don't get hacked - 10 controls & secops ways to secure your …t... · 2015. 3. 2. ·...

Post on 20-Sep-2020


Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company

Dr. Christopher T. Pierson, EVP, General Counsel & CSO, Viewpost
James T. Shreve, Attorney, BuckleySandler

Agenda

1. Newsworthy Hacks

2. Environment Differences

3. Top 10 Controls

4. Privacy Professional Roles

5. Communications

6. Now What?

The opinions contained herein do not reflect the opinions and beliefs of the author’s employers or associated agencies. All content contained herein is for informational purposes only and may not reflect the most current legal developments. The content is not offered as legal or any other advice on any particular matter.

Part I. Newsworthy Hacks

I. Newsworthy Security Breaches

Living Social

SONY


JP Morgan

Target

Home Depot


White House

NSA

CENTCOM

Part II. Environmental Differences

II. Environmental Differences

• Clean House – Segment the Networks
  – Segment & Separate Development, Test, Corporate, and Production
  – Speedbumps and Least Privileged Access
  – Code Repositories
  – Contractors and consultants


• Endpoints?
  – Do they exist?
  – Mobile work force?
  – BYOD?

Part III. Top Security Controls

III. Top Security Controls

• Access-based Controls
  – Portable devices (USB/DVD)
  – Network segregation
  – Lateral movement restrictions
  – Admin privileges


• Signature Based Controls
  – Firewalls (Next Gen)
  – Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
  – Anti-Virus and Anti-Spam
  – Data Leakage Protection (DLP)
  – Proxy Technology


• Baselines
  – Determining what is normal
  – Why this must come first
• Anomalies
  – How much tolerance for the abnormal?
• Constant Refinement
• Comparison with signature-based


• White Listing Technology
  – Whitelist vs. Blacklist
  – Allow vs. Deny
  – Maintenance
  – Part of Build
  – Audit Cycle


• Indicators of Compromise (IoC)
  – Review IPs for bad connection
  – Known Command & Control Sites
  – Not Signature Based
  – Evolves Based on Current Attacks
  – Stronger when Powered by the Network


• File Integrity Monitoring
  – Monitors for changes in key files
  – Can be used in production or corporate network
  – Human Resource intensive
  – Fingerprinting is helpful
  – False Positives?


• Access Controls
  – Accessing the system and the data
  – Borrowing from the financial industry
  – Multifactor (out of band)
  – Passwords (and beyond)


• Encryption
  – Data at rest
  – Data in motion
  – Devices
  – Legal and regulatory requirements
  – Contractual requirements
• Focus
  – Outside in
  – Inside
  – Rest


• Network Flows
  – Visibility into the Network
  – Netflows/Data Flows
  – SIEM – what is happening on your network?
  – Wireless Protection and WIPS


• Intelligence
  – Groups
    • ISACs
  – Governmental
    • Regulators
    • Law enforcement
    • Intelligence agencies
  – Informal


Part IV. Privacy Professional Role?

IV. Privacy Professional Role?

• Knowledge
• Governance
• Verification

Part V. Communications

V. Communications

• Communicating Up
  – Executive Team
  – Decision Makers
  – GC, CFO, Brand
  – Educating the Board


• Communicating Out
  – Business lines
  – Company administration
  – Customers


• Communicating Down
  – Contracts and legal
  – Diligence
  – Oversight
  – Working with them
• Communicating In
  – The importance of listening

Part VI. Now What?

VI. Now What?

• You will still be hacked
• You almost certainly have been before
• You may be being hacked right now


Questions

Thanks!

James T. Shreve, J.D.
BuckleySandler LLP
Attorney
202.461.2994
jshreve@buckleysandler.com

Christopher T. Pierson, Ph.D., J.D.
Viewpost
EVP, General Counsel & Chief Security Officer
407.515.6727
cpierson@viewpost.com
