What affects security program confidence? - may2014 - bill burns
Download as PPTX, PDF3 likes948 views
Bill Burns gave a presentation on factors that affect confidence in security programs. He discussed how mobility, BYOD, virtualization, and cloud computing are forcing changes to security controls and perimeters. As data moves to the cloud, security must follow and focus on being proximal, mobile, resilient, holistic, and coordinated. Building maturity in security programs through frameworks, metrics, and culture helps increase confidence. Early research shows higher maturity programs have more confidence.
![7
Security Forcing Function – Mobility, BYOD
(1) Pew Research, Jan 2014 | (2) Gartner, May 2013
Smartphone - 58%
Tablet - 42%
By 2017, 50% of employers will
require you to BYOD[2] for
work.](https://image.slidesharecdn.com/rmisc-whataffectssecurityprogramconfidence-may2014-billburns-140528151155-phpapp01/85/What-affects-security-program-confidence-may2014-bill-burns-7-320.jpg)
![8
Security Forcing Function – Work Anywhere
Blurring work/life integration
– Aruba’s “#GenMobile”initiative
– Starbucks wants to be your life’s “3rd Place”
Ubiquitous network access & seamless roaming
– 802.11ac, n – wireless networking “just works”
• Faster than typical wired ports, easier to provision
– Mobile 4G LTE is also “fast enough”
• Faster than my home’s DSL
– By 2018: 25% of corporate data will flow directly mobile-cloud[3]
(3) Gartner, Nov 2013](https://image.slidesharecdn.com/rmisc-whataffectssecurityprogramconfidence-may2014-billburns-140528151155-phpapp01/85/What-affects-security-program-confidence-may2014-bill-burns-8-320.jpg)
What affects security program confidence? - may2014 - bill burns
- 1. 1 What Affects Confidence In Security Programs? Rocky Mountain Information Security Conference 2014 Bill Burns | Executive-In-Residence | Scale Venture Partners | [email protected] | @x509v3
- 2. 2 My Background Production hybrid cloud security at scale – Deployed distributed, hybrid cloud WAF – Co-developed CloudHSM for IaaS hardware root of trust Corporate IT “all-cloud” security strategy – Cloud-first, mobile-first infrastructure model – Mix of public cloud, best-of-breed SaaS RSAC Program Committee, Startup Technical Advisory Boards, ISSA CISO Forum & Career Lifecycle Previously:
- 3. 3 Agenda Trends and Forcing Functions on Information Security InfoSec’s Role in Managing Business Risk Security Innovations, Market Needs Early Research Results: Improving Confidence
- 4. 4 CISOs: “What Kept You Up Last Night?” Source: Scale Venture Partners
- 5. 5 Agile/DevOps BYOD Shadow IT / Consumerization Increased Regs/Compliance Internet Of Things IT Automation Mobile computing SaaS Ubiquitous Internet Access Virtualization / IaaS Weaponization of Internet / espionage Work/Life Integration Concern Unconcern Top Trends & Forcing Functions on InfoSec Source: Scale Venture Partners
- 6. 6 Security Forcing Function – Mobility, BYOD Source: Mary Meeker, KPCB
- 7. 7 Security Forcing Function – Mobility, BYOD (1) Pew Research, Jan 2014 | (2) Gartner, May 2013 Smartphone - 58% Tablet - 42% By 2017, 50% of employers will require you to BYOD[2] for work.
- 8. 8 Security Forcing Function – Work Anywhere Blurring work/life integration – Aruba’s “#GenMobile”initiative – Starbucks wants to be your life’s “3rd Place” Ubiquitous network access & seamless roaming – 802.11ac, n – wireless networking “just works” • Faster than typical wired ports, easier to provision – Mobile 4G LTE is also “fast enough” • Faster than my home’s DSL – By 2018: 25% of corporate data will flow directly mobile-cloud[3] (3) Gartner, Nov 2013
- 9. 9 Security Forcing Function – IaaS / Virtualization Clouds are compelling to businesses, hard for old security controls to match pace AWS Example: – ~Quadrupled offered services in 4 years – Reduced pricing 42 times in 8 years as equipment ages out Source: AWS
- 11. 11 Old: Perimeter Firewalls Castle and Moat (layered) defense Place people, data behind datacenter firewalls Provisioning workflows were serialized, expensive, slow “Behind the firewall” = Trusted
- 12. 12 New Perimeters : Follow the Data
- 13. 13 Security controls evolving to be more: o Proximal – Move closer to the application and data o Mobile – Follow the infrastructure, application o Resilient - Emphasize recovery and response o Holistic – Include technical, legal, and business-level input o Coordinated - Reliant on communications, automation New Perimeters : Follow the Data
- 14. 14 InfoSec’s Role Be a trusted advisor to the business – InfoSec doesn’t own the risk – Anticipates security risk/controls changes and needs – Communicates technical risks in business terms Implement guardrails and gates based on risk, sensitivity – Like breaks on a car: Enables the business to take smart risks – Architect, design, implement controls – Measure & report risk with data – Manage remediation, response Success: Customers proactively request your guidance!
