
SECURITY PROGRAM FOCUS BY INDUSTRY

WHITE PAPER

CONTENTS

Introduction 2

Description of Security Program Components 4

Aerospace and Defense 6

Financial Services 7

Government and International Organizations 8

Healthcare 9

Information Technology 10

Legal 11

Media and Entertainment 12

Professional Services 13

Retail 14

Utilities 15

Conclusion 16

WHITE PAPER / SECURITY PROGRAM FOCUS BY INDUSTRY 2
INTRODUCTION

The need for a cyber security program is widely recognized. It is important to understand that a security program is more than any one thing: it comprises 10 components. These components are based on a combination of industry standards such as those from The American Institute of CPAs (AICPA), The European Network and Information Security Agency, Information Assurance Framework (ENISA IAF), Control Objectives for Information and Related Technologies (COBIT), The Payment Card Industry Data Security Standard (PCI DSS) and National Institute of Standards and Technology (NIST). They also include the insights of Mandiant, a FireEye company, gained from over a decade of responding to security incidents across a wide variety of industries worldwide.

[Figure 1: wheel diagram of the ten components (Governance, Compliance and Organization; Data Protection; Security Risk Management; Identity and Access Management; Incident Response; Third-Party/Vendor Management; Host and Endpoint Protection; Application, Database and Mobile Protection; Network, Cloud and Data Center; Security Awareness Training), surrounded by the ring labels Risk-Based Analysis, Intel-Driven Support, Threat Profiling and Technology (remainder of the last label not legible in the extraction).]

FIGURE 1. 10 CRITICAL CYBER SECURITY COMPONENTS OF A SECURITY PROGRAM.

Security Program Components

1. Governance, Compliance and Organization: An organization’s information security program should align with business objectives and governance requirements that are placed on the client by other governing bodies. This includes linkage between an organization’s strategic goals and its program components. Appropriate governance mechanisms should be in place, including policies, standards and guidelines that govern how the client’s information security program achieves the business objectives of the broader organization.

2. Data Protection: A data protection framework with data classification and identification capabilities, including definition of high-target information assets, enables focused protective and defensive security measures. Data protection techniques, such as encryption and access controls, should be used to protect data in motion, in use and at rest.

3. Security Risk Management: A risk management framework and process for identifying, assessing and addressing security risks within the organization. Risk should be appropriately managed across the enterprise and appropriate security controls should be applied based on the assessed risk.

4. Identity and Access Management: Access management policies and procedures are proactive controls to reduce the risk of inappropriate access to sensitive data. This includes use of directory services and management solutions currently in place at the client.

5. Incident Response: People, processes and technologies are deployed to detect, analyze, escalate, respond to and contain advanced attacks. Related topics include governance, people, communication, infrastructure, visibility and response.

6. Third-Party / Vendor Management: Security measures must be in place to protect access to the client’s information or resources when access is provided to a third-party provider or when information is sent to a third-party provider for business operation. Processes should include a periodic review of third-party access and should ensure that contractual requirements for third-party security and control are being honored.

7. Host and Endpoint Protection: Use of various tools and technologies deployed as part of the client’s host and endpoint protection infrastructure. Effective architecture should provide visibility into host-based activities and incorporate security into the use of emerging technologies, such as advanced threat protection and real-time host analytics.

8. Application, Database and Mobile Protection: Use of various tools and technologies deployed as part of the client’s application, database and mobile protection capability, with effective architecture to provide visibility and incorporate security into emerging technologies, such as mobile application and device management, bring your own device (BYOD) and software as a service (SaaS).

9. Network, Cloud and Data Center Protection: Use of various tools and technologies deployed as part of the client’s network, cloud and data center protection profile; effectiveness of the architecture in providing visibility into network and perimeter protection, extended network and cloud environment and data center activities; and incorporation of security into the use of emerging technologies, such as next-generation protection, advanced threat detection, geo-location technologies and NetFlow.

10. Security Awareness and Training: An effective information security awareness and training program that informs end users of potential security concerns and includes effective protocols to disseminate information security department communications to the rest of the organization.

While a comprehensive security program consists of these ten areas, determining the priorities varies from organization to organization. Focus areas may differ industry by industry, depending on the nature of business being conducted and the threat landscape facing that organization. For example, organizations in highly regulated industries such as banking and financial services are likely to focus more on governance and compliance, while organizations in industries reliant on intellectual property are likely to focus on data protection.

