PROTECTING THE CROWN JEWELS: A PERSPECTIVE FOR THE C-SUITE
GIRISH K. JINDIA, CHIEF EXECUTIVE OFFICER
9 DECEMBER 2013
Building for the future
Copyright Aveshka, Inc. 2013

Agenda
• Introduction
• A Solid Game Plan
• Then What Happens?
• What Direction Is it Going?
• How to Respond
• The Right Solution Set
• Achieving the Desired Outcomes
• Close
2 AVESHKA INC. | © 2013

Aveshka Introduction

Who We Are
Aveshka is a consulting, services, and solutions firm focused on national priorities.
“Aveshka” means innovation and discovery
A team of experienced national security and information technology professionals
Technology-enabled
We align the full spectrum from policy and strategy to implementation and operations.
Collaborative with client staff and vendors
Employee-owned

Our Clients
• U.S. Intelligence Agencies
• Department of Homeland Security
• Global Banking & Finance
• Healthcare & “Big Pharma”
• Department of Justice
• Department of Defense
The biggest R&D labs in the world.

The Dream Your Environment

Protecting the “Crown Jewels”
What threats are you prepared for?
“Your Crown Jewels”
• Intellectual Property
• Private Client Data
• Personally Identifiable Info
• Financials
• Development Plans

“Perfect” Architecture: The Dream Layout
[Diagram labels: Internet/Cloud Services; Secure Data Center; Secure HQ Data Center; Controlled Access Environment; Access Control List (ACL); External Firewall; BYOD/Remote access; DMZ]

Operational Changes Then reality takes over!

Someone Drains the Moat!

Insider Threats
[Diagram label: Insider]

Application Access Tunnels
[Diagram labels: Unintentional Tunnels; Admin; Development; Intentional Tunnels; Web Apps; SOA; VPN]

Your “perfect” architecture is now penetrable

Real World Threats

Top Threats in 2013*
1. Data Breaches
2. Data Loss (25% of all threats reported)
3. Account or Service Traffic Hijacking
4. Insecure Interface and APIs (29% of all threats reported)
5. Denial of Service
6. Malicious Insider (WikiLeaks, Snowden, etc.)
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Vulnerabilities (10% of all threats reported)
*Source: CLOUD SECURITY ALLIANCE - The Notorious Nine: Cloud Computing Top Threats in 2013

Real-World Examples
•  Internal Audit Service (IAS) – International
–  IAS was put on alert after hackers gained access to and changed the government’s
Citizens’ Service Centre database. It was reported that personal data was altered,
allowing people to become eligible for free healthcare and welfare benefits.
•  Recent Cyber Attacks on U.S. Utility Companies Have Been Traced to Iran – Critical
Infrastructure
–  Many U.S. utility companies have reported that their data was hacked. Hackers have
targeted their attacks on oil, gas, and electricity companies. Security officials believe
that the attack was mainly aimed at destroying all the data from these companies
and controlling the machinery that is used for operating control systems.
•  China-based Hacking Group Behind Hundreds of Attacks on U.S. Companies –
Commercial Infrastructure
–  Hidden Lynx hacking-for-hire group more sophisticated than others, including using
malware targeting zero-day flaws.
No one is immune!

Real-World Examples
•  Global Bank Hacking Attack Gang Stole £1.3 Million – Global Finance
–  One of the gang posed as an IT engineer fixing the computer to gain access to the
branch in order to fit a device that allowed the hackers to access its network
remotely and transfer money into their own accounts.
•  Commercial Property Management Firm – Commercial Real Estate
–  Three days prior to the acquisition of another company, an employee clicked on a
social network link that launched a virus. With an estimated monthly revenue of $24
million, the acquired firm could not access their data, suspending operations,
and impeding the close.
The damage in terms of time and money is indeterminable!

Emerging and Future Threats for 2014
•  Mobile Malware
–  The number of malicious and suspicious Android apps grew to 175,000 at the end of
September 2012, up from 30,000 in June.
•  The Cloud
–  Huge repositories of data are very attractive targets for hackers.
•  Data Destruction
–  Hackers are using ransomware to encrypt data so its owner can no longer access it. A
password will unlock the data, but a ransom must be paid to the hacker to get that
code.
•  Social Networks
–  Employees are giving up information, or communicating with sketchy accounts.
•  Supply Chain Security
–  Inter-dependencies within the supply chains.
•  Bring Your Own Device (BYOD)
–  Users are increasingly using their devices as they would their PCs, and are opening
themselves up to attacks the same as they would if they were operating a PC.
Just when you thought it was safe to go back in the water!

Realities
• Attacks are proliferating at an accelerating rate
• Critical infrastructure (i.e., finance, energy, health) is
a primary target of state sponsored actors
• Attacks are not limited to any market segment
• The threats are asymmetric and ubiquitous
• Defending it is not cheap, while consequences are
significant

Typical Situation
• Most organizations rely on a reactive strategy with
static defenses that identify known vulnerabilities
and then fix them one-by-one.
• An effective security posture requires anticipatory,
predictive intelligence to enable an organization to
get ahead of threats before an attack occurs.

