Proactive Security: Effective Cyber Risk Mitigation. Dave Shackleford Founder and Principal Consultant, Voodoo Security

Similar documents
IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

The Convergence of Security and Compliance. How Next Generation Endpoint Security Manages 5 Core Compliance Controls

Cyber Risks in the Boardroom Conference

INTELLIGENCE DRIVEN GRC FOR SECURITY

MARKETING VOL. 1

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Cyber security tips and self-assessment for business

Case Study: Security Implementation for a Pharmaceutical Company

The Convergence of Security and Compliance

Security Profiles of the CISO. Vanessa Pegueros DocuSign Enterprise Security & Risk

Education Network Security

IT SECURITY FOR LIBRARIES PART 1: SECURING YOUR LIBRARY BRIAN PICHMAN EVOLVE PROJECT

Measuring Usability: The Basics

Cyber Due Diligence: Understanding the New Normal in Corporate Risk

Security. Made Smarter.

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

locuz.com SOC Services

Crash course in Azure Active Directory

Entertaining & Effective Security Awareness Training

Fighting Phishing I: Get phish or die tryin.

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Vendors and Security. Robert Smith Sr. Director Technology Student Affairs Technology Services

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

What makes a good KRI? Using FAIR to discover meaningful metrics

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Advanced Security Tester Course Outline

The new cybersecurity operating model

Security Automation Best Practices

Meet our Example Buyer Persona Adele Revella, CEO

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Magnetize Your. Website. A step-by-step action guide to attracting your perfect clients. Crystal Pina. StreamlineYourMarketing.com

Managing an Active Incident Response Case. Paul Underwood, COO

A company built on security

IMPROVING NETWORK SECURITY

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

IT SECURITY FOR NONPROFITS

State of the. Union. (or: How not to use Krebs as an IDS ) (Information Security) Jeff McJunkin Senior Technical Analyst Counter Hack Challenges

ALTITUDE DOESN T MAKE YOU SAFE. Satcom Direct s Comprehensive Cyber Security Portfolio for Business Aviation

Think Vulnerability Management Has Been Commoditized? You're using the wrong vendor.

How to get the Enterprise to Understand the Value of Security

Department of Management Services REQUEST FOR INFORMATION

Real-time Cyber Situational Awareness for Satellite Ground Networks. March 2015 Presenter: Ted Vera

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Objectives of the Security Policy Project for the University of Cyprus

Influence and Implementation

Automating the Top 20 CIS Critical Security Controls

ISE North America Leadership Summit and Awards

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Information Security Risk Strategies. By

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Building a Resilient Security Posture for Effective Breach Prevention

Network Security: Firewall, VPN, IDS/IPS, SIEM

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

Cyber Security Stress Test SUMMARY REPORT

Mapping BeyondTrust Solutions to

Top 10 Considerations for Securing Private Clouds

At a Glance. Introducing Security Metrics

Think Like an Attacker

Industrial Defender ASM. for Automation Systems Management

Operational Network Security

NEXT GENERATION SECURITY OPERATIONS CENTER

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

CISO as Change Agent: Getting to Yes

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Intelligent Security Management. Helping Enterprise Security Teams Improve Resource Efficiency & Reduce Overall Risk Exposure

NISTCSF Enterprise Training Solutions. By David Nichols & Rick Lemieux December 2018

Improving Your Network Defense. Joel M Snyder Senior Partner Opus One

Too Little Too Late: Top Reasons Why You Got Hacked

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

Session 5311 Critical Testing Programs for Security Operations

What are we going to talk about today?

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

Enabling Efficient, Consistent Certification and Accreditation Enterprise-Wide

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

Case Study: Security Implementation for a Global Packaging Company

FireMon Security manager

McAfee Database Security

Network Security Whitepaper. Good Security Policy Ensures Payoff from Your Security Technology Investment

Compliance Is Security. Presented by: Jeff Hall Optiv Security

PCI Compliance Assessment Module with Inspector

You ve Been Hacked Now What? Incident Response Tabletop Exercise

Cyber Hygiene Guide. Politicians and Political Parties

Roadmap to the Efficient Cloud: 3 Checkpoints for the Modern Enterprise

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Best Practices in Securing a Multicloud World

Shifting focus: Internet of Things (IoT) from the security manufacturer's perspective

Unlocking the Power of the Cloud

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

The Workflows Recipe Book

Escaping PCI purgatory.

Will your application be secure enough when Robots produce code for you?

