Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility

By Joshua Corman, Dir. Security Intelligence, Akamai Technologies (@joshcorman) & David Etue, VP of CorpDev Strategy, SafeNet Inc. (@djetue)
Cloud, virtualization, mobility, and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.
Watch the full webcast: https://www.brighttalk.com/webcast/2037/72187

  • Speaker note: Cons: Lots of new devices, maybe employee owned! Pros: Actually a "gold" image, centralized forensics, base image reversion, backup,

    1. Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
       Josh Corman, Director, Security Intelligence (@joshcorman); David Etue, VP, Corp Dev Strategy (@djetue)
    2. Agenda: Context; The Control Quotient; Today's Reality; Making it Personal; Examples; Transcending "Control"; Apply
    3. CONTEXT
    4. Forces of Security Change
    5. The IT Drunken Bender
    6. The Control Continuum
    7. Sphere of Control: Control
    8. Sphere of Influence vs. Control: Control; Influence
    9. InfoSec Serenity Prayer: Grant me the Serenity to accept the things I cannot change; Transparency to the things I cannot control; Relevant controls for the things I can; And the Wisdom (and influence) to mitigate risk appropriately.
    10. THE CONTROL QUOTIENT
    11. The Control Quotient Definition
        • Quotient (from http://www.merriam-webster.com/dictionary/quotient):
          – the number resulting from the division of one number by another
          – the numerical ratio, usually multiplied by 100, between a test score and a standard value
          – quota, share
          – the magnitude of a specified characteristic or quality
        • Control Quotient: optimization of a security control based on the maximum efficacy within the sphere of control (or influence or trust) of the underlying infrastructure*
        • *unless there is an independent variable…
    12. History
        • RSA Conference US 2009 P2P
          – An endpoint has a comprehensive, but suspect, view
          – The network has a trustworthy, but incomplete, view
    13. In Theory There Is An Optimal Place to Deploy a Control… But Degrees Of Separation Happen….
    14. Avoiding the Proverbial…
    15. TODAY'S REALITY
    16. Today's Reality
        • Administrative control of the entire system is lost
        • Increased attack surface
        • Abstraction has made systems difficult to assess
        • Expectation of anytime-anywhere access from any device
    17. The Control Quotient and the SPI Stack (CSA Cloud Model layers): Security Management & GRC; Identity/Entity Security; Data Security; Application Security; Host; Network; Infrastructure Security
    18. The Control Quotient and the SPI Stack (CSA Cloud Model, same layers): Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud force a change in how security controls are evaluated and deployed.
    19. Half Full or Half Empty? To be successful, we must focus on the control kept (or gained!), NOT the control lost…
    20. Controls Gained!!!
        • Virtualization and Cloud
          – Asset, Configuration and Change Management
          – Snapshot
          – Rollback
          – Pause
        • VDI
          – Asset, Configuration and Change Management
        • Mobility
          – Encryption (with containers)
        • Software-As-A-Service
          – Logging!
    21. MAKING IT PERSONAL
    22. A Parent's Most Valuable Asset?
    23. A Parent's Most Valuable Asset?
    24. Most Valuable Asset?
    25. Choosing Child Care? National Association for the Education of Young Children
    26. EXAMPLES
    27. Virtualization and Cloud Created An Entire New Definition of Privilege
    28. The Control Quotient and the SPI Stack: Amazon EC2 - IaaS; Google AppEngine - PaaS; Salesforce - SaaS (Stack by Chris Hoff -> CSA)
    29. The Control Quotient and the SPI Stack: Amazon EC2 - IaaS; Google AppEngine - PaaS; Salesforce - SaaS (Stack by Chris Hoff -> CSA). The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
    30. Cloud: Who Has Control?
        Model                    | Private Cloud | IaaS in Hybrid / Community / Public Cloud | PaaS/SaaS
