Moving up the Security Maturity Curve - SecTor
Transcript of Moving up the Security Maturity Curve - SecTor
Proprietary and confidential
Moving Up the Maturity Curve: The Sisyphean Task
• Managed Security Services Provider x 2
• DNS Security Vendor
• Video Surveillance & Analytics Vendor
• Enterprise Software / Financial / Telecom
INTRODUCTION
Jamie Hari – Director of Cloud & Security
• Technology Geek
• Comic Book Geek
• Music Geek
• Security Geek
INTRODUCTION
Jamie Hari – Director of Cloud & Security
• 10.4M Fiber Miles
• 124,000 Route Miles
• 49 zColo Data Centers
• 391 Markets Served
SECURITY MATURITY
Defining Security Maturity
SECURITY MATURITY
Maximize ROSI
SECURITY MATURITY
Technology Is Not the (Only) Answer
SECURITY MATURITY
Holistic Thinking
• Exhaustive?
• Up-to-Date?
• Automated?
SECURITY MATURITY
Back to Basics
HOW TO THINK ABOUT ROSI
ROSI Calculators
“It's a good idea in theory, but it's mostly bunk in practice. […] The key to making this work is good data.”- Bruce Schneier
HOW TO THINK ABOUT ROSI
The Data Imperative
HOW TO THINK ABOUT ROSI
Beware the Cost of Free
ACCOUNTABILITY & RESPONSIBILITY
Consolidate Accountability
ACCOUNTABILITY & RESPONSIBILITY
Define, Educate, Reinforce
SECURITY PROGRAM ASSETS
Security Program Assets
• Security Team Skills Matrix
• IT / Internet AUP
• Asset Summary
• Application List
• BC/DR Plan
• Data Retention Policy
• Network Architecture Diagram
• Recent Vulnerability Assessment
• List of Applicable Compliance Standards
PASSWORD POLICY
Password Reuse
55%
PASSWORD POLICY
Rethink Password Dogma
PASSWORD POLICY
Password Management
ROLE-BASED ACCESS CONTROL
Drive Efficacy, Reduce Human Error
• Identify and continually monitor:
  • Existing skills, missing skills, and single points of failure
• Part of the documented RACI
  • Improved through measured repetition, just like fire drills
SECURITY INCIDENT RESPONSE PLAN
Define, Educate, Reinforce
PARTNER SECURITY
Your Security Includes Their Security
SECURITY CULTURE
Resting Suspicious Face
• Many modern applications support it
• Simplified MFA tools, like Authenticator, provide improved UX
• Combined with SSO, further reduces password challenges
ATTACK SURFACE
Use MFA Everywhere
• Aggregate Internet ingress / egress
  • Less to manage, easier to monitor
• Remove bloatware from default system images
  • Less to patch, less to exploit
• Software
  • Deprecated / Custom APIs
  • Admin interfaces / Login and authentication entry points
ATTACK SURFACE
Reduce Your Attack Surface
Thank You