Risk Based Security and Self Protection
Miguel Sanchez, Sr. Sales Engineer
February 16, 2015
Presenter for today:
Miguel Sanchez, Sr. Sales Engineer, First Communications
First Communications: At A Glance
• Technology Provider since 1998, serving thousands of Businesses throughout the Midwest
• 24x7x365 Network Management Center (NMC)
• Data Center and Colocation Facilities in Cleveland and Downtown Chicago
• Serving Diverse Businesses ranging from SMB to Enterprise
• Headquartered in Akron, Ohio
Our Mission
To Empower our customers through leading-edge technology solutions delivered with a first-class experience.
Today’s Topic Agenda
• Current State of Information Security
• Overview of Risk Based Security models
• Risk Management Process
• Multi-tiered Risk Management Model
• Three levels of Risk Management
• Runtime Application Self Protection
Current State of Information Security
• The threat landscape has changed considerably over the past few years due to the disappearance of the perimeter defense, for the following reasons:
– Change
– Mobility and consumerization
– Ecosystem
– Cloud
– Infrastructure
Current State of Information Security
• The attacking power of cyber criminals has grown significantly; they are no longer just hackers operating out of someone’s basement.
• We need to take into consideration the following threats:
– Criminal syndicates
– State sponsored attackers
– Hacktivists
– Lone wolf hacker
Perimeter Security
• One of the first and most basic lines of network perimeter defense is a firewall.
– A device that inspects inbound and outbound traffic on a network.
• In addition to firewalls, the traditional response to new threats has been to add stand-alone security technologies to the network.
Next Generation Firewalls
• There have been tremendous advancements in Next Generation Firewalls, which should be a part of any Information Security Plan and include the following Unified Threat Management (UTM) capabilities:
– Stateful Packet Inspection
– Application Control
– Intrusion Detection/Prevention
– Data Loss Prevention
– Content Filtering
– Anti-malware/Anti-spam
– IPv6 support
– Virtualized environments
– Endpoint security
– VPN
Information Security: Reactive to Proactive
For most small to medium organizations, Information Security is a Reactive rather than a Proactive process.
• How many breaches do you hear about in the news where compromised systems are discovered weeks or months after the actual event?
• How do we get to a model that is more proactive and workable for various organizations regardless of size?
Information Security Constraints
What are some of the constraints for implementing effective Information Security?
• Shrinking budgets
• Lack of security focus
• Lack of resources
• Lack of a common approach to information security
Risk Based Security
• There has been a slow and steady change in the way organizations approach Information Security, using a Risk Based model.
• Today’s CSO/CISOs are being asked to prioritize risks by identifying which ones need to be addressed and which ones should be accepted as the cost of doing business.
Risk Based Security
What are some of the factors that drive a Risk Based Security model?
• Compliance
• Recent security event
• Threat landscape
• Proactive approach
[Chart: What are the top drivers for your Information Security / Risk Management program? Source: Wisegate Community Viewpoints]
Risk Management Model
Risk management is the ongoing process of identifying, assessing, and responding to risk.
• Managing Risk
– Businesses and Organizations need to understand the likelihood or probability that an event will occur and its resulting consequence or impact.
• Risk Tolerance
– Using the Risk Management Model, organizations can determine the acceptable level of risk for the delivery of services; this can be expressed as their risk tolerance.
Risk Management Process
• There are several Risk Management frameworks that organizations are using, including NIST SP 800-39, ITIL, the ISO 27000 Series, PCI, HIPAA, internally developed systems, or a combination of these.
• For this discussion we will be using the NIST SP 800-39 framework.
Risk Management Process
• Managing risk is a complex and multifaceted process. It requires the involvement of the entire organization, using a Multitiered Risk Management Process.
• Risk management is a comprehensive process that requires organizations to:
– Frame risk
– Assess risk
– Respond to risk
– Monitor risk
Frame Risk
Establishing a realistic and credible risk frame requires organizations to identify the following:
• Risk assumptions
• Risk constraints
• Risk tolerance
• Priorities and trade-offs
Assess Risk
• The Risk Assessment component identifies:
– Threats
– Vulnerabilities
– Consequences/impact
– The likelihood that harm will occur
• The end result is a determination of risk.
Respond to Risk
• The purpose is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by:
– Developing
– Evaluating
– Determining
– Implementing
Monitor Risk
• The purpose of the risk monitoring component is to:
– Verify
– Determine ongoing effectiveness
– Identify risk-impacting changes
Risk Management Process
NIST SP 800-39
[Figure: the Frame, Assess, Respond and Monitor components, connected by information and communications flows]
Making Risk Management Work
• Risk management can be broken down into three distinct areas:
– Tier 1 Organization level (Strategic)
– Tier 2 Mission/business process level (Tactical)
– Tier 3 Information system level (Operational)
Multitiered Risk Management
NIST SP 800-39
[Figure: the three tiers, from Strategic Risk at Tier 1 down to Tactical Risk at Tier 3]
• Traceability and Transparency of Risk-Based Decisions
• Organization-Wide Risk Awareness
• Inter-Tier and Intra-Tier Communications
• Feedback Loop for Continuous Improvement
Tier 1 Organization
• Organizational perspective that establishes and implements structures for:
– Governance
– Risk Executive
– Risk Tolerance
– Investment strategies
Tier 2 Mission/Business Processes
• Tier 2 addresses risk from a business process perspective by designing, developing, and implementing business processes that support the business functions defined at Tier 1.
– Risk-Aware Mission/Business Processes
– Enterprise Architecture
– Information Security Architecture
Information Security Architecture
NIST SP 800-39
[Figure: Information Security Architecture]
Tier 3 Information Systems View
• The risk management activities at Tier 3 reflect the organization’s risk management strategy and any risk related to the cost, schedule, and performance requirements for individual information systems that support the mission/business functions of organizations.
• Risk management activities are also integrated into the system development life cycle of information systems at Tier 3.
• There are typically five phases in system development life cycles: (i) initiation; (ii) development/acquisition; (iii) implementation; (iv) operation/maintenance; and (v) disposal.
Three Levels of Risk Management
When we look at the Multitiered Risk Management model, it is similar to the three levels of Risk Management in other models, with the following correlations:
• Tier 1 Organization
– Risk Management strategy
• Tier 2 Business Processes
– Tactical/Architecture
• Tier 3 Information Systems
– Processes/Operational
Risk Management Process Applied Across All The Tiers
NIST SP 800-39
[Figure: the Frame, Assess, Respond and Monitor cycle applied at Tier 1 (Organization), Tier 2 (Mission/Business Processes) and Tier 3 (Information Systems)]
Cybersecurity Framework
[Figure: NIST Cybersecurity Framework]
Risk Based Security
We will look at a sample outline that can be used for implementing a Risk Based Security Plan:
1. Identify what is of value
2. Collect data on that value
3. Perform a risk assessment
4. Present to the organization
5. Identify control objectives
6. Identify and select controls
7. Implement controls
8. Operate controls
9. Monitor and measure
10. Operate a feedback loop
Frame and Assess
• Identify what is of value
– Tangible versus intangible assets
– Collaborative effort
• Collect data on that asset
– Asset valuation
– Impact
– Threat landscapes
– Frequency and likelihood
– Vulnerabilities
Assess and Frame
• Perform Risk Assessment
– Objectives
– Methodology
• Present to the organization
– Key risks to the achievement of organizational goals
– Open discussion
– Not a precise prediction of the future
Respond
• Identify Control Objectives
– A control objective is the aim or purpose of controls put in place and intended to mitigate risk
– Best solution
• Identify and select controls
– TCO
– Flexibility
– Amount spent
– Does the control reduce the risk by an expected amount?
• Implement controls
– Ensure that implementation follows the objectives and requirements previously set
• Operate controls
Monitor
• Monitor and measure
– Measure on an ongoing basis
– Focus on clearly identifiable changes in risk
• Operate a feedback loop
– Risk Based Security Management is cyclical and ongoing
– Data collected should create a feedback loop
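As an added example (not from the slides) of the Frame, Assess, Respond and Monitor cycle and the ten-step outline above, this constructed Python register scores each asset as likelihood times impact, frames a tolerance, selects controls by expected risk reduction per unit of TCO, and feeds a monitored change back into the cycle. The scales, assets, controls, costs and the greedy selection rule are all assumptions made for the example.

```python
"""Constructed walk-through of the slides' cycle: frame a tolerance, assess
likelihood x impact per asset, respond by selecting controls whose expected
reduction justifies their TCO, monitor, and feed changes back. All values here
are assumptions for illustration, not figures from the presentation."""
from dataclasses import dataclass

# Ordinal scales (assumption): 1 = lowest ... 5 = highest
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    rid: str
    asset: str        # step 1: what is of value
    threat: str       # step 2: threat against that asset
    likelihood: str   # step 2: frequency and likelihood
    impact: str       # step 2: consequence / impact

@dataclass
class Control:
    name: str
    covers: frozenset          # risk ids this control mitigates
    likelihood_reduction: int  # steps down the likelihood scale
    impact_reduction: int      # steps down the impact scale
    tco: float                 # total cost of ownership per year

def residual_score(risk, chosen):
    """Likelihood x impact after every chosen control that covers the risk."""
    applicable = [c for c in chosen if risk.rid in c.covers]
    lik = max(1, LIKELIHOOD[risk.likelihood] - sum(c.likelihood_reduction for c in applicable))
    imp = max(1, IMPACT[risk.impact] - sum(c.impact_reduction for c in applicable))
    return lik * imp

def assess(risks, chosen=()):
    """Steps 3-4: rank risks by score, highest first, for presentation."""
    scored = [(r.rid, residual_score(r, list(chosen))) for r in risks]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))

def over_tolerance(risks, chosen, tolerance):
    """Risk ids whose residual score still exceeds the framed tolerance."""
    return [r.rid for r in risks if residual_score(r, chosen) > tolerance]

def select_controls(risks, controls, tolerance, budget, already=()):
    """Steps 5-7: greedily take the control with the best expected reduction per
    unit of TCO until all risks are within tolerance, the budget is spent, or no
    control helps. Risks already within tolerance are accepted, not funded."""
    chosen, spent = list(already), 0.0
    remaining = [c for c in controls if c not in chosen]
    while True:
        open_ids = set(over_tolerance(risks, chosen, tolerance))
        open_risks = [r for r in risks if r.rid in open_ids]
        if not open_risks:
            break
        best, best_ratio = None, 0.0
        for c in remaining:
            if spent + c.tco > budget:
                continue
            # Does the control reduce the risk by an expected amount?
            benefit = sum(residual_score(r, chosen) - residual_score(r, chosen + [c])
                          for r in open_risks if r.rid in c.covers)
            if benefit > 0 and benefit / c.tco > best_ratio:
                best, best_ratio = c, benefit / c.tco
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
        spent += best.tco
    return chosen, spent

def monitor(risks, chosen, tolerance, observed_likelihood):
    """Steps 9-10: apply observed likelihood changes, report risks now out of tolerance."""
    for r in risks:
        r.likelihood = observed_likelihood.get(r.rid, r.likelihood)
    return over_tolerance(risks, chosen, tolerance)

# Constructed register and control catalogue (illustrative values only)
RISKS = [
    Risk("R1", "customer database", "credential theft via phishing", "likely", "severe"),
    Risk("R2", "public web app", "injection attack", "possible", "major"),
    Risk("R3", "office printers", "misconfiguration", "likely", "negligible"),
    Risk("R4", "customer database", "backup media loss", "unlikely", "major"),
]
CONTROLS = [
    Control("mfa for all accounts", frozenset({"R1"}), 3, 0, 12000.0),
    Control("web application firewall", frozenset({"R2"}), 1, 0, 8000.0),
    Control("secure coding and code review", frozenset({"R2"}), 2, 1, 15000.0),
    Control("backup media encryption", frozenset({"R4"}), 0, 3, 3000.0),
    Control("printer hardening", frozenset({"R3"}), 2, 0, 500.0),
]
TOLERANCE = 6       # framed: maximum acceptable likelihood x impact score
BUDGET = 40000.0    # framed: constraint on what can be spent on controls

def run_cycle():
    """One pass: respond, monitor a constructed change in threat intelligence
    (R2 becomes almost certain), then respond again with the remaining budget."""
    chosen, spent = select_controls(RISKS, CONTROLS, TOLERANCE, BUDGET)
    flagged = monitor(RISKS, chosen, TOLERANCE, {"R2": "almost certain"})
    chosen, more = select_controls(RISKS, CONTROLS, TOLERANCE, BUDGET - spent, chosen)
    return [c.name for c in chosen], spent + more, flagged
```

Note that the printer risk is never funded: it sits within tolerance from the start and is accepted as the cost of doing business, while the monitored rise in the web application risk is what pulls the firewall into the plan on the second pass.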
Cybersecurity Framework
[Figure: NIST Cybersecurity Framework]
Risk Management Evolution
[Figure: Risk Management Evolution]
Up and Coming Technology for Information Security
Runtime Application Self Protection
• Realistic detection rates for today’s advanced threats are typically around 5-10 percent.
• Compounding the security threat to applications is the heavy reliance on mobile devices for access and the use of these mobile devices within the enterprise network.
• Applications need self-defense or, as Gartner calls it, runtime application self-protection (RASP).
Runtime Application Self Protection
• Runtime Application Self Protection (RASP)
– The next layer of Information Security?
– A security technology that is built or linked into an application or application runtime environment
– RASP runs on the application server and monitors the execution of the application from the stack.
– Gartner predicts “25% of Web and cloud applications will become self-protecting, up from less than 1% today.”
Runtime Application Self Protection
• Applications should not be delegating most of their runtime protection to external devices, as is done today.
• Applications should be capable of self-protection, that is, have protection features built into the application runtime environment.
• RASP, as with any new technology, does have its drawbacks:
– Performance (5-10%)
– Implementation
• Web
• Virtualized environments
Runtime Application Self Protection
[Figure: Runtime Application Self Protection]
Conclusion
• A Risk Based Security model helps to provide a flexible, fluid and ongoing Information Security framework that requires collaboration
• A different perspective on Information Security
• Various models to accomplish an organization’s overall strategic objectives
Conclusion
• Runtime Application Self Protection (RASP) is an emerging technology that can address the quickly disappearing perimeter for Information Security
Thank you!
Miguel Sanchez
Sr Sales Engineer
(312) 673-4014
msanchez@firstcomm.com

Run more experiments with fewer resourcesRun more experiments with fewer resources
Run more experiments with fewer resourcesVWO
 
A_B Testing Personalized Meditation Recommendations.pdf
A_B Testing Personalized Meditation Recommendations.pdfA_B Testing Personalized Meditation Recommendations.pdf
A_B Testing Personalized Meditation Recommendations.pdfVWO
 
Ppt regarding of Digital Marketing cours
Ppt regarding of Digital Marketing coursPpt regarding of Digital Marketing cours
Ppt regarding of Digital Marketing courstegveersingh09
 
The 2024 Next Gen Attention Study - www.livewire.group
The 2024 Next Gen Attention Study - www.livewire.groupThe 2024 Next Gen Attention Study - www.livewire.group
The 2024 Next Gen Attention Study - www.livewire.groupLivewire
 
Digital Marketing Services like SEO, SMM, SEM
Digital Marketing Services like SEO, SMM, SEMDigital Marketing Services like SEO, SMM, SEM
Digital Marketing Services like SEO, SMM, SEMNazal Digital
 
Voltas turnaround strategy management case
Voltas turnaround strategy management caseVoltas turnaround strategy management case
Voltas turnaround strategy management caseAnkit Sarkar
 
Music and Ai Technology
Music and Ai TechnologyMusic and Ai Technology
Music and Ai Technologyehimaibooks
 
Harnessing Social Media for Marketing Growth
Harnessing Social Media for Marketing GrowthHarnessing Social Media for Marketing Growth
Harnessing Social Media for Marketing Growthabinashdm2014
 
Imposter Syndrome in Marketing & Why You're Not Alone
Imposter Syndrome in Marketing & Why You're Not AloneImposter Syndrome in Marketing & Why You're Not Alone
Imposter Syndrome in Marketing & Why You're Not AloneHerd
 
Podvertise.fm - Founder.University - Pitch Deck 2024
Podvertise.fm - Founder.University - Pitch Deck 2024Podvertise.fm - Founder.University - Pitch Deck 2024
Podvertise.fm - Founder.University - Pitch Deck 2024Nedko Nedkov
 
Unifying feature management with experiments - Server Side Webinar (1).pdf
Unifying feature management with experiments - Server Side Webinar (1).pdfUnifying feature management with experiments - Server Side Webinar (1).pdf
Unifying feature management with experiments - Server Side Webinar (1).pdfVWO
 
Increase Your Website Sales & Leads Webinar
Increase Your Website Sales & Leads WebinarIncrease Your Website Sales & Leads Webinar
Increase Your Website Sales & Leads WebinarSEO Optimizers
 
The best Crypto Marketing Strategies pdf
The best Crypto Marketing Strategies pdfThe best Crypto Marketing Strategies pdf
The best Crypto Marketing Strategies pdfShifali roy
 
Fashion-Marketing-1- Assaginment mid.pdf
Fashion-Marketing-1- Assaginment mid.pdfFashion-Marketing-1- Assaginment mid.pdf
Fashion-Marketing-1- Assaginment mid.pdfUttara University
 
Snapshot of Consumer Behaviors of February 2024-EOLiSurvey (EN).pdf
Snapshot of Consumer Behaviors of February 2024-EOLiSurvey (EN).pdfSnapshot of Consumer Behaviors of February 2024-EOLiSurvey (EN).pdf
Snapshot of Consumer Behaviors of February 2024-EOLiSurvey (EN).pdfEastern Online-iSURVEY
 
scope in Digital Marketing & advertising
scope in Digital Marketing & advertisingscope in Digital Marketing & advertising
scope in Digital Marketing & advertisingKBS SHOP
 
Ice Cream Brand Harmony Study - TINT Emotional Profiling Research
Ice Cream Brand Harmony Study - TINT Emotional Profiling ResearchIce Cream Brand Harmony Study - TINT Emotional Profiling Research
Ice Cream Brand Harmony Study - TINT Emotional Profiling ResearchTINT Marketing
 
SEO Trends in 2024: What You Need to Know to Succeed
SEO Trends in 2024: What You Need to Know to SucceedSEO Trends in 2024: What You Need to Know to Succeed
SEO Trends in 2024: What You Need to Know to SucceedMumbai Pixels
 
TAM AdEx-A Pixelated view into Digital Advertising Trends for Y 2023.pdf
TAM AdEx-A Pixelated view into Digital Advertising Trends for Y 2023.pdfTAM AdEx-A Pixelated view into Digital Advertising Trends for Y 2023.pdf
TAM AdEx-A Pixelated view into Digital Advertising Trends for Y 2023.pdfSocial Samosa
 

Kürzlich hochgeladen (20)

Top 15 Emerging Technologies for the Modern World
Top 15 Emerging Technologies for the Modern WorldTop 15 Emerging Technologies for the Modern World
Top 15 Emerging Technologies for the Modern World
 
Run more experiments with fewer resources
Run more experiments with fewer resourcesRun more experiments with fewer resources
Run more experiments with fewer resources
 
A_B Testing Personalized Meditation Recommendations.pdf
A_B Testing Personalized Meditation Recommendations.pdfA_B Testing Personalized Meditation Recommendations.pdf
A_B Testing Personalized Meditation Recommendations.pdf
 
Ppt regarding of Digital Marketing cours
Ppt regarding of Digital Marketing coursPpt regarding of Digital Marketing cours
Ppt regarding of Digital Marketing cours
 
The 2024 Next Gen Attention Study - www.livewire.group
The 2024 Next Gen Attention Study - www.livewire.groupThe 2024 Next Gen Attention Study - www.livewire.group
The 2024 Next Gen Attention Study - www.livewire.group
 
Digital Marketing Services like SEO, SMM, SEM
Digital Marketing Services like SEO, SMM, SEMDigital Marketing Services like SEO, SMM, SEM
Digital Marketing Services like SEO, SMM, SEM
 
Voltas turnaround strategy management case
Voltas turnaround strategy management caseVoltas turnaround strategy management case
Voltas turnaround strategy management case
 
Music and Ai Technology
Music and Ai TechnologyMusic and Ai Technology
Music and Ai Technology
 
Harnessing Social Media for Marketing Growth
Harnessing Social Media for Marketing GrowthHarnessing Social Media for Marketing Growth
Harnessing Social Media for Marketing Growth
 
Imposter Syndrome in Marketing & Why You're Not Alone
Imposter Syndrome in Marketing & Why You're Not AloneImposter Syndrome in Marketing & Why You're Not Alone
Imposter Syndrome in Marketing & Why You're Not Alone
 
Podvertise.fm - Founder.University - Pitch Deck 2024
Podvertise.fm - Founder.University - Pitch Deck 2024Podvertise.fm - Founder.University - Pitch Deck 2024
Podvertise.fm - Founder.University - Pitch Deck 2024
 
Unifying feature management with experiments - Server Side Webinar (1).pdf
Unifying feature management with experiments - Server Side Webinar (1).pdfUnifying feature management with experiments - Server Side Webinar (1).pdf
Unifying feature management with experiments - Server Side Webinar (1).pdf
 
Increase Your Website Sales & Leads Webinar
Increase Your Website Sales & Leads WebinarIncrease Your Website Sales & Leads Webinar
Increase Your Website Sales & Leads Webinar
 
The best Crypto Marketing Strategies pdf
The best Crypto Marketing Strategies pdfThe best Crypto Marketing Strategies pdf
The best Crypto Marketing Strategies pdf
 
Fashion-Marketing-1- Assaginment mid.pdf
Fashion-Marketing-1- Assaginment mid.pdfFashion-Marketing-1- Assaginment mid.pdf
Fashion-Marketing-1- Assaginment mid.pdf
 
Snapshot of Consumer Behaviors of February 2024-EOLiSurvey (EN).pdf
Snapshot of Consumer Behaviors of February 2024-EOLiSurvey (EN).pdfSnapshot of Consumer Behaviors of February 2024-EOLiSurvey (EN).pdf
Snapshot of Consumer Behaviors of February 2024-EOLiSurvey (EN).pdf
 
scope in Digital Marketing & advertising
scope in Digital Marketing & advertisingscope in Digital Marketing & advertising
scope in Digital Marketing & advertising
 
Ice Cream Brand Harmony Study - TINT Emotional Profiling Research
Ice Cream Brand Harmony Study - TINT Emotional Profiling ResearchIce Cream Brand Harmony Study - TINT Emotional Profiling Research
Ice Cream Brand Harmony Study - TINT Emotional Profiling Research
 
SEO Trends in 2024: What You Need to Know to Succeed
SEO Trends in 2024: What You Need to Know to SucceedSEO Trends in 2024: What You Need to Know to Succeed
SEO Trends in 2024: What You Need to Know to Succeed
 
TAM AdEx-A Pixelated view into Digital Advertising Trends for Y 2023.pdf
TAM AdEx-A Pixelated view into Digital Advertising Trends for Y 2023.pdfTAM AdEx-A Pixelated view into Digital Advertising Trends for Y 2023.pdf
TAM AdEx-A Pixelated view into Digital Advertising Trends for Y 2023.pdf
 


Hinweis der Redaktion

  1. 1 Change such as new product launches or the introductions of new technology are all on the rise having a complicating impact on the strength of cybersecurity. 2 Mobility and consumerization. The adoption of mobile computing has resulted in the blurring of organizational boundaries. IT is getting closer to the user and further from the organization. The use of the Internet, smartphones and tablets (in combination with BYOD) has made organizations data accessible everywhere. 3 We live and operate in an ecosystem of digitally connected entities, people and data. All increasing the likelihood of exposure to cybercrime in both the work and home environment. 4 Cloud-based services, third party data management and storage, open up new channels of risk that previously did not exist. It is very common to hear about security concerns for shadow IT. 5 Infrastructure for traditionally closed operational technology systems are now being given IP addresses. Cyber threats are now making their way out of the back-office systems and into critical infrastructures such as power generation and transportation systems which of course is a high concern for Homeland Security.
  2. Dell Secureworks has reported over 830,000 victims of the Cryptowall ransomware with demand starting at $500 each. We keep hearing about state sponsored Dedicated Denial of Service attacks by Russia or China. Hactivists such as Anonymous making political statements. And lastly, Lone wolf hacker or Black Hat who is just having some malicious fun. The attacking power of cyber criminals is increasing at an astonishing speed. Attackers have access to significant funding; they are more patient and sophisticated than ever before; and they are looking for vulnerabilities in the whole operating environment — including people and processes.
  3. So what are the defenses currently in place? 1) Firewalls were the first widely deployed network security technology when the Internet was a baby. It’s basic job is to inspect that traffic and to decide what traffic is allowed to go from outside to inside, and from inside to outside. However, network traffic has changed quite a bit in the past couple decades. 2) Unfortunately, this adds complexity and cost, as each new technology means a new device to deploy, a new set of policies to configure, and a new management console to monitor.
  4. In response to the limitations to the traditional method of network security, Next Generation Firewalls have evolved to fill the need. NGFWs or Web Application Firewalls are an important part of an Information Security plan, but not the end all be all. It becomes an important part of an Information Security Architecture.
  5. How do we avoid the recent data breaches of Sony Entertainment or the health care provider, Anthem. For example, in Anthem’s case, they are considered HIPPA compliant but their data was not encrypted because it didn’t need to be. Being compliant does not mean you avoid or mitigate risk and the impact or consequences that will be experienced.
  6. In addition to less money, IT is given more responsibilities Not every organization has a dedicated security team Shortage of staff or lack of training Being reactive versus proactive. This is were having a framework is necessary to help identify your cybersecurity risks.
  7. Compliance is a big factor for heavily regulated industries such as healthcare and financial institutions. Could be internal or external. Recent issued threats or assessment of a risk Companies that are leading edge or want to do the rght thing
  8. As you can see from the survey, compliance has the greatest response for a risk management program, but it becomes just one factor in the risk profile. Even in a risk-based program, compliance doesn’t go away entirely with the regulations still being there. Department heads and managers have to start thinking in terms of acceptable risk levels versus compliance requirements from a checklist. It's a change in mindset of an organization. It is the moment an "ahha!“ moment for the entire organization when everyone understands the difference is.
  9. Lets take a look at what you get with a Risk Management model. Tolerance for risk changes over time. It is dynamic and fluid.
  10. It needs the involvement from senior leaders/executives providing the strategic vision; to mid-level leaders planning projects; to individuals on the front lines operating the information systems. frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk and (iv) monitor risk on an ongoing basis The Risk Management Process model shows a continues loop feedback across all levels. Where the risk frame is defined at the strategic level down to the front lines where Information Security systems are monitored.
  11. The first component of risk management addresses how organizations frame risk or the risk context. The Risk Context is the environment in which risk-based decisions are made The purpose of this step is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk. The risk frame establishes a foundation for managing risk and the boundaries for risk-based decisions.
  12. The second component of risk management addresses how organizations assess risk within the context of the risk frame. Threats to organizations or threats directed through organizations against other organizations. For example, an attack on your information systems to gain access to one of your outside vendors through a company portal Vulnerabilities internal and external. Internal could be people or systems Consequences or impact that may occur given the potential for threats exploiting vulnerabilities Likelihood that harm will occur. The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring).
  13. The third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of risk assessments. (i) developing alternative courses of action for responding to risk; (ii) evaluating the alternative courses of action; (iii) determining appropriate courses of action consistent with organizational risk tolerance; and (iv) implementing risk responses based on selected courses of action. To support the risk response component, organizations describe the types of risk responses that can be implemented by either accepting, avoiding, mitigating, sharing, or transferring risk. As you can see, everything revolves around identifying the Risk Frame which drives all other decisions.
  14. The fourth component of risk management addresses how organizations monitor risk over time. Verify that planned risk response measures are implemented and information security requirements are satisfied Determine the ongoing effectiveness of risk response measures following implementation; Identify risk-impacting changes to organizational information systems and the environments in which the systems operate.
  15. Here we come back to the Risk Management Process model where the Frame Risk is at the center of the whole process. Basically, we start with identifying what is of value for an organization and the risk associated with that valuable asset.
  16. How do we make Risk Management Work? The risk management process is carried out seamlessly across the three tiers with the overall objective of continuous improvement in the organization’s risk-related activities with effective communication across all tiers and among all stakeholders having a shared interest in the success of the organization.
  17. The Multitiered Risk Management approach has distinct boundaries and accountabilities with continuing communication across all tiers. From the Organization level that frames risk, to the Mission/Business processes that assess and respond to risk, down to the operational level where risk is monitored.
  18. Governance which is the set of responsibilities and practices exercised by those responsible for an organization such as the board of directors and/or executive management. The risk executive (function) serves as the common risk management resource. It is similar to the recommended executive position in Disaster Recovery/Business Continuity Planning. They are the single point of contact between various departments in this collaborative process. Risk tolerance is the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the risk frame. Investment strategies that generally reflect the long-term strategic goals and objectives of organizations.
  19. A risk-aware mission/business process is one that explicitly takes into account the likely risk such a process would cause if implemented. Implementing risk-aware mission/business processes requires a thorough understanding of the organizational missions and business functions and the relationships among those functions and supporting processes. Enterprise architecture establishes a clear and direct connection from investments to measurable performance improvements. It promotes the concepts of segmentation, redundancy, and elimination of single points of failure—all concepts that can help organizations manage risk more effectively .
  20. The information security architecture is an integral part of the organization’s enterprise architecture. It represents that portion of the enterprise architecture specifically addressing information system resilience and providing architectural information for the implementation of security capabilities. The primary purpose of the information security architecture is to ensure that mission/business process-driven information security requirements are Consistently and cost-effectively achieved in information systems The environments in which those systems operate are consistent with the organizational risk management strategy. Information security requirements defined in the segment architecture are implemented in the form of management, operational, and technical security controls. It provides a detailed roadmap that allows traceability from the highest Tier 1 strategic level down to the Tier 3 operational level. Here you see how the Information Security Architecture flows from Organization strategic level and into the environments of operation in the Miltitiered Risk Managed model
  21. All information systems, including operational systems, systems under development, and systems undergoing modification, are in some phase of the system development life cycle.
  22. The slide shows the integration of the Risk Management model with the Multitiered Risk Management process. As you can see, everything revolves around the Frame Risk component. The bidirectional arrows in the figure indicate that information and communication flow among the risk management components. The execution order of the components may be flexible and respond to the dynamic nature of the risk management process as it is applied across all three tiers.
  23. When we look at the NIST Cybersecurity Framework, it has direct correlations with the Risk Based Management model and the Multitiered Management approach. It has distinct boundaries, but is collaborative and flexible.
  24. So how do we get started?
  25. Identify what is of value, or what matters. If you have a Disaster Recovery/Business Continuity Plan, then you have already started to identify the critical information systems that need to be prioritized. This can help in the identification of risk to that value. 1a) Many of the most valuable assets are intangible and are typically not considered in technical approaches to information security. A company’s reputation is considered an intangible asset, so how do you place a value on that asset? Maybe we need to ask Target for the value of this intangible asset? 1b) This requires us to step out of our techie role and step into that of a sociologist. We need to survey the organization and engage those who are responsible for each line of business. We need to gather information about the organization’s revenue stream, its revenue per line of business, and how each business unit is interrelated and can impact the revenue stream. We need to learn what each manager focuses on to keep their area running. Nearly all risk analysis methodologies require key pieces of information in order to complete the analysis. Collecting this information is a process best based on observable data; it can include feedback from the organization’s environment or be based on broader industry studies. The information collected does not need to be absolute and precise, and in some cases the data collected will be closer to estimates. It is important to start with a baseline that will evolve over time.
  26. A risk assessment is the critical junction of any risk management program. It is where the various elements that affect risk are brought together and the data that has been collected is exercised. The first step is to set the objectives of the assessment. The objectives should specify the environment and assets being assessed. Some of the things we need to look at in the methodology for assessing risk are: the need to represent risk as a balanced combination of threats, vulnerabilities, and likelihood; consider a broad range of viable threats, likelihoods and vulnerabilities; measure risk using as much tangible data as possible; do not attempt to be absolute or force precision, but rather attempt to define the probability of events and outcomes; create meaningful analysis of probabilities (what is the likelihood of something happening) rather than possibilities (simply what can and what cannot happen); create meaningful information on the magnitude of an event and its impact; and rank risk on a normalized scale that is explicitly defined, relevant and re-usable across risk analyses of all sizes and types, similar to the DR/BC prioritization of information systems. Ultimately, all decisions about the treatment of risk are up to the owners of that asset. Therefore the material needs to be presented in a manner that makes the stakeholders better able to make informed decisions. The risk analysis should be presented in the context of the asset owner’s own goals and objectives and in a language they understand.
  27. A control objective will identify the risk being addressed and will identify ways to minimize an element of that risk— whether by reducing threats, frequency or likelihood, or by mitigating the vulnerability that makes the threat viable. What is the total cost of ownership of the control? Besides simple capital costs, what are the long-term costs of maintaining the control? What are the labor and maintenance costs? What are the costs of upgrades, changes and development? How flexible is the control to changes in the organization or in the elements that make up the risk? Is the amount spent on the control appropriate for the probable magnitude and impact of an event? If inserted back into the risk analysis, does the control reduce the risk by the expected amount? As with any project, it is important to ensure that the implementation follows the objectives and requirements that were previously set forth. This step is one we are already very well acquainted with; controls are not operated any differently than in a non-risk-based methodology. RBSM does, however, take an additional step that measures the effectiveness of the control itself and its operation.
  28. In order to validate that the control is satisfying the intended objectives, it is critical to measure on an ongoing basis the effectiveness of the control in relation to the original risks it is designed to mitigate. The measures must focus on clearly identifying changes in risks.
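The assessment, control and measurement steps in notes 25 through 28 can be worked through as a small risk register. This is an added example, not part of the original presentation: the scales (annual likelihood, 0..1 vulnerability, 1..5 impact, a 0..100 normalized score, a cost per impact point) and the register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

# Scale definitions are assumptions for this example: likelihood is an estimated
# annual probability (0..1), vulnerability is the chance an attempt succeeds
# (0..1), impact is a magnitude on a 1..5 scale. The score is normalized to 0..100
# so that entries from different analyses stay comparable and rankable.
MAX_IMPACT = 5.0

@dataclass
class Risk:
    asset: str            # what is of value, e.g. a line-of-business system
    threat: str
    likelihood: float
    vulnerability: float
    impact: float

    def score(self) -> float:
        """Risk as a balanced combination of threat, vulnerability and impact."""
        return round(100 * self.likelihood * self.vulnerability * self.impact / MAX_IMPACT, 1)

@dataclass
class Control:
    name: str
    annual_tco: float               # capital plus labor, maintenance and upgrades per year
    likelihood_reduction: float     # fraction by which threat frequency drops
    vulnerability_reduction: float  # fraction by which exploitability drops
    target_score: float             # residual score the control objective promised

def apply_control(risk: Risk, control: Control) -> Risk:
    """Insert the control back into the analysis and return the residual risk."""
    return replace(risk,
                   likelihood=risk.likelihood * (1 - control.likelihood_reduction),
                   vulnerability=risk.vulnerability * (1 - control.vulnerability_reduction))

def rank(register: list) -> list:
    """Order the register on the normalized scale, highest risk first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)

def evaluate_control(risk: Risk, control: Control, loss_per_impact_point: float) -> dict:
    """Answer the two control questions: does it reduce risk by the expected
    amount, and is its cost appropriate to the expected loss it avoids?"""
    residual = apply_control(risk, control)
    inherent_loss = risk.likelihood * risk.vulnerability * risk.impact * loss_per_impact_point
    residual_loss = residual.likelihood * residual.vulnerability * residual.impact * loss_per_impact_point
    avoided = inherent_loss - residual_loss
    return {"inherent": risk.score(), "residual": residual.score(),
            "meets_objective": residual.score() <= control.target_score,
            "avoided_annual_loss": round(avoided),
            "cost_appropriate": control.annual_tco <= avoided}

# Constructed register and control, for illustration only.
REGISTER = [Risk("Order processing", "ransomware", 0.30, 0.80, 5),
            Risk("Marketing site", "defacement", 0.50, 0.60, 2),
            Risk("Payroll", "insider data theft", 0.10, 0.50, 4)]
BACKUP_EDR = Control("Offline backups plus EDR", 40_000, 0.25, 0.50, 12.0)
```

Re-running `evaluate_control` each reporting period with refreshed likelihood and vulnerability estimates is the ongoing measurement from note 28: a residual score drifting back above `target_score` is the signal that the control is no longer doing what it was bought for.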
  29. The idea is that this is a flexible model that addresses currently identified risks and any future risks that might be identified through this model.
  30. One of the more recent options for helping to implement a Risk Based Security model is RASP (Runtime Application Self Protection). 1) We need to accept that, just like us, our computers cannot distinguish good from bad. Anti-virus and other security products that claim to be able to detect malware quite simply cannot keep up. 2) The growth of BYOD has helped fuel some of the increase in perimeter security spending, but perimeter protection simply won’t cut it in today’s intrusion landscape.
  31. 1) RASP is capable of controlling application execution and detecting and preventing real-time attacks. It is like learning karate for self-defense rather than waiting for the local police to arrive after it is too late. Imagine what happens to malware that has just bypassed the IPS on the new NGFW, but the application defends itself against it. 2) It protects from within the application, utilizing contextual insight so that you can be confident in identifying and stopping attacks that network security cannot see.
  32. These features should see all data coming in and out of the application, all events affecting the application, all executed instructions, and all database access. Once RASP is deployed into production, the application runtime environment should be able to detect attacks and protect applications with a high level of assurance.
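The "contextual insight" of notes 31 and 32 comes down to the runtime knowing what the application intended to do. The hypothetical guard below, an added example and not any RASP product's code, watches one of the feeds listed above (database access): it is handed the query template the code meant to run, renders it with the user input the way a legacy application would (string concatenation), and refuses the statement if its token structure no longer matches the template. The table, rows and token classes are constructed for this example.

```python
import re
import sqlite3

# Hypothetical RASP-style hook written for this example, not a product's code. A
# firewall sees only the HTTP request; the in-process hook sees the template AND
# the rendered statement, so it can tell when input has changed the query's shape.
TOKEN = re.compile(r"\s*(?:('(?:[^']|'')*')|(\d+)|([A-Za-z_]\w*)|(--.*|/\*.*?\*/)|(\S))")

def skeleton(sql: str) -> list:
    """Reduce a statement to token classes: STR, NUM, WORD, COMMENT or the literal
    punctuation/operator character."""
    out = []
    for m in TOKEN.finditer(sql):
        s, n, w, c, p = m.groups()
        out.append("STR" if s else "NUM" if n else "WORD" if w else "COMMENT" if c else p)
    return out

BLOCKED = []  # constructed event log: what the agent would report to the SOC

def guarded_query(conn, template: str, placeholder: str, value: str):
    """Run the rendered statement only if its structure matches the template's.
    Returns the rows, or None when the statement was blocked and logged."""
    expected = skeleton(template.replace(placeholder, "'x'"))
    rendered = template.replace(placeholder, "'" + value + "'")  # unsafe, as in legacy code
    if skeleton(rendered) != expected:
        BLOCKED.append({"template": template, "input": value})
        return None
    return conn.execute(rendered).fetchall()

def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [(1, "alice", 120), (2, "bob", 75)])
    return conn

if __name__ == "__main__":
    db = demo_db()
    q = "SELECT id, balance FROM accounts WHERE owner = :owner"
    print(guarded_query(db, q, ":owner", "alice"))        # rows for alice
    print(guarded_query(db, q, ":owner", "' OR 1=1 --"))  # None, and BLOCKED gains an entry
```

Note the caveat this exposes: a legitimate value containing a quote (an owner named O'Brien) also changes the skeleton and is refused, so the guard surfaces the application's own unsafe concatenation as well as attacks, which is why RASP findings need a feedback path to the developers and not only to the SOC.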
  33. Not sure about legacy applications, but that was an issue too when server virtualization started taking off.