In this paper, we provide an overview of the key objectives, focus areas and areas of concern across the following industries:

• Aerospace and defense
• Financial services
• Governments and agencies
• Healthcare
• Information technology
• Legal
• Media and entertainment
• Professional services
• Retail
• Utilities

AEROSPACE AND DEFENSE

SUMMARY

As more sophisticated attacks are on the rise, aerospace and defense organizations are doubling down on their efforts to protect themselves. These organizations are concerned with the protection of proprietary data and data shared with external entities. This means focusing on aspects of their infrastructure such as the Data Protection, Identity and Access Management and elements of the Security Risk Management component, namely redundancy and recoverability. These industries have shown maturity in Third Party Vendor Management because they are required to focus heavily on their inbound and outbound connections with other organizations for the sake of data transfer and day-to-day activities. However, Mandiant has seen a lack of maturity in the Incident Response and elements of the Network, Cloud and Data Center components because many organizations tend to focus on prevention at the perimeter rather than response and secure architecture.

RELEVANT COMPONENTS

• Data Protection
• Identity and Access Management
• Security Awareness and Training

AREAS OF CONCERN

In recent breaches, loss of emails and proprietary information has increased focus on the Data Protection, Identity and Access Management and Security Awareness and Training components within the aerospace and defense industry. Additional areas of concern stem from host and endpoint protection, where infections can spread across the entire organization before exfiltration of potentially sensitive data contained within the endpoints.

FINANCIAL SERVICES

SUMMARY

Financial services industries are highly targeted within the information security space. It’s not uncommon to hear of a breach occurring within a financial institution, from a multi-national organization to smaller, independent banks and credit unions. Additionally, these organizations must adhere to strict PCI-DSS regulations as well as protect the personally identifiable information (PII) of their customers. As a result, Security Awareness Training is a priority for all employees. Other focus areas include Security Risk Management to protect existing data and to recover lost data as part of the Governance, Compliance and Organization component. However, Mandiant consultants have discovered a lack of maturity in the areas of Incident Response and Identity and Access Management, as many of these financial institutions are primarily focused on utilizing limited resources on the areas tied to compliance requirements.

RELEVANT COMPONENTS

• Security Awareness Training
• Host and Endpoint Protection
• Incident Response

AREAS OF CONCERN

Stemming from concerns surrounding new threats involving inter-bank payment systems and ransomware, financial institutions are focusing greater attention on Security Awareness and Training to train users to act as a frontline of defense for the organization. As disruptive and destructive cyber attacks continue to rise, infrastructure resiliency has become a primary area of concern for organizations that need to protect their customers’ sensitive financial information (PCI-DSS) and personally identifiable information (PII). Host and Endpoint Protection has also become a major area of concern with a rise in malicious activity that tends to begin with individual users’ endpoints. The industry is using heuristic antivirus technologies, mature incident response techniques, and other practices against these challenges.

GOVERNMENT AND INTERNATIONAL ORGANIZATIONS

SUMMARY

Long gone are the days where cyber attacks only happened to private businesses and for monetary gain. With the rise of state-sponsored attackers and “hacktivists,” governments and international organizations have a unique set of concerns to focus on. Resource allocation and efforts appear to be focused on Identity and Access Management and “keeping the enemy out,” which leads into parallel components such as Security Risk Management and Incident Response. Internal visibility into the environment, proactive responses to potential incidents, Security Awareness and Training and Data Protection are key areas of focus for this industry.

RELEVANT COMPONENTS

• Identity and Access Management
• Data Protection
• Security Risk Management
• Incident Response

AREAS OF CONCERN

Based on recent breaches, enhanced oversight of security operations due to those breaches, and continued pressure from advanced adversaries, government and international organizations have been bolstering their defenses to protect sensitive data and respond quickly to emerging threats. Common areas of focus include Identity and Access Management, Data Protection, Security Risk Management, and Incident Response. Members of this industry must improve their security from “behind the curve”: their starting security posture is traditionally lower than that of other industries.

