Thought Leader Global 2014 Amsterdam: Taking Security Seriously -> Going beyond compliance
DESCRIPTION
Presentation of different strategic models for approaching Information Security on an enterprise level
TRANSCRIPT
![Page 1: Thought Leader Global 2014 Amsterdam: Taking Security seriously -> Going beyond compliance](https://reader038.vdocuments.net/reader038/viewer/2022110120/557595e8d8b42ae7708b52c0/html5/thumbnails/1.jpg)
Taking Security Seriously
Going Above and Beyond Compliance
About me
• I might be provoking you a bit
• Father of 3, happily married. I live in Luxembourg
• CIO for a Bank, and also independent IT/Infosec consultant and CIO-as-a-service. Any opinions here are my own and do not represent my employer.
• Contributor to @TheAnalogies project (making IT and Infosec understandable to the masses)
• Member of the I am the Cavalry movement – securing our bodies, minds and souls in the IoT
• @ClausHoumann
• Find my work on slideshare
It’s late. WAKE UP
• CEOs?
• CISOs?
• CIOs?
• CFOs?
• CTOs?
• COOs?
• Consultants?
Let’s get the FUD out of the way
• FUD is Fear, Uncertainty and Doubt.
• You will be presented with FUD by vendors, daily
• I’ll try not to FUD you. Focus on solution models.
Is security important?
• Show of hands for:
– No
– Maybe
– Yes
– Always
– My compliance department keeps me safe
Note to self: Remember to apologize in advance to any auditors present at this point.
Monopoly
• Is compliance this?
Is company X secure?
Compliance
• Compliance is NOT security
• Which any of you who ever attended a security conference will have already heard
• Compliance is preparing to fight yesteryear’s war
Auditor limitations
• Auditors are easily distracted
• Auditors are easily ”information overloaded”
• Auditors go easy on you because they want to keep the audit contract
• Auditors can be persuaded to remove critical findings
• Auditors will let you pass in the end anyway
That being said
• Compliance CAN plug holes for you
• Compliance CAN set a minimum level of security for you
• Compliance does provide more security than nothing, especially if done right
• All this is nothing new, let’s move on
Example: PCI DSS
but
• Target was compliant, Home Depot also.
• 97%+ of audits are successful
• Compliance is at the same time both simple (you can do it successfully) and complex (SO many things to be compliant with)
What is (most) compliance about then?
Source: Accretive solutions, Gary Pennington
But as you see... no security. Fake security, or, if you really like compliance, spotty/patchy security.
Security IS important
• Why?
• Don’t say you don’t know why.
It’s an asymmetrical conflict
X-wing
Want to beat the asymmetry?
• Creating awareness (risk management?)
• Increasing the security budget
• Justifying the investment when there are no/few real attacks/opponents
– It’s easier when you’re actually being attacked. But by then it is too late.
• Doing it right without attacks requires automation, red team testing, training -> all expensive
How
• Identify potential attackers and profile them
• Decrease attacker ROI below the critical threshold
Mitigate risks
Source: Dave Sweigert
Building an actual defense
A few ideas exist
• A scalable Defense in Depth (not defined sufficiently yet)
• A defensible security posture (Nigel Willson – nigethesecurityguy.wordpress.com)
• Breaking the ”Cyber kill chain” (Lockheed Martin)
• Joshua Corman’s pyramid
Defense-in-Depth
Defense in Depth
• You need to secure:
– Internal systems
– The Cloud
– The Mobile user
Only sample protections are shown here, not the complete picture of course
Defend in depth, on all devices and networks
• Example. PC defense includes:
– Whitelisting
– Blacklisting
– AV (anti-virus)
– Sandboxing
– Registry defenses
– Change roll-backs
– HIPS (host intrusion prevention system)
– EMET (Microsoft’s Enhanced Mitigation Experience Toolkit)
– Domain policies
– Log collection and review
– MFA (multi-factor authentication)
– ACLs/Firewall rules
– Heuristics detection/prevention
– DNS audit and protection
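Three of the controls in that list (log collection and review, heuristics detection, DNS audit) combine into one concrete check that a practitioner can run: review the DNS query log from a PC or resolver and flag names that look machine-generated or that carry data out in subdomains. The script below is an added example written for this page; it is not from the deck or from any tool it cites. The log format, the client/domain names and the thresholds (24-character labels, entropy of 3.5 bits per character, 5 unique subdomains per client per domain) are all assumptions chosen for the example, and the sample log lines are constructed, not captured from a real network.

```python
"""Heuristic review of DNS query logs: flag names that look like DGA output or DNS tunnelling.

Added example for this page. Log format, thresholds and sample data are assumptions.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log (not from any real system). Format assumed: "<ts> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2014-11-03T09:12:01 10.0.4.21 A www.example.com
2014-11-03T09:12:02 10.0.4.21 A cdn.example.net
2014-11-03T09:12:05 10.0.4.37 A 3f9a1c7e2b8d4a6f0c1e5b7a9d2f4c6e.data-exfil.example
2014-11-03T09:12:06 10.0.4.37 TXT 7e2b8d4a6f0c1e5b7a9d2f4c6e3f9a1c.data-exfil.example
2014-11-03T09:12:07 10.0.4.37 TXT 0c1e5b7a9d2f4c6e3f9a1c7e2b8d4a6f.data-exfil.example
2014-11-03T09:12:08 10.0.4.37 A 9d2f4c6e3f9a1c7e2b8d4a6f0c1e5b7a.data-exfil.example
2014-11-03T09:12:09 10.0.4.37 A 4a6f0c1e5b7a9d2f4c6e3f9a1c7e2b8d.data-exfil.example
2014-11-03T09:12:10 10.0.4.37 A 5b7a9d2f4c6e3f9a1c7e2b8d4a6f0c1e.data-exfil.example
2014-11-03T09:12:11 10.0.4.37 A 2f4c6e3f9a1c7e2b8d4a6f0c1e5b7a9d.data-exfil.example
2014-11-03T09:12:14 10.0.4.52 A xkqzvjwplmtyb.biz
2014-11-03T09:12:15 10.0.4.52 A mail.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{16,}$")
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits per character. Random-looking labels score close to log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_line(line: str):
    """Split one log line into its fields; returns None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.rstrip(".").lower()}


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' approximation (assumption; real code should consult the public suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def label_reasons(label: str):
    """Per-label heuristics. Each threshold below is an assumption chosen for the example."""
    reasons = []
    if len(label) >= 24:
        reasons.append("long label")
    if HEX_LABEL_RE.match(label):
        reasons.append("hex-encoded label")
    if len(label) >= 10 and shannon_entropy(label) >= 3.5:
        reasons.append("high entropy")
    if label.isalpha() and len(label) >= 8 and sum(ch in VOWELS for ch in label) / len(label) < 0.15:
        reasons.append("few vowels")
    return reasons


def score_query(qname: str):
    """Collect reasons over every label except the TLD; empty list means the name looks ordinary."""
    reasons = []
    for label in qname.split(".")[:-1]:
        reasons.extend(label_reasons(label))
    return sorted(set(reasons))


def review(log_text: str, tunnel_threshold: int = 5):
    """Run the per-query heuristics and the per-client tunnelling check over a whole log."""
    suspicious = []
    subdomains = defaultdict(set)  # (client, registered domain) -> distinct names queried
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_query(rec["qname"])
        if reasons:
            suspicious.append((rec["client"], rec["qname"], reasons))
        subdomains[(rec["client"], registered_domain(rec["qname"]))].add(rec["qname"])
    # Many distinct subdomains under one domain from one client is the signature of data leaving via DNS
    tunnelling = [
        (client, domain, len(names))
        for (client, domain), names in sorted(subdomains.items())
        if len(names) >= tunnel_threshold
    ]
    return {"suspicious_queries": suspicious, "tunnelling_suspects": tunnelling}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for client, qname, reasons in result["suspicious_queries"]:
        print(f"{client} {qname}: {', '.join(reasons)}")
    for client, domain, count in result["tunnelling_suspects"]:
        print(f"{client} queried {count} distinct names under {domain}: possible DNS tunnelling")
```

On the constructed log this flags the seven hex-labelled queries and the vowel-free `xkqzvjwplmtyb.biz`, leaves the ordinary names alone, and reports client 10.0.4.37 for querying seven distinct names under one domain. The thresholds will need tuning per environment: CDNs and cloud services legitimately use long, random-looking labels, so in practice a per-domain allowlist sits in front of these heuristics.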
Defensible security posture via @Nigethesecurityguy
Cyber kill chain
Sources: Huntsman, Tier-3 & Lockheed Martin
Kill chain actions
Source: Nige the Security Guy = Nigel Willson
Joshua Corman’s pyramid for going beyond compliance
Layers, from the base up:
– Defensible Infrastructure
– Operational Excellence
– Situational Awareness
– Counter-measures
Pick the low hanging apples?
• As your organization’s “Infosec level” matures, you may be able to pass or almost pass a pentest.
• Most low-hanging fruit has been “picked” already
• This makes it very hard for “them” to get in via hacking methods -> they will try malware next
And the unexpected extra win
• Real security will actually make you compliant in many areas of compliance
Q & A
• Ask me questions, or I’ll ask you questions
Sources used
– http://www.itbusinessedge.com
– Heartbleed.com
– https://nigesecurityguy.wordpress.com/
– American Association for Justice
– http://www.slideshare.net/AffiniPay?utm_campaign=profiletracking&utm_medium=sssite&utm_source=ssslideviewv
– Accretive Solutions – Gary Pennington
– Joshua Corman and David Etue, RSAC 2014, ”Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome”
– Lego / PCthreat