Jorge Sebastiao, profile picture
Uploaded byJorge Sebastiao
123 views

A6 pragmatic journey into cyber security

The document discusses cyber security and presents a framework for an effective cyber security program. It outlines the key elements of a comprehensive security approach, including assessing risks, architecting security controls, applying protections, administering security operations, raising user awareness, ensuring agility, defining the appropriate risk appetite, and aligning security with business needs. The framework emphasizes that security is a continuous process requiring skills in various areas to successfully manage risks.

Embed presentation

A6 a pragmatic Journey into Cyber Security Jorge Sebastiao, CISSP ICT Expert Huawei http://linkedin.com/in/sebastiao/ Twitter: @4jorge
Disclaimer & Copyright • Please note that this presentation is for informational, knowledge sharing and educational purposes only. Any comments or statements made herein do not necessarily reflect the views of Huawei. The information is intended for the recipient's use only and should not be cited, reproduced or distributed to any third party without the prior consent of the authors. Although great care is taken to ensure accuracy of information neither the author, nor Huawei can be held responsible for any decision made on the basis of the information cited. • The content of this presentation is based on information gathered in good faith from both primary and secondary sources and is believed to be correct at the time of publication. The author can however provide no guarantee regarding the accuracy of this content and therefore accepts no liability whatsoever for any actions taken that subsequently prove incorrect. • The practices listed in the document are provided as is and as guidance and the author and Huawei do not claim that these comprise the only practices to be followed. The readers are urged to make informed decisions in their usage. • The information presented in this presentation is not intended to be, and should not be construed as, an offer to sell any products or services or a solicitation of an offer to buy any products or services . Any such offer or sale will be made pursuant to, and the information presented at this meeting is qualified in its entirety by, authorized offering documents and related disclosure schedules or similar disclosure documentation. • All logos and brand names belong to their respective owners and we do not claim any relationship or association, implied or otherwise, with them. • Use of any materials by virtue of relationships and associations, if any, are mentioned explicitly. • Author has taken care to attribute all sources for external materials used in this presentation, and any oversight is regretted. If you, as owner, or as viewer, find any reason to dispute the use of these materials kindly communicate the same to author. • Any omissions, in terms of attribution, may be due to an error of author and not intentional.
Google review of email Phishing
Spear Phishing
Is That an Office Phone In Your Pocket?
The future is here
Uncontrolled Connectivity
Everything is connected…
Apple Pay Exploit
M2M and Google Voice?
Smart Meters and Nest Hack
Healthcare Sensors Exploits
Physical Security
Hacking IIoT SCADA sensors Industrial Scale Risks
Challenges Disengagement from the changing customer mindset Lack of confidence in return on investment Lack of regulatory certainty on new market structures Privacy, security and resilience Poorly formulated M&A and strategic partnerships Failure to define new business metrics Failure to capitalize on new types of connectivity Insufficient information to turn demand into value Failure to shift the business model from minutes to bytes Lack of organizational flexibility
Mobile Malware up 148,778 samples 2013
5th Challenge -Protection against State Sponsored Attacks • # 19M89. %6/><345% • I </>%' X71>%><. %v' ; >0%7?%# /4@q%
Is there an elephant in the room?
0 Day Exploits - Guaranteed
Rogue & Clueless Users
Our security enemy is? Security Nightmare
Cyberspace CharacteristicsAsymmetric Attribution Problems No Borders Complex Interconnected Systems
Outdated Assumptions?
Effective Countermeasures
Wrong Skills?
What is next?
Think outside the box 2
Effective Security is hidden deep underneath… Technology ProcessPeople
Right Risk Appetite?
Modeling Risk and Threats Threats Vulnerabilities Controls Risks Assets Security Requirements Business Impact exploit exposeincreaseincrease increase have protect against met by indicate reduce
CONSEQUENCE LIKLIEHOOD FV T Risk Group 1 Risk Group 2 Risk Group 3 HighLow L o w H i g h RESPONSE PROTECTION Target Risk Risk Reduction Strategies!
4As A4 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act
5As A5 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act Awareness Intelligence, User
6As A6 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act Awareness Intelligence, User Agility Timeliness of Response
A6 - Process Business Risk Controls Maturity
Defense in depth
The « defence in depth »
TBS- Time Based Security Protection DetectionResponse SECURITY P>D+R Anti-virus VPN Firewall, IPS Access Control Grid Time Response Patch Mgmt Incidence Response Disaster Recovery Vulnerability Testing SIEM Log Correlation CCTV, Access Control
Proper Security Metrics
Cyber Attack Recovery Agility Risk Active Business Can you successfully recover?
Road to Security Metrics Security Metrics KPIs, Testing Results CSA Controls, Compliance, Operational, Financial CoBIT SOX ISMS ISO27001 PCI HIPAA Time Based Security ISMS ISO22301 ISMS ISO20000
Final Goal Is Total Integrated Security Information Security Management IoT, Device Security Management
Winning the War Red Teaming Solve Attribution Continuous Vulnerability Mgmt Crowd Sourcing/Bug Bounty Fusing Crisis Management Vertical CERT Integration Encryption Exchange Knowledge Data Leak Prevention Threat Management Reputation Management Big Data Honeynets Machine Learning Sandbox Security Metrics Empower end users Continuous Training Attack / Take down
10As A10 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act, Respond Awareness Intelligence, User Agility Timeliness of Response Appetite How much Risk can you take? Alignment Business focus Assumption Something is wrong? Authorization Right to access, authentication
Don’t bring a knife to gun fight
“…Security is a continuous skilled process…”… Jorge Sebastiao http://linkedin.com/in/sebastiao
Questions Jorge Sebastiao, CISSP ICT Expert Huawei http://linkedin.com/in/sebastiao/ Twitter: @4jorge

