Kevin Flook Field Channels System Engineer kflook@cisco.com Modern Security vs. Modern Threats.


Page 1: Kevin Flook Field Channels System Engineer kflook@cisco.com Modern Security vs. Modern Threats.

Kevin Flook

Field Channels System Engineer

kflook@cisco.com

Modern Security vs. Modern Threats

Page 2

© 2008 Cisco Systems, Inc. All rights reserved.

Today’s Session

1. Recognize the Significance of Security

The Business Perspective

Data Owners vs Custodians

Security provides access to C-level

2. Understand the Real Threats

Understanding the Hacker’s Strategy

Tools and Methods

The Impact is great

3. How to Leverage Compliance and Liability

Key Concepts of Compliance

Information Lifecycle Management

The Compliance Landscape

4. Selling Cisco Security to Data Owners

Risk Management

Security in the Boardroom

Page 3

2 Key Principles of Selling Security

1. Stop focusing on product, start focusing on assets!

Digital Assets = Mission-critical data, Intellectual property (company data + customer data)

Security is not a product, but a discipline comprised of technical (that’s us!), administrative, and physical controls working together to protect assets

2. Find the asset owner

The person with liability, usually NOT the CIO

Not the data custodian, whose liability is limited to job security

• SECURITY HAS THE POWER TO GET US INTO THE CXO SUITE MORE THAN ANY OTHER TECHNOLOGY

CAT > Board of Directors, CEO, CFO, CIO

Emerson > Board of Directors, CEO, CFO, CIO

Page 4

Recognizing the Significance of Security

Trends and Sound-Bytes

• Widespread outages from viruses and worms are “old skool”

• 90% of Corporate America’s Intellectual Capital is stored and transmitted across IT infrastructures

• Cyber-crime is now extremely organized and stealthy

Estimated $67.2B market, with 20x projected growth over 5yrs

Bigger than drug trade market today

• 100M US Population IDs have been reported stolen

• 250,000 new zombies created each day

• MS reports 60% of telecommuting PCs are zombies

6% of inside systems

Statistically 99.9% probability your customer has one or more compromised machines

• 10x more expensive to react to (clean up) a breach than to put in countermeasures to proactively stop it in the first place

• Denial of Service attacks have increased by over 400% this year

Page 5

Understand the Real Threats

Changing Paradigm

• Security is no longer about virus/worms, but that’s the mindset most IT shops are stuck in

• The new and real threat is information and resource theft

• Impact of Theft:

– Up to and including Imprisonment for Data Owners

– Loss of shareholder value

– “CIO Magazine says that reported ID Thefts take an average of 5% hit on shareholder value and up to a year to recover”

– Loss of Market Share

– Loss of customer confidence (TJ Maxx)

– Business Disruption

– Corporate and Personal Liability

– Average of $600,000 to notify customers of breach (~$300/ID)

Page 6

Selling Security to Data Owners

Security = Risk Mitigation

[Figure: Risk, shown on axes of LIKELIHOOD and IMPACT]

Without both likelihood and impact there is no risk

We can’t control the Impact of a breach, but we CAN control the likelihood

Trusted Advisor covers ALL Security Controls

• Physical

Door locks, key card access

• Administrative

Security Policies, Procedures, Guidelines

• Technical

Applications, network

Page 7

Sell the SDN to Data Owners

1. Stop focusing on product, start focusing on assets!

2. Find the asset owner

• Michael Bosworth (Solution Selling) says: “You get delegated to the people you sound like.”

• The next time someone says: “You should work with our IT engineering people...”, you should translate – I must sound like an IT engineer...

Page 8

Talking about Security in the Boardroom

Step 1: The 3 Questions

Developing a Comprehensive IT Risk Mitigation Strategy:

1. What assets are you trying to protect?

- Credit Card Numbers

- Identity Information

- Political reputation

- Patient Health Information

2. What are the relevant threats?

- Constantly evolving threat landscape

- Non-Compliance

3. How comfortable are you with your organization’s ability to detect and respond to these threats?

- Show an IT Auditor that you’ve exercised Due Care

Page 9

Where Do You Start?

Step 2: The House

Protecting Your House

Protect: Fence, Locks, Door, Windows, Dog

Detect: Alarms, Dog, Neighborhood Watch, Motion Detector

Respond: Police, Gun, Insurance, Dog

Page 10

Where Do You Start?

Step 2: The House

Protecting Your House / Your Enterprise

Protect: Fence, Locks, Door, Windows, Dog

Detect: Alarms, Dog, Neighborhood Watch, Motion Detector

Respond: Police, Gun, Insurance, Dog

Reputation-based Security

Behavioral Security

Updated Security Information / Monitoring

Static Security

Page 11

Beyond Due Diligence

Focus on Due Care

Due Care - shows that an organization has taken responsibility for the activities that take place within the organization and has taken the necessary steps to protect the organization, its resources, its employees and clients from possible risks. If an organization does not practice due care pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence.

- CISSP Exam Guide –

due care n. the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others. If one uses due care then an injured party cannot prove negligence. This is one of those nebulous standards by which negligence is tested. Each juror has to determine what a "reasonable" man or woman would do.

- The Law Encyclopedia -

Page 12

Step 3: The Cloud

How easy it is to break into networks today

Points of entry

• Pop-ups

• Email attachments

• Web Links

• Keystroke Loggers

• Instant Messaging

• Peer to Peer file sharing

Trusted Network

UN-Trusted Network

Page 13

4 Reasons Organizations Buy Security

1. Risk Mitigation

Personal/Organizational liability (Sarbanes-Oxley, PCI, etc.)

Tarnished image

Negative Publicity/Political carnage

2. Returns on Investment (ROI)

3. Competitive Advantage

Product

Cost reduction

Employee/Customer/Constituent Satisfaction

4. Operational Efficiencies/Increased Productivity

Page 14

Cisco’s Security Value Proposition

1. Security is embedded in all our products (features and development)

2. The network touches all hosts, people, processes

3. R&D spending @ $350M annually

4. Acquisition strategy and execution

5. Total breadth of security offering to address dynamic and growing threat vectors

Collaboration vs. Best of Breed

6. Support infrastructure, intellectual capital, and human resources

7. John Chambers – Visionary, Celebrity

John spends more than 50% of his time talking security
