380 likes | 511 Views
Rhodri Davies. Managed Security Services Chief Technologist HP Enterprise Security Services. A Presentation of 2 Halves. Cyber Crime Study (UK) 2012. Challenges of meeting an Organisation’s security policy/audit in a multi-customer environment.
E N D
Rhodri Davies Managed Security Services Chief Technologist HP Enterprise Security Services
A Presentation of 2 Halves • Cyber Crime Study (UK) 2012 • Challenges of meeting an Organisation’s security policy/audit in a multi-customer environment
The challenges of meting an organisation’s security policy and audit requirements in a multi-customer environment (A view from the other side of the fence)
Drivers are not all the same • Provider • Efficiency • Repeatability • Highest margin • Customer • Perfect fit • Lowest cost • Maximum control • Maximum visibility
Customers are not all the same • Small / Direct • Lack of expertise • 24x7 requirement • Minimal service management staff • Minimal in-house tools • Off the shelf service • Big / ITO • Part of a bigger deal • Outsource strategy • Service management team • Compliance team • Shadow security team • Own tools
Continuum of Service Flexibility Bespoke Higher cost Off the shelf Lower cost Where do you sit? Do the customer and service provider have the same idea? Does everyone in the organisation have the same idea?
Efficiency – a Provider’s View • Do the same thing for all customers • Large number of administrators • 24x7 coverage • Scalability • Communications via a portal • Standard reports • Multi-customer systems • Standard certifications rather than individual review
Managed (Leveraged) Service vs. ITO ITO frequently involves • Dedicated teams/locations • Greater customer control and visibility • Larger deals • More customer leverage • Is what service management teams are used to!
(Real) Customer Expectations • Independent • Change approvals processes • Reports and report processes • Ticketing systems • Incident reporting • Audit processes • Physical requirements • Bunker necessary • Government clearances • Rights to run • On site audits • Forensics • Own contractors • Pen Tests • Specific compliance training • Quarterly confirmations • Lists of admins • Notifications of changes • Regional requirements
Particular Issues (from Provider PoV) These occur in RFP, contracts and audits Assumptions that there are locations and systems dedicated to the customer
Particular Issues (from Provider PoV) Data classification and handling requirements without reference to the data available to the provider • E.g. PCI requirements
Particular Issues (from Provider PoV) Specifying technological solutions not requirements E.g. There must be individual user accounts Rather than There must be an audit trail that tracks each individual to their system activity.
What about Cloud Services • Similar issues driven by economy of scale and efficiency • Even less flexible • More automated • Less margin
Certifications ISO 27001, ISAE 3402, ITIL (20000)…. • Allows the supplier to do it once • Understand what they actually give you. • Know how to evaluate them • Who certifies • What scope • Statement of Applicability • Be prepared to accept them
Following from Ian’s Points • Generally agree • Enforcing standard change control • Whose standard? • Patching and maintenance • Often the customer’s demand for availability that is the constraint • Privilege user management • You’ve outsourced the service – is it your problem any more? • Depends on the nature of the service. • Notification and approvals can cost more than the management
Recommendations • Be Realistic • What are you actually buying into? • Standard service / ITO? • You are involved in a trade off of control vs. cost! • Not the same as a trade off of security • You may have to accept rather than dictate • Security policy • Visibility
Recommendations • Accept standards certifications • Trust but verify
Recommendations • Don’t use one size fitsall questionnaires/contracts • Wastes everyone’s time • Poor quality answers • Can miss critical questions • E.g. separation between customers
Recommendations • Encourage a generic solution • E.g. common metrics • Better for everyone • Cuts costs • Push continuous improvement • Be a critical friend • Tough but realistic and fair
Credits • Data and graphs from Ponemon Institute report • Sponsorship by HP • Acknowledged with thanks
Getting the Report http://www.hpenterprisesecurity.com/news/resource-center
Purpose • Observe Trends • Quantify Costs (direct/indirect/opportunity) • Loss of Intellectual Property • Disruption to business operations • Revenue loss • Destruction of property • Investigation/detection/recovery • “ex-post” response
Process • 5 page explanation! • Field based interviews • Senior personnel • 38 companies in the UK • >1000 enterprise seats • 3rd year in the US • First time in the UK, Germany, Australia, Japan
International Comparison • Different attack profile • DoS most likely in UK and Aus • Different valuations • Lower IP cost • Higher disruption
Common • >1 attack per organisation per week • That’s successful attacks
Varies with Organisation size • Total increases with organisation size • Per capita higher for smaller organisation
Affects all Industries • But not equally • Biggest impacts • Defence • Utilities • Finance • Low impact • Hospitality • Retail • Education
Most Common Attacks • The bigger you are the more likely DoS
UK Findings • UK quick to resolve (24 days) • Different mix of attacks • Disruption and revenue loss were the highest external costs • Recovery and detection the biggest internal costs • SIEM deployment did help
Effective Governance Cuts Costs • “Cost saving” of £0.3M where • Adequate resources • Expert staff • Dedicated senior position • Strong security posture cuts costs • SES maturity model
Conclusions • Watch future years for trends • Benchmark information • How do you compare • Confirms what we knew • But with numbers behind it • Raises interesting questions • Help drive appropriate investment