More Related Content

PPTX
Cybersecurity Fundamentals for Legal Professionals
byShawn Tuma
 
PPTX
CYMASS Security Awareness Version 1.2
byJorge Sebastiao
 
PPTX
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
byShawn Tuma
 
PPTX
Crowd-Sourced Threat Intelligence
byAlienVault
 
PDF
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
byMITRE - ATT&CKcon
 
PPTX
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
byClare Nelson, CISSP, CIPP-E
 
PDF
Building a Threat Hunting Practice in the Cloud
byProtectWise
 
Cybersecurity Fundamentals for Legal Professionals
byShawn Tuma
 
CYMASS Security Awareness Version 1.2
byJorge Sebastiao
 
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
byShawn Tuma
 
Crowd-Sourced Threat Intelligence
byAlienVault
 
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
byMITRE - ATT&CKcon
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
byClare Nelson, CISSP, CIPP-E
 
Building a Threat Hunting Practice in the Cloud
byProtectWise
 

What's hot

PPTX
Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
byEC-Council
 
PPTX
Why Depending On Malware Prevention Alone Is No Longer An Option
bySeculert
 
PDF
E-FILE_Proofpoint_Uberflip_120915_optimized
byLynn Feltner
 
PDF
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
PDF
WhyNormShield
byCandan BOLUKBAS
 
PDF
(SACON) Shomiron das gupta - threat hunting use cases
byPriyanka Aash
 
PDF
Slides to the online event "Creating an effective cybersecurity strategy" by ...
byGo Global
 
PDF
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
byTripwire
 
PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
PPT
Ethical hacking
byBeing Uniq Sonu
 
PDF
A Journey Into Pen-tester land: Myths or Facts!
byAmmar WK
 
PDF
See Clearly and Respond Quickly from the Network to the Endpoint
byProtectWise
 
PDF
[Webinar] The Art & Value of Bug Bounty Programs
bybugcrowd
 
PDF
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
byHexis Cyber Solutions
 
PPTX
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
bycentralohioissa
 
PPTX
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
byCODE BLUE
 
PDF
Opsec for security researchers
byvicenteDiaz_KL
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bybugcrowd
 
PDF
Nexus It Group Resume Writing
bytlinde
 
PPT
Top 5 website security myths
bykanika sharma
 
Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
byEC-Council
 
Why Depending On Malware Prevention Alone Is No Longer An Option
bySeculert
 
E-FILE_Proofpoint_Uberflip_120915_optimized
byLynn Feltner
 
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
WhyNormShield
byCandan BOLUKBAS
 
(SACON) Shomiron das gupta - threat hunting use cases
byPriyanka Aash
 
Slides to the online event "Creating an effective cybersecurity strategy" by ...
byGo Global
 
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
byTripwire
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
Ethical hacking
byBeing Uniq Sonu
 
A Journey Into Pen-tester land: Myths or Facts!
byAmmar WK
 
See Clearly and Respond Quickly from the Network to the Endpoint
byProtectWise
 
[Webinar] The Art & Value of Bug Bounty Programs
bybugcrowd
 
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
byHexis Cyber Solutions
 
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
bycentralohioissa
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
byCODE BLUE
 
Opsec for security researchers
byvicenteDiaz_KL
 
Mobile Application Security Threats through the Eyes of the Attacker
bybugcrowd
 
Nexus It Group Resume Writing
bytlinde
 
Top 5 website security myths
bykanika sharma
 

Similar to A6 pragmatic journey into cyber security

PDF
Wfh security risks - Ed Adams, President, Security Innovation
byPriyanka Aash
 
