Building a Security & Compliance Strategy with the Cloud

Post on 22-May-2020


Page 1: Building a Security & Compliance Strategy with the Cloud · Big Data Big Data is extremely large data sets that may be analyzed computationally to reveal patterns, trends, and associations,

Building a Security & Compliance Strategy with the Cloud

Page 2

AGENDA

Introductions

Definition and Overview

Current Threat Landscape

Current Compliance Landscape

Shared Responsibility

Five Steps

Final Thoughts

Questions

Page 3

SAJEEV PRELIS, National Director | Risk Management & Security

MBA, MS, QSA, PCIP, CCSFP, CISA, CGEIT, CRISC. Over 20 years of IT Risk, Compliance, and Data Security experience; 12 years with Accretive Solutions.

Industries: banking, healthcare, retail, manufacturing, entertainment, oil & gas, telecom, and service providers.

JEFF SCHILLING, Chief Security Officer | ARMOR

Former Chief of Operations of the DOD’s Global NetOps Center for JTF-GNO (Cyber Command)

Former Global SOC Director for U.S. Army Cyber Command

Former Director of Global Incident Response, SecureWorks

Page 4

ACCRETIVE SOLUTIONS OVERVIEW

Accretive Solutions is a national professional services firm providing Consulting, Staffing and Outsourcing solutions to a variety of organizations from start-ups to the Fortune 500.

Accounting & Finance

Governance & Compliance

Information Technology

Business Transformation

700+ consulting professionals | 10 markets nationwide | 900+ clients

Page 5

ARMOR OVERVIEW

• Born in the cloud in 2009

• 1,200 clients in 42 countries

• 24x7x365 Security Operations Center

• Data centers in Dallas, Phoenix, London, Amsterdam, and Singapore

• ISO 27001 certified

• SOC 2 annual audit

• AWS Security Competency and Microsoft Azure Gold Partner

• PCI, HITRUST, GDPR compliance

Page 6

WHAT IS THE CLOUD

Page 7

CLOUD DEFINITION

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. – NIST Definition (SP 800-145)

Three Cloud Service Delivery Models:

1. Infrastructure as a Service (IaaS)

2. Platform as a Service (PaaS)

3. Software as a Service (SaaS)

Four Cloud Service Deployment Models:

1. Public

2. Private

3. Community

4. Hybrid

Page 8

SECURITY vs. COMPLIANCE

Security (Program): A collection of controls designed to mitigate risk and protect data.

Compliance: Reporting on how your security program meets a minimum specific set of requirements.

We can’t stress this enough: Security ≠ Compliance

Page 9

COMPLIANCE-DRIVEN vs. RISK-DRIVEN SECURITY

Company A (compliance-driven) vs. Company B (risk-driven)

Goal
  Company A: Bare minimum to meet the compliance standard
  Company B: Strong security practices using compliance requirements as a foundation

Objective
  Company A: Maintain the bare minimum to pass compliance audits/assessments
  Company B: Keep the company’s data secure

Culture
  Company A: Viewed as additional work to prepare for an audit/assessment. “Check the box” for compliance
  Company B: Built into standard operating procedures. Compliance becomes a natural byproduct of strong security practices

Talent
  Company A: High IT resource turnover; hard to attract and retain security experience
  Company B: Low turnover; easy to attract and retain security experience

Assessment Cost and Time
  Company A: Increases due to lack of compliance in routine areas; can result in frequent extensions and extra reporting to key stakeholders (clients, banks, boards)
  Company B: Typically decreases relative to other companies of equal size and industry; makes it easier to achieve multiple compliance standards and increases market reputation / confidence

Risk
  Company A: High. More potential for incidents/breaches, fines, fraud, poor market reputation, or loss of business
  Company B: Low. Less potential for incidents/breaches, good market reputation, increased business opportunities

Page 10

CURRENT THREAT LANDSCAPE

Page 11

2017 GLOBAL CYBERSECURITY CHALLENGES

3.2M record breaches YTD; 910BN record breaches in the last 10 years.

40% increase in hacks 2015-2016 (https://www.bloomberg.com/news/articles/2017-01-19/data-breaches-hit-record-in-2016-as-dnc-wendy-s-co-hacked)

$4M average cost of a data breach, per Ponemon Institute (Cost of Breaches: http://www-03.ibm.com/security/data-breach/)

$355 average healthcare loss: healthcare companies lose an average of $355 per stolen record

$129 average transportation loss: transportation companies may lose $129 per record

99 days median dwell time (Mandiant M-Trends 2017)

“Sophisticated intelligence integration, automation, and threat hunting should be the end-state goal for organizations facing significant business risks and exposure to cyber attacks.” – Per Mandiant M-Trends 2017 report

Page 12

CURRENT CYBER SECURITY OUTLOOK

2016 TRENDS: Cloud Services, Ransomware, Spear Phishing, Known Vulnerabilities, Internet of Things (IoT)

Data security is being discussed in every board room.

