When a security program isn't as good as it should be, it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual pen test report. He’ll share a back-to-the-basics case study for removing complexity and running a simple, effective, start-up-worthy security program.
This talk is for: security managers looking to better focus on the real vulnerabilities and more effectively communicate their progress
The goals of this talk: find the real problems, create a formal plan, build support for the plan, and report the progress
Information Security - Back to Basics - Own Your Vulnerabilities
1. Back to Basics
Information Security
IT'S TIME TO OWN YOUR VULNERABILITIES
“If you are still missing patch MS08-067, this talk is for you!”
2. I defend my company's competitive advantage by helping solve business problems through technology to work faster and safer.
Who is Jack Nichelson?
Global Information Security Manager at GrafTech International
15 years of experience in IT Security & Risk Management
Active in the security community (DefCon, ShmooCon, DerbyCon)
Teach Network Security and advise the BW CCDC team
“Solving Problems, is my Passion”
Introduction
3. Problem Statement
“After a year of hard work implementing solutions, I just failed another pen test.”
Possibility #1:
I must need more budget & resources
I need more control over the systems &
data I need to secure
I need more NextGen solutions &
consultants
Possibility #2:
Maybe I am not focused on the right things
Maybe I am trying to do too much at once
Maybe I need a better way to show results
Maybe I need to ask for help
4. Good Advice
“Think about how you can simplify security – make it easy – and
focus on the basics.” - Dave Kennedy
Recommendations:
Take a step back and read “REWORK”
Remove complexity – Start small
Start at the epicenter, on what won’t
change
Focus on fewer problems that provide
bigger returns
Build an audience
Keep score & publish it (Good or Bad)
5. What does good look like
Companies that were making the most improvement year over year on their pen tests had these things in common.
Common Trends of a good Security Program:
Monthly or quarterly security awareness
training at all levels of the company
Regularly assess vulnerabilities and report with action plans
Strong project management to make sure
remediation gets done
Well defined reporting that is tied to
performance goals
Everyone in IT has responsibility for
meeting security goals
6. 4 Steps to get Focused
Identify: Conduct analyses that will give you actionable insight
Align: Build & execute a project plan
Communicate: Build consensus through awareness
Report: Build a Scorecard to show results
7. Hype vs. Reality
Threat actors: Hackers, Organized Crime, State Sponsored
Higher Difficulty (~10% of incidents), the “Security Risks” that get the attention:
• APT
• The “Cloud”
• Mobile Malware
• Big Data
• BYOD
Lower Difficulty (~90% of incidents), the reality:
• Malware
• Phishing
• Missing Patches
• Missing Security Baselines
• Lost & Stolen Devices
• Poor Passwords
8. Identify – Looking for Actionable Metrics
Conduct analyses that will give you actionable insight that can be
translated into deliverable results.
1. Start at the epicenter & focus on what won’t change
2. Define the process of reporting & tracking security events by people and systems
3. Analyze the metrics collected to identify your top 3 incident types, by volume & time
4. Identify the root cause of each incident, and stack rank
Focus areas chosen (fewer problems, bigger returns):
Monthly Security Awareness Training
15 Day Patching Window
Egress Filtering (block direct outbound on ports 21, 80, 443; allow out only through the proxy)
Remove Java
Malware Metrics
• # of Detections
• # of Infections
• # of Re-Images
Malware Root Cause
• Filter Failed
• Missing Security Baselines
• Web Based Infections
• Java Based Infections
• Missing Patches
Phishing Metrics
• # of Detections
• # of User Reports
• # of Infections
Phishing Root Cause
• Filter Failed
• Lack of Awareness
• Web Based Infections
• Java Based Infections
• Adobe Based Infection
Patching Metrics
• # of Desktops by Location
• # of Servers by Location
• # Missing Patches by Year
Patching Root Cause
• SCCM Agent Failed
• Admin Failed to Patch
• Legacy System
• Missing 3rd Party Patch
• Poor Asset Inventory
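As an added example (not code from the talk), steps 2 to 4 above in code: take a log of handled security events, rank incident types by volume and by time consumed, and stack-rank the root causes behind one type. The incident records are constructed sample data; the incident types and root-cause labels are the ones on this slide, and the field names (`type`, `root_cause`, `hours`, `reimaged`) are my own choice.

```python
"""Added example: rank incident types by volume and by time, then stack-rank
root causes for one type. Not code from the talk; INCIDENTS is constructed
sample data and the field names are assumptions."""
from collections import Counter, defaultdict

# Constructed sample log: one record per handled security event.
# "hours" is the staff time the event consumed; "reimaged" records whether
# the endpoint had to be rebuilt (the "# of Re-Images" metric on the slide).
INCIDENTS = [
    {"type": "Malware", "root_cause": "Java Based Infections", "hours": 3.0, "reimaged": True},
    {"type": "Malware", "root_cause": "Missing Patches", "hours": 2.5, "reimaged": True},
    {"type": "Malware", "root_cause": "Java Based Infections", "hours": 2.0, "reimaged": False},
    {"type": "Malware", "root_cause": "Web Based Infections", "hours": 1.0, "reimaged": False},
    {"type": "Phishing", "root_cause": "Lack of Awareness", "hours": 1.5, "reimaged": False},
    {"type": "Phishing", "root_cause": "Filter Failed", "hours": 0.5, "reimaged": False},
    {"type": "Phishing", "root_cause": "Lack of Awareness", "hours": 4.0, "reimaged": True},
    {"type": "Patching", "root_cause": "SCCM Agent Failed", "hours": 0.5, "reimaged": False},
    {"type": "Patching", "root_cause": "Admin Failed to Patch", "hours": 1.0, "reimaged": False},
    {"type": "Lost Device", "root_cause": "No Encryption", "hours": 6.0, "reimaged": False},
    {"type": "Lost Device", "root_cause": "No Encryption", "hours": 6.0, "reimaged": False},
]


def top_incident_types(incidents, n=3, by="volume"):
    """Step 3: the top-n incident types, ranked by volume or by time.

    by="volume" sorts on count and breaks ties on hours; by="time" sorts
    on hours and breaks ties on count. Returns [(type, count, hours), ...].
    """
    count = Counter(i["type"] for i in incidents)
    hours = defaultdict(float)
    for i in incidents:
        hours[i["type"]] += i["hours"]
    if by == "volume":
        key = lambda t: (count[t], hours[t])
    elif by == "time":
        key = lambda t: (hours[t], count[t])
    else:
        raise ValueError("by must be 'volume' or 'time'")
    ranked = sorted(count, key=key, reverse=True)
    return [(t, count[t], hours[t]) for t in ranked[:n]]


def root_cause_stack_rank(incidents, incident_type):
    """Step 4: stack-rank the root causes behind one incident type.

    Returns [(root_cause, count, hours, reimages), ...], most frequent
    first, with hours as the tie-breaker.
    """
    causes = defaultdict(lambda: {"count": 0, "hours": 0.0, "reimages": 0})
    for i in incidents:
        if i["type"] != incident_type:
            continue
        c = causes[i["root_cause"]]
        c["count"] += 1
        c["hours"] += i["hours"]
        c["reimages"] += int(i["reimaged"])
    ranked = sorted(causes.items(),
                    key=lambda kv: (kv[1]["count"], kv[1]["hours"]),
                    reverse=True)
    return [(name, c["count"], c["hours"], c["reimages"]) for name, c in ranked]


if __name__ == "__main__":
    for by in ("volume", "time"):
        print(f"Top 3 by {by}:")
        for t, n, h in top_incident_types(INCIDENTS, by=by):
            print(f"  {t:<12} {n:>3} incidents {h:>6.1f} h")
    print("Malware root causes, stack-ranked:")
    for cause, n, h, r in root_cause_stack_rank(INCIDENTS, "Malware"):
        print(f"  {cause:<24} {n:>3} {h:>6.1f} h  {r} re-images")
```

Run as a script and note that the by-volume and by-time rankings disagree on the sample: lost devices are rare but each one costs hours, which is exactly the signal the "by volume & time" wording in step 3 is meant to surface before you pick the few problems to own.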
9. Align – Manage like you own the problem
Build & execute project plans to drive for results & share successes
Invest more time in project planning and due diligence; time spent defining the problem is NEVER time wasted
Write a Project Charter that clearly states the scope, objectives, participants and success measurements
Create a Work Breakdown Structure to graphically represent the project scope, broken down into successive chunks with defined deliverables
Pay close attention to the human factor and involve your team in the planning process
Hold regular project meetings & publish the progress
10. Communicate – Build consensus through awareness
“It’s hard to overstate the importance of effective security awareness & communication”
If you do not define the key issues and challenges for your security program, chances are that others will
Get out in front of how security is perceived, understood and supported at every level
Good security awareness not only lowers your risks but also helps users and management accept change
When people understand that security is here to help, the culture changes and adoption of security follows
Craft crisp messages that help your audiences internalize and quickly accept your information
11. Reporting - Think like a CFO
Think like a CFO, so you can deliver results the business can
understand.
Reporting good data is the best way to show that security is a business enhancement
Make heroes: when people start with an A+ they will fight harder to keep it
Define the metrics to measure and assess security’s performance
Metrics are the lifeblood of any good decision
Create a Security Scorecard so you have a standard way of communicating your progress to anyone
Report the value of security activities to a wide range of security consumers
12. Gemba Board -Where value is created
Gemba (現場) is a Japanese term referring to the place where value
is created. The idea of Gemba is that the problems are visible, and
the best improvement ideas will come from going to the Gemba.
13. Current State - Proof is in the results
“Good security is not something you have, it’s something you do”
-Wendy Nather
Accomplishments:
Think Before You Click – Awareness Program
Patches applied within 15 days on 95% of devices
Full egress filtering, only allowing access out to the internet through the proxy
Removed Java from 85% of workstations
Security baselines on 90% of servers
Enforced password policy with 10 character minimum, with password self-service reset
Encryption of all mobile workstations & phones
Disabled local Admin on all servers
14. What’s next – Protect the King!
Once you have the basics covered, it’s time to start focusing on protecting the King: “Your Data”.
“Risk Management is about separating your
kings from your pawns” – Chris Clymer
15. Summary – Key Takeaways
Identify: Conduct analyses that will give you actionable insight
Align: Build & execute a project plan
Communicate: Build consensus through awareness
Report: Build a Scorecard to show results
17. What Questions are there?
Jack Nichelson
E-mail: Jack@Nichelson.net
Twitter: @Jack0Lope
Editor’s Notes
Find the real pain, not the hype (real pain is what is taking up your time and why the Red team keeps getting in)
Once you know the problem, define it in a project charter with a work breakdown so anyone in the company can understand the problem, solution, investment and benefits
Communicate at all levels. Security Awareness training can be your greatest tool for moving security forward: if you enlighten people about risk so they can see it, you can stop pushing and start leading the movement
Regular reporting is so important to keep support going and not slow progress
Who is setting your goals?
Don’t follow the hype
The basics are where the problems are
This is the hardest part. There are too many problems.
Start with the problems that you have the best data around
If you don’t have good data, that is your first problem
Go through the 5 Whys to ensure you are addressing the root of the problem
It’s very easy to let the daily operational stuff consume all of your time and budget; project management is the key to getting things done.
I have started putting most of my time into project management; this is your sniper rifle
I thought I was good at project management; it’s time to go formal
Project charters, project sponsors; spend the time detailing out your Work Breakdown Structure
Get everyone involved and post the progress
Communicate at all levels. Security Awareness training can be your greatest tool for moving security forward: if you enlighten people about the risk, you can stop pushing and start leading the movement
Pave the way for changes with education
Regular reporting is so important to keep support going and not slow progress
Use reports and leverage the power of good data to support where you are going and show that the end is in reach
Survival of the fittest
System Thinking – A bunch of things that come together, for the pursuit of a common objective, in an environment or context that impacts them and their ability to achieve the objective!
YES, you can remove Java