PPTX
Practical analytics hands-on to cloud & IoT cyber threats
byJorge Sebastiao
 
PPTX
Security is broken V3.0
byJorge Sebastiao
 
PPTX
NZISF Talk: Six essential security services
byHinne Hettema
 
PDF
Fall2015SecurityShow
byAdam Heller
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PPTX
Top Cybersecurity Challenges Facing Your Business
byNicholas Davis
 
PDF
Tech Talent Meetup Hacking Security Event Recap
byDominic Vogel
 
PDF
Cyber Security in a Fully Mobile World
byUniversity of Suffolk
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byveikkieymann
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
bybaruulisy
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byeapysvt6956
 
PPTX
How to-become-secure-and-stay-secure
byIIMBNSRCEL
 
PPTX
Securing your digital world cybersecurity for sb es
bySonny Hashmi
 
PPTX
Securing your digital world - Cybersecurity for SBEs
bySonny Hashmi
 
PPTX
Emerging Trends in Cybersecurity by Amar Prusty
byCysinfo Cyber Security Community
 
PDF
Cybersecurity Fundamentals for Bar Associations
byNowSecure
 
PDF
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
byBeyondTrust
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PDF
Treating Security Like a Product
byVMware Tanzu
 
Wfh security risks - Ed Adams, President, Security Innovation
byPriyanka Aash
 
Practical analytics hands-on to cloud & IoT cyber threats
byJorge Sebastiao
 
Security is broken V3.0
byJorge Sebastiao
 
NZISF Talk: Six essential security services
byHinne Hettema
 
Fall2015SecurityShow
byAdam Heller
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
Top Cybersecurity Challenges Facing Your Business
byNicholas Davis
 
Tech Talent Meetup Hacking Security Event Recap
byDominic Vogel
 
Cyber Security in a Fully Mobile World
byUniversity of Suffolk
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byveikkieymann
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
bybaruulisy
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byeapysvt6956
 
How to-become-secure-and-stay-secure
byIIMBNSRCEL
 
Securing your digital world cybersecurity for sb es
bySonny Hashmi
 
Securing your digital world - Cybersecurity for SBEs
bySonny Hashmi
 
Emerging Trends in Cybersecurity by Amar Prusty
byCysinfo Cyber Security Community
 
