1. Modern Challenges for IT Governance, Risk, and Compliance in the Enterprise Brian Robison Product Manager McAfee Eric Fredericksen, PhD Solutions Architect McAfee Risk and Compliance

2. Lack of visibility False positiv e Labor intensive Lengthy time for manual approaches Inadequate information Protect data SRM process Reduce costs New regulations Sustain compliance IT Governance, Risk and Compliance Labor intensive processes Visibility of critical assets Lengthy manual approaches Inaccurate scan results (False Positives) Inadequate information Changing regulatory content Meeting CIA requirements for data Continuous compliance and reducing costs Integrating compliance

3. Context Finding unknown assets Managing known assets Increasing workload Multiple vendors

4. Unknown assets N. America Network Asia Network Security systems Corporate Headquarters Network/SOC Firewall ACME Corporation IPV6 protocol China Class C Network complexity is increasing Network connected assets are increasing Rogue systems are connecting IPV6 is on the way How do I find them? Class B Internet

5. Networks Known assets Asset repositories are large and growing More laptops mean more mobility Laptop WiFi means more multi-homed assets How do I manage them? ACME Corporation Corporate Headquarters Network/SOC Security systems IPV6 protocol China N. America Network Asia Network IPV6 is on the way Internet Firewall

6. Increasing workload means audit fatigue Factor Small (5000-) Large (5000+) Likely impact IT optimization opportunity Lack of automation tools (using spreadsheets or no specified tools) 69%51% Lack of operational efficiency strains IT departments Select tools with - A common management platform -Unified reporting Less than 25% of IT audit controls are automated 73%57% Collecting accurate audit data is a protracted manual effort -Ensure that controls are mapped to policy -Automate data gathering for audits Audits are conducted on ad-hoc basis 30%25% Unforecasted IT spend takes budget from other key IT initiatives -Optimize audit scheduling with regular, frequent assessments Managing 10+ Regulations 22%51% Time consuming and costly, especially for smaller organizations -Leverage IT automation tools to build repeatable, sustainable processes McAfee-commissioned survey to qualify and quantify IT audit pain points A total of 389 IT security and audit executives from 15 countries were surveyed Continuous effort for IT security audits

7. Multiple Vendors Mountains of data

8. Eric Fredericksen, PhD Solutions Architect McAfee Risk and Compliance

9. Overview Break the problem into parts for solution ― Asset management ― Integrated technologies ―Integrated systems

10. Asset management Active discovery –IPv4 has the usual suspects –IPv6 will be a challenge –Vista is a challenge Explore the unknown Passive discovery –DNS, DCHP, ARP, and other chattiness on the wire –NAC and RSD systems –IDS, IPS, routers, and switches –Agents phone home—use that information!

11. Asset Management Leverage existing repositories –Active Directory (AD) –Lightweight Directory Access Protocol (LDAP) –Proprietary repositories (customer built) –Commercial asset management systems –Security systems Consolidate data Use what you have

12. Integrated technologies Enterprises use agent assessment, network assessment, or both, to perform compliance and vulnerability management Both technologies have unique behaviors and challenges. How can we have the best of all worlds and derive maximum benefit? Assessment

13. Integrated technologies Virtual private network Desktop network Conference network Starbucks Agent assessment Agents phone home on a schedule no matter where they are

14. Integrated technologies Network assessment Virtual private network Desktop network Conference network Wireless network Network assessments run on a schedule no matters where assets are

15. Integrated technologies Assessment consistency Virtual private network Desktop network Conference network Wireless network Network assessment succeeds using dynamic asset location data

16. Integrated technologies Continuous active and passive discovery and asset- originated events provide –Asset network status (online and offline) –Asset network location Network assessments behave like an agent-based system –High likelihood of successful assessment –Reduced network usage (no futile discovery) –Compliance assessments governed by “freshness” Consistent assessment behavior

17. Integrated technologies Script content –Often proprietary –More flexible –Harder to customize –Vendor content (VM FASL) Declarative content –Open—OVAL/XCCDF –Less flexible –Easier to customize –Public content (NIST, MITRE, etc.) Convergent content

18. Integrated technologies IT risk and compliance need both content types –Let’s combine them! One content package to rule them all –Reduced content package sizes –Increased content production rates –Increased content QA time –Interoperability Convergent content

19. Integrated systems We must –Combine data from all sources –Report what is happening now –Report on trends over time –Decide what goes into unified reports Data management and reporting The “Microsoft Security Management Suite”

20. Integrated systems IT risk and compliance reports Integrated reporting Data management and reporting

21. Brian Robison Product Manager McAfee

22. Integrated systems Multiple systems doing similar tasks –Vulnerability management –Compliance management (not to mention Network IPS, Host IPS, DLP, AV, etc.) Integrate systems into a single workflow and management system –One work request –Multiple assessment types and subsystems –Details managed by the system and not the user Integrating compliance

23. Summary Integrated asset management Integrated systems Consistent behavior, content and technologies Integrated data, management, and reporting Integrating compliance

24. Presentations will be available on the FOCUS web site after the conference www.mcafee.com/focuswww.mcafee.com/focus password: secure

25. Thank You