Here are the expanded presentation materials shared at the 2019 RSA Conference. They include a breakout of the most important cloud security areas, so you can make the most of the long tail concept shared in the deck.
The last 25 years have exposed old and new cybersecurity patterns. There is a primal draw to those hot and elite threat actors, to the detriment of common security. This presentation shares a practical cybersecurity method employed across our 300+ deployed cloud subscriptions and hundreds of products. Learn how to focus those vital engineering hours where they will benefit your customers the most.
Learning Objectives:
1: Learn how to balance your security requirements with product teams.
2: Understand what risks you need to include when in the minimum viable product world.
3: Learn how you can deliver products at scale that meet industrial security requirements.
Cybersecurity model and top cloud security controls for product development engineering organizations
1. #RSAC
SESSION ID: CSV-R11
The Advantage of Ignoring the Long Tail of Security: A Product View
James DeLuccia
Cybersecurity Cloud B2C & B2B, New Products, Honeywell
2. DO GOOD
GIVE YOUR TIME
HELP OUR WORLD
#RSAC
James DeLuccia
• Part of product engineering at Honeywell
• Core mission: Help create delightful customer experiences
• Major project work: Develop and introduce enhanced cybersecurity work patterns and technology on Azure
• Scale: Honeywell’s customers make up roughly 25% of all buildings globally; operate 300+ subscriptions online, and 100s of products online
• History: 25+ years in technology; Writer, Researcher, Patents
4. Honeywell Buildings Technology
• We currently serve 25% of all buildings in the world
• 1,000s of products that depend on the cloud service providers
• 100s of cloud subscriptions and millions of resources
• Millions of hardware end-points (IOT), handheld devices, and more with orchestration between fixed locations and the cloud
• Ongoing Challenge
– Deliver to market expectations, regulations, and a brand of trust
– Heavy evolution in our space
– Transformation of technology available in our space and utility
– Churn in regulation and geo-political relations impact our supply chain
5. Global product footprint, team, and market
• We build and sell products globally
• Leverage the leading cloud service providers
• Have a globally deployed team that reflects our developers
• Serve global markets and thus coordinate closely with local authorities and local partners
6. What is the long tail of security controls
Practicality and focus
7. Long Tail of Security Controls
Refers to the value (impact) of a security control compared against all other controls
Viewpoints and analysis are best done in house:
• Reflective of your product
• Customer use cases
• Technology truths
Send feedback to @jdeluccia on twitter
8. Long Tail of Security Controls
• Take a pragmatic view of your products, tooling, and platforms. Then apply a deployment priority that demands the table stakes first, and then allows for incremental expansions.
[Figure: long tail of security controls plotted across ISA Level 4, ISA Level 3, ISA Level 2, ISA Level 1]
9. Context matters, examples
11. Based on this lens, we prioritize controls
• Cloud deployments have Level 4 configs
• Endpoints utilize PKI service
• Detective and preventive controls adaptive to tech
• More details and specifics on back half...
13. Demonstrative Organizational Roles & Priority
14. PROGRAM Backbone - Standards
Demonstrative Examples:
• IOT/IIOT = ISA/IEC 62443, (DRAFT) NIST IOT Baseline
• Cloud = CSA STAR, SOC 2 Type 2
• Product or Process Certifications = ISASecure, UL 2900-1
• People = CSSLP, Ethical Hacker, CCSK, CCSP, CISSP + ISA/IEC 62443 Cybersecurity certificates
• SSDL = Microsoft Security Development Lifecycle
Together these guide our core controls
Architects define our product controls
15. Set your management system and then layer in controls
[Figure: layered standards: ISA 62443; ISO 27001 / SDLC; ISO 27018; GDPR; FEDRAMP / ENISA / Govs Stds; ISO 27002; NIST / CSA]
16. How to focus your cybersecurity resources
Demonstrative method and tactics for product teams
17. 6. Embed and own the SDLC process
[Figure: SSDL lifecycle diagram. Phases: Requirements, Design, Development, Testing, Deployment, Maintenance & EOL. Activities shown across the phases: Involve Security Architect; Security/Privacy Requirements; Security Review Checklist; Security Risks; Threat Model; Security Tests; Security Manual; SIGN OFF; Start PIA/DPIA; PIA/DPIA Review; Revise PIA/DPIA; Revise Threat Model; “Wash/Repeat”; Cust Comms & PSIRT]
18. 5. Live with your developers, residents vs. guests
• Be a part of the Product Planning and design discussions
• JOIN daily stand-ups and sprints
• Embrace their development cycles
• Deploy Architects to development teams to build together
• Mutually accountable for product delivery and success
19. 4. Invent and create alternatives
• You are not a robot, yet …
• Adapt cybersecurity requirements to the actual world
• Set infrastructure; intent & guidance
– Limit cognitive dissonance with choices (Netflix)
– Platforms and shared components ← Cyber security helps source

Encryption Guidance    Public Network    Private Network
Sensitive Data         HIGHEST           HIGHEST
Non Sensitive Data     LOWEST            LOWEST
20. 3. Track, Log exceptions, and escalate
• Code evolves and gets reused, so our exception tickets let us keep practicality matched to new truths.
– Assumptions evolve
– Client environments change
– Scope of product impact shifts
• All impact risk management and mitigation considerations
• All exceptions go beyond the security architect on the project:
– Product Security Leaders
– Chief Technology Officers (monthly)
21. 2. Build and scale your knowledge with broader engineering
• Create the Passionate Few across the engineering organization
– Individuals not owned by Cyber or matrixed into cyber
– Give them training and free resources to develop their skill sets
– Support and over deliver on growing their careers
• We are not creating cybersecurity professionals, we are making the engineering teams better
22. 1. We must evolve too
• Our programs must also constantly evolve
– Weekly track our security metrics across all phases, programs, and work with escalations directly
– Monthly review over entire governance, documentation (training, and operational wikis), and make updates broadly
– Sit with our engineers, participate in planning at the business and product level (early identify skill sets and tools we need)
– Report up to the CTO and CEO level; risks to act on, and customer impact
– Annually we globally get together for deep dives & program updates
23. Be obsessed about these highly effective Cloud Security Controls for your Products
Attributes and habits for the win
24. Core Cloud - Controls, MEATY
• Minimize public-facing endpoints and other forms of public access to resources (starting with everything in a subscription/VPC)
• Make IAM decisions that can survive changes in employees and resources (start by putting virtual MFA on root and lock it up / throw it away)
• Take advantage of Cloud security tools
• Automate as much as possible / get the humans away from the machines (lambda functions, Functions, etc.)
• Consider a ‘bunker’ account for backups. This is a completely off-the-grid account, no IAM federation, and it’s where all critical backups get copied in case an account gets compromised or a disgruntled employee threatens to destroy data
– (coupled with least privilege, any employee should have limited, need-to-know access).
25. Reduce Attack Surface
• #1 thing we can do is reduce / eliminate existing publicly exposed cloud APIs, resources, storage accounts, etc…
• #2 thing we can do is to disallow creating publicly accessible endpoints and services without an exception ticket
– for instance, don’t allow Redshift to be publicly accessible
• Utilize Load Balancers and aggressive security group / rulesets
26. Root Credentials
• Don’t pass down root credentials
• Have Product Architecture hold the root key
– Product Architecture creates and gives lesser credentials for devs to execute
• Eliminate Root Actions – no actions where an engineer needs a root password
– Adopt a key management system (such as KMS)
27. Billing and Ownership
• Billing triggers
– Not just cost savings
– Allows for detecting and providing additional insights (i.e., crypto server)
• Account Service Owners
– Be sure 1 employee can’t walk away with full ownership
– Deny / Remove non-business managed email accounts on the Cloud
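The core cloud controls of the last four slides (no public endpoints without an exception ticket, root locked behind MFA and never used by engineers, ownership that survives staff changes, billing spikes as a detective signal) can be expressed as a small account baseline check. This is an added example, not Honeywell's or the presenter's code; the account and resource records are constructed inline in a vendor-neutral shape, and the dict keys and the example.com domain are assumptions, not any cloud provider's real API.

```python
# Added example, not Honeywell's or the presenter's code: baseline checks for the
# deck's core cloud controls over constructed data (dict keys are assumptions).
from statistics import median

BUSINESS_DOMAIN = "example.com"  # assumed managed corporate email domain

def check_public_exposure(resources):
    """Public endpoints are denied unless an exception ticket tag is present."""
    return [f"{r['kind']} {r['name']} is public without an exception ticket"
            for r in resources
            if r["public"] and not r.get("tags", {}).get("exception-ticket")]

def check_root(account):
    """Root carries MFA and is never part of an engineer's workflow."""
    findings = []
    if not account["root_mfa"]:
        findings.append("root credentials have no MFA")
    if account["root_used_last_90d"]:
        findings.append("root credentials were used in the last 90 days")
    return findings

def check_owners(account):
    """Ownership must survive staff changes: at least 2 business-managed owners."""
    owners = account["owners"]
    findings = [f"owner {e} is not a business-managed account"
                for e in owners if not e.lower().endswith("@" + BUSINESS_DOMAIN)]
    if len(owners) < 2:
        findings.append("a single employee holds full ownership")
    return findings

def check_spend(account, factor=3.0):
    """Billing trigger: latest day far above the recent median (e.g. a crypto server)."""
    *history, today = account["daily_spend"]  # USD per day, oldest first
    if len(history) >= 3 and today > factor * median(history):
        return [f"spend {today} exceeds {factor}x the recent median {median(history)}"]
    return []

def evaluate(account):
    # All findings for one account; an empty list means the baseline holds.
    return (check_public_exposure(account["resources"]) + check_root(account)
            + check_owners(account) + check_spend(account))

def sample_account():
    """Constructed data: a public warehouse, a ticketed load balancer, a personal owner."""
    return {
        "root_mfa": True, "root_used_last_90d": False, "daily_spend": [100, 110, 95, 105, 480],
        "owners": ["arch@example.com", "bob@gmail.com"],
        "resources": [
            {"name": "analytics", "kind": "warehouse", "public": True},
            {"name": "ingress", "kind": "load-balancer", "public": True,
             "tags": {"exception-ticket": "SEC-1"}}]}
```

Running `evaluate(sample_account())` yields three findings: the untagged public warehouse, the personal-email owner, and the spend spike; the ticketed load balancer passes.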
29. History supports that core elemental focus is critical
NOTHING has changed in the past 10 years -
• OWASP Top 10,
• SANS Top 20,
• Verizon Data Breach
… top causes of breach remain fairly constant
The right thing is still the right thing
The only variable is whether you have to edge toward more or less practical controls given the platform and customer nuances
30. Why IGNORING the shiny objects benefits you...
• Here are the advantages I have found...
• Allows you to improve on strengths
• Resources spent on where we gain the biggest impact
• Are we really stopping an APT?
• Prevents fatigue of cybersecurity in engineering teams
• Prevents burn out from cybersecurity team
• Brain matter can focus on the organization’s custom needs
… I have found these to be disproportionately impactful at Google, Microsoft, and now Honeywell
31. A few of my favorite ‘Shiny Objects’
Don’t buy these or be distracted by them…
• Quantum Computing mood rings
• Diamond studded Blockchain charms
• Deception based security
• Cyber warfare tools
• Cryptojacking Attacks
• Software update supply chain attacks
• Coinminers
32. Long Tail - Foundational vs Shiny Controls
• High ROI: Foundational Controls (Encryption, FWs, IAM, quality code, etc.)
• Higher sophistication: Unique operational situations, Shiny objects
Send feedback to @jdeluccia on twitter
33. How can you measure shiny impact needs for your org?
• % of coverage;
• probability of impact;
• customer event;
• are we even using that tech or playing in that technology space;
• is that technology space in play for us now or near term?
35. What should be our focus over the next few years?
• Supply chain - hardware, software, and partnerships in the market (less isolation and more collaboration)
• Abstraction of services - continued refactoring of code and product stack
• Growth of cybersecurity standards and practices across our sectors
• Elemental security - further expanded
36. Actions, the most important
• Audit your coverage of security programs with the development of new products (are you involved cradle to grave?)
• Create clarity of security objectives against product types and your own control reference standard
• Connected products establish core basics - 100% vision of resources; automation of scripts that trigger; empower
• Conduct root cause analysis against engineer behaviors to discover cultural manifestations of policy
37. Please grab the expanded list on slideshare.
All available for free on Slideshare, please consume & improve, plus 50+ articles posted on LinkedIn
My greatest thanks