1 Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
“INTELLECTUAL PROPERTY PROTECTION IN THE DIGITAL COLLABORATIVE ERA”
Broadcom Corporation, October 27, 2015
Geoff Aranoff, Chief Information Security Officer
AGENDA
§ Broadcom Background
§ The Nature of Broadcom’s Assets
§ Security Threat Vectors
§ Our Approach to Investing in IP Protection
§ The Surrounding Ecosystem
§ CIO’s Summary Perspective
TECHNOLOGY LEADERSHIP FUELING CUSTOMER EXPANSION
Infrastructure & Networking Group
Broadband & Connectivity Group
COMPETITIVE ADVANTAGES
Unparalleled Chip Integration: StrataXGS® Tomahawk™ SoC; 7B transistors equals one for every person on earth
R&D Innovation: ~$2.4B annual investment; ranked #2 by Fortune in R&D intensity
World-class Engineering Talent: ~75% of employees in engineering; two employees on the “World’s Most Prolific Inventors” list
IP Portfolio Strength: #2 among fabless semiconductor companies; portfolio breadth
Sources: IEEE November 2014; Google Census 2014; Fortune 2014; Wikipedia 2015
SUSTAINED RECORD OF INTELLECTUAL PROPERTY INNOVATION
Issued patents, cumulative by year (numbers are rounded):
Year    Issued Patents
2001        70
2002       260
2003       460
2004       820
2005     1,630
2006     2,630
2007     3,490
2008     4,500
2009     5,350
2010     6,800
2011     8,600
2012    10,900
2013    12,900
2014    14,000
Total patents issued and pending: ~20,650
THE NATURE OF BROADCOM’S ASSETS
BROADCOM’S ASSET BASE
Our assets primarily take the form of:
• People & Skills
• Chip/Hardware Designs
• Software Functionality
• Customer Confidence
• Limited Inventory
We are only as successful as our next design win …
Intellectual property in the form of hardware designs and accompanying software
Minimal traditional bricks and mortar
No production facilities and minimal warehousing/distribution
Engineering laboratories and data center compute capacity
GLOBAL COLLABORATION ENABLES WORLD-CLASS PRODUCTS
World’s Most Advanced Ultra-HD STB SoC (28nm, >One Billion Transistors), built by design teams spread across sites:
Team A § 3D Graphics – Cambridge
Team B § Gb Ethernet – Irvine
Team C § Component A – Israel § Component B – San Jose § Component C – Vancouver § Component D – Irvine
Team D § Component E – Irvine § Component F – Irvine § Component G – Irvine § Component H – Tempe § Component I – Singapore
Team E § Memory Control § Audio DSP § Video Encoder § Audio I/O
Team F § Component J – Irvine
Team G § Video Processing § Transport § Video Encoder § Video Decoder § DDR Controller § SATA3
LEVERAGING IP SHARING TO ENHANCE DESIGN EFFICIENCY
Collaboration Is Part of the Broadcom Cultural Fabric
[Diagram: IP sharing flows among Product Line 1, Product Line 2, Product Line 3, Central Engineering and External Partners, with per-link counts ranging from 5 to 4,000+]
OVER 15,000 INSTANCES OF IP SHARING LAST YEAR!!
Broadcom’s IP Exchange Database Tracks all IP Check-Ins and Check-Outs
BROADCOM SECURITY THREAT VECTORS
SECURITY CONCERNS AT BROADCOM
• Electronic Design Images – Product Build Files are Rendered 100% in Software
• Sensitive Customer Information and Specifications
• Software Development Kits (SDKs)
• Loss of Proprietary Data Through Personnel Exits
• Contracts and Financial Information
• Physical Access and Property Security (Prototypes)
• Sensitive Employee Data
• International Workforce and Privacy Standards
Security must be “designed-in” to Broadcom products for marketplace success and brand protection
EVALUATING BROADCOM’S RISK
Over 20,000 Patents and Patents Pending
§ Multiple design teams to build a single IP stack
§ No single design flow standard to create intellectual property
§ Hardware and software design tools
Engineers Comprise Over 75% of the Global Workforce
§ Wider usage of cloud applications to enable better tools
§ Social media is pervasive
§ Intellectual property and privacy laws in 25 countries
High Profile Customers in Many Markets
§ Unique security requirements in many cases
§ 3rd party intellectual property protection
§ Sophisticated external and internal adversaries
31 Design Centers – Global Engineering
§ Custom design for some customers
§ Security cannot impact the performance of the engineering design tools
§ High risk regions
Risk areas rated on a Market Risk Level scale (L / M / H): Cloud Security, Mobile Devices, Data Governance, Cyber and Insider Threats, Collaboration
THE FACTS ABOUT CYBER
The number of Cyber incidents increases year over year
§ Loss of company proprietary and client data through cyber attacks
§ Damage to company brand
§ Loss of ability to function (Shipping, receiving, financials…)
§ Costs of remediation
External Cyber incidents account for 92% of all data compromises
§ Most attacks are utilizing variants of known hacking techniques
§ Spear phishing and web links
§ M&A and Partners
§ Compromised credential not the end goal
Most Cyber incidents are opportunistic in nature
§ Almost 80% of reported incidents are traced back to security weaknesses
§ Most attacks are not highly complex
§ Proper security practices strengthen a company’s defensive position
Motivations behind attacks vary
§ Financial gain
§ Competitive and economic advantage
§ Ideology (Hacktivists)
§ State sponsored sabotage
ACTIVE THREAT STATISTICS – 2015 YEAR TO DATE
Cyber Attacks: Broadcom is Attacked Daily
• ~287 malicious phishing attacks that bypassed technology phishing controls
• ~190,000 malicious attempts to communicate outside of Broadcom’s network were blocked
Insider Threat: Approximately 8,200 Engineers
• Over 71,000 user data transactions reviewed
• Over 437 deep dive reviews
• Multiple investigations conducted
M&A and Partner Activities
• Acquisitions: Ensuring Broadcom is not compromised by the acquired company
• Divestitures: Protecting valuable IP while separating divested data
• Partners: Do our partners protect our data as we do?
Control of User IDs
• Over 800 roles for all applications
• Centralized management and control
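The insider-threat numbers above describe a funnel: tens of thousands of IP check-out transactions from the IP Exchange Database are reviewed, a few hundred become deep-dive reviews, a handful become investigations. The script below is an added example of the triage step that produces such a deep-dive queue; it is not Broadcom's tooling. The audit-record schema, the sample users, the thresholds and the HR "exit notice" feed are all assumptions made for illustration. It scores three signals the deck calls out separately: check-out volume against the user's own baseline, breadth of check-outs across other teams' product lines, and check-outs by someone with a pending exit.

```python
"""Triage IP-exchange check-out records into a deep-dive review queue.

Added example, not Broadcom's tooling. The audit-record schema, the thresholds,
the sample users and the HR 'exit notice' feed are all assumptions made for
illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NOW = datetime(2015, 10, 27)      # review date
WINDOW = timedelta(days=7)        # recent period under review
BASELINE = timedelta(days=28)     # prior period that forms each user's own baseline


def checkouts(user, team, owner_team, start, days, per_day):
    """Construct `per_day` check-out records per day for `days` days (sample data)."""
    return [
        {"ts": start + timedelta(days=d, hours=h), "user": user, "team": team,
         "action": "checkout", "owner_team": owner_team}
        for d in range(days) for h in range(per_day)
    ]


# Constructed sample: a steady engineer, a team mate whose volume spikes in the
# last week, and a departing engineer pulling blocks owned by several other teams.
RECORDS = (
    checkouts("alice", "video", "video", NOW - timedelta(days=35), 35, 1)
    + checkouts("bob", "video", "video", NOW - timedelta(days=35), 28, 1)
    + checkouts("bob", "video", "video", NOW - timedelta(days=7), 7, 6)
    + checkouts("carol", "ethernet", "ethernet", NOW - timedelta(days=35), 35, 1)
    + checkouts("carol", "ethernet", "video", NOW - timedelta(days=5), 2, 2)
    + checkouts("carol", "ethernet", "graphics", NOW - timedelta(days=3), 1, 2)
    + checkouts("carol", "ethernet", "dsp", NOW - timedelta(days=2), 1, 1)
)
EXIT_NOTICES = {"carol"}          # assumed HR feed: users with a pending departure


def triage(records, exit_notices, now=NOW, volume_ratio=3.0, min_recent=5, foreign_teams=3):
    """Return users whose recent check-outs warrant a deep-dive review, most suspicious first.

    Three independent signals are scored:
      * volume   - recent check-outs >= volume_ratio x the user's own weekly baseline
      * breadth  - blocks pulled from >= foreign_teams teams other than the user's own
      * exit     - any recent check-out by a user with a pending exit notice
    """
    recent_start = now - WINDOW
    base_start = recent_start - BASELINE
    recent = defaultdict(list)
    baseline = Counter()
    team_of = {}
    for r in records:
        if r["action"] != "checkout":
            continue
        team_of[r["user"]] = r["team"]
        if recent_start <= r["ts"] < now:
            recent[r["user"]].append(r)
        elif base_start <= r["ts"] < recent_start:
            baseline[r["user"]] += 1

    weeks_in_baseline = BASELINE / WINDOW
    queue = []
    for user, rows in recent.items():
        reasons = []
        weekly_rate = baseline[user] / weeks_in_baseline
        n = len(rows)
        # A user with no history gets a floor of 1/week so a burst still stands out.
        if n >= min_recent and n >= volume_ratio * max(weekly_rate, 1.0):
            reasons.append(f"volume: {n} check-outs vs weekly baseline {weekly_rate:.1f}")
        foreign = {r["owner_team"] for r in rows if r["owner_team"] != team_of[user]}
        if len(foreign) >= foreign_teams:
            reasons.append(f"breadth: blocks from {len(foreign)} other teams {sorted(foreign)}")
        if user in exit_notices:
            reasons.append("exit: pending departure with recent check-outs")
        if reasons:
            queue.append({"user": user, "team": team_of[user], "recent": n, "reasons": reasons})
    queue.sort(key=lambda q: (-len(q["reasons"]), -q["recent"]))
    return queue


if __name__ == "__main__":
    for item in triage(RECORDS, EXIT_NOTICES):
        print(item["user"], item["recent"], *item["reasons"], sep=" | ")
```

On the constructed data the departing engineer ranks first on two signals (breadth and exit) even though her volume stays under the threshold, and the volume spike ranks second; the steady engineer never enters the queue. The point of the per-user baseline is that engineers legitimately differ by an order of magnitude in how much IP they touch, so a flat global threshold produces either noise or misses.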
OUR APPROACH TO IP PROTECTION
OK, SO WHAT DO WE DO?
§ Fostering executive awareness and agreement is half the battle
– Transparency is imperative – risks vs. active threats vs. cost of mitigation
– Continue to monitor the environment
§ Develop a strategic plan to address the risks
– Lack of a market solution is not an indication that there is no solution; consider all possibilities
– Prioritize risks with active threats in the wild
– Tie the progress of the plan to business objectives
– Be mindful that this is a long term, ongoing strategy
§ Participate in industry groups whenever possible
§ Ensure you have a team of security practitioners
– Technologists wear different goggles
– Practitioners are passionate about security
CONSIDER MULTIPLE CYBER INVESTMENT AVENUES
Partnerships
• Advanced threat intelligence
• Adversarial tactics
• Validation of strategies
Team Building
• Experienced practitioners
• Table top exercises
• Practice the plan
• Formal training
Infrastructure
• Internet access
• Network segmentation
• Endpoint management
Tools
• Advanced detection
• Endpoint controls
• Blocking
• Cyber forensics
• Data Loss Prevention (DLP)
Analysis
• Security Operations Center (SOC)
• Log consolidation
• Baseline normal traffic
• Data parsers and correlation
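The Analysis items (log consolidation, a traffic baseline, parsers and correlation) are what turn "~190,000 blocked outbound attempts" into detections rather than noise. As an added example, not Broadcom's tooling, the script below runs one such analysis over consolidated proxy logs: it groups connections per (source, destination) flow and flags flows whose inter-connection gaps are too regular to be a human, which is how a malware call-back (C2 beacon) looks even when it jitters its timer. The CSV log shape, the sample hosts, the allow-list and the thresholds are all assumptions; real proxy or DNS logs need their own parser, and the allow-list is exactly the "baseline normal traffic" the slide asks for, since legitimate agents and patch clients also beacon.

```python
"""Flag beacon-like outbound connections (periodic C2 call-backs) in proxy logs.

Added example, not Broadcom's tooling. The log lines are constructed in a simple
CSV shape (timestamp,src_ip,dst_host,bytes_out); the allow-list and thresholds
are assumptions. A real deployment would read proxy or DNS logs already
consolidated in the SOC and maintain the allow-list from the traffic baseline.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hosts known from the baseline to talk on a schedule (patch servers, agents, ...).
ALLOWLIST = {"patch.corp.example"}


def make_log(n=40):
    """Construct sample proxy log lines (not real traffic)."""
    rng = random.Random(7)                    # fixed seed: the sample is reproducible
    t0 = datetime(2015, 7, 8, 9, 0, 0)
    lines = []
    t = t0                                    # host A: 60 s beacon with +/-10 % jitter
    for _ in range(n):
        lines.append(f"{t.isoformat()},10.1.2.3,update-cdn.example.net,412")
        t += timedelta(seconds=60 * rng.uniform(0.9, 1.1))
    t = t0                                    # host B: bursty, irregular browsing
    for _ in range(n):
        lines.append(f"{t.isoformat()},10.1.2.4,news.example.com,{rng.randint(900, 90000)}")
        t += timedelta(seconds=rng.choice([1, 2, 3, 5, 120, 600, 1800]))
    t = t0                                    # host A: legitimate 60 s agent check-in
    for _ in range(n):
        lines.append(f"{t.isoformat()},10.1.2.3,patch.corp.example,2048")
        t += timedelta(seconds=60)
    rng.shuffle(lines)                        # consolidated logs are not sorted per flow
    return lines


def parse(line):
    ts, src, dst, nbytes = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(lines, min_hits=10, max_cv=0.2, allowlist=ALLOWLIST):
    """Return (src, dst) flows whose inter-connection gaps are too regular to be human.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between successive connections; jittered beacons still score low, while
    interactive browsing scores high.
    """
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, nbytes = parse(line)
        flows[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in flows.items():
        if dst in allowlist or len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        sizes = [n for _, n in events]
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "hits": len(events),
                "period_s": round(period, 1), "gap_cv": round(cv, 3),
                # near-constant request size is a second beacon tell
                "size_cv": round(pstdev(sizes) / mean(sizes), 3),
            })
    return sorted(findings, key=lambda f: f["gap_cv"])


if __name__ == "__main__":
    for f in find_beacons(make_log()):
        print(f)
```

Run without the allow-list and the scheduled patch check-in is reported alongside the real beacon, which is the practical lesson: the detection logic is simple, and most of the engineering effort goes into the baseline that suppresses expected periodic traffic so analysts only see the unexpected kind.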
INVEST IN CYBER CAPABILITY VERTICALS
Objective: Establish a comprehensive and sustainable enterprise wide Cyber Security strategy through:
• Multi-year program
• Optimizing the interplay of people, processes and technologies
• Real time threat protection
Program Pillars
Incident Response
✓ Formal Plans ✓ Forensics ✓ Cyber Tools ✓ Outside Partnerships
Standard Security Tools and Processes
✓ Patch Management ✓ Penetration Testing ✓ Vulnerability Testing ✓ DMZ Policies
Monitoring and Audit
✓ Security Operations Center (SOC) ✓ Data Correlation ✓ SOC Processing ✓ Metrics and Tracking
Situational Awareness
✓ Cross Functional Training ✓ Phishing Notifications ✓ Phishing Mailbox ✓ Executive Support
Architecture and Infrastructure
✓ Network Segmentation ✓ Network Access Control ✓ Internal Data Transactions ✓ IP Identifications ✓ Asset Identification
Identity Management
✓ Centralized Account Management ✓ Automated Account Management ✓ Identity Controls ✓ Access Controls
DEFINE A REALISTIC CYBER INVESTMENT TIMELINE
[Chart: Investment Dollars (0 to 15,000,000) by year, 2012–2018, against Cyber Sophistication Levels ($ to $$$$$). Phases: Analysis and Planning; Plan / Implement Phase I; Practice, Mature, Execute Next Phase]
SECURITY VENDOR SOLICITATIONS: JULY 8, 2015
• Is One of Your Employees Actually a Spy?
• Technology Brief: HP (NYSE: HPQ) – Intrusion Prevention Systems
• 5 Steps to Prepare Your Cyber Attack Communications & Response Plan
• You're Invited | Investigate Attacks Like Never Before
• A next-gen firewall can deliver more protection with less effort
• Video: The True Cost of a Data Breach
• The Cloud Security Knowledge Center
• Protect Against a Security Breach with Simple, Smarter Authentication (eGuide)
EMPLOYEE AWARENESS IS VITAL AND ESSENTIALLY FREE
[Image: Example of Phishing Awareness Memo]
THERE IS NO SUBSTITUTE FOR TALENT
§ Geoff Aranoff, CISO – Veteran of the US Marine Corps, BRCM CISO for 10 years, Chief Privacy Officer for 2 years, State Department MRPT Certified. Experience working with the US Government
§ Cyber Director – US Naval Reserve Officer with Federal Clearances, MS in Information Security, BS in Computer Science, CISSP, CEH, CISA, and GCIH
§ Cyber Manager – Veteran of the US Army, BS in Computer Information Systems, DOD Clearances. Certified Reverse Engineer (CREA), CEH
§ InfoSec Expert – 20 years Information Security experience, expertise in Cryptography, BS in Computer Science, BA in Business, CCNP+ Security, CCDA, CEH, and the Cisco-ARCH
§ Forensics Investigator – Orange County Sheriff’s Office Veteran in Homicide, SVU, and Computer Forensics. Managed FBI’s OC Chapter of the Regional Forensics Computer Lab, CFCE, IACIS, EnCE, ACE
§ Forensics Investigator – Orange County Sheriff’s Office Veteran, SVU, and Computer Forensics. FBI’s OC Chapter of the Regional Forensics Computer Lab, CFCE, IACIS, EnCE, ACE, CART
HOW DO YOU KNOW IF THE INVESTMENT WORKED?
Measuring Success – increased capability should translate to decreased times to detect and contain. A mature program will significantly decrease the systems exposed to attack.
Trends to Track
✓ Time to detect
✓ Time to contain
✓ Types of attacks
✓ Numbers of compromised systems
✓ Time to remediate
✓ Phishing numbers
✓ Call backs (C2) blocked
✓ Penetration Testing Statistics
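The trends above only become evidence that the investment worked when they are computed the same way every quarter from the incident register, with time-to-detect measured from first attacker activity (not from the ticket open time) and time-to-contain and time-to-remediate measured from detection. As an added example, not Broadcom's reporting, the script below derives those quarterly figures from a constructed register: the column layout, the incident IDs and all timestamps are invented for illustration, and a real register would come from the ticketing or SOC platform.

```python
"""Turn an incident register into the trend metrics a CISO reports on.

Added example, not Broadcom's reporting. The register columns and the sample
incidents below are constructed; a real register would come from the
ticketing or SOC platform.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed register: id, type, first attacker activity, detected, contained,
# remediated (ISO timestamps), and number of compromised systems.
INCIDENTS = [
    ("IR-01", "phishing",   "2015-01-05T08:00", "2015-01-19T08:00", "2015-01-21T08:00", "2015-01-28T08:00", 6),
    ("IR-02", "malware",    "2015-02-01T00:00", "2015-02-11T00:00", "2015-02-12T12:00", "2015-02-16T12:00", 3),
    ("IR-03", "credential", "2015-03-02T09:00", "2015-03-20T09:00", "2015-03-22T09:00", "2015-03-29T09:00", 2),
    ("IR-04", "phishing",   "2015-04-06T08:00", "2015-04-09T08:00", "2015-04-09T20:00", "2015-04-12T20:00", 2),
    ("IR-05", "c2",         "2015-05-04T10:00", "2015-05-08T10:00", "2015-05-09T10:00", "2015-05-12T10:00", 1),
    ("IR-06", "phishing",   "2015-06-01T07:00", "2015-06-03T07:00", "2015-06-03T13:00", "2015-06-05T13:00", 1),
    ("IR-07", "c2",         "2015-07-13T11:00", "2015-07-13T23:00", "2015-07-14T03:00", "2015-07-15T03:00", 1),
    ("IR-08", "phishing",   "2015-08-17T09:00", "2015-08-18T09:00", "2015-08-18T12:00", "2015-08-19T12:00", 1),
]


def quarter(ts):
    return f"{ts.year}Q{(ts.month - 1) // 3 + 1}"


def hours(start, end):
    return (end - start).total_seconds() / 3600


def metrics(incidents):
    """Per quarter (by detection date): incident count, median time-to-detect,
    time-to-contain and time-to-remediate in hours, compromised systems, and
    the mix of attack types."""
    buckets = defaultdict(lambda: {"ttd": [], "ttc": [], "ttr": [], "hosts": 0, "types": Counter()})
    for _id, kind, first, detected, contained, remediated, hosts in incidents:
        first, detected, contained, remediated = (
            datetime.fromisoformat(x) for x in (first, detected, contained, remediated))
        if not first <= detected <= contained <= remediated:
            raise ValueError(f"{_id}: timestamps out of order")
        b = buckets[quarter(detected)]
        b["ttd"].append(hours(first, detected))
        b["ttc"].append(hours(detected, contained))
        b["ttr"].append(hours(contained, remediated))
        b["hosts"] += hosts
        b["types"][kind] += 1
    return {
        q: {"incidents": len(b["ttd"]),
            "median_ttd_h": median(b["ttd"]),
            "median_ttc_h": median(b["ttc"]),
            "median_ttr_h": median(b["ttr"]),
            "compromised_systems": b["hosts"],
            "types": dict(b["types"])}
        for q, b in sorted(buckets.items())
    }


def improving(report, key):
    """True when the metric falls every quarter (lower is better for all of these)."""
    values = [report[q][key] for q in sorted(report)]
    return all(later < earlier for earlier, later in zip(values, values[1:]))


if __name__ == "__main__":
    report = metrics(INCIDENTS)
    for q, row in report.items():
        print(q, row)
    for key in ("median_ttd_h", "median_ttc_h", "median_ttr_h", "compromised_systems"):
        print(key, "improving" if improving(report, key) else "NOT improving")
```

Medians rather than means keep one long-running intrusion from masking the trend, and the ordering check rejects register entries whose timestamps were back-filled inconsistently, which is the usual reason a "time to detect" figure cannot be trusted.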
THE SURROUNDING ECOSYSTEM
INDUSTRY ACTIONS CAN TRIGGER INCREASED CYBER ACTIVITY
Industry Acquisition Announcements
“Intel (INTC) said it will buy fellow chip maker Altera (ALTR) for $54 a share in an all-cash transaction valued at approximately $16.7 billion that will allow it to expand beyond chips for personal computers into chips for smart cars and other newfangled technologies.”
- USA TODAY, June 1, 2015
Press Releases Pertaining to New Technology
“A breakthrough in the real-time observation of fuel cell catalyst degradation could lead to a new generation of more efficient and durable fuel cell stacks.”
- Autoblog.com, Toyota City, Japan, May 18, 2015
Publication of Contracts and Industry Awards
“The export version of General Atomics' Predator drone conducted a 40-hour test flight this week, according to Defense News, marking a record for the company's aircraft.”
- Washington Business Journal, February 13, 2015
INDUSTRY ACTIONS CAN TRIGGER INCREASED CYBER ACTIVITY (CONT’D)
Very Visible Legal Actions
“T-Mobile USA claims Chinese telecom giant Huawei Technologies stole its software, specifications and other secrets for a cellphone-testing robot nicknamed “Tappy” — and it’s not happy. In a lawsuit filed Sept. 2 in federal court in Seattle, T-Mobile says …”
- The Seattle Times, September 5, 2014
High Profile Events and Activities
“A month after hackers launched an attack on Sony Pictures, the fallout initially led the Hollywood studio to cancel the release of satirical comedy “The Interview,” which involves a plot to assassinate North Korean leader Kim Jong-un.”
- BBC NEWS, December 29, 2014
CAN WE COUNT ON THE GOVERNMENT TO HELP?
The U.S. Government is helpful once you’ve been targeted. The FBI is often a good source of support
Other agencies have specific agendas that primarily focus on Government contractors and their own organizational needs
The U.S. Government is challenged in working with multinational or overseas firms for obvious reasons
Lots of discussion today about facilitating sharing of information, but antitrust laws are complex and tend to work against all of us in most instances
You are still better off working with technically competent firms such as FireEye, Crowdstrike, PwC, Accenture and others to obtain timely support
GOVERNMENT IS SOMETIMES PART OF THE CHALLENGE
“The Office of Personnel Management included the findings in a statement Thursday on the investigation into a pair of major hacks believed carried out by China.
"The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases," the agency said of the second breach, which affected background investigation files.”
- Fox News, July 9, 2015
SUMMARY PERSPECTIVE
ASK YOURSELF: HOW SECURE IS YOUR PERIMETER?
WHAT SHOULD A CIO LOOK FOR AS INDICATORS OF ORGANIZATIONAL SECURITY AWARENESS?
When was the last comprehensive penetration test completed?
Are high quality passwords utilized by the workforce with mandatory password changes?
Are routine and thorough server and network gear software patching cycles pursued?
Complete instrumentation of Internet egress points?
Comprehensive firewall architecture employed?
Intelligent web application design, sans basic vulnerabilities?
Anti-phishing reminders and user awareness campaign?
How thoroughly have company acquisitions been integrated?
ADVANCED CONSIDERATIONS: CYBER AND INSIDER THREAT
There are more advanced markers of organizational success
§ Respected industry partners utilized
§ Well-defined security event escalation process engaged
§ SIEM tools and advanced Cyber detection capabilities employed
§ Proactive SOC operational
§ Mapped business process flows with identified vulnerabilities (ex. supply chain)
§ Thorough understanding of expected traffic patterns versus anomalies
§ Forensic and investigative capabilities available
§ Previous or current security clearances held by some team members
BOARD LEVEL EXPOSURE AND EXPECTATIONS
Is Cyber expertise represented on most Boards today?
§ Audit Committee stewardship is generally expected
§ Shareholder activist lawsuits have become common
§ ERM processes expose a full range of possible threat vectors
§ Many historical precedents exist across government and industry
§ A regular, open exchange with company leadership is warranted
§ Company managers can lose their jobs over Cyber events
The CIO / CISO has an obligation to promote Corporate Cyber Governance
THANK YOU!