A Risk-based Security Program Approach: Security Enables Digital Transformation and Compliance - Michael Gutsche, Cybersecurity Strategy Peter ...

A Risk-based Security Program Approach: Security
Enables Digital Transformation and Compliance
Michael Gutsche, Cybersecurity Strategy
Peter Bronson, Cybersecurity Strategy

                                          #MicroFocusCyberSummit
FORWARD-LOOKING STATEMENTS

This document contains forward looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Micro Focus ArcSight’s predictions and / or expectations as of the date of this document and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.

User Interface depictions should be considered non-final and subject to re-design and / or removal.

This is a rolling (up to three year) Roadmap and is subject to change without notice.

www.microfocus.com
Agenda

     State of Cyber Security and Threats

     Compliance vs. Risk Based Programs

     Cyber Security Program Approaches

     Areas of Focus to “Move the Needle”

The State of Cyber Security and Threats

The Impact is Global
     World Economic Forum – 2018 Global Risk Report: cyber attacks rank #3 among the top 10 risks in terms of likelihood.

     2015: An attack on Ukraine’s power grid shut down 30 substations, interrupting power to 230,000 people.
     2016: The SWIFT attack led to the theft of US$81 million from the central bank of Bangladesh.
     Today: The European Aviation Safety Agency has stated that its systems are subject to an average of 1,000 attacks each month.

     Global interconnectedness continues to expand the attack surface.
Cyber Damages Continue to Outpace Spend

     Cyber damages to hit $6 trillion annually by 2021, up from $3 trillion in 2015.
     Cyber security spending to exceed $1 trillion from 2017 to 2021.
     Cyber crime will more than triple the number of unfilled security jobs, predicted to reach 3.5 million by 2021.
     Human attack surface to reach 6 billion people by 2022.
     Ransomware damage costs are predicted to reach $11.5 billion by 2019.

     Source: CSO Online, Top 5 cybersecurity facts, figures and statistics for 2018
The Reach of Cyber Attacks

     143 million customers’ data stolen due to a vulnerability found in open-source software. A majority of people over 18 in the U.S. now have their data exposed. Net income fell 27% in ONE quarter.

     3 billion customers impacted. Every Yahoo customer’s data was exposed, spanning 3 years. M&A impact of $350M.

     57 million customers and drivers impacted. Every Uber customer’s data was exposed for a year. $20B market cap loss; untold amount in litigation.
It’s no longer a question of if, but when your data breach will happen.
It is a new level of complexity!

     Threats (internal and external)
     Information overload
     Regulatory/privacy concerns
     Infrastructure complexity
Risk vs. Compliance Based Information Security Programs

Compliance/Standards – A Subset!!
     NIST 800-53 / CSF
     CSA 4.0
     DISA
     ITIL
     CIS 20
     BSIMM
     PCI-DSS
     ISACA COBIT 5
     ILTA
     ISF
     OWASP
     ISO/IEC 27001/2
Know Your Enemy

     Attacks come in all shapes and sizes
     Organized crime has become very sophisticated and operates like corporations
     Main goal is to maximize profits and minimize risks
     Compete on quality, customer services, price, reputation, and innovation
     Use SDLC and are adopting SaaS

     Figure: attack types plotted by payout potential (low to high) against effort and risk (difficult to easy). Organized crime, IP theft, extortion and ad fraud sit at high payout; bank fraud, payment system fraud, bug bounty and medical records fraud in the middle; credential harvesting, identity theft and credit card fraud toward the easy side; cyber warfare (difficult) and hacktivism (easy) at low payout.
Know Your Treasure and Where It Resides

     Banks’ data about your finances and accounts
     Your credit rating information
     Your interactions with SaaS applications
     Payments made to you
     Your Telco’s information about your account
     Health records your care provider manages for you
     Your email correspondence
     Your private email to and from your smartphone

     Your customers’ data.
     Your organizational data.
Additional Treasure Chests

     HR Systems: Workday
     CRM Systems: Microsoft Dynamics, Peoplesoft
     Financial Systems: Lawson
     Point of Sale Systems: TBD
     Customer Portals: TBD
     Credit Card Processing: TBD

     “The health record is worth 10x that of a credit card number on the black market”
Establish a Risk-based Approach

Assess security investments and posture
     How will attacks likely occur? How will you spot them on each platform? What corrective action will you take?

Transform from silos to a comprehensive view
     On-prem traditional systems, SaaS, IaaS, and PaaS should all fall under the same security umbrella

Optimize to proactively improve security posture

Manage security effectively
     Including internal SLAs and SLAs related to cloud providers. Maintain SLAs in the context of your security program

     (Figure label: Actionable Security Intelligence)

Moving from Reactive to Proactive Information Security & Risk Management
Cyber Kill Chain
Cycle of Security – Breaking the Cyber Kill Chain
Risk Based Security Programs

Table-stakes – Good security hygiene, perimeter security,
endpoint protection
Identifying risks – Unique to each organization
Addressing the risks by implementation of programs not products
Risk based security programs enable cloud and hybrid adoption
Goal: Overall security posture improvement

               “Compliance to industry regulations should be a ‘free bonus’ to a robust risk based security program.”

                         “Compliance does not equate to security”
Comprehensive security for the enterprise

CYBERSECURITY, PRIVACY & RISK MANAGEMENT (center of the wheel)

IDENTITY & ACCESS
     • Adaptive identity governance
     • Adaptive access management
     • Adaptive privileged users

APP SECURITY
     • Static, dynamic, & runtime application testing
     • Application security-as-a-service

ENDPOINT SECURITY
     • Lifecycle management
     • Patching & containerization
     • Application virtualization
     • Mobile & server management

DATA SECURITY
     • Data de-identification (encryption/tokenization)
     • Key management
     • Hardware-based trust assurance
     • Messaging security

SECURITY OPERATIONS
     • Real-time detection
     • Workflow automation
     • Open source data ingestion
     • Hunt and investigation

GOVERNANCE, RISK & COMPLIANCE
     • eDiscovery & classification
     • Information management

Thank You.