Cybersecurity Fortification Initiative (CFI) infrastructure whitepaper

Recently, the Cybersecurity Fortification Initiative (CFI), launched by the Hong Kong Monetary Authority (HKMA), has been a hot topic in the Hong Kong banking industry, and financial institutions are working hard to comply with it. During the exercise, financial institutions go through a cycle that Deloitte defines as Secure, Vigilant and Resilient to ensure the requirements are being addressed. However, it is also important to look at it from the operational side, by implementing the necessary controls and technologies.

Technology Risk Framework

Deloitte's technology risk framework incorporates key cybersecurity areas and is built on industry leading practices and regulatory expectations. It allows our clients to take stock of their current capabilities to manage cyber security risk.

[Figure: Deloitte's Technology Risk Framework. The text of the diagram is summarised below.]

Inputs:
- Industry standards: ISO (1) 27001/2, NIST (2) cybersecurity framework, global privacy and data protection laws, ITIL (3)
- Leading practices: recognized information security leader, project / engagement experience, published industry research
- Threat landscape: Who might attack? What are they after? What tactics will they use?
- Strategic organizational approach; actionable threat intelligence

The three phases of the framework:
- Secure: enhance risk-prioritized controls to protect against known and emerging threats, and comply with industry cybersecurity standards and regulations.
- Vigilant: detect violations and anomalies through better situational awareness across the environment.
- Resilient: establish the ability to quickly return to normal operations and repair damage to the business.

Business objectives: growth / innovation, operational efficiency, brand protection, risk-based decision making, compliance, client service delivery.

Operating model components:
- Governance & Oversight: the organizational structure, committees, and roles and responsibilities for managing information security
- Policies & Standards: expectations for the management of information security
- Processes: processes to manage risks in information security risk management and oversight
- Tools & Technology: tools and technology that support the risk management lifecycle and the integration of risk with the cyber risk domains
- Risk Metrics & Dashboard: reports identifying risks and performance across information security domains, communicated to multiple levels of management

Cyber risk domains:
- Secure: 1. Risk & Compliance; 2. Identity & Access; 3. Data Protection & Business Security; 4. Infrastructure Security; 5. App Security & Secure SDLC; 6. Asset; 7. Third Party Risk; 8. Physical Security
- Vigilant: 9. Vulnerability; 10. Threat Intelligence; 11. Security and Threat Monitoring; 12. Cybersecurity Operations; 13. Predictive Cyber Analytics; 14. Insider Threat Monitoring
- Resilient: 15. Crisis; 16. Resiliency & Recovery; 17. Cyber Simulations; 18. Incident Response & Forensics

1 International Organization for Standardization
2 National Institute of Standards and Technology
3 Formerly known as the Information Technology Infrastructure Library

As used in this document, Deloitte means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

The network is the fundamental element of the business environment, and securing it should be treated as a priority. Network segmentation can improve the cybersecurity posture by reducing both the likelihood and the impact of cyberattacks. By taking a pragmatic approach to introducing network segmentation, financial institutions can minimize business disruption and reap benefits such as limited exposure after an intrusion and reductions in lost productivity, remediation costs, and reputational damage from actual loss of personally identifiable information (PII) or financial data. As part of a layered security philosophy, network segmentation enables financial institutions to survive intrusions and minimize or even prevent successful data breaches, which in the end allows a speedy return to business as usual.

Network segmentation

Network segmentation is a "tried and true" technique that has been implemented through the years to address an assortment of issues in IT infrastructure environments. Network segmentation improves the availability of the entire network by localizing the impact of faults when they do occur. Extending this concept to cybersecurity, network segmentation can restrict lateral movement of malware or malicious actors if or when a PC or server is compromised: the attacker is contained to a localized portion of the network, which minimizes the opportunities to find valuable information or resources. Network segmentation is a key element in a layered defense model for cybersecurity. However, it requires collaboration among business and technology leadership in order to be adopted across an organization.

Current state

In spite of the near-universal consensus on the value of network segmentation for an improved cybersecurity posture, actual implementations are still rare on internal networks. Many financial institutions have essentially "flat" networks as far as security is concerned. This puzzling inconsistency between the mindset and the practice of network segmentation is actually easy to explain. For many years the primary concern was to protect the network perimeter: the outside was "dirty", the internal network was "clean", and the objective was simply to keep undesirable traffic out. Moreover, there was, and still is, incomplete knowledge of the applications and traffic flows inside the network, which has necessitated an open internal network so that communications can occur freely in support of business applications. This places too much reliance on the legacy controls at the network perimeter of the financial institution, which are not entirely effective against the sophisticated attacks of today.

Challenges to reach the desired state

Financial institutions have complex networks that encompass remote offices, retail branches, campus sites, third-party partners and e-commerce environments, and there are legitimate concerns over introducing internal network segmentation for cybersecurity:
- Incorrect or incomplete identification of required traffic flows would lead to disruptions of business applications.
- Properly implementing network segmentation in a "brownfield" environment is a significant undertaking that requires cooperation from stakeholders in the security, application development, network, compute, storage and business functions.
- A governance process for new or modified applications is required to sustain the segmentation. Security policies must be updated as traffic patterns change through movement of infrastructure components, modifications to the applications themselves, or the introduction of new applications.
- There is a cost in both capital and operating expenses for the initial deployment of segmentation gateways as well as for the ongoing management of those devices.

Business drivers

Perimeter network security alone is not completely effective against the increasing sophistication of advanced persistent threats and the multiple attack vectors facing financial institutions. In spite of the challenges associated with network segmentation, there are some key business drivers in support of it:
- Minimize the time, effort, and resources associated with audits (e.g., PCI DSS) by reducing their breadth through compartmentalizing related resources on the network.
- Limit exposed resources to constrain cyber attackers' ability to find critical data or intellectual property even if they gain a foothold in the network.
- Prevent the movement of malware from end-user systems to more sensitive systems and data center resources.
- Supplement the capabilities of perimeter security controls with another layer of defense on the interior of the network.
- Avoid or minimize the lost productivity, remediation costs, credit monitoring costs, reputational damage, and class-action lawsuits in the aftermath of data breaches.

Mechanics of network segmentation

Network segmentation cannot be achieved in a vacuum. The involvement of stakeholders across multiple disciplines, including application architects, network architects, business application owners and information security personnel, is essential. Together, this cross-functional team needs to take several steps to actually segment the network:
1. Identify applications, including their traffic flows and dependencies.
2. Architect the segmented network.
3. Construct security policies.
4. Enable additional security capabilities.
5. Continuously monitor and update.

Practical approaches

Implementing network segmentation is a non-trivial effort in an existing environment. However, this should not deter a pragmatic approach to adopting some degree of segmentation in the internal network. The ideal would be to achieve a "Zero Trust" network, as defined by Forrester (4). Every organization will need to determine how much network segmentation is appropriate for its situation. With that in mind, here are some practical considerations for introducing this concept to an internal network:
- Select low-risk environments as proofs of concept. Compartmentalizing all servers used for an application test environment would bring minimal risk to the overall business.
- Deploy initially in locations with easier physical or topological considerations. The access layer of the network, where end users reside, only transports data required by that population.
- Separate the data center from the portions of the network where end users reside. This essentially provides north-south controls over traffic from the entire user population to the services in the data center.
- Leverage cloud initiatives to segment resources. New private or public cloud projects provide an ideal opportunity to impose controls over application and data flows into and out of those environments.
- Prioritize which data and workloads to segment. Any portions of the network that warrant special consideration due to audit or regulatory concerns should be prioritized.
- Establish governance for new applications or modified workloads. Visibility into new or changing traffic patterns is required to adjust the security policies accordingly.

4 Build Security Into Your Network's DNA: The Zero Trust Network Architecture, https://www.forrester.com/report/build+security+into+your+networks+dna+the+zero+trust+network+architecture/-/e-res57047
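The first three steps above (identify flows, architect the zones, construct the policy) and the disruption risk raised under "Challenges to reach the desired state" can be exercised on real flow exports before any rule is enforced. The Python below is an added example written for this page; it is not code from the whitepaper, Deloitte or Palo Alto Networks. The zone ranges, the permitted zone adjacency and the flow records are constructed for illustration; a real run would load them from IPAM, the CMDB and a NetFlow/IPFIX collector. It builds the observed inter-zone flow matrix, turns it into allow rules only for the zone pairs the target architecture permits (here the north-south user-to-data-center path and the app-to-database path), sets aside every other observed flow for review, and reports which observed flows a candidate policy would drop.

```python
"""Derive and validate a zone-based segmentation policy from observed flows.

Added example, not code from the whitepaper. Zone ranges, adjacency and flow
records are constructed for illustration; a real run would load them from
IPAM, the CMDB and a NetFlow/IPFIX collector.
"""
import ipaddress
from collections import Counter

# Constructed zone map: CIDR -> zone name.
ZONES = {
    "10.10.0.0/16": "users",   # access layer where end users reside
    "10.20.1.0/24": "app",     # data center application tier
    "10.20.2.0/24": "db",      # data center database tier
    "10.30.0.0/24": "test",    # low-risk test environment (proof of concept)
}

# Zone pairs the target architecture permits: north-south users -> app,
# and app -> db inside the data center. Everything else is default deny.
ADJACENCY = {("users", "app"), ("app", "db")}

# Constructed flow records, "src dst proto dport", as a collector would
# summarise them. The last line is a workstation talking straight to the
# database, the kind of path segmentation is meant to cut.
FLOWS = """\
10.10.4.21 10.20.1.10 tcp 443
10.10.4.22 10.20.1.10 tcp 443
10.20.1.10 10.20.2.5 tcp 1433
10.20.1.11 10.20.2.5 tcp 1433
10.10.4.21 10.10.4.22 tcp 445
10.30.0.5 10.30.0.6 tcp 8080
10.10.4.30 10.20.2.5 tcp 1433
"""

NETWORKS = [(ipaddress.ip_network(c), z) for c, z in ZONES.items()]


def zone_of(ip):
    """Return the zone containing ip, or 'unknown' if no range matches."""
    addr = ipaddress.ip_address(ip)
    for net, zone in NETWORKS:
        if addr in net:
            return zone
    return "unknown"


def parse_flows(text):
    """Parse flow lines into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, proto, dport = line.split()
        flows.append((src, dst, proto, int(dport)))
    return flows


def flow_matrix(flows):
    """Count inter-zone flows keyed by (src_zone, dst_zone, proto, dport).
    Intra-zone traffic is skipped: a gateway between zones never sees it,
    so it cannot be controlled at this granularity."""
    matrix = Counter()
    for src, dst, proto, dport in flows:
        s, d = zone_of(src), zone_of(dst)
        if s != d:
            matrix[(s, d, proto, dport)] += 1
    return matrix


def derive_policy(matrix, adjacency):
    """Turn the observed matrix into allow rules for permitted zone pairs.
    Observed flows between non-adjacent zones are returned separately for
    review: either an undocumented dependency or lateral movement."""
    allow, review = [], []
    for (s, d, proto, dport), seen in sorted(matrix.items()):
        rule = {"from": s, "to": d, "proto": proto, "dport": dport, "seen": seen}
        (allow if (s, d) in adjacency else review).append(rule)
    allow.append({"from": "any", "to": "any", "action": "deny"})  # default deny
    return allow, review


def policy_gaps(policy, flows):
    """Return observed inter-zone flows the policy would drop. This is the
    business-disruption check to run against a window of real flow data
    before the default-deny rule is switched on."""
    allowed = {(r["from"], r["to"], r["proto"], r["dport"])
               for r in policy if r.get("action") != "deny"}
    gaps = []
    for src, dst, proto, dport in flows:
        s, d = zone_of(src), zone_of(dst)
        if s != d and (s, d, proto, dport) not in allowed:
            gaps.append((src, dst, proto, dport))
    return gaps


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    allow, review = derive_policy(flow_matrix(flows), ADJACENCY)
    for rule in allow:
        print("deny " if rule.get("action") == "deny" else "allow", rule)
    for rule in review:
        print("REVIEW", rule)
    print("flows the policy would drop:", policy_gaps(allow, flows))
```

Deriving a policy purely from observed traffic whitelists whatever is happening today, including an attacker's lateral movement, which is why the adjacency check is kept separate from the observation. A flow in the review list is either an undocumented dependency to bring under the governance process, or traffic the segmentation gateway should cut; the gap check is the disruption test to run, over a representative window of flow data, before enforcing the default-deny rule.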

Conclusion

Network segmentation has been a boon to network performance and availability over the years, enabling effective use of business applications. In a cybersecurity context, network segmentation protects financial institutions from being completely exposed after an initial penetration by malicious actors: containing the intrusion to a portion of the environment reduces the overall risk to the institution. Implementing network segmentation across the entire estate is a major undertaking. However, a practical approach that introduces it in a controlled and strategic manner, consistent with the institution's overarching security architecture, will minimize potential business disruption. Network segmentation adds another layer of protection that partitions the enterprise network into manageable, secure segments to reduce the attack surface, limit data exfiltration, and reduce the scope of audits and compliance. Deloitte and Palo Alto Networks, which has played an important role in providing cyber threat intelligence and helping many financial institutions prevent breaches, together offer one of the best choices with which to engage. Beyond network segmentation, this partnership can provide additional solutions to elevate the cybersecurity posture of your financial institution.

Deloitte and Palo Alto Networks

Thomas Lee, Partner, Risk Advisory, Deloitte China. Tel: +852 2852 1931. Email: thomalee@deloitte.com.hk
Wickie Fung, General Manager, Hong Kong & Macau, Palo Alto Networks. Tel: +852 9644 8330. Email: wfung@paloaltonetworks.com
Stephen Chan, Director, Risk Advisory, Deloitte China. Tel: +852 2238 7346. Email: stchan@deloitte.com.hk
David Wong, Regional Sales Manager, Palo Alto Networks. Tel: +852 9106 9906. Email: dwong@paloaltonetworks.com

About Deloitte Global

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms. Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries and territories, bringing world-class capabilities, insights, and high-quality service to address clients' most complex business challenges. To learn more about how Deloitte's approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

About Deloitte China

The Deloitte brand first came to China in 1917 when a Deloitte office was opened in Shanghai. Now the Deloitte China network of firms, backed by the global Deloitte network, delivers a full range of audit & assurance, consulting, financial advisory, risk advisory and tax services to local, multinational and growth enterprise clients in China. We have considerable experience in China and have been a significant contributor to the development of China's accounting standards, taxation system and local professional accountants. To learn more about how Deloitte makes an impact that matters in the China marketplace, please connect with our Deloitte China social media platforms via www2.deloitte.com/cn/en/social-media.

About Palo Alto Networks

Palo Alto Networks is the next-generation security company, maintaining trust in the digital age by helping tens of thousands of organizations worldwide prevent cyber breaches. Our innovative security platform with game-changing technology natively brings network, cloud and endpoint security into a common architecture. By doing this, we safely enable applications, users and content; deliver visibility, automation and control; and detect and prevent threats at every stage of the attack lifecycle, so organizations can securely and efficiently move their businesses forward.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively the "Deloitte Network") is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. 2017. For information, contact Deloitte China. CQ-098EN-17