HITRUST 2014 Conference – April 22, 2014

The Evolving Information Security Organization – Challenges and Successes

Panel:
- Jason Taule, Chief Security and Privacy Officer, FEi Systems (Moderator)
- Robert Booker, Vice President and Chief Information Security Officer, UnitedHealth Group
- Erick Rudiak, Information Security Officer, Express Scripts
- Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, WellPoint
- Omar Khawaja, Vice President and Chief Information Security Officer, Highmark


Chief Information Security Office – HITRUST 2014 Conference
The Evolving Information Security Organization – Challenges and Successes
Tuesday, April 22, 2014
Roy R. Mellinger, CISSP – ISSAP, ISSMP, CIM
Vice President, IT Security, Chief Information Security Officer


The Evolving Information Security Organization

Maturity layers, from operational to enterprise:
- Operational: Operating Technical Security Controls; Security Threat Management
- Compliance: Translating Security Requirements into Technical Security Controls; IT Compliance
- Risk: Translating Business Needs into Security Requirements; IT Risk
- Enterprise Risk Management: Security Viewed as a Business Enabler; Enterprise Risk


The Evolving Information Security Organization – Cyber Threat Management

- 24x7 Security Operations Center (SOC)
- End-to-End DLP (Data Loss Prevention) Strategy
- Tracking of Malware Threats and Coding Techniques
- Effective Firewall and IDS / IPS Strategy Implementations
- Effective Security and Event Log Management and Monitoring
- Robust Safeguarding Policies, Programs and Processes


The Evolving Information Security Organization – Hacking Then, Hacking Now

Hacking Then:
- Individuals or Computer Clubs / Groups
- Manual efforts with Social Engineering
  - Success = Badge of Honor
- War Protesting and Civil Disobedience
- Anti-Establishment Rhetoric
- Social Rebels and Misfits

Hacking Now:
- Automated / Sophisticated Malware
  - Personal Monetary Gain, or to pay for / fund hacking activity
- Hacktivism – Freedom of Speech, Statements to Influence Change, Sway Public Opinion and Publicize Views
- Criminal – Drug Cartels, Domestic and Foreign Organized Crime for Identity Theft and Financial Fraud
- Espionage – IP, Business Intelligence, Technology, Military / Political Secrets
- Terrorism – Sabotage, Disruption and Destruction
- Nation-State – Intelligence Gathering, Disruptive Tactics, Clandestine Ops, Misinformation, Warfare Strategies, and Infrastructure Destruction

Timeline: FRINGE . . . . . . . . . . . 30 YEARS . . . . . . . MAINSTREAM


The Evolving Information Security Organization – Attack Lifecycle

1. Initial Compromise – spear phishing via email, planting malware on a target website, or social engineering.
2. Establish Foothold – plant administrative software and create back doors to allow for stealth access.
3. Escalate Privileges – use exploits and password cracking tools to gain privileges on the victim computer and network.
4. Internal Reconnaissance – collect information on the network and trust relationships.
5. Move Laterally – expand control to other workstations and servers; harvest data.
6. Maintain Presence – ensure continued control over access channels and credentials acquired in previous steps.
7. Complete Mission – exfiltrate stolen data from the victim's network.


The Evolving Information Security Organization – Cyber Threat Management

Conventional Approach versus the Paradigm Shift to Cyber Threat Management:

Controls Coverage
  Conventional:    Protect ALL information assets
  Paradigm Shift:  Protect your MOST IMPORTANT assets (Crown Jewels), based on risk assessments

Controls Focus
  Conventional:    Preventive Controls (anti-virus, firewalls, intrusion prevention, etc.)
  Paradigm Shift:  Detective Controls (monitoring, behavioral logic, data analytics)

Perspective
  Conventional:    Perimeter Based
  Paradigm Shift:  Data Centric

Goal of Logging
  Conventional:    Compliance Reporting
  Paradigm Shift:  Threat Detection

Security Incident Management
  Conventional:    Piecemeal – find and neutralize malware or infected nodes
  Paradigm Shift:  BIG PICTURE – find and dissect attack patterns to understand the threat

Threat Management
  Conventional:    Collect information on malware
  Paradigm Shift:  Develop a deep understanding of attackers' targets and modus operandi as they relate to YOUR organization's network and information assets

Success Defined By
  Conventional:    No attackers get into the network
  Paradigm Shift:  Attackers sometimes get in, BUT are detected as early as possible and the impact is minimized


The Evolving Information Security Organization – Challenges and Successes
Omar Khawaja, April 23, 2014


Who is Highmark?


Risk is increasing

  Risk = (Assets × Vulnerabilities × Threats) / Controls

Our information is increasing in value (Assets):
- More data (EMRs)
- More collaboration (ACOs)
- More regulation (FTC)

Our weaknesses are increasing (Vulnerabilities):
- More suppliers (Cloud)
- More complexity (ACA)

Opportunities to attack are increasing (Threats):
- More access (consumer portals)
- More motivated attackers


Becoming increasingly difficult to secure

- Multiple Compliance Requirements
- Evolving Compliance Requirements
- Unclear Compliance Requirements
- Less visibility
- Less control


The security org needs to evolve

From…                                       To…
- Explaining the "what"                     - Explaining the "why"
- Growing the security org                  - Growing security in the org
- Creating more security processes          - Making security part of more processes
- Telling them what to do                   - Assisting them with their job
- Protecting everything equally             - Differentiated controls
- Measuring what matters to the security org - Reporting on what matters to the audience


Questions?