170 likes | 401 Views
Comcast Infrastructure & Information Security Breach Prevention and Mitigation. CWAG 2015 July 21,2015 Myrna Soto SVP/Chief Infrastructure & Information Security Officer. Comcast Confidential - For Internal Use Only. About Comcast.
E N D
Comcast Infrastructure & Information SecurityBreach Prevention and Mitigation CWAG 2015 July 21,2015 Myrna Soto SVP/Chief Infrastructure & Information Security Officer Comcast Confidential - For Internal Use Only
About Comcast Comcast Cable is the United States largest video, high-speed Internet and phone provider under the Xfinity brand for residential customers. 22.37 Million Customers US Largest Video Provider 22.36 Million Customers US Largest Residential High-Speed Internet Provider 11.2 Million Customers US Fourth Largest Digital Voice/Phone Provider 27.2 Million Combined Customer Relationships ( excluding NBCU) Operations in 39 states (out of 50) and Washington D.C. Founded 1963 Headquartered in Philadelphia, PA Approximately 143,000 employees
Comcast Across America Employer of choice for 139,000 employees The largest video provider in the U.S. • 15MOnDemand Views Daily BILLIONS of Daily Customer Experiences 1 connected by Internet Essentials Leading fiber optic network in the U.S. Fourth largest residential phone company in the U.S. 1.2M 1 22M+ Video & Data customers 4 Largest residentialbroadband provider in the U.S. Gigabit Pro The industry’s first residential 2Gbps service Comcast Cares 14 years, 600,000 volunteers, 3.7 Million hours 1 1 1 Fastest Xfinity In-Home WiFi
Who we are… • “We bring together the best in media and technology. • We drive innovation to create the world's best entertainment and onlineexperiences.” Broadcast Cable Digital Parks Film
A Changing Landscape Drives Security A security program must keep pace with the evolving threat landscape in order to prevent, detect and respond to security breaches Escalating and Evolving Threats Number of Connected People & Partners Mobility Information Assets & Amount of Valuable Data Challenges are increasing in size, intensity, velocity, and complexity over time 3 Comcast Confidential - For Internal Use Only
The Threat Landscape Is Extremely Complex Comcast Confidential - For Internal Use Only
Protection is Not Enough to Prevent a Breach • The efficacy of a security program requires a comprehensive framework to minimize the risk of a breach and the potential harm when a breach occurs • It’s not plausible to think all breaches can be prevented; a sufficiently motivated adversary will find the means to breach a system • Easiest method: Phishing for trusted users’ log-in credentials or the trusted insider • The ability to rapidly detect and respond to security events & anomalies (“ability to connect the dots”) is critical to reduce the harmful impact of a breach (i.e., prevent or minimize the loss of data) • Efficacy requires a mature, security program adaptive to evolving risks and threats, embedded within the culture of the organization, with dedicated resourcesand strategic investment in critical security toolsets Comcast Confidential - For Internal Use Only
Information and Infrastructure Security Program Overview Comcastemploys extensive security practices and procedures throughout its Corporate infrastructure. At a foundational level, the Corporation has established a highly talented and industry-recognized security organization supporting Risk Management, Governance, Security Architecture, Brand Protection, Security Operations, Security Analytics. In addition, Comcast maintains a 24x7 Security Response Center which provides continuous monitoring of the security assets, information stores, and systems infrastructure of the Corporation. Comcast employs many strong policies, controls and state of the art mechanisms to detect and prevent malware and intrusion into our Enterprise and Subscriber Delivery networks and systems. These systems include but are not limited to: • Intrusion Prevention - Incident Response Process • DDoS Detection - Penetration Testing Program • Threat Correlation - Security Auditing Program • Security Information Event Management (SEIM) - Identity and Access Management • Malware Detection and Remediation - Log collection/Analysis • Direct Surveillance (24x7 SOC) - Data Science/Analytics Comcast Confidential - For Internal Use Only
Patchwork of Breach Notification Laws Variations by state have created an increasingly unworkable situation for organizations when faced with a breach, adding additional costs and delays ------------------------------------------------------------ • Industry-specific requirements (HIPAA, GLB, PCI) • 47 States, District of Columbia, Guam, Puerto Rico, & Virgin Islands • Alabama (in process) • Exceptions: New Mexico & South Dakota • Variations include: • Notification content & method • Triggers: element of harm • Whom to notify • Definition of personal information • Time limits & acceptable delays • Covered entities • Encryption as a safe harbor • Ongoing changes & amendments focus on: • Expanding definition of personal info • Additional reporting requirements to state agencies Comcast Confidential - For Internal Use Only
Appendix Material Comcast Confidential - For Internal Use Only
A Framework of Policies, Controls and Practices Comcast Confidential - For Internal Use Only
A Framework of Policies, Controls and Practices Comcast Confidential - For Internal Use Only
A Framework of Policies, Controls and Practices Comcast Confidential - For Internal Use Only
A Framework of Policies, Controls and Practices Comcast Confidential - For Internal Use Only