Successfully reported this slideshow.
Your SlideShare is downloading. ×

No More Snake Oil: Why InfoSec Needs Security Guarantees

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad

Check these out next

1 of 39 Ad

No More Snake Oil: Why InfoSec Needs Security Guarantees

Download to read offline

Ever notice how everything in InfoSec is sold “as is”? No guarantees, no warrantees, no return policies. For some reason in InfoSec, providing customers with a form of financial coverage for their investment is seen as gimmicky, but the tides and times are changing. This talk discusses use cases on why guarantees are a must have and how guarantees benefit customers as well as InfoSec as a whole.

Ever notice how everything in InfoSec is sold “as is”? No guarantees, no warrantees, no return policies. For some reason in InfoSec, providing customers with a form of financial coverage for their investment is seen as gimmicky, but the tides and times are changing. This talk discusses use cases on why guarantees are a must have and how guarantees benefit customers as well as InfoSec as a whole.

Advertisement
Advertisement

More Related Content

Slideshows for you (20)

Similar to No More Snake Oil: Why InfoSec Needs Security Guarantees (20)

Advertisement

More from Jeremiah Grossman (20)

Advertisement

No More Snake Oil: Why InfoSec Needs Security Guarantees

  1. 1. No More Snake Oil: © 2015 WhiteHat Security, Inc. Jeremiah Grossman Founder WhiteHat Security, Inc. @jeremiahg Why InfoSec Needs Security Guarantees
  2. 2. Ever notice how everything in the Information Security is sold “AS-IS”? • No Guarantees • No Warranties • No Return Policies © 2015 WhiteHat Security, Inc.
  3. 3. © 2015 WhiteHat Security, Inc. Unlike every day ‘real world’ products…
  4. 4. Customer challenges… • Difficult telling security vendors apart. • Justifying the business value of security products to management. • Trusting security vendors since their interests are misaligned. © 2015 WhiteHat Security, Inc. Answer: Security Guarantees
  5. 5. © 2015 WhiteHat Security, Inc. 5
  6. 6. © 2015 WhiteHat Security, Inc. “According to the IT research and advisory firm [Gartner], global IT security spending will reach $71.1 billion this year [2014], which represents an increase of 7.9% compared to 2013. Next year, spending will grow even more, reaching $76.9 billion.” Security Industry Spends Billions
  7. 7. © 2015 WhiteHat Security, Inc. In 2014, 71% of security professionals said their networks were breached. 22% of them victimized 6 or more times. This increased from 62% and 16% respectively from 2013. 52% said their organizations will likely be successfully hacked in the next 12 months. This is up from 39% in 2013. Result: Every Year is the Year of the Hack Survey of security professionals by CyberEdge Group
  8. 8. © 2015 WhiteHat Security, Inc. AppSec: Too Many Vulns, Too Little Time
  9. 9. © 2015 WhiteHat Security, Inc. Windows of Exposure
  10. 10. © 2015 WhiteHat Security, Inc.
  11. 11. © 2015 WhiteHat Security, Inc. • As of 2014, American businesses were expected to pay up to $2 billion on cyber- insurance premiums, a 67% spike from $1.2 billion spent in 2013. • Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth. • It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance. Downside Protection
  12. 12. © 2015 WhiteHat Security, Inc. “Premiums for a $1 million plan are generally $5,000 to $10,000 annually, though that can vary based on several factors, including the company's revenue, cyber-risk management efforts and the coverage chosen, Fenaroli said. For hospitals, premiums can be much larger—sometimes more than $100,000 or even $1 million for larger health systems, he said.”
  13. 13. © 2015 WhiteHat Security, Inc. Sony Pictures Entertainment holds $60 million in Cyber insurance with Marsh, according to documents leaked by the group claiming responsibility for the attack on the movie studio. “The documents, covered in detail by Steve Ragan at CSO, say that after sonypictures.com was breached in 2011, Sony made a claim of $1.6 million with Hiscox, its Cyber provider at the time. The insurer declined to quote at renewal, so Sony Pictures turned to Lockton, which brokered a $20 million policy that included $10 million in self- insured retention.”
  14. 14. © 2015 WhiteHat Security, Inc. “Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.” “Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.”
  15. 15. © 2015 WhiteHat Security, Inc. “Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.” Insurers providing excess layers of cyber coverage include: Lloyd's of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.
  16. 16. © 2015 WhiteHat Security, Inc. “Liability enforcement is essential. Remember that I said the costs of bad security are not borne by the software vendors that produce the bad security. In economics this is known as an externality: a cost of a decision that is borne by people other than those making the decision. However it happens, liability changes everything. Currently, there is no reason for a software company not to offer more features, more complexity, more versions. Liability forces software companies to think twice before changing something. Liability forces companies to protect the data they're entrusted with.”
  17. 17. Objections to Security Guarantees © 2015 WhiteHat Security, Inc. "You're not entitled to take a view, unless and until you can argue better against that view than the smartest guy who holds that opposite view. If you can argue better than the smartest person who holds the opposite view, that is when you are entitled to hold a certain view." Charlie Munger Vice-Chairman Berkshire Hathaway
