Ciso executive forum 2013
  1. CISO Survival In The Real World
     Bill Burns, Director, Information Security
     ISSA CISO Executive Forum, Feb 24, 2013
  2. “Thrive”, not Survive
     • Context
     • A few contributions
     • Future Bets & Areas of Focus
  3. Future Bets 2015: Forcing Functions
     • Social + Mobility + Cloud
     • Traditional Controls Are Lacking
     • Analytics
  4. Netflix Business
     • World’s largest TV network
     • 33 million members in 40 countries
     • Over a billion hours streamed per month
     • Supported on 1000+ device types
     • 1/3 of evening Internet traffic ((c) 2011 Sandvine)
  5. Our Culture
     • High Performance, Engineering-Focused
     • Fail Fast, Learn Fast ... Get Results
     • Data- and Metrics-Driven
     • Take Smart Risks
     Some core values:
     • “Freedom & Responsibility”
     • “Loosely-Coupled, Highly-Aligned”
     • “Context not control”
  6. Today: Data Centers & Cloud
     • Tooling
     • Risk Assessments, Treatments
     • Business Processes
     • ~99% Cloud-based today
     • Goal: Pure-Cloud Streaming
  7. Cloud: On-Demand Capacity (diagram of Demand, # Servers and Utilization over time)
     1. Demand: Typical pattern of customer requests rise & fall over time
     2. Reaction: System automatically adds, removes servers to the application pool
     3. Result: Overall utilization stays constant
  8. The Netflix Simian Army
     • Striving for continuous testing, monitoring
     • Identify and test common failure modes
     • Automation everywhere to manage risk
     The monkeys:
     • Chaos Monkey – Kills random instances
     • Chaos Gorilla – Evacuates entire data centers
     • Chaos Kong – Evacuates entire regions
     • Janitor Monkey – Ensures a clean inventory
     • Security Monkey – Various security checks
  9. InfoSec Challenge in an IaaS Cloud :: Confidentiality/Possession
  10. Key Management :: HSMs
     • Motivation:
       • Decouple DC and Cloud
       • Trust our Cloud more fully
       • Others probably want this too
     • Challenges:
       • Need crypto keys near the Cloud
       • HSMs are in the data center
       • Can’t entirely trust our CSP
     • Solution:
       • A real HSM: FIPS 140-2 certified hardware
       • Keys stay in hardware
       • “HSM as a Service”
  11. Security: Thriving in an Agile Enterprise
  12. Future Bets 2015: Org Demands
     • Fluid, Virtual Teams of specialists / specialties
     • Dynamically form & dissolve to address opportunities, challenges
     • Emphasis on collaboration, roaming
     • Analytic, data-driven
  13. Future Bets 2015: Team Dynamics, Skills
     • Teams will
       • Be Risk/Security Advisors, coaches, business analysts
       • Speak their language
     • Skill sets will become
       • Less: people clicking on GUIs
       • More: analytics, automation, gluing systems together (APIs)
  14. SaaS: In use Today? Next Year?
     1. Email/chat/calendar
     2. File Storage/backups
     3. Service Ticketing
     4. On-call paging
     5. Log management
     6. Authentication/IAM
     7. App vulnerability scanning
     8. Risk management
     9. HRIS, ERM
     10. Source code repository
     11. Blogs, websites
     12. Doc collaboration
     13. Risk assessments
     14. Encryption / key management
     15. Data analytics/BI/DSE
     16. Project Management
     17. SIEM
     18. VPN
     19. MDM
     20. Anti-Virus/Anti-malware
  15. Future Bets 2015: Data, Application Security
     • Business Forcing Function: Third-party cloud apps will innovate faster than your IT department can
     • Cloud/SaaS will be IT tools, not competitors
     • Data will be encrypted automatically off-network, off-device
     • Automated, continuous assessments of your controls
  16. Future Bets 2015: Device Security
     • All-wireless office, Gigabit Wireless
     • Smartphone building badges
     • MDM layers: managed VPN, device- and app-wrapping
  17. Future Bets 2015: Network Security
     • You will be breached – Not “if” but “when”
     • How fast can you respond, contain?
     • Mix of trust: corporate, vendor, employee-owned devices
     • Verify every device, user
  18. Future Bets 2015: Automated Protection
     • We will no longer talk about BYO[everything]
     • Zero-Trust / NAC will be common
     • Networks will dynamically quarantine, inspect, test
     • Large-scale event correlation, analytics => reaction
  19. Future Bets 2015: What about the users?
     • Awareness Training will
       • Be automated
       • Be context-relevant, bite-sized
       • Phish your employees before they do!
       • Actively test for vulnerabilities, quarantine
       • Gamify (“peer pressure”) on compliance, activity
       • Be developed collaboratively
  20. Future Bets: Areas of Focus Today
     “The best way to predict the future is to invent it.” – Alan Kay
     “The future is already here - it’s just not evenly distributed.” – William Gibson
  21. Future Bets 2015: Targeted Training
  22. Future Bets 2015: Security Analytics (slide watermarked “SAMPLE DATA”)
  23. Future Bets 2015: Security Analytics – Security Control A/B Testing (slide watermarked “SAMPLE DATA”)
  24. Thank you!