
Cybersecurity – Toward a Strategic Approach to Cyber Risk

Andy Purdy
Chief Cybersecurity Strategist
May 18, 2010




CSC Webinar – Cybersecurity – Towards a Strategic Approach on Cyber Risk                          Page 1
Summary


1  What is the current cyber risk?
2  Learn lessons from experience.
3  What approach should we take?
4  What capabilities do we need?
5  Risk management – for organizations and countries




What is the current cyber risk?





What is Cyber?


• Cyber is the ability to operate
  in cyberspace to achieve the
  results that you intend and not
  those intended by your
  adversaries, competitors or
  cyber criminals.





In this brave new world we tread…


• November 2002 (Geopolitics): The rise of the Botnets
 – A DDoS…by an army of citizen-zombie computer attacks…
• April 2004 (Sasser): Widespread outages around the world
 – Agence France-Presse (AFP) blocked satellite communications, Delta Air Lines cancelled
   several transatlantic flights, If and Sampo Bank closed 130 offices; also impacted
   …Goldman Sachs, Deutsche Post, European Commission, Lund University Hospital
• January 2010 (Google discloses): The NYT, April 2010
 – "…losses included one of Google's crown jewels, a password system that controls access
   by millions of users worldwide to almost all of the company's Web services, including
   e-mail and business applications…"
• Looking into the Future:
     → APT/Botnets/Integrity Attacks/Convergence of Threats to Converged Infrastructures





…cheerfully, into the unknown

• 4G Wireless Broadband Networks: LTE and WiMAX
 – 100 Mbit/s on the move and 1 Gbit/s stationary – the world goes wireless
 – Tens of billions of devices (smart phones, metering)…

• Convergence in technology and infrastructure: sharing the same threats
 – Voice – Video – Data: using a common protocol (IP), sharing a common infrastructure, and the risks
 – All national infrastructures (energy, transportation) using the same ICT infrastructure
 – Threats that transfer between data – video – telephony
 – Cloud Computing: a shared ICT infrastructure – shared risks





Premises


• Experience is only valuable if we learn from it and act on it
• Information sharing is not enough
• A strategic approach to the cyber challenge is essential
• Stakeholder collaboration is critical at each level
• Threat information is important, but risk should be the driver
• Risk management is critical for organizations, nations, and the global
  information infrastructure





Summary of Cyber Risk


• The use of innovative technology and interconnected networks in
  operations improves productivity and efficiency, but also increases the
  vulnerability to cyber threats if cybersecurity is not addressed and
  integrated appropriately.
• A spectrum of malicious actors routinely conducts attacks against the
  cyber infrastructure using cyber attack tools.
• Because of the interconnected nature of the ICT infrastructure, these
  attacks could spread quickly and have a debilitating effect.




Learn lessons from experience.





Industry concerns?

• Data vulnerability due to the sizable increase in data volumes, flows, and interfaces
• System security resulting from converged, automated, and integrated environments
• New devices that may be immature and have security limitations
• Consumer privacy from increased connectivity, devices, and intelligence
• Potential fraud from insufficient tamper protection
• Overall increase in the complexity of a utility’s compliance profile




                                                                            Adapted from EPRI source image




Introduction


Cybersecurity – a National Security Imperative and Global Business Issue


• Nations and critical infrastructure owners and operators are dependent
  on Cyber for national security, economic well-being, public safety and
  law enforcement, and privacy.
• Major companies must ensure the resiliency of their operations, protect
  their reputations and the privacy of their customers, differentiate their
  brand, and meet compliance obligations.
• Innovative technologies and information assurance strategies must be
  implemented by government and private companies through fully
  integrated, end-to-end cyber solutions





Secure ICT also Represents …


• Technological advantage
• Opportunity to gain competitive advantage
• Opportunity to help shape the global cyber environment in support of US
  interests
• An exciting field for our emerging technology
• An additional foundation for academic excellence




What approach should we take?





A Strategic View of ICT Security


• There is no real separation in cyberspace; we share a common
  environment with allies, partners, adversaries, and competitors.
• It is important to understand computer network defense, and be informed
  by exploitation and attack.
• Security is more about architecture and integration than about
  deployment of more products to build perimeter defenses.





