OASIS: Integrating Standards for Web Services, Business
Download
Report
Transcript OASIS: Integrating Standards for Web Services, Business
www.oasis-open.org
OASIS International Cloud Symposium
October 11, 2011
London, England
Agenda
Introduction to IT-ISAC
Drivers to the Cloud
Current Threat Environment
Cloud Considerations
Risk Management and Collaboration
2
IT-ISAC Mission
Share: Report, exchange, and analyze across the IT
sector information on electronic incidents, threats,
vulnerabilities, solutions and countermeasures, best
security practices, and other protective measures;
Trust: Establish a mechanism for systematic and protected
exchange and coordination of information and trusted
collaboration; and
Lead: Provide thought leadership to policymakers on cyber
security and information sharing issues.
What we do
Facilitate Analyst to Analyst Collaboration: SIGS and AGs
are member driven and bring together subject matter experts
from member companies. Join the analysts from some of the
world’s leading IT companies.
Enhance Situational Awareness: Analytical products from
SIGs and AGs are distributed throughout the IT-ISAC
membership. Together, these topic specific products provide
members with the latest threat analysis on key security and
business topics.
Support International Response: An effective global
response and analytical capability provides for more timely
alerting and incident response.
Who We Are
Silver Members
Foundation Members
BAE Systems, IT
CA, Inc.
Cargill, Inc.
CSC
eBay
HP
IBM
Intel Corporation
Oracle USA, Inc.
SRA International
Symantec Corp.
Verisign, Inc.
Afilias, USA
Cisco Systems, Inc.
Juniper Networks
NeuStar
Bronze Members
AT&T
GE
Lockheed Martin Corporation
Microsoft Corp.
Prescient Solutions
SAP Labs
Drivers to the Cloud
More complex threat environment, more devices to
secure, and more complicated infrastructures
increases the complexity of securing networks and
data
Economic downturn constrains budgets
Forrester reports IT Security Budgets relatively
steady from 2010 – 2011 despite increase threat
Cloud Computing has potential to drive down IT
Security and Business continuity
Gartner: Cloud Services Revenue expected to be
$148 billion in 2014, up from $68.3 billion on 2010
Forrester Source: http://www.eweek.com/c/a/Security/Security-SpendingPriorities-for-2011-to-Include-Firewalls-Blocking-Tools-650650/
Gartner Source: http://www.cioupdate.com/news/article.php/3889106/CloudServices-Market-Seeing-Explosive-Growth.htm
Exponential Malware Growth
According to Symantec Corporation:
2002: 20,000 malicious signatures
2010: 286 million unique variants of malware
600,000 variants per day!!
According to McAfee:
2001: 9,000 individual pieces of malware
2010: More than 20 million new pieces of
malware
2011: First half more than 12 million unique
malware samples (Busiest ever 6 month period).
Mobile Threats
As use of mobile devices increase, so
does the number of malware targeting
mobile devices
McAfee reports malicious activity up 46%
from 2009 – 2010
Q1 2009: 600 pieces of mobile malware
Q2: 2011 1,200 pieces of mobile malware
Symantec reported a 42% increase in mobile
operating system vulnerabilities from 2009 2010
Economic Costs
Symantec estimates total economic loss globally at $388
billion per year.
RSA attack cost it $66 million
Epsilon data breach estimated to cost $225 million
Symantec Source:
http://www.symantec.com/about/news/release/article.jsp?prid=20110907_
02
RSA Source: http://www.washingtonpost.com/blogs/post-tech/post/cyberattack-on-rsa-cost-emc-66-million/2011/07/26/gIQA1ceKbI_blog.html
Epsilon Source:
http://www.btobonline.com/article/20110502/EMAIL04/305029957/epsilon
-data-breach-damage-could-hit-225m#seenit
9
Key Problem
Industry and Government do not view
risks in the same way. Therefore, it is
difficult to develop a common
understanding on appropriate
measures and strategies.
Industry View
Manage and accept certain risk
Balance security spending against other
business costs
Cyber security is managed as a business risk, not a
national security concern
Money spent on cybersecurity cannot be
spent on marketing
Lines of responsibility are clearly defined
Accountable to shareholders and customers
Government View
Tries to eliminate risk
Generally have a zero tolerance for risk,
especially concerning the private sector
National security risks differ from business risk
Claims private sector “is not doing enough”
Lines of Responsibility not well defined
Agency heads, Department heads, Agency CIO,
Department CIO, Legislative committees etc.
Corporate Risk Management
Identify, prioritize and protect key IP and data
Migrating to the Cloud should be part of an overall business
strategy
Promote security as an integral component of
business, not a cost of business
Institutionalize security into all aspects of company
Engage, and encourage your cloud providers to
engage, in forums that enable trusted information
sharing to identify common threats and mitigation
techniques
National Risk Management
2009 IT Sector Risk Assessment
Identify 6 IT Sector “Critical Functions”
Develop “attack trees” to identify risks to
those functions
Examine capabilities needed to
successfully disrupt the function
Consider mitigation activities
Creates a national sector Risk
Assessment
Cloud Security Considerations
The Cloud can reduce security costs but is also becoming
a huge target— the cloud provides a “one stop shop” for
threat actors
Legally complex environment
Cloud providers have been successfully attacked
Who owns incident management: the customer or the
provider?
What information can be shared across national borders?
What forums exist for cloud providers to share incident and
threat information and mitigation strategies
Defense cannot be done in isolation
Should SLAs require providers to participate in ISACs or with
National CERTs?
How to move forward?
Understand industry and governments’ risks
perspectives are not the same
Build common situational awareness
Recognize business and national security interests are not the
same
Actively share and collaboratively analyze threat information
within industry, between industry and government, and across
national borders
Use purchasing power to require vendors to actively participate
in information sharing forums.
Link national CERTs and sector ISACs
Prioritize what needs to be protected
Focus on areas where we have common security
concerns and needs
IT-ISAC Operations Construct
Shifting focus from vulnerabilities to threats and
indicators
Develop internal communities focused on specific
issues of common interest
Companies need more timely, high-quality, analyzed
information on threats
Better leveraging global networks of members to create
enhanced situational awareness
Aggregate analysis from communities of interest to
provide greater depth and breadth to members
Broadening scope and membership internationally
Cyber by nature is international, so we need an
international capability
Conclusion
We’re operating in a new environment and still do not
understand all the risks
The Cloud is already being attacked
The threat is changing more quickly than a regulatory
environment can address
As more data moves to the cloud, we’ll see more attacks on the
cloud
International collaboration is essential, but we need to
prioritize
Leverage ISACs and CERTs to share and analyze threat
information and incident indicators
Link CERTs and ISACs to build a global incident
response capability
Thank You!!
Scott C. Algeier
Executive Director, IT-ISAC
+1 703-385-4969
[email protected]
www.it-isac.org