Toreon Presentation: Security Trends & Management PDF
This Toreon presentation discusses security trends and security management, focusing on the economics of cybersecurity, its risks, and strategies for building secure products, secure organizations and cyber capacity.
Full Transcript
Guest Class Toreon: Security Trends & Security Management
YOUR COACH IN DIGITAL SECURITY
GUEST CLASS – SECURITY TRENDS & SECURITY MANAGEMENT

About Me
• Principal GRC consultant @ Toreon
• Head of Sales & Marketing @ Toreon
• Studied (Applied) Economics
• 10+ years of Security Experience
• Certified ISO27001 LA
• Certified DPO
• Lecturer @ Data Protection Institute, NCOI, Kluwer

Our Mission Statement
• Antwerp, Belgium
• Cybersecurity only
• 2014
• >50 experts
• Player / Coach
• Independent
Delivery vehicles: Toreon Consulting (organizations), Training (individuals)
3 impact areas: 'Secure Product', 'Secure Organization', 'Secure People' ('Building Cyber capacity')
3 power houses, 2+ boutiques:
• Building Secure Products: APPSEC/ETH group
• Building Secure Organizations: GRC & CISO group
• Building Cyber Capacity: DPI
• Boutiques: Cloud sec & compliance, Operational Technology, ...
"Business driven cyber consulting", from strategy to technology: Toreon creates an Information Security Strategy aligned to the business and activates it everywhere:
• Information Security Strategy, Governance, Risk & Compliance
• Secure Software Development
• Industrial Security
• Ethical Hacking & Incident Response
• Cloud Security & Compliance

Agenda
• What is Security?
• The Economics of Cybersecurity
• Security Strategy & Roadmap
• Security Operating Model
• Cybersecurity & Start/Scale-Ups
• Cloud Security

What is Security?

Cybersecurity – Technology
3 layers of technology:
• Implementation
• Automation
• Reporting

Cybersecurity – People (3 Layers)
1. CISO / Security Officers
   a) Strategic/Tactical Layer
   b) Swiss Pocketknife
2. Domain Experts (e.g., Architects, Admins, Engineers, AppSec experts, etc.)
   a) Operates Technology
   b) Laser Cutter
3. Employee Awareness
   a) Hygiene Layer

Cybersecurity – CISO

Cybersecurity – Process
Benefits:
• Efficiency
• Consistency
• Compliance
• Scalability
• Continuous improvement
6 most critical security processes:
• Risk Management
• Access Management
• Patch Management
• Incident Management / Disaster Recovery
• Monitoring
• Awareness

The Economics of Cybersecurity: Trends & Risks

Cybersecurity – the good, the bad, the ugly

Cybersecurity – the bad news – threats
Where there is commerce, there is the risk for cybercrime. It is estimated that the cost of cybercrime amounted to $6 trillion at the end of 2021.

Economics of Cyber Crime
• Cybercrime = Big Business (projected $2 trillion in 2019)
• Organized like big business, complete with a supply chain, middlemen, and sales and distribution channels.
• Negative: more threats, organized threats
• Positive: hackers have a business mindset > we know how to compete in business!
Source: https://iapp.org/resources/article/the-economics-of-cybercrime-series-by-richard-kam/

The Hacker Business Mindset – Business Models
• Dark Web Services
  o Training
  o Exploit Kits
  o Botnet Leasing (estimated cost by Symantec: $ 20.000,00)
  o HaaS (estimated cost by Symantec: $ 500)
• Dark Web Markets (monetizing stolen data)
  o Credit card info
  o Email addresses (useful for phishing campaigns): $ 15 / 1000 mail addresses
Source: https://iapp.org/resources/article/the-economics-of-cybercrime-series-by-richard-kam/

The Hacker Business Mindset – ROI
• Return on Investment (ROI): study by the Ponemon Institute
• The average return per attack is less than $4,500, which means that hackers can't afford to spend time attacking a system that's either hard to breach or doesn't yield information that will fetch a good price on the black market. The results of the Ponemon study confirm that: more than 60 percent of hackers will move on if an attack doesn't yield results within 40 hours.
• "Hackers have become almost corporate in their behavior," in that they tend to weigh costs, effort, and risks.
Source: https://iapp.org/resources/article/the-economics-of-cybercrime-series-by-richard-kam/

