Brian FosterChief Security Officer – CSO as a Service

There is no bigger law firm in Australia than (Herbert Smith) Freehills and between 1996 and April 2016 Brian was responsible for the IT Security strategy and requirements of the firm.

ISO27001 is becoming the de-facto standard required for any large law firm – Brian led the HSF team to certification

Targa Tasmania 2016 – 2nd in Early Modern Category

The theme of this presentation is FOCUS. A Security Manager can spend hundreds of thousands of dollars on the best security devices money can buy –but if he has focussed on the wrong thing/wrong direction, then the expenditure can be effectively wasted. FOCUS on what it is you are setting out to protect

Brian knows all about FOCUS – that’s him in the Co-Drivers seat in this rally car in which he competes. If Brian loses Focus then the result can be catastrophic….

www.csoaas.com.au

CSO - THE ROLE AND RESPONSIBILITIES

• CSO – Chief Security Officer

The CSO is a senior level executive who deals with aligning areas such as security and business objectives and ensuring

that there is proper protection in place for information assets and technology.

Regulatory compliance, data privacy, implementing security strategy and designing security architecture, as well as

handling data privacy and working with others in the organisation to focus on business continuity are all key elements of

the role.

But most important of all, Security policies, standards and procedures (“PSPs”) form the backbone of any Information

Security Management System (ISMS). Although these PSPs are the most basic elements of an ISMS, they are also one of

the most challenging for many organisations to implement effectively. It is important that there is a structured approach

taken to the development, implementation and governance of a framework to ensure that it is effective

For growing enterprises, the need to keep costs to a minimum is understandable and many assume that their small size

means that they are likely under the radar for any passing cyber criminals looking to profit from a hack and they don’t

yet have anything much to protect. However, the reality is that every business has data from the minute it starts up and it

is the responsibility of the CSO to ensure that this message is not only relayed to the Board of Directors but that they

fully understand the implications to the business.

CSO - THE CHALLENGES

• Six Phases of Resilience

The convergence of people, business and things creates digital forces that is transforming business models. With much IT

activity now happening outside the IT department, organizations face critical issues regarding privacy, security, safety,

and risk.

The digital crime rate continues to climb as the bad guys innovate quickly and siphon massive amounts of private

information out of enterprises via their infrastructure. Traditional defenses such as antivirus and network firewalls have

failed to stop the continuous stream of breaches. Furthermore, regulatory and compliance standards are reactive and

too prescriptive...

It is the CSO’s role to lead the business in facing up to the challenge – and to do this, the CSO must adapt to a different

way of thinking

CSO - THE CHALLENGES

• Six Phases of Resilience

1. Move from Check-Box compliance to Risk-based thinking

Following a regulation, or a framework, or just doing what your auditors tell you to do, has never resulted in

appropriate or sufficient protection for an organization. “Risk-based thinking” is about understanding the major

risks the business is facing and prioritising controls and investments in security to achieve business outcomes. It

should be remembered (and understood) that being Compliant does not mean the business is Secure

2. Move from protecting the infrastructure to supporting organisational outcomes

It is still necessary to protect the infrastructure but the CSO also has to elevate the security strategy to protect the

things the business actually cares about.

3. Move from being the defender of the organisation to be the facilitator

The CSO must resist the temptation to tell the business what to do and decide how much risk is good for the

organisation. Instead of pushing back on business requests to move workloads to the cloud, for example, work

effectively with your business counterparts to negotiate appropriate levels of security

CSO - THE CHALLENGES

4. Move from controlling the flow of information to understanding how information flows

Digital business has introduced massive new volumes and types of information that must be understood and

appropriately protected. You cannot apply appropriate controls to protect information when you don’t know

where it is

5. Move from a technology focus to a people focus

Security technology has its limits and, therefore, it’s necessary to shape behaviour and motivate people to do the

right thing, not just try to force people to do what we want. A strategic approach to information security called,

“People-centric security,” emphasises individual accountability and trust, and de-emphasises restrictive,

preventative security controls.

