2. LOOKING BACK…
• What were the risks when everything was centralised on mainframes?
  • Overnight batch processing
  • Avoiding data loss
  • Centralised data storage
  • What was printed?
3. LOOKING FORWARD…
• Today, we have almost come full circle…
  • Centralised storage
  • Thin client access
  • Don’t allow data to move
4. DEFINING THE PROBLEM
• What are the concerns for companies today?
• Data
  • Where is it?
  • Who has access to it?
  • How sensitive is it?
  • How sensitive will it be in a week, a month or a year?
  • What rules do you have to follow to protect it?
• Applications
  • The dangers of downtime, ensuring availability
  • Testing
  • Development
  • Protecting sensitive application data
  • Ensuring perfect performance
• Physical
  • Ensuring business continuity
  • Robust disaster protection
  • Data replication
  • Physical site security
• Connectivity
  • Bring Your Own Device
  • Secure remote access
  • Cloud-based services and infrastructure
  • Virtualisation
  • Unified comms and collaboration
5. STATE OF THE MARKET
• Securing data has been a moving target for the last 20 years. Today, we’re facing:
  • Squeezed IT budgets
  • Time constraints
  • Changing technology and threats
• Most companies are locking the stable door after the horse has bolted!
6. WHERE ARE WE GOING?
• We’re seeing a proven track record that compliance gives results
• Thanks to PCI compliance, credit card fraud reached a 10 year low in 2012
  • Established security frameworks
  • Increased compliance requirements
  • Companies aligning to ISO 27001
7. WHAT CAN YOU DO?
• Assess the unique vulnerabilities of your business
• Identify the greatest risks and vulnerabilities to enable you to implement preventative protection
  • Risk assessments
  • Security assessments
  • Security as a service
  • Threat analysis
  • What are the acceptable risks and what are the crucial areas to protect?
  • SensePost
  • Push monitoring data and analytics to the cloud and consume as an expert service
  • Assess on demand and model the potential problem
  • Network
  • Applications
  • Employee training and education
  • Websense, Bluecoat, CheckPoint, SIEM, SkyBox
8. WHAT SHOULD YOU DO NEXT?
• Perform a risk assessment
• Prioritise the gaps
• Deploy a SIEM
• Implement scanning / patch management
• Then assess, assess, assess!
• Assessment is the new incident response
Introduce myself and my background of 30 years IT employment, the majority of it in IT security. When I started, the new kid on the block was the VAX VMS, which still relied on disk platters and tape backups. Access was granted through a Front End Processor and one of the primary concerns was to make sure that everything had been printed. It seemed to a naïve operator that the sole purpose of these “big” systems was to print; of course they were doing a lot more than that, processing and storing data via very specific applications. Nobody worked from home and BYOD was a Sony Walkman… Happy days.

Our idea of security and DR was to have a numeric keypad on the computer room door and to take one of the disk platters over to another building on a weekly basis!

One job that we did then that shouldn’t have changed was to check the logs daily and look for any odd events.
So what has changed in all those years? Well, having decentralised everything and moved the processing power (and data) out to the end point, we are now looking at ways to control the data, and one of the options is to centralise the data and prevent it from ending up on the end point.

We are achieving this by improving the way we deliver the data: by implementing application acceleration systems such as F5, Bluecoat, Netscaler etc. (or, as we used to call them, “Front End Processors”) and accessing the application and data through a thin client. It is unlikely now that we will ever get away from having data at the endpoint, but as data connections and applications become faster it is becoming acceptable to keep critical and sensitive data in one place and protect it from moving, and we are becoming better at doing that.
Data: In my experience of performing security reviews and audits, most customers face the same problems. We try to focus on the data element, as that tends to unearth all of the other areas. Our approach is to sit down with various representatives from the business and discuss what types of data they use, how often, where they think it is stored, and the sensitivity of it now, next week and in the future. During this phase we also try to establish whether there are any governing bodies or security frameworks that the customer has to adhere to.

Applications: An easily overlooked area, but it can be just as critical as the data if it is undervalued. Our interests are in the availability, management and development of the applications.

Physical: Our main interests are around DR, but quite often we find inadequate physical security; when companies have spent a lot of time and effort on securing the logical perimeter, it is disappointing to find the fire door wedged open.

Connectivity: This falls under availability. As we extend our usage of different devices we introduce additional risks associated with these devices and the methods they use to connect. The introduction of cloud services and storage brings greater flexibility and some additional compliance concerns (saviour or sinner?).
The threat landscape is continually changing: as we make positive steps and improvements, other new risk and attack scenarios are developed. As it says here, it is a moving target, and our job is to prevent as much bad stuff as possible given both the budget and time constraints all companies face.

We must work in partnership to sensibly assess the risks faced and prioritise our approach. It is perfectly acceptable to accept some risk, but only after we have assessed the impact and likelihood of it occurring.
A solid security framework will ensure that you cover all of the obvious points. I’m not particularly interested in HVAC, but unless I include it in my assessment I could be missing something that could potentially cause a problem in the future.

If you don’t have an industry-specific security framework (you aren’t a merchant, on the US stock market, manufacturing drugs or handling sensitive personal data), then make up your own security framework to follow. Take something like ISO 27001 and edit it down to suit your needs and ability… or call us in and we will help you.
I apologise for the next bit about egg sucking, but it is important if you aren’t doing it already.

As already mentioned, in lieu of an industry-specific security framework, set up your own, but make sure it includes a structured risk assessment that covers all the areas: logical, physical, people etc. This is a manual process and will involve you talking to all parts of the business to get their views on what is important to them, how long they could live without it and also what they do to reduce their own risk.

Once you have done that it would be worth getting an independent assessment of your perimeter; most of us aren’t well versed in abusing security vulnerabilities, so call in an expert to assess and help you find some weak points.

If you don’t practise security monitoring or have a SIEM solution deployed, investigate pushing that as a service to the cloud. In most cases this data has limited sensitivity and rarely needs keeping after a year, so it is one of the few areas that does lend itself to a “Cloud” solution.

Likewise threat analysis: we are seeing more and more vendors producing very good threat analysis packages which, coupled with systems that have visibility of your own landscape, can give you early warning signals on new threats.
So in summary:
• Do the risk assessment – get somebody in to help start this process; you sometimes don’t see your own risks until somebody asks the right (or wrong) question.
• Prioritise the gaps – you will already be ahead of the game by knowing what the gaps are. Allocate as many of the tasks as you can to existing personnel you think have the capability to remediate the gap, but check with them. I’ve seen OS and application patch management come up so many times as a gap and it’s still a gap a year later when I re-check, and this isn’t because IT are lazy and don’t want to do it; it’s because they don’t always have the right tools.
• If you do nothing else – deploy a SIEM before you buy the next fancy trojan bad boy hacking detection and prevention widget.
• External and internal scanning will at least give you visibility and the urge to patch the most critical systems.
• A bit like Plan, Do, Check, Act – schedule regular tests of all your systems and continually perform them.