A Global Vulnerability Management Program to Protect the Global Brand
Myles Higa, Vulnerability Management Lead, Toyota Financial Services Information Security
[email protected]
Feb. 2014, Qualys - RSA Conference 2014

For hackers, Big Brands are …

TFS' Global VM Strategy & Approach
- Incorporate the global VM program on the global security roadmap
- Implement an operational and managerial VM program in all offices worldwide
- Adapt Toyota's Kaizen principles: Plan-Do-Check-Act, continuous improvement, respect for people

"PLAN": The Global VM Program Initiative
- Set the global program objectives
- Scope the global program (Assess, Validate, Analyze, Remediate)
- Identify key sponsors and stakeholders
- Prepare the business plan
- Obtain corporate leadership approval

"PLAN": The Global VM Program Project
- Establish the T-E-A-M
- Prepare the plan
- Clarify the problem
- Define the requirements: scan at 34 offices; global & regional reporting; easy deployment & administration
- Solicit & evaluate alternative solutions
- Select solution & consummate the contract

"DO": The Global VM Program Deployment
- Engage the Qualys TAM
- Execute a pilot deployment
- Develop the global deployment plan
- Conduct site analysis
- Set up the global subscription in QualysGuard
- Develop standards & procedures (Assess, Validate, Analyze, Remediate)

"DO": The Global VM Program Deployment
- Set up training
- Roll out in regions: Americas, Europe/Africa, Asia Pacific
- Ship appliances
- Install the appliance
- Test & validate scanning
- Resolve scanning issues

"DO": The Global VM Program Deployment
- Implement operational VM scanning
- Generate operational reports
- Implement or improve the patching process
- Implement a remediation framework

"CHECK": The Global VM Program Implementation
- Set up global administrative & operational support
- Monitor & track activity
- Weekly regional collaboration
- Get feedback from local offices
- Develop VM metrics
- Set up compliance & audit reporting

"ACT": The Global VM Program Implementation
- Communicate progress to stakeholders & partners
- Refine standards & processes
- Initiate Web Application Scanning & Policy Compliance
- Initiate Global VM program improvements

TFS' Global VM Program
- Global management & administration
- Regional management & administration
- Local administration & operations

Keys to Success
- Global leadership sponsorship: Global Security, Risk, & IT
- Communicate, communicate, communicate: corporate, regional, & individual countries
- QualysGuard solution: fully functional, rapid deployment, scalable, reliable, low maintenance
- T-E-A-M-W-O-R-K: horizontally & vertically
- Plan-Do-Check-Act: continuous improvement & respect for people

THANK YOU! QUESTIONS?

Speaker notes

Agenda
- Why protect the Brand? Sony, Target, Nordstrom's, TJ Maxx, Citibank, Google, Yahoo. What do these companies have in common?
- Toyota: quality, customer loyalty
- What keeps up our CEO, CIO, & CISO?
- Incident response: it's not a matter of if but when

Road map to global deployment: key points (3/14/14)
- RFP evaluation, proof of concept
- Selection and contract negotiations
- Global drivers
- Scoping & planning
- 34 SFCs not connected or integrated
- Vulnerabilities, websites, compliance
- Deployment plan
- Global team: Qualys Technical Account Manager (TAM); regional teams
- Global policies, standards & baselines
- Communications with each SFC (country)
- Average of three months for testing
- Deployment plan: map, vuln scan, authentication, WAS, PC
- Qualys business unit / asset group / asset tag structure
- Physical versus virtual scanners: pros/cons
- Cultural change: resistance from IT, developers
- Global administration: collaboration; leveraging tools for security
- SDLC (WAS & VM scanning), operational scans, patch management, baseline configurations
- SIEM integration, CMDB
- Prioritize patching
- Authentication, firewalls
- Overlapping IPs
- KRI: define risk; risk management
- International vulnerabilities
- Analysis of vulnerabilities, discovery of assets: printers, VOIP, cameras, etc.
- Small deployments, no dedicated security