Moving beyond Vulnerability Testing
DESCRIPTION
Most organizations have started to include either static or dynamic application security testing as part of their overall test strategy. This additional test effort is due in large part to the cyber security risks that are emerging. These risks create an urgent need to move beyond testing and to institutionalize security as part of every organization's software development/acquisition culture. This presentation covers real-life examples of how to enable this type of behavioral change in your organization. First presented at HP Discover Barcelona 2014 by Gopal Padinjaruveetil, Chief Application Security and Compliance Architect, Capgemini.
TRANSCRIPT
Moving beyond Vulnerability Testing
December 04 2014
#HPdiscover
@pkgopala
Gopal Padinjaruveetil CISA, CISM, CRISC, CGEIT, TOGAF9
Chief Application Security and Compliance Architect
innovating with you
Let’s take a closer look at where we are today
3 Copyright © Capgemini 2014 – All Rights Reserved
HP Discover 2014 | Gopal Padinjaruveetil | December 2014
I am tired of catching up... I need resilience
“A fever is a symptom. There's an underlying disease that causes it. Giving you a fever (sitting in a sauna) doesn't make you sick, and getting rid of the fever (in a cold bath, for example) doesn't always get rid of the illness…
Spending time and money gaming symptoms and effects is common and urgent, but it's often true that you'd be better off focusing on the disease (the cause) instead. ”
– Seth Godin
A security vulnerability is a symptom; the root cause is always something else.
“You can fix it on the drawing board with an eraser or you can fix it on the site with a sledgehammer” – Frank Lloyd Wright
The Internet as it is today... and this picture is changing fast
Source: Shodan
Technology is growing at an exponential rate. If technology grows exponentially and we do nothing, the security threats will rise exponentially too.
- IPv4: 4 billion devices (the size of a postage stamp)
- IPv6: 340 trillion trillion trillion (340 undecillion) devices (the size of the solar system)
- 50 billion connected devices by 2020
- 9.9 trillion market value
- Over 80 trillion email spam messages a year
- Connected cars, connected cities, connected devices by 2025?
- Connected bodies (BYBN) by 2035?
- Finally, Singularity* in 2045?
[Slide illustration of exponential growth: 2^63; 18,446,744,073,709,551,615]
* According to Ray Kurzweil, by the year 2045 “human intelligence will enhance a billion-fold thanks to high-tech brain extensions”, leading to a phenomenon known as the “singularity”, a point at which humans and computers will merge into one. This sort of “one in two” will create serious challenges for security and in the allocation of moral accountability between the two…
Deep web: how deep? If we do nothing, we have to assume the deep web will expand on a logarithmic scale.
- The deep web is currently 400 to 550 times larger than the commonly defined World Wide Web.
- The deep web contains 7,500 terabytes of information, compared to 19 terabytes of information in the surface web.
- The deep web contains nearly 550 billion individual documents, compared to the 1 billion of the surface web.
- $45 billion industry (Yankee Group)
- Google: number of systems 500,000; bandwidth 1500 Gps
- Botnets: number of systems 6,400,000; bandwidth 28 terabits
What will the numbers be in 2020?
“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again. Maintaining a code of silence will not serve us in the long run.” – FBI Director Robert Mueller
Do we realize the seriousness of the problem? Denial is not an option.
“Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!” – The Red Queen, to Alice, in Lewis Carroll's Through the Looking-Glass
A real lesson from a kids' fantasy tale
The adversary is constantly advancing its capabilities... Can we overtake them at the current pace?
“Unless we change our direction, we are likely to end up where we are headed” – unknown
We need to build Trust in Information Technology
- Trust in People
- Trust in Organizations
- Trust in Governments
- Trust in Devices
- Trust in Data
- Trust in Systems and Applications
- Trust in communication networks (Internet)
What can we do?
1. Secure by Design, not Chance
2. Adapt, Evolve and Mutate
3. Change Behaviors
4. Collaborate
growing with you
Secure by Design, Not Chance
The natural world is a good example of an intelligent design for security:
- The central nervous system
- The blood-brain barrier
- The immune system
- Camouflage
- The reflex action
- Adrenaline
- Many more...
Survival of the fittest (resilience) requires design as a “way of thinking”.
What will an intelligent Secure by Design in IT look like?
