tactical edge - how much security do you really need?

Post on 15-Apr-2017


HOW MUCH SECURITY DO YOU REALLY NEED?

Wendy Nather, @RCISCwendy

Research Director, Retail Cyber Intelligence Sharing Center (R-CISC)

Bogotá, 24 October 2016

INTRODUCTION

• The Great Mystery
• “Expense in Depth”
• Even the experts don’t know: pricing out a security program
• A better framework: the Cyber Defense Matrix
• Trimming your current security portfolio
• Evaluating the risk in a way that works for you

MODELS FOR SECURITY SPENDING

• Benchmarking: what is everyone else doing?
• Compliance-driven spending
• Metrics-driven
• Evidence-driven
• Spend only what you need to until the next breach
• Keep spending until you run out of budget
• Have an unlimited budget

EXPENSE IN DEPTH (RICK HOLLAND)

• Security is a patchwork quilt, and you keep buying things to layer over the gaps
• Leads to overspending in some areas and underspending in others
• Overloading systems
• Dueling agents
• Prioritizing network decisions
• Cognitive and effort overload on your personnel every time you add something new

“I’M A NEW CISO. IT’S MY FIRST DAY ON THE JOB IN AN ORGANIZATION THAT HAS NEVER DONE SECURITY BEFORE. WHAT SHOULD I BUY?”

The Real Cost of Security, 451 Research, 2013

EVEN THE EXPERTS DON’T KNOW

• As few as 4 different technologies and as many as 31
• Everyone said “it depends,” including the vendors

¯\_(ツ)_/¯

• The minimum baselines pretty much matched up to PCI, and included both firewalls and AV
• Budget could be off by as much as a factor of 4
• There’s still no guarantee you won’t get breached

CAN WE DO BETTER?

CYBER DEFENSE MATRIX (SOUNIL YU, [LARGE US FINANCIAL])

A 5×5 grid:

• Rows (asset classes): Devices, Applications, Network, Data, People
• Columns (functions): Identify, Protect, Detect, Respond, Recover
• Degree of dependence, running left to right under the columns: Technology → People → Process

LEFT AND RIGHT OF “BOOM”

The same matrix (Devices, Applications, Network, Data, People × Identify, Protect, Detect, Respond, Recover; dependence running Technology → People → Process), split at the compromise:

• Pre-compromise: Identify, Protect
• Post-compromise: Detect, Respond, Recover

ENTERPRISE SECURITY MARKET SEGMENTS

The same matrix populated with product categories, by asset class:

• Devices: Endpoint Visibility and Control / Endpoint Threat Detection & Response; Configuration and Systems Management; AV, HIPS
• Applications: App Sec (SAST, DAST, IAST, RASP); WAFs
• Network: Network Security (FW, IPS); DDoS Mitigation; IDS; Netflow; Full PCAP
• Data: Data Labeling; DRM; Data Encryption, DLP; Backup; Deep Web, Brian Krebs, FBI
• People: IAM; Phishing Awareness; Phishing Simulations; Insider Threat / Behavioral Analytics

MARKET SEGMENTS – OTHER ENVIRONMENTS

• Threat actor assets: Threat Data; Intrusion Deception; Malware Sandboxes
• Vendor assets: Cloud Access Security Brokers; Vendor Risk Assessments
• Customer assets: Endpoint Fraud Detection; Device Fingerprinting; Web Fraud Detection
• Employee assets: BYOD MAM; BYOD MDM

See the rest of the slides at https://www.rsaconference.com/events/us16/agenda/sessions/2530/understanding-the-security-vendor-landscape-using or Google for “RSAC Sounil Yu”

TRIMMING YOUR SECURITY PORTFOLIO

• Why would you need to do that?
• Mergers and acquisitions leave redundant products in place
• Shelfware (see Javvad Malik’s research at https://www.rsaconference.com/writable/presentations/file_upload/mash-t07a-security-shelfware-which-products-gathering-dust-and-why.pdf or just Google “Javvad Malik Shelfware”)
• Improving performance
• Simplifying
• Better integration and communication
• Better price
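The Cyber Defense Matrix slides and the trimming slides together suggest a simple inventory exercise: place every product in the cells it actually covers, then look for empty cells (the underspending side of “expense in depth”) and cells where several products pile up (the post-acquisition redundancy case). The script below is an added example, not code from the talk or from Sounil Yu’s materials; the portfolio, product names and cell placements are constructed sample data.

```python
"""Map a product portfolio onto the Cyber Defense Matrix (asset classes x
NIST CSF functions) and report gaps and overlapping cells.
Added example; the portfolio below is constructed, not real inventory."""
from collections import defaultdict

ASSET_CLASSES = ("Devices", "Applications", "Network", "Data", "People")
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
POST_COMPROMISE = ("Detect", "Respond", "Recover")  # right of "boom"

# Constructed portfolio: (product, asset class, function). One product may
# cover several cells; AV-Bravo is a second AV inherited via an acquisition.
SAMPLE_PORTFOLIO = [
    ("AV-Alpha", "Devices", "Protect"),
    ("AV-Bravo", "Devices", "Protect"),
    ("EDR-Charlie", "Devices", "Detect"),
    ("EDR-Charlie", "Devices", "Respond"),
    ("FW-Delta", "Network", "Protect"),
    ("IPS-Echo", "Network", "Protect"),
    ("IDS-Foxtrot", "Network", "Detect"),
    ("WAF-Golf", "Applications", "Protect"),
    ("DLP-Hotel", "Data", "Protect"),
    ("Backup-India", "Data", "Recover"),
    ("IAM-Juliet", "People", "Identify"),
]


def build_matrix(portfolio):
    """Return {(asset, function): sorted product names}; reject unknown cells
    so a typo in the inventory does not silently count as coverage."""
    cells = defaultdict(set)
    for product, asset, function in portfolio:
        if asset not in ASSET_CLASSES or function not in FUNCTIONS:
            raise ValueError(f"{product}: unknown cell ({asset}, {function})")
        cells[(asset, function)].add(product)
    return {cell: sorted(names) for cell, names in cells.items()}


def gaps(matrix):
    """Cells with no product at all."""
    return [(a, f) for a in ASSET_CLASSES for f in FUNCTIONS if (a, f) not in matrix]


def post_compromise_gaps(matrix):
    """Gaps in Detect/Respond/Recover, where the matrix's dependence axis
    shifts from technology toward people and process."""
    return [(a, f) for a, f in gaps(matrix) if f in POST_COMPROMISE]


def overlaps(matrix, threshold=2):
    """Cells where `threshold` or more distinct products overlap: the first
    place to look for redundant spend before cutting anything."""
    return {cell: names for cell, names in matrix.items() if len(names) >= threshold}


def function_coverage(matrix):
    """Number of asset classes with at least one product, per function."""
    return {f: sum(1 for a in ASSET_CLASSES if (a, f) in matrix) for f in FUNCTIONS}


def render(matrix):
    """Plain-text grid of product counts per cell ('-' marks a gap)."""
    width = max(len(a) for a in ASSET_CLASSES) + 2
    lines = [" " * width + "".join(f"{f:>10}" for f in FUNCTIONS)]
    for asset in ASSET_CLASSES:
        row = f"{asset:<{width}}"
        for function in FUNCTIONS:
            n = len(matrix.get((asset, function), ()))
            row += f"{'-' if n == 0 else str(n):>10}"
        lines.append(row)
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_PORTFOLIO)
    print(render(m))
    print("gaps:", len(gaps(m)), "of", len(ASSET_CLASSES) * len(FUNCTIONS))
    print("post-compromise gaps:", post_compromise_gaps(m))
    print("overlapping cells:", overlaps(m))
    print("asset classes covered per function:", function_coverage(m))
```

On the constructed portfolio the grid shows the familiar shape: four of five asset classes have something in Protect, two products overlap in Devices/Protect and Network/Protect, and most of the Detect, Respond and Recover cells are empty. The overlap list is where to apply the “before you cut technology” questions; the post-compromise gap list is where the matrix says people and process, not another product, carry the load.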

BEFORE YOU CUT TECHNOLOGY …

• Make sure you’re using it right
• Make sure you’re using it as fully as possible
• Talk to the vendor about its limitations and roadmap (or ask peers or an analyst)
• Decide whether you need to replace it
• Is it a greater liability to keep it and not use it, or not to have it at all?

BEFORE YOU CUT PEOPLE …

• Know what they’re contributing, both in expertise and workload
• Expertise includes institutional knowledge
• Remember cognitive workload: just because they have the time to squeeze in an extra task, it doesn’t mean they can give it the attention it needs
• Keep task priorities in mind: response mode keeps staff from being proactive

EVALUATING EFFECTIVENESS AND RISK

• Is it addressing a risk everyone can believe in?

CHEESEBURGER RISK MANAGEMENT

Sure, it might happen, but not for a long time

EVALUATING EFFECTIVENESS AND RISK

• How does it address the risk?
• Don’t say “it’s blocking millions of attacks,” because that makes Dave Lewis really angry
• What are you relying on technology to do, versus what you’re relying on people to do?
• Are you basing your security strategy on the hope that people will change?

YOUR MANAGEMENT’S FAVORITE METRICS

• Time saved
• Money saved
• Performance improvements / availability

MATCHING MONEY WITH SECURITY

• Avoiding loss (but remember the probability discussion)
• Allowing revenue generators to do it faster
• Saving time, which is money
• Helping the business make better decisions in other areas
• Providing a competitive advantage (but you’ll have to prove it)
• Losses may or may not happen, but other improvements will show themselves if you can measure them

GETTING BREACHED JUST MIGHT BE CHEAPER …

• Published research by Sasha Romanosky, RAND Corporation (August 2016): “Most cyber events cost firms less than 0.4% of their annual revenues”
• By contrast, US firms lost an estimated 0.9% of their revenue to online fraud in 2013 (Cybersource 2013 Online Fraud Report)
  (Which shows that breaches are being treated separately from fraud, so whatever)
• Calculated that firms were spending an average of 0.025% of revenues on cybersecurity
• Half of cyber events cost a firm an amount approximately equal to its annual investment in IT security (i.e. within ±$1 million of investment)

Wait, what?

WHAT IF I TOLD YOU …

… that you may already be spending enough?

SPENDING IS NOT DOING

• You can be spending right, but doing it wrong

• You can be doing it right, but spending wrong

SOME KIND OF PYRAMID (top to base)

• Using security products
• Understanding threats
• Controlling changes
• Knowing what you have and what it’s doing

SUMMARY

• There are many ways to evaluate your portfolio
• There’s no ground truth
• Identify the risks you can believe in
• Find the evidence that you’re addressing those risks
• Remember: it’s in the way that you use it