Hacker Halted 2014 - Control Quotient: Adaptive Strategies For Gracefully Losing Control
•
1 like•403 views
Cloud, virtualization, mobility, and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.
Recommended
Recommended
More Related Content
Similar to Hacker Halted 2014 - Control Quotient: Adaptive Strategies For Gracefully Losing Control
Similar to Hacker Halted 2014 - Control Quotient: Adaptive Strategies For Gracefully Losing Control (20)
More from EC-Council
More from EC-Council (20)
Recently uploaded
Recently uploaded (20)
Hacker Halted 2014 - Control Quotient: Adaptive Strategies For Gracefully Losing Control
- 1. Control Quo*ent: Adap*ve Strategies For Gracefully Losing Control
- 2. Agenda Context The Control Quo*ent Today’s Reality Making it Personal Examples Transcending “Control” Apply
- 3. CONTEXT
- 4. Forces of Constant Change Evolving Threats BUSINESS COMPLEXITY = RISING COSTS Evolving Technologies Evolving Compliance Evolving Economics Evolving Business Needs
- 5. The IT Drunken Bender
- 6. The Control Con*nuum Dictator Surrender
- 7. Sphere of Control Control
- 8. Sphere of Influence vs. Control Influence Control
- 10. The Control Quo*ent Defini*on • QuoGent: (from hOp://www.merriam-‐webster.com/dic*onary/quo*ent ) – the number resul*ng from the division of one number by another – the numerical ra*o usually mul*plied by 100 between a test score and a standard value – quota, share – the magnitude of a specified characterisGc or quality • Control QuoGent: opGmizaGon of a security control based on the maximum efficacy within sphere of control (or influence or trust) of the underlying infrastructure* • *unless there is an independent variable…
- 11. History • RSA Conference US 2009 P2P with @joshcorman – An endpoint has a comprehensive, but suspect, view – The network has a trustworthy, but incomplete, view
- 12. In Theory There Is An Op*mal Place to Deploy a Control… But Degrees Of Separa/on Happen….
- 14. TODAY’S REALITY
- 15. Today’s Reality • Administra*ve control of en*re system is lost • Increased aOack surface • Abstrac*on has made systems difficult to assess • Expecta*on of any*me-‐anywhere access from any device
- 16. The Control Quo*ent and the SPI Stack Security Management & GRC IdenGty/EnGty Security Data Security Host Network Infrastructure Security ApplicaGon Security CSA Cloud Model Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
- 17. The Control Quo*ent and the SPI Stack CSA Cloud Model Security Management & GRC IdenGty/EnGty Security Data Security Host Network Infrastructure Security ApplicaGon Security Virtualiza/on, So:ware Defined Networks, and Public/Hybrid/Community Cloud Forces a Change in How Security Controls Are Evaluated and Deployed
- 18. Half Full or Half Empty? To Be Successful, We Must Focus on the Control Kept (or Gained!), NOT the Control Lost…
- 19. Controls Gained!!! • Virtualiza*on and Cloud – Asset, Configura*on and Change Management – Snapshot – Rollback – Pause • VDI – Asset, Configura*on and Change Management • Mobility – Encryp*on (with containers) • Sogware-‐As-‐A-‐Service – Logging!
- 21. A Parent’s Most Valuable Asset?
- 22. A Parent’s Most Valuable Asset?
- 23. Most Valuable Asset? …Yet Most Parents Allow Their Kids to Leave Their Control
- 24. Choosing Child Care? NaGonal AssociaGon for the EducaGon of Young Children
- 25. EXAMPLES
- 26. Virtualiza*on and Cloud Created An En*re New Defini*on of Privilege
- 27. The Control Quo*ent and the SPI Stack Amazon EC2 - IaaS Salesforce - SaaS Google AppEngine - PaaS Stack by Chris Hoff -‐> CSA Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” by Chris Hoff -‐> CSA
- 28. The Control Quo*ent and the SPI Stack The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself. Amazon EC2 - IaaS Salesforce - SaaS Google AppEngine - PaaS Stack by Chris Hoff -‐> CSA Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” by Chris Hoff -‐> CSA
- 29. So, Whose Cloud Is It Anyway? Model Private Cloud IaaS in Hybrid / Community / Public Cloud PaaS/SaaS Whose Privilege Users? Customer Provider Provider Whose Infrastructure? Customer Provider Provider Whose VM / Instance? Customer Customer Provider Whose ApplicaGon? Customer Customer Provider Government Discovery Contact? Customer Provider Provider
- 30. More Than Just Technology… hOp://www.flickr.com/photos/markhillary/6342705495 hOp://www.flickr.com/photos/tallentshow/2399373550
- 31. VDI: Centralizing the Desktop? VDI Server VDI Image Storage
- 33. IoT / Embedded Devices hOp://www.sodahead.com/fun/eight...blue-‐screen.../ques*on-‐2038989/CachedYou/?slide=2&page=4
- 35. Old Ways Don’t Work in New World… Most organiza/ons are trying to deploy “tradi/onal” security controls in cloud and virtual environments…but were the controls even effec/ve then?
