Cyber security as a success factor for a company
Cyber security from the industry's perspective
17.3.2016 Jari Still, CIO, F-SECURE
AGENDA
Security and privacy trends
Security market view
Advanced attacks
Cyber security?
FSC business models
Software security
© F-Secure Confidential
SECURITY AND PRIVACY TRENDS
Threat landscape overall is getting more complex
Targeted cyber attacks threaten companies and privacy of individuals
New connected home devices (Internet of Things) are a risk to security and privacy
New opportunities in security and privacy
Revelations on governmental surveillance continue
SECURITY MARKET CONTINUES TO GROW
Security software market, $ million
                     2015    2016    2017    2018
Consumer security    5518    5799    6063    6316
Corporate security  17311   18463   19612   20820
Consumer Security Software market is expected to grow 4-5% annually
Corporate Security Software market is expected to grow faster, 6-7% annually
Source: Gartner
B2B SECURITY SERVICES DRIVING THE FUTURE GROWTH
[Chart: market size in billion dollars, 2014-2019, for IT security services and consulting, IT security products, and Consumer Security. Labels on chart: 20%, 2%, 5%. Source: Gartner]
Tech Advanced/Enterprise
Mid-Size Business
Consumer
ADVANCED ATTACKS ARE DRIVING THE SECURITY TECHNOLOGY
Top breaches in 2015
Anthem (80 million people affected)
Ashley Madison (37m)
Office of Personnel Management (25m)
Experian/T-Mobile (15m)
Premera (11m)
LastPass (7m)
CareFirst (1,1m)
The hacking team (1m)
Slack (0,5m)
Source: Forbes
THERE ARE TWO TYPES OF COMPANIES:
1. THOSE WHO HAVE BEEN BREACHED
2. THOSE WHO CAN BE BREACHED, BUT NOBODY GOOD ENOUGH HAS BOTHERED TO DO IT YET
TODAY CUSTOMERS ARE BEING OWNED ON AVERAGE FOR 200 DAYS WITHOUT KNOWING ABOUT IT.
TODAY, EVERY BUSINESS IS A TARGET
“It is no longer an issue that concerns only information technology and security professionals; the impact has extended to the C-suite and boardroom.” – PwC 2015
Detected security incidents
CYBER SECURITY IS A PROCESS
PREDICT: Understand your risk, know your attack surface, uncover weak spots
PREVENT: Minimize attack surface, prevent incidents
DETECT: Recognize incidents and threats, isolate and contain them
RESPOND: React to breaches, mitigate the damage, analyze and learn
PRODUCTS SUPPORTING THE PROCESSES
VULNERABILITY & PATCH MGMT
END-POINT & NETWORK SECURITY SUITES
FREEDOME
SENSE
SERVICES & CONSULTING
THREAT INTELLIGENCE AND CYBER ANALYTICS
INCIDENT RESPONSE SERVICES (RDC/IR)
ADVANCED THREAT PROTECTION (ATP)
PREDICT PREVENT
DETECT RESPOND
*NEW PRODUCTS
SECURITY SPENDING BY SECURITY LIFECYCLE
PREDICT PREVENT
DETECT RESPOND
ENDPOINT PROTECTION PLATFORMS
MARKET SIZE 3B USD
Growth 3%
VULNERABILITY ASSESSMENT
MARKET SIZE 1B USD
Growth 20-30%
ENDPOINT DETECTION AND REMEDIATION
MARKET SIZE 0.5-1B USD
Growth 50-100%
SECURITY CONSULTING
MARKET SIZE 18B USD
Growth 10-20%
THREAT INTELLIGENCE
CYBER SECURITY IS A TOPIC FOR ALL ORGANIZATION LEVELS
STRATEGIC – RISK MANAGEMENT
TACTICAL – SECURITY MANAGEMENT
EXECUTION – TECHNOLOGY MANAGEMENT
WHY SHOULD WE TAKE IT SERIOUSLY?
