SECURITY A DynTek Publication
ajor Trends
in cybersecurity
FIND OUT WHAT 3 ACCELERATING CYBERSECURITY TRENDS ARE RAISING CONCERNS FOR ORGANIZATIONS TODAY.
WITH INTEL SECURITY’S BRETT KELSEY IN-DEPTH INTERVIEW ON CYBERSECURITY TRENDS
security
isks
IDENTIFY WHERE GAPS OCCUR IN RELATION TO SECURITY CONTROLS
EMERGING
BUSINESS & TECHNOLOGY
SOLUTIONS
Virtualization | Cloud Computing Unified Communications | Collaboration
DynTek provides professional technology solutions to architect, secure and support the core areas of your technical environment: Infrastructure/Data Center, Microsoft Platforms and End Point Computing.
WWW.DYNTEK.COM
SCHEDULE A FREE CONSULTATION 877-297-3723 | marketing@dyntek.com
SECURITYINSIGHTS
CYBERSECURITY GAPS
09
Isn’t it time to know where your security risks lie and create a plan to address them?
01
05
Join Intel Security’s Vice President & Chief Technology Officer for the Americas, Brett Kelsey, for an in-depth interview on cybersecurity trends.
Learn how to forge a risk-based security strategy and articulate business risk — not IT risk — with Intel Security’s CTO Healthcare, Sumit Sehgal.
Q&A WITH BRETT KELSEY
BOSTON MEDICAL CENTER
STRATEGY, RISK-BASED FRAMEWORK KEY TO CYBERSECURITY
09
For those who want to know the secret to effortlessly growing your IT security budget exponentially.
CONTENTS
SECURITYINSIGHTS
THE INTERVIEW
Q A
Brett Kelsey from Intel Security
Brett Kelsey Vice President & Chief Technology Officer for the Americas for Intel Security. Brett Kelsey leverages his business and practice development, technical expertise and innovative thought leadership to evangelize Intel Security’s go-to-market strategy across key customer segments in the Americas. He drives strategic customer engagements and provides customer feedback back to product engineering to help shape the direction of our technology.
01
SECURITYINSIGHTS
THREE ACCELERATING CYBERSECURITY TRENDS ARE RAISING CONCERNS FOR INTEL SECURITY’S CUSTOMER BASE AND ARE CREEPING INTO ORGANIZATIONS WORLDWIDE.
organizations they target. We see more organizations, experiencing more attacks, across more attack vectors, taking longer to detect attacks in progress, and sustaining more damage due to their lack of incident response capabilities.
Q What are the major
Q Where are these new
A
A
:
cybersecurity trends you are seeing today? : We see three accelerating trends raising concerns across our customer base: the failure of security management, the shortage of cybersecurity professionals, and the growth and severity of cyberthreats. First, devices continue to proliferate at an incredible rate, and the quantity of devices out there will soon surpass the ability of established security architectures to protect them. People are using more devices in more locations, and the rise of the Internet of Things is adding an additional layer to this growth. Efforts to extend security to all these devices and applications are struggling to keep pace, and risk leaving individuals and organizations open to new and unforeseen threats. Second, the growing shortage of cybersecurity professionals is leaving organizations short-staffed in the critical early moments of incident response. The U.S. Department of Labor predicts a global workforce shortage of 1.5 million cybersecurity professionals by 2020. Without a reassessment of how enterprise cybersecurity is managed, companies simply will not find enough people with the right level of work experience and skills to protect themselves and their customers. Third, companies are seeing a huge increase in the rate of threat innovation and quantity of attacks. Ten years ago, McAfee Labs saw about 25 new pieces of malicious code or malware a day. Today, our researchers identify 316 new threats every minute, or more than five every second. These are new samples of malware that the industry has not seen before, and they are more likely to be undetected by the
:
attacks coming from, and why are these hackers attacking companies? : Thieves and hackers come from all backgrounds and nationalities, and most are doing it for money. When you look at the problem from a financial perspective, cybercrime is almost on par with narcotics: opportunity attracts capability and supply meets demand. Previously, people hacked as a way to prove that they could do it, a trend that extended through the late 1980s and 1990s, and into the early 2000s. They wanted to prove that the world’s largest, most high-profile companies had vulnerabilities and then called them out to fix the vulnerabilities. Hacktivism—cyberattacks with peaceful but political protest objectives — evolved out of this activity. Nation-state actors seeking geopolitical national security advantages further drove threat innovation through their investments in battalions of military hackers, actively recruiting IT professionals to develop cyber-espionage and cyber-warfare techniques.
