TECH-R03: Protecting your Achilles' heel: managing security risk in your legacy product portfolio (final)


Published 2019/03/16 in the Technology category

1. SESSION ID: TECH-R03 Protecting your Achilles’ heel: managing security risk in your legacy product portfolio Kyle Brunell Connected Product Security Leader Ernst & Young LLP (EY) @kyle_Brunell The views expressed by the presenters are not necessarily those of Ernst & Young LLP or other members of the global EY organization. #RSAC
2. First, a personal story about legacy products …
3. What are the business drivers for better connectivity among products?
Consumer
  Purpose: Improve quality of life
  Examples: Smart homes, connected cars and wearables provide daily life convenience, efficiency and overall improve the customer experience
Service
  Purpose: Maximize revenue
  Examples: Health care, financial services and utilities provide real-time execution of transactions such as remote payments, prescription filing, health records management and metering
Industrial
  Purpose: Minimize cost; increase asset utilization
  Examples: Manufacturing, oil and gas, and agriculture achieve supply chain optimization, quality control, asset management, remote control and predictive maintenance
4. Why are we doing this talk? Questions from the product manufacturer's point of view:
• How can I understand the risk of the legacy products I've developed, manufactured, sold and deployed?
• What are some security challenges with legacy products that we have released?
• What are some strategic and tactical methods to manage my risk?
5. What qualifies as a legacy product? Legacy products were built with different expectations. These products are still in operation, but the expectations have changed.
Yesterday's legacy products / Today's environment
► Developed without current security threats in mind / Increased sophistication of threat actors
► Intended to operate in isolation / Demand for expanded connectivity
► Expensive to replace / Limited capital for improving old products
► Not extensively tested for security / Enhanced security testing tools and techniques
► Difficult to update or upgrade / Demand for new functionality
► Contain rich data, but data is largely inaccessible / Greater need for data
► Minimal regulatory requirements / Increased regulation and standards
► Lack of security solutions available / Heightened customer expectations
6. Where's the risk? The expanded attack surface:
• Physical objects and devices
• Gateway
• Network connectivity
• Cloud analytics and hosting
• Application and user interaction
7. Why is securing legacy products such a complicated problem? Each stakeholder group brings its own priorities.
Stakeholders: Executive management, Engineering, Cybersecurity, Legal, Marketing & sales, Internal audit
Competing priorities: Protect our brand; Integrate security into the business; Know our portfolio; Focus on new products; Manage our liability; Differentiate from our competitors; Dedicate security resources; Be prepared to respond; Manage product margins; Be compliant; Provide customer support; Charge for support
8. So what can be done to manage the risk of legacy products?
1. Involve stakeholders from across the enterprise
2. Understand your legacy product portfolio based on risk
3. Establish clear lines of communication with your customers
4. Uncover vulnerabilities through various testing approaches
5. Engage external researchers appropriately
6. Prepare for potential security incidents
9. Involve stakeholders from across the enterprise
Stakeholders: Board of directors; Internal audit; Executive management; Business units; Cybersecurity; Engineering; Legal; Sales and marketing; Product management; Business development; Research and development; Manufacturing and supply chain; Customer support
Governance structure:
• Oversight and independent assurance (Board of directors and internal audit)
• Third line of governance — vision (Corporate operating committee)
• Second line of governance — validation (Steering committee)
• First line of governance — evaluation (Working group)
10. Understand your legacy product portfolio based on risk
STEP 1: Know where your products are operating
• What is the anticipated or current production volume?
• Which locations are the products operating in?
• Who owns them?
• Who operates them?
STEP 2: Understand the risk of your products
• What is the intended functionality of the product?
• What type of data is stored or processed?
• What connectivity does the product support?
• Have the necessary security tests been conducted?
• What security controls have been implemented?
• What regulations apply?
STEP 3: Prioritize products based on their risk to the organization
• Which products are the highest-risk from a legal or reputational standpoint?
• Which products have the highest potential liability?
STEP 4: Align security activities with the highest-risk products
• Are all of the highest-risk product contacts in place and do they understand their responsibilities?
• How do security activities scale based on the risk of the product?
11. Establish clear lines of communication with your customers. With an increasingly sophisticated and security-aware customer base, the right customer support model is needed to communicate security in a timely and consistent manner.
Customer lifecycle stages: Business development; Onboarding and deployment; Product support
Foundation: Program strategy and vision; Customer support model
Communication elements: Solution security brochure; Product security marketing collateral; Solution security controls; Secure deployment guidance; Secure deployment support; Solution support and update procedures; Incident and vulnerability communications
12. Uncover vulnerabilities through various testing approaches
Post-production product security framework (built on product security risk assessment and prioritization):
• Production: Governance
• Operation: Incident response; Vulnerability identification
• Maintenance: Patch management; Security threat reviews
• End of life: Guidance for secure decommissioning; Component obsolescence planning
• Across all phases: Metrics and lessons learned for future product development
Key challenges:
• Difficulty updating products
• Challenges in prioritizing and funding resolution
• Outdated third-party components
• Lack of vendor support
• Deficiency of testing resources
Critical success factors:
• Leverage automation to the extent possible
• Integrate into existing reporting and workflow tools
• Scale testing activities based on the risk of the product
• Continued vendor assessments
• Monitor and manage security demand
• Have a plan for different types of issues you may find
13. Engage external researchers appropriately
1. Understand your capacity to consume vulnerability reports from researchers
2. Create an easy-to-use avenue for researchers to submit vulnerabilities
3. Actively address submissions and engage with researchers throughout the process
4. Consider monetary and/or non-monetary incentives for researchers
14. Prepare for potential security incidents
• Define points of contact between legacy product owners and the incident response team (IRT)
• Establish channels to receive and escalate security events submitted through customer/dealer intake channels
• Maintain criteria to effectively escalate security events to the IRT and engage cross-functional teams
• Coordinate with legal counsel to evaluate contractual agreements
• Establish and maintain appropriate relationships with internal and external stakeholders
• Ensure that the IRT has appropriate legacy product details
15. Summary
• Legacy product security requires a collaborative approach with engagement from all parts of the organization.
• Understanding what products you have and their relative risk is a must.
• When used appropriately, external researchers can be essential to improving security.
• Customer communication is paramount, especially in the absence of technical controls.
• Security testing requirements and methods need to be well defined.
• Be prepared for potential incidents.
Next week:
• Identify stakeholders
• Engage sales team to understand security inquiries
Next 90 days:
• Identify and prioritize legacy products
• Establish a method to submit vulnerabilities
• Conduct a tabletop for legacy products
Next 180 days:
• Develop a testing program
16. Questions
Kyle Brunell, Connected Product Security Leader, +1 312 879 2811