
Getting to Zero: Achieving Zero Loss of Crown Jewel IP CTO Design Challenge Team.


Slide 3: A National Crisis
- Ongoing, state-sponsored theft of government and commercial IP.
- "This may be the greatest transfer of wealth through theft and piracy in the history of the world and we are on the losing end of it." – Sen. Sheldon Whitehouse of Rhode Island
- $300 billion cost to the US each year. Source: Commission on the Theft of American Intellectual Property

Slide 4: A Policy and Technology Response
- "If we do not hang together, we shall surely hang separately." – Thomas Paine
- "Everyone has been penetrated and will continue to be penetrated." – US Govt

Slide 5: Crown Jewels
- Fake jewels with payload (think of a parting gift): code that looks real, compiles, boots, gathers data and phones home
- Traceable honeypots, honeytokens, signatures
- Prevent single points of failure: require multiple trusted employees, like the two keys needed for a missile launch
- Frequent, inconsistent movement of IP (shell game)
- Protect by physical isolation
- Obfuscate the jewels
- Distribute components; withhold the keystone offsite

Slide 6: Trade Policy – Trans-Pacific Partners
- Import tariffs on products based on stolen IP
  – Alternatives: delay imports, deny entry, seize ships/goods
- Prevent companies from trading technology for market access
  – Enforce the Wassenaar Arrangement (export controls on arms and dual-use technology)
- Penalize companies selling stolen IP
  – Arrest and charge executives of offending companies
  – Deny/revoke visas for other company representatives
  – Deny access to stock exchanges
  – Deny ownership in US companies

Slide 7: Industry Policy
- Create industry-specific consortia
  – Establish consortium-specific private networks (think SABREnet for US airlines)
- Create or leverage an industry CSO organization
  – Discuss and share threat information and observations
  – Establish threat levels and vectors
- Physical isolation, secure networks, and restrictive access policies

Slide 8: Governmental Policy
- CSO: SEC compliance statement
  – Separate from the financial audit
  – Security compliance and reporting
- Data classification and marking
  – Equivalent of an MSDS sheet: how valuable the data is to other parties (national, industrial, corporate); security or trade secret
  – Watermarking, digital leakage prevention

Slide 9: Academic Policies
- Universities must include IP protection in the required coursework of their major programs in order to apply for or receive US agency funding
  – Renewed and audited yearly for the first 5 years
  – Benefits US students and instills an IP mindset in foreign students
  – Publishing hold-backs: key processes withheld from generally published papers
- Universities need to understand their own profitability
  – Detail requires a specific disclosure process
  – Particular audits for non-Trans-Pacific Partnership disclosures

Slide 10: Organization Policies
- Implement dual networks (red/green); machines run dual VMs (red/green)
- Red VM and network interface
  – Internal applications, email (restricted)
  – Intranet access only
  – IP and MAC addresses changed randomly
  – Aggressive network monitoring
- Green VM and network interface
  – Internet access
  – No access to the internal network
- Document classification mapped to potential dollar loss
- Required training

Slide 11: Organization IT
- Machines/devices locked down
  – TPM ecosystem; NISTIR 7904 (trusted geolocation/geofencing)
  – No BYOD; devices encrypted and secured
  – Ports locked out; UEFI lockout
  – Boot only from an encrypted hard drive
- Drives encrypted; a TPM is required
- Only the application that has access to the information has access to the encryption keys
  – Must go through the agent
- Encryption and key management is a reasonable expense: $20K for a company, $2K for a server
- Ability to push emergency changes

Slide 12: A National Priority?
"So let me now be blunt for you and for the American people – Sequestration forces the intelligence community to reduce all intelligence activities and functions without regard to impact on our mission. In my considered judgment as the nation's senior intelligence officer, sequestration jeopardizes our nation's safety and security, and this jeopardy will increase over time." – James R. Clapper, Director of National Intelligence

Slide 13: Thank you…

Slide 14: Organization: Executive Level
- Board of Directors: accountability and awareness
- Chief Security Officer: SEC compliance
  – Responsible for rank-ordering the crown jewels periodically and refreshing the entire list
  – Full review/update of organizational security, last made 20 years ago
- Aggressive steps
  – Drive internal security culture change
  – Required continual training of employees
  – Planted employees

Slide 15: Organization Policies
- Tiered defense
- IP classification on all documents, devices and materials
  – Red/orange/yellow books
  – No removal from room, building or campus
- Compartmentalize information; limited disclosure
- Traceability: both individuals and devices
- Clean, secured desks and cabinets
  – Strong enforcement: one warning and/or dismissal

Slide 16: Organizations: Facilities
- Secured, limited entrances; no piggybacking
  – Positive, two-factor identity in critical areas
- Visible, changing badges
- Cameras, monitoring
- Change things in unexpected ways; avoid predictability

Slide 17: Employee
- Badge changes, limited access
- Periodic access and security reviews and renewals
- Building, server and group policies
- Enforce least privilege

Slide 18: Private Sector IP Protection Tactics – Multidisciplinary Approach
- Org processes and methodologies
  – IP clarification: know your crown jewels
  – Tiered defense
  – Protect by physical isolation
  – Frequent movement
  – Compartmentalization
  – Traceability: both individuals and devices
  – Multiple stakeholders: two sets of eyes
  – Move IP and IT to a more secure cloud-based solution
- Organization and governance
  – Org culture change related to security awareness
  – Training of internal stakeholders
  – Board of Directors role
- Technology solutions
  – Encryption done the right way: do it all
  – Key protection
  – Privileged credential protection
  – Information sharing management
  – Device tracking outside the network
  – Use strong compliance frameworks: FedRAMP, ISO 27000, PCI
- Private sector coalition
  – Framework to defend and retaliate
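The "traceable honeytokens" on slide 5 and the "traceability: both individuals and devices" item repeated here are listed without saying how a leaked decoy is tied back to the person and device it was issued to. The following is an added example, not code from the presentation or from the CTO Design Challenge Team: every issued copy of a decoy document carries a token derived with an HMAC over (recipient, device, artifact), and an egress-log scanner maps any request for that token back to the registered copy. The beacon host beacon.example.invalid, the demo key, the document template, the names and the proxy log lines are all constructed for the example.

```python
"""Traceable honeytokens: every planted copy of a decoy carries a unique
token bound to (recipient, device, artifact); egress logs are matched back."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed demo key. In practice the key lives in an HSM/KMS and is never
# checked into source; without it a thief cannot forge or enumerate tokens.
PLANT_KEY = b"demo-plant-key-do-not-use"

# Hypothetical beacon host owned by the defender. Any DNS or HTTP request to
# it is itself an alert; the token says which copy was opened and by whom.
BEACON_HOST = "beacon.example.invalid"
TOKEN_RE = re.compile(re.escape(BEACON_HOST) + r"/u/([0-9a-f]{24})")


@dataclass(frozen=True)
class Plant:
    token: str
    recipient: str   # employee or partner the copy was issued to
    device: str      # device the copy was issued to
    artifact: str    # which decoy document


def make_token(recipient: str, device: str, artifact: str,
               key: bytes = PLANT_KEY) -> str:
    """Keyed (HMAC-SHA256) token, truncated to 24 hex chars for URL use."""
    msg = "\x1f".join((recipient, device, artifact)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def plant(template: str, recipient: str, device: str, artifact: str,
          registry: dict, key: bytes = PLANT_KEY) -> str:
    """Return a per-recipient copy of the decoy with its beacon URL embedded,
    and record the (token -> Plant) mapping in the registry."""
    token = make_token(recipient, device, artifact, key)
    registry[token] = Plant(token, recipient, device, artifact)
    return template.replace("{{BEACON}}", f"https://{BEACON_HOST}/u/{token}")


def scan_logs(lines, registry: dict):
    """Match beacon tokens seen in egress logs back to the planted copy.
    Returns (line, Plant or None). None means a well-formed token that is not
    in the registry: forged, stale, or from a lost registry, so alert anyway."""
    hits = []
    for line in lines:
        for m in TOKEN_RE.finditer(line):
            hits.append((line, registry.get(m.group(1))))
    return hits


def demo():
    """Plant two copies of one decoy and scan constructed proxy log lines."""
    registry = {}
    template = "Project Keystone v2 design notes\nRendering asset: {{BEACON}}\n"
    copies = {
        ("alice", "LT-0412"): plant(template, "alice", "LT-0412",
                                    "keystone-v2.docx", registry),
        ("bob", "LT-0977"): plant(template, "bob", "LT-0977",
                                  "keystone-v2.docx", registry),
    }
    bob_token = make_token("bob", "LT-0977", "keystone-v2.docx")
    # Constructed egress-proxy lines: Bob's copy opened inside the company,
    # then from an outside address (the copy has left), then an unknown token.
    logs = [
        f"2024-03-01T02:14:07Z 10.8.3.21 GET https://{BEACON_HOST}/u/{bob_token} 200",
        f"2024-03-02T11:30:55Z 203.0.113.45 GET https://{BEACON_HOST}/u/{bob_token} 200",
        f"2024-03-02T11:31:02Z 203.0.113.45 GET https://{BEACON_HOST}/u/{'f' * 24} 200",
        "2024-03-02T11:32:00Z 10.8.3.21 GET https://intranet.example/wiki 200",
    ]
    return scan_logs(logs, registry), copies


if __name__ == "__main__":
    for line, who in demo()[0]:
        print(line.split()[1], "->", who.recipient if who else "UNKNOWN TOKEN")
```

The HMAC binds the token to the identity tuple so a token seen in a log cannot be re-attributed to someone else without the key, and the registry lookup is what makes the beacon traceable rather than merely noisy. Attribution only proves which copy leaked, not who leaked it, so the registry should record the device as well as the person, as the slide asks.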

Slide 19: Public Sector Role in IP Protection – Balance between strong offensive and defensive strategies
- Increase the role of government
  – Enforce the law, apply diplomatic pressure, share DoD-level security protection methods
- Raise the economic cost of IP theft
  – Ban products based on IP theft from the US market
  – Restrict access to the US financial system for companies whose products are based on IP theft
- Build offensive capabilities

Slide 20: Broad Scope of Impact and Involvement
- Stakeholder ecosystem: corporate executives, employees, partners (e.g., supply chain, distribution), policy makers
- Vehicles for IP theft ecosystem: all devices (PCs, laptops, mobile devices, sensors, etc.), networks, other??

Slide 21: A Multilayered Solution
- Governmental policies
- Industry and academic processes
- Corporate policies
- Employee policies




