Transcript aranoffpresx - IEEE Computer Society

“INTELLECTUAL PROPERTY PROTECTION
IN THE DIGITAL COLLABORATIVE ERA”
BROADCOM CORPORATION
OCTOBER 27, 2015
Geoff Aranoff
Chief Information Security Officer
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
1
AGENDA
 Broadcom Background
 The Nature of Broadcom’s Assets
 Security Threat Vectors
 Our Approach to Investing in IP Protection
 The Surrounding Ecosystem
 CIO’s Summary Perspective
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
2
TECHNOLOGY LEADERSHIP FUELING
CUSTOMER EXPANSION
Broadband
& Connectivity
Group
Infrastructure
& Networking
Group
Broadcom
©
2015 Broadcom
Proprietary
Corporation.
and Confidential.
All rights©reserved.
2015 Broadcom Corporation. All rights reserved.
3
COMPETITIVE ADVANTAGES
COMPETITIVE ADVANTAGES
R&D Innovation
Unparalleled
Chip Integration
~$2.4B annual investment;
ranked #2 by Fortune
in R&D intensity
StrataXGS® Tomahawk™ SoC;
7B transistors equals one for
every person on earth
Source: Google Census 2014
Source: Fortune 2014
World-class
Engineering Talent
~75% of employees in
engineering; two employees
on the “World’s Most Prolific
Inventors” list
IP Portfolio Strength
#2 among fabless
semiconductor companies;
portfolio breadth
Source: Wikipedia 2015
Source: IEEE November 2014
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
4
SUSTAINED RECORD OF INTELLECTUAL PROPERTY INNOVATION
Total patents issued
and pending
~20,650
14,000
10,900
Issued Patents
12,900
8,600
6,800
70
260
460
2001
2002
2003
820
2004
1,630
2005
2,630
2006
3,490
2007
4,500
2008
5,350
2009
2010
2011
2012
2013
2014
Patent Issued
Note: patent issued numbers are rounded
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
5
THE NATURE OF BROADCOM’S ASSETS
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
6
BROADCOM’S ASSET BASE
Intellectual property in the form of hardware designs and
accompanying software
Minimal traditional bricks and mortar
No production facilities and minimal warehousing/distribution
Engineering laboratories and data center compute capacity
We are only
as successful as our
next design win …
Our assets primarily take the form of:
•
•
•
People & Skills
Chip/Hardware Designs
Software Functionality
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
•
•
Customer Confidence
Limited Inventory
7
GLOBAL COLLABORATION ENABLES WORLD-CLASS PRODUCTS
World’s Most Advanced Ultra-HD STB SoC
Team A
 3D Graphics – Cambridge
Team B
Team E




Memory Control
Audio DSP
Video Encoder
Audio I/O
 Gb Ethernet – Irvine
Team C




Component A - Israel
Component B - San Jose
Component C - Vancouver
Component D - Irvine
Team D
28nm, >One Billion Transistors
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.





Component E – Irvine
Component F – Irvine
Component G – Irvine
Component H – Tempe
Component I – Singapore
Team F
 Component J – Irvine
Team G






