2. About Me
• CISO at Celanese
• Hacker / Security Aficionado
• Former RF engineer, US Navy Cryptographer, Software Developer, PenTester, etc.
• Father and Husband
3. Disclaimers
• I am not a lawyer
• The opinions expressed in this presentation are only warranted as my own
• I am not a lawyer
• While I have some ideas, I am very interested in yours as well
• I am not a lawyer
4. Rules of Engagement
• Interactive sessions are more beneficial to all than lectures
• If you have a question or comment, please let me know
• The standard rule applies: the only dumb question is one not asked
• There will be time for questions and discussions at the end as well
5. The Problems
• Compliance continues to grow
• Budgets vary with the news cycle
• Threats are evolving faster than defenses
• Tools to attack are cheap, to defend are expensive
• Decentralized computing removes (some) visibility
9. Competing National Priorities
• US company doing business in Germany and China
• China requires high degree of reporting and monitoring
• Germany requires high degree of privacy protections
• The intersection of the two can be quite a challenge for multi-national corporations
10. Tracking It All
• Multitude of compliance targets, which vary per country and industry
• Difficult to track compliance across targets
• Frameworks -> Policies -> Processes -> Procedures
• Framework -> Compliance mappings exist
• Sourcing can make compliance easier, but requires upfront negotiation
12. Source: SANS IT Security Spending Trends, Feb. 2016
• Budgets are normalizing towards the 5-7% range of IT spending overall
• Lower ends show significant improvements in security spend
13. Source: SANS IT Security Spending Trends, Feb. 2016
• IT budgets are mostly remaining flat, and in some cases constricting
• Education remains a challenge both for personnel and spending
14. Source: SANS IT Security Spending Trends, Feb. 2016
• It’s not a matter of if, but when… so why do we prioritize prevention?
• Staff training and certification is in the lowest tier of spending… are we doing enough?
• We spend more money responding to compliance requests than we spend on improving and automating
• Does this seem crazy to anyone else?
15. So Why Source?
• XaaS only works as a provider when there is commonality
• Commonality that doesn’t include default secure configurations increases overhead of incident response
• Price points can be powerful drivers to enhance overall security
• Proper outsourcing can result in outsourcing of risk as well -- IF -- proper diligence was performed in selecting the provider
18. Except That…
• Ideology isn’t motivating attacks, money is.
• The actual threat actors are now frequently masking their actions with commoditized attack vectors and techniques.
• Collective hacking is a concept espoused since Hackers, but has never really materialized.
19. “FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large.”
“We have no names, man. No names. We are nameless!”
20. Leaving Us With
• The attackers have realized the economies of scale far faster than we have.
• They use well-defined services, including corporate level branding.
• They use viable, commodity attacks to defeat our defenses.
• Even when we’re told about the attacks, we often have to sort out exactly what the actual target was.
• “They know your network better than your staff do.”
22. Let’s Compare
• How close do you think the attack versus defend costs really are?
• All of the following statements are based upon open source intelligence/pricing data for a company of 10,000 employees and are per-year costs unless otherwise noted.
23. Defense Tools
• Cost of industry-leading SIEM: $300,000
• Cost of industry-leading vulnerability scanning/management: $40,000
• Cost of industry-leading AV: $75,000
• Cost of industry-leading DDOS protection: $120,000
• Cost of industry-leading APT protection: $95,000
• Cost of industry-leading wireless attack detection/remediation: $25,000
• Cost of integration of all of above: $150,000
24. Attack Tools
• Cost of world-class wireless hacking tool: $0
• Cost of world-class extensible exploitation framework: $0
• Cost of world-class browser exploitation and automation tool: $0
• Cost of custom exploit with guaranteed AV bypass: $250
• Cost of world-class reverse engineering software suite: $1200
• Cost of world-class OSINT pivoting software: $800
• Cost of world-class DDOS botnet rental: $30/hr
25. Pricing and Support
• How much do you spend on just the tools themselves?
• How much do you spend on support?
• How frequently do you have to hire a third-party to review what the tool vendor setup?
• How frequently do you have to integrate two tools, and end up needing at least three representatives on the line to make all of that work… and how often when that occurs do the vendors point to one another as the culprit?
