Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie Converge 2018 - Funding Your Security Program Through Digital Transformation
Ähnlich wie Converge 2018 - Funding Your Security Program Through Digital Transformation (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Converge 2018 - Funding Your Security Program Through Digital Transformation
- 1. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 1 Show Me the Money Matt Topper matt@uberether.com
- 2. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 2 UberEther is a full stack technology integrator based in Dulles, Virginia and Detroit, Michigan with over twenty hands on technical resources building solutions every day. Since 2009, our team has been building simple, secure, sustainable customer solutions for Enterprises, Federal Government agencies and the Intelligence Community. We are passionate about using technology to solve security problems, and we use this passion to prove solutions on our own time prior to bringing ideas to our customers. Our history in the intelligence community and our diverse background of development, integration and operations skills allows our team provide extremely secure and scalable solutions, ensuring that what works great in the lab will excel in production. About UsSecure, Automated Solutions.
- 3. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 3 Identity & Access ManagementSecuring applications and services across borders. Analytics takes all of the information from the other areas and asserts compliance. Our team has built numerous data analytics platforms to drive identity intelligence for our nations most critical assets. Analytics Credentials provide the drivers license for people and services. Our team has developed and maintained production federal and SaaS PKI offerings and secure token services. Credentials Authorization determines if the user can access the requested resource. Our team has developed coarse and fine grained RBAC, ABAC, and PBAC solutions for the nation’s more secure data stores. Authorization Identity aggregation and certification of user and service attribute and group information. Our team has aggregated thousands of data sources and managed entitlements on millions of users. Identity Authentication identifies the user or service accessing a resource. Our team has developed and deployed federated, multi-level and multi- factor authentication and token services. Authentication
- 4. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 4 Managed Solutions Data Center Migration Security Integration Re-EngineeringArchitecture & Design Cloud Core CompetenciesWe admit we can’t know it all. Our team has planned, deployed, migrated, and managed numerous cloud migrations and new developments for AWS and Azure. Solutions are secured with proven designs to provide incremental low risk and high impact approaches. Just set it and forget it. We have experience deploying our customers solutions into AWS and managing them end to end. This provides a true, hands off, managed service approach for our customers. One of the largest challenges with moving to the cloud is determining what the migration strategy should be. Whole hog, incremental or hybrid all have their benefits, let us help you pick the best, with flawless execution. Security in the cloud provides many new operating principles. Not only do software defined networks change operating procedures, but hardening, identity management, and auditing has completely changed. Let us help. Our team has built numerous cloud native custom applications. Our solutions have been built to scale elastically by thousands of concurrent users, with no manual intervention.
- 5. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 5
- 6. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 6 You have 16 minutes until the first click on a phishing campaign. The first report from a savvy user will arrive after 28 minutes.
- 7. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 7 60 percent of small companies go out of business within six months of a cyber attack.
- 8. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 8 1. Make people your first line of defense. 2. Patch promptly. 3. Encrypt your data. 4. Use Two Factor 5. Manage Privileged Accounts
- 9. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 9
- 10. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 10 How did we get here?
- 11. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 11
- 12. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 12
- 13. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 13
- 14. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 14 Keep Them Inline These people are weird, we don’t understand how to work with them. You figure it out we tried. Make Sure Its Working It’s need to be online or the plant doesn’t run. If we can’t product we can’t make money Deliver On Time Give us what we asked for when we asked for it no matter how many times we change requirements. Deliver on Budget We only give you so much money, make sure you don’t burn it up 45% 45% 75% 35% Chief Information OfficerHerding cats for 35 years
- 15. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 15
- 16. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 16 Let’s work together!
- 17. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 17
- 18. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 18
- 19. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 19
- 20. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 20
- 21. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 21
- 22. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 22
- 23. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 23
- 24. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 24
- 25. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 25 How do we fix it?
- 26. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 26
- 27. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 27 27
- 28. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 28
- 29. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 29 29
- 30. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 30 Story Time!
- 31. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 31 Customer TRUST is real customer RELATIONSHIP management
- 32. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 32 What Should You Do 1.Focus on Outcomes 2.Be Proactive 3.Break Down the Silos 4.Increase Automation 5.Review Processes
- 33. www.uberether.com © 2018 UberEther, Inc. All Rights Reserved. 33 Thank you!
Hinweis der Redaktion
- You have 16 minutes until the first click on a phishing campaign. The first report from a savvy user will arrive after 28 minutes. 68% of breaches took months or longer to discover. A whopping 81% involved stolen or weak passwords.
