INSIDER THREAT
BUILDING A MULTI-GENERATIONAL SECURITY PROGRAM
Anitian
Intelligent Information Security - Anitian
Meet the Speaker: Andrew Plato
President / CEO of Anitian
Principal at TrueBit CyberPartners
20+ years of experience in security
Discovered SQL injection in 1995
Helped develop the first in-line IPS engine (BlackICE)
ANITIAN
Vision: Security is essential for growth, innovation and prosperity.
Mission: Build great security leaders.
Rapid Risk Assessment
Compliance
Penetration Testing
Managed Threat Intelligence
What do you want? Truth, or a box checked?
Anitian: intelligent information security. We deliver truth and build great security leaders.
Overview
Intent:
Help you build a more effective security program
Prepare your security program for the demographic shift
Demonstrate Anitian's value
Outline:
Hypothesis
The Multi-Generational Workforce
The Problem
Next Generation Security Program
BIG TOPIC! This is a very big and complex concept. In this presentation we're going to touch on a lot of ideas, without getting too deep.
THIS IS FOR A USA AUDIENCE AND USA COMPANIES
HYPOTHESIS
Begin with a discussion of the workplace today as it relates to information security.
"It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change."
Attributed to Charles Darwin. He never actually said this, but it is a widely used paraphrase of his theories. This concept, agility, is profoundly important to business and information security.
HUMAN ERROR IS THE ROOT CAUSE OF NEARLY ALL BREACHES
At the root of nearly all compromise and breach is human error:
People don't configure systems correctly.
Vulnerabilities are left unpatched.
People click dangerous links.
Developers don't take the time to code securely.
Policies are not followed.
INSIDER THREAT IS INDIRECTLY RELATED TO EMPLOYEE ENGAGEMENT
When people do not care about their job, or feel marginalized or disrespected, they engage in riskier behavior.
ENGAGED EMPLOYEES REDUCE RISK
When people are engaged and motivated, they naturally care for the organization.
LEADERSHIP DRIVES ENGAGEMENT
Leadership drives engagement, as do policies and practices.
The WORKFORCE
75% OF THE WORKFORCE IN 2025 (Source: Bureau of Labor Statistics, 2015)
Currently: 53M Gen Y, 50M Gen X, about 15M Boomers, 3M others. 20K Boomers leave the workforce every day; 30K Gen Y enter. By 2025, 50% of the workforce will be millennials and 35% Gen X, with Boomers and Gen Z making up the remaining 15%.
DON'T LEAVE THIS SLIDE WITHOUT JOKING: You cannot have a presentation about the generations without a section that overly generalizes and panders to each generation. Who am I to break tradition here?
BOOMERS
Born 1946-1964
Competitive
Prefers process
Optimistic
Political
Loyal
Status conscious
Job defines them
RESPECT
Boomers are leaving the workforce at the rate of about 20K per day.
GEN X
Born 1965-1980
Cynical
Analytical
Agile
Results oriented
Individualistic
Entrepreneurial
Wants to chart their own path
FREEDOM
MILLENNIALS
Born after 1980
Idealistic
Self-conscious
Social
Empathetic
Team players
Extremely agile
Connected
Open minded
Wants praise and involvement
AUTHENTICITY
TRANSITION: So what else can we learn about Millennials?
79% OF MILLENNIALS HAVE A COLLEGE DEGREE
Gen X: 69%. Boomers: 62%.
56% WILL REJECT A JOB FROM A COMPANY THAT BANS SOCIAL MEDIA
45% CHOOSE FLEXIBILITY OVER PAY
73% EXPECT TO MODIFY AND CUSTOMIZE THEIR WORK COMPUTER
74% CITE LEADERSHIP AS THE KEY TO ENGAGEMENT
The PROBLEM?
Typically, these presentations begin with a lot of statistics and scary numbers.
90% OF ORGANIZATIONS HAVE HAD SOME TYPE OF SUCCESSFUL ATTACK
BREACHES ARE COSTLY
So what do we do?
TL;DR
THE ULTRA IMPORTANT COMPANY HAS HEREBY ISSSUANTED THIS POLICY OF COMPUTING TECHNOLOGICAL RESOURCE ALIGNMENT TO COMPLY WITH SECTION 98292D OF THE REGULATORY COMPLIANCE INSTRCTUALIZATION OF FRAMEWORK REGIONALISM
BORING
Nobody cares about your internationally approved framework of risk management.
NO!
An enforcement-minded mentality does not make people care. It makes them care just enough to keep you off their back.
EVERYBODY TALKS
NOBODY LISTENS
When people don't respect the policies and practices, they argue with and undermine them.
LOL DONT CARE
IM DOWNLOADIN IT
When people don't care, they ignore policies.
PARANOIA
Nobody cares about your insufferable reasons why.
TODAY WE SHALL
CRUSH CYBERSECURITY WITH ONE SWIFT STROKE
WOOT! IT'S BEER-THIRTY. LET'S UPLOAD EVERYTHING TO PASTEBIN
IS THERE ANY HOPE?
Seems pretty hopeless, eh?
