cybersecurity-real world approach final 2-24-16
TRANSCRIPT
CYBERSECURITY STRATEGY: A REAL WORLD APPROACHJim RuttCTODana FoundationFebruary 24, 2016
MY BACKGROUND• 20 Years in technology•Wide vertical experience in Finance, Healthcare, Pharmaceutical and Nonprofit.• Plenty of experience in the practical and governance side of security including major incident response (9/11, 2003 power outage, 2 hurricanes, and miscellaneous breaches.)
WE LIVE IN DIFFERENT TIMES• Defense in depth alone won’t work, there is no more border to defend
thanks to the rise of cloud and smartphones.• FUD will only get you so much budget leeway, we have to get smarter
with empirical metrics and data to win the resources we need.• Education of the end user is one of the most important facets of a
cybersecurity strategy, yet there are limits to efficacy here.• Its time to stop putting toothpaste back in the tube after its been
squeezed out (audit remediation post-production deployments)• You need to prepare now to justify the tools coming out in 1-3 years-
skating to where the puck is going, not where it has been.
4 BROAD TYPES OF SECURITY INCIDENTS
•Natural Disaster (9/11, 2003 Power Outage)•Malicious Attack• Internal Attack•Human Error (Unintentional)**
ITS MORE THAN JUST AN “I.T.” PROBLEM
1) “Its an IT Problem”2) Its not worth the time to explain to executive management3) Most of the investment is pure technology4) You can’t measure ROI5) Cybersecurity is a one-time project6) Policies alone will CYA
DIFFERENCE BETWEEN “INFORMATION SECURITY” AND “CYBERSECURITY”
• Chief difference is really in vertical used (gov’t vs. finance vs. healthcare)• Information security also encompasses non-digital media which doesn’t exactly fall under cybersecurity.• Barring those differences, the two terms have become interchangeable in the public vernacular.
STRATEGY FOR CYBERSECURITY PROGRAM MANAGEMENT
1. Review of relevant legislation2. Define benefits and get executive management support3. Choose a framework4. Organize implementation5. Risk Assessment6. Implementation of Defensive Measures7. Training and Awareness
1. LEGISLATION• For VNS, most likely HIPAA is the primary concern.• Primarily concerned with the protection of PHI.• Along with HITECH Act, lays out timelines for communication of breaches • Wealth of information/templates to cover most of the salient points needed for
compliance. (NOREX)• Long-time focus in the payer community so heightened awareness gives credibility
to all regulatory efforts that you drive.• PRACTICAL APPLICATION:
• Engage NOREX to fill policy and template gaps (better than writing from scratch)• 3rd party sources on regulatory subjects.• Engage internal audit AT START OF PROJECTS, NOT WHEN PRODUCTION IS EXPOSED.• Coordination with in house compliance and risk executives to close remaining gaps.
2. EXECUTIVE SUPPORT• You’ll need resources to execute (some great tools you’ll see today!)• You need to be able to talk their language, not the Vulcan we speak.• Our internal metrics aren’t on your typical executives radar!
PRACTICAL APPLICATION:• Use implementation of cybersecurity related processes into business
process to show direct correlation (and by proxy justification)
3. CHOOSE FRAMEWORK
• Many frameworks available (ITIL, ISO 27001, COBIT,NIST SP 800, etc)• ISO 27001 is a good framework for those not bound by any conflicting regulatory
requirements.• Provides defensive posture for both internal and external audit functions.• Key is to keep it simple enough but provide a structure to show governance.
PRACTICAL APPLICATION:• I’ve found ISO 27001 easier to follow then ITIL in my experience. Quicker time to
implementation. Free starter toolkits at http://www.iso27001security.com/html/toolkit.html
• Formal certification is not necessary in all cases.
4. ORGANIZE IMPLEMENTATION• Basic project management of your cybersecurity strategy, using the framework of
your choice as your project plan.• Budget properly from a time and human resource. straightforward.• Basic PMP 101.PRACTICAL APPLICATION:• Identifying budgetable items and tying directly to framework deliverables speeds
approval of said line items (especially using an ISO standard framework) because of the implied justification.
• Tools available (ex: ISO 27001 from previous slide).• ROSI(Return on Investment) calculator:
http://advisera.com/27001academy/free-tools/free-return-security-investment-calculator/
5.RISK ASSESSMENT• Essentially you are identifying those risks that are tolerable and those that must be
eliminated. Not all risk can or should be eliminated.• Use of a risk matrix can be used in conjunction with framework items at a minimum to
address know risks and grade their severity.
PRACTICAL APPLICATION:• There are dozens of risk matrix templates out there, but a good risk matrix I’ve
modeled my work after: http://anahiayala.com/2011/12/14/crisis-mapping-and-cybersecurity-part-ii-risk-assessment/
• Vendor rating (partner relationships/”supply chain”): companies like RiskRecon can give great insight on trustworthiness and risk assessment for your upstream/downstream partnerships.
6.IMPLEMENTATION OF DEFENSIVE MEASURES
• You need to be searching out the most advanced tools and the newest technologies to at least stay on par with the ever evolving threats persistent in the wild.
• A broader view is required as there are no borders as in the past. Defense in depth strategies alone are not enough.
• Incident response/BC/DR should be practiced regularly.PRACTICAL APPLICATION:• Our move to a 100% cloud-based infrastructure has offloaded a number of
risk variables onto respective providers. Tremendous cost and time savings from self-remediation of garden-variety risk-based issues.
• Examples of actual tools we’ve adopted are at the end of this presentation.
7. TRAINING AND AWARENESS• As stated before, end users are the weakest link in the chain of cybersecurity
program management.• Key is not to overwhelm, but to promote awareness• End users are already overwhelmed by the rate in change in technology in general,
and they are fearful for their livelihoods as this change progresses..• Wherever possible, you have to adopt the posture of protecting your end user base
from themselves. They aren’t always equipped to cover all the gaps themselves.PRACTICAL APPLICATION:• We are looking into using gamification as a means to keep security awareness at the
forefront of end-user computing activities without “shoving it down their throats” • Phishing-type programs have some impact, but I question the ROI on these.• “Think before you Click” campaigns are much more effective (and cheaper).
Dana
iLand
Ektron Hosting
AD Hosting
Salesforce
FC
Base Product
Portals
UCD Supporting Apps
Linkpoint
Drawloop
Docusign
Timesheets (summer
2016)
Base Licenses
User
SFC
Okta Office 365
Exchange
Sharepoint
Yammer
Zendesk Egnyte Security
Ensilo
Vera
Skycure
Netskope
Menlo Security
Azure
GP
Papersave
NETSKOPE: SEPTEMBER 2014• Cloud Security Access Broker.• Policy based enforcement.• Also great for understanding
what other SaaS/PaaS applications (other than corporate sanctioned) are used/preferred by constituents.
• Beginnings of cloud based DLP for Dana.
MENLO SECURITY: JANUARY 2015• Proxy-based Content
Isolation.• Prevents rogue/malware from
being directly rendered.• Zero impact on end users.• Policy enforcement built-in.• Traditional Content filtration
also built-in.
VERA: NOVEMBER 2014• File based access control.• Can be enforced
organization wide or ad hoc.
• MOST IMPORTANT: Allows tracking of content as it moves outside your control.
ENSILO: SEPTEMBER 2015• Real-time, exfiltration
prevention platform.• Endpoint based.• Very easy to deploy.• In lab tests, stopped every
piece of ransomware and APT we threw against it.
THE END