The Six essential security services
Hinne Hettema
IT Security Team Leader
The University of Auckland
Email: h.hettema@auckland.ac.nz
PGP Key ID: B1EA7147 | PGP Key Fingerprint: AC12 2983 2EA1 B328 95BB B4AE EDA5 8E90 B1EA 7147
NZISF | 9 February 2017 | Auckland
root@myops:~# whoami
• Theoretical chemist and philosopher by training (PhD 1993 and 2012)
• Wrote DALTON program code [in FORTRAN]
• Played with supercomputers such as Cray Y-MP
• First got hacked in 1991
• Worked 15 years as IT Infrastructure architect for various NZ
companies
• Now lead the IT Security team @UoA by day
• Public speaker and cybersecurity blogger, Gartner Research Circle
• Present at technical cyber security conferences
root@myops:~# whoami > graphic
My mission:
Become a ‘second generation’ security leader, focusing on the security challenges of new
technology for large organisations: the cloud, threat intelligence handling and sharing, and
big data initiatives to drive an improved security posture for complex organisations.
Contents
1. The root of the problem
2. A conventional view: cyber security is a business problem
3. A maverick view: cyber security is a business problem
4. The six essential security services
5. A call to action
The root of the problem
Security train wreck: why the mess?
The IT industry creates and maintains eternal economic disincentives to
build better security into anything:
1. Rapid consumerisation, hence feature driven development (security
is not a feature)
2. Time and Cost driven market model (lowering quality)
3. Security has to be relearned at each new phase of development
(why, oh why is ‘telnet’ the most common IoT port?)
With IoT, to make it worse, these disincentives are meeting:
4. Long expected lifetimes
And the business response
Operational Security dimension | Fear | Resilience
Security posture | Reactive | Proactive
Incident approach | Panic [denial, anger, bargaining] | Controlled chaos
Security team HR | “we need a fall guy” | “build the team”
Security monitoring | Haphazard; [worse] vendor driven | Controls based on attacker behaviour/movement, known exploit risks, known vulnerability/exposure
Predictability | None / little | Anticipated events
People impact | Burn-out | Busy
Security perception | IT problem: hackers are nerds doing bad things! | Business problem: hackers are people too
Defence focus | Border; fortress; defence in depth | “Assume breach”; immune system; resilience and antifragility
A conventional view: cyber security is a business problem
Cyber security as a risk exercise
• Cybersecurity usually seen as an area of tactical IT risk
• Risk treatment strategies
• Accept (who accepts what risk on behalf of whom?)
• Mitigate (what to put in place?)
• Transfer (insurance?)
• Two notes
• Trends cannot always be extrapolated
• Cyber security risk is ‘black swan’ territory, so actuarial calculations are
problematic
All your risks are belong to us
• Tactical IT risk hides cybersecurity risk safely somewhere in the realm
of the ‘techies’
The four mistakes people make when looking to get security leadership:
1. Short-change how much risk is actually involved
2. Get the reporting structure wrong
3. Overemphasise the technical
4. Looking for five-legged unicorns (the ‘skill shortage’)
http://www.heidrick.com/Knowledge-Center/Publication/Four-mistakes-to-avoid-when-hiring-your-next-security-chief
Compliance focus
• Compliance is not a comprehensive
answer to risk
• Rather than a baseline, compliance
becomes the end-goal (understandable if
the starting point is abject non-compliance…)
• Focus on compliance can lead to a ‘box-ticking’ exercise and poorly conceived or
mis-scoped security solutions
Governance, Risk, Compliance
What can possibly go wrong…?
• Cybersecurity usually seen as an area of tactical IT risk (risk of mis-scoping)
• Struggle to get from the IT department up to board level
• Focus on compliance leads to box-ticking exercise
• Compliance concerns drive security solutions that don’t work
• This gives security a bad name
• Solution: disband your security team…
If all this works so badly, let’s just…
A maverick view: cyber security is a business problem
Recognise the true complexity
http://cyber-analysis.blogspot.co.nz/2014/10/cyber-terrain-model-for-increased.html
Crims and others on the cyber terrain…
• Unlike ‘acts of god’, attacks are intentional
Cyber attack is a very attractive mode of crime or espionage / sabotage
• Very large economies of scale
• Very low chance of getting caught
• Very easy to do in different jurisdictions, so low chance of conviction
• Methods and tools readily available
• In large quantity and variety
Prospect theory and your cybers
• GRC models are based on ‘rational behaviour’
• We are evolutionarily primed to prefer fast solutions that help us
survive (something rustles in the bushes…)
• Daniel Kahneman: Thinking, Fast and Slow
• Look at prospect theory
• A loss feels 2.25 times as bad as a similar gain feels good
• Overweight small probabilities, and underweight big ones
• Defenders: avoid a big loss (becoming the next Sony), overestimate small
probabilities (APT), easy attitude to adopt is to become big risk takers (spend
megabucks on some flashing lights automated kill chain mitigation device)
The ‘operations dilemma’
• Good cyber security depends on a lot of small things done well
• Which each help to mitigate a ‘small loss’
• Or have small gains
Operations?
• It’s ‘operational’, and hence it’s cost minimised
• Or it’s assumed ‘done already’
• Operational people outside security often have a ‘break fix’ attitude
(incentivise lack of outages), so no patching, no hygiene, ‘but it works’
Outcomes of the ‘operations dilemma’
1. Many criminally under-adopted (hard to get budget for) tools
• 2FA or two-step verification
• Canaries (thinkst or canary.tools)
• Understanding the threats in your context – any logging and monitoring
projects
• Certificate health and maintenance
2. Overspending on high risk technical solutions
• Non-contextualised threat intelligence feeds and tooling
• Automated threat mitigation tools
• ‘Prevention’ and DLP tools
‘Operations Dilemma’ restated
• We can get action if there are massive and costly breaches
• Otherwise it’s hard to get visibility and budget
• We don’t help ourselves: Department of ‘No’
• How many of us can
• Provide instant and up to date metrics on small breaches and incidents
• Define the services that the security team provides to the rest of the
organisation?
• Work our people in virtual teams, devops, cloud?
• Work with agencies and trust groups if required?
Strategic aspects of cyber security
Consider this
• Almost all ‘new’ business is heavily digital or has IT as a central
component
• Existing and new customers need to trust you if they are to continue
business with you
• We want to use ‘cloud’ to cut costs
• We’re rapidly re-engineering ‘IT’ from waterfall to DevOps
• ‘Cloud’ is a strategic choice and changes all security architectures we
have so far been comfortable with (firewalls will become irrelevant)
Where to focus security operations?
‘Services’ help define ‘security’ in terms the rest of the business
understands
• Compliance approach is still primarily preventive
• ‘Beyond compliance’ is proactive, predictive and corrective in each
stage of the IT factory
• Step 1: What can we learn from actual breaches that happened to us?
The six essential security services: best practice, maturity, examples
The six essential security services
• Strategy
• Policies
• Architecture
• Penetration testing
• Monitoring and Alerting
• Incident response
Strategy: why
• Cyber security is now firmly a matter of boards, who need education
themselves (a good strategy can help)
• No longer ‘just an IT issue’
• Security is becoming exponentially more complex: it’s about
maintaining trust in the digital assets of an organization,
understanding the threats to that trust, and sharing that intelligence
with the community in a controlled fashion
• Security landscape changes incredibly quickly
• Strategy needs to be forward looking and anticipate changes
Strategy: how
• Strategy is narrative and
contextual
• Focus on two upper levels of the
pyramid of pain in your business
context
• The ‘why’ of the attack
landscape is most important
• Build on existing strengths:
reputation, mission, values,
value chain
David Bianco: The pyramid of pain http://detect-respond.blogspot.co.nz/2013/03/the-pyramid-of-pain.html
Strategy: forward or backward looking
Recommended strategic settings:
• Assume breach
• Fully informed management
• Threat hunting, collection and
intelligence program
• Address how to work with
agencies – legal, organisational,
reputational
Backward looking strategy is focusing on
• Compliance
• Anything with ‘ISO’
• Risk management
Forward looking strategy focuses on
• Antifragility
• Resilience
• Threat hunting and discovery
• Cloud enablement
• Trust and its implementation
Policies: how, why, maturity
• My least favourite area!
• Writing is easy, adoption is key
• Can plunder other sites, but no substitute for understanding your
own business
Maturity
• Immature: Policies for each technology element
• Mature: Policies focusing on trust anchors, data classification, use
Architecture
Aim for Defensible Architecture
Understand and document the key elements driving security posture:
1. Security zones: geographic, legal, physical, logical (not just defence
in depth!)
2. User, workload and data perimeters
3. Trust calculations for user / data access or data / data access
4. Controls and detection
Key architecture practices
• Trust modelling
• Threat modelling
• Mitigations integrated with a risk framework
• Monitoring and detection baked in from day 1
Penetration / security testing
• Works two ways:
• Backward into the next design iteration
• Forward into deploying operational protection
• And bugs can get fixed
• Mix of manual and automated
• Works on application hardening
• Aspect of QA – integrate with QA service?
Penetration testing: maturity
Immature
• Run an automated scan across every web site
Mature
• Do your architects threat model? Great! You’ve just got yourself a test
plan for penetration testing
• Don’t forget your buildings, access cards, shadow cloud
• For stuff that you can’t fix: implement deployment controls
Monitoring and Alerting
• Think along the threat chain
• Understand the various stages of an attack, at least conceptually and
in the context of your business
• Select detection, mitigation and tooling techniques that suit your
business
• Be wary of ‘automated kill chain mitigation’ tools
Attack stages: the ‘kill chain’
Source: A “Kill Chain” Analysis of the
2013 Target Data Breach: Majority Staff
Report For Chairman Rockefeller, March
26, 2014, diagram attributed to
Lockheed Martin
The kill chain as a detection tool
Source: A “Kill Chain” Analysis of the
2013 Target Data Breach: Majority Staff
Report For Chairman Rockefeller, March
26, 2014
Tooling examples
• Ingress / egress at the border
• Flow data
• Packet captures
• IDS close to key services
• Logon / logoff intelligence
• System logs
• Host systems – HIDS / HIPS / system hardening
Kill chain derived Tooling Matrix
Columns: Border | Hosts | Internal network | Storage | …
Discovery: NIDS; Referrers; Flows, patterns
Weaponisation: FW Logs
Delivery: FW, Flows; AV, EMET, HID[P]S
Exploitation: NIS; AV; Internal IDS
Installation: HID[P]S, Configuration, Ports; Files, changes
Lateral movement: FW, Logs, flow data
Command and Control: Flows, Egress traffic; File access
Actions on objectives: Flows; Destruction
Alerting strategy
Leading principle: Alerts are based on contextualised data
Example – automate this:
• IDS detects attack against a server [say, ssh brute forcing]
• When was the last vulnerability scan done?
• Where is the report?
• Should a report be run now?
• Is the server vulnerable to this attack? [Yes / Maybe / No]
Contextualisation
• This can drive the ‘big data threat intelligence’ strategy
• Can’t buy everything
• Your own logs and auth records are key components
• Consolidate on noSQL solution, with large storage
• Automate threat indicator collection
• Do not generate alerts if not necessary
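The contextualisation step the two slides above describe (take the IDS alert, ask when the last scan ran, where the report is, whether to rescan and whether the host is actually vulnerable, then alert only when necessary), as an added Python example that is not from the talk; the alert fields, the scan store, the 30-day freshness window and the host names are constructed assumptions:

```python
# Contextualised alerting: enrich an IDS alert with vulnerability-scan state
# before deciding whether, and how loudly, to alert. Added example, not code
# from the talk; alert fields, scan store, host names and the 30-day window
# are all constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SCAN_MAX_AGE = timedelta(days=30)   # assumption: older reports trigger a rescan
NOW = datetime(2017, 2, 9)          # assumption: the talk date, used as "now"


@dataclass
class Alert:
    host: str
    signature: str   # what the IDS saw, e.g. "ssh brute force"
    service: str     # service the signature targets, e.g. "ssh"


@dataclass
class ScanReport:
    host: str
    scanned_at: datetime
    report_url: str
    # service -> open findings for that service; a service absent from the
    # dict was not assessed by the scan at all
    findings: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Decision:
    vulnerable: str                 # "Yes" / "Maybe" / "No", as on the slide
    last_scan: Optional[datetime]   # when was the last vulnerability scan done?
    report_url: Optional[str]       # where is the report?
    rescan: bool                    # should a report be run now?
    raise_alert: bool               # do we page an analyst at all?
    priority: str                   # "high" / "medium" / "info"


def contextualise(alert: Alert, store: Dict[str, ScanReport], now: datetime) -> Decision:
    """Answer the slide's four questions for one alert and decide on alerting."""
    report = store.get(alert.host)

    # Never scanned: we cannot say either way, so alert at medium and queue a scan.
    if report is None:
        return Decision("Maybe", None, None, True, True, "medium")

    stale = now - report.scanned_at > SCAN_MAX_AGE
    service_findings = report.findings.get(alert.service)

    # Report too old, or the attacked service was never assessed: treat as
    # unknown, alert at medium and request a fresh scan.
    if stale or service_findings is None:
        return Decision("Maybe", report.scanned_at, report.report_url, True, True, "medium")

    # Fresh scan shows the attacked service has open findings: high priority.
    if service_findings:
        return Decision("Yes", report.scanned_at, report.report_url, False, True, "high")

    # Fresh scan, service assessed, nothing open: record it, do not page anyone.
    return Decision("No", report.scanned_at, report.report_url, False, False, "info")


# Constructed sample scan store (hosts, dates, findings and URLs are made up).
SCAN_STORE = {
    "web01": ScanReport("web01", datetime(2017, 1, 20),
                        "https://scans.example.invalid/web01/20170120",
                        {"ssh": ["password authentication enabled"], "http": []}),
    "app01": ScanReport("app01", datetime(2017, 2, 1),
                        "https://scans.example.invalid/app01/20170201",
                        {"ssh": [], "http": []}),
    "db01": ScanReport("db01", datetime(2016, 6, 1),
                       "https://scans.example.invalid/db01/20160601",
                       {"ssh": []}),
}


if __name__ == "__main__":
    for a in [Alert("web01", "ssh brute force", "ssh"),
              Alert("app01", "ssh brute force", "ssh"),
              Alert("db01", "ssh brute force", "ssh"),
              Alert("lab07", "ssh brute force", "ssh")]:
        d = contextualise(a, SCAN_STORE, NOW)
        print(f"{a.host}: vulnerable={d.vulnerable} priority={d.priority} "
              f"alert={d.raise_alert} rescan={d.rescan} last_scan={d.last_scan}")
```

Only the fresh-and-vulnerable case pages at high priority; a fresh clean scan is logged and suppressed, and anything unknown or stale both alerts at medium and queues a rescan so the next alert on that host is better informed.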
Incident response: maturity
• No maturity: nothing or headless chicken
• Low maturity: SIEM
• Lots of false positives
• Analysts sit waiting for an alarm to go off
• Passive activity, turning you into a victim
• No capability to consume and use threat intelligence
• High maturity:
• Contextualised TI, warning early in kill chain
• Blue teaming
• Active hunting
The elites: Threat Intelligence Sharing
• Open source feeds
• Sharing collectives / trust groups
• Commercial feeds
• Your own attack intelligence
• Network
• Memory
• Antivirus
• Logs
• Enterprise data stores
A call to action
Where to from here?
• Start with an understanding of the business
• A full-fledged security strategy not necessary on day 1, but executive
support is required
• Start with incidents, monitoring and alerting and build out from there
• If that’s hard, think ‘logs’
• Architecture / threat modelling your processes is next
• Put monitoring and alerting around identified threats (past incidents)
• Investigate incidents in depth to understand your adversary
Key considerations in security leadership
1. Drive from tactical to strategic: know how to articulate the
dimensions of ‘trust’ and ‘security’ for new business
2. Step out of tech: Understand ‘security’ in terms of the ‘cyber
terrain’ (people, process, technology)
3. Drive the closure of the incident response loop (organisational
learning)
4. Develop and contextualise threat intelligence by enriching logs and
incident data before buying expensive platforms and feeds
5. Work with agencies and trust groups
http://www.heidrick.com/Knowledge-Center/Publication/Does_Your_Security_Chief_Have_Board_Level_Commercial_Savvy
Questions?

More Related Content

What's hot

Dynamic Cyber Defense
Dynamic Cyber DefenseDynamic Cyber Defense
Dynamic Cyber Defense
EnergySec
 
#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...
#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...
#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...
Jane Alexander
 

What's hot (20)

IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics security
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing business
 
Info Sec2007 End Point Final
Info Sec2007   End Point FinalInfo Sec2007   End Point Final
Info Sec2007 End Point Final
 
Trustwave Cybersecurity Education Catalog
Trustwave Cybersecurity Education CatalogTrustwave Cybersecurity Education Catalog
Trustwave Cybersecurity Education Catalog
 
Security challenges in 2017
Security challenges in 2017Security challenges in 2017
Security challenges in 2017
 
Beware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopBeware the Firewall My Son: The Workshop
Beware the Firewall My Son: The Workshop
 
The 5 ws of Cyber Security
The 5 ws of Cyber SecurityThe 5 ws of Cyber Security
The 5 ws of Cyber Security
 
Dynamic Cyber Defense
Dynamic Cyber DefenseDynamic Cyber Defense
Dynamic Cyber Defense
 
Sweden dell security
Sweden dell securitySweden dell security
Sweden dell security
 
Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...
Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...
Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...
 
Nonprofit IT Trends 2018
Nonprofit IT Trends 2018Nonprofit IT Trends 2018
Nonprofit IT Trends 2018
 
Rapid Risk Assessment: A New Approach to Risk Management
Rapid Risk Assessment: A New Approach to Risk ManagementRapid Risk Assessment: A New Approach to Risk Management
Rapid Risk Assessment: A New Approach to Risk Management
 
CISO's first 100 days
CISO's first 100 daysCISO's first 100 days
CISO's first 100 days
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
Fns Incident Management Powered By En Case
Fns Incident Management Powered By En CaseFns Incident Management Powered By En Case
Fns Incident Management Powered By En Case
 
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day Threats
 
Integrating Cyber Security Alerts into the Operator Display
Integrating Cyber Security Alerts into the Operator DisplayIntegrating Cyber Security Alerts into the Operator Display
Integrating Cyber Security Alerts into the Operator Display
 
#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...
#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...
#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...
 
NESCO Town Hall Workforce Development Presentation
NESCO Town Hall Workforce Development PresentationNESCO Town Hall Workforce Development Presentation
NESCO Town Hall Workforce Development Presentation
 

Similar to NZISF Talk: Six essential security services

SAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptxSAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
hforhassan101
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
Mark Simos
 

Similar to NZISF Talk: Six essential security services (20)

Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptxSAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
What your scanner isn't telling you
What your scanner isn't telling youWhat your scanner isn't telling you
What your scanner isn't telling you
 
Trending it security threats in the public sector
Trending it security threats in the public sectorTrending it security threats in the public sector
Trending it security threats in the public sector
 
The Datacenter Security Continuum
The Datacenter Security ContinuumThe Datacenter Security Continuum
The Datacenter Security Continuum
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021
 
The myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MISThe myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MIS
 
Managing security threats in today’s enterprise
Managing security threats in today’s enterpriseManaging security threats in today’s enterprise
Managing security threats in today’s enterprise
 
Sem 001 sem-001
Sem 001 sem-001Sem 001 sem-001
Sem 001 sem-001
 
Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial Services
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
Improve Information Security Practices in the Small Enterprise
Improve Information Security Practices in the Small EnterpriseImprove Information Security Practices in the Small Enterprise
Improve Information Security Practices in the Small Enterprise
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat Modelling
 

Recently uploaded

valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
nirzagarg
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
nilamkumrai
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
imonikaupta
 

Recently uploaded (20)

valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls  DubaiAl Barsha Night Partner +0567686026 Call Girls  Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298  )#  Call Girls in DubaiRussian Call Girls in %(+971524965298  )#  Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 

NZISF Talk: Six essential security services

  • 1. The Six essential security services Hinne Hettema IT Security Team Leader The University of Auckland Email: h.hettema@auckland.ac.nz PGP Key ID: B1EA7147 | PGP Key Fingerprint: AC12 2983 2EA1 B328 95BB B4AE EDA5 8E90 B1EA 7147 NZISF | 9 February 2017 | Auckland
  • 2. root@myops:~# whoami • Theoretical chemist and philosopher by training (PhD 1993 and 2012) • Wrote DALTON program code [in FORTRAN] • Played with supercomputers such as Cray Y-MP • First got hacked in 1991 • Worked 15 years as IT Infrastructure architect for various NZ companies • Now lead the IT Security team @UoA by day • Public speaker and cybersecurity blogger, Gartner Research Circle • Present at technical cyber security conferences
  • 4. My mission: Become a ‘second generation’ security leader, focusing on the security challenges of new technology for large organisations: the cloud, threat intelligence handling and sharing, and big data initiatives to drive an improved security posture for complex organisations.
  • 5. Contents 1. The root of the problem 2. A conventional view: cyber security is a business problem 3. A maverick view: cyber security is a business problem 4. The six essential security services 5. A call to action
  • 6. The root of the problem
  • 7. Security train wreck: why the mess? The IT industry creates and maintains eternal economic disincentives to build better security into anything: 1. Rapid consumerisation, hence feature driven development (security is not a feature) 2. Time and Cost driven market model (lowering quality) 3. Security has to be relearned at each new phase of development (why, oh why is ‘telnet’ the most common IoT port?) With IoT, to make it worse, these disincentives are meeting: 4. Long expected lifetimes
  • 8. And the business response Operational Security dimension Fear Resilience Security posture Reactive Proactive Incident approach Panic [denial, anger, bargaining] Controlled chaos Security team HR “we need a fall guy” “build the team” Security monitoring Haphazard [Worse] Vendor driven Controls based on • attacker behaviour/movement • known exploit risks • known vulnerability/exposure Predictability None / little Anticipated events People impact Burn-out Busy Security perception IT problem Hackers are nerds doing bad things! Business problem Hackers are people too Defence focus Border Fortress Defence in depth “Assume breach” Immune system Resilience and antifragility
  • 9. A conventional view: cyber security is a business problem
• 10. Cyber security as a risk exercise
  • Cybersecurity is usually seen as an area of tactical IT risk
  • Risk treatment strategies:
    • Accept (who accepts what risk on behalf of whom?)
    • Mitigate (what to put in place?)
    • Transfer (insurance?)
  • Two notes:
    • Trends cannot always be extrapolated
    • Cyber security risk is ‘black swan’ territory, so actuarial calculations are problematic
• 11. All your risks are belong to us
  • Tactical IT risk hides cybersecurity risk safely somewhere in the realm of the ‘techies’
  The four mistakes people make when looking for security leadership:
  1. Short-change how much risk is actually involved
  2. Get the reporting structure wrong
  3. Overemphasise the technical
  4. Look for five-legged unicorns (the ‘skill shortage’)
  http://www.heidrick.com/Knowledge-Center/Publication/Four-mistakes-to-avoid-when-hiring-your-next-security-chief
• 12. Compliance focus
  • Compliance is not a comprehensive answer to risk
  • Rather than a baseline, compliance becomes the end goal (understandable if the starting point is abject non-compliance…)
  • Focus on compliance can lead to a ‘box-ticking’ exercise and poorly conceived or mis-scoped security solutions
• 13. Governance, Risk, Compliance: what can possibly go wrong…?
  • Cybersecurity is usually seen as an area of tactical IT risk (risk of mis-scoping)
  • Struggle to get from the IT department up to board level
  • Focus on compliance leads to a box-ticking exercise
  • Compliance concerns drive security solutions that don’t work
  • This gives security a bad name
  • Solution: disband your security team…
• 14. If all this works so badly, let’s just…
  • 15. A maverick view: cyber security is a business problem
  • 16. Recognise the true complexity http://cyber-analysis.blogspot.co.nz/2014/10/cyber-terrain-model-for-increased.html
• 17. Crims and others on the cyber terrain…
  • Unlike ‘acts of god’, attacks are intentional
  • Cyber attack is a very attractive mode of crime or espionage / sabotage:
    • Very large economies of scale
    • Very low chance of getting caught
    • Very easy to do across jurisdictions, so low chance of conviction
    • Methods and tools readily available, in large quantity and variety
• 18. Prospect theory and your cybers
  • GRC models are based on ‘rational behaviour’
  • We are evolutionarily primed to prefer fast solutions that help us survive (something rustles in the bushes…)
  • Daniel Kahneman: Thinking, Fast and Slow
  • Look at prospect theory:
    • A loss feels about 2.25 times as bad as a similar gain feels good
    • We overweight small probabilities and underweight big ones
  • Defenders: avoid a big loss (becoming the next Sony), overestimate small probabilities (APT); the easy attitude to adopt is to become a big risk taker (spend megabucks on some flashing-lights automated kill chain mitigation device)
• 19. The ‘operations dilemma’
  • Good cyber security depends on a lot of small things done well
    • Each of which helps to mitigate a ‘small loss’
    • Or has a small gain
  • Operations?
    • It’s ‘operational’, and hence its cost is minimised
    • Or it’s assumed ‘done already’
    • Operational people outside security often have a ‘break/fix’ attitude (they are incentivised to avoid outages), so no patching, no hygiene, ‘but it works’
• 20. Outcomes of the ‘operations dilemma’
  1. Many criminally under-adopted (hard to get budget for) tools
    • 2FA or two-step verification
    • Canaries (thinkst or canary.tools)
    • Understanding the threats in your context – any logging and monitoring projects
    • Certificate health and maintenance
  2. Overspending on high-risk technical solutions
    • Non-contextualised threat intelligence feeds and tooling
    • Automated threat mitigation tools
    • ‘Prevention’ and DLP tools
• 21. ‘Operations dilemma’ restated
  • We can get action if there are massive and costly breaches
  • Otherwise it’s hard to get visibility and budget
  • We don’t help ourselves: the Department of ‘No’
  • How many of us can:
    • Provide instant and up-to-date metrics on small breaches and incidents?
    • Define the services that the security team provides to the rest of the organisation?
    • Work our people in virtual teams, DevOps, cloud?
    • Work with agencies and trust groups if required?
• 22. Strategic aspects of cyber security
  Consider this:
  • Almost all ‘new’ business is heavily digital or has IT as a central component
  • Existing and new customers need to trust you if they are to continue doing business with you
  • We want to use ‘cloud’ to cut costs
  • We’re rapidly re-engineering ‘IT’ from waterfall to DevOps
  • ‘Cloud’ is a strategic choice and changes all the security architectures we have so far been comfortable with (firewalls will become irrelevant)
• 23. Where to focus security operations?
  ‘Services’ help define ‘security’ in terms the rest of the business understands
  • The compliance approach is still primarily preventive
  • ‘Beyond compliance’ is proactive, predictive and corrective at each stage of the IT factory
  • Step 1: What can we learn from actual breaches that happened to us?
  • 25. The six essential security services: best practice, maturity, examples
• 26. The six essential security services
  • Strategy
  • Policies
  • Architecture
  • Penetration testing
  • Monitoring and Alerting
  • Incident response
• 27. Strategy: why
  • Cyber security is now firmly a matter for boards, who need education themselves (a good strategy can help)
  • No longer ‘just an IT issue’
  • Security is becoming exponentially more complex: it’s about maintaining trust in the digital assets of an organisation, understanding the threats to that trust, and sharing that intelligence with the community in a controlled fashion
  • The security landscape changes incredibly quickly
  • Strategy needs to be forward looking and anticipate changes
• 28. Strategy: how
  • Strategy is narrative and contextual
  • Focus on the two upper levels of the pyramid of pain (tools and TTPs) in your business context
  • The ‘why’ of the attack landscape is most important
  • Build on existing strengths: reputation, mission, values, value chain
  David Bianco: The pyramid of pain
  http://detect-respond.blogspot.co.nz/2013/03/the-pyramid-of-pain.html
• 29. Strategy: forward or backward looking
  Recommended strategic settings:
  • Assume breach
  • Fully informed management
  • Threat hunting, collection and intelligence program
  • Address how to work with agencies – legal, organisational, reputational
  Backward looking strategy focuses on:
  • Compliance
  • Anything with ‘ISO’
  • Risk management
  Forward looking strategy focuses on:
  • Antifragility
  • Resilience
  • Threat hunting and discovery
  • Cloud enablement
  • Trust and its implementation
• 30. Policies: how, why, maturity
  • My least favourite area!
  • Writing is easy, adoption is key
  • You can plunder other sites, but there is no substitute for understanding your own business
  Maturity
  • Immature: policies for each technology element
  • Mature: policies focusing on trust anchors, data classification, use
• 31. Architecture
  Aim for defensible architecture. Understand and document the key elements driving security posture:
  1. Security zones: geographic, legal, physical, logical (not just defence in depth!)
  2. User, workload and data perimeters
  3. Trust calculations for user / data access or data / data access
  4. Controls and detection
• 32. Key architecture practices
  • Trust modelling
  • Threat modelling
  • Mitigations integrated with a risk framework
  • Monitoring and detection baked in from day 1
• 33. Penetration / security testing
  • Works two ways:
    • Backward into the next design iteration
    • Forward into deploying operational protection
    • And bugs can get fixed
  • Mix of manual and automated
  • Works on application hardening
  • Aspect of QA – integrate with the QA service?
• 34. Penetration testing: maturity
  Immature
  • Run an automated scan across every web site
  Mature
  • Do your architects threat model? Great! You’ve just got yourself a test plan for penetration testing
  • Don’t forget your buildings, access cards, shadow cloud
  • For stuff that you can’t fix: implement deployment controls
• 35. Monitoring and Alerting
  • Think along the threat chain
  • Understand the various stages of an attack, at least conceptually and in the context of your business
  • Select detection, mitigation and tooling techniques that suit your business
  • Be wary of ‘automated kill chain mitigation’ tools
  • 36. Attack stages: the ‘kill chain’ Source: A “Kill Chain” Analysis of the 2013 Target Data Breach: Majority Staff Report For Chairman Rockefeller, March 26, 2014, diagram attributed to Lockheed Martin
  • 37. The kill chain as a detection tool Source: A “Kill Chain” Analysis of the 2013 Target Data Breach: Majority Staff Report For Chairman Rockefeller, March 26, 2014
• 38. Tooling examples
  • Ingress / egress at the border
  • Flow data
  • Packet captures
  • IDS close to key services
  • Logon / logoff intelligence
  • System logs
  • Host systems – HIDS / HIPS / system hardening
• 39. Kill chain derived tooling matrix

| Stage | Border | Hosts | Internal network | Storage | … |
| --- | --- | --- | --- | --- | --- |
| Discovery | NIDS | Referrers | Flows, patterns | | |
| Weaponisation | FW | Logs | | | |
| Delivery | FW, Flows | AV, EMET, HID[P]S | | | |
| Exploitation | NIDS | AV | Internal IDS | | |
| Installation | | HID[P]S, Configuration | Ports | Files, changes | |
| Lateral movement | | | FW, Logs, flow data | | |
| Command and Control | Flows, Egress traffic | | | File access | |
| Actions on objectives | Flows | | | Destruction | |
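The matrix above says which sensor speaks to which stage; the operational question is how to use that to decide when a host is worth a human's time. The following is an added example, not code from the deck or its author: it tags constructed telemetry with the kill-chain stage it evidences (pairings follow the matrix) and rolls events up per host, so that a host seen at several stages is escalated instead of every single sensor hit paging someone. The event fields, the (sensor, signal) vocabulary and the escalation threshold are assumptions made for the example.

```python
# Added example, not from the slide deck: map telemetry to kill-chain stages
# and escalate hosts that have progressed along the chain. The (sensor, signal)
# names, Event layout and min_stages threshold are assumptions.
from collections import defaultdict
from dataclasses import dataclass

# Kill-chain stages in attack order.
STAGES = [
    "discovery", "weaponisation", "delivery", "exploitation",
    "installation", "lateral_movement", "command_and_control",
    "actions_on_objectives",
]

# Hypothetical (sensor, signal) -> stage mapping derived from the matrix.
SIGNAL_STAGE = {
    ("nids", "scan"): "discovery",                      # border NIDS
    ("web", "odd_referrer"): "discovery",               # host referrers
    ("firewall", "inbound_block"): "delivery",          # border FW
    ("av", "detection"): "exploitation",                # host AV
    ("hids", "file_change"): "installation",            # host HIDS
    ("hids", "new_service"): "installation",
    ("flow", "internal_fanout"): "lateral_movement",    # internal flow data
    ("flow", "egress_beacon"): "command_and_control",   # egress traffic
    ("storage", "mass_read"): "actions_on_objectives",  # file access
}


@dataclass(frozen=True)
class Event:
    sensor: str
    signal: str
    host: str


def stage_of(event):
    """Kill-chain stage a single event evidences, or None if unmapped."""
    return SIGNAL_STAGE.get((event.sensor, event.signal))


def correlate(events):
    """Per host, the sorted list of distinct stage indices observed."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage is not None:
            seen[ev.host].add(STAGES.index(stage))
    return {host: sorted(idx) for host, idx in seen.items()}


def escalate(events, min_stages=2):
    """Hosts seen at >= min_stages distinct stages, with the furthest stage
    reached, which is where the responder should start looking."""
    escalated = {}
    for host, idx in correlate(events).items():
        if len(idx) >= min_stages:
            escalated[host] = STAGES[max(idx)]
    return escalated


# Constructed telemetry: one host progresses along the chain, two others
# produce isolated hits that on their own are noise.
SAMPLE = [
    Event("nids", "scan", "web01"),
    Event("firewall", "inbound_block", "web01"),
    Event("hids", "file_change", "web01"),
    Event("flow", "egress_beacon", "web01"),
    Event("av", "detection", "pc17"),
    Event("flow", "internal_fanout", "fs02"),
    Event("syslog", "cron_run", "fs02"),   # unmapped signal, ignored
]

if __name__ == "__main__":
    for host, stage in escalate(SAMPLE).items():
        print(f"{host}: escalate, furthest stage {stage}")
```

With the sample data only web01 is escalated (furthest stage: command and control); the single AV hit on pc17 and the single flow anomaly on fs02 stay in the queue. Lowering `min_stages` to 1 turns the function back into a plain per-sensor alerter, which is exactly the noisy behaviour the deck warns against.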
• 40. Alerting strategy
  Leading principle: alerts are based on contextualised data
  Example – automate this:
  • IDS detects an attack against a server [say, ssh brute forcing]
  • When was the last vulnerability scan done?
  • Where is the report?
  • Should a report be run now?
  • Is the server vulnerable to this attack? [Yes / Maybe / No]
• 41. Contextualisation
  • This can drive the ‘big data threat intelligence’ strategy
  • Can’t buy everything
  • Your own logs and auth records are key components
  • Consolidate on a noSQL solution, with large storage
  • Automate threat indicator collection
  • Do not generate alerts if not necessary
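The ssh brute-force example on slide 40 and the "do not generate alerts if not necessary" rule on slide 41 are the same automation seen from two sides. The following is an added example, not code from the deck or its author: it joins one IDS alert with the last vulnerability scan of the target host to answer the slide's questions (when was it scanned, where is the report, should it be rescanned, is the host exposed: yes / maybe / no) and only pages on a definite yes. The scan inventory, alert fields, the 30-day freshness window and the rule tying ssh brute forcing to password authentication are assumptions made for the example.

```python
# Added example, not from the slide deck: contextualise an IDS alert against
# the host's last vulnerability scan. SCANS, ALERTS, MAX_SCAN_AGE and the
# EXPOSURE rule are constructed assumptions.
from datetime import datetime, timedelta

MAX_SCAN_AGE = timedelta(days=30)   # assumed policy: older scans are stale

# Constructed scan inventory keyed by host address.
SCANS = {
    "10.0.0.5": {
        "scanned_at": datetime(2017, 1, 20),
        "report": "scans/10.0.0.5-20170120.html",
        "findings": {"ssh": {"password_auth": True}},
    },
    "10.0.0.9": {
        "scanned_at": datetime(2017, 2, 1),
        "report": "scans/10.0.0.9-20170201.html",
        "findings": {"ssh": {"password_auth": False}},
    },
    "10.0.0.12": {
        "scanned_at": datetime(2016, 9, 1),          # stale
        "report": "scans/10.0.0.12-20160901.html",
        "findings": {"ssh": {"password_auth": False}},
    },
}

# Hypothetical rules: IDS attack class -> (service, finding) that makes the
# attack meaningful against the target.
EXPOSURE = {
    "ssh_bruteforce": ("ssh", "password_auth"),
}


def contextualise(alert, scans, now):
    """Answer the slide's questions for one IDS alert.

    'vulnerable' is 'yes'/'no' only when a fresh scan has a finding for the
    attack class; anything unknown or stale is 'maybe' and triggers a rescan.
    """
    host = alert["dst"]
    ctx = {"host": host, "attack": alert["class"], "last_scan": None,
           "report": None, "rescan": True, "vulnerable": "maybe"}
    scan = scans.get(host)
    if scan is None:
        return ctx                      # never scanned: maybe, rescan now
    ctx["last_scan"] = scan["scanned_at"].date().isoformat()
    ctx["report"] = scan["report"]
    stale = now - scan["scanned_at"] > MAX_SCAN_AGE
    ctx["rescan"] = stale
    rule = EXPOSURE.get(alert["class"])
    if rule is None or stale:
        return ctx                      # no rule or stale data: maybe
    service, finding = rule
    exposed = scan["findings"].get(service, {}).get(finding)
    if exposed is None:
        ctx["rescan"] = True            # scan did not cover this finding
        return ctx
    ctx["vulnerable"] = "yes" if exposed else "no"
    return ctx


def should_alert(ctx):
    """Page only on 'yes'; 'no' is dropped, 'maybe' goes to the rescan queue."""
    return ctx["vulnerable"] == "yes"


# Constructed IDS events: same attacker, four targets.
ALERTS = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "class": "ssh_bruteforce"},
    {"src": "203.0.113.7", "dst": "10.0.0.9", "class": "ssh_bruteforce"},
    {"src": "203.0.113.7", "dst": "10.0.0.12", "class": "ssh_bruteforce"},
    {"src": "203.0.113.7", "dst": "10.0.0.77", "class": "ssh_bruteforce"},
]
NOW = datetime(2017, 2, 9)

if __name__ == "__main__":
    for alert in ALERTS:
        ctx = contextualise(alert, SCANS, NOW)
        action = "page" if should_alert(ctx) else "queue/drop"
        print(ctx["host"], ctx["vulnerable"], ctx["rescan"], action)
```

Of the four constructed alerts only the one against 10.0.0.5 pages: the host was scanned within the window and still allows password authentication over ssh. The host with a fresh clean scan is dropped, and the stale and never-scanned hosts both land in the rescan queue rather than in an analyst's inbox, which is the "maybe" path the slide calls for. The same join works against any store that keeps scan results and auth logs side by side; the point is that the enrichment runs before, not after, the alert is raised.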
• 42. Incident response: maturity
  • No maturity: nothing, or headless chicken
  • Low maturity: SIEM
    • Lots of false positives
    • Analysts sit waiting for an alarm to go off
    • Passive activity, turning you into a victim
    • No capability to consume and use threat intelligence
  • High maturity:
    • Contextualised TI, warning early in the kill chain
    • Blue teaming
    • Active hunting
• 43. The elites: Threat Intelligence Sharing
  • Open source feeds
  • Sharing collectives / trust groups
  • Commercial feeds
  • Your own attack intelligence:
    • Network
    • Memory
    • Antivirus
    • Logs
    • Enterprise data stores
  • 44. A call to action
• 45. Where to from here?
  • Start with an understanding of the business
  • A full-fledged security strategy is not necessary on day 1, but executive support is required
  • Start with incidents, monitoring and alerting, and build out from there
  • If that’s hard, think ‘logs’
  • Architecture / threat modelling of your processes is next
  • Put monitoring and alerting around identified threats (past incidents)
  • Investigate incidents in depth to understand your adversary
• 46. Key considerations in security leadership
  1. Drive from tactical to strategic: know how to articulate the dimensions of ‘trust’ and ‘security’ for new business
  2. Step out of tech: understand ‘security’ in terms of the ‘cyber terrain’ (people, process, technology)
  3. Drive the closure of the incident response loop (organisational learning)
  4. Develop and contextualise threat intelligence by enriching logs and incident data before buying expensive platforms and feeds
  5. Work with agencies and trust groups
  http://www.heidrick.com/Knowledge-Center/Publication/Does_Your_Security_Chief_Have_Board_Level_Commercial_Savvy