SlideShare una empresa de Scribd logo

Tactical Edge - How Much Security Do You Really Need?

Wendy Nather
Wendy Nather

This document discusses how to evaluate your organization's security spending and portfolio. It notes that even security experts don't agree on exactly how much should be spent. The document recommends using a Cyber Defense Matrix to identify key assets and risks, and evaluating spending based on addressing real risks and having evidence it is effective, rather than just compliance or benchmarking. It also cautions that spending alone does not equal effective security, and processes are also important.

Tecnología
1 de 39
Descargar para leer sin conexión
HOW MUCH SECURITY DO YOU REALLY NEED? Wendy Nather @RCISCwendy Research Director, Retail Cyber Intelligence Sharing Center (R-CISC) Bogotá, 24 Octubre 2016
INTRODUCTION • The Great Mystery • “Expense in Depth” • Even the Experts Don’t Know – pricing out a security program • A better framework – the Cyber Defense Matrix • Trimming your current security portfolio • Evaluating the risk in a way that works for you
MODELS FOR SECURITY SPENDING • Benchmarking – what is everyone else doing? • Compliance-driven spending • Metrics-driven • Evidence-driven
MODELS FOR SECURITY SPENDING • Spend only what you need to until the next breach • Keep spending until you run out of budget • Have an unlimited budget
EXPENSE IN DEPTH (RICK HOLLAND) • Security is a patchwork quilt, and you keep buying things to layer over the gaps • Leads to overspending in some areas and underspending in others • Overloading systems
EXPENSE IN DEPTH • Dueling agents • Prioritizing network decisions • Cognitive and effort overload on your personnel every time you add something new
“ ” I’M A NEW CISO. IT’S MY FIRST DAY ON THE JOB IN AN ORGANIZATION THAT HAS NEVER DONE SECURITY BEFORE. WHAT SHOULD I BUY? The Real Cost of Security 451 Research, 2013
EVEN THE EXPERTS DON’T KNOW • As few as 4 different technologies and as many as 31 • Everyone said “it depends,” including the vendors ¯_(ツ)_/¯
EVEN THE EXPERTS DON’T KNOW •The minimum baselines pretty much matched up to PCI, and included both firewalls and AV •Budget could be off by as much as a factor of 4 •There’s still no guarantee you won’t get breached
CAN WE DO BETTER?
CYBER DEFENSE MATRIX SOUNIL YU, [LARGE US FINANCIAL] Devices Applications Network Data People Degree of Dependence Identify Protect Detect Respond Recover Technology People Process
LEFT AND RIGHT OF “BOOM” Devices Applications Network Data People Degree of Dependence Identify Protect Detect Respond Recover Technology People Process Pre-Compromise Post-Compromise
ENTERPRISE SECURITY MARKET SEGMENTS 13 Devices Applications Network Data People Degree of Dependence Identify Protect Detect Respond Recover Technology People Process IAM Endpoint Visibility and Control / Endpoint Threat Detection & Response Configuration and Systems Management Data Labeling App Sec (SAST, DAST, IAST, RASP), WAFs Phishing Simulations DDoS Mitigation Insider Threat / Behavioral Analytics Network Security (FW, IPS) DRM Data Encryption, DLP IDS Netflow Full PCAP AV, HIPS Deep Web, Brian Krebs, FBI Backup Phishing Awareness
MARKET SEGMENTS – OTHER ENVIRONMENTS 14 Threat Actor Assets Threat Data Intrusion Deception Malware Sandboxes
MARKET SEGMENTS – OTHER ENVIRONMENTS 15 Vendor Assets Cloud Access Security Brokers Vendor Risk Assess- ments Customer Assets Endpoint Fraud Detection Device Finger- printing Device Finger- printing Web Fraud Detection Employee Assets BYOD MAM BYOD MDM
See the rest of the slides at https://www.rsaconference.com/events/us16/agenda/sessio ns/2530/understanding-the-security-vendor-landscape-using Or Google for “RSAC Sounil Yu” J
TRIMMING YOUR SECURITY PORTFOLIO • Why would you need to do that? • Mergers and acquisitions leave redundant products in place
TRIMMING YOUR SECURITY PORTFOLIO • Shelfware (see Javvad Malik’s research at https://www.rsaconference.com/writable/presentati ons/file_upload/mash-t07a-security-shelfware-which- products-gathering-dust-and-why.pdf or just Google “Javvad Malik Shelfware”)
TRIMMING YOUR SECURITY PORTFOLIO • Improving performance • Simplifying • Better integration and communication • Better price
BEFORE YOU CUT TECHNOLOGY … • Make sure you’re using it right • Make sure you’re using it as fully as possible • Talk to the vendor about its limitations and roadmap (or ask peers or an analyst)
BEFORE YOU CUT TECHNOLOGY … •Decide whether you need to replace it •Is it a greater liability to keep it and not use it, or not to have it at all?
BEFORE YOU CUT PEOPLE … • Know what they’re contributing both in expertise and workload • Expertise includes institutional knowledge
BEFORE YOU CUT PEOPLE … •Remember cognitive workload: just because they have the time to squeeze in an extra task, it doesn’t mean they can give it the attention it needs •Keep task priorities in mind – response mode keeps staff from being proactive
EVALUATING EFFECTIVENESS AND RISK
EVALUATING EFFECTIVENESS AND RISK • Is it addressing a risk everyone can believe in?
CHEESEBURGER RISK MANAGEMENT Sure, it might happen – but not for a long time
EVALUATING EFFECTIVENESS AND RISK •How does it address the risk? •Don’t say “it’s blocking millions of attacks,” because that makes Dave Lewis really angry
EVALUATING EFFECTIVENESS AND RISK •What are you relying on technology to do, versus what you’re relying on people to do? •Are you basing your security strategy on the hope that people will change?
YOUR MANAGEMENT’S FAVORITE METRICS Time saved Money saved Performance improvements / availability
MATCHING MONEY WITH SECURITY • Avoiding loss – but remember the probability discussion • Allowing revenue generators to do it faster • Saving time, which is money
MATCHING MONEY WITH SECURITY • Helping the business make better decisions in other areas • Providing a competitive advantage (but you’ll have to prove it) • Losses may or may not happen, but other improvements will show themselves if you can measure them
GETTING BREACHED JUST MIGHT BE CHEAPER … • Published research by Sasha Romanosky, RAND Corporation (August 2016) • “Most cyber events cost firms less than 0.4% of their annual revenues”
GETTING BREACHED JUST MIGHT BE CHEAPER … • By contrast, US firms lost an estimated 0.9% of their revenue to online fraud in 2013 (Cybersource 2013 Online Fraud Report) (Which shows that breaches are being treated separately from fraud, so whatever)
GETTING BREACHED JUST MIGHT BE CHEAPER … • Calculated that firms were spending an average of 0.025% of revenues on cybersecurity • Half of cyber events cost a firm an amount approximately equal to its annual investment in IT security (i.e. within ±$1 million of investment). Wait, what?
WHAT IF I TOLD YOU … … that you may already be spending enough?
SPENDING IS NOT DOING • You can be spending right, but doing it wrong • You can be doing it right, but spending wrong
SOME KIND OF PYRAMID Using security products Understanding threats Controlling changes Knowing what you have and what it’s doing
SUMMARY • There are many ways to evaluate your portfolio • There’s no ground truth • Identify the risks you can believe in • Find the evidence that you’re addressing those risks • Remember: it’s in the way that you use it
Tactical Edge - How Much Security Do You Really Need?

