Security in an Outsourced World
Brian Mork
CISO
Celanese
About Me
• CISO at Celanese
• Hacker / Security Aficionado
• Former RF engineer, US Navy Cryptographer, Software Developer, PenTester, etc.
• Father and Husband
Disclaimers
• I am not a lawyer
• The opinions expressed in this presentation are only warranted as my own
• I am not a lawyer
• While I have some ideas, I am very interested in yours as well
• I am not a lawyer
Rules of Engagement
• Interactive sessions are more beneficial to all than lectures
• If you have a question or comment, please let me know
• The standard rule applies: the only dumb question is one not asked
• There will be time for questions and discussions at the end as well
The Problems
• Compliance continues to grow
• Budgets vary with the news cycle
• Threats are evolving faster than defenses
• Tools to attack are cheap, to defend are expensive
• Decentralized computing removes (some) visibility
Growing Compliance
Name That Compliance Target
• HIPAA/HITECH
• PCI
• SOX
• FISMA
• GLBA
• FERPA
• EU DPD
• EU GDPR
• PIPA
• ITA
Name That Framework
• ISO 27000 Series
• NIST SP-800 Series
• NIST CSF
• SSAE 16
• ISAE 3402
• CSC
• COBIT
• NERC
• ISA/IEC-62443
• IASME
• RFC 2196
Competing National Priorities
• US company doing business in Germany and China
• China requires high degree of reporting and monitoring
• Germany requires high degree of privacy protections
• The intersection of the two can be quite a challenge for multi-national corporations
Tracking It All
• Multitude of compliance targets, which vary per country and industry
• Difficult to track compliance across targets
• Frameworks -> Policies -> Processes -> Procedures
• Framework -> Compliance mappings exist
• Sourcing can make compliance easier, but requires upfront negotiation
Budget Variances
Source: SANS IT Security Spending Trends, Feb. 2016
• Budgets are normalizing towards the 5-7% range of IT spending overall
• Lower ends show significant improvements in security spend
Source: SANS IT Security Spending Trends, Feb. 2016
• IT budgets are mostly remaining flat, and in some cases constricting
• Education remains a challenge both for personnel and spending
Source: SANS IT Security Spending Trends, Feb. 2016
• It’s not a matter of if, but when… so why do we prioritize prevention?
• Staff training and certification is in the lowest tier of spending… are we doing enough?
• We spend more money responding to compliance requests than we spend on improving and automating
• Does this seem crazy to anyone else?
So Why Source?
• XaaS only works as a provider when there is commonality
• Commonality that doesn’t include default secure configurations increases overhead of incident response
• Price points can be powerful drivers to enhance overall security
• Proper outsourcing can result in outsourcing of risk as well -- IF -- proper diligence was performed in selecting the provider
Threat Evolution
Except That…
• Ideology isn’t motivating attacks, money is.
• The actual threat actors are now frequently masking their actions with commoditized attack vectors and techniques.
• Collective hacking is a concept espoused since Hackers, but has never really materialized.
“FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large.”
“We have no names, man. No names. We are nameless!”
Leaving Us With
• The attackers have realized the economies of scale far faster than we have.
• They use well-defined services, including corporate level branding.
• They use viable, commodity attacks to defeat our defenses.
• Even when we’re told about the attacks, we often have to sort out exactly what the actual target was.
• “They know your network better than your staff do.”
Tool Costs
Let’s Compare
• How close do you think the attack versus defend costs really are?
• All of the following statements are based upon open source intelligence/pricing data for a company of 10,000 employees and are per-year costs unless otherwise noted.
Defense Tools
• Cost of industry-leading SIEM: $300,000
• Cost of industry-leading vulnerability scanning/management: $40,000
• Cost of industry-leading AV: $75,000
• Cost of industry-leading DDOS protection: $120,000
• Cost of industry-leading APT protection: $95,000
• Cost of industry-leading wireless attack detection/remediation: $25,000
• Cost of integration of all of above: $150,000
Attack Tools
• Cost of world-class wireless hacking tool: $0
• Cost of world-class extensible exploitation framework: $0
• Cost of world-class browser exploitation and automation tool: $0
• Cost of custom exploit with guaranteed AV bypass: $250
• Cost of world-class reverse engineering software suite: $1200
• Cost of world-class OSINT pivoting software: $800
• Cost of world-class DDOS botnet rental: $30/hr
Pricing and Support
• How much do you spend on just the tools themselves?
• How much do you spend on support?
• How frequently do you have to hire a third party to review what the tool vendor set up?
