Date posted: 07-Aug-2015 | Category: Technology | Uploaded by: resilient-systems
Co3's Annual Review & Predictions Webinar
WEBINAR
Slide 3
Agenda
• Introductions
• Who Are We
• Review & Predictions
• Q&A
Slide 4
Introductions
• Ted Julian, CMO, Co3 Systems
• Bruce Schneier, CTO, Co3 Systems
• Jon Oltsik, Principal Analyst, ESG
• Gant Redmon, General Counsel, Co3 Systems
Slide 5
Ted Julian, CMO, Co3 Systems
• He is a successful serial entrepreneur and has launched multiple start-ups in the security and compliance industry
• Was once named “Geek of the Week” by The Boston Globe, and has also appeared on CNN and ABC News as well as in the Wall Street Journal and USA Today
• Fun Fact: He is an avid long-distance runner
Slide 6
Bruce Schneier, CTO, Co3 Systems
• An internationally renowned security technologist and cryptographer, aka the “Security Guru”
• He has authored 12 books (with another being released in February 2015), maintains the blog “Schneier on Security,” and sends the monthly newsletter “Crypto-Gram”
• Fun Fact: He makes his own absinthe
Slide 7
Jon Oltsik, Principal Analyst, ESG
• He is widely recognized as an expert in all aspects of information security and is often called upon to help customers understand a CISO’s perspective and strategies
• Writes the “Networking Nuggets and Security Snippets” series for Network World
• Fun Fact: He plays guitar in a rock-and-roll cover band
Slide 8
Gant Redmon, General Counsel, Co3 Systems
• He has practiced law for 19 years, 15 of those as in-house counsel for security software companies
• He was appointed to President Clinton’s Export Council Subcommittee on Encryption (PECSENC)
• Fun Fact: He plays soccer at 6 AM four times per week
Slide 9
About Co3 – Incident Response Management
PREPARE – Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (fire drills / table tops)
ASSESS – Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE – Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE – Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Slide 10
Co3 Incident Response Management System (IRMS)
Incident response plan: instant creation & streamlined collaboration
• Stakeholders: HR, IT, Legal/Compliance, Marketing
• Plan synthesis inputs: community best practices, industry standard frameworks, organizational SOPs, global privacy breach regulations, contractual requirements
• Automated escalation sources: web form, trouble ticketing, entry wizard, SIEM
• Plan enrichment indicators: malware sample, IP address, DNS name, process name
• Accelerated mitigation: custom action framework
• Dashboards and reporting: incident timeline / status, CSO dashboard, auditor dashboard, team utilization, incidents by type over time
■ Cyber Threats
Slide 12
Cyber Threats - Trends
• 2014: Started with Target, ended with Sony
• Targeted vs. opportunistic attacks
• New motivations: financial, IP, revenge
• Blended threats and impacts
• Increase in post-breach lawsuits
• Security practices on trial after a breach
• Individual privacy breaches
• Vulnerabilities in open source – Shellshock, Heartbleed
• Nation-state malware
Slide 13
Cyber Threats - Predictions
• Is Sony’s CEO next to be fired?
• Boardroom will focus more on security
• Expect the unexpected
• Measurement changes – and more accountability
■ IT Trends & Cybersecurity
Slide 15
IT Trends & Cybersecurity - Trends
• Ongoing loss of control, broader threat landscape
• Larger focus on cloud security – e.g. the Apple iCloud celebrity photo leak
• Need for greater control over identity and data
• Whistleblower rock stars
• Open source vulnerabilities
Slide 16
IT Trends & Cybersecurity - Predictions
• Spying fears change the vendor landscape
• Stricter security terms in contracts
• Economic impact on U.S. vendors internationally
• New book from Bruce!
POLL: What talked-about trend of 2014 gave you the biggest headaches?
■ Professional Development
Slide 19
Professional Development - Trends
• Vacancy rate is at 22 percent; the employee shortage is in the millions
• Hyper-inflation of security salaries, more outsourcing for smaller businesses
• Industry isn’t building the next generation of security leaders
• Collaboration with PR, HR, and legal is more important than ever
• Basic analysis skills, such as malware analysis, are in demand, as are mobile and cloud skills
Slide 20
Professional Development - Predictions
• Skills shortage gets worse next year
• More demand = less accountability
■ The Business of Security
Slide 22
The Business of Security - Trends
• Security professionals struggle to relate issues to the boardroom
• Healthcare’s security risk: conversations happening at the boardroom level
• Cybercriminals seek more details on individuals
Slide 23
The Business of Security - Predictions
• Marketing and legal professionals may take over CISO roles
• More people problems than tech problems
POLL: What’s at the top of your organization’s security holiday wish list?
■ Privacy
Slide 26
Privacy - Review
• Safe Harbor alive and well – the European Commission’s 13 recommendations are not too specific or onerous
• Usernames and passwords – may the country follow California…again
  – S.B. 46 amends Sections 1798.29 and 1798.82 of the Civil Code to require businesses and state agencies to notify consumers if their login credentials are compromised by a data breach
• Kentucky
• FCC gets into privacy enforcement – plans $10M in fines against TerraCom and YourTel
Slide 27
Privacy - Predictions
• Target-scale breach in the EU – fodder for EU regulations
  – Bigger than University of Limerick
• Backlash on click-through boilerplate
  – Not sufficient to opt in
  – Contract considered illusory
  – Companies have to try again with a different approach: clear and concise language
Slide 28
Privacy - Predictions
• People realize that losing their credit card numbers is not identity theft
  – This leads to less concern over credit monitoring
• No follow-the-leader – TX and CA
• No unified EU breach notice in 2015
• More US uniform notification bills filed early in 2015…and they will all die by October
■ Questions?
Slide 30
Upcoming Co3 Events
• Data Breach Crisis Communications: 2014 – The Year of the Data Breach, in Review
  – January 8, 2015, 1 pm EST
• You’ve Been Breached: How to Mitigate the Incident
  – January 21, 2015, 12 pm EST
Slide 31
“Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
– PC Magazine, Editors’ Choice
“Platform is comprehensive, user friendly, and very well designed.”
– Ponemon Institute
“One of the most important startups in security…”
– Business Insider
“One of the hottest products at RSA…”
– Network World
“...an invaluable weapon when responding to security incidents.”
– Government Computer News
“Co3 has done better than a home-run...it has knocked one out of the park.”
– SC Magazine
Most Innovative Product