SIGS AFTERWORK EVENT
Security: which operational model for which scenario?
Hotel Warwick - Geneva

Speakers:
- Johny Gasser, Information Security & Compliance Officer (for a global customer), Orange Business Services
- Thierry Clavel, Corporate Security & Lawful Interception Manager, Salt Mobile SA
AGENDA
Focus on the outsourcing of Security, not of IT.
- Devices management
- Governance
- Control assurance
- Security incident response
- Intelligence
- Summary
For each topic: scenarios, advice, real-life feedback.
DEVICES MANAGEMENT
What:
- Firewalls
- Anti-malware gateways
- IPS
- Proxies
- Encryption
- IAM
- Advanced Threat Protection
- CASB
Why and when:
- Resource shortage
- Lack of competencies
- Cost saving
- Consolidation / centralization
- Security incident
How:
- Rules & configuration management
- HW/SW monitoring & maintenance
- Lifecycle management
- License management
- DDoS management
- XaaS
DEVICES MANAGEMENT - Advice & Real-Life Feedback
- Define a RACI for EVERY activity
- Detail the activities
- You validate the changes & controls
- Vulnerability management
- HW / SW must be supported by the vendor (release management)
- Who pays for what?
- You shall have the right to veto a technology selection
GOVERNANCE
What:
- Establishing policies
- Security awareness
- RFP, provider selection
- Product selection
- Body renting (staff augmentation)
Why and when:
- Resource shortage
- Lack of competencies
- Merger, acquisition
- Security incident
How:
- Security Expert / Officer as a service
- Consulting mandates
GOVERNANCE - Advice & Real-Life Feedback
- Define the required competencies
- You shall have the right to replace an unsuitable resource
- Trust the person, not the company
- Policies / awareness have to be tailored
- Detail the content of the deliverables
CONTROL ASSURANCE
What:
- Pen tests
- Vulnerability assessment
- Audits
- Code review
Why and when:
- Lack of competencies
- Resource shortage
- Independence
- Security incident
- CYA policy
How:
- Perform pen testing
- Run vulnerability scans
- Carry out audits
- Execute code review
CONTROL ASSURANCE - Advice & Real-Life Feedback
- Define the deliverables (quality, granularity, format, language, etc.)
- Ask for example reports and verify the pen testers' reputation
- Describe the boundaries (scope)
- No black box - do your homework!
- No actions are taken without your formal approval
- Validate actions prior to execution (clear communication)
INCIDENT RESPONSE
What:
- Incident support & assistance
- Onsite assistance to manage the incident
- Crisis management (including communications, etc.)
- Forensic evidence collection
Why and when:
- Security incident
- Lack of competencies
- Resource shortage
How:
- Security Expert / Officer as a service (on / off site)
- On-demand services (e.g. forensic investigation)
INCIDENT RESPONSE - Advice & Real-Life Feedback
- Clear definitions and thresholds (security incident, crisis, etc.)
- Outline the required competencies
- 24x7x365, on both sides
- Define SLAs with penalties
- Define locations & availabilities
- Define a rate card for outsourced services
INTELLIGENCE
What:
- Early signs of attacks
- Targeted phishing attacks (against your organisation or your customers)
- Data leak detection (confidential documents available on the web / dark web)
- Hack detection
- Detection of compromised devices from external sources
- Potential target (vertical sectors, R&D, etc.)
Why and when:
- Security incident
- Lack of competencies
- Resource shortage
How:
- CyberSOC
- Specialized security analysts
- SIEM
INTELLIGENCE - Advice & Real-Life Feedback
- FIRST, define your needs and stay focused
- Verify the available scenarios defined by the service providers
- Always perform a proof of concept
- Ensure real-time coverage (24x7x365)
- On-call experts
CONSIDERING OUTSOURCING
- Remember that "partnership" exists in Dreamland
- Service providers are responsible, YOU remain accountable
- Define / identify clear objectives (why do we want to outsource security?)
- Do not blindly follow best practices
- You need to be mature and outsource what is already working
- Never ever outsource the RFP and the contract creation & negotiation
- Remember: you can stop the RFP at any time if the objectives are not met
BEFORE CONTRACT SIGNATURE
- If the objectives cannot be met, you can always stop the negotiations
- Define the details now; afterwards it will be at a bigger cost (grey zones show the dark side of people)
- System lifecycle, service enhancement and innovation have to be well detailed (costs / triggers / responsibilities, etc.)
- Vocabulary (e.g. "security incident")
- SLAs without penalties are SLOs (Service Level Objectives)
- BMW KPIs (Business oriented, Measured and Well defined)
- Ask for the available options: you will understand what is NOT included
- Add a few consulting days for the unexpected
- Define the deliverables (periodicity, samples, content, including raw data)
- Audit right, external reports (e.g. ISAE 3402, SSAE 16, ISO 27k, etc.)
- Early termination & exit procedures
CONTRACT EXECUTION
- Be strict from the beginning (but fair)
- Trust, but verify - periodic controls (including subcontractors)
- Verify periodically that the deliverables are properly distributed and understood by the stakeholders
- Adapt the deliverables over time
TAKEAWAYS
- You don't need someone to tell you what you need
- Cheap is always expensive (service providers need to earn money)
- Details / Transparency / Controls