The 2nd Annual DevOps Connect: Rugged DevOps Edition at RSA Conference is a day-long series of sessions focusing on the DevOps Software Supply Chain. Stephan Chenette, CEO and Co-Founder of AttackIQ, will speak on the importance of challenging your security deployments and why running continuous, automated attack and validation scenarios will minimize risks to your organization.
During RSA 2016, Mr. Chenette will be available for limited VIP meetings. To schedule a face-to-face meeting, please send us a message here and we will have someone reach out to coordinate a meeting time and location.
Title: Continuous Security Control Validation
Details: Monday, February 29, 2016 | 8:30 AM – 4:30 PM | West | Room: 2018 (DevOps Connect)
Reception: AttackIQ will be sponsoring the Rugged DevOps Reception hosted at Jillians; we look forward to seeing you there.
I want to invite everyone to my talk at RSA 2016 called “Continuous Security Control Validation”. If I were giving the talk at Blackhat I would have most likely called it “Why Security Chaos Monkeys are Good for Business”, but this is RSA so the title is a bit more conservative and straightforward. The talk is about the benefits of automated security testing. Here is an overview of the talk:
Automated security testing is useful for any organization at every level of maturity within a security program. Continuously validating and measuring your security technologies is critical to mounting an effective defense. Security chaos monkey is a term typically used to refer to safely testing the resiliency of a particular target. In this case, I’m talking about your security infrastructure.
The data you obtain from continuous testing allows you to justify current security spending and identify future needs. Approaching the board of directors with a budget request to buy a security product because you “feel” you need it, or because you heard or read that it works won’t be persuasive. You don’t need to educate them on security technology — that’s a losing battle. You need to convince them exactly how the improvement will reduce business risk, not in terms of technology, but in terms of the bottom line. To them, cyber security is a business issue, not an IT issue.
Help them understand the return on investment (ROI) of the security technologies protecting the organization. They want to hear that detection capabilities have increased by 10%, or that buying a new technology will increase prevention by 15%. They want to know that the loss of a particular asset could cost the business $10 million and that effective security measures have been put in place to minimize the risk of losing that asset. Let me throw out an analogy here. Almost all of us hate going to the doctor for our regular checkup. We don’t know what the doctor will find, we fear the worst, but eventually we go, we get a checkup, we see the data, and that data convinces us of our current health posture. We need to start doing security hygiene testing for our infrastructure. That data is the set of facts we use in our discussions with the board. X-rays, in the form of a security gap report or validation report, will lead to objective discussions.
Metrics provide the data you need for effective security spending. Continuous visibility into your unique security infrastructure generates that data. That data ultimately can justify and validate your budget requests.
At RSA, we’re going to talk about metrics related to reducing your risk. Risk is much more than simply factoring in a cumulative CVSS score across your vulnerabilities. It’s related to understanding the value and criticality of an asset and the impact of relevant threats to that asset. It’s simple, regardless of whether or not there is a specific vulnerability. If there is no threat, there is no risk. If there is a threat, you can minimize the risk by driving down the impact of that threat. To truly measure the impact of a threat, you must be able to safely run attack and validation scenarios on your actual live hosts and networks. Only when you test yourself can you start to gain an understanding of your detection and protection capabilities and your response time. Now we’re talking metrics and a baseline from which to continuously improve.
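To make the risk arithmetic above concrete, here is an added example (not code from the post or from AttackIQ) that scores a set of validation-scenario results per asset and compares two runs the way the talk describes: prevention and detection rates, time to detect, and residual risk as asset value times threat likelihood times the share of scenarios that were not prevented. The asset register, its values and likelihoods, and every scenario outcome are constructed placeholders.

```python
# Added example (not from the post): a scorecard for continuous control validation.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ScenarioResult:
    scenario: str          # label of the attack/validation scenario that was run
    asset: str             # asset the scenario was run against
    prevented: bool        # a preventive control blocked it
    detected: bool         # monitoring raised an alert
    minutes_to_detect: Optional[float] = None  # None when nothing fired

# Constructed asset register: (business value in USD, annual threat likelihood)
ASSETS = {"crm-db": (10_000_000, 0.6), "build-server": (2_000_000, 0.3)}

def scorecard(results, assets=ASSETS):
    """Per-asset prevention/detection rates, mean minutes to detect, and residual
    risk = value * likelihood * (1 - prevention rate): expected loss not stopped."""
    out = {}
    for asset, (value, likelihood) in assets.items():
        rs = [r for r in results if r.asset == asset]
        if not rs:
            continue  # no scenario has exercised this asset yet
        prev = sum(r.prevented for r in rs) / len(rs)
        det = sum(r.detected for r in rs) / len(rs)
        ttd = [r.minutes_to_detect for r in rs if r.detected and r.minutes_to_detect is not None]
        out[asset] = {"prevention_rate": round(prev, 2), "detection_rate": round(det, 2),
                      "mean_minutes_to_detect": round(sum(ttd) / len(ttd), 1) if ttd else None,
                      "residual_risk_usd": round(value * likelihood * (1 - prev))}
    return out

def delta_points(baseline, current, metric):
    """Change in a rate between two runs, in percentage points (e.g. +25)."""
    return {a: round((current[a][metric] - baseline[a][metric]) * 100)
            for a in baseline if a in current}

# Constructed results: the same six scenarios run before (BASELINE) and after (CURRENT) tuning.
BASELINE = [ScenarioResult("phish-cred-capture", "crm-db", False, True, 45),
            ScenarioResult("lateral-move", "crm-db", True, True, 5),
            ScenarioResult("db-bulk-export", "crm-db", False, False),
            ScenarioResult("local-priv-esc", "crm-db", True, False),
            ScenarioResult("ci-secret-read", "build-server", False, True, 120),
            ScenarioResult("ci-pipeline-tamper", "build-server", False, False)]
CURRENT = [ScenarioResult("phish-cred-capture", "crm-db", True, True, 30),
           ScenarioResult("lateral-move", "crm-db", True, True, 4),
           ScenarioResult("db-bulk-export", "crm-db", False, True, 20),
           ScenarioResult("local-priv-esc", "crm-db", True, True, 10),
           ScenarioResult("ci-secret-read", "build-server", True, True, 60),
           ScenarioResult("ci-pipeline-tamper", "build-server", False, True, 90)]
```

Running `delta_points(scorecard(BASELINE), scorecard(CURRENT), "detection_rate")` gives the "detection increased by N points" figure, and the `residual_risk_usd` column is the number that changes when a prevention gap on a high-value asset is closed.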
When you look at your own organization, the team responsible for running these types of tests should be a cross-functional combination of dev+ops+security. Every business component has a related security control associated with it, so security is everyone’s responsibility. You have to communicate effectively across the business and provide the tools to validate that the security controls in place are working as deployed and assumed.
The cost of a data breach pales in comparison to the cost of routine testing of your security technologies, people, and processes. How else do you improve but to create a baseline and find out where your weaknesses are, then prioritize and improve?
It really comes down to questions every organization should ask itself. Are you confident in your security posture? Do you value measuring the effectiveness of what you have implemented in your security program and challenging your assumptions about what is working and what is not?
We started AttackIQ because the industry was inundated with security products and was deploying them without a strategy or an understanding of their true capability. We saw the frustration of so many board members, C-level executives, and security team members who wanted to speak facts and make rational decisions, which is 180 degrees from the fear, uncertainty, and doubt (FUD) that our industry typically bases its decisions upon.
The last 15 years of my career have brought me to the firm conviction that this industry needs to begin holding itself accountable. This starts with security teams realizing that security budgets are better spent when you truly understand attackers, their techniques, and their capabilities versus your own defense-in-depth strategy. At the end of the day, running attack and validation scenarios minimizes security costs, time, and resources. More importantly, it reduces business risk, which is the ultimate end goal. Wouldn’t you like to speak confidently about your actual security capabilities? Don’t you want to make rational, data-driven decisions instead of just hoping you’re safe? Don’t you want to run continuous, real-world scenarios in your production environment? That’s what I thought.
See you at my talk.
CEO and Co-Founder, AttackIQ