A view on Cyber Security
Speech proposed to ISACA Ireland on
Governance Risk and Compliance
Cyber Defense Strategy - Situational Awareness - GRC
As the viewpoint shifts from the Enterprise IT business
operations space to a new domain, here called Cyber
Territory, that encompasses IoT and Cloud, a layered and
holistic approach becomes inevitable for:
- Security Management,
- Risk Containment,
- Threat Response,
- Crisis Management.
Intro
Confidentiality, Integrity and Availability, as the Basic unIT
of information attributes, are applied to each
information set we map and consider of value for the
uses it is subject to.
Access to, and use of, that information is the key
element for the future of business in a truly
transforming landscape.
CIA to the BIT
The enormous attention we give to Industrial Control
Systems today is a hint of what we can expect in
the near future:
the Information that controls industrial processes,
wealth assurance and growth becomes more valuable than
the product or asset itself.
Information Builds Bridges
( LITERALLY )
How does the information surpass the intrinsic value of the
product of its elaboration?
By having creative (and equally destructive) power in a
controlled (automated) environment.
The Information element of IoT and Industrial Control
Networks is the Item (BIT) to which Confidentiality,
Integrity and Availability have to be attentively applied.
Creative Power
Alienation of Data items in an industrial control system,
a data-centric enterprise environment, or IoT means
disruption of creative processes.
The same applies to wealth management and banking environments.
For this specific reason the information capital,
intended as the Data Set serving these specific purposes,
has to be:
Known, Valued, Managed, Protected, Disposed.
Information as Capital
In the Introductory Slide of this document, a layered
approach was mentioned as a key element of a sound
Information and Cyber Security practice.
To explain further, there are two dimensions we can
easily mind-map to progress with the concept:
- Edge-to-Core
  - when considering the perimeter to the core networks;
- Logical-to-Physical
  - when considering the top-down network traffic layers.
Layered
Edge to Core
This is where Attack Vector analysis applies.
Logical to Physical
This is where DPI and Real-time analytics apply.
Drawing from the established GRC and Active Defense Information
Security practice, we tend to consider the following as ways to
protect the Information Assets:
- Sound Governance of business processes
- Extensive Risk management practice
- Compliance to regulatory frameworks
- Tools and Processes protecting our assets
- Effective Incident Response procedures
There is nothing inefficient in this list, provided they blend.
Holistic
Translating the objectives of Layered and Holistic into practice
is easily done by borrowing the concept of Situational
Awareness.
Applied to the perimeter defences, it means the
combination of proper edge and core security tools.
Applied to communication layers, it has to reconcile with the
capability of monitoring physical data transmission and its
transformation by application and user access.
Layered Holistic
To properly appreciate an elevated cyber security posture, the two
aspects of:
1) Perimeter and Data Egress point protection
2) Deep-to-Surface Data Analytics
shall blend together, aiming for timely and proactive
Situational Awareness.
Information Protection
Across Governance, Risk and Compliance, the concept of
Awareness is partly technological and partly procedural.
It blends system and network status change with the
capability to govern it (Vulnerability), a sound scoring
system to track risk and its impact on the business (Risk), and
the capability to have real-time evidence of events (Threats).
Linking these feeds facilitates and improves incident
response capability (Countermeasures),
all in a world where M stands for Management:
VM, RM, TM, CM
The underestimated gap in GRC programs, around Data
(the Information Item or BIT), its Value, its Container, the
Transformation it is subject to, and the desired Outcome
of that transformation, is that segregated forms of
protection are applied to it.
This remains a missing goal even for Defense-in-Depth, if it is
left to reciprocally unrelated technical capabilities:
Physical-to-Logical Data monitoring,
Deep Inspection and Application Protocol Analysis.
The Emmenthal Effect
( IN SECURITY PROGRAMS STRATEGY )
I substantially want to draw the auditor's attention to the lessons
learned from the latest advanced, or low-and-slow, cyber attack
winning techniques:
- Weak Application Protocols, even where encrypted;
- Flaws in core operating system kernels and modules;
- Holes in (managed) network element firmware;
opening doors to Advanced and Persistent Threats.
That's where I'd like to point at the age of these flaws, often
there by design and unnoticed for decades.
Trailing Persistent Threats
No matter how complex a network environment is, it
will in any case fall into a 3D (three-dimensional or more)
layered model:
The perimeter is a layered Candy.
The communication stack is a Milfoil.
Candy and Milfoil
To achieve Situational Awareness, the synergy between
procedural governance and controls and visibility across the
communication stack when perimeters are crossed is key.
In industry-specific scenarios, Industrial Control Systems
more than Financial Systems, the Data Stores, Data
Classification and allowed Data Transformations are well
known, helping these use cases to be more easily
implemented.
( easy-to-classify, easy-to-map egress points )
Synergy
Situational Awareness is a live, universal, social and
environmental concept. Applied to the Enterprise, it is a means
to support its body's immune defences and to enable the
evolution of its organs and limbs.
Translated into Compliance and Security Practice, the DPI
and Application Protocol analysis, SIEM, GRC and Vulnerability
Management outputs shall be systematically joined to
achieve:
a brand new level of detection and response capability.
Conclusions