As a CISO, you have been asked why you can't just trust your employees to do the right thing. What benefit to the business comes from technical security controls? You have likely been asked to reduce risk and action every funded project at once. In this session, we will realistically consider which projects can reduce risk most quickly, which layers of security are most important, and how things like privilege management, vulnerability control, over-communicating, and simply reducing the attack surface can bring peace of mind and actual direct improvements to your information security posture.
1. Just Trust Everyone and We Will Be Fine, Right?
Scott Carlson - BeyondTrust
7. Target senior leaders and understand their language
Focus on business and risk issues of concern to key leaders
Focus on solving problems and controlling risk, NOT technology solutions
Identify and produce metrics that matter to your audience
• Gain alignment for needed improvements based on business risks
• Requires strong reporting tools and analytics
• Avoid embarrassing individuals, but inform (wall of shame)
• Produce trend charts that show progress
Provide limited, general reporting and TELL THE TRUTH
Develop effective communications
8. Gain business leaders' sponsorship
• Define accountabilities and ownership across key organizations
• Establish metrics
• # assets with owner / custodian identified
• # assets with recommended protection
What are your crown jewels and where are they?
• Not easy to define the crown jewels and get agreement from business leadership
• Often, crown jewels are loosely managed across servers & end-user devices
Move them to stronger controlled environments
• e.g., hardened repositories, strong multi-factor (MF) authentication, VDI, data leakage, digital rights management; and upgrade business processes
Review and continually manage access, with a manual process if you need to
Restrict administrator access when possible
• Monitor and alert
Identify and protect the crown jewels.
9. Make it hard for attackers to gain privileged access
Use strong multi-factor authentication
Drive least-privilege management processes and solutions
• Include end-points where most initial attacks are focused
• Enable system and application management without admin privileges
Implement privileged password management solutions
• Eliminate shared passwords
• Passwords automatically changed on every use
• Eliminate hard-coded passwords
• Dual control / approval for critical systems
Tightly manage privileged access
10. Integrate vulnerability issues with privileged access
• Deny privileged access to assets with critical vulnerabilities after a certain time
Align Security and IT Ops teams
• By policy, all aspects of security must be key operational requirements
• Defined patch timetable by asset class
• Shut down if critical issues are not addressed
• Variance approved by leadership if allowed to operate past the deadline
• Joint improvement program driven by business requirements and metrics
• Requires excellent analytics and reporting
• Fix defective operational processes that enable or leave vulnerabilities
• New system deployments
• Application accountability and patching
Get Smarter About Vulnerability Management
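As an added illustration of the control above (deny privileged access once a critical vulnerability has outlived its asset-class patch deadline, unless leadership has approved a variance), here is example code written for this page, not BeyondTrust's or the speaker's; the asset classes, SLA days, findings and dates are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed patch timetable by asset class: days allowed to fix a critical
# finding. Hypothetical values, not the speaker's or BeyondTrust's.
PATCH_SLA_DAYS = {"crown-jewel": 7, "server": 30, "endpoint": 14}

@dataclass
class Asset:
    name: str
    asset_class: str
    vulns: list = field(default_factory=list)      # (vuln id, severity, first seen)
    variances: dict = field(default_factory=dict)  # vuln id -> leadership-approved expiry

def overdue_criticals(asset, today):
    """Critical findings past their patch deadline with no valid variance."""
    sla = timedelta(days=PATCH_SLA_DAYS[asset.asset_class])
    overdue = []
    for vuln_id, severity, first_seen in asset.vulns:
        if severity != "critical":
            continue
        variance_until = asset.variances.get(vuln_id)
        covered = variance_until is not None and today <= variance_until
        if today > first_seen + sla and not covered:
            overdue.append(vuln_id)
    return overdue

def privileged_access_decision(asset, today):
    """'deny' privileged access while an overdue critical finding remains,
    otherwise 'allow'; the second element lists the blocking findings."""
    overdue = overdue_criticals(asset, today)
    return ("deny", overdue) if overdue else ("allow", [])

def decide_all(assets, today):
    return {a.name: privileged_access_decision(a, today) for a in assets}

# Constructed sample inventory and dates for demonstration only.
TODAY = date(2024, 3, 1)
LATER = date(2024, 3, 16)  # after lap-03's variance has expired
SAMPLE_ASSETS = [
    Asset("db-01", "crown-jewel", [("V-1", "critical", date(2024, 2, 10))]),
    Asset("app-02", "server", [("V-2", "critical", date(2024, 2, 10))]),
    Asset("lap-03", "endpoint", [("V-3", "critical", date(2024, 2, 1))],
          variances={"V-3": date(2024, 3, 15)}),
    Asset("lap-04", "endpoint", [("V-4", "high", date(2024, 1, 1))]),
]

if __name__ == "__main__":
    for name, (decision, why) in decide_all(SAMPLE_ASSETS, TODAY).items():
        print(f"{name}: {decision} {why}")
```

The variance path is the one that usually goes wrong in practice: it must carry an expiry, so that a leadership exception lapses into a deny rather than silently becoming permanent.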
11. Gain business leaders' sponsorship
• Train users to report phishing
• Turn users into human detectors
• Requires a reporting solution and a rapid response
Establish a threat intelligence program
• Collect feeds from both open sources and subscription sources
• Collaborate with others inside your industry and overall leaders to stay abreast of current techniques, tactics, and procedures.
• Continually block bad internet addresses, domains, and other indicators of compromise (files)
Detect, alert & block crown jewel exfiltration
• Best to tag crown jewels by type and control based on policies defined by owner
Monitor inbound files for malware
• Much more difficult than AV or IPS
• Requires sandbox solutions or other solutions that monitor behavior
Monitor and alert on unusual application activities and access to crown jewels
• Alert when certain applications are doing unusual things (spawning processes)
• What applications are allowed to access sensitive data by class (whitelist)
Monitor and filter outbound traffic
• Prevent traffic to uncategorized URLs
• Can be challenging to categorize some traffic, but results in strong improvements
Improve your ability to detect attacks
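An added example of the two alerting ideas above (applications doing unusual things such as spawning processes, and a per-data-class whitelist of applications allowed to touch tagged crown-jewel data), run over constructed endpoint telemetry; this is not code from the slides or BeyondTrust, and the application names, data classes and events are assumptions:

```python
import json

# Constructed whitelist: which applications may access data of each class.
# Hypothetical names, not taken from the slides.
ALLOWED_BY_CLASS = {
    "crown-jewel": {"erp.exe", "backup-agent.exe"},
    "internal": {"erp.exe", "backup-agent.exe", "winword.exe", "excel.exe"},
}
# Applications that have no normal business spawning child processes
# (the slide's "spawning processes" example of unusual activity).
NO_SPAWN_PARENTS = {"winword.exe", "excel.exe", "acrobat.exe", "outlook.exe"}

def evaluate(event):
    """Return the alert strings raised by one telemetry event ([] if none)."""
    alerts = []
    proc = event["process"].lower()
    if event["type"] == "process_spawn" and proc in NO_SPAWN_PARENTS:
        alerts.append(f"unusual spawn: {proc} -> {event['child'].lower()}")
    if event["type"] == "file_access":
        cls = event.get("data_class")          # owner-defined tag on the file
        allowed = ALLOWED_BY_CLASS.get(cls)    # untagged data is not policed here
        if allowed is not None and proc not in allowed:
            alerts.append(f"non-whitelisted access to {cls} data by {proc}: {event['path']}")
    return alerts

def scan(lines):
    """Run evaluate() over newline-delimited JSON events; returns (host, alert) pairs."""
    out = []
    for line in lines:
        event = json.loads(line)
        out.extend((event["host"], a) for a in evaluate(event))
    return out

# Constructed sample telemetry (JSON lines), not real logs.
SAMPLE_EVENTS = """\
{"host": "ws-17", "type": "process_spawn", "process": "WINWORD.EXE", "child": "powershell.exe"}
{"host": "ws-17", "type": "process_spawn", "process": "explorer.exe", "child": "winword.exe"}
{"host": "ws-17", "type": "file_access", "process": "winword.exe", "data_class": "internal", "path": "/share/memo.docx"}
{"host": "ws-17", "type": "file_access", "process": "winword.exe", "data_class": "crown-jewel", "path": "/share/designs/cad.zip"}
{"host": "srv-02", "type": "file_access", "process": "backup-agent.exe", "data_class": "crown-jewel", "path": "/vault/keys.db"}
""".splitlines()

if __name__ == "__main__":
    for host, alert in scan(SAMPLE_EVENTS):
        print(host, alert)
```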
Who looks like this in the audience - this is the first reaction when we are asked to trust
Looks like a standard enterprise corporate network, like a patchwork of applications, a patchwork of capabilities. I know *I* for one can figure out where all of my stuff is in this mess. Why wouldn’t you trust people to be able to navigate this??? BECAUSE THEY ARE HUMAN!
control your environment, you cannot trust it. Trusting your people is fine - you have to trust them to do their jobs, etc.