
Cybersecurity: Toward a Strategic Approach to Cyber Risk

Andy Purdy
Chief Cybersecurity Strategist, May 18, 2010

CSC Webinar Cybersecurity Towards a Strategic Approach on Cyber Risk

Page 1

Summary

1. What is the current cyber risk?
2. Learn lessons from experience.
3. What approach should we take?
4. What capabilities do we need?
5. Risk management for organizations and countries


What is the current cyber risk?


What is Cyber? Cyber is the ability to operate in cyberspace to achieve the results that you intend, and not those intended by your adversaries, competitors, or cyber criminals.


In this brave new world we tread...

- November 2002 (Geopolitics): The rise of the botnets. A DDoS by an army of citizen-zombie computers attacks the root name servers.
- April 2004 (Sasser): Widespread outages around the world. Agence France-Presse (AFP) satellite communications blocked; Delta Airlines cancelled several transatlantic flights; If and Sampo Bank closed 130 offices; also impacted Goldman Sachs, Deutsche Post, the European Commission, and Lund University Hospital.
- January 2010 (Google discloses): per The New York Times, April 2010, "losses included one of Google's crown jewels, a password system that controls access by millions of users worldwide to almost all of the company's Web services, including e-mail and business applications".
- Looking into the future: APT, botnets, integrity attacks, and the convergence of threats to converged infrastructures.


...cheerfully, into the unknown

- 4G wireless broadband networks (LTE and WiMAX): 100 Mbit/s on the move and 1 Gbit/s stationary. The world goes wireless, with tens of billions of devices (smart phones, metering).
- Convergence in technology and infrastructure: sharing the same threats.
  - Voice, video, and data use a common protocol (IP) and share a common infrastructure, and therefore share the risks.
  - All national infrastructures (energy, transportation) use the same ICT infrastructure.
  - Threats transfer between data, video, and telephony.
  - Cloud computing: a shared ICT infrastructure means shared risks.


Premises

- Experience is only valuable if we learn from it and act on it.
- Information sharing is not enough.
- A strategic approach to the cyber challenge is essential.
- Stakeholder collaboration is critical at each level.
- Threat information is important, but risk should be the driver.
- Risk management is critical for organizations, nations, and the global information infrastructure.


Summary of Cyber Risk

- The use of innovative technology and interconnected networks in operations improves productivity and efficiency, but also increases vulnerability to cyber threats if cybersecurity is not addressed and integrated appropriately.
- A spectrum of malicious actors routinely conducts attacks against the cyber infrastructure using cyber attack tools. Because of the interconnected nature of the ICT infrastructure, these attacks could spread quickly and have a debilitating effect.


Learn lessons from experience.


Industry concerns?

- Data vulnerability due to the sizable increase in data volumes, flows, and interfaces
- System security in converged, automated, and integrated environments
- New devices that may be immature and have security limitations
- Consumer privacy, given increased connectivity, devices, and intelligence
- Potential fraud from insufficient tamper protection
- Overall increase in the complexity of a utility's compliance profile

Adapted from an EPRI source image.


Introduction

Cybersecurity: a National Security Imperative and Global Business Issue

- Nations and critical infrastructure owners and operators depend on cyber for national security, economic well-being, public safety and law enforcement, and privacy.
- Major companies must ensure the resiliency of their operations, protect their reputations and the privacy of their customers, differentiate their brand, and meet compliance obligations.
- Innovative technologies and information assurance strategies must be implemented by government and private companies through fully integrated, end-to-end cyber solutions.


Secure ICT also represents

- Technological advantage
  - Opportunity to gain competitive advantage
  - Opportunity to help shape the global cyber environment in support of US interests
- An exciting field for our emerging technology
- An additional foundation for academic excellence


What approach should we take?


A Strategic View of ICT Security

- There is no real separation in cyberspace; we share a common environment with allies, partners, adversaries, and competitors.
- It is important to understand computer network defense, and to be informed by exploitation and attack.
- Security is more about architecture and integration than about deploying more products to build perimeter defenses.


