SECURITY VISION
ANITIAN
INSPIRING A CULTURE OF SECURITY
Anitian: intelligent information security
OUR VISION
WE BELIEVE
SECURITY IS ESSENTIAL FOR
GROWTH, INNOVATION, AND
PROSPERITY
OUR MISSION
Build great security…
• programs
• controls
• practices
• policies
• in the cloud
• leaders
OUR SERVICES
• Enterprise risk assessments
• HIPAA risk assessment
• Third party risk assessment
• PCI-DSS
• HIPAA / HITRUST
• ISO 27001:2013
• SOC2
• FFIEC / GLBA
• FISMA / NIST
• NERC-CIP
• EI3PA
• Cloud compliance
• Penetration testing
• Application security
• Code review
• Configuration analysis
• Firewall policy review
• Cloud architecture
• Social engineering
• Red team testing
• Managed security (MSSP)
• NGFW
• SIEM
• Endpoint
• Vulnerability Management
• Web Gateway
• DLP
• Behavior Analytics
• Managed detection & response (MDR)
• Digital forensics & incident response (DFIR)
• Leadership as a Service
• On-Demand advisory
• Industry & market research
• Staff augmentation
OUR SPEAKER
• President / CEO of Anitian
• Principal at TrueBit CyberPartners
• 20+ years of experience in security
• Discovered SQL injection in 1995
• Helped develop the first in-line IPS engine (BlackICE)
OVERVIEW
Intent
• Help you build a more effective security program
• Discuss the value of creating Security Vision
• Demonstrate Anitian’s value
Outline
1. The Challenge
2. Defining Security Vision
3. Implementing Security Vision
4. Qualities of Great Security Leaders
"Logic clearly dictates that the needs of the many outweigh the needs of the few… or the one."
- Spock, Star Trek II: The Wrath of Khan
THE CHALLENGE
DO WE HAVE A SECURITY
PROGRAM EFFECTIVENESS
PROBLEM?
YES
PEOPLE ARE THE MOST IMPORTANT: RESOURCE
PEOPLE ARE THE MOST IMPORTANT: THREAT
CHALLENGE
I just want to do the right things
…but I can’t
Security is a top priority…
…that does not apply to me
SCHIZOID SECURITY
CHECKBOX SECURITY
DESTROYS TRUST
GOOD ENOUGH
ISN’T GOOD ENOUGH
Weakness is endemic...
…exploitation is epidemic
Alerts are a hacker’s way of saying goodbye
PASSIVE SECURITY
Apps, cloud, access…
…the back door is wide open.
IS THERE ANY
HOPE?
YES
WITH
SECURITY
VISION
MEANING
FOCUS
RELEVANCE
ACTION
DEFINING SECURITY VISION
[Diagram: WHY, HOW, WHAT, WHERE, WHO, ACTION feed the SECURITY PROGRAM, which drives SECURITY OPERATIONS, PROJECTS and METRICS]
BUSINESS RISK VISION COMPONENTS
• WHY: Vision and mission statements
• HOW: Core values
• WHAT: Risk management
• WHERE: Projects
• WHO: Roles and responsibilities
• ACTION: Simplicity
START WITH WHY
Simon Sinek: www.startwithwhy.com
VISION & MISSION STATEMENTS
• Vision
• Make the world a better place
• Improve quality of life for everybody
• Preserve our heritage
• A world free of evil (pain, misery, loss, disease, etc.)
• Mission
• Care for the sick
• Defend (Enable, Cultivate) prosperity and innovation
• Bring (service) to everybody
• Build great security leaders
• Manage risk to promote prosperity
INWARD VS OUTWARD VISION
• FedEx (inward-facing)
"FedEx will produce superior financial returns for shareowners by providing high value-added supply chain, transportation, business and related information services through focused operating companies."
• Raytheon (outward-facing)
"One global team creating trusted, innovative solutions to make the world a safer place. Customer success is our mission."
HOW: SAMPLE CORE VALUES - RAYTHEON
• Trust
• Respect
• Collaboration
• Innovation
• Accountability
WHY/HOW: ANSWER THE BIG QUESTIONS
Communicate:
1. Why are we here? <- Vision
2. Why do we do what we do? <- Mission
3. How do we do it? <- Core Values
4. What do we do? <- Security Program
Execute:
• Encourage care
• Bring people to the table
• Focus people on the right things
• Inspire decision making
IMPLEMENTING SECURITY VISION
WHAT: IS THE THREAT?
• Your program must be based in risk management
• Communicate
• What can damage the business?
• How could it happen?
• What would be the outcome?
• What weaknesses make it possible?
• Execute
• Conduct a comprehensive, organizational risk assessment
• Share the top 10 threats with the organization
• Define projects based on those top 10
• Focus staff on those threats
SAMPLE THREAT INTELLIGENCE BRIEFING
(Columns: #, Threat, Vulnerabilities, Recommendations, Impact, Probability, Risk)
1. Threat: Attacker successfully tricks a user into performing an unsafe action
   Vulnerabilities:
   • No formal security awareness training program for employees.
   • Insufficient personnel for execution of security awareness training.
   • Users have been the target of multiple sophisticated spear-phishing email fraud campaigns.
   Recommendations:
   • Implement a formal security awareness training program for all employees.
   • Conduct regular internal phishing campaigns to help raise awareness of potential security issues.
   Impact: H | Probability: E | Risk: H
SAMPLE RISK INTELLIGENCE BRIEFING
WHERE: IS THE ANSWER?
• Establish projects that target threat and support the
business
• Communicate
• Focus on the strategic goals of the company
• Align projects to those goals, and the vision, mission, and
core values
• Have clearly defined business, security, and cost
requirements
• Execute
• Select projects to improve:
1. People
2. Technologies
3. Procedures/Policies
In that order
WHO: REALLY MATTERS?
• People are not assets
• Communicate
• Each team member’s value
• Trust, collaboration, and togetherness
• Read Speed of Trust
• Be a Servant Leader
• Execute
• Follow the 13 Behaviors of Trust
• Hire on cultural fit, not technical skill
• Fire toxic employees quickly
• Spend every day engaged, working with your team
• Serve the needs of the many AND the few
ACTION: EFFECT CHANGE
Communicate
• Favor action over reaction
• Push people to learn, grow, and become more
• What is the total cost of ownership (time, money, effort)?
Execute
• Control vendor engagement closely
• Ask people to commit to deadlines and milestones, and hold them accountable.
• Reward action that protects the business
• Establish metrics that measure result, not effort
ACTION PLAN EXAMPLE
• Define exactly what must be done to reduce/eliminate risk
• Be specific; no vague hopes
• Define the effort to implement the fix
(Columns: #, Action, Description, Estimate, Effort)
A1. Action: Integrate all critical devices with SIEM
    Description: Complete the SIEM deployment, aggregating system- and application-level logs for all critical application and security monitoring devices. Tune event correlation, incident thresholds and alerting. Integrate alerting with the incident response plan. This work is critical because currently little to no automated review or alerting for unauthorized access to PHI occurs.
    Estimate: 200-280 hours; $100,000
    Effort: High
KEY GOVERNANCE METRICS
(Metric: Definition)
• Dwell time: How long can an intruder linger before being detected?
• Patch latency: How long does it take you to distribute a security patch?
• Velocity of change: How quickly are changes implemented, averaged over time?
• Control strength: Aggressively test controls
• Regulatory coverage: Compliance state, progress toward completion
• Risk trend: Year over year, how is your total risk trending?
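The deck defines these metrics but does not show how to derive them from program data. The following is an added example (not Anitian's tooling or code from the slides) that computes dwell time, patch latency per severity tier, velocity of change and the year-over-year risk trend from constructed sample records, then reports which metrics miss a target so they can feed the action plan. The record layouts, field names and the TARGETS thresholds are assumptions; a real program would pull incidents from its case system, patch dates from vulnerability management, and changes from the CMDB.

```python
"""Governance metrics from the 'Key Governance Metrics' slide computed over
constructed sample records: dwell time, patch latency, velocity of change
and year-over-year risk trend, then checked against targets. Added example,
not Anitian's tooling; the record layouts and the targets are assumptions."""
from datetime import datetime
from statistics import mean, median

# Constructed incident records: first intrusion time (from forensics) and
# first detection time (from the SOC ticket). Dwell time is the gap.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2016-01-03T02:00", "detected": "2016-01-05T08:00"},
    {"id": "INC-2", "compromised": "2016-02-11T23:40", "detected": "2016-03-30T14:15"},
    {"id": "INC-3", "compromised": "2016-04-02T08:00", "detected": "2016-04-02T09:00"},
]

# Constructed patch records: vendor release date and the date the patch
# reached the last in-scope host, with the severity tier it was triaged to.
PATCHES = [
    {"patch": "P-1", "severity": "critical", "released": "2016-01-12", "deployed": "2016-01-19"},
    {"patch": "P-2", "severity": "critical", "released": "2016-02-09", "deployed": "2016-02-12"},
    {"patch": "P-3", "severity": "high", "released": "2016-02-09", "deployed": "2016-03-22"},
    {"patch": "P-4", "severity": "high", "released": "2016-03-08", "deployed": "2016-04-05"},
]

# Constructed change records: approval date and implementation date.
CHANGES = [
    {"change": "CHG-1", "approved": "2016-01-04", "implemented": "2016-01-06"},
    {"change": "CHG-2", "approved": "2016-02-01", "implemented": "2016-02-06"},
    {"change": "CHG-3", "approved": "2016-03-01", "implemented": "2016-03-15"},
]

# Constructed annual risk-register totals (sum of impact x probability scores).
RISK_TOTALS = {2014: 310, 2015: 290, 2016: 245}

# Assumed targets; a real program sets these from its own risk appetite.
TARGETS = {
    "dwell_time_hours": 24,
    "patch_latency_days": {"critical": 7, "high": 30},
    "velocity_of_change_days": 10,
}


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _days(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).days


def dwell_time_hours(incidents=INCIDENTS):
    """Median hours an intruder was inside before detection (median resists one long-running breach skewing the figure)."""
    return median(_hours(i["compromised"], i["detected"]) for i in incidents)


def patch_latency_days(patches=PATCHES):
    """Median days from vendor release to full deployment, per severity tier."""
    by_tier = {}
    for p in patches:
        by_tier.setdefault(p["severity"], []).append(_days(p["released"], p["deployed"]))
    return {tier: median(v) for tier, v in by_tier.items()}


def velocity_of_change_days(changes=CHANGES):
    """Mean days from change approval to implementation."""
    return mean(_days(c["approved"], c["implemented"]) for c in changes)


def risk_trend(totals=RISK_TOTALS):
    """Year-over-year percentage change in total risk, keyed by the later year."""
    years = sorted(totals)
    return {
        y: round(100 * (totals[y] - totals[prev]) / totals[prev], 1)
        for prev, y in zip(years, years[1:])
    }


def out_of_tolerance(targets=TARGETS):
    """Names of metrics that miss their target; these become action-plan items."""
    misses = []
    if dwell_time_hours() > targets["dwell_time_hours"]:
        misses.append("dwell_time_hours")
    for tier, latency in patch_latency_days().items():
        if latency > targets["patch_latency_days"][tier]:
            misses.append(f"patch_latency_days[{tier}]")
    if velocity_of_change_days() > targets["velocity_of_change_days"]:
        misses.append("velocity_of_change_days")
    return misses


if __name__ == "__main__":
    print("dwell time (h):", dwell_time_hours())
    print("patch latency (d):", patch_latency_days())
    print("velocity of change (d):", velocity_of_change_days())
    print("risk trend (% YoY):", risk_trend())
    print("out of tolerance:", out_of_tolerance())
```

On the sample data the median dwell time is 54 hours against a 24-hour target and high-severity patch latency is 35 days against 30, so those two metrics are the ones that would be handed to the action plan; the critical tier (5 days) and change velocity (7 days) are within tolerance. Medians are used for dwell time and patch latency because a single incident that went undetected for weeks would otherwise dominate the average and hide improvement in the typical case.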
SECURITY VISION ENABLES AN AGILE, AUTHENTIC, ALIGNED, ACTIONABLE SECURITY PROGRAM
QUALITIES OF GREAT SECURITY LEADERS
• Trustworthy: Abraham Lincoln
• Analytical: Nikola Tesla
• Visionary: Steve Jobs
• Inspirational: Vince Lombardi
• Inclusive: Dr. Martin Luther King Jr.
• Humble: Mahatma Gandhi
• Fearless: Aung San Suu Kyi
THANK YOU
EMAIL: andrew.plato@anitian.com
TWITTER: @andrewplato
@AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN