Building a Security & Compliance Strategy
with the Cloud
AGENDA
Introductions
Definition and Overview
Current Threat Landscape
Current Compliance Landscape
Shared Responsibility
Five Steps
Final Thoughts
Questions
SAJEEV PRELIS
National Director | Risk Management & Security
MBA, MS, QSA, PCIP, CCSFP, CISA, CGEIT, CRISC
Over 20 years of IT Risk, Compliance, and Data Security experience. 12 years with Accretive Solutions.
Industries: banking, healthcare, retail, manufacturing, entertainment, oil & gas, telecom, and service providers.
JEFF SCHILLING
Chief Security Officer | ARMOR
Former Chief of Operations of the DOD’s Global NetOps Center for JTF-GNO (Cyber Command)
Former Global SOC Director for U.S. Army Cyber Command
Former Director of Global Incident Response, SecureWorks
ACCRETIVE SOLUTIONS OVERVIEW
Accretive Solutions is a national professional services firm providing Consulting, Staffing and Outsourcing solutions to a variety of
organizations from start-ups to the Fortune 500.
Practice areas: Accounting & Finance, Governance & Compliance, Information Technology, Business Transformation
700+ consulting professionals
10 markets nationwide
900+ clients
ARMOR OVERVIEW
• Born in the cloud in 2009
• 1,200 clients in 42 countries
• 24x7x365 Security Operations Center
• Data centers in Dallas, Phoenix, London, Amsterdam, and Singapore
• ISO 27001 certified
• SOC II annual audit
• AWS Security Competency and Microsoft Azure Gold Partner
• PCI, HITRUST, GDPR compliance
WHAT IS THE CLOUD
CLOUD DEFINITION
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. – NIST Definition
Three Cloud Service Delivery Models:
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)
Four Cloud Service Deployment Models:
1. Public
2. Private
3. Community
4. Hybrid
SECURITY vs. COMPLIANCE
Security (Program): A collection of controls designed to mitigate risk and protect data.
Compliance: Reporting on how your security program meets a minimum specific set of requirements.
We can’t stress this enough: Security ≠ Compliance
COMPLIANCE-DRIVEN vs. RISK-DRIVEN SECURITY
Company A (compliance-driven)
Goal: Bare minimum to meet the compliance standard
Objective: Maintain the bare minimum to pass compliance audits/assessments
Culture: Viewed as additional work to prepare for an audit/assessment. “Check the box” for compliance
Talent: High IT resource turnover, hard to attract and retain security experience
Assessment cost and time: Increases due to lack of compliance in routine areas; can result in frequent extensions and extra reporting to key stakeholders (clients, banks, boards)
Risk: High. More potential for incidents/breaches, fines, fraud, poor market reputation, or loss of business

Company B (risk-driven)
Goal: Strong security practices using compliance requirements as a foundation
Objective: Keep the company’s data secure
Culture: Built into standard operating procedures. Compliance becomes a natural byproduct of strong security practices
Talent: Low turnover, easy to attract and retain security experience
Assessment cost and time: Typically decreases relative to other companies of equal size and industry; makes it easier to achieve multiple compliance standards and increases market reputation/confidence
Risk: Low. Less potential for incidents/breaches, good market reputation, increased business opportunities
CURRENT THREAT LANDSCAPE
2017 GLOBAL CYBERSECURITY CHALLENGES
• 40% increase in hacks 2015-2016 (https://www.bloomberg.com/news/articles/2017-01-19/data-breaches-hit-record-in-2016-as-dnc-wendy-s-co-hacked)
• 3.2M record breaches YTD
• 910BN record breaches in the last 10 years
• $4M average cost of a data breach (per Ponemon Institute; cost of breaches: http://www-03.ibm.com/security/data-breach/)
• $355 average healthcare loss: healthcare companies lose an average of $355 per stolen record
• $129 average transportation loss: transportation companies may lose $129 per record
• 99 days dwell time
“Sophisticated intelligence integration, automation, and threat hunting should be the end-state goal for organizations facing significant business risks and exposure to cyber attacks.” – Per Mandiant M-Trends 2017 report
CURRENT CYBER SECURITY OUTLOOK
2016 TRENDS
• Cloud Services
• Ransomware
• Spear Phishing
• Known Vulnerabilities
• Internet of Things (IoT)
Data security is being discussed in every board room.