Recomendados

Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...centralohioissa
 
Next generation security analytics
Next generation security analyticsNext generation security analytics
Next generation security analyticsChristian Have
 
Embracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your DecisionEmbracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your DecisionCylance
 
Aaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & DefenseAaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & DefenseJason Luttrell, CISSP, CISM
 
Building Cyber Resilience at the Speed of Business
Building Cyber Resilience at the Speed of BusinessBuilding Cyber Resilience at the Speed of Business
Building Cyber Resilience at the Speed of BusinessRahul Neel Mani
 
MT118 Risk Intelligence - Making the Right Choices in Cybersecurity
MT118 Risk Intelligence - Making the Right Choices in CybersecurityMT118 Risk Intelligence - Making the Right Choices in Cybersecurity
MT118 Risk Intelligence - Making the Right Choices in CybersecurityDell EMC World
 
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the WarGary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the Warcentralohioissa
 
2016 Scalar Security Study Roadshow
2016 Scalar Security Study Roadshow2016 Scalar Security Study Roadshow
2016 Scalar Security Study RoadshowScalar Decisions
 

Recomendados

Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...centralohioissa
 
Next generation security analytics
Next generation security analyticsNext generation security analytics
Next generation security analyticsChristian Have
 
Embracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your DecisionEmbracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your DecisionCylance
 
Aaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & DefenseAaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & DefenseJason Luttrell, CISSP, CISM
 
Building Cyber Resilience at the Speed of Business
Building Cyber Resilience at the Speed of BusinessBuilding Cyber Resilience at the Speed of Business
Building Cyber Resilience at the Speed of BusinessRahul Neel Mani
 
MT118 Risk Intelligence - Making the Right Choices in Cybersecurity
MT118 Risk Intelligence - Making the Right Choices in CybersecurityMT118 Risk Intelligence - Making the Right Choices in Cybersecurity
MT118 Risk Intelligence - Making the Right Choices in CybersecurityDell EMC World
 
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the WarGary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the Warcentralohioissa
 
2016 Scalar Security Study Roadshow
2016 Scalar Security Study Roadshow2016 Scalar Security Study Roadshow
2016 Scalar Security Study RoadshowScalar Decisions
 
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?centralohioissa
 
William Diederich - Security Certifications: Are They Worth the Investment? A...
William Diederich - Security Certifications: Are They Worth the Investment? A...William Diederich - Security Certifications: Are They Worth the Investment? A...
William Diederich - Security Certifications: Are They Worth the Investment? A...centralohioissa
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityDell EMC World
 
Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?centralohioissa
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss ProtectionGabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protectioncentralohioissa
 
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection FrameworkAlex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Frameworkcentralohioissa
 
Cyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingCyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingJonathan Sinclair
 
Tanium Overview
Tanium OverviewTanium Overview
Tanium OverviewJordanTough
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceSurfWatch Labs
 
Endpoint Detection and Response for Dummies
Endpoint Detection and Response for DummiesEndpoint Detection and Response for Dummies
Endpoint Detection and Response for DummiesLiberteks
 
Scalar - a brief introduction
Scalar - a brief introductionScalar - a brief introduction
Scalar - a brief introductionScalar Decisions
 
Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)
Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)
Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)Fujitsu Middle East
 
Quantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataQuantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataSteven Schwartz
 
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...Resilient Systems
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloudScalar Decisions
 
5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown Jewels5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown JewelsIBM Security
 
Ruben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security InitiativesRuben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security Initiativescentralohioissa
 
Digital Transformation and Security for the Modern Business Part 1 – Finance
Digital Transformation and Security for the Modern Business Part 1 – FinanceDigital Transformation and Security for the Modern Business Part 1 – Finance
Digital Transformation and Security for the Modern Business Part 1 – FinanceXenith Document Systems Ltd
 
MT29 Panel: Becoming a data-driven enterprise
MT29 Panel: Becoming a data-driven enterpriseMT29 Panel: Becoming a data-driven enterprise
MT29 Panel: Becoming a data-driven enterpriseDell EMC World
 
Enumerating your shadow it attack surface
Enumerating your shadow it attack surfaceEnumerating your shadow it attack surface
Enumerating your shadow it attack surfacePriyanka Aash
 
How to Make a Decent PowerPoint
How to Make a Decent PowerPointHow to Make a Decent PowerPoint
How to Make a Decent PowerPointAdam Fowler
 
Neira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira Jones
 

Más contenido relacionado

La actualidad más candente

Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?centralohioissa
 
William Diederich - Security Certifications: Are They Worth the Investment? A...
William Diederich - Security Certifications: Are They Worth the Investment? A...William Diederich - Security Certifications: Are They Worth the Investment? A...
William Diederich - Security Certifications: Are They Worth the Investment? A...centralohioissa
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityDell EMC World
 
Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?centralohioissa
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss ProtectionGabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protectioncentralohioissa
 
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection FrameworkAlex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Frameworkcentralohioissa
 
Cyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingCyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingJonathan Sinclair
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceSurfWatch Labs
 
Endpoint Detection and Response for Dummies
Endpoint Detection and Response for DummiesEndpoint Detection and Response for Dummies
Endpoint Detection and Response for DummiesLiberteks
 
Scalar - a brief introduction
Scalar - a brief introductionScalar - a brief introduction
Scalar - a brief introductionScalar Decisions
 
Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)
Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)
Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)Fujitsu Middle East
 
Quantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataQuantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataSteven Schwartz
 
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...Resilient Systems
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloudScalar Decisions
 
5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown Jewels5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown JewelsIBM Security
 
Ruben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security InitiativesRuben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security Initiativescentralohioissa
 