  18. 18. © 2015 WhiteHat Security, Inc. Rebuttal: Nothing is ever 100% secure, just like no every-day product is 100% reliable. With product performance data, even if unable to provide 100% protection, offering security guarantees is possible. Objection: 100% security is impossible.
  19. 19. © 2015 WhiteHat Security, Inc. Rebuttal: It’s contractually possible to specify exactly what a security guarantee covers and disclaim excessively risky events and unknowns. Insurance companies do this routinely. Objection: Guarantees can’t keep up.
  20. 20. © 2015 WhiteHat Security, Inc. Rebuttal: Today we’re in the era of the cloud, managed services, and products routinely phoning home for updates, all providing real-time access to an ample supply of performance data. Objection: Vendors don’t have the data.
  21. 21. © 2015 WhiteHat Security, Inc. Rebuttal: For organizations capable of performing effective forensic investigations, identifying the gap in the defense or the product that failed, is entirely possible. Objection: Pinpointing product failure is difficult.
  22. 22. © 2015 WhiteHat Security, Inc. Rebuttal: Security guarantees and cyber- security insurance typically cover only hard costs associated with downtime, legal feels, incident response, credit monitoring, fines, and so on. Objection: Soft costs are hard to quantify.
  23. 23. © 2015 WhiteHat Security, Inc. Rebuttal: Security guarantees represent a unique opportunity for vendors to differentiate from competitors and an opportunity for customers to demand more effective products. Objection: Security vendors don’t want the liability.
  24. 24. © 2015 WhiteHat Security, Inc. Rebuttal: Like many other products we buy, guarantees only covers intended use. Security vendors can specify how their product is meant to be used for its effectiveness to be guaranteed. Objection: Improper product use is often the cause.
  25. 25. © 2015 WhiteHat Security, Inc. 2014-2015 Annual Spending Increase Information Security Spending (N. America) ~$2.4 billion in new spending (+7.8%) Cyber-Security Insurance ~$1.34 Billion in new spending (+67%) Forecast Overview: Information Security, Worldwide, 2014 Update (Gartner Published: 25 June 2014) 1/3 of the budget left on the table! 1,340,000 2,400,000
  26. 26. © 2015 WhiteHat Security, Inc. “We also asked about the importance of being offered a ‘security guarantee’ by cloud service providers. Three- quarters of respondents (74%) say it’s ‘Very Important’ that cloud providers offer a guarantee, and another 22% say ‘Somewhat Important.’ Companies not using cloud place a greater importance on security guarantees than current users. As such, security guarantees give cloud service providers an opportunity to attract new customers.” Subsidiary of 451 Research Survey of 1,097 respondents involved in their company's IT buying decisions (Jul, 2014). 445 currently uses public cloud.
  27. 27. © 2015 WhiteHat Security, Inc. Customer challenges… Difficult telling security vendors apart. Justifying the business value of security products to management. Trusting security vendors since their interests are misaligned. Security guarantees help customers differentiate truly effective security products from those that are…less effective. Security guarantees help quantify the value of security products in dollars and cents for the business. Security guarantees hold vendors accountable for the performance of their products and therefore more credible.
  28. 28. © 2015 WhiteHat Security, Inc. How WhiteHat Approaches Security Guarantees WhiteHat Sentinel: Tests tens of thousands of websites 24x7x365 Incident Data: Data sharing relationships incident responders Customer Relationships: ‘Missed’ vulns leading to breaches Our success rate is over 99%.
  29. 29. © 2015 WhiteHat Security, Inc. What WebApp Attacks Are Adversaries Using? “This year, organized crime became the most frequently seen threat actor for Web App Attacks.” Verizon 2015 Data Breach Investigations Report
  30. 30. © 2015 WhiteHat Security, Inc. Vulnerabilities We Test For The World of Web Vulnerabilities Vulnerabilities We DON’T Test For
  31. 31. © 2015 WhiteHat Security, Inc. Vulnerabilities We Test For Vulns We Found Vulns Not Exploited Vulns Exploited Vulns We Missed Vulns Not Exploited Vulns Exploited That Got Website Hacked
  32. 32. Vulnerabilities Missed & Exploited © 2015 WhiteHat Security, Inc. • Why was the vulnerability missed? Improve technology, training, and process. • Other consumer products have standard performance metrics (MTB; Operating Hours – runtime of motors; Mileage for drivetrain, tires, etc.)
  33. 33. © 2015 WhiteHat Security, Inc. If a website covered by Sentinel Elite is hacked, using a vulnerability we missed and should have found, the customer will be refunded in full. Plus up to… $500,000…to help cover the cost associated with the breach.
  34. 34. © 2015 WhiteHat Security, Inc. Monetary loss distribution per data breach ~75% have losses less than $500K “The Post Breach Boom”, Ponemon Institute, 2013
  35. 35. © 2015 WhiteHat Security, Inc. Ranges of expected loss by number of records Verizon 2015 Data Breach Investigations Report
  36. 36. Paths for Other Security Vendors to Follow • Obtain as much performance data as possible • Contractually capture what your product is able to reliably guarantee and disclaim the rest. • Back your security guarantee with an insurance provider. © 2015 WhiteHat Security, Inc.
  37. 37. “The only two products not covered by product liability are religion and software, and software shall not escape much longer.” Dan Geer (CISO, In-Q-Tel) © 2015 WhiteHat Security, Inc.
  38. 38. Questions? Jeremiah Grossman Founder, WhiteHat Security blog.whitehatsec.com Twitter: @JeremiahG © 2015 WhiteHat Security, Inc.
  39. 39. Thank you! © 2015 WhiteHat Security, Inc. Jeremiah Grossman Founder WhiteHat Security, Inc. @jeremiahg

