2010 05 18 csc webinarcybersecurity 110120072905 phpapp01

Upload: joao-nogueira

Post on 14-Apr-2018


  • 7/29/2019 2010 05 18 Csc Webinarcybersecurity 110120072905 Phpapp01

    1/38

    CSC Webinar Cybersecurity Towards a Strategic Approach on Cyber Risk Page 1

    Cybersecurity

    Toward a Strategic Approach to Cyber Risk

    Andy Purdy

    Chief Cybersecurity Strategist

    May 18, 2010


    Summary

    1 What is the current cyber risk?

    2 Learn lessons from experience.

    3 What approach should we take?

    4 What capabilities do we need?

    5 Risk management for organizations and countries


    What is the current cyber risk?


    What is Cyber?

    Cyber is the ability to operate in cyberspace to achieve the results that you intend and not those intended by your adversaries, competitors or cyber criminals.


    In this brave new world we tread

    November 2002 (Geopolitics): The rise of the botnets. A DDoS attack by an army of citizen "zombie" computers

    April 2004 (Sasser): Widespread outages around the world

    Agence France-Presse (AFP) had its satellite communications blocked, Delta Airlines cancelled several trans-Atlantic flights, If and Sampo Bank closed 130 offices; also impacted Goldman Sachs, Deutsche Post, European Commission, Lund University Hospital

    January 2010 (Google discloses): The NYT, April 2010:

    "losses included one of Google's crown jewels, a password system that controls access by millions of users worldwide to almost all of the company's Web services, including e-mail and business applications"

    Looking into the Future:

    APT / Botnets / Integrity Attacks / Convergence of Threats to Converged Infrastructures


    cheerfully, into the unknown

    4G Wireless Broadband Networks: LTE and WiMAX, 100 Mbit/s on the move and 1 Gbit/s stationary - the world goes wireless

    Tens of billions of devices (smart phones, metering)

    Convergence in technology and infrastructure: sharing same threats

    Voice Video Data: using a common protocol (IP), sharing a common infrastructure, and the risks

    All national infrastructures (energy, transportation) using the same ICT infrastructure

    Threats that transfer between data - video - telephony

    Cloud Computing: A shared ICT infrastructure, shared risks


    Premises

    Experience is only valuable if we learn from it and act on it

    Information sharing is not enough

    A strategic approach to the cyber challenge is essential

    Stakeholder collaboration is critical at each level

    Threat information is important, but risk should be the driver

    Risk management is critical for organizations, nations, and the global information infrastructure


    Summary of Cyber Risk

    The use of innovative technology and interconnected networks in operations improves productivity and efficiency, but also increases the vulnerability to cyber threats if cybersecurity is not addressed and integrated appropriately.

    A spectrum of malicious actors routinely conducts attacks against the cyber infrastructure using cyber attack tools.

    Because of the interconnected nature of the ICT infrastructure, these attacks could spread quickly and have a debilitating effect.


    Learn lessons from experience.


    Industry concerns?

    Data vulnerability due to the sizable increase in data volumes, flows, and interfaces

    System security resulting from converged, automated, and integrated environments

    New devices that may be immature and have security limitations

    Consumer privacy from increased connectivity, devices, and intelligence

    Potential fraud from insufficient tamper protection

    Overall increase in the complexity of a utility's compliance profile

    Adapted from EPRI source image


    Introduction

    Cybersecurity: a National Security Imperative and Global Business Issue

    Nations and critical infrastructure owners and operators are dependent on Cyber for national security, economic well-being, public safety and law enforcement, and privacy.

    Major companies must ensure the resiliency of their operations, protect their reputations and the privacy of their customers, differentiate their brand, and meet compliance obligations.

    Innovative technologies and information assurance strategies must be implemented by government and private companies through fully integrated, end-to-end cyber solutions.


    Secure ICT also Represents

    Technological advantage

    Opportunity to gain competitive advantage

    Opportunity to help shape the global cyber environment in support of US interests

    An exciting field for our emerging technology

    An additional foundation for academic excellence


    What approach should we take?


    A Strategic View of ICT Security

    There is no real separation in cyberspace; we share a common environment with allies, partners, adversaries, and competitors.

    It is important to understand computer network defense, and be informed by exploitation and attack.

