TRANSCRIPT
CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE
SIMON CRUMPLIN, FOUNDER & CEO
INFORMATION SECURITY PAINS

- Responsibility without authority; authority without understanding.
- Inventory to manage; business functions to manage.
- Alerts without meaning; threats without context.
- Assets spread across multi-cloud, multi-service environments; breaches, and their cost, increasing.
- Legacy tools are static, vertical and siloed; regulations, and their consequences, increasing.
- Services on bare metal, virtual, container and serverless platforms; business risk increasing.

CISO and business: misaligned.

BUSINESS RISK INTELLIGENCE?
Security has to connect to the business, because it is a business risk.

Bringing anomalous business practices into governance brings control. Embed operational security into IT operations, forming control frameworks that do not inhibit the business.

If we can define normal and reduce the 'noise', we can operate an effective security service and inform the business of the risk that relates to them. This gains accountability in the business for their behaviours.
THE PROBLEM

1. Too much tech; not enough budget for one of everything!
2. What are my risks? EVIDENCE is needed to validate risk.
3. How do we (IT) engage with the business?
4. What is my SOC missing, and why is it so reactive?
5. Which business function is generating the most RISK?
6. Are all these threats RELEVANT?
7. SECURITY is not just about BAD; how do I know what WRONG is?
CLEAR FRAMEWORK TO CATEGORISE AND COMMUNICATE RISK

- Determine priorities for remediation.
- Engage with the business to govern risk.
- Define appropriate response playbooks and SLAs with the business.
- Inform the stage of attack.
- Identify gaps in visibility and control.
- Operate a security service that informs business risk.

Risk categories: Data Movement, User Privilege, Network Communications, Software Configurations, Build.
INCIDENT TIMELINE AGAINST KILL CHAIN

Risk categories / kill chain stages:

- SERVER-01 and SERVER-02 exposed to the internet.
- PC Hunter and SQL installed and run on multiple hosts.
- Brute force attack begins on SERVER-01.
- BIOS account adds other accounts to various privileged groups.
- Ransomware distributed and executed.
- Cylance uninstalled.
- Type 10 and 12 connections from external (Russian and British) IPs.
- Account enumeration conducted by SERVICE account.
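As an added illustration (not part of the slides or the vendor's CRA/SMART tooling) of placing timeline events against the deck's five risk categories and informing the stage of attack, the snippet below classifies the slide's events with simple text rules; the kill-chain stage names (Lockheed Martin Cyber Kill Chain) and the event-to-stage mapping are this example's assumptions, and events no rule covers are reported as a visibility gap.

```python
import re
from collections import Counter

# Assumed kill-chain stage names (Lockheed Martin Cyber Kill Chain), in order.
STAGES = ["Reconnaissance", "Delivery", "Exploitation", "Installation",
          "Command and Control", "Actions on Objectives"]

# (pattern, risk category from the deck, assumed kill-chain stage); first match wins.
RULES = [
    (r"exposed to the internet", "Build", "Reconnaissance"),
    (r"type 10 and 12 connections", "Network Communications", "Delivery"),
    (r"brute force", "User Privilege", "Exploitation"),
    (r"account enumeration", "User Privilege", "Exploitation"),
    (r"installed and run", "Software Configurations", "Installation"),
    (r"adds other accounts to .*privileged groups", "User Privilege", "Installation"),
    (r"uninstalled", "Software Configurations", "Installation"),
    (r"ransomware", "Data Movement", "Actions on Objectives"),
]

# Constructed input: the timeline entries from the slide, as free-text events.
TIMELINE = [
    "SERVER-01 and SERVER-02 exposed to the internet.",
    "PC Hunter and SQL installed and run on multiple hosts.",
    "Brute force attack begins on SERVER-01.",
    "BIOS account adds other accounts to various privileged groups.",
    "Ransomware Distributed and Executed.",
    "Cylance Uninstalled.",
    "Type 10 and 12 connections from external (Russian and British) IP's.",
    "Account enumeration conducted by SERVICE account.",
]

def classify(event):
    """Map one event to (risk category, kill-chain stage); (None, None) if no rule fits."""
    for pattern, category, stage in RULES:
        if re.search(pattern, event, re.IGNORECASE):
            return category, stage
    return None, None

def summarise(events):
    """Furthest stage reached, per-category counts and events the rules did not cover."""
    counts, furthest, unclassified = Counter(), -1, []
    for event in events:
        category, stage = classify(event)
        if category is None:
            unclassified.append(event)  # a gap in visibility: no rule describes this event
            continue
        counts[category] += 1
        furthest = max(furthest, STAGES.index(stage))
    return {"stage_reached": STAGES[furthest] if furthest >= 0 else None,
            "top_category": counts.most_common(1)[0][0] if counts else None,
            "category_counts": dict(counts), "unclassified": unclassified}
```

Running `summarise(TIMELINE)` reports the attack as having reached Actions on Objectives, with User Privilege as the category carrying the most events.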
SMART APPLICATION & CYBER RISK AUDIT

GAINING CONTROL - APPROACH

NEAR INCIDENT RESPONSE (NIR)

SECURE BY DESIGN = OPERATIONALLY SECURE

If we can help people get control of hygiene, posture and operational risk through the CRA process, we can embed security within IT operations rather than as an overlay.

I. Continuous improvement.
II. System admin priorities.
III. Alerting framework to catch misuse.
IV. Benchmarking business functions by risk.
V. Reduction of operational risk.
VI. Reduction of attack surface.
VII. Policy, controls and procedures.
AUDIT APPROACH - CYBER MATURITY JOURNEY

Kill chain / risk categories (NIST 800 / ISO 27002):

|         | IDENTIFY        | PREVENT        | DEFEND      | RESPOND     | RECOVER   |
| DATA    | Tools           | Movement       | Access      | Investigate | Restore   |
| USER    | Rights          | Abuse          | Credentials | Limit       | ACL       |
| NETWORK | Anomalies       | Communications | Services    | Restrict    | Provision |
| SERVICE | RAT             | Creation       | Use         | Control     | Baseline  |
| BUILD   | Vulnerabilities | Exploitation   | Change      | Patch       | Rebuild   |
|         | AUDIT           | INTERPRET      | CONTROL     | REMEDIATE   | POLICY    |
CRA OUTPUT – SMART ANALYTICS

The results are delivered through SMART, our interactive analytics tool, which packages your data by user, host, business unit, operating system, software version, risk category and so on to provide insight into current posture and IT hygiene.
CYBER RISK AUDIT

SCOPE
- CRA ENDPOINT: Endpoint (Workstation & Server); AD Objects (Computer, User & Groups); Anti-Virus Logs.
- CRA NETWORK: Communications (Firewall, IDS, ADDS, DHCP, VPN).
- CRA LIVE: AD Authentication; Communications; External Intelligence; CASB Logs.

OUTPUT
- CRA ENDPOINT & CRA NETWORK: Hosts of Interest (HOI); HOI Remediation; Posture & Hygiene Remediation Work Packages; Policy Remediation & Augmentation; Asset Inventory; Alerting with context for SIEM/SOC; Validation of Current Investments versus Priorities for Security Strategy.
- CRA LIVE: Behaviours; Policy Violations; 3rd Party Risk; Anomalies; Insider / Misuse; Live Data and Analyses; Hygiene Work Packages.
SECURITY OPERATIONS - CONTINUOUS IMPROVEMENT & ASSURANCE

- AUDIT to identify risk, determine posture and compromise.
- REMEDIAL ACTIONS: HOI investigation, hygiene and posture activities and good practice.
- ALERTING FRAMEWORK to inform on reoccurrence.
- AUGMENT SOC/SIEM.
- RE-AUDIT user, network, data movement and policy violation; optional enrichment to monitor behaviour.
- RED TEAM EXERCISES: validation of progress and controls.
WIN A FREE CYBER RISK AUDIT

Drop your business card at the front for a chance to win…

A Gill sailing jacket for all the runners up.
ANY QUESTIONS?
WHAT IS THE SMART APPLICATION?

The SMART application provides insight into: assurance, compliance, posture, standards and hygiene.