Editor's Notes

  • Ever notice how everything in the information security industry is sold “as is”? No guarantees, no warrantees, no return policies. This provides little peace of mind that any of the billions that are spent every year on security products and services will deliver as advertised. In other words, there is no way of ensuring that what customers purchase truly protects them from getting hacked, breached, or defrauded. And when these security products fail – and I do mean when – customers are left to deal with the mess on their own, letting the vendors completely off the hook. This does not seem fair to me, so I can only imagine how a customer might feel in such a case. What’s worse, any time someone mentions the idea of a security guaranty or warranty, the standard retort is “perfect security is impossible,” “we provide defense-in-depth,” or some other dismissive and ultimately unaccountable response.
  • http://www.securityweek.com/global-cybersecurity-spending-reach-769-billion-2015-gartner
    http://www.gartner.com/newsroom/id/2828722
    http://www.wsj.com/articles/financial-firms-bolster-cybersecurity-budgets-1416182536
    http://mspmentor.net/managed-security-services/100314/pwc-cybersecurity-costs-rise-budgets-decrease
  • http://www.darkreading.com/attacks-breaches/most-companies-expect-to-be-hacked-in-the-next-12-months/d/d-id/1319497?


  • Window of exposure is defined as the number of days an application has one or more serious vulnerabilities open during a given time period. We categorize window of exposure as:

    Always Vulnerable: A site falls in this category if it is vulnerable on every single day of the year.

