SlideShare a Scribd company logo

A6 pragmatic journey into cyber security

Jorge Sebastiao, profile picture
Jorge Sebastiao

The document discusses cyber security and presents a framework for an effective cyber security program. It outlines the key elements of a comprehensive security approach, including assessing risks, architecting security controls, applying protections, administering security operations, raising user awareness, ensuring agility, defining the appropriate risk appetite, and aligning security with business needs. The framework emphasizes that security is a continuous process requiring skills in various areas to successfully manage risks.

Education
Related topics:
Cyber-Security Information SecurityCybersecurity Awareness
1 of 47
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
A6 a pragmatic Journey into Cyber Security Jorge Sebastiao, CISSP ICT Expert Huawei http://linkedin.com/in/sebastiao/ Twitter: @4jorge
Disclaimer & Copyright • Please note that this presentation is for informational, knowledge sharing and educational purposes only. Any comments or statements made herein do not necessarily reflect the views of Huawei. The information is intended for the recipient's use only and should not be cited, reproduced or distributed to any third party without the prior consent of the authors. Although great care is taken to ensure accuracy of information neither the author, nor Huawei can be held responsible for any decision made on the basis of the information cited. • The content of this presentation is based on information gathered in good faith from both primary and secondary sources and is believed to be correct at the time of publication. The author can however provide no guarantee regarding the accuracy of this content and therefore accepts no liability whatsoever for any actions taken that subsequently prove incorrect. • The practices listed in the document are provided as is and as guidance and the author and Huawei do not claim that these comprise the only practices to be followed. The readers are urged to make informed decisions in their usage. • The information presented in this presentation is not intended to be, and should not be construed as, an offer to sell any products or services or a solicitation of an offer to buy any products or services . Any such offer or sale will be made pursuant to, and the information presented at this meeting is qualified in its entirety by, authorized offering documents and related disclosure schedules or similar disclosure documentation. • All logos and brand names belong to their respective owners and we do not claim any relationship or association, implied or otherwise, with them. • Use of any materials by virtue of relationships and associations, if any, are mentioned explicitly. • Author has taken care to attribute all sources for external materials used in this presentation, and any oversight is regretted. If you, as owner, or as viewer, find any reason to dispute the use of these materials kindly communicate the same to author. • Any omissions, in terms of attribution, may be due to an error of author and not intentional.
Google review of email Phishing
Spear Phishing
Is That an Office Phone In Your Pocket?
The future is here
Uncontrolled Connectivity
Everything is connected…
Apple Pay Exploit
M2M and Google Voice?
Smart Meters and Nest Hack
Healthcare Sensors Exploits
Physical Security
Hacking IIoT SCADA sensors Industrial Scale Risks
Challenges Disengagement from the changing customer mindset Lack of confidence in return on investment Lack of regulatory certainty on new market structures Privacy, security and resilience Poorly formulated M&A and strategic partnerships Failure to define new business metrics Failure to capitalize on new types of connectivity Insufficient information to turn demand into value Failure to shift the business model from minutes to bytes Lack of organizational flexibility
Mobile Malware up 148,778 samples 2013
5th Challenge -Protection against State Sponsored Attacks • # 19M89. %6/><345% • I </>%' X71>%><. %v' ; >0%7?%# /4@q%
Is there an elephant in the room?
0 Day Exploits - Guaranteed
Rogue & Clueless Users
Our security enemy is? Security Nightmare
Cyberspace CharacteristicsAsymmetric Attribution Problems No Borders Complex Interconnected Systems
Outdated Assumptions?
Effective Countermeasures
Wrong Skills?
What is next?
Think outside the box 2
Effective Security is hidden deep underneath… Technology ProcessPeople
Right Risk Appetite?
Modeling Risk and Threats Threats Vulnerabilities Controls Risks Assets Security Requirements Business Impact exploit exposeincreaseincrease increase have protect against met by indicate reduce
CONSEQUENCE LIKLIEHOOD FV T Risk Group 1 Risk Group 2 Risk Group 3 HighLow L o w H i g h RESPONSE PROTECTION Target Risk Risk Reduction Strategies!
4As A4 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act
5As A5 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act Awareness Intelligence, User
6As A6 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act Awareness Intelligence, User Agility Timeliness of Response
A6 - Process Business Risk Controls Maturity
Defense in depth
The « defence in depth »
TBS- Time Based Security Protection DetectionResponse SECURITY P>D+R Anti-virus VPN Firewall, IPS Access Control Grid Time Response Patch Mgmt Incidence Response Disaster Recovery Vulnerability Testing SIEM Log Correlation CCTV, Access Control
Proper Security Metrics
Cyber Attack Recovery Agility Risk Active Business Can you successfully recover?
Road to Security Metrics Security Metrics KPIs, Testing Results CSA Controls, Compliance, Operational, Financial CoBIT SOX ISMS ISO27001 PCI HIPAA Time Based Security ISMS ISO22301 ISMS ISO20000
Final Goal Is Total Integrated Security Information Security Management IoT, Device Security Management
Winning the War Red Teaming Solve Attribution Continuous Vulnerability Mgmt Crowd Sourcing/Bug Bounty Fusing Crisis Management Vertical CERT Integration Encryption Exchange Knowledge Data Leak Prevention Threat Management Reputation Management Big Data Honeynets Machine Learning Sandbox Security Metrics Empower end users Continuous Training Attack / Take down
10As A10 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act, Respond Awareness Intelligence, User Agility Timeliness of Response Appetite How much Risk can you take? Alignment Business focus Assumption Something is wrong? Authorization Right to access, authentication
Don’t bring a knife to gun fight
“…Security is a continuous skilled process…”… Jorge Sebastiao http://linkedin.com/in/sebastiao
Questions Jorge Sebastiao, CISSP ICT Expert Huawei http://linkedin.com/in/sebastiao/ Twitter: @4jorge

