John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSOs) of Fortune 500 companies and government organizations launch and expand their critical application security initiatives. His leadership has been instrumental in Denim Group being honored by Inc. Magazine as one of the fastest growing companies in the industry for five years in a row.
2. MY BACKGROUND
• 20+ Year Security Professional
• Denim Group Principal
• MBA Strategy Guy
• ISSA Distinguished Fellow
• Security Conference Speaker
• Dark Reading Columnist
• Twitter: @johnbdickson
3. DENIM GROUP | COMPANY BACKGROUND
• Trusted advisor on all matters of software risk
• External application & network assessments
• Web, mobile, and cloud
• Software development lifecycle (SDLC) consulting
• Network and infrastructure where applications reside
• Secure development services:
• Secure application development & remediation
• Managed security services
• Developed ThreadFix
6. WHY IS THIS IMPORTANT?
The day security became important to business executives
7. BREACH FIXATION OVERVIEW
• What is Breach Fixation?
• How Does Breach Fixation Manifest Itself?
• How you can Use Breach Fixation to Your Advantage
9. BREACH FIXATION
• A phenomenon created by media fixation on breach stories
• Breach Fixation distorts reality by putting most of the focus on external activities that we don’t control…
• At the expense of internal security activities that we do control
• Affects strategy and resource allocation in a potentially negative way
• Takes focus away from addressing the root cause while treating the symptom
15. WHAT DOES THAT CREATE?
• A Situation Where Basic Security Blocking & Tackling Remains Problematic
• Window of Exposure of Application Vulnerabilities Remains Egregious
• Well-known Security Weaknesses Continue to be an Avenue of Approach for Attackers
• Outside the largest and most sophisticated organizations, security only covers a subset of the enterprise
16. WHAT DOES THAT CREATE?
• A Situation Where External Threats Might Distract Security Focus
• Whipsawed by #ToD (Threat of the Day) or #YABS (Yet Another Breach Story)
• “Incumbent Spend” around FW, Endpoint and AV dwarfs other areas
• Focus on the latest outwardly-focused security “shiny rock” technologies as panaceas
18. EXAMPLES OF IMPACT
• Press DDoS on speaker by the entire media
• Gartner: By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 20% in 2015.
• EY: A Shift to “Active Defense” and its implications
• A cautionary tale: State of Texas Public Utilities Commission war story
19. HOW CAN YOU ADDRESS BREACH FIXATION
• Recognize Breach Fixation When a Layperson (e.g., “Executive”) References it.
• The First Step to Recovery is Admitting you have a Problem!
20. HOW CAN YOU ADDRESS BREACH FIXATION
• Constantly Quantify Internal Security Posture
• Measure, measure, measure
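The deck asks you to quantify internal posture (slide 20) and calls out the Window of Exposure of application vulnerabilities (slide 15) without showing how either is computed. The example below is added here and is not from the original presentation or from Denim Group; it computes a WhiteHat-style Window of Exposure (days in a period during which an asset had at least one open serious vulnerability) and a mean time to remediate over a small set of constructed findings. Asset names, finding titles and dates are all invented for illustration.

```python
"""Window-of-exposure and remediation metrics over constructed scan findings.

Added example, not code from the original deck. Overlapping findings are
merged so that two open criticals on the same day count as one exposed
day, which is the detail most ad hoc spreadsheets get wrong.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    severity: str           # "critical", "high", "medium" or "low"
    opened: date            # first observed by a scanner or pentest
    closed: Optional[date]  # day remediation was verified; None if still open


SERIOUS = {"critical", "high"}   # what counts toward the window (assumption)

# Constructed sample data for one asset over one calendar year.
FINDINGS = [
    Finding("shop.example.test", "SQL injection in /search", "critical",
            date(2015, 1, 10), date(2015, 1, 25)),
    Finding("shop.example.test", "Reflected XSS in /help", "high",
            date(2015, 1, 20), date(2015, 3, 1)),       # overlaps the SQLi
    Finding("shop.example.test", "Missing HSTS header", "low",
            date(2015, 2, 1), None),                    # low: not counted
    Finding("shop.example.test", "IDOR on /orders/{id}", "high",
            date(2015, 6, 1), date(2015, 6, 11)),
    Finding("shop.example.test", "Outdated TLS ciphers", "medium",
            date(2015, 7, 1), date(2015, 9, 1)),        # medium: not counted
    Finding("shop.example.test", "Auth bypass on /admin", "critical",
            date(2015, 12, 15), None),                  # still open at year end
]


def window_of_exposure(findings, start, end, serious=SERIOUS):
    """Days in [start, end] (inclusive) with at least one open serious finding."""
    intervals = []
    for f in findings:
        if f.severity not in serious:
            continue
        lo = max(f.opened, start)
        hi = min(f.closed or end, end)      # an open finding runs to period end
        if lo <= hi:                        # drop findings outside the period
            intervals.append((lo, hi))
    intervals.sort()

    exposed = 0
    cur_lo = cur_hi = None
    for lo, hi in intervals:
        if cur_hi is not None and lo <= cur_hi + timedelta(days=1):
            cur_hi = max(cur_hi, hi)        # overlapping/adjacent: extend
        else:
            if cur_hi is not None:
                exposed += (cur_hi - cur_lo).days + 1
            cur_lo, cur_hi = lo, hi
    if cur_hi is not None:
        exposed += (cur_hi - cur_lo).days + 1
    return exposed


def mean_time_to_remediate(findings, serious=SERIOUS):
    """Average days from opened to closed over closed serious findings."""
    durations = [(f.closed - f.opened).days for f in findings
                 if f.severity in serious and f.closed is not None]
    return sum(durations) / len(durations) if durations else 0.0


def report(findings, year):
    """Year-level numbers an executive can track quarter over quarter."""
    start, end = date(year, 1, 1), date(year, 12, 31)
    woe = window_of_exposure(findings, start, end)
    return {
        "year": year,
        "window_of_exposure_days": woe,
        "exposed_fraction": round(woe / ((end - start).days + 1), 3),
        "mttr_days": round(mean_time_to_remediate(findings), 1),
        "open_serious_at_year_end": sum(
            1 for f in findings
            if f.severity in SERIOUS and f.opened <= end
            and (f.closed is None or f.closed > end)),
    }


if __name__ == "__main__":
    print(report(FINDINGS, 2015))
```

For the constructed data the asset was exposed 79 of 365 days: the SQL injection and XSS windows merge into one run from 10 January to 1 March, the IDOR adds 11 days in June, and the still-open auth bypass adds the last 17 days of the year. Tracking that number per asset, alongside time to remediate, is the kind of internal measurement the slide argues should compete with breach headlines for executive attention.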
21. HOW TO USE BREACH FIXATION TO YOUR ADVANTAGE
• Use the Positive Force from the Attack Side & Map to Your Strategy
23. WRAP UP
• Breach Fixation distorts reality by putting most of the focus on external security activities that we don’t control at the expense of internal security that we do.
• Sophisticated security practitioners understand how Breach Fixation can help or hurt them if not managed
• Once recognized, there are several basic strategies that one can use to take advantage of Breach Fixation
Have done a tremendous amount of mobile testing for our clients, including Fortune 500 and sensitive
Have assessed MDM systems
And made recommendations to sensitive .gov and .mil clients surrounding application testing
TJX hacker Albert Gonzalez was sentenced to 20 years and a day
The Leavenworth Federal Maximum Security Prison, Leavenworth, Kansas!
- More and more sensational stories. The press doesn’t understand, or want to understand, the very hard business of security in an organization
Now front and center to popular and business press – consumed by executives and boards of directors
Vendor marketing campaigns also add to the hype
Share Dark Reading click-through stories
But it is critically important…
Sources:
WhiteHat Security 2015 Website Security Statistics Report
Veracode 2015 State of Software Security
Verizon 2015 Data Breach Investigations Report
Eye is not on the prize! Security posture built on buying the shiny object… security ADHD: limited patience and/or diligence to do what’s necessary to reduce risk.
Texas PUC moved its two cybersecurity staff working on Smart Meter security to the State’s Emergency Operations Center. No backfill.
Source: "Shift Cybersecurity Investment to Detection and Response,” Ayal Tirosh & Paul E. Proctor, Gartner, January 2016.
Source: “Global Information Security Survey 2015” EY