thought leader global 2014 amsterdam: taking security seriously -> going beyond compliance

Post on 08-Jun-2015


DESCRIPTION

Presentation of different strategic models for approaching Information Security on an enterprise level

TRANSCRIPT

Taking Security Seriously

Going Above and Beyond Compliance

About me

• I might be provoking you a bit
• Father of 3, happily married. I live in Luxembourg
• CIO for a Bank, and also independent IT/Infosec consultant and CIO-as-a-service. Any opinions here are my own and do not represent my employer.

• Contributor to @TheAnalogies project (making IT and Infosec understandable to the masses)

• Member of the I am the Cavalry movement – securing our bodies, minds and souls in the IoT

• @ClausHoumann
• Find my work on slideshare

It’s late. WAKE UP

• CEO’s?
• CISO’s?
• CIO’s?
• CFO’s?
• CTO’s?
• COO’s?
• Consultants?

Let’s get the FUD out of the way

• FUD is Fear, uncertainty and doubt.
• You will be presented with FUD by vendors, daily
• I’ll try not to FUD you. Focus on solution models.

Is security important?

• Raise of hands for:
– No
– Maybe
– Yes
– Always
– My compliance department keeps me safe

Note to self: Remember to apologize in advance to any auditors present at this point.

Monopoly

• Is compliance this?

Is company X secure

Compliance

• Is
• NOT
• Security

• Which any of you who ever attended a Security conference will have already heard

• Compliance is preparing to fight yesteryear’s war

Auditor limitations

• Auditors are easily distracted
• Auditors are easily ”Information overloaded”
• Auditors go easy on you because they want to keep the audit contract
• Auditors can be persuaded to remove critical findings
• Auditors will let you pass in the end anyway

That being said

• Compliance CAN plug holes for you
• Compliance CAN set a minimum level of security for you
• Compliance does provide more security than nothing, especially if done right
• All this is nothing new, let’s move on

Example: PCI DSS

but

• Target was compliant, Home Depot also.
• 97%+ of audits are successful
• Compliance is at the same time both simple (you can do it successfully) and complex (SO many things to be compliant with)

What is (most) compliance about then?

Source: Accretive solutions, Gary Pennington

But as you see... no security. Fake security, or if you really like compliance, spotty / patchy security

Security IS important

• Why?
• Don’t say you don’t know why.

It’s an asymmetrical conflict

X-wing

Want to beat the asymmetry?

• Creating awareness (risk management?)
• Increasing the security budget
• Justifying the investment when there are no/few real attacks/opponents
– It’s easier when you’re actually being attacked. But too late.
• Doing it right without attacks requires automation, red team testing, training -> all expensive

How

• Identify potential attackers and profile them
• Decrease attacker ROI below critical threshold

Mitigate risks

Source: Dave Sweigert

Building an actual defense

A few ideas exist
• A scalable Defense in Depth (not defined sufficiently yet)
• A defensible security posture (Nigel Willson – nigethesecurityguy.wordpress.com)
• Breaking the ”Cyber kill chain” (Lockheed Martin)
• Joshua Corman’s pyramid

Defense-in-Depth

Defense in Depth

• You need to secure:
– Internal systems
– The Cloud
– The Mobile user

Sample protections added only, not the complete picture of course

Defend in depth, on all devices and networks

• Example. PC defense includes:
– Whitelisting
– Blacklisting
– AV
– Sandboxing
– Registry defenses
– Change roll-backs
– HIPS
– EMET
– Domain policies
– Log collection and review
– MFA
– ACL’s/Firewall rules
– Heuristics detection/prevention
– DNS audit and protection

Defensible security posture via @Nigethesecurityguy

Cyber kill chain

Sources: Huntsman, Tier-3 & Lockheed Martin

Kill chain actions

Source: Nige the security guy = Nigel Wilson

Defensible Infrastructure

Operational Excellence

Situational Awareness

Counter-measures

Joshua Corman’s pyramid for going beyond compliance

Pick the low hanging apples?

• As your organization’s “Infosec level” matures, you may be able to pass or almost pass a pentest.
• Most low hanging fruits have been “picked” already
• This makes it very hard for “them” to get in via hacking methods -> they will try malware next

And the unexpected extra win

• Real security will actually make you compliant in many areas of compliance

Q & A

• Ask me questions, or I’ll ask you questions

Sources used
– http://www.itbusinessedge.com
– Heartbleed.com
– https://nigesecurityguy.wordpress.com/
– American association for justice
– http://www.slideshare.net/AffiniPay?utm_campaign=profiletracking&utm_medium=sssite&utm_source=ssslideviewv
– Accretive solutions – Gary Pennington
– Joshua Corman and David Etue from RSAC 2014 ”Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome”
– Lego / PCthreat
