Insurance Academy Event
Drs Ing René Pluis MBA MBI, Cyber Security Lead, Country Digitization Acceleration program the Netherlands
The Hague, Thursday 16 November

Agenda
- Introduction
- Integrated Security Architecture
- BDA: Before, During and After
- System Assurance
- PBD: Privacy By Design

Introduction: Dangerous Times
Jan. 2015, World Economic Forum, Davos, Switzerland

Relentless vs Tireless
Relentless:
- Lack of talent
- Change
- Flooded with products
Tireless:
- Undetected
- Multi-vector and advanced threats

Why defense in depth is BROKEN!
- The current defense-in-depth approach is built on binary detection: known threats are blocked, good files make it through, and unknown threats are passed on to the next system.
- Chain of inspection points: NGFW, NGIPS, email, web, endpoint, router. Single points of inspection have their limitations.

Integrated Security Architecture
Solution: integration. Cisco portfolio unified by threat intelligence.
Diagram labels (no further explanation on the slide): Threat Intel, Event, Policy, Context; Advanced Malware Protection (Cloud, Static & Dynamic Analysis, Threat Score, File Metadata, Threat Grid); Cloudlock; Stealthwatch; Cognitive Threat Analytics; Network Telemetry; Umbrella; ISE; NGFW/NGIPS; ISR/ASR; Meraki; ESA, CES (email); WSA, CWS (web); URL Rep & Cat; Endpoint; Host and Network; Network Attached Controls.
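The slide's point about binary, point-in-time detection can be made concrete. The following Python model is an added example, not Cisco code: a gateway that only compares a file against a blocklist forgets every file it let through, while one that records the trajectory of unknown files can raise a retrospective alert naming the hosts that already received a file when threat intelligence later changes its verdict. The gateway classes, the hashes and the host names are constructed for the example.

```python
from collections import defaultdict


class PointInTimeGateway:
    """Binary detection at a single inspection point: a file is either on the
    blocklist or it is let through, and nothing about it is remembered."""

    def __init__(self, known_bad):
        self.known_bad = set(known_bad)

    def inspect(self, file_hash, host):
        return "blocked" if file_hash in self.known_bad else "allowed"

    def update_intel(self, newly_bad):
        self.known_bad |= set(newly_bad)
        return {}  # no history, so nothing can be alerted on retrospectively


class RetrospectiveGateway(PointInTimeGateway):
    """Same blocking decision, but the trajectory of every file that was let
    through is kept, so a later verdict change can still be acted on."""

    def __init__(self, known_bad):
        super().__init__(known_bad)
        self.trajectory = defaultdict(list)  # file_hash -> hosts that received it

    def inspect(self, file_hash, host):
        verdict = super().inspect(file_hash, host)
        if verdict == "allowed":
            self.trajectory[file_hash].append(host)
        return verdict

    def update_intel(self, newly_bad):
        super().update_intel(newly_bad)
        # Retrospective alert: hosts that already hold a file now known to be bad
        return {h: list(self.trajectory[h]) for h in newly_bad if self.trajectory[h]}


def run_scenario():
    listed = "sha256:1111"   # constructed: already on the blocklist
    unknown = "sha256:2222"  # constructed: no verdict at delivery time
    # constructed delivery events, e.g. attachments reaching internal hosts
    deliveries = [(listed, "hr-01"), (unknown, "hr-01"), (unknown, "fin-02")]

    pit = PointInTimeGateway({listed})
    retro = RetrospectiveGateway({listed})
    initial = {
        "point_in_time": [pit.inspect(h, host) for h, host in deliveries],
        "retrospective": [retro.inspect(h, host) for h, host in deliveries],
    }
    # Later, sandbox analysis or new intelligence declares the unknown file malicious.
    alerts = {
        "point_in_time": pit.update_intel({unknown}),
        "retrospective": retro.update_intel({unknown}),
    }
    # A fresh delivery after the update is blocked by both gateways.
    later = (pit.inspect(unknown, "ops-03"), retro.inspect(unknown, "ops-03"))
    return {"initial": initial, "alerts": alerts, "later": later}


if __name__ == "__main__":
    result = run_scenario()
    print("verdicts at delivery time:", result["initial"])
    print("retrospective alerts after intel update:", result["alerts"])
    print("new delivery after update:", result["later"])
```

Both gateways block the new delivery once the verdict is known; the difference is that only the retrospective one can tell the responder which two hosts already hold the file, which is the "After" part of the BDA model.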
BDA: Before, During and After
Based on Lockheed Martin's Cyber Kill Chain:
Preparation
1. Reconnaissance: harvest information to create an attack strategy and toolset
2. Weaponization: coupling an exploit with a backdoor into a deliverable payload
Intrusion
3. Delivery: delivering the weaponized bundle to the victim via email, web, USB, etc.
4. Exploitation: exploiting a vulnerability to execute code on the victim's system
5. Installation: installing malware on the asset
Active Breach
6. Command & Control: command channel for remote manipulation of the victim's system
7. Actions on Objectives: with hands-on-keyboard access, intruders accomplish

The new security model
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Defend
- AFTER: Scope, Contain, Remediate
Applied across Network, Endpoint, Mobile, Virtual and Cloud; threat intelligence both point in time and continuous.

Cisco Security (Overview)
Incoming threat handled Before, During and After, fed by Talos threat intelligence; delivered as Cisco Cloud, Appliance or Virtual.

Email security controls (diagram)
- Inbound: Reputation, Mail Flow Policies, Acceptance Controls, Anti-Spam, Anti-Virus, File Reputation, Graymail Management, ThreatGrid, Safe Unsubscribe, Content Controls, Outbreak Filters, Anti-Phish, File Sandboxing & Retrospection, Tracking User Click Activity (Anti-Phish)
- Outbound: Outbound Liability, HIPAA, Mail Flow Policies, Anti-Spam, Data Loss and Protection, Anti-Virus, Encryption
- Admin: HQ, Allow, Warn, Management, Reporting, Message Tracking

System Assurance: Secure Boot

Partial Secure Boot (UEFI, Unified Extensible Firmware Interface)
- Signed Bootloader/BIOS validates the Operating System, then launches it
- Nothing validates the BIOS:
  o Susceptible to BIOS rootkits
  o Susceptible to easy modifications in the supply chain or with physical possession

In-depth, Hardware-anchored Secure Boot
- Helps protect against persistent software tampering
- Helps ensure only authentic, signed software boots up on a platform
- Power on: an immutable anchor ensures hardware integrity and key authenticity; the Secure Microloader verifies the Signed Bootloader/BIOS; the Bootloader/BIOS validates the Signed Operating System; the Operating System is launched

Cisco Hardware-Anchored Secure Boot
- Anchors UEFI boot security to hardware
- Resists supply chain and physical possession-based firmware tampering attacks
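To show the difference between the two boot flows on the slide, here is an added Python model; it is not Cisco firmware code. Each stage carries the digest it accepts for the stage it launches, standing in for the signature check a real platform performs, and the immutable anchor holds the digest of the first stage. In the hardware-anchored flow a replaced BIOS fails the microloader's check and the platform halts; in the UEFI-only flow nothing validates the BIOS, so the replaced BIOS runs and then "validates" the operating system as usual. The stage names follow the slide; the images, the digest scheme and the `boot` function are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes        # constructed stand-in for the stage's code
    expected_next: str  # digest this stage accepts for the stage it launches ("" = last stage)


def stage_digest(stage):
    # The embedded expectation is measured together with the code, so a
    # verified stage cannot be silently repointed at a different successor.
    return hashlib.sha256(stage.image + stage.expected_next.encode()).hexdigest()


def boot(chain, anchor):
    """Walk the chain. `anchor` is the digest held by the immutable hardware
    anchor; None models a UEFI-only platform where nothing validates the
    first stage. Returns (booted, log)."""
    log = []
    expected = anchor
    for stage in chain:
        if expected is None:
            log.append(f"{stage.name}: launched without verification")
        elif stage_digest(stage) != expected:
            log.append(f"{stage.name}: digest mismatch, boot halted")
            return False, log
        else:
            log.append(f"{stage.name}: verified")
        expected = stage.expected_next
    return True, log


def scenario():
    os_stage = Stage("Operating System", b"signed-os v1", "")
    bios = Stage("Bootloader/BIOS", b"signed-bios v1", stage_digest(os_stage))
    micro = Stage("Microloader", b"microloader v1", stage_digest(bios))
    anchor = stage_digest(micro)  # fixed in hardware at manufacture
    # Firmware replaced in the supply chain or with physical possession; it
    # still points at the genuine OS so the rest of the boot looks normal.
    tampered_bios = Stage("Bootloader/BIOS", b"bios with rootkit", stage_digest(os_stage))
    return {
        "anchored_clean": boot([micro, bios, os_stage], anchor),
        "anchored_tampered": boot([micro, tampered_bios, os_stage], anchor),
        "uefi_only_clean": boot([bios, os_stage], None),
        "uefi_only_tampered": boot([tampered_bios, os_stage], None),
    }


if __name__ == "__main__":
    for case, (booted, log) in scenario().items():
        print(f"{case}: {'booted' if booted else 'halted'} {log}")
```

The model shows why the slide calls the UEFI-only flow "partial": every check it performs is rooted in a stage that nothing checked, whereas the anchored flow halts at the first stage whose measurement disagrees with what the previous stage expected.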
PBD: Privacy by Design (PbD)
Foundational principles:
- Proactive not reactive; preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality: positive-sum, not zero-sum
- End-to-end security: full lifecycle protection
- Visibility and transparency: keep it open
- Respect for user privacy: keep it user-centric

Privacy Engineering
Privacy Engineering is a discrete discipline or field of inquiry and innovation using engineering principles and processes to build controls and measures into processes, systems, components, and products that enable the authorized processing of personal information.
It is the gathering and application of privacy requirements with the same primacy as other traditional feature or process requirements, and then incorporating, prioritizing, and addressing them at each stage of the development process, project, product or system lifecycle.
Inputs shown on the slide:
- Privacy notices as meta-use case
- Requirements / business plan
- Realistic technology capabilities and limitations
- The creative innovation process to manage increasingly more complex data streams and data sets that describe individual humans
- Economic pressure to create value through efficient sharing/relationship building
- Usability, access and availability for end users of information systems
- Industry standards
- Privacy policy
- Ethical obligations
- Enforceability and compliance
- Local and international legal, jurisdictional and regulatory necessities
- Organisation/business requirements
- Brand identity
- Permission marketing/customer relationship management/business intelligence

Cisco's Approach to Managing Privacy
Understand, Prioritize, Develop, Govern
- Business requirement; Privacy Impact Analysis; kickstart a program; periodic review of capability evolution
- Privacy Program - Assessment and Strategy Development: comprehensive assessment of requirements and development of a program roadmap
- Privacy Compliance Program Support: accelerate development and implementation; transform compliance requirements into a practical program
- Compliance: EU General Data Protection Regulation

Comply with the EU General Data Protection Regulation (GDPR)
For all companies servicing >5000 data subjects in the EU.
Drivers, digital capabilities and offers:
- Be able to sense any security breach or data loss: Network as a Sensor; security analytics, the visibility you need across your entire network
- Protect the data from any unauthorized access or usage: Network as an Enforcer; 802.1-enabled and automated infrastructure, use your network to enforce security policies
- Be able to report any breach with no delay and show the implications: secure policy- and visibility-enabled infrastructure; System of Record, System of Change
Offer mapping with bundles: all kinds of Cisco products, services and designs (bundle 1 and bundle 2)
Insurance Academy Event - Cisco Security Introduction and GDPR
Many LEGO blocks already available:
- Encryption
- Trust systems
- CVD / DIG
- Privacy by design / security by design
- Etc.
Open questions:
- Certification
- Forensic-grade safe keeping