Cybersecurity The Evolving Landscape

Ron Woerner, CISSP, CEH, CHFI

Transcription:

Proactive Security: Effective Cyber Risk Mitigation Dave Shackleford Founder and Principal Consultant, Voodoo Security

Agenda This talk will really be split into two sections The first will focus on new ways of thinking about your security program The second will focus on ways that you can apply new strategies to be more effective Voodoo Security 2012 2

Change your mojo Think like an entrepreneur & be more creative Voodoo Security 2012 3

Not your usual intro. I normally start these things with the Blah Blah Blah we re not winning Blah Blah Blah speech. But you already knew that. Instead, let s talk about insanity. "Insanity is doing the same thing over and over again but expecting different results." Voodoo Security 2012 4

It s time to think like entrepreneurs. This may seem like a stretch. It s not. There s one fundamental change in your thinking you ll need to make: What is your product? Along with that, you will need to package it, sell it, and improve it over time. Let s examine four questions we need to answer. Voodoo Security 2012 5

Question #1: Do Consumers Recognize the Problem We Solve? Voodoo Security 2012 6

Things to Consider First, who are your consumers? Executives IT Business Units Partners General employees Second, what problem do you solve? For security, likely Ongoing risk intelligence and mitigation for cyber risks. Voodoo Security 2012 7

Question #2: If there s a solution, will the consumers buy it? Voodoo Security 2012 8

Things to Consider There are lots of reasons the answer is yes Compliance Risk awareness Peer/business pressure Stakeholder pressure However, there are lots of reasons they WON T. Politics $$$ You. Yes, YOU. Voodoo Security 2012 9

Question #3: Will consumers buy the solution from us? Voodoo Security 2012 10

Things to Consider You need your organization to buy your product, namely security intelligence and risk management services and capabilities. There are plenty of reasons why you may be having trouble with this. Your selling ability. Your demeanor. Your security program. Your people. Things beyond your control. Voodoo Security 2012 11

Question #4: Can we build a solution for the problem? Voodoo Security 2012 12

Things to Consider You need your organization to buy your product, namely security intelligence and risk management services and capabilities. There are plenty of reasons why you may be having trouble with this. Your selling ability. Your demeanor. Your security program. Your people. Things beyond your control. Voodoo Security 2012 13

The Entrepreneur Pyramid Product Optimization Strategy Pivoting Vision Voodoo Security 2012 14

Thoughts for Security Category Vision Strategy Product Security Considerations 1. Have a security mission statement! 2. Have definitive outcomes of your efforts tied to the vision. 1. This is people, process, and technologies. 2. How will you accomplish the vision? 1. This is the outcome of your strategy. 2. It should be measurable! 3. You should be focused primarily on the MVP Voodoo Security 2012 15

MVP What s That? No, not the Most Valuable Player. Although being one never hurts. For this strategy, it s the Minimum Viable Product Voodoo Security 2012 16

Your Strategy Starter To kick off this whole creative process, go back to your organization and look at your entire security program as the MVP. But we ve got a lot of complexity, Dave! Yep, I hear ya. Chances are, you can still improve. A lot. Accept this, and look at your existing program as the beginning baseline (aka MVP). Voodoo Security 2012 17

Now the Feedback Loop. Ideas Learn Build Data Product Measure Voodoo Security 2012 18

Building Build a program that helps to accomplish your goals, meeting your vision. People: Security should be unobtrusive wherever possible. People should also be protected. Process: Security should be as efficient as possible, and not interfere with business processes that drive revenue. Technology: All technology should be immediately tied to the security vision, with the goals of providing your product to the organization. Voodoo Security 2012 19

Measuring You need to measure how well you re doing. All metrics should be: Actionable: Every metric should be directly tied to causes and effects. No guessing. And actions should be possible based on them. Accessible: Can all relevant stakeholder both easily SEE and UNDERSTAND your metrics? If not, revise them and make them available. Auditable: Are your metrics credible? No leaps of faith. Voodoo Security 2012 20

Metrics Example Measuring things like IPS alerts and blocks? In what context? Voodoo Security 2012 21

Learning Learning is the most valuable aspect of this cycle for infosec teams. A common entrepreneur excuse for failure: Well, we learned a lot. Maybe, but what did it lead to? Understand VALUE vs. WASTE. Also know MACRO learning (industry) vs. MICRO learning (your own organization) Voodoo Security 2012 22

A Final Point: Get Out More. No, really. We need lots of input for learning in infosec. Internal: Users IT Business units External: Partners Threat info sources (SANS ISC, commercial services) YOUR PEERS Voodoo Security 2012 23

