#RSAC
SESSION ID: CSV-R11
The Advantage of Ignoring the Long Tail of Security: A Product View
James DeLuccia
Cybersecurity Cloud B2C & B2B, New Products, Honeywell
DO GOOD
GIVE YOUR TIME
HELP OUR WORLD
James DeLuccia
2
• Part of product engineering at Honeywell
• Core mission: Help create delightful customer experiences
• Major project work: Develop and introduce enhanced
cybersecurity work patterns and technology on Azure
• Scale: Honeywell’s customers make up roughly 25% of all
buildings globally; operate 300+ subscriptions online, and 100s
of products online
• History: 25+ years in technology; Writer, Researcher, Patents
Product considerations
Honeywell Buildings Technology
4
• We currently serve 25% of all buildings in the world
• 1,000s of products that depend on the cloud service providers
• 100s of cloud subscriptions and millions of resources
• Millions of hardware end-points (IOT), handheld devices, and
more with orchestration between fixed locations and the cloud
• Ongoing Challenge
– Deliver to market expectations, regulations, and a brand of trust
– Heavy evolution in our space
– Transformation of technology available in our space and utility
– Churn in regulation and geo-political relations impact our supply chain
Global product footprint, team, and market
5
• We build and sell products globally
• Leverage the leading cloud service providers
• Have a globally deployed team that reflects our developers
• Serve global markets and thus coordinate closely with local
authorities and local partners
What is the long tail of security controls
Practicality and focus
Long Tail of Security Controls
7
Refers to the value (impact) of a single security control compared against all other controls
Viewpoints and analysis are best done in house:
• Reflective of your product
• Customer use cases
• Technology truths
Send feedback to
@jdeluccia on twitter
Long Tail of Security Controls
8
• Take a pragmatic view of your products, tooling, and platforms. Then apply a deployment priority that demands the table stakes first, and then allows for incremental expansions.
Maturity ladder: ISA Level 1 → ISA Level 2 → ISA Level 3 → ISA Level 4
Context matters, examples
Relevance Matters More
Based on this lens, we prioritize controls
11
• Cloud deployments have Level 4 configs
• Endpoints utilize PKI service
• Detective and preventive controls adaptive
to tech
• More details and specifics on back half...
Demonstrative Product Security Model
Practical and based on multi-organizational practices to deliver global digital and physical products with the cloud
Demonstrative Organizational Roles & Priority
PROGRAM Backbone - Standards
14
Demonstrative Examples:
• IoT/IIoT = ISA/IEC 62443, (DRAFT) NIST IoT Baseline
• Cloud = CSA STAR, SOC 2 Type 2
• Product or Process Certifications = ISASecure, UL 2900-1
• People = CSSLP, Ethical Hacker, CCSK, CCSP, CISSP
+ ISA/IEC 62443 Cybersecurity certificates
• SSDL = Microsoft Security Development Lifecycle
Together these guide our core controls
Architects define our product controls
Set your management system and then layer in controls
15
Management system foundation: ISO 27001 / SDLC
Control sets layered on top: ISA 62443; ISO 27002; ISO 27018; GDPR; FEDRAMP / ENISA / Government standards; NIST / CSA
How to focus your cybersecurity resources
Demonstrative method and tactics for product teams
6. Embed and own the SDLC process
17
Involve the Security Architect from the start.
Phases: Requirements → Design → Development → Testing → Deployment → Maintenance & EOL
Security artifacts produced and then revisited across the phases:
• Security / Privacy Requirements
• Security Review Checklist
• Security Risks
• Threat Model
• Security Tests
• Security Manual
• SIGN OFF
Privacy track: Start PIA/DPIA → PIA/DPIA Review → Revise PIA/DPIA → Revise Threat Model
Maintenance & EOL: “Wash/Repeat” the SSDL; Customer Comms & PSIRT
5. Live with your developers, residents vs. guests
18
• Be a part of the Product Planning and design discussions
• JOIN daily stand-ups and sprints
• Embrace their development cycles
• Deploy Architects to development teams to build together
• Mutually accountable for product delivery and success
4. Invent and create alternatives
19
• You are not a robot, yet …
• Adapt cybersecurity requirements to the actual world
• Set infrastructure; intent & guidance
– Limit cognitive dissonance with choices (Netflix)
– Platforms and shared components ← Cyber security helps source
Encryption Guidance   | Public Network | Private Network
Sensitive Data        | HIGHEST        | HIGHEST
Non-Sensitive Data    | LOWEST         | LOWEST
3. Track, Log exceptions, and escalate
20
• Code evolves and gets reused, so our tickets let us keep practicality matched to new truths.
– Assumptions evolve
– Client environments change
– Scope of product impact shifts
• All impact risk management and mitigation considerations
• All exceptions go beyond the security architect on the project:
– Product Security Leaders
– Chief Technology Officers (monthly)
2. Build and scale your knowledge with broader engineering
21
• Create the Passionate Few across the engineering organization
– Individuals not owned by Cyber or matrixed into cyber
– Give them training and free resources to develop their skill sets
– Support and over deliver on growing their careers
• We are not creating cybersecurity professionals, we are making
the engineering teams better
1. We must evolve too
22
• Our programs must also constantly evolve
– Weekly track our security metrics across all phases, programs, and
work with escalations directly
– Monthly review over entire governance, documentation (training, and
operational wikis), and make updates broadly
– Sit with our engineers, participate in planning at the business and
product level (early identify skill sets and tools we need)
– Report up to the CTO and CEO level; risks to act on, and customer
impact
– Annually we globally get together for deep dives & program updates
Be obsessed about these highly effective Cloud Security Controls for your Products
Attributes and habits for the win
Core Cloud - Controls, MEATY
24
• Minimize public-facing endpoints and other forms of public access to resources (starting with everything in a subscription/VPC)
• Make IAM decisions that can survive changes in employees and resources (start by putting virtual MFA on root and lock it up / throw it away)
• Take advantage of cloud security tools
• Automate as much as possible / get the humans away from the machines (Lambda functions, Functions, etc.)
• Consider a ‘bunker’ account for backups. This is a completely off-the-grid account, no IAM federation, and it’s where all critical backups get copied in case an account gets compromised or a disgruntled employee threatens to destroy data
– (coupled with least privilege, any employee should have limited, need-to-know access).
Reduce Attack Surface
25
• #1 thing we can do is reduce / eliminate existing publicly exposed cloud APIs, resources, storage accounts, etc.
• #2 thing we can do is disallow creating publicly accessible endpoints and services without an exception ticket
– for instance, don’t allow Redshift to be publicly accessible
• Utilize load balancers and aggressive security group rulesets
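The two previous slides (the core cloud controls and the attack-surface rules) describe checks a product security team would run continuously: nothing publicly reachable without an approved exception ticket, no world-open security group rules, and MFA on the root identity. The script below is an added example written for this page, not the deck's or Honeywell's own tooling. It runs the checks against a constructed inventory snapshot; the snapshot layout, the `publicly_accessible` flag, the exception register and the ticket ids are all assumptions made for the example, not any provider's real API.

```python
"""Offline cloud posture check (added example; inventory format is assumed)."""
from dataclasses import dataclass

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed account snapshot. Shape is illustrative only; a real run would
# populate this from the provider's describe/list APIs.
INVENTORY = {
    "root_mfa_enabled": False,
    "resources": [
        {"id": "redshift-analytics", "type": "redshift", "publicly_accessible": True},
        {"id": "api-gw-customer", "type": "api", "publicly_accessible": True},
        {"id": "blob-telemetry", "type": "storage", "publicly_accessible": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5439, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-app", "ingress": [{"port": 8080, "cidr": "10.0.0.0/8"}]},
    ],
}

# Constructed exception register: resource id -> approved exception ticket.
# Only resources listed here may be public; everything else is a finding.
EXCEPTIONS = {
    "api-gw-customer": "SEC-EXC-0042",  # hypothetical ticket id
    "sg-web": "SEC-EXC-0042",
}


@dataclass
class Finding:
    severity: str
    resource: str
    message: str


def check_root_mfa(inventory):
    """Root/owner identity must carry an MFA device (slide: virtual MFA on root)."""
    if inventory["root_mfa_enabled"]:
        return []
    return [Finding("CRITICAL", "root", "root identity has no MFA device")]


def check_public_resources(inventory, exceptions):
    """Publicly accessible resources are findings unless an exception ticket exists."""
    findings = []
    for res in inventory["resources"]:
        if res["publicly_accessible"] and res["id"] not in exceptions:
            findings.append(Finding(
                "HIGH", res["id"],
                f"{res['type']} is publicly accessible with no exception ticket"))
    return findings


def check_security_groups(inventory, exceptions):
    """Ingress open to the whole Internet is a finding unless excepted."""
    findings = []
    for sg in inventory["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] in WORLD_CIDRS and sg["id"] not in exceptions:
                findings.append(Finding(
                    "HIGH", sg["id"],
                    f"ingress port {rule['port']} open to {rule['cidr']} "
                    "with no exception ticket"))
    return findings


def run_posture_check(inventory, exceptions):
    """Run all checks; an empty list means the snapshot meets the baseline."""
    findings = check_root_mfa(inventory)
    findings += check_public_resources(inventory, exceptions)
    findings += check_security_groups(inventory, exceptions)
    return findings


if __name__ == "__main__":
    for f in run_posture_check(INVENTORY, EXCEPTIONS):
        print(f"[{f.severity}] {f.resource}: {f.message}")
```

Run as a scheduled job, the exception register becomes the control surface: a public endpoint is allowed only while its ticket exists, so removing the ticket re-opens the finding the next time the job runs.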
Root Credentials
26
• Don’t pass down root credentials
• Have Product Architecture hold the root key
– Product Architecture creates and gives lesser credentials for devs to execute
• Eliminate root actions – no actions where an engineer needs a root password
– Adopt a key management system (such as KMS)
Billing and Ownership
27
• Billing triggers
– Not just cost savings
– Allows for detecting and providing additional insights (e.g., a crypto-mining server)
• Account Service Owners
– Be sure 1 employee can’t walk away with full ownership
– Deny / Remove non-business managed email accounts on the Cloud
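A billing trigger of the kind the slide describes is a detection control, not just a cost control: an unexpected jump in spend in one service is often the first visible sign of abuse such as crypto-mining on compromised compute. The following is an added example, not the deck's or Honeywell's own code; the daily cost series, the window size and the thresholds are constructed assumptions, and a real deployment would feed the function from the provider's cost export.

```python
"""Billing spike trigger over a daily cost series (added example; data is constructed)."""
from statistics import median

# Constructed daily spend (USD) for one subscription, broken down by service.
# Days 1-7 are a steady baseline; day 8 carries a compute spike.
DAILY_COSTS = [
    {"day": "2024-03-01", "compute": 60.0, "storage": 30.0, "network": 10.0},
    {"day": "2024-03-02", "compute": 61.0, "storage": 30.0, "network": 11.0},
    {"day": "2024-03-03", "compute": 58.0, "storage": 30.0, "network": 10.0},
    {"day": "2024-03-04", "compute": 60.0, "storage": 31.0, "network": 10.0},
    {"day": "2024-03-05", "compute": 59.0, "storage": 30.0, "network": 10.0},
    {"day": "2024-03-06", "compute": 62.0, "storage": 31.0, "network": 10.0},
    {"day": "2024-03-07", "compute": 60.0, "storage": 30.0, "network": 10.0},
    {"day": "2024-03-08", "compute": 310.0, "storage": 31.0, "network": 12.0},
]


def daily_total(entry):
    """Sum all service costs for one day, ignoring the date key."""
    return sum(v for k, v in entry.items() if k != "day")


def detect_spend_spikes(costs, window=5, ratio=2.0, min_delta=50.0):
    """Flag days whose spend exceeds the trailing-window median by a ratio
    AND by an absolute floor (the floor stops tiny subscriptions from
    alerting on noise). Each alert names the service that grew the most
    against its own baseline, so the triage ticket points at the right team.
    Thresholds are example values, not a recommendation."""
    alerts = []
    for i in range(window, len(costs)):
        history = costs[i - window:i]
        baseline = median(daily_total(d) for d in history)
        today = daily_total(costs[i])
        if today > ratio * baseline and today - baseline > min_delta:
            growth = {}
            for svc in (k for k in costs[i] if k != "day"):
                svc_baseline = median(d[svc] for d in history)
                growth[svc] = costs[i][svc] - svc_baseline
            driver = max(growth, key=growth.get)
            alerts.append({
                "day": costs[i]["day"],
                "spend": today,
                "baseline": baseline,
                "driver": driver,
                "driver_increase": growth[driver],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_spend_spikes(DAILY_COSTS):
        print(f"{a['day']}: spend {a['spend']:.2f} vs baseline {a['baseline']:.2f}; "
              f"driver={a['driver']} (+{a['driver_increase']:.2f})")
```

Using the median rather than the mean keeps one earlier spike from raising the baseline and masking the next one; the per-service attribution is what turns a finance alert into an incident lead.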
Shiny Objects - resist
History supports that core elemental focus is critical
29
NOTHING has changed in the past 10 years:
• OWASP Top 10
• SANS Top 20
• Verizon Data Breach
…the top causes of breach remain fairly constant
The right thing is still the right thing
The only variable is whether you have to edge toward more or less practical controls, given the platform and customer nuances
Why IGNORING the shiny objects benefits you...
30
• Here are the advantages I have found...
• Allows you to improve on strengths
• Resources are spent where we gain the biggest impact
• Are we really stopping an APT?
• Prevents fatigue with cybersecurity in engineering teams
• Prevents burnout on the cybersecurity team
• Brain matter can focus on the organization’s custom needs
…I have found these to be disproportionately impactful at Google, Microsoft, and now Honeywell
A few of my favorite ‘Shiny Objects’
31
Don’t buy these or be distracted by them…
• Quantum Computing mood rings
• Diamond studded Blockchain charms
• Deception based security
• Cyber warfare tools
• Cryptojacking Attacks
• Software update supply chain attacks
• Coinminers
Long Tail - Foundational vs Shiny Controls
32
• Head of the curve – High ROI: Foundational Controls (Encryption, FWs, IAM, quality code, etc.)
• Long tail – Higher sophistication: Unique operational situations, Shiny objects
Send feedback to
@jdeluccia on twitter
How can you measure shiny impact needs for your org?
33
• % of coverage
• probability of impact
• customer event
• are we even using that tech or playing in that technology space?
• is that technology space in play for us now or near term?
Our focus for tomorrow
What should be our focus over the next few years?
35
• Supply chain - hardware, software, and partnerships in the
market (less isolation and more collaboration)
• Abstraction of services - continued refactoring of code and
product stack
• Growth of cybersecurity standards and practices across our
sectors
• Elemental security - further expanded
Actions, the most important
36
• Audit your coverage of security programs with the development
of new products (are you involved cradle to grave?)
• Create clarity of security objectives against product types and
your own control reference standard
• Connected products establish core basics - 100% vision of
resources; automation of scripts that trigger; empower
• Conduct root cause analysis against engineer behaviors to
discover cultural manifestations of policy
Please grab the expanded list on SlideShare.
37
All available for free on SlideShare, please consume & improve, plus 50+ articles posted on LinkedIn
My greatest thanks

08448380779 Call Girls In Friends Colony Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Cybersecurity model and top cloud security controls for product development engineering organizations

7. Long Tail of Security Controls
Refers to the value (impact) of a security control compared against all other controls.
Viewpoints and analysis are best done in house:
• Reflective of your product
• Customer use cases
• Technology truths
Send feedback to @jdeluccia on twitter

8. Long Tail of Security Controls
• Take a pragmatic view of your products, tooling, and platforms. Then apply a deployment priority that demands the table stakes first, and then allows for incremental expansions.
(Figure: ISA Level 1, ISA Level 2, ISA Level 3, ISA Level 4)

9. Context matters, examples

10. Relevance Matters More

11. Based on this lens, we prioritize controls
• Cloud deployments have Level 4 configs
• Endpoints utilize PKI service
• Detective and preventive controls adaptive to tech
• More details and specifics on back half...

12. Demonstrative Product Security Model
Practical and based on multi-organizational practices to deliver global digital and physical products with the cloud

13. Demonstrative Organizational Roles & Priority

14. PROGRAM Backbone - Standards
Demonstrative Examples:
• IOT/IIOT = ISA/IEC 62443, (DRAFT) NIST IOT Baseline
• Cloud = CSA STAR, SOC 2 Type 2
• Product or Process Certifications = ISASecure, UL 29001
• People = CSSLP, Ethical Hacker, CCSK, CCSP, CISSP + ISA/IEC 62443 Cybersecurity certificates
• SSDL = Microsoft Security Development Lifecycle
Together these guide our core controls. Architects define our product controls.

15. Set your management system and then layer in controls
(Figure: layered standards: ISA 62443; ISO 27001 / SDLC; ISO 27018; GDPR; FEDRAMP / ENISA / Govs Stds; ISO 27002; NIST / CSA)

16. How to focus your cybersecurity resources
Demonstrative method and tactics for product teams

17. 1. Embed and own the SDLC process
(Diagram, titled "6. Embed and own the SDLC process": phases Requirements, Design, Development, Testing, Deployment, Maintenance & EOL. Security artifacts placed along the phases: Involve Security Architect; Security/Privacy Requirements; Security Review Checklist; Security Risks; Threat Model; Security Tests; Security Manual; SIGN OFF. Privacy track: Start PIA/DPIA, PIA/DPIA Review, Revise PIA/DPIA, Revise Threat Model, "Wash/Repeat". Also shown: SSDL; Cust Comms & PSIRT.)

18. 5. Live with your developers, residents vs. guests
• Be a part of the Product Planning and design discussions
• JOIN daily stand-ups and sprints
• Embrace their development cycles
• Deploy Architects to development teams to build together
• Mutually accountable for product delivery and success

19. 4. Invent and create alternatives
• You are not a robot, yet …
• Adapt cybersecurity requirements to the actual world
• Set infrastructure; intent & guidance
  – Limit cognitive dissonance with choices (NetFlix)
  – Platforms and shared components ← Cyber security helps source
Encryption Guidance:
                      Public Network   Private Network
  Sensitive Data      HIGHEST          HIGHEST
  Non Sensitive Data  LOWEST           LOWEST

20. 3. Track, log exceptions, and escalate
• Code evolves and gets reused, thus our tickets allow us to keep practicality matched to new truths.
  – Assumptions evolve
  – Client environments change
  – Scope of product impact shifts
• All impact risk management and mitigation considerations
• All exceptions go beyond the security architect on the project:
  – Product Security Leaders
  – Chief Technology Officers (monthly)

21. 2. Build and scale your knowledge with broader engineering
• Create the Passionate Few across the engineering organization
  – Individuals not owned by Cyber or matrixed into cyber
  – Give them training and free resources to develop their skill sets
  – Support and over-deliver on growing their careers
• We are not creating cybersecurity professionals, we are making the engineering teams better

22. 1. We must evolve too
• Our programs must also constantly evolve
  – Weekly: track our security metrics across all phases and programs, and work with escalations directly
  – Monthly: review the entire governance and documentation (training, and operational wikis), and make updates broadly
  – Sit with our engineers, participate in planning at the business and product level (identify early the skill sets and tools we need)
  – Report up to the CTO and CEO level: risks to act on, and customer impact
  – Annually we get together globally for deep dives & program updates

23. Be obsessed about these highly effective Cloud Security Controls for your Products
Attributes and habits for the win

24. Core Cloud - Controls, MEATY
• Minimize public-facing endpoints and other forms of public access to resources (starting with everything in a subscription/VPC)
• Make IAM decisions that can survive changes in employees and resources (start by putting virtual MFA on root and lock it up / throw it away)
• Take advantage of Cloud security tools
• Automate as much as possible / get the humans away from the machines (Lambda functions, Functions, etc.)
• Consider a ‘bunker’ account for backups. This is a completely off-the-grid account, no IAM federation, and it’s where all critical backups get copied in case an account gets compromised or a disgruntled employee threatens to destroy data
  – (coupled with least privilege, any employee should have limited, need-to-know access)

25. Reduce Attack Surface
• #1 thing we can do is reduce / eliminate existing publicly exposed cloud APIs, resources, storage accounts, etc.
• #2 thing we can do is to disallow creating publicly accessible endpoints and services without an exception ticket
  – for instance, don’t allow RedShift to be publicly accessible
• Utilize Load Balancers and aggressive security group / rulesets
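Slides 24 and 25 ask for two things that are easy to state and easy to let slip: no public exposure that nobody asked for, and no new public endpoint without an exception ticket. The check below is an added example in Python, not code from the deck or from Honeywell; it runs over a constructed inventory (the Resource and ExceptionTicket shapes, the resource ids and the ticket fields are all assumptions modelled on a typical inventory export) and reports every internet-reachable resource whose ticket is missing, unapproved or expired.

```python
"""Inventory check for internet-exposed cloud resources lacking an approved
exception ticket. Added illustration; the Resource/ExceptionTicket shapes and
the sample data are constructed assumptions, not any vendor's export format."""
from dataclasses import dataclass, field
from datetime import date

# CIDRs that mean "any source on the internet" in an ingress rule.
INTERNET = {"0.0.0.0/0", "::/0"}


@dataclass
class Resource:
    rid: str                     # resource identifier (constructed)
    kind: str                    # storage, db, vm, lb, ...
    public_access: bool = False  # provider-level "publicly accessible" flag
    ingress: list = field(default_factory=list)  # allowed inbound (cidr, port) pairs


@dataclass
class ExceptionTicket:
    rid: str
    approved_by: str             # empty string = ticket raised but not approved
    expires: date


def internet_ports(res: Resource) -> list:
    """Ports reachable from the whole internet through this resource's ingress rules."""
    return sorted({port for cidr, port in res.ingress if cidr in INTERNET})


def is_internet_exposed(res: Resource) -> bool:
    """Exposed if the provider flag is set or any ingress rule admits the internet."""
    return res.public_access or bool(internet_ports(res))


def find_unapproved_exposure(resources, tickets, today):
    """Return (rid, reason) for each exposed resource without a valid ticket.
    A ticket counts only if it is approved and has not expired, so a lapsed
    exception surfaces again instead of silently staying open."""
    valid = {t.rid for t in tickets if t.approved_by and t.expires >= today}
    findings = []
    for res in resources:
        if not is_internet_exposed(res) or res.rid in valid:
            continue
        if res.public_access:
            reason = "provider public-access flag set"
        else:
            reason = f"internet ingress on ports {internet_ports(res)}"
        findings.append((res.rid, reason))
    return findings


# Constructed sample inventory; none of these are real resources.
SAMPLE_RESOURCES = [
    Resource("sa-telemetry", "storage", public_access=True),
    Resource("db-reporting", "db", ingress=[("0.0.0.0/0", 5439)]),
    Resource("lb-web", "lb", ingress=[("0.0.0.0/0", 443), ("::/0", 443)]),
    Resource("vm-build", "vm", ingress=[("10.0.0.0/8", 22)]),
]
SAMPLE_TICKETS = [
    ExceptionTicket("lb-web", "product-architect", date(2030, 1, 1)),      # valid
    ExceptionTicket("db-reporting", "product-architect", date(2019, 1, 1)),  # expired
]


def demo(today=date(2024, 6, 1)):
    """Run the check over the constructed inventory as of a fixed date."""
    return find_unapproved_exposure(SAMPLE_RESOURCES, SAMPLE_TICKETS, today)


if __name__ == "__main__":
    for rid, reason in demo():
        print(f"{rid}: {reason}")
```

Run as a recurring job over a real export, the two findings it produces here (the storage account with public access switched on, and the database whose exception lapsed) are exactly the "#1" and "#2" items on slide 25; the load balancer behind a live ticket is left alone, and the build host reachable only from private address space never enters the report.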
26. Root Credentials
• Don’t pass down root credentials
• Have Product Architecture hold the root key
  – Product Architecture creates and gives lesser credentials for devs to execute
• Eliminate Root Actions: no actions where an engineer needs a root password
  – Adopt a key management system (such as KMS)

27. Billing and Ownership
• Billing triggers
  – Not just cost savings
  – Allows for detecting and providing additional insights (i.e., crypto server)
• Account Service Owners
  – Be sure 1 employee can’t walk away with full ownership
  – Deny / Remove non-business managed email accounts on the Cloud
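Slides 26 and 27 each name a signal that should page someone: a root credential being used at all, an account one person could walk away with or that is owned from a non-business mailbox, and a spend jump that is not a cost matter but a possible "crypto server". The block below is an added example in Python, not the deck's or Honeywell's code; the audit-event, account and daily-cost shapes, the domain list and all sample values are constructed assumptions rather than any provider's log format.

```python
"""Account-governance signals from slides 26 and 27: root-credential use,
account ownership, and a billing trigger. Added illustration; the event,
account and cost shapes plus all sample values are constructed assumptions."""
from statistics import mean

# Mail domains the company manages (constructed value).
BUSINESS_DOMAINS = {"example-corp.com"}


def root_usage_findings(events):
    """events: dicts with keys time, principal, action, mfa.
    The target state is zero root actions, so every one is a finding;
    a root action performed without MFA is rated high."""
    findings = []
    for ev in events:
        if ev["principal"] != "root":
            continue
        severity = "medium" if ev.get("mfa") else "high"
        findings.append((ev["time"], ev["action"], severity))
    return findings


def ownership_findings(accounts):
    """accounts: dicts with keys id, owners (list of e-mail addresses).
    Flags accounts with a single owner and owners at non-business domains."""
    findings = []
    for acct in accounts:
        if len(acct["owners"]) < 2:
            findings.append((acct["id"], "single owner"))
        for owner in acct["owners"]:
            domain = owner.rsplit("@", 1)[-1].lower()
            if domain not in BUSINESS_DOMAINS:
                findings.append((acct["id"], f"non-business owner {owner}"))
    return findings


def billing_spike(daily_costs, factor=2.0, window=7):
    """True when the latest day's spend exceeds factor x the trailing-window mean.
    Too few days to form a baseline yields False rather than a guess."""
    if len(daily_costs) < window + 1:
        return False
    baseline = mean(daily_costs[-window - 1:-1])
    return daily_costs[-1] > factor * baseline


# Constructed sample data; principals, accounts and costs are invented.
SAMPLE_EVENTS = [
    {"time": "2024-06-01T08:00Z", "principal": "user/dev-a", "action": "ReadObject", "mfa": True},
    {"time": "2024-06-01T09:15Z", "principal": "root", "action": "CreateUser", "mfa": False},
    {"time": "2024-06-01T10:30Z", "principal": "root", "action": "ViewBilling", "mfa": True},
]
SAMPLE_ACCOUNTS = [
    {"id": "sub-prod-01", "owners": ["alice@example-corp.com", "bob@example-corp.com"]},
    {"id": "sub-dev-07", "owners": ["carol@personal-mail.example"]},
]
SAMPLE_COSTS = [40, 42, 41, 39, 43, 40, 42, 95]  # daily spend, last day jumps


def demo():
    """Collect the three governance signals over the constructed samples."""
    return {
        "root": root_usage_findings(SAMPLE_EVENTS),
        "ownership": ownership_findings(SAMPLE_ACCOUNTS),
        "billing_spike": billing_spike(SAMPLE_COSTS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The billing rule is deliberately crude (a fixed multiple of a seven-day mean) because the slide's point is that the trigger should exist at all; once it fires, the unexplained compute is the thing to look at, not the invoice.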
28. Shiny Objects - resist

29. History supports that core elemental focus is critical
NOTHING has changed in the past 10 years:
• OWASP Top 10,
• SANS Top 20,
• Verizon Data Breach
….. top causes of breach remain fairly constant
The right thing is still the right thing.
The only variable is whether you have to edge toward more or less practical controls given the platform and customer nuances.

30. Why IGNORING the shiny objects benefits you...
• Here are the advantages I have found...
• Allows you to improve on strengths
• Resources spent on where we gain the biggest impact
• Are we really stopping an APT?
• Prevents fatigue of cybersecurity in engineering teams
• Prevents burn-out of the cybersecurity team
• Brain matter can focus on the organization’s custom needs
…… I have found these to be disproportionately impactful at Google, Microsoft, and now Honeywell

31. A few of my favorite ‘Shiny Objects’
Don’t buy these or be distracted by them…
• Quantum Computing mood rings
• Diamond studded Blockchain charms
• Deception based security
• Cyber warfare tools
• Cryptojacking Attacks
• Software update supply chain attacks
• Coinminers

32. Long Tail - Foundational vs Shiny Controls
(Figure: long-tail curve. Head: High ROI; Foundational Controls (Encryption, FWs, IAM, quality code, etc.). Tail: Higher sophistication; Unique operational situations; Shiny objects.)
Send feedback to @jdeluccia on twitter

33. How can you measure shiny impact needs for your org?
• % of coverage;
• probability of impact;
• customer event;
• are we even using that tech or playing in that technology space;
• is that technology space in play for us now or near term?

34. Our focus for tomorrow

35. What should be our focus over the next few years?
• Supply chain - hardware, software, and partnerships in the market (less isolation and more collaboration)
• Abstraction of services - continued refactoring of code and product stack
• Growth of cybersecurity standards and practices across our sectors
• Elemental security - further expanded

36. Actions, the most important
• Audit your coverage of security programs with the development of new products (are you involved cradle to grave?)
• Create clarity of security objectives against product types and your own control reference standard
• Connected products: establish core basics - 100% vision of resources; automation of scripts that trigger; empower
• Conduct root cause analysis against engineer behaviors to discover cultural manifestations of policy

37. Please grab the expanded list on slideshare.
All available for free on Slideshare, please consume & improve
+ 50+ articles posted on LinkedIn
My greatest thanks