smarter security - a practical guide to doing more with less

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or PTE15562 1/13 Omar Khawaja Smarter Security @smallersecurity

Upload: omar-khawaja

Post on 15-Jan-2015


DESCRIPTION

The problem of security keeps getting bigger - more vulnerabilities that can be exposed, information assets are more critical to the business and there are more threats trying to cause harm. Security budgets and resources are not growing at nearly the same pace. If this is indeed the case, there is only one solution - the security problem needs to be re-defined to be a smaller one - small enough that the enterprise has adequate levels of resources / budget to address.

TRANSCRIPT

Page 1: Smarter Security - A Practical Guide to Doing More with Less

Omar Khawaja

Smarter Security

@smallersecurity

Page 2: Smarter Security - A Practical Guide to Doing More with Less

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

1. MOST ORGANIZATIONS WORRY ABOUT EVERYTHING

THEORETICAL: Universe of bad things that can happen to anyone

Page 3: Smarter Security - A Practical Guide to Doing More with Less

2. IN REALITY, ONLY CERTAIN TYPES OF BAD THINGS ACTUALLY HAPPENED ACROSS ALL ORGANIZATIONS

ACTUAL: Bad things (color indicates frequency) that actually happened


Page 4: Smarter Security - A Practical Guide to Doing More with Less

3. SPECIFICALLY, WHICH BAD THINGS SHOULD YOUR ORGANIZATION BE WORRIED ABOUT?

THEORETICAL FOR YOU: bad things that are likely to happen to your organization if you have no protection in place (color indicates likelihood)


Page 5: Smarter Security - A Practical Guide to Doing More with Less

4. HOW WELL PROTECTED IS YOUR ORGANIZATION?

REALITY FOR YOU: bad things that are likely to happen to your organization given you have some protection in place (color indicates likelihood)


Page 6: Smarter Security - A Practical Guide to Doing More with Less

5. What is the desired state?

IDEAL FOR YOU: bad things that are likely to happen to your organization given you have sufficient protection in place (color indicates likelihood)


Page 7: Smarter Security - A Practical Guide to Doing More with Less

What’s under the hood?

Page 8: Smarter Security - A Practical Guide to Doing More with Less

VERIS


http://www.veriscommunity.net

Actor – Who did it?

Action – How’d they do it?

Asset – What was affected?

Attribute – How was it affected?

VERIS is an (open and free) set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
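How the four questions above turn incidents into something countable, as an added example that is not part of the original deck or Verizon's own tooling. The `Incident` class, the function names and the sample records are constructed for illustration, and the labels are simplified rather than the full VERIS enumerations.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Incident:
    industry: str
    actor: str      # Who did it?
    action: str     # How'd they do it?
    asset: str      # What was affected?
    attribute: str  # How was it affected?

def _mk(industry, actor, action, asset, attribute, n):
    # Helper: n identical constructed records
    return [Incident(industry, actor, action, asset, attribute)] * n

# Constructed sample data, not real incident records
INCIDENTS = (
    _mk("retail", "external", "hacking", "server", "confidentiality", 3)
    + _mk("retail", "external", "malware", "user device", "integrity", 1)
    + _mk("retail", "external", "physical", "terminal", "confidentiality", 1)
    + _mk("finance", "internal", "misuse", "server", "confidentiality", 2)
    + _mk("healthcare", "internal", "error", "media", "confidentiality", 1)
)

def rank_patterns(incidents, industry=None):
    """Rank (actor, action, asset, attribute) patterns by observed frequency.

    With industry=None this is the 'ACTUAL' view across all organizations;
    with an industry it narrows to the patterns relevant to one organization.
    """
    rows = [i for i in incidents if industry is None or i.industry == industry]
    counts = Counter((i.actor, i.action, i.asset, i.attribute) for i in rows)
    return [(p, n, n / len(rows)) for p, n in counts.most_common()]

def unaddressed(ranked, covered_actions):
    """Drop patterns whose action is already covered by a control in place."""
    return [row for row in ranked if row[0][1] not in covered_actions]

if __name__ == "__main__":
    for pattern, n, share in rank_patterns(INCIDENTS, "retail"):
        print(f"{share:5.0%}  {n}  {' / '.join(pattern)}")
    print(unaddressed(rank_patterns(INCIDENTS, "retail"), {"hacking"}))
```
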

Page 9: Smarter Security - A Practical Guide to Doing More with Less

1. MOST ORGANIZATIONS WORRY ABOUT EVERYTHING


THEORETICAL: Universe of bad things that can happen to anyone

Page 10: Smarter Security - A Practical Guide to Doing More with Less

2. IN REALITY, ONLY CERTAIN TYPES OF BAD THINGS ACTUALLY HAPPENED ACROSS ALL ORGANIZATIONS


ACTUAL: Bad things (color indicates frequency) that actually happened

Page 11: Smarter Security - A Practical Guide to Doing More with Less

3. SPECIFICALLY, WHICH BAD THINGS SHOULD YOUR ORGANIZATION BE WORRIED ABOUT?


THEORETICAL FOR YOU: bad things that are likely to happen to your organization if you have no protection in place (color indicates likelihood)

Page 12: Smarter Security - A Practical Guide to Doing More with Less

4. HOW WELL PROTECTED IS YOUR ORGANIZATION?


REALITY FOR YOU: bad things that are likely to happen to your organization given you have some protection in place (color indicates likelihood)

Page 13: Smarter Security - A Practical Guide to Doing More with Less

4. HOW WELL PROTECTED IS YOUR ORGANIZATION?


REALITY FOR YOU: bad things that are likely to happen to your organization given you have some protection in place (color indicates likelihood)

Page 14: Smarter Security - A Practical Guide to Doing More with Less

5. HOW DO YOU GET TO THE DESIRED STATE?


6 SECURITY SOLUTION AREAS:

• Data Protection

• Governance, Risk & Compliance

• Identity & Access Mgmt

• Investigative Response

• Threat Mgmt (MSS)

• Vulnerability Mgmt

Page 15: Smarter Security - A Practical Guide to Doing More with Less

5. HOW DO YOU GET TO THE DESIRED STATE? SOME SPECIFICS…


DBIR FINDINGS | VERIZON SOLUTIONS | WHY VERIZON?

71%: victim didn’t know how much data was stolen | Data Discovery (DDISC) | Scanned 100,000,000+ files and discovered 1,000,000,000+ targeted data elements

61%: payment card data was stolen | PCI Compliance | More PCI auditors (140+ QSAs) than any other firm in the world

100%: data was exfiltrated | Data Loss Prevention (DLP) | Led one of the largest DLP deployments in the world (400,000 seats)

92% of attackers were external | Managed Secure Enterprise Gateway (MSEG) | 7 SOCs on 4 continents manage security devices in 45 countries

52% of attacks involved Hacking | Vulnerability Scanning Service | Delivered 1500+ vulnerability mgmt engagements in past 3 years

76% of network intrusions exploited weak or stolen credentials | Universal Identity Services (UIS) | Manage digital identities in 50+ countries & for 25+ national governments

75% of all attacks were opportunistic (vs. targeted) | Security Mgmt Program (SMP) | SMP is the oldest security certification program in the industry

78% of attacks were of Low or Very Low difficulty

82%: discovered by External party | Rapid Response Retainer (RRR) | Handled 9 of the world’s 11 largest data compromise investigations

36%: took weeks or more to contain

78%: took weeks or more to discover | Incident Analytics Service (IAS) | Analyzed 2500+ data breaches involving more than 1 Billion records

Page 16: Smarter Security - A Practical Guide to Doing More with Less

WHAT DOES SMARTER SECURITY LOOK LIKE?


1. VERIS

2. DBIR

3. IAS (“Custom DBIR”)

4. Security Monitoring

5. Security Enforcement

STRATEGY BASED ON EVIDENCE

• Not FUD

DON’T START W/ PRODUCTS OR TOOLS

• Start with what’s worth protecting

DON’T DEPLOY THE SECURITY CONTROLS THAT SOUND COMPELLING

• Deploy the security controls you really need

DON’T FOCUS ON ALL THE DOTS

• Focus on the right dots

@smallersecurity

Page 17: Smarter Security - A Practical Guide to Doing More with Less

VERIZON’S SECURITY LEADERSHIP


INDUSTRY RECOGNITION

• Large & highly rated MSSP (Frost & Sullivan, Gartner, Forrester)

• Founding and Executive Member of Open Identity Exchange

• Security Consulting practice recognized as a Strong Performer (Forrester)

• ICSA Labs is the industry standard for certifying security products (started in 1991)

CREDENTIALS

• One of the largest PCI auditors (100+ QSAs) in the world

• Actively participate in 30+ standards / certification bodies, professional organizations and vertical specific consortia

• Personnel hold 40+ unique industry, technology and vendor certifications

GLOBAL REACH

• 550+ dedicated security consultants in 28 countries speak 28 languages

• Investigated breaches in 41 countries in 2011 and 2012

• 7 SOCs on 4 continents manage security devices in 45+ countries

• Serve 77% of Forbes Global 2000

EXPERIENCE

• Verizon’s SMP is the oldest security certification program in the industry

• Analyzed 2500+ breaches involving 1+ Billion records

• Manage identities in 50+ countries and for 25+ national governments

• Delivered 5000+ security consulting engagements in the past 3 years

ISO 9001

ISO 17025

@smallersecurity