    Security is more about architecture and integration than about deployment of more products to build perimeter defenses.


    Public Policy Challenge

    Nations are dependent on cyber for national security, economic well-being, public safety, and law enforcement

    Risk is real but not visible and obvious

    Authority/control is spread among multiple entities in the public and private sectors

    ICT is international

    Individuals and organizations are reactive and tactical, not proactive and strategic

    We do not learn lessons from the past


    Learn Lessons from Experience

    Recognize the value of lessons learned to enhance preparedness

    Systematize after-action processes for exercises AND real-world events

    Take a pro-active, strategic approach to risk

    A robust risk management program can facilitate and prioritize planning, decision-making, and resource allocation

    A strategic approach to ICT risk management should be grounded in architectural, design, and process principles

    Stakeholders should be engaged in the assessment and mitigation of ICT risk, spending on research & development, and cyber incident response and recovery preparedness


    Regulatory Environment: Upcoming Challenges for Private Sector and Critical Infrastructure?

    Legislative perspective: has the private sector done enough to secure their own facilities?

    Executive perspective: concern about government and critical infrastructure relative to cyber threats.

    Power/Utility, transportation, and other critical infrastructure sectors are of significant cyber concern.

    Private sector favors voluntary, private-sector developed standards, incentives, and safe harbor provisions rather than regulations.


    The New Reality

    Global recognition that national health and security is permanently intertwined with the internet.

    National governments across the globe are intending to actively address cybersecurity risks to specified private-sector infrastructures of interest supporting national programs and critical infrastructure segments.

    Examples of the national health and security requirement in evidence:

    Transglobal Secure Collaboration Program (TSCP): voluntary collaborative program (funded by membership contributions)

      Governments: US, UK, Netherlands

      Companies: BAE, Boeing, EADS, Lockheed Martin, Northrop Grumman, Rolls-Royce, Raytheon

    U.S. Defense Industrial Base (DIB): a threshold of capabilities defined by U.S. DoD to protect Controlled Unclassified Information (CUI) used in Defense contracts

      Established and monitored by US DoD (as expressed in the DIB Cyber Security Benchmark and DIB CONOPS)

      One-to-one framework agreements, funded by individual companies

    U.S. Comprehensive National Cybersecurity Initiative (CNCI)

    Activities of the European Network and Information Security Agency (ENISA)


    What capabilities do we need?


    What is missing nationally and internationally?

    What do we need to worry about and what do we need to do about it? We need to:

    know our risk posture,

    identify requirements for addressing that risk that are generated by a public-private collaboration, and

    make it easy to hold stakeholders accountable.


    What is needed nationally and internationally?

    A strategic approach to facilitate public/private collaboration and information sharing to set requirements, and resource, execute, and track progress on:

    ICT risk;

    ICT preparedness;

    Malicious activity and cyber crime; and

    Research and development.


    How should the challenge of ICT risk and preparedness be addressed?

    Stakeholders at the organizational, national, and international levels must work together

    to identify critical functions,

    assess and mitigate risk, and

    plan, and build capacity for, response and recovery

    Use standards to drive risk reduction

    Exercise to identify gaps and improve

    Pursue innovation

    Use this process to identify requirements to drive resource allocation for risk mitigation, response preparedness, and research and development


    Risk management for organizations and countries


    Protecting your Organization, Clients, and Customers

    Use lessons learned from Advanced Persistent Threats (APTs) and other sophisticated attackers to strengthen active defense

    Work in public-private partnerships to strategically collaborate and share information about threat and risk


    Strategic Approach to Malicious Cyber Activity

    An initiative to promote a strategic approach by government (not just law enforcement) and the private sector against malicious cyber activity

    Need to build national and international information sharing capabilities to collect, preserve, analyze, and share information on malicious actors AND enablers using a federated data-sharing model.

    Need good national and international data on cyber crime.


