Lessons Learned from 4,000 Security Assessments
Sadik Al-Abdulla, Security Practice Director, CDW
MY GOAL TODAY
Share learning from 4000+ security assessments
Provide tactical and strategic guidance to step towards truly adaptive security
Balancing IT Security
THIS ISN’T OUR BIGGEST THREAT…
OR THIS…
IT’S THIS!
AND THIS!
Source: APT1: Exposing one of China’s Cyber Espionage Units, Mandiant®, 2013
BY THE NUMBERS
“In 99% of the cases: someone else told the victim they had suffered a breach.” (Referring to POS intrusions) [1]
“Median number of days attackers were present on a victim network before they were discovered has gone from 365 to 229 to 146 days” [2]
[1] 2014 Verizon Data Breach Investigations Report (DBIR), page 18
[2] 2013 APT1, 2014 M-Trends, 2015 M-Trends reports by Mandiant
THE DEFENSES ARE WORKING… BUT
SECURITY ASSESSMENT FINDINGS
4,000 assessments completed
100%: ability to gain access
<10%: access detected
0: times we tried to hide
TOP SECURITY ASSESSMENT FINDINGS
People/Process
#1: Insecure default configurations, gaps in patch discipline
#2: Bad passwords
#3: Arbitrary trusts
#4: Phishing, users like to click
Technology
#5: Application code issues
#6: Man in the middle
#7: Lack of encryption or porous implementation
#8: Mobile application vulnerabilities
DATA LOSS PREVENTION (DLP) ASSESSMENT FINDINGS
300+ assessments completed
100%: discovered sensitive information outside approved areas
86%: loss of sensitive information DURING the assessment period
95%: incidents that were accidental exposure or by well-meaning insiders
5%: incidents that were … not
80%: email incidents
12%: web incidents
DLP ASSESSMENT 24-MONTH TRENDS
800% increase in upload violations (Dropbox, SkyDrive, Google Drive, etc.)
2000% increase in mobile violations
I’ve tried to keep the company real about the fact that I could spend twice as much as I do today on security, and it doesn’t mean that we’re going to eliminate the risk. We might reduce it a bit, but I can’t give a good answer of how much. Compromise is a certainty.
…But I can limit the impact.
— Malcolm Harkins, CISO, Intel
MANAGING IMPACTS MEANS…
Accepting that breach is inevitable
Designing for post-breach detection
Designing to limit impacts
Planning for breach response
THREATS -> RISKS -> IMPACTS
Example from the slide: Malicious Outsider (threat) -> … -> Data Loss (impact)
THE WAY WE USED TO THINK ABOUT IT…
THE $5 WRENCH
THE WAY WE NEED TO THINK ABOUT IT…
Identify -> Protect -> Detect -> Respond -> Recover (the five NIST Cybersecurity Framework functions)
Applied across: Networks, Devices, Data
LESSONS LEARNED
The two headings below are the two factors of annualized loss expectancy (ALE = rate of occurrence × single loss expectancy): the first group of lessons reduces how often a breach happens, the second reduces what each breach costs.
Rate of Occurrence
People and process require as much attention as technology
─ Simplicity, flexibility and reinforcement are key
Over-controlling reactions generate greater systemic risk
Uncontrolled adoption creates enormous risk
Single Loss Expectancy
Time to detect / time to respond are key metrics
True segmentation is critical to limiting impacts
Data-centric controls are critical to limiting impacts
LESSONS LEARNED
Tactical Next Steps
Identify “check the box” activities, repurpose spend and cycles
Adopt TRUE segmentation
Revisit fundamentals for sensitive data management
Revisit fundamentals for identity management in a cloud-enabled world
Search out and revise overly and overtly restrictive policies
Start measuring time to detect / time to respond
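The deck names time to detect and time to respond as key metrics (in the Lessons Learned list) and tells you to start measuring them (here), but does not define them. As an added example, not code from the CDW deck or its author, the following Python computes both from an incident register: time to detect is dwell time (earliest forensic evidence of compromise to the moment the organization knew), time to respond is detection to containment. The CSV layout, the field names and the five records are constructed for illustration; the register format is an assumption, not a format the deck describes.

```python
# Added example, not code from the CDW deck: computing time to detect and
# time to respond from an incident register. The CSV layout, field names
# and the five records below are constructed for illustration.
import csv
import io
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, List, Optional

# Constructed register (in practice an export from the ticketing/IR system).
# Timestamps are ISO 8601 UTC; an empty contained_at means the incident is
# still open; detected_by says whether the organization found the intrusion
# itself or was told by an outside party (law enforcement, a card brand, a
# partner), the situation the deck's DBIR figure describes.
SAMPLE_REGISTER = """\
incident_id,compromised_at,detected_at,contained_at,detected_by
INC-0001,2015-01-10T08:00:00Z,2015-06-02T08:00:00Z,2015-06-09T08:00:00Z,external
INC-0002,2015-03-01T00:00:00Z,2015-03-04T00:00:00Z,2015-03-05T12:00:00Z,internal
INC-0003,2014-11-20T12:00:00Z,2015-07-15T12:00:00Z,2015-08-01T12:00:00Z,external
INC-0004,2015-05-05T06:00:00Z,2015-05-05T18:00:00Z,,internal
INC-0005,2015-02-14T00:00:00Z,2015-04-01T00:00:00Z,2015-04-03T00:00:00Z,external
"""


def parse_ts(value: str) -> Optional[datetime]:
    """Parse a UTC ISO 8601 timestamp; an empty field means 'not yet'."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_register(text: str) -> List[Dict]:
    """Read the constructed CSV layout into dicts, rejecting records that cannot be ordered in time."""
    incidents = []
    for row in csv.DictReader(io.StringIO(text)):
        inc = {
            "incident_id": row["incident_id"],
            "compromised_at": parse_ts(row["compromised_at"]),
            "detected_at": parse_ts(row["detected_at"]),
            "contained_at": parse_ts(row["contained_at"]),
            "detected_by": row["detected_by"],
        }
        # A record with detection before compromise is a data-quality bug, not a metric.
        if inc["detected_at"] < inc["compromised_at"]:
            raise ValueError(f"{inc['incident_id']}: detected before compromised")
        if inc["contained_at"] is not None and inc["contained_at"] < inc["detected_at"]:
            raise ValueError(f"{inc['incident_id']}: contained before detected")
        incidents.append(inc)
    return incidents


def _days(delta: timedelta) -> float:
    return delta.total_seconds() / 86400.0


def time_to_detect_days(inc: Dict) -> float:
    """Dwell time: earliest evidence of attacker presence to the moment the org knew."""
    return _days(inc["detected_at"] - inc["compromised_at"])


def time_to_respond_days(inc: Dict) -> Optional[float]:
    """Detection to containment; None while the incident is still open."""
    if inc["contained_at"] is None:
        return None
    return _days(inc["contained_at"] - inc["detected_at"])


def summarize(incidents: List[Dict]) -> Dict[str, object]:
    """Aggregate the per-incident figures into the numbers a programme would track over time."""
    ttd = [time_to_detect_days(i) for i in incidents]
    ttr = [t for t in (time_to_respond_days(i) for i in incidents) if t is not None]
    by_detector: Dict[str, List[float]] = {}
    for inc, t in zip(incidents, ttd):
        by_detector.setdefault(inc["detected_by"], []).append(t)
    return {
        "incidents": len(incidents),
        "open": len(incidents) - len(ttr),
        # Medians, not means: one multi-month intrusion would otherwise swamp the number.
        "median_time_to_detect_days": median(ttd),
        "max_time_to_detect_days": max(ttd),
        "median_time_to_respond_days": median(ttr) if ttr else None,
        "median_time_to_detect_by_detector": {k: median(v) for k, v in by_detector.items()},
        "external_notification_rate": sum(
            1 for i in incidents if i["detected_by"] == "external"
        ) / len(incidents),
    }


if __name__ == "__main__":
    for key, value in summarize(load_register(SAMPLE_REGISTER)).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary, or feed a real register export in the same layout. The hard field is compromised_at: it comes from forensics, not from the ticket, and it is what makes the dwell-time number comparable with the Mandiant medians quoted earlier in the deck. Tracking the split by detector separately shows whether the organization is finding intrusions itself or still being told by outsiders.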
LESSONS LEARNED
Strategic Next Steps
Measure and invest separately for:
– People, process, technology
– Before, during, after
Engage proactively; design OTHER IT projects securely
Build security governance and sponsorship cross functionally
View and evangelize security as a process: break out of the “point in time” design and administration model