Turning IT Professionals into Cybersecurity Warriors
An Educational Seminar
May 18, 2016
Sponsored by

Agenda
Introductions: John Thomas Flynn, Creator and Host of TechLeader.TV
Keynote: Mark Ghilarducci, Director, Governor's Office of Emergency Services
Presentations: Andre McGregor - Tanium, Director of Security
Sebastian Goodwin – Dir. of Endpoint Security/Security, Palo Alto Networks
Sean Cordero - Optiv, Senior Executive Director, Office of the CISO
Case Studies: Initiatives, Organizational Readiness, Experiences, Lessons Learned, Best Practices:
Todd Ibbotson - Information Security Officer, Calif. Depart. of Justice
Justin Cain - Cybersecurity Coordinator, Homeland Security Div. CalOES
Doug Leone - Agency Information Security Officer, California EPA
© 2015, Palo Alto Networks. Confidential and Proprietary.
CYBERSECURITY SUMMIT, MAY 2016
PROTECTING OUR DIGITAL FUTURE
SEBASTIAN E. GOODWIN, MBA, CISSP, CISA, CCNA, MCSE, MCT
DIRECTOR, ENDPOINT SECURITY
WE MUST CHANGE THE COST CURVE
[Chart: number of successful attacks plotted against the cost of launching a successful attack]
HOW TO ENSURE FAILURE
[Diagram: an Enterprise Network behind an Internet Connection, surrounded by point products from Vendor 1, Vendor 2, Vendor 3 and Vendor 4: Anti-APT for port 80 APTs, Anti-APT for port 25 APTs, Anti-APT cloud, Endpoint AV, Network AV, UTM/Blades, DNS protection cloud, DNS protection for outbound DNS, and a Malware Intelligence feed. Each product raises its own stream of DNS, Endpoint, AV, SMTP and Web alerts.]
Limited visibility. Manual response. Lacks correlation.
PREVENTION EVERYWHERE
• At the internet edge
• Between employees and devices within the LAN
• At the data center edge, and between VMs
• On the endpoint
• Within private, public and hybrid clouds, and SaaS
Detect and prevent threats at every point across the organization
IMPERATIVES
• PREVENT
• INTELLIGENCE SHARING
ENDPOINTS ARE EASY TARGETS
“Endpoints are one of the most popular threat vectors for cyberattacks, because it has historically been easier to gain access to an endpoint (which often moves in and out of the network perimeter) than it has to penetrate core infrastructure.”
Guggenheim Securities, “Endpoint Endgame: The Race to Replace AV”, Sept. 2015
Palo Alto Networks and Tanium: Manage, Prevent, Confirm, and Sweep
[Diagram: NGFW, WildFire, Traps Server and Tanium Server exchanging malware samples, IOCs and protections]
• WildFire identifies malware and generates high-fidelity IOCs, and generates new protections for all Palo Alto Networks customers within 15 minutes.
• Tanium pinpoints all endpoints infected with IOCs within seconds; automated isolation and remediation of infected endpoints.
• Traps prevents execution of malware using built-in mechanisms and verdicts from WildFire, and prevents exploitation of vulnerable software with unique ability to prevent zero-day exploits.
• Patching, visibility, and control.
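The Manage, Prevent, Confirm and Sweep loop above comes down to matching a small set of high-fidelity IOCs against what every endpoint has seen, then isolating the hits. The following Python is an added example written for this page; it is not Palo Alto Networks or Tanium code, and every IOC value, host name and telemetry record in it is constructed. It also adds one caveat the slide does not spell out: hosts whose isolation would cause an outage are held for analyst review instead of being isolated automatically.

```python
"""IOC sweep and isolation plan over endpoint telemetry.

Added example for this page; not Palo Alto Networks or Tanium code. All IOC
values, host names and observations below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class IOC:
    kind: str     # "sha256", "domain" or "ip"
    value: str
    verdict: str  # label of the sandbox verdict that produced it (constructed)


@dataclass(frozen=True)
class EndpointObservation:
    host: str
    file_hashes: frozenset   # SHA-256 of files seen on disk
    dns_queries: frozenset   # domains the host resolved
    connections: frozenset   # destination IPs the host connected to


# Which telemetry field each IOC kind is matched against.
FIELD_FOR_KIND = {"sha256": "file_hashes", "domain": "dns_queries", "ip": "connections"}


def normalize(kind: str, value: str) -> str:
    """Canonical form so that case and trailing-dot differences do not hide a hit."""
    value = value.strip().lower()
    if kind == "domain":
        value = value.rstrip(".")
    return value


def build_index(iocs: Iterable[IOC]) -> Dict[Tuple[str, str], IOC]:
    """Index IOCs by (kind, normalized value) for constant-time lookups during the sweep."""
    return {(ioc.kind, normalize(ioc.kind, ioc.value)): ioc for ioc in iocs}


def sweep(observations: Iterable[EndpointObservation],
          iocs: Iterable[IOC]) -> Dict[str, List[IOC]]:
    """Return {host: [matched IOCs]} for every endpoint with at least one hit."""
    index = build_index(iocs)
    hits: Dict[str, List[IOC]] = {}
    for obs in observations:
        matched: List[IOC] = []
        for kind, attr in FIELD_FOR_KIND.items():
            for seen in getattr(obs, attr):
                ioc = index.get((kind, normalize(kind, seen)))
                if ioc is not None and ioc not in matched:
                    matched.append(ioc)
        if matched:
            hits[obs.host] = matched
    return hits


def isolation_plan(hits: Dict[str, List[IOC]],
                   hold_for_review: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Split matched hosts into (auto-isolate, hold-for-analyst) lists.

    Automated isolation of a server can turn a contained infection into an
    outage, so hosts named in hold_for_review are never isolated automatically.
    """
    hold = set(hold_for_review)
    auto = sorted(host for host in hits if host not in hold)
    held = sorted(host for host in hits if host in hold)
    return auto, held


# Constructed IOCs standing in for sandbox verdicts (hash and domain are made up;
# the IP is from the TEST-NET-3 documentation range).
SAMPLE_IOCS = [
    IOC("sha256", "AB12" + "0" * 60, "verdict-001"),
    IOC("domain", "update.example-bad.test.", "verdict-001"),
    IOC("ip", "203.0.113.77", "verdict-002"),
]

# Constructed telemetry from three endpoints.
SAMPLE_OBSERVATIONS = [
    EndpointObservation("ws-0123", frozenset({"ab12" + "0" * 60}),
                        frozenset({"update.example-bad.test", "www.example.com"}),
                        frozenset({"198.51.100.5"})),
    EndpointObservation("ws-0456", frozenset(), frozenset({"www.example.com"}),
                        frozenset({"198.51.100.5"})),
    EndpointObservation("db-01", frozenset(), frozenset(),
                        frozenset({"203.0.113.77"})),
]


if __name__ == "__main__":
    found = sweep(SAMPLE_OBSERVATIONS, SAMPLE_IOCS)
    for host, matched in found.items():
        print(host, [f"{i.kind}:{i.value} ({i.verdict})" for i in matched])
    isolate, review = isolation_plan(found, hold_for_review={"db-01"})
    print("isolate now:", isolate)
    print("hold for analyst review:", review)
```

Running the block flags ws-0123 on both the file hash and the domain (the hash is matched despite differing case, the domain despite the trailing dot in the IOC) and db-01 on the outbound connection; ws-0456 stays clean. With db-01 on the hold list, only the workstation is queued for automatic isolation and the database server goes to an analyst.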
The Compliance Treadmill & The Fight for Effective Security Programs
Sean Cordero, Senior Executive Director, oCISO
CISSP, CISM, CRISC, CISA
Proprietary and Confidential. Do Not Distribute. © 2015 Optiv Inc. All Rights Reserved.
Agenda
Security Today
Programs for Today & Tomorrow
Questions?
Security Today
Signal to Noise
• Contributed to uptake of compliance approach
• Compliance/audit drowned out larger issues
Compliance Focused Programs
1. Risk Assessment Optional (sometimes)
   • Used as a proxy for critical analysis
   • Can remove the need for understanding
   • Most have built-in risk decisions made for you
2. Inefficient Standards for Management
   • Requirements overlap
   • Requirements conflict
3. Traditional Frameworks – Not enough for new tech
   • Lack service and delivery awareness
   • Control extensibility
It wasn’t all bad...
Facilitated the Security Discussion with Stakeholders
• Allowed for easier discussions around “Why?”
• Facilitated standardized measurements
• Could be validated by 3rd parties
Resulted in Near Term Security Investments
• Funding & resources tied to compliance program
• Resourcing tied
Provided a Uniform Taxonomy and Language for Security
• Implement network based advanced malware capability
• Established common terms and definitions
• Provided visibility into long standing issues
All positive outcomes. For some, it has lowered expectations over InfoSec.
Compliance as Security: Plot twist! The approach fails in the end!
• 91% Vulnerable to threats (Vormetric, 2016)
• 61% Aware of a breach (Vormetric, 2016)
• 64% Believe Compliance is Effective at breach prevention (Vormetric, 2016)
• 46% Rank Compliance in Top 3 for IT Spending (Vormetric, 2016)
Source: Vormetric Data Threat Report 2016
The State of Cyber Security: “2015 Year of the Hack”
2015 Breaches
• VTech: 4.7 million accounts
• Experian: 15 million accounts
• BCBS: 11.2 million subscriber records affected.
• Excellus BCBS: SSNs and personal data of 10.5 million customers. Breach occurred in December 2013, discovered in 2015.
• Anthem Health: data breach results in compromise of 80 million records.
• CareFirst BCBS: 1.1 billion records breached.
• Premera BCBS: 11.2 million subscriber records affected.
• Office of Personnel Management: breach of 21.5 million records.
• IRS: breach of 100K+ records, $50m in fraud.
• UCLA: 4.5 million patient records
• Ashley Madison: hack discloses customer records, including military and government email addresses.
• Kaspersky Labs: security vendor infiltrated by nation-state sponsored hacker.
• ISIL Cyber Caliphate hacker killed in US military drone strike.
REGULATORY CLIMATE
• Cyber Security Bill delayed in the Senate.
• Federal Data Security Breach legislation would supersede 48 state laws and would impose 30-day notification requirements to consumers in the event of a breach.
Cyber Security Realities
Disappearing Boundaries
• Actors can locate and attack from anywhere
• Very difficult to trace and identify actors
• Socially connected networks provide cheap and easy intelligence to plan an attack
Increasing Risk-Adjusted Returns
• Cost of launching an attack has drastically decreased
• “Victimless” crime that is “safer” than drug dealing
Method of Attack Changes Frequently
• Targeted phishing campaigns to gain login credentials
• Trusted third-party relationships to bypass controls
• Malicious insider still a concern
You cannot fight today’s cyber warfare with yesterday’s tactics
The Security Journey
Ad Hoc Program → Infrastructure Based → Compliance Based → Threat Based → Risk Based/Data Centric → Business Aligned
Business Aligned Strategy: Create a security program that enables your organization by understanding the business objectives, compliance objectives, threats and material risks.
Shortcut = Failure to Pass
Diagnosing Your Program
1. Discussions focused on “findings”
2. Compliance is Top of Mind
   • Compliance 1st, Security 2nd
   • Sole justification for InfoSec
3. No time for security work
   • Endless audit/re-audit
4. Half complete InfoSec deployments
   • Show Enough
   • Do Enough
   • Build Capability (hopefully)
   • Get Audited
Likelihood of on-going success is low.
Programs for Today & Tomorrow
Six Forces of a Security Strategy
The Six Forces Require a Resilient Security Strategy:
• Business Strategy
• Global Social and Political Forces
• Government and Industry Regulations
• Adversaries and Threats
• Organizational Culture
• IT Organization, Systems and Infrastructure
Three Lines of Defense to Achieve Effective Information Risk Management and Assurance
1st Line of Defense: IT Information Security
• Highly Skilled & Trained Staff
• Install and maintain enabling Security Technologies
• Processes to Protect, Detect, and Respond
• Define and Enforce Information Security Policy
2nd Line of Defense: Information Risk Office & Steering Team (Information Risk Program)
• Manage Information Risk Program
• Program Strategy and Goals
• Measure & Manage Information Risk
• Oversee Industry and Regulatory Requirements
• Executive Sponsors
3rd Line of Defense: Audit and External Experts
• Internal Audit: Validation of Control Framework
• External Audit: External Testing and Validation of Controls
Mission Aligned Security Program
[Diagram: Executive Management sits between the two goals “Make what we do better” and “Keep us out of trouble”. Inputs: Business Drivers, Goals and Strategies; Enterprise and Operational Risks (Threat Management; Assets and Capital Management; Earnings and Operation Margins; Revenues and Efficiencies); and Infrastructure, Frameworks and Regulations (ISO 2700X; Complex Regulatory Requirements). These are filtered and prioritized into Risk and Security Coverage, which feeds a Threat Aware Security Program (Business Drivers; Asset Profile; Technical Specifications; People and Organizational Management; Governance, Policies and Standards; Technical Security Architecture) in order to Achieve Business Objectives. Stakeholders: Executive Sponsors, Audit Committee, Media, Constituents, Clients.]
Optiv Value
• End-to-end cyber security solutions
• Tailored to your needs
• Client Centric Approach
Summary
1. Leverage compliance, do not rely on it.
2. Compliance is a byproduct of program success.
3. Strive to understand. Context is key.
4. Use Contextualized and Delivery Aware Models.
Questions
Sean Cordero, Senior Executive Director
CISSP, CISM, CRISC, CISA
@sean_cordero
Turning IT Professionals into Cybersecurity Warriors
Case Studies
Initiatives, Organizational Readiness, Experiences, Lessons Learned, Best Practices:
Todd Ibbotson - Information Security Officer, California Department of Justice
Justin Cain - Cybersecurity Coordinator, CalOES
Doug Leone - Agency Information Security Officer, California EPA
Sponsored by

Turning IT Professionals into Cybersecurity Warriors
Final Questions???
Sponsored by