www oasisopen org OASIS International Cloud Symposium October

www. oasis-open. org OASIS International Cloud Symposium October 11, 2011 London, England

Agenda Introduction to IT-ISAC Drivers to the Cloud Current Threat Environment Cloud Considerations Risk Management and Collaboration 2

IT-ISAC Mission n Share: Report, exchange, and analyze across the IT sector information on electronic incidents, threats, vulnerabilities, solutions and countermeasures, best security practices, and other protective measures; Trust: Establish a mechanism for systematic and protected exchange and coordination of information and trusted collaboration; and Lead: Provide thought leadership to policymakers on cyber security and information sharing issues.

What we do n n n Facilitate Analyst to Analyst Collaboration: SIGS and AGs are member driven and bring together subject matter experts from member companies. Join the analysts from some of the world’s leading IT companies. Enhance Situational Awareness: Analytical products from SIGs and AGs are distributed throughout the IT-ISAC membership. Together, these topic specific products provide members with the latest threat analysis on key security and business topics. Support International Response: An effective global response and analytical capability provides for more timely alerting and incident response.

Who We Are Foundation Members BAE Systems, IT CA, Inc. Cargill, Inc. CSC e. Bay HP IBM Intel Corporation Oracle USA, Inc. SRA International Symantec Corp. Verisign, Inc. Silver Members Afilias, USA Cisco Systems, Inc. Juniper Networks Neu. Star Bronze Members AT&T GE Lockheed Martin Corporation Microsoft Corp. Prescient Solutions SAP Labs

Drivers to the Cloud n n More complex threat environment, more devices to secure, and more complicated infrastructures increases the complexity of securing networks and data Economic downturn constrains budgets l Forrester reports IT Security Budgets relatively steady from 2010 – 2011 despite increase threat Cloud Computing has potential to drive down IT Security and Business continuity Gartner: Cloud Services Revenue expected to be $148 billion in 2014, up from $68. 3 billion on 2010 Forrester Source: http: //www. eweek. com/c/a/Security-Spending. Priorities-for-2011 -to-Include-Firewalls-Blocking-Tools-650650/ Gartner Source: http: //www. cioupdate. com/news/article. php/3889106/Cloud. Services-Market-Seeing-Explosive-Growth. htm

Exponential Malware Growth According to Symantec Corporation: l l l 2002: 20, 000 malicious signatures 2010: 286 million unique variants of malware 600, 000 variants per day!! According to Mc. Afee: l l l 2001: 9, 000 individual pieces of malware 2010: More than 20 million new pieces of malware 2011: First half more than 12 million unique malware samples (Busiest ever 6 month period).

Mobile Threats n As use of mobile devices increase, so does the number of malware targeting mobile devices l l Mc. Afee reports malicious activity up 46% from 2009 – 2010 Q 1 2009: 600 pieces of mobile malware Q 2: 2011 1, 200 pieces of mobile malware Symantec reported a 42% increase in mobile operating system vulnerabilities from 2009 2010

Economic Costs n Symantec estimates total economic loss globally at $388 billion per year. n RSA attack cost it $66 million n Epsilon data breach estimated to cost $225 million n Symantec Source: http: //www. symantec. com/about/news/release/article. jsp? prid=20110907_ 02 RSA Source: http: //www. washingtonpost. com/blogs/post-tech/post/cyberattack-on-rsa-cost-emc-66 -million/2011/07/26/g. IQA 1 ce. Kb. I_blog. html Epsilon Source: http: //www. btobonline. com/article/20110502/EMAIL 04/305029957/epsilon -data-breach-damage-could-hit-225 m#seenit 9

Key Problem Industry and Government do not view risks in the same way. Therefore, it is difficult to develop a common understanding on appropriate measures and strategies.

Industry View n Manage and accept certain risk l n Balance security spending against other business costs l n Cyber security is managed as a business risk, not a national security concern Money spent on cybersecurity cannot be spent on marketing Lines of responsibility are clearly defined l Accountable to shareholders and customers

Government View n Tries to eliminate risk l n Generally have a zero tolerance for risk, especially concerning the private sector l n National security risks differ from business risk Claims private sector “is not doing enough” Lines of Responsibility not well defined l Agency heads, Department heads, Agency CIO, Department CIO, Legislative committees etc.

Corporate Risk Management n Identify, prioritize and protect key IP and data l n n n Migrating to the Cloud should be part of an overall business strategy Promote security as an integral component of business, not a cost of business Institutionalize security into all aspects of company Engage, and encourage your cloud providers to engage, in forums that enable trusted information sharing to identify common threats and mitigation techniques

National Risk Management n 2009 IT Sector Risk Assessment l l l Identify 6 IT Sector “Critical Functions” Develop “attack trees” to identify risks to those functions Examine capabilities needed to successfully disrupt the function Consider mitigation activities Creates a national sector Risk Assessment

Cloud Security Considerations n The Cloud can reduce security costs but is also becoming a huge target— the cloud provides a “one stop shop” for threat actors l n Legally complex environment l l n Cloud providers have been successfully attacked Who owns incident management: the customer or the provider? What information can be shared across national borders? What forums exist for cloud providers to share incident and threat information and mitigation strategies l l Defense cannot be done in isolation Should SLAs require providers to participate in ISACs or with National CERTs?

How to move forward? n Understand industry and governments’ risks perspectives are not the same l n Build common situational awareness l l l n Recognize business and national security interests are not the same Actively share and collaboratively analyze threat information within industry, between industry and government, and across national borders Use purchasing power to require vendors to actively participate in information sharing forums. Link national CERTs and sector ISACs Prioritize what needs to be protected l Focus on areas where we have common security concerns and needs

IT-ISAC Operations Construct n Shifting focus from vulnerabilities to threats and indicators l l n Develop internal communities focused on specific issues of common interest l n Companies need more timely, high-quality, analyzed information on threats Better leveraging global networks of members to create enhanced situational awareness Aggregate analysis from communities of interest to provide greater depth and breadth to members Broadening scope and membership internationally l Cyber by nature is international, so we need an international capability

Conclusion n We’re operating in a new environment and still do not understand all the risks l n The Cloud is already being attacked l n The threat is changing more quickly than a regulatory environment can address As more data moves to the cloud, we’ll see more attacks on the cloud International collaboration is essential, but we need to prioritize l l Leverage ISACs and CERTs to share and analyze threat information and incident indicators Link CERTs and ISACs to build a global incident response capability

Thank You!! Scott C. Algeier Executive Director, IT-ISAC +1 703 -385 -4969 salgeier@it-isac. org www. it-isac. org