Welcome
HITRUST 2014 Conference
April 22, 2014
The Evolving Information Security
Organization – Challenges and Successes
Jason Taule, Chief Security and Privacy Officer, FEi Systems (Moderator)
Robert Booker, Vice President and Chief Information Security Officer, UnitedHealth Group
Erick Rudiak, Information Security Officer, Express Scripts
Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, WellPoint
Omar Khawaja, Vice President and Chief Information Security Officer, Highmark
Chief Information Security Office
HITRUST 2014 Conference
The Evolving Information Security Organization
Challenges and Successes
Tuesday – April 22, 2014
Roy R. Mellinger, CISSP – ISSAP, ISSMP, CIM
Vice President, IT Security
Chief Information Security Officer
The Evolving Information Security Organization
Operational
Compliance
Risk
Enterprise Risk Management
Security Viewed as a
Business Enabler
Translating Business Needs
into Security Requirements
Translating Security
Requirements into
Technical Security Controls
Operating Technical
Security Controls
Security Threat
Management
IT
Compliance
IT
Risk
Enterprise
Risk
17
The Evolving Information Security Organization
CYBER THREAT MANAGEMENT

24x7 Security Operations Center (SOC)

End to End DLP (Data Loss Prevention) Strategy

Tracking of Malware Threats and Coding Techniques

Effective Firewalls, IDS / IPS Strategy Implementations

Effective Security and Event Log Management & Monitoring

Robust Safeguarding Polices, Programs and Processes
18
The Evolving Information Security Organization
Hacking Then
Hacking Now
 Automated / Sophisticated Malware
 Individual or Computer Clubs/ Groups
 Manual efforts with Social Engineering
- Success = Badge Of Honor
- Personal Monetary Gain or
to pay for / fund hacking
activity
 War Protesting and Civil Disobedience
 Anti-Establishment Rhetoric
 Social Rebels and Misfits
 Hactivism – Freedom of Speech,
Statements to Influence Change, Sway
Public Opinion and Publicize Views
 Criminal – Drug Cartels, Domestic and
Foreign Organized Crime for Identity
Theft and Financial Fraud
 Espionage – IP, Business Intelligence,
Technology, Military / Political Secrets
 Terrorism – Sabotage, Disruption and
Destruction
 Nation-State – Intelligence Gathering,
Disruptive Tactics, Clandestine Ops,
Misinformation, Warfare Strategies, and
Infrastructure Destruction
FRINGE . . . . . . . . . . . 30 YEARS . . . . . . . MAINSTREAM
19
The Evolving Information Security Organization
Initial compromise — spear phishing via
email, planting malware on a target website
or social engineering.
Establish Foothold — plant administrative
software and create back doors to allow for
stealth access.
Escalate Privileges — use exploits and
password cracking tools to gain privileges on
victim computer and network.
Internal Reconnaissance — collect info on
network and trust relationships.
Move Laterally — expand control to other
workstations and servers. Harvest data.
Maintain Presence — ensure continued
control over access channels and credentials
acquired in previous steps.
Complete Mission — exfiltrate stolen data
from victim's network.
20
The Evolving Information Security Organization
Cyber Threat Management
Conventional Approach
Paradigm Shift: Cyber Threat
Management
Controls Coverage
Protect ALL information assets
Protect your MOST IMPORTANT assets
(Crown Jewels) based on risk assessments
Controls Focus
Preventive Controls (anti-virus,
firewalls, intrusion prevention, etc.)
Detective Controls (monitoring, behavioral
logic, data analytics)
Perspective
Perimeter Based
Data Centric
Goal of Logging
Compliance Reporting
Threat Detection
Security Incident
Management
Piecemeal – Find and neutralize
malware or infected nodes
BIG PICTURE – Find and dissect attack
patterns to understand threat
Threat Management
Collect information on Malware
Develop a deep understanding of attackers
targets and modus operandi related to YOUR
org’s network and information assets
Success Defined By:
No attackers get into the network
Attackers sometimes get in; BUT are
detected as early as possible and impact is
minimized
21
The Evolving Information
Security Organization –
Challenges and Successes
Omar Khawaja
April 23, 2014
Who is Highmark?
23
Risk is increasing
•
•
•
•
(Assets
X
Vulnerabilities
•
•
-
•
More data (EMRs)
More collaboration (ACOs)
More regulation (FTC)
Our weaknesses are increasing…
•
•
X
Threats)
Controls
Our information is increasing in value…
More suppliers (Cloud)
More complexity (ACA)
Opportunities to attack are increasing…
•
•
More access (consumer portals)
More motivated attackers
Becoming increasingly difficult to secure
•
•
•
•
•
Multiple Compliance Requirements
Evolving Compliance Requirements
Unclear Compliance Requirements
Less visibility
Less control
Security org needs to evolve
From…
• Explaining the “what”
To…
• Explaining the "why"
• Growing the security org
• Growing security in the org
• Creating more security
processes
• Making security part of more
processes
• Telling them what to do
• Assisting them with their job
• Protecting everything equally
• Differentiated controls
• Measuring what matters to
security org
• Reporting on what matters to
audience
Questions?