© 2015 Denim Group – All Rights Reserved
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources
John B. Dickson, CISSP
@johnbdickson
Denim Group
• Application Security Enthusiast
• Helps CSOs and CISOs with Application Security Programs
• ISSA Distinguished Fellow
• Security Author and Speaker
Denim Group | Company Background
• Professional services firm that builds & secures enterprise applications
• External application & network assessments
• Web, mobile, and cloud
• Software development lifecycle (SDLC) consulting
• Secure development services:
• Secure .NET and Java application development & remediation
• Classroom and e-Learning for PCI compliance
• Developed ThreadFix
Overview
• Background on the Issue
• Key Concept
• Examples of Guerrilla Tactics
• Questions and Answers
Key Thought
• Executives are becoming more resistant to FUD carpet bombing
Getting Your Security Budget Approved without FUD
• RSA 2014 track session
• Assumption: the internal sale of a security budget to executives is fundamentally different
• Security leaders are competing for scarce corporate resources
• Common denominators exist
• See more on RSA’s site here
Getting Your Security Budget Approved without FUD
• Exploiting Pet Projects
• Accounting for Culture
• Tailoring to their Vertical
• Consciously Cultivating Credibility & Relationships
• Using Timing to Capitalize on Certain Events
• Selling By-Products of Security Activities
Security Budgets: The Starting Point
• Some have lost the game before getting on the field
• Competing Against:
• Line of business pet projects – expansion of production
• Executive level visibility or utility – e.g., new corporate jet
• Things that produce more tangible ROI
• Information security as the “silent service” – Rich Baich, Wells Fargo CISO
• Source: “Winning as a CISO,” Rich Baich
Security Budgets: The Starting Point
• Annual operations budgets are highly scrutinized
• They are normalized to past budget years and easy to compare
• Some budget items are easier to get approved
• Items mandated by compliance
• Items mandated by buyers
• Historical operations; Example: Licensing fees
Security Budgets: The Starting Point
Photo by Matt Mechtley
Security Budgets: The Starting Point
• So…. What does a savvy security leader do?
Key Concept
• Adopts guerrilla selling tactics to increase the security budget
• Uses the resources of others to expand security coverage
Mergers and Acquisitions
• Corporate Mergers and Acquisitions (M&A) activities include substantial attorneys’ fees for:
• Due diligence and contracts
• M&A activity is the domain of the CEO
• The CEO will be less price-sensitive to security costs
• Insert security testing into the M&A process to ID:
• The risk of the acquired entity, and provide a remediation path
• Lower downstream security exposure
Leverage Things Already Bought
• Identify technologies bought by business units and leverage any security by-product
• Example #1: Web Application Firewalls (WAFs)
• Mandated by PCI, bought by IT or Internal Audit
• Creates incredible Layer 7 logging and protection
• Example #2: Big Data Technologies
• Big Data
Development Tools
• Development tool stacks are expensive
• Their cost dwarfs that of security vulnerability scanners
• Get the development team to purchase the scanner for the SDLC, because they own the SDLC
• Make it a line item in a larger quote for a development stack
• Bake testing into the SDLC as early in the process as possible
• You may be able to use the leverage of a large purchase to get security tools thrown in
Development Training
• For internally developed software
• The cost of a vulnerability is highest once it is put into production
• Change the reality, make security a quality issue!
• Have development teams pay for training
• Make this part of general developer training and onboarding
Leverage Open Source
• Use what others have already contributed to the Open Source community to further your security coverage
• First steps
• Hire a security pro with Open Source experience
• Add an Open Source project that solves a problem – start small
• ThreadFix
• Capture licensing cost savings and communicate