    Government Cyber Security Involvement

    Government needs to help define domestic, EU, and allied ICT interests

    Using those interests, Government needs to create stronger interagency and inter-governmental policy process and policy (guiding principles)

    Collective interests need to be represented consistently in all international fora concerned with global cyber security and cyber governance; if not, global policy and governance may not conform to national and international interests

    Your country, the EU, and its allies need a consistent approach to the ICT risk in critical infrastructure

    Focus on security standards, rather than prescribed processes (i.e., define how secure to be, not how to be secure)

    Recognize that the threat is advanced and dynamic; a cookbook approach will not adapt sufficiently well to such a threat

    Sensitize private sector and public to the threat; recognize that adversaries do not reserve their most advanced technologies for use only against our Government


    Private Sector Role

    Request government to facilitate information exchange and enhanced collaboration.

    What actions are advisable?

    What incentives would help bring those actions about?


    The Model-Portfolio: A Different Way to View the Problem

    An integrated set of capabilities consistent with a model new to the industry, fit-for-purpose to the demands of a complex global problem

    The security stack defines the problem complexity and the sophistication needed in the solution

    Demonstrated ability to scale to the full dimensions of the problem

    Demonstrated ability to leverage our government knowledge, applied to our commercial delivery

    Allows us to see the gaps and determine how we close them


    Making a better case for "Why CSC"

    Cyber security is a core competency of CSC in both commercial and public sectors

    Comprehensive capability: the full range of the security stack

    Cross-leverage what we know between commercial and public sectors

    Commercial Sector and Public Sector capabilities (shown as two columns on the slide):

    SOCs to Fortune 500s

    Defense Industrial Base

    Worldwide presence

    ISO 27001 preparations

    Nation-State Threats

    Groundbreaker

    Forensics training

    Biometric Access

    System Certification

    Physical/Logical Access

    Personnel Quals


    The Security Stack

    A New Idea: The Security Stack as a model for how we present, organize, determine gaps, and integrate. Only CSC and IBM can make this case.

    Diagram labels on the slide: The Exercise of National Sovereignty; Situational Awareness External to the Perimeter; Determine Source, Adjust Defenses; Integrated Security Overlay; Prevent-Detect-Response; Functional Technologies; Assured Systems and Content

    Layer 1 Functional Technologies:

    CMDB

    Whitelisting

    PIV-based biometric access

    Single Sign-On

    Data encryption and key management

    Vulnerability assessment

    Layer 2 Functional Technologies:

    Security Incident/Event Manager

    OOB (out-of-band) managed devices

    Perimeter defenses (firewall)

    Intrusion detection/prevention

    Data Loss Prevention

    Honeypots

    Layer 3 Functional Technologies:

    Worldwide monitoring

    Attestation: adjusting the defenses

    Layer 4 Functional Technologies:

    Ethical hacking integrating government capabilities

    Cyber Security Services:

    Security consulting: understand and manage risk

    Security integration led by solution architects

    Managed Security Services

    Forensics analysis and assessments

    Certification and accreditation

    Security training: cyber experts

    Product and system evaluation (Common Criteria)

    Penetration testing / ethical hacking

    Compliance

    Disaster Recovery / Business Continuity


    CSC Cyber Security Overview (1 of 3)

    More than 1,400 full-time security professionals globally

    Security and compliance services to:

    More than 150 commercial clients globally in more than 40 countries

    Many Fortune 500 companies, including many with PCI compliance

    U.S. federal agencies and many state and local government clients

    Non-U.S. government clients (UK Royal Mail, UK National Health Service)

    Wide range of security offerings:

    Managed Security/SOC services

    Endpoint Protection

    Messaging Security

    Data loss prevention

    Compliance Monitoring/Enforcement

    Vulnerability, Risk and regulatory assessments

    Forensic and Investigative Response

    Identity and Access management and biometrics

    Security engineering, integration, and testing

    Disaster recovery and business continuity


    CSC Cyber Security Overview (2 of 3)

    SSE-CMM Level 4 Information Security Practices, assessed by an independent third party

    Defense Security Service (DSS) Cogswell Award for 5 of the past 10 years

    Achieved ISO 27001 certification for the CSC-managed EPA security program

    Many CSC data centers and service delivery centers achieved third-party ISO 27001 certification

    Major provider of vulnerability assessments, risk assessments and security accreditation services to Federal agencies

    Active SAS 70 audit program

    Operates DoD Cyber Investigative Training Academy

    Biometric engineering services to DoD

    Operates certified Common Criteria Test Laboratories in the U.S., Australia and Germany under ISO 15408

