Risk Management in New Environments

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Risk Management in New Environments. Karen Gaines, HP Security Services

Upload: hp-enterprise

Post on 25-Dec-2014

Category:

Technology


DESCRIPTION

Presentation given by Karen Gaines, Sales Executive, HP Enterprise Security Services, at the Cybersecurity Event 2014 organized by IDC

TRANSCRIPT

Page 1: Risk Management in New Environments

Risk Management in New Environments

Karen Gaines

HP Security Services

Page 2: Risk Management in New Environments

Page 3: Risk Management in New Environments

Online Growth

Page 4: Risk Management in New Environments

Online Growth

2010

32.7% online 2,270,000,000

Page 5: Risk Management in New Environments

Online Growth

2020

60% online 4,800,000,000

Page 6: Risk Management in New Environments

50 billion devices

Smart Cities

Connected People

Automated Homes

Page 7: Risk Management in New Environments

50 billion devices

Smart Cities

Connected People

Automated Homes

Connected Individuals

Internet Effect

Page 8: Risk Management in New Environments

We create a huge amount of data…

Page 9: Risk Management in New Environments

Cyber Altruism Individuals and groups driven by their social conscience, hacktivism, whistleblowing

Loss/Stolen Data Rise of CyberCrime Professional Hacktivism Advanced Persistent Threat

Timeline axis: 2003 to 2014

StuxNet 2010

AOL 2010

TJ Maxx 2010

UK Revenue & Customs 2006

Heartland 2009

Evernote 2013

NASA Shuttle Plans Dec 2006

Estonia Dark May 2007

Buckshot Yankee Nov 2008

GhostNet Mar 2009

Sony PSN Dec 2010

.CN Aug 2013

WSJ - SEA Aug 2013

Apple Aug 2011

Red October Dec 2010

Facebook 2013

Living Social 2013

Yahoo 2013

Shamoon Aug 2012

Tamper Data June 2012

Video Conferencing Aug 2012

DigiNotar Sept 2011

Kernel.org Aug 2011

HP Cyber timeline

Stuxnet was designed to seek out certain industrial control systems made by Siemens. Stuxnet took advantage of four zero-day vulnerabilities and appeared to be targeted at a uranium enrichment program in Iran.

The Russian firm Kaspersky discovered a worldwide cyber-attack, dubbed “Red October,” that had been operating since at least 2007. Hackers gathered information through vulnerabilities in Microsoft’s Word and Excel programmes.

Syrian Electronic Army continues to take down, hack and redirect Wall Street Journal Websites and internet facing traffic.

Facebook founder Mark Zuckerberg had his profile hacked into by an IT worker in Palestine.

Heartland, was designed to seek out certain industrial control systems made by Siemens. Stuxnet took advantage of four zero-day vulnerabilities and appeared to be targeted at a uranium enrichment program in Iran.

Shamoon - The virus has been noted as unique for having differing behaviour from other malware cyber espionage attacks. Shamoon is capable of spreading to other computers on the network, through exploitation of shared hard drives

Tamper Data - serious vulnerability in the Hotmail service which allowed hackers to access 13 million Hotmail accounts. In the same period the services Yahoo and AOL were affected by the Tamper Data hack.

The most significant breach of U.S. computer security occurred, apparently when someone working with the Pentagon's Central Command inserted an infected flash drive into a military laptop computer at a base in the Middle East.

Hackers had penetrated the PlayStation Network, stealing or misusing the personal information of at least 77 million users. Sony estimated that fallout from the hack cost at least $170 million.

Page 10: Risk Management in New Environments

Cyber Cartels Continued development of sophisticated cybercriminals, convergence of traditional- and cyber-crime

Cyber Militia Active use of cyberspace as a sub-nationstate battle ground, terrorism…

Cyber Altruism Individuals and groups driven by their social conscience, hacktivism, whistleblowing

