Taking Security Seriously
Going Above and Beyond Compliance
About me 
• I might be provoking you a bit 
• Father of 3, happily married. I live in Luxembourg 
• CIO for a Bank, and also independent IT/Infosec consultant and CIO-as-a-service. Any opinions here are my own and do not represent my employer.
• Contributor to @TheAnalogies project (making IT and Infosec understandable to the masses)
• Member of the I am the Cavalry movement – securing our bodies, minds and souls in the IoT
• @ClausHoumann 
• Find my work on slideshare
It’s late. WAKE UP 
• CEOs?
• CISOs?
• CIOs?
• CFOs?
• CTOs?
• COOs?
• Consultants?
Let’s get the FUD out of the way 
• FUD is Fear, uncertainty and doubt. 
• You will be presented with FUD by vendors, daily
• I’ll try not to FUD you. Focus on solution models.
Is security important? 
• Show of hands for:
– No 
– Maybe 
– Yes 
– Always 
– My compliance department keeps me safe 
Note to self: Remember to apologize in advance to any auditors present at this point.
Monopoly 
• Is compliance this? 
Is company X secure?
Compliance 
• Is 
• NOT 
• Security 
• Which any of you who ever attended a security conference will have already heard
• Compliance is preparing to fight yesteryear’s war
Auditor limitations 
• Auditors are easily distracted 
• Auditors are easily “information overloaded”
• Auditors go easy on you because they want to keep the audit contract
• Auditors can be persuaded to remove critical findings
• Auditors will let you pass in the end anyway
That being said 
• Compliance CAN plug holes for you 
• Compliance CAN set a minimum level of security for you
• Compliance does provide more security than nothing, especially if done right
• All this is nothing new, let’s move on
Example: PCI DSS
but 
• Target was compliant, Home Depot also.
• 97%+ of audits are successful
• Compliance is at the same time both simple (you can do it successfully) and complex (SO many things to be compliant with)
What is (most) compliance about then? 
Source: Accretive solutions, Gary Pennington
But as you see... no security. Fake security or, if you really like compliance, spotty/patchy security.
Security IS important 
• Why? 
• Don’t say you don’t know why.
It’s an asymmetrical conflict
X-wing
Want to beat asymmetricality?
• Creating awareness (risk management?)
• Increasing the security budget
• Justifying the investment when there are no/few real attacks/opponents
– It’s easier when you’re actually being attacked. But too late.
• Doing it right without attacks requires automation, red team testing, training -> all expensive
How 
• Identify potential attackers and profile them 
• Decrease attacker ROI below critical threshold
Mitigate risks 
Source: Dave Sweigert
Building an actual defense 
A few ideas exist 
• A scalable Defense in Depth (not defined sufficiently yet)
• A defensible security posture (Nigel Willson – nigethesecurityguy.wordpress.com)
• Breaking the “Cyber kill chain” (Lockheed Martin)
• Joshua Corman’s pyramid
Defense-in-Depth
Defense in Depth 
• You need to secure: 
– Internal systems 
– The Cloud 
– The Mobile user 
Sample protections added only, not the complete picture of course
Defend in depth, on all devices and networks 
• Example: PC defense includes:
– Whitelisting 
– Blacklisting 
– AV 
– Sandboxing 
– Registry defenses 
– Change roll-backs 
– HIPS 
– EMET 
– Domain policies 
– Log collection and review 
– MFA 
– ACLs/firewall rules
– Heuristics detection/prevention 
– DNS audit and protection
Defensible security posture via @Nigethesecurityguy
Cyber kill chain
Sources: Huntsman, Tier-3 & Lockheed Martin
Kill chain actions
Source: Nige the security guy = Nigel Wilson
Joshua Corman’s pyramid for going beyond compliance:
– Counter-measures
– Situational Awareness
– Operational Excellence
– Defensible Infrastructure
Pick the low hanging apples? 
• As your organization’s “Infosec level” matures, you may be able to pass or almost pass a pentest.
• Most low-hanging fruit has been “picked” already
• This makes it very hard for “them” to get in via hacking methods -> they will try malware next
And the unexpected extra win 
• Real security will actually make you compliant in many areas of compliance
Q & A 
• Ask me questions, or I’ll ask you questions
Sources used 
– http://www.itbusinessedge.com
– Heartbleed.com
– https://nigesecurityguy.wordpress.com/
– American Association for Justice
– http://www.slideshare.net/AffiniPay?utm_campaign=profiletracking&utm_medium=sssite&utm_source=ssslideview
– Accretive Solutions – Gary Pennington
– Joshua Corman and David Etue from RSAC 2014, “Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome”
– Lego / PCthreat
Thought Leader Global 2014 Amsterdam: Taking Security seriously -> Going beyond compliance
Editor’s Notes

  1. Original Model by Joshua Corman