@NTXISSA
Top 10 Trends in TRM
Jon Murphy, CISSP, CBCP, NSA‐IAM/IEM, ITILv3, CHS‐V, MBA
National Practice Lead, TRM Consulting & Services
Alexander Open Systems (AOS)
April 24, 2015
Disclaimer
All thoughts and opinions expressed in this presentation, or by Jon Murphy directly, are his own and should NOT be interpreted as those of Alexander Open Systems (AOS), or any other organization that might be mentioned. The mention of any organizations should not be interpreted as endorsement.
Some material contained herein was obtained and is used with the express written permission of AOS, and other organizations and MAY NOT be used or reproduced in any way without each of these parties’ express written consent in advance.
Overview
• What is TRM
• The Top Ten Trends
• Why You Need IT
• Where Are You
• Conceptual Solutions
• What The Future May Hold
• More Resources
• Q & A
Why Technology Risk Management (TRM)
• TRM includes:
  • IT Sec
  • BC/DR
  • Governance & Compliance
• Exponential Growth of Threats
  • D&D Insiders
  • Outside Hackers (Commercial, Organized Crime, State Sponsored)
  • Competitor Espionage
• Continuously Growing Regulations & Requirements
  • Increases are a mandatory cost of doing business
  • FFIEC, SOx, HIPAA, PCI, GLBA, Dodd‐Frank, NERC, OCC, etc…
  • Volume reduction, Fines, and jail time for failure to comply
• Cost of data breach up 23% ‐ as much as $20,000 a day
• Ever increasing expectations for “adequate” safeguards by consumers and courts
NTX ISSA Cyber Security Conference – April 24‐25, 2015
What’s Your Biggest Exposure?
# 1 Employee Negligence
# 2 Hacking
# 3 Paper
Top Ten Trends
1. Hacks may become data destruction attacks
2. Threat actors are becoming more sophisticated
3. Attacks and resultant legislation will push industry standards around cyber risks and improve threat intelligence information sharing
Top Ten Trends ‐ cont'd
4. Predictive threat intelligence analytics are critical
5. Third Party Service Provider Risk Management is becoming an increasingly important concern among firms
6. TRM must become a board‐level issue
7. Embracing and adapting to the new “boundless network” is inevitable, and we must also invest in training the workforce to properly access and protect corporate data
Top Ten Trends ‐ completed
8. Identity and Access Management is increasingly a key security control area
9. Cyber benchmarking is imperaTve
10. TRM is not MERELY a Technology Issue
Why would strangers want your info?
1. Identity theft for resale or immediate profit
2. Damage reputa4on of compe4tor
3. Steal intellectual property
4. Blackmail
5. Cyber Crime – It’s An Epidemic; The Nation’s Top Cop Says So
We Help Clients Progress Their Maturity Level
Technology Risk Management Maturity Model
Level 1: Threat Defense
• Security is “necessary evil”
• Reactive and de-centralized monitoring
• Tactical point products
Level 2: Checkboxes and Defense-in-Depth
• Check-box mentality
• Collect data needed primarily for compliance
• Tactical threat defenses enhanced with layered security controls
Level 3: Risk-Based Security
• Proactive and assessment based
• Collect data needed to assess risk and detect advanced threats
• Security tools integrated with common data and management platform
Level 4: Business-Oriented
• Security fully embedded in enterprise processes
• Data fully integrated with business context; drives decision-making
• Security tools integrated with business tools
[Chart axes: Approach (Tactical to Strategic); Scope (Technology)]
What concrete steps can you undertake?
Seven action items to start:
1. Get and stay informed
2. Learn the cultural risk appetite
3. Create a risk register and matrix
4. Perform a self assessment
5. Create an incident response plan
6. Add layers to defense in depth
7. Get help
Get & Stay Informed
1. Associations – e.g., ISSA, InfoSec Community on LinkedIn
2. Blogs – e.g., http://www.vogelitlawblog.com/
3. Newsletters – e.g., Info Risk Today
Learn The Cultural Risk Appetite
• The amount and type of risk that an organization is willing to take in order to meet their strategic objectives.
• Both formally and informally set and driven by leadership, so:
1. Has leadership experienced cyber crime personally?
2. Is there an enterprise risk management office?
3. Is security the realm of some lowly network admin in the bowels of the M.I.S. department?
Create a Risk Register & Matrix
1. List all the realistic bad things that could happen
2. Rank them by likelihood (1‐Least to 5‐Most) and
3. Impact (1‐Least to 5‐Most)
4. Plot them in a matrix
5. Concentrate on the 5/5s
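As an added example, not part of the original slides: a small Python risk register that applies the 1‐to‐5 likelihood and impact scales above, plots the entries on a 5x5 matrix, and pulls out the 5/5 cell first. The risk entries are constructed samples, and the working order for the remaining items (highest likelihood x impact first) is an assumption of this example, not a step from the slide.

```python
# Added example (not from the original slides): a minimal risk register
# scored on the slide's 1 (least) to 5 (most) likelihood and impact scales,
# plotted as a 5x5 matrix, with the 5/5 cell pulled out first.
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 = least likely, 5 = most likely
    impact: int      # 1 = least impact, 5 = most impact

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")

# Constructed sample register, not real assessment data.
REGISTER = [
    Risk("Phishing leads to credential theft", 5, 5),
    Risk("Ransomware on file servers", 4, 5),
    Risk("Unpatched internet-facing VPN", 5, 5),
    Risk("Lost unencrypted laptop", 3, 4),
    Risk("Paper records left on shared printer", 2, 2),
]

def build_matrix(risks):
    """5x5 grid: grid[impact][likelihood] -> risk names (index 0 unused)."""
    grid = [[[] for _ in range(6)] for _ in range(6)]
    for r in risks:
        grid[r.impact][r.likelihood].append(r.name)
    return grid

def top_priority(risks):
    """The 5/5s the slide says to concentrate on first."""
    return [r for r in risks if r.likelihood == 5 and r.impact == 5]

def ranked(risks):
    """Assumed working order for the rest: highest likelihood x impact first, ties by impact."""
    return sorted(risks, key=lambda r: (r.likelihood * r.impact, r.impact), reverse=True)

def render(grid):
    """Plain-text matrix: rows are impact 5..1, columns likelihood 1..5."""
    lines = ["impact \\ likelihood:  1  2  3  4  5"]
    for impact in range(5, 0, -1):
        counts = "  ".join(str(len(grid[impact][l])) for l in range(1, 6))
        lines.append(f"{impact:>20}  {counts}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(build_matrix(REGISTER)))
    print("Concentrate on:", [r.name for r in top_priority(REGISTER)])
```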
Perform A RVA Self Assessment
• Have the business do it first
• Then involve an IT Pro
• Better yet, involve a risk management Pro
• Use a recognized methodology & tool, e.g., Shared Assessments
Create an incident response plan
1. Use the list from action item 3
2. Either create an overarching plan as a guide to everything on the list, or a plan for each
3. The plan should contain:
   1. Who can invoke the plan
   2. When to invoke the plan
   3. Who does what
   4. Alternate roles & responsibilities
   5. How to do what
   6. What is BAU
4. Don’t forget the post mortem for lessons learned
You can’t run . . . or do this!
The education you’ve undertaken will quickly tell you:
1. Bad guys and insiders are getting more savvy by the day
2. One – three layers of tech defense is the norm (NOT ENOUGH)
3. Technology, process, and people must interact optimally
4. Prepare for the worst and hope for better
5. You need professional expertise
Reasonable Security HW/Systems to Deploy:
Next Generation Firewalls
Encryption
Updated Software Patches
Complex Passwords
Multi‐factor Authentication
Device/Appliance Inventory
Intrusion Prevention/Detection
Anti‐malware
Additional Resources
Ponemon Institute http://www.ponemon.org/
Shared Assessments™ http://sharedassessments.org/about/
ISO 31000 http://www.iso.org/iso/catalogue_detail?csnumber=43170
AOS Security Consulting http://www.aos5.com/security/
Recommended