Broke Note Broken: An Effective Information Security Program With a $0 Budget


Published on

Slides from my talk at BSides Detroit 2013

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Michigan’s economy has been shrinking since 2000. While 2013 will be better than 2011, national recovery has yet to hit our state in a meaningful way.The technology market is in a major shift – consumers now expect to interact with your company any time, any place via web & mobile technology.Security, while highly relevant and in the media spotlight, is not strategic.Therefore, your CIO is spending IT dollars to play catch-up to keep the business relevant. Any level of risk you can quantify is meaningless in the face of enabling sales & revenue. “Who cares if you avoid a major data breach if your company still goes out of business?”So you might get to keep the money we’ve contractually committed to your firewall, AV, and whatever else you have, but new capital is going elsewhere.
  • Not only are you not getting any new capital, but all of the new capital is going to directly increase your security risk.Got PII? Manufacturing IP? Payroll? Storage? Bandwidth? Then there are organized criminal enterprises that would like to send you a few emails.Speaking of IP, if it’s worth anything in China, they already have it.Regulations around privacy and security are being released at an ever-increasing pace.
  • When InfoSec is aligned, it is:RelevantEnablingForward-looking
  • There’s all kinds of technical risk waiting for you to assess it. And it needs to be assessed regularly.Somebody may already be looking at some of this. Do your homework.The phrase of the year for healthcare is “risk assessment.” KPMG and OCR say most organizations experiencing data breaches don’t have a current risk assessment. Meaningful Use requires a risk assessment for all phases. Oooh, I bet there’s money to fix the stuff you find in that risk assessment! Let’s pick on vendors! No, seriously. New and key vendors should undergo risk assessment. Partner with procurement – add their concerns, do some of their work, and now you’re embedded in the contracting process and people want to involve you.And above all else, REPORTING REPORTINGREPORTING! Give CIO, CFO, whoever will listen visibility to the risks you have identified.
  • In my opinion, this is where InfoSec is at its best – embedded in project teams from project planning through to go-live.Best outcomes, least cost, minimal conflict.This is just one slide. But if you write nothing else down today, write this down. If you’re not working hard on other people’s projects, you’re accepting too much risk, paying too much security, or both.
  • Cloud, mobile, BYOD, SOA, Big DataDo your homework. Identify what security technologies, standards, and practices enable all of the things that are front-page tech news. Best part? It’s totally OK to say things like, “The tipping point for secure, mobile-enabled, unstructured data in the cloud is 18 to 30 months out because leading innovators’ integration with DLP and MDM is still immature.” I don’t even know what that actually means. What it I do know is that I just said no to a bad idea, but it sounds like I’m saying yes.
  • There’s lots of stuff out there. Do research. Find the stuff that’s relevant to you, customize to your environment. Publish, circulate.Even if nobody ever uses anything you publish, it’s good internal PR. You’re business aligned!
  • This is how you get budget for next year! You measure a bunch of security stuff over time. Number of incidents per month (severity, type, etc.)Aggregate risk score – trend linesStart with known issues and figure out how to measure themCreate a dispassionate, data-driven case for action (funding).
  • Create artifacts. Reports, graphs, infographics, slide decks.Present the information, especially to affected decision-makers, including peers.(Don’t mix peers & your uplines in the same preso – no blindsides!)After you present, get feedback, make changes. Then distribute your materials liberally. Only be stingy with truly sensitive information.
  • 1 – Nameless Ukranian arrested for Zeus botnet2 – Hector Montsegur, Sabu (lulzsec)3 – Albert Gonzalez (TJX, Heartland)4 – Matt Flannery, Aush0k (lulzsec)5 – David Kernell (Palin email hacker)6 – PLA Unit 61398 (aka APT1)
  • It doesn’t matter what you’ve spent on prevention and control, you have problems. If you’re not monitoring for phishing, web kits, and malware C2 beacons, you’re missing something important. Also, people work for you. A tiny number commit crimes. A much larger number make mistakes. The speed at which you respond to problems has a lot to do with the impact to your organization.
  • Your Internet browsing logs and firewall logs will require something other than the free Logger or SplunkYou need to be able to write your own signatures
  • About half of the really good stuff out there for incident response is free.The free versions of the commercial stuff are limited, but it’s a good way to prove out the product and justify budget for it next year.
  • This distribution has most of what you need to get visibility to the right data and start sifting through it.All you need is a couple of old boxes and a SPAN port to get started.Doug Burks’ DerbyCon talk from last year is on YouTube. Go watch it.
  • Deployed EMET 3.0 to 1,500 workstations at Priority Health, our health insurance company in October 2012.In November, we had 1 case of malware on their network. In December we had 4.The one in November was not one of the Priority Health workstations. The four in December were FakeAV and did not use an exploit. They were easily cleaned.That’s the biggest statistical decline we’ve seen since that metric was introduced in 2007. The only similar decrease was in 2009 when we introduced Websense security filtering content. And six months later we standardized on issuing laptops that people took home on a regular basis. EMET goes home with them.
  • Broke Note Broken: An Effective Information Security Program With a $0 Budget