Digital Transformation and Security for the Modern Business Part 1 – Finance
Digital Transformation and Security for the Modern Business Part 1 – FinanceDigital Transformation and Security for the Modern Business Part 1 – Finance
Digital Transformation and Security for the Modern Business Part 1 – FinanceXenith Document Systems Ltd
 
MT29 Panel: Becoming a data-driven enterprise
MT29 Panel: Becoming a data-driven enterpriseMT29 Panel: Becoming a data-driven enterprise
MT29 Panel: Becoming a data-driven enterpriseDell EMC World
 
Enumerating your shadow it attack surface
Enumerating your shadow it attack surfaceEnumerating your shadow it attack surface
Enumerating your shadow it attack surfacePriyanka Aash
 

La actualidad más candente (20)

Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
 
William Diederich - Security Certifications: Are They Worth the Investment? A...
William Diederich - Security Certifications: Are They Worth the Investment? A...William Diederich - Security Certifications: Are They Worth the Investment? A...
William Diederich - Security Certifications: Are They Worth the Investment? A...
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in Cybersecurity
 
Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss ProtectionGabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
 
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection FrameworkAlex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
 
Cyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingCyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not working
 
Tanium Overview
Tanium OverviewTanium Overview
Tanium Overview
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
 
Endpoint Detection and Response for Dummies
Endpoint Detection and Response for DummiesEndpoint Detection and Response for Dummies
Endpoint Detection and Response for Dummies
 
Scalar - a brief introduction
Scalar - a brief introductionScalar - a brief introduction
Scalar - a brief introduction
 
Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)
Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)
Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)
 
Quantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataQuantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal Data
 
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloud
 
5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown Jewels5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown Jewels
 
Ruben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security InitiativesRuben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security Initiatives
 
Digital Transformation and Security for the Modern Business Part 1 – Finance
Digital Transformation and Security for the Modern Business Part 1 – FinanceDigital Transformation and Security for the Modern Business Part 1 – Finance
Digital Transformation and Security for the Modern Business Part 1 – Finance
 
MT29 Panel: Becoming a data-driven enterprise
MT29 Panel: Becoming a data-driven enterpriseMT29 Panel: Becoming a data-driven enterprise
MT29 Panel: Becoming a data-driven enterprise
 
Enumerating your shadow it attack surface
Enumerating your shadow it attack surfaceEnumerating your shadow it attack surface
Enumerating your shadow it attack surface
 

Destacado

How to Make a Decent PowerPoint
How to Make a Decent PowerPointHow to Make a Decent PowerPoint
How to Make a Decent PowerPointAdam Fowler
 
Neira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira Jones
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 
RSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityRSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityScott Carlson
 
Distributed Denial Of Service Introduction
Distributed Denial Of Service IntroductionDistributed Denial Of Service Introduction
Distributed Denial Of Service Introductionwremes
 
AusCERT - Mikko Hypponen
AusCERT - Mikko HypponenAusCERT - Mikko Hypponen
AusCERT - Mikko HypponenMikko Hypponen
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Scott Carlson
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Dan Kaminsky
 
The InfoSec Avengers
The InfoSec AvengersThe InfoSec Avengers
The InfoSec AvengersTripwire
 
Security Configuration Management for Dummies
Security Configuration Management for DummiesSecurity Configuration Management for Dummies
Security Configuration Management for DummiesTripwire
 
RDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization dataRDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization dataDave Lewis
 
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...Tripwire
 
Data security brian honan
Data security brian honanData security brian honan
Data security brian honanBrian Honan
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internetBrian Honan
 

Destacado (14)

How to Make a Decent PowerPoint
How to Make a Decent PowerPointHow to Make a Decent PowerPoint
How to Make a Decent PowerPoint
 
Neira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf ready
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure software
 
RSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityRSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud Security
 
Distributed Denial Of Service Introduction
Distributed Denial Of Service IntroductionDistributed Denial Of Service Introduction
Distributed Denial Of Service Introduction
 
AusCERT - Mikko Hypponen
AusCERT - Mikko HypponenAusCERT - Mikko Hypponen
AusCERT - Mikko Hypponen
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)
 
The InfoSec Avengers
The InfoSec AvengersThe InfoSec Avengers
The InfoSec Avengers
 
Security Configuration Management for Dummies
Security Configuration Management for DummiesSecurity Configuration Management for Dummies
Security Configuration Management for Dummies
 
RDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization dataRDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization data
 
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
 
Data security brian honan
Data security brian honanData security brian honan
Data security brian honan
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internet
 

Similar a Tactical Edge - How Much Security Do You Really Need?