Secure at Design Time: prevention as the overarching design principle
- Digital identity and access for humans and things
- Protect sensitive information in transit and at rest (structured and unstructured)
- Protect your end points (including human end points)
- Optimize your attack surface
- Every component must protect itself (there are no more boundaries)
Secure at Run Time: detect and respond in real time as the overarching design principle
- Capability to scan the environment and be vigilant for threats all the time (internal and external)
- Reflex: how fast can you respond to threats?
- Is the response context aware?
- Continuous evaluation of the defense
- Defense automated as much as possible
accelerating with you
Adapt, Evolve and Mutate
Prey and predators: the natural world is a hostile place. Even the best intelligent design will not protect you 100%.
The same holds in the world of Information Technology.
Change is inevitable... adaptation is optional.
Evolutionary Design embraces the fact that the understanding of a system evolves, and helps the system's design evolve with it.
Evolving and adapting through mutation is the only way to survive in a hostile world.
How does this concept translate to cyber security?
Protection against opportunistic attacks (easy):
- Protect your perimeter
- Protect your end points
- Patch your systems
- Protect against phishing attacks
- Protect against zero-day attacks
Protection against targeted attacks (difficult):
- Digital evidence is often left behind that can reveal the attacker's intent, skill level, and knowledge of the target
- Develop the capability to detect and respond to an attack in near real time
- Correlation of discrete and disparate events to provide an early warning system
- Big Data and predictive data analytics with machine learning (“learn” from data)
- Organizational awareness and behavior change can go a long way
innovating with you
Changing Behavior and Culture
The big conundrum: the risk tolerance should be reflected in the organization's culture and policies.
The digital transformation is driving sky-high business ambition...
VS
The double-sided squeeze: the bad guys on one side and government regulations and penalties on the other are driving enterprises to almost zero risk tolerance.
Finding the right balance is key.
Consider all layers (both the visible and invisible realms)
The Human Layer:
10 Government (Regulations / Politics)
9 Organizations (Culture / Politics)
8 User (PICNIC – ID10T Error)
The Technology Layer:
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu, The Art of War
A few change considerations to think about:
- Cyber security as a strategic driver.
- Cyber security is not an IT problem; it is an organizational problem.
  • A cyber security weakness is an organizational weakness, not an IT weakness.
- Security is everybody's business, not just the CISO's and CIO's.
- Culture in context: societal, organizational, people.
- Finding inhibitors to a culture of security and removing or addressing them.
- Is security funding in line with the enterprise security risk tolerance levels?
  • Some bad actors are extremely well funded. Is your defense well funded?
- Enterprises should regard cyber attack as a certainty, not a probability.
- Risk from the extended enterprise (vendors, suppliers, contractors...)
People + Process + Technology + PERCEPTION
To bring about behavior change in cyber security, we need to understand how the human brain, cognition and awareness work: addressing the root cause rather than the symptom.
collaborating with you
Collaboration
If penguins are collaborating... why can't we humans?
For more on collaborative systems present in nature watch: http://www.youtube.com/watch?v=IzS7CRaCEtU#t=424
The bad people are collaborating... so why not the good people? “Offense must inform defense.”
Maintaining a code of silence will not serve us in the long run.
We need collaboration not just within and between people, but:
- Trusted collaboration within and between Governments
- Trusted collaboration within and between Organizations
- Trusted collaboration within and between Devices
- Trusted collaboration within and between Systems and Applications
- Trusted collaboration within and between Communication Networks
Let's build windmills, together.
Thank You
Presenter Contact Information
Gopal Padinjaruveetil CISA, CISM, CRISC, CGEIT, TOGAF9, Chief Application Security and Compliance Architect, [email protected]
Gopal Padinjaruveetil is Chief Capgemini Application Security and Compliance Architect, based out of Capgemini Detroit. He is a certified Enterprise Architect and a certified Governance, Risk and Compliance (GRC) Architect and has led Enterprise Architecture and GRC work at Fortune 50 global companies.
Gopal believes that 21st century enterprises are at a crossroads in Information Technology: extracting value from the growing information chaos, spurred by disruptive innovative technologies, is creating an exponentially increasing risk and threat landscape. Solving this requires enterprises to adopt a new perspective based on design thinking and to apply good IT Governance, Risk and Compliance practices.
Gopal has these professional certifications to his credit: CISA, CISM, CRISC, CGEIT, IAF, TOGAF 9. Contact Gopal via: http://www.capgemini.com/experts/security/gopal-padinjaruveetil