Cybersecurity Fundamentals for Bar Associations
byNowSecure
 
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
byBeyondTrust
 
Application Security - Your Success Depends on it
byWSO2
 
Treating Security Like a Product
byVMware Tanzu
 

More from Jorge Sebastiao

PPTX
Real estate tokenization and blockchain
byJorge Sebastiao
 
PPTX
Blockchain and covid19 v3
byJorge Sebastiao
 
PPTX
Top tech shapping startups
byJorge Sebastiao
 
PPTX
Blockchain and security v3
byJorge Sebastiao
 
PPTX
The road to blockchain 5.0
byJorge Sebastiao
 
PPTX
Cyber Warfare 4TH edition
byJorge Sebastiao
 
PPTX
How AI is Disrupting Traffic Management in Smart City
byJorge Sebastiao
 
PPTX
Ai and traffic management application v1.0
byJorge Sebastiao
 
PPTX
Dz hackevent 2019 Middle East Cyberwars V3
byJorge Sebastiao
 
PPTX
AI HR and Future Jobs Version 2.1
byJorge Sebastiao
 
PPTX
Cyber fear obstacles to info sharing-Version 2
byJorge Sebastiao
 
PPTX
Blockchain & cyber security Algeria Version 1.1
byJorge Sebastiao
 
PPTX
Datamatix GCC HR future jobs Version 1.3
byJorge Sebastiao
 
PPTX
Cyber security crypto blockchain Version 3.2
byJorge Sebastiao
 
PPTX
RTA AI for traffic management version 1.4
byJorge Sebastiao
 
PPTX
IGF2017 Data is new oil - UN Internet Governance Forum
byJorge Sebastiao
 
PPTX
ADIPEC physical and Infosec for Oil and Gas
byJorge Sebastiao
 
PPTX
AVSEC are you flying cybersafe?
byJorge Sebastiao
 
PPTX
Are we ready for IoT? VU Version 7
byJorge Sebastiao
 
PPT
Togaf Version 9.1 Introduction Overview
byJorge Sebastiao
 
Real estate tokenization and blockchain
byJorge Sebastiao
 
Blockchain and covid19 v3
byJorge Sebastiao
 
Top tech shapping startups
byJorge Sebastiao
 
Blockchain and security v3
byJorge Sebastiao
 
The road to blockchain 5.0
byJorge Sebastiao
 
Cyber Warfare 4TH edition
byJorge Sebastiao
 
How AI is Disrupting Traffic Management in Smart City
byJorge Sebastiao
 
Ai and traffic management application v1.0
byJorge Sebastiao
 
Dz hackevent 2019 Middle East Cyberwars V3
byJorge Sebastiao
 
AI HR and Future Jobs Version 2.1
byJorge Sebastiao
 
Cyber fear obstacles to info sharing-Version 2
byJorge Sebastiao
 
Blockchain & cyber security Algeria Version 1.1
byJorge Sebastiao
 
Datamatix GCC HR future jobs Version 1.3
byJorge Sebastiao
 
Cyber security crypto blockchain Version 3.2
byJorge Sebastiao
 
RTA AI for traffic management version 1.4
byJorge Sebastiao
 
IGF2017 Data is new oil - UN Internet Governance Forum
byJorge Sebastiao
 
ADIPEC physical and Infosec for Oil and Gas
byJorge Sebastiao
 
AVSEC are you flying cybersafe?
byJorge Sebastiao
 
Are we ready for IoT? VU Version 7
byJorge Sebastiao
 
Togaf Version 9.1 Introduction Overview
byJorge Sebastiao
 

Recently uploaded

PPTX
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
PDF
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
PDF
Tetracycline Class of Antibiotics: SAR, MOA and Uses
bymominzarinamdnajeeb
 
PPTX
Problem and Solution (PowerPoint Game Template)
byacpaulite
 
PPTX
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
PDF
RAJAT ARORA SIR PHYSICAL EDUCATION NOTES ALL CHAPTERS .pdf
bysumitkannoujiya74
 
PPTX
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
PDF
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
PPTX
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
PDF
Unit3 Phases and process of curriculum development.pdf
byziaoria016
 
PPTX
Chapter 1: Introduction to Economics - Macroeconomics and Microeconomics.pptx
byFJ M
 
PPTX
Math 8 Quarter 4 Week 3 PRIMARY DATA.pptx
byshahanieabbat3
 
PPTX
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
PPTX
How to Configure Dispatch Management System in Odoo 18 Inventory
byCeline George
 
PPTX
Plato's Insight model teaching and learning.pptx
byNikhitaDS
 
PPTX
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 
PPTX
How to Manage Checkout Policy & Customer Portal in Odoo 18 Website
byCeline George
 
PPTX
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
PDF
PHARMACOLOGY 1 ( BP 404 T) Unit 1 (Cology 1)
byChetan Mali
 
PPTX
Q4_PPT MUSIC & ARTS 7 week 1-2, matatag curriculum
byZEN
 
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
Tetracycline Class of Antibiotics: SAR, MOA and Uses
bymominzarinamdnajeeb
 
Problem and Solution (PowerPoint Game Template)
byacpaulite
 
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
RAJAT ARORA SIR PHYSICAL EDUCATION NOTES ALL CHAPTERS .pdf
bysumitkannoujiya74
 
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
Unit3 Phases and process of curriculum development.pdf
byziaoria016
 
Chapter 1: Introduction to Economics - Macroeconomics and Microeconomics.pptx
byFJ M
 
Math 8 Quarter 4 Week 3 PRIMARY DATA.pptx
byshahanieabbat3
 
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
How to Configure Dispatch Management System in Odoo 18 Inventory
byCeline George
 
Plato's Insight model teaching and learning.pptx
byNikhitaDS
 
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 
How to Manage Checkout Policy & Customer Portal in Odoo 18 Website
byCeline George
 
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
PHARMACOLOGY 1 ( BP 404 T) Unit 1 (Cology 1)
byChetan Mali
 