• How frequently do you have to integrate two tools, and end up needing at least three representatives on the line to make all of that work… and how often when that occurs do the vendors point to one another as the culprit?
Why We’re Losing
• It’s cost prohibitive to defend
• When something works we monetize it instead of donating it
• We haven’t yet realized what the attackers do: we work better together
• We deal far too often in commodity while thinking it’s “APT” or “nation state”
• We use terms like “APT” to defend our reputations whenever a breach occurs
Decentralization
The New IT Landscape
• All of this drives us to XaaS solutions
• We outsource our hardware and call it IaaS
• We outsource our applications and call it PaaS
• We outsource everything and call it SaaS
• And the thing is, these are generally GOOD decisions… but how do we monitor them?
The Challenges of XaaS
• Every XaaS includes some mechanism to monitor the SLA/OLA performance
• Every XaaS includes some API that can magically give any data you want
• Most XaaS integrate with a few strategic partners, and if you happen to use their chosen partners, life is great
• Most XaaS offer very limited (non-paid) support to integrate with anyone else
How Did Netflix Succeed?
• They determined that their core focus was to get users watching content.
• They didn’t care what they watched that content on.
• They didn’t really care how many simultaneous users there were.*
• They aggressively developed integrations with every platform they could.
• They made their service a benefit to other companies/products, and freely available.
* Based upon personal experiences, not hard data
The Future
So How Do We Move Forward?
• Invest in our people. We ignore them at our peril.
• Foster deeper relationships and partnerships with our vendors.
• Vendor management is the new SIEM.
• Demand the same degree of cooperation between vendors that we expect from one another.
• Define what it is that we actually require. When a vendor can’t or won’t commit to that, have the courage to walk away.
Homework
• Create policies and requirements aligned to a common framework
• Establish standards for data consumption and document them
• Send your security teams out to more training
• Take your vendor management team out to lunch
• Support the vendor management team like they’re part of your team (they are)
• Don’t be afraid to share
The Takeaways
• Compliance can work for or against you
• Vendor management teams need to be your close allies
• We need to start sharing if we ever hope to overcome our adversaries
• The computing landscapes are getting both more complex and more secure
• Economies of scale are predicated upon partnership and trust
• Invest first in people, then in processes, then technology
Questions/Discussion
Thank you for your time and attention!
Credits
• https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697
• http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/


Editor's Notes

  1. Compliance targets:
  • HIPAA – Health Insurance Portability and Accountability Act
  • HITECH – Health Information Technology for Economic and Clinical Health
  • PCI – Payment Card Industry, normally DSS (Data Security Standards)
  • SOX – Sarbanes-Oxley
  • FISMA – Federal Information Security Management Act of 2002
  • GLBA – Gramm-Leach-Bliley Act
  • FERPA – Family Educational Rights and Privacy Act
  • DPD – Data Protection Directive
  • GDPR – General Data Protection Regulation (supersedes the DPD)
  • PIPA – Korea’s Personal Information Protection Act
  • ITA – India’s Information Technology Act of 2002
  2. Frameworks:
  • ISO – Grandfather of them all, information security management system (27001 is the management system, 27002 is best practice recommendations)
  • NIST CSF – National Institute of Standards and Technology Cyber Security Framework – 2014, incorporates NIST SPs into guidance
  • NIST SP-800 series – Detailed list of computer security guidelines, recommendations, and reference materials. SP-1800 series contains user-level guides
  • SAS-70 – Statement on Auditing Standards No. 70, related to financial reporting controls, replaced by SSAE 16
  • SSAE 16 – Statement on Standards for Attestation Engagements, includes Service Organization Control frameworks 1-3
  • ISAE 3402 – International Standard on Assurance Engagements (ISAE)… Assurance Reports on Controls at a Service Organization. Expansion of SAS-70
  • CSC – SANS Center for Internet Security Critical Security Controls – 20 controls, starts with inventories
  • COBIT – Control Objectives for Information and related Technologies, created by ISACA (formerly Information Systems Audit and Control Association)
  • NERC – North American Electric Reliability Corporation
  • ISA/IEC 62443 – Industrial Automation and Control Systems, certifications for COTS, being revised to align more closely with ISO 27000 series
  • IASME – Information Assurance for Small and Medium Enterprises
  • RFC 2196 – Site Security Handbook (1997)
  3. Competing national priorities:
  • China: National Security Law of the PRC, passed July 1, 2015: “Article 83: In national security work, when special measures are required that restrict the rights and freedoms of citizens, they shall be conducted in accordance with law, and limited by the actual needs of safeguarding national security.”
  • Germany: Federal Data Protection Act of 2003 (whole thing, including