insider threat - building a multi-generational security program


Upload: anitian

Posted on 16-Jan-2017


Category: Technology



TRANSCRIPT

INSIDER THREAT
BUILDING A MULTI-GENERATIONAL SECURITY PROGRAM
ANITIAN

Intelligent Information Security | Anitian

Meet the Speaker: Andrew Plato
- President / CEO of Anitian
- Principal at TrueBit CyberPartners
- 20+ years of experience in security
- Discovered SQL injection in 1995
- Helped develop first in-line IPS engine (BlackICE)


ANITIAN
Vision: Security is essential for growth, innovation and prosperity.
Mission: Build great security leaders.

- Rapid Risk Assessment
- Compliance
- Penetration Testing
- Managed Threat Intelligence

What do you want? Truth, or a box checked?

Anitian: intelligent information security. We deliver truth and build great security leaders.

Overview

Intent
- Help you build a more effective security program
- Prepare your security program for the demographic shift
- Demonstrate Anitian's value

Outline
- Hypothesis
- The Multi-Generational Workforce
- The Problem
- Next Generation Security Program

BIG TOPIC! This is a very big and complex concept. In this presentation we're going to touch on a lot of ideas without getting too deep.

THIS IS FOR A USA AUDIENCE AND USA COMPANIES

HYPOTHESIS

Begin with a discussion of the workplace today as it relates to information security.

It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.

Attributed to Charles Darwin. He never actually said this, but it is a widely used paraphrase of his theories. This concept, agility, is profoundly important to business and information security.

HUMAN ERROR IS THE ROOT CAUSE OF NEARLY ALL BREACHES

At the root of nearly all compromise and breach is human error:
- People don't configure systems correctly
- Vulnerabilities are left unpatched
- People click dangerous links
- Developers don't take the time to code securely
- Policies are not followed

INSIDER THREAT IS INDIRECTLY RELATED TO EMPLOYEE ENGAGEMENT

When people do not care about their job, or feel marginalized or disrespected, they engage in riskier behavior.

ENGAGED EMPLOYEES REDUCE RISK

When people are engaged and motivated, they naturally care for the organization.

LEADERSHIP DRIVES ENGAGEMENT

Leadership drives engagement, as do policies and practices.

The WORKFORCE


75% OF THE WORKFORCE IN 2025 (Source: Bureau of Labor Statistics, 2015)

Currently: 53M Gen Y, 50M Gen X, about 15M Boomers, 3M others. 20K Boomers leave the workforce every day and 30K Gen Y enter. By 2025, 50% of the workforce will be Millennials and 35% Gen X, with Boomers and Gen Z making up the remaining 15%.

DON'T LEAVE THIS SLIDE WITHOUT JOKING: You cannot have a presentation about the generations without a section that overly generalizes and panders to each generation. Who am I to break tradition here?

BOOMERS

Born 1946-1964
- Competitive
- Prefers process
- Optimistic
- Political
- Loyal
- Status conscious
- Job defines them

RESPECT

Boomers are leaving the workforce at the rate of about 20K per day.

GEN X

Born 1965-1980
- Cynical
- Analytical
- Agile
- Results oriented
- Individualistic
- Entrepreneurial
- Wants to chart their own path

FREEDOM

MILLENNIALS

Born after 1980
- Idealistic
- Self-conscious
- Social
- Empathetic
- Team players
- Extremely agile
- Connected
- Open minded
- Wants praise & involvement

AUTHENTICITY

TRANSITION: So what else can we learn about Millennials?

79% OF MILLENNIALS HAVE A COLLEGE DEGREE

Gen X: 69%. Boomers: 62%.

56% WILL REJECT A JOB FROM A COMPANY THAT BANS SOCIAL MEDIA

45% CHOOSE FLEXIBILITY OVER PAY

73% EXPECT TO MODIFY AND CUSTOMIZE THEIR WORK COMPUTER

74% CITE LEADERSHIP AS THE KEY TO ENGAGEMENT

The PROBLEM?

Typically, these presentations begin with a lot of statistics and scary numbers.

90% OF ORGANIZATIONS HAVE HAD SOME TYPE OF SUCCESSFUL ATTACK

BREACHES ARE COSTLY


So what do we do?


TL;DR


THE ULTRA IMPORTANT COMPANY HAS HEREBY ISSSUANTED THIS POLICY OF COMPUTING TECHNOLOGICAL RESOURCE ALIGNMENT TO COMPLY WITH SECTION 98292D OF THE REGULATORY COMPLIANCE INSTRCTUALIZATION OF FRAMEWORK REGIONALISM

BORING

Nobody cares about your internationally approved framework of risk management.

NO!

An enforcement-minded mentality does not make people care. It makes them care just enough to keep you off their back.

EVERYBODY TALKS

NOBODY LISTENS

When people don't respect the policies and practices, they argue with and undermine them.

LOL DONT CARE

IM DOWNLOADIN IT

When people don't care, they ignore policies.

PARANOIA

Nobody cares about your insufferable reasons why.

TODAY WE SHALL

CRUSH CYBERSECURITY WITH ONE SWIFT STROKE


WOOT! IT'S BEER-THIRTY. LET'S UPLOAD EVERYTHING TO PASTEBIN

IS THERE ANY HOPE?

