Security in an Outsourced World
Brian Mork
CISO, Celanese
About Me
• CISO at Celanese
• Hacker / Security Aficionado
• Former RF engineer, US Navy Cryptographer, Software Developer, PenTester, etc.
• Father and Husband
Disclaimers
• I am not a lawyer
• The opinions expressed in this presentation are only warranted as my own
• I am not a lawyer
• While I have some ideas, I am very interested in yours as well
• I am not a lawyer
Rules of Engagement
• Interactive sessions are more beneficial to all than lectures
• If you have a question or comment, please let me know
• The standard rule applies: the only dumb question is one not asked
• There will be time for questions and discussions at the end as well
The Problems
• Compliance continues to grow
• Budgets vary with the news cycle
• Threats are evolving faster than defenses
• Tools to attack are cheap, to defend are expensive
• Decentralized computing removes (some) visibility
Growing Compliance
Name That Compliance Target
• HIPAA/HITECH
• PCI
• SOX
• FISMA
• GLBA
• FERPA
• EU DPD
• EU GDP
• PIPA
• ITA
Name That Framework
• ISO 27000 Series
• NIST SP-800 Series
• NIST CSF
• SSAE 16
• ISAE 3402
• CSC
• COBIT
• NERC
• ISA/IEC-62443
• IASME
• RFC 2196
Competing National Priorities
• US company doing business in Germany and China
• China requires high degree of reporting and monitoring
• Germany requires high degree of privacy protections
• The intersection of the two can be quite a challenge for multi-national corporations
Tracking It All
• Multitude of compliance targets, which vary per country and industry
• Difficult to track compliance across targets
• Frameworks -> Policies -> Processes -> Procedures
• Framework -> Compliance mappings exist
• Sourcing can make compliance easier, but requires upfront negotiation
Budget Variances
Source: SANS IT Security Spending Trends, Feb. 2016
• Budgets are normalizing towards the 5-7% range of IT spending overall
• Lower ends show significant improvements in security spend
• IT budgets are mostly remaining flat, and in some cases constricting
• Education remains a challenge both for personnel and spending
• It’s not a matter of if, but when… so why do we prioritize prevention?
• Staff training and certification is in the lowest tier of spending… are we doing enough?
• We spend more money responding to compliance requests than we spend on improving and automating
• Does this seem crazy to anyone else?
So Why Source?
• XaaS only works as a provider when there is commonality
• Commonality that doesn’t include default secure configurations increases overhead of incident response
• Price points can be powerful drivers to enhance overall security
• Proper outsourcing can result in outsourcing of risk as well -- IF -- proper diligence was performed in selecting the provider
Threat Evolution
Except That…
• Ideology isn’t motivating attacks, money is.
• The actual threat actors are now frequently masking their actions with commoditized attack vectors and techniques.
• Collective hacking is a concept espoused since Hackers, but has never really materialized.
“FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large.”
“We have no names, man. No names. We are nameless!”
– Cereal Killer
Leaving Us With
• The attackers have realized the economies of scale far faster than we have.
• They use well-defined services, including corporate level branding.
• They use viable, commodity attacks to defeat our defenses.
• Even when we’re told about the attacks, we often have to sort out exactly what the actual target was.
• “They know your network better than your staff do.”
Tool Costs
Let’s Compare
• How close do you think the attack versus defend costs really are?
• All of the following statements are based upon open source intelligence/pricing data for a company of 10,000 employees and are per-year costs unless otherwise noted.
Defense Tools
• Cost of industry-leading SIEM: $300,000
• Cost of industry-leading vulnerability scanning/management: $40,000
• Cost of industry-leading AV: $75,000
• Cost of industry-leading DDOS protection: $120,000
• Cost of industry-leading APT protection: $95,000
• Cost of industry-leading wireless attack detection/remediation: $25,000
• Cost of integration of all of above: $150,000
Attack Tools
• Cost of world-class wireless hacking tool: $0
• Cost of world-class extensible exploitation framework: $0
• Cost of world-class browser exploitation and automation tool: $0
• Cost of custom exploit with guaranteed AV bypass: $250
• Cost of world-class reverse engineering software suite: $1200
• Cost of world-class OSINT pivoting software: $800
• Cost of world-class DDOS botnet rental: $30/hr
Pricing and Support
• How much do you spend on just the tools themselves?
• How much do you spend on support?
• How frequently do you have to hire a third-party to review what the tool vendor setup?
• How frequently do you have to integrate two tools, and end up needing at least three representatives on the line to make all of that work… and how often when that occurs do the vendors point to one another as the culprit?
Why We’re Losing
• It’s cost prohibitive to defend
• When something works we monetize it instead of donating it
• We haven’t yet realized what the attackers do: we work better together
• We deal far too often in commodity while thinking it’s “APT” or “nation state”
• We use terms like “APT” to defend our reputations whenever a breach occurs
Decentralization
The New IT Landscape
• All of this drives us to XaaS solutions
• We outsource our hardware and call it IaaS
• We outsource our applications and call it PaaS
• We outsource everything and call it SaaS
• And the thing is, these are generally GOOD decisions… but how do we monitor them?
The Challenges of XaaS
• Every XaaS includes some mechanism to monitor the SLA/OLA performance
• Every XaaS includes some API that can magically give any data you want
• Most XaaS integrate with a few strategic partners, and if you happen to use their chosen partners, life is great
• Most XaaS offer very limited (non-paid) support to integrate with anyone else
How Did Netflix Succeed?
• They determined that their core focus was to get users watching content.
• They didn’t care what they watched that content on.
• They didn’t really care how many simultaneous users there were.*
• They aggressively developed integrations with every platform they could.
• They made their service a benefit to other companies/products, and freely available.

* Based upon personal experiences, not hard data
The Future
So How Do We Move Forward?
• Invest in our people. We ignore them at our peril.
• Foster deeper relationships and partnerships with our vendors.
• Vendor management is the new SIEM.
• Demand the same degree of cooperation between vendors that we expect from one another.
• Define what it is that we actually require. When a vendor can’t or won’t commit to that, have the courage to walk away.
Homework
• Create policies and requirements aligned to a common framework
• Establish standards for data consumption and document them
• Send your security teams out to more training
• Take your vendor management team out to lunch
• Support the vendor management team like they’re part of your team (they are)
• Don’t be afraid to share
The Takeaways
• Compliance can work for or against you
• Vendor management teams need to be your close allies
• We need to start sharing if we ever hope to overcome our adversaries
• The computing landscapes are getting both more complex and more secure
• Economies of scale are predicated upon partnership and trust
• Invest first in people, then in processes, then technology
Questions/Discussion
Thank you for your time and attention!
Credits
• https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697
• http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/