    Operates FIPS 140-2 NVLAP-accredited Cryptographic Module Test Laboratory


    CSC Security Operations Centers (SOCs) (3 of 3): Managed Security Services Delivery around the Globe in all Regions

    Commercial SOC Operations:

    North America (Newark, DE): 33 customers

    UK (Chesterfield): 15 customers

    Australia (Sydney): 9 customers

    India (Hyderabad): 17 customers

    Malaysia and Hong Kong: 2 customers

    U.S. Federal SOC/CERT/CSIRT Support: Defense Information Systems Agency (DISA), U.S. Air Force, U.S. Army, Dept. of Homeland Security, EPA, NOAA

    Monitor and manage thousands of security devices worldwide:

    Network/Host IDS/IPS

    Audit Log Storage/Monitoring

    Security Event Management

    Security Incident Response Services

    Technical Compliance Monitoring

    Vulnerability Scanning and Alerting

    End Point Security Management

    Managed Encryption Services

    Data Loss Prevention

    Forensic Response

    Consistent and effective 7x24 security monitoring, detection, response and recovery

    SOC locations shown on the slide map: Sydney, Australia; Hyderabad, India; Chesterfield, UK; Newark, DE; Marlton, NJ; Annapolis Junction, MD; Kuala Lumpur; Hong Kong


    Representative Cyber Security Clients

    Public Sector: Internal Revenue Service, FAA, USDA, Dept. of Education, Environmental Protection Agency, Dept. of Energy, Department of Homeland Security, Australian Department of Immigration and Citizenship, Prime Minister and Cabinet, Department of the Attorney General and Transport Accident Commission; Canadian Treasury Board Secretariat, Communications Security Establishment Canada, Public Safety Canada, Canada Revenue Agency, Transport Canada, DISA, DCITA, U.S. Army, U.S. Navy, U.S. Marine Corps, U.S. STRATCOM, Office of the Secretary of Defense, Biometric Fusion Center, U.K. Ministry of Defence, Danish Ministry of Defence

    Aerospace & Defense: Textron, Raytheon, Boeing, Hawker Beechcraft, UTC, General Dynamics, Spirit Aerospace

    Financial and Insurance Services: Allianz, AMP, Dun & Bradstreet, Maybank, Toyota Financial Services, Zurich, PartnerRe, IMB, GE Capital

    Retail & Distribution: Coles, Myer, David Jones, Estee Lauder, Cargill, Astro

    Travel & Transportation: Railcorp, Bombardier

    Health Services: National E-Health Transition Authority, University of Pennsylvania Health Systems, UK National Health Service, Nobel Biocare, Ascension Health, Consolidated Medicaid/Medicare (CMS), Virginia and North Carolina Medicare/Medicaid Information Systems, eMed of New York, Stellaris Health

    Manufacturing: BlueSteel, OneSteel, Delphi, Chrysler, Freescale, Westinghouse, Motorola, Nissan, Xerox, Bombardier

    Chemical, Energy & Natural Resources: Powercor, BHPB, Rio Tinto, Alcoa, Woodside Petroleum, Newmont Mining, Shell, DuPont, BHP Billiton Petroleum, Watercorp, Western Power, Exelon, Basell, Invista, Anglian Water, National Grid, Urenco, BNFL


    CSC Strategic Security Partners

    CSC's formal partnership with leading security vendors

    Special discounts on industry-leading security tools

    Responsive procurement

    Insight into emerging security technology

    Increase depth of managed security services

    Partner logos on the slide link to: Microsoft (http://www.microsoft.com/learning), IBM (http://www.ibm.com/us/en/), Cisco (http://www.cisco.com/en/US/hmpgs/index.html), EMC (http://www.emc.com/index.jsp), McAfee (http://www.mcafee.com/), Symantec (http://www.symantec.com/index.jsp)

    Thank you for your attention!

    Contact: Andy Purdy

    Chief Cybersecurity Strategist

    [email protected]

    [email protected]


    Further webinars

    15 June 2010 / 15:30-16:30 / Societal Change

    "Doing Social Media: Tips & Tricks for Planning and Execution" (original German title: "Social Media machen - Tipps & Tricks zur Planung und Durchführung")

    Source: www.de.csc.com
