What Affects Security Program Confidence? - May 2014 - Bill Burns
What Affects Confidence In Security Programs?
Rocky Mountain Information Security Conference 2014
Bill Burns | Executive-In-Residence | Scale Venture Partners | [email protected] | @x509v3
My Background
Production hybrid cloud security at scale
–Deployed distributed, hybrid cloud WAF
–Co-developed CloudHSM for IaaS hardware root of trust
Corporate IT “all-cloud” security strategy
–Cloud-first, mobile-first infrastructure model
–Mix of public cloud, best-of-breed SaaS
RSAC Program Committee, Startup Technical Advisory Boards, ISSA CISO Forum & Career Lifecycle
Previously:
Agenda
Trends and Forcing Functions on Information Security
InfoSec’s Role in Managing Business Risk
Security Innovations, Market Needs
Early Research Results: Improving Confidence
CISOs: “What Kept You Up Last Night?”
Source: Scale Venture Partners
Top Trends & Forcing Functions on InfoSec
(chart: each trend rated on a Concern / Unconcern scale)
Agile/DevOps
BYOD
Shadow IT / Consumerization
Increased Regs/Compliance
Internet Of Things
IT Automation
Mobile computing
SaaS
Ubiquitous Internet Access
Virtualization / IaaS
Weaponization of Internet / espionage
Work/Life Integration
Source: Scale Venture Partners
Security Forcing Function – Mobility, BYOD
Source: Mary Meeker, KPCB
Security Forcing Function – Mobility, BYOD
Smartphone: 58% of US adults own one [1]
Tablet: 42% of US adults own one [1]
By 2017, 50% of employers will require you to BYOD for work [2]
(1) Pew Research, Jan 2014 | (2) Gartner, May 2013
Security Forcing Function – Work Anywhere
Blurring work/life integration
–Aruba’s “#GenMobile” initiative
–Starbucks wants to be your life’s “3rd Place”
Ubiquitous network access & seamless roaming
–802.11ac, n – wireless networking “just works”
•Faster than typical wired ports, easier to provision
–Mobile 4G LTE is also “fast enough”
•Faster than my home’s DSL
–By 2018: 25% of corporate data will flow directly mobile-cloud [3]
(3) Gartner, Nov 2013
Security Forcing Function – IaaS / Virtualization
Clouds are compelling to businesses, hard for old security controls to match pace
AWS example:
–~Quadrupled offered services in 4 years
–Reduced pricing 42 times in 8 years as equipment ages out
Source: AWS
Old: Perimeter Firewalls
Castle and Moat (layered) defense
Place people, data behind datacenter firewalls
Provisioning workflows were serialized, expensive, slow
“Behind the firewall” = Trusted
New Perimeters : Follow the Data
Security controls evolving to be more:
o Proximal – move closer to the application and data
o Mobile – follow the infrastructure, application
o Resilient – emphasize recovery and response
o Holistic – include technical, legal, and business-level input
o Coordinated – reliant on communications, automation
InfoSec’s Role
Be a trusted advisor to the business
–InfoSec doesn’t own the risk
–Anticipates security risk/controls changes and needs
–Communicates technical risks in business terms
Implement guardrails and gates based on risk, sensitivity
–Like brakes on a car: enables the business to take smart risks
–Architect, design, implement controls
–Measure & report risk with data
–Manage remediation, response
Success: Customers proactively request your guidance!
So…What’s Your Cloud Comfort Level?
Cloud Adoption / Maturity:
–Naysayers: you can’t do that (but can’t articulate why)
–Pathfinders: here’s how to do it, early lessons learned
–Optimizers: here’s how to do it well, what not to do
Cloud is inevitable – get comfortable managing it
–Example: “We have 10 years of legacy work to deal with, we don’t have time to look at our cloud usage!”
–Benefits to agility, automation, consistency
It’s about the business
–Board-level discussion on results, competition, risk
–“Risk is our business” – Philosopher James T. Kirk
Security Delivered Via Cloud Services
Anticipating Risks: Partners’ Controls
Service Providers: must consider security as a basic requirement
–They have a smoother attack surface than enterprises
–Laser-focused goals, homogeneous environment, etc.
–All customers pentesting their provider: doesn’t scale
•Which standard would we all trust? CCM? Other? Discuss.
Which controls are most relevant, important for your business?
–Prioritize those during negotiations, evaluations, assessments
–Bring Your Own Security: encryption, incident response, audit, SoD, …
Anticipating Risks: Partners’ Controls
Integrate Security Controls with Legal
–Risk-based questionnaires: level of scrutiny based on data sensitivity
–Contractual: add boilerplate language to your contracts, MSAs, etc.
•Ask your partners for the security fundamentals
•Operational security basics, secure development, security incident notification, etc.
Assess Third-Party Partners
–Trust but verify their controls. It’s your data!
–Do one-time and ongoing assessments
–Make sure you’re testing what you anticipated
–Partner with your partners on any findings
SaaS Applications: Growth and Risk Perspective
InfoSec Advisor: New controls and capabilities
Track movement, access to assets
–Behavioral analytics become embedded, table stakes
–DRM/DLP-like controls, applied closer to the data
–More focus on detection, monitoring
–Blocking done more through orchestration, automation
–Inventories and network paths always up to date
Restrict access to assets
–Cloud-to-Cloud chokepoints
–SSO and risk-based authentication, authorization
–On-the-fly controls: DLP, encryption, watermarking
–Firewall controls based on tags, data and host classification/sensitivity
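The last bullet (firewall controls driven by tags and classification, with inventories always current) is easiest to see in code. The block below is an added example, not code from the talk or from any product it mentions: the inventory, the tag names, the ports, the policy format and the classification guard are all constructed for the demo. Policy is written once against tags, then compiled into concrete allow entries; a host that is provisioned or re-tagged picks up the right rules on the next compile, and a role rule that would expose confidential data to a public-facing tier is refused and reported rather than silently applied.

```python
"""Added example, not from the talk: compile firewall rules from host tags.

Policy is written once against tags (role, data classification) rather than
addresses, so a host that is provisioned or re-tagged picks up the right
rules on the next compile. Inventory, tags, ports and the policy format are
all constructed for this example.
"""
from itertools import product

# Constructed inventory, as an asset system or cloud API would report it.
INVENTORY = [
    {"name": "web-1", "ip": "10.0.1.10", "tags": {"role": "web", "classification": "public"}},
    {"name": "web-2", "ip": "10.0.1.11", "tags": {"role": "web", "classification": "public"}},
    {"name": "app-1", "ip": "10.0.2.10", "tags": {"role": "app", "classification": "internal"}},
    {"name": "db-1",  "ip": "10.0.3.10", "tags": {"role": "db",  "classification": "confidential"}},
]

# Tag-based policy (hypothetical format): src selector, dst selector, port.
POLICY = [
    {"src": {"role": "web"}, "dst": {"role": "app"}, "port": 8080},
    {"src": {"role": "app"}, "dst": {"role": "db"},  "port": 5432},
]

# Example data-sensitivity guard: a flow may climb at most one classification
# level, so a public-facing tier can never be granted a path to confidential data,
# whatever the role rule says.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2}
MAX_CLASS_JUMP = 1


def matches(host, selector):
    """True if every tag in the selector is present on the host with that value."""
    return all(host["tags"].get(k) == v for k, v in selector.items())


def classification_ok(src, dst):
    """Allow only if the destination is at most MAX_CLASS_JUMP levels more sensitive."""
    jump = CLASS_RANK[dst["tags"]["classification"]] - CLASS_RANK[src["tags"]["classification"]]
    return jump <= MAX_CLASS_JUMP


def compile_rules(inventory, policy):
    """Expand tag selectors into concrete (src_ip, dst_ip, port) allow entries.

    Returns the allow set and the (src, dst, port) triples refused by the
    classification guard, so refusals are reported instead of silently dropped.
    """
    allowed, refused = set(), []
    for rule in policy:
        srcs = [h for h in inventory if matches(h, rule["src"])]
        dsts = [h for h in inventory if matches(h, rule["dst"])]
        for s, d in product(srcs, dsts):
            if not classification_ok(s, d):
                refused.append((s["name"], d["name"], rule["port"]))
                continue
            allowed.add((s["ip"], d["ip"], rule["port"]))
    return allowed, refused


def is_allowed(rules, src_ip, dst_ip, port):
    """Default deny: only flows present in the compiled set pass."""
    return (src_ip, dst_ip, port) in rules


if __name__ == "__main__":
    rules, refused = compile_rules(INVENTORY, POLICY)
    for r in sorted(rules):
        print("ALLOW", *r)
    print("refused by classification guard:", refused)
```

Run it against the inventory above and you get three allow entries (two web hosts to app-1 on 8080, app-1 to db-1 on 5432) and nothing else; add an app-2 host with the same tags and the next compile emits its three entries without anyone touching an ACL. Feeding the compiled set to a real enforcement point (security groups, host firewalls) is the part that is deliberately left out here.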
Adopting Cloud: Getting Started in IaaS
Plan: Pick 1-3 security metrics to improve & compare
–Examples: Days to patch vulns, avg host uptime, firewall ACLs used
Do: Start simple, fail fast on “uninteresting” workflows
Improve: Codify policies, patches, asset management, provisioning.
Iterate: Review lessons learned often, make small course corrections
–Good security starts with solid operational hygiene
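The three example metrics on the Plan step are concrete enough to compute. Below is an added example, not code from the talk: it builds one report record per run from constructed scanner findings, a constructed host list with last-boot dates, and constructed firewall rules with hit counters, so that successive runs can be compared as the slide asks. The data, field names and the choice of "days since last boot" as the uptime measure are assumptions for the demo; in practice the inputs come from the scanner, the cloud API and the firewall's rule counters.

```python
"""Added example, not from the talk: compute the three starter metrics the
slide names (days to patch, average host uptime, firewall ACLs actually used)
from constructed data, so the numbers can be compared run over run.

Finding, host and rule records are constructed for the example; in practice
they come from the scanner, the cloud API and the firewall's rule counters.
"""
from datetime import date
from statistics import mean, median

AS_OF = date(2014, 5, 1)  # the reporting date for this run

# Constructed scanner findings: detected and patched dates (None = still open).
FINDINGS = [
    {"id": "F-1", "host": "web-1", "detected": date(2014, 4, 1),  "patched": date(2014, 4, 4)},
    {"id": "F-2", "host": "app-1", "detected": date(2014, 4, 1),  "patched": date(2014, 4, 15)},
    {"id": "F-3", "host": "db-1",  "detected": date(2014, 4, 10), "patched": None},
    {"id": "F-4", "host": "web-2", "detected": date(2014, 4, 20), "patched": date(2014, 4, 21)},
]

# Constructed host inventory with last boot date; in IaaS a host that has not
# been rebuilt for months is usually one that has not been patched either.
HOSTS = [
    {"name": "web-1", "last_boot": date(2014, 4, 25)},
    {"name": "web-2", "last_boot": date(2014, 4, 28)},
    {"name": "app-1", "last_boot": date(2014, 3, 1)},
    {"name": "db-1",  "last_boot": date(2013, 11, 1)},
]

# Constructed firewall rules with hit counters from the last period.
FW_RULES = [
    {"id": "allow-web-in-443",  "hits": 120},
    {"id": "allow-legacy-ftp",  "hits": 0},
    {"id": "allow-app-to-db",   "hits": 45},
    {"id": "allow-old-vpn",     "hits": 0},
    {"id": "allow-mgmt-telnet", "hits": 0},
]


def days_to_patch(findings, as_of=AS_OF):
    """Mean/median days to close, plus the age of the oldest still-open finding."""
    closed = [(f["patched"] - f["detected"]).days for f in findings if f["patched"]]
    open_ages = [(as_of - f["detected"]).days for f in findings if not f["patched"]]
    return {
        "mean_days": mean(closed) if closed else 0.0,
        "median_days": median(closed) if closed else 0,
        "open": len(open_ages),
        "oldest_open_days": max(open_ages, default=0),
    }


def avg_host_uptime_days(hosts, as_of=AS_OF):
    """Average days since last boot across the fleet."""
    return mean((as_of - h["last_boot"]).days for h in hosts)


def acl_utilization(rules):
    """Share of firewall rules that saw traffic; unused rules are removal candidates."""
    unused = [r["id"] for r in rules if r["hits"] == 0]
    used = len(rules) - len(unused)
    return {"total": len(rules), "used": used, "ratio": used / len(rules), "unused_ids": unused}


def report(as_of=AS_OF):
    """One record per run; store it and diff against the previous run."""
    return {
        "as_of": as_of.isoformat(),
        "days_to_patch": days_to_patch(FINDINGS, as_of),
        "avg_host_uptime_days": avg_host_uptime_days(HOSTS, as_of),
        "acl_utilization": acl_utilization(FW_RULES),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

On the sample data the report shows a mean of 6 days to patch with one finding open for 21 days, an average host age of about 63 days dragged up by a database host last booted six months ago, and only 2 of 5 firewall rules carrying any traffic; each of those is a number a team can own and move.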
Summary: Evolving Controls, Maturity
Get baseline visibility into your cloud services
–Facts critical to business-level conversations
–You’re using more SaaS than you realize
–Share data with IT, legal, other stakeholders
Monitor and protect your data
–Start collecting/mining SaaS access, audit logs
–Integrate with your SIEM, monitoring systems
–Deploy additional controls via chokepoints, automation
Increase program maturity
–Cloud is an opportunity to codify, automate security
–Operational hygiene is the basis for a solid security program
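"Start collecting/mining SaaS access, audit logs" and "integrate with your SIEM" can begin with a few rules over the export most providers already offer. The block below is an added example, not code from the talk or from any SaaS vendor: the newline-delimited JSON log, the corporate egress ranges (RFC 5737 documentation prefixes) and the daily download threshold are constructed for the demo, and a real provider's audit schema will differ. It parses the export defensively, applies three signals (login from outside corporate egress, external share, per-user daily download volume crossing a baseline) and emits flat alert records a SIEM can ingest.

```python
"""Added example, not from the talk: mine a SaaS audit log for a few
high-value signals and emit SIEM-ready alert records.

The log format, the corporate egress ranges and the thresholds are all
constructed for this example; a real SaaS provider's audit API has its own
schema, so adapt parse_log() to it.
"""
import json
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: one JSON object per line, the way most audit exports look.
SAMPLE_LOG = """\
{"ts": "2014-05-01T09:00:00Z", "user": "alice", "event": "login", "ip": "203.0.113.10"}
{"ts": "2014-05-01T09:05:00Z", "user": "alice", "event": "download", "ip": "203.0.113.10", "file": "q1-forecast.xlsx", "bytes": 240000}
{"ts": "2014-05-01T09:07:00Z", "user": "alice", "event": "download", "ip": "203.0.113.10", "file": "board-deck.pptx", "bytes": 5100000}
{"ts": "2014-05-01T11:30:00Z", "user": "bob", "event": "login", "ip": "198.51.100.7"}
{"ts": "2014-05-01T11:31:00Z", "user": "bob", "event": "share_external", "ip": "198.51.100.7", "file": "customer-list.csv", "recipient_domain": "example.org"}
{"ts": "2014-05-01T23:40:00Z", "user": "carol", "event": "login", "ip": "192.0.2.44"}
{"ts": "2014-05-01T23:41:00Z", "user": "carol", "event": "download", "ip": "192.0.2.44", "file": "salaries.xlsx", "bytes": 12000000}
"""

# Assumed corporate egress ranges (documentation prefixes, not real offices).
CORP_EGRESS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
DOWNLOAD_LIMIT_BYTES = 10_000_000  # per user per day, an assumed baseline


def parse_log(text):
    """Parse newline-delimited JSON; skip blank or malformed lines rather than abort."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events, corp_nets=CORP_EGRESS, limit=DOWNLOAD_LIMIT_BYTES):
    """Return flat alert dicts for three signals: login outside corporate egress,
    external share, and per-user daily download volume crossing the limit."""
    alerts = []
    downloaded = defaultdict(int)  # (user, day) -> bytes so far
    for e in events:
        if e["event"] == "login":
            if not any(ip_address(e["ip"]) in net for net in corp_nets):
                alerts.append({"rule": "login_outside_corp_egress", "user": e["user"],
                               "ts": e["ts"], "detail": e["ip"]})
        elif e["event"] == "share_external":
            alerts.append({"rule": "external_share", "user": e["user"], "ts": e["ts"],
                           "detail": f"{e['file']} -> {e['recipient_domain']}"})
        elif e["event"] == "download":
            key = (e["user"], e["ts"][:10])
            before = downloaded[key]
            downloaded[key] += e["bytes"]
            # Fire once, at the crossing, not on every later download that day.
            if before <= limit < downloaded[key]:
                alerts.append({"rule": "download_volume_over_limit", "user": e["user"],
                               "ts": e["ts"], "detail": f"{downloaded[key]} bytes today"})
    return alerts


def summarize(alerts):
    """Alert counts per rule, the number a dashboard would trend over time."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(json.dumps(a))
    print(summarize(found))
```

On the sample, alice's two downloads stay under the baseline and raise nothing, bob's external share and carol's late-night login from outside the corporate ranges followed by a 12 MB download each produce one record. The thresholds are the tuning knobs; what matters first is that the log is being pulled and the records land in the SIEM at all.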
Wisegate: Maturity Proportional to Confidence
Source: Wisegate IT Security Benchmark, Sept 2013
Areas of Security Interest: Early Results
Advanced authentication and identification schemes
App-centric firewalls and containers to protect data
Behavioral analytics to improve security, fraud
Continuous endpoint monitoring, orchestration, remediation
Continuous risk & compliance monitoring, reporting
Dashboards and analytics to communicate and share metrics
DevOps / security integrations to codify security
Holistic DLP, data encryption and key management
Malware protection without signatures
Mobile security to protect data anywhere
PKI and digital certificate management for authentication, encryption
Proactive / predictive attack detection, real-time response
Threat intelligence feeds, sharing
Source: Scale Venture Partners
Guidance to Security Vendors: Early Feedback
Be 10x better - provide superior customer value
–Look for disruptive technologies, approaches
–Interoperate with what I already have
–What can I turn off if I buy your thing?
Think API, integration first
–Defenders & DevOps: the future is automation, interoperability
–InfoSec staffing is hard; automation is a force multiplier
–No cheating: build your GUI on your API
Model, measure, provide insights
–Security A/B testing, modeling allows safe experimentation
–Provide insights into current, continuous risk state
–Want to manage cloud risk better than legacy
–Good deployment strategies start with great migration strategies
Source: Scale Venture Partners
Increasing Confidence: Early Research Results
Security programs with higher maturity have more confidence
–Regulations help, but also:
–Operational consistency
–Incorporating standardized frameworks (ISO, NIST)
Build what works for your company’s culture
–Culture trumps strategy
–There is no one, true “map”: every program is different
–e.g. endpoint-centric vs. network-centric; block vs. monitor + respond
Create, market, share metrics with your peers
–Empowers teams that own responsibility for controls
–Encourages fact-based decision-making
–Communicates your program’s business impact
Source: Scale Venture Partners
Thank you!
Bill Burns | Executive-In-Residence | Scale Venture Partners | [email protected] | @x509v3