Broke, Not Broken: An Effective Information Security Program With a $0 Budget
DESCRIPTION
Slides from my talk at BSides Detroit 2013
TRANSCRIPT
Broke, Not Broken: An Effective Information Security Program With a $0 Budget
The Hard Truth
You work in Michigan
Your company needs to innovate
Security itself is not strategic
You get no [new] money
The Harder Truth
All new technology is on the Internet
Your company is a monetizable target
Foreign competitors have your old IP
They’re going to get your new IP, too
Regulation +1
Business Alignment
What’s our strategy?
What does the CEO say it is?
What is the CIO/CFO/COO worried about?
What is IT spending money on this year?
Is your company spending lots of money on technology without IT involvement?
Risk = Impact x Likelihood
Internet-exposed systems
Core applications
Fraud / separation of duties
BCP / DR
OMG, are you in healthcare?!
VENDORS!!
Project Consulting
Go to where the money is being spent!
Give generously of your time
Focus on the project’s success
Architecture (or whatever)
Designs, roadmaps, or whatever
Don’t just produce ivory tower crap
Sprinkle liberally with buzzwords
Architecture (serious this time)
Future-forward capabilities
Data & network security design for IaaS
Secure API architecture for mobile apps
Secure standards
SDLC practices
Server build guides
Metrics
Security metrics are really hard
Risk metrics are the easiest to put together
Good metrics tell a story
Data drives decision-making
Deliverables
Risk Assessment
Architecture
Compliance
Metrics
Publish and Present
None of what you said helps
Incident Response
Your budget doesn’t matter
Dedicated time for investigating
Find your normal, look for anomalies
What to collect
Web filter / proxy logs
SMTP gateway logs
Firewall logs
NIDS (use bro or Snort)
Edge router / Internet full packet capture
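The "find your normal, look for anomalies" idea above, applied to the first log source in the list: an added example (not from the talk) that builds a per-workstation baseline from a quiet week of web proxy logs and then flags today's requests that go to never-seen destinations or are far larger than that workstation's usual request. The log format, hosts and IP addresses are all constructed for illustration, not a real product's format.

```python
# Added example (not from the talk): build a "normal" baseline from a quiet week of
# web proxy logs, then flag today's requests that deviate from it. The log format is an
# assumed, simplified one: epoch_seconds client_ip method host bytes.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline traffic for two workstations.
BASELINE = """\
1365000000 10.1.1.5 GET intranet.example.local 1200
1365000060 10.1.1.5 GET www.example.com 5400
1365000120 10.1.1.5 GET cdn.example.com 22000
1365000180 10.1.1.9 GET intranet.example.local 900
1365000240 10.1.1.9 GET www.example.com 4800
1365000300 10.1.1.9 GET mail.example.com 3100""".splitlines()

# Constructed "today": 10.1.1.9 POSTs large uploads to a host no one has visited before.
TODAY = """\
1365600000 10.1.1.5 GET intranet.example.local 1300
1365600060 10.1.1.5 GET updates.example.org 3000
1365600120 10.1.1.9 POST 203.0.113.77 48000
1365600180 10.1.1.9 POST 203.0.113.77 51000
1365600240 10.1.1.9 GET www.example.com 4700""".splitlines()

def parse(line):
    ts, client, method, host, nbytes = line.split()
    return {"ts": int(ts), "client": client, "method": method,
            "host": host, "bytes": int(nbytes)}

def build_baseline(lines):
    """Per client: the set of hosts seen, plus mean and stddev of bytes per request."""
    hosts, sizes = defaultdict(set), defaultdict(list)
    for r in map(parse, lines):
        hosts[r["client"]].add(r["host"])
        sizes[r["client"]].append(r["bytes"])
    return hosts, {c: (mean(v), pstdev(v)) for c, v in sizes.items()}

def find_anomalies(lines, baseline, z=3.0):
    """Flag requests to never-seen hosts or with byte counts > z stddevs above normal."""
    hosts, stats = baseline
    findings = []
    for r in map(parse, lines):
        reasons = []
        if r["host"] not in hosts.get(r["client"], set()):
            reasons.append("new destination")
        mu, sigma = stats.get(r["client"], (0.0, 0.0))
        # A client with a single baseline request has sigma 0; skip the size test then.
        if sigma and (r["bytes"] - mu) / sigma > z:
            reasons.append("unusual size")
        if reasons:
            findings.append((r["client"], r["host"], ", ".join(reasons)))
    return findings
```

Running `find_anomalies(TODAY, build_baseline(BASELINE))` returns one "new destination" finding for 10.1.1.5 and two "new destination, unusual size" findings for the uploads from 10.1.1.9; the same pass over the baseline itself returns nothing.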
Incident Response
Commercial, yet free: ArcSight Logger L750B; Splunk Free License; Q1 Labs QRadar Free License; NetWitness Investigator
Open source: Snort, Suricata; Snare, syslog-ng, OSSEC
Best Distro EVAR!
The best free thing right now
Microsoft EMET v4.0 is imminent (late, actually)
Managed via AD group policy (3)
By-process memory exploit protections
SSL/TLS cert pinning detection (4)
Error reporting to SCOM for mitigation alerts (4)
Other 2013 Security Initiatives
“Malware incidents demonstrated a noticeable peak in volume during the summer months of 2012. The significant fall of malware-related incidents beginning in November coincided with the deployment of the Microsoft Enhanced Mitigation Experience Toolkit (EMET), a new vulnerability mitigation tool that has been installed onto Priority Health user workstations. The highest volume of malware incidents in 2012 was in October with 14. In comparison the highest volume of malware incidents in any month in 2011 was 22. Botnet activity accounted for all of the malware incidents in October that could be identified, with the largest portion coming from an attack that used the compromised web server of a local TV station.”
[Chart: "2012 Security Case Category: Malware" (IS Information Security Program), malware incidents per month, Jan to Dec 2012, y-axis 0 to 16]
Shameless Promotions
I’m hiring! careers.spectrum-health.org
GRSec grsec.blogspot.com
GrrCON grrcon.org