Building a Security Strategy Without a Security Staff

Transcript

1. Building a Security Strategy Without a Security Staff Andrew Hay,

   CISO DataGravity, Inc. [email protected] @andrewsmhay

2. 2 When You Get To Start Fresh When You Inherit

   The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6

3. 3 • Andrew Hay – Chief Information Security Officer (CISO)

   @ DataGravity • Former: – Director of Research @ OpenDNS – Chief Evangelist & Director of Research @ CloudPassage – Senior Security Analyst @ 451 Research – Sr. Security Analyst in higher education and a bank in Bermuda • Wrote some books, blog, spend more time on planes than I care to mention… About Andrew Hay

4. 4

5. 5

6. 6 2016 Verizon DBIR

7. 7 2016 Verizon DBIR

8. 8 2016 Verizon DBIR Minutes…what hope do I have? Could

   I find this in only a week? If my customers knew, my business would be finished!

9. 9 2016 Verizon DBIR OK, I know how to handle

   this…

10. 10 2016 Verizon DBIR OK, I know how to handle

    this… How do I even know this is happening?

11. 11 2016 Verizon DBIR OK, I know how to handle

    this… How do I even know this is happening? WTF? This is getting out of hand!

12. 12 When You Get To Start Fresh When You Inherit

    The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6

13. 13

14. 14 When You Get To Start Fresh • This is

    the ideal (and highly unlikely) situation • You – Likely have budget – Get to architect security – Can position purchases as cost of doing business – Can enforce policy and program goals from day one

15. 15 When You Get To Start Fresh When You Inherit

    The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6

16. 16 Everyone Remember Captain Ron? • “We're getting a boat!”

17. 17 When You Inherit The Wanderer • Inheriting The Wanderer

    is a more likely occurrence than a net-new security program – Especially in SMB/SME • You need to be prepared to be told: “You are/were the security spend…” “We’ve never been breached before…” “We have nothing the attackers want…” • It’s often an uphill battle

18. 18 When You Get To Start Fresh When You Inherit

    The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6

19. 19 Security In The Not-So-Fortunate 500 • When I say

    Not-So-Fortunate 500 I’m referring to companies that have less than (or equal to): – 500 employees – 0.5% of IT budget allocated for security – 0.25 to 1 full-time employee (if they’re lucky)

20. 20 Security In The Not-So-Fortunate 500 • Also, when I

    use “we” I’m using it in the Royal sense

21. 21 % of IT Budget Spent on Information Security

22. 22 “Suggested” IT Security Spend Number of firms < 500

    employees 5,756,4191 Annual payroll of firms < 500 employees $2,318,163,431,000 ($2.3 trillion)1 Payroll from revenue ~15% (on average)2 Estimated annual revenue $2,665,887,945,650 ($2.6 trillion)3 1 - 2013 County Business Patterns, http://www.census.gov 2 - http://smallbusiness.chron.com/percentage-business-overhead-should-payroll-66492.html; AH: 15% is very conservative 3 - Census annual payroll figure multiplied by payroll from revenue of 15% ($2,318,163,431,000 * 1.15)

23. 23 “Suggested” IT Security Spend Estimated average revenue by firm

    $463,1164 Average IT budget based on revenue 5.2%5 4 - Estimated annual revenue divided by number of firms with less than 500 employees 5 - http://structurepoint.com/it/structurepoint-it-spending.pdf

24. 24 “Suggested” IT Security Spend Calculated IT budget $24,082.026 Average

    IT budget from Techaisle $8,0007 Average IT budget from Spiceworks Survey $192,0008 6 - Average IT budget spend percentage multiplied by estimated average revenue by firm (5.2% * $463,116) 7 - http://techaisle.com/blog/210-2015-ww-smb-and-midmarket-it-spend-key-trends 8 - http://www.spiceworks.com/news/press-release/2013/05-29/

25. 25 $50 $500 $5,000 $50,000 $500,000 1 4 7 10

    13 16 19 22 25 28 31 34 37 40 43 46 49 52 55 58 61 64 67 70 73 76 79 82 85 88 91 94 97 100 Suggested Security Spend (USD) Suggested Security Spend (Percentrage of IT Budget) Industry Suggested Security Spend for SMB/SME (includes average breach costs) AMI Partners Avg Cost Per Breach @ $8,000 USD Kaspersky & B2B Avg Cost Per Breach @ $38,000 USD Suggested Spend on Security (calculated) SANS IT Security Spending Trends 2016 (low end) SANS IT Security Spending Trends 2016 (high end) 2015 WW IT spend per SMB - Techaisle Spiceworks Survey - 1H2013 How Much We Should Spend vs. Breach Cost