NEED TO KNOW There are more organizations, experiencing more attacks, across more attack vectors. It now takes longer to detect attacks in progress, and companies are sustaining more damage to their networks due to their lack of incident response capabilities.
www.dyntek.com
02
SECURITYINSIGHTS
The latest development is the industrialization of cybercrime and the emergence of the Dark Web, an underworld marketplace for hacking skills, threats, and infrastructure required to launch attacks. This marketplace is so extensive that breakthrough turnkey ransomware services are available for hire, dramatically lowering barriers to entry. Regardless of their objectives and motives, anyone with the resources can buy in to the cybercrime economy. These dynamics have enabled more players to extend their cyber capabilities, targeting more organizations with more varieties of cyber-threats, leading to the astronomical growth in ransomware attacks on large and small organizations.
THE LATEST DEVELOPMENT IN CYBERCRIME IS THE EMERGENCE OF THE DARK
WEB.
BRETT KELSEY
Q
If Intel and others are seeing 500,000 new threats a day, what should a company do to protect itself? :
A
: First, the days of stitching together disparate security products from different manufacturers are gone. This is analogous to building a car with parts from five different manufacturers and hoping they will all work together. It probably won’t even start, let alone get you to where you’re trying to go. Today, you need a more unified solution where all the parts immediately and seamlessly communicate with each
03
other. That doesn’t mean you have to buy everything from one vendor, but you do need to look for products that do more than just share raw threat data. To work in concert, the system as a whole needs to share context, critical event data, and organizational intelligence. Second, you need to separate the featured soloist from the symphony. IT teams need to stop spending time on events that antivirus software should be able to recognize and mitigate, so they can focus resources on more serious cyber events. Intel Security studied the top cyber events in 2013, the year Target and six other major retailers were breached, and a couple of facts came to light. Among the study’s revelations was the fact that all seven were PCI compliant, which demonstrates that regulatory compliance does not equal security. Additionally, all seven were hit with the same derivative of malware, an attack that security systems were capable of detecting and protecting against two years earlier. The industry is really good at protecting companies from threats we know about, and for much of this malware protections have been in place for a long time. Highly targeted, stealthy attacks are coming in through low thresholds like this, and they are difficult to detect against the noise of events and routine behavior. Typically, security teams have to analyze millions of security events and suspicious files to find evidence of real incidents. Then the teams need to reconstruct the targeted attack, often done manually, limiting the speed and effectiveness of incident response. Instead, security teams need to minimize the attack surface, identify potential risky behaviors, and contain serious events before damage occurs. This is difficult to do given the increasing number of sophisticated attacks, lack of security personnel, and resulting lack of time.
Automation is necessary to identify the bad actors within the volume of threat information and event alerts. Automated processes that harness the power of machine learning and other technologies have the ability to analyze data faster and identify anomalous patterns. Human beings just are not fast enough to process 500,000 threats every day, and few have the skills to read the data and isolate what is relevant. Instead, leave the lowhanging fruit to the machines, relying on technology to look at the threats as they appear, and enabling the team to react faster and focus on the anomalies and outliers. Third, companies have to change how they look at cybersecurity. This is not just a technology problem. Organizations must look at this as a business issue, taking into account whether the integration strategy, architecture, and processes enable or inhibit their business. Going back to our car analogy, we put safety systems on a car to slow us down or protect us when necessary, without impeding the vehicle or the driver when not needed. The same needs to happen with corporate cybersecurity.
SECURITYINSIGHTS
SECURITY TEAMS NEED TO MINIMIZE THE ATTACK SURFACE, IDENTIFY POTENTIAL RISKY BEHAVIORS, AND CONTAIN SERIOUS EVENTS BEFORE DAMAGE OCCURS.
