Everything Is Not

AwesomeThe rising threat of Cyber-attack and

what to do about it

Robi Sen, CSO, Department 13, LLCrobi.sen@department13.com

Agenda

• Its all just getting worse• Data breaches more common and larger• Number of attacks in total rapidly increasing• Threats are more sophisticated and hard to stop• Technology is failing us

• Why is it getting worse• High value low risk• Low barrier to entry - Its so easy• As technology gets more complex its harder to secure• Vendors don’t really care

• What can we do• Be realistic and plan for compromise• Focus on security early not after a event• Realize that the best defense is people• What you can do right now

Realize security is core to your businessIf you can answer no to any of these questions then your can ignore security.

• Does your brand matter to you?• Do you care about your customers and customer trust?• Do you have important Intellectual Property?• Do you have company secrets?• Do your products, services, or systems effect peoples lives?

Its getting worse. Data breaches and attacks are more common

Data breaches are getting bigger

Technology is failing us; fighting yesterdays battles

82 percent of all malware it detects stays active for a mere hour, and 70 percent of all threats only surface once, as malware authors rapidly change their software to skirt detection from traditional antivirus solutions(3).

(2)Antivirus "is dead," Brian Dye SVP INFOSEC at Symantec(1). "We don't think of antivirus as a moneymaker in any way."

Why? Your data is worth a lot

Why? Its just to easy• Tools such as Kali are widely • Point and click hacking tools • Hacking and Malware as a service are now wide spread• Most companies don’t even know if their are being hacked• Most companies don’t know how to respond

Why? Complexity is the bane of security• Organically grown systems – Bash and Shellshock are a great example

(1)• Systems layered and so complex they are hard to understand (2)• Overly specialized – nonsystem thinking

Why? Vendors really don’t care

• Vendors focus on features of their product and services first• Vendors product cycle is vicious allowing little time for security testing

and analysis • Vendors think security is something that should be added latter• Vendors are rarely sued or held responsible for the low quality of

security in their products

What can you do?

Realize your going to get compromised• Its not if. Its When!• Ask your self… What do you do when your compromised?• How well do you know how you will react? Timing, escalation, and

appropriateness. • Have you made connections with law enforcement, legal, PR, and

your vendors?• Who owns security in your company?• Who are the people who are most likely to attack you?

Focus on security early

• Include security in your business plan• Add security to your business model• At the start of a new service, product, or business • Add security as part of your cultural of excellence• Plan for the inevitable and make a response plan

Your people are your best security resource• Humans are better identifying modern threats• People are flexible• Humans assisted by technology are better than either • Your people and employees can respond to your needs while vendors

may not

What you can do right now

1. Prioritize your assets based on YOUR BUSINESS NEEDS2. Identify your major risks 3. Do a security assessment but make sure it focuses on YOUR BUSINESS NEEDS4. Work internally to understand your current policies and process to see if they

align with one and two5. Clarify and simplify 6. Make a response plan7. Create the ONION – Add your technical, physical, and human security systems8. Game and test9. Lather, Rinse, Repeat!

What you can do right now

• Hire a CSO or senior security professional• Invest in training• Empower you security staff• Invest in tools that empower people not replace• Join security groups • Connect with the FBI and local law enforcement• Make a relationship with a security partner• Remember security is a state not a goal

Questions?