More Related Content

PPTX
Cybersecurity Fundamentals for Legal Professionals
Shawn Tuma
 
PPTX
CYMASS Security Awareness Version 1.2
Jorge Sebastiao
 
PPTX
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
Shawn Tuma
 
PPTX
Crowd-Sourced Threat Intelligence
AlienVault
 
PDF
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
MITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
MITRE - ATT&CKcon
 
PPTX
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
Clare Nelson, CISSP, CIPP-E
 
PDF
Building a Threat Hunting Practice in the Cloud
ProtectWise
 
Cybersecurity Fundamentals for Legal Professionals
Shawn Tuma
 
CYMASS Security Awareness Version 1.2
Jorge Sebastiao
 
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
Shawn Tuma
 
Crowd-Sourced Threat Intelligence
AlienVault
 
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
MITRE - ATT&CKcon
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
Clare Nelson, CISSP, CIPP-E
 
Building a Threat Hunting Practice in the Cloud
ProtectWise
 

What's hot (20)

PPTX
Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
EC-Council
 
PPTX
Why Depending On Malware Prevention Alone Is No Longer An Option
Seculert
 
PDF
E-FILE_Proofpoint_Uberflip_120915_optimized
Lynn Feltner
 
PDF
MITRE ATTACKcon Power Hour - January
MITRE - ATT&CKcon
 
PDF
WhyNormShield
Candan BOLUKBAS
 
PDF
(SACON) Shomiron das gupta - threat hunting use cases
Priyanka Aash
 
PDF
Slides to the online event "Creating an effective cybersecurity strategy" by ...
Go Global
 
PDF
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Tripwire
 
PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
PPT
Ethical hacking
Being Uniq Sonu
 
PDF
A Journey Into Pen-tester land: Myths or Facts!
Ammar WK
 
PDF
See Clearly and Respond Quickly from the Network to the Endpoint
ProtectWise
 
PDF
[Webinar] The Art & Value of Bug Bounty Programs
bugcrowd
 
PDF
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cyber Solutions
 
PPTX
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
centralohioissa
 
PPTX
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
CODE BLUE
 
PDF
Opsec for security researchers
vicenteDiaz_KL
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
PDF
Nexus It Group Resume Writing
tlinde
 
