ciso executive forum 2013
TRANSCRIPT
CISO Survival In The Real World
Bill Burns, Director, Information Security
ISSA CISO Executive Forum, Feb 24, 2013
“Thrive”, not Survive
•Context
•A few contributions
•Future Bets & Areas of Focus
Future Bets 2015: Forcing Functions
•Social + Mobility + Cloud
•Traditional Controls Are Lacking
•Analytics
Netflix Business
• World’s largest TV network
• 33 million members in 40 countries
• Over a billion hours streamed per month
• Supported on 1000+ device types
• 1/3 of evening Internet traffic
(c) 2011 Sandvine
Our Culture
•High Performance, Engineering-Focused
•Fail Fast, Learn Fast ... Get Results
•Data- and Metrics-Driven
•Take Smart Risks
•Some core values:
•“Freedom & Responsibility”
•“Loosely-Coupled, Highly-Aligned”
•“Context not control”
Today: Data Centers & Cloud
• Tooling
• Risk Assessments, Treatments
• Business Processes
• ~99% Cloud-based today
• Goal: Pure-Cloud Streaming
Cloud: On-Demand Capacity
1. Demand: the typical pattern of customer requests rises & falls over time
2. Reaction: the system automatically adds and removes servers in the application pool
3. Result: overall utilization stays constant
[Chart: (1) Demand, (2) # Servers, (3) Utilization, plotted over time]
The Netflix Simian Army
• Striving for continuous testing, monitoring
• Identify and test common failure modes
• Automation everywhere to manage risk
• Chaos Monkey – Kills random instances
• Chaos Gorilla – Evacuates entire data centers
• Chaos Kong – Evacuates entire regions
• Janitor Monkey – Ensures a clean inventory
• Security Monkey – Various security checks
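An added example, not Netflix's Security Monkey code, of the kind of check such a tool runs continuously: it walks a constructed cloud inventory (the dict layout and field names are illustrative, not any provider's real API schema) and flags world-open security-group ingress, IAM policies that allow every action on every resource, and bucket grants to anonymous principals.

```python
"""Security Monkey-style inventory audit (added example, not Netflix's code).

The inventory below is constructed for the example; its field names are
illustrative and do not follow a real cloud provider's API schema.
"""
import ipaddress

# Ports commonly exposed to the Internet on purpose; anything else that is
# reachable from any address gets flagged.
PUBLIC_OK_PORTS = {80, 443}

# Constructed sample inventory (not real data).
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [
            {"proto": "tcp", "from": 3306, "to": 3306, "cidr": "10.0.0.0/8"},
            {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-ops", "ingress": [
            {"proto": "-1", "from": 0, "to": 65535, "cidr": "::/0"}]},
    ],
    "iam_policies": [
        {"name": "deploy-bot", "statements": [
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": "arn:aws:s3:::releases/*"}]},
        {"name": "legacy-admin", "statements": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    ],
    "buckets": [
        {"name": "releases", "grants": [{"grantee": "owner", "perm": "FULL_CONTROL"}]},
        {"name": "scratch", "grants": [{"grantee": "AllUsers", "perm": "READ"}]},
    ],
}


def is_world_cidr(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source address, v4 or v6."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups):
    """Flag ingress rules open to the world on anything but the allowed ports."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            if not is_world_cidr(rule["cidr"]):
                continue
            ports = range(rule["from"], rule["to"] + 1)
            # Protocol "-1" means all traffic in this constructed schema.
            wide_open = rule["proto"] == "-1" or any(p not in PUBLIC_OK_PORTS for p in ports)
            if wide_open:
                findings.append(("security_group", sg["id"],
                                 f"ingress {rule['proto']} {rule['from']}-{rule['to']} "
                                 f"from {rule['cidr']}"))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_iam_policies(policies):
    """Flag Allow statements granting every action on every resource."""
    findings = []
    for pol in policies:
        for st in pol["statements"]:
            if st["Effect"] != "Allow":
                continue
            if "*" in _as_list(st["Action"]) and "*" in _as_list(st["Resource"]):
                findings.append(("iam_policy", pol["name"], "Allow * on *"))
    return findings


def check_buckets(buckets):
    """Flag grants to anonymous or any-authenticated-user principals."""
    findings = []
    for bucket in buckets:
        for grant in bucket["grants"]:
            if grant["grantee"] in ("AllUsers", "AuthenticatedUsers"):
                findings.append(("bucket", bucket["name"],
                                 f"{grant['perm']} granted to {grant['grantee']}"))
    return findings


def audit(inventory):
    """Run every check; returns a list of (kind, identifier, detail) findings."""
    return (check_security_groups(inventory["security_groups"])
            + check_iam_policies(inventory["iam_policies"])
            + check_buckets(inventory["buckets"]))


if __name__ == "__main__":
    for kind, ident, detail in audit(INVENTORY):
        print(f"[{kind}] {ident}: {detail}")
```

On the constructed inventory the audit reports sg-db (SSH from anywhere), sg-ops (all traffic from any IPv6 address), the legacy-admin policy and the public scratch bucket, while the HTTPS-only web group and the scoped deploy-bot policy pass. In practice the point of running this on a schedule rather than once is the diff: the useful alert is a finding that was absent in the previous run.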
InfoSec Challenge in an IaaS Cloud :: Confidentiality/Possession
Key Management :: HSMs
• Motivation:
• Decouple DC and Cloud
• Trust our Cloud more fully
• Others probably want this too
• Challenges:
• Need crypto keys near the Cloud
• HSMs are in the data center
• Can’t entirely trust our CSP
• Solution:
• A real HSM: FIPS 140-2 certified hardware
• Keys stay in hardware
• “HSM as a Service”
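An added example of the "keys stay in hardware" pattern, not Netflix's HSM-as-a-service implementation: the cloud application mints a per-record data key, asks the HSM only to wrap and unwrap that key, and the master key never leaves the HSM object, so a copy of the stored data plus its wrapped key is useless without a call to the HSM. The Python standard library has no AES, so the `seal`/`unseal` helpers use HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a stand-in for the AES key wrap a real FIPS 140-2 module would perform; the class and function names and the record layout are illustrative.

```python
"""Envelope encryption with an HSM-held master key (added example, not
Netflix's HSM-as-a-service code). The "HSM" is a software stand-in that
exposes only wrap/unwrap and never exports its master key.

The stdlib has no AES, so seal/unseal use HMAC-SHA256 in counter mode plus an
encrypt-then-MAC tag as a stand-in for the AES key wrap / AES-GCM a real
FIPS 140-2 HSM would use. The construction is sound but non-standard and exists
only so the example runs offline.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    """Derive independent encryption and MAC keys from one key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(k_enc, nonce, n):
    """HMAC in counter mode: PRF(nonce || counter) blocks, truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag in constant time before decrypting; ValueError on tampering."""
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


class SoftwareHsm:
    """Stand-in for a network-reachable HSM. The master key is generated inside
    and only wrap/unwrap are offered; there is deliberately no export method.
    (A real HSM enforces this in hardware; here it is only an API shape.)"""

    def __init__(self):
        self.__master = os.urandom(32)

    def wrap(self, data_key):
        return seal(self.__master, data_key)

    def unwrap(self, wrapped):
        return unseal(self.__master, wrapped)


def encrypt_record(hsm, plaintext):
    """Cloud side: mint a per-record data key, encrypt the record with it, and
    keep only the HSM-wrapped copy of the key next to the ciphertext. The
    plaintext data key is dropped as soon as the record is sealed."""
    data_key = os.urandom(32)
    return {"wrapped_key": hsm.wrap(data_key), "ciphertext": seal(data_key, plaintext)}


def decrypt_record(hsm, record):
    """Cloud side: one HSM round trip recovers the data key, then decrypt locally."""
    data_key = hsm.unwrap(record["wrapped_key"])
    return unseal(data_key, record["ciphertext"])


if __name__ == "__main__":
    hsm = SoftwareHsm()
    rec = encrypt_record(hsm, b"constructed member record")
    print(decrypt_record(hsm, rec))
```

Two properties worth checking against any "HSM as a Service" offering are the ones this shape gives: a copy of the record and its wrapped key cannot be opened by anyone without unwrap access (a second `SoftwareHsm` instance fails), and a modified wrapped key fails closed instead of yielding a wrong data key. Because only the small data key crosses to the HSM, bulk data never transits the HSM link and the per-record keys can be rotated or destroyed independently of the master key.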
Security: Thriving in an Agile Enterprise
Future Bets 2015: Org Demands
• Fluid, Virtual Teams of specialists / specialties
• Dynamically form & dissolve to address opportunities, challenges
• Emphasis on collaboration, roaming
• Analytic, data-driven
Future Bets 2015: Team Dynamics, Skills
•Teams will
•Be Risk/Security Advisors, coaches, business analysts
•Speak their language
•Skill sets will become
•Less: people clicking on GUIs
•More: analytics, automation, gluing systems together (APIs)
SaaS: In use Today? next Year?
1. Email/chat/calendar
2. File Storage/backups
3. Service Ticketing
4. On-call paging
5. Log management
6. Authentication / IAM
7. App vulnerability scanning
8. Risk management
9. HRIS, ERM
10. Source code repository
11. Blogs, websites
12. Doc collaboration
13. Risk assessments
14. Encryption / key management
15. Data analytics/BI/DSE
16. Project Management
17. SIEM
18. VPN
19. MDM
20. Anti-Virus/Anti-malware
Future Bets 2015: Data, Application Security
•Business Forcing Function: Third-party cloud apps will innovate faster than your IT department can
•Cloud/SaaS will be IT tools, not competitors
•Data will be encrypted automatically off-network, off-device
•Automated, continuous assessments of your controls
Future Bets 2015: Device Security
•All-wireless office, Gigabit Wireless
•Smartphone building badges
•MDM layers: managed VPN, device- and app-wrapping
Future Bets 2015: Network Security
•You will be breached – not “if” but “when”
•How fast can you respond, contain?
•Mix of trust: corporate, vendor, employee owned devices
•Verify every device, user
Future Bets 2015: Automated protection
•We will no longer talk about BYO[everything]
•Zero-Trust / NAC will be common
•Networks will dynamically quarantine, inspect, test
•Large-scale event correlation, analytics => reaction
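An added example covering this slide and the previous one (mixed corporate, vendor and employee-owned devices; verify every device and user; dynamic quarantine; event correlation driving a reaction). The policy, thresholds, zone names, record fields and sample data are hypothetical, not Netflix's: each session is decided from the device's posture and the user's MFA state, and a correlated burst of authentication failures overrides whatever posture alone would have granted.

```python
"""Verify-every-device-and-user admission with event-driven quarantine
(added example; policy, thresholds, zones and sample data are hypothetical)."""
from collections import defaultdict
from dataclasses import dataclass

MAX_PATCH_AGE_DAYS = 30   # older than this -> remediation VLAN only
MAX_AUTH_FAILURES = 5     # this many failures inside WINDOW_SECONDS -> quarantine
WINDOW_SECONDS = 300


@dataclass
class Device:
    device_id: str
    owner: str            # "corporate", "employee" (BYOD) or "vendor"
    mdm_enrolled: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass
class User:
    name: str
    mfa_passed: bool


def posture_zone(device, user):
    """Per-connection decision. Returns (zone, reason) with zone one of
    'full', 'restricted', 'quarantine'. Ownership sets the ceiling a healthy
    device may reach; a failed health or identity check lowers it."""
    if not user.mfa_passed:
        return "quarantine", "user not verified with MFA"
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        return "quarantine", f"patches {device.patch_age_days}d old"
    if device.owner == "corporate":
        if device.mdm_enrolled and device.disk_encrypted:
            return "full", "managed, encrypted corporate device"
        return "restricted", "corporate device missing MDM or disk encryption"
    if device.owner == "employee" and device.mdm_enrolled:
        return "restricted", "BYOD under MDM: SaaS and wrapped apps only"
    if device.owner == "vendor":
        return "restricted", "vendor device: partner segment only"
    return "quarantine", "unmanaged device"


def auth_failure_bursts(events):
    """Correlate (timestamp, device_id, kind) events per device over a sliding
    window; returns the ids that reached MAX_AUTH_FAILURES within WINDOW_SECONDS."""
    recent = defaultdict(list)
    flagged = set()
    for ts, device_id, kind in sorted(events):
        if kind != "auth_failure":
            continue
        window = recent[device_id]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:   # expire old failures
            window.pop(0)
        if len(window) >= MAX_AUTH_FAILURES:
            flagged.add(device_id)
    return flagged


def decide(sessions, events):
    """sessions: list of (Device, User). Returns {device_id: (zone, reason)}.
    A correlated burst overrides whatever posture alone would have granted."""
    bursts = auth_failure_bursts(events)
    decisions = {}
    for device, user in sessions:
        zone, reason = posture_zone(device, user)
        if device.device_id in bursts:
            zone = "quarantine"
            reason = f"{MAX_AUTH_FAILURES}+ auth failures within {WINDOW_SECONDS}s"
        decisions[device.device_id] = (zone, reason)
    return decisions


# Constructed sample sessions and events (not real data).
ALICE, BOB = User("alice", mfa_passed=True), User("bob", mfa_passed=False)
SESSIONS = [
    (Device("lap-02", "corporate", True, True, 3), ALICE),
    (Device("lap-07", "corporate", True, True, 3), ALICE),
    (Device("lap-09", "corporate", True, True, 90), ALICE),
    (Device("phone-1", "employee", True, True, 10), ALICE),
    (Device("vendor-x", "vendor", False, False, 2), ALICE),
    (Device("lap-11", "corporate", True, True, 1), BOB),
]
EVENTS = [(1000 + 30 * i, "lap-07", "auth_failure") for i in range(6)] + [
    (1200, "lap-02", "auth_failure"), (1500, "lap-02", "auth_success")]

if __name__ == "__main__":
    for device_id, (zone, reason) in decide(SESSIONS, EVENTS).items():
        print(f"{device_id:9s} {zone:11s} {reason}")
```

On the sample data lap-02 gets full access, lap-07 is identical in posture but lands in quarantine because of its six failures in 150 seconds, lap-09 is quarantined for stale patches, the BYOD phone and the vendor laptop are restricted, and bob's session is quarantined before posture is even considered. The decision is recomputed per connection, so the same device can move between zones as events arrive, which is what "dynamically quarantine" requires.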
Future Bets 2015: What about the users?
• Awareness Training will
• Be automated
• Be context-relevant, bite-sized
• Phish your employees before they do!
• Actively test for vulnerabilities, quarantine
• Gamify (“peer pressure”) on compliance, activity
• Be developed collaboratively
Future Bets: Areas of Focus Today
The future is already here - it's just not evenly distributed. —William Gibson
The best way to predict the future is to invent it. – Alan Kay
Future Bets 2015: Targeted Training
Future Bets 2015: Security Analytics
[Chart with sample data]
Future Bets 2015: Security Analytics
Security Control A/B Testing
[Chart with sample data]
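An added example of a security-control A/B test, tying the "phish your employees before they do" training slide to this one. Two employee cohorts receive different awareness training and are then sent the same simulated phish; the click rates are compared with a pooled two-proportion z-test so the decision rests on a p-value rather than on eyeballing two percentages. The campaign results and variant names are constructed for the example, not Netflix data.

```python
"""Security-control A/B test on phishing-simulation results (added example;
data constructed, not Netflix's). Compares click rates of two training
variants with a pooled two-proportion z-test."""
import math
from collections import Counter

ALPHA = 0.05

# Constructed campaign results: (training variant, clicked the lure?).
# 400 recipients per arm; 60 clicks in the control arm, 36 in the treatment arm.
RESULTS = ([("control", i < 60) for i in range(400)]       # classic annual module
           + [("bitesized", i < 36) for i in range(400)])  # short, context-relevant nudges


def tally(results):
    """Return {variant: (clicks, recipients)}."""
    clicks, sent = Counter(), Counter()
    for variant, clicked in results:
        sent[variant] += 1
        clicks[variant] += int(clicked)
    return {v: (clicks[v], sent[v]) for v in sent}


def two_proportion_ztest(x1, n1, x2, n2):
    """Pooled two-proportion z-test; returns (z, two-sided p-value)."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:                       # no clicks (or all clicks) in both arms
        return 0.0, 1.0
    z = (p1 - p2) / se
    p = math.erfc(abs(z) / math.sqrt(2))   # P(|Z| > |z|) for a standard normal
    return z, p


def ab_summary(results, control="control", treatment="bitesized", alpha=ALPHA):
    """Rates, relative reduction and the significance decision for one campaign."""
    counts = tally(results)
    xc, nc = counts[control]
    xt, nt = counts[treatment]
    z, p = two_proportion_ztest(xc, nc, xt, nt)
    control_rate, treatment_rate = xc / nc, xt / nt
    return {
        "control_rate": control_rate,
        "treatment_rate": treatment_rate,
        "relative_reduction": 1 - treatment_rate / control_rate if control_rate else 0.0,
        "z": z,
        "p": p,
        "significant": p < alpha,
    }


if __name__ == "__main__":
    s = ab_summary(RESULTS)
    print(f"control {s['control_rate']:.1%}  treatment {s['treatment_rate']:.1%}  "
          f"reduction {s['relative_reduction']:.0%}  z={s['z']:.2f} p={s['p']:.4f}  "
          f"significant={s['significant']}")
```

On the constructed data the bite-sized variant cuts the click rate from 15% to 9% (a 40% relative reduction) with z of about 2.6 and p of about 0.009, so the difference clears the 5% threshold; the same test on 60 versus 58 clicks returns p near 0.84 and correctly reports no effect. Decide the cohort size and the threshold before the campaign, assign employees to arms at random, and resist re-running the comparison on fresh slices until something turns significant.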