Crafting Your Active Security Management Strategy: 3 Keys and 4 Steps
1EMC CONFIDENTIAL—INTERNAL USE ONLY
Agenda
• Security Challenges: A Root-Cause Analysis
• 3 Keys to Effective Security Management
• RSA’s 4-Step Approach
EMC eGRC Strategy
• Business Continuity Management
• Information Governance
• Security Management
• eGRC Business Solutions
• Consulting/Implementation Best Practices
• RSA Archer eGRC Management Platform
Pop Quiz
You have not maximized your security management program if…
• You are assessing compliance one regulation at a time
• You can’t prioritize your projects by risk
• You handle incidents like playing Whack-a-Mole
• You have mountains of security data and don’t use it
• Management has no idea how well you are doing (and Finance can’t see why you deserve a bigger budget)
Security Challenges: A Root-Cause Analysis
Traditional Approach
Each domain has its own point tool, its own policy and its own team:
• Network: Point Tool / Policy / Team
• Datacenter: Point Tool / Policy / Team
• Endpoint: Point Tool / Policy / Team
• Applications: Point Tool / Policy / Team
Siloed, Inflexible, Inconsistent, Costly
Result: Uncontrolled Risk
Risk = Likelihood × Impact
Likelihood factors:
• threats
• vulnerabilities
• value of target
Impact factors:
• detection
• response
• value of target
Risk level by likelihood and impact:
RISK     LIKELIHOOD   IMPACT
HIGH     high         high
MEDIUM   high         low
MEDIUM   low          high
LOW      low          low
PRIORITIZE BY RISK: Business Impact
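As an added example (not from the deck), the following Python ranks a constructed asset inventory with the slide’s Risk = Likelihood × Impact model and its HIGH/MEDIUM/LOW matrix; the 1-to-5 rating scale, the averaging of the listed factors and the threshold of 3 are assumptions.

```python
# Added example, not from the RSA/EMC deck: rank assets with the slide's
# Risk = Likelihood x Impact model.  The 1 (low) to 5 (high) rating scale,
# the averaging of factors and the threshold of 3 are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    threats: int          # likelihood: how actively the asset is targeted
    vulnerabilities: int  # likelihood: known, unmitigated weaknesses
    value: int            # value of target: feeds both likelihood and impact
    detection: int        # impact: 5 means a compromise is unlikely to be detected
    response: int         # impact: 5 means containment would be slow


def likelihood(a: Asset) -> float:
    """Average of the three likelihood factors named on the slide."""
    return (a.threats + a.vulnerabilities + a.value) / 3


def impact(a: Asset) -> float:
    """Average of the three impact factors named on the slide."""
    return (a.detection + a.response + a.value) / 3


def risk(a: Asset) -> float:
    return likelihood(a) * impact(a)


def bucket(a: Asset, threshold: float = 3.0) -> str:
    """Slide matrix: both high -> HIGH, one high -> MEDIUM, neither -> LOW."""
    highs = int(likelihood(a) >= threshold) + int(impact(a) >= threshold)
    return {2: "HIGH", 1: "MEDIUM", 0: "LOW"}[highs]


def prioritize(assets):
    """Work queue ordered by risk, highest first (the 'prioritize by risk' step)."""
    return sorted(assets, key=risk, reverse=True)


# Constructed sample inventory (not real EMC or customer data).
CUSTOMER_DB = Asset("customer-db", threats=4, vulnerabilities=3, value=5, detection=4, response=3)
MARKETING_SITE = Asset("marketing-site", threats=5, vulnerabilities=4, value=2, detection=2, response=2)
HR_FILESHARE = Asset("hr-fileshare", threats=2, vulnerabilities=2, value=4, detection=5, response=4)
DEV_WIKI = Asset("dev-wiki", threats=2, vulnerabilities=2, value=2, detection=3, response=2)
INVENTORY = [DEV_WIKI, MARKETING_SITE, CUSTOMER_DB, HR_FILESHARE]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:15} L={likelihood(a):.2f} I={impact(a):.2f} risk={risk(a):5.2f} {bucket(a)}")
```

Note that the marketing site scores highest on likelihood yet ranks below the HR file share, because the business-impact factors pull the file share up; that is the reordering the slide’s “prioritize by risk” message is about.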
Uncontrolled risk leads to…
“PlayStation suffers massive data breach…”
Increased Exposure to Catastrophic Loss:
• Theft of trade secrets
• Headline-making breaches
• Fines and penalties
Inhibited Business Objectives:
• Virtualization
• Consumer web services
• Geographic expansion
Security is about…
“Security isn’t about security. It is about managing risk at some cost. In the absence of metrics, we tend to overcompensate and focus on risks that are either familiar or recent.”
- Hugh Thompson, Chief Security Strategist, People Security
The 3 Keys to Effective Security Management
#1: Begin and End with Business Context
Business Objectives are set by the Executive Committee, Audit Committee, Risk Committee, Legal, HR, etc.
Security Management (Governance and Monitoring) is driven by:
• Policies
• Authoritative Sources
• Business Criticality
#2: Follow an Integrated Approach (How?)
Security Management framework: ISO 27001. Risk Management framework: ISO 31000.
Business Governance
• Define business objectives
• Define business-level risk targets
• Define business-critical assets
Security Risk Management
• Understand external and internal threat landscape
• Identify vulnerabilities
• Classify high-value assets
• Prioritize work by risk
Operations Management
• Prioritize work by risk
• Add security controls where needed
• Maximize monitoring and visibility
Incident Management
• Identify security events
• Prioritize by business impact
• Report to business owners
Then: Reassess business risk and critical assets.
#3: Develop a Maturity Strategy (Where do you want to be in 3 years?)
Maturity runs from Tactical (current state) to Strategic (desired state):
• Business Governance: Security buried inside IT → Basic guidelines defined by business → Security is part of every business process
• Security Risk Management: Newspaper view of risk → Follow industry practices → Manage business-specific risks
• Operations Management: Bare minimum tools → Compliance-driven controls → Risk-based controls and monitoring
• Incident Management: Siloed monitoring → Correlation and prioritization → Advanced analytics
RSA’s 4-Step Approach
RSA Enables Security Management
Security Management framework: ISO 27001. Risk Management framework: ISO 31000.
• Business Governance: Archer Enterprise Management, Archer Policy Management, Archer Compliance Management, Solution for Cloud Security and Compliance
• Security Risk Management: Archer Risk and Threat Management, DLP Risk Remediation Manager and Policy Workflow Manager, NetWitness Spectrum
• Operations Management: Solution for Cloud Security and Compliance, EMC Ionix, Integrations with asset managers
• Incident Management: Archer Incident Management, enVision SIEM, DLP (Data Loss Prevention), NetWitness Investigator
Step 1: Security Risk Management
Lifecycle: Context Establishment → Identification → Assessment → Mitigation
Security Risk Management Example: DLP Risk Remediation Manager
• Day 1: 30K files discovered by RSA DLP
• Day 10: RRM sends initial questionnaire to data owners
• Day 31200 Owners in 43 Countries Identified
• Day 40: 90% of files remediated
Repeatable and continuously monitored. Analyst work space and executive metrics in RRM.
“The new process was more than 4 times faster and much less disruptive to business.”
- EMC CIRC
Step 2: Operations Management
Lifecycle: Control Standards → Configuration → Operation → Monitoring
Operations Management Example: RSA Solution for Cloud Security and Compliance
• Archer Component Discovery and Population
• > 130 VMware Specific Control Procedures
• Configuration Measurement (40% automated)
• Archer Connector Framework
• enVision alerts → Control Procedures: >380 log messages
Step 3: Incident Management
Lifecycle: Collection/Detection → Correlation/Prioritization → Investigation → Remediation
Incident Management Example: RSA Solution for Security Incident Management
• SIEM: Formatted XML data out of enVision
• Connector Framework: Near real-time feed into Archer; plug-in architecture for additional incident and compliance solutions
• Enterprise and Policy Mgr (Context, Policy): enVision alerts are put in context with enterprise assets, risk, process, teams, etc.
• Incident Dashboards and Workflow: Incidents are assigned in work queues, and workflow automates the case management process. Metrics are rolled up into an executive-level dashboard.
• Task Triage: Incident details with associated notes
“We saved 1,500 hours a month due to the integration.”
- EMC CIRC
Step 4: Business-Driven Management
IT Risk Management, Operations Management, Incident Management
Business Driven Customer Success: MassMutual
Managing risk in a financial services firm with $420B in assets.
Protect:
• 6,000 employees and PCs
• Thousands of servers and network devices
• 700 applications
• Personal information of more than 12 million customers
Before (needs):
• See big picture and drill down on specifics
• Identify & prioritize critical risks
• Automate risk assessments
After:
• More current, holistic view of the enterprise
• Faster response to critical threats and potential exploits
• Consolidated all critical IT risks into real time executive dashboards
• 97.5% cost reduction in the risk analysis process
MassMutual’s approach to security is “now based on a more current holistic view of the enterprise.”
- Mike Foley, CIO, MassMutual (Information Week article)
Leading Products, Better Together
Integrations and solutions across Archer, enVision, DLP and VMware:
• Sol’n for Security Incident Mgmt
• DLP Risk Remediation Manager
• DLP Policy Workflow Manager
• Content-aware SIEM
• Sol’n for Cloud Security & Compliance
• SecurBook for VMware View (VDI)
NetWitness: integrations to be announced!
Data Loss Prevention Leader, SIEM Leader, eGRC Leader
Take a Strategic Approach with RSA
Step 1: Legacy
• Security is “necessary evil”
• No monitoring
• Reactive and tactical point products
Step 2: Compliance-Driven
• Check-box mentality
• Collect data needed for compliance
• Tactical tools with compliance reporting
Step 3: IT Risk-Oriented
• Proactive and assessment based
• Collect data needed to detect advanced threats
• Security tools integration providing technical visibility
Step 4: Business-Oriented
• Security fully embedded in enterprise processes
• Data fully integrated with business context
• Security tools integrated with business tools
Most organizations are here
“Security management is going to be baked into many layers of business operations. That’s what I’m seeing in my organization.”
- Member, RSA Security Management Working Group
In Action: Critical Incident Response Center
EMC Critical Incident Response Center, Bedford, MA
• Business Context
• Visibility
• Integrated Approach
• Process Automation
Next Steps and Resources
• Round Table Discussion on Privacy
• Incident Management Solution Brief
• Privacy Survey
• eGRC White Paper
• Ovum Research
THANK YOU
Backup slides: these just provide more product details on the 4 steps.
Step 1: Security Risk Management
Lifecycle: Context Establishment → Identification → Assessment → Mitigation
Archer (eGRC)
• Capture and relate risks to business objectives
• Import data from vulnerability assessments, threat feeds
• Build and deliver online assessments
• Resolve findings to reduce risk to tolerable levels
DLP
• Map DLP policies to business policies
• Identify sensitive data in vulnerable locations
• Just-in-time education of end-users reduces future risks
NetWitness
• Risk-based identification of malicious code
Step 2: Operations Management
Lifecycle: Control Standards → Configuration → Operation → Monitoring
Archer (eGRC)
• Control Standards: 900+ standards
• Configuration: 4500+ control procedures
• Monitoring: 8500+ question library
enVision (SIEM)
• Real-time monitoring from the most event sources
• Reporting: 1200+ out of box reports
Step 3: Incident Management
Lifecycle: Collection/Detection → Correlation/Prioritization → Investigation → Remediation
Archer
• Business-level incident management including Legal, HR, BUs
enVision (SIEM)
• Unmatched depth and breadth of event collection
• Some of the largest SIEM deployments in the world
• Prioritize by vulnerability feeds and watch lists
NetWitness
• Capture and visualize all network traffic for real time analysis
• Unparalleled network forensics
DLP
• Data-centric view of policy violations everywhere
• Automatically quarantine emails, block file transfers
Step 4: Business-Driven Management
IT Risk Management, Operations Management, Incident Management
RSA Archer eGRC Suite
• Central repository for policies, risks, and incidents
• All data presented in business context
• Integration with key security systems
• Comprehensive audits and reports