The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
1. The Death Of Enterprise
Security As We Know It
Pukhraj Singh
@mleccha
RootConf – 2018, Bangalore
2. Other titles
• Why am I still running an antivirus after 30 years?
• Hackers are atheists, but there are gods in cybersecurity
3. About me
• 13 years of off-and-on experience in security
• 5.5 years in the government
• Imparts an altogether different worldview
• “It was the best of times, it was the worst of times” – Charles Dickens
4. This talk
• Ideas gathered from a six-month research on a manuscript
• Not a microscopic, technical deep-dive
• Security can’t be enumerated using feature-sets
• Relying on aphorisms
• How mystics expose the deeper truths the listeners already know
• I truly stand on the shoulders of giants
• Cyber is over-classified; lack of empirical data makes it difficult to see patterns
• I rely on experts who are *way* more prophetic than I am
5. Focus areas
• The security industry is cursed with unpredictability
• “In IT security, offensive problems are technical - but most defensive
problems are political and organisational”
• Small things you could do to liberate your security architecture
6. Cognitive dissonance in security
“The test of a first-rate intelligence is the ability to hold two opposed
ideas in mind at the same time and still retain the ability to function”
-- F. Scott Fitzgerald, The Crack-Up
7. Dense or sparse?
Are vulnerabilities dense or sparse, asks cryptologist Bruce Schneier
Cognitive dissonance: The very lack of an answer may make
vulnerabilities dense
8. Cyber is totally offense-centric
“If we were to score cyber the way we score soccer, the tally would be 462-456, twenty minutes into the game”
-- Chris Inglis, former Deputy Director of the National Security Agency
9. Insecurity is an emergent property
“Above some threshold of system complexity, it is no longer possible to
test, it is only possible to react to emergent behaviour”
-- Dan Geer, In-Q-Tel
10. Every interface is an attack surface
“Know your network”
-- Advice from Rob Joyce, former head of TAO, NSA
BUT CAN YOU, REALLY?
“Ecology professor Philip Greear would challenge his graduate students to catalog
all the life in a cubic yard of forest floor. Computer
science professor Donald Knuth would challenge his graduate students
to catalog everything their computers had done in the last ten
seconds”
-- Dan Geer, In-Q-Tel
11. Data is code
“Your computer is a state-space, and our data explores it. When it has
no input, your computer program is in all potential quantum states -
literally anything is possible because it is Turing complete if it has
enough complexity. When we give it data, we collapse that waveform
into a particular state of our choosing”
-- Dave Aitel, CEO of Immunity
12. Is the security complexity a threat in itself?
Source: Mudge, Black Hat 2011
14. “If you want to learn exploits today, start with the soft
targets, go with the antivirus”
-- Justin Schuh, Director, Google Chrome Security
15-17. The animal spirits of the offensive underground (three chart slides)
Source: Cyber ITL (Mudge, Sarah Zatko et al), 2016
18. The human spatial bias in security
“Your perimeter is not the boundary of your network, it’s the boundary
of your telemetry”
-- The Grugq
19. So, is true situational awareness really possible?
20. The defenders are just plain lucky
• Dave Aitel and a Fireeye executive walk into a bar…
• We’ve fully regressed as an industry
• DirtyCow
• “A data centre to protect a data centre” – Alex Stamos, ex-CISO of Facebook
• Market rut: Endpoint instrumentation & telemetry-economies-of-scale
• ML: We don’t have enough computation to run the full state-space of an enterprise
21. “In IT security, offensive problems are technical - but most
defensive problems are political and organisational”
-- Halvar Flake, Google
22. "But let me be clear about one thing that may make cybersecurity
different than all else and that is that we have sentient opponents. The
physicist does not. The chemist does not. Not even the economist has
sentient opponents. We do.”
-- Dan Geer, In-Q-Tel
And politics has the biggest influence on human sentience
23. Politics influences:
• The ciphers you use
• The processors, routers and antivirus you run
• The defensive “innovations” in the security industry
• The unjustifiable persistence of centralized architectures like DNS, SSL and BGP, etc.
• Bug classes like Spectre and Meltdown
• What hackers say, or do not say
• …
24. The hybrid war is at an enterprise’s doorstep
“We are fighting at the intersection of a Venn diagram where the finances of a
non-state actor meet the capabilities of a state actor”
-- Le me
• An enterprise can survive a gust of wind, not a Category-4 hurricane
• No demarcation anymore between the private and the public
25. The hybrid war is at an enterprise’s doorstep
“If the cost of attack < the value of information = you will be attacked”
-- Dino Dai Zovi
26. The four misconceptions about offense
• That it is cheap
• That the attacker has an inherent and unprecedented advantage
• That it is purely a technical thing
• That the attackers use ‘atomic’ exploits (they use toolchains)
• Some rhetoric:
• Defenders need to protect everything, whereas an attacker just needs to
compromise one
• Attackers think in graphs, defenders think in lists
• Attackers target infrastructure
27. The three cardinal principles of offense
-- Matthew Monte, former cyber-offense expert at the Central Intelligence Agency
Source: Network Attacks & Exploitation
28. + The fourth principle: time
“If you attack faster than log replication, you are free”
-- Sacha Faust, Microsoft Azure Red Team
30. + And maybe, the fifth principle: bureaucracy
Source: http://addxorrol.blogspot.in/2006/04/more-on-automated-malware.html
31. Things defenders could do…
• Expand the boundary of their telemetry. Collaborate in state-space
• Escalate the attackers’ costs and degrade their toolchains
• Include geopolitics in their defensive spectrum
• Liberate their security analytics and situational awareness
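The first recommendation above follows from two earlier slides: the Grugq’s point that the perimeter is the boundary of your telemetry, and Sacha Faust’s point that an attacker who moves faster than log replication is free. Both reduce to measurable questions a defender can ask of a SIEM export: which inventoried assets produce no telemetry at all, which have gone quiet, which hosts report but are not in the inventory, and how long an event sits between being stamped on the host and being ingested. The following is an added example, not code from the talk; the inventory, log records, field names (`host`, `event_ts`, `ingest_ts`) and thresholds are constructed assumptions.

```python
"""Telemetry-boundary check: which assets sit outside the telemetry we actually
collect, and how far behind is the telemetry we do collect?

Added example, not from the talk. INVENTORY and LOG_RECORDS are constructed
sample data; the field names and thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed asset inventory (what a CMDB or DHCP lease table might export).
INVENTORY = {"web-01", "web-02", "db-01", "jump-01", "hr-laptop-17"}

# Constructed log records in the shape a SIEM might store: the producing host,
# the timestamp the host put on the event, and the timestamp the collector
# ingested it. The gap between the two is the window an attacker has to act
# before anyone can possibly see them.
LOG_RECORDS = [
    {"host": "web-01", "event_ts": "2018-05-10T09:00:00Z", "ingest_ts": "2018-05-10T09:00:04Z"},
    {"host": "web-01", "event_ts": "2018-05-10T09:05:00Z", "ingest_ts": "2018-05-10T09:05:03Z"},
    {"host": "web-02", "event_ts": "2018-05-10T09:01:00Z", "ingest_ts": "2018-05-10T09:01:05Z"},
    # batch-shipped database audit log: 15 minutes behind reality
    {"host": "db-01", "event_ts": "2018-05-10T08:59:00Z", "ingest_ts": "2018-05-10T09:14:00Z"},
    # jump host last reported two days ago
    {"host": "jump-01", "event_ts": "2018-05-08T17:00:00Z", "ingest_ts": "2018-05-08T17:00:02Z"},
    # reporting host that nobody put in the inventory
    {"host": "rogue-ap", "event_ts": "2018-05-10T09:02:00Z", "ingest_ts": "2018-05-10T09:02:02Z"},
]

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2018, 5, 10, 9, 15, tzinfo=timezone.utc)


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class TelemetryReport:
    silent: frozenset[str]    # in inventory, never seen in telemetry: true blind spots
    stale: frozenset[str]     # seen, but last event older than max_age
    unknown: frozenset[str]   # reporting, but absent from inventory
    laggy: dict[str, float]   # host -> worst event->ingest lag (seconds) above max_lag
    coverage: float           # fraction of inventory with fresh telemetry


def assess_telemetry(inventory, records, now,
                     max_age=timedelta(hours=24),
                     max_lag=timedelta(minutes=5)) -> TelemetryReport:
    """Compare the asset inventory against what the collector actually received."""
    last_seen: dict[str, datetime] = {}
    worst_lag: dict[str, float] = {}
    for r in records:
        host = r["host"]
        ev, ing = _parse(r["event_ts"]), _parse(r["ingest_ts"])
        last_seen[host] = max(last_seen.get(host, ev), ev)
        lag = (ing - ev).total_seconds()
        worst_lag[host] = max(worst_lag.get(host, lag), lag)

    seen = set(last_seen)
    silent = inventory - seen
    unknown = seen - inventory
    stale = {h for h in inventory & seen if now - last_seen[h] > max_age}
    laggy = {h: worst_lag[h] for h in sorted(seen)
             if worst_lag[h] > max_lag.total_seconds()}
    fresh = (inventory & seen) - stale
    coverage = len(fresh) / len(inventory) if inventory else 0.0
    return TelemetryReport(frozenset(silent), frozenset(stale),
                           frozenset(unknown), laggy, coverage)


def main() -> None:
    rep = assess_telemetry(INVENTORY, LOG_RECORDS, NOW)
    print(f"coverage: {rep.coverage:.0%} of inventory has fresh telemetry")
    print("silent (blind spots):", sorted(rep.silent))
    print("stale:", sorted(rep.stale))
    print("reporting but not inventoried:", sorted(rep.unknown))
    for host, secs in rep.laggy.items():
        print(f"{host}: attacker has a {secs:.0f}s head start on every event")


if __name__ == "__main__":
    main()
```

On the constructed data the report shows the telemetry boundary is smaller than the inventory (one laptop never reports, the jump host has gone dark, coverage is 60%), that there is a host inside the network the inventory does not know about, and that the database audit trail arrives fifteen minutes late, which is the window in which an attacker on that host is “free” in Faust’s sense. The same three checks apply to any inventory and SIEM export with host and timestamp fields; the thresholds are the part to tune per environment.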
38. Security response: dumb it down
• Apoptosis
• Human immune system has a remarkably low signature memory
• Even the variance among defensive cells is minimal
• Analysis and response are anathema
• Creates an artificial resource scarcity
• Don’t analyse, just reset
• In-Q-Tel’s Cyber Reboot
• “Rebalance the equation to increase the cost and complexity for our adversaries…while
reducing cost and complexity for our defenders”
• Threat Intel & Info Sharing + Security Enhanced SDNs + Endpoint Fluxing
39. Thanks
When it comes to driving security innovation, my motto is “Strong
opinions, loosely held”
-- Gunter Ollmann, CTO (Security), Microsoft