Outrunning the Bear: Using ROI to defeat cybercrime
• Reduce return on investment (ROI), so attackers will bypass your business.
• Determine what is valuable
  o For you
  o For hackers
• Determine how they attack
Source: https://iapp.org/resources/article/the-economics-of-cybercrime-series-by-richard-kam/

Security Trends – Overview
• If it works, it will be used (again and again)
• Industry Security Trend Analysis

Security Trends – Spear Phishing

Security Trends – Ransomware
• Mass infection: malware/worm, aimed at individuals, yields $
• 'Targeted': basic hacking tools, aimed at a company, yields $$$

Contemporary Cybercrime
Source: Microsoft_Digital_Defense_Report_2020_September

Security Trends – Living-off-the-land attacks
A method that is becoming increasingly frequent. Attackers using this approach use trusted off-the-shelf and preinstalled system tools to conduct their attacks (e.g. PowerShell). Many of these tools are used by system administrators for legitimate work. This makes it harder for defenders to completely block access to these programs and allows the attackers to hide in plain sight.

Security Trends – Mobile & Internet-of-Things (IoT)
Mobile & IoT devices are becoming more and more popular targets.
• Malvertising abuses Telenet, Proximus and other brands to phish on your mobile
• Silex malware is bricking (= completely wiping) IoT devices

Zero Day(s)
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those who should be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.[1] An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.

Cybersecurity – the bad news – compliance
Ever-growing landscape of cybersecurity laws, regulations & standards: ISO27k, NIST, CIS, GDPR, NIS, FDA rulings, ...
Cyber compliance is an effective barrier of trade.

Legal Trends
• GDPR
• NIS
• EU CyberSecurity Act
• CRA
• Cyfun
• DORA
• ...

Cybersecurity – the bad news – lack of resources
What is the biggest challenge for the cyber industry?
• 1205 cyber security vacancies in Belgium
• 16% vacancy rate in the cyber security sector

Questions?

How to define a Tailored Security Strategy & Roadmap

Cybersecurity – the good news
The good guys have also evolved.

Cybersecurity – the good news
Cyber = opportunity
Direct damage avoidance:
• Direct costs, missed revenue, reputational damage
But also consider:
• Customer confidence (ISO27k, SOC 2)
• Investor confidence
• Source of product differentiation

Cybersecurity – the ugly truth/challenge

The Fog of More Challenge
A good cyber strategy is business driven and optimizes ROSI.

Pillars of a Security Strategy
• Security Maturity (Where are you now?)
  o Governance Maturity
  o Organizational Risks
  o Technical Maturity
• Security Requirements
  o Which business are you in?
  o What are your business objectives?
  o Security Trends (numerous reports)
  o Compliance Requirements: general, like GDPR; (sector) specific, like SOX, PCI DSS, NIS, ...
• Security Standards and Frameworks
  o ISO27001/2
  o NIST CSF
  o OWASP
  o SANS
  o CIS20 (Critical Controls)
  o ...
• Security Improvement Plan (Where do you want to go?)
  o Based on your ambition
  o Based on a comparison within the sector

Pillars of a Security Strategy: Governance Track and Technical Track
Governance Track:
• Organisation, roles and responsibilities
• Policies, processes, standards, procedures
• ISMS (Information Security Management System)
Technical Track:
• Focus on technical security measures
• Define a security roadmap for IT
• Drives the maturity of your operational security posture

How to Develop a Proper Cyber Security Strategy: Time to select a standard / framework
Governance Track Objectives:
• Non-technical guidance on how to build and improve security.
• Bridge the gap between business and IT through (business) risk based actions.
• A means to assemble metrics/KPIs to report the state of security towards management and involve them in the decision making process (cyber security is a company wide issue, not an IT issue).
Technical Track Objectives:
• Increase the level of your technical security countermeasures.
• Prioritise according to the most effective countermeasures to implement based on your current maturity level and budget constraints.
• Link with (business) risks identified in the governance track.
• Produce metrics to feed into a higher level dashboard to track progress.

