Lessons Learned from 4,000 Security Assessments

Sadik Al-Abdulla, Security Practice Director, CDW


MY GOAL TODAY

Share learning from 4000+ security assessments

Provide tactical and strategic guidance to step towards truly adaptive security

Balancing IT Security


THIS ISN’T OUR BIGGEST THREAT…


OR THIS…


IT’S THIS!


AND THIS!

Source: APT1: Exposing one of China’s Cyber Espionage Units, Mandiant®, 2013


BY THE NUMBERS

“In 99% of the cases: someone else told the victim they had suffered a breach.” (Referring to POS intrusions) [1]

“Median number of days attackers were present on a victim network before they were discovered has gone from 365 to 229 to 146 days” [2]

1. 2014 Verizon Data Breach Report (DBIR), page 18
2. 2013 APT1, 2014 M-Trends, 2015 M-Trends Reports by Mandiant


THE DEFENSES ARE WORKING… BUT


SECURITY ASSESSMENT FINDINGS

4,000 assessments completed

100%: ability to gain access

<10%: access detected

0: times we tried to hide


TOP SECURITY ASSESSMENT FINDINGS

People/Process

#1: Insecure default configurations, gaps in patch discipline

#2: Bad passwords

#3: Arbitrary trusts

#4: Phishing, users like to click

Technology

#5: Application code issues

#6: Man in the middle

#7: Lack of encryption or porous implementation

#8: Mobile application vulnerabilities


TOP SECURITY ASSESSMENT FINDINGS

#1: Gaps in patch discipline


TOP SECURITY ASSESSMENT FINDINGS

#2: Bad passwords


TOP SECURITY ASSESSMENT FINDINGS

#3: Arbitrary trusts


TOP SECURITY ASSESSMENT FINDINGS

#4: Phishing, users like to click


DATA LOSS PREVENTION (DLP) ASSESSMENT FINDINGS

300+ assessments completed

100%: discovered sensitive information outside approved areas

86%: loss of sensitive information DURING THE ASSESSMENT PERIOD

95%: incidents that were accidental exposure or by well-meaning insiders

5%: incidents that were … not

80% email incidents, 12% web incidents


DLP ASSESSMENT 24-MONTH TRENDS

800% increase in upload violations (Dropbox, Skydrive, Google Drive, etc.)

2000% increase in mobile violations


I’ve tried to keep the company real about the fact that I could spend twice as much as I do today on security, and it doesn’t mean that we’re going to eliminate the risk. We might reduce it a bit, but I can’t give a good answer of how much. Compromise is a certainty.

…But I can limit the impact.

— Malcolm Harkins, CISO, Intel


MANAGING IMPACTS MEANS…

Accepting that breach is inevitable

Designing for post-breach detection

Designing to limit impacts

Planning for breach response


THREATS -> RISKS -> IMPACTS

Example: Malicious Outsider (threat) -> Data Loss (impact)


THE WAY WE USED TO THINK ABOUT IT…


THE $5 WRENCH


THE WAY WE NEED TO THINK ABOUT IT…

Identify, Protect, Detect, Respond, Recover

Applied across Networks, Devices and Data


LESSONS LEARNED

Rate of Occurrence

People & process require as much attention as technology

– Simplicity, flexibility and reinforcement are key

Over-controlling reactions generate greater systemic risk

Uncontrolled adoption creates enormous risk

Single Loss Expectancy

Time to detect/time to respond are key metrics

True segmentation is critical to limiting impacts

Data-centric controls are critical to limiting impacts


LESSONS LEARNED

Tactical Next Steps

Identify “check the box” activities, repurpose spend and cycles

Adopt TRUE segmentation

Revisit fundamentals for sensitive data management

Revisit fundamentals for identity management in a cloud-enabled world

Search out and revise overly and overtly restrictive policies

Start measuring time to detect / time to respond
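The last tactical step asks teams to start measuring time to detect and time to respond. The following is an added example (not material from the talk or from CDW) showing one way to derive those metrics from a handful of constructed incident records: dwell time from estimated intrusion start to detection, containment time from detection to containment, the share of breaches first reported by an outside party, and which incidents exceed a chosen dwell-time target.

```python
from datetime import datetime
from statistics import median

# Constructed sample incident records (not data from the talk). Each holds the
# estimated intrusion start, the detection date, who detected it, and the date
# containment was completed, all as ISO-8601 dates.
INCIDENTS = [
    {"id": "INC-1", "start": "2015-01-03", "detected": "2015-05-29",
     "detected_by": "external", "contained": "2015-06-12"},
    {"id": "INC-2", "start": "2015-02-10", "detected": "2015-02-24",
     "detected_by": "internal", "contained": "2015-02-26"},
    {"id": "INC-3", "start": "2014-11-20", "detected": "2015-04-01",
     "detected_by": "external", "contained": "2015-05-01"},
]


def _days(a, b):
    """Whole days between two ISO dates."""
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).days


def time_to_detect(inc):
    """Dwell time in days: intrusion start until detection."""
    return _days(inc["start"], inc["detected"])


def time_to_respond(inc):
    """Days from detection until containment."""
    return _days(inc["detected"], inc["contained"])


def metrics(incidents):
    """Median TTD/TTR and the share of incidents first reported externally."""
    ttd = [time_to_detect(i) for i in incidents]
    ttr = [time_to_respond(i) for i in incidents]
    external = sum(1 for i in incidents if i["detected_by"] == "external")
    return {
        "median_ttd_days": median(ttd),
        "median_ttr_days": median(ttr),
        "external_notification_share": external / len(incidents),
    }


def over_target(incidents, target_days):
    """IDs of incidents whose dwell time exceeded the target, for follow-up."""
    return [i["id"] for i in incidents if time_to_detect(i) > target_days]


if __name__ == "__main__":
    print(metrics(INCIDENTS))
    print("Over 30-day dwell target:", over_target(INCIDENTS, 30))
```

Tracking the same figures quarter over quarter is what turns the two numbers into the trend metric the talk recommends.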


LESSONS LEARNED

Strategic Next Steps

Measure and invest separately for:

– People, process, technology

– Before, during, after

Engage proactively; design OTHER IT projects securely

Build security governance and sponsorship cross-functionally

View and evangelize security as a process: break out of the “point in time” design and administration model


THANK YOU

Sadik Al-Abdulla

Security Practice Director

[email protected]