Who should the security team hire next?
Published on

SOURCE Seattle 2011 - Myles Conley
Transcript

  • 1. Who Should You Hire to Improve Company Security?
    Myles Conley, Auspices LLC
  • 2. No, I DON’T know AppSec experts looking for work
  • 3. What to expect this hour
    •  Where do elite security gurus work?
       –  Do they work for elite companies?
    •  Reviewing breach data trends
    •  Who to hire to address those trends
    •  Scope
       –  US commercial only.
       –  Fortune 500 / Other
  • 4. How to find “Good” AppSec People?
    -  Have found a real bug
    -  Can understand bug implications
       -  Not by Certification
       -  Not by Survey
       -  Not by School?
  • 5. Why Not try Bugtraq Mail List?
    Pros:
    •  20-45K subscribers
    •  Data since 1999
    •  They have found bugs
    •  Part of complete security team
    Cons:
    •  Cultural Bias
    •  Out of date
    •  Nyms, Corporate postings
    •  Bias towards self promoters
  • 6. Bugtraq Mapping
    19,085  Unique Posters
    Less    Non-U.S., Anti-Spam, Truncated Names
    Less    Pseudonyms, Roles
    7,352   Total Plausible Names
    4,128   Found on LinkedIn
  • 7. Where BugTraqers Work
    [Bar chart: number of Bugtraq posters by employer type, 0% to 35% of total]
    Other                                    1405
    Security specialists                      876
    Fortune 500                               638
    .gov, .edu, non US, non commercial        485
    High Tech                                 468
    Vendor of Software/Hardware               351
    Other Financial                           153
    Other Healthcare                           84
  • 8. More Bugtraq at mature companies?
    [Two pie charts: share of Fortune 500 Companies and of Breached Companies that Have a Bugtraqer vs. Don’t]
    Fortune 500 Companies: 638 Bugtraqers
    •  71 companies, average 9
    •  Actually concentrated at Google, IBM, Microsoft, HP, etc.
    Breached Companies: 447 Bugtraqers
    •  55 employers out of 1158
    •  Average of 8
  • 9. Avoid Bugtraq Bias?
    •  People who submitted a security bug for Mozilla
    1905  Unique Bug Submitters
    Less  Non-U.S., Truncated Names
    Less  Pseudonyms
    1414  Total Plausible Names
    632   Found on LinkedIn
    661 Employers… only 47 have 1 bug reporter
  • 10. Where Mozilla Helpers Work
    [Bar chart: US Based Mozilla Critical Security Bug Reporters by employer type, 0% to 30%; categories in descending order: Security specialists, Other, Vendor of Software/Hardware, High Tech, .gov/.edu/non commercial, Fortune 500, Other Financial, Other Healthcare]
  • 11. AppSec Conclusions
    •  Good help is widely distributed
       –  20% are in security consulting companies
       –  There is a long tail
    •  Lots of companies chose not to hire people who post on BugTraq
       –  Or are using contractors
       –  Or are hiring now
       –  Or hire youngsters
    •  So… why is it always AppSec? Themes we learn from the news:
       •  Helpless against 0day attacks
       •  Security Development Lifecycle is working
  • 12. How Security Team Primes Security
    Application Security:
    •  Pen Test
    •  QA integration
    •  Metrics
    •  Dev Tools Training
    •  Developers own Security
       –  SDL
    Ops Security / Strategy:
    •  Pen Test
    •  ….. FUD
    •  …. Peer comparisons
    •  … Look over There!
    •  .. Controls
    •  Change in Capabilities Maturity Level
  • 13. Fixing Overall Security
    What do security team managers need to do?
    •  Figure out where we’re having problems
    •  Find who could have prevented the problems
    •  Find out if we can hire them.
    First, where can we learn about the problems?
    –  Vendors
    –  Incident Response / the Underground
    –  Mandatory Disclosure
    –  News Wire
    –  Surveys
  • 14. Breach Classification
    Level          | Basic                                  | Known problems (Slog)       | Advanced                                    | New
    Description    | Ongoing, common problems, easy to fix  | Known problems, hard to fix | Advanced attacks, hard to predict / fight   | Emerging threats
    Precedent      | Old to World                           | Old to You                  | New to World                                | New to You
    Sophistication | Low                                    | Med-High                    | High                                        | ?