Q4_PPT MUSIC & ARTS 7 week 1-2, matatag curriculum
byZEN
 

A6 pragmatic journey into cyber security

  • 1.
    A6 a pragmaticJourney into Cyber Security Jorge Sebastiao, CISSP ICT Expert Huawei http://linkedin.com/in/sebastiao/ Twitter: @4jorge
  • 2.
    Disclaimer & Copyright •Please note that this presentation is for informational, knowledge sharing and educational purposes only. Any comments or statements made herein do not necessarily reflect the views of Huawei. The information is intended for the recipient's use only and should not be cited, reproduced or distributed to any third party without the prior consent of the authors. Although great care is taken to ensure accuracy of information neither the author, nor Huawei can be held responsible for any decision made on the basis of the information cited. • The content of this presentation is based on information gathered in good faith from both primary and secondary sources and is believed to be correct at the time of publication. The author can however provide no guarantee regarding the accuracy of this content and therefore accepts no liability whatsoever for any actions taken that subsequently prove incorrect. • The practices listed in the document are provided as is and as guidance and the author and Huawei do not claim that these comprise the only practices to be followed. The readers are urged to make informed decisions in their usage. • The information presented in this presentation is not intended to be, and should not be construed as, an offer to sell any products or services or a solicitation of an offer to buy any products or services . Any such offer or sale will be made pursuant to, and the information presented at this meeting is qualified in its entirety by, authorized offering documents and related disclosure schedules or similar disclosure documentation. • All logos and brand names belong to their respective owners and we do not claim any relationship or association, implied or otherwise, with them. • Use of any materials by virtue of relationships and associations, if any, are mentioned explicitly. • Author has taken care to attribute all sources for external materials used in this presentation, and any oversight is regretted. If you, as owner, or as viewer, find any reason to dispute the use of these materials kindly communicate the same to author. • Any omissions, in terms of attribution, may be due to an error of author and not intentional.
  • 3.
    Google review ofemail Phishing
  • 4.
  • 5.
    Is That anOffice Phone In Your Pocket?
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
    Hacking IIoT SCADAsensors Industrial Scale Risks
  • 15.
    Challenges Disengagement from the changing customermindset Lack of confidence in return on investment Lack of regulatory certainty on new market structures Privacy, security and resilience Poorly formulated M&A and strategic partnerships Failure to define new business metrics Failure to capitalize on new types of connectivity Insufficient information to turn demand into value Failure to shift the business model from minutes to bytes Lack of organizational flexibility
  • 16.
  • 17.
    5th Challenge -Protectionagainst State Sponsored Attacks • # 19M89. %6/><345% • I </>%' X71>%><. %v' ; >0%7?%# /4@q%
  • 18.
    Is there anelephant in the room?
  • 19.
    0 Day Exploits- Guaranteed
  • 20.
  • 21.
    Our security enemyis? Security Nightmare
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
    Effective Security ishidden deep underneath… Technology ProcessPeople
  • 29.
  • 30.
    Modeling Risk andThreats Threats Vulnerabilities Controls Risks Assets Security Requirements Business Impact exploit exposeincreaseincrease increase have protect against met by indicate reduce
  • 31.
    CONSEQUENCE LIKLIEHOOD FV T Risk Group 1 Risk Group 2 RiskGroup 3 HighLow L o w H i g h RESPONSE PROTECTION Target Risk Risk Reduction Strategies!
  • 32.
    4As A4 ofSecurity Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act
  • 33.
    5As A5 ofSecurity Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act Awareness Intelligence, User
  • 34.
    6As A6 ofSecurity Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act Awareness Intelligence, User Agility Timeliness of Response
  • 35.
    A6 - Process BusinessRisk Controls Maturity
  • 36.
  • 37.
    The « defencein depth »
  • 38.
    TBS- Time BasedSecurity Protection DetectionResponse SECURITY P>D+R Anti-virus VPN Firewall, IPS Access Control Grid Time Response Patch Mgmt Incidence Response Disaster Recovery Vulnerability Testing SIEM Log Correlation CCTV, Access Control
  • 39.
  • 40.
    Cyber Attack RecoveryAgility Risk Active Business Can you successfully recover?
  • 41.
    Road to SecurityMetrics Security Metrics KPIs, Testing Results CSA Controls, Compliance, Operational, Financial CoBIT SOX ISMS ISO27001 PCI HIPAA Time Based Security ISMS ISO22301 ISMS ISO20000
  • 42.
    Final Goal Is TotalIntegrated Security Information Security Management IoT, Device Security Management
  • 43.
    Winning the War RedTeaming Solve Attribution Continuous Vulnerability Mgmt Crowd Sourcing/Bug Bounty Fusing Crisis Management Vertical CERT Integration Encryption Exchange Knowledge Data Leak Prevention Threat Management Reputation Management Big Data Honeynets Machine Learning Sandbox Security Metrics Empower end users Continuous Training Attack / Take down
  • 44.
    10As A10 ofSecurity Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act, Respond Awareness Intelligence, User Agility Timeliness of Response Appetite How much Risk can you take? Alignment Business focus Assumption Something is wrong? Authorization Right to access, authentication
  • 45.
    Don’t bring aknife to gun fight
  • 46.
    “…Security is a continuous skilled process…”… JorgeSebastiao http://linkedin.com/in/sebastiao
  • 47.
    Questions Jorge Sebastiao, CISSP ICTExpert Huawei http://linkedin.com/in/sebastiao/ Twitter: @4jorge