        Whose Privileged Users?  | Customer      | Provider                                  | Provider
        Whose Infrastructure?    | Customer      | Provider                                  | Provider
        Whose VM / Instance?     | Customer      | Customer                                  | Provider
        Whose Application?       | Customer      | Customer                                  | Provider
        Law Enforcement Contact? | Customer      | Provider                                  | Provider
    31. More Than Just Technology… (images: http://www.flickr.com/photos/markhillary/6342705495, http://www.flickr.com/photos/tallentshow/2399373550)
    32. VDI: Centralizing the Desktop? (VDI Server; VDI Image; Storage)
    33. Mobile (image: http://www.flickr.com/photos/patrick-allen/4318787860/)
    34. Embedded Devices (image: http://www.sodahead.com/fun/eight...blue-screen.../question-2038989/CachedYou/?slide=2&page=4)
    35. Service Providers
    36. Old Ways Don't Work in New World… Most organizations are trying to deploy "traditional" security controls in cloud and virtual environments… but were the controls even effective then?
    37. TRANSCENDING "CONTROL"
    38. A Modern Pantheon of Adversary Classes
        • Actor Classes: States; Competitors; Organized Crime; Script Kiddies; Terrorists; "Hacktivists"; Insiders; Auditors
        • Motivations: Financial; Industrial; Military; Ideological; Political; Prestige
        • Target Assets: Credit Card #s; Web Properties; Intellectual Property; PII / Identity; Cyber Infrastructure; Core Business Processes
        • Impacts: Reputational; Personal; Confidentiality; Integrity; Availability
        • Methods: "MetaSploit"; DoS; Phishing; Rootkit; SQLi; Auth; Exfiltration; Malware; Physical
        http://www.slideshare.net/DavidEtue/adversary-roi-evaluating-security-from-the-threat-actors-perspective
    39. HD Moore's Law and Attacker Power
        • Moore's Law: Compute power doubles every 18 months
        • HDMoore's Law: Casual Attacker Strength grows at the rate of MetaSploit
        http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
    40. Countermeasures (pyramid, built up over slides 40 to 43): Situational Awareness; Operational Excellence; Defensible Infrastructure
    44. Control "Swim Lanes"
        • Swim lanes: PHI; "IP"; Web; PCI
        • Controls: AV; FW; IDS/IPS; WAF; Log Mngt; File Integrity; Disk Encryption; Vulnerability Assessment; Multi-Factor Auth; Anti-SPAM; VPN; Web Filtering; DLP; Anomaly Detection; Network Forensics; Advanced Malware; NG Firewall; DB Security; Patch Management; SIEM; Anti-DDoS; Anti-Fraud; …
        • Desired Outcomes / Leverage Points: Compliance (1..n); "ROI"; Breach / QB sneak; Productivity; …
    45. Control & Influence "Swim Lanes"
        • Swim lanes: Web; …; PHI; "IP"; PCI
        • Controls: (same list as slide 44)
        • Desired Outcomes / Leverage Points: Compliance (1..n); "ROI"; Breach / QB sneak; Procurement; Disruption; DevOps; Productivity; "Honest Risk"; General Counsel
    46. Under-tapped Researcher Influence
        • Swim lanes: Web; …; PHI; "IP"; PCI
        • Controls: (same list as slide 44)
        • Added influence lanes: Litigation; Legislation; Open Source; Hearts & Minds; Academia
        • Desired Outcomes / Leverage Points: Compliance (1..n); "ROI"; Breach / QB sneak; Procurement; Disruption; DevOps; Productivity; "Honest Risk"; General Counsel
    47. Potential Independent Variables
        • Encryption: with good key management…
        • Rootkits: well, rootkits for good…
        • Intermediary Clouds: Anti-DDoS, WAF, Message/Content, Identity, etc…
        • Identity and Access Management: with proper integration and process support
        • Software-As-A-Service (SaaS): *if* the provider harnesses the opportunity
    48. Apply!
        • Identify at least one opportunity to leverage a new swim lane
        • Identify one opportunity this year to influence each layer of the Pyramid
    49. THANK YOU! Josh Corman, Director, Security Intelligence (@joshcorman); David Etue, VP, Corp Dev Strategy (@djetue)
