CISO Survival In The Real World Bill Burns Director, Information Security ISSA CISO Executive Forum Feb 24, 2013

Upload: bill-burns

Post on 03-Jul-2015


Page 1: Ciso executive forum 2013

CISO Survival In The Real World

Bill Burns, Director, Information Security

ISSA CISO Executive Forum, Feb 24, 2013

Page 2: Ciso executive forum 2013

“Thrive”, not Survive

•Context

•A few contributions

•Future Bets & Areas of Focus

Page 3: Ciso executive forum 2013

Future Bets 2015: Forcing Functions

•Social + Mobility + Cloud

•Traditional Controls Are Lacking

•Analytics

Page 4: Ciso executive forum 2013

Netflix Business

• World’s largest TV network

• 33 million members in 40 countries

• Over a billion hours streamed per month

• Supported on 1000+ device types

• 1/3 of evening Internet traffic

(c) 2011 Sandvine

Page 5: Ciso executive forum 2013

Our Culture

•High Performance, Engineering-Focused

•Fail Fast, Learn Fast ... Get Results

•Data- and Metrics-Driven

•Take Smart Risks

•Some core values:

•“Freedom & Responsibility”

•“Loosely-Coupled, Highly-Aligned”

•“Context not control”

Page 6: Ciso executive forum 2013

Today: DataCenters & Cloud

• Tooling

• Risk Assessments, Treatments

• Business Processes

• ~99% Cloud-based today

• Goal: Pure-Cloud Streaming

Page 7: Ciso executive forum 2013

Cloud: On-Demand Capacity

1. Demand: Typical pattern of customer requests rise & fall over time

2. Reaction: System automatically adds, removes servers to the application pool

3. Result: Overall utilization stays constant

[Chart: (1) Demand, (2) # Servers, (3) Utilization, plotted over time]

Page 8: Ciso executive forum 2013

The Netflix Simian Army

• Striving for continuous testing, monitoring

• Identify and test common failure modes

• Automation everywhere to manage risk

• Chaos Monkey - Kills random instances

• Chaos Gorilla - Evacuates entire data centers

• Chaos Kong - Evacuates entire regions

• Janitor Monkey – Ensures a clean inventory

• Security Monkey – Various security checks
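The on-demand capacity loop on page 7 (demand rises and falls, the system adds and removes servers, utilization stays flat) and the Chaos Monkey idea on page 8 (kill instances at random and confirm the system heals) can be shown together in a small simulation. This is an added example, not code from the slides or from Netflix; the pool model, the capacity per server, the target utilization and the demand curve are all constructed assumptions.

```python
"""Added example: a toy autoscaling loop with a Chaos Monkey step.
Nothing here is Netflix code; names and numbers are assumptions."""
import math

CAPACITY_PER_SERVER = 100  # requests one server can serve per tick (assumed)
SCALE_POINT = 70           # requests per server the autoscaler aims for (70% load)


class Pool:
    """The application pool: only the instance count matters for this model."""

    def __init__(self, servers):
        self.servers = servers

    def utilization(self, demand):
        # fraction of available capacity in use; above 1.0 means overloaded
        if self.servers == 0:
            return float("inf")
        return demand / (self.servers * CAPACITY_PER_SERVER)


def autoscale(pool, demand):
    """Reaction step: add or remove servers so demand lands on SCALE_POINT."""
    pool.servers = max(1, math.ceil(demand / SCALE_POINT))
    return pool.servers


def chaos_monkey(pool):
    """Kill one instance, the way Chaos Monkey does, to exercise the loop."""
    if pool.servers > 0:
        pool.servers -= 1
    return pool.servers


def run(demand_series, kill_ticks=()):
    """Play a demand curve through the loop.

    Returns (before, after): utilization seen before the autoscaler reacts,
    and after it has resized the pool, rounded to two decimals per tick.
    """
    pool = Pool(servers=1)
    before, after = [], []
    for tick, demand in enumerate(demand_series):
        if tick in kill_ticks:
            chaos_monkey(pool)                       # instance vanishes
        before.append(round(pool.utilization(demand), 2))
        autoscale(pool, demand)                      # loop restores capacity
        after.append(round(pool.utilization(demand), 2))
    return before, after


# constructed demand curve: a daily rise and fall in requests per tick
DEMAND = [120, 400, 900, 1400, 1150, 600, 200]
```

The "before" series spikes when a kill happens (tick 3 here) while the "after" series stays in a narrow band, which is the page-7 result and the page-8 check in one run.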

Page 9: Ciso executive forum 2013

InfoSec Challenge in an IaaS Cloud :: Confidentiality/Possession

Page 10: Ciso executive forum 2013

Key Management :: HSMs

• Motivation:

• Decouple DC and Cloud

• Trust our Cloud more fully

• Others probably want this too

• Challenges:

• Need crypto keys near the Cloud

• HSMs are in the data center

• Can’t entirely trust our CSP

• Solution:

• A real HSM: FIPS 140-2 certified hardware

• Keys stay in hardware

• “HSM as a Service”

Page 11: Ciso executive forum 2013

Security: Thriving in an Agile Enterprise

Page 12: Ciso executive forum 2013

Future Bets 2015: Org Demands

• Fluid, Virtual Teams of specialists / specialties

• Dynamically form & dissolve to address opportunities, challenges

• Emphasis on collaboration, roaming

• Analytic, data-driven

Page 13: Ciso executive forum 2013

Future Bets 2015: Team Dynamics, Skills

•Teams will:

•Be Risk/Security Advisors, coaches, business analysts

•Speak their language

•Skill sets will become:

•Less: people clicking on GUIs

•More: analytics, automation, gluing systems together (APIs)

Page 14: Ciso executive forum 2013

SaaS: In use Today? next Year?

1. Email/chat/calendar

2. File Storage/backups

3. Service Ticketing

4. On-call paging

5. Log management

6. Authentication/IAM

7. App vulnerability scanning

8. Risk management

9. HRIS, ERM

10. Source code repository

11. Blogs, websites

12. Doc collaboration

13. Risk assessments

14. Encryption / key management

15. Data analytics/BI/DSE

16. Project Management

17. SIEM

18. VPN

19. MDM

20. Anti-Virus/Anti-malware

Page 15: Ciso executive forum 2013

Future Bets 2015: Data, Application Security

•Business Forcing Function: Third-party cloud apps will innovate faster than your IT department can

•Cloud/SaaS will be IT tools, not competitors

•Data will be encrypted automatically off-network, off-device

•Automated, continuous assessments of your controls

Page 16: Ciso executive forum 2013

Future Bets 2015: Device Security

•All-wireless office, Gigabit Wireless

•Smartphone building badges

•MDM layers: managed VPN, device- and app-wrapping

Page 17: Ciso executive forum 2013

Future Bets 2015: Network Security

•You will be breached – Not “if” but “when”?

•How fast can you respond, contain?

•Mix of trust: corporate, vendor, employee owned devices

•Verify every device, user

Page 18: Ciso executive forum 2013

Future Bets 2015: Automated protection

•We will no longer talk about BYO[everything]

•Zero-Trust / NAC will be common

•Networks will dynamically quarantine, inspect, test

•Large-scale event correlation, analytics => reaction

Page 19: Ciso executive forum 2013

Future Bets 2015: What about the users?

• Awareness Training will:

• Be automated

• Be context-relevant, bite-sized

• Phish your employees before they do!

• Actively test for vulnerabilities, quarantine

• Gamify (“peer pressure”) on compliance, activity

• Be developed collaboratively

Page 21: Ciso executive forum 2013

Future Bets 2015: Targeted Training

Page 22: Ciso executive forum 2013

Future Bets 2015: Security Analytics

SAMPLE DATA

Page 23: Ciso executive forum 2013

Future Bets 2015: Security Analytics

Security Control A/B Testing

SAMPLE DATA