    Frequently Vulnerable: A site is called frequently vulnerable if it is vulnerable for 271-364 days a year.

    Regularly Vulnerable: A regularly vulnerable site is vulnerable for 151-270 days a year.

    Occasionally Vulnerable: An occasionally vulnerable application is vulnerable for 31-150 days a year.

    Rarely Vulnerable: A rarely vulnerable application is vulnerable for less than 30 days a year.

    Our analysis shows that 55% of the Retail Trade sites, 50% of Health Care and Social Assistance sites, and 25% of Finance and Insurance sites are always vulnerable. Similarly, only 16% of the Retail Trade sites, 18% of Health Care and Social Assistance sites, and 25% of Finance and Insurance sites are rarely vulnerable.

    Conversely, Educational Services is the best performing industry with the highest percentage of rarely vulnerable sites (40%). Arts, Entertainment, and Recreation is the next best industry with 39% of sites in rarely vulnerable category.

  • http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/

    http://www.techtimes.com/articles/27454/20150120/cyber-insurance-forefront-companies-minds.htm

    http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html

    http://www.cnbc.com/id/101804150

    http://www.darkreading.com/risk/the-problem-with-cyber-insurance/a/d-id/1269682?#ftag=YHF87e0214
  • http://www.modernhealthcare.com/article/20150205/NEWS/302059939/anthem-hack-will-shake-up-market-for-cyber-risk-insurance
  • http://www.propertycasualty360.com/2014/12/18/sony-pictures-holds-60-million-cyber-policy-with-m
  • http://www.insurancejournal.com/news/national/2014/02/26/321638.htm

    http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html
  • http://www.businessinsurance.com/article/20150206/NEWS06/150209857/aig-unit-leads-anthems-cyber-coverage?tags=%7C83%7C299%7C302%7C329
  • https://www.schneier.com/essays/archives/2003/11/liability_changes_ev.html
  • 1: Nothing is ever 100% secure, just like no every-day product is 100% reliable. However, this hasn’t prevented many industries including automotive, electronics, exercise equipment and thousands of others from offering product guarantees. If a product is defective, simply return it for a replacement or get your money back. What’s different about information security is vendors have lacked product performance data, which is essential to offer guarantees. With product performance data, even if its unable to provide 100% security, offering guarantees is possible to offer.

    2: There are always new vulnerabilities being disclosed, new attack techniques, and the new tactics employed by our adversaries. However, if a security vendor has sufficient actuarial data about the performance their product (today), it’s contractually possible to specify exactly what a security guarantee covers and disclaim excessively risky events and unknowns. This is precisely what other industries do. When new vulnerabilities, techniques, and tactics become understood and defensible, those can be guaranteed as well.

    3: In the hay day of home-brew firewalls, intrusion detection systems, and other security products, security vendors didn’t have access to the data their products generated. This is no longer the case. Today we’re in the era of the cloud, managed services, and products routinely phoning home for updates, which all provide real-time access to an ample supply of performance data. Modern security vendors have access to the data they need to provide guarantees should they choose to.

    4: Determining the layer of defense that failed requires at a minimum some degree of system logging, ideally forensically secure logging. If an organization is unable to determine what transpired during given security event, that problem must be solved first. For organizations capable of performing effective forensic investigations, identifying the gap in the defense or the product that failed, is entirely possible.

    5: Like any guarantee, the vendor decides what type of costs they’ll cover in the event the product does not perform as expected. With respect to a breach, often guarantees and cyber-security insurance cover hard costs associated with downtime, legal feels, incident response, credit monitoring, fines, and so on.

    6: This represents a unique opportunity for security vendors to differentiate from their competitors and an opportunity for customer to demand more effective products.

    7: Like all other products we purchase, guarantees only covers intended use. For example in the case of cars, to keep the guarantee, it’s often required to get the vehicle properly serviced according to maintenance schedule. Another example is electronics guarantees, which may not cover water damage. Security vendors can specify exactly how their product is meant to be used for its effectiveness to be guaranteed.