Public Policy Challenge


• Nations are dependent on cyber for national security, economic well-
  being, public safety, and law enforcement
• Risk is real but not visible and obvious
• Authority/control is spread among multiple entities in the public and
  private sectors
• ICT is international
• Individuals and organizations are reactive and tactical, not proactive and
  strategic
• We do not learn lessons from the past





Learn Lessons from Experience


• Recognize the value of lessons learned to enhance preparedness
• Systematize after-action processes for exercises AND real-world events
• Take a pro-active, strategic approach to risk
• A robust risk management program can facilitate and prioritize planning,
  decision-making, and resource allocation
• A strategic approach to ICT risk management should be grounded in
  architectural, design, and process principles
• Stakeholders should be engaged in the assessment and mitigation of ICT
  risk, spending on research & development, & cyber incident response
  and recovery preparedness





Regulatory Environment – Upcoming Challenges for Private Sector and Critical Infrastructure?

• Legislative perspective: has the private sector done enough to secure
  their own facilities?
• Executive perspective: concern about government and critical
  infrastructure relative to cyber threats.
• Power/Utility, transportation, and other critical infrastructure sectors of
  significant cyber concern.
• Private sector favors voluntary, private-sector developed standards,
  incentives, and safe harbor provisions rather than regulations





The "New Reality"


• Global recognition that "national health and security…" is permanently intertwined
  with the internet.
• National governments across the globe are intending to actively address cyber
  security risks to specified private-sector infrastructures of interest supporting
  national programs and critical infrastructure segments.
• Examples of the "national health and security…" requirement in evidence
 – Transglobal Secure Collaboration Program (TSCP) – voluntary collaborative program
   (funded by membership contributions)
   • Governments – US, UK, Netherlands
   • Companies – BAE, Boeing, EADS, Lockheed Martin, Northrop Grumman, Rolls-Royce,
     Raytheon
 – U.S. Defense Industrial Base (DIB) – a threshold of capabilities defined by U.S. DoD to
   protect Controlled Unclassified Information (CUI) used in Defense contracts
   • Established and monitored by US DoD (as expressed in the DIB Cyber Security
     Benchmark and DIB CONOPS)
   • One-to-one framework agreements, funded by individual companies
 – U.S. Comprehensive National Cybersecurity Initiative (CNCI)
 – Activities of European Network Information Security Agency (ENISA)
What capabilities do we need?





What is missing nationally and internationally?


• What do we need to worry about and what do we need to do about it?
• We need to
 – know our risk posture,
 – identify requirements for addressing that risk that are generated
   by a public-private collaboration, and
 – make it easy to hold stakeholders accountable.





What is needed nationally and internationally?


A strategic approach to facilitate public/private collaboration and
 information sharing to set requirements, and resource, execute, and track
 progress on:
• ICT risk;
• ICT preparedness;
• Malicious activity and cyber crime; and
• Research and development.





How should the challenge of ICT risk and preparedness be
addressed?

• Stakeholders at the organizational, national, and international levels must work
  together
 – to identify critical functions,
 – assess and mitigate risk, and
 – plan, and build capacity for, response and recovery
• Use standards to drive risk reduction
• Exercise to identify gaps and improve
• Pursue innovation
• Use this process to identify requirements to drive resource allocation for
  risk mitigation, response preparedness, and research and development




Risk management – for organizations and countries





Protecting your Organization, Clients, and Customers


• Use lessons learned from Advanced Persistent Threats (APTs) and other
  sophisticated attackers to strengthen active defense
• Work in public-private partnerships to strategically collaborate and share
  information about threat and risk





Strategic Approach to Malicious Cyber Activity


• An initiative to promote a strategic approach – by government (not just
  law enforcement) and the private sector – against malicious cyber activity
• Need to build national and international information sharing capabilities to
  collect, preserve, analyze, and share information on malicious actors
  AND enablers – using a federated data-sharing model.
• Need good national and international data on cyber crime.





