Post on 15-Jan-2015
Omar Khawaja
Smarter Security
@smallersecurity
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
1. MOST ORGANIZATIONS WORRY ABOUT EVERYTHING
THEORETICAL: Universe of bad things that can happen to anyone
2. IN REALITY, ONLY CERTAIN TYPES OF BAD THINGS ACTUALLY HAPPENED ACROSS ALL ORGANIZATIONS
ACTUAL: Bad things (color indicates frequency) that actually happened
3. SPECIFICALLY, WHICH BAD THINGS SHOULD YOUR ORGANIZATION BE WORRIED ABOUT?
THEORETICAL FOR YOU: bad things that are likely to happen to your organization if you have no protection in place (color indicates likelihood)
4. HOW WELL PROTECTED IS YOUR ORGANIZATION?
REALITY FOR YOU: bad things that are likely to happen to your organization given you have some protection in place (color indicates likelihood)
5. What is the desired state?
IDEAL FOR YOU: bad things that are likely to happen to your organization given you have sufficient protection in place (color indicates likelihood)
What’s under the hood?
VERIS
http://www.veriscommunity.net
Actor – Who did it?
Action – How’d they do it?
Asset – What was affected?
Attribute – How was it affected?
VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
1. MOST ORGANIZATIONS WORRY ABOUT EVERYTHING
THEORETICAL: Universe of bad things that can happen to anyone
2. IN REALITY, ONLY CERTAIN TYPES OF BAD THINGS ACTUALLY HAPPENED ACROSS ALL ORGANIZATIONS
ACTUAL: Bad things (color indicates frequency) that actually happened
3. SPECIFICALLY, WHICH BAD THINGS SHOULD YOUR ORGANIZATION BE WORRIED ABOUT?
THEORETICAL FOR YOU: bad things that are likely to happen to your organization if you have no protection in place (color indicates likelihood)
4. HOW WELL PROTECTED IS YOUR ORGANIZATION?
REALITY FOR YOU: bad things that are likely to happen to your organization given you have some protection in place (color indicates likelihood)
5. HOW DO YOU GET TO THE DESIRED STATE?
6 SECURITY SOLUTION AREAS:
• Data Protection
• Governance, Risk & Compliance
• Identity & Access Mgmt
• Investigative Response
• Threat Mgmt (MSS)
• Vulnerability Mgmt
5. HOW DO YOU GET TO THE DESIRED STATE? SOME SPECIFICS…
DBIR FINDINGS | VERIZON SOLUTIONS | WHY VERIZON?
71%: victim didn’t know how much data was stolen | Data Discovery (DDISC) | Scanned 100,000,000+ files and discovered 1,000,000,000+ targeted data elements
61%: payment card data was stolen | PCI Compliance | More PCI auditors (140+ QSAs) than any other firm in the world
100%: data was exfiltrated | Data Loss Prevention (DLP) | Led one of the largest DLP deployments in the world (400,000 seats)
92% of attackers were external | Managed Secure Enterprise Gateway (MSEG) | 7 SOCs on 4 continents manage security devices in 45 countries
52% of attacks involved Hacking | Vulnerability Scanning Service | Delivered 1500+ vulnerability mgmt engagements in past 3 years
76% of network intrusions exploited weak or stolen credentials | Universal Identity Services (UIS) | Manage digital identities in 50+ countries & for 25+ national governments
75% of all attacks were opportunistic (vs. targeted); 78% of attacks were of Low or Very Low difficulty | Security Mgmt Program (SMP) | SMP is the oldest security certification program in the industry
82%: discovered by External party | Rapid Response Retainer (RRR) | Handled 9 of the world’s 11 largest data compromise investigations
36%: took weeks or more to contain; 78%: took weeks or more to discover | Incident Analytics Service (IAS) | Analyzed 2500+ data breaches involving more than 1 Billion records
WHAT DOES SMARTER SECURITY LOOK LIKE?
1. VERIS
2. DBIR
3. IAS (“Custom DBIR”)
4. Security Monitoring
5. Security Enforcement
STRATEGY BASED ON EVIDENCE
• Not FUD
DON’T START W/ PRODUCTS OR TOOLS
• Start with what’s worth protecting
DON’T DEPLOY THE SECURITY CONTROLS THAT SOUND COMPELLING
• Deploy the security controls you really need
DON’T FOCUS ON ALL THE DOTS
• Focus on the right dots
VERIZON’S SECURITY LEADERSHIP
INDUSTRY RECOGNITION
• Large & highly rated MSSP (Frost & Sullivan, Gartner, Forrester)
• Founding and Executive Member of Open Identity Exchange
• Security Consulting practice recognized as a Strong Performer (Forrester)
• ICSA Labs is the industry standard for certifying security products (started in 1991)
CREDENTIALS
• One of the largest PCI auditors (100+ QSAs) in the world
• Actively participate in 30+ standards / certification bodies, professional organizations and vertical specific consortia
• Personnel hold 40+ unique industry, technology and vendor certifications
GLOBAL REACH
• 550+ dedicated security consultants in 28 countries speak 28 languages
• Investigated breaches in 41 countries in 2011 and 2012
• 7 SOCs on 4 continents manage security devices in 45+ countries
• Serve 77% of Forbes Global 2000
EXPERIENCE
• Verizon’s SMP is the oldest security certification program in the industry
• Analyzed 2500+ breaches involving 1+ Billion records
• Manage identities in 50+ countries and for 25+ national governments
• Delivered 5000+ security consulting engagements in the past 3 years
ISO 9001
ISO 17025