a fistful of fire hoses: putting out fires without crossing streams [presented by steve werby at...

Steve Werby | ShmooCon 2012: A Fistful of Fire Hoses… | @stevewerby

A Fistful of Fire Hoses:Putting out Fires Without Crossing Streams

Steve Werby (@stevewerby)Chief Information Security OfficerUniversity of Texas at San Antonio


A Fistful of Fire Hoses:Putting out Fires Without Crossing Streams

AV FW IDS FIM SIEM Pen Test

Config Mgmt IP Flow Mon Log Analysis Data Discovery Forensics Vuln Scanning

10 person department


One Size Does Not Fit All


Obligatory DisclaimerThe opinions shared represent my views, the views of my employer, the views of my past employers and the views of my future employers.

Are presentation disclaimers REALLY necessary?


My Org 31k students 6k FTEs 155 classrooms 65 labs 1.5MM SQFT $450MM budget

15k workstations 1k servers /16


My Org Heterogeneous IT environment Silos Low visibility into state of IT security Inconsistent infosec risk mgmt & compliance


Overview of Presentation


Project Goals push(@manager, $info) => informed decisions push(@infosec, $info) => $visibility++ Improve security posture of organization Change culture Facilitate standardization


Development Project charter, steering committee, work plan Project team

Project sponsor (CIO) Project manager from IT Project Mgmt

CISO and several infosec staff IT App Development staff IT Marketing/Communications staff

Pilot users


Implementation Piloted while (1==1) communicate();

Email and postcard marketing Presentations to key groups

Started small Staged release phases


Architecture


InSight – Indicator Dashboard


InSight – Indicator Summary


InSight – Indicator Detail


InSight – Indicator Detail #2


InSight – Indicator Description


InSight – Asset View


InSight – Exemption Request


Reaction☑ “How can we get all of our laptops encrypted?”☑ “IT, fix it!”☑ “I’m not going to look at it.”☑ “Security is YOUR job. Why should I help do your job?


Carrots and Sticks Peer pressure Eligibility for IT funding


Project Goals Revisited☑ push(@manager, $info) => informed decisions☑ push(@infosec, $info) => $visibility++☑ Improve security posture of organization☑ Change culture☑ Facilitate standardization


Project Goals Revisited☑ push(@manager, $info) => informed decisions☑ push(@infosec, $info) => $visibility++☑ Improve security posture of organization☑ Change culture☑ Facilitate standardization

Additional impact Increased IT staff accountability Increased IT and infosec workload


Lessons Learned process(“garbage”) = “garbage”

Inventory, computer name, etc. A computer is…huh A laptop is a server Intended audience != actual audience Anticipate how app will be used


The Future

risk profiles$awareness++$scope++$functionality++


The Future – $awareness++ Monthly automated emails to managers Periodic reporting to governance groups Expand access to all employees


The Future - $scope++ More endpoint devices Include servers and apps More data sources (IP Flow, SIEM, etc.) More granularity Information about people and processes


The Future - $functionality++ Maintain historical information Increase update frequency Triggers


The Future – risk profiles By device, person, biz unit, system

Take the number of vehicles in the field, A), and multiply it by the probable rate of failure, (B), then multiply the result by the average out-of-court settlement, (C). A times B times C equals X. If X is less than the cost of a recall, we don't do one.


Just Passing This On


Questions [Answers…Maybe]

a fistful of fire hoses: putting out fires without crossing streams [presented by steve werby at...

Technology