Government Cyber Security Involvement


• Government needs to help define domestic, EU, and allied ICT interests
• Using those interests, Government needs to create stronger interagency
  and inter-governmental policy process and policy (guiding principles)
• Collective interests need to be represented consistently in all international
  fora concerned with global cyber security and cyber governance; if not,
  global policy and governance may not conform to national and
  international interests
• Your country, EU, and its allies, need a consistent approach to the ICT
  risk in critical infrastructure
 – Focus on security standards, rather than prescribed processes (i.e., define how secure to
   be, not how to be secure)
 – Recognize that the threat is advanced and dynamic; a "cookbook" approach will not adapt
   sufficiently well to such a threat
• Sensitize private sector and public to the threat; recognize that
  adversaries do not reserve their most advanced technologies for use only
  against our Government


Private Sector Role


• Request government to facilitate information exchange and enhanced
  collaboration.
• What actions are advisable?
• What incentives would help bring those actions about?





The Model-Portfolio – A Different Way to View the Problem


An integrated set of capabilities consistent with a model – new to the industry – fit for
purpose to the demands of a complex global problem

• The "security stack" – defines the problem complexity and the sophistication needed in
  the solution
• Demonstrated ability to scale to the full dimensions of the problem
• Demonstrated ability to leverage our government knowledge applied to our commercial
  delivery
• Allows us to see the gaps – determine how we close them




Making a better case …for Why CSC

• Cyber security is a core competency of CSC in both commercial and public sectors
• Comprehensive capability – the full range of the "security stack"
• Cross-leverage what we know – between commercial and public sectors

[Slide diagram: Public Sector and Commercial Sector capabilities]
• Public Sector: Nation State-Threats, Groundbreaker, Forensics training, Biometric Access,
  System Certification, Phys-Logical Access, Personnel Quals
• Commercial Sector: SOCs to Fortune 500s, Defense Industrial Base, Worldwide presence,
  ISO 27001 preparations




A New Idea: The Security Stack as a Model…for how we
present – organize – determine gaps – integrate. Only CSC and IBM
can make this case

The Security Stack

Layer 4 – The Exercise of National Sovereignty
 – Functional Technologies
   • Ethical hacking – integrating government capabilities

Layer 3 – Situational Awareness External to the Perimeter (Determine Source – Adjust Defenses)
 – Functional Technologies
   • Worldwide monitoring
   • Attestation – adjusting the defenses

Layer 2 – Integrated Security Overlay (Prevent-Detect-Response)
 – Functional Technologies
   • Security Incident/Event Manager
   • OOB managed devices
   • Perimeter defenses (f/w)
   • Intrusion detection/prevention
   • Data Loss Prevention
   • Honeypots

Layer 1 – Assured Systems and Content
 – Functional Technologies
   • CMDB
   • White listing
   • PIV-based biometric access
   • Single Sign On
   • Data encryption and key management
   • Vulnerability assessment

Cyber Security Services (across all layers)
 • Security consulting … understand and manage risk
 • Security integration led by solution architects
 • Managed Security Services
 • Forensics analysis assessments
 • Certification and accreditation
 • Security training – cyber experts
 • Product and system evaluation – common criteria
 • Penetration testing – ethical hacking
 • Compliance
 • Disaster Recovery / Business Continuity




 CSC Cyber Security Overview (1 of 3)
• More than 1,400 full-time security professionals globally
• Security and compliance services to
 – More than 150 commercial clients globally in more than 40 countries
 – Many Fortune 500 companies including many with PCI compliance
 – U.S. federal agencies and many state and local government clients
 – Non-U.S. government clients (UK Royal Mail, UK National Health Service)

• Wide range of security offerings
 – Managed Security/SOC services
 – Endpoint Protection
 – Messaging Security
 – Data loss prevention
 – Compliance Monitoring/Enforcement
 – Vulnerability, Risk and regulatory assessments
 – Forensic and Investigative Response
 – Identity and Access management and biometrics
 – Security engineering, integration, and testing
 – Disaster recovery and business continuity


CSC Cyber Security Overview (2 of 3)


• SSE-CMM Level 4 Information Security Practices by
  independent third party
• Defense Security Service (DSS) Cogswell Award for 5 of
  past 10 years
• Achieved ISO 2700 certification for the CSC-managed EPA
  security program
• Many CSC data centers and service delivery centers
  achieved third party ISO 27001 certification
• Major provider of vulnerability assessments, risk
  assessments and security accreditation services to Federal
  agencies
• Active SAS 70 audit program
• Operates DoD Cyber Investigative Training Academy
• Biometric engineering services to DoD
• Operates certified Common Criteria Test Laboratories in the
  U.S., Australia and Germany under ISO 15408
• Operates FIPS 140-2 NVLAP certified Cryptographic Module
  Test Laboratory


