Glen Gooding, Director, Institute for Advanced Security, Asia Pacific
Managing threats in the Digital Age - Addressing security, risk and compliance in the C-Suite
The Planet is getting more… Smart:
- Smart Supply Chains
- Smart Countries
- Smart Retail
- Smart Water Management
- Smart Weather
- Smart Energy Grids
- Smart Oil Field Technologies
- Smart Regions
- Smart Healthcare
- Smart Traffic Systems
- Smart Cities
- Smart Food Systems
INSTRUMENTED. INTERCONNECTED. INTELLIGENT.
EVERYTHING IS EVERYWHERE
Continued movement of business to new platforms including cloud, virtualization, mobile, social business and more.
CONSUMERIZATION OF IT
With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared.
DATA EXPLOSION
The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere.
ATTACK SOPHISTICATION
The speed and dexterity of attacks have increased, coupled with new motivations ranging from cyber crime to state sponsored to terror inspired.
An explosion of breaches opened 2011, marking this year as “The Year of the Security Breach.”
A secure Web presence has become the Achilles’ heel of Corporate IT Security
IBM’s Rational Application Security Group research tested 678 sites (Fortune 500) – 40% contained client-side vulnerabilities
Mass endpoint exploitation is happening not only through browser vulnerabilities, but also through malicious movies and documents
IBM Managed Security Services show favorite attacker methods are SQL injection, and the brute forcing of passwords, databases, and Windows shares
EVOLVING THREATS (2011 X-Force Mid-Year Trend and Risk Report)
External threats: Cyber attacks, Organized crime, Corporate espionage, State-sponsored attacks. Sharp rise in external attacks from non-traditional sources.
Internal threats: Administrative mistakes, Careless insider behavior, Internal breaches, Disgruntled employee actions. Ongoing risk of careless and malicious insider behavior.
Compliance: National regulations, Industry standards, Local mandates. Growing need to address an increasing number of mandates.
Impacting innovation: Security challenges are impacting innovation in Cloud Computing, Mobile Computing, Social Business and Business Analytics.
The impact of a breach is now not contained to IT, but reverberates across the corporation
CxO priority, security risks and potential impact:

CEO
  Priority: Maintain competitive differentiation
  Security risks and potential impact: Misappropriation of intellectual property; Misappropriation of business sensitive data; Loss of market share and reputation; Legal exposure

CFO/COO
  Priority: Comply with regulations
  Security risks and potential impact: Failure to address regulatory requirements; Audit failure; Fines and criminal charges; Financial loss

CIO
  Priority: Expand use of mobile devices
  Security risks and potential impact: Data proliferation; Unsecured endpoints and inappropriate access; Loss of data confidentiality, integrity and/or availability

CHRO
  Priority: Enable global labor flexibility
  Security risks and potential impact: Release of sensitive data; Careless insider behavior; Violation of employee privacy

CMO
  Priority: Enhance the brand
  Security risks and potential impact: Stolen personal information from customers or employees; Loss of customer trust; Loss of brand reputation
Increasingly, companies are appointing CROs and CISOs with a direct line to the Audit Committee
The Result: Security is becoming a board room discussion
Board-level concerns: Business Results, Audit Risk, Impact of hacktivism, Legal Exposure, Supply Chain, Brand Image
Examples:
- Sony estimates potential $1B long term impact – $171M / 100 customers
- Epsilon breach impacts 100 national brands
- TJX estimates $150M class action settlement in release of credit / debit card info
- Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
- Zurich Insurance Plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
- Bank data breach discloses 24K private banking customers
Can this happen to us?
It’s time to start thinking differently about security.
People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers
Data: Structured, Unstructured, At rest, In motion
Applications: Systems applications, Web applications, Web 2.0, Mobile apps
Infrastructure
77% of firms feel cyber-attacks are harder to detect, and 34% have low confidence in their ability to prevent them
75% felt effectiveness would increase with end-to-end solutions
The attack surface for a typical business is growing at an exponential rate
Security Intelligence maturity model (axes: Manual to Automated, Reactive to Proactive)
Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence
Proficient: Security is layered into the IT fabric and business operations
Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting
In this “new normal”, IBM is helping organizations usher in an era of Security Intelligence
Domains: People, Data, Applications, Infrastructure
Security Intelligence: Governance, risk and compliance; Advanced correlation and deep analytics

