Securing the Digital Enterprise - Agenda Conference · Securing the Digital Enterprise With the...

Page 1: Securing the Digital Enterprise - Agenda Conference · Securing the Digital Enterprise With the unprecedented value opportunities for digital transformation (DX) lurks an ugly downside

Securing the Digital Enterprise

Pete Lindstrom

VP, Security Research

IDC

Page 2

Securing the Digital Enterprise

With the unprecedented value opportunities for digital transformation (DX) lurks an ugly downside — intelligent adversaries looking for ways to abuse or exploit the complex IT systems that keep things running. Breaches are constantly being identified and disclosed, and IT security professionals are working hard to manage risk, but are challenged to meet security needs in the face of scarce resources and highly dynamic IT architectures. This session cuts through the confusion of how risk is measured and how resources are allocated to create the strongest Digital Security program.

Page 3

Pete Lindstrom

Over 25 years in InfoSec, IT, Finance

Tech Risk Pro performing reading, writing, ‘rithmetic on risk and security matters

Former Marine (Gulf War veteran), ‘Big Six’ IT Auditor (PwC), Internal Auditor (GMAC Mortgage), Security Architect & Director (Wyeth)

BBA Finance, University of Notre Dame; reformed CISA and CISSP

Vice President, Security Strategies

IT Executive Program, IDC

Page 4

Digital Transformation Predictions

Page 5

Digital Transformation is Here

Page 6

Digital Transformation Investments

Source: DX Data Center Study 2017, N = 304

Page 7

Digital Security Vision

Enabling digital transformation through efficient and effective IT adversarial risk management that makes economic decisions supported by evidence and outcome analysis, leading to a security model that aligns with the 3rd platform.

Page 8

3rd Platform Technologies

Page 9

Digital Security MaturityScape

Vision               | Risk Mgt  | People        | Process       | Technologies
Business Alignment   | Approach  | Executives    | Identity      | Identity
Security Objectives  | Methods   | Culture       | Vulnerability | Vulnerability
Oversight            | External  | Security Pros | Threat        | Threat
Economics            | Control   | Worksource    | Trust         | Trust

Page 10

How mature are we?

Page 11

Digital Security Issues

Digital Security: The application of the most effective IT security at the lowest cost.

Key Issue: Create a security upside that enables secure Digital Transformation.

Value Proposition:

• Improve control effectiveness.

• Optimize security spending.

• Create dynamic security program.

Research Themes (enable digital transformation via IT adversarial risk management):

• Security Economics

• Security at Scale

• Security Measures

Challenges: 3rd Platform; Regulators; Risk Management

Page 12

Virtuous Digital Security Cycle

Security Metrics (gather evidence) -> Security Economics (make decisions) -> Security at Scale (apply controls) -> back to Security Metrics

Page 13

Evidence and Outcomes

Page 14

Key Risk Indicators (KRIs)

Columns: Control | Outcome | Population | Efficacy / Errors | Normalized

Endpoint Antimalware
  Outcome: allowed/denied
  Population: File Objects
  Efficacy / Errors: Malware blocked (TP); Legitimate file allowed (TN); Legitimate file blocked (FP); Malware allowed (FN)
  Normalized: Number of files transmitted; Total files; Number of endpoints; Number of users; Business Unit/Department

Firewall
  Outcome: connections allowed/denied
  Population: Network Flows/Connections
  Efficacy / Errors: Connection blocked (TP); Legitimate connection allowed (TN); Legitimate connection blocked (FP); Connection allowed (FN)
  Normalized: Number of flows; Number of active IP addresses; Number of open ports; Number of applications; Business unit/Department

Intrusion Prevention
  Outcome: flows allowed/denied
  Population: Network Flows/Connections; File Objects
  Efficacy / Errors: Connection/malware blocked (TP); Legitimate connection/file allowed (TN); Legitimate connection/file blocked (FP); Connection/malware allowed (FN)
  Normalized: Number of flows; Number of active IP addresses; Number of open ports; Number of files transmitted; Number of applications; Business unit/Department

Email Security
  Outcome: messages allowed/denied
  Population: Email Messages
  Efficacy / Errors: Phish/malware blocked (TP); Legitimate email allowed (TN); Legitimate email blocked (FP); Phish/malware allowed (FN)
  Normalized: Number of messages; Number of users

Secure Web Gateway
  Outcome: sessions allowed/denied
  Population: Web Sessions (outbound)
  Efficacy / Errors: Malicious/inappropriate Web blocked (TP); Legit Web session allowed (TN); Legit Web session blocked (FP); Malicious/inappropriate Web allowed (FN)
  Normalized: Number of Web sessions; Number of users

Page 15

Matthews Correlation Coefficient
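The KRI table on the previous slide records each control's outcomes as TP/TN/FP/FN, and this slide names the Matthews correlation coefficient as the way to score them. The following example is added here and is not part of the IDC deck; it computes accuracy, error rates, MCC and a normalized "per N" KRI from those four counts, and ranks controls by MCC. All counts and populations are constructed sample figures, not measured data. The point it demonstrates is the one the slide implies: accuracy is dominated by the legitimate majority, so a gateway that allows everything still scores about 98% accuracy while its MCC is 0.

```python
# Added example (not from the IDC deck): turn the KRI table's TP/TN/FP/FN
# outcomes into efficacy metrics, including the Matthews correlation
# coefficient (MCC), and normalize error counts against a population.
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class ControlOutcomes:
    """One control's outcomes over a measurement window, in the slide's
    vocabulary: blocked malicious = TP, allowed legitimate = TN,
    blocked legitimate = FP, allowed malicious = FN."""
    control: str
    tp: int
    tn: int
    fp: int
    fn: int

    @property
    def total(self) -> int:
        return self.tp + self.tn + self.fp + self.fn


def accuracy(c: ControlOutcomes) -> float:
    """Share of all decisions that were correct. Flattering whenever
    legitimate traffic dwarfs malicious traffic, which is the normal case."""
    return (c.tp + c.tn) / c.total if c.total else 0.0


def false_negative_rate(c: ControlOutcomes) -> float:
    """Malicious objects that got through, as a share of all malicious objects."""
    denom = c.tp + c.fn
    return c.fn / denom if denom else 0.0


def false_positive_rate(c: ControlOutcomes) -> float:
    """Legitimate objects blocked, as a share of all legitimate objects (friction)."""
    denom = c.fp + c.tn
    return c.fp / denom if denom else 0.0


def mcc(c: ControlOutcomes) -> float:
    """Matthews correlation coefficient in [-1, 1]: +1 is a perfect control,
    0 is no better than chance, -1 is perfectly wrong. It uses all four cells,
    so a control that allows everything scores 0 despite near-perfect accuracy.
    A zero denominator (an empty row or column of the confusion matrix) is
    reported as 0.0 rather than raising."""
    numerator = c.tp * c.tn - c.fp * c.fn
    denominator = sqrt((c.tp + c.fp) * (c.tp + c.fn) * (c.tn + c.fp) * (c.tn + c.fn))
    return numerator / denominator if denominator else 0.0


def normalized(count: int, population: int, per: int = 1000) -> float:
    """Express a raw count 'per N' of a population from the table's Normalized
    column (files, endpoints, users, flows) so windows and units compare."""
    return count * per / population if population else 0.0


def rank_by_mcc(controls):
    """Controls ordered from strongest to weakest by MCC."""
    return sorted(controls, key=mcc, reverse=True)


# Constructed sample outcomes for one reporting window (not measured values).
ENDPOINT = ControlOutcomes("Endpoint Antimalware", tp=40, tn=99_500, fp=60, fn=10)
EMAIL = ControlOutcomes("Email Security", tp=900, tn=48_000, fp=300, fn=100)
ALLOW_ALL = ControlOutcomes("Misconfigured gateway (allows everything)",
                            tp=0, tn=48_300, fp=0, fn=1_000)
PERFECT = ControlOutcomes("Ideal control", tp=5, tn=5, fp=0, fn=0)

if __name__ == "__main__":
    for c in rank_by_mcc([ENDPOINT, EMAIL, ALLOW_ALL, PERFECT]):
        print(f"{c.control:44} acc={accuracy(c):.4f} fnr={false_negative_rate(c):.3f} "
              f"fpr={false_positive_rate(c):.4f} mcc={mcc(c):.3f}")
    # Normalized KRI: malware allowed per 1,000 endpoints (endpoint count constructed).
    print("Malware allowed per 1,000 endpoints:", normalized(ENDPOINT.fn, population=2_500))
```

Reporting the same event counts "per 1,000 endpoints" or "per million files" is what makes two business units, or two reporting windows of different length, comparable; MCC is the single number to track when the question is whether a control discriminates at all.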

Page 16

Virtuous Digital Security Cycle

Security Metrics (gather evidence) -> Security Economics (make decisions) -> Security at Scale (apply controls) -> back to Security Metrics

Page 17

The Risk Equation

Probability              x  Value   =  Expected Value
Threat x Vulnerability   x  Impact  =  Risk

Threat (Attacker’s Risk): Ease of exploit; Possible gains; Possible loss

Vulnerability (Security Posture): Attack surface; Offset by controls

Impact (Costs & Losses): Lost value; Response & recovery; Legal expenses

Page 18

Risk Reduced per Unit Cost

RRUC = Risk Reduced ($) / Total Cost of Ownership ($)

where RR = Risk’ – Risk, or (probability*impact)’ – (probability*impact),

and TCO = Annualized Capital Costs (hardware, software) + Labor + Maintenance + Service

Page 19

Economics: Estimate Costs

Page 20

Economics: Estimate Losses

Page 21

Virtuous Digital Security Cycle

Security Metrics (gather evidence) -> Security Economics (make decisions) -> Security at Scale (apply controls) -> back to Security Metrics

Page 22

Traditional Perimeter

[Diagram: a single perimeter enclosing clients, servers, applications (APP) and data]

Page 23

Distributed Integrity