Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get...
Transcript of Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get...
![Page 1: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/1.jpg)
Don't Get Hacked - 10 Controls &SecOps Ways to Secure Your Company
Dr. Christopher T. Pierson, EVP, General Counsel & CSO, ViewpostJames T. Shreve, Attorney, BuckleySandler
![Page 2: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/2.jpg)
2
Agenda
1. Newsworthy Hacks
2. Environment Differences
3. Top 10 Controls
4. Privacy Professional Roles
5. Communications
6. Now What?The opinions contained herein do not reflect the opinions and beliefs of the author’s employers orassociated agencies. All content contained herein is for informational purposes only and may not reflectthe most current legal developments. The content is not offered as legal or any other advice on anyparticular matter.
![Page 3: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/3.jpg)
Part I.Newsworthy Hacks
![Page 4: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/4.jpg)
4
I. Newsworthy Security Breaches
Living Social SONY
![Page 5: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/5.jpg)
5
I. Newsworthy Security Breaches
JP Morgan
Target
Home Depot
![Page 6: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/6.jpg)
6
I. Newsworthy Security Breaches
White House
NSA
CENTCOM
![Page 7: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/7.jpg)
Part II.Environmental Differences
![Page 8: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/8.jpg)
8
II. Environmental Differences
• Clean House – Segmentthe Networks– Segment & Separate
Development, Test,Corporate, andProduction
– Speedbumps and LeastPrivileged Access
– Code Repositories– Contractors and
consultants
![Page 9: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/9.jpg)
9
II. Environmental Differences
![Page 10: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/10.jpg)
10
II. Environmental Differences
• Endpoints?– Do they exist?– Mobile work force?– BYOD?
![Page 11: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/11.jpg)
Part III.Top Security Controls
![Page 12: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/12.jpg)
12
III. Top Security Controls
• Access-based Controls– Portable devices (usb/dvd)– Network segregation– Lateral movement restrictions– Admin privileges
![Page 13: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/13.jpg)
III. Top Security Controls
• Signature Based Controls– Firewalls (Next Gen)– Intrusion Detection System (IDP)/
Intrusion Prevention System (IPS)– Anti-Virus and Anti-Spam– Data Leakage Protection (DLP)– Proxy Technology
13
![Page 14: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/14.jpg)
III. Top Security Controls
• Baselines– Determining what is normal– Why this must come first
• Anomalies– How much tolerance for the abnormal?
• Constant Refinement• Comparison with signature-based
14
![Page 15: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/15.jpg)
III. Top Security Controls
• White Listing Technology– Whitelist vs. Blacklist– Allow vs. Deny– Maintenance– Part of Build– Audit Cycle
15
![Page 16: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/16.jpg)
III. Top Security Controls
• Indicators of Compromise (IoC)– Review Ips for bad connection– Known Command & Control Sites– Not Signature Based– Evolves Based on Current Attacks– Stronger when Powered by the Network
16
![Page 17: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/17.jpg)
III. Top Security Controls
• File Integrity Monitoring– Monitors for changes in key files– Can be used in production or corporate network– Human Resource intensive– Fingerprinting is helpful– False Positives?
17
![Page 18: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/18.jpg)
III. Top Security Controls
• Access Controls– Accessing the system and the data– Borrowing from the financial industry– Multifactor (out of band)– Passwords (and beyond)
18
![Page 19: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/19.jpg)
III. Top Security Controls
• Encryption– Data at rest– Data in motion– Devices– Legal and regulatory requirements– Contractual requirements
• Focus– Outside in– Inside– Rest 19
![Page 20: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/20.jpg)
III. Top Security Controls
• Network Flows– Visibility into the Network– Netflows/Data Flows– SIEM – what is happening on your network?– Wireless Protection and WIPS
20
![Page 21: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/21.jpg)
III. Top Security Controls
• Intelligence– Groups
• ISACs– Governmental
• Regulators• Law enforcement• Intelligence agencies
– Informal
21
![Page 22: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/22.jpg)
Part IV.Privacy Professional Role?
![Page 23: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/23.jpg)
23
IV. Privacy Professional Role?
• Knowledge• Governance• Verification
![Page 24: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/24.jpg)
Part V.Communications
![Page 25: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/25.jpg)
25
V. Communications
• Communicating Up– Executive Team– Decision Makers– GC, CFO, Brand– Educating the Board
![Page 26: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/26.jpg)
26
V. Communications
• Communicating Out– Business lines– Company administration– Customers
![Page 27: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/27.jpg)
27
V. Communications
• Communicating Down– Contracts and legal– Diligence– Oversight– Working with them
• Communicating In– The importance of listening
![Page 28: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/28.jpg)
Part VI.Now What?
![Page 29: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/29.jpg)
29
VI. Now What?
• You will still be hacked• You almost certainly have been before• You may be being hacked right now
![Page 30: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/30.jpg)
30
Questions
![Page 31: Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your …t... · 2015. 3. 2. · Don't Get Hacked - 10 Controls & SecOps Ways to Secure Your Company Dr. Christopher T. Pierson,](https://reader031.fdocuments.us/reader031/viewer/2022011918/5ffaf47711760229e91e7f66/html5/thumbnails/31.jpg)
Thanks!
James T. Shreve, J.D.BuckleySandler [email protected]
Christopher T. Pierson, Ph.D., J.D.ViewpostEVP, General Counsel & Chief Security [email protected]