Video Processing
Transport
Video Encoder
Video Decoder
DDR Controller
SATA3
8
LEVERAGING IP SHARING TO ENHANCE DESIGN EFFICIENCY
3000+
Collaboration Is Part of the
Broadcom Cultural Fabric
PRODUCT
LINE 1
200+
100
OVER 15,000
INSTANCES
OF IP SHARING
LAST YEAR!!
500+
3000+
5
500+
PRODUCT
LINE 2
1500+
35
CENTRAL
ENGINEERING
80
100+
130
35
75
EXTERNAL
PARTNERS
4000+
70
200
130
Broadcom’s IP Exchange Database
Tracks all IP Check-Ins and Check-Outs
PRODUCT
LINE 3
500+
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
9
BROADCOM SECURITY THREAT VECTORS
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
10
SECURITY CONCERNS AT BROADCOM
Electronic Design
Images – Product
Build Files are
Rendered 100%
in Software
Sensitive
Customer
Information and
Specifications
International
Workforce and
Privacy Standards
Sensitive
Employee Data
Security must be “designed-in”
to Broadcom products for
marketplace success and
brand protection
Software
Development Kits
(SDK’s)
Loss of
Proprietary Data
Through
Personnel Exits
Physical Access
and Property
Security
(Prototypes)
Contracts and
Financial
Information
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
11
EVALUATING BROADCOM’S RISK
Market Risk Level
High Profile Customers in Many Markets
010
110
100
001
0101
1011
101011011011
 Unique security requirements in many cases
M
L
H
 3rd party intellectual property protection
Cyber and
Insider Threats
 Sophisticated external and internal adversaries
31 Design Centers – Global Engineering
 Custom design for some customers
M
L
H
 Security cannot impact the performance of the engineering design tools
Collaboration
 High risk regions
Over 20,000 Patents and Patents Pending
M
 Multiple design teams to build a single IP stack
L
H
 No single design flow standard to create intellectual property
Data Governance
 Hardware and software design tools
Engineers Comprise Over 75% of the Global Workforce
 Wider usage of cloud applications to enable better tools
Cloud Security
Mobile Devices
M
L
H
 Social media is pervasive
 Intellectual property and privacy laws in 25 countries
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
12
THE FACTS ABOUT CYBER
The number of Cyber incidents
increases year over year
External Cyber incidents
account for 92% of all data
compromises




Loss of company proprietary and client data through cyber attacks
Damage to company brand
Loss of ability to function (Shipping, receiving, financials…)
Costs of remediation
 Most attacks are utilizing variants of
known hacking techniques
 Spear phishing and web links
 M&A and Partners
 Compromised credential not the
end goal
Most Cyber incidents are
opportunistic in nature
 Almost 80% of reported incidents are traced back to security weaknesses
 Most attacks are not highly complex
 Proper security practices strengthen a company’s defensive position
Motivations behind attacks vary




