Is It Safe? - Dell EMC Czech Republic

© Copyright 2011 EMC Corporation. All rights reserved.

Page 1

Is It Safe?

Security Management

RSA Archer GRC

Ivan Svoboda

Key Account Manager

David Matějů

Presales Engineer

Page 2

Is It Safe? (Is It Compliant?)

Director

Security Officer (CISO)

IT Manager, Developer, Admin

• Marathon Man (Dustin Hoffman, Laurence Olivier)

• http://www.youtube.com/watch?v=uVr_AbvSR3k

Page 3

Is It Safe? (Is It Compliant?)

Director

Security Officer (CISO)

IT Manager, Developer, Admin

How big is the risk?

Will they lock me up?

Will we pass the audit?

What is the configuration?

What is actually needed?

What is more important?

• Marathon Man (Dustin Hoffman, Laurence Olivier)

• http://www.youtube.com/watch?v=uVr_AbvSR3k

Page 4

Is It Safe? (Is It Compliant?)

Director

Security Officer (CISO)

IT Manager, Developer, Administrator

How big is the risk?

Will they lock me up?

Will we pass the audit?

What is the configuration?

What is actually needed?

What is more important?

• What is our security policy?

• Which risks are acceptable for us?

• What is the value of our data, applications, processes, …?

• Which threats are real for us?

• How should the system be correctly configured?

• How important are incidents, exceptions, …?

Page 5

Agenda

• RSA Strategy

• GRC and Security Management

• Archer GRC

Page 6

GRC Definition

Risk: Effect of uncertainty on business objectives

Neither good nor bad

Governance: Policies, processes, laws that define a business

Long-term strategies and day-to-day operations

Compliance: Adherence to laws, regulations, corporate policies

Proof of adherence

Page 7

Analyze / Discover (Data, Threats)

Enforce Controls

Log / Report / Audit

GRC: Risk / Policy Management

RSA DLP, FraudAction, NetWitness

RSA Encryption, Authentication, Access control, Transaction Monit

RSA enVision

RSA Archer

How We Do It: System for Managing Security, Risk and Compliance

Page 8

Identity Security: Authentication, Access / Provision, Fraud Prevention

Data Security: Data Loss Prevention, Encryption & Tokenization

Network / System Security: Cisco, Microsoft, VMware

RSA – A Comprehensive Approach to Security

Governance, Risk & Compliance: Archer eGRC Suite

Policy Management

Risk Management

Incident Management

Compliance Management

Enterprise Management

Monitoring / Audit / Reporting: SIEM (enVision), NAV (NetWitness)

Page 9

Current Security Landscape

Cyber-crime

APT

0Day Malware

Data Leakage

Insiders

Espionage

New Threats

New IT Technologies

New Business Processes

Virtualization

Cloud

Mobiles

iPads

Facebook, …

Self-service

Partner-Networking

Automation

Page 10

New requirements for CISO

Visibility

Intelligence

Fast Analysis

Fast Response

New Threats

New IT Technologies

New Business Processes

New IT and Security skills

Standards

Integration

Business skills

Organizational integration

Page 11

Security Management Maturity Model: Where are we going?

Step 1: Threat Defense

• Security is “necessary evil”

• Reactive and de-centralized monitoring

• Tactical point products

Step 2: Compliance and Defense-in-Depth

• Check-box mentality

• Collect data needed primarily for compliance

• Tactical threat defenses enhanced with layered security controls

Step 3: Risk-Based Security

• Proactive and assessment based

• Collect data needed to assess risk and detect advanced threats

• Security tools integrated with common data and management platform

Step 4: Business-Oriented

• Security fully embedded in enterprise processes

• Data fully integrated with business context drives decision-making

• Security tools integrated with business tools

Approach

Scope

Technology

Page 12

Security Management Framework: What do we need to consider?

