A Risk-based Security Program Approach: Security Enables Digital - - PowerPoint PPT Presentation



SLIDE 1

#MicroFocusCyberSummit

A Risk-based Security Program Approach: Security Enables Digital Transformation and Compliance

Michael Gutsche, Cybersecurity Strategy; Peter Bronson, Cybersecurity Strategy

SLIDE 2

FORWARD-LOOKING STATEMENTS

www.microfocus.com

This document contains forward looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Micro Focus ArcSight’s predictions and / or expectations as of the date of this document and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions. User Interface depictions should be considered non-final and subject to re-design and / or removal. This is a rolling (up to three year) Roadmap and is subject to change without notice.

SLIDE 3

Agenda

  • State of Cyber Security and Threats
  • Compliance vs. Risk Based Programs
  • Cyber Security Program Approaches
  • Areas of Focus to “Move the Needle”

SLIDE 4

The State of Cyber Security and Threats

SLIDE 5

The Impact is Global

Source: World Economic Forum – 2018 Global Risk Report

  • 2015 – Attack on Ukraine’s power grid shut down 30 substations, interrupting power to 230,000 people
  • 2016 – SWIFT attack led to the theft of US$81 million from the central bank of Bangladesh
  • Today – The European Aviation Safety Agency has stated that its systems are subject to an average of 1,000 attacks each month

Global interconnectedness continues to expand the attack surface.

Top 10 risks in terms of likelihood: #3 – Cyber attacks

SLIDE 6

Cyber Damages Continue to Outpace Spend

Source: CSO online: Top 5 cybersecurity facts, figures and statistics for 2018

  • Cyber damages to hit $6 trillion annually by 2021, up from $3 trillion in 2015
  • Cyber security spending to exceed $1 trillion from 2017 to 2021
  • Cyber crime will more than triple the number of unfilled security jobs, predicted to reach 3.5 million by 2021
  • Human attack surface to reach 6 billion people by 2022
  • Ransomware damage costs are predicted to reach $11.5 billion by 2019

SLIDE 7

The Reach of Cyber Attacks

  • 143 million customers’ data stolen due to a vulnerability found in open software; the data of a majority of people over 18 in the U.S. is now exposed
  • 3 billion customers impacted; every Yahoo customer’s data was exposed over a span of 3 years
  • 57 million customers and drivers impacted; every Uber customer’s data was exposed for a year

Business impact:

  • Net income fell 27% in ONE quarter
  • M&A impact of $350M
  • $20B market cap loss; untold amount in litigation

SLIDE 8

It’s no longer a question of if, but when your data breach will happen

SLIDE 9

It is a new level of complexity!

  • Threats (internal and external)
  • Information overload
  • Regulatory / privacy concerns
  • Infrastructure complexity

SLIDE 10

Risk vs. Compliance Based Information Security Programs

SLIDE 11

Compliance/Standards – A Subset!!

ISO/IEC 27001/2, ISF, NIST 800-53/CSF, ISACA COBIT 5, CIS 20, DISA, ITIL, PCI-DSS, OWASP, BSIMM, CSA 4.0, ILTA

SLIDE 12

Know Your Enemy

  • Attacks come in all shapes and sizes
  • Organized crime has become very sophisticated and operates like a corporation
  • Its main goal is to maximize profits and minimize risks
  • It competes on quality, customer service, price, reputation, and innovation
  • It uses an SDLC and is adopting SaaS

[Chart: attack types plotted by effort and risk (easy to difficult) against payout potential (low to high): organized crime, IP theft, extortion, ad fraud, bank fraud, bug bounty, cyber warfare, identity theft, hacktivism, payment system fraud, medical records fraud, credential harvesting, credit card fraud]

SLIDE 13

Know Your Treasure and Where It Resides

Your customers’ data. Your organizational data.

  • Your telco’s information about your account
  • Banks’ data about your finances and accounts
  • Your interactions with SaaS applications
  • Your private email to and from your smartphone
  • Your credit rating information
  • Your email correspondence
  • Health records your care provider manages for you
  • Payments made to you

SLIDE 14

Additional Treasure Chests

“The health record is worth 10x that of a credit card number on the black market”

  • Point of Sale Systems
  • Customer Portals
  • Credit Card Processing
  • HR Systems (Workday)
  • CRM Systems (Microsoft Dynamics, Peoplesoft)
  • Financial Systems (Lawson)

SLIDE 15

Moving from Reactive to Proactive Information Security & Risk Management

Establish a Risk-based Approach – Actionable Security Intelligence

  • Assess security investments and posture: How will attacks likely occur? How will you spot them on each platform? What corrective action will you take?
  • Transform from silos to a comprehensive view: On-prem traditional systems, SaaS, IaaS, and PaaS should all fall under the same security umbrella
  • Optimize to proactively improve security posture
  • Manage security effectively, including internal SLAs and SLAs related to cloud providers; maintain SLAs in the context of your security program

SLIDE 16

Cyber Kill Chain

SLIDE 17

Cycle of Security – Breaking the Cyber Kill Chain

SLIDE 18

Risk Based Security Programs

“Compliance does not equate to security.”
“Compliance to industry regulations should be a ‘free bonus’ to a robust risk based security program.”

  • Table-stakes – Good security hygiene, perimeter security, endpoint protection
  • Identifying risks – Unique to each organization
  • Addressing the risks by implementation of programs, not products
  • Risk based security programs enable cloud and hybrid adoption
  • Goal: Overall security posture improvement

SLIDE 19

Comprehensive security for the enterprise

CYBERSECURITY, PRIVACY & RISK MANAGEMENT

DATA SECURITY
  • Data de-identification (encryption/tokenization)
  • Key management
  • Hardware-based trust assurance
  • Messaging security

APP SECURITY
  • Static, dynamic, & runtime application testing
  • Application security-as-a-service
  • Lifecycle management

ENDPOINT SECURITY
  • Patching & containerization
  • Application virtualization
  • Mobile & server management

IDENTITY & ACCESS
  • Adaptive identity governance
  • Adaptive access management
  • Adaptive privileged users

SECURITY OPERATIONS
  • Real-time detection
  • Workflow automation
  • Open source data ingestion
  • Hunt and investigation

GOVERNANCE, RISK & COMPLIANCE
  • eDiscovery & classification
  • Information management

SLIDE 20

Thank You.

#MicroFocusCyberSummit
