No More Snake Oil: Why InfoSec Needs Security Guarantees
- 1. No More Snake Oil: Why InfoSec Needs Security Guarantees
© 2015 WhiteHat Security, Inc.
Jeremiah Grossman, Founder, WhiteHat Security, Inc. (@jeremiahg)
- 2. Ever notice how everything in Information Security is sold “AS-IS”?
• No Guarantees
• No Warranties
• No Return Policies
- 4. Customer challenges…
• Difficult telling security vendors apart.
• Justifying the business value of security products to management.
• Trusting security vendors since their interests are misaligned.
Answer: Security Guarantees
- 6. Security Industry Spends Billions
“According to the IT research and advisory firm [Gartner], global IT security spending will reach $71.1 billion this year [2014], which represents an increase of 7.9% compared to 2013. Next year, spending will grow even more, reaching $76.9 billion.”
- 7. Result: Every Year is the Year of the Hack
In 2014, 71% of security professionals said their networks were breached; 22% of them were victimized 6 or more times. This increased from 62% and 16% respectively in 2013. 52% said their organizations will likely be successfully hacked in the next 12 months, up from 39% in 2013.
Survey of security professionals by CyberEdge Group
- 11. Downside Protection
• As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013.
• Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth.
• It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance.
- 12. “Premiums for a $1 million plan are generally $5,000 to $10,000 annually, though that can vary based on several factors, including the company's revenue, cyber-risk management efforts and the coverage chosen, Fenaroli said. For hospitals, premiums can be much larger—sometimes more than $100,000 or even $1 million for larger health systems, he said.”
- 13. Sony Pictures Entertainment holds $60 million in Cyber insurance with Marsh, according to documents leaked by the group claiming responsibility for the attack on the movie studio.
“The documents, covered in detail by Steve Ragan at CSO, say that after sonypictures.com was breached in 2011, Sony made a claim of $1.6 million with Hiscox, its Cyber provider at the time. The insurer declined to quote at renewal, so Sony Pictures turned to Lockton, which brokered a $20 million policy that included $10 million in self-insured retention.”
- 14. “Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.”
- 15. “Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.”
Insurers providing excess layers of cyber coverage include: Lloyd's of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.
- 16. “Liability enforcement is essential. Remember that I said the costs of bad security are not borne by the software vendors that produce the bad security. In economics this is known as an externality: a cost of a decision that is borne by people other than those making the decision.
However it happens, liability changes everything. Currently, there is no reason for a software company not to offer more features, more complexity, more versions. Liability forces software companies to think twice before changing something. Liability forces companies to protect the data they're entrusted with.”
- 17. Objections to Security Guarantees
"You're not entitled to take a view, unless and until you can argue better against that view than the smartest guy who holds that opposite view. If you can argue better than the smartest person who holds the opposite view, that is when you are entitled to hold a certain view."
Charlie Munger, Vice-Chairman, Berkshire Hathaway
- 18. Objection: 100% security is impossible.
Rebuttal: Nothing is ever 100% secure, just like no every-day product is 100% reliable. With product performance data, even if unable to provide 100% protection, offering security guarantees is possible.
- 19. Objection: Guarantees can’t keep up.
Rebuttal: It’s contractually possible to specify exactly what a security guarantee covers and disclaim excessively risky events and unknowns. Insurance companies do this routinely.
- 20. Objection: Vendors don’t have the data.
Rebuttal: Today we’re in the era of the cloud, managed services, and products routinely phoning home for updates, all providing real-time access to an ample supply of performance data.
- 21. Objection: Pinpointing product failure is difficult.
Rebuttal: For organizations capable of performing effective forensic investigations, identifying the gap in the defense or the product that failed is entirely possible.
- 22. Objection: Soft costs are hard to quantify.
Rebuttal: Security guarantees and cyber-security insurance typically cover only hard costs associated with downtime, legal fees, incident response, credit monitoring, fines, and so on.
- 23. Objection: Security vendors don’t want the liability.
Rebuttal: Security guarantees represent a unique opportunity for vendors to differentiate from competitors and an opportunity for customers to demand more effective products.
- 24. Objection: Improper product use is often the cause.
Rebuttal: Like many other products we buy, guarantees only cover intended use. Security vendors can specify how their product is meant to be used for its effectiveness to be guaranteed.
- 25. 2014-2015 Annual Spending Increase
Information Security Spending (N. America): ~$2.4 billion in new spending (+7.8%)
Cyber-Security Insurance: ~$1.34 billion in new spending (+67%)
Forecast Overview: Information Security, Worldwide, 2014 Update (Gartner, published 25 June 2014)
1/3 of the budget left on the table!
(Bar chart values: 1,340,000 vs 2,400,000)
- 26. “We also asked about the importance of being offered a ‘security guarantee’ by cloud service providers. Three-quarters of respondents (74%) say it’s ‘Very Important’ that cloud providers offer a guarantee, and another 22% say ‘Somewhat Important.’ Companies not using cloud place a greater importance on security guarantees than current users. As such, security guarantees give cloud service providers an opportunity to attract new customers.”
Subsidiary of 451 Research. Survey of 1,097 respondents involved in their company's IT buying decisions (Jul, 2014); 445 currently use public cloud.
- 27. Customer challenges…
Difficult telling security vendors apart. Security guarantees help customers differentiate truly effective security products from those that are…less effective.
Justifying the business value of security products to management. Security guarantees help quantify the value of security products in dollars and cents for the business.
Trusting security vendors since their interests are misaligned. Security guarantees hold vendors accountable for the performance of their products, and vendors are therefore more credible.
- 28. How WhiteHat Approaches Security Guarantees
WhiteHat Sentinel: tests tens of thousands of websites 24x7x365
Incident Data: data-sharing relationships with incident responders
Customer Relationships: ‘missed’ vulns leading to breaches
Our success rate is over 99%.
- 29. What WebApp Attacks Are Adversaries Using?
“This year, organized crime became the most frequently seen threat actor for Web App Attacks.”
Verizon 2015 Data Breach Investigations Report
- 30. Vulnerabilities We Test For (diagram)
The World of Web Vulnerabilities, divided into Vulnerabilities We Test For and Vulnerabilities We DON’T Test For.
- 31. Vulnerabilities We Test For (diagram)
Vulns We Found: Vulns Not Exploited / Vulns Exploited
Vulns We Missed: Vulns Not Exploited / Vulns Exploited That Got Website Hacked
- 32. Vulnerabilities Missed & Exploited
• Why was the vulnerability missed? Improve technology, training, and process.
• Other consumer products have standard performance metrics (MTB; Operating Hours – runtime of motors; Mileage for drivetrain, tires, etc.)
- 33. If a website covered by Sentinel Elite is hacked, using a vulnerability we missed and should have found, the customer will be refunded in full. Plus up to… $500,000…to help cover the cost associated with the breach.
- 34. Monetary loss distribution per data breach: ~75% have losses less than $500K
“The Post Breach Boom”, Ponemon Institute, 2013
- 35. Ranges of expected loss by number of records
Verizon 2015 Data Breach Investigations Report
- 36. Paths for Other Security Vendors to Follow
• Obtain as much performance data as possible.
• Contractually capture what your product is able to reliably guarantee and disclaim the rest.
• Back your security guarantee with an insurance provider.
- 37. “The only two products not covered by product liability are religion and software, and software shall not escape much longer.”
Dan Geer (CISO, In-Q-Tel)
- 39. Thank you!
Jeremiah Grossman, Founder, WhiteHat Security, Inc. (@jeremiahg)
Editor's Notes
- Ever notice how everything in the information security industry is sold “as is”? No guarantees, no warranties, no return policies. This provides little peace of mind that any of the billions that are spent every year on security products and services will deliver as advertised. In other words, there is no way of ensuring that what customers purchase truly protects them from getting hacked, breached, or defrauded. And when these security products fail – and I do mean when – customers are left to deal with the mess on their own, letting the vendors completely off the hook. This does not seem fair to me, so I can only imagine how a customer might feel in such a case. What’s worse, any time someone mentions the idea of a security guaranty or warranty, the standard retort is “perfect security is impossible,” “we provide defense-in-depth,” or some other dismissive and ultimately unaccountable response.
- http://www.securityweek.com/global-cybersecurity-spending-reach-769-billion-2015-gartner
http://www.gartner.com/newsroom/id/2828722
http://www.wsj.com/articles/financial-firms-bolster-cybersecurity-budgets-1416182536
http://mspmentor.net/managed-security-services/100314/pwc-cybersecurity-costs-rise-budgets-decrease
- http://www.darkreading.com/attacks-breaches/most-companies-expect-to-be-hacked-in-the-next-12-months/d/d-id/1319497?
- Window of exposure is defined as the number of days an application has one or more serious vulnerabilities open during a given time period. We categorize window of exposure as:
Always Vulnerable: A site falls in this category if it is vulnerable on every single day of the year.
Frequently Vulnerable: A site is called frequently vulnerable if it is vulnerable for 271-364 days a year.
Regularly Vulnerable: A regularly vulnerable site is vulnerable for 151-270 days a year.
Occasionally Vulnerable: An occasionally vulnerable application is vulnerable for 31-150 days a year.
Rarely Vulnerable: A rarely vulnerable application is vulnerable for less than 30 days a year.
Our analysis shows that 55% of the Retail Trade sites, 50% of Health Care and Social Assistance sites, and 25% of Finance and Insurance sites are always vulnerable. Similarly, only 16% of the Retail Trade sites, 18% of Health Care and Social Assistance sites, and 25% of Finance and Insurance sites are rarely vulnerable.
Conversely, Educational Services is the best performing industry with the highest percentage of rarely vulnerable sites (40%). Arts, Entertainment, and Recreation is the next best industry, with 39% of sites in the rarely vulnerable category.
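The window-of-exposure bands defined above are the kind of product performance metric the talk says vendors need before they can guarantee anything, and they are easy to compute from scan findings. The following Python is an added example and not WhiteHat's or Sentinel's code: it takes per-site lists of (opened, closed) dates for serious vulnerabilities, counts the days in a year on which at least one was open (overlapping findings count once), and assigns the band. The site names and dates are constructed, and the notes leave exactly 30 days unassigned (Rarely is "less than 30", Occasionally starts at 31), so folding day 30 into "Rarely Vulnerable" is this example's assumption.

```python
from collections import Counter
from datetime import date, timedelta

# Bands from the speaker notes: days per year on which the site had at least one
# serious vulnerability open. "Always Vulnerable" is handled separately because it
# means every day of the year. Day 30 is folded into "Rarely" (assumption, see lead-in).
BANDS = [
    (271, "Frequently Vulnerable"),   # 271-364 days
    (151, "Regularly Vulnerable"),    # 151-270 days
    (31, "Occasionally Vulnerable"),  # 31-150 days
    (0, "Rarely Vulnerable"),         # under 30 days
]


def classify_exposure(days_vulnerable, days_in_year=365):
    """Map a count of vulnerable days to a window-of-exposure band."""
    if days_vulnerable >= days_in_year:
        return "Always Vulnerable"  # vulnerable on every single day of the year
    for floor, band in BANDS:
        if days_vulnerable >= floor:
            return band
    raise ValueError("days_vulnerable must be non-negative")


def days_exposed(findings, year):
    """Count calendar days in `year` on which at least one finding was open.

    findings: iterable of (opened, closed) date pairs; closed=None means still open.
    A finding counts on every day d with opened <= d < closed, so the day the fix
    was verified is not counted as vulnerable. Overlapping findings count a day once.
    """
    year_start, year_end = date(year, 1, 1), date(year, 12, 31)
    exposed_days = set()
    for opened, closed in findings:
        first = max(opened, year_start)          # clip findings carried over from last year
        last = year_end if closed is None else min(closed - timedelta(days=1), year_end)
        day = first
        while day <= last:
            exposed_days.add(day)
            day += timedelta(days=1)
    return len(exposed_days)


def exposure_report(sites, year):
    """Per-site (days vulnerable, band) for a {site: [findings]} mapping."""
    days_in_year = (date(year, 12, 31) - date(year, 1, 1)).days + 1  # 366 in leap years
    report = {}
    for site, findings in sites.items():
        days = days_exposed(findings, year)
        report[site] = (days, classify_exposure(days, days_in_year))
    return report


def band_shares(report):
    """Fraction of sites in each band, the per-industry figure the notes quote."""
    counts = Counter(band for _, band in report.values())
    total = len(report) or 1
    return {band: n / total for band, n in counts.items()}


# Constructed sample: one year of findings for four hypothetical sites.
SAMPLE_SITES = {
    "shop.example": [(date(2014, 1, 1), None)],                    # never fixed
    "clinic.example": [(date(2014, 1, 1), date(2014, 10, 1))],     # fixed in Q4
    "bank.example": [(date(2014, 2, 1), date(2014, 2, 15)),        # two overlapping
                     (date(2014, 2, 10), date(2014, 3, 1)),        # findings in February
                     (date(2014, 6, 1), date(2014, 6, 11))],
    "school.example": [(date(2013, 12, 20), date(2014, 1, 5))],    # carried over from 2013
}

if __name__ == "__main__":
    report = exposure_report(SAMPLE_SITES, 2014)
    for site, (days, band) in report.items():
        print(f"{site:16} {days:3d} days  {band}")
    for band, share in band_shares(report).items():
        print(f"{band:24} {share:.0%}")
```

Counting days with a set is deliberate: for a 365-day window it is simpler to verify than interval arithmetic, and it makes the overlap rule (two findings open on the same day still count as one vulnerable day) impossible to get wrong. The `opened <= d < closed` convention matters when reporting: a finding closed on the day it was opened contributes zero days, which is the conservative choice for a metric a guarantee might depend on.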
- http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/
http://www.techtimes.com/articles/27454/20150120/cyber-insurance-forefront-companies-minds.htm
http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html
http://www.cnbc.com/id/101804150
http://www.darkreading.com/risk/the-problem-with-cyber-insurance/a/d-id/1269682?#ftag=YHF87e0214
- http://www.modernhealthcare.com/article/20150205/NEWS/302059939/anthem-hack-will-shake-up-market-for-cyber-risk-insurance
- http://www.propertycasualty360.com/2014/12/18/sony-pictures-holds-60-million-cyber-policy-with-m
- http://www.insurancejournal.com/news/national/2014/02/26/321638.htm
http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html
- http://www.businessinsurance.com/article/20150206/NEWS06/150209857/aig-unit-leads-anthems-cyber-coverage?tags=%7C83%7C299%7C302%7C329
- https://www.schneier.com/essays/archives/2003/11/liability_changes_ev.html
- 1: Nothing is ever 100% secure, just like no every-day product is 100% reliable. However, this hasn’t prevented many industries, including automotive, electronics, exercise equipment and thousands of others, from offering product guarantees. If a product is defective, simply return it for a replacement or get your money back. What’s different about information security is that vendors have lacked product performance data, which is essential to offer guarantees. With product performance data, even if it is unable to provide 100% security, offering guarantees is possible.
2: There are always new vulnerabilities being disclosed, new attack techniques, and new tactics employed by our adversaries. However, if a security vendor has sufficient actuarial data about the performance of their product (today), it’s contractually possible to specify exactly what a security guarantee covers and disclaim excessively risky events and unknowns. This is precisely what other industries do. When new vulnerabilities, techniques, and tactics become understood and defensible, those can be guaranteed as well.
3: In the heyday of home-brew firewalls, intrusion detection systems, and other security products, security vendors didn’t have access to the data their products generated. This is no longer the case. Today we’re in the era of the cloud, managed services, and products routinely phoning home for updates, which all provide real-time access to an ample supply of performance data. Modern security vendors have access to the data they need to provide guarantees, should they choose to.
4: Determining the layer of defense that failed requires at a minimum some degree of system logging, ideally forensically secure logging. If an organization is unable to determine what transpired during a given security event, that problem must be solved first. For organizations capable of performing effective forensic investigations, identifying the gap in the defense or the product that failed is entirely possible.
5: Like any guarantee, the vendor decides what type of costs they’ll cover in the event the product does not perform as expected. With respect to a breach, guarantees and cyber-security insurance often cover hard costs associated with downtime, legal fees, incident response, credit monitoring, fines, and so on.
6: This represents a unique opportunity for security vendors to differentiate from their competitors and an opportunity for customers to demand more effective products.
7: Like all other products we purchase, guarantees only cover intended use. For example, in the case of cars, to keep the guarantee it’s often required to get the vehicle properly serviced according to the maintenance schedule. Another example is electronics guarantees, which may not cover water damage. Security vendors can specify exactly how their product is meant to be used for its effectiveness to be guaranteed.
8: Products with a guarantee do tend to cost more than those sold AS-IS. Someone may purchase an ultra-cheap computer on eBay, without a guarantee, but they’ll have to take their chances with how long it might last. Or, someone can buy a new computer at Dell.com, which may cost more, but the peace of mind could be worth it. The option they prefer is their choice. It’s also quite common for consumers to pay even more for extended warranties on various products including cars and electronics, and many industries have found doing so to be highly profitable.
9: Every business encounters obstacles when competing in a market. For example, to do business with large organizations, they may require vendors to have general business liability insurance, a minimum amount of cash in the bank, to be physically located in a given country, and more. These are generally viewed as a cost of doing business. If and when organizations require security vendors to offer product guarantees, that’s just one more thing an organization must offer in order to play in the market. The customer is always right.
- Gartner, Forecast Overview: Information Security, Worldwide, 2014 Update (Published: 25 June 2014)
1) We're leaving 1/3rd of the money on the table. Imagine if I could say that I can increase your revenue by 1/3rd. If your board figures out that they're losing this much money because you can't get your stats in order, they're not going to be pleased. The insurance industry is taking money from our industry, and that means less security spend, fewer jobs, less innovation, less growth and less security.
2) The insurance industry is on a path to grow faster than us by leaps and bounds. Their power and influence will easily dwarf ours if we don't act soon. We're ceding control of our industry to the insurance industry - do we want them to dictate/mandate spend? Do we really want a new regulatory body we have to comply with? The growth seems like a graph too. Show ours increasing by 7% or whatever and theirs increasing by 67%. If they're growing that much faster than us, we need to demonstrate how much faster and give them the ominous feeling that we're being gutted from the inside.
- https://451research.com/report-long?icid=3155
- http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
- https://www.youtube.com/watch?v=nT-TGvYOBpI&list=UUJ6q9Ie29ajGqKApbLqfBOg