Ten Tenets of Security Success
SANS Security Leadership Summit
© 2016 Frank Kim | All Rights Reserved
ABOUT
• Frank Kim
  • CISO, SANS Institute
  • Curriculum Lead
    • Management
    • Application Security
  • Author
    • MGT514: Security Strategic Planning, Policy, and Leadership
    • DEV541: Secure Coding in Java
Stakeholder Management Strategy
• As you become more successful in your career, the initiatives you run will affect more people
• It’s likely your work will impact people who have power and influence over your projects
  • These people can support or block you
• Meet with stakeholders to:
  • Build trust
  • Form alliances
  • Understand what motivates them
  • Identify what you can provide to them
Understanding Stakeholders – Example
• Power/Interest Grid (from mindtools.com)
  • Axes: Power (low to high) on the vertical axis, Interest (low to high) on the horizontal axis
  • Quadrants: Keep Satisfied (high power, low interest), Manage Closely (high power, high interest), Monitor (low power, low interest), Keep Informed (low power, high interest)
  • Example stakeholders plotted on the grid: CIO, CFO, CISO, HR, Legal, Ops Team, End Users
Organizational Culture
“Culture eats strategy for breakfast.”
- Peter Drucker
Precision Farming
• Use sensors and drones
• Simulate water, fertilizer, and pesticide adjustments
• Goal
  • Increase yields and profit
• Impact
  • Crop & pricing manipulation
Industrial Control Systems
• Ukrainian Power Grid
  • Power distribution hacked
  • 225,000 citizens w/o power
• Goal
  • Supply power reliably
• Impact
  • Power outage
  • Political destabilization
  • Decreased confidence in government
Technology Risk
[Figure: timeline from 1995 to 2015 with risk exposure rising over time, annotated "Increasing risk due to evolving threat landscape and business requirements". Captions: "Increasing complexity of threats results in additional exposure due to security risks" and "Increasing complexity of technology environment results in operational risks".]
• Threat milestones plotted: Basic Threats, Partners, Advanced Persistent Threats, Organized Crime, Activists, Insider Threats, Nation States, Stuxnet, Edward Snowden, the "year of the breach"
• Technology milestones plotted: First web site, Global network, Wireless Network, Introduction of Mobile Devices, First Mobile App, Cloud Computing, Big Data, Mobile Payments, Internet of Things
Identify a Security Framework
• Security frameworks provide a blueprint for
  • Building security programs
  • Managing risk
  • Communicating about security
• Many frameworks share common security concepts
• Examples include
  • ISO 27000 Series
    • 27001 – ISMS requirements
    • 27002 – Code of practice
    • 27003 – Implementation guidance
    • 27004 – Measurement
    • 27005 – Risk management
  • COBIT
  • ENISA Evaluation Framework
  • NIST Cybersecurity Framework
NIST Cybersecurity Framework
• Composed of three parts
  • Core, Implementation Tiers, Profiles
• Defines a common language for managing security risk
• Core has five Functions that provide a high-level, strategic view of the security life cycle
  • Identify, Protect, Detect, Respond, Recover
• Helps organizations ask:
  • What are we doing today?
  • How are we doing?
  • Where do we want to go?
  • When do we want to get there?
Maturity Comparison Example
[Figure: bar chart of current state vs. target state on a 0–5 maturity scale (Lagging, Industry, Leading) for each NIST CSF Function: Identify, Protect, Detect, Respond, Recover.]
Establish a Vision
• Stakeholders don’t value expertise
  • They value results
• By understanding what they value
  • We can learn to innovate with the business
“The best way to predict the future is to invent it.”
- Alan Kay
Mapping to Strategic Objectives
• Financial/Stewardship
  • Increased profitability
  • Increased revenue
  • Lower costs
• Customer/Stakeholder
  • Improved compliance & regulatory
  • Improved satisfaction
  • Lower wait times
• Internal Business Process
  • Increase process efficiency
  • Lower cycle times
  • Improved availability & resiliency
  • Business innovation/new product support
• Organizational Capacity or “Security Capability”
  • Improved knowledge & skills
  • Improved tools & technology
Translating Security Vision & Strategy
Financial/Stewardship
• How much does security cost to operate?
  • Security budget as a % of IT
  • Budget including CAPEX, OPEX
  • Lower costs, increased revenue, increased profitability
• How incidents financially impact your company
  • Direct loss (e.g. IP, customer lists, trade secrets, loss or destruction of assets)
  • Cost of downtime (e.g. refunds, or failed transactions)
  • Cost of containment, recovery, and restitution
Customer/Stakeholder
• Improved compliance & regulatory (e.g. security controls of impacted systems and reporting capability)
• Lower wait times (e.g. meeting SLAs on evidence to HR/Legal, and on-time, on-budget delivery of projects)
• Improved satisfaction (e.g. responsiveness in time to remediate incidents on customer facing sites)
Internal Business Process
• Improved availability & resiliency (e.g. time to detect, respond, remediate outages caused by incidents)
• Increased process efficiency (e.g. time to remove unauthorized devices from the network)
• Lower cycle times (e.g. response time for customer facing security activities)
• Business innovation/new product support (e.g. response time for security assessments)
Security Capability
• Improved knowledge & skills (e.g. security awareness training completion rate and/or phishing results)
• Improved tools & technology (e.g. false positive trends on customer visible security controls such as encryption)
Build Your Business Case
• As a manager and leader you are expected to
  • Understand the vision and mission of the company
  • Make security understandable to business leaders
• Don’t just ask for the money
  • Sell the vision and how you will solve business problems
• Let the case speak for itself
  • Allow decision makers to come to their own conclusion
  • Outline three options with various pros and cons
  • Let them pick one
Provide Options
• Highlight trade-offs with business value, risk reduction, cost
[Figure: three options compared on business value, risk reduction, and cost: Option A ✔ $, Option B ✔✔ $$, Option C ✔✔✔ $$$]
Putting Leadership Into Perspective
Boss ✗ | Manager ✔ | Leader ✔
Drives people | Manages things | Coaches, mentors and grows people
Thinks short term | Thinks mid term | Thinks long term
Focused on self | Focused on process | Focused on people
Instills fear | Earns respect | Generates enthusiasm
Says “I” | Says “Our” | Says “We”
Micromanages | Delegates | Motivates
Places blame on roadblocks | Navigates roadblocks | Removes roadblocks
Dictates how it’s done | Shows how it’s done | Influences how it’s done
Takes credit | Shares credit | Gives credit
Commands | Asks | Influences
Says “Go” | Says “let’s go” | Says “way to go”
The Three “Es” of Learning
Education (10%)
• Training Course
• Leadership programs
• Professional Conferences
• Online Resources
• Online Learning
• Career Education
• Reading
• Peer Learning
• Formal Education
Exposure (20%)
• Increase your perspective
• Showcase your skills
• Peer Networking
• Career Counseling
• Networking workshops
• Informal Interviews
• Shadowing
• Use a buddy
• Mentor
Experience (70%)
• Cross-functional project
• Stretch task
• Special assignment
• Leadership challenge
• Deliver a presentation
• Expanding skills
• Teach/Coach
• Best practice
• Special initiative
• Special project
Career Management – P.I.E.
• Everyone should have a piece of the P.I.E.
  • Performance
    • Perform exceptionally well
  • Image
    • Cultivate the proper image
  • Exposure
    • Manage their exposure so the right people will know them
Marissa Mayer on Sponsorship
“Work for someone who believes in you,
because when they believe in you,
they’ll invest in you.”
- Marissa Mayer
Metrics Hierarchy
• Pyramid with three layers, top to bottom: Strategic, Operational, Technical
  • Strategic: focus on strategic objectives; implementation: balanced scorecard; type: KPIs
  • Operational: focus on analysis & trends; implementation: security dashboard; type: metrics
  • Technical: focus on data; implementation: charts & graphs; type: measures
• Focus & actions increase as you move up the pyramid
• Volume of information increases as you move down the pyramid
Security Dashboard Example
[Figure: six charts, each plotted by quarter Q1–Q4]
• # Authorized/unauthorized devices on the network: # authorized devices, # unauthorized devices, total (scale 0–35,000)
• Avg. time to remove unauthorized devices from the network: avg. time to remediate (hours) with upper and lower control limits (hours) (scale 0–15 hours)
• Application Scanning Coverage: scanned, not scanned, total (scale 0–3,000)
• Security Budget Allocation: Training, Services, and Products spend against Budget and Actuals (scale $0–$3 millions)
• % of Products Delivered On Time and On Budget: actual against Upper ≥ 95% and Lower ≥ 55% limits (scale 0–100%)
• Developers Trained in Secure Coding: % developers trained and % not trained against Lower ≥ 75% and Upper ≥ 95% limits (scale 0–100%)
Balanced Scorecard Example
Financial/Stewardship
• Q4 % Product Development Budget Allocated to Security: 5% (Target 5%) ✔ Trend
  • Increased support for legal as they piloted their case management system
• Q4 & YTD Security Budget Allocation
              Q1           Q2           Q3           Q4
  Products    $575,000     $597,000     $425,000     $732,000
  Services    $1,590,000   $1,320,000   $1,190,000   $1,090,000
  Training    $326,000     $315,000     $427,000     $301,000
  Actuals     $2,491,000   $2,232,000   $2,042,000   $2,123,000
  Budget      $2,190,000   $2,211,900   $2,234,019   $2,256,359
  $Variance   -$301,000    -$20,100     $192,019     $133,359
Customer/Stakeholder
• Q4 % of Products Delivered On Time and On Budget: 95% (Target 95%) ✔ Trend
  • 18% increase over Q3 in on-time and on-budget delivery. Security staffed temporary PMO team to meet goal
• Customer Satisfaction: 85% (Target 90%) ✗ Trend
  • 8% increase over Q3 in customer satisfaction rating of 4 or higher out of 5 possible
Internal Business Process
• Q4 % of Developers Trained in Secure Coding Principles: 97% (Target 95%) ✔ Trend
  • 100% of flagship application developers completed training, reducing overall risk to the organization
• Q4 % of Developers Attaining Certification: 42% (Target 95%) ✗ Trend
  • Mitigation plan: Follow up with developers after training is complete for certification
Balanced Scorecard Example
Security Capability | Status | Trend | Highlights
Identify: Manage risk to systems, assets, data, and capabilities
• Status: Yellow
• 32% increase in unauthorized devices (29% IT, 3% HR)
• 27% increase in unauthorized software, attributed to Q4 BYOD pilot
Protect: Ensure delivery of critical infrastructure services
• Status: Green
• 12% of users failed sponsored email phishing tests
• 15% of employees have not passed security awareness assessments
Detect: Identify occurrence of a cybersecurity event
• Status: Green
• 27% decrease in elevated access accounts (275 total elevated access accounts)
Respond: Take action regarding a detected cybersecurity event
• Status: Green
• 5% of database systems with sensitive information have not been scanned by vulnerability scanners
Recover: Maintain plans for resilience and to restore any capabilities or services that were impaired due to cybersecurity event
• Status: Red
• 34% of systems not enabled with up to date anti-malware, attributed to Q4 BYOD pilot
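The scorecard and dashboard slides above rest on a few simple rules: Actuals is the sum of the category spend, $Variance is Budget minus Actuals, a KPI earns ✔ when its Q4 value meets the target, and the dashboard bands a metric against a pair of control limits such as Upper ≥ 95% / Lower ≥ 55%. The Python script below is an added example, not code from Frank Kim's slides or the MGT514 course; it reproduces those rules over the figures printed on the two slides. The green/yellow/red banding derived from the two limits and the treatment of "hours to remediate" as a lower-is-better metric are assumptions made for the example.

```python
"""Balanced-scorecard roll-up: quarterly actuals, budget variance, KPI status
and control-limit banding. Added example; figures are those printed on the
"Balanced Scorecard Example" and "Security Dashboard Example" slides."""
from dataclasses import dataclass
from typing import Dict, List

QUARTERS = ["Q1", "Q2", "Q3", "Q4"]

# Quarterly spend by category (USD), from the slide's budget table.
SPEND: Dict[str, List[int]] = {
    "Products": [575_000, 597_000, 425_000, 732_000],
    "Services": [1_590_000, 1_320_000, 1_190_000, 1_090_000],
    "Training": [326_000, 315_000, 427_000, 301_000],
}
# Quarterly budget (USD), from the same table.
BUDGET: List[int] = [2_190_000, 2_211_900, 2_234_019, 2_256_359]


def actuals(spend: Dict[str, List[int]] = SPEND) -> List[int]:
    """'Actuals' row: total spend per quarter across all categories."""
    return [sum(series[i] for series in spend.values()) for i in range(len(QUARTERS))]


def variance(budget: List[int] = BUDGET, spend: Dict[str, List[int]] = SPEND) -> List[int]:
    """'$Variance' row: budget minus actuals; a negative number means overspent."""
    return [b - a for b, a in zip(budget, actuals(spend))]


def ytd_variance(budget: List[int] = BUDGET, spend: Dict[str, List[int]] = SPEND) -> int:
    """YTD figure: cumulative variance over the four quarters."""
    return sum(variance(budget, spend))


@dataclass
class Kpi:
    name: str
    value: float          # observed value for the quarter (0.95 means 95%)
    target: float
    higher_is_better: bool = True

    def status(self) -> str:
        """Scorecard check mark: ✔ when the target is met, ✗ otherwise."""
        met = self.value >= self.target if self.higher_is_better else self.value <= self.target
        return "✔" if met else "✗"


# The five Q4 KPIs printed on the first scorecard slide (value, target).
SCORECARD_Q4: List[Kpi] = [
    Kpi("% product development budget allocated to security", 0.05, 0.05),
    Kpi("% of products delivered on time and on budget", 0.95, 0.95),
    Kpi("% of developers trained in secure coding", 0.97, 0.95),
    Kpi("customer satisfaction (rating 4+ of 5)", 0.85, 0.90),
    Kpi("% of developers attaining certification", 0.42, 0.95),
]


def scorecard_statuses(kpis: List[Kpi] = SCORECARD_Q4) -> Dict[str, str]:
    """Map each KPI name to its ✔/✗ mark."""
    return {k.name: k.status() for k in kpis}


def band(value: float, lower: float, upper: float, higher_is_better: bool = True) -> str:
    """Dashboard colour from two control limits (assumed mapping): green when
    the better limit is met, red when even the worse limit is missed, yellow in
    between. For a higher-is-better metric the slide's 'Upper >= 95%' is the
    green threshold and 'Lower >= 55%' the yellow one; for a lower-is-better
    metric (hours to remediate) the roles of the two limits are mirrored."""
    if not higher_is_better:
        value, lower, upper = -value, -upper, -lower
    if value >= upper:
        return "green"
    if value >= lower:
        return "yellow"
    return "red"


if __name__ == "__main__":
    for label, row in (("Actuals", actuals()), ("Budget", BUDGET), ("$Variance", variance())):
        print(f"{label:10}" + "".join(f"{v:>13,}" for v in row))
    print(f"YTD variance: {ytd_variance():,}")
    for name, mark in scorecard_statuses().items():
        print(f"{mark} {name}")
    print("developers trained 97% ->", band(0.97, 0.75, 0.95))
    print("12 hours to remediate ->", band(12, 5, 15, higher_is_better=False))
```

Running the script prints the Actuals and $Variance rows exactly as they appear on the slide (the YTD variance comes out to $4,278), the ✔/✗ marks for the five KPIs, and the colour band for two dashboard metrics; swapping in your own quarterly numbers is enough to reuse it for a real scorecard.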
Filters to Communication
• Physical and psychological barriers can stop the flow of communication
• Culture, background, and bias
  • Allowing past experience to change the meaning of the message
• Ourselves
  • Focusing on self rather than the other person can lead to confusion and/or conflict
  • Defensiveness, superiority, and ego
• Perception
  • Barriers such as poor language skills, a person’s status, etc.
• Stress
  • Psychological frame of reference at the given moment
Example #1: Bad Exec Communication (DMARC)
DMARC is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators and that the email (including attachments) has not been modified during transport.
It expands on two existing mechanisms, the well-known Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), coordinating their results on the alignment of the domain in the From: header field, which is often visible to end users. It allows specification of policies (the procedures for handling incoming mail based on the combined results) and provides for reporting of actions performed under those policies. Source: https://en.wikipedia.org/wiki/DMARC
Example #1: Better Exec Communication (DMARC)
The solution prevents scammers from sending fraudulent email to our customers. These fraudulent emails result in stolen usernames, passwords, and fraudulent transactions. The solution reduces the number of stolen accounts by 20%, account fraud by 10%, and the total amount of fraudulent transactions by $1 million per year.
Example #2: Bad Exec Communication (DDoS)
DDoS is an attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system causing a Distributed Denial of Service (DDoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack. The DDoS attack uses multiple computers and Internet connections to flood the targeted resource. DDoS attacks are often global attacks, distributed via botnets.
Source: http://www.webopedia.com/TERM/D/DDoS_attack.html
Example #2: Better Exec Communication (DDoS)
All web sites are up and operational after a traffic flood attack on Friday night. Our primary web site was unavailable for two minutes because it was flooded with traffic from the Internet by cyber attackers. We immediately instituted our incident response and recovery procedures and the web site was made available with zero customer impact.
Evolution of Security Leadership
[Figure: progression from "Old School" to "New School" security leadership, from IT Security and a Technology Focus, through Regulatory, Compliance, Legal, Privacy and then Risk Management, to Business Savvy and a Business Focus.]
Graphic credit: https://www.rsaconference.com/writable/presentations/file_upload/prof-m07-from-cave-man_to-business-man-the-evolution-of-the-ciso-to-ciro.pdf
Ten Tenets of Security Success
#1 Create Credibility
#2 Catch the Culture
#3 Relate to Risk
#4 Shape the Strategy
#5 Don’t Show Me the Money
#6 Deliver the Deal
#7 Invest in Individuals
#8 Make Metrics Matter
#9 Master Your Message
#10 Solve Business Problems
Presentation based on:
MGT514: IT Security Strategic Planning, Policy, and Leadership
Frank [email protected]
@fykim
Thank You!