view is required as there are no borders as in the past. Defense in depth strategies alone are not enough. • Incident response/BC/DR should be practiced regularly. PRACTICAL APPLICATION: • Our move to a 100% cloud-based infrastructure has offloaded a number of risk variables onto respective providers. Tremendous cost and time savings from self- remediation of garden-variety risk-based issues. • Examples of actual tools we’ve adopted are at the end of this presentation.
7. TRAINING AND AWARENESS • As stated before, end users are the weakest link in the chain of cybersecurity program management. • Key is not to overwhelm, but to promote awareness • End users are already overwhelmed by the rate in change in technology in general, and they are fearful for their livelihoods as this change progresses.. • Wherever possible, you have to adopt the posture of protecting your end user base from themselves. They aren’t always equipped to cover all the gaps themselves. PRACTICAL APPLICATION: • We are looking into using gamification as a means to keep security awareness at the forefront of end-user computing activities without “shoving it down their throats” • Phishing-type programs have some impact, but I question the ROI on these. • “Think before you Click” campaigns are much more effective (and cheaper).
Dana iLand Ektron Hosting AD Hosting Salesforce FC Base Product Portals UCD Supporting Apps Linkpoint Drawloop Docusign Timesheets (summer 2016) Base Licenses User SFC Okta Office 365 Exchange Sharepoint Yammer Zendesk Egnyte Security Ensilo Vera Skycure Netskope Menlo Security Azure GP Papersave
NETSKOPE: SEPTEMBER 2014 • Cloud Security Access Broker. • Policy based enforcement. • Also great for understanding what other SaaS/PaaS applications (other than corporate sanctioned) are used/preferred by constituents. • Beginnings of cloud based DLP for Dana.
MENLO SECURITY: JANUARY 2015 • Proxy-based Content Isolation. • Prevents rogue/malware from being directly rendered. • Zero impact on end users. • Policy enforcement built-in. • Traditional Content filtration also built-in.
VERA: NOVEMBER 2014 • File based access control. • Can be enforced organization wide or ad hoc. • MOST IMPORTANT: Allows tracking of content as it moves outside your control.
ENSILO: SEPTEMBER 2015 • Real-time, exfiltration prevention platform. • Endpoint based. • Very easy to deploy. • In lab tests, stopped every piece of ransomware and APT we threw against it.
THE END

