strategies for security when why how
play

STRATEGIES FOR SECURITY: WHEN, WHY, HOW Adam Ely adam@bluebox.com - PowerPoint PPT Presentation

Oct 06, 2022 •238 likes •465 views

STRATEGIES FOR SECURITY: WHEN, WHY, HOW Adam Ely adam@bluebox.com www.bluebox.com @BlueboxSec About ME About ME Experience Co-founder Bluebox Security CISO, Heroku CISO, TiVo Walt Disney . Other nifty stuff Coded

  1. STRATEGIES FOR SECURITY: WHEN, WHY, HOW Adam Ely adam@bluebox.com www.bluebox.com @BlueboxSec

  2. About ME About ME Experience • Co-founder Bluebox Security • CISO, Heroku • CISO, TiVo • Walt Disney … . Other nifty stuff • Coded exploits • Consulted for the government • Published numerous articles & papers • <insert other egotistical stuff here>

  3. Define: Security Define: Security CIA Triad: Use as a basic guiding principle

  4. Define: Security Define: Security Security is comprised of many things. • Technical bits • Application security • Infrastructure security • Access controls • Non-techie bits • Process • Compliance • Legal • Assurance

  5. Define: Security Define: Security Security is comprised of many things. • Technical bits • Application security • Code standards • Sanitization functions • Vetted framework versions • Application/lib/framework updates • Logging • Session handling • etc … .

  6. Define: Security Define: Security Security is comprised of many things. • Technical bits • Infrastructure security • Configuration • Hardening • Patching • User & group management • Network topology/security groups • Logging • etc … .

  7. Define: Security Define: Security Security is minimizing risk to both those that trust us and our organization through the assurance of confidentiality, integrity, and availability. I’m embarrassed to even mention the triad but it works and proves this shit ain’t new.

  8. Security: Why Security: Why • Bullshit answer • Compromises always mean loss of business • Crappy answer • Depends on your business • Better Answers • Spike Lee said: Do the right thing • You have IP that is valuable, don’t get jacked • Customers have valuable information • Dealing with fines & bad publicity is a PIA • Enterprises need assurances

  9. Security: Why Security: Why Enterprises need assurances. Why? #1 Reason • You haven’t proven yourself as being legit and on their level. Much like dating. Other • Valuable assets = loss of market leadership • Monetary penalties = no return on this “investment” • Someone’s ass is on the line = Bob gets fired

  10. Security: Why Security: Why But what do I get from security? • Customer adoption • Market leadership • Money ($$$$$)

  11. Define: How Define: How • Make it frictionless and part of how you operate • Understand customer concerns • Distinguish between needs and wants • Understand your risks & concerns • Prioritize • Big wins first • Just like building a product • Learn from those before us • Define ownership • Communicate & be transparent

  12. Define: How Define: How Make it frictionless and part of how you operate • If it interferes with productivity, people will ignore it, go around it, and bitch about it. • Build security into what you already do • Give good options for doing the right (secure) thing. Example: Have a custom client side tool? Have it perform a client side audit each time it runs. Continuous auditing w/o manual audits

  13. Define: How Define: How Understand customer concerns • Customers want everything • Boil down to what they need • Solve for need, work towards want Example: Customer might want PCI compliance. Not relevant to your business? Show intent and how you meet their data security needs while working to check that box for future clueless customers.

  14. Define: How Define: How Understand your risks & concerns • You know your risks better than anyone • Where do you think you have issues? • How would you exploit those weaknesses? • How easy would it be for someone else? • Define and prioritize

  15. Define: How Define: How Prioritize • What can you do now that gives the biggest wins? • Security prioritization is just like building a product • Think of a CISO as the product manager of your security

  16. Define: How Define: How Learn from those before us • This shit ain’t new • Learn from previous breaches • You’re smart but this isn’t your wheelhouse • RTFM, plenty of resources out there

  17. Define: How Define: How Define ownership • Executive level champion to influence the org. • Tactical level leaders and involvement to keep it fresh and moving

  18. Define: How Define: How Communicate & be transparent • Ease customers minds, communicate • Document what you do, say what you don’t • Show that you’re always working to be “better” and meet their ever changing needs • Build a transparent relationship • Find the right verticals, go after others when ready

  19. Define: How Define: How Where to actually start? • Customer data storage and handling • Culture of treating security as a first class citizen • Customer data storage and handling • Application security • Infrastructure configuration & patching • Access controls • Policies/documentation • 3rd party audits

