Cloud, virtualization, mobility, and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.
10. The Control Quotient Definition
• Quotient: (from http://www.merriam-webster.com/dictionary/quotient)
 – the number resulting from the division of one number by another
 – the numerical ratio usually multiplied by 100 between a test score and a standard value
 – quota, share
 – the magnitude of a specified characteristic or quality
• Control Quotient: optimization of a security control based on the maximum efficacy within the sphere of control (or influence or trust) of the underlying infrastructure*
• *unless there is an independent variable…
11. History
• RSA Conference US 2009 P2P with @joshcorman
 – An endpoint has a comprehensive, but suspect, view
 – The network has a trustworthy, but incomplete, view
12. In Theory There Is An Optimal Place to Deploy a Control… But Degrees Of Separation Happen….
15. Today’s Reality
• Administrative control of the entire system is lost
• Increased attack surface
• Abstraction has made systems difficult to assess
• Expectation of anytime-anywhere access from any device
16. The Control Quotient and the SPI Stack
(Diagram: CSA Cloud Model layers: Security Management & GRC; Identity/Entity Security; Data Security; Host, Network, Infrastructure Security; Application Security)
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
17. The Control Quotient and the SPI Stack
(Diagram: CSA Cloud Model layers: Security Management & GRC; Identity/Entity Security; Data Security; Host, Network, Infrastructure Security; Application Security)
Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud Forces a Change in How Security Controls Are Evaluated and Deployed
18. Half Full or Half Empty?
To Be Successful, We Must Focus on the Control Kept (or Gained!), NOT the Control Lost…
27. The Control Quotient and the SPI Stack
(Diagram: Amazon EC2 - IaaS; Google AppEngine - PaaS; Salesforce - SaaS)
“Stack” by Chris Hoff -> CSA
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
28. The Control Quotient and the SPI Stack
The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
(Diagram: Amazon EC2 - IaaS; Google AppEngine - PaaS; Salesforce - SaaS)
“Stack” by Chris Hoff -> CSA
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
29. So, Whose Cloud Is It Anyway?
Model                          | Private Cloud | IaaS in Hybrid / Community / Public Cloud | PaaS/SaaS
Whose Privilege Users?         | Customer      | Provider                                  | Provider
Whose Infrastructure?          | Customer      | Provider                                  | Provider
Whose VM / Instance?           | Customer      | Customer                                  | Provider
Whose Application?             | Customer      | Customer                                  | Provider
Government Discovery Contact?  | Customer      | Provider                                  | Provider
30. More Than Just Technology…
http://www.flickr.com/photos/markhillary/6342705495
http://www.flickr.com/photos/tallentshow/2399373550
35. Old Ways Don’t Work in New World…
Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments…but were the controls even effective then?
37. A Modern Pantheon of Adversary Classes
Actor Classes: Script Kiddies, Terrorists, “Hacktivists”, Insiders, Auditors, States, Competitors, Organized Crime
Motivations: Financial, Industrial, Military, Ideological, Political, Prestige
Target Assets: Intellectual Property, PII / Identity, Credit Card #s, Web Properties, Cyber Infrastructure, Core Business Processes
Methods: “MetaSploit”, DoS, Phishing, Rootkit, SQLi, Auth, Exfiltration, Malware, Physical
Impacts: Reputational, Personal, Confidentiality, Integrity, Availability
Link to Full Adversary ROI Presentation
Source: Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M? (RSA US 2012) by Josh Corman and David Etue.
38. HD Moore’s Law and Attacker Power
• Moore’s Law: Compute power doubles every 18 months
• HDMoore’s Law: Casual Attacker Strength grows at the rate of MetaSploit
Source: Joshua Corman, http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
39. Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
40. (Diagram: Operational Excellence; Defensible Infrastructure; Situational Awareness; Countermeasures)
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
41. Operational Excellence
(Diagram: Operational Excellence; Defensible Infrastructure; Situational Awareness; Countermeasures)
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
42. Situational Awareness
(Diagram: Operational Excellence; Defensible Infrastructure; Situational Awareness; Countermeasures)
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
43. Countermeasures
(Diagram: Operational Excellence; Defensible Infrastructure; Situational Awareness; Countermeasures)
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
44. Control “Swim Lanes”
Lanes: PCI, PHI, “IP”, Web
Leverage Points: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, …
Desired Outcomes: Compliance (1..n), Productivity, “ROI”, Breach / QB sneak, …
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
45. Control & Influence “Swim Lanes”
Lanes: PCI, PHI, “IP”, Web, …
Leverage Points: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, …
Desired Outcomes: Compliance (1..n), Productivity, DevOps, “ROI”, Breach / QB sneak, “Honest Risk”, General Counsel, Procurement, Disruption
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
46. Under-tapped Researcher Influence
Lanes: PCI, PHI, “IP”, Web, …
Leverage Points: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, …, Litigation, Legislation, Open Source, Hearts & Minds, Academia
Desired Outcomes: Compliance (1..n), Productivity, DevOps, “ROI”, Breach / QB sneak, “Honest Risk”, General Counsel, Procurement, Disruption
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
47. Potential Independent Variables
Encryption
• with good key management…
Rootkits
• well, rootkits for good…
Intermediary Clouds
• Anti-DDoS, WAF, Message/Content, Identity, etc…
Identity and Access Management
• with proper integration and process support
Software-As-A-Service (SaaS)
• *if* the provider harnesses the opportunity
48. InfoSec Serenity Prayer
Grant me the Serenity to accept the things I cannot change;
Transparency to the things I cannot control;
Relevant controls for the things I can;
And the Wisdom (and influence) to mitigate risk appropriately.
49. Thank You!
• Twitter: @djetue
• Resources:
 – Adversary ROI: [SlideShare] [RSA US 2012 Online on YouTube]
 – The Cyber Security Playbook: Securing Budget and Forming Allies (with @joshcorman) [BrightTALK]