Be More Proactive. Voodoo Security 2012 24

How most security shops spend their time. Voodoo Security 2012 25

Data Correlation & Analysis First things first: We have lots of data Detective and reactive solutions need to sift through this normalized data and find patterns that trigger events We re not doing a good job of telling stories or matching real world scenarios though. Voodoo Security 2012 26

Data Types System Access Logs Database/App Logs Network Device Logs IDS/IPS Events Vulnerability Assessments Behavioral Data (Flow, etc.) Oct 2 01:13:19 host sshd[19618]: Illegal user test from ::ffff:69.10.144.194 Oct 2 01:13:19 host sshd[19618]: Address 69.10.144.194 maps to unknown.xyz.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT! Jan 20 11:54:15 [192.149.115.1] %PIX-2-106001: Inbound TCP connection denied from 1.2.3.47/47321 to a.b.c.d/111 flags SYN on interface outside Jan 20 11:55:25 [192.149.115.1] %PIX-2-106001: Inbound TCP connection denied from 1.2.3.47/4842 to a.b.c.d/135 flags SYN on interface outside Jan 20 11:54:15 [192.149.115.1] %PIX-2-106001: Inbound TCP connection denied from Jan 27 17:23:16 10.10.10.123 security[failure] 529 NT AUTHORITY\SYSTEM Logon Failure: Reason:Unknown user name 1.2.3.47/38485 or bad password to a.b.c.d/445 User Name: flags SYN on interface outside Administrator Domain:webserver1 Logon Type:3 Logon Process:User32 Authentication Package:Negotiate Workstation Name: 080129 03:00:32 1 Connect websa@webserver1 on dbserver1 080129 03:01:48 1 Query show tables 080129 03:02:22 1 use creditcarddb; 080129 03:04:56 1 SELECT * FROM cardnumbers; Voodoo Security 2012 27

Changing our Risk Profile Today s attacks require a different focus: 1. Prevention techniques should protect you from 80% or more of the issues 2. Detection techniques should be focused on continuous monitoring 3. Reaction capabilities are inevitable, and should be focused on speed and thoroughness With 90% Detection and Reaction - we are just doing knee jerk security This is bad. Voodoo Security 2012 28

Prevention: Education Educating users about the dangers of the Internet (!) is important Browsing safely Not giving out personal or sensitive information over the phone Separating work and personal life on social media networks Being wary of links and emails with attachments However, many security awareness programs don t seem to work well - why? Voodoo Security 2012 29

Prevention: Communication Risk needs to be articulated in audience-specific formats What are the best ways to communicate and work with groups internally & externally? Internally: Proactive communications: Share news stories and new threat information with executive management, IT management, and employees (via newsletter or Intranet) Externally: Develop and nurture contacts and relationships with law enforcement, ISP, and key partners and customers Set a threshold or trigger for when to communicate potential issues Voodoo Security 2012 30

Prevention: Testing Yourself Find holes before attackers do! Prove that security issues exist to skeptical management Raise overall security awareness Verify secure system configurations Test new technology Discover gaps in compliance posture and satisfy legal, industry and/or governmental requirements such as HIPAA, SOX or PCI DSS. Voodoo Security 2012 31

It s never this simple. OK, so these are the basics. We have two much bigger issues, that tie back to the way we think. We WAIT for input to learn from. We do not model REAL-WORLD scenarios that depict how our PRODUCT will serve our CUSTOMERS. We will never, ever get there by just gathering data from sensors and dashboards. Voodoo Security 2012 32

Real Threat Modeling? Windows 2008 Server IIS Hack Database Segment Admin workstation Local Admin password theft/crack Pivoting To your SAN? File shares? DMZ What about social engineering with your users? Behavioral monitoring? Voodoo Security 2012 33

Suggestions For Building: Only buy technologies that help your product Be prepared to pivot in your strategy - no status quo For Measuring: Define metrics that are actionable, accessible, and auditable Put all metrics in context - more data is not necessarily better For Learning: Model threats and perform real-world attack scenarios Get out more to get input and feedback - users and peers Voodoo Security 2012 34

A Final Thought Gene Kim, a friend and all around smart guy, just said this in his SXSW presentation last weekend: There is a disastrous consequence of status quo. Folks, this is true. Leadership!= Meetings + Politics Creative Security (startup mentality)!= Ramen Noodles and a Garage Voodoo Security 2012 35

Final Discussion & Questions Thanks for attending! Voodoo Security 2012 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback