Thought Leader Global 2014 Amsterdam: Taking Security Seriously -> Going Beyond Compliance

Taking Security Seriously: Going Above and Beyond Compliance

Uploaded by: claus-cramon-houmann

Posted on 08-Jun-2015


DESCRIPTION

Presentation of different strategic models for approaching Information Security on an enterprise level

TRANSCRIPT

Page 1: Thought Leader Global 2014 Amsterdam: Taking Security seriously -> Going beyond compliance

Taking Security Seriously

Going Above and Beyond Compliance

Page 2

About me

• I might be provoking you a bit
• Father of 3, happily married. I live in Luxembourg
• CIO for a bank, and also independent IT/Infosec consultant and CIO-as-a-service. Any opinions here are my own and do not represent my employer.
• Contributor to the @TheAnalogies project (making IT and Infosec understandable to the masses)
• Member of the I Am The Cavalry movement – securing our bodies, minds and souls in the IoT
• @ClausHoumann
• Find my work on SlideShare

Page 3

It’s late. WAKE UP

• CEOs?
• CISOs?
• CIOs?
• CFOs?
• CTOs?
• COOs?
• Consultants?

Page 4

Let’s get the FUD out of the way

• FUD is Fear, Uncertainty and Doubt.
• You will be presented with FUD by vendors, daily.
• I’ll try not to FUD you. Focus on solution models.

Page 5

Is security important?

• Show of hands for:
  – No
  – Maybe
  – Yes
  – Always
  – My compliance department keeps me safe

Note to self: Remember to apologize in advance to any auditors present at this point.

Page 6

Monopoly

• Is compliance this?

Is company X secure?

Page 7

Compliance IS NOT Security

• Which any of you who ever attended a security conference will have already heard
• Compliance is preparing to fight yesteryear’s war

Page 8

Auditor limitations

• Auditors are easily distracted
• Auditors are easily “information overloaded”
• Auditors go easy on you because they want to keep the audit contract
• Auditors can be persuaded to remove critical findings
• Auditors will let you pass in the end anyway

Page 9

That being said

• Compliance CAN plug holes for you
• Compliance CAN set a minimum level of security for you
• Compliance does provide more security than nothing, especially if done right
• All this is nothing new, let’s move on

Page 10

Example: PCI DSS

Page 11

But

• Target was compliant, Home Depot also.
• 97%+ of audits are successful
• Compliance is at the same time both simple (you can do it successfully) and complex (SO many things to be compliant with)

Page 12

What is (most) compliance about then?

Source: Accretive solutions, Gary Pennington

Page 13

But as you see... no security. Fake security, or, if you really like compliance, spotty/patchy security.

Page 14

Security IS important

• Why?
• Don’t say you don’t know why.

Page 15

Page 16

It’s an asymmetrical conflict

X-wing

Page 17

Want to beat the asymmetry?

• Creating awareness (risk management?)
• Increasing the security budget
• Justifying the investment when there are no/few real attacks/opponents
  – It’s easier when you’re actually being attacked. But too late.
• Doing it right without attacks requires automation, red team testing, training -> all expensive

Page 18

How

• Identify potential attackers and profile them
• Decrease attacker ROI below the critical threshold

Page 19

Mitigate risks

Source: Dave Sweigert

Page 20

Building an actual defense

A few ideas exist:
• A scalable Defense in Depth (not defined sufficiently yet)
• A defensible security posture (Nigel Willson – nigethesecurityguy.wordpress.com)
• Breaking the “Cyber kill chain” (Lockheed Martin)
• Joshua Corman’s pyramid

Page 21

Defense-in-Depth

Page 22

Defense in Depth

• You need to secure:
  – Internal systems
  – The cloud
  – The mobile user

Sample protections added only, not the complete picture of course.

Page 23

Page 24

Defend in depth, on all devices and networks

• Example: PC defense includes:
  – Whitelisting
  – Blacklisting
  – AV
  – Sandboxing
  – Registry defenses
  – Change roll-backs
  – HIPS
  – EMET
  – Domain policies
  – Log collection and review
  – MFA
  – ACLs/Firewall rules
  – Heuristics detection/prevention
  – DNS audit and protection

Page 25

Defensible security posture via @Nigethesecurityguy

Page 26

Cyber kill chain

Sources: Huntsman, Tier-3 & Lockheed Martin

Page 27

Kill chain actions

Source: Nige the Security Guy = Nigel Willson

Page 28

Joshua Corman’s pyramid for going beyond compliance (bottom to top):

• Defensible Infrastructure
• Operational Excellence
• Situational Awareness
• Counter-measures

Page 29

Pick the low-hanging apples?

• As your organization’s “Infosec level” matures, you may be able to pass or almost pass a pentest.
• Most low-hanging fruits have been “picked” already.
• This makes it very hard for “them” to get in via hacking methods -> they will try malware next.

Page 30

And the unexpected extra win

• Real security will actually make you compliant in many areas of compliance

Page 31

Q & A

• Ask me questions, or I’ll ask you questions

Page 32

Sources used
– http://www.itbusinessedge.com
– Heartbleed.com
– https://nigesecurityguy.wordpress.com/
– American Association for Justice
– http://www.slideshare.net/AffiniPay?utm_campaign=profiletracking&utm_medium=sssite&utm_source=ssslideviewv
– Accretive Solutions – Gary Pennington
– Joshua Corman and David Etue from RSAC 2014, “Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome”
– Lego / PCthreat