Q: What does the future of
security look like, and how long will it take us to get to this elevated threat detection level?
A:
It is already possible to automate threat mitigation for the low-hanging fruit, addressing everything we already know about at the endpoint. As far as detecting anomalies and the more sophisticated unknowns, the technologies are at Version 1.0 and are maturing. As an industry, we need to deliver analytical tools and engines to decipher data and extrapolate the anomalies. We are developing tools that incorporate heuristics and behavioral analytics to look for outliers from a machine perspective and a human perspective. Imagine a tool that can analyze a machine’s or user’s behavior, looking at what they do, whether they are following a pattern or deviating from typical behavior. For example, a user surfing to an unusual location on a network, accessing data he or she never accesses, or uploading data to a computer in a foreign country. This type of behavior goes undetected today, but we need tools that help us question what is happening, detect the unknown, and identify the attacks that are coming at us today. Many companies, governments, and organizations are looking at solving this problem with anomaly detection we all need. Intel Security is forging partnerships with others to develop integrated, open security systems with cloud-first technology, enabling faster threat resolution with fewer resources.
We want to close the gaps between detection and remediation by creating a security ecosystem powered by real-time communication, threat intelligence exchange, and effective incident response capabilities. To create an ecosystem that is not dependent on a single vendor’s proprietary solutions, Intel Security created the Data Exchange Layer, also known as DXL. This technology enables bi-directional open communication and collaboration, uniting different security components into a single ecosystem, regardless of their underlying proprietary architecture. In the future, we need to sell companies the outcome, not a series of products. They want the outcome — a secure system — like they want reliable communications or transportation. We are working on solving this problem and are probably 18 months away from delivering it.
OUR PARTNERS ARE OUR HEART AND SOUL. WE CANNOT DO WHAT WE DO WITHOUT PARTNERS LIKE
DYNTEK.
BRETT KELSEY
Q: Why are partners like DynTek important in the equation?
A:
It is critical that we have partners like DynTek, especially in light of the national shortfall in security personnel. The number one issue that we have is that we lack scale in the market, and strategic partners like DynTek help us get to the market and scale. As we work towards a future where security products adopt standards like DXL, who better than our partners to help companies integrate these solutions into a single unified solution? Our partners are our heart and soul; we cannot do what we do without an excellent partner ecosystem.
CYBER THREATS EMERGE EVERY MINUTE THAT’S MORE THAN 6 THREATS PER SECOND From performance issues and content access to compliance with government regulations, DynTek provides security solutions designed to meet and manage your toughest business challenges head-on.
04
SECURITYINSIGHTS
Boston Medical Center
Sumit Sehgal, CTO Healthcare for Intel Security, and former Chief Security Officer for Boston Medical Center, discusses articulating business risk, not IT risk
CONSIDERATIONS FOR IMPLEMENTING SECURITY CONTROLS GOAL
CHALLENGE
Healthcare Deliver great patient healthcare
• Privacy and security are not the focus • Cumbersome security controls impede healthcare
Compliance Deliver an optimal user experience for healthcare workers
• Attractive, but risky alternatives; noncompliance with policy • Increased risk to healthcare organizations
Security Deliver security that performs effectively and is robust and usable
• Limited mobile device compute power • Surge in sensitive data to protect • Many alternatives
05
HAVING A SECURITY STRATEGY AND ALIGNING IT WITH BUSINESS RISKS ARE PART OF A NEW APPROACH TO SECURITY.
E PR V E R O Y VI H DE E A H LTH IG H CA -Q R U EW AL I T OR Y K H ER E A ’S LT P H RI CA M RE A R TO Y G PA O A TI L I EN S TS TO .. .
Articulating Business Risk, Not IT Risk — with Sumit Sehgal, CTO Healthcare for Intel Security
W
ith a goal of achieving the elusive balance between Information Security and Human Factors, Sumit Sehgal has spent the last fourteen years working in the healthcare industry to implement varying levels of security programs and best practices. His passion is to work towards building contextual security and privacy programs that bridge the gap between influencing existing employee behaviors and classical paradigms that govern information security best practices specifically as they pertain to adoption of new and emerging trends in technology and workforce. In his current role as CTO Healthcare for Intel Security, he is working to help healthcare industry CIOs and CISOs develop and execute integrated security strategies – an area he had first-hand experience in during his tenure as Chief Security Officer for Boston Medical Center.