Public Policy Challenge

- Nations are dependent on cyber for national security, economic well-being, public safety, and law enforcement.
- Risk is real but not visible and obvious.
- Authority and control are spread among multiple entities in the public and private sectors.
- ICT is international.
- Individuals and organizations are reactive and tactical, not proactive and strategic.
- We do not learn lessons from the past.


Learn Lessons from Experience

- Recognize the value of lessons learned to enhance preparedness.
- Systematize after-action processes for exercises AND real-world events.
- Take a proactive, strategic approach to risk.
- A robust risk management program can facilitate and prioritize planning, decision-making, and resource allocation.
- A strategic approach to ICT risk management should be grounded in architectural, design, and process principles.
- Stakeholders should be engaged in the assessment and mitigation of ICT risk, spending on research & development, and cyber incident response and recovery preparedness.


Regulatory Environment: Upcoming Challenges for the Private Sector and Critical Infrastructure?

- Legislative perspective: has the private sector done enough to secure its own facilities?
- Executive perspective: concern about government and critical infrastructure relative to cyber threats.
- Power/utility, transportation, and other critical infrastructure sectors are of significant cyber concern.
- The private sector favors voluntary, private-sector-developed standards, incentives, and safe harbor provisions rather than regulations.


The New Reality

- Global recognition that national health and security are permanently intertwined with the Internet.
- National governments across the globe intend to actively address cyber security risks to specified private-sector infrastructures of interest supporting national programs and critical infrastructure segments.

Examples of the national health and security requirement in evidence:

- Transglobal Secure Collaboration Program (TSCP): a voluntary collaborative program (funded by membership contributions). Governments: US, UK, Netherlands. Companies: BAE, Boeing, EADS, Lockheed Martin, Northrop Grumman, Rolls Royce, Raytheon.
- U.S. Defense Industrial Base (DIB): a threshold of capabilities defined by U.S. DoD to protect Controlled Unclassified Information (CUI) used in defense contracts. Established and monitored by US DoD (as expressed in the DIB Cyber Security Benchmark and DIB CONOPS). One-to-one framework agreements, funded by individual companies.
- U.S. Comprehensive National Cybersecurity Initiative (CNCI).
- Activities of the European Network and Information Security Agency (ENISA).

What capabilities do we need?


What is missing nationally and internationally?

What do we need to worry about, and what do we need to do about it? We need to:

- know our risk posture;
- identify requirements for addressing that risk that are generated by a public-private collaboration; and
- make it easy to hold stakeholders accountable.


What is needed nationally and internationally?

A strategic approach to facilitate public/private collaboration and information sharing to set requirements, and to resource, execute, and track progress on:

- ICT risk;
- ICT preparedness;
- malicious activity and cyber crime; and
- research and development.


How should the challenge of ICT risk and preparedness be addressed?

- Stakeholders at the organizational, national, and international levels must work together to identify critical functions, assess and mitigate risk, and plan and build capacity for response and recovery.
- Use standards to drive risk reduction.
- Exercise to identify gaps and improve.
- Pursue innovation.
- Use this process to identify requirements that drive resource allocation for risk mitigation, response preparedness, and research and development.


Risk management for organizations and countries


Protecting your Organization, Clients, and Customers

- Use lessons learned from Advanced Persistent Threats (APTs) and other sophisticated attackers to strengthen active defense.
- Work in public-private partnerships to collaborate strategically and share information about threat and risk.


Strategic Approach to Malicious Cyber Activity

- An initiative to promote a strategic approach by government (not just law enforcement) and the private sector against malicious cyber activity.
- Need to build national and international information sharing capabilities to collect, preserve, analyze, and share information on malicious actors AND enablers, using a federated data-sharing model.
- Need good national and international data on cyber crime.


