Risk Based Security and Self Protection Powerpoint
![Page 1: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/1.jpg)
Risk Based Security and Self Protection
Miguel Sanchez, Sr. Sales Engineer
February 16, 2015
![Page 2: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/2.jpg)
Presenter for today:
Miguel Sanchez
Sr. Sales Engineer, First Communications
![Page 3: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/3.jpg)
First Communications: At A Glance
Technology Provider since 1998,
serving thousands of Businesses
throughout the Midwest
24x7x365 Network Management
Center (NMC)
Data Center and Colocation Facilities
in Cleveland and Downtown Chicago
Serving Diverse Businesses ranging
from SMB to Enterprise
Headquartered in Akron, Ohio
Our Mission: To empower our customers through leading-edge technology solutions delivered with a first-class experience.
![Page 4: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/4.jpg)
Today’s Topic Agenda
• Current State of Information Security
• Overview of Risk Based Security models
• Risk Management Process
• Multi-tiered Risk Management Model
• Three levels of Risk Management
• Runtime Application Self Protection
![Page 5: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/5.jpg)
Current State of Information Security
• The threat landscape has changed considerably over the past few years as the traditional perimeter defense has eroded, driven by:
– Change
– Mobility and consumerization
– Ecosystem
– Cloud
– Infrastructure
![Page 6: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/6.jpg)
Current State of Information Security
• The attacking power of cyber criminals has grown significantly; attackers are no longer just hackers operating out of someone's basement
• We need to take the following threat actors into consideration:
– Criminal syndicates
– State-sponsored attackers
– Hacktivists
– Lone wolf hackers
![Page 7: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/7.jpg)
Perimeter Security
• One of the first and most basic lines of network perimeter defense is a firewall.
– A device that inspects inbound and outbound traffic on a network and allows or blocks it according to a policy.
• In addition to firewalls, the traditional response to new threats has been to add stand-alone security technologies to the network.
![Page 8: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/8.jpg)
Next Generation Firewalls
• There have been tremendous advancements in Next Generation Firewalls, which should be part of any Information Security Plan. They include the following Unified Threat Management (UTM) capabilities:
• Stateful Packet Inspection
• Application Control
• Intrusion Detection/Prevention
• Data Loss Prevention
• Content Filtering
• Anti-malware/Anti-spam
• IPv6 support
• Virtualized environments
• Endpoint security
• VPN
![Page 9: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/9.jpg)
Information Security: Reactive to Proactive
For most small to medium organizations, Information Security is a reactive rather than a proactive process.
•How many breaches do you hear in the news of compromised systems that are discovered weeks or months after the actual event?
•How do we get to a model that is more proactive and workable for various organizations regardless of size?
![Page 10: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/10.jpg)
Information Security Constraints
What are some of the constraints for implementing effective Information Security?
•Shrinking budgets
•Lack of security focus
•Lack of resources
•Lack of a common approach to information security
![Page 11: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/11.jpg)
Risk based Security
• There has been a slow but steady change in the way organizations approach Information Security, toward a Risk Based model.
• Today's CSOs/CISOs are being asked to prioritize risks: to identify which ones need to be addressed and which ones should be accepted as the cost of doing business.
![Page 12: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/12.jpg)
Risk Based Security
What are some of the factors that drive a Risk Based Security model?
•Compliance
•Recent security event
•Threat landscape
•Proactive approach
![Page 13: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/13.jpg)
What are the top drivers for your Information Security / Risk Management program?
Wisegate Community Viewpoints
![Page 14: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/14.jpg)
Risk Management Model
Risk management is the ongoing process of identifying, assessing, and responding to risk.
•Managing Risk
– Businesses and organizations need to understand the likelihood, or probability, that an event will occur and its resulting consequence, or impact.
•Risk Tolerance
– Using the Risk Management Model, organizations can determine the acceptable level of risk for the delivery of services; this is expressed as their risk tolerance.
![Page 15: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/15.jpg)
Risk Management Process
• There are several Risk Management frameworks that organizations are using, including NIST SP 800-39, ITIL, the ISO 27000 series, PCI DSS, HIPAA, internally developed systems, or a combination of these.
• For this discussion we will be using the NIST SP 800-39 framework
![Page 16: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/16.jpg)
Risk Management Process
• Managing risk is a complex and multifaceted process. It requires the involvement of the entire organization, using a multitiered Risk Management Process.
• Risk management is a comprehensive process that requires organizations to frame, assess, respond to, and monitor risk.
![Page 17: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/17.jpg)
Frame Risk
Establishing a realistic and credible risk frame requires organizations to identify the following:
•Risk assumptions
•Risk constraints
•Risk tolerance
•Priorities and trade-offs
![Page 18: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/18.jpg)
Assess Risk
• The Risk Assessment component identifies:
– Threats
– Vulnerabilities
– Consequences/impact
– The likelihood that harm will occur
• The end result is a determination of risk
![Page 19: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/19.jpg)
Respond to Risk
• The purpose is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by:
– Developing alternative courses of action for responding to risk
– Evaluating the alternative courses of action
– Determining the appropriate course of action
– Implementing the selected risk response
![Page 20: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/20.jpg)
Monitor Risk
• The purpose of the risk monitoring component is to:
– Verify that the planned risk response measures are implemented
– Determine the ongoing effectiveness of those measures
– Identify risk-impacting changes to information systems and their environments of operation
![Page 21: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/21.jpg)
Risk Management Process
Figure (NIST SP 800-39): the four components, Frame, Assess, Respond and Monitor, linked by information and communications flows in both directions.
![Page 22: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/22.jpg)
Making Risk Management Work
• Risk management can be broken down into three distinct areas:
– Tier 1 Organization level (Strategic)
– Tier 2 Mission/business process level (Tactical)
– Tier 3 Information system level (Operational)
![Page 23: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/23.jpg)
Multitiered Risk Management
Figure (NIST SP 800-39): strategic risk at the organization tier flowing down to tactical risk at the lower tiers, with:
• Traceability and Transparency of Risk-Based Decisions
• Organization-Wide Risk Awareness
• Inter-Tier and Intra-Tier Communications
• Feedback Loop for Continuous Improvement
![Page 24: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/24.jpg)
Tier 1 Organization
• Organizational perspective that establishes and implements structures for:
– Governance
– Risk Executive
– Risk Tolerance
– Investment strategies
![Page 25: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/25.jpg)
Tier 2 Mission/Business Processes
• Tier 2 addresses risk from a business process perspective by designing, developing, and implementing business processes that support the business functions defined at Tier 1.
– Risk-Aware Mission/Business Processes
– Enterprise Architecture
– Information Security Architecture
![Page 26: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/26.jpg)
Information Security Architecture
Figure (NIST SP 800-39): Information Security Architecture.
![Page 27: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/27.jpg)
Tier 3 Information Systems View
• The risk management activities at Tier 3 reflect the organization’s risk management strategy and any risk related to the cost, schedule, and performance requirements for individual information systems that support the mission/business functions of organizations.
• Risk management activities are also integrated into the system development life cycle of information systems at Tier 3.
• There are typically five phases in system development life cycles: (i) initiation; (ii) development/ acquisition; (iii) implementation; (iv) operation/maintenance; and (v) disposal.
![Page 28: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/28.jpg)
Three Levels of Risk Management
When we look at the Multitiered Risk Management model, it is similar to the three levels of Risk Management in other models, with the following correlations:
•Tier 1 Organization
– Risk Management strategy
•Tier 2 Business Processes
– Tactical/Architecture
•Tier 3 Information Systems
– Processes/Operational
![Page 29: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/29.jpg)
Risk Management Process Applied Across All The Tiers
Figure (NIST SP 800-39): the Frame, Assess, Respond and Monitor cycle applied at Tier 1 (Organization), Tier 2 (Mission/Business Processes) and Tier 3 (Information Systems).
![Page 30: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/30.jpg)
Cybersecurity Framework
Figure: NIST Cybersecurity Framework.
![Page 31: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/31.jpg)
Risk Based Security
We will look at a sample outline that can be used for implementing a Risk Based Security Plan:
1. Identify what is of value
2. Collect data on that value
3. Perform a risk assessment
4. Present to the organization
5. Identify control objectives
6. Identify and select controls
7. Implement controls
8. Operate controls
9. Monitor and measure
10. Operate a feedback loop
![Page 32: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/32.jpg)
Frame and Assess
• Identify what is of value
– Tangible versus intangible assets
– Collaborative effort
• Collect data on that asset
– Asset valuation
– Impact
– Threat landscapes
– Frequency and likelihood
– Vulnerabilities
![Page 33: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/33.jpg)
Assess and Frame
• Perform Risk Assessment
– Objectives
– Methodology
• Present to the organization
– Key risks to the achievement of organizational goals
– Open discussion
– Not a precise prediction of the future
![Page 34: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/34.jpg)
Respond
• Identify Control Objectives
– A control objective is the aim or purpose of the controls put in place to mitigate a risk
– Choose the best solution for that objective
• Identify and select controls
– TCO
– Flexibility
– Amount spent
– Does the control reduce the risk by the expected amount?
• Implement controls
– Ensure that implementation follows the objectives and requirements previously set
• Operate controls
![Page 35: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/35.jpg)
Monitor
• Monitor and measure
– Measure on an ongoing basis
– Focus on clearly identifiable changes in risk
• Operate a feedback loop
– Risk Based Security Management is cyclical and ongoing
– Data collected should create a feedback loop
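The ten-step outline from the Risk Based Security slides (identify assets, collect valuation and likelihood data, assess, present, select and implement controls, monitor, feed back), carried through as a small worked example. This is an added illustration, not code from the presentation or from NIST; the 5-point likelihood and impact scales, the tolerance threshold of 6, the three register entries and the candidate controls with their costs are all constructed for the example. Control selection follows the slide's own test, "does the control reduce the risk by the expected amount", by ranking candidates on risk reduction per dollar of TCO, and the `monitor` step re-rates a likelihood to show a risk falling back out of tolerance.

```python
from dataclasses import dataclass, field

# Qualitative 5-point scales, constructed for this example (NIST SP 800-30 uses similar ones).
LIKELIHOOD = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
IMPACT = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
RISK_TOLERANCE = 6  # Frame: scores above this must be treated; at or below is accepted


@dataclass
class Control:
    name: str
    annual_cost: float          # TCO per year (illustrative figures)
    likelihood_reduction: int   # steps removed from the likelihood scale
    impact_reduction: int = 0   # steps removed from the impact scale


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self):
        """Assess: risk score before any control is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self):
        """Assess: risk score after the selected controls, never below 1 on either scale."""
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(1, lik) * max(1, imp)


def select_controls(risk, candidates, tolerance=RISK_TOLERANCE):
    """Respond: keep adding the control with the best risk reduction per dollar until within tolerance."""
    remaining = list(candidates)
    chosen = []
    while risk.residual() > tolerance and remaining:
        def gain_per_dollar(c):
            trial = Risk(risk.asset, risk.threat, risk.vulnerability,
                         risk.likelihood, risk.impact, risk.controls + [c])
            return (risk.residual() - trial.residual()) / c.annual_cost
        best = max(remaining, key=gain_per_dollar)
        if gain_per_dollar(best) <= 0:
            break  # no candidate reduces the risk by a measurable amount
        risk.controls.append(best)
        chosen.append(best.name)
        remaining.remove(best)
    return chosen


def build_register():
    """Identify what is of value and collect data on it (constructed register, not measured data)."""
    return [
        Risk("customer database", "criminal syndicate", "unpatched web application", "high", "very high"),
        Risk("public website", "hacktivist", "no DDoS protection", "moderate", "moderate"),
        Risk("employee laptops", "lone wolf", "no disk encryption", "moderate", "high"),
    ]


# Candidate controls per asset; costs and reductions are illustrative.
CANDIDATE_CONTROLS = {
    "customer database": [Control("WAF", 12000, 1), Control("patch SLA", 8000, 2),
                          Control("DB encryption", 15000, 0, 2)],
    "public website": [Control("CDN DDoS scrubbing", 6000, 1)],
    "employee laptops": [Control("full-disk encryption", 3000, 0, 2),
                         Control("MDM remote wipe", 5000, 0, 1)],
}


def run_cycle(tolerance=RISK_TOLERANCE):
    """Frame, assess and respond: treat the highest inherent risks first; returns the register."""
    register = build_register()
    for risk in sorted(register, key=Risk.inherent, reverse=True):
        select_controls(risk, CANDIDATE_CONTROLS.get(risk.asset, []), tolerance)
    return register


def summarize(register, tolerance=RISK_TOLERANCE):
    """Present to the organization: inherent, residual, controls chosen, and whether the residual is accepted."""
    return {r.asset: (r.inherent(), r.residual(), [c.name for c in r.controls], r.residual() <= tolerance)
            for r in register}


def monitor(register, likelihood_changes, tolerance=RISK_TOLERANCE):
    """Monitor: apply risk-impacting changes (re-rated likelihoods) and return assets now outside tolerance."""
    for r in register:
        if r.asset in likelihood_changes:
            r.likelihood = likelihood_changes[r.asset]
    return sorted(r.asset for r in register if r.residual() > tolerance)


if __name__ == "__main__":
    reg = run_cycle()
    for asset, row in summarize(reg).items():
        print(asset, row)
    print("out of tolerance after re-rating:", monitor(reg, {"public website": "very high"}))
```

The greedy selection stops as soon as the residual score is within tolerance, so the cheapest sufficient set is preferred over the strongest one; that is the "accept as the cost of doing business" decision made explicit. Re-running `monitor` with new threat intelligence is the feedback loop: a control set that was adequate at the last assessment is re-checked rather than assumed.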
![Page 36: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/36.jpg)
Cybersecurity Framework
Figure: NIST Cybersecurity Framework.
![Page 37: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/37.jpg)
Risk Management Evolution
![Page 38: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/38.jpg)
Up and Coming Technology for Information Security
![Page 39: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/39.jpg)
Runtime Application Self Protection
• Realistic detection rates for today’s advanced threats are typically around 5-10 percent.
• Compounding the security threat to applications is the heavy reliance on mobile devices for access and the use of these mobile devices within the enterprise network.
• Applications need self-defense or as Gartner calls it, runtime application self-protection (RASP).
![Page 40: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/40.jpg)
Runtime Application Self Protection
• Runtime Application Self Protection (RASP)
– The next layer of Information Security?
– A security technology that is built or linked into an application or application runtime environment
– RASP runs on the application server and monitors the execution of the application from within the application stack, so it can detect and block attacks as they happen
– Gartner predicts "25% of Web and cloud applications will become self-protecting, up from less than 1% today."
![Page 41: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/41.jpg)
Runtime Application Self Protection
• Applications should not be delegating — as is done today — most of their runtime protection to external devices.
• Applications should be capable of self-protection — that is, have protection features built into the application runtime environment.
![Page 42: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/42.jpg)
Runtime Application Self Protection
• RASP, as with any new technology, does have its drawbacks
– Performance overhead
• Typically 5-10%
– Implementation
• Web
• Virtualized environments
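The mechanism the RASP slides describe, protection built into the application rather than delegated to a device in front of it, as an added example that is not part of the original presentation or of any vendor's product. A minimal in-process guard in Python sits between the application and its database driver, tokenizes each SQL statement, and refuses the query when a value that came from request input no longer sits inside a single literal, meaning the input has changed the statement's structure. The `RaspConnection` wrapper, the `is_injection` check, the table and the request inputs are all constructed for this example; the query deliberately uses string concatenation to show what the hook catches. The lexer is minimal (no comments or double-quoted identifiers), and a real RASP agent instruments the framework's request handling so that inputs are tainted automatically instead of through explicit `taint()` calls.

```python
import re
import sqlite3

# Minimal SQL lexer: string literals (with '' escape), numbers, words, single-char operators.
TOKEN_RE = re.compile(
    r"(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<word>[A-Za-z_][A-Za-z_0-9]*)"
    r"|(?P<op>[^\s\w'])"
)


def tokenize(sql):
    """Return (kind, start, end) for each token; raise ValueError on an unterminated quote."""
    tokens, pos = [], 0
    while pos < len(sql):
        if sql[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"cannot lex {sql[pos]!r} at offset {pos}")
        tokens.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return tokens


def is_injection(sql, tainted_values, min_len=2):
    """True if any tainted value contributes more than one token to the statement.

    Legitimate data lands entirely inside one string or number literal; injected
    input spills across token boundaries (quotes, keywords, operators).
    """
    try:
        tokens = tokenize(sql)
    except ValueError:
        return True  # an unbalanced quote means the structure is already broken
    literal_spans = [(s, e) for kind, s, e in tokens if kind in ("string", "number")]
    for value in tainted_values:
        if len(value) < min_len:
            continue  # one-character values match too often to be a useful signal
        start = sql.find(value)
        while start != -1:
            end = start + len(value)
            if not any(s <= start and end <= e for s, e in literal_spans):
                return True
            start = sql.find(value, start + 1)
    return False


class BlockedQuery(Exception):
    pass


class RaspConnection:
    """Hypothetical in-process guard wrapping a sqlite3 connection (constructed for this example)."""

    def __init__(self, conn):
        self._conn = conn
        self.tainted = set()   # request-supplied strings seen by the application
        self.blocked = []      # statements refused, for the security log

    def taint(self, *values):
        self.tainted.update(v for v in values if isinstance(v, str))

    def execute(self, sql, params=()):
        if is_injection(sql, self.tainted):
            self.blocked.append(sql)
            raise BlockedQuery(sql)
        return self._conn.execute(sql, params)


def demo():
    """Run one benign and one hostile request through the guard; returns the outcome per input."""
    raw = sqlite3.connect(":memory:")
    raw.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    raw.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")  # constructed sample data
    db = RaspConnection(raw)
    results = {}
    for name in ("alice", "' OR '1'='1"):  # constructed request inputs
        db.taint(name)
        sql = f"SELECT id FROM users WHERE name = '{name}'"  # deliberately unsafe concatenation
        try:
            results[name] = [row[0] for row in db.execute(sql)]
        except BlockedQuery:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The check is structural rather than signature-based, which is what lets a RASP hook see things a perimeter device cannot: the guard knows which bytes came from the request and where they ended up in the statement, so it does not need a pattern for every payload. The cost is exactly the overhead the slide warns about: every statement is lexed on the hot path, and a statement that the guard cannot lex is refused rather than passed through.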
![Page 43: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/43.jpg)
Conclusion
• A Risk Based Security model helps to provide a flexible, fluid and ongoing Information Security framework, but it requires collaboration across the organization
• A different perspective on Information Security
• Various models can be used to accomplish an organization's overall strategic objectives
![Page 44: Risk Based Security and Self Protection Powerpoint](https://reader030.fdocuments.us/reader030/viewer/2022013122/55a51a741a28ab565a8b4574/html5/thumbnails/44.jpg)
Conclusion
• Runtime Application Self Protection (RASP) is an emerging technology that can address the quickly disappearing perimeter in Information Security