What is an ISMS?
ISMS ≠ Goal. Decreasing risk, increasing maturity = Goal. ISMS = Tool.
• Peace of mind: optimal security, so you can concentrate on your business.
• Less risk: well thought-out and implemented security prevents and mitigates incidents.
• Balance: security should not hinder your organization but should support your business operations.
• Awareness: security technology provides insight and awareness into risks and (near) incidents.
• Measurable & compliant: dashboards, procedures and documentation help you comply with regulations.

What is an ISMS? Definition
An ISMS is a systematic approach for managing (establishing, implementing, operating, monitoring, reviewing, maintaining and improving) an organization's information security to achieve business objectives. It is based on risk assessment and the organization's risk acceptance levels, designed to effectively treat and manage risks.
• System = set of interrelated or interacting activities (processes & controls)
• Management System = coordinated activities to direct and control an organisation
• Information Security = preservation of the C I A of information

ISO27k – Family of Standards (2 standards)
• ISO27001: the management system (high level structure, security risk assessments, continuous improvement)
• ISO27002: the security controls, the "what" (14 control domains, 114 controls)

ISO27001:2017 Overview
4. Context: context/stakeholder analysis; scope; documentation management
5. Leadership: leadership and commitment; policy; organizational roles, responsibilities and authorities
6. Planning: actions to address risks and opportunities; information security objectives and planning to achieve them (link with ISO27002)
7. Support: resources; competence; awareness; communication
8. Operation: operational planning and control; information security risk assessment; information security risk treatment (link with ISO27002)
9. Performance evaluation: monitoring, measurement, analysis and evaluation; internal audit; management review
10. Improvement: nonconformity and corrective action; continual improvement

ISO27001:2017 Risk Management
Risks must be managed at different levels & occasions:
• A comprehensive risk assessment covering all information assets as part of the initial implementation of the Information Security Management System (ISMS).
• Updates to the comprehensive risk assessment as part of the management review process; this should identify significant changes to assets, threats and vulnerabilities and possibly risk levels.
• As part of projects that involve significant change to the ISMS or its information assets.
• As part of the IT change management & development processes when assessing whether proposed changes should be approved and implemented.
• On major external change affecting your organisation which may invalidate the conclusions from previous risk assessments, e.g. changes to relevant legislation, mergers and acquisitions.
Different types of risk assessment: governance assessments, technical assessments (pentesting).

ISO27001:2017 Risk Management: definitions
• A threat is a potential cause of an unwanted incident, which may result in harm to a system or organization.
• Risk relates to the potential harm of that threat to an organization.
• Risk = Impact * Probability (ISO31000, Guidance on Risk Management)

ISO27001:2017 Risk Management: Business Impact Assessment (example)
Critical information assets: CI/CD Servers, JIRA/Confluence, Active Directory Servers.
Key departments / processes scoring each asset: Management, Sales & Marketing, IT, Finance, Development/Flux, Talent.
Department scores as shown on the slide: 1 2 3 1 2 3 2 3 4 1 1 3 4 3 3 1 2 3
Summary per asset (CI/CD Servers, JIRA/Confluence, Active Directory Servers):
• Average score: 3, 2, 4
• RTO (Recovery Time Objective): 1 day, 1 day, 4 hours
• RPO (Recovery Point Objective): N/A, 1 day, 1 day
• Risk assessment: Yes, No, Yes

ISO27001:2017 Risk Management: Risk Scenarios (example)
Scenario 1: Ageing of application software
• Type / source: failure, internal
• Scenario: old application software (e.g., old technology, poorly documented features)
• Chance: once a quarter
• Existing control measures: ad-hoc application updates (not planned, only when needed for features)
• Asset risk profile: impact 2, chance 2 (once a quarter), score 4: HIGH
• New control measure: periodic security updates will be planned and executed
• Asset risk profile after implementation: impact 1, chance 1 (once a quarter): MEDIUM
Scenario 2: Infrastructure theft
• Type / source: malicious, internal/external
• Scenario: theft of a laptop with sensitive data; theft of a substantial number of development assets
• Chance: once a month or less
• Existing control measures: the server is stored in a separate server room, which is closed with a key; the key is managed
• Asset risk profile: chance 4 (once a month or less): CRITICAL
• New control measures: a smart lock with access logging will be placed to control access towards the server room, plus threat modeling
• Asset risk profile after implementation: impact 1, chance 1 (once a month or less): MEDIUM
Scale values used on the slide: chance from "once a month or less" down to "once a quarter"; impact 1 (insignificant), 2 (small), ...; resulting asset risk profiles: critical, high, medium.

