WP Security Program Focus by Industry1 - 230799
SECURITY PROGRAM FOCUS BY INDUSTRY
WHITE PAPER
CONTENTS
Introduction
Financial Services
Healthcare
Information Technology
Legal
Professional Services
Retail
Utilities
Conclusion
WHITE PAPER / SECURITY PROGRAM FOCUS BY INDUSTRY
INTRODUCTION
FIGURE 1. 10 CRITICAL CYBER SECURITY COMPONENTS OF A SECURITY PROGRAM.
Security Program Components

1. Governance, Compliance and Organization: An organization’s information security program should align with business objectives and governance requirements that are placed on the client by other governing bodies. This includes linkage between an organization’s strategic goals and its program components. Appropriate governance mechanisms should be in place, including policies, standards and guidelines that govern how the client’s information security program achieves the business objectives of the broader organization.

2. Data Protection: A data protection framework with data classification and identification capabilities, including definition of high-target information assets, enables focused protective and defensive security measures. Data protection techniques, such as encryption and access controls, should be used to protect data in motion, in use and at rest.

3. Security Risk Management: A risk management framework and process for identifying, assessing and addressing security risks within the organization. Risk should be appropriately managed across the enterprise and appropriate security controls should be applied based on the assessed risk.

4. Identity and Access Management: Access management policies and procedures are proactive controls to reduce the risk of inappropriate access to sensitive data. This includes use of directory services and management solutions currently in place at the client.

5. Incident Response: People, processes and technologies are deployed to detect, analyze, escalate, respond to and contain advanced attacks. Related topics include governance, people, communication, infrastructure, visibility and response.

6. Third-Party / Vendor Management: Security measures must be in place to protect access to the client’s information or resources when access is provided to a third-party provider or when information is sent to a third-party provider for business operation. Processes should include a periodic review of third-party access and should ensure that contractual requirements for third-party security and control are being honored.

7. Host and Endpoint Protection: Use of various tools and technologies deployed as part of the client’s host and endpoint protection infrastructure. Effective architecture should provide visibility into host-based activities and incorporate security into the use of emerging technologies, such as advanced threat protection and real-time host analytics.

8. Application, Database and Mobile Protection: Use of various tools and technologies deployed as part of the client’s application, database and mobile protection capability with effective architecture to provide visibility and incorporate security into emerging technologies, such as mobile application and device management, bring your own device (BYOD) and software as a service (SaaS).

9. Network, Cloud and Data Center Protection: Use of various tools and technologies deployed as part of the client’s network, cloud and data center protection profile, effectiveness of the architecture in providing visibility into network and perimeter protection, extended network and cloud environment and data center activities and incorporation of security into the use of emerging technologies, such as next-generation protection, advanced threat detection, geo-location technologies and NetFlow.

10. Security Awareness and Training: Effective information security awareness and training program that informs end users of potential security concerns and includes effective protocols to disseminate information security department communications to the rest of the organization.

While a comprehensive security program consists of these ten areas, determining the priorities varies from organization to organization. Focus areas may differ industry by industry, depending on the nature of business being conducted and the threat landscape facing that organization. For example, organizations in highly regulated industries such as banking and financial services are likely to focus more on governance and compliance, while organizations in industries reliant on intellectual property are likely to focus on data protection.