Yes
THE BALANCING ACT
Availability, Confidentiality, Integrity, Compliance
Respect, Freedom, Authenticity, Mission
MEANING
Your program must have meaning. It must convey the importance of security and make people care.
PERSONAL
Our program has to stop being so ruthless and cold. We need to connect with people, rather than disconnect them.
SOCIAL
Security must integrate into every dimension of the workplace. We must leverage social constructs to disseminate and enforce. Make it like a smartphone.
AGILE
WE MUST ADAPT to the business, not the other way around.
NEXT-GENERATION SECURITY PROGRAM
Strategies
The Multigenerational Security Program
8 concepts to drive your security program. For each concept, define how it applies to PEOPLE, PROCESS, and TECH.
Start with Why
People: People don't buy what you do, they buy why you do it (Simon Sinek, http://bit.ly/anitian-sww). Connect everything security to a greater mission or ethic.
Policy: Put the reader into each policy and give them a reason: "Let's make a difference. We need your help to stop criminals from stealing our data and hurting people. You can help. Keep confidential data off your computer and out of your email. If you don't have it, it can't be stolen, and you're safe!"
Technology: Allow customization and connect them to the core values.
Automate Security
People: Millennials love automation (so do hackers).
Policy: Define what is and is not automated, and why. Standardize automation.
Technology: Automate everywhere: auto-block, auto-respond, auto-scan, auto-remediate.
It is disrespectful to expect people to care about obtuse security rules. Don't merely value feedback; WANT it. Beg for it if necessary.
Less is More
People: People do not read; less is more.
Policy: Just say it, and be blunt: "You cannot plug a personal device into the network. It is too dangerous." "Systems must be patched every 30 days because it is the right thing to do and protects the business."
Technology: Avoid complex dashboards. Implement a core firewall and segment your network. Do not buy anything unless you have the people to run it.
Complexity is easy, simplicity is difficult.
Roll with It
People: Change is the norm around here; roll with it. Does the change align with what we believe? What is the intent of this change?
Policy: Change policy on a whim; it's okay. Be honest when a policy is no longer relevant.
Technology: Change vendors regularly to get a new perspective, and say you're doing it. Build a process for evaluating new technologies.
Don't connect intent to some framework or standard; nobody cares.
Open the Kimono
People: Work at the speed of trust. Share openly; be honest when you cannot share.
Policy: Be brutally honest: "We can read your email. There is no expectation of privacy when you use a company-owned asset."
Technology: Monitor everything, log everything, watch everything. Put it in the cloud. Aggressively test, and test, and test again. Socialize the data; show the good and the bad.
Millennials, and to some extent Gen X, hate secrecy. All they hear is that they're out of the loop.
Be Authentic
People: Confront the security perception gradient; words and behaviors must align. Millennials have a high affinity for authentic leadership.
Policy: Get rid of the stiff, distant, pontificating policies: "We all want to do the right thing. Help protect data. If you see something wrong, say something and let's work together to fix it."
Technology: Discuss, openly, the controls you have. Be conspicuously vocal in your opposition to checkbox audits.
Socialize Security
People: Use peer pressure to enforce: "What would your co-workers think of this?" Use feedback to gather intelligence.
Policy: Use modern policy dissemination methods. Gamify policy acceptance. Ask for involvement: "You are a vital part of our security program and we want your feedback."
Technology: Use feedback technologies like 15Five.com or TinyPulse.com. Leverage social platforms for sharing, like SharePoint.
Cite the RSA presentation from Uber's security awareness person, Samantha Davison: 80% acceptance and retention when gamified.
Culture of Security
People: Put security responsibilities into ALL job descriptions. Cross-train everybody in IT on security.
Policy: Add security responsibilities to every job. Require security awareness for everybody.
Technology: Disseminate control authority across teams. Integrate security practices into dev teams. Move toward unified platforms with integrated defenses.
SECURE THE GENERATIONS
Strategies
EVERY BREACH BEGINS (AND ENDS) WITH PEOPLE
ALL information security weaknesses are ultimately due to human error:
Developers do not code apps securely.
System admins do not harden systems.
Network admins ignore or bypass controls.
Employees leak data or engage in risky behaviors.
Attackers manipulate people into giving up access, credentials, or data.
THE BIGGEST THREAT YOU HAVE IS PEOPLE
SO WHY ARE THESE IN CHARGE OF SECURITY?
OR THIS?
OR THIS GUY?
Better call Saul.
WHEN THIS IS YOUR WORKFORCE?
THE SECURITY PROGRAM OF THE FUTURE IS BUILT AROUND PEOPLE
ADAPT OR BREACH (and possibly lose your job)
Action Plan
Execute a risk assessment (a real one).
Rewrite policies; hyper-simplify them.
Automate security, everywhere.
Monitor everything, log everything, watch everything.
Gamify your security awareness program.
Stop talking to VARs.
Define customization boundaries; publish them for all to see.
Put security requirements in everybody's job description.
Implement a feedback process for security.
Push SecOps away from reaction-focus to analysis-focus.
THANK YOU
EMAIL: [email protected]
@andrewplato, @AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN