Securing the Digital Enterprise - Agenda Conference · Securing the Digital Enterprise With the...

Post on 07-Apr-2020


Securing the Digital Enterprise

Pete Lindstrom

VP, Security Research

IDC

Securing the Digital Enterprise

With the unprecedented value opportunities for digital transformation (DX) lurks an ugly downside — intelligent adversaries looking for ways to abuse or exploit the complex IT systems that keep things running. Breaches are constantly being identified and disclosed, and IT security professionals are working hard to manage risk, but are challenged to meet security needs in the face of scarce resources and highly dynamic IT architectures. This session cuts through the confusion of how risk is measured and how resources are allocated to create the strongest Digital Security program.

Pete Lindstrom

Over 25 years in InfoSec, IT, Finance

Tech Risk Pro performing reading, writing, ‘rithmetic on risk and security matters

Former Marine (Gulf War veteran), ‘Big Six’ IT Auditor (PwC), Internal Auditor (GMAC Mortgage), Security Architect & Director (Wyeth)

BBA Finance, University of Notre Dame; reformed CISA and CISSP

Vice President, Security Strategies

IT Executive Program, IDC

Digital Transformation Predictions

Digital Transformation is Here

Digital Transformation Investments

Source: DX Data Center Study 2017, N = 304

Digital Security Vision

Enabling digital transformation through efficient and effective IT adversarial risk management that makes economic decisions supported by evidence and outcome analysis, leading to a security model that aligns with the 3rd platform.

3rd Platform Technologies

Digital Security MaturityScape

Vision: Business Alignment; Security Objectives; Oversight; Economics

Risk Mgt: Approach; Methods; External; Control

People: Executives; Culture; Security Pros; Worksource

Process: Identity; Vulnerability; Threat; Trust

Technologies: Identity; Vulnerability; Threat; Trust

How mature are we?

Digital Security Issues

Value Proposition:

• Improve control effectiveness.

• Optimize security spending.

• Create dynamic security program.

Security Economics

Security at Scale

Security Measures

Research Themes

Enable digital transformation via IT adversarial risk management

Digital Security

The application of the most effective IT security at the lowest cost.

Key Issue

Create a security upside that enables secure Digital Transformation

3rd Platform

Regulators

Risk Management

Challenges

Virtuous Digital Security Cycle

Security Metrics (gather evidence)

Security Economics (make decisions)

Security at Scale (apply controls)

Evidence and Outcomes

Key Risk Indicators (KRIs)

Columns: Control; Outcome; Population; Efficacy / Errors; Normalized

Control: Endpoint Antimalware
Outcome: allowed/denied
Population: File Objects
Efficacy / Errors: Malware blocked (TP); Legitimate file allowed (TN); Legitimate file blocked (FP); Malware allowed (FN)
Normalized: Number of files transmitted; Total files; Number of endpoints; Number of users; Business Unit/Department

Control: Firewall
Outcome: connections allowed/denied
Population: Network Flows/Connections
Efficacy / Errors: Connection blocked (TP); Legitimate connection allowed (TN); Legitimate connection blocked (FP); Connection allowed (FN)
Normalized: Number of flows; Number of active IP addresses; Number of open ports; Number of applications; Business unit/Department

Control: Intrusion Prevention
Outcome: flows allowed/denied
Population: Network Flows/Connections; File Objects
Efficacy / Errors: Connection/malware blocked (TP); Legitimate connection/file allowed (TN); Legitimate connection/file blocked (FP); Connection/malware allowed (FN)
Normalized: Number of flows; Number of active IP addresses; Number of open ports; Number of files transmitted; Number of applications; Business unit/Department

Control: Email Security
Outcome: messages allowed/denied
Population: Email Messages
Efficacy / Errors: Phish/malware blocked (TP); Legitimate email allowed (TN); Legitimate email blocked (FP); Phish/malware allowed (FN)
Normalized: Number of messages; Number of users

Control: Secure Web Gateway
Outcome: sessions allowed/denied
Population: Web Sessions (outbound)
Efficacy / Errors: Malicious/inappropriate Web blocked (TP); Legit Web session allowed (TN); Legit Web session blocked (FP); Malicious/inappropriate Web allowed (FN)
Normalized: Number of Web sessions; Number of users

Matthews Correlation Coefficient
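The KRI table above pairs each control with the four confusion-matrix cells (TP, TN, FP, FN), a population to normalize against, and the Matthews correlation coefficient as the single efficacy figure. The following is an added example, not code from the IDC deck, showing how those figures are produced from per-file outcome records for the Endpoint Antimalware row. The Outcome record layout, the hypothetical endpoint names, and the sample verdicts are all constructed for this illustration.

```python
"""Added example, not from the IDC deck: compute the KRI figures the slide
lists for the Endpoint Antimalware control from per-file outcome records.
Record layout and sample data are constructed for this example."""
from collections import Counter
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Outcome:
    endpoint: str     # endpoint that saw the file (hypothetical host names)
    verdict: str      # what the control did: "blocked" or "allowed"
    malicious: bool   # ground truth settled later (sandbox, incident follow-up)


# Constructed sample: one day of antimalware verdicts on four endpoints.
# By construction: 6 malware blocked, 10 clean allowed, 1 clean blocked, 2 malware allowed.
SAMPLE = [Outcome(*row) for row in [
    ("ep-01", "blocked", True), ("ep-01", "allowed", False), ("ep-01", "allowed", False),
    ("ep-01", "blocked", True), ("ep-01", "allowed", True),
    ("ep-02", "blocked", True), ("ep-02", "allowed", False), ("ep-02", "allowed", False),
    ("ep-02", "blocked", False),
    ("ep-03", "blocked", True), ("ep-03", "allowed", False), ("ep-03", "allowed", False),
    ("ep-03", "allowed", False), ("ep-03", "blocked", True),
    ("ep-04", "allowed", False), ("ep-04", "allowed", True), ("ep-04", "blocked", True),
    ("ep-04", "allowed", False), ("ep-04", "allowed", False),
]]


def confusion(outcomes):
    """Bucket each record into the slide's four cells: TP, TN, FP, FN."""
    cells = Counter()
    for o in outcomes:
        if o.verdict not in ("blocked", "allowed"):
            raise ValueError(f"unexpected verdict {o.verdict!r}")
        blocked = o.verdict == "blocked"
        if blocked and o.malicious:
            cells["TP"] += 1        # malware blocked
        elif not blocked and not o.malicious:
            cells["TN"] += 1        # legitimate file allowed
        elif blocked and not o.malicious:
            cells["FP"] += 1        # legitimate file blocked
        else:
            cells["FN"] += 1        # malware allowed
    return {k: cells[k] for k in ("TP", "TN", "FP", "FN")}


def mcc(cm):
    """Matthews correlation coefficient: +1 perfect, 0 no better than chance, -1 inverted.
    Returns 0.0 when any marginal is empty (the usual convention for the undefined case)."""
    tp, tn, fp, fn = cm["TP"], cm["TN"], cm["FP"], cm["FN"]
    denom = sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return 0.0 if denom == 0 else (tp * tn - fp * fn) / denom


def kri_summary(outcomes):
    """Efficacy, error rates, and figures normalized as in the table's 'Normalized' column."""
    cm = confusion(outcomes)
    total_files = sum(cm.values())
    endpoints = {o.endpoint for o in outcomes}
    malicious = cm["TP"] + cm["FN"]
    legitimate = cm["TN"] + cm["FP"]
    return {
        **cm,
        "total_files": total_files,
        "endpoints": len(endpoints),
        # share of malware the control actually stopped
        "efficacy": cm["TP"] / malicious if malicious else 0.0,
        # share of legitimate files wrongly blocked (the cost to the business)
        "fp_rate": cm["FP"] / legitimate if legitimate else 0.0,
        # missed malware normalized by population and by endpoint count
        "fn_per_1000_files": 1000 * cm["FN"] / total_files if total_files else 0.0,
        "fn_per_endpoint": cm["FN"] / len(endpoints) if endpoints else 0.0,
        "mcc": mcc(cm),
    }


if __name__ == "__main__":
    for key, value in kri_summary(SAMPLE).items():
        print(f"{key:>18}: {value:.4f}" if isinstance(value, float) else f"{key:>18}: {value}")
```

The ground-truth column is the expensive part in practice: a verdict only becomes a TP or FN once something other than the control itself (sandbox detonation, incident follow-up, a second engine) has settled whether the file was malicious, which is why the slide separates the outcome the control reports from the efficacy cells.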


The Risk Equation

Expected Value = Probability x Value

Risk = Threat x Vulnerability x Impact

Threat (Attacker’s Risk): Ease of exploit; Possible gains; Possible loss

Vulnerability (Security Posture): Attack surface; Offset by controls

Impact (Costs & Losses): Lost value; Response & recovery; Legal expenses

Risk Reduced per Unit Cost

RRUC = Risk Reduced ($) / Total Cost of Ownership ($)

where RR = Risk’ – Risk, or (probability*impact)’ – (probability*impact)

and TCO = Annualized Capital Costs (hardware, software) + Labor + Maintenance + Service
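The RRUC definition above is a ranking metric: risk reduced in dollars, computed as the change in probability*impact, divided by annual TCO. The following is an added example, not from the IDC deck, that applies it to several candidate controls and then picks controls in RRUC order under a fixed budget. The control names, probabilities, impacts and cost figures are constructed for the example, and the sign convention (risk before minus risk after, so that a reduction is positive) is an assumption made here for readability.

```python
"""Added example, not from the IDC deck: rank candidate controls by Risk Reduced
per Unit Cost (RRUC) using the slide's definitions. Control names, probabilities,
impacts and costs below are constructed figures, not IDC data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    prob_before: float       # annual probability of the loss event without the control
    prob_after: float        # annual probability with the control in place
    impact: float            # expected loss per event ($), from the loss estimate
    capex: float             # hardware + software purchase ($)
    useful_life_years: int   # period over which capex is annualized
    labor: float             # annual ($)
    maintenance: float       # annual ($)
    service: float           # annual ($)


def annual_tco(c):
    """TCO = Annualized Capital Costs (hardware, software) + Labor + Maintenance + Service."""
    if c.useful_life_years <= 0:
        raise ValueError("useful life must be positive to annualize capex")
    return c.capex / c.useful_life_years + c.labor + c.maintenance + c.service


def risk_reduced(c):
    """RR as probability*impact before the control minus probability*impact after it.
    The slide writes the difference as Risk' - Risk; the sign here is chosen so that
    a reduction comes out positive (assumption made for this example)."""
    return c.prob_before * c.impact - c.prob_after * c.impact


def rruc(c):
    """Risk reduced ($) per dollar of annual TCO; higher is better."""
    tco = annual_tco(c)
    if tco <= 0:
        raise ValueError(f"{c.name}: TCO must be positive")
    return risk_reduced(c) / tco


def rank_controls(controls):
    """Candidates ordered from best to worst RRUC."""
    return sorted(controls, key=rruc, reverse=True)


def select_within_budget(controls, budget):
    """Greedy pick in RRUC order; skip a control whose annual TCO no longer fits.
    Controls that reduce no risk are never chosen. Returns chosen names in pick order."""
    chosen, remaining = [], budget
    for c in rank_controls(controls):
        cost = annual_tco(c)
        if rruc(c) > 0 and cost <= remaining:
            chosen.append(c.name)
            remaining -= cost
    return chosen


# Constructed candidates (figures invented for the example).
CANDIDATES = [
    Control("Email security gateway", 0.40, 0.10, 500_000, 60_000, 3, 40_000, 10_000, 5_000),
    Control("Endpoint antimalware",   0.30, 0.12, 400_000, 30_000, 3, 25_000, 6_000, 0),
    Control("Network IPS",            0.25, 0.20, 800_000, 120_000, 4, 60_000, 15_000, 10_000),
]

if __name__ == "__main__":
    for c in rank_controls(CANDIDATES):
        print(f"{c.name:<24} RR=${risk_reduced(c):>10,.0f}  "
              f"TCO=${annual_tco(c):>9,.0f}  RRUC={rruc(c):.2f}")
    print("within $120,000:", select_within_budget(CANDIDATES, 120_000))
```

Greedy selection by RRUC is a first-pass prioritization, not an optimum: two cheap controls can together beat one expensive control with a higher ratio, and the probabilities feeding RR are exactly the evidence the KRI slide is meant to supply, so the ranking is only as good as those estimates.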

Economics: Estimate Costs

Economics: Estimate Losses


Traditional Perimeter (diagram: Clients, Servers, Apps, Data)

Distributed Integrity