In this paper, we provide an overview of the key objectives, focus areas and areas of concern across the following industries:
• Aerospace and defense
• Financial services
• Governments and agencies
• Healthcare
• Information technology
• Legal
• Media and entertainment
• Professional services
• Retail
• Utilities
AEROSPACE AND DEFENSE
SUMMARY
As more sophisticated attacks are on the rise, aerospace and defense organizations are doubling down on their efforts to protect themselves. These organizations are concerned with the protection of proprietary data and data shared with external entities. This means focusing on aspects of their infrastructure such as the Data Protection, Identity and Access Management and elements of the Security Risk Management component, namely redundancy and recoverability. These industries have shown maturity in Third Party Vendor Management because they are required to focus heavily on their inbound and outbound connections with other organizations for the sake of data transfer and day-to-day activities. However, Mandiant has seen a lack of maturity in the Incident Response and elements of the Network, Cloud and Data Center components because many organizations tend to focus on prevention at the perimeter rather than response and secure architecture.
RELEVANT COMPONENTS
• Data Protection
• Identity and Access Management
• Security Awareness and Training
AREAS OF CONCERN
FINANCIAL SERVICES
SUMMARY
Financial services industries are highly targeted within the information security space. It’s not uncommon to hear of a breach occurring within a financial institution, from a multi-national organization to smaller, independent banks and credit unions. Additionally, these organizations must adhere to strict PCI-DSS regulations as well as protect the personally identifiable information (PII) of their customers. As a result, Security Awareness Training is a priority for all employees. Other focus areas include Security Risk Management to protect existing data and to recover lost data as part of the Governance, Compliance and Organization component. However, Mandiant consultants have discovered a lack of maturity in the areas of Incident Response and Identity and Access Management as many of these financial institutions are primarily focused on utilizing limited resources on the areas tied to compliance requirements.
RELEVANT COMPONENTS
• Security Awareness Training
• Host and Endpoint Protection
• Incident Response
AREAS OF CONCERN
GOVERNMENT AND INTERNATIONAL ORGANIZATIONS
SUMMARY
Long gone are the days where cyber attacks only happened to private businesses and for monetary gain. With the rise of state-sponsored attackers and “hacktivists,” governments and international organizations have a unique set of concerns to focus on. Resource allocation and efforts appear to be focused on Identity and Access Management and “keeping the enemy out” which leads into parallel components such as Security Risk Management and Incident Response. Internal visibility into the environment, proactive responses to potential incidents and Security Awareness and Training and Data Protection are key areas of focus for this industry.
RELEVANT COMPONENTS
• Identity and Access Management
• Data Protection
• Security Risk Management
• Incident Response
AREAS OF CONCERN
HEALTHCARE
SUMMARY
The healthcare industry has seen a rise in malicious activity in recent years with highly public breaches occurring at several major organizations. Because of this new influx of activity, healthcare organizations are increasingly concerned about reviewing their internal infrastructure and policies. While many organizations are focused on designing their Governance, Compliance and Organization components to comply with HIPAA standards and ensure they’re meeting their compliance requirements, FireEye has found low maturity levels in areas such as Incident Response and elements of the Network, Cloud and Data Center Protection. This has caused issues in some instances where entire hospital systems were impacted and left vulnerable due to an advanced attack such as a successful ransomware campaign.
RELEVANT COMPONENTS
• Data Protection
• Incident Response
• Governance, Compliance and Organization
• Host and Endpoint Protection
AREAS OF CONCERN
INFORMATION TECHNOLOGY
SUMMARY
Information technology firms have always faced a unique challenge with regards to proactively bolstering their environment and security program, as the threats that they face most commonly are tied to the niche of the information technology space that they reside in. Data warehouses and hosting providers are primarily concerned with Security Risk Management elements such as data redundancy and resiliency as well as the Identity and Access Management component, while managed service providers may be more concerned with Third Party Vendor Management and securing the connections with their clients. However, common trends tend to emerge and while there are certainly strengths in the components of Incident Response and Governance, Compliance and Organization, Data Protection tends to be the least mature of the components.
RELEVANT COMPONENTS
• Identity and Access Management
• Security Risk Management
• Third-Party/Vendor Management
• Network, Cloud and Data Center
• Application, Database and Mobile Protection
AREAS OF CONCERN
LEGAL
SUMMARY