26. Why We’re Losing
• It’s cost prohibitive to defend
• When something works we monetize it instead of donating it
• We haven’t yet realized what the attackers do: we work better together
• We deal far too often in commodity while thinking it’s “APT” or “nation state”
• We use terms like “APT” to defend our reputations whenever a breach occurs
28. The New IT Landscape
• All of this drives us to XaaS solutions
• We outsource our hardware and call it IaaS
• We outsource our applications and call it PaaS
• We outsource everything and call it SaaS
• And the thing is, these are generally GOOD decisions… but how do we monitor them?
29. The Challenges of XaaS
• Every XaaS includes some mechanism to monitor the SLA/OLA performance
• Every XaaS includes some API that can magically give any data you want
• Most XaaS integrate with a few strategic partners, and if you happen to use their chosen partners, life is great
• Most XaaS offer very limited (non-paid) support to integrate with anyone else
30. How Did Netflix Succeed?
• They determined that their core focus was to get users watching content.
• They didn’t care what they watched that content on.
• They didn’t really care how many simultaneous users there were.*
• They aggressively developed integrations with every platform they could.
• They made their service a benefit to other companies/products, and freely available.
* Based upon personal experiences, not hard data
32. So How Do We Move Forward?
• Invest in our people. We ignore them at our peril.
• Foster deeper relationships and partnerships with our vendors.
• Vendor management is the new SIEM.
• Demand the same degree of cooperation between vendors that we expect from one another.
• Define what it is that we actually require. When a vendor can’t or won’t commit to that, have the courage to walk away.
33. Homework
• Create policies and requirements aligned to a common framework
• Establish standards for data consumption and document them
• Send your security teams out to more training
• Take your vendor management team out to lunch
• Support the vendor management team like they’re part of your team (they are)
• Don’t be afraid to share
34. The Takeaways
• Compliance can work for or against you
• Vendor management teams need to be your close allies
• We need to start sharing if we ever hope to overcome our adversaries
• The computing landscapes are getting both more complex and more secure
• Economies of scale are predicated upon partnership and trust
• Invest first in people, then in processes, then technology
HIPAA – Health Insurance Portability and Accountability Act
HITECH – Health Information Technology for Economic and Clinical Health
PCI – Payment Card Industry, normally DSS (Data Security Standards)
SOX – Sarbanes Oxley
FISMA – Federal Information Security Management Act of 2002
GLBA – Gramm-Leach-Bliley Act
FERPA – Family Educational Rights and Privacy Act
DPD – Data Protection Directive
GDPR – General Data Protection Regulation (supersedes the DPD)
PIPA – Korea’s Personal Information Protection Act
ITA – India’s Information Technology Act of 2002
ISO – Grandfather of them all, information security management system (27001 is the management system, 27002 is best-practice recommendations)
NIST CSF – National Institute of Standards and Technology Cyber Security Framework – 2014, incorporates NIST SPs into guidance
NIST SP-800 series – Detailed list of computer security guidelines, recommendations, and reference materials. SP-1800 series contains user-level guides
SAS-70 – Statement on Auditing Standards No. 70, related to financial reporting controls, replaced by SSAE 16
SSAE 16 – Statement on Standards for Attestation Engagements, includes Service Organization Control frameworks 1-3
ISAE 3402 – International Standard on Assurance Engagements (ISAE)… Assurance Reports on Controls at a Service Organization. Expansion of SAS-70
CSC – SANS Center for Internet Security Critical Security Controls – 20 controls, starts with inventories
COBIT – Control Objectives for Information and related Technologies, created by ISACA (formerly Information Systems Audit and Control Association)
NERC – North American Electric Reliability Corporation
ISA/IEC 62443 – Industrial Automation and Control Systems, certifications for COTS, being revised to align more closely with ISO 27000 series
IASME – Information Assurance for Small and Medium Enterprises
RFC 2196 – Site Security Handbook (1997)
China: National Security Law of the PRC, passed July 1, 2015: “Article 83: In national security work, when special measures are required that restrict the rights and freedoms of citizens, they shall be conducted in accordance with law, and limited by the actual needs of safeguarding national security.”
Germany: Federal Data Protection Act of 2003 (whole thing, including