Companies cannot pass on the responsibility for protecting their data – do your due diligence.

Page 13

DID YOU KNOW…?

68% of funds lost as a result of a cyber attack were declared unrecoverable

170 days: average time to detect a malicious or criminal attack

176% increase in the number of cyber attacks, with an average of 138 successful attacks per week

$12.7 million: average annualized cost of a cyber crime attack in the US; 96% increase from 2010

Source (May 12, 2016): https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/

Page 14

PHISHING EMAIL EXAMPLE

Page 15

PHISHING EMAIL EXAMPLE 2

(1) Original email received: checked the separate DocuSign application – nothing there.

(2) Sent a separate email: retyped the client’s email address from the CRM source.

(3) Response received seconds after sending: called the client – their email account had been compromised.

Page 16

Big Data

Big Data is extremely large data sets that may be analyzed computationally to reveal patterns, trends, and associations, especially relating to human behavior and interactions.

Data, Data Everywhere…

• Production servers

• Test servers

• Dev servers

• Decommissioned servers

• Backups

• Third parties

• Printers, phones, tablets

FUN FACT: Google is estimated to hold somewhere between 10-15 exabytes of data.

Page 17

COMPLIANCE LANDSCAPE

Page 18

COMPLIANCE LANDSCAPE

SOX: Sarbanes-Oxley Act, Section 404

HIPAA: Health Insurance Portability and Accountability Act

FFIEC: The Federal Financial Institutions Examination Council

ISO: International Organization for Standardization

FCPA: Foreign Corrupt Practices Act

FISMA: Federal Information Security Management Act

GDPR: General Data Protection Regulation (EU). The slide describes it as the replacement for Safe Harbor; strictly, Safe Harbor was succeeded by the EU-US Privacy Shield, while GDPR replaced the 1995 Data Protection Directive.

State Privacy Laws: varies by state

PCI DSS: Payment Card Industry Data Security Standard

HITRUST: Common Security Framework (CSF) for Healthcare

SOC 1 & 2: System and Organization Controls reports

NERC CIP: North American Electric Reliability Corporation Critical Infrastructure Protection standards; guidelines to help protect power grids.

Page 19

SHARED RESPONSIBILITY CONSIDERATIONS

Page 20

UNDERSTANDING SHARED RESPONSIBILITY

95% OF CLOUD SECURITY FAILURES THROUGH 2020 WILL BE THE CUSTOMER’S FAULT.
(Top Strategic Predictions for 2016 and Beyond, Gartner 2016)

That means the biggest threat to your cloud is “you don’t know what you don’t know.”

Page 21

FIVE STEPS FOR MAINTAINING COMPLIANCE AND IMPROVING SECURITY PRACTICES

Page 22

KNOW WHAT YOU’RE SECURING


You have to know what you’re defending before you can defend it. Through a bit of self-reflection, you can do just that.

Questions to ask:

• What are we securing? (Be thorough)

• How do we purge data in a secure fashion?

• How much security do we need?

• Where do we secure it? (On-premises, cloud)

• How do we monitor security?

Page 23

DETERMINE YOUR INTERNAL CAPABILITIES


Just like knowing your data, it’s critical to know your internal capabilities – and limitations.

Questions to ask:

• What is your budget capacity today and in the future?

• How do you attract and keep sought-after resources?

• How do you train staff on the latest tools and techniques?

Page 24

CHOOSE YOUR SERVICE PROVIDER CAREFULLY


If you’ve elected to outsource services, it’s essential that you complete due diligence before handing over your data to a third party.

Third party due diligence aspects to consider:

• Review the provider’s shared responsibility matrix to verify covered tasks. You’ll be responsible for anything not covered.

• Verify geographic data-residency requirements (which jurisdictions’ laws and regulators apply to the data).

• Where does the data reside? (onshore vs. offshore)

• How effective is their network operations center (NOC)?

• How good are they at supporting forensic needs (e.g. adequate log details, access to logs, law enforcement support)?

Page 25

MONITOR AND MAINTAIN


Maintenance is key when ensuring security and compliance in the cloud. Keeping an eye on the people and processes protecting your data will ensure consistent – and reliable – coverage.

Periodic maintenance includes:

• Review of vendor responsibility matrices

• Incorporating proper security controls into your corporate DNA

• Frequent testing of internal staff on security best practices

Page 26

PLAN FOR WHEN, NOT IF

No matter how much you spend, educate, monitor and plan, you’ll never be 100% secure. However, there is a surefire way to stay ahead of threats.

Threat prevention steps:

• Identify your threat vectors

• Write / review / test your incident response, DR/BCP and communication plans

• Test, test and test again

• Never stop training your employees on the importance of security and the roles they play

Page 27

FINAL THOUGHTS


Know where you stand: Not everyone is ready to go to the cloud

Do your due diligence on your partners

Make data security part of your culture

Implement a monitoring program

Plan for WHEN

Page 28

QUESTIONS