Welcome HITRUST 2014 Conference April 22, 2014

Upload: tariq

Post on 25-Feb-2016


DESCRIPTION

Welcome HITRUST 2014 Conference April 22, 2014. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Welcome HITRUST 2014 Conference April 22, 2014

Welcome

HITRUST 2014 Conference, April 22, 2014

Page 2: Welcome HITRUST 2014 Conference April 22, 2014

The Evolving Information Security Organization – Challenges and Successes

Jason Taule, Chief Security and Privacy Officer, FEi Systems (Moderator)

Robert Booker, Vice President and Chief Information Security Officer, UnitedHealth Group

Erick Rudiak, Information Security Officer, Express Scripts

Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, WellPoint

Omar Khawaja, Vice President and Chief Information Security Officer, Highmark

Page 3: Welcome HITRUST 2014 Conference April 22, 2014
Page 4: Welcome HITRUST 2014 Conference April 22, 2014
Page 5: Welcome HITRUST 2014 Conference April 22, 2014
Page 6: Welcome HITRUST 2014 Conference April 22, 2014
Page 7: Welcome HITRUST 2014 Conference April 22, 2014
Page 8: Welcome HITRUST 2014 Conference April 22, 2014
Page 9: Welcome HITRUST 2014 Conference April 22, 2014
Page 10: Welcome HITRUST 2014 Conference April 22, 2014
Page 11: Welcome HITRUST 2014 Conference April 22, 2014
Page 12: Welcome HITRUST 2014 Conference April 22, 2014
Page 13: Welcome HITRUST 2014 Conference April 22, 2014
Page 14: Welcome HITRUST 2014 Conference April 22, 2014
Page 15: Welcome HITRUST 2014 Conference April 22, 2014
Page 16: Welcome HITRUST 2014 Conference April 22, 2014

Chief Information Security Office

HITRUST 2014 Conference

The Evolving Information Security Organization

Challenges and Successes

Tuesday – April 22, 2014

Roy R. Mellinger, CISSP – ISSAP, ISSMP, CIM

Vice President, IT Security

Chief Information Security Officer

Page 17: Welcome HITRUST 2014 Conference April 22, 2014


The Evolving Information Security Organization

(Diagram: maturity stages of the security organization)

Enterprise Risk Management – Security Viewed as a Business Enabler

Translating Business Needs into Security Requirements

Translating Security Requirements into Technical Security Controls

Operating Technical Security Controls

Risk

Operational Compliance

Security Threat Management

IT Compliance

IT Risk

Enterprise Risk

Fighting Fires

Containing Fires

Anticipating Fires

Preventing Fires

Page 18: Welcome HITRUST 2014 Conference April 22, 2014


The Evolving Information Security Organization

CYBER THREAT MANAGEMENT

24x7 Security Operations Center (SOC)

End to End DLP (Data Loss Prevention) Strategy

Tracking of Malware Threats and Coding Techniques

Effective Firewalls, IDS / IPS Strategy Implementations

Effective Security and Event Log Management & Monitoring

Robust Safeguarding Policies, Programs and Processes

Page 19: Welcome HITRUST 2014 Conference April 22, 2014


The Evolving Information Security Organization

Hacking Now

Automated / Sophisticated Malware

Hacktivism – Freedom of Speech, Statements to Influence Change, Sway Public Opinion and Publicize Views

Criminal – Drug Cartels, Domestic and Foreign Organized Crime for Identity Theft and Financial Fraud

Espionage – IP, Business Intelligence, Technology, Military / Political Secrets

Terrorism – Sabotage, Disruption and Destruction

Nation-State – Intelligence Gathering, Disruptive Tactics, Clandestine Ops, Misinformation, Warfare Strategies, and Infrastructure Destruction

Individual or Computer Clubs / Groups – Manual efforts with Social Engineering

Success = Badge Of Honor

Personal Monetary Gain or to pay for / fund hacking activity

Hacking Then

War Protesting and Civil Disobedience

Anti-Establishment Rhetoric

Social Rebels and Misfits

FRINGE . . . . . . 30 YEARS . . . . . . MAINSTREAM

Page 20: Welcome HITRUST 2014 Conference April 22, 2014


The Evolving Information Security Organization

Initial Compromise — spear phishing via email, planting malware on a target website or social engineering.

Establish Foothold — plant administrative software and create back doors to allow for stealth access.

Escalate Privileges — use exploits and password cracking tools to gain privileges on victim computer and network.

Internal Reconnaissance — collect info on network and trust relationships.

Move Laterally — expand control to other workstations and servers. Harvest data.

Maintain Presence — ensure continued control over access channels and credentials acquired in previous steps.

Complete Mission — exfiltrate stolen data from victim's network.

Page 21: Welcome HITRUST 2014 Conference April 22, 2014


The Evolving Information Security Organization

Cyber Threat Management: Conventional Approach vs. Paradigm Shift

Controls Coverage
  Conventional Approach: Protect ALL information assets
  Paradigm Shift: Protect your MOST IMPORTANT assets (Crown Jewels) based on risk assessments

Controls Focus
  Conventional Approach: Preventive Controls (anti-virus, firewalls, intrusion prevention, etc.)
  Paradigm Shift: Detective Controls (monitoring, behavioral logic, data analytics)

Perspective
  Conventional Approach: Perimeter Based
  Paradigm Shift: Data Centric

Goal of Logging
  Conventional Approach: Compliance Reporting
  Paradigm Shift: Threat Detection

Security Incident Management
  Conventional Approach: Piecemeal – Find and neutralize malware or infected nodes
  Paradigm Shift: BIG PICTURE – Find and dissect attack patterns to understand threat

Threat Management
  Conventional Approach: Collect information on Malware
  Paradigm Shift: Develop a deep understanding of attackers' targets and modus operandi related to YOUR org's network and information assets

Success Defined By
  Conventional Approach: No attackers get into the network
  Paradigm Shift: Attackers sometimes get in; BUT are detected as early as possible and impact is minimized
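The slide above contrasts logging for compliance reporting with logging for threat detection, and page 20 lists the lifecycle stages (credential abuse during privilege escalation, then lateral movement) that detective controls are meant to catch early. The following script is an added example, not material from the slides or from any presenter's organization: it runs a compliance-style count and two behavioral detections over the same constructed authentication log. The log format, host names, user names, time windows and thresholds are all assumptions made for the example.

```python
"""Detective controls over authentication logs: the same events serve a
compliance count and a threat-detection correlation. Added example; all
log lines, host names, users and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One event per line:
# <ISO timestamp> <user> <source host> <destination host> LOGON_OK|LOGON_FAIL
SAMPLE_LOG = """\
2014-04-22T09:00:01 alice ws-101 fs-01 LOGON_OK
2014-04-22T09:05:12 bob ws-102 fs-01 LOGON_OK
2014-04-22T09:10:00 svc-backup ws-107 fs-01 LOGON_FAIL
2014-04-22T09:10:03 svc-backup ws-107 fs-01 LOGON_FAIL
2014-04-22T09:10:06 svc-backup ws-107 fs-01 LOGON_FAIL
2014-04-22T09:10:09 svc-backup ws-107 fs-01 LOGON_FAIL
2014-04-22T09:10:12 svc-backup ws-107 fs-01 LOGON_FAIL
2014-04-22T09:10:15 svc-backup ws-107 fs-01 LOGON_OK
2014-04-22T09:12:00 svc-backup ws-107 fs-02 LOGON_OK
2014-04-22T09:12:30 svc-backup ws-107 db-01 LOGON_OK
2014-04-22T09:13:00 svc-backup ws-107 ws-110 LOGON_OK
2014-04-22T09:13:20 svc-backup ws-107 ws-111 LOGON_OK
2014-04-22T09:14:00 svc-backup ws-107 ws-112 LOGON_OK
2014-04-22T10:30:00 alice ws-101 mail-01 LOGON_OK
2014-04-22T11:00:00 carol ws-103 fs-02 LOGON_OK
"""

def parse_log(text):
    """Turn the whitespace-separated lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "ok": result == "LOGON_OK"})
    return events

def compliance_summary(events):
    """Conventional goal of logging: totals for a report. Accurate, but it
    cannot tell five typos from a credential-guessing run."""
    return {"total": len(events),
            "failures": sum(1 for e in events if not e["ok"])}

def _by_actor(events):
    """Group events by (user, source host), each group in time order."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["src"])].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
    return groups

def detect_guess_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Flag >= min_failures failed logons followed by a success from the same
    (user, source) inside `window`: credential abuse that a plain failure
    count would not distinguish from mistyped passwords."""
    findings = []
    for (user, src), evs in _by_actor(events).items():
        fails = []
        for e in evs:
            if not e["ok"]:
                fails.append(e["ts"])
                continue
            recent = [t for t in fails if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                findings.append({"rule": "guess_then_success", "user": user,
                                 "src": src, "dst": e["dst"],
                                 "failures": len(recent)})
            fails = []  # a success closes the failure run
    return findings

def detect_lateral_movement(events, min_hosts=4, window=timedelta(minutes=10)):
    """Flag a (user, source) that successfully reaches >= min_hosts distinct
    destinations within `window`: one workstation fanning out across servers
    is the 'Move Laterally' stage, which no compliance metric exposes."""
    findings = []
    for (user, src), evs in _by_actor(events).items():
        ok = [e for e in evs if e["ok"]]
        for i, start in enumerate(ok):
            hosts = {e["dst"] for e in ok[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings.append({"rule": "lateral_movement", "user": user,
                                 "src": src, "hosts": sorted(hosts)})
                break  # one finding per actor is enough for triage
    return findings

def analyze(text):
    """Run both views over the same log: the report and the detections."""
    events = parse_log(text)
    return {"summary": compliance_summary(events),
            "findings": detect_guess_then_success(events)
            + detect_lateral_movement(events)}

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run as a script it prints both views of the constructed log: the summary reports 15 logons and 5 failures, which is all a compliance report would say, while the detections name the workstation whose service account guessed its way onto a file server and then touched six hosts in under five minutes. The thresholds are deliberately parameters, because the right window and host count depend on how a given environment's administrators and service accounts normally behave.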

Page 22: Welcome HITRUST 2014 Conference April 22, 2014

Omar Khawaja

April 23, 2014

The Evolving Information Security Organization – Challenges and Successes

Page 23: Welcome HITRUST 2014 Conference April 22, 2014


Who is Highmark?

Page 24: Welcome HITRUST 2014 Conference April 22, 2014

Risk is increasing

• Our information is increasing in value…
  • More data (EMRs)
  • More collaboration (ACOs)
  • More regulation (FTC)

• Our weaknesses are increasing…
  • More suppliers (Cloud)
  • More complexity (ACA)

• Opportunities to attack are increasing…
  • More access (consumer portals)
  • More motivated attackers

• Becoming increasingly difficult to secure
  • Multiple Compliance Requirements
  • Evolving Compliance Requirements
  • Unclear Compliance Requirements
  • Less visibility
  • Less control

(Diagram: (Assets X Vulnerabilities X Threats) - Controls)

Page 25: Welcome HITRUST 2014 Conference April 22, 2014

Security org needs to evolve

From…

• Explaining the "what"

• Growing the security org

• Creating more security processes

• Telling them what to do

• Protecting everything equally

• Measuring what matters to security org

To…

• Explaining the "why"

• Growing security in the org

• Making security part of more processes

• Assisting them with their job

• Differentiated controls

• Reporting on what matters to audience

Page 26: Welcome HITRUST 2014 Conference April 22, 2014

Questions?