
One Security Device to Rule Them All

Presented on May 3, 2012 for InnoTech Oregon. All rights reserved

Published in: Technology, Business


  1. One Security Device To Rule Them All. NW ISSA Security Summit, InnoTech, May 3 2012, Portland OR, Oregon Convention Center.
  2. Technology Landscape
     - Emergent intelligence
     - A new digital world order
     - Widespread connectivity
     - Boundarylessness (B*YOD)
     - Hyper-embeddedness
     - Lingering legacy
     * Brought
     (Slide footer, repeated on each slide: The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy. 5/3/12)
  3. Cybersecurity Landscape
     - Research, espionage, organized crime, cyber/info warfare
     - Nation state quality defense is the new norm
     - Inference and aggregation
     - Cyber-kinetic impacts
     - Engineering vs. security
  4. Advantage: Adversaries. Intelligent, adaptive adversaries exist. They don't follow the rules or compliance checklists. They have people, money and time. How do you stop them?
  5. You've Probably Got…
  6. And Some of This…
  7. And Even Some of This…
  8. You Have a Technology Problem
     - The solution is not MORE technology
     - Bolt-on security
     - Complexity
     - Maintenance
     - Testing
  9. The One Device To Rule Them All
     - Best defense against a human is a human
     - Aware Person System
     - Security is both art AND science
     - Culture shift
     - Maintenance
  10. You Need People
     - Technology alone will not make you secure
     - Humans are the weakest AND strongest link in any system
     - Protip: unskilled/untrained operators of power tools can cause significant damage
     - Turn your humans into security benefits instead of security liabilities
  11. The Insider Threat
  12. Beyond Malice
     - Hanlon's Razor: never attribute to malice that which is adequately explained by incompetence
     - Accidents, lack of focus, curiosity, laziness, haste, fatigue…
     - They may have no idea that they are the conduit [ignorance/bliss]
  13. Engage, Equip, Empower
     - So you've bought all of the fancy cybersecurity gizmos… What about the skilled staff?
     - So you've installed cameras… What about the staff to monitor and respond to incidents?
     - An appropriate balance of skilled people and current technology must be used
  14. Security Awareness
     - Best money spent on security is awareness
     - Social engineering tests are a waste of money
     - Basic security is not a mysterious dark art
     - Treat security like safety, or any other company-wide effort
  15. Security Conscience
     - Security is everyone's job, but everyone learns and receives information differently
     - Avoid one-size-fits-most approaches
     - Brand/functional recognition can help
     - Real examples, both business and personal
     - Humorous, but professional (no humiliation)
     - Done right, EVERYONE will be your security staff
  16. Culture Shift
     - Passwords for candy
     - "Cylinders of Excellence"
     - Not Invented Here
     - Coffee, beer and/or the woodshed
     - Tone at the top is required
  17. Security Supports the Business
     - Whatever your business mission is, security should support it, not impair it
     - Security's answer shouldn't be "No" but rather "Yes, IF…"
     - You are a security GOD, but you need to leave your ego behind and put on your business hat
     - Remember your job is RISK MANAGEMENT, not security
  18. The Business Needs Security
     - Security! Now in Project Phase One!
     - The business question should be "will this increase our risk exposure?"
     - Yes, you are the best Project Manager EVAH, but you need to think like a hacker
     - Not all security can be automated
     - Remember, your job is RISK MANAGEMENT
  19. The Big Picture
     - Continuous Monitoring is a noble goal
       - Requires a solid logging and monitoring foundation
       - When implemented correctly, it can be the cybersecurity "Holy Grail"
       - Merges cyber and physical; people and technology
       - Realtime telemetry and situational awareness
       - Changes behavior, the hardest problem to solve with the highest security benefit
       - Highest maturity and lowest risk
  20. Summary
     - Security technology won't protect you by itself
     - You need skilled, well-equipped people to prevent, detect and respond to security matters (tactical and strategic)
     - One will not work without the other
  21. Questions? Patrick C Miller, President & CEO, EnergySec; Principal Investigator, National Electric Sector Cybersecurity Organization. patrick.miller@energysec.org, 503.446.1212 (desk), @patrickcmiller (twitter), www.energysec.org
