Slide 1: “INTELLECTUAL PROPERTY PROTECTION IN THE DIGITAL COLLABORATIVE ERA”
Broadcom Corporation, October 27, 2015
Geoff Aranoff, Chief Information Security Officer
Broadcom Proprietary and Confidential. © 2015 Broadcom Corporation. All rights reserved.

Slide 2: AGENDA
• Broadcom Background
• The Nature of Broadcom’s Assets
• Security Threat Vectors
• Our Approach to Investing in IP Protection
• The Surrounding Ecosystem
• CIO’s Summary Perspective

Slide 3: TECHNOLOGY LEADERSHIP FUELING CUSTOMER EXPANSION
• Broadband & Connectivity Group
• Infrastructure & Networking Group

Slide 4: COMPETITIVE ADVANTAGES
• R&D Innovation: ~$2.4B annual investment; ranked #2 by Fortune in R&D intensity (Source: Fortune 2014)
• Unparalleled Chip Integration: StrataXGS® Tomahawk™ SoC; 7B transistors, one for every person on earth (Source: Google Census 2014)
• World-class Engineering Talent: ~75% of employees in engineering; two employees on the “World’s Most Prolific Inventors” list (Source: IEEE November 2014)
• IP Portfolio Strength: #2 among fabless semiconductor companies; portfolio breadth (Source: Wikipedia 2015)

Slide 5: SUSTAINED RECORD OF INTELLECTUAL PROPERTY INNOVATION
Total patents issued and pending: ~20,650
Issued patents by year (chart values):
  2001      70
  2002     260
  2003     460
  2004     820
  2005   1,630
  2006   2,630
  2007   3,490
  2008   4,500
  2009   5,350
  2010   6,800
  2011   8,600
  2012  10,900
  2013  12,900
  2014  14,000
Note: patent issued numbers are rounded

Slide 6: THE NATURE OF BROADCOM’S ASSETS (section title)
Slide 7: BROADCOM’S ASSET BASE
• Intellectual property in the form of hardware designs and accompanying software
• Minimal traditional bricks and mortar
• No production facilities and minimal warehousing/distribution
• Engineering laboratories and data center compute capacity
• We are only as successful as our next design win …
Our assets primarily take the form of:
• People & Skills
• Chip/Hardware Designs
• Software Functionality
• Customer Confidence
• Limited Inventory

Slide 8: GLOBAL COLLABORATION ENABLES WORLD-CLASS PRODUCTS
[Diagram: block layout of the World’s Most Advanced Ultra-HD STB SoC (28nm, >one billion transistors), showing the teams (Team A through Team G) and design centers that contributed each block]
• Blocks: 3D Graphics (Cambridge), Memory Control, Audio DSP, Video Encoder, Audio I/O, Gb Ethernet (Irvine), Video Processing, Transport, Video Decoder, DDR Controller, SATA3
• Components by site: A – Israel; B – San Jose; C – Vancouver; D – Irvine; E – Irvine; F – Irvine; G – Irvine; H – Tempe; I – Singapore; J – Irvine

Slide 9: LEVERAGING IP SHARING TO ENHANCE DESIGN EFFICIENCY
• Collaboration is part of the Broadcom cultural fabric
• OVER 15,000 INSTANCES OF IP SHARING LAST YEAR!!
• Broadcom’s IP Exchange Database tracks all IP check-ins and check-outs
[Diagram: IP-sharing flows between Product Line 1, Product Line 2, Product Line 3, Central Engineering and External Partners, each flow labelled with its count (ranging from 5 to 4000+ instances)]

Slide 10: BROADCOM SECURITY THREAT VECTORS (section title)
Slide 11: SECURITY CONCERNS AT BROADCOM
• Electronic design images: product build files are rendered 100% in software
• Sensitive customer information and specifications
• International workforce and privacy standards
• Sensitive employee data
• Software Development Kits (SDKs)
• Loss of proprietary data through personnel exits
• Physical access and property security (prototypes)
• Contracts and financial information
Security must be “designed-in” to Broadcom products for marketplace success and brand protection.

Slide 12: EVALUATING BROADCOM’S RISK
Risk areas, each rated on a Low / Medium / High scale:
• Market Risk Level
• Cyber and Insider Threats
• Collaboration
• Data Governance
• Cloud Security
• Mobile Devices
Factors driving the ratings:
• High profile customers in many markets
• Unique security requirements in many cases
• 3rd party intellectual property protection
• Custom design for some customers
• Sophisticated external and internal adversaries
• 31 design centers – global engineering
• High risk regions
• Security cannot impact the performance of the engineering design tools
• Over 20,000 patents and patents pending
• Multiple design teams to build a single IP stack
• No single design flow standard to create intellectual property
• Hardware and software design tools
• Engineers comprise over 75% of the global workforce
• Wider usage of cloud applications to enable better tools
• Social media is pervasive
• Intellectual property and privacy laws in 25 countries
Slide 13: THE FACTS ABOUT CYBER
• The number of cyber incidents increases year over year
• External cyber incidents account for 92% of all data compromises
  – Loss of company proprietary and client data through cyber attacks
  – Damage to company brand
  – Loss of ability to function (shipping, receiving, financials…)
  – Costs of remediation
• Most attacks utilize variants of known hacking techniques
  – Spear phishing and web links
  – M&A and partners
  – A compromised credential is not the end goal
• Most cyber incidents are opportunistic in nature
  – Almost 80% of reported incidents are traced back to security weaknesses
  – Most attacks are not highly complex
  – Proper security practices strengthen a company’s defensive position
• Motivations behind attacks vary
  – Financial gain
  – Competitive and economic advantage
  – Ideology (hacktivists)
  – State sponsored sabotage

Slide 14: ACTIVE THREAT STATISTICS – 2015 YEAR TO DATE
• Cyber Attacks: Broadcom is attacked daily
  – ~287 malicious phishing attacks bypassed technology phishing controls
  – ~190,000 malicious attempts to communicate outside of Broadcom’s network were blocked
  – Multiple investigations conducted
• Insider Threat: approximately 8,200 engineers
  – Over 71,000 user data transactions reviewed
  – Over 437 deep dive reviews
• M&A and Partner Activities
  – Acquisitions: ensuring Broadcom is not compromised by the acquired company
  – Divestitures: protecting valuable IP while separating divested data
  – Partners: do our partners protect our data as we do?
• Control of User IDs
  – Over 800 roles for all applications
  – Centralized management and control

Slide 15: OUR APPROACH TO IP PROTECTION (section title)

Slide 16: OK, SO WHAT DO WE DO?
• Fostering executive awareness and agreement is half the battle
  – Transparency is imperative: risks vs. active threats vs. cost of mitigation
  – Continue to monitor the environment
• Develop a strategic plan to address the risks
  – Lack of a market solution is not an indication that there is no solution; consider all possibilities
  – Prioritize risks with active threats in the wild
  – Tie the progress of the plan to business objectives
  – Be mindful that this is a long term, ongoing strategy
• Participate in industry groups whenever possible
• Ensure you have a team of security practitioners
  – Technologists wear different goggles
  – Practitioners are passionate about security

Slide 17: CONSIDER MULTIPLE CYBER INVESTMENT AVENUES
• Partnerships
  – Advanced threat intelligence
  – Adversarial tactics
  – Validation of strategies
• Team Building
  – Experienced practitioners
  – Table top exercises
  – Practice the plan
  – Formal training
• Infrastructure
  – Internet access
  – Network segmentation
  – Endpoint management
• Tools
  – Advanced detection
  – Endpoint controls
  – Blocking
  – Cyber forensics
  – Data Loss Prevention (DLP)
• Analysis
  – Security Operations Center (SOC)
  – Log consolidation
  – Baseline normal traffic
  – Data parsers and correlation
Slide 18: INVEST IN CYBER CAPABILITY VERTICALS
Objective: establish a comprehensive and sustainable enterprise-wide cyber security strategy through:
• A multi-year program
• Optimizing the interplay of people, processes and technologies
• Real time threat protection
Program foundations: Formal Plans, Forensics, Cyber Tools, Outside Partnerships, Executive Support
Program pillars:
• Incident Response
• Identity Management
  – Centralized Account Management
  – Automated Account Management
  – Identity Controls
  – Access Controls
• Standard Security Tools and Processes
  – Patch Management
  – Penetration Testing
  – Vulnerability Testing
  – DMZ Policies
• Monitoring and Audit
  – Security Operations Center (SOC)
  – Data Correlation
  – SOC Processing
  – Metrics and Tracking
• Architecture and Infrastructure
  – Network Segmentation
  – Network Access Control
• Situational Awareness
  – Internal Data Transactions
  – IP Identifications
  – Asset Identification
• Cross Functional Training
  – Phishing Notifications
  – Phishing Mailbox

Slide 19: DEFINE A REALISTIC CYBER INVESTMENT TIMELINE
[Chart: investment dollars (y-axis, $0 to $15,000,000 in $1,500,000 steps) by year (x-axis, 2012 through 2018), annotated with cyber sophistication levels $ through $$$$$ and the phases Analysis and Planning; Practice, Mature, Plan; Implement Phase I; Execute Next Phase]

Slide 20: SECURITY VENDOR SOLICITATIONS: JULY 8, 2015
• Protect Against a Security Breach with Simple, Smarter Authentication
• The Cloud Security Knowledge Center
• A next-gen firewall delivers more protection with less effort (eGuide)
• Video: The True Cost of a Data Breach
• You're Invited | Investigate Attacks Like Never Before
• 5 Steps to Prepare Your Cyber Attack Response Plan
• Technology Brief: Intrusion Prevention Systems
• Is One of Your Employees Actually a Spy?
• HP (NYSE: HPQ) Communications
Slide 21: EMPLOYEE AWARENESS IS VITAL AND ESSENTIALLY FREE
[Image: example of a phishing awareness memo]

Slide 22: THERE IS NO SUBSTITUTE FOR TALENT
• Geoff Aranoff, CISO – Veteran of the US Marine Corps, BRCM CISO for 10 years, Chief Privacy Officer for 2 years, State Department MRPT certified. Experience working with the US Government.
• Cyber Director – US Naval Reserve Officer with federal clearances, MS in Information Security, BS in Computer Science, CISSP, CEH, CISA, and GCIH
• Cyber Manager – Veteran of the US Army, BS in Computer Information Systems, DOD clearances. Certified Reverse Engineer (CREA), CEH
• InfoSec Expert – 20 years information security experience, expertise in cryptography, BS in Computer Science, BA in Business, CCNP+ Security, CCDA, CEH, and the Cisco-ARCH
• Forensics Investigator – Orange County Sheriff’s Office veteran in Homicide, SVU, and Computer Forensics. Managed FBI’s OC Chapter of the Regional Forensics Computer Lab, CFCE, IACIS, EnCE, ACE
• Forensics Investigator – Orange County Sheriff’s Office veteran, SVU, and Computer Forensics. FBI’s OC Chapter of the Regional Forensics Computer Lab, CFCE, IACIS, EnCE, ACE, CART

Slide 23: HOW DO YOU KNOW IF THE INVESTMENT WORKED?
Measuring Success – increased capability should translate to decreased times to detect and contain. A mature program will significantly decrease the systems exposed to attack.
Trends to Track:
• Time to detect
• Time to contain
• Time to remediate
• Types of attacks
• Numbers of compromised systems
• Phishing numbers
• Call backs (C2) blocked
• Penetration testing statistics

Slide 24: THE SURROUNDING ECOSYSTEM (section title)
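The “How do you know if the investment worked?” slide names the trends to track but does not show how they are derived from incident records. The following is an added example, not part of the deck and not Broadcom code: it groups incidents by the quarter in which they were detected, computes median time to detect, contain and remediate plus compromised-system counts, and flags whether each metric fell quarter over quarter. The `Incident` record layout and all sample incidents are constructed for illustration.

```python
"""Incident-response trend metrics: time to detect, time to contain,
time to remediate and compromised-system counts, per quarter.

Added illustration for the 'how do you know if the investment worked?'
slide; all incident records below are constructed sample data, not
Broadcom figures."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Incident:
    incident_id: str
    attack_type: str
    occurred: datetime      # first attacker foothold, established by forensics
    detected: datetime      # SOC raised the alert
    contained: datetime     # affected systems isolated from the network
    remediated: datetime    # systems rebuilt and returned to service
    compromised_systems: int


def hours_between(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600.0


def quarter_of(d: datetime) -> str:
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def quarterly_metrics(incidents):
    """Group incidents by the quarter in which they were detected and
    return, per quarter, the median hours spent in each response phase,
    the total number of compromised systems and the attack types seen."""
    buckets = defaultdict(list)
    for inc in incidents:
        buckets[quarter_of(inc.detected)].append(inc)
    report = {}
    for q in sorted(buckets):
        incs = buckets[q]
        report[q] = {
            "incidents": len(incs),
            "median_hours_to_detect": median(hours_between(i.detected, i.occurred) for i in incs),
            "median_hours_to_contain": median(hours_between(i.contained, i.detected) for i in incs),
            "median_hours_to_remediate": median(hours_between(i.remediated, i.contained) for i in incs),
            "compromised_systems": sum(i.compromised_systems for i in incs),
            "attack_types": sorted({i.attack_type for i in incs}),
        }
    return report


def improving(report, metric: str) -> bool:
    """True only if the metric fell in every quarter-over-quarter step;
    a single regression (e.g. remediation slowing down) returns False."""
    values = [report[q][metric] for q in sorted(report)]
    return all(later < earlier for earlier, later in zip(values, values[1:]))


# Constructed sample incidents (not real data). Detection and containment
# times fall each quarter, but remediation regresses in 2015Q3.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "phishing", datetime(2015, 1, 5, 8), datetime(2015, 1, 12, 8),
             datetime(2015, 1, 13, 8), datetime(2015, 1, 16, 8), 12),
    Incident("INC-002", "malware", datetime(2015, 2, 1, 0), datetime(2015, 2, 5, 0),
             datetime(2015, 2, 5, 12), datetime(2015, 2, 7, 12), 5),
    Incident("INC-003", "phishing", datetime(2015, 3, 10, 9), datetime(2015, 3, 20, 9),
             datetime(2015, 3, 21, 15), datetime(2015, 3, 24, 15), 8),
    Incident("INC-004", "phishing", datetime(2015, 4, 3, 10), datetime(2015, 4, 5, 10),
             datetime(2015, 4, 5, 16), datetime(2015, 4, 6, 16), 3),
    Incident("INC-005", "credential misuse", datetime(2015, 5, 8, 0), datetime(2015, 5, 9, 12),
             datetime(2015, 5, 9, 20), datetime(2015, 5, 11, 20), 2),
    Incident("INC-006", "web application", datetime(2015, 7, 14, 6), datetime(2015, 7, 14, 18),
             datetime(2015, 7, 14, 21), datetime(2015, 7, 17, 21), 1),
    Incident("INC-007", "phishing", datetime(2015, 8, 20, 13), datetime(2015, 8, 21, 1),
             datetime(2015, 8, 21, 5), datetime(2015, 8, 23, 5), 2),
    Incident("INC-008", "malware", datetime(2015, 9, 2, 0), datetime(2015, 9, 3, 0),
             datetime(2015, 9, 3, 2), datetime(2015, 9, 3, 14), 1),
]


def main():
    report = quarterly_metrics(SAMPLE_INCIDENTS)
    for q, m in report.items():
        print(f"{q}: {m['incidents']} incidents, detect {m['median_hours_to_detect']:.0f}h, "
              f"contain {m['median_hours_to_contain']:.0f}h, "
              f"remediate {m['median_hours_to_remediate']:.0f}h, "
              f"compromised systems {m['compromised_systems']}, "
              f"types: {', '.join(m['attack_types'])}")
    for metric in ("median_hours_to_detect", "median_hours_to_contain",
                   "median_hours_to_remediate", "compromised_systems"):
        print(f"{metric}: {'improving' if improving(report, metric) else 'NOT improving'}")


if __name__ == "__main__":
    main()
```

Medians rather than means are used so one long-running incident does not mask a quarter’s typical performance; on the constructed data the check reports detection and containment improving while remediation is flagged as not improving, which is the kind of per-metric signal the slide asks a CIO to watch.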
Slide 25: INDUSTRY ACTIONS CAN TRIGGER INCREASED CYBER ACTIVITY
• Industry acquisition announcements
  “Intel (INTC) said it will buy fellow chip maker Altera (ALTR) for $54 a share in an all-cash transaction valued at approximately $16.7 billion that will allow it to expand behind chips for personal computers into chips for smart cars and other newfangled technologies.” – USA TODAY, June 1, 2015
• Press releases pertaining to new technology
  “A breakthrough in the real-time observation of fuel cell catalyst degradation could lead to a new generation of more efficient and durable fuel cell stacks.” – Autoblog.com, Toyota City, Japan, May 18, 2015
• Publication of contracts and industry awards
  “The export version of General Atomics' Predator drone conducted a 40-hour test flight this week, according to Defense News, marking a record for the company's aircraft.” – Washington Business Journal, February 13, 2015

Slide 26: INDUSTRY ACTIONS CAN TRIGGER INCREASED CYBER ACTIVITY (CONT’D)
• Very visible legal actions
  “T-Mobile USA claims Chinese telecom giant Huawei Technologies stole its software, specifications and other secrets for a cellphone-testing robot nicknamed “Tappy” — and it’s not happy. In a lawsuit filed Sept. 2 in federal court in Seattle, T-Mobile says …” – The Seattle Times, September 5, 2014
• High profile events and activities
  “A month after hackers launched an attack on Sony Pictures, the fallout initially led the Hollywood studio to cancel the release of satirical comedy “The Interview,” which involves a plot to assassinate North Korean leader Kim Jong-un.” – BBC NEWS, December 29, 2014

Slide 27: CAN WE COUNT ON THE GOVERNMENT TO HELP?
• The U.S. Government is helpful once you’ve been targeted
• The FBI is often a good source of support
• Other agencies have specific agendas that primarily focus on government contractors and their own organizational needs
• The U.S. Government is challenged in working with multinational or overseas firms for obvious reasons
• Lots of discussion today about facilitating sharing of information, but antitrust laws are complex and tend to work against all of us in most instances
• You are still better off working with technically competent firms such as FireEye, Crowdstrike, PwC, Accenture and others to obtain timely support

Slide 28: GOVERNMENT IS SOMETIMES PART OF THE CHALLENGE
“The Office of Personnel Management included the findings in a statement Thursday on the investigation into a pair of major hacks believed carried out by China. "The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases," the agency said of the second breach, which affected background investigation files.” – Fox News, July 9, 2015

Slide 29: SUMMARY PERSPECTIVE (section title)

Slide 30: ASK YOURSELF: HOW SECURE IS YOUR PERIMETER?

Slide 31: WHAT SHOULD A CIO LOOK FOR AS INDICATORS OF ORGANIZATIONAL SECURITY AWARENESS?
• When was the last comprehensive penetration test completed?
• Are high quality passwords utilized by the workforce, with mandatory password changes?
• Are routine and thorough server and network gear software patching cycles pursued?
• Complete instrumentation of Internet egress points?
• Comprehensive firewall architecture employed?
• Intelligent web application design, sans basic vulnerabilities?
• Anti-phishing reminders and user awareness campaign?
• How thoroughly have company acquisitions been integrated?

Slide 32: ADVANCED CONSIDERATIONS: CYBER AND INSIDER THREAT
There are more advanced markers of organizational success:
• Respected industry partners utilized
• Well-defined security event escalation process engaged
• SIEM tools and advanced cyber detection capabilities employed
• Proactive SOC operational
• Mapped business process flows with identified vulnerabilities (e.g. supply chain)
• Thorough understanding of expected traffic patterns versus anomalies
• Forensic and investigative capabilities available
• Previous or current security clearances held by some team members

Slide 33: BOARD LEVEL EXPOSURE AND EXPECTATIONS
• Is cyber expertise represented on most boards today?
• Audit Committee stewardship is generally expected
• Shareholder activist lawsuits have become common
• ERM processes expose a full range of possible threat vectors
• Many historical precedents exist across government and industry
• A regular, open exchange with company leadership is warranted
• Company managers can lose their jobs over cyber events
• The CIO / CISO has an obligation to promote corporate cyber governance

Slide 34: THANK YOU!