a simple approach to infusing business- centricity into
TRANSCRIPT
A Simple Approach to Infusing Business-Centricity into Your Security Program
One We Can All Implement
Omar Khawaja
April 6th, 2010
Why Business-Centric Security?
• Enables security organization to understand what’s important
• Enables stronger communication with business owners
Security is a cost center – the Business pays the bills!
2
Security LeadersCare Most About…
3
…the Business!
Breach Prevention
Compliance
Costs…
The Business cares about RiskSecurity is about Risk
ThreatsVulner-abilities
Assets“Risk”
4
• Knowledge based on interviews and self-reporting
• Depends on context
Challenging to get meaningful risk
picture w/o accurate valuation
of assets
• Mature technologies
• Automated
• Industry standards
• “Same” for everyone
• Can be normalized
Security LeadersCare Most About…
5
The Business Cares About Data!
• Requires preventing data from being breached
Breach Prevention
• HIPAA, GLBA, PCI, State Breach Laws , etc. govern specific types of dataCompliance
• of securing data
• of maintaining compliance
• of enabling business in the information ageCosts…
Greatest opportunity for improvement!
The Business cares about RiskSecurity is about Risk
ThreatsVulner-abilities
Assets“Risk”
6
• Mature technologies
• Automated
• Industry standards
• “Same” for everyone
• Can be normalized
• Knowledge based on interviews and self-reporting
• Depends on context
Challenging to get meaningfulrisk picture w/o
accurate valuation of
assets
What’s Missing?ISO 27002 Control Areas
7
II. A
SS
ES
S
H
M
M
L
L
LH
H
M
M
M
M L
L
L
L
L
L
Data-Centric ApproachApplication Security
8
I. B
AS
EL
INE
H M L H
H
M M
M
M
M
L
L
LL
L
L
L
L
Application
Risk
Assessment
Data
Discovery
Application
Vulnerability
Network
Vulnerability
Baseline
ScanningSDLC
Assessment
Application
Vulnerability
Scan
H
M
M
L
L
LH
H
M
M
M
M
Application
Vulnerability
Assessment
SDLC
Assessment
H
H
H M
M
M
Penetration
Test
Source Code
Review
H
H
H
Enterprise
Application
Assessment
Host-Build
Assessment
III. C
ER
TIF
Y
H L
H M
M
Application
Certification
Program
H
L
M
High Risk Application
Medium Risk Application
Low Risk Application
H M L H
H
M M
M
M
M
L
L
LL
L
L
L
L
H
M
M
L
L
LH
H
M
M
M
M L
L
L
L
L
L
H
M
M
L
L
LH
H
M
M
M
M H
H
H M
M
M H
H
H
H L
H M
M
Data-Centric ApproachVulnerability Management
Situation
• Too many “high” vulnerabilities identified
• Impact of each vulnerability is unclear
Challenge
• Which vulnerabilities should be addressed first?
Remedy
• Assign value to each system based on associated data sets
Result
• Address vulnerabilities in order of system value
9
Data-Centric ApproachSecurity Operations
Situation
• Too many event logs, threats and alerts
Challenge
• Which should be addressed first?
Remedy
• Assign value to each system based on associated data sets
Result
• Address event logs, threats and alerts in order of system value
10
Data-Centric ApproachCompliance
Situation
• Dealing with multiple compliance requirements is complex and costly
Challenge
• What systems need to be compliant?
• Are the required systems compliant?
Remedy
• Establish compliance perimeter by discovering which systems store / process governed data types
• Validate data is being encrypted
• Understand how governed data flows through an enterprise
Result
• Fewer systems within scope of compliance
11
How do you get the data?
INFORMATION“What is the discovered data,
and who does it belong to?”
BUSINESSPROCESSES
ASSETS
“How is the identified information
used, and why is it important?”
IDENTIFY
CLASSIFY
Location
Content
Context
DATA“Where is the data?” DISCOVER
Two-thirds of 285 millions breached
records were not known to be stored on the systems prior to the
breach.
Source: Verizon 2009 Data Breach
Investigations Report
Data Centric ApproachAddresses…
13
…the Same Things the
Business Cares About!
Breach Prevention
Compliance
Costs
• Staying out of the headlines
• Adhere to legal / contractual requirements
• Minimizing total cost of effective security
Finally…
• Data-Centric is Business-Centric!
• Addresses CSOs’ key concerns
• Can be applied to most components of an ISMS
• Security teams see the bigger picture
• Changes the conversation
14
A data-centric approach arms
you with the necessary
insights to do the right things… not just to do things
right!