And so the commonalities:
- Improperly segmented networks
- Detection deficit disorder (ignoring incidents or looking at them in the wrong places)
- Failure to whitelist
- Not monitoring critical systems
- Poor awareness
- No multi-factor authentication
- Phishing messages
Can’t have an IT discussion without The Cloud. Companies should be responsible for their data, and so warrants should be issued to the individual organization, not to the cloud service providers. Yes, this is worth more than a few words, but it does allow and command more transparency for customers and their clients to have the level of “trust” and necessary attestation upon signing up for cloud services. Privacy is a timeless value, and the balance between the right to privacy and personal data, public value, and safety will be in the hot seat in the courts as the laws try to catch up with technology.
RSA’s keynote heightened the privacy issues and how they relate to opening Pandora’s box by allowing backdoors, etc., revealed without textual diligence, modern technological construct and consideration of its impact, both fundamental practices in the past as well as decisions for the future.
So, what’s the long-and-short? Defense in Depth is Dead. The source is a failure to connect data elements and a lack of collaboration within teams and outside company boundaries. Solutioning is now based on integration and not layers! The 6 key domains are:
- Discovery – got to know what’s on networks: not just servers but cloud providers, IoT
- State of security for each asset we own – not just vulnerabilities but malicious files, e.g. phishing exploiting a client-side vulnerability
- Need ability to monitor activity across the network – packet inspection integration
- Analyze – pulling domains together (event correlation, behavior analysis) to prioritize
- Response – typically the SOC and effective response
- Protect – proactively protect devices (NOT prevent), and can it be done in an automated way – longest item for industry to solve since it’s based on trust in the ability to do this
As a result, the upshot is (1) visibility (into the state of all assets, including shadow), (2) an understanding of critical context (to prioritize threats/weaknesses), and (3) the ability to take appropriate action in a decisive manner. The conclusion instead is Long Live Depth in Defense.
More recap / notes...as RSAC comes to a close