- 37. A Modern Pantheon of Adversary Classes Actor Classes Script Kiddies Terrorists “HacGvists” Insiders Auditors Mo*va*ons States CompeGtors Organized Crime Financial Industrial Military Ideological PoliGcal PresGge Target Assets Intellectual Property PII / IdenGty Methods Credit Card #s Web ProperGes “MetaSploit” DoS Phishing Rootkit SQLi Auth Cyber Infrastructure ExfiltraGon Core Business Processes Malware Physical Impacts ReputaGonal Personal ConfidenGality Integrity Availability Link to Full Adversary ROI Presenta.on Source: Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M? (RSA US 2012) by Josh Corman and David Etue.
- 38. HD Moore’s Law and AOacker Power • Moore’s Law: Compute power doubles every 18 months • HDMoore’s Law: Casual AOacker Strength grows at the rate of MetaSploit Source: Joshua Corman, hOp://blog.cogni*vedissidents.com/2011/11/01/intro-‐to-‐hdmoores-‐law/
- 39. Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
- 40. ODpeSfeietrCnuaos*aui*obnonletnae Ilar nEml fxArecawaessatllrureuerncenctseeu s rse Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
- 41. Opera*onal Excellence Defensible SitCuao*uonntearlm Infrastructure Aewaasruerneess s Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
- 42. Situa*onal Awareness Opera*onal Excellence Defensible Countermeasures Infrastructure Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
- 43. Countermeasures Situa*onal Awareness Opera*onal Excellence Defensible Infrastructure Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
- 44. Control “Swim Lanes” Desired Leverage Points Outcomes PCI PHI “IP” Web AV FW IDS/IPS WAF Log Mngt File Integrity Disk Encryp*on Vulnerability Assessment Mul*-‐Factor Auth An*-‐SPAM VPN Web Filtering DLP Anomaly Detec*on Network Forensics Advanced Malware NG Firewall DB Security Patch Management SIEM An*-‐DDoS An*-‐Fraud … Compliance (1..n) Produc*vity “ROI” Breach / QB sneak … Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
- 45. Control & Influence “Swim Lanes” Desired Leverage Points Outcomes PCI PHI “IP” Web … AV FW IDS/IPS WAF Log Mngt File Integrity Disk Encryp*on Vulnerability Assessment Mul*-‐Factor Auth An*-‐SPAM VPN Web Filtering DLP Anomaly Detec*on Network Forensics Advanced Malware NG Firewall DB Security Patch Management SIEM An*-‐DDoS An*-‐Fraud … Compliance (1..n) Produc*vity DevOps “ROI” Breach / QB sneak “Honest Risk” General Counsel Procurement Disrup*on Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
- 46. Under-‐tapped Researcher Influence Desired Leverage Points Outcomes PCI PHI “IP” Web … AV FW IDS/IPS WAF Log Mngt File Integrity Disk Encryp*on Vulnerability Assessment Mul*-‐Factor Auth An*-‐SPAM VPN Web Filtering DLP Anomaly Detec*on Network Forensics Advanced Malware NG Firewall DB Security Patch Management SIEM An*-‐DDoS An*-‐Fraud … Li*ga*on Legisla*on Open Source Hearts & Minds Academia Compliance (1..n) Produc*vity DevOps “ROI” Breach / QB sneak “Honest Risk” General Counsel Procurement Disrup*on Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
- 47. Poten*al Independent Variables EncrypGon • with good key management… Rootkits • well, rootkits for good… Intermediary Clouds • AnG-‐DDoS, WAF, Message/Content, IdenGty, etc… IdenGty and Access Management • with proper integraGon and process support Sofware-‐As-‐A-‐Service (SaaS) • *if* the provider harnesses the opportunity
- 48. InfoSec Serenity Prayer Grant me the Serenity to accept the things I cannot change; Transparency to the things I cannot control; Relevant controls for the things I can; And the Wisdom (and influence) to mitigate risk appropriately.
- 49. Thank You! • TwiOer: @djetue • Resources: – Adversary ROI: • [SlideShare] • [RSA US 2012 Online on YouTube] – The Cyber Security Playbook: Securing Budget and Forming Allies (with @joshcorman) [BrightTALK]