Modern Security vs. Modern Threats
Kevin Flook, Field Channels System Engineer
© 2008 Cisco Systems, Inc. All rights reserved.
Today’s Session
1. Recognize the Significance of Security
  – The Business Perspective
  – Data Owners vs Custodians
  – Security provides access to C-level
2. Understand the Real Threats
  – Understanding the Hacker’s Strategy
  – Tools and Methods
  – The Impact is great
3. How to Leverage Compliance and Liability
  – Key Concepts of Compliance
  – Information Lifecycle Management
  – The Compliance Landscape
4. Selling Cisco Security to Data Owners
  – Risk Management
  – Security in the Boardroom
2 Key Principles of Selling Security
1. Stop focusing on product, start focusing on assets!
  – Digital Assets = Mission-critical data, Intellectual property (company data + customer data)
  – Security is not a product, but a discipline comprised of technical (that’s us!), administrative, and physical controls working together to protect assets
2. Find the asset owner
  – The person with liability, usually NOT the CIO
  – Not the data custodian, whose liability is limited to job security
• SECURITY HAS THE POWER TO GET US INTO THE CXO SUITE MORE THAN ANY OTHER TECHNOLOGY
  – CAT > Board of Directors, CEO, CFO, CIO
  – Emerson > Board of Directors, CEO, CFO, CIO
Recognizing the Significance of Security
Trends and Sound-Bytes
• Widespread outages from viruses and worms are “old skool”
• 90% of Corporate America’s Intellectual Capital is stored and transmitted across IT infrastructures
• Cyber-crime is now extremely organized and stealthy
  – Estimated $67.2B market, with 20x projected growth over 5yrs
  – Bigger than drug trade market today
• 100M US Population IDs have been reported stolen
• 250,000 new zombies created each day
• MS reports 60% of telecommuting PCs are zombies
  – 6% of inside systems
  – Statistically 99.9% probability your customer has one or more compromised machines
• 10x more expensive to react to (clean up) a breach than to put in countermeasures to proactively stop it in the first place
• Denial of Service attacks have increased by over 400% this year
Understand the Real Threats
Changing Paradigm
• Security is no longer about virus/worms, but that’s the mindset most IT shops are stuck in
• The new and real threat is information and resource theft
• Impact of Theft:
– Up to and including Imprisonment for Data Owners
– Loss of shareholder value
– “CIO Magazine says that reported ID Thefts take an average of 5% hit on shareholder value and up to a year to recover”
– Loss of Marketshare
– Loss of customer confidence (TJ Maxx)
– Business Disruption
– Corporate and Personal Liability
– Average of $600,000 to notify customers of breach (~$300/ID)
Selling Security to Data Owners
Security = Risk Mitigation
[Diagram labels: LIKELIHOOD, IMPACT, Risk]
Without both likelihood and impact there is no risk
We can’t control the Impact of a breach, but we CAN control the likelihood
Trusted Advisor covers ALL Security Controls
• Physical
  – Door locks, key card access
• Administrative
  – Security Policies, Procedures, Guidelines
• Technical
  – Applications, network
Sell the SDN to Data Owners
1. Stop focusing on product, start focusing on assets!
2. Find the asset owner
• Michael Bosworth (Solution Selling) says: “You get delegated to the people you sound like.”
• The next time someone says: “You should work with our IT engineering people...”, you should translate – I must sound like an IT engineer...
Talking about Security in the Boardroom
Step 1: The 3 Questions
Developing a Comprehensive IT Risk Mitigation Strategy:
1. What assets are you trying to protect?
  – Credit Card Numbers
  – Identity Information
  – Political reputation
  – Patient Health Information
2. What are the relevant threats?
  – Constantly evolving threat landscape
  – Non-Compliance
3. How comfortable are you with your organization’s ability to detect and respond to these threats?
  – Show an IT Auditor that you’ve exercised Due Care
Where Do You Start?
Step 2: The House
Protecting Your House
• Protect: Fence, Locks, Door, Windows, Dog
• Detect: Alarms, Dog, Neighborhood Watch, Motion Detector
• Respond: Police, Gun, Insurance, Dog
Where Do You Start?
Step 2: The House
Protecting Your House / Your Enterprise
• Protect: Fence, Locks, Door, Windows, Dog
• Detect: Alarms, Dog, Neighborhood Watch, Motion Detector
• Respond: Police, Gun, Insurance, Dog
Your Enterprise:
• Reputation-based Security
• Behavioral Security
• Updated Security Information / Monitoring
• Static Security
Beyond Due Diligence
Focus on Due Care
Due Care - shows that an organization has taken responsibility for the activities that take place within the organization and has taken the necessary steps to protect the organization, its resources, its employees and clients from possible risks. If an organization does not practice due care pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence.
- CISSP Exam Guide –
due care n. the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others. If one uses due care then an injured party cannot prove negligence. This is one of those nebulous standards by which negligence is tested. Each juror has to determine what a "reasonable" man or woman would do.
- The Law Encyclopedia -
Step 3: The Cloud
How easy it is to break into networks today
Points of entry
• Pop-ups
• Email attachments
• Web Links
• Keystroke Loggers
• Instant Messaging
• Peer to Peer file sharing
[Diagram labels: Trusted Network, UN-Trusted Network]
4 Reasons Organizations Buy Security
1. Risk Mitigation
  – Personal/Organizational liability (Sarbanes-Oxley, PCI, etc.)
  – Tarnished image
  – Negative Publicity/Political carnage
2. Returns on Investment (ROI)
3. Competitive Advantage
  – Product
  – Cost reduction
  – Employee/Customer/Constituent Satisfaction
4. Operational Efficiencies/Increased Productivity
Cisco’s Security Value Proposition
1. Security is embedded in all our products (features and development)
2. The network touches all hosts, people, processes
3. R&D spending @ $350M annually
4. Acquisition strategy and execution
5. Total breadth of security offering to address dynamic and growing threat vectors
  – Collaboration vs. Best of Breed
6. Support infrastructure, intellectual capital, and human resources
7. John Chambers – Visionary, Celebrity
  – John spends more than 50% of his time talking security