Peak Prevention: Moving from Prevention to Resilience
•Télécharger en tant que PPTX, PDF•
0 j'aime•2,472 vues
Daniel Miessler discusses moving from a prevention-focused approach to security to a resilience-focused approach. He argues that, like "peak oil", our ability to continue growing prevention capabilities has limits and we need to find new ways to reduce the impact of incidents that do occur. Miessler advocates preparing for inevitable risks by making data unusable if stolen, insuring against losses, improving response and recovery, and reducing the value of what attackers can access. The goal is shifting from fully preventing incidents to reducing their impact when they do happen.
Recommandé
Contenu connexe
En vedette
En vedette (16)
Plus de Daniel Miessler
Dernier
Dernier (20)
Peak Prevention: Moving from Prevention to Resilience
- 1. Peak Prevention Daniel Miessler Director of Advisory Services, IOActive AppSec Cali January 24, 2017 Moving from prevention to resilience
- 2. Intro Daniel Miessler (@danielmiessler) 18 years in infosec: mostly as a tester (net/web/app/iot) Run the consulting practice for IOActive Read / write / podcast / table tennis
- 3. Flow Peaks and valleys Risky bits Impact reduction Preparing for what’s coming
- 4. Peak Oil
- 5. Peak $THING We used to have a lot of room to grow. That growth has stopped. We now have as much as we’ll ever have. We need to find another source of what it was providing.
- 6. Peak $THING (oil) We used to have a lot of room to grow. (finding more oil, producing it faster) That growth has stopped. (we found most of the oil) We now have as much as we’ll ever have. (it’s all downhill from here) We need to find another source of what it was providing. (energy)
- 10. Peak $THING (prevention) We used to have a lot of room to grow. (add firewalls, AV) That growth has stopped. (it can all be bypassed) We now have as much as we’ll ever have. (kind of) We need to find another source of what it was providing. (risk reduction)
- 15. Prevention(chanceofsuccess) Resilience (damage taken) 1 7 6 3 5 4 2 9 8 10 10 9 8 7 6 5 4 3 2 1 Acceptable 42 1
- 17. Prevention(chanceofsuccess) Resilience (damage taken) 1 7 6 3 5 4 2 9 8 10 10 9 8 7 6 5 4 3 2 1 Acceptable Peak 5? 7? 30 42 1
- 18. Prevention(chanceofsuccess) Resilience (damage taken) 1 7 6 3 5 4 2 9 8 10 10 9 8 7 6 5 4 3 2 1 Acceptable Peak? 7 Impact can’t go above 6.
- 20. Prevention(chanceofsuccess) Resilience (damage taken) 1 7 6 3 5 4 2 9 8 10 10 9 8 7 6 5 4 3 2 1 Acceptable Peak? 7 We need to be here…
- 21. Prevention(chanceofsuccess) Resilience (damage taken) 1 7 6 3 5 4 2 9 8 10 10 9 8 7 6 5 4 3 2 1 Acceptable We need to be here…We are here. Need to go that way
- 22. Prevention(chanceofsuccess) Resilience (damage taken) 1 7 6 3 5 4 2 9 8 10 10 9 8 7 6 5 4 3 2 1 Acceptable We need to be here…We are here. Need to go that way
- 24. 1 Make your data unusable when it’s stolen?
- 25. 2 Insure yourself against loss for when incidents do occur?
- 26. 3 Change the narrative so people don’t care as much. (already happening naturally)
- 27. 4 Have super clean backup and restore procedures. (ransomware)
- 28. 5 Have redundant sites for when yours is taken down.
- 29. 6 less valuable to attackers. files salaries Make what you have records PII secrets
- 30. Prepare Yourself
- 33. Limits of Prevention ‣ InfoSec breaches ‣ Bad work days ‣ Toxic relationships ‣ Contagious diseases ‣ Terrorism ‣ Safety accidents ‣ Impact N ‣ Impact N+1
- 34. Look for Impact Reduction Everywhere
- 35. PREVENTION —> RESILIENCE 2017, 2018, 2019…
- 37. Thank You Twitter: @danielmiessler Email: daniel.miessler@ioactive.com Github: https://github.com/danielmiessler Podcast: https://danielmiessler.com/podcast/ OWASP Game Security Framework: https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project
- 38. Resources ✴ OCTAVE: Cyber Risk and Resilience Management http://www.cert.org/resilience/products-services/octave/ ✴ US-CERT Cyber Risk Review (CRR) https://www.us-cert.gov/ccubedvp/assessments ✴ US-CERT Cyber Resilience Management Model http://www.cert.org/resilience/products-services/cert-rmm/
Notes de l'éditeur
- This is not about a tool. It’s not about a service. It’s about an idea. You should be able to apply this whether you’re in senior management, doing technical defense, and whether you’re a vendor or an internal resource.
- Who knows what peak oil is?
- You can abstract PEAK to anything.
- … So energy was the thing we wanted, oil was giving it to us, and now we need another source.
- So with infosec we have an equation for RISK, which is probability x impact. We’ve been getting our energy from oil, so where have we been getting our risk reduction?
- WE STOP THIS, WE PREVENT THIS How many booths have you seen where the focus was making it ok if you got hacked?
- So if we plug prevention in here we get something like this.
- So if we take a look at how the risk equation plays out, we can see something like this. It’s multiplication.
- So you change the ratings for probability and impact, and the risk score changes.
- Anything times zero is 0.
- So let’s say our acceptable risk is 40-60—say 50.
- So here’s where we’re tying to get.
- Well here’s the problem. Our impact is jacked up. And we are reaching our limit for prevention. So we can spend millions more on more prevention technologies, and still not get much reduction in probability.
- If we peak at 7 for prevention, we get locked in for impact. One more thing about the prevention peak. Are we REALLY peaked at 5? Who thinks we’re doing the best we can in prevention? Great. And who things it’s going to get better in the next 1-5 years?
- So if we’re locked in at 7 for prevention, impact can’t go above 6.
- But we’re not at 6. We’re at a 10. Or a 9. Everything bad that happens is catastrophic, because RSA (and the entire narrative) is bent around prevention.
- So if we want to move into the green box, and we’re spent on prevention, we need to get into THIS area for impact.
- But the problem is that we’re here. This is the problem. We’re way too focused on prevention.
- And this applies to SO MANY THINGS. Terrorism. 9/11 cost the country over 5 trillion dollars and hundreds of thousands of lives. Think about the damage that 10 people can do to the country with basic pipe bombs. How do you prevent 10 people with pipe bombs? You don’t. How do you prevent skilled attackers from getting into most networks? You don’t.
- Great. So what do we do? We need to find ways to reduce impact when bad things do happen.
- I’m not going to name tools because that’s not what this is about. There are solutions starting to come out now.
- Longer term.
- I take the takeaways seriously.
- We have more control over the impact side of the equation than the probability side. We need to use it.
- Look for impact reduction in all your threat scenarios.
- Expect to see this shift.
- Finally, think about what this shift is going to do to decision making in the C-Suite. What happens when CEOs and CISOs start asking questions?
- That’s what I wanted to share today. Hopefully I’ve given you something to think about. Thanks for having me.