More Related Content

Cybersecurity-Real World Approach FINAL 2-24-16

  • 1. CYBERSECURITY STRATEGY: A REAL WORLD APPROACH Jim Rutt CTO Dana Foundation February 24, 2016
  • 2. MY BACKGROUND • 20 Years in technology • Wide vertical experience in Finance, Healthcare, Pharmaceutical and Nonprofit. • Plenty of experience in the practical and governance side of security including major incident response (9/11, 2003 power outage, 2 hurricanes, and miscellaneous breaches.)
  • 3. WE LIVE IN DIFFERENT TIMES • Defense in depth alone won’t work, there is no more border to defend thanks to the rise of cloud and smartphones. • FUD will only get you so much budget leeway, we have to get smarter with empirical metrics and data to win the resources we need. • Education of the end user is one of the most important facets of a cybersecurity strategy, yet there are limits to efficacy here. • Its time to stop putting toothpaste back in the tube after its been squeezed out (audit remediation post-production deployments) • You need to prepare now to justify the tools coming out in 1-3 years-skating to where the puck is going, not where it has been.
  • 4. 4 BROAD TYPES OF SECURITY INCIDENTS •Natural Disaster (9/11, 2003 Power Outage) •Malicious Attack •Internal Attack •Human Error (Unintentional)**
  • 5. ITS MORE THAN JUST AN “I.T.” PROBLEM 1) “Its an IT Problem” 2) Its not worth the time to explain to executive management 3) Most of the investment is pure technology 4) You can’t measure ROI 5) Cybersecurity is a one-time project 6) Policies alone will CYA
  • 6. DIFFERENCE BETWEEN “INFORMATION SECURITY” AND “CYBERSECURITY” • Chief difference is really in vertical used (gov’t vs. finance vs. healthcare) • Information security also encompasses non-digital media which doesn’t exactly fall under cybersecurity. • Barring those differences, the two terms have become interchangeable in the public vernacular.
  • 7. STRATEGY FOR CYBERSECURITY PROGRAM MANAGEMENT 1. Review of relevant legislation 2. Define benefits and get executive management support 3. Choose a framework 4. Organize implementation 5. Risk Assessment 6. Implementation of Defensive Measures 7. Training and Awareness
  • 8. 1. LEGISLATION • For VNS, most likely HIPAA is the primary concern. • Primarily concerned with the protection of PHI. • Along with HITECH Act, lays out timelines for communication of breaches • Wealth of information/templates to cover most of the salient points needed for compliance. (NOREX) • Long-time focus in the payer community so heightened awareness gives credibility to all regulatory efforts that you drive. • PRACTICAL APPLICATION: • Engage NOREX to fill policy and template gaps (better than writing from scratch) • 3rd party sources on regulatory subjects. • Engage internal audit AT START OF PROJECTS, NOT WHEN PRODUCTION IS EXPOSED. • Coordination with in house compliance and risk executives to close remaining gaps.
  • 9. 2. EXECUTIVE SUPPORT • You’ll need resources to execute (some great tools you’ll see today!) • You need to be able to talk their language, not the Vulcan we speak. • Our internal metrics aren’t on your typical executives radar! PRACTICAL APPLICATION: • Use implementation of cybersecurity related processes into business process to show direct correlation (and by proxy justification)
  • 10. 3. CHOOSE FRAMEWORK • Many frameworks available (ITIL, ISO 27001, COBIT,NIST SP 800, etc) • ISO 27001 is a good framework for those not bound by any conflicting regulatory requirements. • Provides defensive posture for both internal and external audit functions. • Key is to keep it simple enough but provide a structure to show governance. PRACTICAL APPLICATION: • I’ve found ISO 27001 easier to follow then ITIL in my experience. Quicker time to implementation. Free starter toolkits at http://www.iso27001security.com/html/toolkit.html • Formal certification is not necessary in all cases.
  • 11. 4. ORGANIZE IMPLEMENTATION • Basic project management of your cybersecurity strategy, using the framework of your choice as your project plan. • Budget properly from a time and human resource. straightforward. • Basic PMP 101. PRACTICAL APPLICATION: • Identifying budgetable items and tying directly to framework deliverables speeds approval of said line items (especially using an ISO standard framework) because of the implied justification. • Tools available (ex: ISO 27001 from previous slide). • ROSI(Return on Investment) calculator: http://advisera.com/27001academy/free-tools/free- return-security-investment-calculator/
  • 12. 5.RISK ASSESSMENT • Essentially you are identifying those risks that are tolerable and those that must be eliminated. Not all risk can or should be eliminated. • Use of a risk matrix can be used in conjunction with framework items at a minimum to address know risks and grade their severity. PRACTICAL APPLICATION: • There are dozens of risk matrix templates out there, but a good risk matrix I’ve modeled my work after: http://anahiayala.com/2011/12/14/crisis-mapping-and- cybersecurity-part-ii-risk-assessment/ • Vendor rating (partner relationships/”supply chain”): companies like RiskRecon can give great insight on trustworthiness and risk assessment for your upstream/downstream partnerships.
  • 13. 6.IMPLEMENTATION OF DEFENSIVE MEASURES • You need to be searching out the most advanced tools and the newest technologies to at least stay on par with the ever evolving threats persistent in the wild. • A broader view is required as there are no borders as in the past. Defense in depth strategies alone are not enough. • Incident response/BC/DR should be practiced regularly. PRACTICAL APPLICATION: • Our move to a 100% cloud-based infrastructure has offloaded a number of risk variables onto respective providers. Tremendous cost and time savings from self- remediation of garden-variety risk-based issues. • Examples of actual tools we’ve adopted are at the end of this presentation.
  • 14. 7. TRAINING AND AWARENESS • As stated before, end users are the weakest link in the chain of cybersecurity program management. • Key is not to overwhelm, but to promote awareness • End users are already overwhelmed by the rate in change in technology in general, and they are fearful for their livelihoods as this change progresses.. • Wherever possible, you have to adopt the posture of protecting your end user base from themselves. They aren’t always equipped to cover all the gaps themselves. PRACTICAL APPLICATION: • We are looking into using gamification as a means to keep security awareness at the forefront of end-user computing activities without “shoving it down their throats” • Phishing-type programs have some impact, but I question the ROI on these. • “Think before you Click” campaigns are much more effective (and cheaper).
  • 15. Dana iLand Ektron Hosting AD Hosting Salesforce FC Base Product Portals UCD Supporting Apps Linkpoint Drawloop Docusign Timesheets (summer 2016) Base Licenses User SFC Okta Office 365 Exchange Sharepoint Yammer Zendesk Egnyte Security Ensilo Vera Skycure Netskope Menlo Security Azure GP Papersave
  • 16. NETSKOPE: SEPTEMBER 2014 • Cloud Security Access Broker. • Policy based enforcement. • Also great for understanding what other SaaS/PaaS applications (other than corporate sanctioned) are used/preferred by constituents. • Beginnings of cloud based DLP for Dana.
  • 17. MENLO SECURITY: JANUARY 2015 • Proxy-based Content Isolation. • Prevents rogue/malware from being directly rendered. • Zero impact on end users. • Policy enforcement built-in. • Traditional Content filtration also built-in.
  • 18. VERA: NOVEMBER 2014 • File based access control. • Can be enforced organization wide or ad hoc. • MOST IMPORTANT: Allows tracking of content as it moves outside your control.
  • 19. ENSILO: SEPTEMBER 2015 • Real-time, exfiltration prevention platform. • Endpoint based. • Very easy to deploy. • In lab tests, stopped every piece of ransomware and APT we threw against it.