Marked by record-breaking data breaches and an explosion of increasingly complex, sophisticated attacks, 2014 was a challenging year for security professionals. Can the industry find relief in 2015? Bruce Schneier and Jon Oltsik evaluate how we did in 2014 from an incident response perspective and offer predictions for what lies ahead in 2015.
4. Slide 4
Introductions
• Ted Julian, CMO, Co3 Systems
• Bruce Schneier, CTO, Co3 Systems
• Jon Oltsik, Principal Analyst, ESG
• Gant Redmon, General Counsel, Co3 Systems
5. Slide 5
Ted Julian, CMO, Co3 Systems
• He is a successful serial entrepreneur, and has launched multiple start-ups in the security and compliance industry
• Was once named “Geek of the Week” by The Boston Globe, and has also appeared on CNN and ABC News as well as in the Wall Street Journal and USA Today
• Fun Fact: He is an avid long-distance runner
6. Slide 6
Bruce Schneier, CTO, Co3 Systems
• An internationally renowned security technologist and cryptographer, aka the “Security Guru”
• He has authored 12 books (another being released in February 2015), maintains the blog “Schneier on Security,” and sends a monthly newsletter, “Crypto-Gram”
• Fun Fact: He makes his own absinthe
7. Slide 7
Jon Oltsik, Principal Analyst, ESG
• He is widely recognized as an expert in all aspects of information security and is often called upon to help customers understand a CISO’s perspective and strategies
• Writer for Network World on his series “Networking Nuggets and Security Snippets”
• Fun Fact: He plays guitar in a rock-and-roll cover band
8. Slide 8
Gant Redmon, General Counsel, Co3 Systems
• He has practiced law for 19 years; 15 of those years as in-house counsel for security software companies
• He was appointed to President Clinton’s Export Council Subcommittee on Encryption (PECSENC)
• Fun Fact: He plays soccer at 6 AM four times per week
9. Slide 9
About Co3 – Incident Response Management
PREPARE – Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (fire drills / table tops)
ASSESS – Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE – Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE – Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
10. Slide 10
Co3 Incident Response Management System (IRMS)
[Product architecture diagram; the labels recoverable from it are listed below.]
• Incident response plan: instant creation and streamlined collaboration across HR, IT, Legal/Compliance and Marketing
• Plan synthesis from: community best practices, industry standard frameworks, organizational SOPs, global privacy breach regulations, contractual requirements
• Accelerated mitigation: custom action framework
• Automated escalation from: web form, trouble ticketing, entry wizard, SIEM
• Plan enrichment with: malware sample, IP address, DNS name, process name, email
• Dashboards and reporting: incident timeline / status, CSO dashboard, auditor dashboard, team utilization, incidents by type over time
12. Slide 12
Cyber Threats - Trends
• 2014: Started with Target, ended with Sony
• Targeted vs. opportunistic attacks
• New motivations: financial, IP, revenge
• Blended threats and impacts
• Increase in post-breach lawsuits
• Security practices on trial after a breach
• Individual privacy breaches
• Vulnerabilities in open source – Shellshock, Heartbleed
• Nation-state malware
13. Slide 13
Cyber Threats - Predictions
• Is Sony’s CEO next to be fired?
• Boardroom will focus more on security
• Expect the unexpected
• Measurement changes – and more accountability
15. Slide 15
IT Trends & Cybersecurity - Trends
• Ongoing loss of control, broader threat landscape
• Larger focus on cloud security – e.g. the Apple iCloud (celebrity photo) hack
• Need for greater control over identity and data
• Whistleblower rock stars
• Open source vulnerabilities
16. Slide 16
IT Trends & Cybersecurity - Predictions
• Spying fears change vendor landscape
• Stricter security terms in contracts
• Economic impact on U.S. vendors internationally
• New book from Bruce!
19. Slide 19
Professional Development - Trends
• Vacancy rate is at 22 percent; employee shortage is in the millions
• Hyper-inflation of security salaries, more outsourcing for smaller businesses
• Industry isn’t building the next generation of security leaders
• Collaboration with PR, HR, legal is more important than ever
• Basic analysis skills – like malware analysis – are in demand, as are mobile and cloud skills
20. Slide 20
Professional Development - Predictions
• Skills shortage gets worse next year
• More demand = less accountability
22. Slide 22
The Business of Security - Trends
• Security professionals struggle to relate issues to the boardroom
• Healthcare’s security risk: conversations happening at the boardroom level
• Cybercriminals seek more details on individuals
23. Slide 23
The Business of Security - Predictions
• Marketing and legal professionals may take over CISO roles
• More people problems than tech problems
26. Slide 26
Privacy - Review
• Safe Harbor alive and well – the 13 recommendations issued by the European Commission (November 2013) are not too specific or onerous.
• Usernames and passwords
– May the country follow California…again
– S.B. 46, which amends Sections 1798.29 and 1798.82 of the Civil Code to require businesses and state agencies to notify consumers if their login credentials (username or email address together with a password or security question and answer) are compromised by a data breach
• Kentucky – enacted a state breach notification law in 2014 (HB 232)
• FCC gets into privacy enforcement
– Plans $10M in fines against TerraCom and YourTel
27. Slide 27
Privacy - Predictions
• Target-scale breach in the EU
– Fodder for EU regulations
– Bigger than University of Limerick
• Backlash on click-through boilerplate
– Not sufficient to constitute opt-in
– Contract considered illusory
– Companies have to try again with a different approach: clear and concise language
28. Slide 28
Privacy - Predictions
• People realize that losing their credit card numbers is not identity theft
– This leads to less concern over credit monitoring
• No follow-the-leader on TX and CA
• No unified EU breach notice in 2015
• More US uniform notification bills filed early in 2015…and they will all die by October
30. Slide 30
Upcoming Co3 Events
• Data Breach Crisis Communications: 2014 – The Year of the Data Breach, in Review
– January 8, 2015, 1 pm EST
• You’ve Been Breached: How to Mitigate the Incident
– January 21, 2015, 12 pm EST
31. Slide 31
“Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
– PC Magazine, Editors’ Choice
“Platform is comprehensive, user friendly, and very well designed.”
– Ponemon Institute
“One of the most important startups in security…”
– Business Insider
“One of the hottest products at RSA…”
– Network World
“...an invaluable weapon when responding to security incidents.”
– Government Computer News
“Co3 has done better than a home run... it has knocked one out of the park.”
– SC Magazine
Most Innovative Product
Speaker notes