Seems pretty hopeless, eh?

Yes


THE BALANCING ACT
- Availability
- Confidentiality
- Integrity
- Compliance
- Respect
- Freedom
- Authenticity
- Mission

MEANING

Your program must have meaning. It must convey the importance of security and make people care.

PERSONAL

Our program has to stop being so ruthless and cold. We need to connect with people, rather than disconnect them.

SOCIAL

- Security must integrate into every dimension of the workplace
- We must leverage social constructs to disseminate and enforce
- Make it like a smartphone

AGILE

WE MUST ADAPT to the business, not the other way around.

NEXT-GENERATION SECURITY PROGRAM

Strategies

The Multigenerational Security Program

8 concepts to drive your security program. For each, define how it will be implemented in PEOPLE, PROCESS, and TECH.

Start with Why

People
- People don't buy what you do, they buy why you do it (Simon Sinek, http://bit.ly/anitian-sww)
- Connect everything in security to a greater mission or ethic

Policy
- Put the reader into each policy and give them a reason: "Let's make a difference. We need your help to stop criminals from stealing our data and hurting people. You can help. Keep confidential data off your computer and out of your email. If you don't have it, it can't be stolen, and you're safe!"

Technology
- Allow customization and connect them to the core values


Automate Security

People
- Millennials love automation (so do hackers)

Policy
- Define what is and is not automated, and why
- Standardize automation

Technology
- Automate everywhere: auto-block, auto-respond, auto-scan, auto-remediate

It is disrespectful to expect people to care about obtuse security rules. Don't just value feedback. WANT it. Beg for it if necessary.

Less is More

People
- People do not read; less is more

Policy
- Just say it, and be blunt: "You cannot plug a personal device into the network. It is too dangerous." "Systems must be patched every 30 days because it is the right thing to do and protects the business."

Technology
- Avoid complex dashboards
- Implement a core firewall and segment your network
- Do not buy anything unless you have the people to run it

Complexity is easy, simplicity is difficult.

Roll with It

People
- Change is the norm around here; roll with it.
- Does the change align with what we believe?
- What is the intent of this change?

Policy
- Change policy on a whim, it's okay
- Be honest when a policy is no longer relevant

Technology
- Change vendors regularly, get a new perspective, and say you're doing it
- Build a process for evaluating new technologies

Don't connect intent to some framework or standard; nobody cares.

Open the Kimono

People
- Work at the speed of trust
- Share openly; be honest when you cannot share

Policy
- Be brutally honest: "We can read your email. There is no expectation of privacy when you use a company-owned asset."

Technology
- Monitor everything, log everything, watch everything
- Put it in the cloud
- Aggressively test, and test, and test again
- Socialize the data; show the good and the bad

Millennials, and to some extent Gen X, hate secrecy. All they hear is that they're out of the loop.

Be Authentic

People
- Confront the security perception gradient: words and behaviors must align
- Millennials have a high affinity for authentic leadership

Policy
- Get rid of the stiff, distant, pontificating policies: "We all want to do the right thing. Help protect data. If you see something wrong, say something and let's work together to fix it."

Technology
- Discuss, openly, the controls you have
- Be conspicuously vocal in your opposition to checkbox audits


Socialize Security

People
- Use peer pressure to enforce: "What would your co-workers think of this?"
- Use feedback to gather intelligence

Policy
- Use modern policy dissemination methods
- Gamify policy acceptance
- Ask for involvement: "You are a vital part of our security program and we want your feedback."

Technology
- Use feedback technologies like 15Five.com or TinyPulse.com
- Leverage social platforms for sharing, like SharePoint

Cite the RSA presentation from Uber's security awareness person, Samantha Davison: 80% acceptance and retention when gamified.

Culture of Security

People
- Put security responsibilities into ALL job descriptions
- Cross-train everybody in IT on security

Policy
- Add security responsibilities to every job
- Require security awareness for everybody

Technology
- Disseminate control authority across teams
- Integrate security practices into dev teams
- Move toward unified platforms with integrated defenses


SECURE THE GENERATIONS

Strategies

EVERY BREACH BEGINS (AND ENDS) WITH PEOPLE

ALL information security weaknesses are ultimately due to human error:
- Developers do not code apps securely
- System admins do not harden systems
- Network admins ignore or bypass controls
- Employees leak data or engage in risky behaviors
- Attackers manipulate people into giving up access, credentials, or data

THE BIGGEST THREAT YOU HAVE IS PEOPLE


SO WHY ARE THESE IN CHARGE OF SECURITY?


OR THIS?


OR THIS GUY?

Better call Saul.

WHEN THIS IS YOUR WORKFORCE?


THE SECURITY PROGRAM OF THE FUTURE IS BUILT AROUND PEOPLE


ADAPT OR BREACH (and possibly lose your job)


Action Plan
- Execute a risk assessment (a real one)
- Rewrite policies, hyper-simplify them
- Automate security, everywhere
- Monitor everything, log everything, watch everything
- Gamify your security awareness program
- Stop talking to VARs
- Define customization boundaries, publish them for all to see
- Put security requirements in everybody's job description
- Implement a feedback process for security
- Push SecOps away from reaction-focus to analysis-focus


THANK YOU
EMAIL: [email protected]
@andrewplato, @AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN
