
Information Security - Back to Basics - Own Your Vulnerabilities

Jun 21, 2015


Jack Nichelson

When a security program isn't as good as it should be, it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual pen report. He'll share a back-to-the-basics case study for removing complexity and running a simple, effective, start-up worthy security program.

This talk is for: Security Managers looking to better focus on the real vulnerabilities and more effectively communicate their progress

The goals of this talk: Find the real problems, create a formal plan, build support for the plan, and report the progress
Transcript
Page 1: Information Security - Back to Basics - Own Your Vulnerabilities

Back to Basics Information Security: IT'S TIME TO OWN YOUR VULNERABILITIES

“If you are still missing patch MS08-067, this talk is for you!”

Page 2: Information Security - Back to Basics - Own Your Vulnerabilities

Who is Jack Nichelson?

Global Information Security Manager at GrafTech International

15 years of experience in IT Security & Risk Management

Active in the security community (DefCon, ShmooCon, DerbyCon)

Teach Network Security and advise the BW CCDC team

“Solving Problems is my Passion”

“I defend my company's competitive advantage by helping solve business problems through technology to work faster and safer.”

Introduction

Page 3: Information Security - Back to Basics - Own Your Vulnerabilities

Possibility #1:

I must need more budget & resources

I need more control over the systems & data I need to secure

I need more NextGen solutions & consultants

Possibility #2:

Maybe I am not focused on the right things

Maybe I am trying to do too much at once

Maybe I need a better way to show results

Maybe I need to ask for help

Problem Statement

“After a year of hard work implementing solutions, I just failed another PEN test.”

Page 4: Information Security - Back to Basics - Own Your Vulnerabilities


Recommendations:

Take a step back and read “REWORK”

Remove complexity – Start small

Start at the epicenter, on what won’t change

Focus on fewer problems that provide bigger returns

Build an audience

Keep score & publish it (Good or Bad)

Good Advice

“Think about how you can simplify security – make it easy – and focus on the basics.” - Dave Kennedy

Page 5: Information Security - Back to Basics - Own Your Vulnerabilities


Common Trends of a good Security Program:

Monthly or quarterly security awareness training at all levels of the company

Regularly assess vulnerabilities and report them with action plans

Strong project management to make sure remediation gets done

Well defined reporting that is tied to performance goals

Everyone in IT has responsibility for meeting security goals

What does good look like?

Companies that were making the most improvement year over year on their PEN tests had these things in common.

Page 6: Information Security - Back to Basics - Own Your Vulnerabilities

4 Steps to get Focused

Align: Build & execute a project plan

Identify: Conduct analyses that will give you actionable insight

Communicate: Build consensus through awareness

Report: Build a Scorecard to show results

Page 7: Information Security - Back to Basics - Own Your Vulnerabilities

Hype vs. Reality

Hackers • Organized Crime • State Sponsored

Security Risks

Higher Difficulty (~10% of incidents):

• APT • The “Cloud” • Mobile Malware • Big Data • BYOD

Lower Difficulty (~90% of incidents):

• Malware • Phishing • Missing Patches • Missing Security Baselines • Lost & Stolen Devices • Poor Passwords

Page 8: Information Security - Back to Basics - Own Your Vulnerabilities

Conduct analyses that will give you actionable insight that can be translated into deliverable results.

1. Start at the epicenter & focus on what won't change

2. Define the process of reporting & tracking security events by people and systems

3. Analyze the metrics collected to identify your top 3 incident types, by volume & time

4. Identify the root cause of each incident, and stack rank

Identify – Looking for Actionable Metrics

Malware Metrics: • # of Detections • # of Infections • # of Re-Images

Malware Root Cause: • Filter Failed • Missing Security Baselines • Web Based Infections • Java Based Infections • Missing Patches

Phishing Metrics: • # of Detections • # of User Reports • # of Infections

Phishing Root Cause: • Filter Failed • Lack of Awareness • Web Based Infections • Java Based Infections • Adobe Based Infections

Patching Metrics: • # of Desktops by Location • # of Servers by Location • # Missing Patches by Year

Patching Root Cause: • SCCM Agent Failed • Admin Failed to Patch • Legacy System • Missing 3rd Party Patch • Poor Asset Inventory

Monthly Security Awareness Training

15 Day Patching Window

Egress Filtering (Block Ports 21, 80, 443)

Remove Java
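As an added example (not from the talk), here is a small Python script that carries out steps 3 and 4 above on a ticket export: it groups incidents by type, ranks the types by volume and by analyst time, and stack-ranks the root causes inside each type using the root-cause labels from the slide. The ticket numbers, hours and the mix of incidents are constructed; the `Incident` record and the function names are assumptions, not anything from the talk.

```python
"""Identify step: turn a month of incident tickets into a stack-ranked list
of incident types and root causes.  Added example; the records below are
constructed sample data, not numbers from the talk."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    ticket: str        # ticket id (constructed)
    kind: str          # malware, phishing, missing_patch, lost_device ...
    root_cause: str    # root-cause label from the slide, assigned at closure
    hours: float       # analyst time from detection to closure / re-image


# Constructed sample tickets (not from the talk).
INCIDENTS = [
    Incident("T-1001", "malware", "Java Based Infection", 3.0),
    Incident("T-1002", "malware", "Java Based Infection", 4.0),
    Incident("T-1003", "malware", "Missing Patches", 2.5),
    Incident("T-1004", "malware", "Java Based Infection", 3.5),
    Incident("T-1005", "phishing", "Lack of Awareness", 1.0),
    Incident("T-1006", "phishing", "Filter Failed", 1.5),
    Incident("T-1007", "phishing", "Lack of Awareness", 1.0),
    Incident("T-1008", "missing_patch", "SCCM Agent Failed", 0.5),
    Incident("T-1009", "missing_patch", "Admin Failed to Patch", 0.5),
    Incident("T-1010", "lost_device", "Unencrypted Laptop", 8.0),
]


def summarize(incidents, key):
    """Group incidents by key(incident) -> {group: (count, total_hours)}."""
    counts = defaultdict(int)
    hours = defaultdict(float)
    for inc in incidents:
        k = key(inc)
        counts[k] += 1
        hours[k] += inc.hours
    return {k: (counts[k], hours[k]) for k in counts}


def stack_rank(summary, by="volume"):
    """Order groups by volume (count, then hours) or by time (hours, then count).
    Ties fall back to the group name so the output is stable."""
    idx = (0, 1) if by == "volume" else (1, 0)
    return sorted(summary.items(),
                  key=lambda kv: (-kv[1][idx[0]], -kv[1][idx[1]], kv[0]))


def top_incident_types(incidents, n=3, by="volume"):
    """Step 3: the top-n incident types as (kind, count, hours)."""
    ranked = stack_rank(summarize(incidents, lambda i: i.kind), by)
    return [(k, c, h) for k, (c, h) in ranked][:n]


def root_causes(incidents, kind):
    """Step 4: root causes for one incident type, stack-ranked by volume."""
    subset = [i for i in incidents if i.kind == kind]
    ranked = stack_rank(summarize(subset, lambda i: i.root_cause))
    return [(k, c, h) for k, (c, h) in ranked]


if __name__ == "__main__":
    for by in ("volume", "time"):
        print(f"Top 3 incident types by {by}:")
        for kind, count, hrs in top_incident_types(INCIDENTS, by=by):
            print(f"  {kind:14s} {count:3d} tickets {hrs:6.1f} h")
            for cause, c, h in root_causes(INCIDENTS, kind):
                print(f"      {cause:28s} {c:3d} {h:6.1f} h")
```

Ranking by volume and by time separately is deliberate: on the constructed data malware leads both lists, but a single lost laptop outranks all phishing tickets on analyst time, which is the kind of finding that changes which fix goes first.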

Page 9: Information Security - Back to Basics - Own Your Vulnerabilities


Invest more time in project planning and due diligence; time spent defining the problem is NEVER time wasted

Write a Project Charter that clearly states the scope, objectives, participants and success measurements

Create a Work Breakdown Structure to graphically represent the project scope, broken down into successive chunks with defined deliverables

Pay close attention to the human factor and involve your team in the planning process

Hold regular project meetings & publish the progress

Build & Execute project plans to drive for results & share successes

Align – Manage like you own the problem

Page 10: Information Security - Back to Basics - Own Your Vulnerabilities


If you do not define the key issues and challenges for your security program, chances are that others will

Get out in front of how security is perceived, understood and supported at every level

Good security awareness not only lowers your risks but also helps users and management accept change

Once people understand that security is here to help, the culture changes and adoption of security occurs

Craft crisp messages that can help your audiences internalize and quickly accept your information

“It’s hard to overstate the importance of effective security awareness & communication”

Communicate – Build consensus through awareness

Page 11: Information Security - Back to Basics - Own Your Vulnerabilities


Reporting good data is the best way to show that Security is a business enhancement.

Make heroes: when people start with an A+ they will fight harder to keep it

Define the metrics to measure and assess security’s performance

Metrics are the lifeblood of any good decision

Create a Security Scorecard so you have a standard way for communicating your progress to anyone

Report the value of security activities to a wide range of security consumers

Think like a CFO, so you can deliver results the business can understand.

Reporting - Think like a CFO
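An added example, not from the talk, of the kind of scorecard this slide describes, built from raw data rather than typed in. Constructed device records carrying a patch release date and an install date are checked against the 15-day patching window from slide 8, rolled up per location and for the whole company, and given a letter grade. The hosts, locations, dates and the grade cut-offs (A at 95% and above, matching the 95% figure reported on slide 13) are assumptions.

```python
"""Report step: a patching scorecard computed from an inventory export.
Added example; the devices and grade cut-offs are constructed assumptions,
not data or thresholds from the talk."""
from collections import defaultdict
from datetime import date

PATCH_WINDOW_DAYS = 15  # the talk's patching SLA (slide 8)

# Constructed inventory (not from the talk):
# (hostname, location, patch released, patch installed or None if never).
# The report is assumed to run after the window has closed, so a host
# still unpatched counts as a miss, not as pending.
DEVICES = [
    ("ws-01", "Cleveland", date(2015, 5, 12), date(2015, 5, 20)),
    ("ws-02", "Cleveland", date(2015, 5, 12), date(2015, 5, 26)),
    ("ws-03", "Cleveland", date(2015, 5, 12), date(2015, 6, 3)),   # 22 days: late
    ("ws-04", "Cleveland", date(2015, 5, 12), None),               # never patched
    ("ws-05", "Paris", date(2015, 5, 12), date(2015, 5, 15)),
    ("ws-06", "Paris", date(2015, 5, 12), date(2015, 5, 27)),      # 15 days: on time
    ("srv-01", "Paris", date(2015, 5, 12), date(2015, 5, 14)),
]

# Assumed grade cut-offs, highest first; A means the 95% target was met.
GRADES = [(95.0, "A"), (90.0, "B"), (80.0, "C"), (0.0, "F")]


def within_window(released, installed):
    """True when the patch landed inside the SLA; an unpatched host is a miss."""
    return installed is not None and (installed - released).days <= PATCH_WINDOW_DAYS


def patch_compliance(devices):
    """Percentage of hosts patched within the window, per location plus 'ALL'."""
    hit = defaultdict(int)
    total = defaultdict(int)
    for _host, loc, released, installed in devices:
        for bucket in (loc, "ALL"):
            total[bucket] += 1
            if within_window(released, installed):
                hit[bucket] += 1
    return {loc: round(100.0 * hit[loc] / total[loc], 1) for loc in total}


def grade(pct):
    """Map a compliance percentage to a letter using the assumed cut-offs."""
    for floor, letter in GRADES:
        if pct >= floor:
            return letter
    return "F"


def scorecard(devices, target=95.0):
    """One row per location: compliance %, letter grade, and whether the
    target was met.  Rows are sorted by name so the card is stable month to month."""
    rows = []
    for loc, pct in sorted(patch_compliance(devices).items()):
        rows.append({"location": loc, "pct": pct,
                     "grade": grade(pct), "met_target": pct >= target})
    return rows


if __name__ == "__main__":
    print(f"Patched within {PATCH_WINDOW_DAYS} days:")
    for row in scorecard(DEVICES):
        flag = "OK " if row["met_target"] else "MISS"
        print(f"  {row['location']:10s} {row['pct']:6.1f}%  {row['grade']}  {flag}")
```

The check is deliberately strict: a host with no install record is a miss, not an unknown, because the patching root causes on slide 8 (agent failed, admin failed to patch, poor asset inventory) all show up as exactly that gap, and a scorecard that excludes them hides the problem it is meant to surface.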

Page 12: Information Security - Back to Basics - Own Your Vulnerabilities

Gemba (現場) is a Japanese term referring to the place where value is created. The idea of Gemba is that the problems are visible, and the best improvement ideas will come from going to the Gemba.

Gemba Board - Where value is created

Page 13: Information Security - Back to Basics - Own Your Vulnerabilities


Accomplishments:

Think Before You Click – Awareness Program

Patches applied within 15 Days on 95% of devices

Full egress filtering only allowing access out to internet through proxy

Removed Java from 85% of Workstations

Security Baselines on 90% of servers

Enforced password policy with 10 character minimum, with password self-service reset

Encryption of all mobile Workstations & Phones

Disabled local Admin on all servers

“Good security is not something you have, it’s something you do” - Wendy Nather

Current State - Proof is in the results

Page 14: Information Security - Back to Basics - Own Your Vulnerabilities


Once you have the basics covered, it's time to start focusing on protecting the King: “Your Data”.

What’s next – Protect the King!

“Risk Management is about separating your kings from your pawns” – Chris Clymer

Page 15: Information Security - Back to Basics - Own Your Vulnerabilities

Summary – Key Takeaways

Align: Build & execute a project plan

Identify: Conduct analyses that will give you actionable insight

Communicate: Build consensus through awareness

Report: Build a Scorecard to show results

Page 17: Information Security - Back to Basics - Own Your Vulnerabilities

What Questions are there?

Jack Nichelson

E-mail: [email protected]

Twitter: @Jack0Lope