SECURITYINSIGHTS
THE CHALLENGES
CLINICIAN SECURITY SYSTEM CHALLENGES When attempting to access records, the process of full disk encryption may create extended wait times. A login that requires two-factor authentication with a separate hardware token is cumbersome and adds to clinician workload. Clinicians with access to more than one EHR must remember and enter a different user ID and password each time they access patient records. Inability to effectively manage a large fleet of PCs can create vulnerabilities and increase risk.
...HOWEVER, IF SECURITY CONTROLS STAND IN THE WAY OF DELIVERING THAT CARE, CLINICIANS MAY SEEK OTHER WAYS TO ACCESS THE INFORMATION THEY NEED, EVEN IF THOSE METHODS CREATE SECURITY RISKS.
As the Chief Security Officer for Boston Medical Center (BMC), Sehgal oversaw a staff of six that supported 12,000 users and 10,000 endpoints spread among 49 buildings in a four-block area. BMC, an academic medical center and the primary teaching affiliate of Boston University Medical School, runs the busiest Emergency Room in New England and receives nearly 70 percent of its funding from state and federal funds. Spending on security amounted to a mere 1 to 2 percent of Sehgal’s overall IT budget, which made it hard to maintain programs at scale and address all the threats now facing healthcare organizations. Rather than looking at security through the lens of regulatory compliance like many healthcare organizations, Sehgal and his team addressed security with a comprehensive security strategy, one that considered BMC’s business risks.
Having a security strategy and aligning it with business risks are part of a new approach to security that’s in sharp contrast to how security has been handled in the past.
We didn’t run security as a HIPAA–security compliance program, but rather what BMC stood for in terms of security. That way, the controls and compliance are built into it. Like a growing number of companies, BMC adopted SANS’ 20 Critical Security Controls, assessing the organization’s defenses against each control area.” SUMIT SEHGAL CTO HEALTHCARE | INTEL SECURITY
06
SECURITYINSIGHTS
Evaluate Defenses Against Security Controls “From a technology perspective, addressing SANS controls gives you a good idea of what your organization should be focusing on and then what solutions are available to help,” Sehgal said. “It could be that asset management controls are critical for one firm while one with a distributed workforce might put remote access as a higher priority. You have to understand what your state of security in relation to SANS controls means to you, because time spent learning it keeps you from making wrong investments and having to replace security products every two years.” Organizations must evaluate where security holes exist in relation to the organization’s risk profile and then determine the required and addressable standards. “Then, from a risk perspective, you look at: A) Can we do it?; B) Can we mitigate it?; and C) Can we afford to do it? And if we can’t afford it, can we deal with repercussions?” said Sehgal. It is unrealistic for a healthcare organization to think it can address and protect itself in relation to 90 percent of the security controls, he said. Instead, 75 percent is a good goal. In some cases, it’s not whether you can afford to protect against a certain area, but that you have to plan for it.
S
ECURITY IS VERY MUCH A PEOPLE GAME, NOT A COMPLIANCE EXERCISE.”
DynTek consultants don’t hesitate to suggest clients change processes or practices rather than implement new products when appropriate, she said, and they tap their extensive healthcare network to make introductions to industry peers, which help BMC figure out better ways of doing things. “That, for me, is huge,” Duprey added. “That’s the level of trust I have in DynTek. One of DynTek’s strengths is setting us up with the correct resources. They go out of their way to find subject matter experts, not just send us general consultants. In addition, they helped us evaluate and deploy Intel Security solutions that address the full threat defense lifecycle with centralized management and visibility through the ePolicy Orchestrator console. We can manage how our technology solutions are aligned to our risk management controls and strategy.”
