Effective security
0 likes161 views
This document provides guidance on building an effective security team in 2016. It recommends distributing security responsibilities across business units by embedding security-focused people within teams like product, infrastructure, and compliance. This integrated approach allows security to better support business goals while increasing visibility. Key benefits include improved productivity, reduced need for a large centralized security team, and motivating employees through a sense of shared success.
Effective security
- 1. BUILDING AN EFFECTIVE SECURITY TEAM IN 2016 SECURITY
- 2. WHO AM I? ▸ I am Mike Mackintosh ▸ On Twitter: @mikemackintosh ▸ On GitHub: @mikemackintosh ▸ I was a Principle Engineer, VZW - Infrastructure Security ▸ I ran Security at Shutterstock ▸ I currently run Security at Signal Sciences
- 3. OBJECTIVE: SHOW THE VALUE IN BUILDING A SMART, INTEGRATED AND BUSINESS-MINDED SECURITY TEAM
- 5. WHAT GOES INTO MAINTAINING A SECURITY ORG? ▸ A lot. ▸ Advocating for better security practices to protect the end-user/consumer ▸ Advocating for better security practices to protect the company ▸ Supporting the internal organization’s infrastructure and applications ▸ Providing tools and knowledge to employees to help support security-driven development ▸ Making sure the company doesn’t get hacked isn’t a goal, it’s a byproduct
- 6. ARE YOU THINKING TO YOURSELF “WE DON’T HAVE A BIG SECURITY TEAM” ▸ Actually, you probably don’t have a security team at all… ▸ Or at least not an effective team
- 7. GREAT NEWS! ▸ You don’t need a traditional silo’d security team working on secret projects that no one else in the company knows about. ▸ You need to make security more visible ▸ If integrating services into your web app makes them better, so can integrating security teams with other business units
- 8. ULTIMATE SECTEAM LIFE-HACK ▸ Hire security-focused people with skills in different business units, and attach them to those units. ▸ Don’t look at me sideways, look at me with batted eyelids
- 10. NO MORE OF THIS ▸ The following used to run directly under Director/VP of Security/CISO ▸ Application Security Engineers ▸ Security Operation Engineers ▸ Risk Assessment Engineers ▸ Information Security Engineers
- 11. BUT THAT’S A BIG SECURITY TEAM ▸ You’re right. And sometimes, especially in smaller businesses, there’s not a CONSTANT need for a ________ security engineer. ▸ That’s actually O.K. ▸ Instead, hire the same amount of security engineers, but have them benefit the business in other ways too.
- 12. WHY WOULD THIS WORK? BECAUSE THEY CAN NOW HAVE KICKASS TEAM NAMES AND LOGOS. SERIOUSLY, IT CREATES A SENSE OF PRIDE AND A “FREE” SOURCE OF MOTIVATION.
- 13. WHERE DO THE SECURITY-RELATED RESPONSIBILITIES LIVE? ▸ Product Security - Defined by the use of existing sales, frontend, and application engineers that work on customer features to fix security issues. Security responsibilities include: ▸ AppSec ▸ Brand Integrity ▸ Bug Bounties ▸ Corporate Security - Infrastructure and Information security engineers responsible for the security at a device/node level, which can serve many responsibilities of Ops and traditional IT teams: ▸ Infrastructure Hardening (opsy-style things) ▸ Endpoint Defense (endpoints, firewalls, etc) ▸ Automation ▸ Training
- 14. WHAT DO THE SECURITY OUTFITS BECOME? ▸ Security Planning - Planning is made up of security risk assessors and/or analysts and fit perfectly with a team under the CFO or Legal. These people are responsible for identifying and protecting against literal financial attacks. ▸ Security Tooling - Security tooling is one of the most valuable assets to a company by means of increasing productivity for the company while creating the toolsets required for both security and non-security personnel to complete their jobs.
- 15. COMPLIANCE IS NOT A SECURITY PROBLEM ▸ Compliance != Security ▸ Sometimes being compliant makes things more secure ▸ Sometimes being more secure makes things compliant ▸ Validating the integrity of scan results could be useful with a security team; but the security team should not be making/implementing all the changes to enforce compliance ▸ Security leadership should be an enabler, not a doer.
- 16. WHY SHOULD THEY REPORT WITHIN THE BUSINESS ORG TREE? ▸ Security is not a joke. People lose jobs because companies tank because people don’t take security seriously. ▸ Having security leadership in any team is important, and that leadership is best prepared and equipped for handling both technical and personal incidents. ▸ Engineering, ops, and other leadership historically have interest in keeping up with product demands, regardless of security concerns. ▸ Security must adapt with a companies’ move to a more cross-functional culture, and begin embedding with other parts of the org
- 17. HOW WOULD THIS HELP? ▸ Because security teams using sprints are the worst… They’re just the worst… ▸ An engineering team using sprints is pretty effective. ▸ An engineering team that has a dedicated security engineer working within a sprint while ensuring the product doesn’t outpace security posture is the most effective use of the companies time and money. ▸ Turn bug fixes and incident response into learning experiences for the devs, ops and sales. ▸ It’s better than patching fixes after massive amounts of public embarrassment.
- 18. I STILL DON’T GET IT ▸ You have to hire engineers to work on your product and you have to hire people in sales as well as operations. ▸ Have one person from each of those teams report to your security team lead. ▸ This planted security engineer can help deliver company wide goals with the product or internal milestones while supporting that smaller team’s security requirements.
- 19. WHAT YOUR FLOW LOOKS LIKE RIGHT NOW (IF YOU HAVE ONE) LOL
- 21. WHAT YOUR FLOW WILL LOOK LIKE (IF YOU LISTEN TO ME)
- 23. WHY WOULD I DO THIS? ▸ Your attackers are motivated by success. ▸ Your employees are motivated by success.
- 24. SUCCESS CAN BE… financial: bug bounty payout, raise, bonus, promotion, selling stolen goods on the `dark` web
- 25. SUCCESS CAN BE… Recognition: bug bounty attribution, peer recognition (giving `props`)
- 26. SUCCESS CAN BE… Thrill and Knowledge: learning something new, solving an `impossible` challenge
- 27. EMPLOYEES ARE MOTIVATED ▸ If you are in a leadership position, find your motivated employees. ▸ If you are motivated, find your manager. ▸ Inspiration + Motivation = Success MOTIVATE YOUR EMPLOYEES WITH SUCCESS TO PREVENT A SUCCESSFUL ATTACKER
- 28. YOU JUST TRIPLED YOUR SECURITY COVERAGE BY NOT HIRING ANYONE ▸ All you needed to do was a simple reorg. ▸ Tasks need to be completed. People need to complete them. ▸ Have a security SME for that area work with the team to deliver on company goals and disseminate their security knowledge while allowing someone to advocate for them. ▸ They won’t always be understood by traditional managers. ▸ Having security leadership support them creates a successful secure environment.
- 29. AND GIVE OUT T-SHIRTS People. Love. Swag.