HEALTHCARE

SUMMARY

The healthcare industry has seen a rise in malicious activity in recent years, with highly public breaches occurring at several major organizations. Because of this new influx of activity, healthcare organizations are increasingly concerned about reviewing their internal infrastructure and policies. While many organizations are focused on designing their Governance, Compliance and Organization components to comply with HIPAA standards and ensure they’re meeting their compliance requirements, FireEye has found low maturity levels in areas such as Incident Response and elements of Network, Cloud and Data Center Protection. This has caused issues in some instances where entire hospital systems were impacted and left vulnerable due to an advanced attack such as a successful ransomware campaign.

RELEVANT COMPONENTS

• Data Protection
• Incident Response
• Governance, Compliance and Organization
• Host and Endpoint Protection

AREAS OF CONCERN

Healthcare organizations must use and protect highly sensitive information such as Personally Identifiable Information (PII). Due to several recent high-profile breaches, they have doubled their efforts to protect such information. This has led to an increased focus on the Data Protection, Incident Response and Governance, Compliance and Organization components. However, their efforts are complicated by a scarcity of dedicated and trained security personnel, especially in the short term. Sophisticated, targeted threats such as ransomware are also increasing in frequency and number, crippling entire hospitals and medical networks. In response, healthcare organizations have only recently begun to consider Host and Endpoint Protection with heuristic-based antivirus technologies.

INFORMATION TECHNOLOGY

SUMMARY

Information technology firms have always faced a unique challenge with regards to proactively bolstering their environment and security program, as the threats that they face most commonly are tied to the niche of the information technology space that they reside in. Data warehouses and hosting providers are primarily concerned with Security Risk Management elements such as data redundancy and resiliency as well as the Identity and Access Management component, while managed service providers may be more concerned with Third Party Vendor Management and securing the connections with their clients. However, common trends tend to emerge, and while there are certainly strengths in the Incident Response and Governance, Compliance and Organization components, Data Protection tends to be the least mature of the components.

RELEVANT COMPONENTS

• Identity and Access Management
• Security Risk Management
• Third-Party/Vendor Management
• Network, Cloud and Data Center
• Application, Database and Mobile Protection

AREAS OF CONCERN

Information technology companies are typically driven to focus on different components, based on the niche they fall within. However, traditional areas of concern appear to be Identity and Access Management, Security Risk Management (with a special concern surrounding infrastructure resiliency) and Third Party Vendor Management. Additionally, IT organizations have begun to focus heavily on their network, cloud and data center protection standards, with a specific focus around cloud environments. Finally, within the area of application, database and mobile security, Mandiant has noticed an increase in concern over application security, from development to deployment and ongoing maintenance with operational sustainability.

LEGAL

SUMMARY

Legal firms are a bit of a unique outlier within the information security industry. While most industries traditionally have shortcomings in the Third Party Vendor Management and Incident Response components, this industry excels at them. This is primarily because legal firms understand liability and risk mitigation in terms of the consequential damages that can result from a lack of security maturity. However, FireEye has discovered that they experience poor security risk management results in the infrastructure resiliency arena, lack dedicated resources and have poor security architecture controls within Network, Cloud and Data Center Protection. The security team within the organization must often wear multiple hats, and while it’s important to be able to quickly respond to incidents, there tends to be a lack of visibility into the environment that can help identify problems before they occur.

RELEVANT COMPONENTS

• Incident Response
• Third-Party/Vendor Management
• Network, Cloud and Data Center
• Data Protection

AREAS OF CONCERN

Legal organizations have traditionally focused on the components that help to mitigate risk and liability and, as such, have homed in on Incident Response and Third Party Vendor Management. The areas of concern are Network, Cloud and Data Center Protection, Data Protection and Incident Response.

MEDIA AND ENTERTAINMENT

SUMMARY

Media and entertainment industries have always placed a focus on protecting their internal assets, such as preventing piracy or access to sensitive data that may be kept within the organization. However, due to recent breaches, this focus is expanding to protecting the entire infrastructure. One such breach resulted in the theft and release of internal communications that were made public. Because of this, the heaviest emphasis is placed on asset protection such as Identity and Access Management, Data Protection and Incident Response. Additionally, some of the businesses within this industry are focused on Governance, Compliance and Organization due to their hosting of PCI-DSS data that requires special consideration. Types of proactive efforts and their effectiveness differ wildly among different types of media organizations.

