2. Ponemon 2016:
From 874 incidents 568 were caused by employee or contractor negligence
Companies investing upwards of $4 million to mitigate these threats
Verizon Data Breach Investigations report 2017:
Those involved in breaches: 25% from internal actors
2016 IBM Cyber Security Intelligence Index:
60% of all attacks were carried out by insiders
Zero trust model
3. US House of Representatives Committee recommends Zero-trust model to federal agencies
Forrester Report coins the term Zero-trust model and suggests focus on data-driven network design
VMWare: Time to build a Zero-Trust network
Trust, but verify (Russian proverb made famous by Ronald Reagan in reference to nuclear disarmament)
Zero trust model cont.
5. Build in four-eyes
Role based access
Divide and Conquer
Modular segregation of duties
No perimeter is the perimeter
Jump hosts, Privileged Access Workstations (PAWs)
Architectural Complexities
6. Logically segment subnets
Control routing behavior
Enable Forced Tunneling
Use Virtual network appliances
Deploy DMZs for security zoning
Avoid exposure to the Internet with dedicated WAN links
Optimize uptime and performance
Use global load balancing
Disable RDP Access to Azure Virtual Machines
Enable Azure Security Center
Extend your datacenter into Azure
Security Best-Practices (Azure)
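As an added illustration (not from the deck) of the "Disable RDP Access to Azure Virtual Machines" and subnet-segmentation items above: a small Python audit that walks a constructed set of NSG-style inbound rules in Azure's evaluation order (ascending priority number, first match wins) and reports whether TCP/3389 from a public probe address would be admitted, with the weak rule set beside a hardened one. The rule dictionaries, rule names and the probe address are assumptions; service tags other than Internet and VirtualNetwork are not modelled.

```python
import ipaddress

# Constructed NSG-style inbound rules (not real Azure output); Azure walks them by ascending
# priority, first match wins, and 65000+ are the platform default rules.
SAMPLE_RULES = [
    {"name": "allow-rdp-anywhere", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "*", "destPort": "3389"},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "source": "VirtualNetwork", "destPort": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "source": "*", "destPort": "*"},
]
# Hardened variant: explicit Internet deny outranks the broad allow; RDP from inside the VNet
# (e.g. a jump host) still works.
HARDENED_RULES = [{"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound",
                   "access": "Deny", "protocol": "Tcp", "source": "Internet",
                   "destPort": "3389"}] + SAMPLE_RULES

def port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")     # "3389" or "3000-4000"
    return int(lo) <= port <= int(hi or lo)

def source_matches(prefix, src):
    ip = ipaddress.ip_address(src)
    if prefix == "*":
        return True
    if prefix == "Internet":
        return ip.is_global
    if prefix == "VirtualNetwork":   # approximation: RFC 1918 space stands in for the VNet
        return ip.is_private
    try:
        return ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:               # other service tags are not modelled here
        return False

def inbound_verdict(rules, src, port=3389, protocol="Tcp"):
    """First matching inbound rule in priority order: returns (access, rule name)."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != "Inbound" or r["protocol"] not in ("*", protocol):
            continue
        if port_matches(r["destPort"], port) and source_matches(r["source"], src):
            return r["access"], r["name"]
    return "Deny", "(implicit)"      # DenyAllInBound normally makes this unreachable

def rdp_exposed_to_internet(rules, probe="1.2.3.4"):
    """Name of the rule admitting RDP from a public probe address, or None if denied."""
    access, name = inbound_verdict(rules, probe)
    return name if access == "Allow" else None
```

Run the same check over exported NSG rules to catch an exposed management port before it reaches production.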
7. Lock away master keys
Create individual groups
Define policies to govern access permissions
Grant least privilege
Four-eye approval for granting access levels
Configure strong password policies
Enable MFA
Delegate roles instead of sharing
Automate on-boarding, off-boarding procedures
User Access Controls
8. Ensure security policy compliance
Encrypt Data
Limit Access to information
Classify information assets (PII relevancy)
Privacy by design
GDPR and Privacy Best Practices
9. Develop protection mechanisms on the data itself and ensure it's transient
Format-Preserving Encryption
Secure Stateless Tokenization
Data-centric security
11. Too big to be agile?
Old vs. new mindset:
DevOps design (integrated with Sec and Priv Ops)
SDNs
Agile API connectivity
Container technology
Cloud scalability
Federated global access
The Enterprise: A Sleeping Dinosaur
13. Re-build your architectures under the Zero-trust mindset
Fire or re-train existing staff-base
Tear up existing infrastructure (dept-by-dept) and start again, or build out and replace
Hire security, privacy and engineering staff, remove infrastructure, maintenance
Re-architect for data-centric security design
Leverage generic best-practice cloud provided architectures and automatic deployment
Where does the model leave us?
18. Conflicting positions
Outsource, but trust
No choice
Complicated architectures
Not simple
Zero-trust model
Incredibly hard to implement, hinders productivity, transparency, time to market etc.
22. The new trust chain
Now you have a distributed ledger
Powered by your group
(Can remain corporate, but being public offers the most advantages, but now you have to be transparent)
Can track tampering across platforms
Transparency
25. Chains of trust can be established
Chain your hardware key-chain
TPM is making a comeback
Chain your data
With transactional and distributed ledger
Control your IDs
Trust: “At the heart of everything is identity” - Russinovich
26. Track and Monitor everything!
Really?
Show me the money calls your Splunk agent …
Craziness raises its head again
SIEM data storage on average = 6, 9 or 12 months
Statistics on data breach detections:
~4, 6 months globally
~15 months in EMEA
APT detection (Stuxnet)?
Compromises usually identified by external source
27. Track and Monitor everything!
HPE recognised this issue long before anyone else: but will we ever see the fruits of the research labour: "The Machine"
Data Rich but insight poor
Design a machine that scales
Exponential data explosion
Datacentre energy consumption > UK, forecast to grow
Memory-driven computing
29. Do I think this will work?
At every iteration no one talks about simplification
More intricate architecture to support simplicity
Every abstraction reveals another attack surface
The onion bites back: Row hammer, Spectre, SgxSpectre, Meltdown, etc.
Zero-trust model simply isn't workable when business demands lightning response times and agility
Company loyalty dead in an outsourced world
Apple (backup), Google (MFA) and China?
30. There is always hope – there must be hope!
Aragorn: "What is your name?"
Háleth: "Háleth, son of Háma, my lord."
Háleth: "The men are saying that we will not live out the night. They say that it is hopeless."
Aragorn: "There is always hope."
31. We live in a world of faith not trust!
Reiterating Dan Geer’s Cybersecurity requirements (BH 2014)
1. Mandatory reporting
2. Net neutrality
3. Source code liability
4. Strike back
5. Resiliency
6. Vulnerability finding
7. Right to Be Forgotten
8. Internet voting
9. Abandonment (open src)
10. Convergence (physical and cyber)
11. In-sourcing (JS)
12. Quantum technologies (JS)