The document discusses the need to transform security so that it is more closely aligned with the business. It explains that traditional security is reactive, fragmented and improvised, while transformed security must be proactive, have visibility across the whole organization and be planned. Security transformation is necessary to better manage growing digital risk.
5. 5 of Y Internal Use - Confidential
DIGITAL TRANSFORMATION
IT TRANSFORMATION
WORKFORCE TRANSFORMATION
SECURITY TRANSFORMATION
6.
IT TRANSFORMATION
WORKFORCE TRANSFORMATION
DIGITAL TRANSFORMATION
SECURITY TRANSFORMATION
7.
CEOs: 58% are concerned that a lack of trust / security will impact growth
Consumers: 65% are unlikely to do business with a company after a breach
8.
RISK: The majority of organizations feel unprepared for the GDPR
OPPORTUNITY: $10M is the GDPR budget of 40% of the companies surveyed
9.
$93B: worldwide information security spending in 2018 (Gartner)
11.
DIGITAL TRANSFORMATION
IT TRANSFORMATION
WORKFORCE TRANSFORMATION
SECURITY TRANSFORMATION
12.
The Digital Era brings immense Digital Opportunity (But ...)
13.
TODAY'S SECURITY IS NOT WORKING
70% were compromised in the last year [1]
90% are dissatisfied with the speed of response [2]
80% of CISOs will rethink their strategy in the next 12-18 months [3]
[1] RSA Cybersecurity Poverty Index 2016
[2] RSA Threat Detection Effectiveness Survey 2016
[3] RSA estimate based on multiple studies
14. RSA, a Dell Technologies business
SECURITY TECHNOLOGY: where most security vendors are focusing
Account lockouts
Web shell deletions
Buffer overflows
SQL injections
Cross-site scripting
DDOS
IDS / IPS events
BUSINESS RISK: where business leaders are focusing
How bad is it?
Who was it?
How did they get in?
What information was taken?
What are the legal implications?
Is it under control?
What are the damages?
15. Digital Risk
• Organizations must remain relevant and survive while managing Digital Risk
• Cybercriminals have improved their attacks while exploiting Digital Risk
20. The Dark Net
It is a digital marketplace with its own private network, where cyber adversaries monetize the tools of crime and much of what they steal
37.
Attacks are more sophisticated
The perimeter has disappeared
Complexity has become the enemy
Lack of return on investment for defense
CEO / Board scrutiny
SECURITY IS A BUSINESS PROBLEM
I am honored to be here today, with all of you, talking about Security Transformation, a great passion of mine!"
"Really, truly honored and so happy that... at first..."!
"I couldn't even believe I had been given this opportunity" I was named by Giam the Ambassador of Security Transformation!!
"But as soon as I wiped away my happy tears, I started on the mission immediately"
"Now, being the Brazilian that I am... and very emotional... as you can see..."
"I decided to start with a sentiment analysis of all the transformations"
and that is when I became very devastated, truly heartbroken..."
"Because I saw that Security Transformation was not getting much attention..."
"I mean... In order of popularity, security is number four..."
"And since there are only four... that means security transformation came last..."
"We cannot have the 4 transformations in isolation! Or the four transformations without security!!"
"Never... never... At least not during my term as Ambassador!
"Especially considering that security is a huge challenge for our customers today."
"And let's not forget data protection too...
The General Data Protection Regulation, the GDPR, a new European Union regulation that establishes a single set of rules for every EU Member State to protect personal data,
becomes mandatory in May of this year,
The GDPR introduces significant fines for organizations of up to 4% of total worldwide turnover or 20 million euros.
"Still not convinced... here are some facts to consider:
Security already accounts for US $3 billion of our revenue... US $3 billion!
And without security, we cannot get our Market Share of the Four Transformations..." and
Without Security, we cannot get our fair share of the Information Security Market..."
"And folks... what a huge market it is..."
"According to Gartner, worldwide spending on Information Security in 2018 will be US $93 billion"
"And I repeat..."
"US $93 billion in 2018!"
"So our goal today is
Now, I also had another thought...
"The only possible explanation for why there isn't much attention on Security Transformation YET is that it is not so well understood."
“How can we explain to our customers how to “transform” something, anything, when we do not understand what that “thing” is to start with?”
“You do not say…”
“You need something in that…”
“We say”
“You need security in that!”
“And this is why today is the day to clear that all up…”
“This is what we will do right here, right now:”
"The Digital Era brings immense digital opportunity"
"But this opportunity does not come alone...
At RSA, we get to speak to many CISOs and security teams to get the pulse of what is going on in the industry. Here is what we are hearing:
We’re dealing with focused adversaries with creativity, patience and persistence. They’re unpredictable, with a wide range of tools at their disposal. They will carry on their attack campaigns until they are successful. Remember, we are dealing with human ingenuity…which is a powerful thing. We’re also struggling to deal with our growing attack surface, which is growing as a result of cloud, mobile, and IoT. The attack surface area in the modern enterprise is unlimited.
So it’s no wonder that 70% of organizations report that they’ve had a security incident that’s negatively impacted their operations in the past 12 months. 90% of organizations are not satisfied with how quickly they can detect and investigate attacks. And, as a result, based on our estimation, 80% of CISOs are completely re-thinking their security strategy in the next year.
Despite all the money we have invested in security, it’s still too difficult to put security details in business context fast enough. Both security and business leaders want to understand to what degree security incidents impact business continuity, intellectual property, and damage to their reputation, among other things.
The truth is, CEOs and Boards don't care about whether a breach was caused by a new Remote Access Trojan coming from the ShellCrew group that’s exploiting a vulnerability in Internet Explorer. What they do care about is overall impact to the business. So what we need to do is to express the details of security in the language of business risk.
The inability to do so is what we call the “gap of grief.” And this gap stands in the way of being able to answer THE critical question when a breach does occur… HOW BAD IS IT?
it brings Digital Business Risks along with it”
“On one hand, organizations need to capture the Digital Opportunity to remain relevant and survive, while managing the Digital Risk”
“On the other hand, cyber adversaries want to capture the Digital Opportunity to improve their attacks, while exploiting the Digital Risk”
"Both sides enter a game of defense against offense, where security teams must defend against the cyber adversaries' offensive."
"To make matters worse, the playing field is not level...
"Defense" must "defend" against all attacks; while
"Offense" only needs to succeed once;
"Defense" must act in minutes; while
"Offense" has months and even years to plan and attack;
For the "defense", cyber security is a business risk; while
For the "offense", cyber security is a business opportunity"
"A business opportunity that is creating an entire parallel, black market.
The Dark Net, for example, is a digital marketplace with its own private network, where cyber adversaries monetize the tools of crime and much of what they steal."
"A business opportunity that is attracting a diverse set of cyber adversaries, with distinct motivations, such as:
"Casual" hackers
Organized crime
Hacktivists and
Nation states
"And what are they going after?"
"Leaving aside the thrill of doing something bad, I guess,
They are after our data, the currency of the digital age!"
"So how can we, the "defenders", defend ourselves?"
"The first step in designing a "cyber security defense strategy" is to understand risk!
"Ready?"
"Risk is a situation that involves exposure to adverse events."
"Basically, exposure to anything bad!"
"Risk is measured along two dimensions:
The likelihood of some adverse event happening... and
The impact caused if the event actually happens, such as:
Financial costs,
Reputation or
Consumer loyalty
“There are many types of risks…
Personal risks… such as the one I am facing here, right now, with a high likelihood that this presentation becomes a career-ending event, and with a potential impact of costing me a job… or…
Cyber security risks, such as the data breach at Merck that caused more than $300 Million in damage;
"This chart plotting risks is called a risk map and is typically divided into low, medium and high temperature zones..."
"Now... The challenge is that risk cannot be avoided or eliminated."
In fact... the biggest risk is not taking any risk"
"As a result, risk must be managed..."
“Risk is managed along the same two dimensions:”
By decreasing the likelihood of exposure to adverse events and
By decreasing the potential impact when these events are happening or about to happen, and believe me that bad things actually happen, and happen all the time
The other challenge is that there are not enough resources in the world to fully manage all risks…
“As a result, Risk must also be prioritized…” meaning that…
The most impacting risks get the most attention…
Risk management and risk prioritization are key today!
Got it?
“Now…There are five “things” that can be done to prioritize and manage risk.”
“Ready?”
“To identify risks and prioritize them based on their positions in the risk map!”
“Deploy protection mechanisms on the highest risks:
to decrease the likelihood that the adverse event will happen and
to mitigate the impact it may cause.”
“Detect as soon as something bad happens, or, even better, before bad things actually happen,
“Respond once it has been detected”
“Recover from the damage it may have caused”
Consider, for example, a CISO who wants to define a “cyber security defense strategy” against data breaches, which, by the way, reached an all-time high last year, with over 5 thousand reported breaches compromising almost 8 billion information records.
There are five functions the CISO must work on:
“Identify” the datasets whose breach would cause the highest impact to the business;
“Protect” these datasets by, for example, encrypting this data at rest, and in motion, preventing it from being viewed even if stolen;
“Detect” any suspicious activity in accessing the data;
“Respond” to breaches, if they occur, by notifying all parties affected and the government within 72 hours; and
Planning a “Recovery” by creating copies of the data in isolated physical areas, enabling any stolen data to be restored without paying a ransomware demand.
Now, I want to stop a minute and CONGRATULATE you all!
You have just learned the five core functions of the cybersecurity framework defined by the National Institute of Standards and Technology, NIST!
Now, please repeat with me, all together, these five functions!
Ready?
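As an added example (not part of the deck or of any Dell or RSA material), here is a small Python risk register that applies the talk's two dimensions, likelihood and impact, to score risks, place them in low, medium and high zones of a risk map, prioritise them, record a treatment plan under the five NIST CSF functions, and show how treating a risk moves it to a cooler zone. The 1..5 scales, the zone thresholds and the sample risks are constructed assumptions; the breach entry mirrors the CISO example given above.

```python
# Added example (not from the deck or any Dell/RSA material): a risk register
# scored along the two dimensions the talk names, likelihood and impact, placed
# into low/medium/high zones of the risk map and prioritised, with a treatment
# plan keyed by the five NIST CSF functions.
# The 1..5 scales, zone thresholds and sample risks are constructed assumptions.
from dataclasses import dataclass, field

NIST_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)
    plan: dict = field(default_factory=dict, compare=False)  # CSF function -> action

    def __post_init__(self):
        for dim in ("likelihood", "impact"):
            if not 1 <= getattr(self, dim) <= 5:
                raise ValueError(f"{dim} must be on the assumed 1..5 scale")

    @property
    def score(self) -> int:
        # Risk = likelihood x impact, the two dimensions from the talk
        return self.likelihood * self.impact

    @property
    def zone(self) -> str:
        # Assumed thresholds for the "temperature" zones of the risk map
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def prioritise(register):
    """Most impacting risks first: highest score, then highest impact, then name."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.name))


def risk_map(register):
    """Group risk names by zone, in priority order, like the slide's heat map."""
    zones = {"high": [], "medium": [], "low": []}
    for r in prioritise(register):
        zones[r.zone].append(r.name)
    return zones


def missing_functions(risk):
    """NIST CSF functions that have no planned action for this risk."""
    return [f for f in NIST_FUNCTIONS if f not in risk.plan]


def treat(risk, likelihood_reduction=0, impact_reduction=0):
    """Manage a risk along the same two dimensions: lower the likelihood (controls
    that block the event) and/or the impact (e.g. encryption that makes stolen
    data unreadable). Each dimension is floored at 1: risk is never eliminated."""
    return Risk(
        risk.name,
        max(1, risk.likelihood - likelihood_reduction),
        max(1, risk.impact - impact_reduction),
        risk.plan,
    )


# Constructed sample register; the breach entry mirrors the plan given in the talk.
SAMPLE_REGISTER = [
    Risk("Breach of customer PII database", likelihood=4, impact=5, plan={
        "Identify": "classify the datasets whose breach hurts the business most",
        "Protect": "encrypt the data at rest and in motion",
        "Detect": "alert on suspicious access to the data",
        "Respond": "notify affected parties and the regulator within 72 hours",
        "Recover": "keep isolated copies so data can be restored without paying",
    }),
    Risk("Credential phishing against staff", likelihood=5, impact=3, plan={
        "Identify": "inventory accounts with access to sensitive systems",
        "Protect": "multi-factor authentication and mail filtering",
        "Detect": "monitor for logins from unusual locations",
    }),
    Risk("Lost unencrypted laptop", likelihood=3, impact=3),
    Risk("Public website defacement", likelihood=2, impact=2),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        gaps = missing_functions(r)
        print(f"{r.score:>2} {r.zone:<6} {r.name} "
              f"(plan gaps: {', '.join(gaps) if gaps else 'none'})")
    print(risk_map(SAMPLE_REGISTER))
    treated = treat(SAMPLE_REGISTER[0], likelihood_reduction=2, impact_reduction=3)
    print(f"after treatment: score {treated.score}, zone {treated.zone}")
```

Running the block prints the register in priority order with each risk's gaps against the five functions, then the zone map, then the breach risk after treatment: encrypting the data (lower impact) and tightening access (lower likelihood) moves it from the high zone (score 20) to the low zone (score 4) without ever reaching zero, which is the "risk cannot be eliminated, only managed and prioritised" point of the talk.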
Enterprises have been thrown off guard by the new world order of security. And that lack of footing has caused security to become a business problem.
A rapid convergence of technology trends has created a nearly impossible scenario for defending networks. We’ve dissolved the perimeter as we implement new technologies such as cloud, mobile, and IoT. The number of devices connected to our networks grows by the day, with predictions of more than 50 billion connected devices by 2020. And our workforce now demands 24/7 access to corporate resources from anywhere, to anything, on any device.
Further, attackers often have the upper hand because offense almost always beats defense. Attack ROI is immediate and continuous, while defense ROI is harder to see and measure. Access to specialized attack tools has gotten easier, and knowledge of more advanced TTPs is more common, making it possible for many types of actors to carry out sophisticated attacks.
Ironically, the complexity of the solutions we implement is exacerbating the problem. Most organizations have a large collection of tools, implemented over time, that don’t interoperate. As a result, organizations lack the visibility they need across the modern IT landscape. Further, the vast majority of these tools are aimed at stopping known threats, but do little to protect against new unknown attacks.
Against the backdrop of these technology challenges, CISOs are facing more scrutiny and more pressure from CEOs and Boards. The business is posing more questions about the possibility of a breach, scrutinizing security investments, and showing increasing interest in understanding the business impact of security activity. What this means is that the technology problem has become a business problem.
“Transformed security changes how security is done.”
“Here are some differences between ‘traditional security’ and ‘transformed security.’”
“Traditional security focuses mainly on compliance requirements to prioritize security controls, with the misconception that a compliant organization is a secure organization.”
“Transformed security goes well beyond compliance to identify the highest impacting digital business risks. It then designs a risk-driven security strategy, where security and risk management are unified; where both IT and the business know which risks are worth taking, and invest accordingly.”
“Traditional security “protects” by securing perimeters, sacrificing data mobility and workflows; and by bolting on more and more tools, in patchwork fashion, to fight known threats, such as viruses or harmful files. It impacts ease of management, and creates alert fatigue for already strapped security teams.”
“Transformed security chooses infrastructure where elements of security have already been designed-in, where data is surrounded with security that moves along with the data, and where application and network access are automatically enforced on a least-privileged basis, meaning access is given to only the assets required to perform a task.”
“Traditional security “detects” by having people monitor siloes of alarms, coming from that patchwork of tools, to catch known attacks after they have happened. They have limited visibility into the relationships among the many anomalies found, impacting detection and response.”
“Transformed security augments expert human intelligence with machine intelligence and contextual insight, applying machine learning and behavioral analytics to study events as they occur in the infrastructure, from the edge, to the core, to the cloud. It can proactively detect unusual behavior that can be the formation of advanced and persistent threats, in order to better contain threats and mitigate damage.”
“Traditional security “responds” to threats manually or using tools with static policies, specific for isolated events. These tools are not capable of learning or adapting their responses based on business context.”
“Transformed security uses a risk-driven approach to cohesively manage threats’ full lifecycle. It understands the business context to prioritize what to respond to. It ensures that business policies and protocols are followed and documented properly to minimize litigation risk after the fact.”
“Traditional security “recovers” in an ad-hoc manner, improvising to leverage business continuity protection mechanisms, such as back-ups and disaster recovery, not designed for full recovery from an attack.”
“Transformed security leverages risk assessments to proactively plan, design and test “recovery” strategies for the most valuable assets, throughout their lifecycle, while creating digital copies of these assets and safeguarding them before they are affected.”
And last,
“A traditional security defense strategy is mostly uncoordinated across the functions, with minimal data sharing, where different teams operate independently, using tools that do not connect to one another.”
“Transformed security harmonizes activities across the functions, enabling them to have visibility, operate and invest against the same set of risk-driven priorities, sharing a common business context.”
“Dell Technologies’ portfolio strategy is the only one to deliver on the shift from traditional to transformed through:”
“Unified risk management”
“Adaptable security operations”
“Resilient infrastructure”
“Trusted services”
“This is what Dell Technologies has that makes this real.”
“Together…”
“Let Dell Technologies Win!”
“Thank you very much Dell EMC!”