This document discusses the importance of security over compliance and provides strategies for building an effective security posture. It argues that compliance focuses on past threats and does not ensure true security. Several models for security are presented, including defense in depth with layered protections across systems, following the cyber kill chain to disrupt attacks, and building a defensible security posture. Real security that goes beyond minimum compliance is needed to effectively defend against evolving threats.
2. About me
• I might be provoking you a bit
• Father of 3, happily married. I live in Luxembourg
• CIO for a Bank, and also independent IT/Infosec consultant and CIO-as-a-service. Any opinions here are my own and do not represent my employer.
• Contributor to @TheAnalogies project (making IT and Infosec understandable to the masses)
• Member of the I am the Cavalry movement – securing our bodies, minds and souls in the IoT
• @ClausHoumann
• Find my work on slideshare
3. It’s late. WAKE UP
• CEOs?
• CISOs?
• CIOs?
• CFOs?
• CTOs?
• COOs?
• Consultants?
4. Let’s get the FUD out of the way
• FUD is Fear, Uncertainty and Doubt.
• You will be presented with FUD by vendors, daily
• I’ll try not to FUD you. Focus on solution models.
5. Is security important?
• Show of hands for:
– No
– Maybe
– Yes
– Always
– My compliance department keeps me safe
Note to self: Remember to apologize in advance to any auditors present at this point.
7. Compliance
• Is
• NOT
• Security
• Which any of you who ever attended a security conference will have already heard
• Compliance is preparing to fight yesteryear’s war
8. Auditor limitations
• Auditors are easily distracted
• Auditors are easily ”information overloaded”
• Auditors go easy on you because they want to keep the audit contract
• Auditors can be persuaded to remove critical findings
• Auditors will let you pass in the end anyway
9. That being said
• Compliance CAN plug holes for you
• Compliance CAN set a minimum level of security for you
• Compliance does provide more security than nothing, especially if done right
• All this is nothing new, let’s move on
11. but
• Target was compliant, Home Depot also.
• 97%+ of audits are successful
• Compliance is at the same time both simple (you can do it successfully) and complex (SO many things to be compliant with)
12. What is (most) compliance about then?
Source: Accretive solutions, Gary Pennington
13. But as you see... no security. Fake security, or if you really like compliance, spotty/patchy security
17. Want to beat the asymmetry?
• Creating awareness (risk management?)
• Increasing the security budget
• Justifying the investment when there are no or few real attacks/opponents
– It’s easier when you’re actually being attacked. But too late.
• Doing it right without attacks requires automation, red team testing, training -> all expensive
18. How
• Identify potential attackers and profile them
• Decrease attacker ROI below critical threshold
20. Building an actual defense
A few ideas exist
• A scalable Defense in Depth (not defined sufficiently yet)
• A defensible security posture (Nigel Willson – nigethesecurityguy.wordpress.com)
• Breaking the ”Cyber Kill Chain” (Lockheed Martin)
• Joshua Corman’s pyramid
22. Defense in Depth
• You need to secure:
– Internal systems
– The Cloud
– The Mobile user
Only sample protections are shown here, not the complete picture of course
24. Defend in depth, on all devices and networks
• Example: PC defense includes:
– Whitelisting
– Blacklisting
– AV
– Sandboxing
– Registry defenses
– Change roll-backs
– HIPS
– EMET
– Domain policies
– Log collection and review
– MFA
– ACLs/firewall rules
– Heuristic detection/prevention
– DNS audit and protection
29. Pick the low-hanging apples?
• As your organization’s “Infosec level” matures – you may be able to pass or almost pass a pentest.
• Most low-hanging fruit has been “picked” already
• This makes it very hard for “them” to get in via hacking methods -> they will try malware next
30. And the unexpected extra win
• Real security will actually make you compliant in many areas of compliance
31. Q & A
• Ask me questions, or I’ll ask you questions
32. Sources used
– http://www.itbusinessedge.com
– Heartbleed.com
– https://nigesecurityguy.wordpress.com/
– American Association for Justice
– http://www.slideshare.net/AffiniPay?utm_campaign=profiletracking&utm_medium=sssite&utm_source=ssslideviewv
– Accretive Solutions – Gary Pennington
– Joshua Corman and David Etue from RSAC 2014, ”Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome”
– Lego / PCthreat