The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezEC-Council
 
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Emrah Alpa, CISSP CEH CCSK
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfJustinBrown267905
 
Threat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudThreat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudBen Johnson
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Amazon Web Services
 
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAmazon Web Services
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud securityRaj Sarode
 
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...CODE BLUE
 
A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersTony Perez
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security FrameworkJerod Brennen
 
SACON - Incident Response Automation & Orchestration (Amit Modi)
SACON - Incident Response Automation & Orchestration (Amit Modi)SACON - Incident Response Automation & Orchestration (Amit Modi)
SACON - Incident Response Automation & Orchestration (Amit Modi)Priyanka Aash
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)OnRamp
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?Kurt Hagerman
 
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique SingerLet's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique SingerSaraPia5
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
Asset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsAsset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsRedhuntLabs2
 

Similar a Tactical Edge - How Much Security Do You Really Need? (20)

The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
 
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
Threat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudThreat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the Cloud
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
 
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
 
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
 
A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website Owners
 
BREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAPBREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAP
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security Framework
 
SACON - Incident Response Automation & Orchestration (Amit Modi)
SACON - Incident Response Automation & Orchestration (Amit Modi)SACON - Incident Response Automation & Orchestration (Amit Modi)
SACON - Incident Response Automation & Orchestration (Amit Modi)
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
 
Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?
 
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique SingerLet's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
Asset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsAsset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt Labs
 

Último

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Último (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Tactical Edge - How Much Security Do You Really Need?

