The document outlines security challenges faced by website owners with limited technical knowledge and emphasizes the need for simplification in security processes. It highlights the prevalence of security fatigue among users and the importance of transparent, easy-to-use security solutions that meet customer expectations without ambiguity. Additionally, it calls for collaboration among service providers to create a safer online environment through shared security practices and continuous improvement.

4. US Department of Homeland Security
GRIZZLY STEEPE
2016 Joint Analysis Report (JAR)

5. Spring of 2016Summer of 2015
EmailWebsite
Delivery Mechanisms

6. *Illustration of APT29 tactics and techniques

7. *Illustration of APT28 tactics and techniques

8. They could use websites as an attack vector
via a technique known as water-hole attack.
They could depend on our curiosity as
humans to click on something. (links are meant to be
clicked, attachments opened)
Attackers in both scenarios knew…

11. SALES
MARKETING
PRODUCT
SECURITY
•
•

13. Today’s Website Owner
No technical background, they just
know they need an online presence
No purview of anything further out
than their immediate sphere
Are concerned about security only in
as far as it affects them, and by affect
a) they are blacklisted by Google or
b) customers are complaining
Few take proactive measures
against security
Inundated with noise around
security - Security Fatigue
Security is non-revenue generating
function, meaning it’s recognized as
important, but suffers from resource
allocation and prioritization
Confused around the delineation of
responsibility as it pertains to
“security”
For those that do address security
shortfalls, approach is a static
state, vs a continuous process

14. Security Reality

15. There is an exponential growth
event expected in the world
of websites.
Facilitated by the emphasis
being placed by platforms to
make the process of getting
online even simpler.

16. Process simplification
simplifies the process of
getting online, but lowers
the technical aptitude.
The lower the technical
aptitude the more security
issues we can expect.

17. What Customers Want
Easy-to-Use
Security Product
• Don’t want switch and baits when it comes to any product
• Expect security to be all encompassing
• Solve their “security” problem
No Price Ambiguity
Removal of
Arbitrary Controls
Exemplary
Customer Support
• Flat fee structure
• Customers don’t care about the nuances of security (they can’t
differentiate between backdoors and drive by downloads)
• No pricing on:
• Number of pages, number of files cleaned, or bandwidth usage
• Want a trusted partner when it comes to security
• Want to be configured and sold correctly
• Want support they can rely on

18. What can we be doing as
service providers?

19. Security must be
transparent.

20. Access Control Software
Vulnerabilities
Vectors Being Actively Abused

21. Force MFA/2FA
configurations.
A Secure by Default Paradigm
Automatic Updates. No
more Out-of-Date.

22. Security Consortium
for Service Providers
Independent of brand or organizational goals, and driven by
the simple desire to create a safer online environment.

23. Thank You!
Find us at booth #001