CYBERSECURITY STRATEGY: A REAL WORLD APPROACH Jim Rutt CTO Dana Foundation February 24, 2016

Upload: james-rutt

Post on 15-Apr-2017


Page 1: Cybersecurity-Real World Approach FINAL 2-24-16

CYBERSECURITY STRATEGY: A REAL WORLD APPROACH
Jim Rutt, CTO, Dana Foundation
February 24, 2016

Page 2

MY BACKGROUND

• 20 years in technology
• Wide vertical experience in Finance, Healthcare, Pharmaceutical and Nonprofit.
• Plenty of experience in the practical and governance side of security, including major incident response (9/11, 2003 power outage, 2 hurricanes, and miscellaneous breaches).

Page 3

WE LIVE IN DIFFERENT TIMES

• Defense in depth alone won’t work; there is no more border to defend thanks to the rise of cloud and smartphones.
• FUD will only get you so much budget leeway; we have to get smarter with empirical metrics and data to win the resources we need.
• Education of the end user is one of the most important facets of a cybersecurity strategy, yet there are limits to efficacy here.
• It’s time to stop putting toothpaste back in the tube after it’s been squeezed out (audit remediation of post-production deployments).
• You need to prepare now to justify the tools coming out in 1-3 years: skating to where the puck is going, not where it has been.

Page 4

4 BROAD TYPES OF SECURITY INCIDENTS

• Natural Disaster (9/11, 2003 Power Outage)
• Malicious Attack
• Internal Attack
• Human Error (Unintentional)

Page 5

IT’S MORE THAN JUST AN “I.T.” PROBLEM

1) “It’s an IT problem”
2) It’s not worth the time to explain to executive management
3) Most of the investment is pure technology
4) You can’t measure ROI
5) Cybersecurity is a one-time project
6) Policies alone will CYA

Page 6

DIFFERENCE BETWEEN “INFORMATION SECURITY” AND “CYBERSECURITY”

• The chief difference is really in the vertical used (gov’t vs. finance vs. healthcare).
• Information security also encompasses non-digital media, which doesn’t exactly fall under cybersecurity.
• Barring those differences, the two terms have become interchangeable in the public vernacular.

Page 7

STRATEGY FOR CYBERSECURITY PROGRAM MANAGEMENT

1. Review of relevant legislation
2. Define benefits and get executive management support
3. Choose a framework
4. Organize implementation
5. Risk assessment
6. Implementation of defensive measures
7. Training and awareness

Page 8

1. LEGISLATION

• For VNS, most likely HIPAA is the primary concern.
• Primarily concerned with the protection of PHI.
• Along with the HITECH Act, lays out timelines for communication of breaches.
• Wealth of information/templates to cover most of the salient points needed for compliance (NOREX).
• Long-time focus in the payer community, so heightened awareness gives credibility to all regulatory efforts that you drive.

PRACTICAL APPLICATION:
• Engage NOREX to fill policy and template gaps (better than writing from scratch).
• 3rd party sources on regulatory subjects.
• Engage internal audit AT THE START OF PROJECTS, NOT WHEN PRODUCTION IS EXPOSED.
• Coordinate with in-house compliance and risk executives to close remaining gaps.

Page 9

2. EXECUTIVE SUPPORT

• You’ll need resources to execute (some great tools you’ll see today!)
• You need to be able to talk their language, not the Vulcan we speak.
• Our internal metrics aren’t on your typical executive’s radar!

PRACTICAL APPLICATION:
• Build cybersecurity-related processes into business processes to show direct correlation (and, by proxy, justification).

Page 10

3. CHOOSE FRAMEWORK

• Many frameworks available (ITIL, ISO 27001, COBIT, NIST SP 800, etc.)
• ISO 27001 is a good framework for those not bound by any conflicting regulatory requirements.
• Provides a defensive posture for both internal and external audit functions.
• Key is to keep it simple enough but provide a structure to show governance.

PRACTICAL APPLICATION:
• I’ve found ISO 27001 easier to follow than ITIL in my experience. Quicker time to implementation. Free starter toolkits at http://www.iso27001security.com/html/toolkit.html
• Formal certification is not necessary in all cases.

Page 11

4. ORGANIZE IMPLEMENTATION

• Basic project management of your cybersecurity strategy, using the framework of your choice as your project plan.
• Budget properly for time and human resources. Straightforward.
• Basic PMP 101.

PRACTICAL APPLICATION:
• Identifying budgetable items and tying them directly to framework deliverables speeds approval of said line items (especially using an ISO standard framework) because of the implied justification.
• Tools available (ex: ISO 27001 toolkit from previous slide).
• ROSI (Return on Security Investment) calculator: http://advisera.com/27001academy/free-tools/free-return-security-investment-calculator/

Page 12

5. RISK ASSESSMENT

• Essentially you are identifying those risks that are tolerable and those that must be eliminated. Not all risk can or should be eliminated.
• A risk matrix can be used in conjunction with framework items, at a minimum, to address known risks and grade their severity.

PRACTICAL APPLICATION:
• There are dozens of risk matrix templates out there, but a good risk matrix I’ve modeled my work after: http://anahiayala.com/2011/12/14/crisis-mapping-and-cybersecurity-part-ii-risk-assessment/
• Vendor rating (partner relationships/“supply chain”): companies like RiskRecon can give great insight on trustworthiness and risk assessment for your upstream/downstream partnerships.
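A worked example of the scoring the risk assessment slide describes, tied to the ROSI calculator from the previous slide; this is added here and is not part of the presentation. Each risk gets a likelihood × impact score from a 5x5 matrix, scores above a tolerance line are treated rather than accepted, and a ROSI check (assumed formula: (ALE × mitigation − control cost) / control cost, with ALE = SLE × ARO) flags a mapped control that costs more than the loss it avoids. The register entries, ratings, dollar figures and control names are all constructed.

```python
from dataclasses import dataclass

# 5x5 risk matrix: likelihood and impact are each rated 1..5, so the score runs
# 1..25; bands are (highest score in band, label).
RATING_BANDS = [(5, "low"), (10, "medium"), (16, "high"), (25, "critical")]
TOLERANCE = 10  # scores at or below this are accepted; above it must be treated

@dataclass
class Risk:
    name: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    sle: float           # single loss expectancy, dollars per occurrence
    aro: float           # annualized rate of occurrence
    control: str         # framework deliverable the treatment is tied to
    control_cost: float  # annual cost of that control
    mitigation: float    # fraction of expected loss the control removes

def score(r: Risk) -> int:
    return r.likelihood * r.impact

def rating(s: int) -> str:
    return next(label for ceiling, label in RATING_BANDS if s <= ceiling)

def rosi(r: Risk) -> float:
    # ALE = SLE x ARO; ROSI = (ALE x mitigation - cost) / cost
    return (r.sle * r.aro * r.mitigation - r.control_cost) / r.control_cost

def decide(r: Risk) -> str:
    # Accept tolerable risks; treat the rest, but flag a control that costs
    # more than the loss it avoids so a cheaper treatment (or transfer) is sought.
    if score(r) <= TOLERANCE:
        return "accept"
    return "treat" if rosi(r) > 0 else "review: control costs more than it saves"

def assess(risks):
    # One row per register entry: (name, score, rating, ROSI, decision)
    return [(r.name, score(r), rating(score(r)), round(rosi(r), 2), decide(r))
            for r in risks]

# Constructed register entries; ratings, dollar figures and controls are illustrative.
PHISHING = Risk("Phishing leading to credential theft", 4, 4, 50_000, 2.0,
                "awareness training + MFA", 20_000, 0.7)
LOST_LAPTOP = Risk("Lost laptop with encrypted disk", 3, 2, 5_000, 1.0,
                   "asset inventory + remote wipe", 3_000, 0.5)
OUTAGE = Risk("Primary site outage", 3, 5, 200_000, 0.2,
              "secondary DR site", 60_000, 0.9)
REGISTER = assess([PHISHING, LOST_LAPTOP, OUTAGE])
```

The outage row shows the slide’s point that not every risk should be eliminated as scored: it sits above the tolerance line, yet the proposed control has a negative ROSI, so the treatment itself needs rework before it goes into the budget.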

Page 13

6. IMPLEMENTATION OF DEFENSIVE MEASURES

• You need to be searching out the most advanced tools and the newest technologies to at least stay on par with the ever-evolving threats persistent in the wild.
• A broader view is required, as there are no borders as in the past. Defense in depth strategies alone are not enough.
• Incident response/BC/DR should be practiced regularly.

PRACTICAL APPLICATION:
• Our move to a 100% cloud-based infrastructure has offloaded a number of risk variables onto the respective providers. Tremendous cost and time savings compared with self-remediation of garden-variety risk-based issues.
• Examples of actual tools we’ve adopted are at the end of this presentation.

Page 14

7. TRAINING AND AWARENESS

• As stated before, end users are the weakest link in the chain of cybersecurity program management.
• Key is not to overwhelm, but to promote awareness.
• End users are already overwhelmed by the rate of change in technology in general, and they are fearful for their livelihoods as this change progresses.
• Wherever possible, you have to adopt the posture of protecting your end user base from themselves. They aren’t always equipped to cover all the gaps themselves.

PRACTICAL APPLICATION:
• We are looking into using gamification as a means to keep security awareness at the forefront of end-user computing activities without “shoving it down their throats”.
• Phishing-type programs have some impact, but I question the ROI on these.
• “Think before you Click” campaigns are much more effective (and cheaper).

Page 15

[Diagram of the Dana environment; only its labels survived extraction, in slide order: Dana, iLand, Ektron Hosting, AD Hosting, Salesforce, FC Base Product, Portals, UCD Supporting Apps, Linkpoint, Drawloop, Docusign, Timesheets (summer 2016), Base Licenses, User, SFC, Okta, Office 365, Exchange, Sharepoint, Yammer, Zendesk, Egnyte, Security, Ensilo, Vera, Skycure, Netskope, Menlo Security, Azure, GP, Papersave.]

Page 16

NETSKOPE: SEPTEMBER 2014

• Cloud Access Security Broker.
• Policy-based enforcement.
• Also great for understanding what other SaaS/PaaS applications (other than corporate sanctioned) are used/preferred by constituents.
• Beginnings of cloud-based DLP for Dana.

Page 17

MENLO SECURITY: JANUARY 2015

• Proxy-based content isolation.
• Prevents rogue content/malware from being directly rendered.
• Zero impact on end users.
• Policy enforcement built-in.
• Traditional content filtration also built-in.

Page 18

VERA: NOVEMBER 2014

• File-based access control.
• Can be enforced organization-wide or ad hoc.
• MOST IMPORTANT: Allows tracking of content as it moves outside your control.

Page 19

ENSILO: SEPTEMBER 2015

• Real-time exfiltration prevention platform.
• Endpoint-based.
• Very easy to deploy.
• In lab tests, stopped every piece of ransomware and APT we threw against it.

Page 20

THE END