- 15. 15 So…What’s Your Cloud Comfort Level? Cloud Adoption / Maturity: – Naysayers: you can’t do that (but can’t articulate why) – Pathfinders: here’s how to do it, early lessons learned – Optimizers: here’s how to do it well, what not to do
- 16. 16 So…What’s Your Cloud Comfort Level? Cloud Adoption/Maturity – Naysayers – Pathfinders – Optimizers Cloud is inevitable – Get comfortable managing it – Example: “We have 10 years of legacy work to deal with, we don’t have time to look at our cloud usage!” – Benefits to agility, automation, consistency It’s about the business – Board-level discussion on results, competition, risk – “Risk is our business” – Philosopher James T. Kirk
- 17. 17 Security Delivered Via Cloud Services
- 18. 18 Anticipating Risks: Partners’ Controls Service Providers: must consider security as a basic requirement – They have a smoother attack surface than enterprises – Laser-focused goals, homogeneous environment, etc. – All customers pentesting their provider: Doesn’t scale • Which standard would we all trust? CCM? Other? Discuss. Which controls are most relevant, important for your business? – Prioritize those during negotiations, evaluations, assessments – Bring Your Own Security: Encryption, incident response, audit, SoD, …
- 19. 19 Anticipating Risks: Partners’ Controls Integrate Security Controls with Legal – Risk-based Questionnaires: Level of scrutiny based on data sensitivity – Contractual: Add boilerplate language in your contracts, MSAs, etc. • Ask your partners for the security fundamentals • Operational security basics, secure development, security incident notification, etc. Assess Third-Parties Partners – Trust but verify their controls. It’s your data! – Do one-time and ongoing assessments – Make sure you’re testing what you anticipated – Partner with your partners on any findings
- 20. 20 SaaS Applications: Growth and Risk Perspective
- 21. 21 InfoSec Advisor: New controls and capabilities Track movement, access to assets – Behavioral analytics become embedded, table stakes – DRM/DLP-like controls, applied closer to the data – More focus on detection, monitoring – Blocking done more through orchestration, automation – Inventories and network paths always up to date Restrict access to assets – Cloud-to-Cloud chokepoints – SSO and risk-based authentication, authorization – On-the-fly controls: DLP, encryption, watermarking – Firewall controls based on tags, data and host classification/sensitivity
- 22. 22 Adopting Cloud: Getting Started in IaaS Plan: Pick 1-3 security metrics to improve & compare – Examples: Days to patch vulns, avg host uptime, fw ACLs used Do: Start simple, fail fast on “uninteresting” workflows Improve: Codify policies, patches, asset management, provisioning. Iterate: Review lessons learned often, make small course corrections – Good security starts with solid operational hygiene
- 23. 23 Summary: Evolving Controls, Maturity Get Baseline visibility into your Cloud Services – Facts critical to business-level conversations – You’re using more SaaS than you realize – Share data with IT, legal, other stakeholders Monitor and Protect your Data – Start collecting/mining SaaS access, audit logs – Integrate with your SIEM, monitoring systems – Deploy additional controls via chokepoints, automation Increase program maturity – Cloud is an opportunity to codify, automate security – Operational hygiene is the basis for solid security program
- 24. 24 Wisegate: Maturity Proportional to Confidence Source: Wisegate IT Security Benchmark, Sept 2013
- 25. 25 Areas of Security Interest: Early Results Advanced authentication and identification schemes App-centric firewalls and containers to protect data Behavioral analytics to improve security, fraud Continuous endpoint monitoring, orchestration, remediation Continuous risk & compliance monitoring, reporting Dashboards and analytics to communicate and share metrics DevOps / security integrations to codify security Holistic DLP, data encryption and key management Malware protection without signatures Mobile security to protect data anywhere PKI and digital certificate management for authentication, encryption Proactive / predictive attack detection, real-time response Threat intelligence feeds, sharing Source: Scale Venture Partners
- 26. 26 Guidance to Security Vendors: Early Feedback Be 10x better - provide superior customer value – Look for disruptive technologies, approaches – Interoperate with what I already have – What can I turn off if I buy your thing? Think API, integration first – Defenders & DevOps: The future is automation, interoperability – InfoSec staffing is hard, automation is a force multiplier – No cheating: Build your GUI on your API Model, measure, provide insights – Security A/B testing, modeling allows safe experimentation – Provide insights of current, continuous risk state – Want to manage cloud risk better than legacy – Good deployment strategies start with great migration strategies Source: Scale Venture Partners
- 27. 27 Increasing Confidence: Early Research Results Security programs with higher maturity have more confidence – Regulations help, but also – Operational consistency, – Incorporating standardized frameworks (ISO, NIST) Build what works for your company’s culture – Culture trumps strategy – There is no one, true “map”: Every program is different – ? Endpoint-centric vs. network-centric // Block vs. monitor + respond Create, market, share metrics with your peers – Empowers teams that own responsibility for controls – Encourages fact-based decision-making – Communicates your program’s Business Impact Source: Scale Venture Partners
- 28. 28 Thank you! [email protected] Bill Burns | Executive-In-Residence | Scale Venture Partners | [email protected] | @x509v3
Editor's Notes
- #6: Internet Access – not a concern, a foregone conclusion IoT – too unclear what it means Agile/DevOps – polarizing Consumerization - polarizing
- #7: By 2017: 50% of employers will require employees to BYOD for work purposes(2)
- #8: 58% / 42% of Americans now own a smartphone / tablet(1)
- #13: New: Identity and Authentication Authenticated checkpoints/chokepoints Everything and everyone is “outside the firewall” Controls moving closer to the data, finer-grained Provisioning and security policies are automated Trust no one implicitly; authorize everything
- #14: New: Identity and Authentication Authenticated checkpoints/chokepoints Everything and everyone is “outside the firewall” Controls moving closer to the data, finer-grained Provisioning and security policies are automated Trust no one implicitly; authorize everything