What affects security program confidence? - may2014 - bill burns
1. 1
What Affects Confidence In
Security Programs?
Rocky Mountain Information Security Conference 2014
Bill Burns | Executive-In-Residence | Scale Venture Partners | Bill@ScaleVP.com | @x509v3
2. 2
My Background
Production hybrid cloud security at scale
– Deployed distributed, hybrid cloud WAF
– Co-developed CloudHSM for IaaS hardware root of trust
Corporate IT “all-cloud” security strategy
– Cloud-first, mobile-first infrastructure model
– Mix of public cloud, best-of-breed SaaS
RSAC Program Committee, Startup Technical Advisory Boards, ISSA CISO Forum & Career Lifecycle
Previously:
3. 3
Agenda
Trends and Forcing Functions on Information Security
InfoSec’s Role in Managing Business Risk
Security Innovations, Market Needs
Early Research Results: Improving Confidence
7. 7
Security Forcing Function – Mobility, BYOD
Smartphone - 58% | Tablet - 42% [1]
By 2017, 50% of employers will require you to BYOD for work [2]
(1) Pew Research, Jan 2014 | (2) Gartner, May 2013
8. 8
Security Forcing Function – Work Anywhere
Blurring work/life integration
– Aruba’s “#GenMobile” initiative
– Starbucks wants to be your life’s “3rd Place”
Ubiquitous network access & seamless roaming
– 802.11ac, n – wireless networking “just works”
• Faster than typical wired ports, easier to provision
– Mobile 4G LTE is also “fast enough”
• Faster than my home’s DSL
– By 2018: 25% of corporate data will flow directly mobile-cloud[3]
(3) Gartner, Nov 2013
9. 9
Security Forcing Function – IaaS / Virtualization
Clouds are compelling to businesses, hard for old security controls to match pace
AWS Example:
– ~Quadrupled offered services in 4 years
– Reduced pricing 42 times in 8 years as equipment ages out
Source: AWS
13. 13
Security controls evolving to be more:
o Proximal – Move closer to the application and data
o Mobile – Follow the infrastructure, application
o Resilient - Emphasize recovery and response
o Holistic – Include technical, legal, and business-level input
o Coordinated - Reliant on communications, automation
New Perimeters : Follow the Data
14. 14
InfoSec’s Role
Be a trusted advisor to the business
– InfoSec doesn’t own the risk
– Anticipates security risk/controls changes and needs
– Communicates technical risks in business terms
Implement guardrails and gates based on risk, sensitivity
– Like brakes on a car: Enables the business to take smart risks
– Architect, design, implement controls
– Measure & report risk with data
– Manage remediation, response
Success: Customers proactively request your guidance!
15. 15
So…What’s Your Cloud Comfort Level?
Cloud Adoption / Maturity:
– Naysayers: you can’t do that (but can’t articulate why)
– Pathfinders: here’s how to do it, early lessons learned
– Optimizers: here’s how to do it well, what not to do
16. 16
So…What’s Your Cloud Comfort Level?
Cloud Adoption/Maturity
– Naysayers
– Pathfinders
– Optimizers
Cloud is inevitable – Get comfortable managing it
– Example: “We have 10 years of legacy work to deal with, we don’t have time to look at our cloud usage!”
– Benefits to agility, automation, consistency
It’s about the business
– Board-level discussion on results, competition, risk
– “Risk is our business” – Philosopher James T. Kirk
18. 18
Anticipating Risks: Partners’ Controls
Service Providers: must consider security as a basic requirement
– They have a smoother attack surface than enterprises
– Laser-focused goals, homogeneous environment, etc.
– All customers pentesting their provider: Doesn’t scale
• Which standard would we all trust? CCM? Other? Discuss.
Which controls are most relevant, important for your business?
– Prioritize those during negotiations, evaluations, assessments
– Bring Your Own Security: Encryption, incident response, audit, SoD, …
19. 19
Anticipating Risks: Partners’ Controls
Integrate Security Controls with Legal
– Risk-based Questionnaires: Level of scrutiny based on data sensitivity
– Contractual: Add boilerplate language in your contracts, MSAs, etc.
• Ask your partners for the security fundamentals
• Operational security basics, secure development, security incident notification, etc.
Assess Third-Party Partners
– Trust but verify their controls. It’s your data!
– Do one-time and ongoing assessments
– Make sure you’re testing what you anticipated
– Partner with your partners on any findings
21. 21
InfoSec Advisor: New controls and capabilities
Track movement, access to assets
– Behavioral analytics become embedded, table stakes
– DRM/DLP-like controls, applied closer to the data
– More focus on detection, monitoring
– Blocking done more through orchestration, automation
– Inventories and network paths always up to date
Restrict access to assets
– Cloud-to-Cloud chokepoints
– SSO and risk-based authentication, authorization
– On-the-fly controls: DLP, encryption, watermarking
– Firewall controls based on tags, data and host classification/sensitivity
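The last bullet, firewall controls keyed on tags and classification rather than addresses, is easier to see in code. The following is an added example, not material from the deck or from any product it names: a small policy engine in which rules select hosts by tags (environment, role, data classification), evaluation is first-match with a default deny, and an inventory check lists rules that no longer match any host. All hosts, tags and rules are constructed for illustration.

```python
"""Tag-driven firewall policy: rules reference host tags, not addresses, so
re-tagging a host changes what it can reach without editing a rule.
Added example with constructed data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Selector = Dict[str, str]  # tag -> required value; {} matches any host


@dataclass
class Host:
    name: str
    tags: Dict[str, str]


@dataclass
class Rule:
    name: str
    src: Selector
    dst: Selector
    ports: Optional[Set[int]]  # None means any port
    action: str                # "allow" or "deny"


def matches(selector: Selector, host: Host) -> bool:
    """A selector matches when every tag it names is present with that value."""
    return all(host.tags.get(k) == v for k, v in selector.items())


def evaluate(rules: List[Rule], src: Host, dst: Host, port: int) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        port_ok = rule.ports is None or port in rule.ports
        if port_ok and matches(rule.src, src) and matches(rule.dst, dst):
            return rule.action, rule.name
    return "deny", "default-deny"


def stale_rules(rules: List[Rule], inventory: List[Host]) -> List[str]:
    """Rules whose destination selector matches no host in the current
    inventory; with an always-current inventory these are the ones to retire."""
    return [r.name for r in rules if not any(matches(r.dst, h) for h in inventory)]


def reclassify(host: Host, **tags: str) -> Host:
    """Copy of a host with updated tags, e.g. after a data-sensitivity review."""
    return Host(host.name, {**host.tags, **tags})


# Constructed inventory: tags come from the asset system, not from the rules.
INTERNET = Host("internet", {})
WEB_PROD = Host("web-1", {"env": "prod", "role": "web", "classification": "public"})
DB_PROD = Host("db-1", {"env": "prod", "role": "db", "classification": "confidential"})
WEB_DEV = Host("web-dev-1", {"env": "dev", "role": "web", "classification": "public"})
BASTION = Host("bastion-1", {"env": "prod", "role": "bastion"})
INVENTORY = [WEB_PROD, DB_PROD, WEB_DEV, BASTION]

# Constructed policy, evaluated top to bottom.
POLICY = [
    Rule("deny-dev-to-prod", {"env": "dev"}, {"env": "prod"}, None, "deny"),
    Rule("allow-web-to-db", {"env": "prod", "role": "web"},
         {"env": "prod", "role": "db"}, {5432}, "allow"),
    Rule("allow-public-web-ingress", {},
         {"role": "web", "classification": "public"}, {443}, "allow"),
    Rule("allow-bastion-ssh", {"env": "prod", "role": "bastion"},
         {"env": "prod"}, {22}, "allow"),
    # Left over from a decommissioned tier: no host carries role=reporting any more.
    Rule("allow-legacy-reporting", {}, {"role": "reporting"}, {8080}, "allow"),
]


if __name__ == "__main__":
    checks = [
        (WEB_PROD, DB_PROD, 5432),
        (WEB_DEV, DB_PROD, 5432),
        (INTERNET, WEB_PROD, 443),
        (BASTION, DB_PROD, 22),
        (INTERNET, reclassify(WEB_PROD, classification="confidential"), 443),
    ]
    for src, dst, port in checks:
        print(f"{src.name} -> {dst.name}:{port}", evaluate(POLICY, src, dst, port))
    print("stale rules:", stale_rules(POLICY, INVENTORY))
```

The reclassification check is the point of the approach: marking the web host's data as confidential removes its public ingress without anyone touching the rule set, and the stale-rule check is how an up-to-date inventory keeps the policy from accumulating entries that widen exposure for no benefit.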
22. 22
Adopting Cloud: Getting Started in IaaS
Plan: Pick 1-3 security metrics to improve & compare
– Examples: Days to patch vulns, avg host uptime, fw ACLs used
Do: Start simple, fail fast on “uninteresting” workflows
Improve: Codify policies, patches, asset management, provisioning.
Iterate: Review lessons learned often, make small course corrections
– Good security starts with solid operational hygiene
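The Plan/Do/Improve/Iterate loop above turns on having the three example metrics computed the same way every cycle. Below is an added example (not from the deck) that computes them from constructed records: days to patch from detection and remediation dates, average host uptime from last-boot times, and the share of firewall ACL entries that actually matched traffic, plus a delta between two review cycles. The vulnerability, host and ACL data, the `NOW` date and the metric definitions are all assumptions made for illustration.

```python
"""Three starter metrics for a Plan/Do/Improve/Iterate loop: days to patch,
average host uptime, and firewall ACLs actually used.
Added example; every record below is constructed."""
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, Optional, Tuple

NOW = datetime(2014, 5, 15)  # constructed "today" for the report

# (host, severity, detected, remediated or None if still open)
VULNS: List[Tuple[str, str, datetime, Optional[datetime]]] = [
    ("web-1", "high", datetime(2014, 4, 1), datetime(2014, 4, 4)),
    ("web-2", "high", datetime(2014, 4, 1), datetime(2014, 4, 20)),
    ("db-1", "critical", datetime(2014, 4, 10), None),
    ("app-1", "medium", datetime(2014, 3, 1), datetime(2014, 3, 30)),
]

# (host, last boot); in IaaS, short uptime usually means hosts are being
# rebuilt from patched images instead of patched in place
HOSTS: List[Tuple[str, datetime]] = [
    ("web-1", datetime(2014, 5, 12)),
    ("web-2", datetime(2014, 2, 1)),
    ("db-1", datetime(2013, 11, 1)),
]

# (ACL entry, flows matched during the review window)
ACLS: List[Tuple[str, int]] = [
    ("allow-443-web", 120000),
    ("allow-5432-app-db", 8500),
    ("allow-22-legacy-jump", 0),
    ("allow-3389-anywhere", 0),
]


def days_to_patch(vulns, now=NOW, severities=None) -> Optional[Dict[str, float]]:
    """Mean/median days from detection to fix. Open findings are aged up to
    `now`, so an unpatched critical keeps pulling the number up until fixed."""
    selected = [v for v in vulns if not severities or v[1] in severities]
    if not selected:
        return None
    ages = [((fixed or now) - detected).days for _, _, detected, fixed in selected]
    return {
        "mean": round(mean(ages), 1),
        "median": float(median(ages)),
        "open": sum(1 for v in selected if v[3] is None),
    }


def avg_host_uptime_days(hosts, now=NOW) -> float:
    """Average days since last boot across the fleet."""
    return round(mean((now - boot).days for _, boot in hosts), 1)


def acl_utilization(acls) -> Dict[str, object]:
    """Share of ACL entries that matched any traffic, plus the idle entries,
    which are the first candidates for removal."""
    unused = [name for name, hits in acls if hits == 0]
    return {"used_fraction": round(1 - len(unused) / len(acls), 2), "unused": unused}


def compare(baseline: Dict[str, float], current: Dict[str, float]) -> Dict[str, float]:
    """Iterate step: delta per metric between two review cycles."""
    return {k: round(current[k] - baseline[k], 1) for k in baseline}


if __name__ == "__main__":
    print("days to patch (all):", days_to_patch(VULNS))
    print("days to patch (high+critical):", days_to_patch(VULNS, severities={"high", "critical"}))
    print("avg host uptime (days):", avg_host_uptime_days(HOSTS))
    print("ACL utilization:", acl_utilization(ACLS))
    print("cycle delta:", compare({"days_to_patch": 21.5, "acl_used": 0.5},
                                  {"days_to_patch": 12.0, "acl_used": 0.9}))
```

Aging open findings up to the report date is a deliberate choice: a metric that only counts closed tickets rewards leaving the hard ones open. The uptime figure is read the opposite way from a traditional data center, where a long-lived host is a sign of stability rather than of in-place patching.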
23. 23
Summary: Evolving Controls, Maturity
Get Baseline visibility into your Cloud Services
– Facts critical to business-level conversations
– You’re using more SaaS than you realize
– Share data with IT, legal, other stakeholders
Monitor and Protect your Data
– Start collecting/mining SaaS access, audit logs
– Integrate with your SIEM, monitoring systems
– Deploy additional controls via chokepoints, automation
Increase program maturity
– Cloud is an opportunity to codify, automate security
– Operational hygiene is the basis for a solid security program
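The "Monitor and Protect your Data" steps (collect SaaS audit logs, mine them, feed the result to the SIEM) can be shown end to end. This is an added example, not code from the deck or from any SaaS vendor: it parses a constructed JSON-lines audit export into a normalized schema, produces the baseline activity summary, flags a burst of downloads and external shares, and renders an alert as a key=value line for SIEM ingestion. The field names in the export, the thresholds and the output format are assumptions.

```python
"""Mining a SaaS audit log export for baseline visibility and a few
data-protection signals. Added example with a constructed log sample."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: JSON-lines export from a hypothetical SaaS audit API.
SAMPLE_LOG = """\
{"time":"2014-05-12T09:01:10Z","actor":"alice@example.com","event":"login","ip":"203.0.113.7","object":null}
{"time":"2014-05-12T09:02:40Z","actor":"alice@example.com","event":"file_download","ip":"203.0.113.7","object":"Q2-forecast.xlsx"}
{"time":"2014-05-12T09:02:41Z","actor":"alice@example.com","event":"file_download","ip":"203.0.113.7","object":"board-deck.pptx"}
{"time":"2014-05-12T09:02:43Z","actor":"alice@example.com","event":"file_download","ip":"203.0.113.7","object":"customer-list.csv"}
{"time":"2014-05-12T09:02:45Z","actor":"alice@example.com","event":"file_download","ip":"203.0.113.7","object":"pricing.pdf"}
{"time":"2014-05-12T10:15:00Z","actor":"bob@example.com","event":"login","ip":"198.51.100.20","object":null}
{"time":"2014-05-12T10:16:30Z","actor":"bob@example.com","event":"file_share_external","ip":"198.51.100.20","object":"roadmap.docx"}
{"time":"2014-05-12T11:00:00Z","actor":"bob@example.com","event":"file_download","ip":"198.51.100.20","object":"roadmap.docx"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse the JSON-lines export into one normalized schema a SIEM can index."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        events.append({
            "ts": datetime.strptime(raw["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": raw["actor"].lower(),
            "action": raw["event"],
            "src_ip": raw["ip"],
            "object": raw.get("object"),
            "source": "saas-audit",
        })
    return sorted(events, key=lambda e: e["ts"])


def activity_summary(events: List[Dict]) -> Counter:
    """Baseline visibility: who is doing what, and how often."""
    return Counter((e["user"], e["action"]) for e in events)


def bulk_downloads(events: List[Dict], threshold: int = 3,
                   window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Flag users with more than `threshold` downloads inside a sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "file_download":
            per_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in per_user.items():  # times are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append({"user": user, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # one alert per user per run is enough
    return alerts


def external_shares(events: List[Dict]) -> List[Tuple[str, str]]:
    """Data-protection signal: objects shared outside the organization."""
    return [(e["user"], e["object"]) for e in events if e["action"] == "file_share_external"]


def to_siem(alert: Dict) -> str:
    """Render an alert as a single key=value line (constructed format)."""
    return (f"source=saas-audit rule=bulk_download user={alert['user']} "
            f"count={alert['count']} first={alert['first'].isoformat()} "
            f"last={alert['last'].isoformat()}")


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for (user, action), n in sorted(activity_summary(evts).items()):
        print(f"{user:20} {action:22} {n}")
    for alert in bulk_downloads(evts):
        print(to_siem(alert))
    print("external shares:", external_shares(evts))
```

The summary is the "baseline visibility" the deck asks for first; only once the normal per-user activity mix is known do thresholds like the download burst mean anything, and the same normalized events are what the SIEM integration consumes.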
25. 25
Areas of Security Interest: Early Results
Advanced authentication and identification schemes
App-centric firewalls and containers to protect data
Behavioral analytics to improve security, fraud
Continuous endpoint monitoring, orchestration, remediation
Continuous risk & compliance monitoring, reporting
Dashboards and analytics to communicate and share metrics
DevOps / security integrations to codify security
Holistic DLP, data encryption and key management
Malware protection without signatures
Mobile security to protect data anywhere
PKI and digital certificate management for authentication, encryption
Proactive / predictive attack detection, real-time response
Threat intelligence feeds, sharing
Source: Scale Venture Partners
26. 26
Guidance to Security Vendors: Early Feedback
Be 10x better - provide superior customer value
– Look for disruptive technologies, approaches
– Interoperate with what I already have
– What can I turn off if I buy your thing?
Think API, integration first
– Defenders & DevOps: The future is automation, interoperability
– InfoSec staffing is hard, automation is a force multiplier
– No cheating: Build your GUI on your API
Model, measure, provide insights
– Security A/B testing, modeling allows safe experimentation
– Provide insights of current, continuous risk state
– Want to manage cloud risk better than legacy
– Good deployment strategies start with great migration strategies
Source: Scale Venture Partners
27. 27
Increasing Confidence: Early Research Results
Security programs with higher maturity have more confidence
– Regulations help, but also
– Operational consistency,
– Incorporating standardized frameworks (ISO, NIST)
Build what works for your company’s culture
– Culture trumps strategy
– There is no one, true “map”: Every program is different
– Endpoint-centric vs. network-centric // Block vs. monitor + respond
Create, market, share metrics with your peers
– Empowers teams that own responsibility for controls
– Encourages fact-based decision-making
– Communicates your program’s Business Impact
Source: Scale Venture Partners
Internet Access – not a concern, a foregone conclusion
IoT – too unclear what it means
Agile/DevOps – polarizing
Consumerization - polarizing
By 2017: 50% of employers will require employees to BYOD for work purposes (2)
58% / 42% of Americans now own a smartphone / tablet (1)
New: Identity and Authentication
Authenticated checkpoints/chokepoints
Everything and everyone is “outside the firewall”
Controls moving closer to the data, finer-grained
Provisioning and security policies are automated
Trust no one implicitly; authorize everything