a fistful of fire hoses: putting out fires without crossing streams [presented by steve werby at...
DESCRIPTION
Your organization has invested in a variety of tools to manage its information technology and the security of its systems. But it's a nightmare to synthesize this information so non-technical decision makers can make informed decisions and so information security and IT management can manage security effectively. We developed and implemented a web-based tool which has been integrated with numerous data sources to address this business need across our large, decentralized organization with a heterogeneous IT environment. Now non-technical staff who previously knew little about their technology can easily view information about their assets and how they're being managed and information security staff have access to the information they need in a centralized tool. The tool will be demonstrated and the technology, implementation, management and usage of the system will be covered in order to share successes and lessons learned.
TRANSCRIPT
Steve Werby | ShmooCon 2012: A Fistful of Fire Hoses… | @stevewerby
A Fistful of Fire Hoses: Putting out Fires Without Crossing Streams
Steve Werby (@stevewerby)
Chief Information Security Officer
University of Texas at San Antonio
AV FW IDS FIM SIEM Pen Test
Config Mgmt IP Flow Mon Log Analysis Data Discovery Forensics Vuln Scanning
10 person department
One Size Does Not Fit All
Obligatory Disclaimer
  The opinions shared represent my views, the views of my employer, the views of my past employers and the views of my future employers.
Are presentation disclaimers REALLY necessary?
My Org
  31k students
  6k FTEs
  155 classrooms
  65 labs
  1.5MM SQFT
  $450MM budget
  15k workstations
  1k servers
  /16
My Org
  Heterogeneous IT environment
  Silos
  Low visibility into state of IT security
  Inconsistent infosec risk mgmt & compliance
Overview of Presentation
Project Goals
  push(@manager, $info) => informed decisions
  push(@infosec, $info) => $visibility++
  Improve security posture of organization
  Change culture
  Facilitate standardization
Development
  Project charter, steering committee, work plan
  Project team
    Project sponsor (CIO)
    Project manager from IT Project Mgmt
    CISO and several infosec staff
    IT App Development staff
    IT Marketing/Communications staff
    Pilot users
Implementation
  Piloted
  while (1==1) communicate();
    Email and postcard marketing
    Presentations to key groups
  Started small
  Staged release phases
Architecture
InSight – Indicator Dashboard
InSight – Indicator Summary
InSight – Indicator Detail
InSight – Indicator Detail #2
InSight – Indicator Description
InSight – Asset View
InSight – Exemption Request
Reaction
  ☑ “How can we get all of our laptops encrypted?”
  ☑ “IT, fix it!”
  ☑ “I’m not going to look at it.”
  ☑ “Security is YOUR job. Why should I help do your job?”
Carrots and Sticks
  Peer pressure
  Eligibility for IT funding
Project Goals Revisited
  ☑ push(@manager, $info) => informed decisions
  ☑ push(@infosec, $info) => $visibility++
  ☑ Improve security posture of organization
  ☑ Change culture
  ☑ Facilitate standardization
Additional impact
  Increased IT staff accountability
  Increased IT and infosec workload
Lessons Learned
  process(“garbage”) = “garbage”
    Inventory, computer name, etc.
    A computer is…huh
    A laptop is a server
  Intended audience != actual audience
  Anticipate how app will be used
The Future
  risk profiles
  $awareness++
  $scope++
  $functionality++
The Future – $awareness++
  Monthly automated emails to managers
  Periodic reporting to governance groups
  Expand access to all employees
The Future - $scope++
  More endpoint devices
  Include servers and apps
  More data sources (IP Flow, SIEM, etc.)
  More granularity
  Information about people and processes
The Future - $functionality++
  Maintain historical information
  Increase update frequency
  Triggers
The Future – risk profiles
  By device, person, biz unit, system
  Take the number of vehicles in the field, (A), and multiply it by the probable rate of failure, (B), then multiply the result by the average out-of-court settlement, (C). A times B times C equals X. If X is less than the cost of a recall, we don't do one.
Just Passing This On
Questions [Answers…Maybe]