
Information Security - Back to Basics - Own Your Vulnerabilities

When a security program isn't as good as it should be, it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual pen test report. He’ll share a back-to-the-basics case study for removing complexity and running a simple, effective, start-up worthy security program.

This talk is for: Security Managers looking to better focus on the real vulnerabilities and more effectively communicate their progress.

The goals of this talk: find the real problems, create a formal plan, build support for the plan, and report the progress.



  1. Back to Basics: Information Security. IT'S TIME TO OWN YOUR VULNERABILITIES. “If you are still missing patch MS08-067, this talk is for you!”
  2. Introduction – Who is Jack Nichelson? “I defend my company's competitive advantage by helping solve business problems through technology, to work faster and safer.”
     • Global Information Security Manager at GrafTech International
     • 15 years of experience in IT Security & Risk Management
     • Active in the security community (DefCon, ShmooCon, DerbyCon)
     • Teaches Network Security and advises the BW CCDC team
     • “Solving problems is my passion”
  3. Problem Statement: “After a year of hard work implementing solutions, I just failed another pen test.”
     Possibility #1:
     • I must need more budget & resources
     • I need more control over the systems & data I need to secure
     • I need more NextGen solutions & consultants
     Possibility #2:
     • Maybe I am not focused on the right things
     • Maybe I am trying to do too much at once
     • Maybe I need a better way to show results
     • Maybe I need to ask for help
  4. Good Advice: “Think about how you can simplify security – make it easy – and focus on the basics.” - Dave Kennedy
     Recommendations:
     • Take a step back and read “REWORK”
     • Remove complexity – start small
     • Start at the epicenter, on what won’t change
     • Focus on fewer problems that provide bigger returns
     • Build an audience
     • Keep score & publish it (good or bad)
  5. What does good look like? Companies that were making the most improvement year over year in their pen tests had these things in common.
     Common trends of a good security program:
     • Monthly or quarterly security awareness training at all levels of the company
     • Regularly assess vulnerabilities and report with action plans
     • Strong project management to make sure remediation gets done
     • Well-defined reporting that is tied to performance goals
     • Everyone in IT has responsibility for meeting security goals
  6. 4 Steps to Get Focused
     • Align: Build & execute project plan
     • Identify: Conduct analyses that will give you actionable insight
     • Communicate: Build consensus through awareness
     • Report: Build a Scorecard to show results
  7. Hype vs. Reality
     Hackers, Organized Crime, State Sponsored – Higher Difficulty, ~10% of incidents. Security Risks:
     • APT
     • The “Cloud”
     • Mobile Malware
     • Big Data
     • BYOD
     Lower Difficulty, ~90% of incidents:
     • Malware
     • Phishing
     • Missing Patches
     • Missing Security Baselines
     • Lost & Stolen Devices
     • Poor Passwords
  8. Identify – Looking for Actionable Metrics: Conduct analyses that will give you actionable insight that can be translated into deliverable results.
     1. Start at the epicenter & focus on what won’t change
     2. Define the process of reporting & tracking security events by people and systems
     3. Analyze the metrics collected to identify your top 3 incident types, by volume & time
     4. Identify the root cause of each incident, and stack rank
     Action items: Monthly Security Awareness Training; 15 Day Patching Window; Egress Filtering (Block Ports 21, 80, 443); Remove Java
     Malware Metrics: # of Detections, # of Infections, # of Re-Images
     Malware Root Cause: Filter Failed, Missing Security Baselines, Web Based Infections, Java Based Infections, Missing Patches
     Phishing Metrics: # of Detections, # of User Reports, # of Infections
     Phishing Root Cause: Filter Failed, Lack of Awareness, Web Based Infections, Java Based Infections, Adobe Based Infection
     Patching Metrics: # of Desktops by Location, # of Servers by Location, # Missing Patches by Year
     Patching Root Cause: SCCM Agent Failed, Admin Failed to Patch, Legacy System, Missing 3rd Party Patch, Poor Asset Inventory
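Steps 3 and 4 of the Identify slide, worked through as an added example that is not part of the deck: constructed sample events are stack-ranked by incident type, either by volume or by total time open, and the root causes inside each top type are ranked in turn. The event rows, their field layout and the `stack_rank` function are assumptions of this example, not the author's tooling.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events, not data from the talk: each row is one
# security event as (incident_type, root_cause, detected, resolved).
EVENTS = [
    ("malware", "java based infection", "2014-03-02 10:00", "2014-03-02 18:00"),
    ("malware", "missing patches", "2014-03-01 09:00", "2014-03-01 13:00"),
    ("malware", "java based infection", "2014-03-03 08:00", "2014-03-03 20:00"),
    ("malware", "web based infection", "2014-03-04 11:00", "2014-03-04 12:30"),
    ("phishing", "lack of awareness", "2014-03-02 14:00", "2014-03-02 15:00"),
    ("phishing", "filter failed", "2014-03-05 09:00", "2014-03-05 10:00"),
    ("phishing", "lack of awareness", "2014-03-06 09:00", "2014-03-06 11:00"),
    ("missing patch", "sccm agent failed", "2014-03-01 00:00", "2014-03-10 00:00"),
    ("missing patch", "legacy system", "2014-03-01 00:00", "2014-03-31 00:00"),
    ("lost device", "no encryption", "2014-03-07 09:00", "2014-03-08 09:00"),
]
FMT = "%Y-%m-%d %H:%M"


def hours_open(detected, resolved):
    """Time the event stayed open, in hours (the 'time' dimension of step 3)."""
    delta = datetime.strptime(resolved, FMT) - datetime.strptime(detected, FMT)
    return delta.total_seconds() / 3600


def stack_rank(events, top_n=3, key="count"):
    """Step 3: rank incident types by volume (key='count') or by total time
    open (key='hours'), keeping the top_n.  Step 4: within each of those,
    rank root causes by how often they appear, most common first."""
    count = Counter()
    total_hours = defaultdict(float)
    causes = defaultdict(Counter)
    for itype, cause, detected, resolved in events:
        count[itype] += 1
        total_hours[itype] += hours_open(detected, resolved)
        causes[itype][cause] += 1
    score = count if key == "count" else total_hours
    # Primary sort on the chosen dimension, ties broken by the other one.
    ranked = sorted(count, key=lambda t: (score[t], count[t], total_hours[t]),
                    reverse=True)
    return [
        {"type": t, "count": count[t], "hours": round(total_hours[t], 1),
         "root_causes": causes[t].most_common()}
        for t in ranked[:top_n]
    ]


if __name__ == "__main__":
    for row in stack_rank(EVENTS):
        print(f"{row['type']:14} {row['count']:>3} events "
              f"{row['hours']:>7.1f} h  top cause: {row['root_causes'][0][0]}")
```

Ranking by volume puts malware first (and Java infections as its leading root cause), while ranking by time open puts missing patches first; the deck's action items (remove Java, 15 day patching window) are what such a stack rank points at.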
  9. Align – Manage like you own the problem: Build & execute project plans to drive for results & share successes.
     • Invest more time in project planning and due diligence; time spent defining the problem is NEVER time wasted
     • Write a Project Charter that clearly states the scope, objectives, participants and success measurements
     • Create a Work Breakdown Structure to graphically represent the project scope, broken down into successive chunks with defined deliverables
     • Pay close attention to the human factor and involve your team in the planning process
     • Hold regular project meetings & publish the progress
  10. Communicate – Build consensus through awareness: “It’s hard to overstate the importance of effective security awareness & communication”
     • If you do not define the key issues and challenges for your security program, chances are that others will
     • Get out in front of how security is perceived, understood and supported at every level
     • Good security awareness not only lowers your risks but also helps users and management accept change
     • When there is an understanding that security is here to help, the culture changes & adoption of security occurs
     • Craft crisp messages that help your audiences internalize and quickly accept your information
  11. Reporting – Think like a CFO, so you can deliver results the business can understand. Reporting good data is the best way to show that security is a business enhancement.
     • Make heroes: when people start with an A+ they will fight harder to keep it
     • Define the metrics to measure and assess security’s performance
     • Metrics are the lifeblood of any good decision
     • Create a Security Scorecard so you have a standard way of communicating your progress to anyone
     • Report the value of security activities to a wide range of security consumers
  12. Gemba Board – Where value is created: Gemba (現場) is a Japanese term referring to the place where value is created. The idea of Gemba is that the problems are visible, and the best improvement ideas will come from going to the Gemba.
  13. Current State – Proof is in the results: “Good security is not something you have, it’s something you do” - Wendy Nather
     Accomplishments:
     • Think Before You Click – Awareness Program
     • Patches applied within 15 days on 95% of devices
     • Full egress filtering, only allowing access out to the internet through a proxy
     • Removed Java from 85% of workstations
     • Security baselines on 90% of servers
     • Enforced password policy with 10 character minimum, with password self-service reset
     • Encryption of all mobile workstations & phones
     • Disabled local Admin on all servers
  14. What’s next – Protect the King! Once you have the basics covered, it's time to start focusing on protecting the King: “Your Data”. “Risk Management is about separating your kings from your pawns” – Chris Clymer
  15. Summary – Key Takeaways
     • Align: Build & execute project plan
     • Identify: Conduct analyses that will give you actionable insight
     • Communicate: Build consensus through awareness
     • Report: Build a Scorecard to show results
  16. Special Thanks to Dave Kennedy
  17. What questions are there? Jack Nichelson. E-mail: Twitter: @Jack0Lope