
Its time to grow up by Eric C.



Published in: Technology

  1. It’s Time To Grow Up
     Eric Cowperthwaite, Vice President, Advanced Security & Strategy, Core Security, @e_cowperthwaite
  2. They Say To Always Start With A Joke
     • A duck walks into a bar …
     • See, that was a security joke!
  3. We Suck
     • The bad guys can go where they want and do what they want
     • The good guys are reduced to fixing the damage, it seems
     • Costs are in the $Billions
     • CEOs, Boards are at risk
     • President discussed cyber security in his State of the Union
  4. Breaches, exploits, vulnerabilities … Oh My
     • Low priority, seemingly innocuous
     • Inappropriate connectivity
     • Simple paths to critical assets
  5. Just Give It Away
     "99.9% of vulnerabilities are exploited more than a year after they were published, and in 2014, 90% plus of the CVEs exploited were published in 2007." – 2015 Verizon DBIR
  6. It’s Real Money Now
     • Target internal cost is $236 million
     • Target credit card fraud estimate $1.2 - $2.2 billion
     • Card replacement costs $400 million
     • CEOs, CIOs and CISOs losing their jobs
  7. Keeping Bad Guys Out Today
     • Our current concept says:
       − Scan and detect all vulnerabilities
       − Prioritize system by system
       − Patch immediately
     • Is this working?
  8. The Problem
     • Thousands of servers, tens of thousands of endpoints
     • Hundreds of pages of vulnerability reports, no easy way to prioritize
     • Complex networks, no clear picture of how attackers will exploit it
     • We are overwhelmed by data
  9. It’s Time To Grow Up and Patch Stuff
     • Do you know what vulnerabilities threaten your business?
       − Are you able to respond effectively to them?
     • Do you scan/patch haphazardly? For a compliance regulation? Or regularly, driven by risk and internal policies?
     • Can you list the top 100 (or even 10) threats to your critical assets?
       − And create a plan to fix them?
     • Do you know what attack paths through your network lead to sensitive data?
  10. Let’s Talk About Growing Up
  11. A View of a Security Program
  13. What We Know About Your Maturity
     Core Security’s ongoing Maturity Survey results (120 total respondents):
     • 33% of respondents are level 2 or below
     • 52% of respondents are level 3 or below
  14. It’s Only A 5 Step Program
  15. Step 1: Get the basics in order
     Things to do:
     • Acquire a vulnerability scanner
     • Identify need to regularly scan
     • Create emerging process for patching
  16. Step 2: Begin actually managing vulnerabilities
     Things to do:
     • Establish processes
     • Adopt compliance frameworks
     • Implement basic prioritization to deal with data overload
     • Create repeatable metrics
     • Establish management lifecycle
     • Conduct first penetration test
  17. Step 3: Prioritization and formalized processes
     Things to do:
     • Move to risk-based patching vs compliance patching
     • Advance basic prioritization
     • Focus metrics on improving security
     • Implement measurable processes
     • Use penetration testing for validation
  18. Step 4: Attacker focused
     Things to do:
     • Enhance metrics for security trends
     • Build continuous processes
     • Patch based on critical asset risk
     • Address additional threat vectors
     • Conduct formalized penetration testing via red teams
  19. Step 5: Business-risk and vulnerability context
     Things to do:
     • Incorporate business goals into vulnerability management program
     • Align business and IT security goals
     • Consider deep vulnerability context and all threat vectors
     • Leverage vulnerability metrics as key risk indicators
  20. What does this look like in practice?
  21. Prioritized Attack Paths to Your Critical Assets
     Attack Point → Web Application Server → Vulnerable Database → Critical Business Asset (e.g. credit card database)
  22. Continuous Monitoring for Critical Vulnerabilities
     • Scan routinely
     • Absorb network change
     • Correlate assets, network paths and vulnerabilities
     • Correct unknown attack paths
  23. Connect With The Business
     • Understand critical business assets
     • Unify IT and Security processes
     • Measure in meaningful ways
     • Break down silos
  24. What stage are you? Where do you want to be?
  25. What does this mean for your business?
     • Operational efficiency
       − High value assets redeployed to high value activities
     • IT and the business are working together
       − Patch and vulnerability management driven by business decisions
       − Critical assets are focused on, rather than “whack-a-mole” patching
     • Reduced risk exposure
       − Solves issues with regulators, audits, etc.
     • Much less likely to be Home Depot, Adobe, or
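Slides 21 and 22 describe correlating assets, network paths and vulnerabilities so that patching is driven by the attack paths that actually reach critical assets, rather than by a flat vulnerability report. The following is an added example of that correlation, not part of the deck and not Core Security's product code; the hosts, the connectivity between them and the vulnerability ids (VULN-A and so on, placeholders rather than real CVEs) are all constructed.

```python
from collections import Counter

# Constructed sample model (not real hosts or CVEs): exploitable vulnerability ids
# on each host; an empty list means there is no known way to take that host over.
VULNS = {
    "web-app-01": ["VULN-A"],
    "vpn-gw-01": ["VULN-B"],
    "app-server-02": ["VULN-C"],
    "fileshare-03": [],
    "db-01": ["VULN-D"],
    "crm-db-02": ["VULN-E"],
}
# Constructed reachability: which hosts each node can open connections to.
EDGES = {
    "internet": ["web-app-01", "vpn-gw-01", "fileshare-03"],
    "web-app-01": ["app-server-02"],
    "vpn-gw-01": ["app-server-02", "crm-db-02"],
    "app-server-02": ["db-01", "crm-db-02"],
    "fileshare-03": ["crm-db-02"],
}
CRITICAL = {"db-01", "crm-db-02"}  # the critical business assets of slide 21

def attack_paths(start="internet", edges=EDGES, vulns=VULNS, critical=CRITICAL):
    """Enumerate simple paths from `start` to any critical asset. A hop onto a
    host is allowed only if that host carries an exploitable vulnerability."""
    paths = []

    def walk(node, visited, path):
        for nxt in edges.get(node, []):
            if nxt in visited or not vulns.get(nxt):
                continue  # already on the path, or no way to take this host
            if nxt in critical:
                paths.append(path + [nxt])
            else:
                walk(nxt, visited | {nxt}, path + [nxt])

    walk(start, {start}, [start])
    return paths

def rank_vulnerabilities(paths, vulns=VULNS):
    """Rank vulnerabilities by how many attack paths run through the host they
    sit on: fixing the top one removes all of those paths at once."""
    counts = Counter(v for p in paths for host in p[1:] for v in vulns[host])
    return counts.most_common()

def paths_after_patching(vuln_id, start="internet"):
    """Re-run the analysis with one vulnerability fixed, to see what the patch buys."""
    patched = {h: [v for v in vs if v != vuln_id] for h, vs in VULNS.items()}
    return attack_paths(start, vulns=patched)
```

In this constructed network the host with the most paths through it (app-server-02) is not a critical asset itself, which is exactly the prioritization a per-system severity list misses.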