Security Risk Management

Operations Management

Incident Management

Security Management framework: ISO 27001

Risk Management framework: ISO 31000

What threats and vulnerabilities can jeopardize your business? How can you reduce these risks?

Business Governance

How do you prioritize your IT workload and security investments?

How can you quickly detect and respond to serious incidents?

Reassess business risk and critical assets

What policies and governance structures are required to securely operate your business?

Page 13

RSA Enables Security Management

Security Risk Management

Operations Management

Security Management framework: ISO 27001

Risk Management framework: ISO 31000

Archer Risk and Threat Management; DLP Risk Remediation Manager and Policy Workflow Manager; NetWitness Spectrum

Business Governance

Archer Policy and Enterprise Management; Solution for Cloud Security and Compliance; enVision SIEM

Archer Incident Management; enVision SIEM; DLP (Data Loss Prevention); NetWitness Investigator

Archer Policy Management; Archer Enterprise Management; Archer Compliance Management

Incident Management

Page 14

RSA Archer Solutions

Overview

Page 15

Compliance Management: Evaluate the effective design and operation of your internal controls, and respond to issues of non-compliance with remediation or waivers.

Policy Management: Centrally manage policies and control standards, map them to objectives and guidelines, and promote awareness across your enterprise to support a culture of corporate governance.

Threat Management: Track threats through a customizable early warning system to help prevent attacks before they affect your enterprise.

Enterprise Management: Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support risk and compliance initiatives.

Risk Management: Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance.

Incident Management: Report incidents, manage their escalation, track investigations and analyze resolutions.

Vendor Management: Centralize vendor data, manage relationships, assess vendor risk, and ensure compliance with your policies and controls.

Business Continuity Management: Manage the creation, review, testing and activation of business continuity plans to ensure rapid recovery of your business processes.

Audit Management: Centrally manage the planning, prioritization, staffing, procedures and reporting of audits to increase collaboration and efficiency.

RSA Archer “Core” eGRC Solutions

Page 16

Page 17

Virtualization and cloud computing:

RSA security and compliance solutions

Page 18

Is It Safe? And Is It Compliant?

• The usual answer from the IT operator: YES!

– We take security very seriously …

– We have lots of firewalls deployed, …

– We comply with the law …

– We passed the audit …

Can you “see inside”?

• Where is your data, who accessed it, what happened …

Can you “measure compliance”?

• What is the current reality (technical configuration)?

• What exactly is / is not fulfilled?

Can you prove it / report it?

Page 19

Mapping VMware Security Controls to Regulations and Standards

CxO

VI Admin

Authoritative Source

Regulations (PCI-DSS, etc.): “10.10.04 Administrator and Operator Logs”

Control Standard

Generalized security controls: “CS-179 Activity Logs – system start/stop/config changes etc.”

Control Procedure

Technology-specific control: “CP-108324 Persistent logging on ESXi Server”

RSA Archer eGRC

Page 20

Control Procedures – List, Status and Measurement Method

Page 21

Making Archer the Best GRC Solution for Hybrid Clouds

RSA Solution for Cloud Security and Compliance aligns with CSA Consensus Assessment Questions by automating 195 questions that customers can issue to assess cloud service providers.

Cloud Architecture

Governance and Enterprise Risk Management

Legal and Electronic Discovery

Compliance and Audit

Information Lifecycle Management

Portability and Interoperability

Security, Bus. Cont., and Disaster Recovery

Data Center Operations

Incident Response, Notification, Remediation

Application Security

Encryption and Key Management

Identity and Access Management

Virtualization

Cloud Security Alliance’s 13 domains of focus for cloud computing

Assessing Service Provider Compliance

Page 22

Step 1: Governance

“MassMutual’s approach to security is now based on a more current holistic view of the enterprise.”

