One Security Device to Rule Them All

Presented on May 3, 2012 for InnoTech Oregon. All rights reserved
  1. One Security Device To Rule Them All
     NW ISSA Security Summit, InnoTech, May 3 2012, Portland OR, Oregon Convention Center
  2. Technology Landscape
     • Emergent intelligence
     • A new digital world order
     • Widespread connectivity
     • Boundarylessness (B*YOD)
     • Hyper-embeddedness
     • Lingering legacy
     * Brought
     The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy. 5/3/12
  3. Cybersecurity Landscape
     • Research, espionage, organized crime, cyber/info warfare
     • Nation state quality defense is the new norm
     • Inference and aggregation
     • Cyber-kinetic impacts
     • Engineering vs. security
  4. Advantage: Adversaries
     Intelligent, adaptive adversaries exist. They don’t follow the rules or compliance checklists. They have people, money and time. How do you stop them?
  5. You’ve Probably Got…
  6. And Some of This…
  7. And Even Some of This…
  8. You Have a Technology Problem
     • The solution is not MORE technology
     • Bolt-on security
     • Complexity
     • Maintenance
     • Testing
  9. The One Device To Rule Them All
     • Best defense against a human is a human
     • Aware Person System
     • Security is both art AND science
     • Culture shift
     • Maintenance
  10. You Need People
     • Technology alone will not make you secure
     • Humans are the weakest AND strongest link in any system
     • Protip: unskilled/untrained operators of power tools can cause significant damage
     • Turn your humans into security benefits instead of security liabilities
  11. The Insider Threat
  12. Beyond Malice
     • Hanlon’s Razor: never attribute to malice that which is adequately explained by incompetence
     • Accidents, lack of focus, curiosity, laziness, haste, fatigue…
     • They may have no idea that they are the conduit [ignorance/bliss]
  13. Engage, Equip, Empower
     • So you’ve bought all of the fancy cybersecurity gizmos… What about the skilled staff?
     • So you’ve installed cameras… What about the staff to monitor and respond to incidents?
     • An appropriate balance of skilled people and current technology must be used
  14. Security Awareness
     • Best money spent on security is awareness
     • Social engineering tests are a waste of money
     • Basic security is not a mysterious dark art
     • Treat security like safety, or any other company-wide effort
  15. Security Conscience
     • Security is everyone’s job, but everyone learns and receives information differently
     • Avoid one-size-fits-most approaches
     • Brand/functional recognition can help
     • Real examples, both business and personal
     • Humorous, but professional (no humiliation)
     • Done right, EVERYONE will be your security staff
  16. Culture Shift
     • Passwords for candy
     • “Cylinders of Excellence”
     • Not Invented Here
     • Coffee, beer and/or the woodshed
     • Tone at the top is required
  17. Security Supports the Business
     • Whatever your business mission is, security should support it, not impair it
     • Security’s answer shouldn’t be “No” but rather “Yes, IF…”
     • You are a security GOD, but you need to leave your ego behind and put on your business hat
     • Remember your job is RISK MANAGEMENT, not security
  18. The Business Needs Security
     • Security! Now in Project Phase One!
     • The business question should be “will this increase our risk exposure?”
     • Yes, you are the best Project Manager EVAH, but you need to think like a hacker
     • Not all security can be automated
     • Remember, your job is RISK MANAGEMENT
  19. The Big Picture
     • Continuous Monitoring is a noble goal
       – Requires a solid logging and monitoring foundation
       – When implemented correctly, it can be the cybersecurity “Holy Grail”
       – Merges cyber and physical; people and technology
       – Realtime telemetry and situational awareness
       – Changes behavior, the hardest problem to solve with the highest security benefit
       – Highest maturity and lowest risk
  20. Summary
     • Security technology won’t protect you by itself
     • You need skilled, well equipped people to prevent, detect and respond to security matters (tactical and strategic)
     • One will not work without the other
  21. Questions?
     Patrick C Miller
     President & CEO, EnergySec
     Principal Investigator, National Electric Sector Cybersecurity Organization
     patrick.miller@energysec.org
     503.446.1212 (desk)
     @patrickcmiller (twitter)
     www.energysec.org