Cyber attacks are reaching pandemic levels. State-sponsored groups and organized crime are successfully stealing valuable intellectual property—including critical infrastructure and operational readiness information, businesses’ and consumers’ financial data—often without anyone realizing the attack has occurred!
But preparedness cannot be delegated solely to the IT department. The involvement of the entire enterprise, armed with an understanding of the highly dynamic landscape, is vital for warding off potential threats.
Author: David Etue, VP of CorpDev Strategy, SafeNet
Watch the webcast on demand: https://www.brighttalk.com/webcast/6319/75109
2. Agenda
About Me and SafeNet
Context
Evolving Adversaries, Evolving Threats
Evolving Technology, Evolving Dependence
Solutions and Ideas
3. About David Etue @djetue
• VP, Corporate Development Strategy at SafeNet
• Former Cyber Security Practice Lead [PRTM Management Consultants] (now PwC)
• Former VP Products and Markets [Fidelis Security Systems]
• Former Manager, Information Security [General Electric Company]
• Industry
• Faculty: The Institute for Applied Network Security (IANS)
• Certified Information Privacy Professional (CIPP/G)
• Certified CISO (C|CISO)
• Cyber things that interest me
• Adversary innovation
• Applying intelligence cycle / OODA loop in cyber
• Supply chain security
• Cloud and virtualization security
4. Who We Are
Trusted to protect the world’s most sensitive data for the world’s most trusted brands.
• We protect the most money that moves in the world, $1 trillion daily.
• We protect the most digital identities in the world.
• We protect the most sensitive information in the world.
FOUNDED: 1983
REVENUE: ~330m
EMPLOYEES: +1,400 in 25 countries
OWNERSHIP: Private
GLOBAL FOOTPRINT: +25,000 customers in 100 countries
ACCREDITED: Products certified to the highest security standard
6. We Have Finite Resources… We Can Not Protect Everything!
“Black Box”
Image credits:
• http://commons.wikimedia.org/wiki/File:Fdr_sidefront.jpg
• Lufthansa Airbus A380 D-AIMC with the name "Peking" at Stuttgart, Lasse Fuss, http://commons.wikimedia.org/wiki/File:Lufthansa_A380_D-AIMC.jpg
7. Consequences: Value & Replaceability
http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/
8. Misplaced Focus
“With the breach-a-week over the last two years, the key determinate was nothing YOU did… but rather was WHO was after you.”
19. The Value An Organization Delivers Is Driven By Its Differentiation
[Diagram: Suppliers & Partners, Your Organization, Customers. Differentiation: Intellectual Property, Strategy, Core Processes]
20. Competitive Differentiation is Dependent on Information and the IT Infrastructure
[Diagram: Intellectual Property, Strategy, Core Processes]
Information Security’s Mission Is To Protect These Key Digital Assets
22. Cloud, Virtualization, Mobile, and Consumerization! Oh My!
Growing Risk
• Sensitive Data on the Rise
• More IT Dependency
• Compliance
• Variety of Threat Actors
No Physical Controls
• Traditional Perimeter GONE!
• SaaS, Cloud & Web 2.0 Apps
• Collaboration Partners
• Growing Mobile Devices
[Diagram labels: Branch Office, Web 2.0 Application, Remote Replication, Internet, SaaS, Cloud, Extranet, WAN, Docs, Offline Folders, Shared Folders, Database, Groupware, E-Mail, Media, Flash-drive, Data Center, Laptop, Mobile]
24. What Has Changed?
[Chart: Amount of Information and Infrastructure, Attack Surface, and Cost of Failure plotted over Time, across the stages Perimeter, Layers, Collaboration, Integrated]
As Organizations Have Embraced Technology, the Amount of Information, Attack Surface, and Cost of Failure Have All Skyrocketed!
26. Privileged Users Even More Powerful In Cloud/Virt
[Diagram, BEFORE: Server with Application, OS, CPU, Disk, Network]
[Diagram, AFTER: Virtual Machines (Application on Guest OS) on a Hypervisor, with Virtual Compute (CPU), Virtual Storage (NAS / SAN), Virtual Network, Physical Network, Management, and Database As-A-Service spanning Compute, Storage, Network]
29. Why Adversary ROI
• Adversaries want assets - vulnerabilities are a means
• Our attack surface is approaching infinity
• Adversaries have scarce resources too
Adversaries care if *they* can get a return on investment from an attack, not you…
30. Adversary ROI Came About By Looking at Risk
A risk requires a threat and a vulnerability that results in a negative consequence
We have finite resources, and must optimize the entire risk equation for our success!
[Diagram: Threat, Vulnerability, Consequence; Current State and Proposed State?]
31. Understanding the Risk Equation
Risk = Threat + Vulnerability
[Callout: Focus of most cyber security programs]
Most Cyber Security programs are focused solely on vulnerability management, which is necessary but insufficient:
• Technology changes at a high rate of speed, making vulnerability a moving target
• The adversary community changes faster than defenders
• Attacks quickly move to the most porous layer
• End users are likely to remain a significant vulnerability
The Cyber Security “arms race” today focuses on Vulnerabilities. It's time to address other variables!
32. Value Favors the Attacker
[Chart: Attacker Gains versus Information Classification (Public; Sensitive, Highly Replicable; Sensitive, Irreplaceable), compared with the Typical IT Security Budget (1-12% of IT Budget)]
Are you prepared to address a funded nation state targeting your highest value intellectual property?
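33. The Adversary ROI Equation
$$\text{Adversary ROI} = \left(\frac{\text{Attack Value} - \text{Cost of the Attack}}{\text{Cost of the Attack}}\right) \times \text{Probability of Success} - \text{Deterrence Measures}$$
where
$$\text{Attack Value} = \text{Value of Assets Compromised} + \text{Adversary Value of Operational Impact}$$
$$\text{Deterrence Measures} = \%\ \text{Chance of Getting Caught} \times \text{Cost of Getting Caught}$$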
34. Impacting Adversary ROI
• It is typically not desirable to make your assets less valuable
• Impact of getting caught is typically a government issue
• Increase adversary “Work Effort”
• Ability to respond and recover key
$$\text{Adversary ROI} = \left(\frac{\text{Attack Value} - \text{Cost of the Attack}}{\text{Cost of the Attack}}\right) \times \text{Probability of Success} - \text{Deterrence Measures}$$
where
$$\text{Attack Value} = \text{Value of Assets Compromised} + \text{Adversary Value of Operational Impact}$$
$$\text{Deterrence Measures} = \%\ \text{Chance of Getting Caught} \times \text{Cost of Getting Caught}$$
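An added worked example, not from the original slides: the Adversary ROI equation of slides 33 and 34 in Python, used to compare how defensive levers change the adversary's return and how much work effort makes an attack stop paying. All numbers, the `Attack` fields, and the mapping of slide 46's enablers to cost, success and impact multipliers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Attack:
    asset_value: float         # value of assets compromised
    operational_impact: float  # adversary value of operational impact
    cost: float                # cost of the attack (adversary work effort)
    p_success: float           # probability of success, 0..1
    p_caught: float            # chance of getting caught, 0..1
    cost_caught: float         # cost of getting caught, in ROI units (assumption)

def adversary_roi(a: Attack) -> float:
    """Adversary ROI with the terms named on slides 33-34."""
    attack_value = a.asset_value + a.operational_impact
    deterrence = a.p_caught * a.cost_caught
    return (attack_value - a.cost) / a.cost * a.p_success - deterrence

def break_even_cost(a: Attack) -> float:
    """Attack cost at which ROI reaches zero, all other terms held fixed."""
    attack_value = a.asset_value + a.operational_impact
    deterrence = a.p_caught * a.cost_caught
    return attack_value * a.p_success / (a.p_success + deterrence)

def apply_control(a, cost_x=1.0, p_success_x=1.0, impact_x=1.0):
    """The same attack as the adversary sees it once a control is in place."""
    return replace(a, cost=a.cost * cost_x,
                   p_success=a.p_success * p_success_x,
                   operational_impact=a.operational_impact * impact_x)

# Constructed sample values; multipliers per control are illustrative assumptions.
BASELINE = Attack(asset_value=900, operational_impact=100, cost=100,
                  p_success=0.5, p_caught=0.1, cost_caught=2.0)
CONTROLS = {
    "encryption and key management": dict(cost_x=3.0),
    "segmentation": dict(cost_x=2.0, p_success_x=0.8),
    "detection and response": dict(p_success_x=0.5, impact_x=0.5),
}

def rank_controls(a=BASELINE, controls=CONTROLS):
    """Controls sorted by the adversary ROI that remains after each one."""
    scored = [(name, adversary_roi(apply_control(a, **kw)))
              for name, kw in controls.items()]
    return sorted(scored, key=lambda item: item[1])

if __name__ == "__main__":
    print(f"baseline ROI {adversary_roi(BASELINE):.2f}, "
          f"break-even cost {break_even_cost(BASELINE):.0f}")
    for name, roi in rank_controls():
        print(f"{name:32s} {roi:.2f}")
```

With real estimates in place of the constructed ones, the ranking shows which lever lowers the adversary's return most for a given asset, and the break-even cost gives a target for the work effort to impose.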
35. Every Organization Should Know The Key Components to This Model
Methods
Impacts
Target Assets
Motivations
Actor Classes
37. The Control Quotient Definition
Quotient: (from http://www.merriam-webster.com/dictionary/quotient )
• the number resulting from the division of one number by another
• the numerical ratio usually multiplied by 100 between a test score and a standard value
• quota, share
• the magnitude of a specified characteristic or quality
Control Quotient: optimization of a security control based on the maximum efficacy within sphere of control (or influence or trust) of the underlying infrastructure*
*unless there is an independent variable…
38. The Control Quotient and the SPI Stack
• Amazon EC2 - IaaS
• Salesforce - SaaS
• Google AppEngine - PaaS
The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
Stack by Chris Hoff -> CSA
39. The Control Quotient and the SPI Stack
[Diagram: CSA Cloud Model. Security Management & GRC; Identity/Entity Security; Data Security; Host; Network; Infrastructure Security; Application Security]
40. The Control Quotient and the SPI Stack
[Diagram: CSA Cloud Model. Security Management & GRC; Identity/Entity Security; Data Security; Host; Network; Infrastructure Security; Application Security]
Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud Forces a Change in How Security Controls Are Evaluated and Deployed
41. To Be Successful, We Must Focus on the Control Kept (or Gained!), NOT the Control Lost…
Half Full or Half Empty?
44. Crunchy on the Outside…
http://www.flickr.com/photos/theilr/2240742119/
45. Time to Secure the Breach
Breach Prevention Era
Secure Breach Era
46. Key Enablers to the Secure Breach
Encryption (and Key Management)
Identity and Access Management with Strong Authentication
Segmentation
Privilege User Management
Detection and Response Capabilities
Asset, Configuration, and Change Management
47. 4 Step Program For Ushering In the “Secure Breach” Era
• Introspection: It's time to try something new…
• Acceptance: You can’t prevent a perimeter breach…
• Understanding: Know your enemies and what they are after…
• Action: Decrease adversary ROI…
48. Thank You!
Any questions?
David Etue
@djetue
Editor's Notes
• Economics is the study of how society allocates scarce resources and goods. A well managed Info/Cyber/Security/Assurance program requires intelligent allocation of scarce resources: we cannot protect everything. We can’t build the entire airplane out of the “black box”.
• Classes of actors can be identified (and even particular actors in some cases). Capabilities can be estimated (and potentially managed by working with Governments and Law Enforcement). Motive can be analyzed via “Adversary ROI”.
• Rorschach Test: http://en.wikipedia.org/wiki/Rorschach_test We see in Anonymous what we WANT to see. We project. Our perceptions say more about us than they do about the multitude of subgroups/causes in Anonymous.
• When our attack surfaces approach infinity, it's easier to manage threats. CONTROL QUOTIENT. Most security programs are focused solely on vulnerability management, which is necessary but insufficient. Technology changes at a high rate of speed, making vulnerability a moving target. The adversary community changes faster than defenders. Attacks quickly move to the most porous layer. End users are likely to remain a significant vulnerability.