

ISE® West


CPE Credits

Attendance at the ISE West Executive Forum can earn you up to four (4) Continuing Professional Education (CPE) credits!

Upon completion of the program, T.E.N. will send the CPE credits to (ISC)2. Please be sure to provide your membership number during registration.

Members who provide proof of attendance will be evaluated on an individual basis by ISACA. Email your completion certificate request here, and it will be sent to you to submit to ISACA.

If you are a member of any other association that provides CPE credits for security-related events and require documentation to qualify for credits, please email us here.

ISE® West executive forum 2012

Practical Security Management: Getting Back to Basics

With the media continuing to report on the latest security incidents and malware du jour, it’s tempting to view the constant stream of high-profile data breaches as proof of the advanced capability of the faceless adversary. Driven by the seemingly endless stream of news-making exploits, organizations increasingly are relying on the latest technology as a silver bullet in defending against attacks.

Many organizations put safeguards in place without actually thinking things through and apply defenses around business processes that lack a stable foundation and employees who lack the most basic knowledge of security. With all the money invested in security solutions, most organizations still fall short in protecting against the same threats that they've faced for the last 10 years. Phishing, SQL injection, malicious attachments, social engineering. Old, every one of them. And yet, very effective at compromising networks in some of the best-known companies.

Risk and security issues today, although more sophisticated in name, are essentially the same as they’ve always been. Neglecting remediation of the more basic threats that a company is most likely to encounter can reduce the effectiveness of security solutions, open the door to intruders, jeopardize business operations and affect shareholder value. It's time to get back to the basics and focus on keeping things practical.

Dive deeper into the discussions and share your ideas with your executive peers:

  • Resistance from business units that do not want interruptions in their operations can often force IT organizations to delay necessary upgrades to business software and critical applications. How important is it from a business and security perspective to use the latest version of critical business software? Are upgrades always necessary? What are the obstacles to running the latest?
  • Many IT organizations struggle with the decisions of what to patch and when. What are the best practices for staying current on patch levels for critical applications? What is an acceptable window and how can security practitioners convince CIOs to accelerate the deployment window? What are the costs associated with staying current?
  • An incident-response plan is a critical component that is often overlooked and not taken seriously – until an incident happens. What are the elements of a practical incident-response plan? What are the essential areas that must be addressed?
  • Many organizations struggle with change management as a broken process. What role can ITIL and CMDB play in the change management process? Is a Change Advisory Board always necessary? Discuss the pros and cons of change management software that integrates change management with traditional security controls, dashboards and security information and risk management platforms.
  • The behavior of employees runs the gamut from unintentionally breaking security policies to purposely ignoring them. Many younger employees believe it’s up to IT staff, not them, to safeguard information and devices. Can risk and damage caused by the human element be contained?

Building Trust in the Cloud: Managing the Risk

Cloud computing has accelerated the rapid adoption of digital business models and given rise to a breed of sophisticated business user who can choose which services to use and combine them at will. Cloud computing clearly delivers value in terms of flexibility, scalability, cost savings and the ability to focus on the core business. But in exchange for speed and efficiencies, organizations are increasing their dependency on third parties and making business trade-offs that may be risky due to a lack of expertise by the person making the outsourcing decisions. Further, as organizations become locked in to a cloud provider, they face compliance, contracting, legal and integration risks.

Traditional approaches to security do not translate easily to the cloud environment and questions about transparency, acceptable risk, disaster recovery, business continuity and actual costs savings persist. Top-of-mind cloud security issues include data breaches related to mobile device data, the need for better access control and identity management, ongoing compliance concerns, the risk of multiple tenants and the emergence of cloud standards and certifications.

Dive deeper into the discussions and share your ideas with your executive peers:

  • What are cloud security vendors doing beyond the marketing? Does it match with enterprise needs? Discuss the practices of cloud providers in terms of contract terms, charges for add-on services, service levels, warranties, data protection, security, liability, service suspension and termination.
  • No real standards exist for the auditing/review of cloud applications - should there be? SAS 70 is not seen as a standard for evaluating cloud computing providers, yet it is provided as information in lieu of an audit or site visit. How do you assess service providers when it's not possible to leverage the typical contract/SLA process? What are companies using as a baseline to assess cloud-based solutions? What are companies establishing as requirements?
  • How do you manage the risk of problems occurring at a vendor leading to problems for your organization? How can this be handled through the contract negotiation process? How do you assess the security risk for on-premise software/devices?
  • What steps can security executives take to ensure that service providers implement, deploy, manage and report on security at an appropriate level? What type of reporting should be available? Are breaches being reported?
  • What kind of insurance and recourse for lost data is available?
  • What is the impact of eDiscovery, regulatory compliance and auditing on the capability to move your organization to this environment? Discuss the ability to obtain forensic data and interpret it while working with the privacy laws among the jurisdictions where such data resides.
  • What tough questions are you asking about the ability to define a security incident and receive reporting based on that definition, choice of where data is stored, visibility of the data, ability to copy data for back-up, and data integrity and recovery? Do you like the answers?
  • Not often in contracts or due diligence, but should be –  planning “divorce” should the “marriage fail.” Discuss exit strategies/off boarding from cloud providers.
  • There is a tendency to rely on trust, when what is required are trust and validation, verification and certification. The market need for independent verification, external certification and standards is recognized by several independent bodies. Are we there yet?
  • What kinds of compliance-related activities does a provider need to adhere to, especially for the healthcare and financial services industries? What kind of certifications should they have? Discuss trustworthiness as a web currency.

