its time to grow up by eric c
TRANSCRIPT
P A G E
It’s Time To Grow Up
Eric Cowperthwaite
Vice President, Advanced Security & Strategy
Core Security
@e_cowperthwaite
They Say To Always Start With A Joke
• A duck walks in to a bar …
• See, that was a security joke!
We Suck
• The bad guys can go where they want and do what they want
• The good guys are reduced to fixing the damage, it seems
• Costs are in the $Billions
• CEOs, Boards are at risk
• President discussed cyber security in his State of the Union
Breaches, exploits, vulnerabilities … Oh My
• Low priority, seemingly innocuous
• Inappropriate connectivity
• Simple paths to critical assets
Just Give It Away
"99.9% of vulnerabilities are exploited more than a year after they were published, and in 2014, 90% plus of the CVEs exploited were published in 2007." – 2015 Verizon DBIR
It’s Real Money Now
• Target internal cost is $236 million
• Target credit card fraud estimate $1.2 - $2.2 billion
• Card replacement costs $400 million
• CEOs, CIOs and CISOs losing their jobs
Keeping Bad Guys Out Today
• Our current concept says:
− Scan and detect all vulnerabilities
− Prioritize system by system
− Patch immediately
• Is this working?
The Problem
• Thousands of servers, tens of thousands of endpoints
• Hundreds of pages of vulnerability reports, no easy way to prioritize
• Complex networks, no clear picture of how attackers will exploit it
• We are overwhelmed by data
It’s Time To Grow Up and Patch Stuff
• Do you know what vulnerabilities threaten your business?
− Are you able to respond effectively to them?
• Do you scan/patch haphazardly? For a compliance regulation? Or regularly driven by risk, internal policies?
• Can you list the top 100 (or even 10) threats to your critical assets?
− And create a plan to fix them?
• Do you know what attack paths through your network lead to sensitive data?
Let’s Talk About Growing Up
A View of a Security Program
A Model For Maturity
Maturity levels shown in the figure, least to most mature (matched to the five steps that follow):
• Non-existent
• Scanning
• Assessment & Compliance
• Analyze & Prioritize
• Attack Management
• Business-Risk Management
Phases labelled across the levels: Blissful Ignorance → Awareness & Early Maturity → Business Risk & Context. The figure marks "peak data overload" in the early levels and "effective prioritization" in the later ones.
What We Know About Your Maturity
Core Security's ongoing Maturity Survey results (120 respondents):
• 33% of respondents are at level 2 or below
• 52% of respondents are at level 3 or below
It’s Only A 5 Step Program
Step 1: Get the basics in order
Things to do:
• Acquire a vulnerability scanner
• Identify need to regularly scan
• Create emerging process for patching
Step 2: Begin actually managing vulnerabilities
Things to do:
• Establish processes
• Adopt compliance frameworks
• Implement basic prioritization to deal with data overload
• Create repeatable metrics
• Establish management lifecycle
• Conduct first penetration test
Step 3: Prioritization and formalized processes
Things to do:
• Move to risk-based patching vs compliance patching
• Advance basic prioritization
• Focus metrics on improving security
• Implement measurable processes
• Use penetration testing for validation
Step 4: Attacker focused
Things to do:
• Enhance metrics for security trends
• Build continuous processes
• Patch based on critical asset risk
• Address additional threat vectors
• Conduct formalized penetration testing via red teams
Step 5: Business-risk and vulnerability context
Things to do:
• Incorporate business goals into vulnerability management program
• Align business and IT security goals
• Consider deep vulnerability context and all threat-vectors
• Leverage vulnerability metrics as key risk indicators
What does this look like in practice?
Prioritized Attack Paths to Your Critical Assets
Attack Point → Web Application Server → Vulnerable Database → Critical Business Asset (e.g. credit card database)
Continuous Monitoring for Critical Vulnerabilities
• Scan routinely
• Absorb network change
• Correlate assets, network paths and vulnerabilities
• Correct unknown attack paths
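The two slides above (the attack path from an entry point to a critical asset, and the correlation of assets, network paths and vulnerabilities) and the Step 3/4 move from compliance patching to patching by critical-asset risk can be made concrete with a small model. The following is an added example, not code from this deck or from Core Security: it builds a constructed inventory of hosts with scanner findings and allowed network connectivity, searches for attack paths from an internet entry point to crown-jewel assets where every hop needs an exploitable vulnerability, and then compares the "patch by CVSS" order with a path-based order. It also finds the choke-point vulnerabilities whose removal closes every known path, and re-runs the analysis after a hypothetical patch, which is the same recomputation a rescan after a network change would trigger. All host names, vulnerability IDs (VULN-A to VULN-E), scores, criticality values and connectivity are constructed for illustration.

```python
"""Attack-path prioritization over a constructed asset graph (added example)."""
import copy
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    criticality: int                              # 1 (low) .. 5 (crown jewel)
    vulns: dict = field(default_factory=dict)     # vuln id -> (cvss, exploitable)


# Constructed inventory, not real scan output. "exploitable" stands in for
# "a working exploit exists / a pentest validated it" (the Step 3 validation point).
HOSTS = {
    "internet": Host("internet", 0),
    "web01":    Host("web01", 2, {"VULN-A": (7.5, True)}),
    "db01":     Host("db01", 5, {"VULN-B": (8.1, True)}),
    "print01":  Host("print01", 1, {"VULN-C": (9.8, True)}),
    "file01":   Host("file01", 3, {"VULN-D": (6.5, True), "VULN-E": (9.0, False)}),
}

# Allowed connectivity (e.g. derived from firewall rules): source -> reachable targets.
REACH = {
    "internet": {"web01", "print01"},
    "web01":    {"db01", "file01"},
    "file01":   {"db01"},
    "print01":  set(),
    "db01":     set(),
}


def exploitable_vulns(host):
    return [v for v, (_, ok) in host.vulns.items() if ok]


def attack_paths(hosts, reach, start="internet", critical_threshold=4):
    """Breadth-first search from `start`. A hop onto a host is only possible if
    that host carries an exploitable vulnerability. Returns (hosts, vulns) pairs
    for every simple path that ends on a critical asset."""
    found = []
    queue = deque([([start], [])])
    while queue:
        path, used = queue.popleft()
        for nxt in sorted(reach.get(path[-1], ())):
            if nxt in path:                      # keep paths simple, no cycles
                continue
            for v in exploitable_vulns(hosts[nxt]):
                step = (path + [nxt], used + [v])
                if hosts[nxt].criticality >= critical_threshold:
                    found.append(step)           # crown jewel reached: stop here
                else:
                    queue.append(step)
    return found


def rank_by_cvss(hosts):
    """'Compliance' order: highest CVSS first, no network or asset context."""
    cvss = {v: c for h in hosts.values() for v, (c, _) in h.vulns.items()}
    return sorted(cvss, key=lambda v: -cvss[v])


def rank_by_attack_path(hosts, reach, start="internet"):
    """Risk-based order: weight each vuln by the paths it enables to critical
    assets (shorter paths weigh more); vulns on no path fall back to CVSS."""
    cvss = {v: c for h in hosts.values() for v, (c, _) in h.vulns.items()}
    score = dict.fromkeys(cvss, 0.0)
    for _, vulns in attack_paths(hosts, reach, start):
        for v in vulns:
            score[v] += 1.0 / len(vulns)
    return sorted(cvss, key=lambda v: (-score[v], -cvss[v]))


def choke_points(hosts, reach, start="internet"):
    """Vulnerabilities present on every attack path: fixing any one of them
    closes all currently known paths to critical assets."""
    paths = [set(vulns) for _, vulns in attack_paths(hosts, reach, start)]
    return sorted(set.intersection(*paths)) if paths else []


def paths_after_patching(hosts, reach, vuln_id, start="internet"):
    """Re-run the analysis with one vulnerability removed: a 'what if I patch
    this' check, and the same recomputation a rescan after network change needs."""
    patched = copy.deepcopy(hosts)
    for h in patched.values():
        h.vulns.pop(vuln_id, None)
    return len(attack_paths(patched, reach, start))


if __name__ == "__main__":
    print("CVSS order:       ", rank_by_cvss(HOSTS))
    print("Attack-path order:", rank_by_attack_path(HOSTS, REACH))
    for hosts_on_path, vulns in attack_paths(HOSTS, REACH):
        print(" -> ".join(hosts_on_path), "via", vulns)
    print("Choke points:", choke_points(HOSTS, REACH))
    print("Paths left if VULN-C patched:", paths_after_patching(HOSTS, REACH, "VULN-C"))
```

On this constructed data the CVSS order puts the 9.8 on the isolated print server first, while the path-based order puts it behind the three findings that actually connect the internet to the card database; VULN-A on the web server and VULN-B on the database are choke points, so patching either one closes both known paths. The weighting (1 / path length, summed over paths) is a deliberately simple stand-in for whatever scoring a real program adopts; the point is that asset criticality and reachability, not CVSS alone, decide the order.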
Connect With The Business
• Understand critical business assets
• Unify IT and Security processes
• Measure in meaningful ways
• Break down silos
What stage are you? Where do you want to be?
What does this mean for your business?
• Operational efficiency
− High value assets redeployed to high value activities
• IT and the business are working together
− Patch and vulnerability management driven business decisions
− Critical assets are focused on, rather than "whack-a-mole" patching
• Reduced risk exposure
− Solves issues with regulators, audits, etc.
• Much less likely to be Home Depot, Adobe, or Healthcare.gov