
No InfoSec Staff? No Problem

BSides Las Vegas · 2014 · 23:30 · Published 2016-12
Speaker: Anthony Czarnik
Category: Career
Style: Talk
About this talk
PG - No InfoSec Staff? No Problem - Anthony Czarnik Proving Ground BSidesLV 2014 - Tuscany Hotel - August 05, 2014
Transcript [en]

Power, power, knows who's going to die. I just can't believe this. I don't know, I'm just... where is it? Here we go, guys. My man... brought my doll. Please welcome Anthony Czarnik. His talk today is called No InfoSec Staff? No Problem.

I just got lazy, I have to use glasses now, see, where my page is... I had to sacrifice short-sight vision for long-sight vision. But we only have 30 minutes, and at this point we're down to like 22 or something, so I'm going to dive right in the deep end and we'll talk about my theory on what could be your greatest challenge in terms of a root cause for information security failure.

When I've interfaced with employees in IT, what I've noticed is, if they have a primary responsibility, talking about proactive, smart professionals like you and I, they'll take that primary responsibility and they'll do research, they come up with a plan, they proactively attack problems before the problem even occurs, and then they'll monitor their plan and they'll update it. 180-degree difference when they have something outside of their primary responsibility: it's reactive, things are taken one-off, and usually it's minimal time that they need to spend on something. Well, oftentimes it's not enough time. In our industry, if you're an IT leader, and/or an IT whatever, and you're also responsible for information security, you commonly suffer from what I call secondary responsibility syndrome. That creates a scenario where you're not putting in everything that's needed to really be effective. You may think that, until you get breached; you may not be aware of it.

Case in point: someone was referred to me, an IT director. "Tony, I got three problems I'm trying to solve, can you write me a statement of work for it?" We talked a little bit about his environment and his organization, and then I said I would take a step back and I would do a risk assessment. He said, "I can't, I only have enough budget for these three things. I know I'm still going to need to do them." We figured it out. What resulted from the risk assessment was a roadmap that we agreed on, and the bottom line is it was much different priorities than the three things he mentioned. And what was fantastic is, because of the risk assessment, we were able to go back to the CEO and get an order of magnitude more budget, because we proved how we were going to reduce the risk of IT, which was enabling the organization to achieve its business objectives.

Another example, in that case: third-party software. The IT director claimed the organization's business stakeholders were responsible for security of those third-party apps. When I met with the stakeholders, they said the IT director was responsible. So, end result: nobody was responsible, accountable, or even looking into whether the third-party cloud applications they were using were actually secure.

So, my theory and the case in point there are the drivers for this shortened session, where I want to provide you information about what could be potentially show-stopping challenges, some you haven't encountered yet and some you may not even be aware of yet. Now, unlike the IT director, I can't provide you with your roadmap today, right, because your roadmap's different than your roadmap, different than your roadmap. But what I can, and plan to, provide you today is a travel guide that will make you aware of tools like compasses and maps, roadside hazards, warning signs, and I can also provide you with example factors you should consider when you're determining your mode of transportation. You may say, "Well, I know I should drive a car, not a motorcycle." Maybe you should actually be taking the bus or a plane and let somebody else drive.

The top two challenges here, everyone has these, small businesses and enterprises, and what's really concerning is they're increasing at an accelerated pace. If I ran the sports book here at the Tuscany, I would give everyone here three-to-one odds that you don't even know all the third-party cloud apps that your employees are using, Dropbox, applications like that. It's a dynamic environment. Considering that, the legacy perimeter as we knew it is really dissolving, and we've now gone from a computer data center to the internet, and now the whole world has access. Now all of a sudden, whatever the perimeter, we've got mobile devices from our employees, our customers, our partners accessing, remote users, they can be using their own device or our company-sponsored device. Virtualization, it creates a blind spot; now that system is really a network, how do you see inside of it? Complexity, it's like kryptonite for security.

Let's take a step back; I jumped ahead here to save time. But the risk is real: SMBs are being targeted, and in one case beyond just because it's an opportunistic attack. My security... students, you know, that I trust on all types of security risk assessments, Dmitri, Jeff Scott, you know, he's opportunistic in his approach to, say, penetration testing, and then you have opportunistic attackers; they don't care who you are, they find an IP, they get in, they're going to go for data. So the risk is real, SMBs are being targeted. If you have partners, as an SMB, where they're an enterprise, you're a way to get in to that enterprise. I'm a legal firm and I've got Boeing as my client, all right? Probably a lot weaker security; let's go after the law firm and go through and get Boeing that way. It's a really complex net. We're going to move faster, shortage of time, but attack vectors, the bus routes, CTA routes in Chicago.

