Tactical Edge - How Much Security Do You Really Need?
![Page 1: Tactical Edge - How Much Security Do You Really Need?](https://reader031.vdocument.in/reader031/viewer/2022021507/587854881a28ab68198b6f71/html5/thumbnails/1.jpg)
HOW MUCH SECURITY DO YOU REALLY NEED?
Wendy Nather, @RCISCwendy
Research Director, Retail Cyber Intelligence Sharing Center (R-CISC)
Bogotá, 24 Octubre 2016
INTRODUCTION
• The Great Mystery
• “Expense in Depth”
• Even the Experts Don’t Know – pricing out a security program
• A better framework – the Cyber Defense Matrix
• Trimming your current security portfolio
• Evaluating the risk in a way that works for you
MODELS FOR SECURITY SPENDING
• Benchmarking – what is everyone else doing?
• Compliance-driven spending
• Metrics-driven
• Evidence-driven
MODELS FOR SECURITY SPENDING
• Spend only what you need to until the next breach
• Keep spending until you run out of budget
• Have an unlimited budget
EXPENSE IN DEPTH (RICK HOLLAND)
• Security is a patchwork quilt, and you keep buying things to layer over the gaps
• Leads to overspending in some areas and underspending in others
• Overloading systems
EXPENSE IN DEPTH
• Dueling agents
• Prioritizing network decisions
• Cognitive and effort overload on your personnel every time you add something new
“I’M A NEW CISO. IT’S MY FIRST DAY ON THE JOB IN AN ORGANIZATION THAT HAS NEVER DONE SECURITY BEFORE. WHAT SHOULD I BUY?”
The Real Cost of Security, 451 Research, 2013
EVEN THE EXPERTS DON’T KNOW
• As few as 4 different technologies and as many as 31
• Everyone said “it depends,” including the vendors
¯\_(ツ)_/¯
EVEN THE EXPERTS DON’T KNOW
• The minimum baselines pretty much matched up to PCI, and included both firewalls and AV
• Budget could be off by as much as a factor of 4
• There’s still no guarantee you won’t get breached
CAN WE DO BETTER?
CYBER DEFENSE MATRIX
Sounil Yu, [large US financial]
Rows (asset classes): Devices, Applications, Network, Data, People
Columns (the five NIST Cybersecurity Framework functions): Identify, Protect, Detect, Respond, Recover
Bottom axis, Degree of Dependence: Technology toward the left, People toward the right, Process underlying all columns
LEFT AND RIGHT OF “BOOM”
The same matrix (Devices, Applications, Network, Data, People against Identify, Protect, Detect, Respond, Recover; Degree of Dependence from Technology to People, Process throughout), split at the compromise event:
Pre-Compromise (left of boom): Identify, Protect
Post-Compromise (right of boom): Detect, Respond, Recover
ENTERPRISE SECURITY MARKET SEGMENTS
Market segments placed on the matrix, each in the asset row and function column it serves:
• IAM
• Endpoint Visibility and Control / Endpoint Threat Detection & Response
• Configuration and Systems Management
• Data Labeling
• App Sec (SAST, DAST, IAST, RASP), WAFs
• Phishing Simulations
• DDoS Mitigation
• Insider Threat / Behavioral Analytics
• Network Security (FW, IPS)
• DRM, Data Encryption, DLP
• IDS, Netflow
• Full PCAP
• AV, HIPS
• Deep Web, Brian Krebs, FBI
• Backup
• Phishing Awareness
MARKET SEGMENTS – OTHER ENVIRONMENTS
Threat Actor Assets: Threat Data, Intrusion Deception, Malware Sandboxes
MARKET SEGMENTS – OTHER ENVIRONMENTS
Vendor Assets: Cloud Access Security Brokers, Vendor Risk Assessments
Customer Assets: Endpoint Fraud Detection, Device Fingerprinting, Web Fraud Detection
Employee Assets: BYOD MAM, BYOD MDM
See the rest of the slides at
https://www.rsaconference.com/events/us16/agenda/sessions/2530/understanding-the-security-vendor-landscape-using
Or Google for “RSAC Sounil Yu”
TRIMMING YOUR SECURITY PORTFOLIO
• Why would you need to do that?
• Mergers and acquisitions leave redundant products in place
TRIMMING YOUR SECURITY PORTFOLIO
• Shelfware (see Javvad Malik’s research at https://www.rsaconference.com/writable/presentations/file_upload/mash-t07a-security-shelfware-which-products-gathering-dust-and-why.pdf or just Google “Javvad Malik Shelfware”)
TRIMMING YOUR SECURITY PORTFOLIO
• Improving performance
• Simplifying
• Better integration and communication
• Better price
BEFORE YOU CUT TECHNOLOGY …
• Make sure you’re using it right
• Make sure you’re using it as fully as possible
• Talk to the vendor about its limitations and roadmap (or ask peers or an analyst)
BEFORE YOU CUT TECHNOLOGY …
•Decide whether you need to replace it
• Is it a greater liability to keep it and not use it, or not to have it at all?
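As an added example (not from the talk and not Sounil Yu’s own material), the script below puts a tool inventory onto the Cyber Defense Matrix and answers the questions the matrix slides and the portfolio-trimming slides raise together: which cells have no coverage at all, which cells have two or more products competing (the “dueling agents” problem after a merger), which products are deployed so thinly they are effectively shelfware, how spend splits across the five asset rows, and how many products sit left versus right of boom. The inventory, product names, cell placements, costs and deployment percentages are constructed for illustration and are not figures from the talk.

```python
"""Map a security tool inventory onto the Cyber Defense Matrix and report
coverage gaps, redundant products, shelfware and spend per asset class.
Added example; not part of the original slides."""

ASSET_CLASSES = ("Devices", "Applications", "Network", "Data", "People")
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
LEFT_OF_BOOM = frozenset({"Identify", "Protect"})  # pre-compromise columns

# Constructed inventory. Product names, cell placements, costs and deployment
# percentages are illustrative assumptions, not data from the talk.
INVENTORY = [
    {"name": "Legacy AV (inherited in merger)", "cells": [("Devices", "Protect"), ("Devices", "Detect")],
     "annual_cost": 40_000, "deployed_pct": 95},
    {"name": "EDR agent", "cells": [("Devices", "Detect"), ("Devices", "Respond")],
     "annual_cost": 120_000, "deployed_pct": 60},
    {"name": "Next-gen firewall / IPS", "cells": [("Network", "Protect")],
     "annual_cost": 90_000, "deployed_pct": 100},
    {"name": "IDS + NetFlow collector", "cells": [("Network", "Detect")],
     "annual_cost": 30_000, "deployed_pct": 100},
    {"name": "Full packet capture appliance", "cells": [("Network", "Respond")],
     "annual_cost": 75_000, "deployed_pct": 10},
    {"name": "DLP suite", "cells": [("Data", "Protect")],
     "annual_cost": 60_000, "deployed_pct": 25},
    {"name": "Backup service", "cells": [("Data", "Recover")],
     "annual_cost": 20_000, "deployed_pct": 100},
    {"name": "IAM / directory", "cells": [("People", "Identify")],
     "annual_cost": 50_000, "deployed_pct": 100},
    {"name": "Phishing awareness training", "cells": [("People", "Protect")],
     "annual_cost": 15_000, "deployed_pct": 100},
    {"name": "WAF", "cells": [("Applications", "Protect")],
     "annual_cost": 35_000, "deployed_pct": 80},
    {"name": "Second AV (kept after acquisition)", "cells": [("Devices", "Protect")],
     "annual_cost": 25_000, "deployed_pct": 40},
]


def build_matrix(inventory):
    """Return {(asset, function): [product names]}; every cell is validated."""
    matrix = {(a, f): [] for a in ASSET_CLASSES for f in FUNCTIONS}  # row-major order
    for product in inventory:
        for cell in product["cells"]:
            if cell not in matrix:
                raise ValueError(f"{product['name']}: unknown matrix cell {cell}")
            matrix[cell].append(product["name"])
    return matrix


def coverage_gaps(matrix):
    """Cells no product covers, in row-major order (dicts keep insertion order)."""
    return [cell for cell, names in matrix.items() if not names]


def overlaps(matrix, min_products=2):
    """Cells covered by two or more products: consolidation candidates."""
    return {cell: names for cell, names in matrix.items() if len(names) >= min_products}


def shelfware(inventory, threshold_pct=50):
    """Products deployed to less than threshold_pct of their intended scope."""
    return [p["name"] for p in inventory if p["deployed_pct"] < threshold_pct]


def spend_by_asset(inventory):
    """Annual spend per asset row; a product counts once per row it touches."""
    spend = {a: 0 for a in ASSET_CLASSES}
    for p in inventory:
        for asset in {asset for asset, _ in p["cells"]}:
            spend[asset] += p["annual_cost"]
    return spend


def boom_balance(inventory):
    """Distinct products touching pre-compromise vs post-compromise columns."""
    left = {p["name"] for p in inventory if any(f in LEFT_OF_BOOM for _, f in p["cells"])}
    right = {p["name"] for p in inventory if any(f not in LEFT_OF_BOOM for _, f in p["cells"])}
    return {"pre_compromise": len(left), "post_compromise": len(right)}


def report(inventory):
    """Print the portfolio review a CISO would take into a trimming discussion."""
    matrix = build_matrix(inventory)
    print("Uncovered cells:", ", ".join(f"{a}/{f}" for a, f in coverage_gaps(matrix)))
    for (asset, function), names in overlaps(matrix).items():
        print(f"Overlap at {asset}/{function}: {names}")
    print("Shelfware (<50% deployed):", shelfware(inventory))
    print("Spend by asset row:", spend_by_asset(inventory))
    print("Products by side of boom:", boom_balance(inventory))


if __name__ == "__main__":
    report(INVENTORY)
```

Run as-is it prints the review for the constructed inventory: the two Devices cells where the inherited AV and the newer agent overlap, fourteen empty cells, and three products below half deployment. The EDR agent shows why the review has to be done per product and not per cell: it is the only thing in Devices/Respond, so cutting it to resolve the Devices/Detect overlap opens a new gap. That is the slides’ question in concrete form: is it a greater liability to keep a product and not use it, or not to have it at all.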
BEFORE YOU CUT PEOPLE …
• Know what they’re contributing, both in expertise and workload
• Expertise includes institutional knowledge
BEFORE YOU CUT PEOPLE …
•Remember cognitive workload: just because they have the time to squeeze in an extra task, it doesn’t mean they can give it the attention it needs
•Keep task priorities in mind – response mode keeps staff from being proactive
EVALUATING EFFECTIVENESS AND RISK
EVALUATING EFFECTIVENESS AND RISK
• Is it addressing a risk everyone can believe in?
CHEESEBURGER RISK MANAGEMENT
Sure, it might happen – but not for a long time
EVALUATING EFFECTIVENESS AND RISK
• How does it address the risk?
• Don’t say “it’s blocking millions of attacks,” because that makes Dave Lewis really angry
EVALUATING EFFECTIVENESS AND RISK
•What are you relying on technology to do, versus what you’re relying on people to do?
•Are you basing your security strategy on the hope that people will change?
YOUR MANAGEMENT’S FAVORITE METRICS
• Time saved
• Money saved
• Performance improvements / availability
MATCHING MONEY WITH SECURITY
• Avoiding loss – but remember the probability discussion
• Allowing revenue generators to do it faster
• Saving time, which is money
MATCHING MONEY WITH SECURITY
• Helping the business make better decisions in other areas
• Providing a competitive advantage (but you’ll have to prove it)
• Losses may or may not happen, but other improvements will show themselves if you can measure them
GETTING BREACHED JUST MIGHT BE CHEAPER …
• Published research by Sasha Romanosky, RAND Corporation (August 2016)
• “Most cyber events cost firms less than 0.4% of their annual revenues”
GETTING BREACHED JUST MIGHT BE CHEAPER …
• By contrast, US firms lost an estimated 0.9% of their revenue to online fraud in 2013 (Cybersource 2013 Online Fraud Report)
(Which shows that breaches are being treated separately from fraud, so whatever)
GETTING BREACHED JUST MIGHT BE CHEAPER …
• Calculated that firms were spending an average of 0.025% of revenues on cybersecurity
• Half of cyber events cost a firm an amount approximately equal to its annual investment in IT security (i.e. within ±$1 million of investment)
Wait, what?
WHAT IF I TOLD YOU …
… that you may already be spending enough?
SPENDING IS NOT DOING
• You can be spending right, but doing it wrong
• You can be doing it right, but spending wrong
SOME KIND OF PYRAMID
Top: Using security products
Understanding threats
Controlling changes
Base: Knowing what you have and what it’s doing
SUMMARY
• There are many ways to evaluate your portfolio
• There’s no ground truth
• Identify the risks you can believe in
• Find the evidence that you’re addressing those risks
• Remember: it’s in the way that you use it