ISO27002:2017 Controls
114 controls in 14 clauses and 35 control categories:
• A.5: Information security policies (2 ctrls)
• A.6: Organization of information security (7 ctrls)
• A.7: Human resource security - before, during, or after employment (6 ctrls)
• A.8: Asset management (10 ctrls)
• A.9: Access control (14 ctrls)
• A.10: Cryptography (2 ctrls)
• A.11: Physical and environmental security (15 ctrls)
• A.12: Operations security (14 ctrls)
• A.13: Communications security (7 ctrls)
• A.14: System acquisition, development and maintenance (13 ctrls)
• A.15: Supplier relationships (5 ctrls)
• A.16: Information security incident management (7 ctrls)
• A.17: Information security aspects of business continuity management (4 ctrls)
• A.18: Compliance (8 ctrls)
Statement of Applicability

ISO27002:2022 Expected Update
93 controls in 4 domains:
• A.5: Organizational Controls (37 ctrls)
• A.6: People Controls (8 ctrls)
• A.7: Physical Controls (14 ctrls)
• A.8: Technical Controls (34 ctrls)
Control hashtags:
• Type (Preventive, Detective, Corrective)
• Classification (Confidentiality, Integrity, Availability)
• NIST (Identify, Protect, Detect, Respond, Recover)

Implementation Steps

ISMS Components – Bringing it together
• ISMS Policy: strategic security governance (Why)
• Policies, Processes: strategic security governance (What); Management Controls (ISO27001)
• Standards: operational security governance (What)
• Procedures/Guidelines: Technical Controls (ISO27002 + other standards); operational technical security (How)

How to Develop a Proper Cyber Security Strategy: Options for the Governance Track
NIST Cyber Security Framework (CSF)
• USA standards, series of SP800 docs
• "NIST implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities."
• Easy to understand categories
• Easy to communicate towards management
• Risk management through "Tiers" (maturity levels)
• Not certifiable ... on its own, but it can help reach certification/compliance with other NIST standards. IT security validation programs exist, but are more focused on products. There are certifications for individuals to show you are a certified NIST CSF Practitioner.

How to Develop a Proper Cyber Security Strategy: Options for the Technical Track
We recommend the CIS Controls™ (V7.1): a prioritized, highly focused set of actions that have a community support network to make them implementable, usable, scalable and compliant with industry and government security requirements.
The 5 critical tenets of an effective cyber defense system:
1. Offense informs defense: use knowledge of actual attacks to build effective defenses. Include only those controls that actually stop known real-world attacks.
2. Prioritization: invest first in controls that provide the greatest risk reduction and protection against the most dangerous threat actors and are feasible to implement.
3. Measurements and metrics: provide a shared language for executives, IT specialists, auditors and security officials to measure effectiveness and identify required adjustments.
4. Continuous diagnostics and mitigation: continuous measurement to test and validate the effectiveness of current security measures to help drive the priority of next steps.
5. Automation: automate defenses so that you can achieve reliable, scalable and continuous measurements of their adherence to the controls.
Source: CIS Center for Internet Security

CIS Controls™ (V7.1)
• Free to download and use.
• Maps to both ISO27002 and NIST CSF controls (downloadable).
• Assessment tools available on cisecurity.org
  o CSAT: web based
  o Excel spreadsheet
• Uses an easy concept for selection of controls: implementation groups (as of V7.1)

CIS Implementation Groups
CIS recommends that organizations prioritize their implementation of the Controls by following the IGs. The IGs are not absolute; they are intended to provide a rough measure that organizations can use to better prioritize cybersecurity efforts. A risk assessment provides better insight in the company's risks, and can therefore also be taken into account to set priorities for controls and sub-controls. The following further defines and describes each Group.

Implementation Group 1
An IG1 organization is small to medium-sized with limited IT and cybersecurity expertise to dedicate toward protecting IT assets and personnel. The principal concern of these organizations is to keep the business operational as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information. However, there may be some small to medium-sized organizations that are responsible for protecting sensitive data and, therefore, will fall into a higher Group. Sub-Controls selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Sub-Controls will also typically be designed to work in conjunction with small or home office commercial-off-the-shelf (COTS) hardware and software.

