Cybersecurity: How to Prevent Data Breaches and What to Do When


Comcast Infrastructure & Information Security
Breach Prevention and Mitigation
CWAG 2015, July 21, 2015
Myrna Soto
SVP/Chief Infrastructure & Information Security Officer
Comcast Confidential - For Internal Use Only
About Comcast
Comcast Cable is the United States' largest video, high-speed Internet and phone provider under the Xfinity brand for residential customers.
• 22.37 million customers: US largest video provider
• 22.36 million customers: US largest residential high-speed Internet provider
• 11.2 million customers: US fourth largest digital voice/phone provider
• 27.2 million combined customer relationships (excluding NBCU)
• Operations in 39 states (out of 50) and Washington D.C.
• Founded 1963
• Headquartered in Philadelphia, PA
• Approximately 143,000 employees
Comcast Across America
[Infographic panels: Employer of choice for 139,000 employees; The largest video provider in the U.S.; 22M+ Video & Data customers; Leading fiber optic network in the U.S.; Gigabit Pro, the industry's first residential 2Gbps service; Comcast Cares: 14 years, 600,000 volunteers, 3.7 million hours; Billions of daily customer experiences; 15M OnDemand views daily; Fourth largest residential phone company in the U.S.; 1.2M connected by Internet Essentials; Fastest Xfinity In-Home WiFi; Largest residential broadband provider in the U.S.]
Who we are…
• “We bring together the best in media and technology. We drive innovation to create the world's best entertainment and online experiences.”
[Graphic: Broadcast, Digital, Cable, Film, Parks]
A Changing Landscape Drives Security
A security program must keep pace with the evolving threat landscape in order to prevent, detect and respond to security breaches.
[Graphic of drivers: Escalating and Evolving Threats; Mobility; Number of Connected People & Partners; Information Assets & Amount of Valuable Data]
The Threat Landscape Is Extremely Complex
Protection is Not Enough to Prevent a Breach
The efficacy of a security program requires a comprehensive framework to minimize the risk of a breach and the potential harm when a breach occurs.
• It's not plausible to think all breaches can be prevented; a sufficiently motivated adversary will find the means to breach a system
  o Easiest method: phishing for trusted users' log-in credentials, or the trusted insider
• The ability to rapidly detect and respond to security events & anomalies (the “ability to connect the dots”) is critical to reduce the harmful impact of a breach (i.e., prevent or minimize the loss of data)
• Efficacy requires a mature security program, adaptive to evolving risks and threats, embedded within the culture of the organization, with dedicated resources and strategic investment in critical security toolsets
Information and Infrastructure Security Program Overview
Comcast employs extensive security practices and procedures throughout its corporate infrastructure. At a foundational level, the Corporation has established a highly talented and industry-recognized security organization supporting Risk Management, Governance, Security Architecture, Brand Protection, Security Operations and Security Analytics.
In addition, Comcast maintains a 24x7 Security Response Center which provides continuous monitoring of the security assets, information stores, and systems infrastructure of the Corporation.
Comcast employs many strong policies, controls and state-of-the-art mechanisms to detect and prevent malware and intrusion into our Enterprise and Subscriber Delivery networks and systems. These systems include but are not limited to:
– Intrusion Prevention
– DDoS Detection
– Threat Correlation
– Security Information and Event Management (SIEM)
– Malware Detection and Remediation
– Direct Surveillance (24x7 SOC)
– Incident Response Process
– Penetration Testing Program
– Security Auditing Program
– Identity and Access Management
– Log Collection/Analysis
– Data Science/Analytics
Patchwork of Breach Notification Laws
Variations by state have created an increasingly unworkable situation for organizations when faced with a breach, adding additional costs and delays.
• Industry-specific requirements (HIPAA, GLB, PCI)
• 47 states, District of Columbia, Guam, Puerto Rico, & Virgin Islands
  - Alabama (in process)
  - Exceptions: New Mexico & South Dakota
• Variations include:
  - Notification content & method
  - Triggers: element of harm
  - Whom to notify
  - Definition of personal information
  - Time limits & acceptable delays
  - Covered entities
  - Encryption as a safe harbor
• Ongoing changes & amendments focus on:
  - Expanding definition of personal info
  - Additional reporting requirements to state agencies
Appendix Material
A Framework of Policies, Controls and Practices
Identify: Understand the environment & threats to it
Identifying and classifying assets by type (e.g., PII, PCI, financial significance) and value enables protection controls to be applied, security event prioritization based on criticality, and rapid detection & recovery.
