Kyberturvallisuus yrityksenmenestystekijänä

Kyberturvallisuus teollisuuden näkökulmasta

17.3.2016 Jari Still, CIO, F-SECURE

1

AGENDA Security and privacy trends

Security market view

Advanced attacks

Cyber security?

FSC business models

Software security

2

© F-Secure Confidential3

SECURITY AND PRIVACY TRENDS

Threat landscape overall is getting more complex

Targeted cyber attacks threaten companies and privacy of individuals

New connected home devices (Internet of Things) are a risk to security and privacy

New opportunitiesin security and privacy

Revelations on governmental surveillance continue

SECURITY MARKET CONTINUES TO GROW

2015 2016 2017 2018

Consumer Security 5518 5799 6063 6316

0

5 000

10 000

15 000

20 000

25 000

Consumer security

$ million

2015 2016 2017 2018

Corporate Security 17311 18463 19612 20820

0

5 000

10 000

15 000

20 000

25 000

Corporate security

$ million

Consumer Security Software market is expected to grow

4-5% annually

Corporate Security Software market is expected to grow

faster, 6-7% annually

Source:Gartner

B2B SECURITY SERVICES DRIVING THE FUTURE GROWTH

0

10

20

30

40

50

60

70

2014 2015 2016 2017 2018 2019IT security services and consulting IT security products Consumer Security

20%

2%

5%

Source: Gartner

Billion dollar

Tech Advanced/Enterprise

Mid-Size Business

Consumer

ADVANCED ATTACKS ARE DRIVING THE SECURITY

TECHNOLOGY

Anthem (80 million people affected)

Ashley Madison (37m)

Office of Personnel

Management (25m)

Experian/T-Mobile (15m)

Premera (11m)

LastPass (7m)

CareFirst (1,1m)

The hacking team (1m)

Slack (0,5m)

Source: Forbes

Top breachesin 2015

6

THERE ARE TWO TYPES

OF COMPANIES: 1. THOSE WHO HAVE BEEN BREACHED

2. THOSE WHO CAN BE BREACHED, BUT NOBODY GOOD ENOUGH HAS BOTHERED TO DO IT YET

8

TODAY CUSTOMERS ARE BEING OWNED IN AVERAGE FOR 200 DAYS WITHOUT THEM KNOWING ABOUT IT.

TODAY, EVERY BUSINESS IS A TARGET

9

“It is no longer an issue that concerns only information technology and security professionals; the impact has extended to the C-suite and boardroom.” – PwC 2015

Detected security incidents

11

PREDICT PREVENT

DETECTRESPOND

Understand your risk, know your attack surface, uncover weak spots

Minimize attack surface, prevent incidents

Recognize incidents and threats, isolate and

contain them

React to breaches,mitigate the damage,analyze and learn

CYBER SECURITY IS A PROCESS

PRODUCTS SUPPORTING THE PROCESSES

VULNERABILITY & PATCH MGMT

END-POINT & NETWORK SECURITY SUITES

FREEDOME

SENSE

SERVICES & CONSULTING

THREAT INTELLIGENCE AND CYBER ANALYTICS

INCIDENT RESPONSE SERVICES (RDC/IR) ADVANCED THREAT PROTECTION (ATP)

PREDICT PREVENT

DETECTRESPOND

*NEW PRODUCTS

SECURITY SPENDING BY SECURITY LIFECYCLE

PREDICT PREVENT

DETECTRESPOND

ENDPOINT PROTECTION PLATFORMS

MARKET SIZE 3B USDGrowth 3%

VULNERABILITY ASSESSMENT

MARKET SIZE 1B USD

Growth 20-30%

ENDPOINT DETECTION AND REMEDIATION

MARKET SIZE 0.5-1B USDGrowth 50-100%

SECURITY CONSULTING

MARKET SIZE 18B USDGrowth 10-20%

THREAT INTELLIGENCE

14

CYBER SECURITY IS A TOPIC FOR ALL ORGANIZATION LEVELS

STRATEGIC –RISK MANAGEMENT

TACTICAL –SECURITY MANAGEMENT

EXECUTION –TECHNOLOGY MANAGEMENT

15

WHY SHOULD WE TAKE IT SERIOUSLY ?

