Cyber 24/7: Risks, Leadership, Sharing


Page 1: Cyber 24/7: Risks, network Leadership, A stranger will ...uploads.westernenergy.org/2015/11/18114629/... · Cyber 24/7: Risks, Leadership, Sharing Pete O’Dell Pete.odell@SwanIsland.net

Cyber 24/7: Risks, Leadership, Sharing

Pete O’Dell

Pete.odell@SwanIsland.net

202-460-9207

A stranger will soon enter your network

Page 2:

Introduction: Pete O’Dell

• Author: Cyber 24-7: Risks, Leadership, Sharing: Sound advice for Boards, the C-Suite, and non-technical executives (+2 other books)

• Background: Technology, manufacturing, services, CIO, COO, CEO, board member, entrepreneur, consultant, author, veteran, poor golfer, avid fly fisherman

• www.swanislandnetworks.com – TX360 cyber/physical situational intelligence service (Founder/Board)

• Fellow: National Cybersecurity Institute

Page 3:

Organizations face diverse risks…

• Social Media

• Civil Unrest

• Terrorism

• Travel Disruption & Delays

• Natural Disasters

• Severe Weather

• Hazardous Materials

• Disease

• Cyber Threats

• Supply Chain Disruption

• Blackouts

• Crime

Page 4:

Source: Chertoff Group

Page 5:

Setting the Cyber Stage

• Victims of own success; spectacular attacks in the news

• New business opportunities expand the attack surface: Clouds, IoE, Bring your own devices (BYOD), M&A, SmartGrid

• We’re not doing all we can:

  o Boards and C-Suite are not leading and aligning strategy and resources enough

  o Poor info sharing even at basic levels, not real-time

  o “Tone at the Top” by the board and C-Suite – cyber awareness

  o Government – fragmented efforts, confusing rules, poor grades

  o International law enforcement challenges – jurisdictions/extradition

Page 7:

How did we become so vulnerable?

• Computing – 1950’s to present – revolutionary, world changing

• Internet and WWW have connected almost everything

• Moore’s law and price/performance – what’s in your pocket?

• Multiple generations of solutions by different groups/vendors

• IT priesthood – little governance/certification/talent trap

• Competitive pressure has often trumped security

• Result: delicate, vulnerable, unique IT infrastructures that will not be healed by a new gadget

“Cyberspace is a single point of failure and we've hooked everything up to it!”

- Jeff Gaynor

Page 8:

The IT/CIO Revolving Door

JOE, SALLY, ERIC, BILL

Page 9:

Cyber is not a Normal Risk!

• Cyber defies conventional risk metrics:

• Non-quantifiable & non-predictable: not the 100 year flood

• Global, not local: traditional physical separation less effective

• Puts the entire organization at risk

• Multi-faceted and multiple types of attackers

• You may be under attack while you are analyzing

• Examples:

• Payment breach (Target): immediate impact on all

• IP theft (DOD Contractors): 20 year impact

• DDOS: immediate business degradation

Page 11:

Today’s Cyber Context

Good News

• World paying attention

• Boards at least discussing

• Vendors – solutions/tools

• Investment – R&D/Solutions

• Info sharing value/discussion

• Cloud – excellent promise

• Insurance options emerging

Bad news

• Same attacks happening

• Attacks increasing

• More sophisticated attackers

• New threats emerging daily

• Shortage of great people

• Bad guys share methods

• Growth areas expand risks

• Threats trump forward progress

Page 12:

Board & C-Suite Prep/Proactive Efforts

• Set the “Tone at the Top” – live it and enforce it (leadership)

• Align all internal/external resources with defined priorities

• Hire and validate great people and partners

• Validate strategy/team using hard-core outsiders

• Detailed risk, resilience and plan reviews

• Understand executive specific vulnerabilities

• Technical board member or committee

• Exercise full response plan across the enterprise – GridEx?