  20. Security: when Security: when • Start as early as possible • Make it core to the culture • The sooner, less to fix later • Increase effort as needed to meet customer needs/demands • Roadmap your security strategy like a product • Hire dedicated people for security when you must impress customers, there is no forward momentum, or there is work to justify doing so • Prior to that, involve anyone who wants to help

  21. STRATEGIES FOR SECURITY: WHEN, WHY, HOW Adam Ely adam@bluebox.com www.bluebox.com @BlueboxSec

Recommend

Active Shooter Training Created by Security Strategies Today For The Hospitality Law Conference

Active Shooter Training Created by Security Strategies Today For The Hospitality Law Conference

Active Shooter Training Created by Security Strategies Today For The Hospitality Law Conference Houston, April 24-26, 2017 Proprietary-Security Strategies Today Steve Cocco Steve Cocco, President of Security Strategies Today, is a counter-

180 views • 14 slides
Cracking Drupal Security concepts and pitfalls Klaus Purer Peter Wolanin Security strategies

Cracking Drupal Security concepts and pitfalls Klaus Purer Peter Wolanin Security strategies

Cracking Drupal Security concepts and pitfalls Klaus Purer Peter Wolanin Security strategies Trust - who can do what Principle of least privilege - each site user should have only the permissions necessary to do their job Defense

623 views • 36 slides
Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without

Strategies to Maximize the Security Efforts into the Agile Software Development Life Cycle Without Increasing the Headcount Anderson Maranho Ventura Dadario Information Security Flare Security, So Paulo, Brazil anderson@dadario.com.br

428 views • 3 slides
Strategies for Achieving Network Intelligence Adam DAmico Zanshin Security, LLC

Strategies for Achieving Network Intelligence Adam DAmico Zanshin Security, LLC

Strategies for Achieving Network Intelligence Adam DAmico Zanshin Security, LLC adam@zanshinsecurity.com June 8, 2005 Abstract In order for security efforts to be effective in the contemporary threat environment, network professionals who

497 views • 14 slides
Voluntary Pensions in Emerging Markets New Strategies for Meeting the Retirement Security

Voluntary Pensions in Emerging Markets New Strategies for Meeting the Retirement Security

Voluntary Pensions in Emerging Markets New Strategies for Meeting the Retirement Security Challenge Richard Jackson President Global Aging Institute AMAFORE 2 a Convencin Nacional de Afores FIAP 15 o Seminario Internacional October 30-31,

593 views • 25 slides
Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 3:

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 3:

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 3: Foundations of Computer Security Chapter 3: 2 Agenda Security strategies Prevention detection reaction Security objectives

839 views • 38 slides
Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of Computer Security Chapter 3: 2 Agenda Security strategies Prevention detection reaction Security objectives Confidentiality

553 views • 39 slides
Computer Security 3e Security.di.unimi.it/sicurezza1314 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1314 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1314 Chapter 3: 1 Chapter 3: Foundations of Computer Security Chapter 3: 2 Agenda Security strategies Prevention detection reaction Security objectives Confidentiality

1.08k views • 42 slides
7 strategies for scaling product security QCon 2018 New York City Angelo Prado, Senior

7 strategies for scaling product security QCon 2018 New York City Angelo Prado, Senior

7 strategies for scaling product security QCon 2018 New York City Angelo Prado, Senior Director Jet.com | Walmart about me 12+ years of experience in software development and Leading Product Security teams at Jet.com, Salesforce and

895 views • 78 slides
Defense Strategies Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer

Defense Strategies Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Defense Strategies Trent Jaeger Systems and Internet Infrastructure

457 views • 27 slides
Game Theory: Lecture #9 Outline: Zero-sum games Security strategies and values Value

Game Theory: Lecture #9 Outline: Zero-sum games Security strategies and values Value

Game Theory: Lecture #9 Outline: Zero-sum games Security strategies and values Value Minimax Theorem Individual Optimization Previous focus: Single decision-maker i A set of actions for the individual, denoted by A i .

