The Evolving Information Security Organization
Welcome
HITRUST 2014 Conference
April 22, 2014
The Evolving Information Security Organization – Challenges and Successes
Jason Taule, Chief Security and Privacy Officer, FEi Systems (Moderator)
Robert Booker, Vice President and Chief Information Security Officer, UnitedHealth Group
Erick Rudiak, Information Security Officer, Express Scripts
Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, WellPoint
Omar Khawaja, Vice President and Chief Information Security Officer, Highmark
Chief Information Security Office
HITRUST 2014 Conference
The Evolving Information Security Organization
Challenges and Successes
Tuesday – April 22, 2014
Roy R. Mellinger, CISSP – ISSAP, ISSMP, CIM
Vice President, IT Security
Chief Information Security Officer
The Evolving Information Security Organization
[Diagram: security organization maturity stages Operational, Compliance, Risk, Enterprise Risk Management (labelled IT Compliance, IT Risk, Enterprise Risk). Functions shown: Operating Technical Security Controls; Security Threat Management; Translating Security Requirements into Technical Security Controls; Translating Business Needs into Security Requirements; Security Viewed as a Business Enabler.]
The Evolving Information Security Organization
CYBER THREAT MANAGEMENT
- 24x7 Security Operations Center (SOC)
- End to End DLP (Data Loss Prevention) Strategy
- Tracking of Malware Threats and Coding Techniques
- Effective Firewalls, IDS / IPS Strategy Implementations
- Effective Security and Event Log Management & Monitoring
- Robust Safeguarding Policies, Programs and Processes
The Evolving Information Security Organization
Hacking Then
- Individual or Computer Clubs / Groups
- Manual efforts with Social Engineering
- Success = Badge of Honor
- Personal Monetary Gain or to pay for / fund hacking activity
- War Protesting and Civil Disobedience
- Anti-Establishment Rhetoric
- Social Rebels and Misfits
Hacking Now
- Automated / Sophisticated Malware
- Hacktivism – Freedom of Speech, Statements to Influence Change, Sway Public Opinion and Publicize Views
- Criminal – Drug Cartels, Domestic and Foreign Organized Crime for Identity Theft and Financial Fraud
- Espionage – IP, Business Intelligence, Technology, Military / Political Secrets
- Terrorism – Sabotage, Disruption and Destruction
- Nation-State – Intelligence Gathering, Disruptive Tactics, Clandestine Ops, Misinformation, Warfare Strategies, and Infrastructure Destruction
Timeline: FRINGE . . . . . 30 YEARS . . . . . MAINSTREAM
The Evolving Information Security Organization
Attack lifecycle:
1. Initial Compromise — spear phishing via email, planting malware on a target website, or social engineering.
2. Establish Foothold — plant administrative software and create back doors to allow for stealth access.
3. Escalate Privileges — use exploits and password cracking tools to gain privileges on the victim computer and network.
4. Internal Reconnaissance — collect info on the network and trust relationships.
5. Move Laterally — expand control to other workstations and servers. Harvest data.
6. Maintain Presence — ensure continued control over access channels and credentials acquired in previous steps.
7. Complete Mission — exfiltrate stolen data from the victim's network.
The Evolving Information Security Organization
Cyber Threat Management: Conventional Approach vs. Paradigm Shift (Cyber Threat Management)

Controls Coverage
  Conventional: Protect ALL information assets
  Paradigm Shift: Protect your MOST IMPORTANT assets (Crown Jewels) based on risk assessments
Controls Focus
  Conventional: Preventive Controls (anti-virus, firewalls, intrusion prevention, etc.)
  Paradigm Shift: Detective Controls (monitoring, behavioral logic, data analytics)
Perspective
  Conventional: Perimeter Based
  Paradigm Shift: Data Centric
Goal of Logging
  Conventional: Compliance Reporting
  Paradigm Shift: Threat Detection
Security Incident Management
  Conventional: Piecemeal – Find and neutralize malware or infected nodes
  Paradigm Shift: BIG PICTURE – Find and dissect attack patterns to understand the threat
Threat Management
  Conventional: Collect information on Malware
  Paradigm Shift: Develop a deep understanding of attackers' targets and modus operandi related to YOUR org's network and information assets
Success Defined By
  Conventional: No attackers get into the network
  Paradigm Shift: Attackers sometimes get in; BUT are detected as early as possible and impact is minimized
The Evolving Information Security Organization – Challenges and Successes
Omar Khawaja
April 23, 2014
Who is Highmark?
Risk is increasing
Risk = (Assets × Vulnerabilities × Threats) / Controls
- Assets: Our information is increasing in value…
- Vulnerabilities: Our weaknesses are increasing…
- Threats: Opportunities to attack are increasing…
Drivers named on the slide:
- More data (EMRs)
- More collaboration (ACOs)
- More regulation (FTC)
- More suppliers (Cloud)
- More complexity (ACA)
- More access (consumer portals)
- More motivated attackers
Becoming increasingly difficult to secure
• Multiple Compliance Requirements
• Evolving Compliance Requirements
• Unclear Compliance Requirements
• Less visibility
• Less control
Security org needs to evolve
From… → To…
• Explaining the “what” → Explaining the “why”
• Growing the security org → Growing security in the org
• Creating more security processes → Making security part of more processes
• Telling them what to do → Assisting them with their job
• Protecting everything equally → Differentiated controls
• Measuring what matters to the security org → Reporting on what matters to the audience
Questions?