2. Who Am I?
Joined Microsoft in 1990
Worked on MSMoney, IIS, & now Security
Also Worked on “Patch Tuesday” & BlueHat
New-ish Job this Year –
Seeking Non-Technical Security Solutions
Why Am I Here?
Discuss Changes and Suggest Responses
Adaptive Challenge Facing Us
Microsoft & Andrew are committed to Brasil
Brasil is Special & Unique
3. Product Life Cycle Policy and Ecosystem
Creation
Conception
Alignment
Release
4. [Diagram; layout lost in extraction. Legible labels: Identity Management (For Government, For Citizens, For the Supply Chain, Employees); Incident Response; People Awareness and Know-How (Citizen, Children, Government Employees…); Information/Data Protection; Critical National Infrastructure; Trusted Stack; Solutions; eGovernment; Education; Health; Public Safety; National Security; Intelligence (incl. CERT); Infrastructure (CoreIO); Trusted Government; Security Community Engagement; Supply Chain Security; Defense; Partnerships with Private Sector; Risk Management; Privacy; Legislation; Cyberwarfare; Doctrine; Standards Collaboration; Law Enforcement; Incident Preparedness; Cybersecurity Legislation; Training and Collaboration; Enable Secure Innovation]
5. 7th largest IT market WW
6th country in PC Shipments WW
3rd in online time per user – 22h50min/month
5th largest cell phone market - 147M units
60% of all 3G Cell Phones in Latin America
2nd largest WW in number of Companies (620k
new Companies only in 2010)
In the last 5 years, internet active users in total
Population grew from 24% to 43% in 2009
10th in broadband (256 kb) users - 9.1M users
(4.8% of total 190M population)
6. People
Friendly, Smart, Hard-working, Creative,
Stylish!, Proud & Humble at the same time
Culture
Diverse Society and a Rich History
Di Cavalcanti, Vinicius, Jorge Amado
Land of Opportunity
Geography – Huge country that is rich in
resources (and people)
Government - Foundational Principles Rule of
Law
It Works
There is a Brazilian Way
8. People: Internet users estimated to reach 3 billion by 2015, with the bulk of users coming from Brazil, Russia, India, China and Indonesia
Devices: The number of internet-connected devices is predicted to exceed 15 billion, twice the world's population, by 2015 and will likely reach 50 billion by 2020.
Data: It's estimated that 1 billion new Web pages are created daily and about 32 million domain names are added to the Web every year, with this number expected to rise dramatically in
9. 25 million Facebook users in the country of 1.16 billion people, an increase
of 1.78 million from the start of last month.
Indian Internet to grow from 81 M to 237 M Internet users by 2015
10. Cybercrime
Military Espionage
Economic Espionage
Cyber Warfare
11. Usage
Every aspect of our lives is now dependent
on computers
Food, Energy, Finances, Entertainment,
Clothing, Government
Future
Connectivity is like Oxygen
Data, Data, Data
12. Within a decade, more than 50
billion everyday objects could
be collecting data and making it
available online
A growing amount of Internet
traffic is originating with non-PC
devices. In 2010, only 3 percent
of Internet traffic originated
with non-PC devices, but by
2015 the non-PC share of
Internet traffic will grow to 15
percent.
PC-originated traffic will grow at
a CAGR of 33 percent, while
TVs, tablets, smartphones, and
machine-to-machine (M2M)
modules will have growth rates
of 101 percent, 216 percent, 144
percent, and 258 percent,
respectively.
13. Non-traditional data sources
Sensors
GPS tracks
Web click streams
Non-traditional processing
Massive processing over semi-structured data
Less formal structural schemata
Machine learning grows up
Probabilistic
Ranking
Correlation
Novel use cases
Historical mining to create real-time models
Saving and processing “all-data”
14. 1 billion new Web pages are created daily and
about 32 million domain names are added to the
Web yearly, with sharp increases expected in
2011.
The “terabyte club” will reach 6 million by 2015.
In 2015, there will be 6 million Internet
households worldwide generating over a
terabyte per month in Internet traffic, up from
just a few hundred thousand in 2010. There will be
over 20 million households generating half a
terabyte per month in 2015.
