Pwc Threat And Vulnerability Management (TVM)

Transcription

www.pwc.com
Threat and Vulnerability Management (TVM)
Protecting IT assets through a comprehensive program
Chicago IIA/ISACA 2nd Annual Hacking Conference
October 2015

Introductions
Paul Hinds, Managing Director, Cybersecurity and Privacy Practice, Chicago, IL, paul.hinds@pwc.com
David Eccles-Ambrose, Senior Associate, Cybersecurity and Privacy Practice, Chicago, IL, david.eccles-ambrose@pwc.com
Threat and Vulnerability Management (TVM), PwC, October 2015

Agenda
1. Changing Risk and Protection Models
2. Threat and Vulnerability Management Programs
3. Questions

Changing Risk and Protection Models

Data Privacy & Information Security Risks
Risk Factors

Compliance
- Compliance with government or industry regulations (HIPAA, PCI, GLBA, COPPA, FTC Act)
- Compliance with self-regulatory frameworks (i.e., U.S.-EU Safe Harbor, TRUSTe, DMA OBA Principles)

Financial
Companies face several financial risks associated with a breach:
- Federal or state regulatory fines
- Stock price decline
- Remediation efforts

Reputational
- Negative impact to the brand
- Loss of employee, customer, & investor confidence

Legal/Regulatory
- Companies are experiencing increasing lawsuits from employees, customers, and investors
- Enforcement actions from federal and state agencies
- Regulatory inquiries may require long-term third party remediation in order to verify regulatory compliance

What kinds of questions should you be asking?

1. Company Culture
- What are the company's compliance requirements?
- What is the culture of the company and what is the philosophy regarding data privacy and security?
- Who will lead the efforts for information security & privacy (e.g., Steering Committee)?
- How does the company ensure alignment between the management and staff?
- What is the company trying to achieve with its information security/privacy program?

2. Sensitive Information
- What sensitive data does the company collect, use, disclose, dispose, etc.?
- Is there a process to ensure customers are provided proper notice, choice, and consent with respect to the company's data collection, use, and disclosure practices?
- How does the company ensure data practices comply with customer privacy notices/policies?
- Has the company classified and inventoried that data?

3. Threats
- Has the company's data been exposed, and would management know if it were?
- Does the company know what breach indicators it should be monitoring?
- Has the company released any new products that collect PII/SPI (i.e., websites, mobile apps, etc.)?
- Has the company introduced any new technologies that access or store sensitive information (i.e., mobile devices, social media sites, cloud service providers, etc.)?

4. Building Protections
- Has the company established formal governance and controls around the data privacy lifecycle (i.e., notice, consent/choice, collection, access, disclosure, use, retention, disposal, security, etc.)?
- Are such controls and safeguards periodically tested and monitored?
- Have the controls and safeguards been updated to respond to changing business models?

5. Responding to Incidents
- Has the company established formal plans to respond to privacy and security incidents when they occur?
- Is there a cross-functional team in place to monitor, investigate and respond to incidents?
- Is the company prepared to respond to legal actions?
- If a regulator were to inquire or investigate, would the company be prepared to respond?

Having a Program In Place to Protect Data
A comprehensive program is needed to address the myriad of compliance requirements, and to protect consumer information and sensitive

Program components:
- Monitoring & Auditing
- Risk Assessment
- Training & Awareness
- Processes & Controls
- Technical Security & Controls

Global State of Information Security Survey
Industry practice or tool, with the percent of respondents using the respective practice or tool:
- Have an overall information security strategy: 81%
- Employ Chief Information Security Officer: 74%
- Employ security information & event management (SIEM) technologies: 66%
- Established security baselines/standards for [remainder of row not captured in the transcription]
- Security strategy for employee use of personal devices on the enterprise: 62%
- Intrusion-prevention tools: 60%
- Vulnerability scanning tools: 60%
- Intrusion-detection tools: 60%
- Active monitoring/analysis of information security intelligence: 59%
- Vulnerability assessments: 54%
Source: www.pwc.com/gsiss2015

Threat and Vulnerability Management (TVM) Programs

Breach Indicator Methodology

1. Baseline Network Scan
- Acquire running state information from the information technology network using WMI/Linux shell scripts
- Configure scanning tools to network specifications
- Use initial scan data to represent the current state of the network
Why? Customize and tune our solution for the client network

2. Analysis of Running Processes
- Review and analyze collected running process information for workstations and servers
- Analyze for statistical anomalies and compare against our proprietary list of known breach indicators
Why? Determine present state deviation from baseline

3. Network Log Analysis
- Review collected information for network connections
- May request certain log data from monitoring technologies for analysis (firewall, proxy, Web server, Intrusion Detection System, etc.)
Why? Correlate end-point results with expanded network knowledge

4. Output Analysis / Threat Intelligence Review
- Work with internal information technology teams to determine business justification for processes and network connections that exist within the environment
- Establish a baseline limited to authorized system or network activity
Why? Validate technical results and build threat profile

5. Report Findings
- Categorize the assessment observations by risk in a detailed observations matrix for leadership to review
- Business impact discussion with key stakeholders
- Provide a thorough picture of the state of the network
Why? Document results for stakeholder remediation decisions
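The core of steps 1, 2, 4 and 5 above (snapshot the running state, diff it against the authorized baseline, compare deviations with a breach-indicator list, rank them for the observations matrix) as an added Python example; this is not PwC's tooling, and the snapshots, hostnames, paths, the 198.51.100.7 address and the indicator list are all constructed stand-ins for what the WMI/shell collectors and the proprietary indicator list would supply.

```python
# Added example, not from the original deck: baseline-deviation and
# breach-indicator review over constructed process/connection snapshots.

# Constructed sample data: one record per (host, process, image path, remote endpoint).
BASELINE = [
    ("ws01", "explorer.exe", r"C:\Windows\explorer.exe", None),
    ("ws01", "outlook.exe", r"C:\Program Files\Microsoft Office\outlook.exe", "10.0.0.5:443"),
    ("srv01", "sqlservr.exe", r"C:\Program Files\Microsoft SQL Server\sqlservr.exe", None),
    ("srv02", "sshd", "/usr/sbin/sshd", None),
]
# Later scan of the same hosts: the baseline plus three records to review.
CURRENT = BASELINE + [
    ("ws01", "svchost.exe", r"C:\Users\Public\svchost.exe", "198.51.100.7:4444"),
    ("srv02", "cron", "/usr/sbin/cron", None),
    ("srv01", "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "198.51.100.7:443"),
]

# Constructed indicator list (a stand-in for the proprietary list named on the slide).
# Each test receives (process name, image path, remote endpoint or None).
INDICATORS = {
    "system binary outside system dir": lambda p, path, r: (
        p.lower() in {"svchost.exe", "lsass.exe"}
        and not path.lower().startswith(r"c:\windows\system32")),
    "known-bad remote address": lambda p, path, r: (
        r is not None and r.split(":")[0] in {"198.51.100.7"}),
}

def deviations(baseline, current):
    """Records present in the current scan but absent from the authorized baseline."""
    seen = set(baseline)
    return [rec for rec in current if rec not in seen]

def match_indicators(records, indicators=INDICATORS):
    """Map each record to the indicator names it triggers (empty list = no indicator hit)."""
    return {rec: [name for name, test in indicators.items() if test(rec[1], rec[2], rec[3])]
            for rec in records}

def observations_matrix(baseline, current):
    """Rows of (indicator hits, host, process, hit names), highest risk first,
    for the leadership review; rows with no hits still need business justification."""
    hits = match_indicators(deviations(baseline, current))
    rows = [(len(names), host, proc, names) for (host, proc, _, _), names in hits.items()]
    return sorted(rows, key=lambda row: (-row[0], row[1], row[2]))

if __name__ == "__main__":
    for hits, host, proc, names in observations_matrix(BASELINE, CURRENT):
        print(f"{hits} {host:6} {proc:16} {', '.join(names) or 'needs business justification'}")
```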

Components of a TVM Program
At the center: the threat and vulnerability management program, surrounded by six components:
- TVM Security Strategy & Planning: defining program ownership, policies and procedures, and integration with the enterprise risk management program
- Threat Detection: detecting breaches, rogue technologies, and malicious activities
- Vulnerability Detection: actively identifying asset weaknesses before they can be exploited by an attack
- Threat and Vulnerability Evaluation: evaluating threats and vulnerabilities and establishing communication and tracking mechanisms
- Remediation and Response: isolating and resolving asset security issues once identified
- Security Information Management and Sustenance: actively monitoring and enhancing the TVM program

TVM Program – 20 Integrated Capabilities

TVM Security Strategy & Planning
- Program ownership
- Policy and procedures
- Integration with risk management

Threat Detection
- Intrusion monitoring
- Malicious program detection
- Rogue technology discovery
- Log activity analysis

Vulnerability Detection
- Compliance testing
- Vulnerability scanning
- Penetration testing
- Intelligence analysis

Threat and Vulnerability Evaluation
- Security intelligence
- Communication and tracking
- Controls effectiveness evaluation

Remediation and Response
- Security infrastructure implementation
- Security remediation
- Incident response

Security Information Management and Sustenance
- Program maturity enhancement
- Threat awareness
- Reporting

TVM Program – Scorecard
Scorecard graphic rating each of the 20 integrated capabilities listed above; the ratings themselves were not captured in the transcription.

TVM Security Strategy & Planning Assessment
Defining program ownership, policies, procedures, and integration with the enterprise risk management program.
- Program ownership: The governance structure must ensure that designated individuals have the capacity to hold asset owners accountable.
- Policy and procedure: Management's intent and directives are documented in the relevant policies and procedures, but must be enhanced with additional security awareness training.
- Integration with risk management: An integrated TVM program which enhances the overall enterprise information security risk management program.

Threat Detection Capabilities Analysis
Actively identifying and isolating threats to minimize their impact upon assets.
- Intrusion monitoring: There are lots of options, host based like OSSEC or network based like SNORT, but how do you assess the effectiveness of the intrusion monitoring?
- Malicious program detection: Rogue security software, adware, and spyware.
- Rogue technology discovery: It can be difficult to detect, prevent, and control rogue technologies in most enterprise environments. Network Access Control (Cisco ISE); detect unapproved wireless devices with Cisco CleanAir.
- Log activity analysis: How do you effectively manage your log monitoring and anomaly detection capabilities? SIEM tools like AlienVault, LogRhythm, and Splunk?
- Breach indicator analysis: Immature organizations lack basic capabilities to identify indicators of a security breach.

Vulnerability Detection Analysis
Actively identifying asset weaknesses before they can be exploited by an attack.
- Compliance testing: How do you evaluate conformance with established security guidelines and policies, and compliance monitoring techniques? Unreliable scanning or time consuming audits?
- Vulnerability scanning: Enhance vulnerability scanning capabilities by assessing factors such as tools, techniques, scope and frequency. Nessus, Nexpose, QualysGuard.
- Penetration testing: Penetration testing assesses factors such as methodology, attack scenarios, scope and frequency.
- Intelligence analysis: Security intelligence should be gathered from multiple sources and effectively leveraged through use of intelligence tools.

Threat and Vulnerability Evaluation Analysis
Evaluating threats and vulnerabilities and establishing communication and tracking mechanisms.
- Security intelligence: A big data analytics approach (ArcSight or QRadar) ensures assimilation and correlation of security information and the process of responding to the identified issues.
- Communication and tracking: How are identified threats and vulnerabilities being communicated and tracked until closure?
- Controls effectiveness evaluation: Assess the process of evaluating the controls and mitigating mechanisms.

Threat and Vulnerability Remediation and Response Analysis
Isolating and resolving asset security issues once identified.
- Security infrastructure implementation: Enforce change management and configuration management processes to ensure infrastructure and controls are implemented consistently with the company's security standards, such that they achieve the desired benefits and functionality.
- Security remediation: Security remediation of the vulnerabilities detected should be a key performance indicator for the security program.
- Incident response: Adopt mature IT service management (ITSM), i.e. ITIL.

Security Information Management and Sustenance Analysis
Actively monitoring and enhancing the TVM program.
- Program maturity enhancement: Continually monitor and enhance the program's maturity.
- Threat awareness: Enhance the organization's defenses with security awareness activities to educate relevant users on threats.
- Reporting: Identify key performance and key risk indicators for reporting the status of the TVM program and the actions taken in response to improve the current capabilities.

Questions?

© 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
