Mork - CISO Summit USA 2016 - Security in an Outsourced World
TRANSCRIPT
Security in an Outsourced World
Brian Mork
CISO, Celanese
About Me
• CISO at Celanese
• Hacker / Security Aficionado
• Former RF engineer, US Navy Cryptographer, Software Developer, PenTester, etc.
• Father and Husband
Disclaimers
• I am not a lawyer
• The opinions expressed in this presentation are only warranted as my own
• I am not a lawyer
• While I have some ideas, I am very interested in yours as well
• I am not a lawyer
Rules of Engagement
• Interactive sessions are more beneficial to all than lectures
• If you have a question or comment, please let me know
• The standard rule applies: the only dumb question is one not asked
• There will be time for questions and discussions at the end as well
The Problems
• Compliance continues to grow
• Budgets vary with the news cycle
• Threats are evolving faster than defenses
• Tools to attack are cheap, to defend are expensive
• Decentralized computing removes (some) visibility
Growing Compliance
Name That Compliance Target
• HIPAA/HITECH
• PCI
• SOX
• FISMA
• GLBA
• FERPA
• EU DPD
• EU GDPR
• PIPA
• ITA
Name That Framework
• ISO 27000 series
• NIST SP 800 series
• NIST CSF
• SSAE 16
• ISAE 3402
• CSC
• COBIT
• NERC
• ISA/IEC 62443
• IASME
• RFC 2196
Competing National Priorities
• US company doing business in Germany and China
• China requires a high degree of reporting and monitoring
• Germany requires a high degree of privacy protections
• The intersection of the two can be quite a challenge for multi-national corporations
Tracking It All
• Multitude of compliance targets, which vary per country and industry
• Difficult to track compliance across targets
• Frameworks -> Policies -> Processes -> Procedures
• Framework -> Compliance mappings exist
• Sourcing can make compliance easier, but requires upfront negotiation
Budget Variances
[Slide 12: chart]
Source: SANS IT Security Spending Trends, Feb. 2016
• Budgets are normalizing towards the 5-7% range of IT spending overall
• Lower ends show significant improvements in security spend
[Slide 13: chart]
Source: SANS IT Security Spending Trends, Feb. 2016
• IT budgets are mostly remaining flat, and in some cases constricting
• Education remains a challenge both for personnel and spending
[Slide 14: chart]
Source: SANS IT Security Spending Trends, Feb. 2016
• It’s not a matter of if, but when… so why do we prioritize prevention?
• Staff training and certification is in the lowest tier of spending… are we doing enough?
• We spend more money responding to compliance requests than we spend on improving and automating
• Does this seem crazy to anyone else?
So Why Source?
• XaaS only works as a provider when there is commonality
• Commonality that doesn’t include default secure configurations increases overhead of incident response
• Price points can be powerful drivers to enhance overall security
• Proper outsourcing can result in outsourcing of risk as well -- IF -- proper diligence was performed in selecting the provider
Threat Evolution
[Slide 17: chart]
Except That…
• Ideology isn’t motivating attacks, money is.
• The actual threat actors are now frequently masking their actions with commoditized attack vectors and techniques.
• Collective hacking is a concept espoused since Hackers (the 1995 film), but has never really materialized.
“FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large.”
“We have no names, man. No names. We are nameless!”
– Cereal Killer
Leaving Us With
• The attackers have realized the economies of scale far faster than we have.
• They use well-defined services, including corporate level branding.
• They use viable, commodity attacks to defeat our defenses.
• Even when we’re told about the attacks, we often have to sort out exactly what the actual target was.
• “They know your network better than your staff do.”
Tool Costs
Let’s Compare
• How close do you think the attack versus defend costs really are?
• All of the following statements are based upon open source intelligence/pricing data for a company of 10,000 employees and are per-year costs unless otherwise noted.
Defense Tools
• Cost of industry-leading SIEM: $300,000
• Cost of industry-leading vulnerability scanning/management: $40,000
• Cost of industry-leading AV: $75,000
• Cost of industry-leading DDoS protection: $120,000
• Cost of industry-leading APT protection: $95,000
• Cost of industry-leading wireless attack detection/remediation: $25,000
• Cost of integration of all of the above: $150,000
Attack Tools
• Cost of world-class wireless hacking tool: $0
• Cost of world-class extensible exploitation framework: $0
• Cost of world-class browser exploitation and automation tool: $0
• Cost of custom exploit with guaranteed AV bypass: $250
• Cost of world-class reverse engineering software suite: $1,200
• Cost of world-class OSINT pivoting software: $800
• Cost of world-class DDoS botnet rental: $30/hr
Pricing and Support
• How much do you spend on just the tools themselves?
• How much do you spend on support?
• How frequently do you have to hire a third party to review what the tool vendor set up?
• How frequently do you have to integrate two tools, and end up needing at least three representatives on the line to make all of that work… and how often when that occurs do the vendors point to one another as the culprit?
Why We’re Losing
• It’s cost prohibitive to defend
• When something works we monetize it instead of donating it
• We haven’t yet realized what the attackers do: we work better together
• We deal far too often in commodity while thinking it’s “APT” or “nation state”
• We use terms like “APT” to defend our reputations whenever a breach occurs
Decentralization
The New IT Landscape
• All of this drives us to XaaS solutions
• We outsource our hardware and call it IaaS
• We outsource our applications and call it PaaS
• We outsource everything and call it SaaS
• And the thing is, these are generally GOOD decisions… but how do we monitor them?
The Challenges of XaaS
• Every XaaS includes some mechanism to monitor the SLA/OLA performance
• Every XaaS includes some API that can magically give any data you want
• Most XaaS integrate with a few strategic partners, and if you happen to use their chosen partners, life is great
• Most XaaS offer very limited (non-paid) support to integrate with anyone else
How Did Netflix Succeed?
• They determined that their core focus was to get users watching content.
• They didn’t care what they watched that content on.
• They didn’t really care how many simultaneous users there were.*
• They aggressively developed integrations with every platform they could.
• They made their service a benefit to other companies/products, and freely available.
* Based upon personal experiences, not hard data
The Future
So How Do We Move Forward?
• Invest in our people. We ignore them at our peril.
• Foster deeper relationships and partnerships with our vendors.
• Vendor management is the new SIEM.
• Demand the same degree of cooperation between vendors that we expect from one another.
• Define what it is that we actually require. When a vendor can’t or won’t commit to that, have the courage to walk away.
Homework
• Create policies and requirements aligned to a common framework
• Establish standards for data consumption and document them
• Send your security teams out to more training
• Take your vendor management team out to lunch
• Support the vendor management team like they’re part of your team (they are)
• Don’t be afraid to share
The Takeaways
• Compliance can work for or against you
• Vendor management teams need to be your close allies
• We need to start sharing if we ever hope to overcome our adversaries
• The computing landscapes are getting both more complex and more secure
• Economies of scale are predicated upon partnership and trust
• Invest first in people, then in processes, then technology
Questions/Discussion
Thank you for your time and attention!
Credits
• https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697
• http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/