Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome

Nearly every aspect of our job as defenders has gotten more difficult and more complex—escalating threat, massive IT change, burdensome compliance reporting, all with stagnant security budgets and headcount. Rather than surrender, it’s now time to fight back. This session will provide new approaches to finding financial and operational support for information security across the organization.

Notes
  • Source: Joshua Corman while at IBM Internet Security Systems
  • http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/ – Original concept by Joshua Corman
  • Slide 1st appeared in work by Joshua Corman and David Etue from RSA Europe 2012 – GRC-303 Adversary ROI
  • http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/ – Original concept by Joshua Corman
  • Original Model by Joshua Corman
  • Source: RSA USA 2013 Joshua Corman and David Etue – GRC-F41 “Control Quotient”
  • Extension of Adversary “Cards” which 1st appeared in work by Joshua Corman and David Etue from RSA Europe 2012 – GRC-303 Adversary ROI
  • Original Model by Joshua Corman. The use here is to juxtapose the player with the asymmetric value. Procurement looks very strong at the base. CIO/CTO as well, and DevOps is the game changer.
  • http://www.lancope.com/files/451_Group_Real_Use_Case.pdf

    1. SESSION ID: STR-R01. Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome. David Etue, VP Corporate Development Strategy, SafeNet, Inc., @djetue. Joshua Corman, Chief Technology Officer, Sonatype, @joshcorman
    2. #RSAC A story of a CISO… • This presentation tells the story of a CISO • THIS CISO is fictional… • …but all the stories are REAL examples from real security programs
    3. Depressed? You are not alone…
    4. Forces of Constant Change. BUSINESS COMPLEXITY = RISING COSTS: Evolving Threats, Evolving Technologies, Evolving Compliance, Evolving Economics, Evolving Business Needs
    5. Consequences: Value & Replaceability (http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/). Replaceability continuum, from IRREPLACEABLE to HIGHLY REPLACEABLE: Human Life, Intellectual Property, PHI, CCNs
    6. Feel Like Surrendering?
    7. A Modern Pantheon of Adversary Classes. WHO (Actor Classes): Nation States, Competitors, Organized Crime, Script Kiddies, Terrorists, “Hacktivists”, Insiders, Auditors. WHY (Motivations): Financial, Industrial, Military, Ideological, Political, Prestige. WHAT (Target Assets): Credit Card #s, Web Properties, Intellectual Property, PII/Identity, Cyber Infrastructure, Core Business Processes. HOW (Methods): “MetaSploit”, DoS, Phishing, Rootkit, SQLi, Auth, Exfiltration, Malware, Physical. NOTE: More Complete Version @ http://slidesha.re/1fgu6rb
    8. Profiling a Particular Actor (same WHO / WHY / WHAT / HOW grid as slide 7). NOTE: More Complete Version @ http://slidesha.re/1fgu6rb
    9. Script Kiddies (aka Casual Adversary). Card: Script Kiddie (“Skiddie”); Methods: “MetaSploit”, SQLi, Phishing; Targets: CCN/Fungible; Motivations: Profit, Prestige; Score: 5
    10. Organized Crime. Card: Organized Crime; Methods: Malware, Botnets, Rootkits; Targets: Fungible, Banking; Motivations: Profit; Score: 50
    11. Nation States (Adaptive Persistent Adversaries). Card: Nation States; Methods: Custom Malware, SpearPhishing, Physical, Stealth; Targets: Intellectual Property, Trade Secrets, Infrastructure; Motivations: Military, Industrial, Economic; Score: 50
    12. Hacktivists / Chaotic Actors. Card: Chaotic Actors; Methods: DoS, SQLi, Phishing, Pranks; Targets: Web Properties, Individuals, Gov’t Policy; Motivations: Ideological and/or LULZ; Score: 10
    13. Auditors/Assessors/QSA. Card: Auditors; Methods: Checklist; Targets: ONLY “In Scope”, e.g. CCN (Credit Card #s); Motivations: Profit, Compliance; Score: 1
    14. Attacker Power - HD Moore’s Law • Moore’s Law: Compute power doubles every 18 months • HDMoore’s Law: Casual Attacker Strength grows at the rate of MetaSploit
