Transcript
Page 1: The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources - RSA Conference Presentation

John B. Dickson, CISSP @johnbdickson

Denim Group

The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources

Page 2

© 2014 EMC Corporation. All rights reserved. 2

•  Application Security Enthusiast
•  Helps CSOs and CISOs with Application Security Programs
•  ISSA Distinguished Fellow
•  Security Author and Speaker

Page 3


Denim Group | Company Background

•  Professional services firm that builds & secures enterprise applications
•  External application & network assessments
   –  Web, mobile, and cloud
•  Software Development Lifecycle (SDLC) consulting
•  Secure development services:
   –  Secure .NET and Java application development & remediation
•  Classroom and e-Learning for PCI compliance
•  Developed ThreadFix

Page 4


Overview

•  Background on the Issue
•  Key Concept
•  Examples of Guerrilla Tactics
•  Questions and Answers

Page 5


Key Thought

•  Executives are becoming more resistant to FUD carpet bombing


Page 6


Getting Your Security Budget Approved without FUD

•  RSA 2014 track session
•  Assumption: internal sale of security budget to executives is fundamentally different
•  Security leaders competing for scarce corporate resources
•  Common denominators exist
   –  See more on RSA’s site here

Page 7


Getting Your Security Budget Approved without FUD

–  Exploiting Pet Projects
–  Accounting for Culture
–  Tailoring to their Vertical
–  Consciously Cultivating Credibility & Relationships
–  Using Timing to Capitalize on Certain Events
–  Selling By-Products of Security Activities

Page 8


Security Budgets: The Starting Point

•  Some have lost the game before getting on the field
•  Competing against:
   –  Line of business pet projects – expansion of production
   –  Executive-level visibility or utility – e.g., new corporate jet
   –  Things that produce more tangible ROI
•  Information security as the “silent service” – Rich Baich, Wells Fargo CISO
   –  Source: “Winning as a CISO,” Rich Baich

Page 9


Security Budgets: The Starting Point

•  Annual operations budgets are highly scrutinized
   –  Normalized to past budget years and easy to compare
•  Some budget items are easier to get approved
   –  Items mandated by compliance
   –  Items mandated by buyers
   –  Historical operations; example: licensing fees

Page 10


Security Budgets: The Starting Point

Photo by Matt Mechtley

Page 11


Security Budgets: The Starting Point

•  So… what does a savvy security leader do?

Page 12


Key Concept

•  Adopts guerrilla selling tactics to increase budget
   –  Uses the resources of others to expand your security coverage

Page 13


Mergers and Acquisitions

•  Corporate Mergers and Acquisitions (M&A) activities include substantial attorneys’ fees for:
   –  Due diligence and contracts
•  M&A activity is the domain of the CEO
   –  The CEO will be less price-sensitive to security costs
•  Insert security testing into the M&A process to ID:
   –  Risk of the acquired entity & provide a remediation path
   –  Lower downstream security exposure

Page 14


Leverage Things Already Bought

•  Identify technologies bought by business units; leverage any security by-product
•  Example #1: Web Application Firewalls (WAFs)
   –  Mandated by PCI, bought by IT or Internal Audit
   –  Creates incredible Layer 7 logging and protection
•  Example #2: Big Data Technologies
   –  Big Data

Page 15


Development Tools

•  Development tools stack
   –  Expensive
   –  Dwarfs the cost of security vulnerability scanners
•  Get the development team to purchase the scanner for the SDLC, because they own the SDLC
   –  A line item in a larger quote for a development stack
   –  Bake testing into the SDLC at the earliest point in the process
•  Might be able to use the leverage of a large purchase to get tools thrown in

Page 16


Development Training

•  For internally developed software
•  Cost of a vulnerability is most expensive once it is in production
   –  Change the reality: make security a quality issue!
•  Have development teams pay for training
   –  Make this part of general developer training and onboarding

Page 17


Leverage Open Source

•  Use what others have already contributed to the Open Source community to further your security coverage
•  First steps
   –  Hire a security pro w/ Open Source experience
   –  Add an Open Source project that solves a problem – start small
   –  ThreadFix
•  Capture licensing cost savings and communicate them

Page 18


Q&A @johnbdickson
