When a security program isn't as good as it should be it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual pen report. He’ll share a back-to-the-basics case study for removing complexity and running a simple, effective, start-up worthy security program. This Talk is for - Security Managers looking to better focus on the real vulnerabilities and more effectively communicate your progress The Goals of this talk – Find the real problems, create a formal plan, build support for the plan, and report the progress

1. Back to Basics
Information
Security
IT'S TIME TO OWN YOUR
VULNERABILITIES
“If you are still missing patch MS08-67, this talk is for you!”

2. I defend my companies
competitive advantage by helping
solve business problems through
technology to work faster and
safer.
Who is Jack Nichelson?
 Global Information Security Manager at GrafTech International
 15 years of experience in IT Security & Risk Management
 Active in the security community (DefCon, ShmooCon, DerbyCon)
 Teach Network Security and advise the BW CCDC team
“Solving Problems, is my Passion”
Introduction

3. 3
Problem Statement
“After a year of hard work implanting solutions, I just failed
another PEN test.”
Possibility #1:
 I must need more budget & resources
 I need more control over the systems &
data I need to secure
 I need more NextGen solutions &
consultants
Possibility #2:
 Maybe I am not focused on the right things
 Maybe I am trying to do too much at once
 Maybe I need a better way to show results
 Maybe I need to ask for help

4. 4
Good Advice
“Think about how you can simplify security – make it easy – and
focus on the basics.” - Dave Kennedy
Recommendations:
 Take a step back and read “REWORK”
 Remove complexity – Start small
 Start at the epicenter, on what won’t
change
 Focus on fewer problems that provide
bigger returns
 Build an audience
 Keep score & publish it (Good or Bad)

5. 5
What does good look like
Company's that were making the most improvement year over
year with there PEN tests had these things in common.
Common Trends of a good Security Program:
 Monthly or quarterly security awareness
training at all levels of the company
 Regularly assesses vulnerabilities and
report with action plans
 Strong project management to make sure
remediation gets done
 Well defined reporting that is tied to
performance goals
 Everyone in IT has responsibility for
meeting security goals

6. 4 Steps to get Focused
Align:
Build & execute
project plan
Identify:
Conduct analyses
that will give you
actionable insight
Communicate:
Build consensus
through awareness
Report:
Build a Scorecard
to show Results

7. Hype vs. Reality
Hackers Organized Crime State Sponsored
Higher Difficulty
~10% of incidents
Security Risks
• APT
• The “Cloud”
• Mobile Malware
• Big Data
• BYOD
Lower Difficulty
~90% of incidents
• Malware
• Phishing
• Missing Patches
• Missing Security Baselines
• Lost & Stolen Devices
• Poor Passwords

8. Identify – Looking for Actionable Metrics
Conduct analyses that will give you actionable insight that can be
translated into deliverable results.
1. Start at the epicenter & focus on what won’t change
2. Define the process of reporting & tracking security events by people and systems
3. Analyze the metrics collected to identify your top 3 incident types, by volume & time
4. Identify the root cause of each incident, and stack rank
Monthly Security Awareness Training
15 Day Patching Window
Egress Filtering (Block Ports 21, 80, 443)
Remove Java
Malware Metrics
• # of Detections
• # of Infections
• # of Re-Images
Malware Root Cause
• Filter Failed
• Missing Security Baselines
• Web Based Infections
• Java Based Infections
• Missing Patches
Phishing Metrics
• # of Detections
• # of User Reports
• # of Infections
Phishing Root Cause
• Filter Failed
• Lack of Awareness
• Web Based Infections
• Java Based Infections
• Adobe Based Infection
Patching Metrics
• # of Desktops by Location
• # of Servers by Location
• # Missing Patches by Year
Patching Root Cause
• SCCM Agent Failed
• Admin Failed to Patch
• Legacy System
• Missing 3rd Party Patch
• Poor Assist Inventory

9. 9
Align – Manage like you own the problem
Build & Execute project plans to drive for results & share
successes
 Investing more time in project planning and due diligence,
time spent defining the problem is NEVER time wasted
 Write a Project Charter, clearly state the scope, objectives,
participants and success measurements
 Create a Work Breakdown Structure to graphical represent
the project scope, broken down in successive chunks with
defined deliverables
 Pay close attention to the human factor and involve your
team in the planning process
 Hold regular project meetings & publish the progress

10. 10
Communicate – Build consensus through awareness
“It’s hard to overstate the importance of effective
security awareness & communication”
 If you do not define the key issues and challenges for
your security program, chances are that others will
 Get out in front of how security is perceived,
understood and supported at every level
 Good security awareness not only lowers your risks but
also help users and management accept change
 When an understanding that security is here to help –
the culture changes & Adoption of security occurs
 Craft crisp messages that can help your audiences
internalize and quickly accept your information

11. 11
Reporting - Think like a CFO
Think like a CFO, so you can deliver results the business can
understand.
Reporting good data is the best way to show that
Security is a business enhancement.
 Make Heroes, when people starts with an A+ they
will fight harder to keep it
 Define the metrics to measure and assess security’s
performance
 Metrics are the lifeblood to make any good decision
 Create a Security Scorecard so you have a standard
way for communicating your progress to anyone
 Report the value of security activities to a wide range
of security consumers

12. Gemba Board -Where value is created
Gemba (現場) is a Japanese term referring to the place where value
is created. The idea of Gemba is that the problems are visible, and
the best improvement ideas will come from going to the Gemba.

13. Current State - Proof is in the results
“Good security is not something you have, it’s something you do”
-Wendy Nather
13
Accomplishments:
 Think Before You Click –Awareness Program
 Patches applied within 15 Days on 95% of
devices
 Full egress filtering only allowing access out
to internet through proxy
 Removed Java from 85% of Workstations
 Security Baselines on 90% of servers
 Enforced password policy with 10 character
minimum, with password self-service reset
 Encryption of all mobile Workstations &
Phones
 Disabled local Admin on all servers

14. 14
What’s next – Protect the King!
Once you have the basics covered, it time to start focusing on
protecting the King “Your Data”.
“Risk Management is about separating your
kings from your pawns” – Chris Clymer

15. Summary– Key Takeaways
Align:
Build & execute
project plan
Identify:
Conduct analyses
that will give you
actionable insight
Communicate:
Build consensus
through awareness
Report:
Build a Scorecard
to show Results

16. Special Thanks to Dave Kennedy

17. What Questions are there?
Jack Nichelson
E-mail: Jack@Nichelson.net
Twitter: @Jack0Lope