Upload
dior
View
28
Download
0
Tags:
Embed Size (px)
DESCRIPTION
www.oasis-open.org. OASIS International Cloud Symposium October 11, 2011 London, England. Agenda. Introduction to IT-ISAC. Drivers to the Cloud. Risk Management and Collaboration. Current Threat Environment. Cloud Considerations. IT-ISAC Mission. - PowerPoint PPT Presentation
Citation preview
OASIS International Cloud SymposiumOctober 11, 2011London, England
www.oasis-open.org
Agenda
2
Introduction to IT-ISAC
Drivers to the Cloud
Current Threat Environment
Cloud Considerations
Risk Management and Collaboration
IT-ISAC Mission
Share: Report, exchange, and analyze across the IT sector information on electronic incidents, threats, vulnerabilities, solutions and countermeasures, best security practices, and other protective measures;
Trust: Establish a mechanism for systematic and protected exchange and coordination of information and trusted collaboration; and
Lead: Provide thought leadership to policymakers on cyber security and information sharing issues.
What we do Facilitate Analyst to Analyst Collaboration: SIGS and AGs
are member driven and bring together subject matter experts from member companies. Join the analysts from some of the world’s leading IT companies.
Enhance Situational Awareness: Analytical products from SIGs and AGs are distributed throughout the IT-ISAC membership. Together, these topic specific products provide members with the latest threat analysis on key security and business topics.
Support International Response: An effective global response and analytical capability provides for more timely alerting and incident response.
Who We Are
Foundation MembersBAE Systems, IT
CA, Inc.
Cargill, Inc.
CSC
eBay
HP
IBM
Intel Corporation
Oracle USA, Inc.
SRA International
Symantec Corp.
Verisign, Inc.
Silver MembersAfilias, USA
Cisco Systems, Inc.
Juniper Networks
NeuStar
Bronze MembersAT&T
GE
Lockheed Martin Corporation
Microsoft Corp.
Prescient Solutions
SAP Labs
Drivers to the Cloud More complex threat environment, more devices to secure, and
more complicated infrastructures increases the complexity of securing networks and data
Economic downturn constrains budgets Forrester reports IT Security Budgets relatively steady from
2010 – 2011 despite increase threat Cloud Computing has potential to drive down IT Security and
Business continuity Gartner: Cloud Services Revenue expected to be $148 billion in
2014, up from $68.3 billion on 2010
Forrester Source: http://www.eweek.com/c/a/Security/Security-Spending-Priorities-for-2011-to-Include-Firewalls-Blocking-Tools-650650/
Gartner Source: http://www.cioupdate.com/news/article.php/3889106/Cloud-Services-Market-Seeing-Explosive-Growth.htm
Exponential Malware Growth
According to Symantec Corporation: 2002: 20,000 malicious signatures 2010: 286 million unique variants of malware 600,000 variants per day!!
According to McAfee: 2001: 9,000 individual pieces of malware 2010: More than 20 million new pieces of
malware 2011: First half more than 12 million unique
malware samples (Busiest ever 6 month period).
Mobile Threats As use of mobile devices increase, so does
the number of malware targeting mobile devices
McAfee reports malicious activity up 46% from 2009 – 2010
Q1 2009: 600 pieces of mobile malware Q2: 2011 1,200 pieces of mobile malware
Symantec reported a 42% increase in mobile operating system vulnerabilities from 2009 - 2010
Economic Costs Symantec estimates total economic loss globally at $388 billion
per year.
RSA attack cost it $66 million
Epsilon data breach estimated to cost $225 million
Symantec Source: http://www.symantec.com/about/news/release/article.jsp?prid=20110907_02
RSA Source: http://www.washingtonpost.com/blogs/post-tech/post/cyber-attack-on-rsa-cost-emc-66-million/2011/07/26/gIQA1ceKbI_blog.html
Epsilon Source: http://www.btobonline.com/article/20110502/EMAIL04/305029957/epsilon-data-breach-damage-could-hit-225m#seenit 9
Key Problem
Industry and Government do not view risks in the same way. Therefore, it is
difficult to develop a common understanding on appropriate
measures and strategies.
Industry View
Manage and accept certain risk Cyber security is managed as a business risk, not a national
security concern
Balance security spending against other business costs
Money spent on cybersecurity cannot be spent on marketing
Lines of responsibility are clearly defined Accountable to shareholders and customers
Government View Tries to eliminate risk
National security risks differ from business risk
Generally have a zero tolerance for risk, especially concerning the private sector
Claims private sector “is not doing enough”
Lines of Responsibility not well defined Agency heads, Department heads, Agency CIO,
Department CIO, Legislative committees etc.
Corporate Risk Management Identify, prioritize and protect key IP and data
Migrating to the Cloud should be part of an overall business strategy
Promote security as an integral component of business, not a cost of business
Institutionalize security into all aspects of company
Engage, and encourage your cloud providers to engage, in forums that enable trusted information sharing to identify common threats and mitigation techniques
National Risk Management
2009 IT Sector Risk Assessment Identify 6 IT Sector “Critical Functions” Develop “attack trees” to identify risks to
those functions Examine capabilities needed to
successfully disrupt the function Consider mitigation activities Creates a national sector Risk Assessment
Cloud Security Considerations The Cloud can reduce security costs but is also becoming a
huge target— the cloud provides a “one stop shop” for threat actors
Cloud providers have been successfully attacked
Legally complex environment Who owns incident management: the customer or the provider? What information can be shared across national borders?
What forums exist for cloud providers to share incident and threat information and mitigation strategies
Defense cannot be done in isolation Should SLAs require providers to participate in ISACs or with
National CERTs?
How to move forward? Understand industry and governments’ risks perspectives are not
the same Recognize business and national security interests are not the same
Build common situational awareness Actively share and collaboratively analyze threat information within
industry, between industry and government, and across national borders Use purchasing power to require vendors to actively participate in
information sharing forums. Link national CERTs and sector ISACs
Prioritize what needs to be protected Focus on areas where we have common security concerns and needs
IT-ISAC Operations Construct Shifting focus from vulnerabilities to threats and
indicators Companies need more timely, high-quality, analyzed information
on threats Better leveraging global networks of members to create
enhanced situational awareness Develop internal communities focused on specific issues
of common interest Aggregate analysis from communities of interest to provide
greater depth and breadth to members Broadening scope and membership internationally
Cyber by nature is international, so we need an international capability
Conclusion We’re operating in a new environment and still do not
understand all the risks The threat is changing more quickly than a regulatory environment can
address
The Cloud is already being attacked As more data moves to the cloud, we’ll see more attacks on the cloud
International collaboration is essential, but we need to prioritize Leverage ISACs and CERTs to share and analyze threat information
and incident indicators Link CERTs and ISACs to build a global incident response
capability
Scott C. Algeier
Executive Director, IT-ISAC
+1 703-385-4969
www.it-isac.org
Thank You!!