SlideShare a Scribd company logo

Thought Leader Global 2014 Amsterdam: Taking Security seriously -> Going beyond compliance

Download as PPTX, PDF
Claus Cramon Houmann
Claus Cramon Houmann

This document discusses the importance of security over compliance and provides strategies for building an effective security posture. It argues that compliance focuses on past threats and does not ensure true security. Several models for security are presented, including defense in depth with layered protections across systems, following the cyber kill chain to disrupt attacks, and building a defensible security posture. Real security that goes beyond minimum compliance is needed to effectively defend against evolving threats.

1 of 32
Taking Security Seriously Going Above and Beyond Compliance
About me • I might be provoking you a bit • Father of 3, happily married. I live in Luxembourg • CIO for a Bank, and also independent IT/Infosec consultant and CIO-as-a-service. Any opinions here are my own and do not represent my employer. • Contributor to @TheAnalogies project (making IT and Infosec understandable to the masses) • Member of the I am the Cavalry movement – securing our bodies, minds and souls in the IoT • @ClausHoumann • Find my work on slideshare
It’s late. WAKE UP • CEO’s? • CISO’s? • CIO’s? • CFO’s? • CTO’s? • COO’s? • Consultants?
Let’s get the FUD out of the way • FUD is Fear, uncertainty and doubt. • You will be presented with FUD by vendors, daily • I’ll try not to FUD you. Focus on solution models.
Is security important? • Raise of hands for: – No – Maybe – Yes – Always – My compliance department keeps me safe Note to self: Remember to apologize in advance to any auditors present at this point.
Monopoly • Is compliance this? Is company X secure
Compliance • Is • NOT • Security • Which any of you who ever attended a Security conference will have already heard • Compliance is preparing to fight yesteryears war
Auditor limitations • Auditors are easily distracted • Auditors are easily ”Information overloaded” • Auditors go easy on you because they want to keep the audit contract • Auditors can be persuaded to remove critical findings • Auditors will let you pass in the end anyway
That being said • Compliance CAN plug holes for you • Compliance CAN set a minimum-level of security for you • Compliance does provide more security than nothing, especially if done right • All this is nothing new, lets move on
Example: PCI DSS
but • Target was compliant, Home Depot also. • 97%+ of audits are succesful • Compliance is at the same time both simple (you can do it succesfully) and complex (SO many things to be compliant with)
What is (most) compliance about then? Source: Accretive solutions, Gary Pennington
But as you see.....no security. Fake security, or if you really like compliance, spotty / patchy security
Security IS important • Why? • Dont say you dont know why.
It’s an assymetrical conflict X-wing
Want to beat assymetricality? • Creating awareness (risk management?) • Increasing the security budget • Justifying the investment when no/few real attacks/opponents – It’s easier when you’re actually being attacked. But too late. • Doing it right without attacks require automation, red team testing, training -> all expensive
How • Identify potential attackers and profile them • Decrease attacker ROI below critical threshold
Mitigate risks Source: Dave Sweigert
Building an actual defense A few ideas exist • A scaleable Defense in Depth (not defined sufficiently yet) • A defensible security posture (Nigel Willson – nigethesecurityguy.wordpress.com) • Breaking the ”Cyber kill chain” (Lockheed Martin) • Joshua Cormans pyramid
Defense-in-Depth
Defense in Depth • You need to secure: – Internal systems – The Cloud – The Mobile user Sample protections added only, not the complete picture of course
Defend in depth, on all devices and networks • Example. PC defense includes: – Whitelisting – Blacklisting – AV – Sandboxing – Registry defenses – Change roll-backs – HIPS – EMET – Domain policies – Log collection and review – MFA – ACL’s/Firewall rules – Heuristics detection/prevention – DNS audit and protection
Defensible security posture via @Nigethesecurityguy
Cyber kill chain Sources: Huntsman, Tier-3 & Lockheed Martin
Kill chain actions Source: Nige the security guy = Nigel Wilson
Counter-measures Situational Awareness Operational Excellence Defensible Infrastructure Joshua Cormans pyramid for going beyond compliance
Pick the low hanging apples? •As your organizations “Infosec level” matures – you may be able to pass or almost pass a pentest. •Most low hanging fruits have been “picked” already •This makes it very hard for “them” to get in via hacking methods -> they will try malware next
And the unexpected extra win • Real security will actually make you compliant in many areas of compliance
Q & A • Ask me question, or I’ll ask you questions
Sources used – http://www.itbusinessedge.com – Heartbleed.com – https://nigesecurityguy.wordpress.com/ – American association for justice – http://www.slideshare.net/AffiniPay?utm_campaign=pro filetracking&utm_medium=sssite&utm_source=ssslidevie wv – Accretive solutions – Gary Pennington – Joshua Corman and David Etue from RSAC 2014 ”Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome” – Lego / PCthreat

