SANS Webcast | 2017 Cybersecurity Trends: Aiming Ahead of the Target to Increase Security
Author: qualys
Category: Technology

© 2017 The SANS™ Institute – www.sans.org
2017 Cybersecurity Trends: Making Progress by Aiming Ahead of the Target
John Pescatore, SANS Director, Emerging Security Trends
Chris Carlson, Vice President, Product Management, Qualys

May You Be Cursed/Blessed to Live In Interesting Times

Obligatory Agenda Slide
Housekeeping info
Here’s what we will do
– 1:05 – 1:25 Overview – John Pescatore
– 1:25 – 1:45 Qualys
– 1:45 – 2:00 – Q&A
Thanks to our sponsor:

Q & A
Please use GoToWebinar’s Questions tool to submit questions to our panel.
Send to “Organizers” and tell us if it’s for a specific speaker.

What Should We Learn From the Past Year?

Vulnerabilities Did Slow Down
Source: Microsoft Security Intelligence Report

Damage from Attacks Did Not
Yahoo — Impacted value of sale to Verizon
IRS — Get Transcript breach
Premier Healthcare — Laptop still not encrypted
Wendy's — Ever-expanding point-of-sale breach
SF Muni — Ransomware
DynDNS — Mirai IoT DDoS

Evolution in Targeting and Evasion
Source: FireEye iSIGHT

Not Just Breaches - Ransomware
Source: Kaspersky

“New” Threat Mechanisms — DNS Tunneling
Source: Infoblox

Critical Infrastructure Attacks
The Seven Most Dangerous New Attack Techniques, and What’s Coming Next
2015 Ukraine Attack Summary

New Forms of Infrastructure Vulnerabilities

Protecting Your Company From the Company It Keeps
Business is increasingly interconnected and interdependent
The bad guys have figured that out
So have the regulators
The cloud exacerbates that trend, additional levels of parties

Third Parties in the Breach Chain
Source: The Aerospace Corp.

Mobility and the Cloud
A mobile, distributed workforce is the norm
The cloud exacerbates that trend
The bad guys have figured this out
Visibility and mitigation need to be extended
Source: Citrix

SaaS Is a Given, PaaS Is Happening, IaaS Is Growing
Nontraditional Application Ecosystems
Good Old Data Center
Data.gov
Wired/Wireless Internet

The Internet of Vulnerable Things

“Obviously, some people here do not appreciate the gravity of our situation.”
Increasing Boards of Directors’ Focus

The Messages Back from Directors
“Security people don’t speak our language. In fact, at each briefing they seem to speak a different language.”
“The CISO is great at talking about ‘blood in the streets’ but very weak on strategy to avoid disasters.”
“We know bad things will happen — the CEO and CFO and VPs inform us of business problems frequently. We want to have confidence that basic competence and strategies are in place to reduce bottom line impact.”
“The board is not an ATM — we are not here to give you resources.”
“A big part of being believable and building our trust is showing us how we compare to competitors, other industries, some kind of standards or benchmarks.”

Delivering Security Efficiency and Effectiveness
Efficiency
– Decrease the cost of dealing with known threats
– Decrease the impact of residual risks
– Decrease the cost of demonstrating compliance
– Reduce business damage due to security failures
– Maintain level of protection with less EBITDA impact
Effectiveness
– Increase the speed of dealing with a new threat or technology
– Decrease the time required to secure a new business application, partner or supplier
– Reduce incident cost
– Reduce downtime
– Decrease customer defections
– Position security as a competitive business factor

Good News: Many Organizations Avoided or Reduced Damage
980 breaches in 2016
– What did the other 9,020 of the F10000 do differently?
– (781 in 2015)
On average, 36K records exposed per breach
– What did those that limited breach size do differently?
– (Average = 215K in 2015)
Almost invariably, the organizations with the least cyber incident impact have the strongest CISOs and security teams.
Source: Identity Theft Resource Center

Some Things Don’t Change
Sample Red/Yellow/Green Metric
[Figure: Center for Internet Security Critical Security Controls, numbered 1 to 20. Legend: Prevention; Detection & Response; Identity, Access, Governance & Architecture]

CISO Hot Topic: Application Security
Problem: Healthcare company needs to reduce threat exposure and bug fix costs across all corporate applications.
Solution: Focus on Secure (and Agile!) Software Development Lifecycle
Results:
– Defect density decreased by 92% for high/moderate vulnerabilities
– Apps using secure library increased each month
– Threat modeling approach reduced resource time from 40 hours to 2
– Overall CDLC productivity increase of 15% estimated

When You Get Back to Work
Threats evolve but still need vulnerabilities to exploit
– Reduce people-attack aperture
– Decrease time to detect and mitigate software vulnerabilities
Make sure you are collecting the right security metrics so you can demonstrate value, improvement, danger—and connection to business goals.
Take advantage of any transitions coming:
– Moving to Windows 10, cloud services, mobile apps, agile dev, etc.
– M&A, re-org, new C-level management
– Audit results
Identify high-leverage, short-term basic-security-hygiene win to gain trust
Grab a few third rails!

DevSecOps
Building Continuous Security into IT and Application Infrastructures
Chris Carlson
VP, Product Management
Qualys

Terminology
DevOps
Build Automation
Continuous Integration (CI)
Continuous Deployment (CD)
Containers (Docker)
Repository
Agile
Waterfall
Agile-fall
XP
Test Driven
Automation

Waterfall vs. Agile Dev Methodologies

Agile (Dev) + Deploy (Ops) Automation

Where do Security Assessments Fit?

Terminology: Shift Left

Apply Shift Left to Security?

Transparent Security or Process Blockers

DevOps + Security: Friend or Foe?

“Shift Left” Security

Integrate Security into the CI/CD Process

Shift Left Security – Continuous Security

DevSecOps – How to Accelerate Usage

DevSecOps: Docker Containers

Next Steps and What Works

Resources
SANS: https://www.sans.org/webcasts/archive/20167
What Works: https://www.sans.org/critical-security-controls
SANS SOC – https://www.sans.org/event/security-operations-center-summit-2017
Qualys: https://www.Qualys.com/
Questions: [email protected]@[email protected]

Acknowledgments
Thanks to our sponsor:
And also to our speaker and to our attendees:
Thank you for joining us today