Tripwire has released results from an extensive study, conducted with the Ponemon Institute, on the state of risk-based security management. The study examined the disconnect between an organization's commitment to risk-based security management and its ability to develop the collaboration, communication styles and culture necessary for effective security programs across the organization. The study respondents included 749 U.S. and 571 U.K. professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management. "Risk-based security is an extremely complex problem where predictability and outcomes are constantly changing," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "This means that even the most secure and sophisticated organizations experience risk because there are too many variables in play. Effective communication and collaboration across the organization are crucial in mitigating this risk." The full report can be found here: http://www.tripwire.com/register/the-state-of-risk-based-security-2013-full-report/

One Big Threat to Cyber Security: IT Geeks Can't Talk to Management
Rekha Shenoy, Vice President, Marketing & Corporate Development
Agenda
- The State of Risk-Based Security Management: Benchmark Survey Results
- How to Connect Security to the Business
- How Tripwire Can Help
The State of Risk-Based Security Management
Benchmark survey of 1,320 security professionals
US and UK
Commissioned by Tripwire
Conducted by Ponemon Institute

Art or Science?
The State of Risk-Based Security Management
Good News: 81% Say Significant Commitment to RBSM
Bad News: 46% Don’t Have a Consistent Strategy
There is Hope: Maturity is Improving
"Gartner predicts that by 2014, 80% of Global 2000 organizations will report on risk and security to their boards of directors at least annually."
- Gartner, Inc., "Building an Effective IT Risk and Information Security Presentation for Your Board of Directors," June 2012
The CISO Challenge
Aligning Security & Business Needs Improvement
Key Objectives of RBSM: IP & Compliance
"In this restrictive economic environment, CISOs have an opportunity to reframe the risk discussion [with mission owners] and build a strategy... This may separate the successful security and risk professionals, who can adapt strategically to the current climate, from the unsuccessful ones, who stay mired in day-to-day security firefighting."
- Forrester Research, "Understanding Security and Risk Budgeting for 2013," January 2013
The CISO Opportunity
64% of Respondents Don't Communicate Security Risks
Do We Communicate Effectively?
Reasons why metrics are not understood:
- Information too technical
- More pressing issues
- Only communicate when an incident happens
- Takes too much time
The CISO needs what the CFO has….
Financial reporting offers:
- Objective facts
- Consistent definitions
- Trending
- Performance against goals
- Performance against peers
- Clear communication to diverse audiences internally and externally
A way to describe a company’s security performance just like the CFO describes financial performance
Financial metrics the CFO reports on:
- Earnings per share
- Revenues
- Gross margins
- EBITDA
- Operating income
- Net income
- Current assets
- Accounts receivable
- Cash flow
- Current liabilities
Business Metrics and Analytics
What makes a good business metric?
- Objective and consistently measured
- Preferably automated (the cheapest way to gather it)
- Typically expressed as a number or percentage
- Has business context
- Actionable
How to Connect Security to the Business
Audiences for security metrics (first of three builds: Users row only)

Audience    Concerns                              Goals
Users       Systems, tests, incidents, breaches   Prioritize my work, keep my job
Management  (filled in below)
Business    (filled in below)
IT SECURITY & COMPLIANCE AUTOMATION
Audiences for security metrics (second build: Users and Management)

Audience    Concerns                                      Goals
Users       Systems, tests, incidents, breaches           Prioritize my work, keep my job
Management  Trends, oversight, budget, security risk      Communicate value up, manage across
Business    (filled in below)
[Figure: Weekly Security Report Card, U.S. Consumer Division. Division score 71 (+7% week over week), organizational rank 17/25, target 85, organizational median 76, organizational benchmark 75. Highest score 88 (Fulfillment, EMEA); lowest score 61 (U.S. Commercial). Sub-panels: Security Policy State by Line of Business; System Hardening Report by Division (CIS Benchmark); breakdowns by Geography, Owner, Application and Service; Current Security Breakdown for the Consumer Division.]

Aggregate Security Scoring
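The report card above rolls per-system benchmark results up into one division score with a week-over-week trend, a rank against peers, a target and the organizational median. The Python below is an added example, not Tripwire code, showing one way to compute such a card. The input data (three divisions, a handful of hosts, CIS benchmark check counts) is constructed for the example, and the scoring rule (pass rate weighted by a 1 to 5 asset-criticality scale, reported as an integer 0 to 100) is an assumption chosen to give the "business context" the slide asks for: a failing business-critical host pulls a division's score down more than a failing low-value one.

```python
"""Weekly security report card from per-host benchmark results.

Added example; the scoring rule and the 1-5 criticality scale are
assumptions, and all hosts and check counts below are constructed.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class HostResult:
    division: str
    criticality: int  # 1 (low) .. 5 (business critical); assumed scale
    passed: int       # CIS benchmark checks passed on this host
    total: int        # CIS benchmark checks evaluated on this host


def division_scores(results):
    """Criticality-weighted pass rate per division, rounded to 0-100.

    Hosts with no evaluated checks are skipped rather than counted as
    0% or 100%, so an unscanned host cannot silently move the score.
    """
    weighted = {}  # division -> (weighted pass-rate sum, weight sum)
    for r in results:
        if r.total == 0:
            continue
        num, den = weighted.get(r.division, (0.0, 0.0))
        weighted[r.division] = (num + r.criticality * r.passed / r.total,
                                den + r.criticality)
    return {d: round(100 * n / w) for d, (n, w) in weighted.items()}


def report_card(scores, previous, target):
    """Rank divisions and build report-card rows with trend vs. last week.

    Returns (rows, summary): rows maps division -> score, delta_pct,
    rank "i/n" and whether the target is met; summary carries target,
    organizational median, and the highest and lowest scoring division.
    """
    ranked = sorted(scores, key=lambda d: scores[d], reverse=True)
    rows = {}
    for d in scores:
        prev = previous.get(d)
        # No trend when there is no prior score (or it was zero).
        delta_pct = None if not prev else round(100 * (scores[d] - prev) / prev)
        rows[d] = {
            "score": scores[d],
            "delta_pct": delta_pct,
            "rank": f"{ranked.index(d) + 1}/{len(ranked)}",
            "meets_target": scores[d] >= target,
        }
    summary = {
        "target": target,
        "median": round(median(scores.values())),
        "highest": (ranked[0], scores[ranked[0]]),
        "lowest": (ranked[-1], scores[ranked[-1]]),
    }
    return rows, summary


# Constructed sample: this week's per-host benchmark results.
SAMPLE_RESULTS = [
    HostResult("Consumer", 4, 30, 40),     # critical web tier, 75% pass
    HostResult("Consumer", 1, 9, 10),      # test box, 90% pass
    HostResult("Fulfillment", 5, 45, 50),  # order system, 90% pass
    HostResult("Fulfillment", 3, 24, 30),  # reporting host, 80% pass
    HostResult("Commercial", 5, 30, 50),   # critical DB, only 60% pass
    HostResult("Commercial", 2, 8, 10),    # file server, 80% pass
    HostResult("Commercial", 3, 0, 0),     # not yet scanned: ignored
]
# Constructed sample: last week's division scores.
PREVIOUS_SCORES = {"Consumer": 72, "Fulfillment": 86, "Commercial": 70}
TARGET = 85

SCORES = division_scores(SAMPLE_RESULTS)
ROWS, SUMMARY = report_card(SCORES, PREVIOUS_SCORES, TARGET)

if __name__ == "__main__":
    print(f"Target {SUMMARY['target']}  Median {SUMMARY['median']}  "
          f"Highest {SUMMARY['highest']}  Lowest {SUMMARY['lowest']}")
    for d, row in ROWS.items():
        trend = "n/a" if row["delta_pct"] is None else f"{row['delta_pct']:+d}%"
        print(f"{d:12} {row['score']:3d} ({trend})  rank {row['rank']}  "
              f"{'meets' if row['meets_target'] else 'below'} target")
```

The weighting is what turns a raw pass count into a number a manager can act on: Commercial's critical database at 60% dominates its score (66) even though its file server is doing fine, which is exactly where remediation effort should go first. The same function can be re-run by platform, region or owner by changing what goes into the `division` field.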
Audiences for security metrics (complete)

Audience    Concerns                                  Goals
Users       Systems, tests, incidents, breaches       Prioritize my work, keep my job
Management  Trends, oversight, budget                 Communicate value up, manage down
Business    Revenue, customers, costs, reputation     Know the business is safe
Continuously measure security & risk posture
Manage with leading indicators
Deliver confidence with robust, flexible reporting
Run Your Business Your Way
By Platform | By Risk | By Region
Visualize Security & Communicate Risks
Connect: dynamically connect security to your business

Clearly Show Trends & Progress
[Figure: trend charts by business unit: Fulfillment, Financial Reporting, E-Commerce]
Summary
• Start with the business initiative and goals
• Identify infrastructure critical to the business initiative
• Apply foundational controls and monitor continuously
• Link security metrics to business goals
• Leverage the metrics to influence the organization
• Communicate effectively
Connecting Security to the Business
How Tripwire Can Help
$150M+ annual sales
400+ employees
Profitable
7000+ customers in 96 countries
Remain small enough to be nimble and innovative; large enough to be the long-term leader in the SVM market
The leading provider of risk-based security and compliance management solutions, enabling enterprises
to effectively connect security to their business
• Broadest set of foundational security controls
• Business context with blended asset and risk scoring
• Security business intelligence with performance reporting and visualization to make better decisions
• Covering the extended enterprise
Tripwire. Confidence: Secured
Tripwire's Vision
- Make Connecting Security to the Business a reality
- Deliver the SANS CSC "First Four"
- Cover the extended enterprise

Connect: make security efforts visible, measurable & actionable
Protect: dynamically protect the systems your organization depends upon
Detect: detect leading indicators of breach activity across the dynamic enterprise
Tripwire Delivers Foundational Security Controls
[Figure: control stack plotted as Depth of Control (low to high) against Number of Devices (low to high). Layers, deepest first: Deep FIM; Security Configuration Management; Vulnerability Management & Log Management; Asset Discovery & Reconciliation; delivered agent-based and agentless. Risk & business criticality overlay: critical data, business partners. Asset types covered: servers, applications, BYOD, databases, desktops, firewalls, net devices, printers, wireless.]
Tripwire's Risk-based Security Management
[Figure: the same control stack (Deep FIM; Security Configuration Management; Vulnerability Management & Log Management; Asset Discovery & Reconciliation; agent-based and agentless; Depth of Control vs. Number of Devices; critical data and business partners; servers, applications, BYOD, databases, desktops, firewalls, net devices, printers, wireless) with "The Tripwire Difference" overlaid: Run Things Your Way (by platform, by risk, by region); Clearly Show Trends & Progress (e.g. E-Commerce); Compare to Peers.]
SANS 20 CSC: Delivering the "First Four"
Directly delivered:
- 1: Inventory Hardware
- 2: Inventory Software
- 3: Secure Configurations for Servers & Endpoints
- 4: Vulnerability Assessment
- 6: Application Security
- 10: Secure Configurations for Network Devices
- 13: Boundary Defense
- 14: Maintain & Monitor Audit Logs
Additional support:
- 5: Malware Protection
- 7: Wireless Device Control
- 11: Limit & Control Net Ports
- 12: Control Admin Privileges
- 15: "Need to Know" Access
- 16: Account Monitoring & Control
Tripwire Product Portfolio
- SCM Solution: agentless and agent
- FIM Solution: agentless and agent
- Log Solution: agentless and agent
- VM Solution: cloud-based and on-premise
- Reporting & Visualization; Analytics

Connect security to the business
Enable aligned & risk-based security
Provide flexible & scalable deployment options
Deliver foundational security controls
Tripwire Product Portfolio (products)
- SCM Solution: Configuration Compliance Manager (CCM); Tripwire Enterprise
- FIM Solution: File Integrity Monitor; Tripwire Integrity Manager
- Log Solution: Log Center
- VM Solution: PureCloud; IP360
- Analytics: VIA Data Mart | Suite360 Intelligence Hub Benchmark

Connect security to the business
Enable aligned & risk-based security
Provide flexible & scalable deployment options
Deliver foundational security controls
tripwire.com | @TripwireInc
THANK YOU!