Mork - CISO Summit USA 2016 - Security in an Outsourced World

Security in an Outsourced World, Brian Mork, CISO, Celanese

Uploaded by brian-mork, posted 20-Jan-2017

Page 1: Mork - CISO Summit USA 2016 - Security in an Outsourced World

Security in an Outsourced World
Brian Mork
CISO, Celanese

Page 2

About Me

• CISO at Celanese
• Hacker / Security Aficionado
• Former RF engineer, US Navy Cryptographer, Software Developer, PenTester, etc.
• Father and Husband

Page 3

Disclaimers

• I am not a lawyer
• The opinions expressed in this presentation are only warranted as my own
• I am not a lawyer
• While I have some ideas, I am very interested in yours as well
• I am not a lawyer

Page 4

Rules of Engagement

• Interactive sessions are more beneficial to all than lectures
• If you have a question or comment, please let me know
• The standard rule applies: the only dumb question is one not asked
• There will be time for questions and discussions at the end as well

Page 5

The Problems

• Compliance continues to grow
• Budgets vary with the news cycle
• Threats are evolving faster than defenses
• Tools to attack are cheap, tools to defend are expensive
• Decentralized computing removes (some) visibility

Page 6

Growing Compliance

Page 7

Name That Compliance Target

• HIPAA/HITECH
• PCI
• SOX
• FISMA
• GLBA
• FERPA
• EU DPD
• EU GDPR
• PIPA
• ITA

Page 8

Name That Framework

• ISO 27000 Series
• NIST SP 800 Series
• NIST CSF
• SSAE 16
• ISAE 3402
• CSC
• COBIT
• NERC
• ISA/IEC 62443
• IASME
• RFC 2196

Page 9

Competing National Priorities

• US company doing business in Germany and China
• China requires a high degree of reporting and monitoring
• Germany requires a high degree of privacy protection
• The intersection of the two can be quite a challenge for multi-national corporations

Page 10

Tracking It All

• Multitude of compliance targets, which vary per country and industry
• Difficult to track compliance across targets
• Frameworks -> Policies -> Processes -> Procedures
• Framework -> Compliance mappings exist
• Sourcing can make compliance easier, but requires upfront negotiation

Page 11

Budget Variances

Page 12

Source: SANS IT Security Spending Trends, Feb. 2016

• Budgets are normalizing towards the 5-7% range of overall IT spending
• The lower ends show significant improvements in security spend

Page 13

Source: SANS IT Security Spending Trends, Feb. 2016

• IT budgets are mostly remaining flat, and in some cases constricting
• Education remains a challenge, both for personnel and for spending

Page 14

Source: SANS IT Security Spending Trends, Feb. 2016

• It’s not a matter of if, but when… so why do we prioritize prevention?
• Staff training and certification is in the lowest tier of spending… are we doing enough?
• We spend more money responding to compliance requests than we spend on improving and automating
• Does this seem crazy to anyone else?

Page 15

So Why Source?

• XaaS only works for a provider when there is commonality
• Commonality that doesn’t include default secure configurations increases the overhead of incident response
• Price points can be powerful drivers to enhance overall security
• Proper outsourcing can result in outsourcing of risk as well -- IF -- proper diligence was performed in selecting the provider

Page 16

Threat Evolution

Page 17

Page 18

Except That…

• Ideology isn’t motivating attacks, money is.
• The actual threat actors are now frequently masking their actions with commoditized attack vectors and techniques.
• Collective hacking is a concept espoused since Hackers, but has never really materialized.

Page 19

“FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large.”

“We have no names, man. No names. We are nameless!”
– Cereal Killer

Page 20

Leaving Us With

• The attackers have realized the economies of scale far faster than we have.
• They use well-defined services, including corporate-level branding.
• They use viable, commodity attacks to defeat our defenses.
• Even when we’re told about the attacks, we often have to sort out exactly what the actual target was.
• “They know your network better than your staff do.”

Page 21

Tool Costs

Page 22

Let’s Compare

• How close do you think the attack versus defend costs really are?
• All of the following statements are based upon open source intelligence/pricing data for a company of 10,000 employees and are per-year costs unless otherwise noted.

Page 23

Defense Tools

• Cost of industry-leading SIEM: $300,000
• Cost of industry-leading vulnerability scanning/management: $40,000
• Cost of industry-leading AV: $75,000
• Cost of industry-leading DDoS protection: $120,000
• Cost of industry-leading APT protection: $95,000
• Cost of industry-leading wireless attack detection/remediation: $25,000
• Cost of integration of all of the above: $150,000

Page 24

Attack Tools

• Cost of world-class wireless hacking tool: $0
• Cost of world-class extensible exploitation framework: $0
• Cost of world-class browser exploitation and automation tool: $0
• Cost of custom exploit with guaranteed AV bypass: $250
• Cost of world-class reverse engineering software suite: $1,200
• Cost of world-class OSINT pivoting software: $800
• Cost of world-class DDoS botnet rental: $30/hr

Page 25

Pricing and Support

• How much do you spend on just the tools themselves?
• How much do you spend on support?
• How frequently do you have to hire a third party to review what the tool vendor set up?
• How frequently do you have to integrate two tools, and end up needing at least three representatives on the line to make all of that work… and how often, when that occurs, do the vendors point to one another as the culprit?

Page 26

Why We’re Losing

• It’s cost prohibitive to defend
• When something works we monetize it instead of donating it
• We haven’t yet realized what the attackers do: we work better together
• We deal far too often in commodity while thinking it’s “APT” or “nation state”
• We use terms like “APT” to defend our reputations whenever a breach occurs

Page 27

Decentralization

Page 28

The New IT Landscape

• All of this drives us to XaaS solutions
• We outsource our hardware and call it IaaS
• We outsource our platforms (the runtime under our applications) and call it PaaS
• We outsource everything and call it SaaS
• And the thing is, these are generally GOOD decisions… but how do we monitor them?

Page 29

The Challenges of XaaS

• Every XaaS includes some mechanism to monitor the SLA/OLA performance
• Every XaaS includes some API that can magically give any data you want
• Most XaaS integrate with a few strategic partners, and if you happen to use their chosen partners, life is great
• Most XaaS offer very limited (non-paid) support to integrate with anyone else

Page 30

How Did Netflix Succeed?

• They determined that their core focus was to get users watching content.
• They didn’t care what they watched that content on.
• They didn’t really care how many simultaneous users there were.*
• They aggressively developed integrations with every platform they could.
• They made their service a benefit to other companies/products, and freely available.

* Based upon personal experiences, not hard data

Page 31

The Future

Page 32

So How Do We Move Forward?

• Invest in our people. We ignore them at our peril.
• Foster deeper relationships and partnerships with our vendors.
• Vendor management is the new SIEM.
• Demand the same degree of cooperation between vendors that we expect from one another.
• Define what it is that we actually require. When a vendor can’t or won’t commit to that, have the courage to walk away.

Page 33

Homework

• Create policies and requirements aligned to a common framework
• Establish standards for data consumption and document them
• Send your security teams out to more training
• Take your vendor management team out to lunch
• Support the vendor management team like they’re part of your team (they are)
• Don’t be afraid to share

Page 34

The Takeaways

• Compliance can work for or against you
• Vendor management teams need to be your close allies
• We need to start sharing if we ever hope to overcome our adversaries
• The computing landscapes are getting both more complex and more secure
• Economies of scale are predicated upon partnership and trust
• Invest first in people, then in processes, then in technology

Page 35

Questions/Discussion

Thank you for your time and attention!