Professional Hacktivism Advanced Persistent Threat

Timeline axis: 2009 to 2014

StuxNet 2010

Heartland 2009

Evernote 2013

GhostNet 2009

Sony PSN Dec 2010

.CN Aug 2013

WSJ - SEA Aug 2013

Apple Aug 2011

Red October Dec 2010

Facebook 2013

Living Social 2013

Yahoo 2013

Shamoon Aug 2012

Tamper Data June 2012

Video Conferencing Aug 2012

DigiNotar Sept 2011

Kernel.org Aug 2011

HP Cyber timeline

Page 11: Risk Management in New Environments

243 days on average to detect that data has been compromised

2013: January … October

..of incidents occur in applications

Since 2010, the time to resolve an attack has increased…

of incidents are reported by third parties

Page 12: Risk Management in New Environments

Page 13: Risk Management in New Environments

Main Challenges for a CISO

Risk, Committee, Digital Brand

Maturity, Trust, Reputation, Assets

Compliance & Regulation

New Style of IT

Attack Motivation

The most difficult activities for a CISO to manage*:

34%

21%

17%

14%

5%

1%

7%

Organization’s leaders

Specific users

My own team

Regulators

Vendors/consultants

Outside hackers

Other

*Source: IDG Research

Page 14: Risk Management in New Environments

HP's approach to complete information security

Complete Security

Assess: Risks inherent in the supply chain, current contracts and supplier performance

Transform: Describe the comprehensive strategy and framework, or take control

Manage: Implement and report on the governance framework for supplier security compliance

Move from reactive to proactive risk management and information security

Actionable Security Intelligence

Page 15: Risk Management in New Environments

HP Security's Objectives

Manage Risk

Extend Reach

Block the Adversary

• Block internal and external adversaries

• Disrupt the threat in real time

• Comprehensive security intelligence

• Respond quickly to incidents

• Improve risk posture

• Knowledge of local and global standards

• Reduce cost and complexity

• Access to 5,000+ security professionals

• Advisory through to end-to-end management

Page 16: Risk Management in New Environments

HP Security's Objectives

Manage Risk

Extend Reach

Block the Adversary

• Block internal and external adversaries

• Disrupt the threat in real time

• Comprehensive security intelligence

• Respond quickly to incidents

• Improve risk posture

• Knowledge of local and global standards

• Reduce cost and complexity

• Access to 5,000+ security professionals

• Advisory through to end-to-end management

Managed Security Services

Security Consulting

Security Technology

Page 17: Risk Management in New Environments

Solutions Backed by Global Research

Ecosystem Partner

FSRG

ESS

• SANS, CERT, NIST, OSVDB, software & reputation vendors

• 1650+ researchers

• 2000+ customers sharing data

• Leader in security research

• We find more vulnerabilities than the rest of the market combined

• Collaboration with market-leading teams: DV Labs, ArcSight, Fortify, HPLabs, Application Security Center

• Collects global network and security data

HP Global Research

Page 18: Risk Management in New Environments

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HP detects and protects against 4 times more critical vulnerabilities than the rest of the market combined, enabling our customers to benefit from the experience of a global provider.

Page 19: Risk Management in New Environments

5,000 security professionals

8 Security Operations Centers

#1 in security research

Page 20: Risk Management in New Environments

IT Management Framework

Cloud Platform

SaaS PaaS IaaS

Change Management Patch Management

Configuration Management Capacity Management

Availability Management Incident Management

Virtualization Management

Network Security

Virtualization Security

Server Security

Storage Security

Malware Protection

Client Security

Data Protection

Access Devices

Network Security

App Security

Malware Protection

Client Security

Data Protection

Application Security

Application Security

Vulnerability Management Security Info & Event Management

Compliance Management

HP Cloud Protection. Reference Architecture. Security Solution Mapping

Account Management Access Control Management

Authentication

Key Management

Identity Provisioning Federation

Auditing

Page 21: Risk Management in New Environments

IT Management Framework

Cloud Platform

SaaS PaaS IaaS

Change Management Patch Management

Configuration Management Capacity Management

Availability Management Incident Management

Virtualization Management

Network Security

Virtualization Security

Server Security

Storage Security

Malware Protection

Client Security

Data Protection

Access Devices

Network Security

App Security

Malware Protection

Client Security

Data Protection

Application Security

Application Security

Vulnerability Management Security Info & Event Management

Compliance Management

HP Cloud Protection. Reference Architecture. Security Solution Mapping

• Endpoint Protection • Data Loss Prevention

Account Management Access Control Management

Authentication

Key Management

Identity Provisioning Federation

Auditing

• Endpoint Protection • Critical Systems Protection • Web Gateway • Data Loss Prevention • Control Compliance Suite

Consulting

Support

Strategy

Consulting

Support

Strategy

• Control Compliance Suite

• Ozone

Page 22: Risk Management in New Environments

Thank you!