“By the time you hear the thunder, it’s too late to build the ark”

- Unknown

Page 13:

Competing pressures

Board/Management

• Are we safe?

• Are we prepared?

• Can we count on our people?

• What is our strategy?

• We can’t afford it!

• I don’t understand!

• We can’t stop!

• We don’t like bad news!

CIO/CISO/IT Team

• Rogue IT projects

• SAAS w/credit card

• BYOD, USB sticks

• Data everywhere

• Budget constraints

• Legacy systems

• New demands: cloud & IOT

• Nobody likes to deliver bad news!

Page 14:

Cyber-Resilience

“There are two kinds of people in America today: those who have experienced a cyber attack and know it, and those who have experienced a cyber attack and don't know it.”

- Industry Pundits - about 27 variations

“It takes a licking and keeps on ticking” – TIMEX Commercial

Page 15:

Cyber Resilience: 24/7 Continuous Effort

Proactive Protection Measures

Cyber Intelligence

Response Plan & Exercises

Breach Response

Lessons Learned

Page 16:

Resilience: One Continuity Factor

• Bigger than your organization

• Understanding interdependencies critical

• Proactive planning—avoid crisis introductions

• Cross organizational information sharing (cross silo as well)

• SURGE capabilities

• We’re stronger together than separate

Page 17:

People: Critical at all Levels

• Entire organization focus – this is not just an IT issue!

• IT & cyber industry shortage means marginal execs and employees, turnover, and rapid obsolescence

• Train the entire organization

• Finding, training, retaining and motivating – hard but worth it

• Validate through vetted outside expertise

• Trusted people can turn malicious for outside reasons

• Board/Exec knowledge is critical

Page 18:

Cyber Partners: who will stand with you?

• Proactive effort required: Worst time to engage is in the middle of a crisis

• Embrace reality: You can’t staff to an unknown level or timeframe – outside services vital

• Teaming: Great partners will help on the prevention and preparation plus incident response surge

• Broad set of offerings available – choose carefully

• Set and enforce service level agreements

• Exercise and integrate ahead of time

Page 19:

How do you handle SURGE operations?

Page 20:

SURGE! (prepared and unprepared)

• Realities: Budgets are tight - Threats are numerous - Change is constant

• How to multiply your response resources?

  o Work more hours (that always works!)

  o Repurpose internal assets (planned)

  o Contract in advance (proactive)

  o Supply chain partners?

  o Public/Private support?

  o Proactive Mutual Assistance!

Page 21:

Cyber Resilience

• “Take a licking and keep on ticking”

• Human Centric – no magic solution

• CSIRP – Cyber Security Incident Response Plan

• Demands:

• Planning & Preparedness

• Agility and adaptability

• Creativity

• Cross organization and external – partners, customers

Page 22:

Barriers to Resilience

• Silos, rice bowls, internal fragmentation

• Lack of broad based personnel/leadership

• Budgets – the smallest things not done can wreak havoc

• Other priorities

• Disbelief in investment – “we’ll be okay”

• Preparedness is deemed boring work by most

Page 23:

5 Resilience Efforts

• Apply common sense to preparation

• Plan/prepare to be attacked/breached

• Identify your response partners ahead of time

• Exercise tirelessly/fix identified issues (Gridex III?)

• Study others where possible and make adjustments

Page 24:

Resilience Planning – A Cross/Org Effort

Page 25:

Cyber Situational Intelligence

• Many breaches are known exploits!

• Advance notice critical – real time monitoring 24/7

• Many sources available – government, industry, non-profits, media, vendors, internal tools, employees

• Blend Open Source, proprietary, internal to create a customized threat intelligence picture

• Alerts and alarms to multiple levels in organization – more than IT

• Finding out intelligence was available after the attack is painful

• Combining on physical threats a good use of resources

Page 26:

Example: Cyber Intelligence

Page 27:

Cloud based resiliency systems

• “All-hazards” high-assurance system to help proactively and during response/recovery

• Cloud based, redundant during a prolonged outage

• Cross organizational—link in established & new partners

• Scalable during a major training cycle or incident

• Combine many different information elements that can be distributed in multiple ways

• Proven solutions which can be rapidly deployed

Page 28:

Future Directions & Wrap-up

Page 29:

The future is here now!