Implementation Group 2
An IG2 organization employs individuals responsible for managing and protecting IT infrastructure. These organizations support multiple departments with differing risk profiles based on job function and mission. Small organizational units may have regulatory compliance burdens. IG2 organizations often store and process sensitive client or company information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs. Sub-Controls selected for IG2 help security teams cope with increased operational complexity. Some Sub-Controls will depend on enterprise-grade technology and specialized expertise to properly install and configure.

Implementation Group 3
An IG3 organization employs security experts that specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security). IG3 systems and data contain sensitive information or functions that are subject to regulatory and compliance oversight. An IG3 organization must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare. Sub-Controls selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.

Standards / framework chosen – next steps
1. Maturity assessment: governance (NIST CSF / ISO27K); technical (CIS Controls)
2. Summarize findings / risks
3. Define high-level risk mitigation actions and set maturity target (max. 3 years)
4. Prioritize and detail
5. Bring it together

Maturity assessment (example)
Governance:
• Using the controls of the selected standard
• Interviews with various stakeholders
• Rating often based on CMM
• Average 2,11; industry 2,4
Technical:
• Using the controls and sub-controls of CIS Controls
• Interviews with various stakeholders
• CIS Controls' own rating, but comparable to others
• Average 1,5; industry 2,1
Target maturity roadmap over 3 years, based on benchmark figures within the same sector (technical track):
Reference 2,16 | Now 1,50 | 2021 1,75 | 2022 1,95 | 2023 2,20

Summarize findings / risks (template)
Consolidated findings: 1 Finding A, 2 Finding B, 3 Finding C, each with a summary explanation of the finding, giving more context and insight in what is important.
Potential risks: for each finding, a description of the risk that the finding could create. This is not to be seen as the equivalent of a detailed risk assessment exercise, which is usually the result of a clear risk assessment process, and part of the chosen governance standard.

Define high-level risk mitigation actions and set target (template)
Consolidated findings and risks: 1 Finding A, 2 Finding B, 3 Finding C, each with the description of the risk that the finding could create (again not to be seen as the equivalent of a detailed risk assessment exercise, which is usually the result of a clear risk assessment process, and part of the chosen governance standard).
How to handle these risks: for each finding, a high-level description of the actions to take to mitigate the associated risk. These high-level actions will be further detailed later on.
One can choose to set a target maturity over 3 years, based on benchmark figures within the same sector:
Governance: Reference 2,40 | Now 2,11 | 2021 2,11 | 2022 2,25 | 2023 2,40
Technical: Reference 2,10 | Now 1,50 | 2021 1,75 | 2022 1,95 | 2023 2,20

Prioritize and detail
For each high-level, risk mitigating action, you can now specify the more detailed actions to take, and prioritize these actions over the coming (3) years. Per action, think about documenting:
• Part of the governance or technical track
• The detailed action
• Stakeholders
• Budget estimate
• Timing
• Must-do / roadmap candidate
Consider putting the high-level actions on a timeline.

Cybersecurity – how to define a cyber strategy

Example Deliverable - 2
Example Deliverable - 3
Example Deliverable - 4
Example Deliverable - 1

Questions?

Security Operating Model
Cybersecurity is too big a task to be handled by one person. Divide and conquer!

Managed Security Office Framework
Client Security Office / Security Office: essential security & compliance, projects, ecosystem of partners, expert services.

Security Office – Typical persons involved
Client X Security Office:
• Account manager
• Cloud security expert (if applicable)
• Application security expert (if applicable)
• CISO / SPOC (required)
• Security Architect (if applicable)
• Sidekick (preferred)
• ... (what's applicable)

Foundation: strong foundation principle for SOaaS
Components: Pentest, CIS assessment, Business Threat Model, Security Office Portal, Continuous Vulnerability Scanning, Incident Response, Brainframe.
Cycle around the foundation: Intelligence Gathering, Continuous Verification, Governance Control.