Recommended

Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
The Current State of Cybersecurity
The Current State of CybersecurityThe Current State of Cybersecurity
The Current State of Cybersecurity
TruShield Security Solutions
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
TruShield Security Solutions
 
2019 FRSecure CISSP Mentor Program: Class Eleven
2019 FRSecure CISSP Mentor Program: Class Eleven2019 FRSecure CISSP Mentor Program: Class Eleven
2019 FRSecure CISSP Mentor Program: Class Eleven
FRSecure
 
How to Protect Your Mainframe from Hackers (v1.0)
How to Protect Your Mainframe from Hackers (v1.0)How to Protect Your Mainframe from Hackers (v1.0)
How to Protect Your Mainframe from Hackers (v1.0)
Rui Miguel Feio
 
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
Rui Miguel Feio
 
2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten
FRSecure
 

Recommended

Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
The Current State of Cybersecurity
The Current State of CybersecurityThe Current State of Cybersecurity
The Current State of Cybersecurity
TruShield Security Solutions
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
TruShield Security Solutions
 
2019 FRSecure CISSP Mentor Program: Class Eleven
2019 FRSecure CISSP Mentor Program: Class Eleven2019 FRSecure CISSP Mentor Program: Class Eleven
2019 FRSecure CISSP Mentor Program: Class Eleven
FRSecure
 
How to Protect Your Mainframe from Hackers (v1.0)
How to Protect Your Mainframe from Hackers (v1.0)How to Protect Your Mainframe from Hackers (v1.0)
How to Protect Your Mainframe from Hackers (v1.0)
Rui Miguel Feio
 
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
Rui Miguel Feio
 
2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten
FRSecure
 
Mainframe Security - It's not just about your ESM v2.2
Mainframe Security - It's not just about your ESM v2.2Mainframe Security - It's not just about your ESM v2.2
Mainframe Security - It's not just about your ESM v2.2
Rui Miguel Feio
 
Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To
IDERA Software
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security services
Hinne Hettema
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
Developing Software with Security in Mind
Developing Software with Security in MindDeveloping Software with Security in Mind
Developing Software with Security in Mindsblom
 
Evolving threat landscape
Evolving threat landscapeEvolving threat landscape
Evolving threat landscape
Motiv
 
Security Audit on the Mainframe (v1.0 - 2016)
Security Audit on the Mainframe (v1.0 - 2016)Security Audit on the Mainframe (v1.0 - 2016)
Security Audit on the Mainframe (v1.0 - 2016)
Rui Miguel Feio
 
Assessing Your security
Assessing Your securityAssessing Your security
Assessing Your security
Legal Services National Technology Assistance Project (LSNTAP)
 
Security challenges in 2017
Security challenges in 2017Security challenges in 2017
Security challenges in 2017
Etienne Liebetrau
 
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554TISA
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackers
Frank Victory
 
(2017) GDPR – What Does It Mean For The Mainframe v0.2
(2017) GDPR – What Does It Mean For The Mainframe v0.2(2017) GDPR – What Does It Mean For The Mainframe v0.2
(2017) GDPR – What Does It Mean For The Mainframe v0.2
Rui Miguel Feio
 
IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsAndrew S. Baker (ASB)
 
How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...
How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...
How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...
Ronald Harrison
 
Analogic Opsec 101
Analogic Opsec 101Analogic Opsec 101
Analogic Opsec 101
vicenteDiaz_KL
 
Cyber security and the mainframe (v1.3)
Cyber security and the mainframe (v1.3)Cyber security and the mainframe (v1.3)
Cyber security and the mainframe (v1.3)
Rui Miguel Feio
 
15 Minute Ransomware Survival Guide
15 Minute Ransomware Survival Guide15 Minute Ransomware Survival Guide
15 Minute Ransomware Survival Guide
Storage Switzerland
 
Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Everything is not awesome: The rising threat of Cyber-attack and what to do a...Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Robi Sen
 
Deral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail LaterDeral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail Later
centralohioissa
 
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.22017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
Rui Miguel Feio
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
 
