broke note broken: an effective information security program with a $0 budget

Post on 08-Jun-2015


DESCRIPTION

Slides from my talk at BSides Detroit 2013

TRANSCRIPT

Broke, Not Broken

An Effective Information Security Program With a $0 Budget

The Hard Truth

You work in Michigan

Your company needs to innovate

Security itself is not strategic

You get no [new] money

The Harder Truth

All new technology is on the Internet

Your company is a monetizable target

Foreign competitors have your old IP

They’re going to get your new IP, too

Regulation +1

Business Alignment

What’s our strategy?

What does the CEO say it is?

What is the CIO/CFO/COO worried about?

What is IT spending money on this year?

Is your company spending lots of money on technology without IT involvement?

Risk = Impact x Likelihood

Internet-exposed systems

Core applications

Fraud / separation of duties

BCP / DR

OMG, are you in healthcare?!

VENDORS!!

Project Consulting

Go to where the money is being spent!

Give generously of your time

Focus on the project’s success

Architecture (or whatever)

Designs, roadmaps, or whatever

Don’t just produce ivory tower crap

Sprinkle liberally with buzzwords

Architecture (serious this time)

Future-forward capabilities

Data & network security design for IaaS

Secure API architecture for mobile apps

Secure standards

SDLC practices

Server build guides

Metrics

Security metrics are really hard

Risk metrics are the easiest to put together

Good metrics tell a story

Data drives decision-making

Deliverables

Risk Assessment

Architecture

Compliance

Metrics

Publish and Present

None of what you said helps

Incident Response

Your budget doesn’t matter

Dedicated time for investigating

Find your normal, look for anomalies

What to collect

Web filter / proxy logs

SMTP gateway logs

Firewall logs

NIDS (use bro or Snort)

Edge router / Internet full packet capture
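"Find your normal, look for anomalies" applied to the proxy logs listed above, as an added example that is not from the talk: a baseline of which hosts talk to which destinations is built from an earlier window, then a later window is checked for destinations never seen before and for destinations contacted at a near-constant interval. The log format and all sample lines are constructed for the example.

```python
"""Baseline-and-anomaly pass over web proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical "timestamp src dst bytes" format.
BASELINE_LOGS = """\
2012-10-01T09:00:00 10.1.1.5 updates.example.com 1200
2012-10-01T09:05:00 10.1.1.5 intranet.example.com 3400
2012-10-01T09:10:00 10.1.1.7 updates.example.com 900
2012-10-02T10:00:00 10.1.1.7 news.example.com 5000
"""

OBSERVED_LOGS = """\
2012-10-15T09:00:00 10.1.1.5 intranet.example.com 3000
2012-10-15T09:01:00 10.1.1.5 cdn.unknown-host.example 512
2012-10-15T09:06:00 10.1.1.5 cdn.unknown-host.example 512
2012-10-15T09:11:00 10.1.1.5 cdn.unknown-host.example 512
2012-10-15T09:16:00 10.1.1.5 cdn.unknown-host.example 512
2012-10-15T11:00:00 10.1.1.7 news.example.com 4100
"""

def parse(text):
    """Turn log lines into (timestamp, src, dst, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows

def build_baseline(rows):
    """'Normal' = the set of destinations each source host has talked to before."""
    seen = defaultdict(set)
    for _, src, dst, _ in rows:
        seen[src].add(dst)
    return seen

def find_anomalies(baseline, rows, min_hits=3, jitter_s=30):
    """Flag (a) destinations absent from the baseline and (b) destinations
    contacted at a near-constant interval, which is worth a second look."""
    findings = []
    per_pair = defaultdict(list)
    for ts, src, dst, _ in rows:
        per_pair[(src, dst)].append(ts)
    for (src, dst), stamps in per_pair.items():
        if dst not in baseline.get(src, set()):
            findings.append(("new-destination", src, dst))
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_hits - 1 and max(gaps) - min(gaps) <= jitter_s:
            findings.append(("regular-interval", src, dst))
    return findings
```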

Incident Response

Commercial, yet free

ArcSight Logger L750B

Splunk Free License

Q1 Labs QRadar Free License

NetWitness Investigator

Open Source

Snort, Suricata

Snare, syslog-ng, OSSEC

Best Distro EVAR!

The best free thing right now

Microsoft EMET v4.0 is imminent (late, actually)

Managed via AD group policy (3)

By-process memory exploit protections

SSL/TLS cert pinning detection (4)

Error reporting to SCOM for mitigation alerts (4)

Other 2013 Security Initiatives

“Malware incidents demonstrated a noticeable peak in volume during the summer months of 2012. The significant fall of malware-related incidents beginning in November coincided with the deployment of the Microsoft Enhanced Mitigation Experience Toolkit (EMET), a new vulnerability mitigation tool that has been installed onto Priority Health user workstations. The highest volume of malware incidents in 2012 was in October with 14. In comparison the highest volume of malware incidents in any month in 2011 was 22. Botnet activity accounted for all of the malware incidents in October that could be identified, with the largest portion coming from an attack that used the compromised web server of a local TV station.”

[Chart: IS Information Security Program, 2012 Security Case Category: Malware. Monthly malware incident counts, Jan through Dec 2012; vertical axis 0 to 16.]

Shameless Promotions

I’m hiring! careers.spectrum-health.org

GRSec grsec.blogspot.com

GrrCON grrcon.org

Discussion

Email: pmelson@gmail.com Twitter: @pmelson