CSC Security Operations Centers (SOCs) (3 of 3)
Managed Security Services Delivery around the Globe in all Regions

• Commercial SOC Operations
 –   North America (Newark, DE) – 33 customers
 –   UK (Chesterfield) – 15 customers
 –   Australia (Sydney) – 9 customers
 –   India (Hyderabad) – 17 customers
 –   Malaysia and Hong Kong – 2 customers

• U.S. Federal SOC/CERT/CSIRT Support
 –   Defense Information Systems Agency (DISA)
 –   U.S. Air Force
 –   U.S. Army
 –   Dept of Homeland Security
 –   EPA
 –   NOAA

• Monitor and manage thousands of security devices worldwide
 –   Network/Host IDS/IPS
 –   Audit Log Storage/Monitoring
 –   Security Event Management
 –   Security Incident Response Services
 –   Technical Compliance Monitoring
 –   Vulnerability Scanning and Alerting
 –   End Point Security Management
 –   Managed Encryption Services
 –   Data Loss Prevention
 –   Forensic Response

[Slide map: SOC locations] Marlton, NJ; Newark, DE; Annapolis Junction, MD; Chesterfield, UK;
Hyderabad, India; Kuala Lumpur; Hong Kong; Sydney, Australia

Consistent and effective 7x24 security monitoring, detection, response and recovery

Representative Cyber Security Clients

• Public Sector: Internal Revenue Service, FAA, USDA, Dept. of Education, Environmental
  Protection Agency, Dept of Energy, Department of Homeland Security, Australian Department
  of Immigration and Citizenship, Prime Minister and Cabinet, Department of the Attorney
  General and Transport Accident Commission; Canadian Treasury Board Secretariat,
  Communication Security Establishment Canada, Public Safety Canada, Canada Revenue Agency,
  Transport Canada, DISA, DCITA, U.S. Army, U.S. Navy, U.S. Marine Corps, U.S. STRATCOM,
  Office of Secretary of Defense, Biometric Fusion Center, U.K. Ministry of Defense, Danish
  Ministry of Defense
• Aerospace & Defense: Textron, Raytheon, Boeing, Hawker Beechcraft, UTC, General Dynamics,
  Spirit Aerospace
• Financial and Insurance Services: Allianz, AMP, Dun & Bradstreet, Maybank, Toyota
  Financial Services, Zurich, PartnerRe, Alliancez, IMB, GE Capital
• Retail & Distribution: Coles, Myer, David Jones, Estee Lauder, Cargill, Astro
• Travel & Transportation: Railcorp, Bombardier
• Health Services: National E-Health Transition Authority, University of Pennsylvania Health
  Systems, UK National Health Service, Nobel Biocare, Consolidated Medicaid/Medicare (CMS),
  Virginia and North Carolina, Medicare/Medicaid Information Systems, eMed of New York,
  Stellaris Health
• Manufacturing: BlueSteel, OneSteel, Delphi, Chrysler, Freescale, Westinghouse, Motorola,
  Nissan, Xerox, Bombardier
• Chemical, Energy & Natural Resources: Powercor, BHPB, Rio Tinto, Alcoa, Woodside Petroleum,
  Newmont Mining, Shell, DuPont, BHP Billiton Petroleum, Watercorp, Western Power, Exelon,
  Basell, Invista, Anglian Water, National Grid, Urenco, BNFL
CSC Strategic Security Partners



CSC's formal partnership with leading security vendors
 – Special discounts on industry leading security tools
 – Responsive procurement
 – Insight into emerging security technology
 – Increase depth of managed security services




Thank you for your attention!
Contact
Andy Purdy
Chief Cybersecurity Strategist

dpurdy@csc.com
apurdy1@gmu.edu




Further webinars




08.07.10 / 15:30-16:30 / Digital Trust
"The New Identity Card (Der Neue Personalausweis) – Possibilities and Fields of Application"

05.08.10 / 15:30-16:30 / Impact and Benefit Orientation
"Strategic Control and Key Figure Determination with SAP Xcelsius"

Source: www.de.csc.com