Um, everyone's probably heard of or seen some type of zombie movie, right? Dawn of the Dead was the first, I think, the black-and-white. Basically, you know the storyline even if you haven't seen one: you've got people, all of a sudden there's dead people coming back to life to eat them, everyone's freaked out and they're all running, and all of a sudden they find some old house, all right? There's panic, and they get in and they bolt up the doors and they board up the windows, and they take that first sigh of relief, and all of a sudden they hear some noise, like from downstairs: zombies are at the cellar door. As an industry, the network and the operating system were where we were targeted, those were the attack vectors, and we shored those up pretty well. And so what the attackers do, well, they found an area that not only we hadn't protected before, but it was more complex to protect; there's multiple layers, and developers, do you think they get paid more for writing code that has functionality and performance, or for making sure there's no SQL injections? So the zombies are at our cellar door, and it's not just web applications.

Blacklisting, it's not effective if you've got malware that keeps changing its signature by obfuscation, so it works the same but it's a little bit different; all of a sudden Barracuda and Sophos, they're not detecting it.

Picture this: you're in your office, the red phone rings, you know it's serious. Your number one web application, which is revenue-generating e-commerce, it's down to a crawl, so your entire IT staff is on it. This is primary responsibility now, maybe it's only you, whatever, but everyone's on it, because there could be terrorists in your data center and you wouldn't even know it. You know what? Again, I'm betting that there are terrorists, cyber terrorists, and what they're doing is, that denial of service was a smokescreen, and while you're focused on fixing that problem, they're extracting sensitive data.

Social engineering: it wasn't that long ago they were third-world-looking emails that, if you weren't brain dead, you'd realize this wasn't really the IT department asking for your password. But RSA, they got breached, the backbone of our security infrastructure, through social engineering that leveraged things like social media, where all that information's out there: know who your partners are, know who your suppliers are, co-workers. Or, none of these, we'll just get your users to a site that's attractive and then we'll infect them there, and we don't have to get in there; they're going to bring us in with them.

Consider that you need two very sort of polar attributes for cybercrime: you need someone who's really, really evil, and you also need somebody who's really, really smart. Those two qualities aren't going to come together that often, but you know what happens: the really smart people write the software and they sell it to the really evil people. Okay, yeah, I only got 20 minutes, but, I mean, I think for philosophy that's a great... we can talk about it later, really, okay? But if you're opening up, like, again, we'll talk about it outside. Um, just watch out, keep your wallet... if they had all your stuff, close, all right.

Um, threat actors: they could be somebody who's out for political gain. During NATO, Anonymous took down the Chicago Police Department's website because they could. Money. Power, a lot of people sell their soul for it. So the network's getting complicated, the attackers are getting complicated, and if you're an SMB, you don't have a lot of people, you don't have money, and you don't have the expertise. Look, hey, Dmitri, I've lost something; we're going to get my glasses on... I hit "end" on me, get right back to the PPT, I've hit the wrong button. All right, so with that said, so we've covered those two things.

I think the next thing I want to present to you would be how you can solve this. First, consider, like, it's a really lame attempt on my part to remember to discuss the wrong way before we talk about how to do it right, but consider that the wrong way is lame, so maybe it really fits. If your security technology is... how I see the wrong way: "What have I heard lately? It sounds like a good idea, that's what I should do." What happens all too often, if you do that, you either under-protect, or you over-protect and therefore overspend, or a combination of both.

What you should do, with the appropriate methodology, is to see that IT's an enabler; it helps businesses achieve their objectives, and inherent to that IT is risk, and it's important to have security that will reduce that risk to an acceptable level. Therefore you're supporting the business objectives; therefore you need to know your business, you need to know the objectives of the business, and most importantly, how does your information technology and systems support that business? Business-aligned. Just consider that if you can get in ahead of the curve, you've got a lot more chance of succeeding in terms of business case. Whenever there's an IT project, be part of it, make security part of it; it's much easier to justify from the beginning.