DIGITALIZATION OF BUSINESS, INTERNET OF THINGS
CYBER SECURITY HAS BECOME AN INTEGRAL PART OF YOUR BUSINESS
COST FOR ADVANCED ATTACKS GETTING LOWER - WHAT NATION STATES INNOVATED YESTERDAY IS IN HANDS OF COMMON CRIMINALS TODAY
THE ROLE OF EXECUTIVE LEADERSHIP
• Prioritize critical assets
• Identify business risks
• Establish risk appetite
• Mitigate the risk
• Transfer the risk
• Accept the risk
• Assign responsibilities
• Ensure resources/budget
Corporate strategy
Risk management
Monitoring results
Feedback
HAVE YOU IDENTIFIED YOUR CYBER BUSINESS RISKS?
Threats: Who? Attack vector?
Impact: How does it impact business/strategic objectives?
Effect: What is the operational effect of the event?
Weaknesses: How could a breach happen?
Events: What happens, how is it noticed?
SIMPLIFIED BUSINESS IMPACT TIMELINE
[Chart: stakeholder focus & attention and resource demand over time, starting at discovery]
Discovery
Incident Response
- IT Forensics
- Legal & Regulatory review
External areas
- Public Relations
- Notification management
- Stakeholder Communication
- Remedial Service Provision
Short-term implications
- Loss of efficiency & delivery
- Internal reporting mayhem
- Management’s focus on incident, not on business
- Costs incurred in response
- Customer interface overload
Long-term implications
- Loss of revenue
- Stock price effect
- Brand & Reputation damage
- Regulatory fines
- Contractual fines
- Costs incurred in remediation
- 3rd party legal liability
DATA BREACH COSTS ARE RISING
GERMANY 4,490,000€
FRANCE 3,990,000€
UK 3,420,000€
ITALY 2,530,000€
Opportunity cost
Indirect costs
Direct costs
Source: Ponemon Institute, 2015 Cost of Data Breach Study: Global Analysis
HAVE YOU CONSIDERED THE REPUTATION RISK
Source: The Aftermath of a Mega Data Breach: Consumer Sentiment, Ponemon Institute, April 2014
http://www.ft.com/cms/s/0/390ecea2-bf69-11e5-a8c6-deeeb63d6d4b.html#axzz3yMGLS5Zg
LET'S LOOK AT HOW ATTACKERS OPERATE AND WHAT THEY ARE AFTER
DATA
CONTROL
USER CREDENTIALS
OPERATING ENVIRONMENT
OPERATING SYSTEM
CRIMINALS
HACKTIVISTS
INDUSTRIAL ESPIONAGE
NATION STATES
IN THE PROCESS, THEY WILL ALWAYS LEAVE (SOMETIMES VERY SUBTLE) FOOTPRINTS SOMEWHERE…
CRIMINALS
HACKTIVISTS
INDUSTRIAL ESPIONAGE
NATION STATES
USER CREDENTIALS
OPERATING SYSTEM
OPERATING ENVIRONMENT
USER LEVEL FOOTPRINTS
APPLICATION LEVEL FOOTPRINTS
OPERATING ENVIRONMENT FOOTPRINTS
OS LEVEL FOOTPRINTS
NETWORK LEVEL FOOTPRINTS
TRADITIONAL DEFENSES ARE NOT ENOUGH
HERE’S HOW IT WORKS – BEST EXPERTS, TECHNOLOGY AND INTELLIGENCE AT YOUR SERVICE
COMPANIES FROM SAME INDUSTRY VERTICAL
<30min
YOUR COMPANY
Sensors on your network and endpoints
BIG DATA
BEHAVIOUR
F-SECURE THREAT INTELLIGENCE AND ANALYTICS
Anomaly
Alert
RAPID DETECTION CENTER
F-SECURE GO-TO-MARKET MODELS
CONSUMER SECURITY
CORPORATE SECURITY
OPERATORS DIRECT SALES RESELLERS CYBER SECURITY SERVICES
Consumer security (61%) Corporate security (39%)
CONSUMER SECURITY
CORPORATE SECURITY
OPERATORS DIRECT SALES RESELLERS DIRECT SALES
CONSUMERS
SMB
LARGE ENTERPRISES
200+ operators 4000+ resellers
Tens of millions Tens of thousands Hundreds
SECURITY DONE, RIGHT ON TIME, EARLY ENOUGH, WHEN IT’S CHEAPER
SOFTWARE SECURITY
MAKING SECURITY INTUITIVE
Three corners of innovation: Technology – User experience – Business models
SECURITY, PRIVACY, ANONYMITY.