  • 1. HOW MUCH SECURITY DO YOU REALLY NEED? Wendy Nather @RCISCwendy Research Director, Retail Cyber Intelligence Sharing Center (R-CISC) Bogotá, 24 Octubre 2016
  • 2. INTRODUCTION • The Great Mystery • “Expense in Depth” • Even the Experts Don’t Know – pricing out a security program • A better framework – the Cyber Defense Matrix • Trimming your current security portfolio • Evaluating the risk in a way that works for you
  • 3. MODELS FOR SECURITY SPENDING • Benchmarking – what is everyone else doing? • Compliance-driven spending • Metrics-driven • Evidence-driven
  • 4. MODELS FOR SECURITY SPENDING • Spend only what you need to until the next breach • Keep spending until you run out of budget • Have an unlimited budget
  • 5. EXPENSE IN DEPTH (RICK HOLLAND) • Security is a patchwork quilt, and you keep buying things to layer over the gaps • Leads to overspending in some areas and underspending in others • Overloading systems
  • 6. EXPENSE IN DEPTH • Dueling agents • Prioritizing network decisions • Cognitive and effort overload on your personnel every time you add something new
  • 7. “ ” I’M A NEW CISO. IT’S MY FIRST DAY ON THE JOB IN AN ORGANIZATION THAT HAS NEVER DONE SECURITY BEFORE. WHAT SHOULD I BUY? The Real Cost of Security 451 Research, 2013
  • 8. EVEN THE EXPERTS DON’T KNOW • As few as 4 different technologies and as many as 31 • Everyone said “it depends,” including the vendors ¯_(ツ)_/¯
  • 9. EVEN THE EXPERTS DON’T KNOW •The minimum baselines pretty much matched up to PCI, and included both firewalls and AV •Budget could be off by as much as a factor of 4 •There’s still no guarantee you won’t get breached
  • 10. CAN WE DO BETTER?
  • 11. CYBER DEFENSE MATRIX SOUNIL YU, [LARGE US FINANCIAL] Devices Applications Network Data People Degree of Dependence Identify Protect Detect Respond Recover Technology People Process
  • 12. LEFT AND RIGHT OF “BOOM” Devices Applications Network Data People Degree of Dependence Identify Protect Detect Respond Recover Technology People Process Pre-Compromise Post-Compromise
  • 13. ENTERPRISE SECURITY MARKET SEGMENTS 13 Devices Applications Network Data People Degree of Dependence Identify Protect Detect Respond Recover Technology People Process IAM Endpoint Visibility and Control / Endpoint Threat Detection & Response Configuration and Systems Management Data Labeling App Sec (SAST, DAST, IAST, RASP), WAFs Phishing Simulations DDoS Mitigation Insider Threat / Behavioral Analytics Network Security (FW, IPS) DRM Data Encryption, DLP IDS Netflow Full PCAP AV, HIPS Deep Web, Brian Krebs, FBI Backup Phishing Awareness
  • 14. MARKET SEGMENTS – OTHER ENVIRONMENTS 14 Threat Actor Assets Threat Data Intrusion Deception Malware Sandboxes
  • 15. MARKET SEGMENTS – OTHER ENVIRONMENTS 15 Vendor Assets Cloud Access Security Brokers Vendor Risk Assess- ments Customer Assets Endpoint Fraud Detection Device Finger- printing Device Finger- printing Web Fraud Detection Employee Assets BYOD MAM BYOD MDM
  • 16. See the rest of the slides at https://www.rsaconference.com/events/us16/agenda/sessio ns/2530/understanding-the-security-vendor-landscape-using Or Google for “RSAC Sounil Yu” J
  • 17. TRIMMING YOUR SECURITY PORTFOLIO • Why would you need to do that? • Mergers and acquisitions leave redundant products in place
  • 18. TRIMMING YOUR SECURITY PORTFOLIO • Shelfware (see Javvad Malik’s research at https://www.rsaconference.com/writable/presentati ons/file_upload/mash-t07a-security-shelfware-which- products-gathering-dust-and-why.pdf or just Google “Javvad Malik Shelfware”)
  • 19. TRIMMING YOUR SECURITY PORTFOLIO • Improving performance • Simplifying • Better integration and communication • Better price
  • 20. BEFORE YOU CUT TECHNOLOGY … • Make sure you’re using it right • Make sure you’re using it as fully as possible • Talk to the vendor about its limitations and roadmap (or ask peers or an analyst)
  • 21. BEFORE YOU CUT TECHNOLOGY … •Decide whether you need to replace it •Is it a greater liability to keep it and not use it, or not to have it at all?
  • 22. BEFORE YOU CUT PEOPLE … • Know what they’re contributing both in expertise and workload • Expertise includes institutional knowledge
  • 23. BEFORE YOU CUT PEOPLE … •Remember cognitive workload: just because they have the time to squeeze in an extra task, it doesn’t mean they can give it the attention it needs •Keep task priorities in mind – response mode keeps staff from being proactive
  • 25. EVALUATING EFFECTIVENESS AND RISK • Is it addressing a risk everyone can believe in?
  • 26. CHEESEBURGER RISK MANAGEMENT Sure, it might happen – but not for a long time
  • 27. EVALUATING EFFECTIVENESS AND RISK •How does it address the risk? •Don’t say “it’s blocking millions of attacks,” because that makes Dave Lewis really angry
  • 28. EVALUATING EFFECTIVENESS AND RISK •What are you relying on technology to do, versus what you’re relying on people to do? •Are you basing your security strategy on the hope that people will change?
  • 29. YOUR MANAGEMENT’S FAVORITE METRICS Time saved Money saved Performance improvements / availability
  • 30. MATCHING MONEY WITH SECURITY • Avoiding loss – but remember the probability discussion • Allowing revenue generators to do it faster • Saving time, which is money
  • 31. MATCHING MONEY WITH SECURITY • Helping the business make better decisions in other areas • Providing a competitive advantage (but you’ll have to prove it) • Losses may or may not happen, but other improvements will show themselves if you can measure them
  • 32. GETTING BREACHED JUST MIGHT BE CHEAPER … • Published research by Sasha Romanosky, RAND Corporation (August 2016) • “Most cyber events cost firms less than 0.4% of their annual revenues”
  • 33. GETTING BREACHED JUST MIGHT BE CHEAPER … • By contrast, US firms lost an estimated 0.9% of their revenue to online fraud in 2013 (Cybersource 2013 Online Fraud Report) (Which shows that breaches are being treated separately from fraud, so whatever)
  • 34. GETTING BREACHED JUST MIGHT BE CHEAPER … • Calculated that firms were spending an average of 0.025% of revenues on cybersecurity • Half of cyber events cost a firm an amount approximately equal to its annual investment in IT security (i.e. within ±$1 million of investment). Wait, what?
  • 35. WHAT IF I TOLD YOU … … that you may already be spending enough?
  • 36. SPENDING IS NOT DOING • You can be spending right, but doing it wrong • You can be doing it right, but spending wrong
  • 37. SOME KIND OF PYRAMID Using security products Understanding threats Controlling changes Knowing what you have and what it’s doing
  • 38. SUMMARY • There are many ways to evaluate your portfolio • There’s no ground truth • Identify the risks you can believe in • Find the evidence that you’re addressing those risks • Remember: it’s in the way that you use it