APT - Project
APT - Project APT - Project
APT - Project Dev Lavaniya
 

More Related Content

What's hot

Mainframe Security - It's not just about your ESM v2.2
Mainframe Security - It's not just about your ESM v2.2Mainframe Security - It's not just about your ESM v2.2
Mainframe Security - It's not just about your ESM v2.2
Rui Miguel Feio
 
Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To
IDERA Software
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security services
Hinne Hettema
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
Developing Software with Security in Mind
Developing Software with Security in MindDeveloping Software with Security in Mind
Developing Software with Security in Mindsblom
 
Evolving threat landscape
Evolving threat landscapeEvolving threat landscape
Evolving threat landscape
Motiv
 
Security Audit on the Mainframe (v1.0 - 2016)
Security Audit on the Mainframe (v1.0 - 2016)Security Audit on the Mainframe (v1.0 - 2016)
Security Audit on the Mainframe (v1.0 - 2016)
Rui Miguel Feio
 
Assessing Your security
Assessing Your securityAssessing Your security
Assessing Your security
Legal Services National Technology Assistance Project (LSNTAP)
 
Security challenges in 2017
Security challenges in 2017Security challenges in 2017
Security challenges in 2017
Etienne Liebetrau
 
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554TISA
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackers
Frank Victory
 
(2017) GDPR – What Does It Mean For The Mainframe v0.2
(2017) GDPR – What Does It Mean For The Mainframe v0.2(2017) GDPR – What Does It Mean For The Mainframe v0.2
(2017) GDPR – What Does It Mean For The Mainframe v0.2
Rui Miguel Feio
 
IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsAndrew S. Baker (ASB)
 
How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...
How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...
How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...
Ronald Harrison
 
Analogic Opsec 101
Analogic Opsec 101Analogic Opsec 101
Analogic Opsec 101
vicenteDiaz_KL
 
Cyber security and the mainframe (v1.3)
Cyber security and the mainframe (v1.3)Cyber security and the mainframe (v1.3)
Cyber security and the mainframe (v1.3)
Rui Miguel Feio
 
15 Minute Ransomware Survival Guide
15 Minute Ransomware Survival Guide15 Minute Ransomware Survival Guide
15 Minute Ransomware Survival Guide
Storage Switzerland
 
Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Everything is not awesome: The rising threat of Cyber-attack and what to do a...Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Robi Sen
 
Deral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail LaterDeral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail Later
centralohioissa
 
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.22017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
Rui Miguel Feio
 

What's hot (20)

Mainframe Security - It's not just about your ESM v2.2
Mainframe Security - It's not just about your ESM v2.2Mainframe Security - It's not just about your ESM v2.2
Mainframe Security - It's not just about your ESM v2.2
 
Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To Database Security Risks You Might Not Have Considered, but Need To
Database Security Risks You Might Not Have Considered, but Need To
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security services
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
Developing Software with Security in Mind
Developing Software with Security in MindDeveloping Software with Security in Mind
Developing Software with Security in Mind
 
Evolving threat landscape
Evolving threat landscapeEvolving threat landscape
Evolving threat landscape
 
Security Audit on the Mainframe (v1.0 - 2016)
Security Audit on the Mainframe (v1.0 - 2016)Security Audit on the Mainframe (v1.0 - 2016)
Security Audit on the Mainframe (v1.0 - 2016)
 
Assessing Your security
Assessing Your securityAssessing Your security
Assessing Your security
 
Security challenges in 2017
Security challenges in 2017Security challenges in 2017
Security challenges in 2017
 
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackers
 
(2017) GDPR – What Does It Mean For The Mainframe v0.2
(2017) GDPR – What Does It Mean For The Mainframe v0.2(2017) GDPR – What Does It Mean For The Mainframe v0.2
(2017) GDPR – What Does It Mean For The Mainframe v0.2
 
IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and Tools
 
How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...
How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...
How organisations can_avoid_data_breaches_and_thus_meet_their_security_obliga...
 
Analogic Opsec 101
Analogic Opsec 101Analogic Opsec 101
Analogic Opsec 101
 
Cyber security and the mainframe (v1.3)
Cyber security and the mainframe (v1.3)Cyber security and the mainframe (v1.3)
Cyber security and the mainframe (v1.3)
 
15 Minute Ransomware Survival Guide
15 Minute Ransomware Survival Guide15 Minute Ransomware Survival Guide
15 Minute Ransomware Survival Guide
 
Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Everything is not awesome: The rising threat of Cyber-attack and what to do a...Everything is not awesome: The rising threat of Cyber-attack and what to do a...
Everything is not awesome: The rising threat of Cyber-attack and what to do a...
 