Threat Intelligence: Knowledge is Power

Today’s cyber threat actors are unwaveringly focused on the theft of intellectual property, mission-critical details, and other sensitive information, continually evolving their methods and routinely defeating traditional approaches to defense. As organizations work to thwart the attackers, they find themselves in an escalating arms race with unseen attackers. To combat the advanced, persistent and constantly morphing threats, organizations need the very best security intelligence delivered immediately. However, conventional security technologies typically lack the innate intelligence to deal with rapidly emerging threats and web innovation. As a result, current approaches to threat management often fail due to limited threat intelligence, a lack of event context and gaps associated with this lack of visibility. Further, conducting threat intelligence is tedious and time-consuming. Most security teams are already overburdened with other initiatives. Without ongoing threat vigilance, most organizations stand to find themselves in a constant, reactive state, trying to limit damage after outbreaks occur.

Industry focus has now shifted to put as much emphasis on broad threat awareness as it has on prevention, and knowledge is power when protecting information assets against cyber threats. A mix of innovative technology and big data analysis will allow enterprises to analyze vast data sets of unprecedented scale and format, break down information silos, normalize internal and external security intelligence and respond in real time.

Dive deeper into the discussions and share your ideas with your executive peers:

  • Without a threat, vulnerabilities don't really matter that much. Who are the threat parties and what are the threat categories? How might companies assess actual threats? What are best practices in streamlining the vulnerability research process?
  • What are best practices in conducting threat intelligence? How effective are the processes? How good is a rolodex of security experts and what role might Collaborative Security Intelligence and Co-Opetition play? What is the right frequency of communication with security expert channels? How can security practitioners correlate and act upon the resulting information?
  • Federal legislation is in process to improve the information flow around threat intelligence. What is your opinion of this legislation? What must it do to be effective?
  • Active or dynamic defense is a way to proactively deal with cyber attacks and may be the future of cyber security. While it emphasizes real-time information, broader situational awareness and speed, it also raises concerns about privacy, the sharing of classified information and the militarization of cyberspace. Discuss.
  • What is the future of SIEM and what role will it play in achieving “real-time security intelligence”? Can SIEM technology evolve to support a Big Data approach to security analysis? How might integrating DLP assist in achieving security intelligence?
  • It’s said that analytics will be a core element of all next-generation security platforms. What will be the nature of security analytics that enable security executives to take advantage of Big Data trends – whether by human analysis, or by analytics integrated within the platform?
  • Closing the loop on risk assessment, controls and security investment – how might security business intelligence be used to move from investment decisions based on intuition and estimates to cost-justified decisions based on risk models?

Mobile Device Management: Balancing Business Agility and its Risk

With the astonishing influx of smartphones, mobile devices and tablets into enterprises, mobile data has become a foundation of the daily operations of businesses around the world. Not only has data itself become more mobile, but the users holding that data have as well. It is the job of the IT organization to make this ‘mobile user experience’ no different than if the user were inside the office and connected to the network, and just as secure. While employees relish the anywhere, anytime power of smartphones and tablets, IT executives shudder at the security risks associated with the advent of free-roaming, employee-owned devices that have direct access to corporate data. With inadequate mobile security solutions and a lack of understanding or disregard of company security policies by employees, mobile users routinely put sensitive data at risk and are often completely unaware of the inherent risks.

Complex mobile device security issues often create a no-win situation for enterprise IT. The challenge begins at the device level and then extends into securing data, provisioning applications and managing application access to corporate resources. While companies want to support devices and applications that improve productivity and enable creativity, they must do so while carefully monitoring and managing business risks. The upsurge of smart devices into the enterprise has made secure mobile device management a top IT priority. As a result, organizations are turning to MDM solutions that incorporate many of the features familiar from PC management, with the addition of on-the-go functionality, such as remote wipe/lock, real-time device monitoring, location broadcast and software distribution.

Dive deeper into the discussions and share your ideas with your executive peers:

  • Discuss best practices in building a comprehensive data protection program by incorporating risk-based security controls to enforce policy. What are the challenges, options and tradeoffs around applying appropriate management and security policy controls to enable the new BYOD world?
  • Discuss the importance of having full audit and forensic capabilities of all files to provide a digital 'paper trail' that can be used in court if necessary.
  • What are the advantages of segmenting control for data on the device and how do you manage it without impinging on the employee’s right to privacy or interrupting critical business processes?
  • What are the legal ramifications of mixing business with personal data? Who owns the device? Who owns the data? What happens when an employee leaves or is terminated?
  • Cloud and managed service providers offer a built-in way to support multiple mobile devices. Is client virtualization and moving to the cloud for device management the answer? Why or why not?
  • Employees turn to consumer devices partly because enterprise applications are inadequate or cumbersome to use. Discuss the strategies of organizations:  1) Deploying their own “Enterprise App Store” and developing enterprise applications that look and feel like smart device apps, but have enterprise-level functionality. 2) Working with solution providers to communicate security and manageability requirements needed to add enterprise capabilities to consumer products and services.
  • Mobile devices, with their rich store of business and personal data, have become a prime target for hackers. What are the top threats to mobile technology? How can CISOs balance business agility and productivity gains against the IT risk associated with providing mobile device access within the enterprise?


Copyright © 2012 Tech Exec Networks, Inc. All Rights Reserved.   |  Site design by Surface Interactive