Broke, Not Broken
An Effective Information Security Program With a $0 Budget
The Hard Truth
You work in Michigan
Your company needs to innovate
Security itself is not strategic
You get no [new] money
The Harder Truth
All new technology is on the Internet
Your company is a monetizible target
Foreign competitors have your old IP
They’re going to get your new IP, too
Regulation +1
Business Alignment
What’s our strategy?
What does the CEO say it is?
What is the CIO/CFO/COO worried about?
What is IT spending money on this year?
Is your company spending lots of money on technology without IT involvement?
Risk = Impact x Likelihood
Internet-exposed systems
Core applications
Fraud / separation of duties
BCP / DR
OMG, are you in healthcare?!
VENDORS!!
Project Consulting
Go to where the money is being spent!
Give generously of your time
Focus on the project’s success
Architecture (or whatever)
Designs, roadmaps, or whatever
Don’t just produce ivory tower crap
Sprinkle liberally with buzzwords
Architecture (serious this time)
Future-forward capabilities
Data & network security design for IaaS
Secure API architecture for mobile apps
Secure standards
SDLC practices
Server build guides
Metrics
Security metrics are really hard
Risk metrics are the easiest to put together
Good metrics tell a story
Data drives decision-making
Deliverables
Risk Assessment
Architecture
Compliance
Metrics
Publish and Present
None of what you said helps
Incident Response
Your budget doesn’t matter
Dedicated time for investigating
Find your normal, look for anomalies
What to collect
Web filter / proxy logs
SMTP gateway logs
Firewall logs
NIDS (use Bro or Snort)
Edge router / Internet full packet capture
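The "find your normal, look for anomalies" step above, as an added worked example that is not part of the talk: a short Python pass over web proxy logs that builds a baseline of destinations and user agents from one day of ordinary traffic, then flags a second day's never-before-seen destinations, never-before-seen user agents, and client/destination pairs that talk on a fixed interval (beaconing). The log format is a constructed, simplified one (epoch, client IP, destination host, status, bytes, user agent), not the exact native format of any proxy, and both log samples are constructed for this example.

```python
"""Baseline-and-anomaly pass over proxy logs (added example, not from the talk).

Log format is a constructed, simplified one:
    <epoch> <client_ip> <dest_host> <http_status> <bytes> <user_agent...>
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample: one day of ordinary browsing used as the baseline.
BASELINE_LOG = """\
1356998400 10.1.1.10 www.example.com 200 5120 Mozilla/5.0 (Windows NT 6.1)
1356998460 10.1.1.11 mail.example.org 200 2048 Mozilla/5.0 (Windows NT 6.1)
1356998520 10.1.1.10 cdn.example.com 200 80000 Mozilla/5.0 (Windows NT 6.1)
1356998580 10.1.1.12 www.example.com 200 5100 Mozilla/5.0 (Windows NT 6.1)
1356998640 10.1.1.11 news.example.net 200 9000 Mozilla/5.0 (Windows NT 6.1)
1356998700 10.1.1.12 update.example.com 200 300 Windows-Update-Agent
"""

# Constructed sample: the next day, with one host beaconing every 5 minutes
# to a new destination using a user agent nobody else on the network has.
TODAY_LOG = """\
1357084800 10.1.1.10 www.example.com 200 5120 Mozilla/5.0 (Windows NT 6.1)
1357084800 10.1.1.13 c2.example.invalid 200 212 Mozilla/4.0 (compatible; MSIE 6.0)
1357085100 10.1.1.13 c2.example.invalid 200 212 Mozilla/4.0 (compatible; MSIE 6.0)
1357085400 10.1.1.13 c2.example.invalid 200 212 Mozilla/4.0 (compatible; MSIE 6.0)
1357085700 10.1.1.13 c2.example.invalid 200 212 Mozilla/4.0 (compatible; MSIE 6.0)
1357086000 10.1.1.13 c2.example.invalid 200 212 Mozilla/4.0 (compatible; MSIE 6.0)
1357086060 10.1.1.11 mail.example.org 200 2048 Mozilla/5.0 (Windows NT 6.1)
1357086120 10.1.1.12 update.example.com 200 300 Windows-Update-Agent
"""


def parse(log):
    """Split each line into a record; maxsplit keeps spaces inside the user agent."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, dst, status, nbytes, ua = line.split(maxsplit=5)
        records.append({"ts": int(ts), "client": client, "dst": dst,
                        "status": int(status), "bytes": int(nbytes), "ua": ua})
    return records


def build_baseline(records):
    """'Normal' = the set (with counts) of destinations and user agents seen."""
    return {"dsts": Counter(r["dst"] for r in records),
            "uas": Counter(r["ua"] for r in records)}


def find_anomalies(baseline, records, min_hits=4, max_jitter=0.1):
    """Return things not in the baseline plus fixed-interval (beacon-like) pairs.

    A (client, dst) pair is called a beacon when it has at least min_hits
    requests and the relative spread of the gaps between them is small
    (coefficient of variation <= max_jitter). Interactive browsing is bursty;
    malware check-ins are usually regular.
    """
    new_dsts = sorted({r["dst"] for r in records} - set(baseline["dsts"]))
    new_uas = sorted({r["ua"] for r in records} - set(baseline["uas"]))

    times = defaultdict(list)
    for r in records:
        times[(r["client"], r["dst"])].append(r["ts"])

    beacons = []
    for (client, dst), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, dst, round(avg)))

    return {"new_destinations": new_dsts,
            "new_user_agents": new_uas,
            "beacons": sorted(beacons)}


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for name, hits in find_anomalies(base, parse(TODAY_LOG)).items():
        print(name, hits)
```

In practice the baseline should come from several weeks of logs and the "new destination" list will be noisy on its own; the useful signal is the intersection (new destination, new user agent, and regular interval from the same host), which is what the sample above produces for 10.1.1.13.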
Incident Response
Commercial, yet free
ArcSight Logger L750B
Splunk Free License
Q1 Labs QRadar Free License
NetWitness Investigator
Open Source
Snort, Suricata
Snare, syslog-ng, OSSEC
Best Distro EVAR!
The best free thing right now
Microsoft EMET v4.0 is imminent (late, actually)
Managed via AD group policy (3)
By-process memory exploit protections
SSL/TLS cert pinning detection (4)
Error reporting to SCOM for mitigation alerts (4)
Other 2013 Security Initiatives
"Malware incidents demonstrated a noticeable peak in volume during the summer months of 2012. The significant fall of malware-related incidents beginning in November coincided with the deployment of the Microsoft Enhanced Mitigation Experience Toolkit (EMET), a new vulnerability mitigation tool that has been installed onto Priority Health user workstations. The highest volume of malware incidents in 2012 was in October with 14. In comparison the highest volume of malware incidents in any month in 2011 was 22. Botnet activity accounted for all of the malware incidents in October that could be identified, with the largest portion coming from an attack that used the compromised web server of a local TV station."
[Chart: IS Information Security Program, "2012 Security Case Category: Malware" (malware case counts per month, Jan through Dec 2012, y-axis 0 to 16)]
Shameless Promotions
I’m hiring! careers.spectrum-health.org
GRSec grsec.blogspot.com
GrrCON grrcon.org
Discussion
Email: [email protected] Twitter: @pmelson