Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security


Learning Objectives
At the end of this presentation, you will be able to:
- Explain the importance of cybersecurity in terms of risk to insurers and cybersecurity's role in future examinations.
- Differentiate between cybersecurity providers, including their product and service offerings.
- Identify the NIST Cybersecurity Framework's 5 main domain areas along with practical applications.
- Identify cybersecurity red flags in examinations and when outside assistance is appropriate.

All Rights Reserved

Agenda
Part I: The Importance of Cybersecurity
- What do Cybersecurity Firms Actually Do?
Part II: NIST Cybersecurity Framework Overview
- With Good & Bad Real Life Examples
Part III: NAIC Thoughts on Cybersecurity
- The Ideal Role for Examiners
- Red Flags for Examiners

Part I: The Importance of Cybersecurity

Why is Cybersecurity Important?
According to the National Institute of Standards and Technology (NIST):
- Cybersecurity events can have significant financial implications
- Can result in administrative costs to enhance cybersecurity
- Can result in significant legal settlements (e.g. paying for identity theft protection, investigation expenses, regulator fines, etc.)
- Can harm an organization's ability to innovate (if not implemented correctly)

Why is Cybersecurity Important? (cont.)
According to NIST:
- Can also have significant implications for policyholders
- "The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation's security, economy, and public safety and health at risk."

Exam Enhancements
NAIC used NIST to enhance Exam Handbook guidance:
- Narrative procedures (2015 & 2016)
- Questionnaire enhancements (2015 & 2016)
- Work program enhancements (2015)
- Conclusions Memorandum (2016)
- Training enhancements (2016 Webinar)

Types of Security Firms
What security firms actually do can be difficult to understand; we get it. At a high level, security firms generally provide either:
- Technology & Security Tools
- Services

Technology & Security Tools
Firms like Palo Alto Networks, Tenable and others focus on creating tools or appliances that detect / block threats or otherwise help security professionals do their jobs well. Examples include:
- Firewalls
- Intrusion Protection Systems
- Intrusion Detection Systems
- Scanners
- Log Collectors
- Endpoint Detection

Service Providers
Service providers focus less on developing technology and more on expertise with strategy, people and processes. Two main types:
- Managed Services: manage IT or services on behalf of clients; highly-focused, specialized, value-added staff augmentation; usually 24x7 and long-term contracts
- Advisory Firms: provide specialized ad-hoc strategic assistance to clients, both proactively and reactively

Managed Services Providers
Managed services providers offer front-line support for a variety of security responsibilities:
- Security Monitoring
- Incident Response
- Tool Management (Firewalls, etc.)
- Vulnerability Identification and Management
- Various other services
Also known as security operations centers (SOCs), they offer differing levels of client integration and are similar to air traffic controllers for security operations.

Advisory
Advisory firms can provide a broad or very narrowly tailored set of security services, generally including the following:
Threat & Vulnerability Management
- Penetration Testing (Network & Applications)
- Social Engineering Testing & Security Awareness Training
- Vulnerability Assessments
Governance, Risk & Compliance
- Security Strategy
- Policy Creation / Documentation
- Audits & Assessments (Risk Assessments, Security Frameworks, Various Audits)
Digital Forensics & Incident Response
- Digital Forensics
- Incident Response

Part II: NIST Cybersecurity Framework Overview

NIST Cybersecurity Framework: Overview & Components
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

Identify
Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
How does the insurer assess, monitor, and manage its cybersecurity exposure?

Identify: Best Practices
- Complete Asset Management: full catalog of physical and logical assets and their relationships
- Cybersecurity Roles and Responsibilities
- Well-Defined Policies, Processes, and Procedures
- Robust Risk Management Process

Protect
Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
How does the insurer use physical and logical access controls to safeguard information? What role does employee training play in the insurer's security program?

Protect: Done Badly
- Poor Visibility: technology is selectively or improperly deployed
- Social Engineering Testing: removing the CEO / CFO / VIPs from the testing sample, or tipping off the organization to the test!
- Executive Sponsorship: not prioritizing information security

Protect: Best Practices
1. Access Control: multifactor authentication
2. Awareness and Training: continuous training program combined with real assessments of employee skills and behavior
3. Data Security: encryption in motion and at rest; Data Loss Prevention (DLP); integrity checking (e.g. Tripwire)
4. Information Protection Processes and Procedures: backups; configuration change control; continuous improvement

Detect
Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Does the insurer have a process or program in place to ensure detection of cybersecurity incidents?

Detect: Red Flags
- Lack of Consistent Monitoring: no internal or external team in charge of monitoring threats or responding to incidents. Incident management processes should be consistent, repeatable and sustainable.
- Alert Backlog: many breaches (Target) have resulted not from a new breed of malware, but from ignoring the alert from the security tool that detected it.
- Lack of Tuning / Use: a lot of security tools are dramatically underutilized due to a lack of qualified engineers, proper configuration settings, unfamiliarity, or all of the above. Today's security tools generally do a good job; greater gains can be made in squeezing out efficiencies vs. chasing shiny new security tools. A low or non-existent level of reporting / alert activity across certain appliances can signify problems.

Detect: Best Practices
- Anomalies & events are monitored 24x7
- Logs are configured and aggregated
- Correlation of events
- Alerting
- Action and resolution is documented and communicated to key stakeholders
- Vulnerability scans are performed regularly
- Continuous improvement of Protect processes
- Penetration testing

Respond
Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
How would the organization contain and mitigate a cybersecurity incident? Does the organization have a process in place to learn from incidents?
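The two Detect red flags above (an alert backlog nobody actions, and appliances whose alert activity has gone quiet) and the aggregate-correlate-alert-document practices on this slide, as an added Python example that is not part of the original deck; the appliance names, alert records, the 24-hour SLA and the 3-day silence window are constructed assumptions:

```python
# Added example (not from the NAIC / Rook Security deck): a small audit over
# constructed SIEM-style alert records that surfaces the two "Detect" red
# flags the slides describe. All appliance names and records are made up.
from datetime import datetime, timedelta

# Constructed alert feed: (timestamp, source appliance, severity, status).
# Status stays "open" until an analyst documents action and resolution.
ALERTS = [
    ("2018-03-01T08:02:00", "fw-edge-1",  "high",   "closed"),
    ("2018-03-01T09:15:00", "ids-dc-1",   "medium", "open"),
    ("2018-03-02T11:40:00", "ids-dc-1",   "high",   "open"),
    ("2018-03-03T14:05:00", "fw-edge-1",  "low",    "closed"),
    ("2018-03-04T16:30:00", "edr-agents", "high",   "open"),
    ("2018-03-05T10:00:00", "fw-edge-1",  "medium", "closed"),
]
# Every appliance that should be reporting, including one ("waf-web-1")
# that appears in no alert at all, which is the "non-existent activity" case.
EXPECTED_SOURCES = ["fw-edge-1", "ids-dc-1", "edr-agents", "waf-web-1"]
NOW = datetime.fromisoformat("2018-03-06T09:00:00")  # assumed audit time

def parse(record):
    ts, source, severity, status = record
    return datetime.fromisoformat(ts), source, severity, status

def alert_backlog(alerts, now, sla_hours=24):
    """Open alerts older than the SLA: the 'ignored alert' red flag."""
    cutoff = now - timedelta(hours=sla_hours)
    return sorted(
        (source, ts.isoformat(), severity)
        for ts, source, severity, status in map(parse, alerts)
        if status == "open" and ts < cutoff
    )

def silent_sources(alerts, expected, now, window_days=3):
    """Expected appliances with no alert inside the window: low or absent
    alert activity can mean a broken, mis-tuned or unused tool."""
    cutoff = now - timedelta(days=window_days)
    seen = {source for ts, source, _, _ in map(parse, alerts) if ts >= cutoff}
    return sorted(set(expected) - seen)

def detect_report(alerts, expected, now):
    """Summarise both checks so findings can be documented and communicated
    to stakeholders, as the Detect best practices call for."""
    backlog = alert_backlog(alerts, now)
    return {"backlog_count": len(backlog),
            "backlog_high": sum(1 for _, _, sev in backlog if sev == "high"),
            "silent_sources": silent_sources(alerts, expected, now)}

if __name__ == "__main__":
    print(detect_report(ALERTS, EXPECTED_SOURCES, NOW))
```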

Respond: Case Studies
- Recovered Laptops
- CFO Embezzlement
- Ransomware

Recover
Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
How will the organization manage its reputation following an incident?

Recover: Best Practices
- Recovery Planning: an incident response plan includes detailed recovery processes
- Improvement: identify real areas for change that remediate the actual security gaps that caused an incident. Spear phishing was the cause? Invest in security awareness training and testing.
- Communication: the entire organization (not just IT) needs to respond to an incident cohesively across all customer touchpoints: PR, marketing, in-store, regulatory, sales, etc. Honesty and transparency are the best policies.

Part III: NAIC Thoughts on Cybersecurity

Future Cybersecurity Enhancements
- When the Cybersecurity Model Law is passed (if?), the IT Examination Working Group will consider whether further Handbook revisions are needed.
- The Model Law, in its current form, would set a number of Information Security Program requirements.

Future Cybersecurity Enhancements (cont.)
The Handbook may also be enhanced as:
- Regulators identify best practices through breach investigations, discussions with other regulators (e.g. Federal / International counterparts), and routine financial exams
- The NIST Framework is updated (in process)
- Other third-party publications identify best practices (e.g. Verizon Data Breach Investigations Report, etc.)

What Should Insurers Be Doing?
There are lots of approaches to what makes a good security program. Insurers should have some discretion based on their size, but generally should include a mix of the following:
- Adopt a relevant, guiding information security control framework and adhere to it: NIST, SSAE16, ISO, HIPAA, CIS, etc.
- Perform regular risk and control security assessments
- Conduct internal and external penetration testing (network and applications)
- Have a robust incident response policy and processes
- Conduct security awareness training and test its effectiveness regularly
- Have 24x7 security monitoring in place (internal or outsourced)
- Have a CIO / CISO and a dedicated security team (internal or outsourced)
- Conduct regular vulnerability scanning and patching

Recognizing Red Flags in Exams
- Not conducting regular assessments or penetration / vulnerability testing (internally or third-party)
- Frequency of testing / scanning is not commensurate with insurer size or budget
- Not adopting a guiding security framework like NIST / ISO, or even something custom or homegrown
- People, systems, applications taken out of scope during testing or assessments
- Lack of officers dedicated to security and / or privacy (size-dependent)
- Alerts from security tools are not monitored and / or actioned, or only infrequently
- Lacking an incident response plan and / or its testing

Prioritizing Insurers for Greater Focus
It's OK to have different expectations for insurers of varying size (Anthem vs. Buffalo Municipal Workers Life). Insurers that could be worth a closer look:
- Have experienced a breach previously
- Are combining operations with another carrier (e.g. merger / acquisition)
- Large policy volume
- Nature of operations and underlying data (health or cyber insurance vs. automotive)

Relying Upon Third-Party Security Reports
- Examiners sometimes encounter third-party IT security reports
- However, these reports can be difficult to understand, interpret and challenge, especially for non-IT people
- Third-party reports have the most value when the goal, scope, and outcome of the report are understood
- Attestation vs. Assessments. Example: PCI Assessment

When to Raise Your Hand
Just like assistance on certain actuarial or reinsurance topics, it's OK to consider help from outside IT security experts for:
- Lack of security expertise for assessments
- Evaluation of third-party reports
- Ensuring operational effectiveness of controls by performing penetration testing, vulnerability assessments, etc.
- Investigation / follow-up on any areas of concern that might require a deeper technical skillset (e.g. forensics)
IT security firms do this work every day and can efficiently and quickly perform assessments and determine the validity / reliability of third-party reports.

Q&A

Thank You!
Miguel Romero - NAIC
David Gunkel & Dan Ford - Rook Security