The problem of security keeps getting bigger - more vulnerabilities that can be exposed, information assets are more critical to the business and there are more threats trying to cause harm. Security budgets and resources are not growing at nearly the same pace. If this is indeed the case, there is only one solution - the security problem needs to be re-defined to be a smaller one - small enough that the enterprise has adequate levels of resources / budget to address.
2. 1. MOST ORGANIZATIONS WORRY ABOUT EVERYTHING
THEORETICAL: Universe of bad things that can happen to anyone
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
3. 2. IN REALITY, ONLY CERTAIN TYPES OF BAD THINGS
ACTUALLY HAPPENED ACROSS ALL ORGANIZATIONS
ACTUAL: Bad things (color indicates frequency) that actually happened
4. 3. SPECIFICALLY, WHICH BAD THINGS SHOULD YOUR
ORGANIZATION BE WORRIED ABOUT?
THEORETICAL FOR YOU: bad things that are likely to happen to your organization
if you have no protection in place (color indicates likelihood)
5. 4. HOW WELL PROTECTED IS YOUR ORGANIZATION?
REALITY FOR YOU: bad things that are likely to happen to your organization given
you have some protection in place (color indicates likelihood)
6. 5. What is the desired state?
IDEAL FOR YOU: bad things that are likely to happen to your organization given you
have sufficient protection in place (color indicates likelihood)
8. VERIS
VERIS is an open and free set of metrics designed to provide a common
language for describing security incidents (or threats) in a structured and
repeatable manner.
Actor – Who did it?
Action – How’d they do it?
Asset – What was affected?
Attribute – How was it affected?
http://www.veriscommunity.net
14. 5. HOW DO YOU GET TO THE DESIRED STATE?
6 SECURITY SOLUTION AREAS:
• Data Protection
• Governance, Risk & Compliance
• Identity & Access Mgmt
• Investigative Response
• Threat Mgmt (MSS)
• Vulnerability Mgmt
15. 5. HOW DO YOU GET TO THE DESIRED STATE?
SOME SPECIFICS…
DBIR FINDING | VERIZON SOLUTION | WHY VERIZON?
71%: victim didn’t know how much data was stolen | Data Discovery (DDISC) | Scanned 100,000,000+ files and discovered 1,000,000,000+ targeted data elements
61%: payment card data was stolen | PCI Compliance | More PCI auditors (140+ QSAs) than any other firm in the world
100%: data was exfiltrated | Data Loss Prevention (DLP) | Led one of the largest DLP deployments in the world (400,000 seats)
92% of attackers were external | Managed Secure Enterprise Gateway (MSEG) | 7 SOCs on 4 continents manage security devices in 45 countries
52% of attacks involved Hacking | Vulnerability Scanning Service | Delivered 1500+ vulnerability mgmt engagements in past 3 years
FURTHER VERIZON SOLUTIONS | WHY VERIZON?
Universal Identity Services (UIS) | Manage digital identities in 50+ countries & for 25+ national governments
Security Mgmt Program (SMP) | SMP is the oldest security certification program in the industry
Rapid Response Retainer (RRR) | Handled 9 of the world’s 11 largest data compromise investigations
Incident Analytics Service (IAS) | Analyzed 2500+ data breaches involving more than 1 Billion records
FURTHER DBIR FINDINGS
• 76% of network intrusions exploited weak or stolen credentials
• 75% of all attacks were opportunistic (vs. targeted)
• 78% of attacks were of Low or Very Low difficulty
• 82%: discovered by External party
• 36%: took weeks or more to contain
• 78%: took weeks or more to discover
16. WHAT DOES SMARTER SECURITY LOOK LIKE?
1. VERIS
2. DBIR
3. IAS (“Custom DBIR”)
4. Security Monitoring
5. Security Enforcement
STRATEGY BASED ON EVIDENCE
• Not FUD
DON’T START W/ PRODUCTS OR TOOLS
• Start with what’s worth protecting
DON’T DEPLOY THE SECURITY CONTROLS THAT SOUND COMPELLING
• Deploy the security controls you really need
DON’T FOCUS ON ALL THE DOTS
• Focus on the right dots
@smallersecurity
17. VERIZON’S SECURITY LEADERSHIP
INDUSTRY RECOGNITION
• Large & highly rated MSSP (Frost & Sullivan, Gartner, Forrester)
• Founding and Executive Member of Open Identity Exchange
• Security Consulting practice recognized as a Strong Performer (Forrester)
• ICSA Labs is the industry standard for certifying security products (started in 1991)
ISO 9001
ISO 17025
CREDENTIALS
• One of the largest PCI auditors (100+ QSAs) in the world
• Actively participate in 30+ standards / certification bodies, professional organizations and vertical specific consortia
• Personnel hold 40+ unique industry, technology and vendor certifications
GLOBAL REACH
• 550+ dedicated security consultants in 28 countries speak 28 languages
• Investigated breaches in 41 countries in 2011 and 2012
• 7 SOCs on 4 continents manage security devices in 45+ countries
• Serve 77% of Forbes Global 2000
EXPERIENCE
• Verizon’s SMP is the oldest security certification program in the industry
• Analyzed 2500+ breaches involving 1+ Billion records
• Manage identities in 50+ countries and for 25+ national governments
• Delivered 5000+ security consulting engagements in the past 3 years
@smallersecurity
Editor's notes
For the latest version, please contact Omar Khawaja.
The approach that follows intends to help organizations make the transition from thinking of security as a grouping of tools to a truly risk-based (and evidence-based) approach, one that has been preached for years but continues to elude most organizations.
1. Most organizations worry about everything: the universe of bad things that can happen to anyone. This is one contributing factor to every security leader complaining about not having enough budget, time, resources, etc. to protect the organization. The problem is this: they are trying to protect every asset against every actor trying to expose every vulnerability… they are trying to boil the ocean. In order to address security, the problem needs to be more narrowly defined…
This is in line with our approach to transition MSS from thousands of signatures to the few dozen Indicators of Compromise that are most likely.
2. In reality, only certain types of bad things actually happened across all organizations. Before worrying about the universe of the theoretical (see #1), organizations should make sure they have addressed the actual bad things that are happening.
3. Specifically, which bad things should your organization be worried about? Even better than worrying about every bad thing that happened to any organization (see #2), why not identify the specific bad things your organization should be worried about given: the types of data you have, your competitive environment, the geographies within which you operate, the people you may have made angry, etc.
The basic stuff is important; do the basics before the sophisticated.
4. How well protected is your organization? Undoubtedly, every organization has some protection mechanisms in place. When you account for the protection they offer, the organization will have further reduced its risk (residual risk). Now the organization knows exactly which areas require additional attention vs. which are being sufficiently addressed.
5. This is what nirvana looks like. We can’t remove the threats to our business (the dots will always be there), but we can ensure we are sufficiently protected to defend against them (the dots are green vs red or yellow). Address the red dots and yellow dots to turn them into green dots, by deploying (implementing and managing) the relevant security technologies, processes and training. Don’t apply any effort (resources, budget, thinking, sleepless nights, etc.) on white space or green dots prior to addressing the red and yellow dots.
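To make the dot map of notes 1 to 5 concrete, here is an added example (my own code, not Verizon's or the VERIS project's): it records constructed incidents in the four VERIS "A" fields from the VERIS slide, tallies them per (action, asset) cell as on slides 2 to 5, and colours each cell by its residual share after discounting for the strength of controls already in place. The enumeration values are a simplified subset of the public VERIS schema, and the 5% / 15% colour thresholds and the control-strength discount are my assumptions.

```python
"""Toy VERIS-style incident tally and residual-risk dot map (added example).
Enumerations are a simplified subset of the public VERIS schema and the
colour thresholds are assumptions; the incidents below are constructed."""
from collections import Counter

ACTORS = {"External", "Internal", "Partner"}
ACTIONS = {"Hacking", "Malware", "Social", "Misuse", "Physical", "Error"}
ASSETS = {"Server", "Network", "User Dev", "Media", "People"}
ATTRIBUTES = {"Confidentiality", "Integrity", "Availability"}

def validate(incident):
    """True only if all four 'A' fields use a known enumeration value."""
    return (incident.get("actor") in ACTORS and incident.get("action") in ACTIONS
            and incident.get("asset") in ASSETS
            and incident.get("attribute") in ATTRIBUTES)

def tally(incidents):
    """Count incidents per (action, asset) cell: the 'dots' on the slides."""
    counts = Counter()
    for inc in incidents:
        if not validate(inc):
            raise ValueError(f"record outside the VERIS enumerations: {inc}")
        counts[(inc["action"], inc["asset"])] += 1
    return counts

def color(count, total, control_strength=0.0):
    """Colour one cell by its share of incidents, discounted by the strength
    (0..1) of controls already covering it: white = never observed,
    green < 5%, yellow < 15%, red otherwise (assumed thresholds)."""
    if count == 0:
        return "white"
    residual = (count / total) * (1.0 - control_strength)
    if residual < 0.05:
        return "green"
    return "yellow" if residual < 0.15 else "red"

def dot_map(incidents, controls=None):
    """Return {cell: colour}; `controls` maps a cell to its control strength."""
    controls = controls or {}
    counts = tally(incidents)
    total = sum(counts.values())
    return {cell: color(n, total, controls.get(cell, 0.0)) for cell, n in counts.items()}

# Constructed sample of ten incidents, not DBIR data.
INCIDENTS = (
    [{"actor": "External", "action": "Hacking", "asset": "Server", "attribute": "Confidentiality"}] * 6
    + [{"actor": "External", "action": "Malware", "asset": "User Dev", "attribute": "Integrity"}] * 2
    + [{"actor": "External", "action": "Social", "asset": "People", "attribute": "Confidentiality"},
       {"actor": "Internal", "action": "Error", "asset": "Server", "attribute": "Availability"}]
)
```

With no controls the Hacking/Server cell is red; crediting it with a strong control (0.8) turns it yellow and a very strong one (0.95) turns it green, which is the red-to-yellow-to-green transition the notes describe, while cells with no observed incidents stay white.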
Is this real? How does this actually work?
Confidentiality = data breaches
Availability = DoS Defense
Threat library to monitor for key threats
In reality, some risks will cost too much to mitigate / transfer; in these cases the best option will be to accept the risk (will stay red or yellow in perpetuity).
Screenshot from Security Mgmt Program
Threat library to monitor for key threats
Security Monitoring includes control validation too; Gracie = OG + RCMC = MSS + GRC
5. Address the red dots and yellow dots to turn them into green dots, by deploying (implementing and managing) the relevant security technologies, processes and training. Solve the problems you actually should be worried about vs. the ones that the vendor happens to have a robust solution for.
Don’t need to be a CSO to get it
Understood by the business
Point products vs. Solutions
Threat Profiling
Change SMP to …
Security Monitoring + Ongoing Control Validation + Analytics = Vulns + Threats + Assets
Our security portfolio helps organizations turn reds to yellows and yellows to greens
Need vs. Want
For the latest version, please contact Omar Khawaja.
CREST approved penetration tester
Actively participate in 30+ standards / certification bodies, professional organizations and vertical specific consortia