Articulate Business Risk, Not IT Risk Many in IT don’t understand that IT risks are not the same as business risks, and communication between the two job functions has been strained at best. To more closely align BMC’s IT security strategy with the organization’s business risks, Sehgal forged strategic relationships with BMC’s emergency management department and the business audit committee, two groups that fully understand the critical processes and functions that make the organization function at its basic levels. “Security is very much a people game, not a compliance exercise,” Sehgal said. Understanding the business risks, being able to identify where gaps occur in relation to SANS controls, and being able to articulate how products or processes are vital to the company’s operations makes it easier to land the IT funding needed, he said.
SUMIT SEHGAL CTO HEALTHCARE INTEL SECURITY Taking this strategic approach calls for a different tact when purchasing, he added. “Many of my counterparts automatically go to (research firm) Garner, and look at the top right-hand corner quadrant to pick their technology without understanding the implementation skill set needed to run it,” Sehgal said. “Most security products aren’t plug and play. Even if you have an outside consultant install it for you, you still have to understand how the tech is going to function and how to run it.” Having a trusted outside partner that shares the same approach to security is invaluable, especially when you have a small staff and little time to evaluate an overwhelming number of security products on the market. Added Michelle Duprey, Manager of Information Security at BMC, “When we engage DynTek, the conversation is not ‘Look at this technology because it’s cool’; it’s very much a conversation about what are we trying to achieve and whether we have realistic expectations, and whether it is a good solution or not. Every conversation is not a sales conversation.”
07
H
AVING A TRUSTED PARTNER LIKE
DYNTEK, WHICH SHARES THE SAME APPROACH TO SECURITY , IS INVALUABLE.” MICHELLE DUPREY MANAGER OF INFORMATION SECURITY BOSTON MEDICAL CENTER
SECURITYINSIGHTS
MANY IN IT DON’T UNDERSTAND THAT IT RISKS ARE NOT THE SAME AS BUSINESS RISKS.
08
SECURITYINSIGHTS
09
SECURITYINSIGHTS
ASSESSMENT
CYBER SECURITY GAPS DO YOU KNOW WHERE YOURS ARE?
T
he National Institute of Standards and Technology (NIST), in 2014, published an important document called the NIST Cybersecurity Framework. Based on the content in this framework, DynTek has identified a set of 57 Technical Controls that governments and companies should put in place to help simplify the management of security risk and achieve more secure information systems. Have you put a strategy in place to cover all 57? Probably not. Most companies haven’t. In fact, most IT departments are too busy putting out fires to find the time to make sure their company is protected on all levels.
Viewing your security strategy through a set of comprehensive security controls helps you understand the risks and factors that could adversely affect your overall operations and assets – and are an important way of linking technology spend with the business strategy. Most executives believe that security is IT’s problem. But ultimately, it is the role of the C-suite to determine acceptable levels of risk. To help IT better communicate with business, DynTek helps organizations review and understand the current status of their security programs and the security controls already in place, and how this aligns with the organization’s acceptable level of risk. We have a comprehensive methodology that clearly identifies current known business risks relative to IT and gives IT a central place to describe, score, and quantify those risks in terms of cost to remediate and potential financial and other impacts to the organization if no action is taken. In a relatively low-cost and expeditious engagement, we help you identify what controls are already in place, where your security gaps are, and which ones need immediate attention. Most importantly, we help you create a long-term security strategy aligned with your organization’s needs.
During the course of our engagement, we will: 1. Identify the key business strategies and associated risks through a security assessment. 2. Document and prioritize the risks based on IT’s understanding of the strategy. 3. Help you identify and select solutions to address each area of prioritized risk. 4. Help you create a roadmap of your findings and recommendations to help you present them to executive management for final determination and budget allocation. As you already know, it’s not a question of whether your company will be attacked, but when.
CONTACT DYNTEK TODAY 877-297-3723 | marketing@dyntek.com
ISN’T IT TIME TO KNOW WHERE YOUR RISKS LIE AND CREATE A PLAN TO ADDRESS THEM?” ABOUT DYNTEK
END-TO-END IT SECURITY DynTek provides an end-to-end strategic approach to security by working with our customers to create a security architecture that extends from the physical to the virtual to the cloud. Additionally, we have extensive expertise across the core technologies that make up an organization’s infrastructure, giving us a unique understanding of the adjacencies involved in security and risk management.
