Security Convergence – Gold Mines and Pitfalls Ryan Jones

Page 1: Ryan Jones - Security Convergence – Gold Mines and Pitfalls

Security Convergence – Gold Mines and Pitfalls

Ryan Jones

Page 2

Copyright Trustwave 2010 Confidential

A Little About Me

Ryan Jones

Employment history: Manager of Physical Security and Social Engineering Practice, Trustwave SpiderLabs. Previous places include Alternative Technology, IBM Security & Privacy, Safe Harbor, US West, .com’s. Red teaming, pentesting, business intelligence, etc.

Random other facts:

• Tiger Team, Exotic Liability podcast

Page 3

Security Convergence

Definition

Formal cooperation between two previously disjointed security functions

NOTE: This does NOT always mean an organizational chart change

Page 4

Technologies Used

You’ve seen it and probably not realized it

Smart cards – RFID, chip, etc.

IP Cameras

Access controlled doors

Physical Security Management systems

Page 5

Security Convergence

Quick History

Up until now, the typical corporate structure maintained two independent groups:

IT Security

• Confidentiality

• Integrity

• Availability

Physical Security (or Facilities)

• Badging process

• CCTV

• Fire and Police

• HVAC

Page 6

Security Convergence

Quick History

Separate but similar

Protecting data

Business continuity

Corporate asset protection

Life cycle of employee

Page 7

Security Convergence

Present

Why are we starting to see this change?

Need to cut costs

Corporate Compliance

Attackers taking path of least resistance

Blended threats

Gains in efficiency

Page 8

Benefits to Security Convergence

• A complete security strategy helps keep security goals in sync with business goals

• Single point of contact

• Information sharing increases

• More versatile staff

• Save money

Page 9

Security Convergence

This all sounds great!

So why are you giving this speech?

Page 10

Possible Pitfalls

• Single point of failure

• A network breach can now affect you physically as well

• People’s egos

• ‘I'm not going to do anything to hurt your system or inhibit your business processes. I'm here to protect you so our CEO isn't standing before a congressional committee someday explaining why credit reports are in front of some gym locker.’ – Mecsics @ Equifax

• Cultural differences

• Information sharing

Page 11

But wait… there’s more

• Combining of very different methodologies and capabilities

• Without proper evaluation of new tools and software, you can be introducing even more vulnerabilities and risks into your environment

• Long-term cost benefit is there, but the initial cost is very high:

training

hardware installation/upgrades

let’s not forget the cost in TIME

Page 12

Security Convergence

YOU HAVE TO PLAN!

This is not something you do because you read about it in a trade rag

This is not something you copy from what another company did

This is not something that will just plug and play into your organization

This is not something that will necessarily even work for your organization currently

This is not a quick fix for all your security problems

Page 13

Planning

Determine what style of merger will work best for YOUR organization

Policies and procedures will need to change

Make sure the right people are in the right jobs and are properly trained

Network design

Technology options

Pilot deployment

Obtain upper management support

Page 14

More Information

ASIS – http://www.asisonline.org

Alliance for Enterprise Security Risk Management – http://www.aesrm.org

ASIS, ISACA, and ISSA

Contact:

Ryan Jones

Twitter: lizborden

Email: [email protected]

Page 15

That’s it

QUESTIONS?