An Educational Seminar Turning IT Professionals into Cybersecurity Warriors May 18, 2016 Sponsored by

Turning IT Professionals into Cybersecurity Warriors

Agenda

Introductions: John Thomas Flynn, Creator and Host of TechLeader.TV

Keynote: Mark Ghilarducci, Director, Governor's Office of Emergency Services

Presentations:

• Andre McGregor - Tanium, Director of Security
• Sebastian Goodwin – Dir. of Endpoint Security/Security, Palo Alto Networks
• Sean Cordero - Optiv, Senior Executive Director, Office of the CISO

Case Studies: Initiatives, Organizational Readiness, Experiences, Lessons Learned, Best Practices:

• Todd Ibbotson - Information Security Officer, Calif. Depart. of Justice
• Justin Cain - Cybersecurity Coordinator, Homeland Security Div. CalOES
• Doug Leone - Agency Information Security Officer, California EPA

3 | © 2015, Palo Alto Networks. Confidential and Proprietary.

CYBERSECURITY

SEBASTIAN E. GOODWIN

MBA, CISSP, CISA, CCNA, MCSE, MCT

DIRECTOR, ENDPOINT SECURITY

PROTECTING OUR DIGITAL FUTURE

MAY 2016

WE MUST CHANGE THE COST CURVE

[Figure, shown on two consecutive slides. Labels: Number of successful attacks; Cost of launching a successful attack]

HOW TO ENSURE FAILURE

[Diagram labels: Internet; Internet Connection; Enterprise Network; Malware Intelligence; Vendor 1; Vendor 2; Vendor 3; Vendor 4]

Point products shown:

• Anti-APT for port 80 APTs
• Anti-APT for port 25 APTs
• Anti-APT cloud
• Endpoint AV
• Network AV
• DNS protection cloud
• DNS protection for outbound DNS
• UTM/Blades

Alerts shown (each repeated across the diagram): DNS Alert, Endpoint Alert, AV Alert, SMTP Alert, Web Alert

Callouts: Limited visibility; Manual response; Lacks correlation

PREVENTION

PREVENTION EVERYWHERE

Detect and prevent threats at every point across the organization

• At the internet edge
• Between employees and devices within the LAN
• At the data center edge, and between VMs
• On the endpoint
• Within private, public and hybrid clouds, and SaaS

[Diagram label: Cloud]

IMPERATIVES

PREVENT

INTELLIGENCE

SHARING

ENDPOINTS ARE EASY TARGETS

Guggenheim Securities

“Endpoint Endgame: The Race to Replace AV” Sept. 2015

“Endpoints are one of the most popular threat vectors for cyberattacks, because it has historically been easier to gain access to an endpoint (which often moves in and out of the network perimeter) than it has to penetrate core infrastructure. ”

Palo Alto Networks and Tanium

Manage, Prevent, Confirm, and Sweep

[Diagram components: Tanium Server; NGFW; WildFire; Traps Server. Flow labels: IOCs; Malware; Protections]

WildFire

• Identifies malware and generates high fidelity IOCs
• Generates new protections for all Palo Alto Networks customers within 15 minutes

Tanium

• Pinpoints all endpoints infected with IOCs within seconds
• Automated isolation and remediation of infected endpoints

Traps

• Prevents execution of malware using built-in mechanisms and verdicts from WildFire.
• Prevents exploitation of vulnerable software with unique ability to prevent zero day exploits.

Patching, visibility, and control.

The Compliance Treadmill & The Fight for Effective Security Programs

Sean Cordero, Senior Executive Director, oCISO

CISSP, CISM, CRISC, CISA

Proprietary and Confidential. Do Not Distribute. © 2015 Optiv Inc. All Rights Reserved.

Agenda

Security Today

Programs for Today & Tomorrow

Questions?

Security Today

Signal to Noise

• Contributed to up-take of compliance approach

• Compliance/audit drowned out larger issues

Compliance Focused Programs

1. Risk Assessment Optional (sometimes)

• Used as a proxy for critical analysis
• Can remove the need for understanding
• Most have built in risk decisions made for you

2. Inefficient Standards for Management

• Requirements Overlap
• Requirements Conflict

3. Traditional Frameworks – Not enough for new tech

• Lack Service and Delivery Awareness
• Control extensibility

It wasn’t all bad..

Facilitated the Security Discussion with Stakeholders

• Allowed for easier discussions around “Why?”

• Facilitated standardized measurements

• Could be validated by 3rd parties

Resulted in Near Term Security Investments

• Funding & resources tied to compliance program

• Resourcing tied

Provided (a) Uniform Taxonomy and Language for Security

• Implement network based advanced malware capability

• Established common terms and definitions

• Provided visibility into long standing issues

All positive outcomes. For some, it has lowered expectations over InfoSec

Compliance as Security

Plot twist! The approach fails in the end!