Deral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail LaterDeral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail Later
 
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.22017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
 

Viewers also liked

Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
 
Intelligence Driven Security
Intelligence Driven SecurityIntelligence Driven Security
Intelligence Driven Security
MarketingArrowECS_CZ
 
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
Claus Cramon Houmann
 
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
Claus Cramon Houmann
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
Luca Simonelli
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Lastline, Inc.
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Malware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionMalware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade Detection
Lastline, Inc.
 
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Lastline, Inc.
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 

Viewers also liked (11)

Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
APT - Project
APT - Project APT - Project
APT - Project
 
Intelligence Driven Security
Intelligence Driven SecurityIntelligence Driven Security
Intelligence Driven Security
 
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
The cavalry is us i tdays-luxembourg 2014.11.20 v1.0
 
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
Malware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionMalware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade Detection
 
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 

Similar to Thought Leader Global 2014 Amsterdam: Taking Security seriously -> Going beyond compliance

The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise Security
Stephen Cobb
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
Sean Whalen
 
terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433Terry Gilsenan
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleaner
John Stauffacher
 
An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries
Blake Carver
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
SeniorStoryteller
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
Shannon Lietz
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest riskEvan Francen
 
Event Presentation: Cyber Security for Industrial Control Systems
Event Presentation: Cyber Security for Industrial Control SystemsEvent Presentation: Cyber Security for Industrial Control Systems
Event Presentation: Cyber Security for Industrial Control Systems
Infonaligy
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)
Hannah Jane del Castillo
 
Users awarness programme for Online Privacy
Users awarness programme for Online PrivacyUsers awarness programme for Online Privacy
Users awarness programme for Online Privacy
Kazi Sarwar Hossain
 
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
Anthony Melfi
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information security
Anant Shrivastava
 
What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?
PECB
 
Information Security is NOT an IT Issue
Information Security is NOT an IT IssueInformation Security is NOT an IT Issue
Information Security is NOT an IT Issue
Evan Francen
 
Carver IT Security for Librarians
Carver IT Security for LibrariansCarver IT Security for Librarians
Carver IT Security for Librarians
National Information Standards Organization (NISO)
 
Security For Free
Security For FreeSecurity For Free
Security For Free
gwarden
 
12 Simple Cybersecurity Rules For Your Small Business
12 Simple Cybersecurity Rules For Your Small Business 12 Simple Cybersecurity Rules For Your Small Business
12 Simple Cybersecurity Rules For Your Small Business
NSUGSCIS
 

Similar to Thought Leader Global 2014 Amsterdam: Taking Security seriously -> Going beyond compliance (20)

The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise Security
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleaner
 
An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest risk
 
Event Presentation: Cyber Security for Industrial Control Systems
Event Presentation: Cyber Security for Industrial Control SystemsEvent Presentation: Cyber Security for Industrial Control Systems
Event Presentation: Cyber Security for Industrial Control Systems
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)
 
Users awarness programme for Online Privacy
Users awarness programme for Online PrivacyUsers awarness programme for Online Privacy
Users awarness programme for Online Privacy
 
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information security
 
What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?What Suppliers Don't Tell You About Security?
What Suppliers Don't Tell You About Security?
 
Information Security is NOT an IT Issue
Information Security is NOT an IT IssueInformation Security is NOT an IT Issue
Information Security is NOT an IT Issue
 
Carver IT Security for Librarians
Carver IT Security for LibrariansCarver IT Security for Librarians
Carver IT Security for Librarians
 
Security For Free
Security For FreeSecurity For Free
Security For Free
 
(2016_01_20)_IS_Management_Basics_LinkedIn
(2016_01_20)_IS_Management_Basics_LinkedIn(2016_01_20)_IS_Management_Basics_LinkedIn
(2016_01_20)_IS_Management_Basics_LinkedIn
 
12 Simple Cybersecurity Rules For Your Small Business
12 Simple Cybersecurity Rules For Your Small Business 12 Simple Cybersecurity Rules For Your Small Business
12 Simple Cybersecurity Rules For Your Small Business
 

Recently uploaded

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 

Recently uploaded (20)

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 

Thought Leader Global 2014 Amsterdam: Taking Security seriously -> Going beyond compliance

