Lessons Learned from 4,000 Security Assessments. Sadik Al-Abdulla Security Practice Director, CDW

Transcription

1 Lessons Learned from 4,000 Security Assessments Sadik Al-Abdulla Security Practice Director, CDW

2 MY GOAL TODAY Balancing IT Security Share learning from security assessments Provide tactical and strategic guidance to step towards truly adaptive security

3 THIS ISN T OUR BIGGEST THREAT

4 OR THIS

5 IT S THIS!

6 AND THIS! Source: APT1: Exposing one of China s Cyber Espionage Units, Mandiant, 2013

7 BY THE NUMBERS In 99% of the cases: someone else told the victim they had suffered a breach. (Referring to POS intrusions) 1 Median number of days attackers were present on a victim network before they were discovered has gone from 365 to 229 to 146 days Verizon Data Breach Report (DBIR), page APT1, 2014 M-Trends, 2015 M-Trends Reports by Mandiant

8 THE DEFENSES ARE WORKING BUT

9 SECURITY ASSESSMENT FINDINGS 4,000 Assessments completed 100% Ability to gain access <10% Access detected 0 Times we tried to hide

10 TOP SECURITY ASSESSMENT FINDINGS People/Process #1: Insecure default configurations, gaps in patch discipline #2: Bad passwords #3: Arbitrary trusts #4: Phishing, users like to click Technology #5: Application code issues #6: Man in the middle #7: Lack of encryption or porous implementation #8: Mobile application vulnerabilities

11 TOP SECURITY ASSESSMENT FINDINGS #1: Gaps in patch discipline

12 TOP SECURITY ASSESSMENT FINDINGS #2: Bad passwords

13 TOP SECURITY ASSESSMENT FINDINGS #3: Arbitrary trusts

14 TOP SECURITY ASSESSMENT FINDINGS #4: Phishing, users like to click

15 DATA LOSS PREVENTION (DLP) ASSESSMENT FINDINGS 300+ Assessments completed 100% Discovered sensitive information outside approved areas 86% Loss of sensitive information DURING ASSESSMENT PERIOD 95% Incidents that were accidental exposure or by well-meaning insiders 5% Incidents that were not 80% incidents 12% Web incidents

16 DLP ASSESSMENT 24-MONTH TRENDS 800% increase in upload violations - Dropbox, Skydrive, Google Drive, etc. 2000% increase in mobile violations

17 I ve tried to keep the company real about the fact that I could spend twice as much as I do today on security, and it doesn t mean that we re going to eliminate the risk. We might reduce it a bit, but I can t give a good answer of how much. Compromise is a certainty. But I can limit the impact. Malcolm Harkins CISO, Intel

18 MANAGING IMPACTS MEANS Accepting that breach is inevitable Designing for post-breach detection Designing to limit impacts Planning for breach response

19 THREATS -> RISKS -> IMPACTS Malicious Outsider Data Loss

20 THE WAY WE USED TO THINK ABOUT IT

21 THE $5 WRENCH

22 THE WAY WE NEED TO THINK ABOUT IT Identify Respond Recover Networks Data Protect Detect Devices

23 LESSONS LEARNED Rate of Occurrence People & process require as much attention as technology Simplicity, flexibility and reinforcement are key Over controlling reactions generate greater systemic risk Uncontrolled adoption creates enormous risk Single Loss Expectancy Time to detect/time to respond are key metrics True segmentation is critical to limiting impacts Data centric controls are critical to limiting impacts

24 LESSONS LEARNED Tactical Next Steps Identify check the box activities, repurpose spend and cycles Adopt TRUE segmentation Revisit fundamentals for sensitive data management Revisit fundamentals for identity management in a cloud-enabled world Search out and revise overly and overtly restrictive policies Start measuring time to detect / time to respond

25 LESSONS LEARNED Strategic Next Steps Measure and invest separately for: People, process, technology Before, during, after Engage proactively; design OTHER IT projects securely Build security governance and sponsorship cross functionally View and evangelize security as a process: break out of the point in time design and administration model

26 THANK YOU Sadik Al-Abdulla Security Practice Director