Building A Security Program From The Ground Up
Agenda
- Understand InfoSec's role in the business
- Assess risks to the business
- Secure support and funding from management
- Document approach
- Selection and tuning of tools
- Reporting
- Monitoring
- Gain cooperation and support from IT teams
Background
- Studied Music at University of North Texas
- Played and taught guitar from 1984 to 2000
- Attended SMU MCSE Program
- Started in IT in 2000 as Windows AD admin
- Moved into security in 2006
Overview of past work
- Heartland Payment Systems (acquired by Global Payment Systems)
- 5th largest card acquirer in US
- 4 years as systems administrator
- 6 ½ years as Security Manager
- 2009: Massive security breach
Overview of past work
- International Security Manager: responsible for Europe, Australia and New Zealand locations
- Sr. Security Manager, Global IT Security Operations
Business World
Money
Possibility and Probability
- Risk
- Financial Loss
- Ecommerce Downtime
- Customer data
- Fraud
- Litigation
- Damage to Brand
Breaches Sell Security
- 2013 – 2014 Security Breaches
- 2013 Target Breach
- 252 Million Dollars to resolve
- Recommendation to fire 7 of 10 board members
The Hard Sell
- Give them data!
- Top down, or busting out of the IT Department
- Data to justify tools
- Downtime due to malware infections
- Data on attacks against websites
- Data on investment per record
- Breach cost per record
- Breach cost per record (by Sector)
Existing tools Data
- Accurate data on phishing
- Infections due to clicking
- Amount of data encrypted by Ransomware
- Time to recovery (hours of downtime)
- Tie it to something the business can understand
Data From Board Presentation
Where to Start
- ID the data most valuable to the company
- Who needs access to the data
- Applications
- Systems
- Network
- Controls
- Monitor
Create Policies and Standards
- Time consuming but important
- Acceptable use policy
- VPN Policy
- Incident Response Policy
- Firewall configuration standard
- Web Proxy configuration standard
- Obtain signoff from IT and/or Business
- www.sans.org/info/166795
Security Infrastructure
- Make a roadmap (Have a plan)
- Identify, Protect, Detect, Respond and Recover (NIST Security Domains)
- Target the most useful tools: Firewalls, IDS, Endpoint systems, Web Proxy, Log correlation, Vulnerability Scanner
- Better to have a few tools tuned well than many half implemented
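A "Firewall configuration standard" (from the policies slide) is only useful if the running rule set is actually checked against it, and "a few tools tuned well" means tuning the firewall, not just installing it. The following is an added example, not code from this talk or from any product named in it: a small audit of a constructed rule set against assumed standard requirements (explicit default deny at the end, no allow any/any/any, management ports reachable only from an assumed admin network, every allow rule justified, no rule shadowed by an earlier broader one). The rule format, the rule names, the networks and the port list are all constructed for illustration.

```python
"""Added example: audit a firewall rule set against a written configuration standard.

Not code from the talk. Rule format, sample rules, ADMIN_NETS and
MANAGEMENT_PORTS are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # "any" or an IPv4 CIDR
    dst: str         # "any" or an IPv4 CIDR
    port: str        # "any" or a single destination port, as a string
    comment: str = ""  # business justification required by the (assumed) standard


# Constructed sample rule set, listed in evaluation order (first match wins).
RULES = [
    Rule("web-in", "allow", "any", "10.0.1.0/24", "443", "Public web tier"),
    Rule("mgmt-ssh", "allow", "any", "10.0.0.0/8", "22"),            # too broad, unjustified
    Rule("db-from-app", "allow", "10.0.1.0/24", "10.0.2.0/24", "5432", "App to DB"),
    Rule("temp-any", "allow", "any", "any", "any", "temporary - remove"),
    Rule("default", "deny", "any", "any", "any", "Default deny"),
]

MANAGEMENT_PORTS = {"22", "3389", "5985", "5986"}  # assumed: SSH, RDP, WinRM
ADMIN_NETS = {"10.0.9.0/24"}                       # assumed jump-host network


def covers(broad, narrow):
    """True if address spec `broad` contains every address in `narrow`."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(broad))


def port_covers(broad, narrow):
    return broad == "any" or broad == narrow


def shadowed_by(rules, idx):
    """Name of the first earlier rule that already matches everything rule idx would."""
    r = rules[idx]
    for earlier in rules[:idx]:
        if (covers(earlier.src, r.src) and covers(earlier.dst, r.dst)
                and port_covers(earlier.port, r.port)):
            return earlier.name
    return None


def audit(rules):
    """Return a list of (rule name, finding) pairs; empty means the set meets the standard."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst, last.port) != ("any", "any", "any"):
        findings.append(("last-rule", "rule set must end in an explicit deny any/any/any"))
    for i, r in enumerate(rules):
        shadow = shadowed_by(rules, i)
        if shadow is not None:
            findings.append((r.name, f"never reached; shadowed by earlier rule {shadow}"))
        if r.action != "allow":
            continue
        if (r.src, r.dst, r.port) == ("any", "any", "any"):
            findings.append((r.name, "allow any/any/any rule"))
        if r.port in MANAGEMENT_PORTS and not any(covers(net, r.src) for net in ADMIN_NETS):
            findings.append((r.name, f"management port {r.port} open from {r.src}; restrict to admin networks"))
        if not r.comment:
            findings.append((r.name, "allow rule has no business justification comment"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

Run against the sample, the audit flags the unjustified management rule, the temporary any/any/any rule, and the fact that the default deny can never be reached while that temporary rule sits above it; the same checks can be run on every change-control ticket so the standard is enforced rather than filed.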
Monitor Events and Alerts
- Alerts and events from Anti-Virus
- IDS
- Endpoint agents
- Web proxy logs
- Failed login attempts
- Outbound connection attempts
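The event sources listed above produce far more lines than a small team can read, so the value comes from correlating them: a burst of failed logins that ends in a success, an anti-virus detection the agent could not clean, and an outbound connection from that same host to an unexpected destination are each more interesting together than apart. The following is an added example, not code from this talk or from any product it names: it parses constructed log lines in an assumed key=value format and applies assumed thresholds and an assumed allow-list to produce prioritised alerts.

```python
"""Added example: correlate auth, anti-virus, firewall and proxy events into alerts.

Not code from the talk. The log format, the sample lines, the threshold,
the destination allow-list and the expected ports are assumptions.
"""
import re
from collections import Counter

# Constructed sample log lines (not real data). Format: "<timestamp> <source> key=value ...".
SAMPLE_LOGS = """\
2024-05-01T08:00:01 auth host=dc01 user=jsmith src=10.1.5.22 result=FAIL
2024-05-01T08:00:03 auth host=dc01 user=jsmith src=10.1.5.22 result=FAIL
2024-05-01T08:00:04 auth host=dc01 user=jsmith src=10.1.5.22 result=FAIL
2024-05-01T08:00:06 auth host=dc01 user=jsmith src=10.1.5.22 result=FAIL
2024-05-01T08:00:07 auth host=dc01 user=jsmith src=10.1.5.22 result=FAIL
2024-05-01T08:00:09 auth host=dc01 user=jsmith src=10.1.5.22 result=SUCCESS
2024-05-01T08:01:00 auth host=dc01 user=akim src=10.1.7.9 result=FAIL
2024-05-01T08:01:30 auth host=dc01 user=akim src=10.1.7.9 result=SUCCESS
2024-05-01T08:02:00 av host=ws-118 event=DETECTION name=Trojan.Generic action=QUARANTINED
2024-05-01T08:02:10 av host=ws-204 event=DETECTION name=Trojan.Generic action=FAILED
2024-05-01T08:03:00 fw host=ws-204 dst=203.0.113.50 dport=4444 action=ALLOW
2024-05-01T08:03:05 fw host=ws-118 dst=198.51.100.7 dport=443 action=ALLOW
2024-05-01T08:03:09 proxy host=ws-204 url=http://203.0.113.50/update.bin category=uncategorized
"""

FAILED_LOGIN_THRESHOLD = 5          # assumed: 5 failures from one user/source pair
KNOWN_GOOD_DST = {"198.51.100.7"}   # assumed allow-list of approved external destinations
EXPECTED_OUTBOUND_PORTS = {80, 443}  # assumed: only web egress is expected from workstations

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<ts> <source> k=v k=v ...' into a dict; ts and source are added as fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    fields["source"] = source
    return fields


def analyze(log_text):
    """Return a list of (severity, message) alerts derived from the log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []

    # 1. Failed logins: count failures per (user, src); a success after a burst is worse
    #    than the burst alone because it may mean the password was guessed.
    failures = Counter()
    succeeded_after = set()
    for e in events:
        if e["source"] != "auth":
            continue
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            failures[key] += 1
        elif failures[key] >= FAILED_LOGIN_THRESHOLD:
            succeeded_after.add(key)
    for (user, src), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            sev = "high" if (user, src) in succeeded_after else "medium"
            alerts.append((sev, f"{n} failed logins for {user} from {src}"))

    # 2. Anti-virus: a detection the agent could not clean is the one to chase first.
    av_failed_hosts = set()
    for e in events:
        if e["source"] == "av" and e.get("action") == "FAILED":
            av_failed_hosts.add(e["host"])
            alerts.append(("high", f"AV could not quarantine {e['name']} on {e['host']}"))

    # 3. Outbound connections: unexpected destination or port, escalated when the
    #    same host already carries an uncleaned detection.
    for e in events:
        if e["source"] != "fw":
            continue
        port = int(e["dport"])
        if e["dst"] in KNOWN_GOOD_DST and port in EXPECTED_OUTBOUND_PORTS:
            continue
        sev = "high" if e["host"] in av_failed_hosts else "medium"
        alerts.append((sev, f"outbound {e['host']} -> {e['dst']}:{port}"))

    # 4. Web proxy: fetches from uncategorized sites by hosts already flagged above.
    for e in events:
        if (e["source"] == "proxy" and e.get("category") == "uncategorized"
                and e["host"] in av_failed_hosts):
            alerts.append(("medium", f"{e['host']} fetched {e['url']} (uncategorized site)"))

    return alerts


if __name__ == "__main__":
    for sev, msg in analyze(SAMPLE_LOGS):
        print(f"[{sev}] {msg}")
```

On the sample, the quarantined detection on ws-118 and its normal HTTPS traffic generate nothing, while ws-204 produces three related alerts and the jsmith burst is raised to high because a success followed it; that is the kind of short, explainable list that an IT team will act on and that can be reported upward as evidence the tooling is tuned.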
IT Teams
- They want the company to be secure
- They just don't want more work put on them
- Often believe security wants to "Shut everything down"
- Security doesn't understand SLAs
- Often they don't know what to fix
- Varying levels of talent
IT and Security: Security Culture
- Partner with teams
- Often the best resource for reporting incidents
- Do research to enable quick remediation
- Be reasonable about requests
- Understand their job responsibility
- Attend Change Control Meetings
International Security
- Understand the culture
- Learn about their business
- Review the organization structure
- Listen to their concerns
- Acknowledge their accomplishments
- Reassure them you won't break their systems
- Report findings in a constructive manner
Micromania France
- HQ Sophia Antipolis (Nice), France
- 444 stores
- Parent Company: GameStop
- Most profitable international region
- First security person for the company
Lack of Cooperation
- IT teams or individuals difficult to work with
- Non-cooperative
- Obstructive
Strictly Business not Personal
Questions
mray@fossil.com