For example, phishing is the initial infection vector of 80% of breaches. However, there are no totally effective

technical controls to this problem. When employees are motivated and understand the limitations of trust, the click

through rate on phishing emails dramatically drops.

6. Move from protection only to detect and respond

The disparity between the speed of compromise and the speed of detection is one of the starkest failures

discovered in breach investigations. In the digital world the pace of change is too fast to anticipate and defend

against every type of attack. Security professionals should acknowledge that compromise is inevitable.

It’s time to invest in technical, procedural and human capabilities to detect when a compromise occurs.

SECURITY BUDGETS – BANG FOR YOUR BUCK

What’s Important – What are you trying to protect…

Security budgets, just like any other budget, are under pressure. Given the present cyber security climate it is probably

easier than ever to convince a Board of Directors that there needs to be increased spending on cyber security but the

problem then is what to spend the $$s on.

To SIEM or not to SIEM, that is the question

Cyber Security is a 24x7x365 problem. Just about every organisation needs some form of cooperation to be effective

in this field. Don’t try and do it all yourself or you will most probably fail…

A Monitoring regime which cast a wide net, allied to a well trained response plan/team is the

most bang for your buck in 2016

Hewlett Packard’s Arcsight was the SIEM of choice of my Monitoring service but it is the task of a specialist to configure

the tool and the environment. Even as a fully experienced security professional, I do not consider myself sufficiently

skilled to be the sole authority on what Arcsight should be looking at in my environment.

Network devices generate H-U-G-E amounts of data, the majority of which is false positive. It is essential to

tune-out the noise or you will be paying too much (Events per Second is the usual licence model)

SECURITY BUDGETS – BANG FOR YOUR BUCK

IDS/IPS

So we just bought the latest and greatest IDS/IPS devices – phew. The initial configuration and tune is critical to the

success of IDS.

IDS/IPS is not a “Set and Forget” technology and these devices need two things to provide an effective layer of

security. The devices must be tuned to the network they monitor and tuned-in to the latest threats. It is a specialised field

which a good Managed Security Provider will include. IDS should be tuned at least once per month…

Remediation Plan

No matter how much an organisation spends on security technology and tools the adversaries lined up will almost

certainly find a way through and penetrate the network – if they have not already done so. Most organisations will

have a fully documented DRP (Disaster Recovery Plan) and or BCP (Business Continuity Plan) but how effective will the

plans be in a crisis. Part of the Security Budget should included the testing of the plans – you don’t want to discover a

deficiency in the plan when it is most needed

SECURITY BUDGETS – BANG FOR YOUR BUCK

Awareness Training

Cyber attackers have shifted their focus away from targeting computers and now they target PEOPLE.

Much has been written about “The Human Firewall” – I have written a whole series of blogs on my own web site

highlighting that people are the easiest of targets for an adversary (http://www.csoaas.com.au/blog/16-the-human-

firewall-the-human-o-s) and it is money well spent to promote Security Awareness Training in any organisation. But it

can’t be the old method of talking to the staff – telling them what they can’t do. The training has to be informative and

interactive because it is the Behaviour of the Staff that needs to be changed and you don’t get that result by following

yesterday’s doctrine.

THE INTERNET OF THINGS

The Internet of Things (IoT)

In an industry renowned for its “Buzz Phrases” and acronyms – here is another, The Internet of Things. I included my

Managed Print Solution when I think of an Internet of Things.

An MFP has an Operating System (now nearly always Windows based), huge computing power, huge storage, huge

memory. It’s always on, usually operates with a range of Administrator credentials, is LDAP aware and connects to

multiple VLANs at any one time. It has an email address and connects to the internet and very few people will give it a

second glance (unless it fails to print).

Well after all it is “Just a Printer”.

Nothing could be further from the truth. Because of its capabilities and because of how most people view them, an MFP

is one of the most potentially dangerous pieces of equipment on any network. They are seldom patched, have minimal

configuration applied to them and almost “Access all Areas”… It is not specifically the data on an MFP that may be

targeted, it is an entry point to the wider network

Fortunately there is a solution…