How do you start a risk-based approach? With a risk assessment. If you do a risk assessment, how do you decide where to invest your limited funding? How do you justify your business case? How do you justify that you're solving the worst risks of the business with what you're implementing? Simple formula: find out, from a high level, what are my assets, what's the threat landscape like, what's the probability of my gaps causing an exploit, and what's the impact of that event. Now, one recommendation with a risk assessment is to ensure that you take an approach that's aligned, you know, custom to the business. So use a standard framework, NIST... now, again, there's only a limited time... I can show you, they've got some information; I have it also on a website with major frameworks and methodologies: NIST, FAIR, OCTAVE, ISO. Start with a standard, and then I prefer to customize it, not just myself, maybe blend a couple, the best parts of multiple standards. And then, with a smaller business, if there's not a security person on staff, work with the IT director, because they're going to have their challenges; it's going to be helpful for them, they're going to take ownership, they're going to want to work together. So one of those, in a risk assessment, should be working with that lead person to understand the culture and how to make things happen.

The number one output from a risk assessment, if it is still an immature security organization, is a formal program. Consider this is your blueprint; this is where all three decisions are made going forward. I know that's tough when you feel there's not enough time in the day, but take the step back and build a program. Then consider a blueprint, what it does: after I have a blueprint for a building, if I need to make a change, the change I need to make at whatever level it is, I can see the effect on all the other components at that level or the other levels; otherwise you don't really know. It starts out: the framework is your, like, "I'm going to buy a two-bedroom ranch or a condo." The policies are your foundation, and then the security controls, that's what you actually see, the house, the walls, the roofing. Again, offline, I also have white papers on this.

Policy: some of you, if you're technologists, went to school for computer science... marketing, make it red and people see it... "That's like too simple to even deal with." No, it's really important, though. Like, policy, you get someone who comes in, and a lot of you don't have policy, you're screwed; then they look at everything really, really deep. And now, yeah, you want to have policy that's real. Then your security controls support that policy; they implement it, they enforce it. And what keeps that all together are procedures. You want your policies to be spoken with forceful language, not "we thought it would be nice," or "do this if you can." You want to make sure that there's also a result: if you don't do this, this is what's going to happen. Have your senior management approve it. Passwords: if you read the Verizon Data Breach report, with the FBI, every year there are a high percentage of breaches that occur because simple things like passwords were involved, simple controls weren't tested. Are you kidding me? Hey, Dmitri... and they don't mind... please, to help me out, so I'm going really quick here.

So consider that, how are you then going to... I'm selling you on what you need to do, but how do you do it right? There's two ways: you fly solo, or you work with somebody, maybe you have them do a lot of the work. One thing in terms of doing it solo: consider there's a ton of information that you're going to need, core information like the NIST 800 series or ISO 27001, 259. That's the first thing to do first; secondly, there's yearly papers like the Verizon Data Breach report, Michael Davis, um, he's got the security strategy: what are all your peers doing? I personally take them together and do a correlation: what's going on based on what people are saying and what they're doing, what's happening in the tech world and what they're doing. Now the trick to gaining subject matter expertise is to filter, because you don't have time to read everything that's out there; you've got to find that filter that gets it to you. There's a lot of inexpensive tools that are available that you'd want to use; again, I'll have a list of those tools for you, a list of technical controls. What happens if you put access control together with encryption? What do you get as offspring? You get a child that can travel securely on the network, on the internet.

But these, I go back, this is real important: if you do these three things when you're doing security controls, they're most important. You want to do it data-centric, so look at your most important data through classification, ensure that that data is secure through every layer of technology and everywhere it travels in a network. Holistic: don't look at just one particular control or tool; what is the holistic effect of all my controls? Defense-in-depth: I hate getting sick, so I wash my hands, I don't put my hands on my face, I take plenty of vitamin C, I eat, I sleep. Defense-in-depth. Measure security risk. If you've never had pen testing on your network, your web apps, that's a no-brainer. What could... okay, I don't believe things; what can someone who's got a really good mind, like an attacker, what can they really do? Security awareness, I mentioned that... I don't want to hit a button... but security awareness: I've had people ask, should I do training first or should I do an assessment first? It's chicken and egg; I would do the training first, because if you never get any training, they're going to fail.

One last thing: so if you go get help, there's two ways you can get help. One is to use a virtual CISO, where you're getting somebody who's going to do some leadership and help guide you and work together; or you use an MSSP, where basically they're your security operations, and they might often put all your technology in a cloud.

So we really need to wrap it up. Apologize on the shortness of time, and I had to go rather quickly, but I think you got the major point: if you're in charge of delivering your IT and you've got people using mobile devices, whatever's coming down the track to your network, you can either get in front of the train and get run over, or you can grab the conductor hat, spend a little time learning, and drive the train. That's it; again, I'm out of time. [Applause]
