RSA Security Summit London April 2014 – Keynote 2

The second keynote today was given by Dave Martin, VP & Chief Security Officer – EMC.

Tales From The Front Lines: Actionable Strategies for An Intelligence-Driven Security Program

This was a pretty good talk, covering at a high level a lot of topics;

The gap continues to widen!

–          Business wants faster, more agile, cheaper

  • But ‘keep us safe’
  • IT is not the only partner
  • IT is having an identity crisis (business can launch IT systems vis SaaS / PaaS etc without needing traditional IT involvement)
  • IT foundations are shaky

–          Technology change is relentless

  • Mobile, cloud, big data
  • Platforms, M&A

–          Changing compliance and standards

  • Privacy
  • Critical infrastructure

–          Attackers are getting smarter, sharing

  • Better and sharing than companies / law enforcement especially across geographic and political boarders
  • Training each other
  • Sold and free tools

Complexity will be the rule

–          Software defined Networks, data centres, everything!

–          Mobile really will be first – Pervasive access to everything, from everywhere, from everything

–          BYO… Device, Network, Data, Analytics, … Security

–          Commercial internet of things – everything from printers to vending machines want wired or wireless network and internet access.

Big is going to get bigger!

–          If you are not there already data is going to get big

  • Are you ready for this?

–          Traffic volume is going to get big

  • Can you build a big enough gateway?
  • Can you afford the internal bandwidth?
  • Will you see the traffic?
    • Will you be able to analyse and understand it??

You may hear that bandwidth is cheap, but can we scale it enough?

Monitoring and securing large bandwidth is not cheap – do your security and monitoring devices scale enough?

Can you really analyse and understand all the traffic?

What is normal?

What is abnormal / malicious?

How much traffic circumvents the main business gateways?  User with 3/4g modems, users working on their own devices connecting to cloud services?

 

The ‘Kill Chain’ now has a bad ending;

–          Recovering from a disruptive attack will mean going far beyond traditional resiliency

–          They will know your DR; failover is not enough!

–          How will you rebuild, restore when;

  • Your primary and DR is gone
  • 75% of your endpoints
  • DNS? AD?
  • Data is corrupted / compromised and this corruption is replicated to the DR copies

 

Ways to stay ahead..

Or maybe how not to drown!

Establish core tenets;

–          Traditional weapons are not going to work

  • Don’t be the cavalry, those are tanks

–          Raise the bar and don’t make it easy

–          Prevention in small doses, detection is key

–          What gives you visibility; makes you stronger (collect and analyse data)

–          When you detect, response is key (strong incident response process)

Be thoughtful and surgical;

–          Think closely about control decisions

  • What other behaviours are you encouraging or creating?
  • Are they worse than the original risk?
  • Carrots are more effective than sticks!

–          One size doesn’t fit all

  • Don’t boil the ocean
  • Perfection is a lost cause
  • How can we have the largest risk impact?
  • Target high value assets
    • Consider People, Process, Data, Geography
  • Largest population

Communicate and Educate;

–          Be transparent – let people know WHY

–          Make it personal

–          Do it often and with data

–          Business relationships

  • Change in the C suite
  • Power is shifting

Use leverage;

–          Our security teams are not growing!

  • ‘Trojan horse’ security projects;
    • SSO
    • Asset management
    • Change management
  • Embrace change- Make sure we are involved in defining requirements and design of new areas such as;
    • Automation
    • Mobility
    • Software defined
      • Networks
      • Data Centre

Areas of Focus;

Identity

–          Provisioning and onboarding

–          Role management

–          Map identity and log streams

–          Profiling; map users to

  • Devices
  • Applications
  • Systems
  • Behaviours

Data

–          DLP isn’t the final word

–          Consider data bankruptcy

–          Focus on visibility and analytics

  • High value asset
  • Point of creation or storage
  • Visibility at the large endpoint

–          Contain where possible – mobile and virtual

–          Leverage master data management programs

  • Define data owners and criticality

–          Evaluate data categorisation technology

Customer Experience

–          They have many choices and security isn’t on their list

  • Offer enterprise versions of consumer services

–          Can you trade experience for visibility?

–          Provide for safe, open access

–          Leverage SSO to better map identity

 

Supply chain and third party risk

–          Understand supply chains

–          Enforce contracted policies

  • Network Access Control

–          Reduce access

  • Virtual desktops
  • Review privilege

–          Third party risk services

Incident detection and response

–          Single UI and alerting for visibility – feed in data from controls, and add context

Resiliency and Recovery

–          Non traditional DDoS targets

–          Table top based on known attacks

Threat model based on existing Business impact analysis

These 2 keynotes were a great way to start the days presentations.

K

Security as a Service Implementation Guidance documents published!

The Security as a Service working group implementation guidance papers have now all been published and are available for free download from the Cloud Security Alliance website.

These provide a great overview of, and guidance around the 10 categories of security as a service that we identified last year.  The 10 documents have all been created using a standard template to ensure they are easy to use and understand.

Each document contains the following sections;

1. Introduction; Brief overview of the service, along with intended audience and the scope of the document.

2. Requirements Addressed; An overview of the business / security requirements that the service can address.

3. Considerations and Concerns; Details of areas to consider and potential risks / concerns when implementing the cloud based service.

4. Implementation Guidance; This section is the meat of the document providing guidance for anyone looking to implement the service usually including diagrams of example architectures or architecture components.

5. References and Useful Links; References used in the creation of the document and useful links for further research.

The documents and their download links are shown below;

Category 1 // Identity and Access Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat1-1.0.php

Category 2 // Data Loss Prevention Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat2-1.0.php

Category 3 // Web Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat3-1.0.php

Category 4 // Email Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat4-1.0.php

Category 5 // Security Assessments Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat5-1.0.php

Category 6 // Intrusion Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat6-1.0.php

Category 7 // Security Information and Event Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat7-1.0.php

Category 8 // Encryption Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat8-1.0.php

Category 9 // Business Continuity / Disaster Recovery Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat9-1.0.php

Category 10 // Network Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat10-1.0.php

If you are planning on implementing and of the Security as a Service categories, need to evaluate them, or just want to know more, please feel free to download these documents.  I hope you find them interesting and useful.

If you have any feedback for the documents don’t hesitate to provide it either via the comment section of this blog, or directly via the CSA website.  If you are interested in getting involved and contributing to the next steps of this research we are always looking for more volunteers!

Get involved via the ‘get involved’ link;

https://cloudsecurityalliance.org/research/secaas/#_get-involved

K