what affects security program confidence? - may2014 - bill burns

Post on 09-May-2015


1

What Affects Confidence In Security Programs?

Rocky Mountain Information Security Conference 2014

Bill Burns | Executive-In-Residence | Scale Venture Partners | Bill@ScaleVP.com | @x509v3

2

My Background

Production hybrid cloud security at scale
– Deployed distributed, hybrid cloud WAF
– Co-developed CloudHSM for IaaS hardware root of trust

Corporate IT “all-cloud” security strategy
– Cloud-first, mobile-first infrastructure model
– Mix of public cloud, best-of-breed SaaS

RSAC Program Committee, Startup Technical Advisory Boards, ISSA CISO Forum & Career Lifecycle

Previously:

3

Agenda

Trends and Forcing Functions on Information Security

InfoSec’s Role in Managing Business Risk

Security Innovations, Market Needs

Early Research Results: Improving Confidence

4

CISOs: “What Kept You Up Last Night?”

Source: Scale Venture Partners

5

Top Trends & Forcing Functions on InfoSec (chart: each trend plotted on a Concern / Unconcern axis)

Agile/DevOps
BYOD
Shadow IT / Consumerization
Increased Regs/Compliance
Internet Of Things
IT Automation
Mobile computing
SaaS
Ubiquitous Internet Access
Virtualization / IaaS
Weaponization of Internet / espionage
Work/Life Integration

Source: Scale Venture Partners

6

Security Forcing Function – Mobility, BYOD

Source: Mary Meeker, KPCB

7

Security Forcing Function – Mobility, BYOD

Smartphone - 58%, Tablet - 42% (US adult ownership) [1]

By 2017, 50% of employers will require you to BYOD for work. [2]

(1) Pew Research, Jan 2014 | (2) Gartner, May 2013

8

Security Forcing Function – Work Anywhere

Blurring work/life integration
– Aruba’s “#GenMobile” initiative
– Starbucks wants to be your life’s “3rd Place”

Ubiquitous network access & seamless roaming
– 802.11ac, n – wireless networking “just works”
• Faster than typical wired ports, easier to provision
– Mobile 4G LTE is also “fast enough”
• Faster than my home’s DSL
– By 2018: 25% of corporate data will flow directly mobile-cloud [3]

(3) Gartner, Nov 2013

9

Security Forcing Function – IaaS / Virtualization

Clouds are compelling to businesses, hard for old security controls to match pace

AWS Example:
– ~Quadrupled offered services in 4 years
– Reduced pricing 42 times in 8 years as equipment ages out

Source: AWS

10

Old: Perimeter Firewalls

11

Old: Perimeter Firewalls

Castle and Moat (layered) defense

Place people, data behind datacenter firewalls

Provisioning workflows were serialized, expensive, slow

“Behind the firewall” = Trusted

12

New Perimeters : Follow the Data

13

New Perimeters : Follow the Data

Security controls evolving to be more:
o Proximal – Move closer to the application and data
o Mobile – Follow the infrastructure, application
o Resilient – Emphasize recovery and response
o Holistic – Include technical, legal, and business-level input
o Coordinated – Reliant on communications, automation

14

InfoSec’s Role

Be a trusted advisor to the business
– InfoSec doesn’t own the risk
– Anticipates security risk/controls changes and needs
– Communicates technical risks in business terms

Implement guardrails and gates based on risk, sensitivity
– Like brakes on a car: enables the business to take smart risks
– Architect, design, implement controls
– Measure & report risk with data
– Manage remediation, response

Success: Customers proactively request your guidance!

15

So…What’s Your Cloud Comfort Level?

Cloud Adoption / Maturity:
– Naysayers: you can’t do that (but can’t articulate why)
– Pathfinders: here’s how to do it, early lessons learned
– Optimizers: here’s how to do it well, what not to do

16

So…What’s Your Cloud Comfort Level?

Cloud Adoption/Maturity
– Naysayers
– Pathfinders
– Optimizers

Cloud is inevitable – Get comfortable managing it
– Example: “We have 10 years of legacy work to deal with, we don’t have time to look at our cloud usage!”
– Benefits to agility, automation, consistency

It’s about the business
– Board-level discussion on results, competition, risk
– “Risk is our business” – Philosopher James T. Kirk

17

Security Delivered Via Cloud Services

18

Anticipating Risks: Partners’ Controls

Service Providers: must consider security as a basic requirement
– They have a smoother attack surface than enterprises
– Laser-focused goals, homogeneous environment, etc.
– All customers pentesting their provider: Doesn’t scale
• Which standard would we all trust? CCM (the CSA Cloud Controls Matrix)? Other? Discuss.

Which controls are most relevant, important for your business?
– Prioritize those during negotiations, evaluations, assessments
– Bring Your Own Security: Encryption, incident response, audit, SoD (separation of duties),

19

Anticipating Risks: Partners’ Controls

Integrate Security Controls with Legal
– Risk-based Questionnaires: Level of scrutiny based on data sensitivity
– Contractual: Add boilerplate language in your contracts, MSAs, etc.
• Ask your partners for the security fundamentals
• Operational security basics, secure development, security incident notification, etc.

Assess Third-Party Partners
– Trust but verify their controls. It’s your data!
– Do one-time and ongoing assessments
– Make sure you’re testing what you anticipated
– Partner with your partners on any findings

20

SaaS Applications: Growth and Risk Perspective

21

InfoSec Advisor: New controls and capabilities

Track movement, access to assets
– Behavioral analytics become embedded, table stakes
– DRM/DLP-like controls, applied closer to the data
– More focus on detection, monitoring
– Blocking done more through orchestration, automation
– Inventories and network paths always up to date

Restrict access to assets
– Cloud-to-Cloud chokepoints
– SSO and risk-based authentication, authorization
– On-the-fly controls: DLP, encryption, watermarking
– Firewall controls based on tags, data and host classification/sensitivity
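The last two bullets of this slide (firewall controls keyed on tags and data classification, and inventories that stay current) are easiest to see in code. The following is an added example, not code from the talk or from any product: a small policy engine in which allow rules are written against inventory tags (role, env, data_class) and rendered into concrete address rules on demand, with two built-in guardrails (no cross-environment traffic, and a classification ceiling per rule). The hosts, tag names, ports and policy are hypothetical.

```python
"""Tag-driven firewall policy: allow rules are written against inventory
tags (role, env, data classification) and rendered into concrete address
rules on demand, so the ACLs follow the inventory instead of drifting.
Added example; hosts, tags and policy are hypothetical, not from the talk."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Data classification ordering used for the per-rule ceiling check (assumed scheme).
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    tags: Tuple[Tuple[str, str], ...]   # (key, value) pairs so the host stays hashable

    def tag(self, key: str, default: str = "") -> str:
        return dict(self.tags).get(key, default)


@dataclass(frozen=True)
class Rule:
    """A rule expressed as tag selectors, never as IP addresses."""
    src: Tuple[Tuple[str, str], ...]
    dst: Tuple[Tuple[str, str], ...]
    port: int
    max_data_class: str = "restricted"   # highest classification the rule may reach


def host(name: str, ip: str, **tags: str) -> Host:
    return Host(name, ip, tuple(sorted(tags.items())))


def rule(src: Dict[str, str], dst: Dict[str, str], port: int,
         max_data_class: str = "restricted") -> Rule:
    return Rule(tuple(sorted(src.items())), tuple(sorted(dst.items())), port, max_data_class)


def matches(h: Host, selector: Tuple[Tuple[str, str], ...]) -> bool:
    # An empty selector matches every host.
    return all(h.tag(k) == v for k, v in selector)


def render(hosts: List[Host], policy: List[Rule]) -> Set[Tuple[str, str, int]]:
    """Expand tag rules into concrete (src_ip, dst_ip, port) allow entries.
    Anything not produced here is denied (default deny)."""
    allows: Set[Tuple[str, str, int]] = set()
    for r in policy:
        for s in hosts:
            if not matches(s, r.src):
                continue
            for d in hosts:
                if s == d or not matches(d, r.dst):
                    continue
                # Guardrail 1: never cross environments (prod/staging), whatever the rule says.
                if s.tag("env") != d.tag("env"):
                    continue
                # Guardrail 2: a rule may not reach data classified above its ceiling.
                if CLASS_RANK[d.tag("data_class", "internal")] > CLASS_RANK[r.max_data_class]:
                    continue
                allows.add((s.ip, d.ip, r.port))
    return allows


def is_allowed(allows: Set[Tuple[str, str, int]], src_ip: str, dst_ip: str, port: int) -> bool:
    return (src_ip, dst_ip, port) in allows


def reclassify(hosts: List[Host], name: str, data_class: str) -> List[Host]:
    """Return a new inventory with one host's data_class tag changed;
    re-rendering the policy then picks the change up automatically."""
    out = []
    for h in hosts:
        if h.name == name:
            tags = dict(h.tags)
            tags["data_class"] = data_class
            h = Host(h.name, h.ip, tuple(sorted(tags.items())))
        out.append(h)
    return out


# Constructed inventory and policy (hypothetical).
INVENTORY = [
    host("web-1", "10.0.1.10", role="web", env="prod", data_class="public"),
    host("app-1", "10.0.2.10", role="app", env="prod", data_class="confidential"),
    host("db-1", "10.0.3.10", role="db", env="prod", data_class="restricted"),
    host("db-2", "10.0.3.20", role="db", env="staging", data_class="internal"),
    host("mon-1", "10.0.9.10", role="monitor", env="prod", data_class="internal"),
]
POLICY = [
    rule({"role": "web"}, {"role": "app"}, 8443),
    rule({"role": "app"}, {"role": "db"}, 5432),
    # Monitoring may scrape every host in its environment, but not restricted ones.
    rule({"role": "monitor"}, {}, 9100, max_data_class="confidential"),
]


def build_allows(hosts: List[Host] = INVENTORY, policy: List[Rule] = POLICY) -> Set[Tuple[str, str, int]]:
    return render(hosts, policy)


if __name__ == "__main__":
    for entry in sorted(build_allows()):
        print("allow %s -> %s:%d" % entry)
```

Because the address rules are a pure function of inventory plus policy, regenerating them on every inventory change is what keeps "network paths always up to date"; the classification ceiling is what stops a broad monitoring rule from quietly reaching the restricted database.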

22

Adopting Cloud: Getting Started in IaaS

Plan: Pick 1-3 security metrics to improve & compare
– Examples: Days to patch vulns, avg host uptime, fw ACLs used

Do: Start simple, fail fast on “uninteresting” workflows

Improve: Codify policies, patches, asset management, provisioning

Iterate: Review lessons learned often, make small course corrections
– Good security starts with solid operational hygiene
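Two of the starter metrics named in the Plan step, computed from the kind of data a team can export from its scanner and firewall, as an added example (not from the presentation). The findings, rule names and hit counters are constructed sample data; the field layout is an assumption about what such an export looks like.

```python
"""Starter security metrics from exported data: days to patch a finding and
the share of firewall ACL entries that actually carry traffic.
Added example with constructed sample data; not from the presentation."""
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed scanner export: (host, vulnerability id, first seen, fixed on or None).
FINDINGS: List[Tuple[str, str, date, Optional[date]]] = [
    ("web-1", "CVE-2014-0160", date(2014, 4, 8), date(2014, 4, 9)),
    ("app-1", "CVE-2014-0160", date(2014, 4, 8), date(2014, 4, 12)),
    ("db-1", "CVE-2014-0160", date(2014, 4, 8), None),           # still open
    ("web-1", "CVE-2014-0224", date(2014, 6, 5), date(2014, 6, 20)),
]

# Constructed firewall export: rule id and hit counter over the review period.
ACL_HITS: Dict[str, int] = {
    "allow-web-app-8443": 41820,
    "allow-app-db-5432": 9031,
    "allow-mon-all-9100": 120944,
    "allow-legacy-ftp-21": 0,
    "allow-vendor-rdp-3389": 0,
    "allow-backup-22": 310,
}


def days_to_patch(findings, today: date) -> Dict[str, object]:
    """Median and worst time to close a finding, plus the age of the oldest
    open one. Open findings are reported separately so they do not skew
    the median of closed ones."""
    closed = [(fixed - seen).days for _, _, seen, fixed in findings if fixed is not None]
    open_ages = [(today - seen).days for _, _, seen, fixed in findings if fixed is None]
    return {
        "closed": len(closed),
        "median_days": median(closed) if closed else None,
        "worst_days": max(closed) if closed else None,
        "open": len(open_ages),
        "oldest_open_days": max(open_ages) if open_ages else 0,
    }


def acl_utilization(hits: Dict[str, int]) -> Dict[str, object]:
    """Share of ACL entries that saw any traffic, and the idle ones, which
    are removal candidates once you have ruled out seasonal use."""
    unused = sorted(rule for rule, n in hits.items() if n == 0)
    used = len(hits) - len(unused)
    return {"used": used, "total": len(hits), "ratio": round(used / len(hits), 2), "unused": unused}


def report(today: date = date(2014, 6, 30)) -> Dict[str, Dict[str, object]]:
    return {"patching": days_to_patch(FINDINGS, today), "acls": acl_utilization(ACL_HITS)}


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

Run the same report against the legacy estate and the cloud estate and the comparison the slide asks for falls out directly; the idle-rule list is also the starting point for the “what can I turn off?” conversation.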

23

Summary: Evolving Controls, Maturity

Get Baseline visibility into your Cloud Services
– Facts critical to business-level conversations
– You’re using more SaaS than you realize
– Share data with IT, legal, other stakeholders

Monitor and Protect your Data
– Start collecting/mining SaaS access, audit logs
– Integrate with your SIEM, monitoring systems
– Deploy additional controls via chokepoints, automation

Increase program maturity
– Cloud is an opportunity to codify, automate security
– Operational hygiene is the basis for solid security program
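A concrete form of “start collecting/mining SaaS access, audit logs” and “integrate with your SIEM”, as an added example that is not part of the talk: parse a JSON-lines audit export, learn each user's usual login countries from a baseline window, then flag logins from a never-seen country and bursts of downloads, emitting one JSON line per alert for a SIEM to ingest. The log format, field names and events are constructed and do not correspond to any real SaaS provider's schema.

```python
"""Mining SaaS audit logs: baseline each user's login countries, then flag
new-country logins and download bursts. Alerts are JSON lines for a SIEM.
Added example; the log format, field names and events are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed audit export; the fourth line is deliberately malformed.
SAMPLE_LOG = """\
{"ts": "2014-05-01T09:12:03Z", "user": "alice@example.com", "event": "login", "ip": "203.0.113.10", "country": "US"}
{"ts": "2014-05-02T08:55:41Z", "user": "alice@example.com", "event": "login", "ip": "203.0.113.10", "country": "US"}
{"ts": "2014-05-02T09:00:00Z", "user": "bob@example.com", "event": "login", "ip": "198.51.100.7", "country": "US"}
this line is not json
{"ts": "2014-05-09T02:14:09Z", "user": "alice@example.com", "event": "login", "ip": "192.0.2.55", "country": "RO"}
{"ts": "2014-05-09T02:15:00Z", "user": "alice@example.com", "event": "download", "doc": "q2-forecast.xlsx"}
{"ts": "2014-05-09T02:16:00Z", "user": "alice@example.com", "event": "download", "doc": "customer-list.csv"}
{"ts": "2014-05-09T02:17:30Z", "user": "alice@example.com", "event": "download", "doc": "board-deck.pptx"}
{"ts": "2014-05-09T10:00:00Z", "user": "bob@example.com", "event": "download", "doc": "expenses.xlsx"}
"""

BASELINE_END = datetime(2014, 5, 5)          # events before this train the baseline
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=10)


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines, skipping malformed ones instead of aborting the run."""
    events = []
    for line in text.splitlines():
        try:
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
        except (ValueError, KeyError, TypeError):
            continue
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events: List[dict]) -> Dict[str, Set[str]]:
    """Countries each user logged in from during the baseline window."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["ts"] < BASELINE_END:
            seen[e["user"]].add(e["country"])
    return seen


def detect(events: List[dict], baseline: Dict[str, Set[str]]) -> List[dict]:
    alerts = []
    downloads: Dict[str, deque] = defaultdict(deque)
    for e in events:
        if e["ts"] < BASELINE_END:
            continue
        known = baseline.get(e["user"], set())   # a user with no baseline is treated as all-new
        if e["event"] == "login" and e["country"] not in known:
            alerts.append({"rule": "new_country_login", "user": e["user"],
                           "ts": e["ts"].isoformat() + "Z", "country": e["country"],
                           "ip": e["ip"], "known": sorted(known)})
        elif e["event"] == "download":
            q = downloads[e["user"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > BURST_WINDOW:   # drop timestamps outside the window
                q.popleft()
            if len(q) >= BURST_COUNT:
                alerts.append({"rule": "bulk_download", "user": e["user"],
                               "ts": e["ts"].isoformat() + "Z", "count": len(q)})
                q.clear()   # one alert per burst
    return alerts


def run_detection(text: str = SAMPLE_LOG) -> List[dict]:
    events = parse_events(text)
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for a in run_detection():
        print(json.dumps(a))   # one JSON line per alert, ready for SIEM forwarding
```

The baseline is the part that makes this useful rather than noisy: the same RO login would be unremarkable for a user who normally works from there, and the alert carries the user's known countries so the analyst can judge it without a second lookup.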

24

Wisegate: Maturity Proportional to Confidence

Source: Wisegate IT Security Benchmark, Sept 2013

25

Areas of Security Interest: Early Results

Advanced authentication and identification schemes

App-centric firewalls and containers to protect data

Behavioral analytics to improve security, fraud

Continuous endpoint monitoring, orchestration, remediation

Continuous risk & compliance monitoring, reporting

Dashboards and analytics to communicate and share metrics

DevOps / security integrations to codify security

Holistic DLP, data encryption and key management

Malware protection without signatures

Mobile security to protect data anywhere

PKI and digital certificate management for authentication, encryption

Proactive / predictive attack detection, real-time response

Threat intelligence feeds, sharing

Source: Scale Venture Partners

26

Guidance to Security Vendors: Early Feedback

Be 10x better - provide superior customer value
– Look for disruptive technologies, approaches
– Interoperate with what I already have
– What can I turn off if I buy your thing?

Think API, integration first
– Defenders & DevOps: The future is automation, interoperability
– InfoSec staffing is hard, automation is a force multiplier
– No cheating: Build your GUI on your API

Model, measure, provide insights
– Security A/B testing, modeling allows safe experimentation
– Provide insights of current, continuous risk state
– Want to manage cloud risk better than legacy
– Good deployment strategies start with great migration strategies

Source: Scale Venture Partners

27

Increasing Confidence: Early Research Results

Security programs with higher maturity have more confidence
– Regulations help, but also
– Operational consistency
– Incorporating standardized frameworks (ISO, NIST)

Build what works for your company’s culture
– Culture trumps strategy
– There is no one, true “map”: Every program is different
– e.g. Endpoint-centric vs. network-centric // Block vs. monitor + respond

Create, market, share metrics with your peers
– Empowers teams that own responsibility for controls
– Encourages fact-based decision-making
– Communicates your program’s Business Impact

Source: Scale Venture Partners

28

Thank you!

Security-Research@ScaleVP.com

Bill Burns | Executive-In-Residence | Scale Venture Partners | Bill@ScaleVP.com | @x509v3