    8: Products with a guarantee do tend to cost more than those sold AS-IS. Someone may purchase an ultra-cheap computer on eBay, without a guarantee, but they’ll have to take their chances with how long it might last. Or, someone can buy a new computer at Dell.com, which may cost more, but the peace of mind could be worth it. The option they prefer is their choice. It’s also quite common for consumers pay even more for extended warrantees on various products including cars and electronics, and many industries have found doing so to be highly profitable.

    9: Every business encounters obstacles when competing in a market. For example, to do business with large organizations, they may require vendors to have general business liability insurance, a minimum amount of cash in the bank, physically located in a given country, and more. These are generally viewed as a cost of doing business. If and when organizations require security vendors to offer product guarantees, that’s just one more thing an organization must offer in order to play in the market. The customer is always right.
  • 1: Nothing is ever 100% secure, just like no every-day product is 100% reliable. However, this hasn’t prevented many industries including automotive, electronics, exercise equipment and thousands of others from offering product guarantees. If a product is defective, simply return it for a replacement or get your money back. What’s different about information security is vendors have lacked product performance data, which is essential to offer guarantees. With product performance data, even if its unable to provide 100% security, offering guarantees is possible to offer.
  • 2: There are always new vulnerabilities being disclosed, new attack techniques, and the new tactics employed by our adversaries. However, if a security vendor has sufficient actuarial data about the performance their product (today), it’s contractually possible to specify exactly what a security guarantee covers and disclaim excessively risky events and unknowns. This is precisely what other industries do. When new vulnerabilities, techniques, and tactics become understood and defensible, those can be guaranteed as well.
  • 3: In the hay day of home-brew firewalls, intrusion detection systems, and other security products, security vendors didn’t have access to the data their products generated. This is no longer the case. Today we’re in the era of the cloud, managed services, and products routinely phoning home for updates, which all provide real-time access to an ample supply of performance data. Modern security vendors have access to the data they need to provide guarantees should they choose to.
  • 4: Determining the layer of defense that failed requires at a minimum some degree of system logging, ideally forensically secure logging. If an organization is unable to determine what transpired during given security event, that problem must be solved first. For organizations capable of performing effective forensic investigations, identifying the gap in the defense or the product that failed, is entirely possible.
  • 5: Like any guarantee, the vendor decides what type of costs they’ll cover in the event the product does not perform as expected. With respect to a breach, often guarantees and cyber-security insurance cover hard costs associated with downtime, legal feels, incident response, credit monitoring, fines, and so on.
  • 6: This represents a unique opportunity for security vendors to differentiate from their competitors and an opportunity for customer to demand more effective products.
  • 7: Like all other products we purchase, guarantees only covers intended use. For example in the case of cars, to keep the guarantee, it’s often required to get the vehicle properly serviced according to maintenance schedule. Another example is electronics guarantees, which may not cover water damage. Security vendors can specify exactly how their product is meant to be used for its effectiveness to be guaranteed.
  • Gartner
    Forecast Overview: Information Security, Worldwide, 2014 Update
    Published: 25 June 2014

    1) We're leaving 1/3rd of the money on the table.  Imagine if I could say
    that I can increase your revenue by 1/3rd. If your board figures out that
    they're loosing this much money because you can't get your stats in order
    they're not going to be pleased. The insurance industry is taking money
    from our industry, and that means less security spend, less jobs, less
    innovation, less growth and less security.

    2) The insurance industry is on a path to grow faster than us by leaps and
    bounds.  Their power and influence will easily dwarf ours if we don't act
    soon. We're ceding control of our industry to the insurance industry - do
    we want them to dictate/mandate spend?  Do we really want a new regulatory
    body we have to comply with?  The growth seems like a graph too.  Show
    ours increasing by 7% or whatever and theirs increasing by 67%.  If
    they're growing that much faster than us, we need to demonstrate how much
    faster and give them the ominous feeling that we're being gutted from the
    inside.
  • https://451research.com/report-long?icid=3155
  • http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
  • http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
  • https://www.youtube.com/watch?v=nT-TGvYOBpI&list=UUJ6q9Ie29ajGqKApbLqfBOg

×