Legal firms are a bit of a unique outlier within the information security industry. While most industries traditionally have shortcomings in the Third Party Vendor Management and Incident Response components, this industry excels at them. This is primarily because legal firms understand liability and risk mitigation in terms of consequential damages that can result from the lack of security maturity. However, FireEye has discovered that they experience poor security risk management results in the infrastructure resiliency arena, lack dedicated resources and have poor security architecture controls within Network, Cloud and Data Center Protection. The security team within the organization must often wear multiple hats and while it’s important to be able to quickly respond to incidents, there tends to be a lack of visibility into the environment that can help identify problems before they occur.
RELEVANT COMPONENTS
• Incident Response
• Third-Party/Vendor Management
• Network, Cloud and Data Center
• Data Protection
AREAS OF CONCERN
MEDIA AND ENTERTAINMENT
SUMMARY
Media and entertainment industries have always placed a focus on protecting their internal assets, such as preventing piracy or access to sensitive data that may be kept within the organization. However, due to recent breaches, this focus is expanding to protecting the entire infrastructure. One such breach resulted in the theft and release of internal communications that were made public. Because of this, the heaviest emphasis is placed on asset protection such as Identity and Access Management, Data Protection and Incident Response. Additionally, some of the businesses within this industry are focused on Governance, Compliance and Organization due to their hosting of PCI-DSS data that requires special consideration. Types of proactive efforts and their effectiveness differ wildly among different types of media organizations.
RELEVANT COMPONENTS
• Data Protection
• Identity and Access Management
• Incident Response
AREAS OF CONCERN
PROFESSIONAL SERVICES
SUMMARY
The professional services industry shares many of the same concerns as the information technology industry, with the additional unique requirement of protecting client data as well as their own. Aspects of Security Risk Management such as infrastructure resiliency are strong and third party vendor management is typically mature. However, FireEye has discovered weaknesses in Incident Response, Governance, Risk and Compliance organization in terms of personnel and trained staffing and the remaining factors that play into the Security Risk Management. Companies in this industry appear to focus on components they feel are relevant to their specific niche.
RELEVANT COMPONENTS
• Third-Party/Vendor Management
• Data Protection
• Security Risk Management
RETAIL
SUMMARY
Within the past few years, the retail industry has been hit with several massive breaches that became very visible and very, very costly. The primary concern of nearly all retail organizations is the protection of credit card data and personally identifiable information, so there tends to be more focus on the Data Protection and Access Management components. However, FireEye has found there appears to be a lack of maturity within the Incident Response, Security Risk Management and Third Party Vendor Management components, which are all three vitally important to detect and remediate problems before they occur.
RELEVANT COMPONENTS
• Data Protection
• Identity and Access Management
• Incident Response
• Third-Party/Vendor Management
AREAS OF CONCERN
UTILITIES
SUMMARY
Since the detection of Stuxnet in 2010, a unique spotlight has been placed on public utility providers and other organizations that rely on industrial control systems. Many of these systems rely on end-of-life and antiquated hardware that present non-traditional risks. Security Risk Management that emphasizes infrastructure resiliency appears to be the primary focus of this industry. The Network, Cloud and Data Center protection component, and subsequently Access Management, follow close behind in their maturity levels. Other components such as Governance, Compliance and Organization, Incident Response and Data Protection are found to be less robust. This industry’s primary focus is operational stability, followed by improving security as the organization matures and new threats are discovered.
RELEVANT COMPONENTS
• Security Risk Management
• Identity and Access Management
• Incident Response
• Governance, Compliance and Organization
AREAS OF CONCERN
While utility providers have become a target in recent years, many are
working to bring their systems up to date to bear against the emerging
threats. They emphasize infrastructure resiliency as part of the Security
Risk Management component, but are gradually shifting to Identity and
Access Management and Incident Response. They are also trying to find
knowledgeable staff for industrial control systems, which ties into the
Governance, Compliance and Organization component.
CONCLUSION
FireEye, Inc.
1440 McCarthy Blvd. Milpitas, CA 95035
408.321.6300 / 877.FIREEYE (347.3393) / info@FireEye.com
www.FireEye.com
© 2016 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc.
All other brands, products, or service names are or may be trademarks
or service marks of their respective owners. WP.SPA.EN-US.102016