Everything is not awesome: The rising threat of Cyber-attack and what to do about it
description
Transcript of Everything is not awesome: The rising threat of Cyber-attack and what to do about it
Everything Is Not
AwesomeThe rising threat of Cyber-attack and
what to do about it
Robi Sen, CSO, Department 13, [email protected]
Agenda
• Its all just getting worse• Data breaches more common and larger• Number of attacks in total rapidly increasing• Threats are more sophisticated and hard to stop• Technology is failing us
• Why is it getting worse• High value low risk• Low barrier to entry - Its so easy• As technology gets more complex its harder to secure• Vendors don’t really care
• What can we do• Be realistic and plan for compromise• Focus on security early not after a event• Realize that the best defense is people• What you can do right now
Realize security is core to your businessIf you can answer no to any of these questions then your can ignore security.
• Does your brand matter to you?• Do you care about your customers and customer trust?• Do you have important Intellectual Property?• Do you have company secrets?• Do your products, services, or systems effect peoples lives?
Its getting worse. Data breaches and attacks are more common
Data breaches are getting bigger
Technology is failing us; fighting yesterdays battles
82 percent of all malware it detects stays active for a mere hour, and 70 percent of all threats only surface once, as malware authors rapidly change their software to skirt detection from traditional antivirus solutions(3).
(2)Antivirus "is dead," Brian Dye SVP INFOSEC at Symantec(1). "We don't think of antivirus as a moneymaker in any way."
Why? Your data is worth a lot
Why? Its just to easy• Tools such as Kali are widely • Point and click hacking tools • Hacking and Malware as a service are now wide spread• Most companies don’t even know if their are being hacked• Most companies don’t know how to respond
Why? Complexity is the bane of security• Organically grown systems – Bash and Shellshock are a great example
(1)• Systems layered and so complex they are hard to understand (2)• Overly specialized – nonsystem thinking
Why? Vendors really don’t care
• Vendors focus on features of their product and services first• Vendors product cycle is vicious allowing little time for security testing
and analysis • Vendors think security is something that should be added latter• Vendors are rarely sued or held responsible for the low quality of
security in their products
What can you do?
Realize your going to get compromised• Its not if. Its When!• Ask your self… What do you do when your compromised?• How well do you know how you will react? Timing, escalation, and
appropriateness. • Have you made connections with law enforcement, legal, PR, and
your vendors?• Who owns security in your company?• Who are the people who are most likely to attack you?
Focus on security early
• Include security in your business plan• Add security to your business model• At the start of a new service, product, or business • Add security as part of your cultural of excellence• Plan for the inevitable and make a response plan
Your people are your best security resource• Humans are better identifying modern threats• People are flexible• Humans assisted by technology are better than either • Your people and employees can respond to your needs while vendors
may not
What you can do right now
1. Prioritize your assets based on YOUR BUSINESS NEEDS2. Identify your major risks 3. Do a security assessment but make sure it focuses on YOUR BUSINESS NEEDS4. Work internally to understand your current policies and process to see if they
align with one and two5. Clarify and simplify 6. Make a response plan7. Create the ONION – Add your technical, physical, and human security systems8. Game and test9. Lather, Rinse, Repeat!
What you can do right now
• Hire a CSO or senior security professional• Invest in training• Empower you security staff• Invest in tools that empower people not replace• Join security groups • Connect with the FBI and local law enforcement• Make a relationship with a security partner• Remember security is a state not a goal
Questions?