Post on 29-Jun-2018
Synopsis
An in-depth analysis of why it is important to go back to basics, and of the basics of a risk based approach to information security. The session covers the current and historical state of information security, its challenges, and the way to get the right security for any organization: the risk based approach, frameworks, high level steps, cost-benefit analysis, prioritization of corrective measures based on risk categories, and presenting information security plans to executive management on a risk basis. This is key now that organizational perimeters are no longer physical and organizational boundaries cannot be drawn at a firewall or a router, because of the adoption of new technologies and solutions such as cloud, big data and mobile.
Questions in our mind?
• Risk Based Security – is it a new thing? Is it the need of the hour? Is it time to go back to basics?
• Why should we move to a risk based security model?
• To get buy-in from executive management – is risk based security the answer? In fact, how can you sell security to the board with a risk based approach?
• Risk based security with cost-benefit analysis – decisions based on dollars?
• Can a risk based approach ensure the effectiveness of security?
• How to go about it? What are the important elements to get the best out of it? Which is the right framework to adopt?
• Risk Management evolution and levels of Risk Management
• What are the secrets of being successful with the approach?
• What is the future direction – any new additions?
Introduction
What is RBSM? Why is it important?
Security Strategy, Roadmap, and RBSM
RBSM Framework, process
Metrics
Summary
What is Risk Based Security?
• Information Security decisions based on careful identification, analysis and prioritization of risks
• Must rest on observable facts and measurable data, to defend subsequent analyses
• Risk analysis is the research before the trip
• Focus on the areas that produce the greatest benefits
Why Risk Based Security?
Interest in Risk Management is spiking:
• Increasingly required to engage non-technical executives for budget
• Habitual security spending not aligned with the business
• More objective methods needed to allocate limited budgets
• Scary things in the news, noticed by business guys
• Compliance is driving the conversation around risks
Why is it important?
The threat landscape has changed:
– Cloud
– Mobile computing
– Infrastructure
– Ecosystem
Why is it important?
Threats originate from:
– Criminal syndicates
– State sponsored attackers
– Hacktivists
– Lone wolf hackers
Why is it important?
• Security budgets have increased
• ROI is not clear
• Major security incidents still happen due to gaps in the security posture, even after investing a lot
• Too many security products and solutions, but the benefits are not known or visible
• Traditionally, security starts with a firewall, and further security controls/technologies are then added in response to the threats of the day…
Why is it important?
• Visible, exposed security breaches/incidents
• More executive managers have had to answer for security breaches
• Compliance/regulations
• Financial losses have been found to be huge
Triggering Factors
[Bar chart: Triggering factors for RBSM – survey results, percentage of responses; the bars read 73%, 15%, 21%, 47% and 47% in the order extracted]
• Compliance
• Recent security event – requiring external notification
• Security close call – without external reporting
• General threat landscape facing your business, technology, and employees
• It is the right thing to do – change rather than react to events
Risk Based Security – Key Factors
• Proactive, rather than reactive
• Steady and slow change in the way organizations approach information security, using a risk based model
• CSOs/CISOs are being asked to prioritize risks/solutions by identifying which ones should be accepted as the cost of doing business, and which ones need to be addressed
Challenges
• Information Security was considered a secondary IT function.
• Budgeting has been minimal
• Misallocated solely as a part of the general IT budget
• A traditional security budget won't impress executives, because it is mostly based on a vulnerability assessment.
Challenges
• Vulnerability assessments (VA) mostly test critical IT systems and applications and identify exploitable weaknesses; they are highly technical and focused on a few critical systems and applications.
• The VA approach misses strategic aspects and focuses mostly on short term, tactical elements.
• People and processes are mostly missed, and some technical areas too
• Executives' understanding, appreciation and time for technical elements is rather limited
• Tactical expenditure without a strategic direction is like a boat without a sail.
Introspection?
Information Security budget – many questions from business & executives:
• Did we really need to spend this money? Or could we have done without it?
• Why are we spending this much on security?
• If we buy and install this product, is that good enough?
• Why don't we have controls to protect against that attack?
• Who is attacking us, and why?
• Why did Information Security not highlight this risk? Why did you not tell us the potential risks of not buying that device/solution?
• Why were proactive actions not taken?
Proactive CISO
• Anticipate the questions above
• Be prepared with the answers to those questions before they are asked
• Optimum ROI – a measurable increase in the overall information security posture and measurable expenses
• More buy-in, higher credibility for the security programs
• Be ready with a risk based security plan
Key Components
• Step 1 – Information Security Risk Assessment
• Step 2 – Security Plan
• Step 3 – Security Budget
Information Security Strategy/Plan
[Diagram: risk-to-maturity roadmap for the period 2016-2019, shown as Before, During and After states]
– Before: risks Risk 1 … Risk "n" and beyond (Risk "n" +), each rated LOW, MEDIUM or HIGH; maturity level current state 0 to 1
– During / After: target MEDIUM risks < "n", target HIGH risks = 0; maturity level targets 2 to 3, then 4 to 5; end state is a stable, secure IT/data environment
– Pillars: Process, People, Technology; Committee & Awareness
– Security objectives throughout: Confidentiality (C), Integrity (I), Availability (A)
Risk Management Model
Risk Management is the ongoing process of identifying, assessing, and responding to risk
– Managing Risk
• Businesses and organizations need to understand the likelihood or probability that an event will occur and its resulting consequence or impact
– Risk Tolerance
• Using the Risk Management Model, organizations can determine the acceptable level of risk for the delivery of services and this can be expressed as their risk tolerance
Frameworks
Risk Management Process
– NIST SP 800-39, ADSIC/NESA (UAE), etc.
– ITIL
– ISO 27000
– PCI
– HIPAA
– Internally developed etc.
A complex and multifaceted process: Assess – Respond – Monitor
Risk Management Process
• The risk framework requires the organization to identify
– Risk Assumptions
– Risk Constraints
– Risk tolerance
– Priorities and trade-offs
Basic Steps/Process
• Step 1 – IDENTIFY: identify the information that is key to the business
• Step 2 – CATEGORIZE: categorize the information according to its importance to the business
• Step 3 – THREATS: identify threats to the information
• Step 4 – VULNERABILITIES: assess vulnerabilities in the systems that process the information
• Step 5 – RISKS: assess the risks of loss or corruption of the information
• Step 6 – CONTROLS: identify the controls necessary to mitigate the risks; implement the controls; monitor the controls continuously
What is risk based security?
• Risk = Probability (of a threat exploiting a vulnerability) x Impact (to the asset)
• T (Threat), V (Vulnerability), I (Impact)
• Part of the wider enterprise risk management system, specific to information security
• The goal is to enable the business.
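A worked example of the Risk = Probability x Impact scoring above, carried through to the prioritization of corrective measures and the plan targets from the Strategy/Plan slide (HIGH = 0, MEDIUM < n). This is added Python code, not part of the original presentation; the 1..5 scales, the category thresholds and the sample register are assumptions.

```python
from dataclasses import dataclass

# Risk = Probability (likelihood) x Impact. The slides give the formula but no scale, so
# both factors use an assumed 1..5 ordinal scale; scores therefore range 1..25.
HIGH_FROM, MEDIUM_FROM = 15, 8  # assumed category thresholds on the 1..25 score

@dataclass
class Risk:
    asset: str          # information/system that matters to the business (Steps 1-2)
    threat: str         # T (Step 3)
    vuln: str           # V (Step 4)
    prop: str           # CIA property affected: "C", "I" or "A"
    likelihood: int     # probability of the threat exploiting the vulnerability, 1..5
    impact: int         # impact to the asset, 1..5
    control: str = ""   # planned mitigating control (Step 6), if any
    reduction: int = 0  # expected drop in likelihood once the control is in place

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.asset}: likelihood and impact must be 1..5")

    def score(self, residual=False):
        """Current score, or the residual score once the planned control is in place."""
        lk = max(1, self.likelihood - self.reduction) if residual else self.likelihood
        return lk * self.impact

def category(score):
    return "HIGH" if score >= HIGH_FROM else "MEDIUM" if score >= MEDIUM_FROM else "LOW"

def prioritize(register):
    """Highest current risk first: the order in which corrective measures get funded."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)

def counts(register, residual=False):
    """Number of risks in each category, current or residual."""
    cats = [category(r.score(residual)) for r in register]
    return {lvl: cats.count(lvl) for lvl in ("HIGH", "MEDIUM", "LOW")}

def meets_target(register, max_medium):
    """Plan target from the slides: HIGH = 0 and MEDIUM < n once the controls are in place."""
    c = counts(register, residual=True)
    return c["HIGH"] == 0 and c["MEDIUM"] < max_medium

# Constructed sample register; the entries are illustrative, not from the slides or a survey
REGISTER = [
    Risk("Customer DB", "Criminal syndicate", "Unpatched DB server", "C", 4, 5, "Patching + DB firewall", 3),
    Risk("Order pipeline", "Ransomware", "Flat network, untested backups", "A", 4, 4, "Segmentation + backups", 2),
    Risk("Payroll", "Insider", "Shared admin account", "I", 2, 4, "Named accounts + access review", 1),
    Risk("Marketing site", "Hacktivist", "Outdated CMS plugin", "I", 3, 2),
]
```

`prioritize(REGISTER)` gives the funding order, and `meets_target(REGISTER, n)` checks whether the planned controls bring the register to the HIGH = 0, MEDIUM < n target.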
Concerns
• Unbalanced approach
– Security resources are not aligned with the perceived risks
– Over investing in some areas, woefully underinvested in others
• Preventive vs. detective control implementation
– Organizations are making good progress on preventive controls, yet they are behind on detective controls, which means they have good expectations but no way to hold others accountable
• Most have work to do on the critical last steps of RBSM
• Lack of metrics to measure the success of RBSM
• 50% have no metrics
Metrics
[Bar chart: What is being measured for RBSM success – survey results, percentage of responses; the bars read 44%, 34%, 34%, 32%, 29%, 29%, 28%, 8% and 8% in the order extracted]
• Reduction in the cost of security management activities
• Number of end users receiving appropriate training
• Reduction in the number of policy violations
• Reduction in the number of data breach incidents
• Reduction in the number of known vulnerabilities
• Reduction in unplanned system downtime
• Percentage of endpoints free of malware or other attack agents
• Reduction in the frequency of denial of service attacks
• Reduction in the cost of cyber crime
Assess Risks
• The risk assessment component includes
– Threats, vulnerabilities, consequences/impact
– Likelihood that harm will occur
• The end result is a determination of risk
Respond to Risk
The purpose is to provide a consistent, organization-wide response to risk, in accordance with the organizational risk framework, by:
– Developing
– Evaluating
– Determining
– Implementing
Monitor Risk
The purpose of the risk monitoring component is to
– Verify
– Determine ongoing effectiveness
– Identify risk-impacting changes
Managing the Risk Management Framework
Broken down into three distinct tiers
– Tier 1: Organization level (strategic)
– Tier 2: Mission/Business process level (tactical)
– Tier 3: Information system level (operational)
RBSM Process – Details
– Identify what matters – understand the environment being examined:
• The organization's priorities
• Areas that are sensitive to change
• Goals and objectives of the business
• Insights into the elements of the organization that management sees as its critical assets
RBSM – Process
• Assets are tangible or intangible things that hold value for the company
• Intangible assets matter more to executives, and are what technologists miss
• Survey the organization and executives
• Gather information about the organizational revenue stream
• Revenue per line of business
• How each business unit is interrelated and can impact the revenue stream; dependencies
RBSM Process
• Learn what the business manager focuses on to keep his area running
• Critical elements
– Assets of value
– Associated value of each business unit
– Potential impacts (different from the technical view)
• Meet with business leaders to listen to their upcoming plans, challenges, and opportunities, and their effect on the objectives and risks of the organization
RBSM Process
Collect data on what matters
– Data collected may be estimations
– Asset valuation
• Not simply replacement cost
• Top down perspective
• Start with the organization's gross revenue
• Break that down by lines of business
• Then by the business processes that support them
• E.g. these processes may be development, manufacturing, sales etc.
• Identify the information systems that support each of these groups
• This maps specific systems to goals and objectives (including revenue generation)
RBSM Process
• It can then identify the impact on those goals when a business unit or its supporting systems are unable to contribute
• Impact: communicate with business units and gather data regarding the impact on key business processes that would result from the absence of their department.
• How long it would take to impact upstream and downstream processes
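The top-down valuation described on this and the previous slide (gross revenue, broken down by line of business and business process, then mapped to the systems that support them) carried through in added Python code; it is not from the original presentation. The revenue figures, shares and system names are constructed, and the linear outage model is an assumption.

```python
# Top-down asset valuation: gross revenue -> lines of business -> business processes ->
# the information systems that support them. Shares are integer percentages of the
# parent's revenue, so the arithmetic stays exact.
GROSS_REVENUE = 120_000_000  # constructed annual gross revenue, in dollars

LINES_OF_BUSINESS = {"Retail": 60, "Wholesale": 40}  # % of gross revenue (constructed)
PROCESSES = {  # line of business -> {process: % of that line's revenue} (constructed)
    "Retail": {"sales": 50, "manufacturing": 30, "development": 20},
    "Wholesale": {"sales": 70, "manufacturing": 30},
}
SYSTEMS = {  # information system -> (line, process) pairs it supports (constructed)
    "ERP": [("Retail", "manufacturing"), ("Wholesale", "manufacturing"), ("Wholesale", "sales")],
    "Web shop": [("Retail", "sales")],
    "Source repo": [("Retail", "development")],
}

def validate_shares():
    """Each breakdown must account for exactly 100% of its parent, or the map is wrong."""
    groups = [LINES_OF_BUSINESS, *PROCESSES.values()]
    bad = [g for g in groups if sum(g.values()) != 100]
    if bad:
        raise ValueError(f"shares do not sum to 100%: {bad}")
    return True

def process_revenue():
    """Revenue attributed to each (line, process) pair."""
    validate_shares()
    rev = {}
    for line, lshare in LINES_OF_BUSINESS.items():
        line_rev = GROSS_REVENUE * lshare // 100
        for proc, pshare in PROCESSES[line].items():
            rev[(line, proc)] = line_rev * pshare // 100
    return rev

def system_value():
    """Value of a system = revenue of every process it supports, not its replacement cost."""
    rev = process_revenue()
    return {name: sum(rev[p] for p in pairs) for name, pairs in SYSTEMS.items()}

def ranked_systems():
    """Systems ordered by the revenue they support; the top entries are the critical assets."""
    return sorted(system_value().items(), key=lambda kv: kv[1], reverse=True)

def outage_impact(system, days, working_days=250):
    """Revenue at risk if `system` cannot contribute for `days` working days (linear assumption)."""
    return system_value()[system] * days // working_days
```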
RBSM Process
• How long it will take to replace key physical assets or rebuild the intellectual property.
• Threat landscape:
– It could be broad
– Human actions, environmental conditions, regulatory compliance
– Threats should be realistic
RBSM Process
• Examine a broad range of public resources and experience
• Frequency and likelihood:
– Will never be precise
– But it can give a range of probabilities that has a large effect on accuracy during decision making
– Sources: honeypots, web server logs
– Local and public resources
– Vendor and consulting firm reports
– No single report is comprehensive, but together they give an overall picture of frequency and likelihood
Step 2 – Security Plan
• Security roadmap recommendation
– Strategic
– Tactical
– Operational
• The security plan translates the recommendations into
– Actionable items
– Specific projects
– Resource requirements
– Timelines
Step 3 – Security Budget
• Formulate the budget from the security plan
• Clearly reflect the strategic direction taken by the Info Sec team
• Identify the underlying risks being addressed by each line item
• Identify the IT assets that will benefit from the project
• This provides an opportunity to measure the overall improvement in the risk posture of each IT asset
Benefits of Risk Based Security Management
[Bar chart: Benefits of RBSM – survey results, percentage of responses; the bars read 44%, 34%, 34%, 32%, 29%, 29% and 8% in the order extracted]
• Reduction in the cost of security management activities
• Number of end users receiving appropriate training
• Reduction in the number of policy violations
• Reduction in the number of data breach incidents
• Reduction in the number of known vulnerabilities
• Reduction in unplanned system downtime
• Reduction in the frequency of denial of service attacks
Summary
• Go back to basics – remember the objectives of security
• How to sell security? How to present it to the board/executives effectively? How to get the needed budget?
• ROI? Optimized budget and expenses, effective security?
• Security has to be business aligned, understood, value adding, and cost efficient.
• Address the most critical/important (risky) areas first, instead of going out and buying the latest and fanciest products/solutions
• Have proper visibility, measurement, progress tracking, KPIs etc.
• Institute a formal RBSM program or function with a formal strategy
• Ensure the appropriate balance of preventive and detective controls
• Establish and use metrics to demonstrate program success.