PPT
Top 5 website security myths
kanika sharma
 
Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
EC-Council
 
Why Depending On Malware Prevention Alone Is No Longer An Option
Seculert
 
E-FILE_Proofpoint_Uberflip_120915_optimized
Lynn Feltner
 
MITRE ATTACKcon Power Hour - January
MITRE - ATT&CKcon
 
WhyNormShield
Candan BOLUKBAS
 
(SACON) Shomiron das gupta - threat hunting use cases
Priyanka Aash
 
Slides to the online event "Creating an effective cybersecurity strategy" by ...
Go Global
 
Black Hat USA 2015: A Visual Snapshot of Security Threats, Trends and Ideas
Tripwire
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
Ethical hacking
Being Uniq Sonu
 
A Journey Into Pen-tester land: Myths or Facts!
Ammar WK
 
See Clearly and Respond Quickly from the Network to the Endpoint
ProtectWise
 
[Webinar] The Art & Value of Bug Bounty Programs
bugcrowd
 
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cyber Solutions
 
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
centralohioissa
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
CODE BLUE
 
Opsec for security researchers
vicenteDiaz_KL
 
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
Nexus It Group Resume Writing
tlinde
 
Top 5 website security myths
kanika sharma
 
Ad

Similar to A6 pragmatic journey into cyber security (20)

PDF
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
PPTX
Practical analytics hands-on to cloud & IoT cyber threats
Jorge Sebastiao
 
PPTX
Security is broken V3.0
Jorge Sebastiao
 
PPTX
NZISF Talk: Six essential security services
Hinne Hettema
 
PDF
Fall2015SecurityShow
Adam Heller
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
EC-Council
 
PPTX
Top Cybersecurity Challenges Facing Your Business
Nicholas Davis
 
PDF
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
PDF
Cyber Security in a Fully Mobile World
University of Hertfordshire
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
veikkieymann
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
baruulisy
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
eapysvt6956
 
PPTX
How to-become-secure-and-stay-secure
IIMBNSRCEL
 
PPTX
Securing your digital world cybersecurity for sb es
Sonny Hashmi
 
PPTX
Securing your digital world - Cybersecurity for SBEs
Sonny Hashmi
 
PPTX
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
PDF
Cybersecurity Fundamentals for Bar Associations
NowSecure
 
PDF
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
BeyondTrust
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PDF
Treating Security Like a Product
VMware Tanzu
 
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
Practical analytics hands-on to cloud & IoT cyber threats
Jorge Sebastiao
 
Security is broken V3.0
Jorge Sebastiao
 
NZISF Talk: Six essential security services
Hinne Hettema
 
Fall2015SecurityShow
Adam Heller
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
EC-Council
 
Top Cybersecurity Challenges Facing Your Business
Nicholas Davis
 
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
Cyber Security in a Fully Mobile World
University of Hertfordshire
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
veikkieymann
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
baruulisy
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
eapysvt6956
 
How to-become-secure-and-stay-secure
IIMBNSRCEL
 
Securing your digital world cybersecurity for sb es
Sonny Hashmi
 
Securing your digital world - Cybersecurity for SBEs
Sonny Hashmi
 
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
Cybersecurity Fundamentals for Bar Associations
NowSecure
 
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
BeyondTrust
 
Application Security - Your Success Depends on it
WSO2
 
Treating Security Like a Product
VMware Tanzu
 
Ad

More from Jorge Sebastiao (20)