- 43 percent of cyber attacks target small business. Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective. 60 percent of small companies go out of business within six months of a cyber attack. 48 percent of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest. In the aftermath of these incidents, these companies spent an average of $879,582 because of damage or theft of IT assets. In addition, disruption to normal operations cost an average of $955,429.
- 43 percent of cyber attacks target small business. Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective. 60 percent of small companies go out of business within six months of a cyber attack. 48 percent of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest. In the aftermath of these incidents, these companies spent an average of $879,582 because of damage or theft of IT assets. In addition, disruption to normal operations cost an average of $955,429.
- IT started out just weird. Companies had one computer. It required a huge freezing cold dedicated room and you had to wear a white lab coat to even go into the room People walked around shoving stacks of punch cards into the machine to make it just spit out a number to say the books were balanced correctly.
- Guys like this were everywhere. We spoke of C and classes and functions. We talked about getting physical bugs out of machines. Can you imagine the Miltons next to Don Draper?
- We were seen as outsiders that “the business” people didn’t understand. We were never really part of the company. We were servants that let them do their jobs. They didn’t understand what we did or how we did it.
- They would give us all for requirements. Which we really should have called their wish list. We would spend weeks breaking them down
- produce a gantt chart and give them number.
- No matter what we gave them it was too high. We’d fight for weeks, drop requirements, drop time and in turn “price” At the end we’d agree but no one walked away happen
- Then we’d go away for months and start building. We have to buy new servers, rack them, stack them, put them on the network, setup DNS, install the software, then we can start writing code… Half way through they’d tell us they didn’t need what we were building anymore and wanted something else
- We’d yell scope creep and
- we’d make another one of these. At this point lots of projects were cancelled or failed to deliver what the business wanted
- Many organization’s are going through a “digital transformation.” Every single business is becoming a digital business. Everyone is realizing that the data we produce and consume as business is becoming much more powerful than the things we produce. The auto manufacturers around us are turning into digital platforms and less about the cars we make. As we move towards cars that drive themselves, people will care less and less about the bubble they’re in and more about what that bubble can do for them. Pay from your dashboard, watch movies in the back seat, car rental as a service. Finance and Banking is finally standardizing the APIs to do business between them and open up to additional services. Healthcare is finally maturing to allow us to securely share our records between doctors. Businesses are looking to create new business models, markets, products and services through new experiences with their customers. The business side of the world is seeing an ability to remove the operations and maintenance overhead of running all of the services on site and give them to someone else for a nominal fee.
- As the security centric folks in the company this is how we feel. Our company’s most critical data is going everywhere. Salesforce is taking all our CRM data. We have at least four different cloud providers where company resides, probably in an unencrypted misconfigured S3 bucket. Multiple startups who don’t care about your data or privacy are riding on top of these platforms letting the business users secure them and we’re busy trying to blacklist URLs and force users into an MDM they don’t want to use. Usernames and passwords are being generated on the fly in a bunch of different systems by any business user with a credit card. This is the third digital transformation I’ve seen in my career and I’ve only been doing this for about 20-25 years. Mainframe migration, IT modernization, Web 2.0 and not digital transformation. We claim that there are new ways of doing business, new opportunities that must be captured, IT isn’t moving fast enough so we have to toss a grenade on it. When you really look at it, this the culmination of years of mismanaged IT projects and service offerings that aren’t delivering the value they promised. How many projects have we seen where they put a whole bunch of developers on it, a bunch of focus and then “poof” there goes all the support once it hits production. Magically the business believes that the project is over and things will just run in production without any care and feeding. This is now “operations and maintenance” like we’re buying a car and just have to put gas in it, change the oil and tires and it should last for a decade.