    1. 1.  You work in Michigan Your company needs to innovate Security itself is not strategic  You get no [new] money  
    2. 2.  All new technology is on the Internet  Your company is a monetizible target  Foreign competitors have your old IP  They’re going to get your new IP, too  Regulation +1
    3. 3.  What does the CEO say it is?  What is the CIO/CFO/COO worried about?  What is IT spending money on this year?  Is your company spending lots of money on technology without IT involvement?
    4. 4.       Internet-exposed systems Core applications Fraud / separation of duties BCP / DR OMG, are you in healthcare?! VENDORS!!
    5. 5.  Go to where the money is being spent!  Give generously of your time  Focus on the project’s success
    6. 6.  Designs, roadmaps, or whatever  Don’t just produce ivory tower crap  Sprinkle liberally with buzzwords
    7. 7.  Future-forward capabilities  Data & network security design for IaaS  Secure API architecture for mobile apps  Secure standards  SDLC practices  Server build guides
    8. 8.  Security metrics are really hard  Risk metrics are the easiest to put together  Good metrics tell a story  Data drives decision-making
    9. 9.  Risk Assessment Architecture Compliance Metrics  Publish and Present   
    10. 10.  Your budget doesn’t matter  Dedicated time for investigating  Find your normal, look for anomalies
    11. 11.  Web filter / proxy logs  SMTP gateway logs  Firewall logs  NIDS (use bro or Snort)  Edge router / Internet full packet capture
    12. 12.  Commercial, yet free      ArcSight Logger L750B Splunk Free License Q1 Labs Qradar Free License NetWitness Investigator Open Source  Snort, suricata  Snare, syslog-ng, OSSEC
    13. 13.  Microsoft EMET  v4.0 is imminent (late, actually)  Managed via AD group policy (3)  By-process memory exploit protections  SSL/TLS cert pinning detection (4)  Error reporting to SCOM for mitigation alerts (4)
    14. 14. IS Information Security Program “Malware incidents demonstrated a 19 2012 Security Case Category: Malware 16 14 12 10 8 Malware 6 4 2 Dec Nov Oct Sep Aug Jul Jun May Apr Mar Feb 0 Jan noticeable peak in volume during the summer months of 2012. The significant fall of malware-related incidents beginning in November coincided with the deployment of the Microsoft Enhanced Mitigation Experience Toolkit (EMET), a new vulnerability mitigation tool that has been installed onto Priority Health user workstations. The highest volume of malware incidents in 2012 was in October with 14. In comparison the highest volume of malware incidents in any month in 2011 was 22. Botnet activity accounted for all of the malware incidents in October that could be identified, with the largest portion coming from an attack that used the compromised web server of a local TV station.”
    15. 15.  I’m hiring!   GRSec   GrrCON 
    16. 16.   Email: Twitter: @pmelson