PPTX
Real estate tokenization and blockchain
Jorge Sebastiao
 
PPTX
Blockchain and covid19 v3
Jorge Sebastiao
 
PPTX
Top tech shapping startups
Jorge Sebastiao
 
PPTX
Blockchain and security v3
Jorge Sebastiao
 
PPTX
The road to blockchain 5.0
Jorge Sebastiao
 
PPTX
Cyber Warfare 4TH edition
Jorge Sebastiao
 
PPTX
How AI is Disrupting Traffic Management in Smart City
Jorge Sebastiao
 
PPTX
Ai and traffic management application v1.0
Jorge Sebastiao
 
PPTX
Dz hackevent 2019 Middle East Cyberwars V3
Jorge Sebastiao
 
PPTX
AI HR and Future Jobs Version 2.1
Jorge Sebastiao
 
PPTX
Cyber fear obstacles to info sharing-Version 2
Jorge Sebastiao
 
PPTX
Blockchain & cyber security Algeria Version 1.1
Jorge Sebastiao
 
PPTX
Datamatix GCC HR future jobs Version 1.3
Jorge Sebastiao
 
PPTX
Cyber security crypto blockchain Version 3.2
Jorge Sebastiao
 
PPTX
RTA AI for traffic management version 1.4
Jorge Sebastiao
 
PPTX
IGF2017 Data is new oil - UN Internet Governance Forum
Jorge Sebastiao
 
PPTX
ADIPEC physical and Infosec for Oil and Gas
Jorge Sebastiao
 
PPTX
AVSEC are you flying cybersafe?
Jorge Sebastiao
 
PPTX
Are we ready for IoT? VU Version 7
Jorge Sebastiao
 
PPT
Togaf Version 9.1 Introduction Overview
Jorge Sebastiao
 
Real estate tokenization and blockchain
Jorge Sebastiao
 
Blockchain and covid19 v3
Jorge Sebastiao
 
Top tech shapping startups
Jorge Sebastiao
 
Blockchain and security v3
Jorge Sebastiao
 
The road to blockchain 5.0
Jorge Sebastiao
 
Cyber Warfare 4TH edition
Jorge Sebastiao
 
How AI is Disrupting Traffic Management in Smart City
Jorge Sebastiao
 
Ai and traffic management application v1.0
Jorge Sebastiao
 
Dz hackevent 2019 Middle East Cyberwars V3
Jorge Sebastiao
 
AI HR and Future Jobs Version 2.1
Jorge Sebastiao
 
Cyber fear obstacles to info sharing-Version 2
Jorge Sebastiao
 
Blockchain & cyber security Algeria Version 1.1
Jorge Sebastiao
 
Datamatix GCC HR future jobs Version 1.3
Jorge Sebastiao
 
Cyber security crypto blockchain Version 3.2
Jorge Sebastiao
 
RTA AI for traffic management version 1.4
Jorge Sebastiao
 
IGF2017 Data is new oil - UN Internet Governance Forum
Jorge Sebastiao
 
ADIPEC physical and Infosec for Oil and Gas
Jorge Sebastiao
 
AVSEC are you flying cybersafe?
Jorge Sebastiao
 
Are we ready for IoT? VU Version 7
Jorge Sebastiao
 
Togaf Version 9.1 Introduction Overview
Jorge Sebastiao
 

Recently uploaded (20)

PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PDF
Basic Mud Logging Guide for educational purpose
wdandworks
 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PPTX
Institutional Correction lecture only . . .
limvtheghins
 
PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PDF
Computing-Curriculum for Schools in Ghana
abigailanane203
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
Basic Mud Logging Guide for educational purpose
wdandworks
 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
Institutional Correction lecture only . . .
limvtheghins
 
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
Computing-Curriculum for Schools in Ghana
abigailanane203
 