    15. Do not go gentle into that not so good night...
    16. (image only)
    17. Defensible Infrastructure
    18. Defensible Infrastructure; Operational Excellence
    19. Defensible Infrastructure; Operational Excellence; Situational Awareness
    20. Defensible Infrastructure; Operational Excellence; Situational Awareness; Countermeasures
    21. (image only)
    22. Sphere of Control: Control
    23. Sphere of Influence vs. Control: Influence, Control
    24. “Rage, rage against the dying of the light”
    25. Control “Swim Lanes”. Lanes: PHI, “IP”, Web, PCI. Controls: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, … Desired Outcomes / Leverage Points: Compliance (1..n), “ROI”, Breach / QB sneak, Productivity, …
    26. Control & Influence “Swim Lanes”. Lanes: Web, …, PHI, “IP”, PCI. Controls: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, … Desired Outcomes / Leverage Points: Compliance (1..n), “ROI”, Breach / QB sneak, Procurement, Disruption, DevOps, Productivity, “Honest Risk”, General Counsel
    27. Influence “Swim Lanes”. Lanes: Web, …, PHI, “IP”, PCI. Controls: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, … Influence: Litigation, Legislation, Open Source, Hearts & Minds, Academia, Under-tapped Researcher Influence. Desired Outcomes / Leverage Points: Compliance (1..n), “ROI”, Breach / QB sneak, Procurement, Disruption, DevOps, Productivity, “Honest Risk”, General Counsel
    28. It’s Easier with Teammates. Alone? Team?
    29. Surprising Teammates. Executives: CIO, CFO, General Counsel, CTO, R&D, Operations, Sales, Business Owner. Supporting Cast: DevOps, Procurement, Compliance, Internal Audit, Risk Mgmt, Crisis Mgmt, Open Source, Academia, Gov’t Affairs
    30. DEFENDER: General Counsel. Card: General Counsel; Methods: Policy, LDoS, Contracts, AttorneyClientPriv; Assets: Intellectual Property, Trade Secrets, Sensitive; Motivations: Due Care, Defensible Risks; Score: 25
    31. DEFENDER: Procurement / Supply Chain. Card: Procurement; Methods: RFPs, T&Cs, SLAs, “Gating”; Assets: All Things Procured: Goods, COTS, Services; Motivations: Cost Reduction, Employer Interests; Score: 20
    32. DEFENDER: Chief Information Officer. Card: CIO; Methods: GRC, Standards, Policy, Change Mngt, Process; Assets: All Infrastructure; Motivations: Stability, Order, Support Business; Score: 20
    33. DEFENDER: Chief Technology Officer. Card: CTO; Methods: SDLC, Standards, Code/Tech Selection, Research; Assets: IP, Trade Secrets, Code, Platforms; Motivations: Innovation, Differentiation, Adoption; Score: 20
    34. DEFENDER: Chief Financial Officer. Card: CFO; Methods: Audit, Process, “Purse Strings”; Assets: Financials, Accounting Integrity, “Material”; Motivations: Responsible & Lawful Fiduciary for stakeholders; Score: 05
    35. DEFENDER: Senior Vice President, Sales. Card: SVP Sales; Methods: Customer Compliance, $DEALS, Roadmaps; Assets: Customer Data, “Goods”; Motivations: Retire Quota, Drive Revenue; Score: 15
    36. DEFENDER: Internal Audit. Card: Internal Audit; Methods: CheckLists, Interviews, Policies; Assets: Scoped Data & Environments; Motivations: Strict Compliance; Score: 05
    37. DEFENDER: DevOps. Card: DevOps; Methods: Automate, Orchestrate, ChaosMonkey, Teamwork; Assets: Code, Deploys, Environments; Motivations: Faster Faster, Velocity, Efficiency; Score: 50
    38. Defensible Infrastructure; Operational Excellence; Situational Awareness; Countermeasures
    39. Battle: PCI Compliance (VS)
    40. Battle: Intellectual Property (VS, 50)
    41. Battle: Intellectual Property Round 2 (VS, 50)
    42. Battle: Web Properties (VS, +20)
    43. Case Study: Gaining Situational Awareness. CISO: “There is a difference between reacting and hunting. If you're reacting, you're done. We knew we had to go hunting, and that meant we had to do things differently.” Teammates: Business Owner: Understood adversary; Operations: Deploy BigFix for Power Management (GREEN!) AND security; Compliance: Repurposed SIEM and other compliance tools; CIO: Driven by Productivity. Result: One of the most advanced automated attack identification and classification systems developed at the time