10
SECURITYINSIGHTS
STRATEGY, RISK-BASED FRAMEWORK
H
istorically, IT teams have taken a reactive approach to cybersecurity much like they have with all of IT: reacting to user complaints and network problems and purchasing products in an ad hoc fashion to — hopefully — fix the problems. “But security doesn’t work that way,” says Steve Struthers, DynTek Vice President (VP) of Security Services. “Security demands a completely different approach, one in which you are defending against the unknown.” In the above scenario, IT often spends a large portion of its budget on a big-ticket item based on fixing the single event and runs into problems when the team asks for additional funds to address other issues that are also important. Increasingly, however, companies are taking a different approach to security, one that involves creating a security strategy based upon the company’s risk profile and mapped to the NIST Cybersecurity Framework. Having a strategy in place, knowing the business risk, not just IT risk, and clearly communicating where security gaps are in relation to NIST security controls make it easier for Chief Security Officers (CSOs) to win budget for cybersecurity spending, says Struthers. DynTek’s Security Team, along with Shaun Land, DynTek’s Principal Architect for Security Strategy, has created a simple, one-page template that easily shows customers a set of technical controls, derived from NIST and similar frameworks, and maps out which products from various vendors can be applied to address those controls.
11
THE SECRET TO EFFORTLESSLY GROWING YOUR IT SECURITY BUDGET EXPONENTIALLY. The template, which Land originally developed when he was a client of DynTek, allows customers to see what areas they have covered and where their security lapses reside. Other vendors trying to represent security architectures in graphic form often ignore standard frameworks such as NIST and deliver documents that “are so complex that they look like Intel chip designs” said Land. “We then help CSOs build a plan that addresses which gaps they want to fix first, which risks they want to accept and cover, and help them build a strategy around security,” says Struthers. The end result is a oneto three-year strategic security roadmap based upon the company’s risk profile and appetite. The NIST Cybersecurity Framework, a 40-page document that breaks down security concerns into Functions, Categories, and Subcategories and provides a way to organize, conduct, plan security goals, and drive improvements for small to large enterprises and across different industries. It does not, however, include a specific risk management process or specify any priority of action, instead leaving that up to individual organizations based upon their own risk profiles. Since business risk management may be a little out of the comfort zone for technology-focused directors and CIOs, DynTek has tapped Land’s expertise in risk management and strategic decision making, giving the company and its clients a strategic advantage. “We simplify the task of translating NIST to controls, and we help IT understand what it means to be in the recommendation business, relative to security,” says Struthers.
SECURITYINSIGHTS
WE HELP CHIEF SECURITY OFFICERS ORGANIZE, COMMUNICATE, AND BE SUCCESSFUL IN THEIR PROGRAMS. SHAUN LAND
Shaun Land Principal Architect for Security Strategy DynTek
DynTek also helps IT understand that the business executives and the board should be the ones in the ‘decision business.’ Rather than telling business what IT needs to buy, DynTek teaches IT how to speak with business leaders. “We help IT explain what the risks are and how they impact the business on a quantitative basis, showing that they have estimated the cost to the business if they don’t take action, and the cost to remediate as well,” says Land. Helping IT better communicate in this way casts them in a better light, since at many companies, IT and business are at odds, he says. “The change in processes and communication helps ensure the success of the overall program. As a result, they can now communicate clearly with the business, which gives the IT and security team a better chance to get the budget and resources they need to be successful.”
FRAMEWORK FOR SECURING CRITICAL INFRASTRUCTURE CYBERSECURITY CREATED BY THE FEDERAL NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) RESEARCH The federal National Institute of Standards and Technology Research was created in February 2014 to provide
DynTek also helps customers develop their full policies library and primary procedures library. As Land describes it, “We move them from ‘there’s too much to do’ and ‘where do I start?’— a state that never goes anywhere — to literally within a few weeks having security policies ready for full review by the business, no matter what industry they are in. “We help CSOs organize, communicate, and be successful in their programs,” Land says.
security guidelines to reduce federal agencies’ cyber risks. It has since become a major part of the national conversation about cybersecurity.
12
A DynTek Publication
IN PARTNERSHIP WITH
www.dyntek.com