New Rules, New Tools - csoconference.com



Page 2

New Rules, New Tools for a New World

“Tools and Toys for the InfoSec Bat Cave”

Stash Jarocki, Director, Information Security

John Kirkwood, VP, CISO

February 2018

Page 3

“Opinions expressed are solely my own and do not express the views or opinions of my employer.”

Page 4

The Old World! Do you Remember?

• Monitoring software – Heartbeat, etc.

• Anti-Virus sets – Certus, Symantec, McAfee, etc.

• SIEMs

• Bindview – NetWare auditing

• NMAP

• Network Security Tools – Metasploit, Nessus, Tripwire, etc.

• Hacker Tools – Satan!; Snort, Wireshark, Cain & Abel, Aircrack-ng

• GRC tools – Archer, ZenGRC

• Microsoft AD – ADAudit

Page 5

Welcome to the New World Order

• The New World is evolving daily
  - BI
  - AI
  - IoT
  - Big Data

• New, larger and more devious attacks are being launched
  - Mirai
  - WannaCry
  - Sauron
  - Equifax

• In the first 6 months of 2017, 918 breaches compromised 1.9B data records…. That we know of!
  - 22 of the largest breaches involved more than 1 million records
  - For 500 of the 918 breaches, we don’t know how many records were compromised

“Security is no longer a reactive measure but an expectation from companies and consumers.”

Page 6

For the New World, CISOs need to Adopt new rules!

1. Security must be embedded and a lasting part in/of the culture

2. Security must be the shared responsibility of everyone, based on their job function

3. Beg, borrow or steal – Security MUST keep pace with the velocity of business evolution, anticipating trends and needs.

“To defeat Advanced Persistent Threats one needs to practice Adaptive Persistent Security.” - Ira Winkler, 2018

Page 7

Cross-Reference Policies to Critical Security Capabilities

ABS Information Security Policies

1. Information Security Management
2. Information Risk Management
3. Personnel Security
4. Physical Security
5. Cyber Operations, Monitoring, and Response
6. Acceptable Use, Communications and Encryption Management
7. Access Control
8. Application Security Management
9. Legal, Privacy, Regulatory Compliance

Top 20 Critical Cyber Security Controls (CSC) Framework

SANS Top 20 Critical Security Controls (CSC V6.0), cross-referenced to the NIST Framework functions (Information Security Capabilities): Identify (ID), Protect (PR), Detect (DE), Respond (RS), Recover (RC). Cells hold the NIST Framework category code under each function.

| # | Critical Security Control (CSC V6.0) | ID | PR | DE | RS | RC |
|---|---|---|---|---|---|---|
| 1 | Inventory of Authorized and Unauthorized Devices | AM | | | | |
| 2 | Inventory of Authorized and Unauthorized Software | AM | | | | |
| 3 | Secure Configuration of End-User Devices | | IP | | | |
| 4 | Continuous Vulnerability Assessment & Remediation | RA, RM | | CM | MI | |
| 5 | Controlled Use of Administrative Privileges | | AC | | | |
| 6 | Maintenance, Monitoring, and Analysis of Audit Logs | | | AE | AN | |
| 7 | Email and Web Browser Protections | | PT | | | |
| 8 | Malware Defense | | PT | CM | | |
| 9 | Limitation and Control of Network Ports, Protocols, and Services | | IP | | | |
| 10 | Data Recovery Capability | | | | | RP |
| 11 | Secure Configuration of Network Devices | | IP | | | |
| 12 | Boundary Defense | | | DP | | |
| 13 | Data Protection | | DS | | | |
| 14 | Controlled Access Based on Need to Know | | AC | | | |
| 15 | Wireless Access Control | | AC | | | |
| 16 | Account Monitoring and Control | | AC | CM | | |
| 17 | Security Skills Assessment and Appropriate Training | | AT | | | |
| 18 | Application Software Security | | IP | | | |
| 19 | Incident Response and Management | | | AE | RP | |
| 20 | Penetration Tests and Red Team Exercises | | | | IM | IM |

NIST Framework

Page 8

New Rule #1: Imbed Security into the Culture

• Critical to create strategies for managing and measuring how Security is imbedded into the culture
  - “Secure & Compliant by Design” MUST be a mantra
  - Processes such as Agile and DevOps MUST include security principles
  - Security Awareness Expos can be a particularly effective way to engage and judge the engagement of users

• Don’t be stuck with compliance as security

If you don’t create target goals for cultural transformation, long term impact of the security program will be limited.

Page 9

New Rule #2: Security is the shared responsibility of everyone.

