![Page 1: Staying Ahead of the Security Poverty Line (or just ... · Staying Ahead of the Security Poverty Line (or just getting ahead in the first place) Andy Ellis Chief Security Officer](https://reader036.vdocuments.us/reader036/viewer/2022070902/5f53d33b947d387c6e07f4e6/html5/thumbnails/1.jpg)
Staying Ahead of the Security Poverty Line (or just getting ahead in the first place)
Andy Ellis, Chief Security Officer
@csoandy #HITB2012AMS
Thursday, May 24, 2012
©2012 Akamai Faster Forward TM
Security Poverty Line
Organizations that don’t have enough resources to implement perceived basic security needs.
Security Subsistence Syndrome: “I can’t even do the barest minimum to cover my ass, so I’d better not do anything but cover my ass.”
Accruing Technical Debt: With every step forward, the undone work increases risk and makes future steps harder.
Adding value: “measuring” a security program
Value = resources * capabilities
resources = time + money
capabilities = skill * effort * effectiveness
How much security is “good enough”?
(Chart, vertical axis: Security value. Labeled levels:)
“Perfect” security
What you need to fend off a nation state
“Good” security
Sufficient against the casual chaotic actor
Enough to convince a serious auditor
Enough to fool the standard auditor
What your organization thinks it can get away with
(Annotation: Where a good assessor can help you)
HD Moore’s Law
A rising tide lifts all boats...
Sufficient against the casual chaotic actor
Peltzman Effect: What your organization thinks it can get away with
Set-point theory of risk tolerance
Tolerance of perceived risk drives to a stable equilibrium
(Chart axes: Security value; Perceived risk)
Perceived Risk vs. Actual Risk
(Chart axes: perceived; actual. Labels: undisclosed breach; known vulnerability; “FUD”; stealth improvements; risk reduction; security theater)
Don’t beg for money ...
“We need to roll out FDE immediately! And DLP!”
“We need DDoS protection, right away!”
“And a WAF! And someone to look into our coding practices!”
... instead waste your crises ...
• And of course last but not LEAST a special From AKAMAI technologies yes sireee
• (you guys cant keep this kind of stuff under wrapps)
• (yes what if someone mass executed ping -f 6500 yahoo.com from your noc)
• (i dont think anyone could block 5000+ machines world wide)
• --
• [email protected]'s password: luxlacpconcaprevsiebsmdakanetwork24sdyoyo
• Got RSA key from '[email protected]' to macau.nocc.akamai.com with pass h4rdc0r3
... and effect long term change
What if you found an organization where every developer had a copy of the key used to gain root access to every production system?
On their desktop?
At home?
How would you fix this?
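An added example, not from the talk: before answering “how would you fix this?”, a defender needs to know how far such a key reaches. The Python below is mine, not Akamai’s or the speaker’s; it assumes an inventory mapping hostname to the contents of root’s authorized_keys, computes OpenSSH-style SHA256 fingerprints so findings can be matched against `ssh-keygen -lf` output, and reports any key accepted for root on more than one host. The key material and hostnames are constructed for the example.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# Key types OpenSSH accepts in authorized_keys (subset; enough for the example).
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(decoded key blob),
    the same value `ssh-keygen -lf` prints for the key."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint, comment) for each key line.
    Blank lines, '#' comments and unparsable lines are skipped; an optional leading
    options field (from="...", no-pty, ...) is tolerated by locating the key-type token."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or len(fields) < idx + 2:
            continue
        try:
            fp = fingerprint(fields[idx + 1])
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield fields[idx], fp, " ".join(fields[idx + 2:])


def shared_keys(inventory, min_hosts=2):
    """inventory: {hostname: contents of root's authorized_keys}.
    Returns {fingerprint: (sorted hosts, first-seen comment)} for every key that grants
    root on at least min_hosts hosts, i.e. the blast radius of one leaked key."""
    hosts_by_key = defaultdict(set)
    comments = {}
    for host, text in inventory.items():
        for _, fp, comment in parse_authorized_keys(text):
            hosts_by_key[fp].add(host)
            comments.setdefault(fp, comment)
    return {fp: (sorted(hosts), comments[fp])
            for fp, hosts in hosts_by_key.items() if len(hosts) >= min_hosts}


def ed25519_key_line(seed: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line from a constructed 32-byte value.
    Constructed for this example only; it is not a real key pair."""
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed inventory: one "deploy" key accepted for root on every host, plus per-host keys.
SHARED_LINE = ed25519_key_line(b"shared-deploy-key", "deploy@build")
INVENTORY = {
    "web01": SHARED_LINE + "\n" + ed25519_key_line(b"alice", "alice@laptop") + "\n",
    "web02": "# root authorized_keys\n" + SHARED_LINE + "\n",
    "db01": 'from="10.0.0.5" ' + SHARED_LINE + "\n" + ed25519_key_line(b"bob", "bob@laptop") + "\n",
}

if __name__ == "__main__":
    for fp, (hosts, comment) in shared_keys(INVENTORY).items():
        print(f"{fp}  ({comment}) grants root on {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against a real fleet, the inventory would be filled from configuration management or a read-only collection of each host’s root authorized_keys; the report then gives the list of hosts that must be re-keyed, and re-running it after the change confirms the shared key is gone.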
Security Awareness
The Problem:
• Auditors believe that if we just train everyone with a basic security education, then of course we’ll have no problems!
The Solution:
• Basic, standard security awareness, web-based, automated, simple.
• Targeted training, not exposed to auditors.
Third party security reviews
Define requirement → Evaluate vendors → Select vendor → Implement solution
Security evaluation (a box at each of four points along the process)
In later builds the evaluation boxes are relabeled one at a time: Vendor Hell; Auditor CYA; Scapegoat hunt
Thursday, May 24, 2012
![Page 68: Staying Ahead of the Security Poverty Line (or just ... · Staying Ahead of the Security Poverty Line (or just getting ahead in the first place) Andy Ellis Chief Security Officer](https://reader036.vdocuments.us/reader036/viewer/2022070902/5f53d33b947d387c6e07f4e6/html5/thumbnails/68.jpg)
©2012 AkamaiFaster Forward TM
Third party security reviews
Define requirement
Evaluate vendors
Select vendor
Implement solution
Vendor Hell Auditor CYA
Scapegoathunt
Business alignment
Thursday, May 24, 2012
Pages 69–70
Hunting for malware in a 10PB cloud
http://bitly.com/AkaVscan
http://www.flickr.com/photos/james_lumb/3921969141/
Pages 71–75
How easy is juggling?
Pages 76–79
Takeaway: Measuring security value
Value = resources × capabilities
resources = time + money
capabilities = skill × effort × effectiveness
Goal of any security program: dv/dt > 0
Below the Security Poverty Line, we see Security Subsistence Syndrome: relying on resources, not capabilities. Goal: dr/dt > 0
A good security program wants to create surplus. Goal: dc/dt > 0
Page 80
Questions, Answers, and Pontifications
Andy Ellis, [email protected]
@csoandy
http://www.csoandy.com/