A6 pragmatic journey into cyber security

  • 1. A6 a pragmatic Journey into Cyber Security Jorge Sebastiao, CISSP ICT Expert Huawei http://linkedin.com/in/sebastiao/ Twitter: @4jorge
  • 2. Disclaimer & Copyright • Please note that this presentation is for informational, knowledge sharing and educational purposes only. Any comments or statements made herein do not necessarily reflect the views of Huawei. The information is intended for the recipient's use only and should not be cited, reproduced or distributed to any third party without the prior consent of the authors. Although great care is taken to ensure accuracy of information neither the author, nor Huawei can be held responsible for any decision made on the basis of the information cited. • The content of this presentation is based on information gathered in good faith from both primary and secondary sources and is believed to be correct at the time of publication. The author can however provide no guarantee regarding the accuracy of this content and therefore accepts no liability whatsoever for any actions taken that subsequently prove incorrect. • The practices listed in the document are provided as is and as guidance and the author and Huawei do not claim that these comprise the only practices to be followed. The readers are urged to make informed decisions in their usage. • The information presented in this presentation is not intended to be, and should not be construed as, an offer to sell any products or services or a solicitation of an offer to buy any products or services . Any such offer or sale will be made pursuant to, and the information presented at this meeting is qualified in its entirety by, authorized offering documents and related disclosure schedules or similar disclosure documentation. • All logos and brand names belong to their respective owners and we do not claim any relationship or association, implied or otherwise, with them. • Use of any materials by virtue of relationships and associations, if any, are mentioned explicitly. • Author has taken care to attribute all sources for external materials used in this presentation, and any oversight is regretted. If you, as owner, or as viewer, find any reason to dispute the use of these materials kindly communicate the same to author. • Any omissions, in terms of attribution, may be due to an error of author and not intentional.
  • 3. Google review of email Phishing
  • 5. Is That an Office Phone In Your Pocket?
  • 10. M2M and Google Voice?
  • 11. Smart Meters and Nest Hack
  • 14. Hacking IIoT SCADA sensors Industrial Scale Risks
  • 15. Challenges Disengagement from the changing customer mindset Lack of confidence in return on investment Lack of regulatory certainty on new market structures Privacy, security and resilience Poorly formulated M&A and strategic partnerships Failure to define new business metrics Failure to capitalize on new types of connectivity Insufficient information to turn demand into value Failure to shift the business model from minutes to bytes Lack of organizational flexibility
  • 17. 5th Challenge -Protection against State Sponsored Attacks • # 19M89. %6/><345% • I </>%' X71>%><. %v' ; >0%7?%# /4@q%
  • 18. Is there an elephant in the room?
  • 19. 0 Day Exploits - Guaranteed
  • 21. Our security enemy is? Security Nightmare
  • 28. Effective Security is hidden deep underneath… Technology ProcessPeople
  • 30. Modeling Risk and Threats Threats Vulnerabilities Controls Risks Assets Security Requirements Business Impact exploit exposeincreaseincrease increase have protect against met by indicate reduce
  • 31. CONSEQUENCE LIKLIEHOOD FV T Risk Group 1 Risk Group 2 Risk Group 3 HighLow L o w H i g h RESPONSE PROTECTION Target Risk Risk Reduction Strategies!
  • 32. 4As A4 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act
  • 33. 5As A5 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act Awareness Intelligence, User
  • 34. 6As A6 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act Awareness Intelligence, User Agility Timeliness of Response
  • 35. A6 - Process Business Risk Controls Maturity
  • 37. The « defence in depth »
  • 38. TBS- Time Based Security Protection DetectionResponse SECURITY P>D+R Anti-virus VPN Firewall, IPS Access Control Grid Time Response Patch Mgmt Incidence Response Disaster Recovery Vulnerability Testing SIEM Log Correlation CCTV, Access Control
  • 40. Cyber Attack Recovery Agility Risk Active Business Can you successfully recover?
  • 41. Road to Security Metrics Security Metrics KPIs, Testing Results CSA Controls, Compliance, Operational, Financial CoBIT SOX ISMS ISO27001 PCI HIPAA Time Based Security ISMS ISO22301 ISMS ISO20000
  • 42. Final Goal Is Total Integrated Security Information Security Management IoT, Device Security Management
  • 43. Winning the War Red Teaming Solve Attribution Continuous Vulnerability Mgmt Crowd Sourcing/Bug Bounty Fusing Crisis Management Vertical CERT Integration Encryption Exchange Knowledge Data Leak Prevention Threat Management Reputation Management Big Data Honeynets Machine Learning Sandbox Security Metrics Empower end users Continuous Training Attack / Take down
  • 44. 10As A10 of Security Assess Evaluate, Audit, Check Architect Plan, Design Apply Build, Implement, Do Administer Operate, Act, Respond Awareness Intelligence, User Agility Timeliness of Response Appetite How much Risk can you take? Alignment Business focus Assumption Something is wrong? Authorization Right to access, authentication
  • 45. Don’t bring a knife to gun fight
  • 46. “…Security is a continuous skilled process…”… Jorge Sebastiao http://linkedin.com/in/sebastiao
  • 47. Questions Jorge Sebastiao, CISSP ICT Expert Huawei http://linkedin.com/in/sebastiao/ Twitter: @4jorge