• New projects and systems should demonstrate adherence to Security culture principles rather than the InfoSec group being the sole custodians of secure practices

• Process flow and RACI charts are fundamental to gaining clarity as to security and control responsibilities of all actors

• Incorporate security controls into general policies and procedures to be self-documenting and self-verifying

• Freely train and empower others on security topics and objectives so that they know how to make informed choices

Page 10

Critical to Change Expectations and Organizational Focus

▪ Minimally, compliance requirements required for regulatory, industry and corporate purposes must be met

▪ Tactically, key controls and policies provide the ability to more effectively meet compliance mandates by federating requirements

▪ Strategically, projects and programs focus on managing risks to minimize the attack surface

▪ Aspirationally, business goals and objectives are enabled by appropriate application of practices, processes and resources

Page 11

New Rule #3: Pacing Business Velocity and Innovation

• Gone are the days when it was even desirable to maintain a self-contained Information Security Organization
  - Resources are too limited and not necessarily appropriately trained or experienced

• Cyber Security groups tend to “multi-source” their organization
  - Managed Security Services for top and bottom end services
  - Niche Consulting for expertise and knowledge transfer
  - IT groups, as able, to expand availability
  - More focus on “BISO” functions to remain close to the business

• Focus on Services, capabilities, and objectives rather than simply more tools
  - The business understands the need for and criticality of capabilities

Page 12

Identity Life Cycle Services and Activities

Identity Access Management Services

• Authentication
  - Web SSO
  - MFA

• Authorization
  - Rule / Attribute Based
  - Role Based
  - Remote Authorization

• Entitlements
  - Gross
  - Fine-Grained

• Identity Verification
  - HR Process Integration

Identity Directory Services & Federation

• Directory Services
  - LDAP
  - User Repositories
  - Credential Stores
  - Access Meta-Databases
  - Data Synchronization

• Federation
  - On Prem (e.g. via SAML)
  - Cloud Identity Services
  - IDaaS

Identity Administration Services

• Web Services

• Provisioning
  - Self Service
  - On Demand
  - Termination
  - Transfer

• User Management
  - Password Management
  - Device
  - Group

• Privileged Access Management

• Identity Archives

Identity Audit and Compliance Services

• Role Management
  - Role Mining
  - Role Engineering
  - Role Governance
  - Role Certification

• Audit
  - Access Recertification
  - Entitlement Recertification
  - Segregation of Duties
  - Approvals
  - Exception Processing

• Reporting
  - Compliance Reporting
  - Process Reporting

Page 13

Rationalize Use of Tools, Services and Strategic Vendors

Tool rationalization table (columns on the slide: NIST, PCI 3.0, Cloud Security Alliance, Core Security Capability, ABS Service Catalog ID and Core Security Service, Existing Tools and/or Service Providers, Gap Filled by FY17 Spend, Gap Filled by FY18 Spend, Tools to be Divested). Numbers in parentheses after a tool are the service catalog IDs it covers.

1. Inventory of Authorized and Unauthorized Devices
   - NIST: ID.AM-1, ID.AM-3, PR.DS-3; PCI 3.0: 2.4; Cloud Security Alliance: DCS-01, MOS-09, MOS-15
   - Core Security Services: 1.1 Automated Asset Discovery and Inventory; 1.2 DHCP Server Logging; 1.3 End Point Management for Persistent Systems; 1.4 Network Level Authentication; 1.5 Active Directory Security Auditing
   - Existing Tools and/or Service Providers: Service Now (1.1, 1.3, 1.5); Men & Mice (1.2, 8.3); Radia (1.3, 3.1); Aruba Clearpass (1.4, 14.1, 15.1); Manage Engine AD Audit Plus (1.5)
   - Gap Filled by FY17 Spend: NO GAPS IDENTIFIED
   - Gap Filled by FY18 Spend: NO GAPS IDENTIFIED
   - Tools to be Divested: none listed

2. Inventory of Authorized and Unauthorized Software
   - NIST: ID.AM-2, PR.DS-6; Cloud Security Alliance: CCC-04, MOS-03, MOS-04, MOS-15
   - Core Security Services: 2.1 Software Configuration and Inventory Management; 2.2 Application Whitelisting; 2.3 Governance and Policy Process Management
   - Existing Tools and/or Service Providers: Adobe Enterprise (2.1); Agiliance Risk Vision (2.3)
   - Gap Filled by FY17 Spend: ServiceNow CMDB (2.1); Netskope Cloud Apps (2.1, 5.2, 6.1)
   - Gap Filled by FY18 Spend: Archer (1.1, 2.3, 4.1)
   - Tools to be Divested: Riskvision; McAfee App Whitelisting

3. Secure Configuration of End-User Devices
   - NIST: PR.IP-1; PCI 3.0: 2.2, 2.3, 6.2, 11.5; Cloud Security Alliance: IVS-07, MOS-15, MOS-19, TVM-02
   - Core Security Services: 3.1 Device Configuration Management and Change Control; 3.2 Mobile Device Management and Theft Protection; 3.3 File Integrity Monitoring
   - Existing Tools and/or Service Providers: 3.1 accounted for in 1.3; Airwatch (3.2); McAfee ePO (3.3); Absolute (3.2)
   - Gap Filled by FY17 Spend: MS Intune (3.2)
   - Gap Filled by FY18 Spend: Evaluate narrow FIM products – Tripwire/Symantec (3.3); MS Intune (3.2)
   - Tools to be Divested: McAfee ePO; Airwatch

