CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Transcription

1 CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

2 INFORMATION SECURITY PAINS CISO RESPONSIBILITY WITHOUT AUTHORITY INVENTORY TO MANAGE ALERTS WITHOUT MEANING ASSETS SPREAD ACROSS MULTI-CLOUD, MULTI-SERVICE ENVIRONMENTS LEGACY TOOLS ARE STATIC, VERTICAL & SILOED SERVICES ON BARE METAL, VIRTUAL, CONTAINER, SERVER-LESS M I S A L I G N E D BUSINESS AUTHORITY WITHOUT UNDERSTANDING BUSINESS FUNCTIONS TO MANAGE THREATS WITHOUT CONTEXT BREACHES, & THEIR COST, INCREASING REGULATIONS, & THEIR CONSEQUENCES, INCREASING BUSINESS RISK INCREASING

3 BUSINESS RISK INTELLIGENCE? Security has to connect to the business as it is a business risk. Bringing anomalous business practices into governance brings control. If we can define normal, and reduce the noise', we can operate an effective security service and inform the business of risk that relates to them. Gaining accountability in the business for their behaviours. Embed operational security into IT operations, forming control frameworks that don t inhibit the business.

4 THE PROBLEM Which business function is generating the most RISK? What are my risks? EVIDENCE is needed to validate risk. How do we (IT) engage with the business? What is my SOC missing, why is it so reactive? Are all these threats RELEVANT? Too much tech; not enough budget for one of everything! SECURITY is not just about BAD; how do I know what WRONG is?

5 CLEAR FRAMEWORK TO CATEGORISE AND COMMUNICATE RISK Determine priorities for remediation. Engage with the business to govern risk. Define appropriate response playbook s and SLA s with the business. Inform stage of attack. Identify gaps in visibility and control. Operate a security service that informs business risk.

6 INCIDENT TIMELINE AGAINST KILL CHAIN Data Movement RISK CATEGORIES / KILL CHAIN STAGES User Privilege Brute force attack begins on SERVER-01. Network Communications Software Configurations PC Hunter and SQL installed and run on multiple hosts. BIOS account adds other accounts to various privileged groups. Ransomware Distributed and Executed. Cylance Uninstalled. Account enumeration conducted by SERVICE account. Type 10 and 12 connections from external (Russian and British) IP s. Build SERVER-01 and SERVER-02 exposed to the internet.

7 SMART APPLICATION & CYBER RISK AUDIT GAINING CONTROL - APPROACH

8 NEAR INCIDENT RESPONSE (NIR) I. Continuous improvement. II. III. IV. System Admin priorities. Alerting framework to catch misuse. Benchmarking business functions by risk. V. Reduction of operational risk. VI. VII. Reduction of attack surface. Policy, Controls and Procedures. SECURE BY DESIGN = OPERATIONALLY SECURE If we can help people get control of hygiene, posture and operational risk through the CRA process, we can embed security within IT operations rather than as an overlay.

9 Kill Chain / Risk Categories AUDIT APPROACH - CYBER MATURITY JOURNEY NIST 800 / ISO IDENTIFY PREVENT DEFEND RESPOND RECOVER DATA Tools Movement Access Investigate Restore USER Rights Abuse Credentials Limit ACL NETWORK Anomalies Communications Services Restrict Provision SERVICE RAT Creation Use Control Baseline BUILD Vulnerabilities Exploitation Change Patch Rebuild AUDIT INTERPRET CONTROL REMEDIATE POLICY

10 CRA OUTPUT SMART ANALYTICS The results are delivered through SMART, our interactive analytics tool that packages your data by user, host, business unit, operating system, software versions, risk category etc. to provide valuable insight into current posture and IT Hygiene.

11

12 CYBER RISK AUDIT CRA ENDPOINT CRA NETWORK CRA LIVE SCOPE Endpoint (Workstation & Server) AD Objects (Computer, User & Groups) Anti-Virus Logs Communications (Firewall, IDS, ADDS, DHCP, VPN) AD Authentication Communications External Intelligence CASB Logs OUTPUT Hosts of Interest (HOI) HOI Remediation Posture & Hygiene Remediation Work Packages Policy Remediation & Augmentation Asset Inventory Alerting with context for SIEM/SOC Validation of Current Investments versus Priorities for Security Strategy Behaviours Policy Violations 3 rd Party Risk Anomalies Insider / Misuse Live Data and Analyses Hygiene Work Packages

13 CONTINUOUS IMPROVEMENT & ASSURANCE AUGMENT SOC/SIEM RED TEAM EXERCISES Validation of progress & controls. Security Operations AUDIT to identify risk, determine posture & compromise. REMEDIAL ACTIONS HOI investigation, hygiene & posture activities and good practice. Re-Audit User, Network, Data Movement, Policy Violation. Optional enrichment to monitor behaviour. ALERTING FRAMEWORK to inform on reoccurrence.

14 WIN A FREE CYBER RISK AUDIT Drop your business card at the front for a chance to win

15 ANY QUESTIONS?

16 WHAT IS THE SMART APPLICATION? THE SMART APPLICATION PROVIDES INSIGHT INTO COMPLIANCE POSTURE ASSURANCE STANDARDS HYGIENE