thought leader global 2014 amsterdam: taking security seriously -> going beyond compliance
DESCRIPTION
Presentation of different strategic models for approaching Information Security on an enterprise level
TRANSCRIPT
Taking Security Seriously
Going Above and Beyond Compliance
About me
• I might be provoking you a bit
• Father of 3, happily married. I live in Luxembourg
• CIO for a Bank, and also independent IT/Infosec consultant and CIO-as-a-service. Any opinions here are my own and do not represent my employer.
• Contributor to @TheAnalogies project (making IT and Infosec understandable to the masses)
• Member of the I Am The Cavalry movement – securing our bodies, minds and souls in the IoT
• @ClausHoumann
• Find my work on slideshare
It’s late. WAKE UP
• CEOs?
• CISOs?
• CIOs?
• CFOs?
• CTOs?
• COOs?
• Consultants?
Let’s get the FUD out of the way
• FUD is Fear, Uncertainty and Doubt.
• You will be presented with FUD by vendors, daily
• I’ll try not to FUD you. Focus on solution models.
Is security important?
• Raise of hands for:
– No
– Maybe
– Yes
– Always
– My compliance department keeps me safe
Note to self: Remember to apologize in advance to any auditors present at this point.
Monopoly
• Is compliance this?
Is company X secure?
Compliance
• Is NOT security
• Which anyone who has ever attended a security conference will already have heard
• Compliance is preparing to fight yesteryear’s war
Auditor limitations
• Auditors are easily distracted
• Auditors are easily ”information overloaded”
• Auditors go easy on you because they want to keep the audit contract
• Auditors can be persuaded to remove critical findings
• Auditors will let you pass in the end anyway
That being said
• Compliance CAN plug holes for you
• Compliance CAN set a minimum level of security for you
• Compliance does provide more security than nothing, especially if done right
• All this is nothing new, let’s move on
Example: PCI DSS
but
• Target was compliant, Home Depot also.
• 97%+ of audits are successful
• Compliance is at the same time both simple (you can do it successfully) and complex (SO many things to be compliant with)
What is (most) compliance about then?
Source: Accretive solutions, Gary Pennington
But as you see... no security. Fake security, or if you really like compliance, spotty / patchy security
Security IS important
• Why?
• Don’t say you don’t know why.
It’s an asymmetrical conflict
X-wing
Want to beat asymmetry?
• Creating awareness (risk management?)
• Increasing the security budget
• Justifying the investment when there are no/few real attacks/opponents
– It’s easier when you’re actually being attacked. But then it’s too late.
• Doing it right without attacks requires automation, red team testing, training -> all expensive
How
• Identify potential attackers and profile them
• Decrease attacker ROI below the critical threshold
Mitigate risks
Source: Dave Sweigert
Building an actual defense
A few ideas exist
• A scalable Defense in Depth (not defined sufficiently yet)
• A defensible security posture (Nigel Willson – nigethesecurityguy.wordpress.com)
• Breaking the ”Cyber Kill Chain” (Lockheed Martin)
• Joshua Corman’s pyramid
Defense in Depth
• You need to secure:
– Internal systems
– The Cloud
– The Mobile user
Sample protections added only, not the complete picture of course
Defend in depth, on all devices and networks
• Example. PC defense includes:
– Whitelisting
– Blacklisting
– AV
– Sandboxing
– Registry defenses
– Change roll-backs
– HIPS
– EMET
– Domain policies
– Log collection and review
– MFA
– ACLs/Firewall rules
– Heuristics detection/prevention
– DNS audit and protection
Defensible security posture via @Nigethesecurityguy
Cyber kill chain
Sources: Huntsman, Tier-3 & Lockheed Martin
Kill chain actions
Source: Nige the Security Guy = Nigel Willson
Defensible Infrastructure
Operational Excellence
Situational Awareness
Counter-measures
Joshua Corman’s pyramid for going beyond compliance
Pick the low hanging apples?
• As your organization’s “Infosec level” matures, you may be able to pass or almost pass a pentest.
• Most low-hanging fruits have been “picked” already
• This makes it very hard for “them” to get in via hacking methods -> they will try malware next
And the unexpected extra win
• Real security will actually make you compliant in many compliance areas
Q & A
• Ask me questions, or I’ll ask you questions
Sources used
– http://www.itbusinessedge.com
– Heartbleed.com
– https://nigesecurityguy.wordpress.com/
– American Association for Justice
– http://www.slideshare.net/AffiniPay?utm_campaign=profiletracking&utm_medium=sssite&utm_source=ssslideviewv
– Accretive Solutions – Gary Pennington
– Joshua Corman and David Etue from RSAC 2014, ”Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome”
– Lego / PCthreat