don't get hacked - 10 controls & secops ways to secure your …t... · 2015. 3. 2. ·...
Post on 20-Sep-2020
Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company
Dr. Christopher T. Pierson, EVP, General Counsel & CSO, Viewpost
James T. Shreve, Attorney, BuckleySandler
Agenda
1. Newsworthy Hacks
2. Environment Differences
3. Top 10 Controls
4. Privacy Professional Roles
5. Communications
6. Now What?

The opinions contained herein do not reflect the opinions and beliefs of the author’s employers or associated agencies. All content contained herein is for informational purposes only and may not reflect the most current legal developments. The content is not offered as legal or any other advice on any particular matter.
Part I. Newsworthy Hacks
I. Newsworthy Security Breaches
Living Social
SONY
JP Morgan
Target
Home Depot
White House
NSA
CENTCOM
Part II. Environmental Differences
II. Environmental Differences
• Clean House – Segment the Networks
  – Segment & Separate Development, Test, Corporate, and Production
  – Speedbumps and Least Privileged Access
  – Code Repositories
  – Contractors and consultants
• Endpoints?
  – Do they exist?
  – Mobile work force?
  – BYOD?
Part III. Top Security Controls
III. Top Security Controls
• Access-based Controls
  – Portable devices (USB/DVD)
  – Network segregation
  – Lateral movement restrictions
  – Admin privileges
• Signature Based Controls
  – Firewalls (Next Gen)
  – Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
  – Anti-Virus and Anti-Spam
  – Data Leakage Protection (DLP)
  – Proxy Technology
• Baselines
  – Determining what is normal
  – Why this must come first
• Anomalies
  – How much tolerance for the abnormal?
• Constant Refinement
• Comparison with signature-based
• White Listing Technology
  – Whitelist vs. Blacklist
  – Allow vs. Deny
  – Maintenance
  – Part of Build
  – Audit Cycle
• Indicators of Compromise (IoC)
  – Review IPs for bad connections
  – Known Command & Control Sites
  – Not Signature Based
  – Evolves Based on Current Attacks
  – Stronger when Powered by the Network
• File Integrity Monitoring
  – Monitors for changes in key files
  – Can be used in production or corporate network
  – Human Resource intensive
  – Fingerprinting is helpful
  – False Positives?
• Access Controls
  – Accessing the system and the data
  – Borrowing from the financial industry
  – Multifactor (out of band)
  – Passwords (and beyond)
• Encryption
  – Data at rest
  – Data in motion
  – Devices
  – Legal and regulatory requirements
  – Contractual requirements
• Focus
  – Outside in
  – Inside
  – Rest
• Network Flows
  – Visibility into the Network
  – Netflows/Data Flows
  – SIEM – what is happening on your network?
  – Wireless Protection and WIPS
• Intelligence
  – Groups
    • ISACs
  – Governmental
    • Regulators
    • Law enforcement
    • Intelligence agencies
  – Informal
Part IV. Privacy Professional Role?
IV. Privacy Professional Role?
• Knowledge
• Governance
• Verification
Part V. Communications
V. Communications
• Communicating Up
  – Executive Team
  – Decision Makers
  – GC, CFO, Brand
  – Educating the Board
• Communicating Out
  – Business lines
  – Company administration
  – Customers
• Communicating Down
  – Contracts and legal
  – Diligence
  – Oversight
  – Working with them
• Communicating In
  – The importance of listening
Part VI. Now What?
VI. Now What?
• You will still be hacked
• You almost certainly have been before
• You may be being hacked right now
Questions
Thanks!
James T. Shreve, J.D.
BuckleySandler LLP
Attorney
202.461.2994
jshreve@buckleysandler.com

Christopher T. Pierson, Ph.D., J.D.
Viewpost
EVP, General Counsel & Chief Security Officer
407.515.6727
cpierson@viewpost.com