Did You Hear That Alarm? The impacts of hitting the information security snooze button.

  • Slide 1
  • Did You Hear That Alarm? The impacts of hitting the information security snooze button
  • Slide 2
  • Case Study:
    1. Procurement representative receives an email
    2. Workstation security alerts are generated
    3. Malware detection alerts are generated on a production server
    4. Large increase in network connections to a domain in another country
    5. Federal authorities notify company about data being sold on black market
  • Slide 3
  • Anatomy of an Attack
    • Spear phishing attack targets employee
    • Recipient interacts with the malicious email content
    • Exploit payload installs on workstation
    • Compromised workstation sets up command and control and acts as pivot point
    • Attacker traverses network and compromises production servers
    • Full data compromise and exfiltration
  • Slide 4
  • How Did This Happen?:
    • Security Training?
    • Effective controls and patching?
    • Event monitoring and response?
  • Slide 5
  • Threat Sources:
    • National Governments
    • Terrorists
    • Industrial Spies
    • Organizational Crime Groups
    • Hacktivists
    • Insider Threat
    • Source: Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
    • Do not worry about the why
  • Slide 6
  • Industry Threat Data
    • *Data taken from the Verizon 2014 Data Breach Investigation report
    • 2013 Top Five Threat Actions
      • Use of stolen credentials (Hacking)
      • Export Data (Malware)
      • Phishing (Social Engineering)
      • RAM Scraper (Malware)
      • Backdoor (Malware)
    • 2013 Data Breach Trends
      • 4% increase in Financial Services industry breaches
      • 67% of breaches were notified by external entities
      • 100% of retail Point-of-Sale system breaches occurred in Payment Card Industry-compliant environments
    • *Data taken from the 2014 Mandiant M-Trends Breach report
  • Slide 7
  • Risk Equation
    • R = f(T, V, A)
    • RISK is the PROBABILITY that a THREAT will exploit a VULNERABILITY to cause harm to an ASSET
    • Classical, yes, but has its limitations
  • Slide 8
  • Risk Equation
    • Threats and vulnerabilities change rapidly; virtually unknowable
    • Data as an asset
    • Classical risk equation does not account for controls
    • Subjectivity can skew results and corresponding action plans
  • Slide 9
  • Ok, now what?:
    • Risk assessments are a baseline
    • Constant vigilance in assessing risk variables
    • Establish risk tolerance
    • Enhance approaches by leveraging compliance and industry standards
  • Slide 10
  • Due Diligence:
    • Utilize control frameworks
    • Intelligence gathering
    • Attack path threat modeling
    • Vulnerability testing
    • Analysis, Monitoring, Treatment, and Reporting
  • Slide 11
  • What Causes a Breach
    • Employee error
    • Malicious insiders
    • Malicious outsiders
    • System errors
  • Slide 12
  • Cost of a breach
    • Direct costs
      • Credit monitoring
      • Mailing costs
    • Indirect Costs
      • Time/Resources
      • Productivity
      • Opportunity Costs
      • Brand and Reputation
  • Slide 13
  • Defending Against Threat
    • You should expect us
    • Know your data
    • Understand what threat is
    • Threat should drive security control prioritization
    • Enhance control strength and reduce attack surface
    • Manage to risk tolerance
  • Slide 14
  • Preparing for a Breach
    • Know what applies to your business
    • Educate your workforce
    • Documented and tested Breach Response Plan
    • Communication plan
    • Engage business partners
    • Practice and hold lessons learned sessions
  • Slide 15
  • Questions?
    • Dave Muxfeld [email protected]
    • Pamela Ringenberg [email protected]