Stefan van Gansbeke - One Step Closer to the Unhackable Enterprise

Okay, thank you.
Last year, I was here for a presentation on the security awareness this year. I will go a little bit further on. I see there's a little problem with the presentation, but I will go further on a team and it's about security strategy. Currently. They say that there are two kinds of companies, the companies that have been hacked and the other who will be hacked. What's a bit strange about that paradigm is that we accept it as someone of the security community. I would say we can do better. We should come to an hackable company, but as we are in security, we need to be humble. So we will do it step by step. So this presentation is about the building of an effective information, security strategy. That means making your long term objective clear in a language that's that engages your employees, but also your clients. And in the end, the bottom line of it all is that it opens the walls of your board. So in the end, you want to, to, to, to implement security projects. So you need the money to do, to do it. Before I go on maybe a few questions who is involved with security management in the room,
Not a lot about the security budget of this year. Did you got an, an, an increase, a freeze, an increase? Yeah. Okay. Was there are freeze or decrease? Oh, okay. Not so good. And then last question about the security. Does your company has security strategy that has been approved and has been communicated to the employees? Yeah. Okay, good, fine. The, I will run through the, my company's profile. I will look into the driver's mission vision to come to the security roadmap for of all my company is, is organized. It's pretty in Belgium health insurance. It's a federated organization. We have a central hub with 18 regional offices. Each office has its related organization. 400, 400 related organizations in total. It means a shared infrastructure. They exchange information with each other. We have about 6,000 employees. They come, they go, they get promoted, they get demoted. And some of them get fired. It's good to have a privileged account, a good privileged account management in place. The talk of this conference is about internet of things. So it should be in there, but those devices, they do not only need access to the internet. They also want access to the corporate assets, to the corporate network.
We have about four and a half million members. We call it members with our clients. They, it means that we have four and a half million of member files with a lot of sensitive information about medical and privacy information. Every member in, in that file of if they take a medicine it's in there, huh? If they go to the psychiatrist in there. So a lot of sensitive information and we treat about 40 million transactions a day because if a member goes to the, to the doctor or the hospital, you get a partial refund. This is about the company's profile. I see there's a little problem with the presentation. It doesn't show up, but I will try to make the best of it on security strategy. Last year, I talked with a few of my colleagues in, in banks, in the pharmacy industry, and they were also building with the, or they were busy with a security strategy. We came to the conclusion that there was not such a thing as a framework to, to, to build such a security strategy, not the, not, not the gardeners and the PVCs. And so didn't provide one. So we built one on, on our own.
We started with the drivers. Why are we doing security? First of all, it's the risks, enterprise risk and ICT risks. We separated the law enforcement and audit recommendations. Next to that, we had, we, we took into account security needs related to business changes the project programs running in, in our company. And next to that, we took into our account, the evolutions and the trends within the security community. Huh? What were the competitors doing? What are the vendors saying on that? Those four dimensions we took together. So for each dimension, we had an inventory list. We prioritized it so that we had a manageable set of tool, a tool set that we can use to prioritize things. You see four different dimensions, important to know that each dimension has its own sponsor. And that makes a little difference between just to have a long list. Risks identified. These are elements to take to, into account for, to show you a little bit on, on our, to give you some examples. We give the, the most important risks of my company. This is very strange. It's about the law enforcement within our social com social security environment. We have a kind of HIPAA regulation. We also are bonded to the privacy regulations. Like every company
About the security needs, our business has developed, oh, this is not right. This is not right. Hm, no, it's not following the right. Yeah. Okay. No, it's not right. Okay. I will make, try to do the best. It's a little, a little change on program. So on the trends we are bounded to at evolutions, I had to show you some incident we had and the emergency response we organized around that we came to the conclusion. It was that okay. Related to, to a fishing mill, we activated our emergency response team in the war room. We came to the conclusion that it was, it came from one typical, typical male, and that provoked an outbound traffic.
Okay. The conclusions we had that the different layers of security didn't work. So our spam filter didn't work, user awareness. People kept on clicking the web filter inbound didn't stop it. And the antivirus didn't see anything about that. There was another zero day vulnerability story on it. Last year, we all know in July, we had hard bleed. The open SSL vulnerability was in there for many years from in the beginning. And I thought more than 15 years we had in September, the shell shock it's vulnerability in the bash. She, so you could do remote executions on the Linux service. We had the, the busy work and the, the Firefox open as not open, but ASL problem. And on the windows also remote execution S channel. What was remarkable, specific on the shell shock was that on, was announced on the 24th of September, two days later, we saw a text coming on our firewall. So it took only two days to, to, to detect it, to see that the liability someone tries to, to, to, to misuse it. So these are the conclusions. So they exploits our widely used and everyone is a target, even cm. I think on the world scale scale, we are very ti, very small, but we are targeted. And the conclusion we can, we can say, or, or we can repeat it. The detection capability is very important.