Companies cannot pass on the responsibility for protecting their data – do your due diligence.
DID YOU KNOW…?
• 68% of funds lost as a result of a cyber attack were declared unrecoverable
• 170 days: average time to detect a malicious or criminal attack
• 176% increase in the number of cyber attacks, with an average of 138 successful attacks per week
• $12.7 million: average annualized cost of a cyber crime attack in the US, a 96% increase from 2010
Source (May 12, 2016): https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/
PHISHING EMAIL EXAMPLE
(1) Original email received: checked the separate DocuSign application – nothing there.
(2) Sent a separate email: retyped the client email address from the CRM source.
(3) Response received seconds after sending: called the client – their email account had been compromised.
PHISHING EMAIL EXAMPLE 2
Big Data
Big Data is extremely large data sets that may be analyzed computationally to reveal patterns, trends, and associations, especially relating to human behavior and interactions.
Data, Data Everywhere…
• Production servers
• Test servers
• Dev servers
• Decommissioned servers
• Backups
• Third parties
• Printers, phones, tablets
FUN FACT: Google is estimated to hold somewhere between 10-15 EXABYTES of data.
COMPLIANCE LANDSCAPE
SOX: Sarbanes-Oxley 404
HIPAA: Health Insurance Portability and Accountability Act
FFIEC: The Federal Financial Institutions Examination Council
ISO: International Organization for Standardization
FCPA: Foreign Corrupt Practices Act
FISMA: Federal Information Security Management Act
GDPR: Replacement to Safe Harbor
State Privacy Laws: Varies by state
PCI DSS: Payment Card Industry Data Security Standard
HITRUST: Common Security Framework (CSF) for Healthcare
SOC 1 & 2: System Organization Control
NERC CIP: Guidelines to help protect power grids
SHARED RESPONSIBILITY CONSIDERATIONS
UNDERSTANDING SHARED RESPONSIBILITY
95% of cloud security failures through 2020 will be the customer’s fault. – Top Strategic Predictions for 2016 and Beyond, Gartner 2016
That means the biggest threat to your cloud is “you don’t know what you don’t know.”
FIVE STEPS FOR MAINTAINING COMPLIANCE AND IMPROVING SECURITY PRACTICES
KNOW WHAT YOU’RE SECURING
You have to know what you’re defending before you can defend it. Through a bit of self-reflection, you can do just that.
Questions to ask:
• What are we securing? (Be thorough)
• How do we purge data in a secure fashion?
• How much security do we need?
• Where do we secure it? (On-premises, cloud)
• How do we monitor security?
DETERMINE YOUR INTERNAL CAPABILITIES
Just like knowing your data, it’s critical to know your internal capabilities – and limitations.
Questions to ask:
• What is your budget capacity today and in the future?
• How do you attract and keep sought-after resources?
• How do you train staff on the latest tools and techniques?
CHOOSE YOUR SERVICE PROVIDER CAREFULLY
If you’ve elected to outsource services, it’s essential that you complete due diligence before handing over your data to a third party.
Third party due diligence aspects to consider:
• Review the provider’s shared responsibility matrix to verify covered tasks. You’ll be responsible for anything not covered.
• Verify geographic data housing considerations.
• Where does the data reside? (onshore vs. offshore)
• How effective is their network operations center (NOC)?
• How good are they at supporting forensic needs (e.g. adequate log details, access to logs, law enforcement support)?
MONITOR AND MAINTAIN
Maintenance is key when ensuring security and compliance in the cloud. Keeping an eye on the people and processes protecting your data will ensure consistent – and reliable – coverage.
Periodic maintenance includes:
• Review of vendor responsibility matrices
• Incorporating proper security controls into your corporate DNA
• Frequent testing of internal staff on security best practices
PLAN FOR WHEN, NOT IF
No matter how much you spend, educate, monitor and plan, you’ll never be 100% secure. However, there is a surefire way to stay ahead of threats.
Threat prevention steps:
• Identify your threat vectors
• Write / review / test your incident response, DR/BCP and communication plans
• Test, test and test again
• Never stop training your employees on the importance of security and the roles they play
FINAL THOUGHTS
Know where you stand: Not everyone is ready to go to the cloud
Do your due diligence on your partners
Make data security part of your culture
Implement a monitoring program
Plan for WHEN
QUESTIONS