Security and Compliance Manish Sethi Head Security Solutions Datacraft

Page 1: Security and Compliance Manish Sethi Head Security Solutions Datacraft

Security and Compliance

Manish Sethi, Head Security Solutions, Datacraft

Page 2

Agenda

1. Security Today
2. Disappearing Boundaries
3. Compliance Landscape
4. Challenge to Compliance
5. Why Security Metrics
6. Automation of Compliance
7. The dashboard approach

Page 3

Disappearing boundaries: from castles before … to airports today …

[Diagram: The Bank at the centre, linked to the parties below]

• Another enterprise
• Outsourcing
• Agency agreements
• Consultants
• Trusted relationships
• Collaboration
• Technology partnerships
• Joint ventures

Page 4

Source: Dimension Data CxO Assessment

Consistent mistakes

1. Equating compliance with security
2. Failure to track key security metrics
3. Authorising reactive short-term fixes
4. Failure to protect laptop and home computers
5. Failure to institute effective change management
6. Failure to implement a defence-in-depth strategy
7. Failure to implement a vulnerability management strategy
8. Failure to get executive support for your security program
9. Failure to realise that traditional perimeter security is dead
10. Underestimating the costs of “catching up when the need arises”
11. Failure to recognise the importance of security awareness programs
12. Thinking that security is in the scope of your outsourcing contract
13. Assigning untrained people in an unorganised fashion to maintain security
14. Thinking that security is only a technology or IT department problem
15. Thinking that “we can’t be held legally liable for lax information security”
16. Failure to understand the relationship of IT security to the business process
17. Failing to realise the value of their information and organisational reputation
18. Failure to realise that viruses, spam and spyware are a business continuity (BC) issue and not just a nuisance

Page 5

Security landscape – Attack dynamics

[Chart: Attack targets, 0–50% – Operating systems, E-mail, Known applications, Unknown applications]

[Chart: Attack types, 0–100% – Spyware, Viruses and worms, Phishing, DoS, Web scripting]

14,000 schemes launched each month, with a 5% hit rate

New targets: hackers are looking beyond the operating system to gain access to computers, and they're increasingly targeting Web browsers, e-mail clients and other applications and client software.

Vulnerabilities have been discovered recently in Apple Computer's iTunes, RealNetworks' RealPlayer, Microsoft's Internet Explorer, Mozilla Foundation's Firefox, various Oracle applications, enterprise data-backup software from Computer Associates and Veritas, and Cisco’s IOS.

Page 6

Regulations: Financial Institutions, Insurance

Operational risk management, fraud detection and anti-money laundering are major areas of concern.

Some of the key drivers for IT compliance in banks:

• Internet Banking
• Electronic Clearing Services (ECS)
• E-Services – bill payment, online purchase through debit / credit cards
• Stringent Basel II, made mandatory by RBI, to be implemented by 2007
• SEBI has been issuing various guidelines to enterprises to ensure compliance with SEBI Clause 49

Page 7

Impact

Impact of non-compliance – severe penalties:

• Monetary penalties
• Company liabilities
• Personal liabilities (responsibility of the individual)
• Reduction in compatibility (level of compliance) as compared to peers (competitors)
• Processes & procedures interaction
• Information exposure
• Ability to meet litigation demands
• Company reputation and market (business) at stake

Page 8

Key to success – frequent auditing

Success factors                  Laggards (23%)   Norm (67%)   Leaders (10%)
Freq of internal audits          8 months         7 months     1 month
IT time on compliance            16%              25%          30%
IT budget on security            4.5%             7.4%         12.7%
# of overall deficiencies        75               30           20
# of significant deficiencies    33               6            2

Leaders are 15x better because they do more audits…

…but they spend 3x more because they lack automation.

Page 9

Challenges in being compliant – to sustain

• Time and cost: manual and inefficient processes; redundant or ineffective IT controls; explosive data growth / expanding retention periods
• Measurement and reporting: processes not auditable; issues with timeliness and accuracy
• Inconsistency and decentralisation: no standardised processes; fragmented IT testing efforts
• Complexity: IT infrastructure; multiple regulations to address simultaneously

Page 10

There are three kinds of lies:

Lies, Damn Lies, and Statistics

George Campbell – CSO Emeritus Faculty

The challenge of measuring Security

Page 11

…is not about numbers.

It really is about measuring the performance of Security’s programs.

Security Metrics

George Campbell – CSO Emeritus Faculty

Copyright © 2005 CSO Executive Council -- All Rights Reserved

Page 12

Metrics Program

Focuses on three distinctly interrelated processes:

Security Baseline
• ISO 17799
• COBIT
• NIST
• NFPA 1600
• Common practices as they evolve over time

Security Operational Metrics
• Numerous, comprehensive and relatively static
• Derived from the security baseline
• Used to improve security processes

Security Balanced Scorecard Metrics
• Financial performance
• Customer focus
• Operational excellence
• Business process maturity

Page 13

The CxO Security Assessment: Banking Security Benchmarking

• A weighted, quantitative assessment
• Low cost, high value, “instant gratification”
• Covers over 150 best practices
• One-day workshop
• Best practices – ISO 17799, ISA, ISF, CSI, TechNet, CobiT, NIST, SANS, Gartner, IDC
• Domains: Risk management, Governance, People, Processes, Organisation, Technology
• A facilitated self-assessment of current security posture

Page 14

Information Security Management Dashboard

Page 15

Detailed CXO Scorecard

Page 16

CXO Benchmarking

Page 17

Audit Automation

Page 18

Compliance Audit Automation

Addresses the following needs:

• Need to achieve a continuous & proactive security strategy: automatically detects vulnerabilities in systems & network
• Need to know changes in systems for compliance: detects deviation from security policies in mission-critical systems and servers; compliance reporting for deviations
• Need to have a baseline configuration for performance measurement of security programs and to enforce a change management methodology: creates baselines for every system in the network
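The baseline-and-deviation idea on this slide can be shown in a few dozen lines. The Python below is an added illustration written for this page, not Datacraft's product or any vendor's tool: it records a per-host baseline of configuration fingerprints, reports drift against that baseline, and separately checks each snapshot against a written policy, so that an approved-but-non-compliant baseline is still caught. Host names, file paths, service names, settings and policy keys are constructed sample data, not values from the deck.

```python
import hashlib
import json
from typing import List, Tuple

# Constructed sample snapshots: what a collection agent would gather from each host.
# The schema (files / services / settings) is an assumption for illustration only.
BASELINE_SNAPSHOTS = {
    "db-server-01": {
        "files": {"/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n"},
        "services": {"sshd": "running", "telnet": "stopped"},
        "settings": {"password_min_length": 12, "audit_logging": "enabled"},
    },
}

# Same host some time later: root SSH login re-enabled and telnet started.
CURRENT_SNAPSHOTS = {
    "db-server-01": {
        "files": {"/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n"},
        "services": {"sshd": "running", "telnet": "running"},
        "settings": {"password_min_length": 12, "audit_logging": "enabled"},
    },
}

# Constructed policy the compliance programme wants enforced on every host.
POLICY = {
    "forbidden_services": {"telnet"},
    "required_settings": {"password_min_length": 12, "audit_logging": "enabled"},
    "forbidden_file_lines": {"/etc/ssh/sshd_config": ["PermitRootLogin yes"]},
}


def fingerprint(snapshot: dict) -> dict:
    """Reduce a snapshot to comparable values; file contents become SHA-256 digests
    so the stored baseline carries no sensitive configuration text."""
    return {
        "files": {p: hashlib.sha256(c.encode()).hexdigest() for p, c in snapshot["files"].items()},
        "services": dict(snapshot["services"]),
        "settings": dict(snapshot["settings"]),
    }


def build_baseline(snapshots: dict) -> dict:
    """Approved state per host, taken once after change management signs it off."""
    return {host: fingerprint(s) for host, s in snapshots.items()}


def detect_drift(baseline: dict, snapshots: dict) -> List[Tuple[str, str, str]]:
    """Return (host, category, item) for every value that differs from the baseline,
    including items that appeared or disappeared since the baseline was taken."""
    findings = []
    for host, snap in snapshots.items():
        base = baseline.get(host)
        if base is None:
            findings.append((host, "host", "no baseline recorded"))
            continue
        fp = fingerprint(snap)
        for category in ("files", "services", "settings"):
            for item in set(base[category]) | set(fp[category]):
                if base[category].get(item) != fp[category].get(item):
                    findings.append((host, category, item))
    return sorted(findings)


def check_policy(snapshots: dict, policy: dict) -> List[Tuple[str, str]]:
    """Return (host, violation) for every setting that breaks policy, baseline or not."""
    violations = []
    for host, snap in snapshots.items():
        for svc in policy["forbidden_services"]:
            if snap["services"].get(svc) == "running":
                violations.append((host, f"forbidden service running: {svc}"))
        for key, want in policy["required_settings"].items():
            if snap["settings"].get(key) != want:
                violations.append((host, f"setting {key} != {want!r}"))
        for path, bad_lines in policy["forbidden_file_lines"].items():
            lines = snap["files"].get(path, "").splitlines()
            for bad in bad_lines:
                if bad in lines:
                    violations.append((host, f"{path} contains '{bad}'"))
    return sorted(violations)


def compliance_report(baseline: dict, snapshots: dict, policy: dict) -> dict:
    """Deviation report in the shape a compliance dashboard would consume."""
    drift = detect_drift(baseline, snapshots)
    violations = check_policy(snapshots, policy)
    return {"drift": drift, "violations": violations, "compliant": not drift and not violations}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SNAPSHOTS)
    print(json.dumps(compliance_report(baseline, CURRENT_SNAPSHOTS, POLICY), indent=2))
```

Drift and policy checks are kept separate on purpose: drift tells the change-management process that something moved without a ticket, while the policy check catches a host whose approved baseline was itself non-compliant. Both feed the same report.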

Page 19

Compliance Audit Automation

Key benefits
• Resource optimization
• Higher assurance of compliance
• Reduced risk of threats due to vulnerabilities in systems
• Enforcement of the change management process

Page 20

Enterprise Manager

Page 21

Allows us to measure compliance over time

Page 22

Compliance Audit Automation

Case studies
• Large MNC financial bank (regional deployment): assurance of compliance (due diligence); reduced need for on-site audit; speed of audit
• Large BPO in India: mitigation of the risk of information exposure due to vulnerabilities in systems; constant assurance of compliance to their end-customers

Page 23

Compliance Reporting & Data Archival

Page 24

Any compliance requires: specific systems of control over financial data

Log sources
• Router logs
• IDS/IDP logs
• VPN logs
• Firewall logs
• Switch logs
• Windows logs
• Client & file server logs
• Wireless access logs
• Windows domain logins
• Oracle Financial logs
• SAN file access logs
• VLAN access & control logs
• DHCP logs
• Linux, Unix, Windows OS logs
• Mainframe logs
• Database logs
• Web server activity logs
• Content management logs
• Web cache & proxy logs
• VA scan logs

Controls
• Unauthorized service detection
• IP leakage
• Configuration control / lockdown enforcement
• False positive reduction
• Access control enforcement / privileged user management
• Malicious code detection / spyware detection
• Real-time monitoring / troubleshooting
• User monitoring

Page 25

Compliance Reporting & Data Archival

A platform for compliance & security operations

Page 26

Compliance reporting & Data Archival

In brief
• Helps manage soaring data volumes, ensuring storage and data access meet regulatory compliance
• Helps automate compliance reporting
• Organizations can strategize now for a platform to integrate future compliance initiatives

Page 27

Compliance Reports

Features
• Operational and executive compliance reports
• Addresses specific sections of regulations such as Sarbanes-Oxley, HIPAA, FISMA, and GLBA
• Compliance reports are customizable

Benefits
• Create a timely, prioritized view of threats against compliance assets
• Measure the effectiveness of compliance initiatives over time
• Customizable compliance reports monitor controls unique to an organization

Page 28

Compliance reporting & Data Archival

Addresses the following needs:

• Need to fulfil regulatory compliance and audit reporting: automates the process of collecting, analyzing and reporting on data from systems and network devices
• Need to have secure data retention/archival: securely stores collected data for forensics, future retrieval & compliance with data retention regulations
• Need to perform better resource allocation and more efficient incident response: collected data are analyzed/correlated to generate alerts for escalation
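The three needs above (collect from many sources, correlate into escalation alerts, retain securely for forensics) and the log-source list on the earlier slide describe one pipeline. The Python below is an added example written for this page, not Datacraft's platform: it parses a handful of constructed log lines in one normalised shape (an assumption, since real collectors first translate each device's native format), applies one correlation rule that turns a burst of Windows domain logon failures followed by a success into a high-severity alert, and writes the raw lines into a hash-chained archive whose integrity can be re-verified at audit time. The hostnames, users, addresses, the rule's threshold and window, and the line format are all constructed.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: a firewall deny and Windows domain logon events, already
# normalised to "<iso-timestamp> <host> <EVENT> key=value ..." (format is an assumption).
SAMPLE_LOGS = [
    "2007-03-01T09:00:01 firewall-1 DENY src=10.1.1.5 dst=10.2.0.10 dport=22",
    "2007-03-01T09:00:02 dc-01 LOGON_FAILURE user=alice src=10.1.1.5",
    "2007-03-01T09:00:04 dc-01 LOGON_FAILURE user=alice src=10.1.1.5",
    "2007-03-01T09:00:05 dc-01 LOGON_FAILURE user=alice src=10.1.1.5",
    "2007-03-01T09:00:06 dc-01 LOGON_FAILURE user=alice src=10.1.1.5",
    "2007-03-01T09:00:09 dc-01 LOGON_SUCCESS user=alice src=10.1.1.5",
    "2007-03-01T09:30:00 dc-01 LOGON_FAILURE user=bob src=10.1.1.9",
    "2007-03-01T10:15:00 dc-01 LOGON_SUCCESS user=bob src=10.1.1.9",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line):
    """Parse one normalised line into a dict of fields; None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"), "event": m.group("event"), **fields}


def correlate(events, threshold=4, window=timedelta(minutes=5)):
    """Constructed rule: `threshold` or more LOGON_FAILURE events for the same
    (user, src) inside `window`, followed by a LOGON_SUCCESS for that pair, raise one
    high-severity alert for escalation. Isolated failures raise nothing."""
    alerts = []
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev.get("user"), ev.get("src"))
        recent = failures[key]
        while recent and ev["ts"] - recent[0] > window:  # expire failures outside the window
            recent.popleft()
        if ev["event"] == "LOGON_FAILURE":
            recent.append(ev["ts"])
        elif ev["event"] == "LOGON_SUCCESS":
            if len(recent) >= threshold:
                alerts.append({"severity": "high", "user": key[0], "src": key[1],
                               "failures": len(recent), "at": ev["ts"].isoformat()})
            recent.clear()
    return alerts


GENESIS = "0" * 64  # digest assumed for the record before the first one


def archive(lines):
    """Hash-chained archive of raw lines: each record's digest covers the previous
    digest, so editing, dropping or reordering a record is detectable afterwards."""
    records, prev = [], GENESIS
    for line in lines:
        digest = hashlib.sha256((prev + line).encode()).hexdigest()
        records.append({"line": line, "prev": prev, "digest": digest})
        prev = digest
    return records


def verify_archive(records):
    """Recompute the chain from the start; False on any break."""
    prev = GENESIS
    for r in records:
        if r["prev"] != prev:
            return False
        if hashlib.sha256((prev + r["line"]).encode()).hexdigest() != r["digest"]:
            return False
        prev = r["digest"]
    return True


if __name__ == "__main__":
    events = [e for e in map(parse_line, SAMPLE_LOGS) if e]
    for alert in correlate(events):
        print("ESCALATE:", alert)
    chain = archive(SAMPLE_LOGS)
    print("archive intact:", verify_archive(chain))
```

Raw lines, not parsed events, go into the archive, because forensics and retention rules care about what the device actually sent; the parsed form is only a working copy for correlation. A production store would also anchor the chain head somewhere the log server itself cannot rewrite.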

Page 29

Compliance reporting & Data Archival

Key benefits
• Automates the collection and secure storage of device logs for security management and compliance
• Provides compliance reporting at your fingertips
• More efficient incident response procedure
• Provides more in-depth and quicker analysis/correlation of collected device logs

Page 30

Compliance reporting & Data Archival

Case studies
• Local trading house: compliance reporting; automated collection of crucial device logs
• Large MNC financial institution (regional deployment): compliance reporting; more efficient incident response procedure; archival of collected device logs for quicker analysis
• Local service provider: more efficient incident response procedure; integrated with the Datacraft trouble-ticketing system for round-the-clock monitoring (compliance driven)

Page 31

The role of IT in compliance – cost control

IT automation helps reduce the cost of compliance:
• Reduces mandated tasks
• Increases efficiency
• Better resource management
• Higher level of assurance
• Takes away business pain-points and sleepless nights

Page 32

Security program as an afterthought or part and parcel (automation vs manual patchwork) becomes …

Page 33

Thank You

[email protected]