Foundation: Security Office Portal
• Compliance standards: CIS M365, CIS Azure, CIS Zero Trust, GDPR, NIST, ISO 27001, MITRE ATT&CK, custom compliance
• Project management
• Data sources with in-depth recommendations: M365 & AAD, Azure, Conditional Access, on-premises, AWS, Google Cloud
• 450+ customizable rules

Cyber Security & Start & Scale-Ups

Tech Scale-Up Phases (from "conserve cash" to "invest aggressively")
1. Search for product/market fit
2. Search for a repeatable, scalable & profitable growth model
3. Scaling the business

Phase 1: Product/Market Fit
• Business objectives:
  o Define MVP
  o Find beachhead market for MVP
• Security objectives:
  o Define Minimal Viable Product Security
  o Bootstrap security
• How to implement security objectives:
  o Focus on product security only
  o Define basic non-functional requirements (manually)
  o Threat modeling
  o Validate security of MVP: penetration testing
  o Use subsidized security services to minimize costs.

Phase 2: Repeatable, Scalable & Profitable Growth
• Business objectives:
  o Exponential growth and market development.
  o Gaining trust of corporate and enterprise customers.
• Security objectives:
  o Gain overall security maturity and make it demonstrable towards interested stakeholders.
• How to implement security objectives:
  o Adopt security standards (ISO27k, NIST, ...)
  o Appoint security resources (CISO, Security Officer, DPO); can still be part-time
  o Retain focus on product security: agile pentesting, agile threat modeling
  o Optimize important processes by adopting (basic) security technology, e.g. buy cloud licenses that include security functionalities (E5, ...), SAST/DAST tooling to improve code quality, ...

Phase 3: Aggressive Scaling
• Business objectives:
  o Sustain market leadership & growth
• Security objectives:
  o Continue to raise security maturity to retain security reputation and obtain a market security leadership position.
  o Improve the security posture of infrastructure and development teams (build an A-team).
• How to implement security objectives:
  o By this point you should have a clear grasp on your security and the remaining vulnerabilities. Security programs should be created to reduce these vulnerabilities and transform them (where possible) into strengths.
  o Example tracks: secure development coaching; infrastructure hardening; continuous vulnerability management (SOC/SIEM); red teaming

Security doesn't have to be expensive to be effective! Prioritise, prioritise, prioritise!

Questions?

Security in times of Covid: Cloud Security

Cloud market by segment (figures as shown on the slide, no unit given):
Segment | 2018 | 2019 | 2020 | 2021 | 2022
Cloud Business Process Services (BPaaS) | 41.7 | 43.7 | 46.9 | 50.2 | 53.8
Cloud Application Infrastructure Services (PaaS) | 26.4 | 32.2 | 39.7 | 48.3 | 58.0
Cloud Application Services (SaaS) | 85.7 | 99.5 | 116.0 | 133.0 | 151.1
Cloud Management and Security Services | 10.5 | 12.0 | 13.8 | 15.7 | 17.6
Cloud System Infrastructure Services (IaaS) | 32.4 | 40.3 | 50.0 | 61.3 | 74.1
Total Market | 196.7 | 227.8 | 266.4 | 308.5 | 354.6

"We have seen two years' worth of transformation in two months." Satya Nadella, Microsoft

Remote Everything
89% of customers have moved at least 50% of their workforce to remote work.

"Moat & Castle Security is outdated"
Most important cybersecurity investments:
• Pre-pandemic: 1. Anti-phishing tools 2. SIEM 3. Endpoint security
• Present: 1. Multi-factor authentication 2. Endpoint device protection
• Future: 1. Cloud security 2. Data and information protection

Zero Trust
• 1. Strong authentication 2. Multi-factor authentication 3. Conditional authentication
• 1. Visibility to all devices accessing the network 2. Mobile Device Management
• 1. Manage application access 2. Discover shadow IT
• 1. Segmentation 2. Data encryption 3. Limit access
• 1. Real time threat analytics 2. Least privileged access management
• 1. Classify, label, encrypt

Questions?

Keep in touch!
Siebe De Roovere, Security Consultant
+32 473 42 03 95
[email protected]
www.linkedin.com/company/toreon
Toreon, Grotehondstraat 44/1, 2018 Antwerpen, Belgium
www.toreon.com
@Toreon_BE