Mitigating Cybersecurity Risk with Hyper-Segmentation

Size: px

Start display at page:

Download "Mitigating Cybersecurity Risk with Hyper-Segmentation"

Edmund Goodman
5 years ago
Views:

1 Mitigating Cybersecurity Risk with Hyper-Segmentation Session 46, February 20, 2017 Eric Miller, Sr. Director, Ascension Information Services Paul Unbehagen, Chief Architect, Avaya 1

2 Speaker Introduction Eric Miller Sr. Director Ascension Information Services Paul Unbehagen Chief Architect Avaya 2

3 Conflict of Interest Eric Miller, Ascension Information Services Has no real or apparent conflicts of interest to report. Paul Unbehagen, Avaya Salaried employee of Avaya. 3

4 Agenda Learning Objectives Escalating Risks of IoT and Connected Devices Assessing Risk Solutions to Address Risks 4

5 Learning Objectives Identify devices, exposures and risk profiles Apply risk models to the device and general exposures, including shield and contain Employ hyper-segmentation zones Assess hyper-segmentation zones with focused current technologies Prepare a plan for implementation 5

6 An Introduction of How Benefits Were Realized for the Value of Health IT The value steps impacted are: Satisfaction Electronic Secure Data 6

7 Escalating Risks 7

Gartner, 2016 25+% Enterprise Attacks will be IoT 256 Days to Identify

8 New Technology Brings New Attack Vectors 38% Increase Security Incidents By 2020, over 25% of identified attacks in enterprises will involve IoT Gartner, % Enterprise Attacks will be IoT 256 Days to Identify Attacks 25B IoT Devices 48% Breaches were Malicious 8 $ 6.7M Cost Per Data Breach

9 The Network Perimeter Was Well Defined 9

10 The Everywhere Perimeter But now BYOD is a new normal IoT is exploding Cloud services are burgeoning 10 Contracting continues to expand

11 Where Do I Start? 11

12 Follow the NIST Cybersecurity Framework (CSF) NIST Cybersecurity Framework HIPAA Crosswalk to NIST Framework: 12

2.2 Risk Management Framework Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce.

13 Use the Risk Management Framework Step 6 Monitor Security Controls Step 5 Authorize Information Systems Step 4 Assess Security Controls Step 1 Categorize Information Systems Step 2 Risk Management Framework NIST SP Rev1: Figure 2.2 Risk Management Framework Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States. 13 Select Security Controls Step 3 Implement Security Controls

14 Classify Your Risks High Likelihood Low Low Consequences High Note: NIST IR 8023: Risk Management for Replication Devices provides an example for printers / copiers 14

15 Principles of Risk Mitigation Universal isolation Not seeing is believing Complexity is the enemy of security IoT security and speed 15

16 Defining Hyper Segmentation Universal Isolation Without Hyper- Segmentation With Hyper- Segmentation END-TO-END CONTROL PLANE Patient Records Financial Systems Application Servers Patient Records Financial Systems Application Servers 16

17 Going Stealth Without Stealth Hyper-Segmentation Video Surveillance Cameras Video Surveillance Cameras With Stealth Hyper-Segmentation With Stealth Capability Network visibility is dark or limited if a zone is breached Patient Records Financial Systems Video Surveillance Servers 17

Records Financial Systems Application Servers

18 The Elastic Imperative Without Elasticity END-TO-END CONTROL PLANE With Elasticity Patient Records Financial Systems Application Servers Patient Records Financial Systems Application Servers 18

19 Missing a Device Identifier? Open Networking Adapters (ONA) IoT Controller 19

Zone Protects IoT devices Local WLAN Controller

20 Secure Zoning Isolates traffic into encrypted zones Infusion Pump Zone Imaging Zone Financial Transaction Zone Protects IoT devices Local WLAN Controller Filters traffic flows Application Servers IoT Controller 20

21 Elasticity L2 L3 Enables follow-me profiles Requires minimal configuration Offers elastic L2 zones Utilizes onboarding utilities Application Servers IoT Controller 21

22 IoT Intelligence Collect Learns and updates Reports asset utilization Offers programmability Whitelist Profile Update Analyze 22

23 Framework Technologies Implementation 23

24 Implement: Step 1: Prioritize and Scope NIST CSF 7 Step Process Step 7: Implement an Action Plan Step 6: Analyze and Prioritize Gaps Step 2: Orient Step 3: Create a Current Profile Step 5: Create a Target Profile Step 4: Conduct a Risk Assessment Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States. 24

25 Implementation Tiers Risk Informed Partial Repeatable None Adaptive Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States. 25

26 A Summary of How Benefits Were Realized for the Value of Health IT Satisfaction Reduced in time to deploy new services Improved reliability Electronic Secure Data Improved NIST CSF Implementation Tier in both Identify and Protect categories 26

Questions Eric Miller http://www.linkedin.

27 Questions Eric Miller Paul Unbehagen 27

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor, National Institute of Standards and Technology 1 Speaker