the economics of security
TRANSCRIPT
www.niiconsulting.com @kkmookhey
The Economics of Security
K. K. Mookhey
Founder & Director
Network Intelligence (I) Pvt. Ltd.
Agenda
- What should you invest in?
- Solving current problems?
- Being ready for future ones?
- How do you justify this investment to the Board?
- Some parting thoughts…
Investing in security solutions
Should I buy APT Protection? Or WAF / DLP / IRM / whatever?
Measuring Information Security
What is your Risk?
Standard Risk Assessments:
- More for compliance than for actual business decision making
- Elaborate Excel sheets
- Few insights
Taking a different approach:
- War-game exercises
- Run scenarios: APT attack, Insider breach, Perimeter breach
Scenario 1: End-point compromise
Typical breaches target the end-point, and the attacker then penetrates deeper into the network from there. End-points are compromised due to missing Adobe/Java patches or unpatched browsers. Malware can also be introduced via USB drives.
Controls:
- End-point malware protection
- Internet content filtering
- USB blocking
- Removal of local admin rights
- Installing latest OS patches
- Installing latest non-OS patches (for Java, Adobe, etc.)
- Email filtering
- Restrict local admin rights
- Modify local administrator account password
Observations:
- Anti-virus protection is working well
- Microsoft patches are being applied properly
- Email filtering is working well
- Internet content filtering allows access to file sharing sites and does not block zip/exe downloads
- Patches not applied to non-MS software such as Java, Adobe
- Internet content filtering can be bypassed by changing WLAN/browser settings
- Nearly 100 users have local admin rights
- Local administrator password not changed
Recommendations:
1. Enhance end-point security controls
2. Enhance Internet content filtering
3. Address systems noted as malware-infected
Recommendation 1: Enhance end-point & gateway security controls
As a media company with various software requirements, we understand that standard end-point security controls are difficult to implement. Yet we cannot stress enough the importance of protecting the end-point, as it has become the primary target for attackers:
a. Restrict Internet access and block Skype / YouTube / Dropbox / Social Media
b. Upgrade firewalls to Next Generation Firewalls
c. Ensure the patching process covers non-MS software such as Adobe and Java
d. Remove local admin rights by working with the provider of the media software
e. Block USB access and provide users with an alternate means of file sharing
f. Enhance endpoint security to enforce conditional USB / Local Admin controls
g. Evaluate and budget for DLP
Priority: Critical
Two major decision points
Choosing the right solution
Choosing the right price
Case Study
Large Telco:
- On-going application security assessments
- On-going source code reviews
- Periodic penetration tests
- Development done by vendors
- WAF decision pending for a year…
Should they buy a WAF? Should they invest more in application security? Should they implement a GRC solution?
Vulnerability Statistics
[Chart: monthly counts of High, Medium and Low vulnerabilities, Oct-13 to Jul-14; y-axis 0 to 70]
The number of High/Medium vulnerabilities is stable – no significant trends emerge! Why?
Insights from data analytics
- Vendor delays in fixing the issues
- Multiple reassessments lead to the issues remaining open and overlapping in subsequent assessments
- High level of exposure on the Internet
- Multiple approaches adopted and strong focus on appsec in recent times
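The point above is that raw monthly counts hide carry-over: a finding the vendor has not fixed is re-reported every month, so the High/Medium line looks flat even when few new issues are being introduced. The following is an added example (not the talk's or the telco's own code) that splits each assessment into first-seen and carried-over findings; the assessment data is constructed for illustration.

```python
from collections import Counter

# Constructed sample of three monthly reassessments (not the telco's real data).
# A finding is keyed by (application, title); the same key reappearing in a later
# month means the vendor had not yet fixed it, so it is re-reported, not new.
ASSESSMENTS = {
    "Oct-13": [("portal", "SQLi in login", "High"), ("portal", "XSS in search", "Medium"),
               ("billing", "Weak session cookie", "High"), ("billing", "Verbose errors", "Low")],
    "Nov-13": [("portal", "SQLi in login", "High"), ("portal", "XSS in search", "Medium"),
               ("billing", "Weak session cookie", "High"), ("crm", "IDOR on invoices", "Medium")],
    "Dec-13": [("portal", "SQLi in login", "High"), ("billing", "Weak session cookie", "High"),
               ("crm", "IDOR on invoices", "Medium"), ("crm", "Missing HSTS", "Low")],
}

def raw_counts(assessments):
    """Per-month totals by severity: what the flat-looking chart plots."""
    return {month: dict(Counter(sev for _, _, sev in findings))
            for month, findings in assessments.items()}

def new_vs_carried(assessments):
    """Split each month's findings into first-seen and carried over (dict is in chronological order)."""
    seen, out = set(), {}
    for month, findings in assessments.items():
        new = carried = 0
        for app, title, _ in findings:
            if (app, title) in seen:
                carried += 1
            else:
                new += 1
                seen.add((app, title))
        out[month] = {"new": new, "carried": carried}
    return out

def months_open(assessments):
    """How many assessments each finding has appeared in: a direct measure of fix delay."""
    return Counter((app, title) for findings in assessments.values() for app, title, _ in findings)

if __name__ == "__main__":
    print("raw High counts:", [c.get("High", 0) for c in raw_counts(ASSESSMENTS).values()])
    print("new vs carried:", new_vs_carried(ASSESSMENTS))
    print("longest open:", months_open(ASSESSMENTS).most_common(2))
```

On the sample, the raw High count is 2 every month while only one new finding appears after October; the rest is the vendor backlog.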
Hence… Strategy is two-pronged:
1. WAF and other virtual patching technologies should be implemented
2. Vendor management practices and contractual negotiation should have CISO involvement
Why you need your data
Surveys/Reports:
- Cover organizations across industries
- Do not take into account the nature of the organization's current web app situation – vendor, in-house, legacy, COTS, etc.
- Do not take into account the current level of maturity
- Try to draw general conclusions from the average/sum of all data
Economic Model for Information Security

Parameter | Value
Turnover | ₹1000 crores
Profit-After-Tax (15%) | ₹150 crores
Number of customers | 10 lakhs (0.1 crore)
Profit per customer | ₹1500
Number of customers that will go away in case of cyber-security incident | 5%
Profit reduction (financial impact) | ₹7.5 crores
Remediation costs (incident response, forensics, legal fees, if any) | ₹20 lakhs
Business growth projection | 15% - 1.5 lakh new customers
Future customer attrition | 5% new customers won't join
Cost of lost future business | ₹1.12 crores
Total cost of the breach | ₹8.8 crores
Other economic models
- Theft of intellectual property: market opportunity cost is much higher
- Cost of regulatory non-compliance: penalties to be paid to the regulator; or cost of a class-action lawsuit
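The breach-cost table and the "other economic models" slide above describe one chain of arithmetic; the following is an added example (not from the talk) that turns it into a reusable function so the same model can be re-run with an organization's own turnover, margin, customer base and attrition assumptions. The `other_costs` parameter is an assumed extension for the lump-sum items the second slide lists (regulatory penalty, class-action cost, IP opportunity cost); the slide's own figures are reproduced by `slide_scenario()`.

```python
# Breach-cost model from the slide, generalised into a reusable function.
# Rupee units used on the slide: 1 lakh = 100,000; 1 crore = 10,000,000.
LAKH = 100_000
CRORE = 10_000_000

def breach_cost(turnover, pat_margin, customers, attrition, remediation,
                growth, future_attrition, other_costs=0.0):
    """Return the slide's intermediate and total figures, all in rupees.

    other_costs (assumed extension, default 0) adds the 'other economic models'
    as a lump sum: regulatory penalties, a class-action settlement, or the
    market opportunity cost of stolen IP, whichever the scenario calls for.
    """
    profit = turnover * pat_margin                    # Profit-After-Tax
    profit_per_customer = profit / customers
    lost_customers = customers * attrition            # customers who leave after the incident
    profit_reduction = lost_customers * profit_per_customer
    new_customers = customers * growth                # projected growth in customer numbers
    lost_future = new_customers * future_attrition * profit_per_customer
    total = profit_reduction + remediation + lost_future + other_costs
    return {
        "profit_per_customer": profit_per_customer,
        "profit_reduction": profit_reduction,
        "cost_of_lost_future_business": lost_future,
        "total_cost_of_breach": total,
    }

def slide_scenario(other_costs=0.0):
    """The exact parameters shown on the slide."""
    return breach_cost(turnover=1000 * CRORE, pat_margin=0.15, customers=10 * LAKH,
                       attrition=0.05, remediation=20 * LAKH,
                       growth=0.15, future_attrition=0.05, other_costs=other_costs)

def in_crores(rupees, places=2):
    """Express a rupee figure in crores, as the slide does."""
    return round(rupees / CRORE, places)

if __name__ == "__main__":
    r = slide_scenario()
    print(f"Profit per customer: ₹{r['profit_per_customer']:.0f}")
    print(f"Profit reduction: ₹{in_crores(r['profit_reduction'], 1)} crores")
    print(f"Lost future business: ₹{in_crores(r['cost_of_lost_future_business'])} crores")
    print(f"Total cost of the breach: ₹{in_crores(r['total_cost_of_breach'], 1)} crores")
```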
Solving for the future? Are your investments future-proof?
On the horizon…
- Cloud adoption – only going to increase
- Mobility – moving towards mobile-first
- Shadow IT
- Big Data
- Social Media Access
- DevOps
- Internet of Things
- Deperimeterization
Business environments are becoming increasingly VUCA (volatile, uncertain, complex, ambiguous)
Changing role of information security
Evolving Role of Information Security
- More evangelist than checkpoint
- Embedding information security within the business
- Enabling the business to address information security risk
- Reporting structure outside of IT
- You will – or have already been – compromised; so be responsive
- You can't protect everything – so strategize and prioritize