    Example        | Bad passwords                          | XSS                         | APT / 0 day                                 | Malware / Mobile, Skimming
  • 15. Breach Data from Vendors
    Advantages:
    •  Large installed base
    •  Research teams
    •  Forward looking
    Disadvantages:
    •  Annual Report
    Biases:
    •  Want to sell product
    •  Vendor’s Scope
    •  No segmentation
    •  No raw data
  • 16. Symantec / Microsoft
    Symantec:
    •  Threats Identified
       –  Targeted attacks with Social Network intel
       –  Zero day attacks
       –  Attack Kits and Root kits
       –  Mobile
    Microsoft:
    •  Threats Identified
       –  Java, Browser, Adobe files
       –  Attacks using software with patch available
    •  Intelligence
       –  Software Industry Vulns decreasing since 2006
  • 17. Score So Far
    Source of Breach Data              | Basic | Slog | Advanced | New | Theme
    Vendors                            | 0     | 1    | 4        | 1   | We need experts! Or Vendors!
    Incident Response and Underground  |       |      |          |     |
    Mandatory Disclosure               |       |      |          |     |
  • 18. Breach Data from Incident Response Companies
    Advantages:
    •  Know their customers
    •  Sometimes imprison the guilty
    Bias:
    •  Companies that can discover breach
    •  Companies that need external help
    •  Backwards looking
    •  Intrusion is unit of measurement
  • 19. Verizon Data Breach Investigations Report
    Incidents included:
    •  94 investigated by Verizon
    •  667 investigated by US Secret Service
    [Pie chart: Percent of Breached Companies by # Employees; segments: 10K employees, 1K employees, Between]
    [Bar chart: Breaches by Industry in 2011, 0 to 350; categories: Other, Manufacturing, Tech Services, Healthcare, Financial, Retail, Hospitality]
  • 20. Percent of Breaches Including Vector
    [Bar chart, 0% to 45%; vectors in descending order: Social Engineering, Malware via attacker, Default authentication, Brute Force Authentication, Stolen credentials, SQL injection, Abuse of functionality, Weak Authentication, Buffer overflow, Malware via user]
  • 21. Vector Data from Underground
    DBIR Intelligence:
    •  2/3 of malware was customized
    •  Only 5 vulnerabilities used in 381 attacks
    Contagio overview of Exploit Packs
    Dan Guido: Exploit Intelligence Project, 2010
    •  Malware exploits are predictable
    •  Easy no-patch mitigation for 22 of 27 top malware; remainder by architecture policy
  • 22. Score So Far
    Source of Breach Data              | Basic | Slog | Advanced | New | Theme
    Vendors                            | 0     | 1    | 5        | 1   | We need experts! Or Vendors!
    Incident Response and Underground  | 5     | 4    | 1        | 1   | Old problems, then Malware
    Mandatory Disclosure               |       |      |          |     |
  • 23. Breach Data from Mandatory Disclosure
    Advantages:
    •  Raw Data!
    •  DatalossDB.org
    Disadvantages:
    •  Best effort data assembly.
    •  Legislation changes
    Biases:
    •  Backwards looking
    •  Reporting criteria
       –  PII loss is reported
       –  Trade secret loss isn’t
  • 24. DataLossDB Biases
    [Bar chart with two axes: Records Lost (0 to 140) and Breaches (0 to 120)]
  • 25. Fortune 500 vs. Others
    [Bar chart: Breaches, 0 to 120; series: Other Breaches, Fortune Breaches]
  • 26. Fortune 500 Sized Datasets
    [Log-scale chart: records lost in Millions (0.00 to 1000.00), 2006 to 2011; series: Fortune Records, Other Records]
  • 27. Fortune 500 Breach Data
    •  Threats Identified
       –  Missing Encryption
       –  (E)Mail
       –  Hacking
    [Bar chart: Breaches by Vector - Fortune 500, Count of Breaches 0 to 40, 2007 to 2010]
    [Log-scale chart: Records Lost by Vector - Fortune 500 (Log Plot), Millions 0.001 to 1000, 2007 to 2010]
    Vectors: Document Loss, (E)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration
  • 28. Breaches at Non Fortune 500
    •  Threats Identified
       –  Missing Encryption
       –  Web Configuration
       –  Email
       –  Document Loss
       –  Hacking
    [Bar chart: Breaches by Vector - Non Fortune 500, Count of Breaches 0 to 120, 2007 to 2010]
    [Log-scale chart: Records Lost by Vector - Non Fortune 500 (Log Plot), Millions 0.001 to 100, 2007 to 2010]
    Vectors: Document Loss, (e)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration
  • 29. It’s Not Just AppSec. It’s Not Just Advanced.
