Just Trust Everyone and We Will Be Fine, Right?
Scott Carlson - BeyondTrust

As a CISO, you have been asked why you can't just trust your employees to do the right thing. What benefit to the business comes from technical security controls? You have likely been asked to reduce risk and action every funded project at once. In this session, we will realistically consider which projects can reduce risk most quickly, which layers of security are most important, and how things like privilege management, vulnerability control, over-communicating, and simply reducing the attack surface can bring peace of mind and actual direct improvements to your information security posture.

Page 5: Our Information Security Implementation Plan

Page 7: Develop effective communications

Target senior leaders and understand their language

Focus on business and risk issues of concern to key leaders

Focus on solving problems and controlling risk
*** NOT technology solutions ***

Identify and produce metrics that matter to your audience
• Gain alignment for needed improvements based on business risks
• Requires strong reporting tools and analytics
• Avoid embarrassing individuals but inform (wall of shame)
• Produce trend charts that show progress

Provide limited, general reporting and TELL THE TRUTH

Page 8: Identify and protect the crown jewels

Gain business leaders’ sponsorship
• Define accountabilities and ownership across key organizations
• Establish metrics
  • # assets with owner / custodian identified
  • # assets with recommended protection

What are your crown jewels and where are they?
• Not easy to define the crown jewels and get agreement from business leadership
• Often, crown jewels are loosely managed across servers & end-user devices

Move them to stronger controlled environments (e.g., hardened repositories, strong MF authentication, VDI, data leakage, digital rights management) and upgrade business processes

Review and continually manage access, with a manual process if you need to

Restrict administrator access when possible
• Monitor and alert

Page 9: Tightly manage privileged access

Make it hard for attackers to gain privileged access

Use strong multi-factor authentication

Drive least-privilege management processes and solutions
• Include end-points, where most initial attacks are focused
• Enable system and application management without admin privileges

Implement privileged password management solutions
• Eliminate shared passwords
• Passwords automatically changed on every use
• Eliminate hard-coded passwords
• Dual control / approval for critical systems

Page 10: Get Smarter About Vulnerability Management

Integrate vulnerability issues with privileged access
• Deny privileged access to systems with critical vulnerabilities after a certain time

Align Security and IT Ops teams
• By policy, all aspects of security must be key operational requirements
• Defined patch timetable by asset class
• Shut down if critical issues are not addressed
• Variance approved by leadership if allowed to operate past the deadline
• Joint improvement program driven by business requirements and metrics
• Requires excellent analytics and reporting
• Fix defective operational processes that enable or leave vulnerabilities
  • New system deployments
  • Application accountability and patching
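The rules on this slide and the previous one can be expressed as a single decision procedure: strong MFA before any privileged checkout, dual control for critical systems, denial of privileged access to an asset whose critical vulnerability has been open longer than its asset class's patch deadline unless a leadership-approved variance is in effect, and automatic rotation of the password after every use. The following is an added illustration, not code from the deck or from BeyondTrust; the asset classes, SLA days, vulnerability ids, user names and inventory are constructed, and a real deployment would take them from an asset inventory and a vulnerability scanner feed.

```python
"""Added example (not from the deck or from BeyondTrust): a toy privileged
credential checkout engine applying the rules from slides 9 and 10.

Rules modelled:
  * strong MFA must be asserted before any privileged checkout;
  * dual control: a critical system needs an approver other than the requester;
  * an asset with a critical vulnerability open longer than its asset class's
    patch deadline is denied privileged access, unless leadership has approved
    a variance that is still in effect;
  * the password is rotated automatically after every use (on check-in).
Asset classes, SLA days, vulnerability ids and the inventory are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple
import secrets

# Constructed patch timetable by asset class: days allowed to fix a critical.
PATCH_SLA_DAYS = {"crown-jewel": 7, "server": 30, "endpoint": 14}


@dataclass
class Asset:
    name: str
    asset_class: str
    critical: bool                        # critical systems need dual control
    critical_vulns: List[Tuple[str, date]] = field(default_factory=list)  # (id, first seen)
    variance_until: Optional[date] = None  # leadership-approved exception, if any


@dataclass
class CheckoutRequest:
    requester: str
    asset: Asset
    mfa_verified: bool
    approvers: List[str]                  # people who approved this request


def overdue_vulns(asset: Asset, today: date) -> List[str]:
    """Ids of critical findings open longer than the class's patch SLA."""
    sla = timedelta(days=PATCH_SLA_DAYS[asset.asset_class])
    return [vid for vid, seen in asset.critical_vulns if today - seen > sla]


def evaluate(req: CheckoutRequest, today: date) -> Tuple[bool, str]:
    """Decide a privileged checkout; returns (allowed, reason)."""
    if not req.mfa_verified:
        return False, "denied: strong MFA required"
    independent = {a for a in req.approvers if a != req.requester}
    if req.asset.critical and not independent:
        return False, "denied: dual control requires an independent approver"
    overdue = overdue_vulns(req.asset, today)
    if overdue:
        until = req.asset.variance_until
        if until is None or today > until:
            return False, "denied: critical vulns past deadline: " + ", ".join(overdue)
        return True, f"allowed under variance until {until.isoformat()}"
    return True, "allowed"


class Vault:
    """Minimal credential store: every checkout is logged, check-in rotates."""

    def __init__(self) -> None:
        self._secrets = {}
        self.audit = []                   # (requester, asset, allowed, reason)

    def enroll(self, asset: Asset) -> None:
        self._secrets[asset.name] = secrets.token_urlsafe(24)

    def checkout(self, req: CheckoutRequest, today: date) -> Optional[str]:
        allowed, reason = evaluate(req, today)
        self.audit.append((req.requester, req.asset.name, allowed, reason))
        return self._secrets[req.asset.name] if allowed else None

    def checkin(self, asset_name: str) -> bool:
        """Rotate the password after use; True when the stored value changed."""
        old = self._secrets[asset_name]
        self._secrets[asset_name] = secrets.token_urlsafe(24)
        return self._secrets[asset_name] != old


if __name__ == "__main__":
    today = date(2024, 3, 15)
    db = Asset("db01", "crown-jewel", True, [("VULN-PLACEHOLDER-1", date(2024, 3, 1))])
    vault = Vault()
    vault.enroll(db)
    print(vault.checkout(CheckoutRequest("alice", db, True, ["bob"]), today))  # denied: None
    db.variance_until = date(2024, 3, 31)  # leadership variance granted
    print(vault.checkout(CheckoutRequest("alice", db, True, ["bob"]), today) is not None)
    print(vault.checkin("db01"), vault.audit)
```

The variance is the one deliberate escape hatch, and it is dated: once it lapses the denial returns without anyone having to remember to revoke it, which is the behaviour the "variance approved by leadership" bullet implies. The audit list is what feeds the reporting and trend charts the communications slide asks for.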

Page 11: Improve your ability to detect attacks

Gain business leaders’ sponsorship
• Train users to report phishing
• Turn users into human detectors
• Requires a reporting solution and a rapid response

Establish a threat intelligence program
• Collect feeds from both open sources and subscription sources
• Collaborate with others inside your industry and overall leaders to stay abreast of current techniques, tactics, and procedures
• Continually block bad internet addresses, domains, and other indicators of compromise (files)

Detect, alert & block crown jewel exfiltration
• Best to tag crown jewels by type and control based on policies defined by the owner

Monitor inbound files for malware
• Much more difficult than AV or IPS
• Requires sandbox solutions or other solutions that monitor behavior

Monitor and alert on unusual application activities and access to crown jewels
• Alert when certain applications are doing unusual things (spawning processes)
• Define which applications are allowed to access sensitive data by class (whitelist)

Monitor and filter outbound traffic
• Prevent traffic to uncategorized URLs
• Can be challenging to categorize some traffic, but results in strong improvements
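Three of the bullets on this slide are rules that can be run over telemetry: alert when an application that has no business spawning children does so, alert when an application not whitelisted for a data class reads data tagged with that class, and block and alert outbound connections to uncategorized destinations. The following is an added illustration, not code from the deck or from BeyondTrust; the event schema, application names, paths, hostnames, category map and whitelists are all constructed, and in practice the events would come from an EDR, file-audit or proxy log.

```python
"""Added example (not from the deck or from BeyondTrust): detection rules run
over constructed sample events, covering three bullets from slide 11:
  * alert when an application does something unusual (spawning processes);
  * alert when an application not whitelisted for a data class reads
    crown-jewel data tagged with that class;
  * block and alert on outbound traffic to an uncategorized destination.
The event schema, application names, paths, hostnames, the category map and
the whitelists are all constructed for the example.
"""
from typing import Callable, Dict, List, Optional

# Constructed policy: applications allowed to read each data class.
DATA_CLASS_WHITELIST: Dict[str, set] = {
    "customer-pii": {"crm.exe", "backup-agent"},
    "source-code": {"git", "ide"},
}
# Constructed baseline: document viewers that should never spawn children.
NO_SPAWN_EXPECTED = {"winword.exe", "excel.exe", "acrord32.exe"}
# Constructed tagging of crown-jewel locations by data class.
TAGGED_PATHS = {"/data/customers/": "customer-pii", "/repo/": "source-code"}
# Constructed URL categorization; anything missing here is "uncategorized".
URL_CATEGORIES = {"updates.example.com": "software-updates", "mail.example.com": "email"}

SAMPLE_EVENTS = [  # constructed, processed in order
    {"type": "process", "parent": "winword.exe", "child": "powershell.exe", "user": "u1"},
    {"type": "process", "parent": "explorer.exe", "child": "winword.exe", "user": "u1"},
    {"type": "file_read", "app": "crm.exe", "path": "/data/customers/list.csv", "user": "u2"},
    {"type": "file_read", "app": "curl", "path": "/data/customers/list.csv", "user": "u2"},
    {"type": "file_read", "app": "ide", "path": "/repo/app/main.py", "user": "u3"},
    {"type": "file_read", "app": "ide", "path": "/tmp/notes.txt", "user": "u3"},
    {"type": "outbound", "host": "updates.example.com", "user": "u1"},
    {"type": "outbound", "host": "x7q1.example.net", "user": "u1"},
]


def data_class_for(path: str) -> Optional[str]:
    """Map a path to its data class tag, or None if it is not a crown jewel."""
    for prefix, cls in TAGGED_PATHS.items():
        if path.startswith(prefix):
            return cls
    return None


def check_process(ev: dict) -> Optional[str]:
    """Unusual activity: a no-spawn application created a child process."""
    if ev["parent"].lower() in NO_SPAWN_EXPECTED:
        return f"unusual spawn: {ev['parent']} -> {ev['child']} (user {ev['user']})"
    return None


def check_file_read(ev: dict) -> Optional[str]:
    """Crown-jewel access by an application outside the class whitelist."""
    cls = data_class_for(ev["path"])
    if cls is None:
        return None                       # untagged file: not a crown jewel
    if ev["app"] not in DATA_CLASS_WHITELIST.get(cls, set()):
        return f"non-whitelisted app {ev['app']} read {cls} data: {ev['path']} (user {ev['user']})"
    return None


def check_outbound(ev: dict) -> Optional[str]:
    """Outbound filtering: destinations with no category are blocked."""
    if ev["host"] not in URL_CATEGORIES:
        return f"blocked uncategorized destination {ev['host']} (user {ev['user']})"
    return None


RULES: Dict[str, Callable[[dict], Optional[str]]] = {
    "process": check_process,
    "file_read": check_file_read,
    "outbound": check_outbound,
}


def run_detections(events: List[dict]) -> List[str]:
    """Apply the rule matching each event's type; return the alerts raised."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["type"])
        alert = rule(ev) if rule else None
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_detections(SAMPLE_EVENTS):
        print(line)
```

Note that the file-read rule keys off the data class tag, not the application: once crown jewels are tagged by type as the slide recommends, a new sensitive location is covered by adding one path prefix rather than a rule per application, and an application that legitimately reads one class is still alerted on when it touches another.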

Page 12: Thank You!

Scott Carlson
@scottophile