1
The Future of Global Information Security: Information Security Five-Year Scenario
Perry Carpenter, MSIA, C|CISO, Leadership Partner, EITL Security & Risk Management, Gartner
Paul Proctor
Gartner Application Architecture, Development & Integration Summit, December 8-10, 2014, Caesars Palace, Las Vegas, NV
2
Controls Help Us Achieve the Target Level of Security
But with hundreds of potential controls, we need a way to select the right ones.
The Strategy Tool: four strategies for selecting controls
- Search & Destroy
- Psy Ops
- Castles & Moats
- Behavior Jujitsu
3
Fact: The Real World Changes
It no longer works to base control decisions on past performance. We need a way to plan for the ways the world might become, not how it was. We need a five-year planning guide that:
- Identifies possible future conditions
- Provides a way of detecting shifts in direction (guideposts)
- Calls out control requirements early
4
Problem Statement
How will the Nexus of Forces (cloud, mobile, social and big data), plus other forces and trends, transform the practice of information security and IT risk management between and 2019?
- What are the two most powerful uncertain forces driving change?
- How might those forces interact?
- What evidence exists now?
5
Critical Issues
- How might the world change?
- How shall we detect that change?
- How shall we deal with that change?
6
Threats Against Targets: A Moving Target
- As servers move into the cloud
- As enterprise security improves
- As mobility drives increased connectivity out to the edge
- As the value at the edge increases
- As end-node compromise tools continue to become more automated
- And …
7
Orders of Magnitude … as the number of highly trained cyber-students increases by orders of magnitude:
- Over 100 "white hat" hacker university degree programs in U.S. funded by NSA and DHS.
- Similar programs in UK.
- 10th through 12th grade training for all in Israel.
- Similar programs growing worldwide.
- China in a leadership position?
Now assume that 90% stay on the "white hat" side.
8
Trend: Our X Axis, TARGET
Security compromise of enterprise accounts may become more heavily weighted to indirect attacks through captured end nodes, or may focus even more clearly on servers.
[Axis: TARGET, from Enterprise to Individual]
9
Who Will Save Us … From the Chaos That Is the Internet?
- Nation-states want to carve the Internet into manageable pieces.
- Cloud and Big Data push toward less regulation.
- Governments threaten to regulate.
- "Critical infrastructure" is continuously redefined.
- But very little actually gets done.
- And what does get done takes a looooong time.
10
Trend: Our Y Axis, AUTHORITY
The level of market intervention can vary dramatically, shifting costs and influencing business flexibility.
[Axis: AUTHORITY, from Tribal to Monolithic]
11
The Gartner Security Scenario 2014-2020
[Grid: Tribal row, Coalition Rule (Enterprise) and Neighborhood Watch (Individual); Monolithic row, Regulated Risk (Enterprise) and Controlling Parent (Individual)]
How we select from and apply our four control strategies will depend on how the world changes for our organization.
12
The Gartner Security Scenario 2014-2020
[Grid: vertical AUTHORITY axis from Tribal (top) to Monolithic (bottom); horizontal TARGET axis from Enterprise (left) to Individual (right). Quadrants: 2 = Enterprise/Tribal, 4 = Individual/Tribal, 1 = Enterprise/Monolithic, 3 = Individual/Monolithic]
13
Enterprise Target Centralized Authority
Regulated Risk (quadrant 1): Enterprise target, centralized authority
- Governments use regulation to provide safety
- An attack can become an act of war
- All infrastructure becomes critical infrastructure
- Enterprises are held responsible for actions of employees
Milestones (pushing toward the corner):
- Additional regulations
- Increase in public acknowledgment of attacks
- Increase in government disclosure of breach info
- Public shaming and fines for breaches
- Publication of a "Monroe Doctrine" for cyber-security rules of engagement
- NATO creates a cyber-security division
- Software liability established
- International convention on cyber-war, and one major nation refuses to sign because it limits their responses
Evidence: Critical infrastructure directive
14
Enterprise Target Fragmented Authority
Coalition Rule (quadrant 2): Enterprise target, fragmented authority
- Warlords and cartels rule
- Corporations establish fiefdoms, suppress independent innovation
- Aggressive corporate and national espionage
- Supply chain for offensive activities
- Underground economy grows
Milestones (pushing toward the corner):
- Evidence of corporate counter-attack
- A major financial industry company forms a cyber-war department
- IPO for a cyber-war mercenary company
- Increase in crypto-extortion schemes
- Cyber-insurance fails, is withdrawn
- Public corporation records a $100 million charge for cyber-blackmail
Evidence: Cyber and Cloud Security Alliances; drug cartel use of Internet
15
Individual Target Centralized Authority
Controlling Parent (quadrant 3): Individual target, centralized authority
- Attacks against individuals push government to act
- Governments try to establish a norm of personal responsibility
- Theft-oriented botnets proliferate
- Surveillance society grows
- Strong privacy regulations emerge
- Mobile devices become closed, curated
Milestones (pushing toward the corner):
- ISPs (outside of Europe) ordered to retain all transactions
- CPSC/FTC takes action against product vulnerabilities
- U.S. class action lawsuits over vulnerabilities
- School training and (in some areas) license to browse
- Creation of a computer user database
Evidence: Do not call list; FISA amendments
16
Individual Target Authority Breakdown
Neighborhood Watch (quadrant 4): Individual target, authority breakdown
- E-militia emerge — self-organizing protection societies
- Extreme anarcho-hacktivism
- Internet resembles gangs of New York
- Corporate and communal walled gardens form
- Extensive darknet and dependence on anonymity
- E-commerce declines due to distrust
Milestones (pushing toward the corner):
- Formation of cyber-militias
- Anonymous focuses on CEOs rather than business operations
- Corporations start refusing to hold personal information
- Harassment, reputation attacks, cyber-bullying become common
- Facebook loses 10% of its members
- Slowdown in e-commerce growth rate
Evidence: Islamic Internet efforts; increase in identity theft; "net nanny" approaches
17
The Gartner Security Scenario: Evidence for Every Direction
[Grid with "NOW" at the centre and the evidence items from the quadrant slides plotted toward their corners: Islamic Internet, CSA (Cyber and Cloud Security Alliances), CID (critical infrastructure directive), DNC (do not call list). Axes: AUTHORITY from Tribal to Monolithic, TARGET from Enterprise to Individual]
18
So Watch for the Milestones
[Grid: AUTHORITY axis from Tribal to Monolithic, TARGET axis from Enterprise to Individual]
19
Four Different Threats and Opportunities
Regulated Risk
- Threat: Over-regulation increases cost without decreasing risk
- Opportunity: Lobbying can influence direction and degree
Coalition Rule
- Threat: Increase in attacks could cause severe damage
- Opportunity: Found (then dominate) an industry standards group
Controlling Parent
- Threat: Privacy regulations will inhibit business operations
- Opportunity: Surveillance society benefits those who do Big Data well
Neighborhood Watch
- Threat: E-commerce drop; reputation and trust failures
- Opportunity: Form your own protection society for your customers
20
Understanding the Strategy Tool
[Grid: Technical Controls versus Behavioral Controls across, Active Controls versus Passive Controls down. Active/Technical = Search & Destroy; Active/Behavioral = Psy. Ops.; Passive/Technical = Castles & Moats; Passive/Behavioral = Behavior Jujitsu]
21
Four Control Directions
- Castles and Moats: Traditional passive technical controls; isolation via network architecture and access controls
- Behavior Jujitsu: Improved security training programs as passive (defensive) behavioral controls
- Search and Destroy: Active technical approach to returning fire
- Psy. Ops.: Advanced behavioral intervention
22
The Controls We Need Vary With the Environment We Are in
[Grid of the four scenarios: Coalition Rule, Neighborhood Watch, Regulated Risk, Controlling Parent]
23
Control Interdependence
[Figure: controls placed on the active/passive and technological/behavioral axes, using SWG, Admin, SIEM and Usage Guideline as the examples]
The interdependence of control types drives the formation of a security strategy. For example, a SIEM tool escalates a proxy log entry (passive, technological) to a security engineer who reconfigures (active, behavioral) the Secure Web Gateway (active, technological) and informs users of a rule change regarding Web use (passive, behavioral). In a similar fashion, many controls blur the lines between active and passive (e.g., combining logging and active response).
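The escalation chain on this slide, written out as an added example for this transcript (it is not code from the presentation or from Gartner): a minimal SIEM-style rule over Secure Web Gateway log lines. The proxy only records requests (passive, technological); the rule counts, per client, how many requests within a sliding window reach a watch-listed host and raises an escalation record for the security engineer once a threshold is crossed. The gateway rule change and the user notice are only named in that record as the active technological and passive behavioral follow-ups. The log line format, the client addresses, the watch-list host, the threshold and the window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (assumed format): timestamp, client, action, host.
PROXY_LOG = [
    "2014-12-08T09:00:01 10.0.0.5 ALLOW files.example.com",
    "2014-12-08T09:00:07 10.0.0.5 ALLOW bad-host.example.net",
    "2014-12-08T09:00:09 10.0.0.9 ALLOW intranet.example.com",
    "2014-12-08T09:00:15 10.0.0.5 BLOCK bad-host.example.net",
    "2014-12-08T09:00:40 10.0.0.5 ALLOW bad-host.example.net",
    "2014-12-08T09:45:00 10.0.0.5 ALLOW bad-host.example.net",
]

# Constructed watch list; in practice a threat feed or the organisation's own
# block list would supply it (assumption).
WATCH_LIST = {"bad-host.example.net"}

THRESHOLD = 3                    # watch-list contacts per client before escalating
WINDOW = timedelta(minutes=10)   # sliding window those contacts must fall in


def parse_line(line):
    """Split one proxy log line into (timestamp, client, action, host)."""
    ts, client, action, host = line.split()
    return datetime.fromisoformat(ts), client, action, host


def escalate(log_lines, watch_list=WATCH_LIST, threshold=THRESHOLD, window=WINDOW):
    """Return one escalation record per client whose watch-list contacts reach
    `threshold` inside `window`. A BLOCK entry still counts: the client tried to
    reach the host, which is what the engineer needs to know."""
    hits = defaultdict(list)     # client -> timestamps of recent watch-list contacts
    escalations = []
    already_raised = set()
    for line in log_lines:
        ts, client, action, host = parse_line(line)
        if host not in watch_list:
            continue                                   # passive: just logged
        recent = [t for t in hits[client] if ts - t <= window]
        recent.append(ts)
        hits[client] = recent
        if len(recent) >= threshold and client not in already_raised:
            already_raised.add(client)
            escalations.append({
                "client": client,
                "host": host,
                "hits": len(recent),
                "first_seen": recent[0].isoformat(),
                "last_seen": ts.isoformat(),
                # The follow-ups the slide describes, as recommendations only:
                "active_technological": f"block {host} at the Secure Web Gateway",
                "passive_behavioral": "inform users of the updated Web use rule",
            })
    return escalations


if __name__ == "__main__":
    for record in escalate(PROXY_LOG):
        print(record)
```

The fourth contact at 09:45 falls outside the ten-minute window of the earlier three, so it starts a fresh count rather than re-raising; that is the check a practitioner wants so that a long-lived rule does not page the engineer for every subsequent hit.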
24
Building a Strategic Response
[Figure: Confront Tailgaters, Event Log, Report Incident and Acceptable Use Guide placed on the active/passive and technological/behavioral axes]
Traditional security control strategy focuses on defensive techniques that minimize vulnerabilities and maintain system integrity. These techniques are primarily expressed through infrastructure (e.g., firewalls, EPP) with a minor investment in user behavior management (aka Security Awareness). The four scenarios for the future of security require new security capabilities that expand beyond existing strategic options. In particular, security capabilities must expand beyond primarily passive, defensive approaches to include, potentially, more active, aggressive approaches.
An example of the difference between active and passive controls is the common practice of disabling logins after a defined number of failed login attempts. This process incorporates a passive control — logging a failed login attempt — and an active control — disabling login for the UserID involved after a certain number of failures. At the extreme, an active control would actually attack the source of an active threat, rather than simply block or minimize vulnerabilities targeted by the threat, while an extreme passive control would simply monitor an attack.
There is a second factor that combines with the active/passive gradient: technological versus behavioral. The vast bulk of security investment is in technological controls. Most organizations sustain a minor investment in security education. This minor investment is an attempt to create behavioral controls. As with technological controls, behavioral controls can be active or passive. For example, asking users to report suspected security incidents is essentially passive, as the action will not directly terminate the incident. In contrast, asking users to physically confront or block a person attempting to tailgate through a secure entrance is an active behavioral control.
Active and passive controls are effective in different ways in different contexts. Technological and behavioral controls are also effective in different contexts. All of these forms of control interact and affect the others.
25
Using the Strategy Tool — an Example
[Grid of the four scenarios: Coalition Rule, Neighborhood Watch, Regulated Risk, Controlling Parent]
Neighborhood Watch. Threat: E-commerce drop; reputation and trust failures. Opportunity: Form your own protection society for your customers.
Control requirements?
- Distributed, autonomous: Can run in isolation on consumer endpoints.
- Extended perimeter (VPN): Centrally managed but remotely initiated.
- Endpoint neutralization: DDoS of attack sources.
Control options?
- Passive behavioral: Observe and report.
- Passive technological: EPP platform with VPN agent.
- Active technological: Identify and attack apparent attack sources via neighborhood watch botnet.
26
To Do List
Gartner:
- Special report phase 1
- Special report phase 2
- Ongoing research publication
You:
- Analyze the impact of the four quadrants on your organization
- Outline your response to each of the four quadrants using the strategy tool
- Monitor the environment for milestones as they occur
- Shift your controls strategy as change happens