HOW MUCH SECURITY DO YOU REALLY NEED?
Wendy Nather @RCISCwendy
Research Director, Retail Cyber Intelligence Sharing Center (R-CISC)
Bogotá, 24 October 2016
INTRODUCTION
• The Great Mystery
• “Expense in Depth”
• Even the Experts Don’t Know – pricing out a security program
• A better framework – the Cyber Defense Matrix
• Trimming your current security portfolio
• Evaluating the risk in a way that works for you
MODELS FOR SECURITY SPENDING
• Benchmarking – what is everyone else doing?
• Compliance-driven spending
• Metrics-driven
• Evidence-driven
MODELS FOR SECURITY SPENDING
• Spend only what you need to until the next breach
• Keep spending until you run out of budget
• Have an unlimited budget
EXPENSE IN DEPTH (RICK HOLLAND)
• Security is a patchwork quilt, and you keep buying things to layer over the gaps
• Leads to overspending in some areas and underspending in others
• Overloading systems
EXPENSE IN DEPTH
• Dueling agents
• Prioritizing network decisions
• Cognitive and effort overload on your personnel every time you add something new
“I’M A NEW CISO. IT’S MY FIRST DAY ON THE JOB IN AN ORGANIZATION THAT HAS NEVER DONE SECURITY BEFORE. WHAT SHOULD I BUY?”
The Real Cost of Security, 451 Research, 2013
EVEN THE EXPERTS DON’T KNOW
• As few as 4 different technologies and as many as 31
• Everyone said “it depends,” including the vendors
¯\_(ツ)_/¯
EVEN THE EXPERTS DON’T KNOW
• The minimum baselines pretty much matched up to PCI, and included both firewalls and AV
• Budget could be off by as much as a factor of 4
• There’s still no guarantee you won’t get breached
CAN WE DO BETTER?
CYBER DEFENSE MATRIX
SOUNIL YU, [LARGE US FINANCIAL]
[Matrix figure: rows are the asset classes Devices, Applications, Network, Data and People; columns are the five functions Identify, Protect, Detect, Respond and Recover; the bottom axis, “Degree of Dependence,” runs from Technology on the left through Process to People on the right.]
LEFT AND RIGHT OF “BOOM”
[Same matrix figure (Devices, Applications, Network, Data, People × Identify, Protect, Detect, Respond, Recover; Degree of Dependence from Technology through Process to People), with the columns split into Pre-Compromise (Identify, Protect) and Post-Compromise (Detect, Respond, Recover).]
ENTERPRISE SECURITY MARKET SEGMENTS
[Same matrix figure, with enterprise market segments placed in its cells. Segments shown:]
• IAM
• Endpoint Visibility and Control / Endpoint Threat Detection & Response
• Configuration and Systems Management
• Data Labeling
• App Sec (SAST, DAST, IAST, RASP), WAFs
• Phishing Simulations
• DDoS Mitigation
• Insider Threat / Behavioral Analytics
• Network Security (FW, IPS)
• DRM
• Data Encryption, DLP
• IDS
• Netflow
• Full PCAP
• AV, HIPS
• Deep Web, Brian Krebs, FBI
• Backup
• Phishing Awareness
MARKET SEGMENTS – OTHER ENVIRONMENTS
• Threat Actor Assets: Threat Data, Intrusion Deception, Malware Sandboxes
MARKET SEGMENTS – OTHER ENVIRONMENTS
• Vendor Assets: Cloud Access Security Brokers, Vendor Risk Assessments
• Customer Assets: Endpoint Fraud Detection, Device Fingerprinting, Web Fraud Detection
• Employee Assets: BYOD MAM, BYOD MDM
See the rest of the slides at
https://www.rsaconference.com/events/us16/agenda/sessions/2530/understanding-the-security-vendor-landscape-using
Or Google for “RSAC Sounil Yu” ☺
TRIMMING YOUR SECURITY PORTFOLIO
• Why would you need to do that?
• Mergers and acquisitions leave redundant products in place
TRIMMING YOUR SECURITY PORTFOLIO
• Shelfware
(see Javvad Malik’s research at https://www.rsaconference.com/writable/presentations/file_upload/mash-t07a-security-shelfware-which-products-gathering-dust-and-why.pdf or just Google “Javvad Malik Shelfware”)
TRIMMING YOUR SECURITY PORTFOLIO
• Improving performance
• Simplifying
• Better integration and communication
• Better price
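The Cyber Defense Matrix slides above and the portfolio-trimming slides go together: once every product is tagged with the asset class and function it covers, the gaps, the cells with two products doing the same job (the post-M&A case), and the shelfware fall out mechanically. The script below is an added example, not part of the talk or of Sounil Yu’s material; the product names and the `in_use` flags are constructed, and the cell assignments are assumptions made for the sample, not a statement of where any real product belongs in the matrix.

```python
"""Map a security portfolio onto the Cyber Defense Matrix and report gaps,
duplicate coverage and shelfware. Added example; hypothetical products."""
from typing import Dict, List, Tuple

ASSET_CLASSES = ["Devices", "Applications", "Network", "Data", "People"]
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
PRE_COMPROMISE = {"Identify", "Protect"}            # left of "boom"
POST_COMPROMISE = {"Detect", "Respond", "Recover"}  # right of "boom"

Cell = Tuple[str, str]  # (asset class, function)

# Constructed sample portfolio with hypothetical product names. Each entry is
# tagged with the matrix cells it claims and whether anyone actually operates
# it. "FW-Beta" stands in for a firewall inherited through an acquisition.
PORTFOLIO: List[dict] = [
    {"name": "FW-Alpha", "cells": [("Network", "Protect")], "in_use": True},
    {"name": "FW-Beta (acquired)", "cells": [("Network", "Protect")], "in_use": True},
    {"name": "AV-Legacy", "cells": [("Devices", "Protect")], "in_use": True},
    {"name": "EDR-Suite", "cells": [("Devices", "Detect"), ("Devices", "Respond")], "in_use": True},
    {"name": "DLP-Box", "cells": [("Data", "Protect"), ("Data", "Detect")], "in_use": False},
    {"name": "PhishSim", "cells": [("People", "Identify"), ("People", "Protect")], "in_use": True},
    {"name": "Backup-Svc", "cells": [("Data", "Recover")], "in_use": True},
]


def build_matrix(portfolio: List[dict], include_unused: bool = True) -> Dict[Cell, List[str]]:
    """Return every (asset class, function) cell with the products that claim it.
    With include_unused=False, products nobody operates are dropped first, so
    the result shows what the portfolio does rather than what was bought."""
    matrix: Dict[Cell, List[str]] = {(a, f): [] for a in ASSET_CLASSES for f in FUNCTIONS}
    for product in portfolio:
        if not include_unused and not product["in_use"]:
            continue
        for cell in product["cells"]:
            if cell not in matrix:
                raise ValueError(f"{product['name']}: unknown cell {cell}")
            matrix[cell].append(product["name"])
    return matrix


def find_gaps(matrix: Dict[Cell, List[str]]) -> List[Cell]:
    """Cells no product covers, in row-major matrix order."""
    return [cell for cell, names in matrix.items() if not names]


def find_overlaps(matrix: Dict[Cell, List[str]]) -> Dict[Cell, List[str]]:
    """Cells claimed by more than one product: consolidation candidates."""
    return {cell: names for cell, names in matrix.items() if len(names) > 1}


def find_shelfware(portfolio: List[dict]) -> List[str]:
    """Products that are paid for but not operated."""
    return [p["name"] for p in portfolio if not p["in_use"]]


def boom_balance(matrix: Dict[Cell, List[str]]) -> Tuple[int, int]:
    """Count covered cells left and right of 'boom' to show whether spending
    leans toward prevention or toward detection and response."""
    pre = sum(1 for (_, f), names in matrix.items() if names and f in PRE_COMPROMISE)
    post = sum(1 for (_, f), names in matrix.items() if names and f in POST_COMPROMISE)
    return pre, post


if __name__ == "__main__":
    for label, include in (("as purchased", True), ("as operated", False)):
        m = build_matrix(PORTFOLIO, include_unused=include)
        print(f"--- coverage {label} ---")
        print("gaps:", len(find_gaps(m)), "of", len(m), "cells")
        print("overlaps:", find_overlaps(m))
        print("pre/post-compromise covered cells:", boom_balance(m))
    print("shelfware:", find_shelfware(PORTFOLIO))
```

Running it twice, once counting everything that was bought and once counting only what is operated, is the point: the second run is the honest picture of coverage, and the difference between the two is the “spending is not doing” gap.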
BEFORE YOU CUT TECHNOLOGY …
• Make sure you’re using it right
• Make sure you’re using it as fully as possible
• Talk to the vendor about its limitations and roadmap (or ask peers or an analyst)
BEFORE YOU CUT TECHNOLOGY …
• Decide whether you need to replace it
• Is it a greater liability to keep it and not use it, or not to have it at all?
BEFORE YOU CUT PEOPLE …
• Know what they’re contributing both in expertise and workload
• Expertise includes institutional knowledge
BEFORE YOU CUT PEOPLE …
• Remember cognitive workload: just because they have the time to squeeze in an extra task, it doesn’t mean they can give it the attention it needs
• Keep task priorities in mind – response mode keeps staff from being proactive
EVALUATING EFFECTIVENESS AND RISK
• Is it addressing a risk everyone can believe in?
CHEESEBURGER RISK MANAGEMENT
Sure, it might happen – but not for a long time
EVALUATING EFFECTIVENESS AND RISK
• How does it address the risk?
• Don’t say “it’s blocking millions of attacks,” because that makes Dave Lewis really angry
EVALUATING EFFECTIVENESS AND RISK
• What are you relying on technology to do, versus what you’re relying on people to do?
• Are you basing your security strategy on the hope that people will change?
YOUR MANAGEMENT’S FAVORITE METRICS
Time saved
Money saved
Performance improvements / availability
MATCHING MONEY WITH SECURITY
• Avoiding loss – but remember the probability discussion
• Allowing revenue generators to do it faster
• Saving time, which is money
MATCHING MONEY WITH SECURITY
• Helping the business make better decisions in other areas
• Providing a competitive advantage (but you’ll have to prove it)
• Losses may or may not happen, but other improvements will show themselves if you can measure them
GETTING BREACHED JUST MIGHT BE CHEAPER …
• Published research by Sasha Romanosky, RAND Corporation (August 2016)
• “Most cyber events cost firms less than 0.4% of their annual revenues”
GETTING BREACHED JUST MIGHT BE CHEAPER …
• By contrast, US firms lost an estimated 0.9% of their revenue to online fraud in 2013 (Cybersource 2013 Online Fraud Report)
(Which shows that breaches are being treated separately from fraud, so whatever)
GETTING BREACHED JUST MIGHT BE CHEAPER …
• Calculated that firms were spending an average of 0.025% of revenues on cybersecurity
• Half of cyber events cost a firm an amount approximately equal to its annual investment in IT security (i.e. within ±$1 million of investment).
Wait, what?
WHAT IF I TOLD YOU …
… that you may already be spending enough?
SPENDING IS NOT DOING
• You can be spending right, but doing it wrong
• You can be doing it right, but spending wrong
SOME KIND OF PYRAMID
Using security products
Understanding threats
Controlling changes
Knowing what you have and what it’s doing
SUMMARY
• There are many ways to evaluate your portfolio
• There’s no ground truth
• Identify the risks you can believe in
• Find the evidence that you’re addressing those risks
• Remember: it’s in the way that you use it