1. Building A Security Program From The Ground Up

2. Agenda Understand InfoSec role in the business
Assess risks to the business
Secure support and funding from management
Document approach
Selection and tuning of tools
Reporting
Monitoring
Gain cooperation and support from IT teams

3. Background Studied Music at University of North Texas
Played and taught guitar from 1984 to 2000
Attended SMU MCSE Program
Started in IT in 2000 as Windows AD admin
Moved into security in 2006

4. Overview of past work Heartland Payment Systems
Acquired by Global Payment Systems
5th largest card acquirer in US
4 years as systems administrator
6 ½ as Security Manager
2009 Massive security breach

5. Overview of past work International Security Manger
Responsible for Europe, Australia
and New Zealand locations
Sr. Security Manager
Global IT Security Operations

6. Business World

7. Money

8. Possibility and Probability
Risk
Financial Loss
Ecommerce Downtime
Customer data
Fraud
Litigation
Damage to Brand
Possibility and Probability

9. Breaches Sell Security
2013 – 2014 Security Breaches
2013 Target Breach
252 Million Dollars to resolve
Recommend to fire 7 of 10 board members

10. The Hard Sell Give them data!
Top down or busting out of IT Department
Data to justify tools
Downtime due to malware infections
Data on attacks against websites
Data on investment per record
Breach cost per record
Breach cost per record (Sector)

11. Existing tools Data Accurate data on phishing
Infections due to clicking
Amount data encrypted from Ransomware
Time to recovery (hours of downtime)
Tie it to something the business can understand

12. Data From Board Presentation

13. Where to Start ID data most valuable to the company
Who need access to data
Applications
Systems
Network
Controls
Monitor

14. Create Policies and Standards
Time Consuming but important
Acceptable use policy
VPN Policy
Incident Response Policy
Firewall configuration standard
Web Proxy configuration standard
Obtain signoff from IT and or Business

15. Security Infrastructure
Make roadmap (Have a plan)
Identify, Protect, Detect, Respond and Recover (NIST Security Domains)
Target most useful tools
Firewalls
IDS
Endpoint systems
Web Proxy
Log correlation
Vulnerability Scanner
Better to have a few tools tuned well than many half implemented

16. Monitor Events and Alerts
Alerts and events from
Anti-Virus
IDS
Endpoint agents
Web proxy logs
Failed login attempts
Outbound connections attempts

17. IT Teams They want the company to be secure
They just don’t want more work on them
Often believe security wants to “Shut everything down”
Security doesn’t understand SLAs
Often they don’t know what to fix
Varying levels of talent

18. IT and Security Security Culture Partner with teams
Often best resource for reporting incidents
Do research to enable quick remediation
Be reasonable about requests
Understand their job responsibility
Attend Change Control Meetings

20. International Security
Understand culture
Learn about their business
Review organization structure
Listen to their concerns
Acknowledge their accomplishments
Reassure you won’t break their systems
Report findings in a constructive manner

21. Micromania France

22. HQ Sophia Antipolis (Nice) France
444 stores
Parent Company GameStop
Most profitable International region
First security person for company

23. Lack of Cooperation IT teams or individuals difficult to work with
Non-cooperative
Obstructive

24. Strictly Business not Personal

25. Questions