Slide 9: Adapted from the standard emergency response process: Prepare, Respond, Recover, Mitigate.
Slide 10: “Let’s take a look at how each of the components work.....”

Cyber Threats
REVIEW
• Sony – talk about a blended threat! In terms of its mechanisms (cyber and terrorism), motivations, and impact on Sony (financial, PR, IP, privacy)
• Target fall-out – lost not only their CIO but also their CEO
• This morning learned that ICANN also reportedly hacked
PREDICTIONS
• Sony CEO?
• Mobile?
• Hacktivism
• Cyber war

IT Trends & Cybersecurity
REVIEW
• Ongoing loss of control: mobile and cloud
• 3rd party risk
PREDICTIONS
• More substantial cloud and mobile breaches?
• Do fears over spying bolster IT suppliers outside of the US?
• DDoS attacks
• BYOD
• Advanced Persistent Threat
• The cybersecurity skills gap
• Other

Professional Development
REVIEW
• In 2013, a Government Accountability Office (GAO) report stated that the DHS’s National Protection and Programs Directorate’s Office of Cybersecurity and Communications had a vacancy rate of 22%. Similar data is coming from other geographic areas as well.
• In November, a special Parliamentary Select Committee in the United Kingdom’s House of Lords reported a global shortage of “no less than two million cybersecurity professionals” by the year 2017.
PREDICTIONS
• Talent gap gets better or worse? How can we make a dent?

The Business of Security
REVIEW
• Security continues to struggle with talking about security in business terms
PREDICTIONS
• Do people with marketing and/or legal backgrounds take over?
• More staff
• Better staff
• New technology
• Less regulatory responsibilities