Security Technology Portfolio Management · 2016. 12. 5.
![Page 1: Security Technology Portfolio Management · 2016. 12. 5. · BitSight Vulnerability Review Security Scorecard Vulnerability Review Synack Pen Test Results (crowdsourced) Email Sinkhole](https://reader036.vdocuments.net/reader036/viewer/2022081600/602183345711753dd3322e7e/html5/thumbnails/1.jpg)
Security Technology Portfolio Management
Jim Routh
CSO Aetna
Session Objectives
1. Encourage you to take more risks in order to manage risk more effectively
2. Share techniques for managing security technology portfolio risk
3. Identify methods for applying innovation to the evolution of control design to change the rules for threat adversaries
Definition of CISO
Chief information security officer (from Wikipedia, the free encyclopedia):
A Chief Information Security Officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and information technology (IT) risks.
The existing rules favor adversaries
1. Victim clicks on a URL in a phishing email
2. Threat actor uses the resulting access to gain privilege
3. Threat actor uses the privilege to exfiltrate and monetize data
Conventional controls are good and insufficient
Conventional frameworks and assessments:
• NIST Cybersecurity Framework
• NIST 800-53
• PCI-DSS 3.0
• Shared Assessments SIG
• Shared Assessments AUP
• SOC 1 & 2
• BSIMM
Top Key Control Test Results:
• BitSight Vulnerability Review
• Security Scorecard Vulnerability Review
• Synack Pen Test Results (crowdsourced)
• Email Sinkhole
• DMARC
• Domain attribute filtering
• PUM and PAM
• Next generation authentication
CORE program components:
• Vulnerability Management
• Software Security Program
• Mobile Security Program
• Identity & Access Management
• Security Data Analytics
• Adaptive Enablement (DLP)
• BYOD Controls
• Federated Identity Management
• Cloud Security Controls
• Cyber Threat Intelligence
• Policy Management (eGRC)
• Education & Communication
• Security Steering Committee
• Threat, Vulnerability Assessment
• Asset Inventory Prioritized by Risk
• Information Classification Policy
• Configuration Management
• 3rd Party Governance
• Incident Response
• Behavioral Based Authentication
Innovation comes from entrepreneurial firms
Large Established firms
Early Stage Start Ups
Investment Philosophy
Technology Portfolio (the slide shows a 65% / 10% / 25% split across the three segments):
• Legacy Technology: mature, meets basic requirements, established companies, financially sound, enterprise scalable
• New Acquisition
• Replacement of Legacy: needs upgrade, no longer mitigates risk
Portfolio Management
[Chart: product/service maturity across funding stages (Angel/Early Stage, VC Backed, IPO, Private Equity; Round 1, Round 2, Round 3) plotted against market share and price, contrasting the "Investment Opportunity" region with "The Norm"]
Procurement Criteria
Conventional:
1. Market share
2. Enterprise scalability
3. Enterprise customer feedback
4. Financial resiliency
5. Liability insurance level
6. Industry knowledge
7. Demonstrated track record
Pricing: volume discount off list price
Unconventional:
1. Game-changing capabilities
2. Founder's ability to attract engineering talent
3. Adult supervision (business acumen)
4. Engineering team's ability to pivot
5. Ability to listen to enterprise client requirements
Pricing: very low acquisition price
Risk mitigation
Conventional
1. Vendor prospect list: Vendor A, Vendor B, Vendor C…
2. RFP
3. Proposals (one per vendor)
4. Presentations
5. Analysis: financial resiliency, market share, competitor analysis, international scalability
Revised Procurement Process
Valley Visits
• Identify trends, categories, early stage companies
• Game-changers
Mutual Non-Disclosure Agreement
• Protects both firms
• Facilitates IP sharing
STEEP Session
• Security Technology Exploratory Evaluation Process
• 20-60 participants
• Education on emerging capabilities
• No sales people, no selling
• Problem statement and the architecture
• Technical depth
SCARF Process
90 Day POC
• License agreement for a POC Project
• Enterprise Architecture formally engaged
• Proof of Concept Project with iterative testing
Hunting for Categories/IT Trends
1. Container technology enables the acceleration of a DevOps model for the large enterprise
2. Network architecture is changing at its core: the switch replaces the NIC card
3. To attract technical talent in the valley…go into residential real estate
Example of IT Trend 2015
1. Smart switches connect directly to the server
2. The switch uses a PCIe interface at the kernel level
3. Network traffic can be shaped, with more ports increasing throughput
How will this influence compute architecture and ultimately security?
2015 Categories of Interest
1. Software defined networking
2. Cloud security: SaaS and PaaS
3. DevOps Security
2013 Shopping List
• Network behavioral analysis (NBA)
• Data loss prevention (DLP)
• Cloud service consumption or dark network controls
• Intrusion detection services (IDS)
• Machine learning applied to entitlement data
• Privilege user monitoring (PUM)
• Mobile risk scoring engine
• Fraud detection and management capabilities
• Host based intrusion detection
• B2B connection behavioral monitoring
• Software security program components
Layered Controls
• Micro-virtualization
• Host-based intrusion detection 1 (market leader)
• White-listing processes
• Host-based intrusion detection 2
Botnet Filtering
[Diagram: Aetna customers and attackers/content scrapers both send traffic toward the login endpoint https://member.aetna.com/appConfig/login/login.fcc through the "Shifter" layer]
• Legitimate traffic encounters no barriers
• Automated traffic can no longer send valid requests
More Un-Conventional Controls
"One of the most effective ways you can minimize the phishing threat is through awareness and training." —Lance Spitzner, Training Director, SANS Securing The Human
According to the 2015 Verizon Data Breach Investigations Report (VDBIR):
• 23% of recipients now open phishing messages and 11% click on attachments
• Phishing was associated with 95% of incidents attributed to state-sponsored threat actors
• Over 100 million phishing messages arrive in our inboxes every day
• Nearly 50% open emails and click on phishing links within the first hour
• The median time-to-first-click came in at one minute and 22 seconds across all campaigns
What can we do?
1. Implement DMARC for all outbound email
2. Upgrade email gateway payload inspection and filters
3. Sinkhole all new domains for 48 hours
4. Enforce inbound filtering (DMARC)
• Improve education/awareness
• Consider designing new controls
DMARC for Outbound Mail
Domain-based Message Authentication, Reporting and Conformance
Trusted email delivers:
1. Reduced risk to consumers
2. Lower operating costs from the elimination of account takeovers
3. Higher profit from an increase in email click-through rate
Sinkhole Newly Registered Domains (inbound)
A sinkhole, also known as a cenote, sink, sink-hole, shakehole, swallet, swallow hole, or doline (the different terms for sinkholes are often used interchangeably), is a depression or hole in the ground caused by some form of collapse of the surface layer.
[Diagram: Enterprise DNS with a sinkhole, fed by Cybersecurity Intelligence data feeds of new domains (48 hrs); threat actor at bad_actor.com; eMail Gateway]
1. Inbound message, FROM: igor@bad_actor.com
2. DNS request for the sender domain's SPF TXT record
3. Custom SPF response (from the sinkhole)
4. SPF header added to the email
5. BLOCK rule: check for "192.0.2.1"
6. Redirect email to CSI
7. (no label on the slide)
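The seven-step flow above, worked through as an added example (this is illustration code written for this page, not Aetna's gateway or DNS configuration). The newly-registered-domain feed, the "real" SPF answers, the clock, and the X-SPF-Record header name are all assumptions; Received-SPF is the standard header from RFC 7208, and 192.0.2.1 is the sinkhole address on the slide (it sits in the TEST-NET-1 documentation range, so no real host answers for it). The point to notice is that the block rule keys on the sinkhole address in the header rather than on SPF pass/fail, so mail from a 48-hour-old domain is routed to the intelligence team even though, as far as SPF is concerned, it would simply have failed.

```python
"""Sinkhole for newly registered sender domains: added illustration, not Aetna's code.

Flow mirrored from the slide: inbound mail -> gateway asks enterprise DNS for the
sender domain's SPF TXT record -> DNS answers with a custom record for any domain the
threat-intel feed reports as registered within the last 48 hours -> gateway records
the SPF outcome and the record in headers -> a block rule matches the sinkhole
address 192.0.2.1 and redirects the message to the cybersecurity intelligence (CSI)
team. Feed contents, DNS answers, clock and the X-SPF-Record header are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

SINKHOLE_IP = "192.0.2.1"                 # sinkhole address from the slide
NEW_DOMAIN_WINDOW = timedelta(hours=48)   # "sinkhole all new domains for 48 hours"
NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock

# Constructed threat-intel feed: domain -> first-seen registration time.
NEW_DOMAIN_FEED: Dict[str, datetime] = {
    "bad_actor.com": NOW - timedelta(hours=5),      # 5 h old  -> sinkholed
    "newshop.example": NOW - timedelta(hours=72),   # 3 days old -> past the window
}
# Constructed answers the resolver would return for established domains.
PUBLIC_SPF: Dict[str, str] = {
    "partner.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "newshop.example": "v=spf1 ip4:203.0.113.10 -all",
}


def resolve_spf(domain: str, now: datetime = NOW) -> Optional[str]:
    """Steps 2-3: enterprise DNS answers with a custom record for newly registered domains."""
    first_seen = NEW_DOMAIN_FEED.get(domain)
    if first_seen is not None and now - first_seen <= NEW_DOMAIN_WINDOW:
        return f"v=spf1 ip4:{SINKHOLE_IP} -all"     # sinkhole record
    return PUBLIC_SPF.get(domain)


def spf_result(record: Optional[str], client_ip: str) -> str:
    """Minimal SPF evaluation: ip4 mechanisms plus the -all / ~all terminator only."""
    if record is None:
        return "none"
    ip = ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ip_network(term[4:], strict=False):
            return "pass"
    return "softfail" if "~all" in record else "fail"


@dataclass
class Message:
    mail_from: str
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)


def gateway(msg: Message, now: datetime = NOW) -> str:
    """Steps 1-6: annotate the message with SPF headers and return its disposition."""
    domain = msg.mail_from.rsplit("@", 1)[-1].lower()
    record = resolve_spf(domain, now)
    result = spf_result(record, msg.client_ip)
    # Step 4: the SPF outcome and the record that produced it are written into headers.
    msg.headers["Received-SPF"] = f"{result} (domain {domain}, client-ip={msg.client_ip})"
    msg.headers["X-SPF-Record"] = record or ""      # assumed header name
    # Steps 5-6: the block rule keys on the sinkhole address, not on pass/fail.
    if SINKHOLE_IP in msg.headers["X-SPF-Record"]:
        return "redirect-to-CSI"
    if result == "fail":
        return "reject"                              # ordinary hard-fail handling (assumed policy)
    return "deliver"


if __name__ == "__main__":
    msg = Message("igor@bad_actor.com", "203.0.113.77")
    print(gateway(msg), msg.headers)
```

Running the block prints `redirect-to-CSI` with a Received-SPF header reading `fail`; the same message from a domain older than 48 hours would fall through to the normal SPF outcome.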
Domain Attributes Filtered (inbound)
Using email traffic data, the system learns the unique fingerprint of all email senders into your enterprise. This durable identity trust model is used to stop all messages that do not prove they should be trusted.
29,231 servers sent email for an enterprise on a single day:
• 312 servers for the enterprise
• 4,641 servers owned by service providers
• 9,732 benign email forwarders
• 14,526 malicious senders
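A small sender-fingerprint trust model of the kind the slide describes, as an added example; it is not the vendor's product or Aetna's code. The gateway log format, the fingerprint definition (From domain, sending /24, HELO name, DKIM result), the trust threshold, and every log line are assumptions constructed for the example. It learns fingerprints from a baseline window and then delivers only messages whose fingerprint the baseline has already proven, holding everything else for review, which is the "stop all messages that do not prove they should be trusted" posture in the text.

```python
"""Sender fingerprint trust model for inbound mail: added illustration, not the
vendor's or Aetna's code. Log format and all log lines below are constructed.

A fingerprint is (From domain, sending /24 network, HELO name, DKIM result). The
model learns fingerprints from historical gateway logs and holds later messages
whose fingerprint it has not seen at least min_seen times.
"""
import re
from collections import Counter
from ipaddress import ip_network
from typing import Iterable, Optional, Tuple

# Constructed log format: <timestamp> from=<domain> ip=<ip> helo=<host> dkim=<result>
LOG_LINE = re.compile(
    r"from=(?P<dom>\S+)\s+ip=(?P<ip>\S+)\s+helo=(?P<helo>\S+)\s+dkim=(?P<dkim>\S+)"
)
Fingerprint = Tuple[str, str, str, str]


def fingerprint(dom: str, ip: str, helo: str, dkim: str) -> Fingerprint:
    """Normalise one observation; the /24 tolerates pool rotation inside one provider."""
    net = ip_network(f"{ip}/24", strict=False)
    return (dom.lower(), str(net), helo.lower(), dkim.lower())


def parse_line(line: str) -> Optional[Fingerprint]:
    m = LOG_LINE.search(line)
    return fingerprint(**m.groupdict()) if m else None


class SenderTrustModel:
    def __init__(self, min_seen: int = 3):
        self.min_seen = min_seen       # observations needed before a fingerprint is trusted
        self.seen: Counter = Counter()

    def learn(self, lines: Iterable[str]) -> int:
        """Baseline phase: count every fingerprint in historical logs; returns lines used."""
        used = 0
        for line in lines:
            fp = parse_line(line)
            if fp:
                self.seen[fp] += 1
                used += 1
        return used

    def verdict(self, line: str) -> str:
        """Enforcement phase: 'deliver' only for fingerprints the baseline has proven."""
        fp = parse_line(line)
        if fp is None:
            return "hold:unparsable"                 # fail closed on malformed input
        if self.seen[fp] >= self.min_seen:
            return "deliver"
        # A known From domain arriving with an unproven fingerprint (new network,
        # new HELO, DKIM gone) is the case an analyst wants separated out.
        if any(known[0] == fp[0] for known in self.seen):
            return "hold:unproven"
        return "hold:unknown-sender"


# Constructed baseline: three days of a partner's mail plus two days of a newsletter.
BASELINE = [
    "2015-06-01T08:00Z from=partner.example ip=198.51.100.5 helo=mx1.partner.example dkim=pass",
    "2015-06-02T08:05Z from=partner.example ip=198.51.100.6 helo=mx1.partner.example dkim=pass",
    "2015-06-03T08:10Z from=partner.example ip=198.51.100.7 helo=mx1.partner.example dkim=pass",
    "2015-06-01T09:00Z from=newsletter.example ip=203.0.113.40 helo=out.esp.example dkim=pass",
    "2015-06-02T09:00Z from=newsletter.example ip=203.0.113.41 helo=out.esp.example dkim=pass",
]


def build_model() -> SenderTrustModel:
    model = SenderTrustModel(min_seen=3)
    model.learn(BASELINE)
    return model


if __name__ == "__main__":
    model = build_model()
    for line in (
        "2015-06-04T08:00Z from=partner.example ip=198.51.100.20 helo=mx1.partner.example dkim=pass",
        "2015-06-04T08:01Z from=partner.example ip=192.0.2.77 helo=mail.partner.example dkim=none",
        "2015-06-04T08:02Z from=nobody.example ip=192.0.2.78 helo=x dkim=none",
    ):
        print(model.verdict(line), "<-", line)
```

The three probe lines yield `deliver`, `hold:unproven` and `hold:unknown-sender`: the partner's mail from a new address in its usual /24 is delivered, the same domain arriving from unrelated infrastructure without DKIM is held, and a never-seen domain is held. The threshold and the /24 grouping are the two knobs that trade false holds against the forwarders and service providers the slide counts.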
Privilege User Monitoring
1. Reduce the number of privileged users
2. Provide context to monitoring: level of access, ability to modify, access, activity, alerts
3. Implement data analytic techniques to determine behavioral patterns
[Chart: counts of Non-Person IDs and Person IDs, active versus removed, on a 0 to 1000 scale]
Jim Routh Aetna
@jmrouth1
?