536 views • 11 slides
Of Citadels And Sentinels: State Strategies For Contesting Cyber-terror Strategies For Contesting

Of Citadels And Sentinels: State Strategies For Contesting Cyber-terror Strategies For Contesting

Of Citadels And Sentinels: State Strategies For Contesting Cyber-terror Strategies For Contesting Cyber-terror Tim Legrand and Jeff Malone 4 key issues and challenges 1. A cyber architecture designed for efficiency, not security 2. Private

621 views • 21 slides
security vulnerabilities and strategies Fabio Patrone Polytechnic School, University of Genoa 1

security vulnerabilities and strategies Fabio Patrone Polytechnic School, University of Genoa 1

Satellite Communications: Cyber security vulnerabilities and strategies Fabio Patrone Polytechnic School, University of Genoa 1 Overview Satellite mission goals, categories, structural subsytems, network architectures, and communication

728 views • 53 slides
Security in Pakistan: Adaptation Options and Strategies by PIDE TEAM Pakistan Institute of

Security in Pakistan: Adaptation Options and Strategies by PIDE TEAM Pakistan Institute of

Climate Change, Agriculture, and Food Security in Pakistan: Adaptation Options and Strategies by PIDE TEAM Pakistan Institute of Development Economics, Islamabad and International Development Research Centre , Canada Introduction

339 views • 22 slides
Influence of Embedding Strategies on Security of Steganographic Methods in the JPEG Domain Jan

Influence of Embedding Strategies on Security of Steganographic Methods in the JPEG Domain Jan

Influence of Steganographic Design Elements Steganalysis of YASS Summary Influence of Embedding Strategies on Security of Steganographic Methods in the JPEG Domain Jan Kodovsk Jessica Fridrich January 28, 2008 / Electronic Imaging 2008

817 views • 22 slides
Social Security Claiming Strategies for Estate Planners: Updated for the 2015 Bipartisan Budget

Social Security Claiming Strategies for Estate Planners: Updated for the 2015 Bipartisan Budget

Presenting a live 90-minute webinar with interactive Q&amp;A Social Security Claiming Strategies for Estate Planners: Updated for the 2015 Bipartisan Budget Bill THURSDAY, DECEMBER 17, 2015 1pm Eastern | 12pm Central | 11am Mountain

1.14k views • 99 slides
High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab Strategies for

High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab Strategies for

High-Performance Network Security Monitoring at the Lawrence Berkeley National Lab Strategies for Monitoring External and Internal Activity Robin Sommer Lawrence Berkeley National Laboratory &amp; International Computer Science Institute

841 views • 52 slides
How to finance, deliver and govern social security for all Tripartite Meeting of Experts on

How to finance, deliver and govern social security for all Tripartite Meeting of Experts on

International Labour Office How to finance, deliver and govern social security for all Tripartite Meeting of Experts on Strategies for the Extension of Social Security Coverage Geneva, 2-4 September 2009 Michael Cichon Social Security

306 views • 9 slides
How to Give Effect to the Human Right to Social Security Tripartite Meeting of Experts on

How to Give Effect to the Human Right to Social Security Tripartite Meeting of Experts on

International Labour Office How to Give Effect to the Human Right to Social Security Tripartite Meeting of Experts on Strategies for the Extension of Social Security Coverage Geneva, 2-4 September 2009 Ursula Kulke Social Security

206 views • 9 slides
Implications of Dissemination Strategies on the Security of Distributed Ledgers Luca Serena,

Implications of Dissemination Strategies on the Security of Distributed Ledgers Luca Serena,

Implications of Dissemination Strategies on the Security of Distributed Ledgers Luca Serena, Gabriele DAngelo, Stefano Ferretti Dissemination Protocols Dissemination protocols = Algorithms to spread the information within a peer to peer

1.08k views • 13 slides
Digital Security Learning Table Workshop: Strategies for Sharing Documents Securely Alice

Digital Security Learning Table Workshop: Strategies for Sharing Documents Securely Alice

Digital Security Learning Table Workshop: Strategies for Sharing Documents Securely Alice Aguilar, Executive Director Jamie McClelland, Technology Director Progressive Technology Project What tools are you using to share files? Where do you

355 views • 20 slides
Security is an Awesome Product Feature Mark P. Hahn Director of Cloud Strategies and DevOps

Security is an Awesome Product Feature Mark P. Hahn Director of Cloud Strategies and DevOps

Security is an Awesome Product Feature Mark P. Hahn Director of Cloud Strategies and DevOps Ciber Global, LLC , an HTC Global Company 425-749-9501, mhahn@ciber.com, https://www.linkedin.com/in/markphahn/ DevSecOpsDays Pittsburgh 2020 This

640 views • 27 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Game Theory: Lecture #8 Outline: Individual Optimization Security Strategies Optimization

Game Theory: Lecture #8 Outline: Individual Optimization Security Strategies Optimization

Game Theory: Lecture #8 Outline: Individual Optimization Security Strategies Optimization and Strategy Previous focus: Given individual preferences, compute group preference? Given individual preferences, compute satisfactory

343 views • 9 slides

More recommend