Financial gain
Competitive and economic advantage
Ideology (Hacktivists)
State sponsored sabotage
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
13
ACTIVE THREAT STATISTICS – 2015 YEAR TO DATE
Cyber Attacks:
Broadcom is
Attacked Daily
Insider Threat:
Approximately
8,200
Engineers
M&A and
Partner
Activities
Control of
User IDs
Acquisitions:
~287 malicious
phishing attacks
that bypassed
technology
phishing controls
Over 71,000 user
data transactions
reviewed
Ensuring
Broadcom is not
compromised by
the acquired
company
Over 800 roles for
all applications
Divestitures:
Over 437 deep
dive reviews
~190,000
malicious attempts
to communicate
outside of
Broadcom’s
network were
blocked
Multiple
investigations
conducted
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
Protecting valuable
IP while separating
divested data
Partners :
Do our partners
protect our data as
we do?
Centralized
management and
control
14
OUR APPROACH TO IP PROTECTION
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
15
OK, SO WHAT DO WE DO?
 Fostering executive awareness and agreement is half the battle
– Transparency is imperative – risks vs. active threats vs. cost of mitigation
– Continue to monitor the environment
 Develop a strategic plan to address the risks
– Lack of a market solution is not an indication that there is no solution,
consider all possibilities
– Prioritize risks with active threats in the wild
– Tie the progress of the plan to business objectives
– Be mindful that this is a long term, ongoing strategy
 Participate in industry groups whenever possible
 Ensure you have a team of security practitioners
– Technologists wear different goggles
– Practitioners are passionate about security
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
16
CONSIDER MULTIPLE CYBER INVESTMENT AVENUES
Partnerships
Team Building
Infrastructure
Tools
Analysis
• Advanced
threat
intelligence
• Adversarial
tactics
• Validation of
strategies
• Experienced
practitioners
• Table top
exercises
• Practice the
plan
• Formal training
• Internet
access
• Network
segmentation
• Endpoint
management
• Advanced
detection
• Endpoint
controls
• Blocking
• Cyber
forensics
• Data Loss
Prevention
(DLP)
• Security
Operations
Center (SOC)
• Log
consolidation
• Baseline
normal traffic
• Data parsers
and
correlation
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
17
INVEST IN CYBER CAPABILITY VERTICALS
Formal Plans
Forensics
Cyber Tools
Outside Partnerships
Objective:
Establish a comprehensive and sustainable
enterprise wide Cyber Security strategy
through:
•
Multi-year program
•
Optimizing the interplay of people,
processes and technologies
•
Real time threat protection
Incident
Response
Centralized Account
Management
Automated Account
Management
Identity Controls
Access Controls
Identity
Management
Standard
Security
Tools and
Processes
Patch Management
Penetration Testing
Vulnerability Testing
DMZ Policies
Monitoring
and Audit
Security Operations
Center (SOC)
Data Correlation
SOC Processing
Metrics and Tracking
Program Pillars
Network Segmentation
Network Access Control
Internal Data
Transactions
IP Identifications
Asset Identification
Architecture
and
Infrastructure
Situational
Awareness
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
Cross Functional Training
Phishing Notifications
Phishing Mailbox
Executive Support
18
DEFINE A REALISTIC CYBER INVESTMENT TIMELINE
CYBER
SOPHISTICATION
LEVELS
INVESTMENT
DOLLARS
15,000,000
13,500,000
$$$$$
Execute
Next Phase
12,000,000
10,500,000
$$$$
9,000,000
7,500,000
Implement
Phase I
$$$
6,000,000
4,500,000
$$
3,000,000
Practice,
Mature,
Plan
Analysis
and
Planning
1,500,000
$
0
2012
2013
2014
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
2015
2016
2017
2018
19
SECURITY VENDOR SOLICITATIONS: JULY 8, 2015
Protect
Against
a
Security
Breach
with
Simple,
Smarter
Authentication
The
Cloud
Security
Knowledge
Center
A
next-gen
firewall
deliver
more
protection
with
less
effort (eGuide)
Video:
The
True
Cost
of
aCommunications
Data
Breach
You're
Invited
| Investigate
Attacks
Like
Before
Technology
5
Steps
to
Prepare
Brief:
Is
One
HP(NYSE:
Your
of can
Your
Cyber
Employees
HPQ)
Attack
–
Intrusion
Actually
Prevention
aNever
Spy?
&
Response
Systems
Plan
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
20
EMPLOYEE AWARENESS IS VITAL AND ESSENTIALLY FREE
Example of Phishing Awareness Memo
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
21
THERE IS NO SUBSTITUTE FOR TALENT
 Geoff Aranoff, CISO - Veteran of the US Marine Corps, BRCM CISO for 10 years, Chief Privacy
Officer for 2 Years, State Department MRPT Certified. Experience working with the US Government
 Cyber Director - US Naval Reserve Officer with Federal Clearances, MS in Information Security, BS
in Computer Science, CISSP, CEH, CISA, and GCIH
 Cyber Manager - Veteran of the US Army, BS in Computer Information Systems, DOD Clearances.
Certified Reverse Engineer (CREA), CEH
 InfoSec Expert - 20 Years Information Security experience, expertise in Cryptography, BS in
Computer Science, BA in Business, CCNP+ Security, CCDA, CEH, and the Cisco-ARCH
 Forensics Investigator – Orange County Sheriff’s Office Veteran in Homicide, SVU, and Computer
Forensics. Managed FBI’s OC Chapter of the Regional Forensics Computer Lab, CFCE, IACIS,
EnCE, ACE
 Forensics Investigator - Orange County Sheriff’s Office Veteran, SVU, and Computer Forensics.
FBI’s OC Chapter of the Regional Forensics Computer Lab, CFCE, IACIS, EnCE, ACE, CART
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
22
HOW DO YOU KNOW IF THE INVESTMENT WORKED?