State of the Threat Environment

Malware Growth
Malware Sophistication
Ransomware Growth
Mobile Exposure
Internet Vulnerabilities

How This Affects Your Business Impact on Selected Markets

Banking
Financial Services
Healthcare

2014 Security Predictions
Info from Websense report, “2014 Security Predictions”

The Response Closing the Vulnerability Gap

No easy solutions
• Demands a continuously evolving cyber
strategy
• The best talent is in high demand and
limited supply
• Technology or tools by themselves do
not guarantee security

Response Framework
• Corporate Governance
• Leverage Existing Resources
• Employ Best Practices
• Establish Priorities

What Can Help Me Today?
•  Corporate Buy-In
–  Most importantly, implement from top-down
–  Don’t wait for a crisis
–  Dialogue with security advisors and current security staff
•  Adopt Common Security Protocols
–  NIST Cybersecurity Framework (Preliminary)
•  Education
–  Teach and encourage use of safe practices
•  Defense-in-Depth
–  Layered approach
–  Firewalls, anti-virus, etc.
–  Host/Network IDS/IPS
•  Encryption
–  At-Rest and In-Transit

Leveraging What I Have In Place Today
•  People
–  Training
–  Understanding
–  Stakeholder ownership
•  Processes
–  Learn why yesterday’s methods didn’t succeed
–  Know your firewall, control your firewall
–  Discover modern security without compromising performance
•  Technologies
–  Real-time security updates
–  Network port monitoring
–  Robust reporting

Best Practices to Employ
• Risk-based – assess risk by identifying threats,
vulnerabilities, and consequences
• Outcome-focused – focus on desired end-state versus
prescribing the means to achieve it
• Prioritized – adopt a graduated approach to criticality
• Practicable – optimize for adoption by largest possible group
of critical assets and implementation across broadest range
of critical sectors

Best Practices to Employ (cont.)
• Respectful of privacy and civil liberties – protections for
privacy and civil liberties based upon Fair Information
Practice Principles, etc.
• Globally-relevant – integrate international standards,
keeping the goal of harmonization in mind
• Predictive intelligence and continuous monitoring –
proactive defense versus reactive remediation

Establishing Priorities
•  Long-term corporate goals
–  Infrastructure or Virtualize
–  BYOD
–  Hybrid
–  Flexibility to adjust short-term
•  Draft a plan
–  Fail to plan = Plan to fail
–  Build security policy to match/complement
–  Defend the castle
•  Establish access privileges
–  Customers
–  Remote Employees
–  Partnerships
•  Appropriate balance between demarcations

The Right Solution Set
• Not the bleeding edge (unknown)
• Not the leading edge (unproven)
• Keep up with the “state of the shelf” (enterprise
grade)

The 4 R’s
React
Recover
Remediate
Reinforce

A Holistic, Enterprise Approach
• Independent assessment
• Planning support
• Operational support
• Long-term support
• Right balance and mix of technology

Candor™
A flexible, adaptable, and scalable
management and analytic platform

Candor™ - Finding the Right “Needles” in the Haystack
•  Aveshka’s Candor™ is an offering consisting of a cloud-based analytics platform for solving complex business
problems by integrating information and data analysis with
adaptable methodologies.
• Candor™ enables infinitely expandable customizable data
sources to present information via multiple visualization tools.

Candor™ - Architecture

Candor™ - Features
•  Intelligent disparate data linkages
–  “Finding needles in stacks of needles”
–  Hidden relationships revealed
–  Flexible and extensible
•  Customizable insight
–  High performance visualization and intelligence display
–  Analysis and relationship mapping
•  Web-enabled and Cloud-based
–  Infrastructure independence/dynamic resource allocation and deallocation
–  Lower life cycle costs
•  Data type independent and open source access
–  Structured Data
–  Unstructured Data
–  Social Media
•  Open Architecture foundation

Candor™ - Applications
• Fraud Detection
• Anti-Money Laundering
• Intelligence Collection & Analysis
• Competitive Intelligence
• Transaction Monitoring
• Risk Assessment
• Due Diligence
• Health Care Record Management
• Political Micro-Targeting
• Brand/Reputation Management

Summary

Desired Outcomes
• Low risk in a high risk environment
• Agile adaptation to the evolving threats
• Infrastructure resilience
• Business continuity
• Reduced risk of imposed regulatory oversight
• Increased productivity
• More efficient operations
• Protection of the “brand”

Closing
“Failure to protect the crown jewels can
cost you the family jewels!”

Aveshka Appendix
Delegate One-on-One Sessions

Key Demographics
• Headquarters: Arlington, VA
• 20,000 sq. feet of high-finish office space and
demonstration center
• 10 field locations across U.S.
• Experienced leadership team
• Solutions-oriented, value-driven
• Technology-enabled
• National-priority market focused

Aveshka Differentiation
• Premise: Policy drives strategy, which determines
the approach to implementation and ultimately,
operations.
• Value Proposition: We possess the experience,
expertise, and discipline to align implementation and
operations with the underlying strategy and policy.