- But we can use this as an opportunity Everyone has a phone that can balance the books in their pocket and see their individual and the organization’s sales in realtime Most of the organization supports their own machines Everyone has a cousin or a nephew who wrote in app Amazon Echo is now three years old and everyone has one in their kitchen Users understand the importance of 2 factor thanks to the banking industry and asking us for it internally. We’re much more approachable now but they expect a lot more from us Businesses are scared of being left behind 33% of customers expect a personalized experience in exchange for their information 51% of customer would switch banks for a better app, 10% already have 85% of marketing teams are not ready for GDPR. Penalties are the greater of $24M or 4% of your revenue. 89% of customers are uncomfortable sharing personal data without their consent With the availability of cloud services we can start moving faster than ever before and have a demo environment up in minutes. We have an ability to put all the hardware, network, and platform service acquisition problems behind us. The cloud vendors are incentivized to give us secure platforms to build from because its their reputation as well. We have access to services at a secure massive scale that we could have never dreamed of 5 years ago. Amazon alone has 500,000 people making over $20 billion a year this year. Google over 125,000 people. Microsoft nearly 100,000. Let them them be smarter than all of us. Companies are scared of being the next Equifax or Facebook Equifax has screwed all of us harder than we can even imagine. It’s all been out there for years, but they’re the first to publicly admit it and have the direct attribution at scale. Facebook as stupid as it was, is really pushing the privacy and trust discussion forward. This gives us an opportunity.
- We are quickly moving away from just being able to take from consumers and customers. Consumers are realizing that they have options in the market and don’t have to give up their data. The business is struggling to enable this transformation and give customers options for sharing their data. How many times today do you install an app and it asks you for 50 permissions on your phone. I deny them all and uninstall it. We are asking users to trust us with their credit card numbers, their account permissions, their kids, access to their homes and vehicles, their entire medical history, the appliances in their home. Is the business makes this mistake, lose the data, then all the trust is lost. At this point we might be tempted to say “Did you know on average, when a company loses their customer financial information generates a loss of $1.5 Billion in market value” They know it, we don’t have to tell them anymore. This is on the front of every CEO and board member’s mind. We can use this.
- Link customer profiles. Manage relationships. Add accounts – spotify, pandora, etc. Add credit cards Vehicle profiles New car buying experience – pair your phone, your profile gets loaded directly Rental vehicles Dealership oil change opportunities Trunk deliveries Self driving cars Partner with Comcast Where did you pause it? Loaded direct in the car you step into in the morning Content providers
- You have a trust problem, it’s not an identity problem. You’re asking people for a lot of personal information that can do them damage and you need to have a platform for all of that info on one place that you can protect and that people can trust. You want one place to manage, secure and audit the hell out of instead of spreading that around to different platforms. You also want to be able to quickly add new services and capabilities without having to redesign or go through a bunch of custom integration links. This now gives us centralized services that the company can buy into: Centralized authentication Centralized authorization An Auditable API gateway A secure data store for credentials on users and APIs A secure device and IoT platform. We have a SIEM / logging platform that can audit all these events and actions and provide that for our own services and for their own metrics
- We need to work with the people on the business side to find out their desired outcomes instead of getting a list of requirements. We need to ask them what their desired business impact is and what behaviors they are looking to get from the customers. Read those leadership strategy emails or slides from the yearly all hands meeting and come prepared with ideas. When you work towards outcomes, the team becomes valuable because they take ownership of the outcome from the beginning. The team doesn’t assume the product owner knows what the customer wants and are in a place to try new ideas to help the business be successful with the business together. Constantly testing hypothesis. We’ve done this for years in marketing by using test markets and then expanding on successful trials. Be Proactive : Read the “top 5 priorities list” the business puts out every year. You know what the business is looking to do. Look for opportunities to do that securely. One think you have that Amazon, Google, and Microsoft can never compete with is inside knowledge of your business. Customers don’t know what they don’t know. If you can lead them to solutions that also help your cause it’s a double win. Log aggregation tools, SIEMs can provide them great insight into customer patterns and behaviors is built correctly. Just because it’s a security tool doesn’t mean it can’t be a business tool too. They want analytics at a user level, we can pretty easily give them that. Break down the silos : Walk through the marketing department, stare at the walls awkwardly until someone asks you WTF you’re doing. Then ask questions, find out what their problems are. Go to sales department and do the same thing. Then in a week come back and say “hey, I think I have something that might help you” and tell them about it. If they are interested, tell your boss about it. Work like hell to show them a prototype quickly. Increase Automation : If you aren’t learning Kubernetes, Puppet/Chef/Ansible, understanding how CI/CD works, do it now. It’s the only way to keep things moving. We need to be able to keep up with the Amazon’s of the world and integrate into their platforms. If we have a way to accelerate that and can anticipate the businesses and other developers needs and have it ready you look like the hero. This can’t be done without automation. Learn to script and learn to write simple code. i.e. something like Python, it’s going to be all about the data and if you can pull data from systems together and give it to the business they’ll love you to death Review shitty processes :