Tactical Edge - How Much Security Do You Really Need?

<ul><li><p>HOW MUCH SECURITY DO YOU REALLY NEED?</p><p>Wendy Nather, @RCISCwendy</p><p>Research Director, Retail Cyber Intelligence Sharing Center (R-CISC)</p><p>Bogotá, 24 October 2016</p></li>
<li><p>INTRODUCTION</p><p>The Great Mystery</p><p>Expense in Depth</p><p>Even the Experts Don't Know: pricing out a security program</p><p>A better framework: the Cyber Defense Matrix</p><p>Trimming your current security portfolio</p><p>Evaluating the risk in a way that works for you</p></li>
<li><p>MODELS FOR SECURITY SPENDING</p><p>Benchmarking: what is everyone else doing?</p><p>Compliance-driven spending</p><p>Metrics-driven</p><p>Evidence-driven</p></li>
<li><p>MODELS FOR SECURITY SPENDING (CONTINUED)</p><p>Spend only what you need to until the next breach</p><p>Keep spending until you run out of budget</p><p>Have an unlimited budget</p></li>
<li><p>EXPENSE IN DEPTH (RICK HOLLAND)</p><p>Security is a patchwork quilt, and you keep buying things to layer over the gaps</p><p>Leads to overspending in some areas and underspending in others</p><p>Overloading systems</p></li>
<li><p>EXPENSE IN DEPTH</p><p>Dueling agents</p><p>Prioritizing network decisions</p><p>Cognitive and effort overload on your personnel every time you add something new</p></li>
<li><p>I'M A NEW CISO. IT'S MY FIRST DAY ON THE JOB IN AN ORGANIZATION THAT HAS NEVER DONE SECURITY BEFORE. WHAT SHOULD I BUY?</p><p>"The Real Cost of Security", 451 Research, 2013</p></li>
<li><p>EVEN THE EXPERTS DON'T KNOW</p><p>As few as 4 different technologies and as many as 31</p><p>Everyone said "it depends", including the vendors</p><p>¯\_(ツ)_/¯</p></li>
<li><p>EVEN THE EXPERTS DON'T KNOW</p><p>The minimum baselines pretty much matched up to PCI, and included both firewalls and AV</p><p>Budget estimates could be off by as much as a factor of 4</p><p>There's still no guarantee you won't get breached</p></li>
<li><p>CAN WE DO BETTER?</p></li>
<li><p>CYBER DEFENSE MATRIX (SOUNIL YU, [LARGE US FINANCIAL])</p><p>Rows (asset classes): Devices, Applications, Network, Data, People</p><p>Columns (functions): Identify, Protect, Detect, Respond, Recover</p><p>Degree of dependence: Technology on the left (Identify, Protect), People on the right (Respond, Recover), with Process throughout</p></li>
<li><p>LEFT AND RIGHT OF BOOM</p><p>Same matrix, split at the point of compromise ("boom")</p><p>Pre-compromise (left of boom): Identify, Protect</p><p>Post-compromise (right of boom): Detect, Respond, Recover</p></li>
<li><p>ENTERPRISE SECURITY MARKET SEGMENTS</p><p>Each segment placed on the matrix cell it serves. Segments shown:</p><p>IAM</p><p>Endpoint Visibility and Control / Endpoint Threat Detection &amp; Response</p><p>Configuration and Systems Management</p><p>Data Labeling</p><p>App Sec (SAST, DAST, IAST, RASP), WAFs</p><p>Phishing Simulations</p><p>DDoS Mitigation</p><p>Insider Threat / Behavioral Analytics</p><p>Network Security (FW, IPS)</p><p>DRM</p><p>Data Encryption, DLP</p><p>IDS, Netflow, Full PCAP</p><p>AV, HIPS</p><p>Deep Web, Brian Krebs, FBI</p><p>Backup</p><p>Phishing Awareness</p></li>
<li><p>MARKET SEGMENTS: OTHER ENVIRONMENTS</p><p>Threat Actor Assets: Threat Data; Intrusion Deception; Malware Sandboxes</p></li>
<li><p>MARKET SEGMENTS: OTHER ENVIRONMENTS</p><p>Vendor Assets: Cloud Access Security Brokers; Vendor Risk Assessments</p><p>Customer Assets: Endpoint Fraud Detection; Device Fingerprinting; Web Fraud Detection</p><p>Employee Assets: BYOD MAM; BYOD MDM</p></li>
<li><p>See the rest of the slides at</p><p>https://www.rsaconference.com/events/us16/agenda/sessions/2530/understanding-the-security-vendor-landscape-using</p><p>Or search for "RSAC Sounil Yu"</p></li>
<li><p>TRIMMING YOUR SECURITY PORTFOLIO</p><p>Why would you need to do that?</p><p>Mergers and acquisitions leave redundant products in place</p></li>
<li><p>TRIMMING YOUR SECURITY PORTFOLIO</p><p>Shelfware</p><p>(see Javvad Malik's research at https://www.rsaconference.com/writable/presentations/file_upload/mash-t07a-security-shelfware-which-products-gathering-dust-and-why.pdf or search for "Javvad Malik Shelfware")</p></li>
<li><p>TRIMMING YOUR SECURITY PORTFOLIO</p><p>Improving performance</p><p>Simplifying</p><p>Better integration and communication</p><p>Better price</p></li>
<li><p>BEFORE YOU CUT TECHNOLOGY</p><p>Make sure you're using it right</p><p>Make sure you're using it as fully as possible</p><p>Talk to the vendor about its limitations and roadmap (or ask peers or an analyst)</p></li>
<li><p>BEFORE YOU CUT TECHNOLOGY</p><p>Decide whether you need to replace it</p><p>Is it a greater liability to keep it and not use it, or not to have it at all?</p></li>
<li><p>BEFORE YOU CUT PEOPLE</p><p>Know what they're contributing, both in expertise and workload</p><p>Expertise includes institutional knowledge</p></li>
<li><p>BEFORE YOU CUT PEOPLE</p><p>Remember cognitive workload: just because they have the time to squeeze in an extra task, it doesn't mean they can give it the attention it needs</p><p>Keep task priorities in mind: response mode keeps staff from being proactive</p></li>
<li><p>EVALUATING EFFECTIVENESS AND RISK</p></li>
<li><p>EVALUATING EFFECTIVENESS AND RISK</p><p>Is it addressing a risk everyone can believe in?</p></li>
<li><p>CHEESEBURGER RISK MANAGEMENT</p><p>Sure, it might happen, but not for a long time</p></li>
<li><p>EVALUATING EFFECTIVENESS AND RISK</p><p>How does it address the risk?</p><p>Don't say "it's blocking millions of attacks", because that makes Dave Lewis really angry</p></li>
<li><p>EVALUATING EFFECTIVENESS AND RISK</p><p>What are you relying on technology to do, versus what you're relying on people to do?</p><p>Are you basing your security strategy on the hope that people will change?</p></li>
<li><p>YOUR MANAGEMENT'S FAVORITE METRICS</p><p>Time saved</p><p>Money saved</p><p>Performance improvements / availability</p></li>
<li><p>MATCHING MONEY WITH SECURITY</p><p>Avoiding loss (but remember the probability discussion)</p><p>Allowing revenue generators to do it faster</p><p>Saving time, which is money</p></li>
<li><p>MATCHING MONEY WITH SECURITY</p><p>Helping the business make better decisions in other areas</p><p>Providing a competitive advantage (but you'll have to prove it)</p><p>Losses may or may not happen, but other improvements will show themselves if you can measure them</p></li>
<li><p>GETTING BREACHED JUST MIGHT BE CHEAPER</p><p>Published research by Sasha Romanosky, RAND Corporation (August 2016)</p><p>Most cyber events cost firms less than 0.4% of their annual revenues</p></li>
<li><p>GETTING BREACHED JUST MIGHT BE CHEAPER</p><p>By contrast, US firms lost an estimated 0.9% of their revenue to online fraud in 2013 (CyberSource 2013 Online Fraud Report)</p><p>(Which shows that breaches are being treated separately from fraud, so whatever)</p></li>
<li><p>GETTING BREACHED JUST MIGHT BE CHEAPER</p><p>Calculated that firms were spending an average of 0.025% of revenues on cybersecurity</p><p>"Half of cyber events cost a firm an amount approximately equal to its annual investment in IT security (i.e. within $1 million of investment)."</p><p>Wait, what?</p></li>
<li><p>WHAT IF I TOLD YOU...</p><p>...that you may already be spending enough?</p></li>
<li><p>SPENDING IS NOT DOING</p><p>You can be spending right, but doing it wrong</p><p>You can be doing it right, but spending wrong</p></li>
<li><p>SOME KIND OF PYRAMID (from the top down)</p><p>Using security products</p><p>Understanding threats</p><p>Controlling changes</p><p>Knowing what you have and what it's doing</p></li>
<li><p>SUMMARY</p><p>There are many ways to evaluate your portfolio</p><p>There's no ground truth</p><p>Identify the risks you can believe in</p><p>Find the evidence that you're addressing those risks</p><p>Remember: it's in the way that you use it</p></li></ul>
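<p>The Cyber Defense Matrix and portfolio-trimming slides above describe a framework rather than a procedure. The following is an added example, not from the deck and not Sounil Yu's or the R-CISC's code, of one way to put the framework to work: map a portfolio onto the 25 asset/function cells and report the gaps (cells nothing covers), the overlaps (cells two or more products cover, the "dueling agents" left behind by an acquisition), each product's unique contribution (what you would lose by cutting it), and spend split left and right of boom. The matrix axes are the ones on the slides; the product names, spend figures and cell assignments are constructed for illustration.</p>

```python
"""Map a security product portfolio onto the Cyber Defense Matrix and report
gaps, overlaps, unique contribution and pre/post-compromise spend.

Added example; the portfolio below is constructed, not a real inventory.
"""
from collections import defaultdict
from itertools import product

ASSETS = ("Devices", "Applications", "Network", "Data", "People")
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
# "Left of boom" functions; everything else is post-compromise.
PRE_COMPROMISE = {"Identify", "Protect"}

# Constructed portfolio: product -> (annual spend, set of (asset, function) cells).
# Two endpoint agents are included on purpose to model the redundancy that
# mergers and acquisitions leave in place.
PORTFOLIO = {
    "Endpoint AV (legacy)": (120_000, {("Devices", "Protect"), ("Devices", "Detect")}),
    "EDR (acquired co.)":   (200_000, {("Devices", "Protect"), ("Devices", "Detect"),
                                       ("Devices", "Respond")}),
    "Perimeter FW/IPS":     (90_000,  {("Network", "Protect"), ("Network", "Detect")}),
    "Netflow collector":    (40_000,  {("Network", "Detect")}),
    "WAF":                  (60_000,  {("Applications", "Protect")}),
    "SAST/DAST":            (50_000,  {("Applications", "Identify")}),
    "Phishing awareness":   (15_000,  {("People", "Protect")}),
    "Backup service":       (30_000,  {("Devices", "Recover"), ("Data", "Recover")}),
}


def coverage(portfolio):
    """Return cell -> set of product names that cover it."""
    cells = defaultdict(set)
    for name, (_, covered) in portfolio.items():
        for asset, fn in covered:
            if asset not in ASSETS or fn not in FUNCTIONS:
                raise ValueError(f"{name}: {(asset, fn)} is not a matrix cell")
            cells[(asset, fn)].add(name)
    return cells


def gaps(portfolio):
    """Matrix cells no product addresses: the places a patchwork quilt misses."""
    cov = coverage(portfolio)
    return sorted(c for c in product(ASSETS, FUNCTIONS) if c not in cov)


def overlaps(portfolio):
    """Cells covered by two or more products: candidates for consolidation."""
    return {c: sorted(p) for c, p in coverage(portfolio).items() if len(p) > 1}


def unique_contribution(portfolio):
    """Cells only this product covers. An empty list marks a removal candidate,
    to be confirmed against how the product is actually used (the slides'
    'before you cut technology' checks), not cut on this number alone."""
    cov = coverage(portfolio)
    return {name: sorted(c for c in covered if cov[c] == {name})
            for name, (_, covered) in portfolio.items()}


def spend_by_boom(portfolio):
    """Spend left and right of boom, pro-rated evenly across a product's cells."""
    pre = post = 0.0
    for _, (spend, covered) in portfolio.items():
        per_cell = spend / len(covered)
        for _, fn in covered:
            if fn in PRE_COMPROMISE:
                pre += per_cell
            else:
                post += per_cell
    return round(pre), round(post)


if __name__ == "__main__":
    print("Gaps:", ", ".join(f"{a}/{f}" for a, f in gaps(PORTFOLIO)))
    for cell, names in sorted(overlaps(PORTFOLIO).items()):
        print(f"Overlap at {cell[0]}/{cell[1]}: {', '.join(names)}")
    for name, cells in unique_contribution(PORTFOLIO).items():
        print(f"{name}: unique cells = {cells or 'none'}")
    pre, post = spend_by_boom(PORTFOLIO)
    print(f"Spend left of boom: {pre:,}  right of boom: {post:,}")
```

<p>On the constructed portfolio the legacy AV has no unique cell, since the EDR covers Devices/Protect and Devices/Detect as well, while the EDR alone covers Devices/Respond; that is the shape of the M&amp;A redundancy the slides describe, and the script surfaces it without anyone having to eyeball two consoles. The pro-rating in spend_by_boom is a simplifying assumption: a product that spans several cells rarely spends its licence cost evenly across them, so treat the split as a first pass to be refined with the vendor.</p>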