Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building a Security Strategy Without a Security Staff

7eaca7b954a0966ed47bda102a669af9?s=47 Andrew Hay
October 20, 2016

Building a Security Strategy Without a Security Staff

Where do I start? Am I at risk of being targeted? How much should it cost? What is the ROI? What happens if I do it wrong? What do I do?!?!

These are some of the questions that every small or medium (SMB) sized business owner is asking in the wake of some of the most prolific and highly publicized data security breaches in history. Most people have forgotten about the massive TJX credit card breach of 2007 but recent breaches, such as those experienced by Sony Pictures Entertainment, OPM, and Anthem, have found their way into typical conversations at coffee shops, family events, and holiday parties of the average consumer. The difference, however, is that most SMBs have neither the money, expertise, nor the forgiving customer base which would allow their business to survive a similar breach.

So how does a SMB, that is increasingly responsible for the security and privacy of customer and employee information, mitigate a serious and perhaps business-ending data breach? This session will present real world strategies to prepare for, mitigate, and respond to incidents posed by opportunistic attackers, malicious insiders, and targeted attackers - taking into account real-world constraints such as time, expertise, business continuity, and money.

7eaca7b954a0966ed47bda102a669af9?s=128

Andrew Hay

October 20, 2016
Tweet

Transcript

  1. Building a Security Strategy Without a Security Staff Andrew Hay,

    CISO DataGravity, Inc. ahay@datagravity.com @andrewsmhay
  2. 2 When You Get To Start Fresh When You Inherit

    The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6
  3. 3 • Andrew Hay – Chief Information Security Officer (CISO)

    @ DataGravity • Former: – Director of Research @ OpenDNS – Chief Evangelist & Director of Research @ CloudPassage – Senior Security Analyst @ 451 Research – Sr. Security Analyst in higher education and a bank in Bermuda • Wrote some books, blog, spend more time on planes than I care to mention… About Andrew Hay
  4. 4

  5. 5

  6. 6 2016 Verizon DBIR

  7. 7 2016 Verizon DBIR

  8. 8 2016 Verizon DBIR Minutes…what hope do I have? Could

    I find this in only a week? If my customers knew, my business would be finished!
  9. 9 2016 Verizon DBIR OK, I know how to handle

    this…
  10. 10 2016 Verizon DBIR OK, I know how to handle

    this… How do I even know this is happening?
  11. 11 2016 Verizon DBIR OK, I know how to handle

    this… How do I even know this is happening? WTF? This is getting out of hand!
  12. 12 When You Get To Start Fresh When You Inherit

    The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6
  13. 13

  14. 14 When You Get To Start Fresh • This is

    the ideal (and highly unlikely) situation • You – Likely have budget – Get to architect security – Can position purchases as cost of doing business – Can enforce policy and program goals from day one
  15. 15 When You Get To Start Fresh When You Inherit

    The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6
  16. 16 Everyone Remember Captain Ron? • “We're getting a boat!”

  17. 17 When You Inherit The Wanderer • Inheriting The Wanderer

    is a more likely occurrence than a net-new security program – Especially in SMB/SME • You need to be prepared to be told: “You are/were the security spend…” “We’ve never been breached before…” “We have nothing the attackers want…” • It’s often an uphill battle
  18. 18 When You Get To Start Fresh When You Inherit

    The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6
  19. 19 Security In The Not-So-Fortunate 500 • When I say

    Not-So-Fortunate 500 I’m referring to companies that have less than (or equal to): – 500 employees – 0.5% of IT budget allocated for security – 0.25 to 1 full-time employee (if they’re lucky)
  20. 20 Security In The Not-So-Fortunate 500 • Also, when I

    use “we” I’m using it in the Royal sense
  21. 21 % of IT Budget Spent on Information Security

  22. 22 “Suggested” IT Security Spend Number of firms < 500

    employees 5,756,4191 Annual payroll of firms < 500 employees $2,318,163,431,000 ($2.3 trillion)1 Payroll from revenue ~15% (on average)2 Estimated annual revenue $2,665,887,945,650 ($2.6 trillion)3 1 - 2013 County Business Patterns, http://www.census.gov 2 - http://smallbusiness.chron.com/percentage-business-overhead-should-payroll-66492.html; AH: 15% is very conservative 3 - Census annual payroll figure multiplied by payroll from revenue of 15% ($2,318,163,431,000 * 1.15)
  23. 23 “Suggested” IT Security Spend Estimated average revenue by firm

    $463,1164 Average IT budget based on revenue 5.2%5 4 - Estimated annual revenue divided by number of firms with less than 500 employees 5 - http://structurepoint.com/it/structurepoint-it-spending.pdf
  24. 24 “Suggested” IT Security Spend Calculated IT budget $24,082.026 Average