RELEVANT COMPONENTS

• Data Protection
• Identity and Access Management
• Incident Response

AREAS OF CONCERN

Media and entertainment companies were some of the first organizations to truly feel the effects of disruptive cyber attacks and data theft. As they became increasingly concerned about protecting their assets against piracy and outages, they increased focus on the Data Protection and Identity and Access Management components to limit access to sensitive data and curtail disruptive malfeasance. Many organizations are looking to bolster their Incident Response capabilities so they can respond more quickly to breaches that might result in loss of intellectual property. Mandiant has observed that some groups, such as news organizations, are at particularly high risk because of the information they hold.

PROFESSIONAL SERVICES

SUMMARY

The professional services industry shares many of the same concerns as the information technology industry, with the additional unique requirement of protecting client data as well as their own. Aspects of Security Risk Management such as infrastructure resiliency are strong, and third party vendor management is typically mature. However, FireEye has discovered weaknesses in Incident Response, in Governance, Compliance and Organization (in terms of personnel and trained staffing) and in the remaining factors that play into Security Risk Management. Companies in this industry appear to focus on components they feel are relevant to their specific niche.

RELEVANT COMPONENTS

• Third-Party/Vendor Management
• Data Protection
• Security Risk Management
• Network, Cloud and Data Center

AREAS OF CONCERN

Although there are many different types of professional services companies that focus on different markets, the primary components that Mandiant has found this industry focuses on are Third Party Vendor Management, Data Protection and aspects of Security Risk Management. There is also an increased focus on cloud security as part of the Network, Cloud and Data Center component as more and more client data moves to the cloud as a standard business practice.

RETAIL

SUMMARY

Within the past few years, the retail industry has been hit with several massive breaches that became very visible and very, very costly. The primary concern of nearly all retail organizations is the protection of credit card data and personally identifiable information, so there tends to be more focus on the Data Protection and Identity and Access Management components. However, FireEye has found there appears to be a lack of maturity within the Incident Response, Security Risk Management and Third Party Vendor Management components, all three of which are vitally important to detect and remediate problems before they occur.

RELEVANT COMPONENTS

• Data Protection
• Identity and Access Management
• Incident Response
• Third-Party/Vendor Management

AREAS OF CONCERN

Due to several recent, highly public breaches, retail organizations have begun to focus very heavily on Data Protection, Identity and Access Management and Incident Response. However, it is important to note that Third Party Vendor Management is becoming more important to this industry.

UTILITIES

SUMMARY

Since the detection of Stuxnet in 2010, a unique spotlight has been placed on public utility providers and other organizations that rely on industrial control systems. Many of these systems rely on end-of-life and antiquated hardware that present non-traditional risks. Security Risk Management that emphasizes infrastructure resiliency appears to be the primary focus of this industry. The Network, Cloud and Data Center Protection component and, subsequently, Access Management follow close behind in their maturity levels. Other components such as Governance, Compliance and Organization, Incident Response and Data Protection are found to be less robust. This industry’s primary focus is operational stability, followed by improving security as the organization matures and new threats are discovered.

RELEVANT COMPONENTS

• Security Risk Management
• Identity and Access Management
• Incident Response
• Governance, Compliance and Organization

AREAS OF CONCERN

While utility providers have become a target in recent years, many are working to bring their systems up to date against emerging threats. They emphasize infrastructure resiliency as part of the Security Risk Management component, but are gradually shifting to Identity and Access Management and Incident Response. They are also trying to find knowledgeable staff for industrial control systems, which ties into the Governance, Compliance and Organization component.

CONCLUSION

Throughout this paper we have discussed how security priorities vary from industry to industry. Understanding priorities by industry helps identify focus and investment areas. Priorities will also vary by organization, based in part on geographic presence and the level of security maturity at each specific organization.

To fully understand your security posture and risk exposure, hire an intelligence-led third party service provider with abundant breach experience to conduct a security program assessment. This will help you measure the maturity and effectiveness of your existing cyber security program, identify security gaps and help determine short-term, long-term and ongoing cyber security priorities.

For more information on how Mandiant Consulting can help in evaluating and enhancing your cyber security program, visit: www.fireeye.com/services.html

FireEye, Inc.
1440 McCarthy Blvd. Milpitas, CA 95035
408.321.6300 / 877.FIREEYE (347.3393) / info@FireEye.com

www.FireEye.com

© 2016 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc.
All other brands, products, or service names are or may be trademarks
or service marks of their respective owners. WP.SPA.EN-US.102016