• 91% Vulnerable to threats
• 61% aware of a breach. (Vormetric, 2016)
• 64% Believe Compliance is Effective at breach prevention (Vormetric, 2016)
• 46% Rank Compliance in Top 3 for IT Spending (Vormetric, 2016)

**Source: Vormetric Data Threat Report 2016

The State of Cyber Security: “2015 Year of the Hack”

2015 Breaches

• V-Tech 4.7 million accounts
• Experian 15 million accounts
• BCBS 11.2 million subscriber records affected.
• Excellus BCBS SSNs and personal data of 10.5 million customers. Breach occurred in December 2013, discovered in 2015.
• Anthem Health data breach results in compromise of 80 million records.
• CareFirst BCBS 1.1 billion records breached.
• Premera BCBS 11.2 million subscriber records affected.
• Office of Personnel Management breach of 21.5 million records.
• IRS breach of 100K+ records, $50m in fraud.
• UCLA 4.5 million patient records
• Ashley Madison hack discloses customer records, including military and government email addresses.
• Kaspersky Labs Security Vendor infiltrated by nation-state sponsored hacker.
• ISIL Cyber Caliphate hacker killed in US military drone strike.

REGULATORY CLIMATE

• Cyber Security Bill delayed in the Senate.
• Federal Data Security Breach legislation would supersede 48 state laws and would impose 30 day notification requirements to consumers in the event of a breach.

Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.

Cyber Security Realities

Disappearing Boundaries

• Actors can locate and attack from anywhere
• Very difficult to trace and identify actors
• Socially connected networks provide cheap and easy intelligence to plan an attack

Increasing Risk Adjusted Returns

• Cost of launching an attack has drastically decreased
• “Victimless” crime that is “safer” than drug dealing

Method of Attack Changes Frequently

• Targeted phishing campaigns to gain login credentials
• Trusted third-party relationships to bypass controls
• Malicious insider still concern

You can not fight today’s cyber warfare with yesterday’s tactics

The Security Journey

Business Aligned Strategy: Create a security program that enables your organization by understanding the business objectives, compliance objectives, threats and material risks.

[Diagram stages: Ad Hoc Program; Infrastructure Based; Compliance Based; Threat Based; Risk Based/Data Centric; Business Aligned]

Shortcut = Failure to Pass

Diagnosing Your Program

1. Discussions focused on “findings”

2. Compliance is Top of Mind

• Compliance 1st, Security 2nd
• Sole justification for InfoSec

3. No time for security work

• Endless audit/re-audit

4. Half complete infosec deployments

Show Enough

Do Enough

Build Capability (hopefully)

Get Audited

Likelihood of on-going success is low.

Programs for Today & Tomorrow

Six Forces of a Security Strategy

The Six Forces Require a Resilient Security Strategy

• Business Strategy
• Global Social and Political Forces
• Government and Industry Regulations
• Adversaries and Threats
• Organizational Culture
• IT Organization, Systems and Infrastructure

Three Lines of Defense to Achieve Effective Information Risk Management and Assurance

Information Risk Program

1st Line of Defense: IT Information Security

2nd Line of Defense: Information Risk Office & Steering Team

3rd Line of Defense: Audit and External Experts

• Highly Skilled & Trained Staff
• Install and maintain enabling Security Technologies
• Processes to Protect, Detect, and Respond
• Define and Enforce Information Security Policy
• Manage Information Risk Program
• Program Strategy and Goals
• Measure & Manage Information Risk
• Oversee Industry and Regulatory Requirements
• Executive Sponsors
• Internal Audit Validation of Control Framework
• External Audit
• External Testing and Validation of Controls

Mission Aligned Security Program

[Diagram labels]

• MAKE WHAT WE DO BETTER
• KEEP US OUT OF TROUBLE
• EXECUTIVE MANAGEMENT
• Executive Sponsors, Audit Committee, Media, Constituents, Clients
• Business Drivers, Goal and Strategies
• Risk and Security Coverage
• Filter and Prioritize
• Enterprise and Operational Risks
• Infrastructure, Frameworks and Regulations
• Achieve Business Objectives
• Threat Management
• Assets and Capital Management
• Earnings and Operation Margins
• Revenues and Efficiencies
• ISO 2700X
• Business Drivers
• Asset Profile
• Technical Specifications
• People and Organizational Management
• Governance, Policies and Standards
• Technical Security Architecture
• Threat Aware Security Program
• Complex Regulatory Requirements

Optiv Value

• End-to-end cyber security solutions
• Tailored to your needs
• Client Centric Approach

Summary

1. Leverage compliance, do not rely on it

2. Compliance is a byproduct of program success.

3. Strive to understand. Context is key.

4. Use Contextualized and Delivery Aware Models.

Questions

Sean Cordero, Senior Executive Director

CISSP, CISM, CRISC, CISA

@sean_cordero

Turning IT Professionals into Cybersecurity Warriors

Case Studies

Initiatives, Organizational Readiness, Experiences, Lessons Learned, Best Practices:

• Todd Ibbotson - Information Security Officer, California Department of Justice
• Justin Cain - Cybersecurity Coordinator, CalOES
• Doug Leone - Agency Information Security Officer, California EPA

Sponsored by

Turning IT Professionals into Cybersecurity Warriors

Final Questions???

Sponsored by
