Notes accompany this presentation. Please select Notes Page view.

These materials can be reproduced only with written approval from Gartner.

Such approvals must be requested via e-mail: vendor.relations@gartner.com.

Gartner is a registered trademark of Gartner, Inc. or its affiliates.

Information Security Technology

and Services

Claudio Neiva Research Director – Network Security

Claudio.neiva@gartner.com

Fear, Uncertainty and Doubt

Brasil

DDoS Attacks Increasing in Size;

Frequency of Attacks Is High

Source: Arbor Networks — Worldwide Infrastructure Security Report 2013

0

20

40

60

80

100

120

2002 2003 2004 2005 2006 2007 2008 2009 2010 2011

0

5

10

15

20

25

30

35

40

45

50

Most Common Motivations Behind DDOS Largest Bandwidth Attacks Reported

Phishing e-mails

Phishing e-mails vary in quality, payload, and purpose, but they all share the same initial goal: get the user to take action

Source: Verizon 2013 security report

Likely Impacts

• Loss of availability:

1. Several hours

2. Several days

3. Forever

• Confidentiality failure:

1. Embarrassment

2. Privacy loss, fine and PR damage

3. Loss of competitive advantage

• Data loss:

1. Recoverable in several days

2. Partially corrupted data

3. Never fully recoverable

Confidentiality and Accessibility

Cannot Be Simultaneously Optimized C

onfidentialit

y

Accessibility/Availability

• Secrecy and reliability are negatively linked goals

• Time and money can partially raise the overall level of both

Nobody can see data

Everybody can see data

Optimized Trade-off Curve

Business

Security

Consumer

Security

Low Risk

High Cost

High Maturity

What Is Appropriate Risk?

There is no such thing as "perfect protection"

Manufacturing Healthcare Financial Services

Production Engineering

High Risk

Low Cost

Low Maturity

… More risk!

Business Model

More customers, more locations, more complexity, more aggressive use of personally identifiable information in

marketing, more regulatory scrutiny, …

Station Access

Govern

The Nexus of Forces Is Driving Innovation

in Government

Extreme Networking

Rampant Access

Global Class Delivery

Rich Context,

Deep Insights

Data Loss Prevention

Secure Web Gateway

Secure Web Gateway

Risk

Security Application Testing

Security Information and

Event Management

Cryptography

Firewalls

Managed Security Services

Intrusion Prevention

Mobile Security

Endpoint Protection

Social Media Security

Monitoring

Digital Surveillance

Information Security and

the Nexus of Forces

Identity and Access Management

NEXUS

NEXUS

The 4 Phases of BYOD (Device or Disaster?)

Don't Ask, Don't Tell

Corporate-Owned

Devices Only

Focus:

Productivity

• Desktop

Virtualization

• Adoption of New

Enterprise-Grade

Services

• Enterprise App

Stores

• Self-Service and

P2P Platforms

Focus: Data

Protection, Cost

• BYO Policies

• Formal Mobile

Support Roles

• MDM

• NAC

• Limited Support

• Extend Existing

Capabilities

Realization of the

Personal Cloud

• Context Awareness

• Identity-Aware NAC

• Workspace

Aggregators

• "Walk-Up" Services

Avoid Adopt Accommodate Assimilate

How's This Working for You?

2002 2010 2018

Security is in the control of IT & Operations

Security is in the control of business units and users

Strategic Planning Assumption

By 2018, 70% of mobile professionals will conduct all of their work on personal smart devices.

Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring.

By 2020, 75% of enterprises' information security budgets will be

allocated for rapid detection and response approaches, up from less

than 10% in 2012.

Can Your Board Handle the Truth?

100% of U.S. public company boards are required annually to disclose their

ability to oversee risk, yet …

fewer than 2% of U.S.-based companies, and fewer than 9% of global companies,

actually have robust and mature risk oversight practices.

You Must Get Right

Information Security Privacy Risk Management

Business Continuity Management

Compliance Identity and Access Management

Identity

Single-Sign-On

Auto provisionamento

Hootsuite – Redes Sociais

GRC & Auditing

Analise de Vulnerabilidades

Pentest

Auditoria interna

PCI

Gestão de Risco

Legal & Policy

Revisão de Política

Contrato para fornecedores

Contrato para colaboradores

Information Security Management

Scenario

Software

Auditoria de código

Fortify - Métodos Ágeis

Whitelisting

SO Assessment

Endpoint

VPN

NAC

AV, Malware & Host IPS

DLP & Criptografia

Proxy Internet

AntiSpam

Awareness

E-learning

Hotspots

E-mails educativos

Palestras

Treinamentos específicos

Intel & Operation

SOC

SIEM

Perimeter

IPS

Firewall

Firewall Aplicação (WAF)

VPN

Gestão de Segurança da Informação

Composto por diversas áreas da empresa, não é exclusivo da TI. Incorpora a Segurança da Informação, TI, mas também usuários, controladores, auditoria, RH, Jurídico etc.