26. 26 How Much We Should Spend vs. Breach Cost $50

    $500 $5,000 $50,000 $500,000 1 4 7 10 13 16 19 22 25 28 31 34 37 40 43 46 49 52 55 58 61 64 67 70 73 76 79 82 85 88 91 94 97 100 Suggested Security Spend (USD) Suggested Security Spend (Percentrage of IT Budget) Industry Suggested Security Spend for SMB/SME (includes average breach costs) AMI Partners Avg Cost Per Breach @ $8,000 USD Kaspersky & B2B Avg Cost Per Breach @ $38,000 USD Suggested Spend on Security (calculated) SANS IT Security Spending Trends 2016 (low end) SANS IT Security Spending Trends 2016 (high end) 2015 WW IT spend per SMB - Techaisle Spiceworks Survey - 1H2013

27. 27 Gartner: Organize for Security Incident Response • On a

    high level, to organize for effective security incident response, organizations need to: A high degree of clarity is needed for effective IR and for prioritizing efforts. Define Incidents Source: https://www.gartner.com/doc/reprints?ct=160427&id=1-34IIH00&st=sb

28. 28 Gartner: Organize for Security Incident Response • On a

    high level, to organize for effective security incident response, organizations need to: A high degree of clarity is needed for effective IR and for prioritizing efforts. Define what the enterprise IR capability should be. This leads many organizations to consider/engage third-party IR services. Define Capabilities Define Incidents Source: https://www.gartner.com/doc/reprints?ct=160427&id=1-34IIH00&st=sb

29. 29 Gartner: Organize for Security Incident Response • On a

    high level, to organize for effective security incident response, organizations need to: A high degree of clarity is needed for effective IR and for prioritizing efforts. Define what the enterprise IR capability should be. This leads many organizations to consider/engage third-party IR services. Having a dedicated point of contact and, hopefully, a center of excellence for security IR is essential today. Define Capabilities Create Team Define Incidents Source: https://www.gartner.com/doc/reprints?ct=160427&id=1-34IIH00&st=sb

30. 30 Gartner: Organize for Security Incident Response • On a

    high level, to organize for effective security incident response, organizations need to: A high degree of clarity is needed for effective IR and for prioritizing efforts. Define what the enterprise IR capability should be. This leads many organizations to consider/engage third-party IR services. Having a dedicated point of contact and, hopefully, a center of excellence for security IR is essential today. Understand compliance and threat trends. Some verticals have specific requirements and legal obligations. Understand Define Capabilities Create Team Define Incidents Source: https://www.gartner.com/doc/reprints?ct=160427&id=1-34IIH00&st=sb

31. 31 Gartner: Organize for Security Incident Response • On a

    high level, to organize for effective security incident response, organizations need to: A high degree of clarity is needed for effective IR and for prioritizing efforts. Define what the enterprise IR capability should be. This leads many organizations to consider/engage third-party IR services. Having a dedicated point of contact and, hopefully, a center of excellence for security IR is essential today. Understand compliance and threat trends. Some verticals have specific requirements and legal obligations. Prepare tooling to manage and respond. Having the right visibility tools will save days and months of work and often hundreds of thousands of dollars during response. Understand Prepare Tooling Define Capabilities Create Team Define Incidents Source: https://www.gartner.com/doc/reprints?ct=160427&id=1-34IIH00&st=sb

32. 32 ”Cost and Effect” • As you can see, the

    recommendations we present to SMB are – Expensive – Based on enterprise security industry experience – Untenable for most • How do we address this by… – Looking the other way – Imposing Government – Penalizing into submission

33. 33 Why Do We Punish SMB? • Breach laws are

    enacted to promote better safety and security of customer data – And, by proxy, small businesses • This is a combination of carrot, stick, and bullying • Why don’t we try incentivizing?