Policy & Strategy to Implementation & Operations
Integrated Mission Focus
•  Policy: Guidance and principles to achieve the mission.
–  Evaluate mandates, guidance, and national priorities
–  Assess operational effectiveness
–  Develop policy to drive mission outcomes
•  Strategy: Plan of action to achieve goals.
–  Develop prioritized course of action
–  Align resources and activities
–  Assess risks
•  Implementation: Execution of plan to realize goals.
–  Plan of action and milestones
–  Cost, schedule, and performance measures and metrics
–  Resource allocation
•  Operations: Ongoing activities that realize value of goal attainment and inform policy making.
–  Monitor and assess goal attainment and outcomes
–  QA/process improvement
–  Lessons learned

Capabilities
•  Policy, Planning and Preparedness
–  Policy and strategy development
–  Strategic, operational, and tactical planning
–  Stakeholder outreach and strategic communications
–  Exercise design, planning, conduct, and evaluation
–  Organizational performance and effectiveness
•  Cybersecurity and Security Engineering
–  Information and mission assurance
–  Secure information sharing
–  System engineering, design, development, and integration
–  Computer & network forensics
–  Independent verification and validation
•  Analytic Solutions
–  Fraud detection and analysis
–  Analytic methodology development
–  Data analytics support and implementation

Aveshka Sample Offerings

Management Consulting
• Policy development and implementation
• Strategic and operational planning
• Organizational effectiveness
• Performance management
• Threat and vulnerability assessments
• Training and exercises
• Enterprise architecture
• Security engineering

Digital Forensics
•  Infrastructure
–  Forensic-friendly server/desktop systems
•  Improves LE/examiner ability to image RAM and drives
•  Virtual
–  Local host hardware
–  Cloud-based – vendor trust
–  Hybrid combination
–  Increased usage drives need for forensic access
•  Mobile (BYOD)
–  Corporate mobile device security policy
–  Wide range of mobile OSes
•  Memory
–  Lots of critical data not available elsewhere

Penetration Testing
•  Methodologies
–  White Hat
–  Black Hat
–  Grey Hat
•  Vulnerability scanning
–  Basic testing required by most regulations (often overlooked)
–  Various tools used for heuristic view
•  Infrastructure testing
–  External
–  Internal
•  Application testing
–  Web applications and supporting databases
•  User testing
–  Social engineering

Application Code Validation & Remediation
Application source code is a major source of enterprise vulnerabilities, yet
one of the hardest to discern.
•  Process
–  Factory Model with scalable production line
–  Based on Toyota Production System (TPS) leveraging KANBAN
•  Technologies
–  Proprietary Repository of Vulnerability Solutions – best pattern analysis, etc.
–  Proprietary Process Control & Documentation Systems
–  Remediate legacy & modern applications – desktop & mobile
•  People
–  Specialists experienced in application security remediation
•  Benefits
–  Lower cost
–  Frees up client technical resources for other priorities
–  Consistent solutions lower application lifecycle costs lowering TCO

Cloud Engineering and Security
• Architecture design
• Security controls
• Data protection
• Identity management
• Physical and personnel security
• Application security
• Privacy
• Compliance logs and audit trails
• Service Level Agreement design and implementation

Predictive Intelligence
• Continuous monitoring
• Real-time data consolidation and analysis
• Pattern-based access and traffic monitoring
• Software and hardware agnostic
• Monitor both internal and external threats
• Automate decision support
• Preemptive alerting and response
• Situational awareness of potential corporate loss
• Reduced risk to business and operational productivity

“Know Your Customer” (KYC) Programs
To really understand your business risks you need to “Know Your
Customer” from a 360 degree view, as a single-source check no longer
provides a reliable view of who your customers are.
• Multi-national data
• Open-Source Reporting
• Social Media
• Multiple data sources
• Single system for reporting and data access
• Data Agnostic
• Connects to existing systems
• Predictive Analytics
• Dashboard view for enhanced decision-making

Candor™
Technology-enabled

Candor™ - Finding the Right “Needles” in the Haystack
•  Aveshka’s Candor™ is an offering consisting of a cloud-based analytics platform for solving complex business
problems by integrating information and data analysis with
adaptable methodologies.
• Candor™ enables infinitely expandable customizable data
sources to present information via multiple visualization
tools.

Candor™ - Architecture

Candor™ - Features
•  Intelligent disparate data linkages
–  “Finding needles in stacks of needles”
–  Hidden relationships revealed
–  Flexible and extensible
•  Customizable insight
–  High performance visualization and intelligence display
–  Analysis and relationship mapping
•  Web-enabled and Cloud-based
–  Infrastructure independence/ dynamic resource allocation and deallocation
–  Lower life cycle costs
•  Data type independent and open source access
–  Structured Data
–  Unstructured Data
–  Social Media
•  Open Architecture foundation

Candor™ - Applications
• Fraud Detection
• Anti-Money Laundering
• Intelligence Collection & Analysis
• Competitive Intelligence
• Transaction Monitoring
• Risk Assessment
• Due Diligence
• Healthcare Record Management
• Political Micro-Targeting
• Brand/Reputation Management

Aveshka, Inc.
visit learn discuss
4075 Wilson Boulevard, Suite 800
Arlington, VA 22203
www.aveshka.com
571.814.5700