    IT budget from Techaisle $8,0007 Average IT budget from Spiceworks Survey $192,0008 6 - Average IT budget spend percentage multiplied by estimated average revenue by firm (5.2% * $463,116) 7 - http://techaisle.com/blog/210-2015-ww-smb-and-midmarket-it-spend-key-trends 8 - http://www.spiceworks.com/news/press-release/2013/05-29/
  25. 25 $50 $500 $5,000 $50,000 $500,000 1 4 7 10

    13 16 19 22 25 28 31 34 37 40 43 46 49 52 55 58 61 64 67 70 73 76 79 82 85 88 91 94 97 100 Suggested Security Spend (USD) Suggested Security Spend (Percentrage of IT Budget) Industry Suggested Security Spend for SMB/SME (includes average breach costs) AMI Partners Avg Cost Per Breach @ $8,000 USD Kaspersky & B2B Avg Cost Per Breach @ $38,000 USD Suggested Spend on Security (calculated) SANS IT Security Spending Trends 2016 (low end) SANS IT Security Spending Trends 2016 (high end) 2015 WW IT spend per SMB - Techaisle Spiceworks Survey - 1H2013 How Much We Should Spend vs. Breach Cost
  26. 26 How Much We Should Spend vs. Breach Cost $50

    $500 $5,000 $50,000 $500,000 1 4 7 10 13 16 19 22 25 28 31 34 37 40 43 46 49 52 55 58 61 64 67 70 73 76 79 82 85 88 91 94 97 100 Suggested Security Spend (USD) Suggested Security Spend (Percentrage of IT Budget) Industry Suggested Security Spend for SMB/SME (includes average breach costs) AMI Partners Avg Cost Per Breach @ $8,000 USD Kaspersky & B2B Avg Cost Per Breach @ $38,000 USD Suggested Spend on Security (calculated) SANS IT Security Spending Trends 2016 (low end) SANS IT Security Spending Trends 2016 (high end) 2015 WW IT spend per SMB - Techaisle Spiceworks Survey - 1H2013
  27. 27 Gartner: Organize for Security Incident Response • On a

    high level, to organize for effective security incident response, organizations need to: A high degree of clarity is needed for effective IR and for prioritizing efforts. Define Incidents Source: https://www.gartner.com/doc/reprints?ct=160427&id=1-34IIH00&st=sb
  28. 28 Gartner: Organize for Security Incident Response • On a

    high level, to organize for effective security incident response, organizations need to: A high degree of clarity is needed for effective IR and for prioritizing efforts. Define what the enterprise IR capability should be. This leads many organizations to consider/engage third-party IR services. Define Capabilities Define Incidents Source: https://www.gartner.com/doc/reprints?ct=160427&id=1-34IIH00&st=sb
  29. 29 Gartner: Organize for Security Incident Response • On a

    high level, to organize for effective security incident response, organizations need to: A high degree of clarity is needed for effective IR and for prioritizing efforts. Define what the enterprise IR capability should be. This leads many organizations to consider/engage third-party IR services. Having a dedicated point of contact and, hopefully, a center of excellence for security IR is essential today. Define Capabilities Create Team Define Incidents Source: https://www.gartner.com/doc/reprints?ct=160427&id=1-34IIH00&st=sb
  30. 30 Gartner: Organize for Security Incident Response • On a

    high level, to organize for effective security incident response, organizations need to: A high degree of clarity is needed for effective IR and for prioritizing efforts. Define what the enterprise IR capability should be. This leads many organizations to consider/engage third-party IR services. Having a dedicated point of contact and, hopefully, a center of excellence for security IR is essential today. Understand compliance and threat trends. Some verticals have specific requirements and legal obligations. Understand Define Capabilities Create Team Define Incidents Source: https://www.gartner.com/doc/reprints?ct=160427&id=1-34IIH00&st=sb
  31. 31 Gartner: Organize for Security Incident Response • On a

    high level, to organize for effective security incident response, organizations need to: A high degree of clarity is needed for effective IR and for prioritizing efforts. Define what the enterprise IR capability should be. This leads many organizations to consider/engage third-party IR services. Having a dedicated point of contact and, hopefully, a center of excellence for security IR is essential today. Understand compliance and threat trends. Some verticals have specific requirements and legal obligations. Prepare tooling to manage and respond. Having the right visibility tools will save days and months of work and often hundreds of thousands of dollars during response. Understand Prepare Tooling Define Capabilities Create Team Define Incidents Source: https://www.gartner.com/doc/reprints?ct=160427&id=1-34IIH00&st=sb
  32. 32 ”Cost and Effect” • As you can see, the

    recommendations we present to SMB are – Expensive – Based on enterprise security industry experience – Untenable for most • How do we address this by… – Looking the other way – Imposing Government – Penalizing into submission
  33. 33 Why Do We Punish SMB? • Breach laws are

    enacted to promote better safety and security of customer data – And, by proxy, small businesses • This is a combination of carrot, stick, and bullying • Why don’t we try incentivizing?
  34. 34 Why Do We Punish SMB? • Look to The

