The second keynote today was given by Dave Martin, VP & Chief Security Officer – EMC.
Tales From The Front Lines: Actionable Strategies for An Intelligence-Driven Security Program
This was a pretty good talk, covering at a high level a lot of topics;
The gap continues to widen!
– Business wants faster, more agile, cheaper
- But ‘keep us safe’
- IT is not the only partner
- IT is having an identity crisis (business can launch IT systems vis SaaS / PaaS etc without needing traditional IT involvement)
- IT foundations are shaky
– Technology change is relentless
- Mobile, cloud, big data
- Platforms, M&A
– Changing compliance and standards
- Critical infrastructure
– Attackers are getting smarter, sharing
- Better and sharing than companies / law enforcement especially across geographic and political boarders
- Training each other
- Sold and free tools
Complexity will be the rule
– Software defined Networks, data centres, everything!
– Mobile really will be first – Pervasive access to everything, from everywhere, from everything
– BYO… Device, Network, Data, Analytics, … Security
– Commercial internet of things – everything from printers to vending machines want wired or wireless network and internet access.
Big is going to get bigger!
– If you are not there already data is going to get big
- Are you ready for this?
– Traffic volume is going to get big
- Can you build a big enough gateway?
- Can you afford the internal bandwidth?
- Will you see the traffic?
- Will you be able to analyse and understand it??
You may hear that bandwidth is cheap, but can we scale it enough?
Monitoring and securing large bandwidth is not cheap – do your security and monitoring devices scale enough?
Can you really analyse and understand all the traffic?
What is normal?
What is abnormal / malicious?
How much traffic circumvents the main business gateways? User with 3/4g modems, users working on their own devices connecting to cloud services?
The ‘Kill Chain’ now has a bad ending;
– Recovering from a disruptive attack will mean going far beyond traditional resiliency
– They will know your DR; failover is not enough!
– How will you rebuild, restore when;
- Your primary and DR is gone
- 75% of your endpoints
- DNS? AD?
- Data is corrupted / compromised and this corruption is replicated to the DR copies
Ways to stay ahead..
Or maybe how not to drown!
Establish core tenets;
– Traditional weapons are not going to work
- Don’t be the cavalry, those are tanks
– Raise the bar and don’t make it easy
– Prevention in small doses, detection is key
– What gives you visibility; makes you stronger (collect and analyse data)
– When you detect, response is key (strong incident response process)
Be thoughtful and surgical;
– Think closely about control decisions
- What other behaviours are you encouraging or creating?
- Are they worse than the original risk?
- Carrots are more effective than sticks!
– One size doesn’t fit all
- Don’t boil the ocean
- Perfection is a lost cause
- How can we have the largest risk impact?
- Target high value assets
- Consider People, Process, Data, Geography
- Largest population
Communicate and Educate;
– Be transparent – let people know WHY
– Make it personal
– Do it often and with data
– Business relationships
- Change in the C suite
- Power is shifting
– Our security teams are not growing!
- ‘Trojan horse’ security projects;
- Asset management
- Change management
- Embrace change- Make sure we are involved in defining requirements and design of new areas such as;
- Software defined
- Data Centre
Areas of Focus;
– Provisioning and onboarding
– Role management
– Map identity and log streams
– Profiling; map users to
– DLP isn’t the final word
– Consider data bankruptcy
– Focus on visibility and analytics
- High value asset
- Point of creation or storage
- Visibility at the large endpoint
– Contain where possible – mobile and virtual
– Leverage master data management programs
- Define data owners and criticality
– Evaluate data categorisation technology
– They have many choices and security isn’t on their list
- Offer enterprise versions of consumer services
– Can you trade experience for visibility?
– Provide for safe, open access
– Leverage SSO to better map identity
Supply chain and third party risk
– Understand supply chains
– Enforce contracted policies
- Network Access Control
– Reduce access
- Virtual desktops
- Review privilege
– Third party risk services
Incident detection and response
– Single UI and alerting for visibility – feed in data from controls, and add context
Resiliency and Recovery
– Non traditional DDoS targets
– Table top based on known attacks
Threat model based on existing Business impact analysis
These 2 keynotes were a great way to start the days presentations.