Control Quotient: Adaptive Strategies for Gracefully Losing Control (Hacker Halted 2014)

Posted on 23-Jun-2015


DESCRIPTION

Control Quotient: Adaptive Strategies For Gracefully Losing Control as presented at Hacker Halted 2014 on October 17, 2014 (https://www.hackerhalted.com/2014/us/?page_id=1174) Abstract: Cloud, virtualization, mobility, and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.

TRANSCRIPT

Control Quotient: Adaptive Strategies For Gracefully Losing Control

Agenda

• Context

• The Control Quotient

• Today’s Reality

• Making it Personal

• Examples

• Transcending “Control”

• Apply

CONTEXT  

Forces of Constant Change

BUSINESS COMPLEXITY = RISING COSTS

• Evolving Threats

• Evolving Technologies

• Evolving Compliance

• Evolving Economics

• Evolving Business Needs

The IT Drunken Bender

The Control Continuum: Dictator … Surrender

Sphere of Control

Sphere of Influence vs. Control (Control sits inside Influence)

THE  CONTROL  QUOTIENT  

The Control Quotient Definition

• Quotient (from http://www.merriam-webster.com/dictionary/quotient):

– the number resulting from the division of one number by another

– the numerical ratio, usually multiplied by 100, between a test score and a standard value

– quota, share; the magnitude of a specified characteristic or quality

• Control Quotient: optimization of a security control based on the maximum efficacy within the sphere of control (or influence, or trust) of the underlying infrastructure*

• *unless there is an independent variable…

History

• RSA Conference US 2009 P2P with @joshcorman

– An endpoint has a comprehensive, but suspect, view

– The network has a trustworthy, but incomplete, view

In Theory There Is An Optimal Place to Deploy a Control…

But Degrees Of Separation Happen…

Avoiding the Proverbial…

TODAY’S  REALITY  

Today’s Reality

• Administrative control of the entire system is lost

• Increased attack surface

• Abstraction has made systems difficult to assess

• Expectation of anytime-anywhere access from any device

The Control Quotient and the SPI Stack: CSA Cloud Model

• Security Management & GRC

• Identity/Entity Security

• Data Security

• Host

• Network Infrastructure Security

• Application Security

Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.

Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud Force a Change in How Security Controls Are Evaluated and Deployed

To Be Successful, We Must Focus on the Control Kept (or Gained!), NOT the Control Lost…

Half Full or Half Empty?

Controls Gained!!!

• Virtualization and Cloud

– Asset, Configuration and Change Management

– Snapshot

– Rollback

– Pause

• VDI

– Asset, Configuration and Change Management

• Mobility

– Encryption (with containers)

• Software-As-A-Service

– Logging!

MAKING  IT  PERSONAL  

A Parent’s Most Valuable Asset?

…Yet Most Parents Allow Their Kids to Leave Their Control

Choosing Child Care? National Association for the Education of Young Children

EXAMPLES  

Virtualization and Cloud Created An Entire New Definition of Privilege

The Control Quotient and the SPI Stack

• Amazon EC2 - IaaS

• Google AppEngine - PaaS

• Salesforce - SaaS

The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.

Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” by Chris Hoff -> CSA

So, Whose Cloud Is It Anyway?

Model                          Private Cloud   IaaS in Hybrid / Community / Public Cloud   PaaS/SaaS
Whose Privileged Users?        Customer        Provider                                    Provider
Whose Infrastructure?          Customer        Provider                                    Provider
Whose VM / Instance?           Customer        Customer                                    Provider
Whose Application?             Customer        Customer                                    Provider
Government Discovery Contact?  Customer        Provider                                    Provider

Photo credits: http://www.flickr.com/photos/markhillary/6342705495, http://www.flickr.com/photos/tallentshow/2399373550

More  Than  Just  Technology…  

VDI Server

VDI Image Storage

VDI: Centralizing the Desktop?

Photo credit: http://www.flickr.com/photos/patrick-allen/4318787860/

Mobile

Photo credit: http://www.sodahead.com/fun/eight...blue-screen.../question-2038989/CachedYou/?slide=2&page=4

IoT / Embedded Devices

Service Providers

Old Ways Don’t Work in a New World…

Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments… but were the controls even effective then?

TRANSCENDING  “CONTROL”  

A Modern Pantheon of Adversary Classes

• Methods: “MetaSploit”, DoS, Phishing, Rootkit, SQLi, Auth, Exfiltration, Malware, Physical

• Impacts: Reputational, Personal, Confidentiality, Integrity, Availability

• Target Assets: Credit Card #s, Web Properties, Intellectual Property, PII / Identity, Cyber Infrastructure, Core Business Processes

• Motivations: Financial, Industrial, Military, Ideological, Political, Prestige

• Actor Classes: States, Competitors, Organized Crime, Script Kiddies, Terrorists, “Hacktivists”, Insiders, Auditors

Link to Full Adversary ROI Presentation. Source: Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M? (RSA US 2012) by Josh Corman and David Etue.

HD Moore’s Law and Attacker Power

• Moore’s Law: Compute power doubles every 18 months

• HDMoore’s Law: Casual Attacker Strength grows at the rate of MetaSploit

Source: Joshua Corman, http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/

Countermeasures (built up layer by layer)

• Situational Awareness

• Operational Excellence

• Defensible Infrastructure

Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.

Control “Swim Lanes”

• Asset lanes: PHI, “IP”, Web, PCI

• Controls: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, …

• Desired Outcomes / Leverage Points: Compliance (1..n), “ROI”, Breach / QB sneak, Productivity, …

Control & Influence “Swim Lanes”

• Same asset lanes and controls as above

• Desired Outcomes / Leverage Points extended with: Procurement, Disruption, DevOps, “Honest Risk”, General Counsel

Under-tapped Researcher Influence

• Same asset lanes, controls and leverage points as above

• Additional influence lanes: Litigation, Legislation, Open Source, Hearts & Minds, Academia

Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.

Potential Independent Variables

• Encryption: with good key management…

• Rootkits: well, rootkits for good…

• Intermediary Clouds: Anti-DDoS, WAF, Message/Content, Identity, etc…

• Identity and Access Management: with proper integration and process support

• Software-As-A-Service (SaaS): *if* the provider harnesses the opportunity

InfoSec Serenity Prayer

Grant me the Serenity to accept the things I cannot change;

Transparency to the things I cannot control;

Relevant controls for the things I can;

And the Wisdom (and influence) to mitigate risk appropriately.

Thank You!

• Twitter: @djetue

• Resources:

– Adversary ROI: [SlideShare] • [RSA US 2012 Online on YouTube]

– The Cyber Security Playbook: Securing Budget and Forming Allies (with @joshcorman) [BrightTALK]