  • 1. Taking Security Seriously Going Above and Beyond Compliance
  • 2. About me • I might be provoking you a bit • Father of 3, happily married. I live in Luxembourg • CIO for a Bank, and also independent IT/Infosec consultant and CIO-as-a-service. Any opinions here are my own and do not represent my employer. • Contributor to @TheAnalogies project (making IT and Infosec understandable to the masses) • Member of the I am the Cavalry movement – securing our bodies, minds and souls in the IoT • @ClausHoumann • Find my work on slideshare
  • 3. It’s late. WAKE UP • CEO’s? • CISO’s? • CIO’s? • CFO’s? • CTO’s? • COO’s? • Consultants?
  • 4. Let’s get the FUD out of the way • FUD is Fear, uncertainty and doubt. • You will be presented with FUD by vendors, daily • I’ll try not to FUD you. Focus on solution models.
  • 5. Is security important? • Raise of hands for: – No – Maybe – Yes – Always – My compliance department keeps me safe Note to self: Remember to apologize in advance to any auditors present at this point.
  • 6. Monopoly • Is compliance this? Is company X secure
  • 7. Compliance • Is • NOT • Security • Which any of you who ever attended a Security conference will have already heard • Compliance is preparing to fight yesteryears war
  • 8. Auditor limitations • Auditors are easily distracted • Auditors are easily ”Information overloaded” • Auditors go easy on you because they want to keep the audit contract • Auditors can be persuaded to remove critical findings • Auditors will let you pass in the end anyway
  • 9. That being said • Compliance CAN plug holes for you • Compliance CAN set a minimum-level of security for you • Compliance does provide more security than nothing, especially if done right • All this is nothing new, lets move on
  • 11. but • Target was compliant, Home Depot also. • 97%+ of audits are succesful • Compliance is at the same time both simple (you can do it succesfully) and complex (SO many things to be compliant with)
  • 12. What is (most) compliance about then? Source: Accretive solutions, Gary Pennington
  • 13. But as you see.....no security. Fake security, or if you really like compliance, spotty / patchy security
  • 14. Security IS important • Why? • Dont say you dont know why.
  • 15.
  • 16. It’s an assymetrical conflict X-wing
  • 17. Want to beat assymetricality? • Creating awareness (risk management?) • Increasing the security budget • Justifying the investment when no/few real attacks/opponents – It’s easier when you’re actually being attacked. But too late. • Doing it right without attacks require automation, red team testing, training -> all expensive
  • 18. How • Identify potential attackers and profile them • Decrease attacker ROI below critical threshold
  • 19. Mitigate risks Source: Dave Sweigert
  • 20. Building an actual defense A few ideas exist • A scaleable Defense in Depth (not defined sufficiently yet) • A defensible security posture (Nigel Willson – nigethesecurityguy.wordpress.com) • Breaking the ”Cyber kill chain” (Lockheed Martin) • Joshua Cormans pyramid
  • 22. Defense in Depth • You need to secure: – Internal systems – The Cloud – The Mobile user Sample protections added only, not the complete picture of course
  • 23.
  • 24. Defend in depth, on all devices and networks • Example. PC defense includes: – Whitelisting – Blacklisting – AV – Sandboxing – Registry defenses – Change roll-backs – HIPS – EMET – Domain policies – Log collection and review – MFA – ACL’s/Firewall rules – Heuristics detection/prevention – DNS audit and protection
  • 25. Defensible security posture via @Nigethesecurityguy
  • 26. Cyber kill chain Sources: Huntsman, Tier-3 & Lockheed Martin
  • 27. Kill chain actions Source: Nige the security guy = Nigel Wilson
  • 28. Counter-measures Situational Awareness Operational Excellence Defensible Infrastructure Joshua Cormans pyramid for going beyond compliance
  • 29. Pick the low hanging apples? •As your organizations “Infosec level” matures – you may be able to pass or almost pass a pentest. •Most low hanging fruits have been “picked” already •This makes it very hard for “them” to get in via hacking methods -> they will try malware next
  • 30. And the unexpected extra win • Real security will actually make you compliant in many areas of compliance
  • 31. Q & A • Ask me question, or I’ll ask you questions
  • 32. Sources used – http://www.itbusinessedge.com – Heartbleed.com – https://nigesecurityguy.wordpress.com/ – American association for justice – http://www.slideshare.net/AffiniPay?utm_campaign=pro filetracking&utm_medium=sssite&utm_source=ssslidevie wv – Accretive solutions – Gary Pennington – Joshua Corman and David Etue from RSAC 2014 ”Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome” – Lego / PCthreat

Editor's Notes

  1. Original Model by Joshua Corman