1. 1
What Affects Confidence In
Security Programs?
Rocky Mountain Information Security Conference 2014
Bill Burns | Executive-In-Residence | Scale Venture Partners | Bill@ScaleVP.com | @x509v3

2. 2
My Background
 Production hybrid cloud security at scale
– Deployed distributed, hybrid cloud WAF
– Co-developed CloudHSM for IaaS hardware root of trust
 Corporate IT “all-cloud” security strategy
– Cloud-first, mobile-first infrastructure model
– Mix of public cloud, best-of-breed SaaS
 RSAC Program Committee, Startup Technical Advisory Boards,
ISSA CISO Forum & Career Lifecycle
 Previously:

3. 3
Agenda
 Trends and Forcing Functions on Information Security
 InfoSec’s Role in Managing Business Risk
 Security Innovations, Market Needs
 Early Research Results: Improving Confidence

4. 4
CISOs: “What Kept You Up Last Night?”
Source: Scale Venture Partners

5. 5
Agile/DevOps
BYOD
Shadow IT /
Consumerization
Increased
Regs/Compliance
Internet Of Things
IT Automation
Mobile computing
SaaS
Ubiquitous Internet
Access
Virtualization / IaaS
Weaponization of Internet
/ espionage
Work/Life Integration
Concern
Unconcern
Top Trends & Forcing Functions on InfoSec
Source: Scale Venture Partners

6. 6
Security Forcing Function – Mobility, BYOD
Source: Mary Meeker, KPCB

7. 7
Security Forcing Function – Mobility, BYOD
(1) Pew Research, Jan 2014 | (2) Gartner, May 2013
Smartphone - 58%
Tablet - 42%
By 2017, 50% of employers will
require you to BYOD[2] for
work.

8. 8
Security Forcing Function – Work Anywhere
 Blurring work/life integration
– Aruba’s “#GenMobile”initiative
– Starbucks wants to be your life’s “3rd Place”
 Ubiquitous network access & seamless roaming
– 802.11ac, n – wireless networking “just works”
• Faster than typical wired ports, easier to provision
– Mobile 4G LTE is also “fast enough”
• Faster than my home’s DSL
– By 2018: 25% of corporate data will flow directly mobile-cloud[3]
(3) Gartner, Nov 2013

9. 9
Security Forcing Function – IaaS / Virtualization
 Clouds are
compelling to
businesses, hard
for old security
controls to match
pace
 AWS Example:
– ~Quadrupled
offered services in 4
years
– Reduced pricing 42
times in 8 years as
equipment ages out
Source: AWS

10. 10
Old: Perimeter Firewalls

11. 11
Old: Perimeter Firewalls
 Castle and Moat (layered) defense
 Place people, data behind datacenter firewalls
 Provisioning workflows were serialized, expensive, slow
 “Behind the firewall” = Trusted

12. 12
New Perimeters : Follow the Data

13. 13
Security controls evolving to be more:
o Proximal – Move closer to the application and data
o Mobile – Follow the infrastructure, application
o Resilient - Emphasize recovery and response
o Holistic – Include technical, legal, and business-level input
o Coordinated - Reliant on communications, automation
New Perimeters : Follow the Data

14. 14
InfoSec’s Role
 Be a trusted advisor to the business
– InfoSec doesn’t own the risk
– Anticipates security risk/controls changes and needs
– Communicates technical risks in business terms
 Implement guardrails and gates based on risk, sensitivity
– Like breaks on a car: Enables the business to take smart risks
– Architect, design, implement controls
– Measure & report risk with data
– Manage remediation, response
 Success: Customers proactively request your guidance!

15. 15
So…What’s Your Cloud Comfort Level?
 Cloud Adoption / Maturity:
– Naysayers: you can’t do that (but can’t articulate why)
– Pathfinders: here’s how to do it, early lessons learned
– Optimizers: here’s how to do it well, what not to do

16. 16
So…What’s Your Cloud Comfort Level?
 Cloud Adoption/Maturity
– Naysayers
– Pathfinders
– Optimizers
 Cloud is inevitable – Get comfortable managing it
– Example: “We have 10 years of legacy work to deal with, we don’t have
time to look at our cloud usage!”
– Benefits to agility, automation, consistency
 It’s about the business
– Board-level discussion on results, competition, risk
– “Risk is our business” – Philosopher James T. Kirk