DIGITALIZATION OF BUSINESS, INTERNET OF THINGS CYBER SECURITY HAS BECOME AN INTEGRAL PART OF YOUR BUSINESS

COST FOR ADVANCED ATTACKS GETTING LOWER -WHAT NATION STATES INNOVATED YESTERDAY IS IN HANDS OF COMMON CRIMINALS TODAY

16

THE ROLE OF EXECUTIVE LEADERSHIP

• Prioritize critical assets• Identify business risks• Establish risk appetite

• Mitigate the risk• Transfer the risk• Accept the risk

• Assign responsibilities• Ensure resources/ budget

Corporate strategyRisk management

Monitoring resultsFeedback

17

HAVE YOU IDENTIFIED YOUR CYBER BUSINESS RISKS ?

ThreatsWho? Attack

vector?

ImpactHow it impacts

business/strategic

objectives?

EffectWhat is theoperationaleffect of the

event?

Weaknesses

How a breach could happen?

Events

What happens, how is it noticed?

?

18

SIMPLIFIED BUSINESS IMPACT TIMELINE

Stak

eho

lder

focu

s &

att

enti

on

Reso

urce

dem

and

Discovery

Long-term implications- Loss of revenue- Stock price effect- Brand & Reputation damage- Regulatory fines- Contractual fines- Costs incurred in remediation- 3rd party legal liability

Incident Response- IT Forensics- Legal & Regulatory review

External areas- Public Relations- Notification management- Stakeholder Communication- Remedial Service Provision

Time

Short-term implications- Loss of efficiency & delivery- Internal reporting mayhem- Management’s focus on incident,

not on business- Costs incurred in response- Customer interface overload

19

GERMANY 4,490,000€

FRANCE 3,990,000€

UK 3,420,000€

ITALY 2,530,000€Source: Ponemon Institute, 2015 Cost of Data Breach Study: Global Analysis

DATA BREACH COSTS ARE RISING

Opportunity cost

Indirect costs

Direct costs

20

HAVE YOU CONSIDERED THE REPUTATION RISK

Source: The Aftermath of a Mega Data Breach: Consumer Sentiment, Ponemon Institute, April 2014

http://www.ft.com/cms/s/0/390ecea2-bf69-11e5-a8c6-deeeb63d6d4b.html#axzz3yMGLS5Zg

21

LETS LOOK AT HOW ATTACKERS OPERATEAND WHAT THEY ARE AFTER

DATA

CONTROL

USERCREDENTIALS

OPERATINGENVIRONMENT

OPERATINGSYSTEM

CRIMINALS

HACTIVISTS

INDUSTRIAL ESPIONAGE

NATION STATES

22

IN THE PROCESS, THEY WILL ALWAYS LEAVE (SOMETIMES VERY SUBTLE) FOOTPRINTS SOMEWHERE…

CRIMINALS

HACTIVISTS

INDUSTRIAL ESPIONAGE

NATION STATES

USERCREDENTIALS

OPERATINGSYSTEM

OPERATINGENVIRONMENT

USER LEVEL FOOTPRINTS

APPLICATION LEVEL FOOTPRINTS

OPERATING ENVIRONMENTFOOTPRINTS

OS LEVEL FOOTPRINTS

NETWORK LEVEL FOOTPRINTS

23

TRADITIONAL DEFENSES ARE NOT ENOUGH

COMPANIES FROM SAME INDUSTRY

VERTICAL

<30min

YOURCOMPANY

Sensors on yournetwork andendpoints

BIGDATA

BEHA-VIOUR

F-SECURE THREATINTELLIGENCE ANDANALYTICS

Anomaly

Alert

RAPIDDETECTIONCENTER

HERE’S HOW IT WORKS – BEST EXPERTS, TECHNOLOGYAND INTELLIGENCE AT YOUR SERVICE

F-SECURE GO-TO-MARKET MODELS

CONSUMER SECURITY

CORPORATE SECURITY

OPERATORS DIRECT SALES RESELLERS CYBER SECURITY SERVICES

Consumer security (61%) Corporate security (39%)

25

CONSUMER SECURITY

CORPORATE SECURITY

OPERATORS DIRECT SALES RESELLERS DIRECT SALES

SMBLARGE

ENTERPRISESCONSUMERS

200+ operators 4000+ resellers

Tens of millions Tens of thousands Hundreds

F-SECURE GO-TO-MARKET MODELS

27

SECURITYDONE, RIGHT ON TIME, EARLY ENOUGH, WHEN IT’S CHEAPER

SOFTWARE SECURITY

MAKING SECURITY INTUITIVE

Three corners of innovation: Technology –User experience –Business models

29

SECURITY, PRIVACY, ANONYMITY.