Security Convergence – Gold Mines and Pitfalls
Ryan Jones
Copyright Trustwave 2010 Confidential
A Little About Me
Ryan Jones
Employment History:
• Manager of Physical Security and Social Engineering Practice, Trustwave SpiderLabs
• Previous places include Alternative Technology, IBM Security & Privacy, Safe Harbor, US West, various .coms
• Red teaming, pentesting, business intelligence, etc.
Random other facts:
• Tiger Team, Exotic Liability podcast
Security Convergence
Definition
Formal cooperation between two previously disjointed security functions
NOTE: This does NOT always mean an organizational chart change
Technologies Used
You’ve seen it and probably not realized it
Smart Cards – RFID, chip, etc
IP Cameras
Access controlled doors
Physical Security Management systems
Security Convergence
Quick History
Up until now, the typical corporate structure has maintained two independent groups:
IT Security
• Confidentiality
• Integrity
• Availability
Physical Security (or Facilities)
• Badging process
• CCTV
• Fire and Police
• HVAC
Security Convergence
Quick History
Separate but similar
Protecting data
Business continuity
Corporate asset protection
Life cycle of employee
Security Convergence
Present
Why are we starting to see this change?
Need to cut costs
Corporate Compliance
Attackers taking path of least resistance
Blended threats
Gains in efficiency
Benefits to Security Convergence
• A complete security strategy helps keep security goals in sync with business goals
• Single point of contact
• Information sharing increases
• More versatile staff
• Save money
Security Convergence
This all sounds great!
So why are you giving this speech?
Possible Pitfalls
• Single point of failure
• A network breach can now affect you physically as well
• People’s egos
'I'm not going to do anything to hurt your system or inhibit your business processes. I'm here to protect you so our CEO isn't standing before a congressional committee someday explaining why credit reports are in front of some gym locker.' – Mecsics @ Equifax
• Cultural differences
• Information sharing
But wait… there’s more
• Combining of very different methodologies and capabilities
• Without proper evaluation of new tools and software, you may be introducing even more vulnerabilities and risks into your environment
• Long-term cost benefit is there, but initial cost is very high:
  training
  hardware installation/upgrades
  let’s not forget the cost in TIME
Security Convergence
YOU HAVE TO PLAN!
This is not something you do because you read about it in a trade rag
This is not something you copy from what another company did
This is not something that will just plug and play into your organization
This is not something that will necessarily even work for your organization currently
This is not a quick fix for all your security problems
Planning
Determine what style of merger will work best for YOUR organization
Policies and procedures will need to change
Make sure the right people are in the right jobs and are properly trained
Network design
Technology options
Pilot deployment
Obtain upper management support
More Information
ASIS – http://www.asisonline.org
Alliance for Enterprise Security Risk Management – http://www.aesrm.org
ASIS, ISACA, and ISSA
Contact:
Ryan Jones
Twitter: lizborden
Email: [email protected]
That’s it
QUESTIONS?