34. 34 Why Do We Punish SMB? • Look to The

    Speed Camera Lottery - The Fun Theory https://www.youtube.com/watch?v=iynzHWwJXaA

35. 35 The Speed Camera Lottery • The Speed Camera Lottery

    – The winning idea of the fun theory award, submitted by Kevin Richardson, USA – Can we get more people to obey the speed limit by making it fun to do? – Volkswagen, together with The Swedish National Society for Road Safety, made this idea a reality in Stockholm, Sweden • Speed citations go into a pot – Drive legally, get entered into a lottery for the a share of the pot – Speeding decreased 22% during experiment

36. 36 Incentivizing Ideas • What if we rewarded better business

    practices instead of only punishing bad ones? – Card merchants could provide preferred rates for transactions… – Government could provide bursaries or “credits” for responsible security operations • Think “Carbon/Emission Credits” – Insurance premiums could be reduced

37. 37 When You Get To Start Fresh When You Inherit

    The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6

38. 38 • So let’s say we’re working with a Wanderer

    scenario • How can you make incremental improvements without – Rocking the boat… – Spending a fortune... • The easiest way is to evoke change by taking small bites Large Bites Small Bites • NIST • ISO • COBIT • ITIL • CIS • CSA Quick Wins

39. 39 CIS Controls for Effective Cyber Defense • The CIS

    Controls are a set of internationally recognized measures developed, refined, and validated by leading IT security experts from around the world • Represent the most important cyber hygiene actions every organization should implement to protect their IT networks • Study by the Australian government indicates that 85% of known vulnerabilities can be stopped by deploying the Top 5 CIS Controls

40. 40 CIS Critical Security Controls - Version 6.0 Inventory of

    Authorized and Unauthorized Devices Secure Configurations for Network Devices such as Firewall Routers, and Switches Inventory of Authorized and Unauthorized Software Boundary Defense Secure Configurations for Hardware and Software on Mobile Device Laptops, Workstations, and Servers Data Protection Continuous Vulnerability Assessment and Remediation Controlled Access Based on the Need to Know Controlled Use of Administrative Privileges Wireless Access Control Maintenance, Monitoring, and Analysis of Audit Logs Account Monitoring and Control Email and Web Browser Protections Security Skills Assessment and Appropriate Training to Fill Gaps Malware Defenses Application Software Security Limitation and Control of Network Ports, Protocols, and Services Incident Response and Management Data Recovery Capability Penetration Tests and Red Team Exercises

41. 41 CIS Critical Security Controls - Version 6.0 Inventory of

    Authorized and Unauthorized Devices Secure Configurations for Network Devices such as Firewall Routers, and Switches Inventory of Authorized and Unauthorized Software Boundary Defense Secure Configurations for Hardware and Software on Mobile Device Laptops, Workstations, and Servers Data Protection Continuous Vulnerability Assessment and Remediation Controlled Access Based on the Need to Know Controlled Use of Administrative Privileges Wireless Access Control Maintenance, Monitoring, and Analysis of Audit Logs Account Monitoring and Control Email and Web Browser Protections Security Skills Assessment and Appropriate Training to Fill Gaps Malware Defenses Application Software Security Limitation and Control of Network Ports, Protocols, and Services Incident Response and Management Data Recovery Capability Penetration Tests and Red Team Exercises Phase 1: FREE

42. 42 CIS Critical Security Controls - Version 6.0 Secure Configurations

    for Hardware and Software on Mobile Device Laptops, Workstations, and Servers Data Protection Continuous Vulnerability Assessment and Remediation Controlled Access Based on the Need to Know Maintenance, Monitoring, and Analysis of Audit Logs Wireless Access Control Email and Web Browser Protections Account Monitoring and Control Malware Defenses Security Skills Assessment and Appropriate Training to Fill Gaps Limitation and Control of Network Ports, Protocols, and Services Application Software Security Secure Configurations for Network Devices such as Firewall Routers, and Switches Incident Response and Management Boundary Defense Penetration Tests and Red Team Exercises

43. 43 When You Get To Start Fresh When You Inherit

    The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6

44. 44 Summary • We need to incentivize organizations to operate

    more securely • We’re asking a lot of SMB and SME market segments – Can’t get blood from a stone • To properly secure our SMBs, we need to take small, iterative bites from problem – There is no magic/silver security bullet

45. Building a Security Strategy Without a Security Staff Andrew Hay,

    CISO DataGravity, Inc. [email protected] @andrewsmhay