Cost of Attack
Prioritize security investments by the cost and impact on attacker operations
Mark Simos
https://aka.ms/markslist | @MarkSimos
Security is complex and challenging
Infrastructure / Application / Data / People
Attackers have a lot of options
• Forcing security into a holistic, complex approach
• Regulatory sprawl – 200+ daily updates from 750 regulatory bodies
• Threats – continuously changing threat landscape
• Security tools – dozens or hundreds of tools at customers
Must secure across everything
• Brand new – IoT, DevOps, and cloud services, devices and products
• Current/aging – 5-25 year old enterprise IT servers, products, etc.
• Legacy/ancient – 30+ year old Operational Technology (OT) systems
Nothing gets retired! Usually for fear of breaking something (and getting blamed).
Hybrid of Everything, Everywhere, All at Once
A 'data swamp' accumulates: managed data + unmanaged 'dark' data
10 Laws of Cybersecurity Risk
1. Security success is ruining the attacker ROI (return on investment)
2. Not keeping up is falling behind
3. Productivity always wins
4. Attackers don't care
5. Ruthless prioritization is a survival skill
6. Cybersecurity is a team sport
7. Your network isn't as trustworthy as you think it is
8. Isolated networks aren't automatically secure
9. Encryption alone isn't a data protection solution
10. Technology doesn't solve people & process problems
http://aka.ms/SecurityLaws
Cost of Attack
What it is – Analysis of the relative cost/friction to attack your assets and of the overall attacker return on investment (ROI)
Prevalence – Relatively new concept that builds on the existing security ROI concept
Primary use cases –
• Helps remove biases in defender thinking by requiring consideration of the attacker perspective (and triggering defenders to see attackers as adaptable and pragmatic humans)
• Increases accuracy of security defense prioritization by allowing defenders to better predict changes in attacker behavior (in response to planned/potential defense changes)
Known limitations –
• Prioritization also needs to consider other factors, including implementation cost, value of assets, ability to effectively implement and operate defenses, etc.
• Estimation is typically restricted to ordinal numbers (rankings such as low/medium/high), which can't accurately be added, multiplied, etc.
Defenders must focus on
A. Strong security controls + effective placement
B. Rapid response to attacks
C. Continuously testing & monitoring controls
Example attack: phishing email to an admin
Attacker's view: "Looks like they have NGFW, IDS/IPS, and DLP. I bet their admins (1) check email from admin workstations and (2) click on links for higher paying jobs."
Rating: Low
"Found passwords.xls. Now, let's see if admins save service account passwords in a spreadsheet..."
Rating: High
Replace the password.xls 'process' with
• PIM/PAM
• Workload identities
Sensitive Data Protection & Monitoring
• Discover business critical assets with business, technology, and security teams
• Increase security protections and monitoring processes
• Encrypt data with Azure Information Protection
Modernize Security Operations
• Add XDR for identity, endpoint (EDR), cloud apps, and other paths
• Train SecOps analysts on endpoints and identity authentication flows
Protect Privileged Accounts
• Require separate accounts for admins and enforce MFA/passwordless
• Privileged Access Workstations (PAWs) + enforce with Conditional Access
Rigorous Security Hygiene
• Rapid patching
• Secure configuration
• Secure operational practices
Example: Account Security
Attack techniques against accounts (the slide plots these by attacker cost; only the chart labels survive here):
• Password spray / brute force
• Password theft
• Insider coercion/extortion
• Impersonate via device/workstation compromise
• Insider coercion/extortion with sophisticated execution
Your budget spend should result in increased attacker cost/friction.
Chart note: measurability limitations
For more details, see https://aka.ms/spa-account
Disrupting Attacker Return on Investment (ROI)
• Attackers invest in attacks to get a return (money, prestige, promotions, etc.)
• Disrupt attackers from getting to their goals with
  A. Strong security controls + rapid response
  B. Effective placement of controls
  C. Continuously testing & monitoring controls
• Prioritize security investments (time, money, attention) using attacker cost and your cost
  • Attacker cost/disruption – increase attack friction/cost and reduce likelihood of success (past some attackers' breaking points)
  • Defender cost – practical, effective, and cost-effective (cheap) defenses
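The two ideas above, prioritizing by attacker cost and your cost while treating the ratings as ordinals that can only be ordered (slide 4's limitation), can be made concrete as a small prioritization routine. This is an added example, not code from the deck or from Microsoft. The candidate controls follow the deck's phishing -> admin workstation -> passwords.xls scenario; every Low/Medium/High rating, and the "another perimeter appliance" candidate, are assumptions made for illustration.

```python
"""Rank candidate defenses by effect on attacker cost, using ordinal ratings only.

Added example for the Cost of Attack deck, not the deck's own code. Controls follow
the deck's phishing/passwords.xls scenario; all ratings are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from functools import total_ordering
from typing import Iterable


@total_ordering
class Cost(Enum):
    """Ordinal scale: members can be ordered, never added, subtracted or multiplied."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3

    def __lt__(self, other: object) -> bool:
        if not isinstance(other, Cost):
            return NotImplemented
        return self.value < other.value


@dataclass(frozen=True)
class Defense:
    name: str
    path: str                    # attack path the control disrupts (deck scenario)
    attacker_cost_before: Cost   # assumed: what that path costs the attacker today
    attacker_cost_after: Cost    # assumed: cost once the control is deployed and monitored
    defender_cost: Cost          # assumed: our cost to implement and operate it

    def raises_attacker_cost(self) -> bool:
        return self.attacker_cost_after > self.attacker_cost_before


def dominates(a: Defense, b: Defense) -> bool:
    """a is no worse than b on every axis and strictly better on at least one.

    Ratings are only compared: "HIGH minus LOW" has no meaning on an ordinal
    scale, so controls are never scored by the size of the increase.
    """
    no_worse = (a.attacker_cost_after >= b.attacker_cost_after
                and a.attacker_cost_before <= b.attacker_cost_before
                and a.defender_cost <= b.defender_cost)
    better = (a.attacker_cost_after > b.attacker_cost_after
              or a.attacker_cost_before < b.attacker_cost_before
              or a.defender_cost < b.defender_cost)
    return no_worse and better


def pareto_front(defenses: Iterable[Defense]) -> list[Defense]:
    """Controls that no other candidate beats on all three axes at once."""
    useful = [d for d in defenses if d.raises_attacker_cost()]
    return [d for d in useful if not any(dominates(o, d) for o in useful if o is not d)]


def rank(defenses: Iterable[Defense]) -> list[Defense]:
    """Full ordering via stable sorts, least significant key first.

    Most significant: how expensive the path becomes for the attacker; then how
    cheap it is today (attackers take the cheapest option first); then our cost.
    Controls that add no attacker cost are dropped entirely.
    """
    ordered = [d for d in defenses if d.raises_attacker_cost()]
    ordered.sort(key=lambda d: d.defender_cost)
    ordered.sort(key=lambda d: d.attacker_cost_before)
    ordered.sort(key=lambda d: d.attacker_cost_after, reverse=True)
    return ordered


def ordinal_arithmetic_rejected() -> bool:
    """Confirms the scale refuses the add/multiply misuse the deck warns about."""
    try:
        Cost.LOW + Cost.HIGH  # type: ignore[operator]
    except TypeError:
        return True
    return False


# Constructed candidates for the deck's scenario (ratings are assumptions, not data).
CANDIDATES = [
    Defense("Replace passwords.xls with PIM/PAM and workload identities",
            "service account passwords read from a spreadsheet",
            Cost.LOW, Cost.HIGH, Cost.MEDIUM),
    Defense("Privileged Access Workstations enforced by Conditional Access",
            "admin reads mail and clicks links from an admin workstation",
            Cost.LOW, Cost.HIGH, Cost.HIGH),
    Defense("Separate admin accounts with MFA/passwordless",
            "phished credential reused for privileged access",
            Cost.LOW, Cost.MEDIUM, Cost.LOW),
    Defense("XDR for identity and endpoint, analysts trained on auth flows",
            "attacker dwell time after the initial foothold",
            Cost.LOW, Cost.MEDIUM, Cost.MEDIUM),
    Defense("Another perimeter appliance behind the existing NGFW/IDS/IPS",
            "network perimeter the phishing path never crosses",
            Cost.MEDIUM, Cost.MEDIUM, Cost.HIGH),
]

if __name__ == "__main__":
    for d in rank(CANDIDATES):
        print(f"{d.attacker_cost_before.name:>6} -> {d.attacker_cost_after.name:<6} "
              f"(us: {d.defender_cost.name:<6}) {d.name}")
    print("Pareto front:", [d.name for d in pareto_front(CANDIDATES)])
```

Two things fall out of running it. The extra perimeter appliance never appears in the ranking because the attacker's path goes around the perimeter, so it adds no attacker cost whatever it costs the defender. And the Pareto front keeps only the PIM/PAM replacement and the cheap MFA/separate-account control: PAWs raise attacker cost just as much as PIM/PAM but cost more to run, so they are dominated, which is the kind of trade-off a "risk score" built by multiplying ordinal ratings would hide.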
These slides are excerpts from Microsoft Security Architecture Design Session (ADS) Module 1, available through Microsoft Unified.

More Related Content

What's hot

Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn Hospital
Atlantic Training, LLC.
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
Information security awareness - 101
Information security awareness - 101Information security awareness - 101
Information security awareness - 101
mateenzero
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
William Mann
 
An introduction to Office 365 Advanced Threat Protection (ATP)
An introduction to Office 365 Advanced Threat Protection (ATP)An introduction to Office 365 Advanced Threat Protection (ATP)
An introduction to Office 365 Advanced Threat Protection (ATP)
Robert Crane
 
Information security awareness, middle management
Information security awareness, middle managementInformation security awareness, middle management
Information security awareness, middle management
haneen Emeir, CISA, ISO27001
 
Information Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing SudanInformation Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing Sudan
Ahmed Musaad
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
Xavier Mertens
 
Basic Security Training for End Users
Basic Security Training for End UsersBasic Security Training for End Users
Basic Security Training for End Users
Community IT Innovators
 
Microsoft 365 Security Overview
Microsoft 365 Security OverviewMicrosoft 365 Security Overview
Microsoft 365 Security Overview
Robert Crane
 
Check point Infinity Overview
Check point Infinity OverviewCheck point Infinity Overview
Check point Infinity Overview
Moti Sagey מוטי שגיא
 
IT Security
IT SecurityIT Security
IT Security
Mohsin Laiq
 
Check Point vs competition security effectiveness
Check Point vs competition security effectiveness Check Point vs competition security effectiveness
Check Point vs competition security effectiveness
Moti Sagey מוטי שגיא
 
Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016
Aujas
 
Segmentation on azure platform
Segmentation on azure platformSegmentation on azure platform
Segmentation on azure platform
Rachata Watthanawong
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information Security
Ken Holmes
 
Cyber-Security-.ppt
Cyber-Security-.pptCyber-Security-.ppt
Cyber-Security-.ppt
mabiratu
 
Email Security Awareness
Email Security AwarenessEmail Security Awareness
Email Security Awareness
Dale Rapp
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management Strategy
NetIQ
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness Training
Denis kisina
 

What's hot (20)

Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn Hospital
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Information security awareness - 101
Information security awareness - 101Information security awareness - 101
Information security awareness - 101
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
An introduction to Office 365 Advanced Threat Protection (ATP)
An introduction to Office 365 Advanced Threat Protection (ATP)An introduction to Office 365 Advanced Threat Protection (ATP)
An introduction to Office 365 Advanced Threat Protection (ATP)
 
Information security awareness, middle management
Information security awareness, middle managementInformation security awareness, middle management
Information security awareness, middle management
 
Information Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing SudanInformation Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing Sudan
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Basic Security Training for End Users
Basic Security Training for End UsersBasic Security Training for End Users
Basic Security Training for End Users
 
Microsoft 365 Security Overview
Microsoft 365 Security OverviewMicrosoft 365 Security Overview
Microsoft 365 Security Overview
 
Check point Infinity Overview
Check point Infinity OverviewCheck point Infinity Overview
Check point Infinity Overview
 
IT Security
IT SecurityIT Security
IT Security
 
Check Point vs competition security effectiveness
Check Point vs competition security effectiveness Check Point vs competition security effectiveness
Check Point vs competition security effectiveness
 
Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016
 
Segmentation on azure platform
Segmentation on azure platformSegmentation on azure platform
Segmentation on azure platform
 
Awareness Training on Information Security
Awareness Training on Information SecurityAwareness Training on Information Security
Awareness Training on Information Security
 
Cyber-Security-.ppt
Cyber-Security-.pptCyber-Security-.ppt
Cyber-Security-.ppt
 
Email Security Awareness
Email Security AwarenessEmail Security Awareness
Email Security Awareness
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management Strategy
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness Training
 

Similar to Cost of Attack

MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
angelohammond
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
 
How To Secure MIS
How To Secure MISHow To Secure MIS
How To Secure MIS
AaDi Malik
 
Management Information System Presentation
Management Information System PresentationManagement Information System Presentation
Management Information System Presentation
AaDi Malik
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
rbrockway
 
InsiderAttack_p3.ppt
InsiderAttack_p3.pptInsiderAttack_p3.ppt
InsiderAttack_p3.ppt
VaishnavGhadge1
 
CISSP Domain 03 Security Architecture and Engineering.pptx
CISSP Domain 03 Security Architecture and Engineering.pptxCISSP Domain 03 Security Architecture and Engineering.pptx
CISSP Domain 03 Security Architecture and Engineering.pptx
gealehegn
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
Mark Simos
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative World
SafeNet
 
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013   SIEM based …Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013   SIEM based …
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …
Andris Soroka
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer
 
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CloudIDSummit
 
Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10
Core Security Technologies
 
Daniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity storyDaniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity story
Microsoft Österreich
 
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
powerofgametest
 
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
Sreejesh Madonandy
 
Webinar: Microsoft 365 - Your Gateway to Data Loss Prevention
Webinar: Microsoft 365 - Your Gateway to Data Loss PreventionWebinar: Microsoft 365 - Your Gateway to Data Loss Prevention
Webinar: Microsoft 365 - Your Gateway to Data Loss Prevention
WithumSmith+Brown, formerly Portal Solutions
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
Digital Bond
 
Cloud Security Zen: Principles to Meditate On
Cloud Security Zen: Principles to Meditate OnCloud Security Zen: Principles to Meditate On
Cloud Security Zen: Principles to Meditate On
Samuel Reed
 
Cyber and information security operations and assurance
Cyber and information security operations and assurance Cyber and information security operations and assurance
Cyber and information security operations and assurance
EyesOpen Association
 

Similar to Cost of Attack (20)

MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
How To Secure MIS
How To Secure MISHow To Secure MIS
How To Secure MIS
 
Management Information System Presentation
Management Information System PresentationManagement Information System Presentation
Management Information System Presentation
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
InsiderAttack_p3.ppt
InsiderAttack_p3.pptInsiderAttack_p3.ppt
InsiderAttack_p3.ppt
 
CISSP Domain 03 Security Architecture and Engineering.pptx
CISSP Domain 03 Security Architecture and Engineering.pptxCISSP Domain 03 Security Architecture and Engineering.pptx
CISSP Domain 03 Security Architecture and Engineering.pptx
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative World
 
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013   SIEM based …Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013   SIEM based …
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
 
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
 
Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10
 
Daniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity storyDaniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity story
 
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
 
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
 
Webinar: Microsoft 365 - Your Gateway to Data Loss Prevention
Webinar: Microsoft 365 - Your Gateway to Data Loss PreventionWebinar: Microsoft 365 - Your Gateway to Data Loss Prevention
Webinar: Microsoft 365 - Your Gateway to Data Loss Prevention
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
 
Cloud Security Zen: Principles to Meditate On
Cloud Security Zen: Principles to Meditate OnCloud Security Zen: Principles to Meditate On
Cloud Security Zen: Principles to Meditate On
 
Cyber and information security operations and assurance
Cyber and information security operations and assurance Cyber and information security operations and assurance
Cyber and information security operations and assurance
 

Recently uploaded

Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
Arpan Buwa
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
aslasdfmkhan4750
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 

Recently uploaded (20)

Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 

Cost of Attack

  • 1. Cost of Attack Prioritize security investments by the cost and impact on attacker operations Mark Simos https://aka.ms/markslist | @MarkSimos
  • 2. Security is complex and challenging Infrastructure Application Data People Attackers have a lot of options  Forcing security into a holistic complex approach  Regulatory Sprawl - 200+ daily updates from 750 regulatory bodies  Threats – Continuously changing threat landscape  Security Tools – dozens or hundreds of tools at customers Must secure across everything  Brand New - IoT, DevOps, and Cloud services, devices and products  Current/Aging - 5-25 year old enterprise IT servers, products, etc.  Legacy/Ancient - 30+ year old Operational Technology (OT) systems Nothing gets retired! Usually for fear of breaking something (& getting blamed) Hybrid of Everything, Everywhere, All at Once ‘Data swamp’ accumulates managed data + unmanaged ‘dark’ data
  • 3. 10 Laws of Cybersecurity Risk Not keeping up is falling behind Productivity always wins Attackers don't care Ruthless Prioritization is a survival skill Cybersecurity is a team sport Your network isn’t as trustworthy as you think it is Isolated networks aren’t automatically secure Encryption alone isn’t a data protection solution Technology doesn't solve people & process problems http://aka.ms/SecurityLaws 10 9 8 7 6 5 4 3 2 Security success is ruining the attacker ROI (return on investment) 1
  • 4. Cost of Attack
    What it is – Analysis of the relative cost / friction to attack your assets & overall attacker return on investment (ROI)
    Prevalence – Relatively new concept that builds on the existing security ROI concept
    Primary Use Cases –
    • Helps remove biases in defender thinking by requiring consideration of the attacker perspective (and triggering them to see attackers as adaptable and pragmatic humans)
    • Increases accuracy of security defense prioritization – by allowing defenders to better predict changes in attacker behavior (in response to planned/potential defense changes)
    Known limitations –
    • Prioritization also needs to consider other factors including implementation cost, value of assets, ability to effectively implement and operate defenses, etc.
    • Estimation typically restricted to ordinal numbers (can’t be used accurately to add/multiply/etc.)
  • 5. Defenders must focus on
    A. Strong security controls + effective placement
    B. Rapid response to attacks
    C. Continuously testing & monitoring controls
  • 6. (Attacker’s perspective on the example environment) Looks like they have NGFW, IDS/IPS, and DLP [High cost of attack]. I bet their admins 1. check email from admin workstations, 2. click on links for higher paying jobs → Phishing email to admin [Low cost of attack]. Now, let’s see if admins save service account passwords in a spreadsheet… → Found passwords.xls
  • 7. Protect Privileged Accounts: Require separate accounts for Admins and enforce MFA/passwordless; Privileged Access Workstations (PAWs) + enforce with Conditional Access
    Replace the password.xls ‘process’ with: • PIM/PAM • Workload identities
    Sensitive Data Protection & Monitoring: • Discover business critical assets with business, technology, and security teams • Increase security protections and monitoring processes • Encrypt data with Azure Information Protection
    Modernize Security Operations: • Add XDR for identity, endpoint (EDR), cloud apps, and other paths • Train SecOps analysts on endpoints and identity authentication flows
    Rigorous Security Hygiene: • Rapid Patching • Secure Configuration • Secure Operational Practices
  • 8. Example: Account Security – techniques listed on the slide: • Password spray / brute force • Password theft • Insider Coercion/Extortion • Impersonate via Device/Workstation Compromise • Insider Coercion/Extortion with sophisticated execution. For more details, see https://aka.ms/spa-account
  • 9. Your budget spend should result in increased attacker cost/friction
    Measurability limitations
  • 10. Disrupting Attacker Return on Investment (ROI)
    • Attackers invest into attacks to get a return (money, prestige, promotions, etc.)
    • Disrupt attackers from getting to their goals with A. Strong security controls + rapid response, B. Effective placement of controls, C. Continuously testing & monitoring controls
    • Prioritize security investments (time, money, attention) using attacker cost and your cost
      • Attacker Cost / Disruption – increase attack friction/cost and reduce likelihood of success (past some attackers’ breaking points)
      • Defender Cost – Practical, effective, and cost-effective (cheap) defenses
    These slides are excerpts from Microsoft Security Architecture Design Session (ADS) Module 1, available through Microsoft Unified.

Editor's Notes

  1. Key Takeaway: These 10 Laws of Cybersecurity Risk provide a good guideline for security architecture and design.
Security success is ruining the attacker ROI – Security can’t achieve an absolutely secure state, so deter attackers by disrupting and degrading their ability to realize a return on investment (ROI). Increase the attacker’s cost and decrease the attacker’s return for your most important assets.
Not keeping up is falling behind – Security is a continuous journey, and if you aren't staying current it will continually get cheaper for attackers to successfully take control of your assets. You must continually update your security patches, security strategies, threat awareness, inventory, security tooling, security hygiene, security monitoring, permission models, and anything else that changes over time.
Productivity always wins – If security isn’t easy for users, they will work around it to get their job done. Always make sure solutions are secure and usable.
Attackers don't care – Attackers are willing to use any available method to get into your environment and increase control over it, including compromising a networked printer, a fish tank thermometer, a cloud service, a PC, a server, a Mac, a mobile device, use of a malicious insider, use of a configuration mistake, or just asking for passwords in a phishing email. Your job is to understand and take away the easiest and cheapest options as well as the most useful ones (e.g. anything that leads to administrative privileges across many systems).
Ruthless Prioritization is a survival skill – Nobody has enough time and resources to eliminate all risks to all resources. Always start with what is most important to the organization and most interesting to attackers, and continuously update this prioritization.
CLICK 1
Cybersecurity is a team sport – Nobody can do it all, so always focus on the things that only you (or your organization) can do to protect the organization's mission. For things that others can do better or cheaper, have them do it (security vendors, cloud providers, community).
Your network isn’t as trustworthy as you think it is – A security strategy that relies on passwords and trusting any intranet device is only marginally better than no security strategy at all. Attackers easily evade these defenses, so the trust level of each device, user, and application must be proven and validated continuously, starting from a level of zero trust.
Isolated networks aren’t automatically secure – While air-gapped networks can offer strong security when maintained correctly, successful examples are extremely rare because each node must be completely isolated from outside risk. If security is critical enough to place resources on an isolated network, you should invest in mitigations to address potential connectivity via methods such as USB media (e.g. required for patches), bridges to the intranet, external devices (e.g. vendor laptops on a production line), and insider threats that could circumvent all technical controls.
Encryption alone isn’t a data protection solution – Encryption protects against out-of-band attacks (on network packets, files, storage, etc.), but data is only as secure as the decryption key (key strength + protection from theft/copying) and other authorized means of access.
Technology doesn't solve people and process problems – While machine learning, artificial intelligence, and other technologies offer amazing leaps forward in security (if applied correctly), cybersecurity is a human challenge and will never be solved by technology alone.
Additional Information – For reference, these are the Immutable Laws of Security v2.1 (Technical Focus):
Law #1: If a bad actor can persuade you to run their program on your computer, it's not solely your computer anymore.
Law #2: If a bad actor can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad actor has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad actor to run active content in your website, it's not your website anymore.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.
  2. UNFINISHED SLIDE NOTES
Security does require strong controls, but it also requires you to carefully place those controls on all paths that attackers can use. You must also be ready to rapidly respond to attacks so that you can quickly contain any success they have. And you must constantly test and validate your controls to ensure that they will work when attackers attack.
Security is all about disrupting attackers’ return on investment (ROI): increase attacker cost/friction; lower the return on investment for an attack (access/change less data, less sensitive data, or gain access to less valuable systems). Most of the time via cost of attack?
  3. Let’s take a look at this through the eyes of an attacker and use real examples.
Attackers will quickly figure out that an organization has next-generation firewalls (NGFW), intrusion detection/prevention systems (IDS/IPS), Xxxxxxxxx. Going directly after these resources is generally a high cost of attack for them (unless your organization isn’t applying security updates and configuration best practices to your edge devices).
A common tactic that attackers use to get around this is to target IT administrators with phishing attacks. Who wouldn’t be tempted to click on the link that promised higher pay for a similar job role at another company? Most IT admins at most organizations use their administrative desktop for day-to-day email and web browsing, meaning that a successful attack or compromise through that phishing link would actually lead to control of the administrative desktop and all the credentials on it (including the administrative credentials that have privileges throughout the environment).
Now let’s say that they don’t get admin accounts right away. The attacker would go ahead and explore the local system and search for things like “passwords.xls“, which is a common way that IT admins store service account and other credentials. Once the attackers have access to this, it is fairly easy for them to silently access all of the business systems and data that they want for stealing it, altering it, or encrypting it for the purposes of a ransomware extortion payment. Most organizations do not have (rigorous) monitoring of these accounts and how they are used, making them blind to anomalous usage like this.
  4. UNFINISHED SLIDE NOTES
So what kinds of technical controls can help an organization mitigate these risks?
First, applying security controls to the business critical assets that matter most to the organization so that they have elevated preventive controls and monitoring/response processes to quickly block, detect, and recover from attacks on them.
Next, focusing on privileged accounts that have access to all assets across the organization and all of the means to gain control of them (such as compromising the admin‘s desktop, the storage of service account passwords, etc.).
Applying security hygiene like patching, configuration validation, and establishing safe standard processes for administrative practices.
Updating security operations tools, skills, and processes so that they are monitoring anomalies at the identity, application, data, and other layers in addition to monitoring for network layer anomalies.
Think of all controls as “parts of a whole” defense. Flip the “get 99% right and do one thing wrong” onto the attacker. Highlight that the ADS is built to show how to do this with identity/access, SOC, infra, etc.
  5. Key Takeaway – Defenders should be focusing on ruining the attacker's model by raising the cost of attack. The example here describes how to increase the cost of attacking a user’s or admin‘s account.
Increasing the cost of attack is designed to shift the landscape of security and the return on investment for attackers. This changes the “Defender’s dilemma” – one mistake in your defenses and the adversary will be successful anyway, sending defenders ‘back to the drawing board’ – into an “Attacker’s dilemma” – one mistake in your attack campaign will undo the hard work put into the attack (planning, researching, finding/purchasing vulnerabilities, etc.) and send the attackers ‘back to the drawing board’.
CLICK 1 – You should block the cheapest path to techniques first. These are attack techniques that have been used against you, your industry peers, and others in the industry. Blocking these will rapidly raise the cost to attack your environment.
CLICK 2 – You need good detection and response processes/capabilities to limit the time and freedom attackers have to conduct attacks on your environment and to explore while they are there. These capabilities will also quickly raise the cost to attack your environment.
CLICK 3 – Other investments should default to a lower priority than known attacks and detection/response. Once you have solid detection/response in place and key defenses against known attacks, your investments can start shifting toward potential and future attacks, but this is not a luxury most organizations can afford in their security budget or as an acceptable risk.
Consider your full return on investment – When evaluating security investments, you should also consider the level of effort required. Consider whether the security activity will consume a high amount of team time and resources (e.g. manual certificate management) that would be better spent on more effective defenses (e.g. applying patches, hunting for threats, implementing a different solution for device identity, etc.).
  6. Key Takeaway – Focusing on raising the cost of attack for attackers makes your organization more resilient to cybersecurity risk. Various types of attackers have different thresholds of cost of attack that they can withstand in the pursuit of their objectives (mission and money driven alike).
CLICK 1 – A defender’s budget should raise the cost of attack for all types of attackers (who may be specifically targeting the organization or opportunistically targeting many organizations).
CLICK 2 – Microsoft is focusing on simplifying the application and integration of advanced security techniques so that many organizations can benefit from these capabilities and help increase attacker cost.
Additional Information – Organized crime (especially ransomware/extortion gangs) can have a budget in excess of many nation state actors, but they are focused on profit opportunities, so they are often less determined to compromise a specific organization than a nation state actor.
  7. Key Takeaway: Cost of attack is a useful and powerful tool for guiding decisions despite some serious limitations on precisely measuring it.
While the term “cost” in cost of attack frequently makes people expect a clear “ratio” measurement like any other business cost in a budget spreadsheet, the precise number is actually very difficult to obtain and calculate. This is because attackers rarely publish these numbers (except occasionally in secretive dark markets / online forums). Additionally, the cost of attack for any given organization can vary considerably from another one and wouldn’t normally be posted in these markets.
Despite this limitation, cost of attack can be very useful for organizations as they consider and select security initiatives and capabilities to invest in. Some examples:
• Many organizations purchase security products for advanced features and capabilities (which often require further investment in training and operational staff). These organizations rarely ask whether these capabilities will add more friction/cost for the top attack profiles vs. other alternatives such as investment into security hygiene (like applying security patches), a lower cost initiative that uses existing security data/tools.
• Consolidate technical solutions to lower the burden on analysts and increase their ability to detect and respond to threats.
• A business may find it more effective (and cost effective) to implement business processes for employees handling money transfers (e.g. a phone call with someone who recognizes the CFO’s voice) vs. investing in expensive technical controls.
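Added illustration, not part of Mark Simos's deck or the Microsoft ADS material: a small ordinal model of the prioritization described on slides 4, 9 and 10 and in notes 5 and 7 ("block the cheapest path first", weigh attacker cost against defender cost, treat cost levels as ordinal), using attack paths and defenses taken from the admin-phishing example on slides 6 and 7. It assumes that a path is as hard as its hardest step and that the attacker takes the cheapest path; the path names, step names and Low/Medium/High values are constructed, and levels are only ever compared, never added.

```python
LEVELS = ["Low", "Medium", "High"]
RANK = {name: i for i, name in enumerate(LEVELS)}
# Constructed attack paths modelled on the deck's admin-phishing walkthrough:
# a path is a list of (step, ordinal attacker cost); steps are shared by name.
ATTACK_PATHS = {
    "phish admin, reuse cached admin creds": [
        ("phish admin on daily-use workstation", "Low"),
        ("harvest admin creds from workstation", "Low"),
        ("use admin access on business systems", "Low")],
    "phish admin, read passwords.xls": [
        ("phish admin on daily-use workstation", "Low"),
        ("read service account passwords from spreadsheet", "Low"),
        ("use service accounts on business systems", "Low")],
    "password spray an admin account": [
        ("password spray / brute force admin account", "Medium"),
        ("use admin access on business systems", "Low")],
}
# Constructed candidate defenses from slide 7: ({step: level it is raised to},
# ordinal defender cost). All level values are assumed, for illustration only.
DEFENSES = {
    "PAWs + separate admin accounts": (
        {"phish admin on daily-use workstation": "High"}, "Medium"),
    "MFA / passwordless for admins": (
        {"password spray / brute force admin account": "High"}, "Low"),
    "PIM/PAM replacing passwords.xls": (
        {"read service account passwords from spreadsheet": "High"}, "Medium"),
    "XDR on identity and endpoint": (
        {"use admin access on business systems": "Medium",
         "use service accounts on business systems": "Medium"}, "High"),
}

def environment_cost(chosen):
    """Attacker takes the cheapest path; a path is as hard as its hardest step."""
    raised = {}  # step -> highest level any chosen defense raises it to
    for name in chosen:
        for step, level in DEFENSES[name][0].items():
            raised[step] = max(raised.get(step, level), level, key=RANK.get)
    return min(max(max(RANK[level], RANK[raised.get(step, level)])
                   for step, level in steps)
               for steps in ATTACK_PATHS.values())

def prioritize():
    """Greedy: each round pick the defense that pushes the cheapest path highest
    (ties to the cheaper defense). Returns ([(defense, before, after)], leftovers)."""
    chosen, order = [], []
    while True:
        before, best = environment_cost(chosen), None
        for name in (n for n in DEFENSES if n not in chosen):
            key = (environment_cost(chosen + [name]), -RANK[DEFENSES[name][1]])
            if key[0] > before and (best is None or key > best[0]):
                best = (key, name)
        if best is None:
            return order, [n for n in DEFENSES if n not in chosen]
        chosen.append(best[1])
        order.append((best[1], LEVELS[before], LEVELS[best[0][0]]))
```

With the constructed values, `prioritize()` picks PAWs first (both phishing paths run through the admin workstation, so that single control lifts the cheapest path from Low to Medium), then MFA (Medium to High), and reports PIM/PAM and XDR as not raising the cheapest path further once every path is already at High, which is the point where the deck's detection/response and "parts of a whole" judgement takes over from the ordinal ranking.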