The amount of data created, captured, and
replicated in the world is growing at a
compounded rate of 60% a year. By 2011, the
digital universe will be 10 times the size it was
in 2006. (IDC)
15. Threats
No longer just attacks on infrastructure
Attacks against Intellectual Property
And Attacks against the foundations
Attacks against business models
Recent Attacks & News
Anonymous & Lulz
Comodo, DigiNotar
Location issues w/ smart phones
Facial Recognition Talk from Black Hat
http://www.face-to-facebook.net/hacking-monopolism-trilogy.php
Hacking Microcontrollers - Don Bailey’s BH Europe
16. Borrowing Concept from Harvard Business
Review Article 1997
Key Concept – We need Technical Solutions
&& we need to Adapt (change) our thinking
Get On the Balcony
Identify the Adaptive Challenge
Adaptive Solutions – often from bottom up
Ronald Heifetz & Donald Laurie – HBR article
http://hbr.org/2001/12/the-work-of-leadership/ar/1
18. [Diagram; layout lost in extraction. Levels: Basic, Standardized, Rationalized, Dynamic. Legible labels: Tactical; Proactive; Holistic and Operational; Strategic and Optimal; Undefined Risk; Understood Risk; Controlled Risk; Continuous Risk Management; Threat Ignorance; Threat Aware; Threat Intelligence; Threat Management; Unaware; Awareness and Training; Culture of Security; Ad-Hoc and Manual; Structured; Automated; Unpredictable; Consistency; Quantitatively Managed; Service-Oriented; Integrated Security; Robust Governance]
20. [Diagram repeated from slide 18; layout lost in extraction.]
Respond
[Table with columns Basic, Standardized, Rationalized, Dynamic; cell layout lost in extraction. Items listed:]
- Desktop Image Engineering
- Active Directory Design & Deployment
- BitLocker Full-Volume Encryption Solutions
- Strong Authentication using Smartcards
- Application Lifecycle Management Services 2010
- Network Access Protection with 802.1x Enforcement
- Data Protection using Active Directory Rights Management
- Desktop Optimization and Configuration Management
- Security for Wireless Services
- Secure Public Key Infrastructure
- Network Access Protection with IPSec Enforcement
- Network Isolation Services
- Secure Web & Remote Access using Forefront TMG
- Enterprise Identity Lifecycle Management
- Desktop Virtualization Solutions
- Server Virtualization with Advanced Management Infrastructure
- Server Virtualization with Advanced Management - High Availability
- Virtual Desktop Solution
- Seamless Access using DirectAccess and TMG
- Enterprise Federated Identity using ADFS
- Application Backup using System Center Data Protection Manager
- Client Anti-Malware Solutions
- Enterprise Configuration Management
- IT Enterprise Management: End-to-End Cross-Platform Monitoring
- Enterprise Mobile Device Management
- Client and Server Anti-Malware Solutions
- Windows Error Reporting Deployment Services
- IT Compliance and Reporting: End-to-End Monitoring
- Audit Collection Services
- System Error Reporting & Analysis Services
- Server Virtualization with Advanced Management - Centralized, Policy-driven Management
- Premier IR Support and Training
- Secure Development Lifecycle Training and Assessment Services
- Internet Crime and Forensics Investigations Education and Training Services
- Enterprise Recovery Services
22. Convergence – SSL Trust Agility
Moxie Marlinspike – BH USA
https://www.blackhat.com/html/bh-us-11/bh-us-11-archives.html#Marlinspike
DARPA RA-11-52 - The Defense Advanced Research Projects Agency's Cyber Fast Track program
https://www.blackhat.com/html/bh-us-11/bh-us-11-archives.html#Zatko
Dan Kaminsky’s NetNoob
23. First BlueHat Prize Challenge:
Design a novel runtime mitigation technology that is capable of
preventing the exploitation of memory safety vulnerabilities
Entry Period: Aug 3, 2011 – Apr 1, 2012
Winners announced: BlackHat USA August 2012
IP remains the property of the inventor, with a license for
Microsoft to use the technology
Grand Prize: $200,000 in cash
Second Prize: $50,000 in cash
Third Prize: MSDN subscription ($10,000 value)
27. Technical Solutions On the Fast Track
Army CDCiber
Big Events – 2014 & 2016
RIC
Broadband
Urgent Need for Adaptive Solutions Too
But few Adaptive Solution Ideas &
Environment continues to favor Technical Solutions
Cloud Transformation
Move to the Cloud is permanent – like concrete over
farmland