A segurança deve estar presente em cada um, a preocupação deve ser de todos.

Política de Segurança

Documenta as responsabilidades de cada um, os pontos de atenção e os controles necessários.

Para os controles define procedimentos e checklists para implantação e monitoramento

Perímetro: primeira barreira – reativa – entre a Internet e redes internas. Base em redes.

IPS: bloqueia ataques de volume ou diversos; Firewall: realiza o controle de acesso

WAF: blinda aplicações Web VPN permite acesso externo como se estivesse na rede interna.

Software – segunda barreira – proativa – código e aplicações seguras

Auditoria de código: com ferramenta adequada realizado pela equipe de segurança Fortify: parte do processo de desenvolvimento com deploy ágil

Whitelisting: controle das aplicações o servidor de aplicação pode executar Assessment: validação cíclica dos servidores de aplicação quanto a checklists

Endpoint – proteção de estacoes, notebooks e dispositivos moveis

VPN: permite o acesso externo seguro NAC: permite o acesso interno seguro

AV, Anti-malware, Host IPS, DLP e Criptografia: protege a estação e os dados Proxy e AntiSpam: protege o usuário e a produtividade

Conscientização e educação dos usuários

e-learning e e-mail educativos com curiosidades e dicas Hotspots de tecnologia (folhetos, paineis)

Palestras e treinamentos realizados pela área Palestras e treinamentos contratados

Gestão de Identidade

Single-sign-on: login automático em aplicações após o login no Windows

Auto provisionamento: criação e exclusão de contas em único workflow

Hootsuite: gestão de acesso a perfis de redes sociais

Inteligência e Gestão de Logs

SIEM: concentração de logs e aplicação de regras de segurança e de negocio no correlacionamento dos eventos detectados

SOC: equipe especializada em monitorar incidentes e executar tarefas operacionais de segurança da informação

GRC e Auditoria

Auditoria, PCI e Gestão de Risco: monitoramento das vulnerabilidades e gestão dos riscos Analise de vulnerabilidades: analise manual de todos os ativos de informação da empresa por consultoria

especializada Pentest: teste de intrusão manual nas vulnerabilidades encontradas e input para gestão de riscos

Legal e Política

Revisões cíclicas da Política: reuniões entre pessoas chaves do comitê de segurança ou similar para elaboração de Políticas e aprovação

Contrato para fornecedores: contrato com os requisitos de segurança impostos aos fornecedores de ativos de informação

Contrato para colaboradores: adendo ao contrato de trabalho regulando o uso de ativos de TI

Implemented Gap Revision

Information Security – Framework

From Control-Centric Security

to People-Centric Security

Policy Rules

People

Punishment

Control

Rights Principles

Policy

Responsibilities

People

Monitor

Educate

Kickin' it old school • Threat-based

• Tool-focused

• Tactical

• Reactive

• Project-oriented

• Ignored by business

• Take ownership of risk

The new paradigm • Risk-based

• Process-focused

• Strategic

• Proactive

• Programmatic

• Engaged with business

• Educate about risk

New Goals of Information Security

The function of information security management is to support the business's ability to deliver on its goals in a risk-resilient manner.

Cost Center Value-Add

Transform: Mapping KRIs and KPIs

Revenue Loss

Miss the

Quarter

Leading Indicator That…

Leading Indicator That…

Leading Indicator That…

Critical Application

Fault

Supply Chain

Support Application

Key Risk Indicator

Open Incidents

Poor Patching

Negative Impact KPI

Supply Chain Slows

CRO/CISO CIO The Business

Reading Gartner’s reports, but not speaking to an

analyst

Path to Failure:

What product and vendor selection tools are appropriate for my enterprise?

Gartner Methodologies

Gartner IT Market Clock

Gartner Hype Cycle

Gartner MarketScope

Gartner Magic Quadrant

Technology Evolution

Market Overview

Gartner Critical Capabilities

Should you move or wait?

Maintain or retire?

Evaluate risks in emerging and mature markets

Map providers against business requirements

Identify use cases and compare vendors

Recommended Gartner Research

The Structure and Scope of an Effective Information Security Program Tom Scholtz (G00210133)

Security Management Strategy Planning Best Practices Tom Scholtz (G00223694)

The Security Processes You Must Get Right Rob McMillan (G00209848)

Seven Techniques for More Proactive Risk and Security Management Tom Scholtz (G00224578)

The Keep-It-Simple Approach for CIO Risk Reporting to the Board Richard Hunter, French Caldwell (G00211351)

Introducing Risk-Adjusted Value Management Paul E. Proctor, Michael Smith (G00225409)

The Gartner Business Risk Model: A Framework for Integrating Risk and Performance Paul E. Proctor, Michael Smith (G00214758)

Information Security and Risk Governance: Forums and Committees Tom Scholtz, F. Christian Byrnes (G00207477)

For more information, stop by Experience Gartner Research Zone.