Presentation on theme: "Welcome HITRUST 2014 Conference April 22, 2014. The Evolving Information Security Organization – Challenges and Successes Jason Taule, Chief Security."— Presentation transcript:
The Evolving Information Security Organization – Challenges and Successes

- Jason Taule, Chief Security and Privacy Officer, FEi Systems (Moderator)
- Robert Booker, Vice President and Chief Information Security Officer, UnitedHealth Group
- Erick Rudiak, Information Security Officer, Express Scripts
- Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, WellPoint
- Omar Khawaja, Vice President and Chief Information Security Officer, Highmark

Chief Information Security Office
HITRUST 2014 Conference
The Evolving Information Security Organization: Challenges and Successes
Tuesday – April 22, 2014
Roy R. Mellinger, CISSP – ISSAP, ISSMP, CIM
Vice President, IT Security, Chief Information Security Officer

17 The Evolving Information Security Organization

- Enterprise Risk Management
- Security Viewed as a Business Enabler
- Translating Business Needs into Security Requirements
- Translating Security Requirements into Technical Security Controls
- Operating Technical Security Controls

[Diagram labels: Risk Operational Compliance Security Threat Management IT Compliance IT Risk Enterprise Risk]
[Diagram labels: Fighting Fires, Containing, Anticipating Fires, Preventing Fires]

18 The Evolving Information Security Organization

CYBER THREAT MANAGEMENT

- 24x7 Security Operations Center (SOC)
- End to End DLP (Data Loss Prevention) Strategy
- Tracking of Malware Threats and Coding Techniques
- Effective Firewalls, IDS / IPS Strategy Implementations
- Effective Security and Event Log Management & Monitoring
- Robust Safeguarding Policies, Programs and Processes

19 The Evolving Information Security Organization

Hacking Now

- Automated / Sophisticated Malware
- Hacktivism – Freedom of Speech, Statements to Influence Change, Sway Public Opinion and Publicize Views
- Criminal – Drug Cartels, Domestic and Foreign Organized Crime for Identity Theft and Financial Fraud
- Espionage – IP, Business Intelligence, Technology, Military / Political Secrets
- Terrorism – Sabotage, Disruption and Destruction
- Nation-State – Intelligence Gathering, Disruptive Tactics, Clandestine Ops, Misinformation, Warfare Strategies, and Infrastructure Destruction

Hacking Then

- Individual or Computer Clubs / Groups
- Manual efforts with Social Engineering
- Success = Badge Of Honor
- Personal Monetary Gain or to pay for / fund hacking activity
- War Protesting and Civil Disobedience
- Anti-Establishment Rhetoric
- Social Rebels and Misfits

FRINGE to MAINSTREAM: 30 YEARS

20 The Evolving Information Security Organization

- Initial compromise — spear phishing via email, planting malware on a target website or social engineering.
- Establish Foothold — plant administrative software and create back doors to allow for stealth access.
- Escalate Privileges — use exploits and password cracking tools to gain privileges on victim computer and network.
- Internal Reconnaissance — collect info on network and trust relationships.
- Move Laterally — expand control to other workstations and servers. Harvest data.
- Maintain Presence — ensure continued control over access channels and credentials acquired in previous steps.
- Complete Mission — exfiltrate stolen data from victim's network.

21 The Evolving Information Security Organization

Cyber Threat Management

| | Conventional Approach | Paradigm Shift: Cyber Threat Management |
|---|---|---|
| Controls Coverage | Protect ALL information assets | Protect your MOST IMPORTANT assets (Crown Jewels) based on risk assessments |
| Controls Focus | Preventive Controls (anti-virus, firewalls, intrusion prevention, etc.) | Detective Controls (monitoring, behavioral logic, data analytics) |
| Perspective | Perimeter Based | Data Centric |
| Goal of Logging | Compliance Reporting | Threat Detection |
| Security Incident Management | Piecemeal – Find and neutralize malware or infected nodes | BIG PICTURE – Find and dissect attack patterns to understand threat |
| Threat Management | Collect information on Malware | Develop a deep understanding of attackers' targets and modus operandi related to YOUR org's network and information assets |
| Success Defined By: | No attackers get into the network | Attackers sometimes get in; BUT are detected as early as possible and impact is minimized |

Omar Khawaja
April 23, 2014
The Evolving Information Security Organization – Challenges and Successes

Risk is increasing

Our information is increasing in value…
- More data (EMRs)
- More collaboration (ACOs)
- More regulation (FTC)

Our weaknesses are increasing…
- More suppliers (Cloud)
- More complexity (ACA)

Opportunities to attack are increasing…
- More access (consumer portals)
- More motivated attackers

Becoming increasingly difficult to secure
- Multiple Compliance Requirements
- Evolving Compliance Requirements
- Unclear Compliance Requirements
- Less visibility
- Less control

(Assets × Vulnerabilities × Threats) − Controls

Security org needs to evolve

| From… | To… |
|---|---|
| Explaining the "what" | Explaining the "why" |
| Growing the security org | Growing security in the org |
| Creating more security processes | Making security part of more processes |
| Telling them what to do | Assisting them with their job |
| Protecting everything equally | Differentiated controls |
| Measuring what matters to security org | Reporting on what matters to audience |