    Source of Breach Data               | Basic | Slog | Advanced | New | Theme
    Vendors                             | -     | 1    | 5        | 1   | We need experts! Or Vendors
    Incident Response and Underground   | 5     | 4    | 1        | 1   | Old problems, then Malware
    Mandatory Disclosure – Fortune 500  | 2     | -    | 1        | -   | Encryption. Lists, Hacking
    Mandatory Disclosure – Smaller      | 4     | -    | 1        | -   | Basics, Hacking
  • 30. Given These Problems, Who Should You Hire?
    •  For each class of breach,
       –  What does your company need?
       –  What Roles should you hire?
       –  What do Managers have to do?
  • 31. Basic: Kitchen Hygiene
    Company Needs:
    •  Standards Training
    •  Tools: Red cutting boards / Disk Encryption
    •  Consistent Deployment
    •  Consistent Enforcement
    Roles:
    •  Project Management
       –  Own Goal
    •  Glue code developers
       –  Ops tools, especially AAA
       –  Enforcement / near misses
    •  Metrics
    Management:
    •  Risk information
    •  Near Misses
    •  Cost is simplest to estimate
    “No CEO is that stupid not to pay attention [to security]. But maybe they pay the same attention I did, which is giving encouragement and budget to IT but then saying ‘What do I know about programming?’” - Ted Chung, CEO Hyundai Card/Hyundai Capital
  • 32. Long Slog: Factory Model
    Company Needs:
    •  Systems knowledge to interrupt threat
       –  Compartmentalization
       –  Breaking attack chain
       –  Mature incident response
    •  Threat Intelligence
    •  Metrics
    •  Peer Group Intelligence
    Roles:
    •  Threat Intelligence
       –  Vendor
       –  Attack chain architects
    •  Compartmentalization
       –  Systems + business knowledge experts
    •  Web Application cleanup
    •  SIEM / Log glue integrator
    Management:
    •  Control Efficiency
       –  Threat chain status metrics
    •  Incident Response Management
    •  Peer Group Intelligence
  • 33. Advanced Threats: E-Coli
    Company Needs:
    •  Risk Assessment
    •  Risk Compartments
    •  Logfile Watchers
    •  Appropriate level of defense (AppSec)
    Roles:
    •  Logwatchers
    •  Speed dial for the CDC / IR company
    •  Known Targets
       –  Internal bug finders
    Management:
    •  Risk Management
       –  By $ or Bodies, not Vectors
    •  Compartmentalization
       –  Inside is Hostile
  • 34. New Threats
    Company Needs:
    •  Practiced Reaction
    •  Risk Management
    •  Security Strategy
    Roles:
    •  Risk Management
    •  Security Plan Author
    Management:
    •  Financial answers
    •  Agreed-upon plans and systems in place
  • 35. Conclusion
    •  Elite folks are somewhat hard to find
    •  You probably don’t need them first
       –  But need intelligence to be sure
    •  Most company breaches are within your power to fix by hiring
    Level         | Basic                                  | Slog                                            | Advanced                                   | New
    Description   | Ongoing, common problems, easy to fix  | Known problems, hard to fix                     | Advanced attacks, hard to predict / fight  | Emerging threats
    Hiring Action | Project Management                     | Risk Management, Compartments, IR Expertise     | Intelligence, Architecture                 | Strategy and Management Organization
  • 36. QA
    •  Myles Conley
    •  myles@auspices.org
  • 37. Photo credits
    •  Thanks for releasing these photos under creative commons attribution or public domain licenses
    •  Raptor eye: jurvetson (flickr)
    •  P4 hacker: Image from http://unix.privacylover.com/page/2/ under creative commons license
    •  Kitchen photo: Photo by H Dragon on flickr
    •  Cheese factory: Photo by Waponi @ flickr
    •  E-Coli: Photo Credit: Rocky Mountain Laboratories, NIAID, NIH
    •  Mobile phone evolution: wikicommons, user Anders
    •  Holstein: wikicommons photo by US Government
    •  Tiger: Sumatran tiger, photographed at Diergaarde Blijdorp - wikicommons
    •  Gator: wikicommons