SecureWorld 2006 in Detroit was a great opportunity to network with peers in the region and hear about security-related projects and products.
Here is a recap of some of the best events I attended:
Creating Identity: It's Worth The Effort - David Sherry, VP Information Security at Citizens Bank (8th largest US bank; its parent, Royal Bank of Scotland, is the 5th largest bank in the world)
He discussed his experiences implementing an Identity Management (IdM) solution for Citizens Bank.
An interesting term he used was 'colleagues' to refer to employees and contractors within their system. (Note the blurring of the lines of demarcation between on-premise employees and others.)
He listed important actions that helped and hindered his project (now in the 3rd year of a 5-year deployment).
His bottom line was that Identity Management is hard but doable, and expensive.
The original drivers and benefits were seen in the security/ID administration arena, but ultimately the project is yielding benefits enterprise-wide.
Opening Keynote - Gary Warner, "PIRT: A Neighborhood Watch For Phishing (Help Wanted!)" - PIRT (Phishing Incident Response & Termination), http://www.castlecops.com/
Gary works for a southern energy firm (Energen) and is part of a regional InfraGard group that formed PIRT to respond to phishing attacks.
He emphasized that very little criminal prosecution of phishers is taking place, and that PIRT is a voluntary organization whose mission is to obtain forensic information on phishers, supply it to government, and then shut down active sites worldwide.
He described the link between spam, botnets and phishing, and detailed the anatomy of phishing scams.
He stated that most phishing originates from very few people and cited specific figures about reported incidents and damage.
He mentioned that newly suspected viruses can be submitted online at Totalvirus.com.
InfraGard Keynote - Ira Winkler, "Secrets of SuperSpies" (former NSA staff, HP security strategist and currently at ISAG), author of Spies Among Us
He works for organizations that are examining their security; his initial aim is to 'find the most valuable information', which is what we (as organizations) should be protecting.
(As a side note, he also worked for HP in 2003 as chief security strategist and was interviewed on CNBC as someone who left HP because of its culture.)
He recounted startling stories of how easy it was to compromise very valuable information at 'secure' organizations: he was able to enter and compromise critical information within one hour at a facility that designs nuclear plants, and within five hours at a commercial business HQ.
He emphasized how important it is to identify the most valuable information and work to protect it.
He distinguished security from counter-intelligence (descriptions of the actions and posture of those threatening you).
He also emphasized the need for defense in depth and awareness.
He illustrated the typical line-of-business attitude towards security (that it stifles innovation and productivity), even though that attitude is itself a serious inhibitor to security.
Outsourcing Information Security: Truth or Fiction? - Tim Bates, GM Lead Information Security Manager, North America
GM's two main drivers:
- Cost (GM now uses 250 people from vendors' support organizations)
- Constant expertise (always up to date)
Do Outsource:
- Infrastructure Security Admin
- Security Monitoring (not oversight), including incident management (emergency response & forensic analysis)
- Perimeter protection (including firewall, IDS, VPN, vulnerability assessment, penetration testing)
- AV & Content Filtering
- Info Sec risk assessments
- Data archiving & restoration
Do Not Outsource:
- Governance
- Security Policies
- Architecture requirements
- Strategy development
GM security has 15 staff for managing contracts and SLAs,
plus 1 architect assigned from the global architecture group.
Key outsourcing requirements:
- SLAs (which must be solid)
- Relationships (develop relationships between the company and the vendor)
- Need to audit performance: poor contracts can mean worse availability and less security
- Standardized global processes
By 2010, 90% of all enterprise information security will be outsourced (Yankee Group).
Randy Sanovic (GM) & Deloitte & Touche - Privacy and Compliance Peer-to-Peer Roundtable
Interesting discussions about the wide range of privacy and compliance issues around the globe.
See the "Hall of Shame" at www.privacyrights.org
International Association of Privacy Professionals (IAPP) - http://www.privacyassociation.org/

Great overview on SecureWorld. I got a chance to see David Sherry speak at Security Decisions in Chicago. He laid out a seemingly very doable framework for identity management. I really liked his approach and there is a lot of great material from his presentation that will certainly help me as I craft a strategy for my organization.
I'm not sure I agree with the Yankee Group prediction that 90% of enterprise information security will be outsourced. While it may look compelling on paper, I can't get my mind wrapped around what amounts, to me, to losing hands-on control of the security program.
Posted by: Darrin Wassom | October 23, 2006 at 07:37 PM