
All right, am I on now? I'm just reporting it, no problem.

Okay, great. All right, well, we'll get started. I appreciate everybody sticking around to the absolute bitter end of BSides to hear my talk. I'd like to say I'm batting cleanup, but it's probably not that. So anyway, the talk I'm going to present today is "Broke, Not Broken: An Effective Information Security Program with a Zero Dollar Budget."

But first, a little bit about me. I mean, you can read my corporate-communications-approved bio in the pamphlet, but I thought I'd share, I don't know, at a more direct level, a little bit about me and my background and why you might even want to bother continuing to sit through the rest of my talk. And credit where credit is due, I completely stole this idea from Johnny Long. So: hi, my name is... I used to be one of these, but now I'm one of these. I work for them. I do this for them. I'm wearing the jacket because they let me use the logo. Before that I was a security consultant for this company. You probably know them, but probably by other names, but that doesn't really matter, because I didn't really do anything on their behalf; I worked for them, and them, and them, and them, and them, and them, and them, and them, and them, and them.

Okay, let's see, what else. I learned to code here. I learned technical writing here. I got my business degree here. I've got one of these, I've got one of these, and, believe it or not, I'm old enough that I even have one of those. Yep. So none of this makes me anything like this guy, which I'm not, because, like I said, I'm like this guy. Though when I get up for work in the morning I like to think I'm a little more like this guy, except without the bag of guns, because it's not my job to stop this guy; it's my job to stop these guys. And if you don't believe me, here's a picture of the Gibson.

Okay, so that's me. Now let's talk a little bit about you, because if we're going to talk about why we would even put forth the concept of having a security program that doesn't have a budget, which is insanity in and of itself, I grant you, let's talk about the problem that we might need to solve in the first place. So, a little bit of the hard truth: you work in Michigan. And that's not a bag on Michigan. I'm a native son, I love this state, I will probably never move away again, and this is where we've chosen to have our family and raise our kids. But there are some things wrong with Michigan. One of them is that Michigan's been in a steady state of recession since before 9/11. It just has. And so even though we've kind of skipped off the bottom of the double dip (the last recession was really a double dip in Michigan), and things are improving, I'm not saying don't be optimistic, but we haven't even begun to approach where this state was in terms of jobs and revenue since 1999. So things are tight. I'm not telling you anything you don't already know, unless you work at GE, and then, whatever. I'm not banking on GE, but please, you guys, you guys don't have a budget problem when it comes to security.
All right. So, yeah, this is my "you work in Michigan," and "Dear Kevin Bacon." Okay. So, other things. The other thing that's happened over the last ten years, while those of us in the Midwest have been suffering through kind of an elongated manufacturing recession, is that consumerism has completely changed the way your IT department works, and if they haven't been paying attention, your CIO now finds him- or herself behind the eight ball. Anybody stop by the gas station and get an updated map to find this place? Why not? Right, exactly. So the last time I bought something, I pulled my phone out of my pocket, I pushed a button that controls the relationship that I have with this company, I interacted live with someone, and then I bought something and they sent it to my house. And that's such a huge, transformative thing for everybody that wants to make money. Whether or not they understand how to play in this space, they think they need to be in this space. So if your CIO is not talking about what they're doing around mobile technology, what they're doing about additional web capability, what they're doing about contact management, CRM, customer engagement, whatever you want to call it, and they're not talking about how they're going to do more of it cheaper and faster with things like cloud or ASPs (is anybody still using that term? It's all cloud now), whatever the case might be, if you're not hearing them talk about it, that's because somebody else in the business is talking about it, and we'll talk about why you need to find that person in a few minutes.

So we add all of that up, and add to that the sad truth that security is not strategic. Now, you may have a security strategy. I have a security strategy. I don't dare get out of bed in the morning and show up in my office without some idea of what that is and the ability to communicate that to my upline and to their peers, and down to the staff that actually carry it out, as well as all of the other folks in IS that need to know what I'm focused on and why it is I'm knocking on their door. But the fact of the matter is that it doesn't matter how secure I make things for my company. It's only ever table stakes. I'm not driving innovation, I'm not moving things forward, I'm certainly not seeing patients. Believe me, you don't want me to be the next person that shows up with a scalpel to perform surgery on you. I didn't go to school for that; we already talked about that.

So that leads to this problem. You may be getting budget to support the stuff we've already invested in: pay for maintenance, scheduled end-of-life stuff (that PIX has got to become an ASA; you can't run McAfee VirusScan 8.5 anymore, except on the NT4 box that we all know you still have). But the ability to invest in new capabilities, whether it be consulting dollars, whether it's capital for new software or new appliances, or whether it's even just budget for new staff, they're not going to throw at you. So let's talk about that for a minute, because the reality of the situation is that the CIO's role has become innovate or die. If you sell direct to consumer, or even if you don't but there's some perception that you have to engage consumers and you're not in that space, your CIO is looking at every other problem he has and saying, if I don't go do this, the company's not relevant in three years. And frankly, you want them working on that problem, because these are the people that pay you, and if in three years the company's not relevant, well, then it's gone in five and you need a new job anyway, so who cares about your budget. So, a little tough love.

Also, none of the stuff the CIO is going to spend any money on is going to make anything you're doing easier. This stuff all plugs into the internet. Everything we're going to spend money on is higher risk, from a security perspective, than the last round of stuff we did before. Additionally, and I hope the second bullet's not news to you, if you've got PII, got financials, got manufacturing IP, got storage, got bandwidth, then there is a very organized group of criminals that would like to send you a couple of emails, because they can monetize it, they can make money on it. This is the new black market. Foreign competitors have your old IP; they're probably going to get your new IP too. So if a big part of that mobile push is to go along with new product that you'd like to launch, and you'd really like to get it out there before the Chinese knockoffs hit the market, then you've got a lot of work to do and no budget to do it. And anybody get a call from, let's say, consultants, or maybe your representative, saying, hey, good news, the industry you're in, we're going to regulate it less? Yeah, not likely. So the bar is getting raised, or at least the obstacle course has gotten longer, depending on how you view regulation and how compliance looks in your organization. It's different everywhere.

So how do we address the issue of these problems coming on at the same time that we're not getting investment? Well, the first is we're going to stop calling them problems. We're going to stop talking about challenges. I'm not even going to say opportunities, because that's just one of those optimist's buzzwords, right? Like, look at this great opportunity we have. You're all laughing because you work with that person, where somebody just delivered horrible news and they're like, what a great opportunity. This is not great; that's not an opportunity. So instead we're just going to talk about strategic initiatives. We're going to talk about the hard work that we have to do
because these are transformational times um so what does that mean well we're going to talk about business alignment okay so business alignment is not this um business alignment it turns out it's actually really really simple right so when you're business aligned what you're doing is relevant to your leadership and to the company's strategy we'll talk about strategy in a minute because that ain't simple is like that that's something different on its own um so you're relevant what you're doing is enabling that strategy right so you're talking about the same thing that your cio is talking about the ceo is talking about you're working on making that thing a success and you're doing forward-looking things right this isn't about as i stand here
today this change control is going to introduce too much risk we're going to violate this law and so i can't let it through believe me important work not saying stop but you're not business aligned when you're you know the the guy at the gates going we'll let that one through i'm gonna let that one through that one stop i i always use this um this metaphor there's two right i i the security problem i call it the you know the hall monitor and the priest right so if i'm the hall monitor i'm the typical security guy that i've got to run around and find out what people are doing and when i tell you to stop
because you're running in the hall if you don't stop what am i going to do not much right stop or i'll say stop again yeah exactly thank you precisely i i'll send you to the principal's office and you might get detention right but i'm certainly not directly giving you detention and i'm certainly not going to be allowed to fire you right um so let's start there if your security can't function can't fire people don't spend a whole lot of time on rule enforcement it's sort of a waste of your time um and the and then the priest is um hey security guys we built this thing check and make sure it's okay because we go
live on monday right so but we're going to talk about how we solve that problem um because because it's actually up to you to solve that problem um because because it is right they're strategically aligned or at least they've got money right which makes them ahead of the game uh compared to you no offense um so that's business alignment those three things right you're you're on message you're relevant you're working on enabling the same things that everybody else is working on and you're looking forward okay so what's our strategy i just told you you need to be focused on strategy i would bet that maybe some of you in the room have a really good idea of what
your company's strategy is right what your stated goal is what your what your vision and values might be what it is you're going to try and accomplish over the next three to five years you might even know what the top five things that you're spending budget on this year are but i bet there's a good number of folks in the room that don't know what their company's strategy is so these are some questions you can ask yourself to kind of figure this out what does the ceo say the strategy is that let's start with that right i mean if your executive officer says we're going to go um you know we're going to innovate in
the space of new um solar powered flashlights that you know use a hybrid model so you can put gas in your flashlight too so be it you know which projects you should probably be talking to they're funded they're important right the solar powered gas hybrid flashlight project you should talk to those people um what are your other second-tier executives the cio the cfo the coo right because your cio isn't necessarily going to be out front on everything that has everything to do with politics and dynamics in the c-suite within your organization you know and i know some of the folks sitting in the room your c-suite could be a company unto itself so spend time finding out what people
are worried about but acknowledge that what the cia what the ceo or what even even what the ceo says your goals for the year are as an organization and the things that your top executives are worried about right market readiness for the the super duper solar powered flashlight hybrid right we might be worried about market readiness for that but if we're not doing anything about market readiness is is that really our strategy right if we're worried about the complexity of increased regulation but we haven't funded any projects to address our readiness for that new regulation is that really our strategy no it's just something that we're worrying about and doing nothing about it so what are you right so what are you
spending money on? Actually, I think these two go to that. I mean, the bottom two bullet points are where you should ask: if this stuff is in alignment, great, you work at a good company, stay there. If all of this has zero overlap with any of that, and those bottom two are both going on, run. But before you run, here's some things you can do. So, what's IT spending money on? And then, in addition, is your company spending lots of money on technology without IT involvement? This happens from time to time in companies where some other person, and, you know, blame the cloud or whatever. Which, by the way, like, this is a unicorn; does anybody actually run across this? This is how most cloud sales gigs go. They don't sell to IT anymore, because they compete with capabilities. IT is really, really good at calling BS on startups that don't know what they're doing, anyway, because we've got more experience and more seasoned people on our team than they have on theirs, in a lot of cases. And so when you ask things like, well, what's your RTO if the primary database goes down, and they go, ninety-nine point nine nine percent uptime, like, no, that's nice. Which is why they hate talking to us, because (a) we don't even have the budget, (b) we don't make the business decision, and (c) we make them look stupid. So they've stopped talking to us altogether, and now they're talking to somebody in finance all about their platform. And what are they telling them at the end of the meeting? Oh, and by the way, we're gonna save you money, this is gonna be easy to implement, you'll be up and running in two weeks, and you won't even have to call your help desk once; we are your new IT department. Asterisk. And what is that asterisk? That asterisk is: so long as you manually type in every piece of data that's in your current source of truth for, say, contact management, and then maintain it by hand. In which case it then becomes an unbudgeted burden that falls to the IT department, and we all know what the quality of those are when they come across the finish line. So even though you might not be invited to the table, these are good places to go looking for opportunities to get business aligned.

Okay, so, risk assessment. Risk assessment is great, because it's really a matter of doing some homework and coming up with a methodology. There are tons of good free ones; I recommend you steal liberally from the internet. But really it's this simple: risk equals impact times likelihood. Most enterprise risk assessments, and most of the ones you'll get out of Big Four audit companies, are really, really simple, like five-point Likert scales. This is not hard math, this is easy math. So this is you and an Excel spreadsheet and a bunch of questions and some meetings, doing risk assessment. And risk management? Well, risk assessment... risk management requires budget; we'll get to that. So, internet-exposed systems: we've got a lot of those. Core applications: you've probably got a couple of those. If nobody's looking at those, there's something to be said for understanding what your risks are there. Those are all things that your CIO will care about, by the way. Fraud and separation of duties: these are all things that your CFO will care about. So if there's opportunities for people to steal from the company electronically through your ERP or whatever it might be, get involved in that. Good opportunity for you to help add value, pretty much just out of your own time. Business continuity planning and DR. Yuck. But, you know, lots of people care, right? You want to know how much your company cares about BCP? Just hang around your help desk when something's down, and you know how much they care about BCP and DR. You'd be surprised how little people are willing to throw at this in terms of money, and actually you don't need a ton of money to be really good at this. You need money to be good at high availability, but high availability is what people do when they don't want to do the planning and documentation, and maintain it, for business continuity. Also business continuity, right, and I don't want this to turn into a BCP talk; like, at the end of this sentence I'm done. But the other part of business continuity is really identifying who are the users of this thing. And actually, sitting in security, especially if you're responsible for, let's say, access and administration and role-based authorization within your organization, you know better than anyone else where you work who needs to be available to make a thing run. It's in your log file.

Anybody in healthcare, or work with people in healthcare? Yeah. So the phrase of the year for healthcare is risk assessment. KPMG came out and said everybody we audited last year on the OCR-funded HIPAA audits, nobody was doing a good job of doing the risk assessment. And I know why. I'm in healthcare, I've been in healthcare for the last going-on nine years, and the reason that nobody's doing it is because the way it's written in the law, the actual HIPAA Security Rule
that went into effect in 2004, it's garbage. It's three sentences. It says you must perform a risk assessment as part of your security program. Well, when you read that in 2004, you did it once and thought you were done, and that's a valid interpretation of that law, until now, when they say, oh no, what we really meant is you've got to do it annually, it has to cover the following scope, and you must have a remediation plan that you can demonstrate you made progress against. All of that wording is not anywhere in the law. But also, if you're on the delivery side, whether you support doctors or you're in a hospital: meaningful use. If you're not aware of meaningful use, there's a whole bunch of federal matching dollars for patient engagement. This is the "we think HIEs might not have been the answer three years ago" play: we need to get doctors and patients communicating online. We need to drive down... what this really, honestly is, the stage two stuff, in my humble opinion, is we've got to stop paying doctors for meeting people in their office to give them lab results that they could just send them electronically. But there's more to it than that. There's also disease management and other things that could really make a big difference. But anyway, there's lots of money in this, and this requires a risk assessment. So do you think, if you did a risk assessment against your main EMRs, or your claims-pay application, and then any of the brand new web and mobile stuff that you're spinning up to engage with those patients around meaningful use, you think there might be money next year to fix those holes? Sure. Because if you don't, you're not going to get the money from the federal government, which could be a lot. So that's my tip to those of you in healthcare.

Oh, and vendors. Let's pick on vendors. No, seriously though, because you probably have some strategic vendors that are holding a lot of risk for your organization, and this is a really good way to kind of get aligned up front. So, shortcuts to this: go talk to procurement. Procurement cares a lot about this. Understand what their concerns are, focus on what they're interested in up front, and offer to do a bunch of their work for them, and then add into that your own technology risk assessments, privacy risk assessments, and operational risk assessments, and be able to score vendors when they come out of the process. You may not ever get the ability to veto a vendor, but you can kick up to the signing executive or director who's going to be looking at that vendor what the risk is of going with that vendor, at the very least before. Because the other thing I found is vendors are really, really pliable before you cut a check. They will bend over. Sure will. Oh, dedicated hosting? Encrypting? Yeah, oh, of course. No, we don't do SAML for single sign-on right now, but we could develop that in the next 60 days and we'd give it to you at no cost. Call them after the first check clears and they've got you for three years on a contract: yeah, we don't support SAML, it's not even on the roadmap, thanks for calling, bye. So this is an opportunity just by having the conversation with the vendor, because at that point you're not asking anybody on the project team to do any of the hard work. They can punt it back over the fence to the vendor, and you can stand in there in their project meetings and go, oh yeah, that's really bad, and it's pretty industry standard, they really ought to just have this. And so somebody will go, yeah, we want you to write into the contract that you're going to do it. And what have you done? You've spent zero dollars, a little bit of your time, you haven't even added to the budget of the project, and you have not only made your environment more secure, but you've also made the environment of every other customer that that company does business with more secure. You're doing charity work. Congratulations to you. So pick on vendors, a lot.

So I just mentioned projects. Project consulting. This is just one slide in my whole presentation, but if you get nothing else out of today, get this. This is where information security inside of a company (so defensive sec, risk management, compliance, whatever you call what it is you do, if you work at the company where your security is applied) is at its best. This is where you are forward-looking, this is where you cost the least, and this is where people like working with you.
Which, admittedly, somewhere in this room there are people that don't like you, not because you're a jerk, but because you are there to check their work, and that's weight and cost and things that they don't like. So go to where the money's being spent. Go to the projects. You might not have gotten new capital this year to do new cool stuff, but somebody did. Go work with them, give liberally of your time, and focus on their outcomes and their objectives. So here's a scenario for you. Actually, this is how I know I'm business aligned. There's this project going at my company right now, and it is going live in August. We got in early with the project team, and they asked us to kind of look at the contract, and we discovered, hey, what we're not seeing here is a pass-through on the hosting fee. Where is this hosted? Guesses? Yeah, yeah: a dirty, dirty cloud called GoDaddy. And this is not one of those "oh, it's just marketing collateral on the web." No, this is strategic. This is a 20... I work at a pretty big healthcare provider on the west coast of the state, and every place I've been to since the beginning of the year, five different events where the CEO of our company has been, the last five times I've seen the CEO he's brought up this project. With the site that's hosted at GoDaddy, with no ability to do single sign-on from our own web app, no ability to encrypt data in the database, and when we asked to review their policies and procedures, they sent us 200 pages, which seemed like a lot of policies and procedures for an eight-person startup with a standard work-from-home setup. Why they would have an enterprise wireless policy we were a little surprised at, until we found where their search-and-replace had failed, and we found the actual company that they stole the policy documents from.

True story. And I won't name the person, but I was in an actual meeting where we were talking about... so those of you that deal with the federal government know there's all kind of regulation around geographically where you can put data that they have an interest in, and typically the rule is you can't put it outside the U.S. So we were working with a company whose name I promise you know that has a cloud presence. They have U.S.-based data centers, but they have some in Canada and some in APAC and some in Europe. And we said we want it specified in the contract that you will never fail over outside of the country, that we're only ever going to have a presence in one of these four locations. They didn't, but we got there. But what was really funny was the executive sponsor said, so that's really an issue? I mean, I thought, you know, when it said cloud, like, geographic boundaries didn't really matter, I just kind of thought it was up there somewhere. And I kid you not, I realized at that moment I'm sitting across the table from somebody with a much bigger paycheck than me and a master's degree who thought the cloud was actually airborne. Yep. And why did she think it was airborne? She thought it was airborne because no vendor ever came along to dispel that myth. They were happy to let her keep believing that it was magic.

Okay, so, but again, project consulting. You're in early. Early in the phase, if you're there for project ideation or for design, you have the opportunity to comment on things before anybody's written a line of code, before anybody's bought hardware, before anybody's chosen a vendor. And so you have the opportunity to work in tandem with these people on shared goals to drive towards secure decisions, and you have visibility to the budget constraints, so you're not the jerk that showed up and blew their budget at the last minute, because you knew what it was before they ever spent any of it. And you were also there at the time when you had the opportunity to say, well, you know what, it really would make a big difference, and now another project manager and everybody else is on board with you, it really would make a big difference if we did this other thing, and we could get more of what we wanted, but it would require a little bit more money. And then as a project you go back and ask for some additional money, which is a whole lot more successful than being the guy at the end going, hey, you're gonna need to spend all this other money and delay your go-live by 30 days because that's more secure. Nobody listens to that guy. That guy's a jerk, he's in the way, he's an obstacle. But if you're in the early project meetings, the same discussions are like, wow, it's been so great to have security at the table with us, they've made this so easy for us. So I'll stop ranting.

Architecture, or whatever. You know, I don't mean to pick on folks that have architect in their title or work in an enterprise architecture group, whether you do Zachman or TOGAF or whatever. I don't put it on LinkedIn, but I'm EACOE-certified in Zachman, and yeah. So
so but but architecture really um is an opportunity though um to uh to kind of have your say on stuff right i mean it's a it's a little ivory tower it can be a little obnoxious um but uh you know right but but everybody expects the architect to show up and talk about you know cloud mobile byod so big data right i mean you know just just read you know just read the last six months headlines off of right off of networking world or whatever right and uh and uh and but but the thing is is that if you're doing you know or cio magazine or whatever right but but you're you somebody in your organization is
reading that and thinking about it and at least saying your cio is saying i have to have an answer for this buzzword because my upline is going to go to a conference somewhere and they're going to want to come ask me what what are we doing about big data backing it up sir um right right it's it's in the cloud we're backing it up to the cloud um right so but but one of the things you can do as an architect though is you can you can get there before everybody else's project is even funded you can get to where you think you're going but again this requires kind of understanding what the strategy is but
then you can come out with so instead of being the security group that shows up and says like oh you did this all wrong go back and rework it you instead say hey i don't know if anybody's going to do a project on big data but here's some security stuff that would let you do big data around our sensitive data right or here is how we would want to secure and make redundant restful services to support portable web applications html5 apps and mobile apps that we want to roll out and here is maybe you know here are some standards we would want for um you know secure storage containers so that we can put the data that our customers
uh actually care about right on their mobile device instead of having to mask it and pretend like it's not there or just leave it unsecured on their device and put them at risk and eventually us but if you're out there describing how to do it the way you would want it done up front then nobody's got to come ask you and what your cio could read into that hopefully does read into that is hey here's how we will do this securely additionally um the the you know the the beautiful thing about architectures is it lets you say things like the tipping point for secure mobile enabled unstructured data in the cloud is 18 to 30 minutes out because the
leading innovators of integration with dlp and mda it's still immature i've been in this industry for 14 years i don't know what i just said i have no idea what that means but the beautiful part is but i do know what it does mean it does mean all those buzzwords i just threw at you were not ready to do that with secure data but we will be but we're not now and you don't even have to stand on that point because you just said hey the technology is immature right prove me wrong i dare you like it's fully mature so says the vendor okay so anyway um but so that's that's like an artful ivy
tower kind of way of saying no um so um so okay seriously this time on architecture though um future forward capabilities right um so somebody somewhere in your company is thinking about how are we doing infrastructure as a service right if you're running out of floor space in your data center you probably well you may have a cio who's thinking i'm never building another data center right why would i right somebody somebody cio is thinking that i know that um so but if you never build another data center where are you going to put your regulated data wouldn't you like more regulated data right i mean you'd like less regulation but you'd like more of the data because
it means you're doing more of the things that are core to what your industry is all about. So: data and network security designs for infrastructure as a service. I'll give you an example, too. Anybody here, raise your hand, and I won't call on you or pick on you; this is an informal poll, you can lie and I won't check. Raise your hand if somebody in here is doing infrastructure as a service, in particular Amazon Virtual Private Cloud, maybe rolling out servers. Okay, so not nobody. So to do VPC, one of your firewall engineers probably set up some sort of a dedicated VPN tunnel and extended your network topology into the cloud. That's pretty sweet, right? Is that same guy managing the firewall rules out in front of those servers for when people hit them from the cloud? No, the answer to that is totally no. It's some server engineer that's never played with AWS before, and probably didn't do it right, did he? But you don't even know, because they didn't give you the VIPs, so you don't even know what to scan with your vulnerability scanner to know whether or not you got the firewall rule set right. So write them a document and show them how to do it, and moreover, go operational: don't just talk about what should be done, but talk about who should own the process. That's another thing architecture can do; at least within IT, you say who should own this process, because you have existing affinity. That's part of how we do architecture, right? We map to business process.

Okay, other things: secure standards. If you want the developers to never ask you to lunch again, SDLC practices. But the one caveat to that is, okay, so today we're a Java shop, and the VP of application development has just announced that we're going to go completely .NET, because they haven't read the CIO article on mobile. So we're going .NET, and so before everybody's got to get Visual
Studio Ultimate installed at 13k a pop, we're going to go ahead and write SDLC for .NET. So while everybody's learning the new standard and working in the environment, you do have an opportunity to introduce standards. But if you've been coding Java in your environment for seven years and you show up with "By the way, here's how you do it right," I hope you enjoyed writing the document, because that's the value that it's going to provide: your personal enjoyment.

Server build guides. Here's how to sell server build guides to infrastructure, by the way, because they hate these, and I would too. If somebody that didn't work in my department and wasn't responsible for my responsibilities came to me and said, "By the way, here's how you're going to do your job now," I wouldn't care for that. Here's the take I have on server build guides, though. Go back to the last time you had an IT audit that said, "Boy, you guys, like, you're not patching this right, this isn't done right, you should..." and all this stuff, because I promise you this has happened. Big 4 auditor comes in and, you know, "Well, what we found is that all of your Oracle is running on port 18281, and that's the default port, and that's a problem." And that's got to drive your DBAs nuts. They're like, "Well, okay, yeah, it's on that port, and it's on like five other ports, because that's how we deploy TNS. And by the way, why is that even a problem?" "Well, you know, it's a best practice." Which is, by the way, if you have a CPA who's under the age of 30 saying "it's best practice," that means they don't know. Right back to Miller's law from Jen's talk. Okay, anyway. But the advantage is: here's our server build guide. If you go with the golden image, live on the standard, then when the auditors come through they have to audit against our standards and not theirs, and you can stop listening to them say stupid things. You can stop dealing with onesie-twosie break/fix things that you shouldn't have to be dealing with, because we're going to publish these standards. It's your one way out with server guides. They could see that as a lot of value, or they might not; they might, I don't know.

Okay, metrics. Security metrics are super hard. Risk metrics are the easiest to put together, because they come with a number and you can add them up and they kind of make sense, and nobody can call you on your risk metrics. Because if you don't have risk metrics today and you're going to build them, memorize
this phrase: "My risk metrics are relative to themselves and themselves alone; they do not translate across environments." Because what that really means is, all I'm doing is telling you this one's worse than that one, based on hopefully something that's a little more objective than it is subjective. But that's all you're really saying. Good metrics should tell a story, and ultimately where you're headed is data driving decision-making. This slide describes the next 12 months of my security program where I work, and I've got a lot of collateral, actually, if you care, because you're going to go down this road yourself. I'm happy to show you my collateral for this afterwards; I put together an infographic and a bunch of slides, and I am selling my data-driven security strategy within the organization, and I'm happy to share, because frankly I think it makes sense.

But the reality of the situation is, if you don't have metrics then you don't have a story to tell, because you can't quantify it. And even if you can tell a story, you can only sell that story once, because somebody's going to want a result, and if you can't produce a measurable result over time, then it's hard to continue to invest in your organization. Those of you that read Richard Bejtlich's books or blogs are probably familiar with his statements that security ROI is this unprovable thing, and it's really great, especially when we talk defensive, internal to a company. "Well, we implemented full disk encryption. It cost us a million five to do the entire organization." And I stand on: if it prevented us from having to go to the news once because we lost a laptop full of patient information, then (a) it was worth it, because it was the right thing to do, and (b) it paid for itself just on one lost laptop. But we didn't have to go to the news, we didn't spend that money, and because we encrypted it we don't bother, because we shouldn't have to bother, to track what data was on it. So it's unprovable. You say, "Well, we lost four laptops last year." "Yeah, but did any of them have the entirety of our database on it that we would have to report to the press?" "I don't know, because I don't want to have to track that." "Well, then, yeah." And that's an easy one, that's an easy one that I would hope most people would get. So, metrics, lots of metrics, and be dispassionate. You can tell, kind of, by listening to me, I get fired up about this stuff; sometimes it even makes me angry. But be outside of that, be away from that, and sometimes that's going to mean having to stop gaming your numbers and really do the things that your numbers say you have to focus on, even if your gut tells you something different. That's going to be the hardest challenge you'll have in operating metrics over years, but you'll be surprised.

The other thing about metrics, too, is don't forget the internal-facing value of them. Now, the value of them for the purpose of this talk is to give you a case to go forward with on where investment belongs, or at the very least to get to a place where you've done a really good job of informing your upline and the decision makers in your company about the risk that they're accepting, about the problems that they have, how good you're doing, how good you're not doing, are things improving, are they getting worse. And that's everything, even with hard-to-quantify things like external threats. At the very least you need to have some level of metrics around your incident response. If you don't have an incident response practice, stick around, I have some more on that, because you'd be surprised how cheaply you can do incident response.

And then finally, deliverables. I was starting to get here with metrics:
you need to be turning out reports, slide decks, Prezis, infographics, whatever it is. You need to be sharing this information both in person, so people have an opportunity to pull additional information out of you, get context around it, establish a dialogue, share their concerns, give you feedback; and additionally, you also need to publish this stuff. You need to send it with them. So after your upline and your peers whose stuff you're talking about have had the opportunity to give you feedback... by the way, if you're a peer with the director of IT infrastructure and you talk a lot about his stuff, share your stuff with him first, get his feedback, and then bring in the executives, because nobody likes a blindside. But publish and present. Arm them. Give them this information, because if you're the only person that knows about all the stuff that you've quantified and identified through your program, then it's not going to do you much good. So build a case around it and be transparent. And for that matter, at the very least, if nothing else, you've had several presentations, you've handed out a bunch of reports, and nobody in your upline or your peer group is going, "I don't even know what security's done this year."

But I get it. You may be sitting here saying, "None of what you said helps." That may well be true. So real quick, we're gonna play a game, and this game is called Name That Threat. Okay, can anybody name this threat? This is a trick question, it's kind of hard, but anybody name this threat? Wow, that's actually not bad. I made this intentionally fuzzy, but yes, this is a guy in the Ukraine getting arrested in relation to a Zeus botnet. I don't know his name, it wasn't in the article, it's probably not pronounceable, and it doesn't matter because he's dead anyway. All right, name this threat. What's that? Yup, who said Sabu? Well done. Yep, Hector Monsegur. This guy, it's not his mug shot, so you're gonna have to think hard. This will also tell me how many of you have been going to DEF CON for... yeah, Gonzalez, right. Yep, that's Albert. Okay, this guy. No, he's not from the UK, not totally; you're headed in the right direction, sort of. His name is Matt Flannery, and for everybody that knew Sabu, you should know this guy, because... Australia, yep. So Sabu's rolling over is what led to this guy's... this is Aush0k, supposedly the leader of LulzSec. How about this guy? He's my favorite of the list so far. Nobody? All right, this is David Kernell. He's famous for having hacked Sarah Palin's Yahoo account during the 2008 campaign. That's why you've all forgotten about him, because she didn't win, so he's still alive. And then finally, who's that? Who said APT1? It is, that is in fact APT1, that is PLA Unit 61398, aka APT1.

So I get it. All the stuff I just talked about, none of it helps with this crowd. So what can we do? Incident response. The good news about incident response is that your budget doesn't matter. The bad news about incident response is that your budget doesn't matter. It doesn't matter how much you're spending on prevention; the fact of the matter is you have problems. Somebody's circumventing something somewhere. No, I'm not going to pick on them. But if you're not looking for
phishing, web kits, malware C2 beacons, you're definitely missing something important, and chances are you're probably missing your data going out the door along with it. So the big thing that you do need investment for is dedicated time for investigating, but some time greater than zero is better than zero, even if it's eight hours a week across the entirety of your team. If you're looking for something you might find something, you might add value, and beginning to do this and quantifying it and reporting on it is how you get more investment in doing this.

True story: a few years ago we put forth the budget to go ahead and start bringing in some additional capabilities, some of which I'm going to talk about. We spent money on it; I don't regret having spent money on it. But that went to the capital committee, a group of executives, and one of the executives said, "We're just a small company in Michigan" (we're not, by the way), "we're just a small company in Michigan, who would want to hack us?" And that question, because I hadn't armed the CIO with the answer to it, cost me two-thirds of my budget that year. It just happened. And you know what, it's fair, because none of them could answer the question. They sat around and said, "Well, we're going to spend all this money on defending ourselves from a threat we can't quantify." So guess what I have a lot of metrics on now.

So, what to collect. If you're spinning up your program, you need to be looking at web browsing across your environment. If you can put this on clients, do it, because they all leave at the end of the day; but if you can't, get what you can get. SMTP: log what email is coming and going from your organization. Firewall logs: this is good for finding malware C2 beacons, which are getting harder and harder to find; your IDS is worse and worse at this, but still get an IDS, and in particular get an IDS that you can write custom signatures for, because the immediate value that you will get out of incident response is "I detected this problem, and now I've automated detecting it the next time it occurs." Because if all the threats all looked the same all the time, then IPS and AV would have worked and you wouldn't sit through these slides; you'd go, "This guy's crazy." But I'm not, because they don't. And then full packet capture. Boy, if you can get this, there's a lot of value to this.

So, commercial yet free. There's a lot of free technology out there. You might not realize this, but I would say that in the
space of incident response, better than half of the really good stuff is available in some form for free. So log aggregation, collection and search is going to be a key piece of what you need to be able to do. Logger has a software appliance that's free, Splunk has a free license, Q1 Labs QRadar has a free license. They all limit you by storage, but if you're starting out small, this is a good way to proof out the tools in your environment, too, by the way. So if you say, "Hey, right now, today, I'm only able to look at phishing attacks, because I'm only able to look at SMTP and these other things, and maybe IPS, but wouldn't it be great if we could also catch drive-by downloads? But we're out of storage. But this is the tool." I mean, that's a no-brainer for your CIO; you've already proved it in his environment, and it didn't cost them anything. NetWitness Investigator, that's a fun front end, but you've got to go get your own pcaps. But it turns out getting your own pcaps isn't that hard: Snort, Suricata. Long before my company acquired its network forensic technology, which may or may not be on that slide somewhere, we wrote our own, with a bunch of Perl scripts and Snort with zero signatures on it. It was actually a project put together by a really, really smart guy named Anthony Spina. But I wouldn't, don't do it now; use Suricata now. But before Suricata came out, we went through all the trouble of doing that ourselves, and the ability to extract full files, instead of packet snippets, out of your IPS is massive. And it's really not that hard, it's not that complicated; the infrastructure is pretty simple. Also for log aggregation: Snare, syslog-ng. I love syslog-ng. My backup box for my ArcSight Logger appliances is syslog-ng; I don't have two Loggers, I have Logger and a syslog-ng. OSSEC, well, OSSEC is free.

Also, if you're interested in this, start here, cut to the head of the line: Security Onion. I'm just going to say two things about Security Onion. One, you need a pair of old boxes and a SPAN port to get started. This is really, really straightforward; you're going to do some reading. Additionally, Doug Burks, the guy who's behind this, in fact he's actually presenting at a different B-Sides in Georgia today on this very topic, but he's got a set of talks. His talk from DerbyCon last fall is online on YouTube; just put "Doug Burks Security Onion" in the YouTube search box, go watch that presentation, and it's enough to get you started. And what it is, is it's all the good open source tools for network IR and analysis on a single distro, ready to run, and it's even got you the ability to deploy disparately across your network and send it back to a single management system for analysis. Very, very slick.

Okay, the other best free thing right now: Microsoft has released EMET. Raise your hand if this is news to you. Okay, this would be the other slide in my deck you need to write down. So EMET is the Enhanced Mitigation Experience Toolkit; I think the M was supposed to stand for malware somewhere along the way, but anyway. So version 4.0 was supposed to come out
on the 28th of May. It didn't make it, but it should be out any day now. What this does is it takes a bunch of stuff, some of the best of the BlueHat Prize from last year in ROP prevention, as well as the ability to do complicated, essentially memory corruption vulnerability mitigation at the kernel level, and you don't have an AV vendor who can deliver this to you today, because Microsoft will only allow their signed code to do some of the things that EMET does. But don't worry, the price is right: it's free. Starting in version three you can manage it with AD policy, per-process memory exploit protections. That's the other thing: you can turn it on with Group Policy for stuff. So let's say you've got a legacy app that dies when you do anything interesting with the stack. That's okay, because you can just choose to wrap IE, Flash and Acrobat Reader and move on. Also the new version coming out has some stuff for certificate pinning, the ability to detect and prevent those attacks. And the biggie is, right now version three only writes to local syslog, so if you don't have some way of using WMI to pull event logs off of every workstation in your environment, four will be a big boon to you, because now it'll do central reporting back to SCOM, as well as back to Microsoft if you'd like to give them intel about your environment and the type of exploits that are being seen.

And this is my EMET story. Part of our company is a health plan, about 1500 workstations. We rolled it out in October of last year, and you can see these are cases by month of malware that they detected within the health plan environment, and this drop was tremendous. And actually, here's the best part. In November we had one case and in December we had four. November, that one case was actually one of the laptops that this wasn't deployed to; it wasn't part of the standard image, it was something else. And then the other four were fake AV that didn't use an exploit and were easily cleaned, those four cases in December. Question? What's that? Similar? It's... yeah, similar, I'll say similar. It's a little more complicated on the... but I'm not back up in the double digits, which is cool. So that's the biggest statistical decline we've had in that case metric since 2009. I told you I had a bunch of metrics about this stuff now. And this is the single largest decline we've had in malware cases across our environment in a month-to-month comparison since we implemented special content filtering for detecting malware-related sites, so, like your Websense-type stuff. And of course the difference is that Websense doesn't go home with people on my network; this goes home with you.

Okay, so real quick, because I'm out here representing the west coast, I wanted to give a couple of shameless promotions. First of all, if you're interested in working in information security, and in particular in risk management and project consulting, which I've just spent a bunch of time talking about, I'm hiring, looking for two people to join my team based out of Grand Rapids. If you're going to be in Grand Rapids, come visit us at GRSAC; it's a monthly meetup, we go to a bar and talk about security, it's awesome. And also in the fall, even if you're not willing to come out just to drink beer with us, come out for GrrCON, which I see Chris has already been here ahead of me and put flyers up everywhere, so that's a little redundant. Okay, and that's my talk. Who's got the first question? We're at time? All right then, catch me in the hallway. Thank you very much.
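Editor's added example, not the speaker's code or any tool from his team: the talk's "what to collect" section says firewall logs are where you find malware C2 beacons, and that the IDS to buy is one you can write custom signatures for, so that "I detected this problem" becomes "now I've automated detecting it the next time." The script below does exactly that round trip on constructed input. It parses a small firewall export (the line format, hosts and addresses are made up for the example), groups outbound connections by source, destination and port, flags any group whose inter-arrival times are nearly constant, and emits a Snort/Suricata rule for the flagged destination. The log format, the jitter and count thresholds, and the rule SID are all assumptions; internal DNS traffic is included to show that RFC 1918 destinations are skipped.

```python
"""Beacon hunting over firewall logs, then turning the finding into a custom IDS rule.

Added example for illustration; the log lines below are constructed, not real traffic.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed firewall export (assumed format: "timestamp src dst dport action").
# 10.1.2.15 talks to 203.0.113.7:443 every ~300 s with a second or two of jitter (a beacon);
# 10.1.2.20 talks to 198.51.100.9:80 at irregular, human-looking intervals (browsing);
# the last line is internal DNS and must be ignored as a candidate destination.
SAMPLE_LOG = """\
2013-06-01T09:00:00 10.1.2.15 203.0.113.7 443 allow
2013-06-01T09:05:01 10.1.2.15 203.0.113.7 443 allow
2013-06-01T09:10:00 10.1.2.15 203.0.113.7 443 allow
2013-06-01T09:14:59 10.1.2.15 203.0.113.7 443 allow
2013-06-01T09:20:00 10.1.2.15 203.0.113.7 443 allow
2013-06-01T09:25:02 10.1.2.15 203.0.113.7 443 allow
2013-06-01T09:00:13 10.1.2.20 198.51.100.9 80 allow
2013-06-01T09:00:47 10.1.2.20 198.51.100.9 80 allow
2013-06-01T09:03:02 10.1.2.20 198.51.100.9 80 allow
2013-06-01T09:17:44 10.1.2.20 198.51.100.9 80 allow
2013-06-01T09:18:01 10.1.2.20 198.51.100.9 80 allow
2013-06-01T09:40:10 10.1.2.20 198.51.100.9 80 allow
2013-06-01T09:00:09 10.1.2.15 10.1.2.1 53 allow
"""

# RFC 1918 space; traffic that stays inside it is not what we are hunting here.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 addresses."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_firewall_log(text):
    """Parse the assumed 'timestamp src dst dport action' format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        try:
            records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                            "src": src, "dst": dst, "dport": int(dport), "action": action})
        except ValueError:
            continue  # bad timestamp or port: drop the line rather than crash the hunt
    return records


def find_beacons(records, min_connections=5, max_jitter=0.10):
    """Flag (src, dst, dport) groups whose connections recur at a near-constant interval.

    Jitter is the coefficient of variation (population stdev / mean) of the gaps between
    connections. A beacon with a fixed sleep, even with a little randomisation, sits far
    below the assumed 10% threshold; interactive browsing sits far above it. Denied
    connections count too: a blocked beacon is still an infected host.
    """
    groups = defaultdict(list)
    for r in records:
        if is_internal(r["dst"]):
            continue
        groups[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    findings = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all connections in the same second: a burst, not a beacon
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                             "period": round(mean), "jitter": round(jitter, 4)})
    return findings


def snort_rule(finding, sid):
    """Turn a finding into a Snort/Suricata rule so the next occurrence is caught automatically.

    detection_filter only fires after `count` connections from one source inside `seconds`
    (about five beacon periods), so a single stray connection to the address does not alert.
    The SID is an assumption; use your local custom-rule range.
    """
    window = finding["period"] * 5
    return (
        f'alert tcp $HOME_NET any -> {finding["dst"]} {finding["dport"]} '
        f'(msg:"Possible C2 beacon to {finding["dst"]}:{finding["dport"]} '
        f'every ~{finding["period"]}s"; flow:to_server; '
        f'detection_filter:track by_src, count 5, seconds {window}; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    for i, f in enumerate(find_beacons(parse_firewall_log(SAMPLE_LOG))):
        print(f)
        print(snort_rule(f, 1000001 + i))
```

On the sample data only the 10.1.2.15 to 203.0.113.7:443 group survives: six connections with gaps of 299 to 302 seconds give a jitter under one percent, while the browsing host's gaps range from 17 to over 1300 seconds. Against a real export you would raise `min_connections` for noisy hosts, whitelist known-good periodic traffic (update servers, monitoring), and feed the generated rule into the IDS the talk tells you to buy; the rule is the metric-producing artifact, since every later hit is a counted, automated detection rather than a fresh investigation.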