• Unprecedented adoption of new technology

• Connectivity expanding everywhere

• Costs dropping, capabilities rising

• Disruptive business models (Uber, AirBnB)

• Worldwide Silicon Valley emulation—US and International

Page 30:

The future is accelerating!

• IOT: Sensors, collectors and adjusters

• Drones and robots

• Driverless cars and trucks

• Advanced batteries (resilience!)

• Virtual and Augmented Reality

• Big Data and predictive analytics

• Cloud as primary and redundant platform

Page 31:

Internet of Things/Everything/Systems

• Smaller and more numerous (billions) devices

• Autonomous operation, both active and passive

• Sensors, Collectors, Adjusters, Aggregators

• Collected data can be multi-purpose, cross org

• Many policy and governance issues still unsolved

• Some think IoE is bigger than today’s internet impact

• Security concerns abound – opportunity brings risk

Page 32:

IoT Cyber Implications

• “Internet of Systems” a more inclusive term for security

• Massive, worldwide impact over next 30+ years

• Sensor cost differential and communications will be key drivers

• Power, health, transportation, manufacturing, maintenance, security

• Integrated, multi-point data flows are a risk/opportunity

• Car attacks – 50+ computers in modern vehicle

• IoT a security problem and a security opportunity

Page 33:

Public/Private Efforts

• Many have been created

• Some have good reputations: FS-ISAC, SANS

• Option to pool resources at low cost

• Some more narrowly focused – regional or industry

• Not a panacea, but an excellent tool when used

Page 34:

NYC’s Metropolitan Resilience Network

• Public/Private Initiative – “All Hazards”

• NYU/INTERCEP, Championed by PANYNJ

• Assist business, government and other stakeholders

• Real time communications and collaborative platform

• Regional Common Operating Picture

• High value information sharing/best practices

• Info on request – something to monitor

Page 35:

Wrapping up

Page 36:

Personal concerns/opinions

• Electrical Grid: regional outage for months

• Data Integrity: massive change attack to disrupt systems

• Firmware or silicon based exploits

• Large scale ransomware encryption attacks

• GPS: High use, high vulnerability

• Control devices: pacemakers, transportation

• Will it take “Cyber Pearl Harbor” to get urgency accelerated?

Page 37:

In Review…

• Corporate leadership responsibility to drive alignment

• Growing threats, no easy fixes or silver bullet for years

• Shortage of talented defenders; but no shortage of stuff to buy

• People, partners, planning, prevention, response critical

• Continual learning and adapting a necessity

• All hands issue versus just the IT organization

• Civilization will prevail, but will require global effort

• Push government to help in the right ways

Page 38:

Excellent Resources

• SANS institute: www.sans.org

• Ponemon Institute: www.ponemon.org

• Cisco 2015 Annual Security Report: www.cisco.com

• PWC: www.pwc.com (Cybermetrics Sep 2015 report)

• OWASP: www.owasp.org

• World Economic Forum: www.weforum.org

• www.informationisbeautiful.com (cyber)

Page 39:

Thank You! Questions?

• Complimentary e-book: [email protected]

• Ask me about integrated situational intelligence - www.swanislandnetworks.com

Page 40:

Questions

• Assessments?

• Multi-factor auth?

• Enforced password changes?

• Tone at the top or IT for awareness?

• Phishing training?

• Continuous background checks?

• Separation of duties?

• Outside audits/penetration testing

• Aligned BC/IR/Cyber/Physical?

• Situational intelligence – how doing?

• Who most concerned about from outside?

• Is the government helping?

• Shared accounts?

• Default passwords?

• Rogue IT

• Info sharing?

• ISAC good?

• Trusted sharing?