Ryan Jones - Security Convergence – Gold Mines and Pitfalls


Security Convergence – Gold Mines and Pitfalls
Ryan Jones

A Little About Me
Ryan Jones
Employment history:
- Manager of Physical Security and Social Engineering Practice, Trustwave SpiderLabs
- Previous places include Alternative Technology, IBM Security & Privacy, Safe Harbor, US West, .com's
- Red teaming, pentesting, business intelligence, etc.
Random other facts:
- Tiger Team, Exotic Liability podcast

Security Convergence
Definition: formal cooperation between two previously separate security functions.
NOTE: This does NOT always mean an organizational chart change.
Technologies Used
You've seen it and probably not realized it:
- Smart cards (RFID, chip, etc.)
- IP cameras
- Access-controlled doors
- Physical security management systems
Security Convergence: Quick History
Up until now the typical corporate structure has maintained two independent groups.
IT Security:
- Confidentiality
- Integrity
- Availability
Physical Security (or Facilities):
- Badging process
- CCTV
- Fire and police
- HVAC

Security Convergence: Quick History
Separate but similar; both groups are responsible for:
- Protecting data
- Business continuity
- Corporate asset protection
- The life cycle of an employee
Security Convergence: Present
Why are we starting to see this change?
- Need to cut costs
- Corporate compliance
- Attackers taking the path of least resistance
- Blended threats
- Gains in efficiency
Benefits of Security Convergence
- A complete security strategy helps keep security goals in sync with business goals
- Single point of contact
- Information sharing increases
- More versatile staff
- Saves money

Security Convergence
This all sounds great! So why are you giving this speech?
Possible Pitfalls
- Single point of failure
- A network breach can now affect you physically as well: once badge readers, door controllers and cameras are on the corporate network, a compromise of that network reaches the doors and the cameras
- People's egos
  "I'm not going to do anything to hurt your system or inhibit your business processes. I'm here to protect you so our CEO isn't standing before a congressional committee someday explaining why credit reports are in front of some gym locker." – Mecsics @ Equifax
- Cultural differences
- Information sharing

But wait… there's more
- Combining very different methodologies and capabilities
- Without proper evaluation of new tools and software, you can introduce even more vulnerabilities and risks into your environment
- The long-term cost benefit is there, but the initial cost is very high:
  - training
  - hardware installation/upgrades
  - let's not forget the cost in TIME
Security Convergence: YOU HAVE TO PLAN!
- This is not something you do because you read about it in a trade rag
- This is not something you copy from what another company did
- This is not something that will just plug and play into your organization
- This is not something that will necessarily even work for your organization currently
- This is not a quick fix for all your security problems
Planning
- Determine what style of merger will work best for YOUR organization
- Policies and procedures will need to change
- Make sure the right people are in the right jobs and are properly trained
- Network design
- Technology options
- Pilot deployment
- Obtain upper management support
More Information
- ASIS – http://www.asisonline.org
- Alliance for Enterprise Security Risk Management – http://www.aesrm.org (ASIS, ISACA, and ISSA)
Contact:
Ryan Jones
Twitter: lizborden
Email: rjones2@trustwave.com

That's it
QUESTIONS?