4. Continuous Vulnerability Assessment and Remediation
   - NIST: ID.RA-1, ID.RA-2, PR.IP-12, DE.CM-8, RS.MI-3; PCI 3.0: 6.1, 6.2, 11.2; Cloud Security Alliance: IVS-05, MOS-15, MOS-19, TVM-02
   - Core Security Services: 4.1 Cyber Monitoring Intelligence and Benchmarking; 4.2 User Behavior Analytics; 4.3 Vulnerability Scanning (ASV), Prioritization, Patch Management; 4.4 Real-Time Wire Data Analytics
   - Existing Tools and/or Service Providers: BitSight (4.1); Exabeam (4.2); Tripwire nCircle IP360 (4.3)
   - Gap Filled by FY17 Spend: Not funded – ExtraHop (4.4)
   - Gap Filled by FY18 Spend: Not funded – ExtraHop (4.4)
   - Tools to be Divested: Redseal, Radia? (2018)

▪ Tool Rationalization provides the benefit of knowing the Which, What and Why around tools, services and strategic partners

▪ Rationalization provides a way to communicate that utilization is appropriate

▪ Identified Gaps can be easily understood and communicated

Example of the hierarchy, from policy down to tools:

• Policies and Controls

• Core Security Capabilities (20)
  o Data Protection (#13)

• Core Security Services (50+)
  o Data Loss Prevention (DLP)

• Core Security Tools (18)
  o Network: Symantec DLP
  o App: MS Exchange DLP
  o CASB: MS Office 365 DLP

Page 14

Results of Tool, Technologies, Services Rationalization

▪ Tools and Services Rationalized to minimum tools and services

▪ Where practical, tools retired or replaced via MSA agreement
  ▪ Checkpoint and Tipping Point IPS, in collaboration

▪ Some on-premise tools replaced by cloud capabilities:
  ▪ Appliance WAF to Cloud WAF
  ▪ On-Premise GRC to Cloud GRC

▪ Some savings in Infrastructure identified (e.g., utilize existing contracts with key vendor partnerships)
  ▪ Leveraging Microsoft Enterprise Agreement – “Airwatch” to “Intune”

▪ Collaboration with Infrastructure, Network, Digital, and App Dev to leverage tools owned by various groups

Resulting footprint:

18 Core / Basic existing Security Tools (Owned by InfoSec)

8 Professional Services

1 Managed Services

6 New Cloud Security Tools

9 tools replaced by MSA agreement

Page 15

New Tools – Example #1: Department Big Data

Page 16

New Tools – Example #2: Cloud Compensating Control

Protection layers in front of the WEBAPP:

▪ Access Control: blocks unwanted IPs, regions, countries

▪ Bot Mitigation: blocks automated attackers, bad bots, scrapers, spammers

▪ WAF: blocks hacking attacks, OWASP Top 10 attacks (SQLi, XSS, etc.)

▪ Custom Rule & Policy Engine: application-specific attacks

▪ Rationalized Applications are being assessed to determine readiness and need for remediation

▪ In anticipation that application remediation is not practical, Imperva will be used to provide additional layered compensating controls

▪ Incapsula is to be placed outside of the firewalls to provide protection and visibility

▪ Note: OWASP attack vectors will be managed by Imperva. InfoSec must be notified via the exception process if an application requires this functionality

Page 17

New Tools – Example #3: Block Chain

• “Walmart and IBM test blockchain for custom supply chain tracking” – SiliconANGLE, 11/22/2016

• Strategic and timely removal of tainted food and packages with confidence

Page 18

Coindesk – New View of Blockchain Tech

For those unfamiliar, the enterprise blockchain adoption timeline looks something like this:

• 2013-2014 was characterized as a period of learning, understanding the distinction between bitcoin, the currency, and the underlying protocol.

• 2015 introduced the concept of permissioned or consortium blockchains, as well as the term DLT (distributed ledger technology).

• 2016 was the year of the prototype or POC (proof of concept), where success was measured based on how many use cases for an industry or company could be identified.

• 2017 was braver, focusing on how companies could move beyond a POC and into a pilot, in preparation for production-level deployment.

• 2018 – Bitcoin – Value rides the roller coaster of Wall Street

Forward-thinking clients are wrestling with key questions based on how they, and their ecosystems, could transform business processes using blockchain technology.

These include:

• If this is not just a technology, but rather a paradigm shift, what will our business look like in 10 years?

• Given that this is a network technology, how do we find and participate in the relevant consortiums?

• On a use case specific basis, how do we identify and align interests with other stakeholders?

• Will these new blockchain-powered networks be run as a separate business venture of sorts?

• How do we find and develop talent in a decentralized world? (We’re seeing investments made in academic partnerships, research initiatives, and training)

Page 19

Quotes of the Day!

Half Life of a Breach – At the end of a year, the Executives are off and doing business as usual. The Breach has become a historic event…

Or

Security is a Journey not a Destination!

Page 20

Final Thought – Be Fearless and Courageous

• Innovate constantly – Fail early and often

• Be Adaptive

• Be aware of the 3 phases of new ideas
  - It can’t be done
  - It probably can be done, but it’s not worth doing
  - I knew it was a good idea all along!

- Arthur C. Clarke