Measuring Success – increased capability should translate to decreased times to
detect and contain. A mature program will significantly decrease the systems
exposed to attack.
Trends to Track
 Time to detect
 Time to contain
 Types of attacks
 Numbers of compromised systems
 Time to remediate
 Phishing numbers
 Call backs (C2) blocked
 Penetration Testing Statistics
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
23
THE SURROUNDING ECOSYSTEM
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
24
INDUSTRY ACTIONS CAN TRIGGER INCREASED CYBER ACTIVITY
Industry Acquisition Announcements
Intel (INTC) said it will buy fellow chip maker Altera(ALTR) for $54 a share in an all-cash
transaction valued at approximately $16.7 billion that will allow it to expand behind chips
for personal computers into chips for smart cars and other newfangled technologies.
- USA TODAY, June 1, 2015
Press Releases Pertaining to New Technology
A breakthrough in the real-time observation of fuel cell catalyst degradation could lead to
a new generation of more efficient and durable fuel cell stacks.
- Autoblog.com, Toyota City, Japan, May 18, 2015
Publication of Contracts and Industry Awards
The export version of General Atomics' Predator drone conducted a 40-hour test flight
this week, according to Defense News, marking a record for the company's aircraft.
- Washington Business Journal, February 13, 2015
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
25
INDUSTRY ACTIONS CAN TRIGGER INCREASED CYBER ACTIVITY (CON’T)
Very Visible Legal Actions
“T-Mobile USA claims Chinese telecom giant Huawei Technologies stole its software,
specifications and other secrets for a cellphone-testing robot nicknamed “Tappy” — and
it’s not happy. In a lawsuit filed Sept. 2 in federal court in Seattle, T-Mobile says …”
- The Seattle Times, September 5, 2014
High Profile Events and Activities
“A month after hackers launched an attack on Sony Pictures, the fallout initially led the
Hollywood studio to cancel the release of satirical comedy “The Interview,” which
involves a plot to assassinate North Korean leader Kim Jong-un.”
- BBC NEWS, December 29, 2014
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
26
CAN WE COUNT ON THE GOVERNMENT TO HELP?
The U.S. Government is helpful once you’ve been targeted. The FBI is often a good
source of support
Other agencies have specific agendas that primarily focus on Government
contractors and their own organizational needs
The U.S. Government is challenged in working with multinational or overseas
firms for obvious reasons
Lots of discussion today about facilitating sharing of information, but antitrust
laws are complex and tend to work against all of us in most instances
You are still better off working with technically competent firms such as FireEye,
Crowdstrike, PwC, Accenture and others to obtain timely support
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
27
GOVERNMENT IS SOMETIMES PART OF THE CHALLENGE
The Office of Personnel Management included the findings in a statement
Thursday on the investigation into a pair of major hacks believed carried out by
China.
"The team has now concluded with high confidence that sensitive information,
including the Social Security Numbers (SSNs) of 21.5 million individuals, was
stolen from the background investigation databases," the agency said of the
second breach, which affected background investigation files.”
- Fox News, July 9, 2015
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
28
SUMMARY PERSPECTIVE
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
29
ASK YOURSELF: HOW SECURE IS YOUR PERIMETER?
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
30
WHAT SHOULD A CIO LOOK FOR AS INDICATORS OF
ORGANIZATIONAL SECURITY AWARENESS?
When was the last
comprehensive penetration test
completed?
Are high quality passwords
utilized by the workforce with
mandatory password changes?
Are routine and thorough server
and network gear software
patching cycles pursued?
Complete instrumentation of
Internet egress points?
Comprehensive firewall
architecture employed?
Intelligent web application
design, sans basic
vulnerabilities?
Anti-phishing reminders and
user awareness campaign?
How thoroughly have company
acquisitions been integrated?
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
31
ADVANCED CONSIDERATIONS: CYBER AND INSIDER THREAT
There are more advanced markers of organizational success
 Respected industry partners utilized
 Well-defined security event escalation process engaged
 SIEM tools and advanced Cyber detection capabilities employed
 Proactive SOC operational
 Mapped business process flows with identified vulnerabilities (ex. supply chain)
 Thorough understanding of expected traffic patterns versus anomalies
 Forensic and investigative capabilities available
 Previous or current security clearances held by some team members
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
32
BOARD LEVEL EXPOSURE AND EXPECTATIONS
Is Cyber expertise represented on most Boards today?
 Audit Committee stewardship is generally expected
 Shareholder activist lawsuits have become common
 ERM processes expose a full range of possible threat vectors
 Many historical precedents exist across government and industry
 A regular, open exchange with company leadership is warranted
 Company managers can lose their jobs over Cyber events
The CIO / CISO has an obligation to promote Corporate Cyber Governance
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
33
THANK YOU!
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.
34