17. 17
Security Delivered Via Cloud Services

18. 18
Anticipating Risks: Partners’ Controls
 Service Providers: must consider security as a basic requirement
– They have a smoother attack surface than enterprises
– Laser-focused goals, homogeneous environment, etc.
– All customers pentesting their provider: Doesn’t scale
• Which standard would we all trust? CCM? Other? Discuss.
 Which controls are most relevant, important for your business?
– Prioritize those during negotiations, evaluations, assessments
– Bring Your Own Security: Encryption, incident response, audit, SoD, …

19. 19
Anticipating Risks: Partners’ Controls
 Integrate Security Controls with Legal
– Risk-based Questionnaires: Level of scrutiny based on data sensitivity
– Contractual: Add boilerplate language in your contracts, MSAs, etc.
• Ask your partners for the security fundamentals
• Operational security basics, secure development, security incident
notification, etc.
 Assess Third-Parties Partners
– Trust but verify their controls. It’s your data!
– Do one-time and ongoing assessments
– Make sure you’re testing what you anticipated
– Partner with your partners on any findings

20. 20
SaaS Applications: Growth and Risk Perspective

21. 21
InfoSec Advisor: New controls and capabilities
 Track movement, access to assets
– Behavioral analytics become embedded, table stakes
– DRM/DLP-like controls, applied closer to the data
– More focus on detection, monitoring
– Blocking done more through orchestration, automation
– Inventories and network paths always up to date
 Restrict access to assets
– Cloud-to-Cloud chokepoints
– SSO and risk-based authentication, authorization
– On-the-fly controls: DLP, encryption, watermarking
– Firewall controls based on tags, data and host classification/sensitivity

22. 22
Adopting Cloud: Getting Started in IaaS
 Plan: Pick 1-3 security metrics to improve & compare
– Examples: Days to patch vulns, avg host uptime, fw ACLs used
 Do: Start simple, fail fast on “uninteresting” workflows
 Improve: Codify policies, patches, asset management, provisioning.
 Iterate: Review lessons learned often, make small course
corrections
– Good security starts with solid operational hygiene

23. 23
Summary: Evolving Controls, Maturity
 Get Baseline visibility into your Cloud Services
– Facts critical to business-level conversations
– You’re using more SaaS than you realize
– Share data with IT, legal, other stakeholders
 Monitor and Protect your Data
– Start collecting/mining SaaS access, audit logs
– Integrate with your SIEM, monitoring systems
– Deploy additional controls via chokepoints, automation
 Increase program maturity
– Cloud is an opportunity to codify, automate security
– Operational hygiene is the basis for solid security program

24. 24
Wisegate: Maturity Proportional to Confidence
Source: Wisegate IT Security Benchmark, Sept 2013

25. 25
Areas of Security Interest: Early Results
 Advanced authentication and
identification schemes
 App-centric firewalls and containers
to protect data
 Behavioral analytics to improve
security, fraud
 Continuous endpoint monitoring,
orchestration, remediation
 Continuous risk & compliance
monitoring, reporting
 Dashboards and analytics to
communicate and share metrics
 DevOps / security integrations to
codify security
 Holistic DLP, data encryption and
key management
 Malware protection without
signatures
 Mobile security to protect data
anywhere
 PKI and digital certificate
management for authentication,
encryption
 Proactive / predictive attack
detection, real-time response
 Threat intelligence feeds, sharing
Source: Scale Venture Partners

26. 26
Guidance to Security Vendors: Early Feedback
 Be 10x better - provide superior customer value
– Look for disruptive technologies, approaches
– Interoperate with what I already have
– What can I turn off if I buy your thing?
 Think API, integration first
– Defenders & DevOps: The future is automation, interoperability
– InfoSec staffing is hard, automation is a force multiplier
– No cheating: Build your GUI on your API
 Model, measure, provide insights
– Security A/B testing, modeling allows safe experimentation
– Provide insights of current, continuous risk state
– Want to manage cloud risk better than legacy
– Good deployment strategies start with great migration strategies
Source: Scale Venture Partners

27. 27
Increasing Confidence: Early Research Results
 Security programs with higher maturity have more confidence
– Regulations help, but also
– Operational consistency,
– Incorporating standardized frameworks (ISO, NIST)
 Build what works for your company’s culture
– Culture trumps strategy
– There is no one, true “map”: Every program is different
– ? Endpoint-centric vs. network-centric // Block vs. monitor + respond
 Create, market, share metrics with your peers
– Empowers teams that own responsibility for controls
– Encourages fact-based decision-making
– Communicates your program’s Business Impact
Source: Scale Venture Partners

28. 28
Thank you!
Security-Research@ScaleVP.com
Bill Burns | Executive-In-Residence | Scale Venture Partners | Bill@ScaleVP.com | @x509v3