Rhodri Davies - PowerPoint PPT Presentation (38 slides)
Rhodri Davies. Managed Security Services Chief Technologist HP Enterprise Security Services. A Presentation of 2 Halves. Cyber Crime Study (UK) 2012. Challenges of meeting an Organisation’s security policy/audit in a multi-customer environment.

    Presentation Transcript
    1. Rhodri Davies, Managed Security Services Chief Technologist, HP Enterprise Security Services

    2. A Presentation of 2 Halves
    • Cyber Crime Study (UK) 2012
    • Challenges of meeting an Organisation’s security policy/audit in a multi-customer environment

    3. The challenges of meeting an organisation’s security policy and audit requirements in a multi-customer environment (A view from the other side of the fence)

    4. Drivers are not all the same
    • Provider
      • Efficiency
      • Repeatability
      • Highest margin
    • Customer
      • Perfect fit
      • Lowest cost
      • Maximum control
      • Maximum visibility

    5. Customers are not all the same
    • Small / Direct
      • Lack of expertise
      • 24x7 requirement
      • Minimal service management staff
      • Minimal in-house tools
      • Off the shelf service
    • Big / ITO
      • Part of a bigger deal
      • Outsource strategy
      • Service management team
      • Compliance team
      • Shadow security team
      • Own tools

    6. Continuum of Service Flexibility
    Bespoke (higher cost) ↔ Off the shelf (lower cost)
    Where do you sit? Do the customer and service provider have the same idea? Does everyone in the organisation have the same idea?

    7. Efficiency – a Provider’s View
    • Do the same thing for all customers
    • Large number of administrators
    • 24x7 coverage
    • Scalability
    • Communications via a portal
    • Standard reports
    • Multi-customer systems
    • Standard certifications rather than individual review

    8. Managed (Leveraged) Service vs. ITO
    ITO frequently involves
    • Dedicated teams/locations
    • Greater customer control and visibility
    • Larger deals
    • More customer leverage
    • Is what service management teams are used to!

    9. (Real) Customer Expectations
    • Independent
      • Change approvals processes
      • Reports and report processes
      • Ticketing systems
      • Incident reporting
      • Audit processes
    • Physical requirements
      • Bunker necessary
      • Government clearances
    • Rights to run
      • On site audits
      • Forensics
      • Own contractors
      • Pen Tests
    • Specific compliance training
    • Quarterly confirmations
      • Lists of admins
      • Notifications of changes
    • Regional requirements

    10. Particular Issues (from Provider PoV)
    These occur in RFP, contracts and audits:
    • Assumptions that there are locations and systems dedicated to the customer

    11. Particular Issues (from Provider PoV)
    • Data classification and handling requirements without reference to the data available to the provider
      • E.g. PCI requirements

    12. Particular Issues (from Provider PoV)
    • Specifying technological solutions, not requirements
      • E.g. “There must be individual user accounts”
      • Rather than “There must be an audit trail that tracks each individual to their system activity.”

    13. What about Cloud Services
    • Similar issues driven by economy of scale and efficiency
    • Even less flexible
    • More automated
    • Less margin

    14. Certifications
    ISO 27001, ISAE 3402, ITIL (20000)….
    • Allows the supplier to do it once
    • Understand what they actually give you.
      • Know how to evaluate them
      • Who certifies
      • What scope
      • Statement of Applicability
    • Be prepared to accept them

    15. Following from Ian’s Points
    • Generally agree
    • Enforcing standard change control
      • Whose standard?
    • Patching and maintenance
      • Often the customer’s demand for availability that is the constraint
    • Privileged user management
      • You’ve outsourced the service – is it your problem any more?
      • Depends on the nature of the service.
    • Notification and approvals can cost more than the management

    16. Recommendations
    • Be Realistic
      • What are you actually buying into?
      • Standard service / ITO?
    • You are involved in a trade off of control vs. cost!
      • Not the same as a trade off of security
    • You may have to accept rather than dictate
      • Security policy
      • Visibility

    17. Recommendations
    • Accept standards certifications
    • Trust but verify

    18. Recommendations
    • Don’t use one size fits all questionnaires/contracts
      • Wastes everyone’s time
      • Poor quality answers
      • Can miss critical questions
        • E.g. separation between customers

    19. Recommendations
    • Encourage a generic solution
      • E.g. common metrics
      • Better for everyone
      • Cuts costs
    • Push continuous improvement
    • Be a critical friend
      • Tough but realistic and fair

    20. Cost of Cybercrime Study 2012 (UK)

    21. Credits
    • Data and graphs from Ponemon Institute report
    • Sponsorship by HP
    • Acknowledged with thanks

    22. Getting the Report http://www.hpenterprisesecurity.com/news/resource-center

    23. Purpose
    • Observe Trends
    • Quantify Costs (direct/indirect/opportunity)
      • Loss of Intellectual Property
      • Disruption to business operations
      • Revenue loss
      • Destruction of property
      • Investigation/detection/recovery
      • “ex-post” response

    24. Process
    • 5 page explanation!
    • Field based interviews
      • Senior personnel
    • 38 companies in the UK
      • >1000 enterprise seats
    • 3rd year in the US
    • First time in the UK, Germany, Australia, Japan

    25. US Trends – Annual cost rising

    26. US Trends – Number of attacks

    27. US Trends – Time to Resolution

    28. US Trends – Common attacks

    29. International Comparison
    • Different attack profile
      • DoS most likely in UK and Aus
    • Different valuations
      • Lower IP cost
      • Higher disruption

    30. £2.1M Average annual cost

    31. Common
    • >1 attack per organisation per week
      • That’s successful attacks

    32. Varies with Organisation size
    • Total increases with organisation size
    • Per capita higher for smaller organisation

    33. Affects all Industries
    • But not equally
    • Biggest impacts
      • Defence
      • Utilities
      • Finance
    • Low impact
      • Hospitality
      • Retail
      • Education

    34. Most Common Attacks
    • The bigger you are the more likely DoS

    35. Most expensive attacks

    36. UK Findings
    • UK quick to resolve (24 days)
    • Different mix of attacks
    • Disruption and revenue loss were the highest external costs
    • Recovery and detection the biggest internal costs
    • SIEM deployment did help

    37. Effective Governance Cuts Costs
    • “Cost saving” of £0.3M where
      • Adequate resources
      • Expert staff
      • Dedicated senior position
    • Strong security posture cuts costs
      • SES maturity model

    38. Conclusions
    • Watch future years for trends
    • Benchmark information
      • How do you compare
    • Confirms what we knew
      • But with numbers behind it
    • Raises interesting questions
    • Help drive appropriate investment