Government Cyber Security Involvement

- Government needs to help define domestic, EU, and allied ICT interests.
- Using those interests, government needs to create a stronger interagency and inter-governmental policy process and policy (guiding principles).
- Collective interests need to be represented consistently in all international fora concerned with global cyber security and cyber governance; if not, global policy and governance may not conform to national and international interests.
- Your country, the EU, and its allies need a consistent approach to ICT risk in critical infrastructure.
- Focus on security standards rather than prescribed processes (i.e., define how secure to be, not how to be secure).
- Recognize that the threat is advanced and dynamic; a cookbook approach will not adapt sufficiently well to such a threat.
- Sensitize the private sector and the public to the threat; recognize that adversaries do not reserve their most advanced technologies for use only against our government.

Private Sector Role

- Request government to facilitate information exchange and enhanced collaboration.
- What actions are advisable? What incentives would help bring those actions about?


The Model-Portfolio: A Different Way to View the Problem

- An integrated set of capabilities consistent with a model new to the industry, fit for purpose for the demands of a complex global problem.
- The security stack defines the problem's complexity and the sophistication needed in the solution.
- Demonstrated ability to scale to the full dimensions of the problem.
- Demonstrated ability to apply our government knowledge to our commercial delivery.
- Allows us to see the gaps and determine how we close them.


Making a better case for "Why CSC"

- Cyber security is a core competency of CSC in both the commercial and public sectors.
- Comprehensive capability: the full range of the security stack.
- Cross-leverage what we know between the commercial and public sectors.

Commercial Sector: SOCs to Fortune 500s; Defense Industrial Base; worldwide presence; ISO 27001 preparations.

Public Sector: nation-state threats; Groundbreaker; forensics training; biometric access system certification; physical/logical access; personnel qualifications.


A New Idea: The Security Stack as a Model for how we present, organize, determine gaps, and integrate. Only CSC and IBM can make this case.

The Security Stack (Functional Technologies / Cyber Security Services)

Layer 4: The Exercise of National Sovereignty
- Functional technologies: ethical hacking; integrating government capabilities
- Cyber security services: security consulting (understand and manage risk); security integration led by solution architects; Managed Security Services; forensics analysis and assessments

Layer 3: Situational Awareness External to the Perimeter (determine source, adjust defenses)
- Functional technologies: worldwide monitoring; attestation; adjusting the defenses

Layer 2: Integrated Security Overlay (Prevent, Detect, Respond)
- Functional technologies: Security Incident/Event Manager; out-of-band (OOB) managed devices; perimeter defenses (firewall); intrusion detection/prevention; Data Loss Prevention; honeypots
- Cyber security services: certification and accreditation; security training for cyber experts; product and system evaluation (Common Criteria)

Layer 1: Assured Systems and Content
- Functional technologies: CMDB; whitelisting; PIV-based biometric access; Single Sign-On; data encryption and key management; vulnerability assessment
- Cyber security services: penetration testing / ethical hacking; compliance; disaster recovery / business continuity


CSC Cyber Security Overview (1 of 3)

- More than 1,400 full-time security professionals globally
- Security and compliance services to:
  - More than 150 commercial clients globally in more than 40 countries
  - Many Fortune 500 companies, including many with PCI compliance
  - U.S. federal agencies and many state and local government clients
  - Non-U.S. government clients (UK Royal Mail, UK National Health Service)
- Wide range of security offerings:
  - Managed Security/SOC services
  - Endpoint protection
  - Messaging security
  - Data loss prevention
  - Compliance monitoring/enforcement
  - Vulnerability, risk, and regulatory assessments
  - Forensic and investigative response
  - Identity and access management and biometrics
  - Security engineering, integration, and testing
  - Disaster recovery and business continuity


CSC Cyber Security Overview (2 of 3)

- SSE-CMM Level 4 information security practices, assessed by an independent third party
- Defense Security Service (DSS) Cogswell Award for 5 of the past 10 years
- Achieved ISO 2700 certification for the CSC-managed EPA security program
- Many CSC data centers and service delivery centers have achieved third-party ISO 27001 certification
- Major provider of vulnerability assessments, risk assessments, and security accreditation services to federal agencies
- Active SAS 70 audit program
- Operates the DoD Cyber Investigative Training Academy
- Biometric engineering services to DoD
- Operates certified Common Criteria Test Laboratories in the U.S., Australia, and Germany under ISO 15408
- Operates a FIPS 140-2 NVLAP-certified Cryptographic Module Test Laboratory

CSC Security Operations Centers (SOCs) (3 of 3)

Managed Security Services delivery around the globe, in all regions.

