Defense in Depth Security in the Enterprise
Mike Mulville, SAIC Cyber Chief Technology Officer
MulvilleM@saic.com
Agenda
- The enterprise challenge: threat, vectors, and risk
- Traditional data protection measures
- Expanded threat protection
- The road forward
- Conclusions / discussion
The challenging security question: critical data loss
Sample headlines:
- Social engineering
- Computer stolen with data on 800,000 doctors
- Payment systems hacked, 100M accounts
- Missing: records of 76M veterans
- Security breach exposes nearly 600,000 customers
- Computer hacked at university: data of 236,000 women in mammogram study taken
- Hack attack breaches 160,000 files (major university)
- Former Federal Reserve Bank of New York IT worker charged with theft
- Virginia loses data on 100,000 students on unencrypted flash drive
Threats and vectors
[Chart: threat vectors versus impacts]
- Internal threats have the largest impact and risk, followed closely by partners
- Perimeter threat vectors are still important and still a challenge in the enterprise
- Insider attack vectors have a larger impact on organizations
Statistical data from: Verizon 2008 Data Breach Investigations Report
Traditional approach
- Perimeter defenses (firewall and intrusion detection systems)
- Limited internal or partner security measures
- Best practices and policies spotty or missing
- Unknown risk posture
- Limited or no monitoring of perimeter devices
- Little understanding of the total context of events
- Workforce not educated in security awareness
Even with these defenses, sensitive data continues to escape the enterprise.
Perimeter defenses
- Limited protection points: common gateways
- Protection applied at aggregation points
Remaining exposed and impacted targets
- Multiple access vectors impacting targets
- Seeking high-value critical and sensitive data
- Larger exploit surface
Expanded threat protection beyond the perimeter
[Diagram; elements:]
- Security policies (ISO 27001/7799; COBIT; FIPS)
- Data availability
- Data encryption: data at rest, in motion, in use
- Incident response and remediation processes
- Disruption
- User awareness training
- Best practices (ITIL, business continuity, event management, incident response)
- Data protection
- Configuration and asset control
- Specific device/system threats (e.g. energy SCADA; health; education)
- Security control
COBIT is a registered trademark of the Information Systems Audit and Control Association in the U.S. and/or other countries. ISO is a registered trademark of the International Organization for Standardization in the U.S. and/or other countries. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
The road forward
- A layered defense is the best approach: humans, applications, data, operating systems, networks, physical inspections
- Use defense in depth security
- Identify your potential issues before they happen
- Understand your systems before an incident
- Work with appropriate agencies, associations, and policy groups
- Address protecting the data: data lifecycle management
Mitigating the risks
Data
- Encryption of data in motion
- Encryption of data at rest
- Monitoring data stores (database IDS)
- Data loss protection
- Access / identity management
Hosts
- Endpoint security (NIDS, AV)
- Patching
- Data loss protection
- Security platform monitoring
- Asset & change management
Network / perimeter
- Web application & vulnerability scanning
- Firewalls, IDS/IPS, web application firewalls
- Data inspection
- Data loss protection
- 24x7 security monitoring (SOC)
- Content filtering
- VPNs
Policies
- Implement a security policy
- Assess and rank the security measures implemented against the security policy
- Establish a security risk baseline
- Identify gaps and weaknesses
- Assign and track remediation steps
- Self-audit controls and track metrics
Mitigating the risks
Staff
- User awareness training
- Annual security policy training
- Background checks
- Incident management
Applications
- Application code review
- Configuration management
- Access control
Physical
- Surveillance
- Entry logs & review
- Access list reviews
- Access approvals
- Physical security controls
Reporting
- Metrics
- Audit tracking of controls
- Reduction of incidents
- Reporting of incidents
- Tracking against the risk management plan
Questions?
Michael Mulville, SAIC Cyber CTO
MulvilleM@saic.com
703-676-8381