Blue Lava InfoSec Update

Size: px

Start display at page:

Download "Blue Lava InfoSec Update"

Cori Fisher
6 years ago
Views:

1 Blue Lava InfoSec Update ISSA Los Angeles Demetrios Lazarikos (Laz) January 21, 2015

2 Agenda Intros Blue Lava InfoSec Survey Research and Findings Evolution How Did We Get Here? What Organizations Are Doing Some Final Thoughts 2

3 About Me First computer at 12 then recruited by the military at 16 Inventor of several InfoSec and Data patents Implemented Security and Fraud DOD / ebookers / Galileo Interna@onal / Orbitz EDS/HP Calyon Financial / NewEdge Financial / Societe General Group Sears Online Mul@ple graduate degrees and security cer@fica@ons former CISO, PCI QSA Gartner refers to work in the area of Big Data for Informa@on Security and Fraud analy@cs 3

4 Sears Online Interview

5 Before Laz Summer of 2009

7 InfoSec Research and Strategy 7

8 Approach and Methodology for 2015 Data Anonymous Survey 15 InfoSec to targeted list > 300 Audience Board of Directors and Leadership Teams InfoSec/Fraud Industry and Engineers 8

9 What s Top of Mind? Current architecture in most firms is a hot mess The perimeter is gone Internet of Things (IoT) is here Cybercriminals are bypassing tradi@onal security systems easily InfoSec alignment with the Business is increasing 9

10 Some of the Blue Lava Survey Results 10

11 Is there Board Oversight with your InfoSec program? 80.0% 70.0% 60.0% 50.0% 40.0% Yes No Don't know 30.0% 20.0% 10.0% 0.0% Yes No Don't know 11

12 Is cyber risk part of your current risk management framework? 100.0% 90.0% 80.0% 70.0% 60.0% 50.0% 40.0% Yes No Don't Know Other 30.0% 20.0% 10.0% 0.0% Yes No Don't Know Other 12

13 Do you share incident informa=on with industry groups? 60.0% 50.0% 40.0% 30.0% Yes No Don't Know 20.0% 10.0% 0.0% Yes No Don't Know 13

14 How are you recruiting qualified and trained InfoSec professionals? 70.0% 60.0% 50.0% 40.0% 30.0% 20.0% 10.0% 0.0% Industry trade shows or professional organizations Through universities and colleges Traditional website recruitment Word of mouth Working with external recruiters Working with internal recruiters Working with staff aug or temp agencies Other (please specify) 14

15 My budget over the past year has % 70.0% 60.0% 50.0% 40.0% Increased Decreased Same 30.0% 20.0% 10.0% 0.0% Increased Decreased Same 15

16 My breach predic=ons for 2015 are that InfoSec breaches will % 80.0% 70.0% 60.0% 50.0% 40.0% Increase Decrease Same 30.0% 20.0% 10.0% 0.0% Increase Decrease Same 16

17 Which emerging technologies does your organization work with today? 90.0% 80.0% 70.0% 60.0% 50.0% 40.0% 30.0% 20.0% 10.0% 0.0% 17

18 of Technology and Products Product Smarter Product Smarter Connected Product Product Integrated System 18

19 of the Automobile 19

20 of the Automobile 20

21 of the Automobile 21

22 of the Automobile 22

23 The Automobile Integrated System 23 23

24 System of Systems 24

25 of the Home 25

26 of the Home 26

27 of the Home 27

28 of the Home 28

29 29

30 Interconnected System of Systems 30

31 Interconnected System of Systems 31

32 How Did We Get Here? Third Party Vendor N Web Traffic Apps S DBs 32

33 The Agile Data Center Limited Visibility IoT - Third Par@es - Cloud Web No Visibility to Internal Traffic App DB 33

34 The Agile Data Center Limited Visibility IoT - Third Par@es - Cloud Web No Visibility to Internal Traffic App No Visibility to Internal Traffic DB 34

35 The Agile Data Center Limited Visibility IoT - Third Par@es - Cloud Web No Visibility to Internal Traffic App No Visibility to Internal Traffic DB 35

36 The Agile Data Center Limited Visibility IoT - Third Par@es - Cloud Web No Visibility to Internal Traffic App No Visibility to Internal Traffic DB 36

37 Where Do We Go From Here? Security must be part of the culture driven by the Board of Directors and throughout the Cyber criminals are evolving we must as well Architecture and technical designs must be conducted earlier Include InfoSec exit criteria through all project deliverables It s not if the cyber criminal will access your environment it s when invest in current technologies and have a plan to address the issue - user behavior analy@cs (UBA) is cri@cal Evaluate your InfoSec and IT Audit programs frequently ensure part of the program is to evaluate emerging technology 37

38 Resources How to Measure Anything, Douglas W. Hubbard ISBN- 13: Hoernecke, Andy, Security, Data Expert, and Inventor of D3Dash Iron- Clad Java: Building Secure Web Jim Manico and August Detlefsen ISBN- 13: Litan, Avivah, VP and Analyst, Gartner Market Guide for User Behavior (UBA), G , August 2014 Measuring and Managing Risk: A FAIR Approach, by Jack Freund and Jack Jones ISBN- 13: Perceptual Edge Security Metrics: Replacing Fear, Uncertainty, and Doubt, Andrew Jaquith ISBN- 13: threattransform, Open Source Tool for crea@ng and managing STIX data sets 38

39 Blue Lava InfoSec Update Thank You! Laz Twitter: iamlaz

THE IMPACT OF MOBILE DEVICES ON INFORMATION SECURITY:

THE IMPACT OF MOBILE DEVICES ON INFORMATION SECURITY: June 2013 Sponsored by Introduction Mobile devices cause ongoing concern for IT teams responsible for information security. Sensitive corporate information can be easily transported and lost, while the