1 / 25

Getting to Zero: Achieving Zero Loss of Crown Jewel IP

Getting to Zero: Achieving Zero Loss of Crown Jewel IP. CTO Design Challenge Team. A National Crisis. Ongoing, state-sponsored theft of Government and Commercial IP

torin
Download Presentation

Getting to Zero: Achieving Zero Loss of Crown Jewel IP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Getting to Zero: Achieving Zero Loss of Crown Jewel IP CTO Design Challenge Team

  2. A National Crisis • Ongoing, state-sponsored theft of Government and Commercial IP • “This may be the greatest transfer of wealth through theft and piracy in the history of the world and we are on the losing end of it.” • Sen. Sheldon Whitehouse of Rhode Island • $300 Billion cost to US each year • Source: Commission on the Theft of American Intellectual Property

  3. A Policy and Technology Response • “If we do not hang together, we shall surely hang separately” – Thomas Paine • “Everyone has been penetrated and will continue to be penetrated” – US Gov’t

  4. Crown Jewels • Fake Jewels with Payload (think of “parting gift”) • Code looks real, compiles, boots, gathers data and phones home • Traceable “Honeypots”, “Honeytokens”, signatures • Prevent Single Points of Failure with requirement of Multiple trusted employees using “two keys for a missile launch” • Frequent, inconsistent movement of IP “shell game” • Protect by physical isolation • Obfuscate the Jewels • Distribute components, withhold “keystone” offsite

  5. Trade Policy – Trans Pacific Partners • Import tariffs on stolen IP-based products • Alt: Delay imports, deny entry, seize ships/goods • Prevent companies trading technology for access • Enforce Wassenaar Arrangement • Export controls on arms and dual-use tech • Penalize companies selling stolen-IP • Arrest, charge execs of offending companies • Deny/revoke visas to other company representatives • Deny access to stock exchanges • Deny ownership in US companies

  6. Industry Policy • Create industry-specific consortia • Establish consortia-specific private networks • Think “SABREnet” (US airlines) • Create/Leverage Industry CSO organization • Discuss/share threat information, observations • Establish threat levels, vectors • Physical isolation, secure networks, & restrictive access policies

  7. Governmental Policy • CSO: SEC compliance statement • Separate from financial audit • Security compliance, reporting • Data classification and marking • Equivalent of MSDS sheet • How valuable to other people • (Nat’l, Industrial, Corp) Security or Trade Secret • Watermarking, digital leakage prevention

  8. Academic Policies • Universities must have IP protection as part of their major studies required coursework in order to apply for/receive US agency funding • Renewed/audited yearly for first 5 years • Benefits both US students, and instills IP mindset in foreign students • Publishing hold-backs: key processes held back from generally-published papers • Universities need to understand their own profitability • Detail requires specific disclosure process • Particular audits for non Trans-Pacific Partnership disclosures

  9. Organization Policies • Implement dual networks (red/green) • Machines run dual VMs (red/green) • Red VM and network interface • Internal applications, Email (restricted) • Intranet access only • Changing IP and MAC addresses randomly • Aggressive network monitoring • Green VM and network interface • Internet access • no access to internal network • Document classification mapped topotential dollar loss. Required training.

  10. Organization IT • Machines/devices locked-down • TPM ecosystem, NIST 7904 (Geofencing/Geolocation) • No BYOD, devices encrypted, secured • Ports are locked-out, UETF-lockout • Only boot from encrypted HD • Drives encrypted – require TPM • Only the application that has access to the information has the encryption access • Must go through the agent • Encryption and Key management is reasonable expense: $20K for a company, $2K for a server • Ability for Emergency Push of changes

  11. A National Priority? • So let me now be blunt for you and for the American people – Sequestration forces the intelligence community to reduce all intelligence activities and functions without regard to impact on our mission. In my considered judgment as the nation's senior intelligence officer, sequestration jeopardizes our nation's safety and security, and this jeopardy will increase over time. • – James R. Clapper, Director of National Intelligence

  12. Thank you…

  13. Organization: Executive Level • Board of Directors Accountability & Awareness • Chief Security Officer – SEC compliance • Responsibility of rank-ordering the Crown Jewels periodically. Refresh entire list. • Full review/update of organizational security made 20 years ago. Aggressive steps • Drive internal security culture change • Required continual training of employees • Planted employees

  14. Organization Policies • Tiered defense • IP classification on all documents/devices/materials • Red/Orange/Yellow books • No removal from room/bldg/campus • Compartmentalize information, limited disclosure • Traceability: both individuals and devices • Clean, secured desks/cabinets • Strong Enforcement: One warning and/or dismissal

  15. Organizations: Facilities • Secured, limited entrances; no piggybacking • Positive, two-factor identity in critical areas • Visible, changing badges • Cameras, monitoring • Changes in unexpected ways • Avoid predictability

  16. Employee • Badge changes, limited access • Periodic access and security reviews, renewals • Building, server, group policies • Enforce Least Privilege

  17. Private Sector IP Protection Tactics – Multidisciplinary Approach • Technology Solutions • Encryption done the right way: do it all • Key protection • Privileged credential protection • Information sharing management • Device tracking outside network • Use Strong Compliance Frameworks: FedRAMP, ISO 27000, PCI • Private sector coalition • Framework to defend and retaliate • Org Processes and Methodologies • IP clarification: know your crown jewels • Tiered defense • Protect by physical isolation • Frequent movement • Compartmentalization • Traceability: both individuals and devices • Multiple stakeholders: “two set of eyes” • Move IP and IT to a more secure Cloud Based solution • Organization and Governance • Org culture change related to security awareness • Training of internal stakeholders • Board of Directors role

  18. Public Sector Role in IP Protection – Balance between strong offensive and defensive strategies • Increase the role of government • Enforcing Law, Diplomatic Pressure, Share DoD level Security Protection Methods • Raise the economic cost of IP theft • Ban products based on IP theft from US market • Restrict US financial system for companies whose products are based on IP theft • Build offensive capabilities

  19. Broad Scope of Impact and Involvement Stakeholder Ecosystem • Corporate Executives • Employees • Partners (e.g., supply chain, distribution, etc.) • Policy makers Vehicles for IP Theft Ecosystem • All devices (PCs, laptops, mobile devices, sensors, etc.) • Networks • Other??

  20. A Multilayered Solution

More Related