Commercial SOC operations:
- North America (Newark, DE): 33 customers
- UK (Chesterfield): 15 customers
- Australia (Sydney): 9 customers
- India (Hyderabad): 17 customers
- Malaysia and Hong Kong: 2 customers

U.S. Federal SOC/CERT/CSIRT support:
- Defense Information Systems Agency (DISA)
- U.S. Air Force
- U.S. Army
- Dept. of Homeland Security
- EPA
- NOAA

Monitor and manage thousands of security devices worldwide:
- Network/host IDS/IPS
- Audit log storage/monitoring
- Security event management
- Security incident response services
- Technical compliance monitoring
- Vulnerability scanning and alerting
- Endpoint security management
- Managed encryption services
- Data loss prevention
- Forensic response

SOC locations: Chesterfield, UK; Marlton, NJ; Newark, DE; Annapolis Junction, MD; Hong Kong; Hyderabad, India; Kuala Lumpur; Sydney, Australia

Consistent and effective 7x24 security monitoring, detection, response, and recovery.

Representative Cyber Security Clients

Public Sector: Internal Revenue Service, FAA, USDA, Dept. of Education, Environmental Protection Agency, Dept. of Energy, Department of Homeland Security, Australian Department of Immigration and Citizenship, Prime Minister and Cabinet, Department of the Attorney General and Transport Accident Commission; Canadian Treasury Board Secretariat, Communications Security Establishment Canada, Public Safety Canada, Canada Revenue Agency, Transport Canada, DISA, DCITA, U.S. Army, U.S. Navy, U.S. Marine Corps, U.S. STRATCOM, Office of the Secretary of Defense, Biometric Fusion Center, U.K. Ministry of Defence, Danish Ministry of Defence

Aerospace & Defense: Textron, Raytheon, Boeing, Hawker Beechcraft, UTC, General Dynamics, Spirit Aerospace

Financial and Insurance Services: Allianz, AMP, Dun & Bradstreet, Maybank, Toyota Financial Services, Zurich, PartnerRe, Alliancez, AMP, IMB, GE Capital, Toyota Financial Services

Retail & Distribution: Coles, Myer, David Jones, Estee Lauder, Cargill, Astro

Travel & Transportation: Railcorp, Bombardier

Health Services: National E-Health Transition Authority, University of Pennsylvania Health Systems, UK National Health Service, Nobel Biocare, Ascension Health, Consolidated Medicaid/Medicare (CMS), Virginia and North Carolina Medicare/Medicaid Information Systems, eMed of New York, Stellaris Health

Manufacturing: BlueSteel, OneSteel, Delphi, Chrysler, Freescale, Westinghouse, Motorola, Nissan, Xerox, Bombardier, Nissan Chemical

Energy & Natural Resources: Powercor, BHPB, Rio Tinto, Alcoa, Woodside Petroleum, Newmont Mining, Shell, DuPont, BHP Billiton Petroleum, Watercorp, Western Power, Exelon, Basell, Invista, Anglian Water, National Grid, Urenco, BNFL


CSC Strategic Security Partners

CSC's formal partnerships with leading security vendors provide:

- Special discounts on industry-leading security tools
- Responsive procurement
- Insight into emerging security technology
- Increased depth of managed security services


Thank you for your attention!

Contact: Andy Purdy, Chief Cybersecurity Strategist, dpurdy@csc.com, apurdy1@gmu.edu


Further webinars

15.06.10 / 15:30-16:30 / Social Change: "Doing Social Media - Tips & Tricks for Planning and Execution"

Source: www.de.csc.com