Rafae Bhatti
Head of Security and Privacy, HealthTap
LinkedIn: rafaebhatti
Twitter: @privacyphd
Overcoming obstacles in operationalizing security: A tale from the trenches
Outline
Introduction <5 mins
● About Me
● Why This Talk
Problem Statement 5 mins
● “Textbook” approach
● Why it doesn’t work
Overcoming Obstacles 15 mins
● Pick Your Battles Wisely
● Identify Your Allies/Gaps Early
● Tension between Advice and Practice
● Buy what you must, Build what you can
Q&A 5 mins
Introduction
● About Me
● Why This Talk
Problem Statement
Variables
1. Risk surface (Threat Model)
2. Resources (Budget, Teams, Tools)
3. Capabilities (Skills, Frameworks)
Rate of Change
Assumptions in Rate of Change
1. Linear
2. Non-linear
Assumption: Linear
How the Linear Assumption Works
1. Resource availability adjusts in response to higher risk
   a. Present the risk report to management
   b. Walk away with $$
   c. You hire employees
2. Capabilities improve in response to additional resources
   a. Adequate skills on the team
   b. Solutions aligned to a framework (DevOps, etc.)
Reality: Non-Linear
Why the Linear Assumption Fails
1. The risk profile may not result in adequate resource availability
   a. You may inherit a negative slope
   b. You first have to zero out, and only then enter a positive slope
2. The available resources may not provide the needed capabilities
   a. Funding alone does not ensure capabilities
   b. You need a mix of talent and tools in response to capability gaps
Is this Scary?
1. We hear about
   a. the coolest offensive techniques to be aware of
   b. the frameworks for creating defensive capabilities
   c. best practices to create security awareness
BUT
2. We don't hear enough about
   a. the challenges people faced when putting this together
   b. Getting a sense of how far behind you are can be very scary
   c. Knowing where you are on the relative curve is important
Get Your Engines Started!
Nice to have the Ferrari of security (large enterprises)
Or build your own Tesla (Facebook, Google, Netflix)
But when faced with resource constraints:
Start with a Prius
Downside: Big gap in terms of effort required to lay a proper foundation
Upside: You don't get a greenfield every day, and that is where the rubber meets the road!
Pick Your Battles Wisely
1. You win some, you lose some
   a. The real world demands compromise.
   b. Competing priorities require that you make trade-offs
2. Hype alone may get you money, but not the results
   a. Separate the sales pitch from the actual security need; understand your risk surface
      i. Equifax, Uber, ...
      ii. GDPR
   b. Is that problem an immediate priority for you?
   c. Is there a simpler solution you can adopt?
   d. Are you ignoring the low-hanging fruit?
Pick Your Battles Wisely: Examples of Tradeoffs
1. Attack Simulation / Red Teaming / Bug Bounty
   a. When and when not?
2. DoS Protection / WAF
   a. Why and why not?
3. Endpoint Protection
   a. What is your fit?
4. Awareness Training
   a. What is your approach?
Identify Your Allies/Gaps Early
1. You cannot go the whole nine yards alone
   a. Identify any dependencies on other teams
      i. When the department doesn't exist, what do you do?
2. Do more, expect less (to be done for you)
   a. Hands-on: yes. Enabler: yes.
      i. Doesn't always mean getting your way
   b. "Buy-in": what does it mean?
      i. No one size fits all; adapt to your environment
      ii. Impress them with your judgement; money will follow
Identify Your Allies/Gaps Early: Examples of Tradeoffs
1. HR processes
   a. No HR? Create simplified workflows
2. IT processes
   a. No IT? Don't wait for Workday
3. Security/privacy by design
   a. No PM? Keep pushing the product team.
4. Procurement processes
   a. No GA? Learn to negotiate.
Tension between Advice and Practice
1. When training is not enough
   a. Advice: Education is the cheapest to do; the further you go into the dev lifecycle, the more expensive it is to fix defects
   b. Practice: ?
2. When specifications lag development
   a. Advice: Write detailed specifications, and get them reviewed and approved, before code is written
   b. Practice: ?
      i. Specs are guideposts, not gospel; deviation may be expected
3. When you can't ignore or apply a patch
   a. Advice: Don't ignore a high-severity CVE
   b. Practice: ?
Tension between Advice and Practice: Examples of Tradeoffs
1. Balance training with SDLC tools
   a. Set up a feedback loop
2. Nudge your teams
   a. Use the power of the nudge
3. Push vs. Pull
   a. Provide unsolicited advice
4. Add compensating controls
   a. When you cannot fix, monitor
Buy what you Must, Build what you Can
1. Combination of Tools, Talent, Training
   a. A few good vendors together with a few good people; strike a balance.
2. DIY vs. BUY buckets
   a. Dictated not just by budget and resources but by practical reasons
      i. Does it involve strategic planning?
      ii. Open source vs. commercial tools?
3. Hire right
   a. Define the need gap: where can tools help?
Buy what you Must, Build what you Can: Examples of Tradeoffs
1. Intrusion Detection System (IDS)
   a. How to set up a cost-efficient SOC?
2. Mobile Device Management (MDM)
   a. How to avoid getting (and paying for) more than you need?
3. Identity Management (IdM)
   a. Resist AD?
   b. Costly deployment?
Thank you!

BSidesSF talk: Overcoming obstacles in operationalizing security
