Security Themes Debunked
Brian Minick
Who is this guy?
Brian Minick
- CEO and Founder of Morphick
- CISO General Electric
  - Aviation
  - Energy
  - Transportation
- Industry leader across:
  - Defense Industrial Base
  - DSIE
- Policy consulting:
  - White House
  - Department of State
  - Pentagon
  - NSA
- Personal
  - Three daughters
  - Running
  - Church (my second startup)
Security is noisy
- A lot of people trying to get your attention and your $$$
  - A lot of investment
  - A lot of messages
- One dimensional thinking is dangerous
- The best lie is based on truth
- How do you know what to believe?
- Let’s look at some messages
Technology will save the day
The claims
- Our technology solves your security issues
- Most effective way to stop attacks
- Make your team more effective
The reality
- Our technology solves your security issues…or just a couple of them.
- Most effective way to stop attacks…at least for today
  - Attackers figure out a way around.
  - Signature, reputation, whitelist, sandbox, analytics, what’s next?
- Make your team more effective…by giving them more work to do

Security is too large a space to find one technology to solve all the issues (insider attacks, outsider attacks, account management, firewall rule management, patch management, on and on). All businesses end up with numerous technologies that do not work together. Orchestration is the next big thing because of all the point solutions.

There is a difference between random and targeted attacks. Technology is effective against random attacks…at least in the mid term. Targeted attacks are driven by people, and people figure out ways around tech. Most detection technology turned into work generation systems.
Process will save the day
The claims
- Compliance with standards will solve security problems
- Risk based controls effectively prioritize
- Standards create an effective measuring stick
The reality
- Compliance with standards will solve security problems…or auditor problems
- Risk based controls effectively prioritize…just not quickly enough
- Standards create an effective measuring stick…

Things take on a life of their own. Don’t lose sight of the goal, which is to protect the business, not to pass an audit.

Risk based is great, but how quickly is risk assessed and changed? Hyper risk assessment. Risk doesn’t change with every attack. Risk changes with targeted attacks though.

Need an effective measuring stick; current standards need to be updated. Acknowledge the difference between random and targeted, and include rapid change capabilities for targeted.
Smart people will save the day
The claims
- Nothing works without the right people
- They built it once, they can do it again
- It just takes a couple great people
The reality
- Nothing works without the right people…and process and tech
- They built it once, they can do it again…if everything else is equal
- It just takes a couple great people…and an army behind them
Reality is never simple
- Truth in all these messages
- None offer a complete picture
- People, process and technology are required
Different problems different approaches
Random
- Adversary is a computer program
- Find the solution and repeat it
- A product will solve the problem
- Security through compliance
Targeted
- Adversary is a person using a computer program
- Creativity and strategy
- People need to solve the problem
- Unique, morphing defenses
Where is cyber headed - Random
Dealing with random attacks
- Technology to address technology
- Technology to automate process
- Technology to eliminate people
Technology direction
- This is an arms race
- The race is fought at the industry level
Where is cyber headed - Targeted
Dealing with targeted attacks
- People to address people
- Technology for efficiency and agility
- Process to morph defenses
Technology direction
- This is an arms race
- It is fought by your company only
So what
Reality is complicated…and so is security
- Security is a broad discipline
- No company can do it all alone
- No vendor can do it all for their customers
Find an ally
- What are your current strengths?
- What strengths do you want to develop?
- What allies can you identify to help develop those strengths and fill your weaknesses?