
CISO Executive Forum 2013

  1. CISO Survival in the Real World
     Bill Burns, Director, Information Security
     ISSA CISO Executive Forum, Feb 24, 2013
  2. "Thrive", not Survive
     • Context
     • A few contributions
     • Future Bets & Areas of Focus
  3. Future Bets 2015: Forcing Functions
     • Social + Mobility + Cloud
     • Traditional Controls Are Lacking
     • Analytics
  4. Netflix Business
     • World's largest TV network
     • 33 million members in 40 countries
     • Over a billion hours streamed per month
     • Supported on 1000+ device types
     • 1/3 of evening Internet traffic ((c) 2011 Sandvine)
  5. Our Culture
     • High Performance, Engineering-Focused
     • Fail Fast, Learn Fast ... Get Results
     • Data- and Metrics-Driven
     • Take Smart Risks
     Some core values:
     • "Freedom & Responsibility"
     • "Loosely-Coupled, Highly-Aligned"
     • "Context not control"
  6. Today: Data Centers & Cloud
     • Tooling
     • Risk Assessments, Treatments
     • Business Processes
     • ~99% Cloud-based today
     • Goal: Pure-Cloud Streaming
  7. Cloud: On-Demand Capacity
     (chart: Demand, # Servers and Utilization plotted over time)
     1. Demand: Typical pattern of customer requests rise & fall over time
     2. Reaction: System automatically adds, removes servers to the application pool
     3. Result: Overall utilization stays constant
  8. The Netflix Simian Army
     • Striving for continuous testing, monitoring
     • Identify and test common failure modes
     • Automation everywhere to manage risk
     The monkeys:
     • Chaos Monkey - Randomly kills instances
     • Chaos Gorilla - Evacuates entire data centers
     • Chaos Kong - Evacuates entire regions
     • Janitor Monkey - Ensures a clean inventory
     • Security Monkey - Various security checks
  9. InfoSec Challenge in an IaaS Cloud :: Confidentiality/Possession
  10. Key Management :: HSMs
     • Motivation:
       • Decouple DC and Cloud
       • Trust our Cloud more fully
       • Others probably want this too
     • Challenges:
       • Need crypto keys near the Cloud
       • HSMs are in the data center
       • Can't entirely trust our CSP
     • Solution:
       • A real HSM: FIPS 140-2 certified hardware
       • Keys stay in hardware
       • "HSM as a Service"
  11. Security: Thriving in an Agile Enterprise
  12. Future Bets 2015: Org Demands
     • Fluid, Virtual Teams of specialists / specialties
     • Dynamically form & dissolve to address opportunities, challenges
     • Emphasis on collaboration, roaming
     • Analytic, data-driven
  13. Future Bets 2015: Team Dynamics, Skills
     • Teams will:
       • Be Risk/Security Advisors, coaches, business analysts
       • Speak their language
     • Skill sets will become:
       • Less: people clicking on GUIs
       • More: analytics, automation, gluing systems together (APIs)
  14. SaaS: In use Today? Next Year?
     1. Email/chat/calendar
     2. File Storage/backups
     3. Service Ticketing
     4. On-call paging
     5. Log management
     6. Authentication/IAM
     7. App vulnerability scanning
     8. Risk management
     9. HRIS, ERM
     10. Source code repository
     11. Blogs, websites
     12. Doc collaboration
     13. Risk assessments
     14. Encryption / key management
     15. Data analytics/BI/DSE
     16. Project Management
     17. SIEM
     18. VPN
     19. MDM
     20. Anti-Virus/Anti-malware
  15. Future Bets 2015: Data, Application Security
     • Business Forcing Function: Third-party cloud apps will innovate faster than your IT department can
     • Cloud/SaaS will be IT tools, not competitors
     • Data will be encrypted automatically off-network, off-device
     • Automated, continuous assessments of your controls
  16. Future Bets 2015: Device Security
     • All-wireless office, Gigabit Wireless
     • Smartphone building badges
     • MDM layers: managed VPN, device- and app-wrapping
  17. Future Bets 2015: Network Security
     • You will be breached - Not "if" but "when"
     • How fast can you respond, contain?
     • Mix of trust: corporate, vendor, employee-owned devices
     • Verify every device, user
  18. Future Bets 2015: Automated Protection
     • We will no longer talk about BYO[everything]
     • Zero-Trust / NAC will be common
     • Networks will dynamically quarantine, inspect, test
     • Large-scale event correlation, analytics => reaction
  19. Future Bets 2015: What about the users?
     • Awareness Training will:
       • Be automated
       • Be context-relevant, bite-sized
       • Phish your employees before they do!
       • Actively test for vulnerabilities, quarantine
       • Gamify ("peer pressure") on compliance, activity
       • Be developed collaboratively
  20. Future Bets: Areas of Focus Today
     "The best way to predict the future is to invent it." - Alan Kay
     "The future is already here - it's just not evenly distributed." - William Gibson
  21. Future Bets 2015: Targeted Training
  22. Future Bets 2015: Security Analytics
     (chart: sample data)
  23. Future Bets 2015: Security Analytics - Security Control A/B Testing
     (chart: sample data)
  24. Thank you!
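Slides 7 and 8 describe two mechanisms that interact: a capacity controller that adds and removes servers so utilization stays roughly constant, and a Chaos Monkey that randomly terminates instances so the recovery path is exercised continuously. The following is an added example, not code from the deck or from Netflix: a small Python simulation in which every parameter (100 requests/s per instance, a 70% utilization target, a two-instance floor, the demand series, the instance ids) is constructed for illustration. It also runs a statically peak-provisioned pool over the same demand so the utilization difference is visible, which goes slightly beyond what the slide states.

```python
"""Toy on-demand capacity loop plus a Chaos Monkey-style instance killer.
Added illustration of slides 7 and 8; not Netflix's code. Every constant
and the demand series below are constructed for the example."""
import math
import random

CAPACITY_PER_SERVER = 100   # requests/s one instance can serve (assumed)
TARGET_UTILIZATION = 0.70   # controller keeps load at or under this
MIN_SERVERS = 2             # never shrink the pool below this floor


def servers_needed(demand):
    """Smallest pool that keeps demand / capacity at or under the target."""
    needed = math.ceil(demand / (CAPACITY_PER_SERVER * TARGET_UTILIZATION))
    return max(MIN_SERVERS, needed)


def utilization(demand, servers):
    """Fraction of pool capacity in use; values above 1.0 mean overload."""
    return demand / (servers * CAPACITY_PER_SERVER)


def autoscale(pool, demand, next_id):
    """Reaction step: add or remove instances until the pool matches demand."""
    want = servers_needed(demand)
    while len(pool) < want:
        pool.append(f"i-{next_id:04d}")   # constructed instance id
        next_id += 1
    while len(pool) > want:
        pool.pop()                        # retire the newest instance
    return next_id


def chaos_monkey(pool, rng, kill_probability):
    """With the given probability, terminate one randomly chosen instance."""
    if pool and rng.random() < kill_probability:
        victim = rng.choice(pool)
        pool.remove(victim)
        return victim
    return None


def simulate(demand_series, kill_probability=0.25, seed=7):
    """Run the control loop over a demand series; one record per tick.

    Each tick the controller reacts to demand first, then the monkey may
    kill an instance; the next tick's controller replaces it."""
    rng = random.Random(seed)
    pool, next_id, history = [], 0, []
    for demand in demand_series:
        next_id = autoscale(pool, demand, next_id)
        size_after_scale = len(pool)
        util_after_scale = utilization(demand, size_after_scale)
        killed = chaos_monkey(pool, rng, kill_probability)
        history.append({
            "demand": demand,
            "servers": size_after_scale,
            "util_after_scale": round(util_after_scale, 3),
            "killed": killed,
            "util_after_chaos": round(utilization(demand, len(pool)), 3),
        })
    return history


def fixed_pool_utilization(demand_series, servers):
    """Comparison: a statically provisioned pool of a fixed size."""
    return [round(utilization(d, servers), 3) for d in demand_series]


# Constructed demand pattern (requests/s): daytime ramp, evening peak, trough.
DEMAND = [200, 400, 800, 1200, 1500, 1200, 800, 400, 200, 150]

if __name__ == "__main__":
    for record in simulate(DEMAND):
        print(record)
    peak = servers_needed(max(DEMAND))
    print(f"fixed pool of {peak}:", fixed_pool_utilization(DEMAND, peak))
```

Running the module prints one record per tick; the `util_after_scale` column stays in a narrow band around the target while the fixed pool's utilization swings from under 10% to the peak. When a kill lands, `util_after_chaos` shows the transient overload that the next scaling step repairs, which is the failure mode the slide's "identify and test common failure modes" refers to.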