Jennifer Allen & Chris Strand - Continuous Compliance

CONTINUOUS COMPLIANCE
Shifting from checking the box to real-time threat
detection and response
Version Control
After I drink coffee I like to show the empty mug to the IT guy to
tell him that I've successfully installed JAVA. He hates me!
Arm Your Endpoints and Achieve Continuous Compliance
• Real-time Visibility of in-scope systems and events
• Control over critical changes and system events
• Complete Protection from ALL malware threats on every in-scope system and beyond
• “Active Intelligence” to Measure risk and Prioritize events
• Immediate Enforcement and Audit of security compliance policy and BAUs
Merge Compliance and Security
CHALLENGE
Compliance = Security
Achieve Continuous Compliance and Strengthen
Your Security Profile
You must validate both compliance and security with controls that:
1. Identify, Classify & Scope Critical Business Processes: Real-Time Visibility
2. Monitor & Prevent Change: Stop Analyzing Change and Start Controlling It
3. Measure, Identify & Analyze Risk: “Active Intelligence” and Always-on Monitoring
4. Detect & Prevent Malware: Complete Protection from ALL Malware Threats
5. Actively Enforce Policy: Immediate Enforcement and Audit of Security Compliance Policy
Current Vulnerabilities and Hazards
Windows EOL XP and 2003 – July 14th 2015
58% of businesses do not have a fully mature patch management process in place,
and 12% do not have a patch management process in place at all.
* Trustwave 2014 State of Risk report
Even if a support package is purchased from Microsoft, you do not get the
moderate and low patches, only those deemed critical.
Unsupported OS and Applications: Compliance
The absence of vulnerability and security patches leaves businesses at risk of
failing compliance requirements (PCI, HIPAA) and increases company-wide LIABILITY.
Examples:
• PCI Requirement 6.2: update all critical in-scope systems with the latest security patches within 30 days.
• HIPAA Sec. 164.308 (a)(1) Security Management Process – Risk Analysis.
Cost of Support
The estimated cost of Premier Support per Windows Server 2003 (2K3) endpoint
is 3x the cost for XP:
• $200 per PC for the first year = $600
• $400 per PC for the second year = $1200
• $1,000 per PC for the third year = $3000
* Taken from Microsoft yearly Premier Support pricing
Premier support provides:
• Critical patches only
• Important patches are available at an additional price. Historically, Microsoft labeled
many patches as ‘important’ that should have been labeled as ‘critical’
• No support for moderate- or low-priority security updates = Widening Threat Window
Windows Server 2003 End-of-Life Survey
Completed in March 2015, based on 500 IT leaders at medium and large
enterprises in the US and UK:
• 34% of organizations are still using a combination of Windows XP and Windows Server 2003.
• Another 10% of organizations continue to use Windows XP exclusively.
• 30% plan to continue to run WS2K3 after the July 14 deadline, leaving an estimated 2.7 million servers unprotected.
• 57% of enterprises do not know when the end-of-life deadline is.
• 14% of enterprises do not yet have an upgrade plan for WS2K3.
Can’t Upgrade? Extend the Life of Your Systems with
Compensating Controls
There are three compensating controls that can keep your systems secure after end of life:
Network Isolation – isolate WS2K3 servers so that these machines cannot access your central services
Virtualization – virtual desktop infrastructure (VDI) where you host Windows 2003 (and the WS2K3 legacy application) on a PC running Windows 7 or Windows 8 (some risks involved)
Positive Security – a model based on known ‘good’ applications that focuses on what you want to have happen on your systems
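As an added illustration (not code from the presentation), the following evaluates three of the controls named above over a constructed endpoint inventory: the PCI Requirement 6.2 30-day patch window, the July 14th 2015 XP / Server 2003 end-of-life date, and a positive-security allowlist for executables. Hostnames, dates and hashes are made up; only the policy values come from the slides.

```python
# Added example, not from the presentation: evaluates three controls the
# slides name over a constructed endpoint inventory. Hosts, dates and
# hashes are made up; the PCI 6.2 window and the EOL date are from the slides.
from dataclasses import dataclass, field
from datetime import date

PATCH_WINDOW_DAYS = 30                       # PCI DSS Requirement 6.2
EOL_DATE = date(2015, 7, 14)                 # Windows XP / Server 2003 EOL (per slides)
EOL_OS = {"Windows XP", "Windows Server 2003"}

@dataclass
class Endpoint:
    host: str
    os_name: str
    last_patched: date
    in_scope: bool
    executions: list = field(default_factory=list)  # (path, sha256) seen executing

def evaluate(ep, allowlist, today):
    """Return (control, detail) findings for one endpoint; [] means compliant."""
    if not ep.in_scope:
        return []                            # only in-scope systems are assessed
    findings = []
    if ep.os_name in EOL_OS and today > EOL_DATE:
        findings.append(("eol-os", f"{ep.os_name} unsupported since {EOL_DATE}"))
    age = (today - ep.last_patched).days
    if age > PATCH_WINDOW_DAYS:
        findings.append(("pci-6.2", f"last patched {age} days ago"))
    # Positive security: anything not explicitly known-good is flagged,
    # whether or not a malware signature exists for it.
    for path, digest in ep.executions:
        if digest not in allowlist:
            findings.append(("positive-security", f"unapproved binary {path}"))
    return findings

# Constructed sample data; the "hashes" are placeholders, not real digests.
ALLOWLIST = {"a" * 64, "b" * 64}
SAMPLE = [
    Endpoint("pos-01", "Windows 7", date(2015, 8, 1), True,
             [("C:\\pos\\register.exe", "a" * 64)]),
    Endpoint("legacy-db", "Windows Server 2003", date(2015, 6, 1), True,
             [("C:\\temp\\update.exe", "c" * 64)]),
    Endpoint("hr-laptop", "Windows XP", date(2015, 1, 1), False),
]

def run(today=date(2015, 8, 15)):
    """Map host -> findings for the whole inventory."""
    return {ep.host: evaluate(ep, ALLOWLIST, today) for ep in SAMPLE}
```

Calling `run()` reports `legacy-db` under all three controls, `pos-01` as compliant, and skips the out-of-scope `hr-laptop`; the same records checked before the EOL date would drop the `eol-os` finding.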
Third Party Risk – Do you know TPISA?
68% of businesses transfer sensitive data between locations; 58% of
businesses use third parties to manage sensitive data, yet almost half
(48%) do not have a third-party management program in place.
* Trustwave 2014 State of Risk report
Things to consider in your TPISA Program:
• Full data lifecycle analysis
• GRC programs for managing risks and contract changes
• Escrow agreements and contract language
• SSAE16 standardized review and reporting
Use cases and certifications
POS and ATMs
[Diagram: POS and ATM payment environment showing Servers, Backend Servers, Terminals, Loyalty Servers, Transactional Data servers, Card Reader, Payment Processors and Integrated Systems; every node carries the label “Block execution on every system”. Reference: CNN Money, ATM Bank Hacking]
Current Compliance Requirements
and Best Practice Standards for
Continuous Monitoring
PCI DSS 3.0
1. PCI 3.0 will affect a greater number of companies than it ever has before.
2. PCI 3.0 is increasing the scrutiny of security control measurement to a
greater degree than any of the previous versions of the standard.
3. PCI 3.0 is more technology agnostic than ever before. This opens the door
for businesses to consider alternate technologies as primary and
compensating controls to meet PCI requirements.
HIPAA and HITECH
Part 1: The HIPAA Omnibus Rule and Its Impact on Security
https://www.youtube.com/watch?v=x__DfCo1HOc
Part 3: Why a Risk Assessment Is Critical to HIPAA Compliance and
Security
https://www.youtube.com/watch?v=P5C4EBO9ZMs
According to the Fifth annual Ponemon study research, the average
cost of a data breach for healthcare organizations is estimated to be
more than $2.1 million.
Utilities and Government
NERC/FERC CIP-005-1-R1.6 states that “an electronic Security Perimeter
should be established that provides . . . Monitor and Log Access 24X7X365.”
FISMA/FISMA 2 – FISMA and FISMA 2 also require continuous monitoring
activities that include configuration management and control of information
system components, security impact analyses of changes to the system, ongoing
assessment of security controls, and status reporting.
NIST and ISO
NIST 800-53: describes automated inspection items in connection with a
CA-2 (security assessment), CA-4 (security certification) and CA-7
(continuous monitoring and vulnerability detection) continuous monitoring program.
ISO/IEC 27001: provides a description of an information security management
system that calls for continual process improvement in information security.
To accomplish this goal, an organization must continuously monitor its own
security-related processes and improve according to feedback from objective
measurements.
FFIEC Handbooks
Security Monitoring:
Financial institutions should gain assurance of the adequacy of their risk
mitigation strategy and implementation by:
• Monitoring network and host activity to identify policy violations and anomalous behavior;
• Monitoring host and network condition to identify unauthorized configuration and other conditions which increase the risk of intrusion or other security events;
• Analyzing the results of monitoring to accurately and quickly identify, classify, escalate, report, and guide responses to security events; and
• Responding to intrusions and other security events and weaknesses to appropriately mitigate the risk to the institution and its customers, and to restore the institution's systems.
Governance and Risk
Complex overlap of IT Objectives
Governance
Situational security is an enterprise’s collective assessment of the threat
posture, vulnerability posture, compliance posture, and incidents at a
moment in time. Actionable intelligence from an enterprise’s
circumstances and conditions is the essence of situational awareness.
Situational awareness is the state of vigilance where an enterprise is alert
to the constantly changing threat landscape, constructively makes
decisions, and responds proactively.
Who should own governance?
Risk Checklist for Success
VULNERABILITY MANAGEMENT AND SECURITY TESTING PROGRAMS
• Update your vulnerability management and penetration testing programs with the latest security requirements and ensure they are part of your risk, change control, compliance and corporate governance initiatives.
• Prioritize any vulnerability findings and communicate them so that senior management can help assess the level of risk.
• Review the security model being used to secure your data if you are using a third party to run your security management programs and to store your vulnerability database.
• Confirm that the vulnerability and its associated risk are no longer present in your systems once you have mitigated a weakness.
Use Case: ABC Corporation
worksheet
Instructions
Divide into groups by vertical: Retail, Finance, Healthcare, and Utilities and Government.
Answer the use case scenario as if ABC Corp were a company within your vertical.
We will review answers at the end of the exercise.
You will have 10 minutes to come up with suggestions to help with ABC Corp’s
current business and compliance situations. Use your industry vertical to
craft responses for compliance regulations and best practices.
Discussion
Aligning Business with Info Sec
Do you face the following challenges?
• Senior management’s commitment to information security initiatives
• Management’s understanding of information security issues
• Information security planning prior to implementation of new technologies
• Integration between business and information security
• Alignment of information security with the enterprise’s objectives
• Executive and line management’s ownership and accountability for implementing, monitoring and reporting on information security
Verizon Report on Compliance and Business Strategy
There will always be constraints on the amount of people and money
available, and it can be a challenge to convince senior management that
these resources should be focused on “compliance” rather than, say,
developing a new product line.
Unless they can see the relationship between the effort that they put in
to compliance and the benefits they get out, the logical approach would
be to do the bare minimum to comply. This is a challenge when security
and compliance are there to avoid a possible negative outcome: how can
you measure the cost of a breach that you avoided?
Many organizations are still either not sufficiently aware, or not capable
of measuring the benefits of compliance to justify the investment in not
just complying with the letter, but also the spirit of the rules.
There are many benefits of taking a holistic approach to governance, risk
and compliance, both regulatory and operational.
Continuously Proactive
Continuous measuring and monitoring of the operational
benefits of compliance drives increased understanding and
support for data protection, compliance, and eventually the
acknowledgment that compliance can make a substantial
contribution toward more effective business management.
How do you put a value on compliance?
Unlike many business investments, the ROI of compliance
may not be immediately obvious in terms of bottom-line
benefits.
* Verizon Report 2015
Value Proposition for Continuous Monitoring
Security
• Immediate visibility into everything running in your environment to prevent, detect & respond to threats that evade traditional security defenses
• Mitigate weaknesses in third-party applications
• Go beyond scanners’ point-in-time snapshots & signatures to prevent “alert fatigue”, identify threats in real time & rapidly respond
• Eliminate the risk from malicious, illegal and unauthorized software
Compliance
• Compliance-governing automation
• Support for legacy, orphaned, or end-of-life applications & operating systems
• No need for scans or other performance-burdensome procedures
• Aggregate big data to relieve data fatigue – integrate your data to personalize your compliance stance in real time
Questions?