- Mike Foley, CIO, MassMutual

Identify Objectives

Set Risk Targets

Define Policies

Page 23

Step 1: Governance

• Intuitive, business-friendly and workflow-driven interface

• Central, cross-referenced repository for policies, risks, processes

• All data presented in business context

• Comprehensive audits and reports

RSA Archer eGRC Suite

Identify Objectives

Set Risk Targets

Define Policies

Page 24

RSA Archer Policy Management

Page 25

Policy Management Process

Page 26

Policy Management Content

Authoritative Sources

PCI DSS v1.2 03.5 Protect Stored Data-Protection and Encryption Keys

Policies

07.0 Communication Management

07.1 Encryption

07.1.03 Key Management

Control Standards

Managing Encryption Keys

• Key owners may not print out private keys and should password-protect User IDs that contain each user's encryption key(s)

• Private keys should be classified as Restricted and treated accordingly

• Private keys should be transmitted through different channels to ensure proper separation from the information which is used to generate the encryption keys

Control Procedures

Windows Vista: Implementation Procedure

Set the "Configure TPM platform validation profile" setting by performing the following steps:

1. Open Group Policy Editor focused on the appropriate object

2. Navigate to the following subtree location: Computer Configuration\Administrative Templates\Windows Component\BitLocker Drive Encryption

3. Set "Control Panel Setup: Enable advanced startup options" to Disabled

4. Click OK to confirm changes; and

5. Close the group policy editor

Page 27

Authoritative Source Sample

Regulatory Requirements

• CNBV Chapter X

• FDA CFR 21

• HIPAA

• HITECH Act

• GLBA

• FACT Act “Red Flag”

• PIPEDA

• EU Privacy Acts

• France – Federal Data Protection Act 78-17

• Germany – Federal Data Protection Act

• State Privacy Laws

Industry Standards / Common Practices

• BS25999

• Cloud Security Alliance

• COBiT

• FFIEC

• FISMA

• IIA Standards

• ISO27001/2

• ITIL

• Microsoft Security Development Lifecycle

• NERC

• NIST

• PCI

Page 28

Author Policy Content

Centralize and normalize corporate policies

Author new policies according to organizational objectives and authoritative sources that govern the organization

Utilize the expanded RSA Archer GRC Content Library that includes:

• 17 policies

• 85+ authoritative sources

• 900+ control standards

• 5000+ control procedures

• 11,000+ assessment questions


Page 29

Page 30

Step 1: Governance

“MassMutual’s approach to security is now based on a more current holistic view of the enterprise.”

- Mike Foley, CIO, MassMutual

Identify Objectives

Set Risk Targets

Define Policies

Page 31

Step 1: Governance

• Intuitive, business-friendly and workflow-driven interface

• Central, cross-referenced repository for policies, risks, processes

• All data presented in business context

• Comprehensive audits and reports

RSA Archer eGRC Suite

Identify Objectives

Set Risk Targets

Define Policies

Page 32

RSA Archer Policy management

Page 33

Page 34

Page 35

Protect

• 6,000 employees and PCs

• Thousands of servers and network devices

• 700 applications

• Personal information of more than 12 million customers

BEFORE

NEEDS

Managing risk in a financial services firm with $420B in assets

MassMutual’s approach to security is “now based on a more current holistic view of the enterprise.”

Mike Foley, CIO, MassMutual

Information Week Article

AFTER

See big picture and drill down on specifics

Identify & Prioritize critical risks

Automate risk assessments

More current, holistic view of the enterprise

Faster response to critical threats and potential exploits

Consolidated all critical IT risks into real time executive dashboards

97.5% cost reduction in the risk analysis process

Business Driven Customer Success

Page 36

Step 2: Security Risk Management

Identify Threats

Mitigate Risk

Assess Vulnerabilities

Page 37

Step 2: Security Risk Management

• Relate risks to business objectives

• Import vulnerability and threat data

• Build and deliver online assessments

• Track remediation projects

Archer (eGRC)

• Identify sensitive data in vulnerable locations

• Educate end-users

• Integrated with Archer to define policy and remediate

DLP

Identify Threats

Mitigate Risk

Assess Vulnerabilities

• Identify malicious code based on risk factors

NetWitness

Page 38

Security Risk Management Example: DLP Risk Remediation Manager

Day 1: 30K files discovered by RSA DLP

Day 10: RRM sends initial questionnaire to data owners

Day 40: 90% of files remediated

Repeatable and continuously monitored

Analyst work space and executive metrics in RRM.