    Speed Camera Lottery - The Fun Theory https://www.youtube.com/watch?v=iynzHWwJXaA
  35. 35 The Speed Camera Lottery • The Speed Camera Lottery

    – The winning idea of the fun theory award, submitted by Kevin Richardson, USA – Can we get more people to obey the speed limit by making it fun to do? – Volkswagen, together with The Swedish National Society for Road Safety, made this idea a reality in Stockholm, Sweden • Speed citations go into a pot – Drive legally, get entered into a lottery for the a share of the pot – Speeding decreased 22% during experiment
  36. 36 Incentivizing Ideas • What if we rewarded better business

    practices instead of only punishing bad ones? – Card merchants could provide preferred rates for transactions… – Government could provide bursaries or “credits” for responsible security operations • Think “Carbon/Emission Credits” – Insurance premiums could be reduced
  37. 37 When You Get To Start Fresh When You Inherit

    The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6
  38. 38 • So let’s say we’re working with a Wanderer

    scenario • How can you make incremental improvements without – Rocking the boat… – Spending a fortune... • The easiest way is to evoke change by taking small bites Large Bites Small Bites • NIST • ISO • COBIT • ITIL • CIS • CSA Quick Wins
  39. 39 CIS Controls for Effective Cyber Defense • The CIS

    Controls are a set of internationally recognized measures developed, refined, and validated by leading IT security experts from around the world • Represent the most important cyber hygiene actions every organization should implement to protect their IT networks • Study by the Australian government indicates that 85% of known vulnerabilities can be stopped by deploying the Top 5 CIS Controls
  40. 40 CIS Critical Security Controls - Version 6.0 Inventory of

    Authorized and Unauthorized Devices Secure Configurations for Network Devices such as Firewall Routers, and Switches Inventory of Authorized and Unauthorized Software Boundary Defense Secure Configurations for Hardware and Software on Mobile Device Laptops, Workstations, and Servers Data Protection Continuous Vulnerability Assessment and Remediation Controlled Access Based on the Need to Know Controlled Use of Administrative Privileges Wireless Access Control Maintenance, Monitoring, and Analysis of Audit Logs Account Monitoring and Control Email and Web Browser Protections Security Skills Assessment and Appropriate Training to Fill Gaps Malware Defenses Application Software Security Limitation and Control of Network Ports, Protocols, and Services Incident Response and Management Data Recovery Capability Penetration Tests and Red Team Exercises
  41. 41 CIS Critical Security Controls - Version 6.0 Inventory of

    Authorized and Unauthorized Devices Secure Configurations for Network Devices such as Firewall Routers, and Switches Inventory of Authorized and Unauthorized Software Boundary Defense Secure Configurations for Hardware and Software on Mobile Device Laptops, Workstations, and Servers Data Protection Continuous Vulnerability Assessment and Remediation Controlled Access Based on the Need to Know Controlled Use of Administrative Privileges Wireless Access Control Maintenance, Monitoring, and Analysis of Audit Logs Account Monitoring and Control Email and Web Browser Protections Security Skills Assessment and Appropriate Training to Fill Gaps Malware Defenses Application Software Security Limitation and Control of Network Ports, Protocols, and Services Incident Response and Management Data Recovery Capability Penetration Tests and Red Team Exercises Phase 1: FREE
  42. 42 CIS Critical Security Controls - Version 6.0 Secure Configurations

    for Hardware and Software on Mobile Device Laptops, Workstations, and Servers Data Protection Continuous Vulnerability Assessment and Remediation Controlled Access Based on the Need to Know Maintenance, Monitoring, and Analysis of Audit Logs Wireless Access Control Email and Web Browser Protections Account Monitoring and Control Malware Defenses Security Skills Assessment and Appropriate Training to Fill Gaps Limitation and Control of Network Ports, Protocols, and Services Application Software Security Secure Configurations for Network Devices such as Firewall Routers, and Switches Incident Response and Management Boundary Defense Penetration Tests and Red Team Exercises
  43. 43 When You Get To Start Fresh When You Inherit

    The Wanderer Security In The Not-So-Fortunate 500 Quick Wins Introduction Summary 1 2 3 4 5 6
  44. 44 Summary • We need to incentivize organizations to operate

    more securely • We’re asking a lot of SMB and SME market segments – Can’t get blood from a stone • To properly secure our SMBs, we need to take small, iterative bites from problem – There is no magic/silver security bullet
  45. Building a Security Strategy Without a Security Staff Andrew Hay,

    CISO DataGravity, Inc. ahay@datagravity.com @andrewsmhay