    44. Case Study: Using Customers To Your Advantage. Large Financial CISO: Only getting investment in InfoSec where required by “compliance”. Teammates: VP of Sales: Worked with to include customer contractual obligations in scope of compliance; General Counsel: Determine committed customer contractual obligations, measured risk; Audit: Added customer contractual obligations to scope of audit. Result: Significant increase in Information Security investment, driven by Sales
    45. Case Study: “DevOps” Chaotic Good. F100 Insurance “Chaos Monkey”: “We spend ZERO on securing anything but mandatory PCI controls & scope; therefore I must infect the org w/ Card Data.” Teammates: LOB CTO: WAFaaS can accelerate your PCI 6.6 & TimeToMarket; General Counsel: We must take reasonable steps to keep our secrets secret; CIO: If we fund a Visible Ops program, we’ll run more efficiently & be compliant. Result: More sane/balanced security posture, more agile/efficient IT
    46. Case Study: Changing Report Structure. CISO: “Reporting into CIO ignored Data Security and 3rd Party Risk”. Teammates: General Counsel: Heavier concern/focus on Data Classification/Security; Procurement: More stringent 3rd Party Service Provider Security, Ts & Cs. Result: Greater Board Level Visibility & Access to Drive Table Top Exercises
    47. Case Study: Adversary Driven! Large Scale European Financial Services CISO: “Despite a large scale information security investment, we were still losing”. Teammates: Business Owners: Determine likely adversaries (organized crime for financial fraud); Risk: Determine potential financial losses due to various fraudulent attacks; Application Development: Shared investment to tie broad information security controls with application specific security and fraud prevention. Result: Significantly more effective information security program resulting in lower fraud without significant increase in investment
    48. CISO: The New “Nick Fury”. YOU: Assemble Your Team of Heroes
    49. Apply • Who Is Your Team? • Identify at least one opportunity to leverage a new swim lane • Identify at least one new teammate to recruit and make a hero • Identify one opportunity this year to influence each layer of the pyramid. Everyone Has The Chance To Be the Hero In Their Own Story!
    50. Thank You & Additional Resources • Adversary ROI: [SlideShare] [RSA US 2012 Online on YouTube] • Supply Chain Security: Policy and Program Development [Free Research from IANS] • Rugged Software – Are you Rugged? [Website] • Do not go gentle into that good night by Dylan Thomas. David Etue @djetue, Joshua Corman @joshcorman
    51. Back-Up
    52. Backup cards. Internal Audit (Score: 05): Methods: CheckLists, Interviews, Policies; Assets: Scoped Data & Environments; Motivations: Strict Compliance. DevOps (Score: 50): Methods: Automation, Orchestration, Teams; Assets: Code, Deploys, Environments; Motivations: Faster Faster, Velocity, Efficiency. Risk Management (Score: ??): Methods: Risk Models, Metrics, “TableTops”; Assets: Risk Identified & Prioritized Assets; Motivations: Support Business Intent
    53. Backup cards. CTO (Score: 20): Methods: SDLC, Research, Tech Selection; Assets: IP, Trade Secrets, Code, Platforms; Motivations: Innovation, Adoption. CFO (Score: 05): Methods: Audit, Process, “Purse Strings”; Assets: Financials Integrity, “Material”; Motivations: Responsible & Lawful Fiduciary. SVP Sales (Score: 15): Methods: Customer Compliance & $DEALS; Assets: Customer Data, “Goods”; Motivations: Retire Quota, Drive Revenue
    54. Backup cards. Procurement (Score: 20): Methods: RFPs, T&Cs, SLAs, “Gating”; Assets: All Things Procured: COTS, Services; Motivations: Cost Reduction, Employer Interests. CIO (Score: 20): Methods: GRC, Policy, Change Mngt; Assets: All Infrastructure; Motivations: Stability, Order, Support Business. General Counsel (Score: 20): Methods: Policy, Contracts, AttorneyClientPriv; Assets: IP, Trade Secrets, Sensitive; Motivations: Due Care, Defensible Risks
    55. Backup cards. Nation State/Espionage (Score: 50): Methods: Custom Malware, Stealth, *.*; Targets: IP, Trade Secrets, Infrastructure; Motivations: Military, Industrial, Economic. Script Kiddie / “Skiddie” (Score: 05): Methods: “MetaSploit”, SQLi, Phishing; Targets: CCN/Fungible; Motivations: Profit, Prestige. Organized Crime (Score: 50): Methods: Malware, Botnets, Rootkits; Targets: Fungible, Banking; Motivations: Profit
    56. Backup card. Auditor (Score: 01): Methods: Checklist; Targets: ONLY “In Scope” (Credit Card #s); Motivations: Profit, Compliance