Optimized
  People: Role based analytics, Identity governance, Privileged user controls
  Data: Data flow analytics, Data governance
  Applications: Secure app engineering processes, Fraud detection
  Infrastructure: Advanced network monitoring, Forensics / data mining, Secure systems

Proficient
  People: User provisioning, Strong authentication, Access monitoring
  Data: Data loss prevention
  Applications: Application firewall, Source code scanning
  Infrastructure: Asset mgmt, Endpoint / network security management

Basic
  People: Centralized directory
  Data: Encryption, Access control
  Applications: Application scanning
  Infrastructure: Perimeter security, Anti-virus

Security Intelligence: Optimize security across domains
GETTING TO SECURITY INTELLIGENCE: A Three Point Plan
GET INFORMED
Take a structured approach to assessing business and IT risks
GET ALIGNED
Implement and enforce security excellence across the extended enterprise
GET SMART
Deploy intelligent controls and analytics within and across key domains
Get Informed: Take a structured approach to assessing business and IT risks
ADDRESSING RISK MANAGEMENT
- Align and integrate IT risk into the business’s Enterprise Risk Management framework
- Identify key threats and compliance mandates
- Implement and enforce a risk management process and common controls framework
- Execute incident management processes when crises occur
Get Aligned: Implement and enforce security excellence across the extended enterprise
EXTENDED ENTERPRISE: Partners, Customers, Regulators, Employees, Auditors
Get Smart: Deploy intelligent controls and analytics within and across key domains
- Complex, low-latency Cybersecurity analytics with InfoSphere Streams
- 21B events per day correlated in Managed Security Services leveraging Cognos
- Identity Governance to help demonstrate compliance
- Next generation network security designed to integrate web, content, and network activity
- Hybrid scanning capabilities from Rational AppScan
- SPSS Predictive Analytics reducing the cost of a client’s audit investigations by 60%
IBM’s unique security expertise and approach…
21 billion events monitored per day
4,000+ managed services customers
10 security development labs
9 security operations centers
6,000+ technical experts
20+ leadership recognitions
2010 Security Company of the Year
SECURITY APPROACH: Get Informed, Get Aligned, Get Smart
UNIQUE EXPERTISE
… is combined with IBM’s depth of capabilities, and with Q1 Labs, IBM will have the most complete portfolio in IT security
Security Consulting, Managed Services, X-Force and IBM Research
IBM Security Portfolio
Domains: People, Data, Applications, Infrastructure
IT Infrastructure – Operational Security Domains

IT Security and Compliance Analytics & Reporting: QRadar SIEM, QRadar Log Manager, QRadar Risk Manager, IBM Privacy, Audit and Compliance Assessment Services

People: Identity & Access Management Suite, Federated Identity Manager, Enterprise Single Sign-On, Identity Assessment, Deployment and Hosting Services

Data: Guardium Database Security, Optim Data Masking, Key Lifecycle Manager, Data Security Assessment Service, Encryption and DLP Deployment

Applications: AppScan Source Edition, AppScan Standard Edition, Security Policy Manager, Application Assessment Service, AppScan OnDemand Software as a Service

Infrastructure (Network): Network Intrusion Prevention, DataPower Security Gateway, QRadar Anomaly Detection / QFlow, Managed Firewall, Unified Threat and Intrusion Prevention Services

Infrastructure (Endpoint): Endpoint Manager (BigFix), zSecure, Server and Virtualization Security, Penetration Testing Services, Native Server Security (RACF, IBM Systems)

Enterprise Governance, Risk and Compliance Management: IBM OpenPages, Algorithmics (recent acquisition), i2 Corporation (recent acquisition)
Let me leave you with 10 thoughts… If X-Force were running the IT Department