1
What Affects Confidence In
Security Programs?
Rocky Mountain Information Security Conference 2014
Bill Burns | Executive-In-Residence | Scale Venture Partners | Bill@ScaleVP.com | @x509v3
2
My Background
• Production hybrid cloud security at scale
  – Deployed distributed, hybrid cloud WAF
  – Co-developed CloudHSM for IaaS hardware root of trust
• Corporate IT “all-cloud” security strategy
  – Cloud-first, mobile-first infrastructure model
  – Mix of public cloud, best-of-breed SaaS
• RSAC Program Committee, Startup Technical Advisory Boards, ISSA CISO Forum & Career Lifecycle
• Previously:
3
Agenda
• Trends and Forcing Functions on Information Security
• InfoSec’s Role in Managing Business Risk
• Security Innovations, Market Needs
• Early Research Results: Improving Confidence
4
CISOs: “What Kept You Up Last Night?”
Source: Scale Venture Partners
5
Top Trends & Forcing Functions on InfoSec
(Chart: each trend rated by CISOs on a Concern … Unconcern axis)
• Agile/DevOps
• BYOD
• Shadow IT / Consumerization
• Increased Regs/Compliance
• Internet Of Things
• IT Automation
• Mobile computing
• SaaS
• Ubiquitous Internet Access
• Virtualization / IaaS
• Weaponization of Internet / espionage
• Work/Life Integration
Source: Scale Venture Partners
6
Security Forcing Function – Mobility, BYOD
Source: Mary Meeker, KPCB
7
Security Forcing Function – Mobility, BYOD
• 58% of Americans own a smartphone, 42% own a tablet [1]
• By 2017, 50% of employers will require you to BYOD for work [2]
(1) Pew Research, Jan 2014 | (2) Gartner, May 2013
8
Security Forcing Function – Work Anywhere
• Blurring work/life integration
  – Aruba’s “#GenMobile” initiative
  – Starbucks wants to be your life’s “3rd Place”
• Ubiquitous network access & seamless roaming
  – 802.11ac, n – wireless networking “just works”
    • Faster than typical wired ports, easier to provision
  – Mobile 4G LTE is also “fast enough”
    • Faster than my home’s DSL
  – By 2018: 25% of corporate data will flow directly from mobile devices to the cloud [3]
(3) Gartner, Nov 2013
9
Security Forcing Function – IaaS / Virtualization
• Clouds are compelling to businesses; hard for old security controls to match pace
• AWS Example:
  – ~Quadrupled offered services in 4 years
  – Reduced pricing 42 times in 8 years as equipment ages out
Source: AWS
10
Old: Perimeter Firewalls
11
Old: Perimeter Firewalls
• Castle and Moat (layered) defense
• Place people, data behind datacenter firewalls
• Provisioning workflows were serialized, expensive, slow
• “Behind the firewall” = Trusted: network location stood in for authorization
12
New Perimeters : Follow the Data
13
New Perimeters : Follow the Data
Security controls evolving to be more:
• Proximal – Move closer to the application and data
• Mobile – Follow the infrastructure, application
• Resilient – Emphasize recovery and response
• Holistic – Include technical, legal, and business-level input
• Coordinated – Reliant on communications, automation
14
InfoSec’s Role
• Be a trusted advisor to the business
  – InfoSec doesn’t own the risk
  – Anticipates security risk/controls changes and needs
  – Communicates technical risks in business terms
• Implement guardrails and gates based on risk, sensitivity
  – Like brakes on a car: enables the business to take smart risks
  – Architect, design, implement controls
  – Measure & report risk with data
  – Manage remediation, response
• Success: customers proactively request your guidance!
15
So…What’s Your Cloud Comfort Level?
• Cloud Adoption / Maturity:
  – Naysayers: you can’t do that (but can’t articulate why)
  – Pathfinders: here’s how to do it, early lessons learned
  – Optimizers: here’s how to do it well, what not to do
16
So…What’s Your Cloud Comfort Level?
• Cloud Adoption / Maturity
  – Naysayers
  – Pathfinders
  – Optimizers
• Cloud is inevitable – get comfortable managing it
  – Example: “We have 10 years of legacy work to deal with, we don’t have time to look at our cloud usage!”
  – Benefits to agility, automation, consistency
• It’s about the business
  – Board-level discussion on results, competition, risk
  – “Risk is our business” – Philosopher James T. Kirk
17
Security Delivered Via Cloud Services
18
Anticipating Risks: Partners’ Controls
• Service Providers: must consider security as a basic requirement
  – They have a more uniform (“smoother”) attack surface than enterprises
  – Laser-focused goals, homogeneous environment, etc.
  – All customers pentesting their provider: doesn’t scale
    • Which standard would we all trust? CCM (CSA Cloud Controls Matrix)? Other? Discuss.
• Which controls are most relevant, important for your business?
  – Prioritize those during negotiations, evaluations, assessments
  – Bring Your Own Security: encryption, incident response, audit, SoD (separation of duties), …
19
Anticipating Risks: Partners’ Controls
• Integrate Security Controls with Legal
  – Risk-based questionnaires: level of scrutiny based on data sensitivity
  – Contractual: add boilerplate language in your contracts, MSAs, etc.
    • Ask your partners for the security fundamentals
    • Operational security basics, secure development, security incident notification, etc.
• Assess Third-Party Partners
  – Trust but verify their controls. It’s your data!
  – Do one-time and ongoing assessments
  – Make sure you’re testing what you anticipated
  – Partner with your partners on any findings
20
SaaS Applications: Growth and Risk Perspective
21
InfoSec Advisor: New controls and capabilities
• Track movement, access to assets
  – Behavioral analytics become embedded, table stakes
  – DRM/DLP-like controls, applied closer to the data
  – More focus on detection, monitoring
  – Blocking done more through orchestration, automation
  – Inventories and network paths always up to date
• Restrict access to assets
  – Cloud-to-cloud chokepoints
  – SSO and risk-based authentication, authorization
  – On-the-fly controls: DLP, encryption, watermarking
  – Firewall controls based on tags, data and host classification/sensitivity
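What “firewall controls based on tags and classification” looks like in practice, as an added example that is not part of the deck: every flow is authorized against the source and destination asset’s tags and data classification, with default deny, so re-tagging an asset changes the decisions without rewriting IP-based rules. The inventory, tag names, classifications and rules are constructed for illustration.

```python
"""Tag-based flow authorization: "authorize everything" instead of
"behind the firewall = trusted".

Added example, not from the deck. The inventory, tags, classifications
and rules below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed asset inventory: every host carries tags plus a data classification.
ASSETS = {
    "web-1":    {"tier": "web",      "env": "prod", "class": "public"},
    "app-1":    {"tier": "app",      "env": "prod", "class": "internal"},
    "db-1":     {"tier": "db",       "env": "prod", "class": "confidential"},
    "db-dev":   {"tier": "db",       "env": "dev",  "class": "internal"},
    "laptop-7": {"tier": "endpoint", "env": "corp", "class": "internal"},
}

SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Rule:
    src: dict                 # tag values the source must carry
    dst: dict                 # tag values the destination must carry
    ports: set                # permitted destination ports
    require_tls: bool = False


# Constructed policy, written against tags rather than IP addresses.
# Anything not matched below is denied.
RULES = [
    Rule(src={"tier": "web", "env": "prod"}, dst={"tier": "app", "env": "prod"},
         ports={8443}, require_tls=True),
    Rule(src={"tier": "app", "env": "prod"}, dst={"tier": "db", "env": "prod"},
         ports={5432}, require_tls=True),
    Rule(src={"tier": "endpoint"}, dst={"env": "dev"}, ports={22, 5432}),
]


def matches(tags: dict, selector: dict) -> bool:
    """True when every selector key/value is present on the asset's tags."""
    return all(tags.get(k) == v for k, v in selector.items())


def authorize(src: str, dst: str, port: int, tls: bool) -> tuple[bool, str]:
    """Decide one flow. Returns (allowed, reason); unknown assets are denied."""
    s, d = ASSETS.get(src), ASSETS.get(dst)
    if s is None or d is None:
        return False, "unknown asset (not in inventory)"
    # Classification guard applies before any rule: confidential data never
    # travels in cleartext, whatever the tier-to-tier rule says.
    if SENSITIVITY[d["class"]] >= SENSITIVITY["confidential"] and not tls:
        return False, f"{dst} is {d['class']}; cleartext not permitted"
    for r in RULES:
        if matches(s, r.src) and matches(d, r.dst) and port in r.ports:
            if r.require_tls and not tls:
                return False, "rule requires TLS"
            return True, "matched rule"
    return False, "no matching rule (default deny)"


def retag(asset: str, tags: dict) -> None:
    """Change an asset's tags; every later decision follows the new tags."""
    ASSETS[asset].update(tags)


if __name__ == "__main__":
    for flow in [("web-1", "app-1", 8443, True), ("web-1", "db-1", 5432, True),
                 ("app-1", "db-1", 5432, False), ("laptop-7", "db-dev", 5432, False)]:
        print(flow, "->", authorize(*flow))
    # Promote db-dev to confidential: the same cleartext flow is now denied.
    retag("db-dev", {"class": "confidential"})
    print(("laptop-7", "db-dev", 5432, False), "->",
          authorize("laptop-7", "db-dev", 5432, False))
```

The classification guard sits outside the rule list on purpose: a tier-to-tier allow rule written by one team cannot quietly expose confidential data in cleartext, and an asset that is missing from the inventory gets no access at all, which is what keeps “inventories always up to date” a security control rather than a nice-to-have.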
22
Adopting Cloud: Getting Started in IaaS
• Plan: pick 1-3 security metrics to improve & compare
  – Examples: days to patch vulns, average host uptime, firewall ACLs actually used
• Do: start simple, fail fast on “uninteresting” workflows
• Improve: codify policies, patches, asset management, provisioning
• Iterate: review lessons learned often, make small course corrections
  – Good security starts with solid operational hygiene
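The three example metrics from the Plan step, computed from an inventory so they can be compared before and after a change. This is an added example, not from the deck; the host records, vulnerability dates and firewall hit counters are constructed, and the field names are assumptions rather than any provider’s API.

```python
"""Baseline security metrics for an IaaS estate.

Added example, not from the deck. Computes the three metrics the slide
suggests (days to patch, average host uptime, firewall ACLs actually
used) from a constructed inventory. Field names are assumptions.
"""
from datetime import date
from statistics import mean, median

REPORT_DATE = date(2014, 5, 15)

# Constructed: one record per host. "vulns" holds (disclosure date, patch date)
# pairs; a patch date of None means the finding is still open on REPORT_DATE.
HOSTS = [
    {"id": "web-1", "boot": date(2014, 1, 3),
     "vulns": [(date(2014, 4, 8), date(2014, 4, 9))]},
    {"id": "app-1", "boot": date(2013, 9, 20),
     "vulns": [(date(2014, 4, 8), date(2014, 4, 30))]},
    {"id": "db-1", "boot": date(2013, 2, 1),
     "vulns": [(date(2014, 4, 8), None)]},
]

# Constructed: firewall rules with the hit counters a device or provider exposes.
FW_RULES = [
    {"id": "allow-443-web", "hits": 120394},
    {"id": "allow-22-any", "hits": 0},
    {"id": "allow-5432-app", "hits": 8812},
    {"id": "allow-3389-legacy", "hits": 0},
]


def days_to_patch(hosts, today=REPORT_DATE):
    """Median and p90 days from disclosure to patch.

    Open findings are counted at their current age rather than dropped, so an
    unpatched host makes the metric worse instead of vanishing from it.
    """
    ages, open_count = [], 0
    for h in hosts:
        for disclosed, patched in h["vulns"]:
            if patched is None:
                open_count += 1
                ages.append((today - disclosed).days)
            else:
                ages.append((patched - disclosed).days)
    ages.sort()
    p90 = ages[min(len(ages) - 1, int(0.9 * len(ages)))]
    return {"median": median(ages), "p90": p90, "open": open_count}


def avg_uptime_days(hosts, today=REPORT_DATE):
    """Mean days since boot. Very long uptimes usually mean kernel patches
    were never applied, or that hosts are hand-built rather than rebuilt."""
    return mean((today - h["boot"]).days for h in hosts)


def acl_usage(rules):
    """Share of firewall rules that saw any traffic; zero-hit rules are the
    first candidates to remove when shrinking the rule base."""
    unused = [r["id"] for r in rules if r["hits"] == 0]
    used_pct = round(100 * (1 - len(unused) / len(rules)), 1)
    return {"used_pct": used_pct, "unused": unused}


def report(hosts=HOSTS, rules=FW_RULES, today=REPORT_DATE):
    """One snapshot to store and diff against the next iteration."""
    return {
        "as_of": today.isoformat(),
        "days_to_patch": days_to_patch(hosts, today),
        "avg_uptime_days": avg_uptime_days(hosts, today),
        "acl_usage": acl_usage(rules),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

Storing each `report()` snapshot and diffing it against the previous one is the “compare” half of the Plan step; the numbers are deliberately simple so that the same script runs against a legacy datacenter export and an IaaS account, which is what makes the before/after comparison honest.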
23
Summary: Evolving Controls, Maturity
• Get baseline visibility into your cloud services
  – Facts are critical to business-level conversations
  – You’re using more SaaS than you realize
  – Share data with IT, legal, other stakeholders
• Monitor and protect your data
  – Start collecting/mining SaaS access, audit logs
  – Integrate with your SIEM, monitoring systems
  – Deploy additional controls via chokepoints, automation
• Increase program maturity
  – Cloud is an opportunity to codify, automate security
  – Operational hygiene is the basis for a solid security program
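A minimal version of “collect and mine SaaS audit logs, then feed the SIEM”, added here as an example that is not part of the deck: it parses constructed JSON audit events (the field names are assumptions; real SaaS audit exports differ), learns which countries each user normally logs in from during a baseline window, and then flags logins from a country never seen for that user and bursts of downloads inside a rolling hour, emitting one JSON line per alert for a SIEM to ingest.

```python
"""Mining SaaS audit logs: per-user country baseline plus bulk-download burst.

Added example, not from the deck. SAMPLE_LOG is constructed; field names
(ts, user, event, ip, country, file) are assumptions, not a real vendor's schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: one JSON object per line, RFC 3339 UTC timestamps.
SAMPLE_LOG = """\
{"ts":"2014-05-12T09:01:00Z","user":"alice","event":"login","ip":"203.0.113.5","country":"US"}
{"ts":"2014-05-12T09:05:00Z","user":"alice","event":"download","file":"q1-forecast.xlsx"}
{"ts":"2014-05-12T09:06:00Z","user":"bob","event":"login","ip":"198.51.100.9","country":"US"}
{"ts":"2014-05-12T10:00:00Z","user":"bob","event":"download","file":"roadmap.pptx"}
{"ts":"2014-05-13T02:10:00Z","user":"alice","event":"login","ip":"192.0.2.77","country":"RO"}
{"ts":"2014-05-13T02:11:00Z","user":"alice","event":"download","file":"customers-1.csv"}
{"ts":"2014-05-13T02:11:30Z","user":"alice","event":"download","file":"customers-2.csv"}
{"ts":"2014-05-13T02:12:00Z","user":"alice","event":"download","file":"customers-3.csv"}
{"ts":"2014-05-13T02:12:30Z","user":"alice","event":"download","file":"customers-4.csv"}
"""

# Events before this instant only build the baseline; later ones are judged.
BASELINE_UNTIL = datetime(2014, 5, 13, 0, 0, 0)


def parse(log_text):
    """Yield events as dicts with "ts" converted to a naive UTC datetime."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def analyze(log_text, baseline_until, bulk_threshold=3, window=timedelta(hours=1)):
    """Return alerts for new-country logins and download bursts, in time order."""
    seen_countries = defaultdict(set)   # user -> countries observed in baseline
    downloads = defaultdict(deque)      # user -> timestamps inside the window
    alerts = []
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "login":
            country = ev.get("country", "??")
            if ts < baseline_until:
                seen_countries[user].add(country)
            elif country not in seen_countries[user]:
                alerts.append({"rule": "new_country", "user": user, "ts": ts,
                               "detail": f"login from {country} via {ev.get('ip')}"})
                seen_countries[user].add(country)   # alert once per new country
        elif ev["event"] == "download":
            q = downloads[user]
            q.append(ts)
            while q and ts - q[0] > window:         # drop downloads outside window
                q.popleft()
            if len(q) == bulk_threshold:            # fires once as the burst starts
                alerts.append({"rule": "bulk_download", "user": user, "ts": ts,
                               "detail": f"{len(q)} downloads within {window}"})
    return alerts


def to_siem_lines(alerts, source="saas-audit"):
    """Serialize alerts as JSON lines a SIEM or log pipeline can ingest."""
    return [json.dumps({**a, "ts": a["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                        "source": source}) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(analyze(SAMPLE_LOG, BASELINE_UNTIL)):
        print(line)
```

In a real pipeline the baseline would be a rolling period per user rather than a fixed cutoff, and the country lookup would come from the audit export or a GeoIP step; the structure stays the same, which is the point of starting with the logs you can already pull rather than waiting for a product.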
24
Wisegate: Maturity Proportional to Confidence
Source: Wisegate IT Security Benchmark, Sept 2013
25
Areas of Security Interest: Early Results
• Advanced authentication and identification schemes
• App-centric firewalls and containers to protect data
• Behavioral analytics to improve security, fraud
• Continuous endpoint monitoring, orchestration, remediation
• Continuous risk & compliance monitoring, reporting
• Dashboards and analytics to communicate and share metrics
• DevOps / security integrations to codify security
• Holistic DLP, data encryption and key management
• Malware protection without signatures
• Mobile security to protect data anywhere
• PKI and digital certificate management for authentication, encryption
• Proactive / predictive attack detection, real-time response
• Threat intelligence feeds, sharing
Source: Scale Venture Partners
26
Guidance to Security Vendors: Early Feedback
• Be 10x better – provide superior customer value
  – Look for disruptive technologies, approaches
  – Interoperate with what I already have
  – What can I turn off if I buy your thing?
• Think API, integration first
  – Defenders & DevOps: the future is automation, interoperability
  – InfoSec staffing is hard; automation is a force multiplier
  – No cheating: build your GUI on your API
• Model, measure, provide insights
  – Security A/B testing, modeling allows safe experimentation
  – Provide insights into the current, continuous risk state
  – Want to manage cloud risk better than legacy
  – Good deployment strategies start with great migration strategies
Source: Scale Venture Partners
27
Increasing Confidence: Early Research Results
• Security programs with higher maturity have more confidence
  – Regulations help, but so do:
  – Operational consistency
  – Incorporating standardized frameworks (ISO, NIST)
• Build what works for your company’s culture
  – Culture trumps strategy
  – There is no one, true “map”: every program is different
  – Open question: endpoint-centric vs. network-centric // block vs. monitor + respond
• Create, market, share metrics with your peers
  – Empowers teams that own responsibility for controls
  – Encourages fact-based decision-making
  – Communicates your program’s business impact
Source: Scale Venture Partners
28
Thank you!
Security-Research@ScaleVP.com
Bill Burns | Executive-In-Residence | Scale Venture Partners | Bill@ScaleVP.com | @x509v3

What affects security program confidence? - may2014 - bill burns


Editor's Notes

  • #6: Internet Access – not a concern, a foregone conclusion. IoT – too unclear what it means. Agile/DevOps – polarizing. Consumerization – polarizing.
  • #7: By 2017, 50% of employers will require employees to BYOD for work purposes (2).
  • #8: 58% / 42% of Americans now own a smartphone / tablet (1).
  • #13, #14 (same note on both slides): New: Identity and Authentication. Authenticated checkpoints/chokepoints. Everything and everyone is “outside the firewall”. Controls moving closer to the data, finer-grained. Provisioning and security policies are automated. Trust no one implicitly; authorize everything.