It's becoming more important than the prevention.
So that's about the risk drivers next to that. Every security strategy or every strategy needs a mission. So we developed our mission statement with not only, it's not only about supporting the business, it's also strengthening the business security should be, should go a mile further than just protecting. What's also doing the, the strengthening of, of your business business. Then we had also a discussion on, or we talked about enterprise security governance. Is it security? Is it information security? And we, we, we have chosen for security because it's more than information. Yeah. So you have scan attacks, you have the physical security coming into the play. So in our mission statement, we, we took that into account. And then the last part is, okay, we're, it's about risk management, reducing the risk coming to an acceptable level by applying controls, cost conscious controls, but also part of creativity. So room for innovation, that's the mission statement. Is it important? Yes, but it's, it's, it's a long term. It's the reason why we live. And that's, that's good to know, but it's not very useful day, day by day for that, we had our vision.
Normally it, it should build up, but we have it all in once four building blocks, the red one is a typical one. It's the one we all know there, you are there to support your business, your company, your enterprise. So you need to protect it. Huh? So it's a chain of prevention, detection and response. So all activities are situated in there. In our mission statement, we say that we also strengthen our business and that's the, the green one. We want to go further security should help to connect your members or your clients with your employees, with the, the altogether, with the partners and, and the suppliers. So on a, on, on a smooth and, and reliable way. And we learned with the internet of things. It's not only people we connect. It's also devices to connect. The yellow. One is about the availability part. It's a stabilizer. It's the backup restore should be in place and should work and should guarantee that you can take a risk or disaster recover business, business continuity. Those three building blocks need to be controlled. And that's the control layer where we can find the, the policies where we can find the governance, where we can find the dashboarding. So you can control all the activities.
On top of that, we added guiding principles. It are principles that guide your security team throughout the work when they are on their own. I'm not always there or so sometimes they need to, to take decisions. Sometimes they need to do, to, to look for solutions, 10 principles. I only will pick out two of them be relevant. It's getting to know your business. You need to talk the language of your business. You need to bring solutions that are worthwhile for your business. It should be cost effective. So cost consciousness is important. And in the end, you should bring value to your organization. That's very important. Next to focusing on the value at risk security by design should be important. Getting your, your sensors in place to get a good overview. So it's another principle, security awareness, very important to engage your employees and your customers. Security by isolation is a principle, centralized management. And the last one think like a hacker. It's one of the favorites of my team members.
That's about getting the knowledge, getting the capability of, of understanding what the heck is and how you can identify it and how you can protect yourself. I have a little story about that a few years ago, I sent, I, I agree that that, that my security team went on a hacking course and with the, the course needed to be approved. So my boss came to me and said, Stephan, are you sure that we sending people out to learn to hack? And I said, yes. And luckily, because we had a lot of incidents and through their capabilities, they were, they could handle it very effectively. So the return on investment was there.
Good. We have now the four drivers, we have the mission. We have the vision. So we can start to build our security portfolio or the, the, the security road map I grade out. So there's a list with projects. So the controls we want to put in place security projects that, that, that should be done sometimes is business, business. It security related project. I grade them out, cuz probably there are some vendors in the room and I wouldn't like to be spammed tomorrow because they want to be in there. So for each project, we score them against the for driver elements, huh. Together with the contribution they had, they give to the vision and that's results in heat map, the prioritization of the projects we need to, to address next to that.
Okay. That's fine. All, all over the next to that. It, it also real, we realized the, the vision, we have an overview that we are sure that all elements of the vision are, are filled, filled in or are, are at least we have a good balance. And although the projects are spread out over time, taking into account that it's feasible, the resources are there. So now we know why we are doing, we know what we are doing. And we know when we will do it. The only thing that's that's open that's do we get the budget? I must say I presented it to the board and they agreed to give me the budget to, to implement. So we come to the conclusion, you get them all together. So it's easy for me, alignment with the business, very important, get their solution. They want be relevant, consistent, and give a simple message so that you create the board.
By in the end, you need a sponsorship. You need to, to get their approval, to, to get the money for your projects, for your controls, to bring them in place. Creativity. Also, your message should be sexy these days. Otherwise you cannot come across and perseverance is important. If you don't get an approval in Q1, it should be on key you a reusable framework. That's what we have here. It's cost efficient and we should as, as a good evangelist, spread the word and fulfill the promise. So with that, you are able to, I, I hope you are able to, to close a little bit more the gap towards an UN hackable enterprise. Thank you.