• Clear organization mission, objectives, roles, policies
• Asset and data classification
• Asset inventories and asset tags
• External systems/connections are documented, reviewed and approved
• Risk management, governance and impact analysis
• Vulnerability assessment & remediation programs w/ 24x7 response to critical vulnerabilities
• Automated discovery and auditing of asset configurations & changes
• Security change review of changes to all IP-addressed assets
Protect: Ability to prevent potential cybersecurity events
Applying adequate protection to critical assets/data at all layers enables breach prevention & reduces the harm of data loss or misuse.
Network / Infrastructure Layer
• Network zoning model to segment authorized traffic flows and strengthen security around highly protected zones (e.g., PCI assets); centrally managed firewalls and access control lists
• Network intrusion / malware protection at all layers (desktops, servers, gateways)
• Hardened infrastructure build & centralized configuration management
• Web & e-mail gateway malicious URL and malware detection and blocking
• Automated DDoS mitigation to filter malicious traffic to prevent disruption & performance impact from over a million attacks per year
• Threat prevention & brand protection via security data analytics
• Timely vulnerability patching practices
• Host-based filters and file system level IP restriction
• Anti-spoofing and network route filtering
• Physically secure datacenters and facilities
Data Layer
• Data loss prevention program (endpoint and network layers) for data in transit & at rest w/ automated blocking of policy violations
• Vendor/Partner risk and assurance assessments, standardized legal language in contracts
• Centrally managed databases, separately administered from applications
• Separation of test and production environments
• Data encryption (PII, PCI, financial accounts, backup tapes)
• Mobile, laptop & removable media encryption
• Mobile device management to enforce policies and configuration settings; manage theft/loss of devices
• Robust PCI compliance program to safeguard credit card operations
• Records management program, retention schedules and disposal standards
Application Layer
• Pre- and post-production application assessments and remediation of vulnerable code
• Dynamic and static application testing and deep code reviews
• Web and mobile application assessments
• Penetration testing to identify vulnerabilities
• Customized training for the development community to prevent weak coding practices
• Integration of security into the software development lifecycle
• Hardware vulnerability assessments (e.g., set top boxes) on devices that deliver content and applications
User Layer
• An informed and engaged senior management and board of directors
• Security awareness & innovative just-in-time training based upon behavioral analytics
• Real-time notifications to users for policy violations
• Role-based identity management, multifactor authentication, automated provisioning and deprovisioning of user accounts, segregation and separation of duties via access controls
• Administrative privileged account management, activity logging and monitoring
• Complex passwords enforced across the entire workforce on all accounts (network, mobile devices, phone)
• Personnel screenings for employees and contractors
Detect: Timely discovery of cybersecurity events
Continuous monitoring and correlation of events, combined with data analytics, provides proactive and real-time alerts of cybersecurity related activities.
• Threat and security event correlation via a Security Information and Event Management (SIEM) tool
• Baseline of normal operations with defined thresholds for the network ecosystem
• Direct surveillance 24x7x365, advanced threat and fraud detection, threat intelligence
• Security intelligence sharing in various public & private forums
• Behavioral analytics to detect user and/or network anomalies
• Proactive discovery of ‘indicators of compromise’
• Multiple 3rd-party penetration (ethical hacking) tests to detect weaknesses
• Continuous vulnerability scanning of the entire infrastructure/network in less than 24 hours
• Automated and continuous policy compliance scanning
• Centralized audit logging and reporting
• Ability to detect known and unknown malware and ‘black-hole’ malicious IP traffic
• Extensive metrics and executive reporting of cybersecurity activities and events
Respond: Ability to contain the impact of potential cybersecurity events
Timely and effective incident response is critical to stopping a breach and containing the impact, enabling faster recovery from malicious cybersecurity events.
• Comprehensive incident response plan and periodic exercises with key stakeholders to test the plan, pre-defined communications and escalation plans
• Clearly defined roles and responsibilities
• Granular operational run books with established criteria, documented response actions
• 24x7x365 event analysis, triage and response capability
• Deep forensics, evidence chain of custody
• Reverse engineering capabilities to deconstruct and fully eradicate malware and anomalous events
• Established relationships and retainers with specialized response organizations
• Ongoing relationship with law enforcement
Recover: Ability to recover to normal operations in a timely manner after an event
Maintaining business continuity plans, strong resilience, and high availability systems and networks will enable rapid recovery, further limit the impact from cybersecurity events and can also help to prevent breaches through automation and self-healing architectures.
• Business continuity and disaster recovery plans with periodic testing of the plans
• Intrusion and malware tools configured in-line to the network stream, enabling auto-mitigation against tens of millions of malware events, including advanced, targeted attacks
• Geographically diverse high availability networks and security architecture
• Standardized configurations & encrypted backups to enable rapid re-building/recovery of assets
• Post-incident analysis, lessons learned, continuous improvement
• Corporate communications to manage internal and external communications