1 / 38

Rhodri Davies

Rhodri Davies. Managed Security Services Chief Technologist HP Enterprise Security Services. A Presentation of 2 Halves. Cyber Crime Study (UK) 2012. Challenges of meeting an Organisation’s security policy/audit in a multi-customer environment.

doli
Download Presentation

Rhodri Davies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Rhodri Davies Managed Security Services Chief Technologist HP Enterprise Security Services

  2. A Presentation of 2 Halves • Cyber Crime Study (UK) 2012 • Challenges of meeting an Organisation’s security policy/audit in a multi-customer environment

  3. The challenges of meting an organisation’s security policy and audit requirements in a multi-customer environment (A view from the other side of the fence)

  4. Drivers are not all the same • Provider • Efficiency • Repeatability • Highest margin • Customer • Perfect fit • Lowest cost • Maximum control • Maximum visibility

  5. Customers are not all the same • Small / Direct • Lack of expertise • 24x7 requirement • Minimal service management staff • Minimal in-house tools • Off the shelf service • Big / ITO • Part of a bigger deal • Outsource strategy • Service management team • Compliance team • Shadow security team • Own tools

  6. Continuum of Service Flexibility Bespoke Higher cost Off the shelf Lower cost Where do you sit? Do the customer and service provider have the same idea? Does everyone in the organisation have the same idea?

  7. Efficiency – a Provider’s View • Do the same thing for all customers • Large number of administrators • 24x7 coverage • Scalability • Communications via a portal • Standard reports • Multi-customer systems • Standard certifications rather than individual review

  8. Managed (Leveraged) Service vs. ITO ITO frequently involves • Dedicated teams/locations • Greater customer control and visibility • Larger deals • More customer leverage • Is what service management teams are used to!

  9. (Real) Customer Expectations • Independent • Change approvals processes • Reports and report processes • Ticketing systems • Incident reporting • Audit processes • Physical requirements • Bunker necessary • Government clearances • Rights to run • On site audits • Forensics • Own contractors • Pen Tests • Specific compliance training • Quarterly confirmations • Lists of admins • Notifications of changes • Regional requirements

  10. Particular Issues (from Provider PoV) These occur in RFP, contracts and audits Assumptions that there are locations and systems dedicated to the customer

  11. Particular Issues (from Provider PoV) Data classification and handling requirements without reference to the data available to the provider • E.g. PCI requirements

  12. Particular Issues (from Provider PoV) Specifying technological solutions not requirements E.g. There must be individual user accounts Rather than There must be an audit trail that tracks each individual to their system activity.

  13. What about Cloud Services • Similar issues driven by economy of scale and efficiency • Even less flexible • More automated • Less margin

  14. Certifications ISO 27001, ISAE 3402, ITIL (20000)…. • Allows the supplier to do it once • Understand what they actually give you. • Know how to evaluate them • Who certifies • What scope • Statement of Applicability • Be prepared to accept them

  15. Following from Ian’s Points • Generally agree • Enforcing standard change control • Whose standard? • Patching and maintenance • Often the customer’s demand for availability that is the constraint • Privilege user management • You’ve outsourced the service – is it your problem any more? • Depends on the nature of the service. • Notification and approvals can cost more than the management

  16. Recommendations • Be Realistic • What are you actually buying into? • Standard service / ITO? • You are involved in a trade off of control vs. cost! • Not the same as a trade off of security • You may have to accept rather than dictate • Security policy • Visibility

  17. Recommendations • Accept standards certifications • Trust but verify

  18. Recommendations • Don’t use one size fitsall questionnaires/contracts • Wastes everyone’s time • Poor quality answers • Can miss critical questions • E.g. separation between customers

  19. Recommendations • Encourage a generic solution • E.g. common metrics • Better for everyone • Cuts costs • Push continuous improvement • Be a critical friend • Tough but realistic and fair

  20. Cost of Cybercrime Study 2012 (UK)

  21. Credits • Data and graphs from Ponemon Institute report • Sponsorship by HP • Acknowledged with thanks

  22. Getting the Report http://www.hpenterprisesecurity.com/news/resource-center

  23. Purpose • Observe Trends • Quantify Costs (direct/indirect/opportunity) • Loss of Intellectual Property • Disruption to business operations • Revenue loss • Destruction of property • Investigation/detection/recovery • “ex-post” response

  24. Process • 5 page explanation! • Field based interviews • Senior personnel • 38 companies in the UK • >1000 enterprise seats • 3rd year in the US • First time in the UK, Germany, Australia, Japan

  25. US Trends – Annual cost rising

  26. US Trends – Number of attacks

  27. US Trends – Time to Resolution

  28. US Trends – Common attacks

  29. International Comparison • Different attack profile • DoS most likely in UK and Aus • Different valuations • Lower IP cost • Higher disruption

  30. £2.1M Average annual cost

  31. Common • >1 attack per organisation per week • That’s successful attacks

  32. Varies with Organisation size • Total increases with organisation size • Per capita higher for smaller organisation

  33. Affects all Industries • But not equally • Biggest impacts • Defence • Utilities • Finance • Low impact • Hospitality • Retail • Education

  34. Most Common Attacks • The bigger you are the more likely DoS

  35. Most expensive attacks

  36. UK Findings • UK quick to resolve (24 days) • Different mix of attacks • Disruption and revenue loss were the highest external costs • Recovery and detection the biggest internal costs • SIEM deployment did help

  37. Effective Governance Cuts Costs • “Cost saving” of £0.3M where • Adequate resources • Expert staff • Dedicated senior position • Strong security posture cuts costs • SES maturity model

  38. Conclusions • Watch future years for trends • Benchmark information • How do you compare • Confirms what we knew • But with numbers behind it • Raises interesting questions • Help drive appropriate investment

More Related