Day 31200 Owners in 43 Countries Identified

“The new process was more than 4 times faster and much less disruptive to business.”

- EMC CIRC

Page 39

Step 3: Operations Management

Define Control Standards

Monitor Controls

Operate Controls

Page 40

Step 3: Operations Management

• Authoritative Sources: 90+

• Control Standards: 900+

• Control Procedures: 6000+

• Assessment questions: 12,000

Archer (eGRC)

• Out-of-box event sources: 200+

• Reporting: 1200+ out of box reports

enVision (SIEM)

• Infrastructure-wide content awareness

• 160+ policies for predefined sensitive data

DLP

Define Control Standards

Monitor Controls

Operate Controls

HQ

Div

Admin

Asset

Data

Policies

Visibility

Page 41

Configuration Measurement (40% automated)

Operations Management Example: RSA Solution for Cloud Security and Compliance

Archer

Component Discovery and Population

Connector Framework

enVision alerts

> 130 VMware Specific Control Procedures

> 380 log messages

Page 42

Step 4: Incident Management

Correlate and Prioritize

Investigate

Collect Evidence

Remediate

Page 43

Step 4: Incident Management

• Full-lifecycle, including Legal, HR, BUs

Archer

Correlate and Prioritize

Investigate

• Some of the largest SIEM deployments in the world

• Incidents exported to Archer for lifecycle management

• Content-awareness via DLP integration

enVision (SIEM)

• Capture and visualize all network traffic for real time analysis

• Investigate across full network and log events

NetWitness

• Data-centric view of policy violations everywhere

• Automatically quarantine emails, block file transfers

DLP

Collect Evidence

Remediate

Page 44

Incident Management Example: RSA Solution for Security Incident Management

Context Policy

SIEM: Formatted XML data out of enVision Task Triage – Incident details with associated notes

Connector Framework: Near Real-time feed into Archer

Plug-in Architecture for additional incident and compliance solutions

Incident Dashboards and Workflow

Incidents are assigned in work queues, workflow automates the case management process. Metrics are rolled up into an executive level dashboard

Enterprise and Policy Mgr: enVision alerts are put in context with enterprise assets, risk, process, teams, etc.

“We saved 1,500 hours a month due to the integration.” - EMC CIRC

Page 45

Leading Products, Better Together

Archer enVision DLP NW VMware Use Case

Report incidents in real-time

Mitigate risk of sensitive files

Let data owners set DLP policy

Correlate logs with file content

Enable secure, compliant cloud

Secure virtual desktops

Investigate advanced threats

Data Loss Prevention Leader

SIEM Leader

IT-GRC Leader

Page 46

EMC Critical Incident Response Center, Bedford, MA

In Action: Critical Incident Response Center

Business Context Visibility

Integrated Approach

Process Automation

Page 47

Resources

• RSA Security Management Solution Briefs

• Maturity Model Whitepaper (authored by ESG)

• EMC Consulting Strategy Workshop

• Archer/enVision/DLP/NetWitness product briefs

Page 48

THANK YOU

Page 49

Maturity Strategy Worksheet: Where do you want to be in 3 years?

Maturity

Operations Management

Incident Management

Security Risk Management

Business Governance

Tactical

Strategic

Current state

Desired state

Siloed monitoring Correlation and prioritization

Advanced analytics

Bare minimum tools Compliance-driven controls

Risk-based controls and monitoring

Newspaper view of risk

Follow industry practices

Manage business-specific risks

Security buried inside IT

Basic guidelines defined by business

Security is part of every business process