Moving beyond Vulnerability Testing

Most organizations have started to include either static or dynamic application security testing as part of their overall test strategy.

This additional test effort is due in large part to the cyber security risks that are emerging. These risks create an urgent need to move beyond testing and to institutionalize security as part of every organization’s software development/acquisition culture.

This presentation covers real-life examples of how to enable this type of behavioral change in your organization.

First presented at HP Discover Barcelona 2014 by Gopal Padinjaruveetil, Chief Application Security and Compliance Architect, Capgemini.

Moving beyond Vulnerability Testing

  1. Moving beyond Vulnerability Testing – Gopal Padinjaruveetil CISA, CISM, CRISC, CGEIT, TOGAF9, Chief Application Security and Compliance Architect. December 04 2014, #HPdiscover @pkgopala
  2. Let’s take a closer look at where we are today. (innovating with you)
  3. I am tired of catching up.. I need resilience. “A fever is a symptom. There's an underlying disease that causes it. Giving you a fever (sitting in a sauna) doesn't make you sick, and getting rid of the fever (in a cold bath, for example) doesn't always get rid of the illness… Spending time and money gaming symptoms and effects is common and urgent, but it's often true that you'd be better off focusing on the disease (the cause) instead.” – Seth Godin. A security vulnerability is a symptom; the root cause is always something else. HP Discover 2014 | Gopal Padinjaruveetil | December 2014 – Copyright © Capgemini 2014 – All Rights Reserved
  4. “You can fix it on the drawing board with an eraser or you can fix it on the site with a sledgehammer.” – Frank Lloyd Wright
  5. The Internet as it is today.. and this picture is changing fast. Source: Shodan
  6. Technology growing at an exponential rate. If technology is growing at an exponential rate and we do nothing, the security threats too would rise exponentially..
     • IPv4 = 4 Billion devices (size of a postage stamp)
     • IPv6 = 340 Trillion Trillion Trillion (Undecillion) devices (size of the Solar system); 2^63 = 18,446,744,073,709,551,615
     • 50 billion Connected Devices by 2020
     • 9.9 Trillion market Value
     • Over 80 trillion email spam messages a year
     • Connected Cars, Connected cities, Connected Devices
     • 2025? Connected Bodies (BYBN)
     • 2035? Finally Singularity* in 2045?
     * According to Ray Kurzweil, by the year 2045 “human intelligence will enhance a billion-fold thanks to high-tech brain extensions”, a phenomenon known as the “singularity”, a point at which humans and computers will merge into one. This sort of “one in two” will create serious challenges for security and in the allocation of moral accountability between the two…
  7. Deep web – How deep? If we do nothing we have to assume the deep web would expand on a logarithmic scale.
     • Deep Web is currently 400 to 550 times larger than the commonly defined World Wide Web.
     • The deep Web contains 7,500 terabytes of information compared to 19 terabytes of information in the surface Web.
     • The deep Web contains nearly 550 billion individual documents compared to the 1 billion of the surface Web.
     • $45 Billion industry – Yankee Group
     • Google: Number of Systems: 500,000; Bandwidth = 1500 Gps
     • Botnets: Number of systems: 6,400,000; Bandwidth: 28 Terabits
     What will the numbers be in 2020?
  8. Do we realize the seriousness of the problem? Denial is not an option. “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” – FBI Director Robert Mueller. Maintaining a code of silence will not serve us in the long run.
  9. “Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!” – The Red Queen, to Alice, in Lewis Carroll’s Through the Looking Glass. A real lesson from a kids’ fantasy tale: the adversary is constantly advancing its capabilities.. Can we overtake them at the current pace?
  10. “Unless we change our direction, we are likely to end up where we are headed.” – unknown
  11. We need to build Trust in Information Technology:
     • Trust in People
     • Trust in Organizations
     • Trust in Governments
     • Trust in Devices
     • Trust in Data
     • Trust in Systems and Applications
     • Trust in communication networks (Internet)
  12. What can we do? (1) Secure by Design, not Chance; (2) Adapt, Evolve and Mutate; (3) Change Behaviors; (4) Collaborate.
  13. Secure by Design, Not Chance (growing with you)
  14. The natural world is a good example of an Intelligent Design for Security:
     • The Central Nervous system
     • The Blood Brain Barrier
     • The Immune system
     • The Camouflage
     • The Reflex Action
     • The Adrenaline
     • Many More..
     Survival of the fittest (Resilience) requires design as a “way of thinking”.
  15. What will an intelligent Secure by Design in IT look like?
     • Secure at Design Time – Prevention as the overarching design principle
       • Digital Identity and Access – Humans and Things
       • Protect sensitive information in transit and at rest (structured and unstructured)
       • Protect your end points (including human end points)
       • Optimize your attack surface
       • Every component must protect itself (there are no more boundaries)
     • Secure at Run Time – Detect and Respond in Real Time as the overarching design principle
       • Capability to scan the environment and be vigilant for threats all the time (internal and external)
       • Reflex – how fast can you respond to threats?
       • Is the response context aware?
       • Continuous evaluation of the defense
       • Defense to be automated as much as possible
  16. Adapt, Evolve and Mutate (accelerating with you)
  17. Prey and Predators – the natural world is a hostile place. Even the best intelligent design will not protect you 100%.. Same in the World of Information Technology.
  18. Change is inevitable.. Adaptation is Optional.
  19. Evolutionary Design – embraces the fact of an evolving system understanding, and helps the system’s design evolve. Evolving and adapting through mutation is the only way to survive in a hostile world.
  20. How does this concept translate to Cyber Security?
     Protection against Opportunistic attacks – Easy:
     • Protect your perimeter
     • Protect your end points
     • Patch your systems
     • Protect against Phishing attacks
     • Protect against Zero Day attacks
     Protection against Targeted attacks – Difficult:
     • Digital evidence is often left behind that can reveal the attacker’s intent, skill level, and knowledge of the target
     • Develop capability to detect and respond to an attack in near real time
     • Correlation of discrete and disparate events to provide an early warning system
     • Big Data and Predictive Data Analytics with Machine Learning (“learn” from data)
     • Organizational Awareness and behavior change can go a long way
  21. Changing Behavior and Culture (innovating with you)
  22. The Big Conundrum – the Risk Tolerance should be reflected in the Organization Culture and policies. The Digital Transformation is driving sky-high Business Ambition.. VS the double-sided squeeze: the bad guys on one side and Government Regulations and penalties on the other side are driving enterprises to almost Zero Risk Tolerance. Finding the right balance is key..
  23. Consider all layers (both the visible and invisible realms)
     The Human Layer:
     • 10 Government (Regulations / Politics)
     • 9 Organizations (Culture / Politics)
     • 8 User (PICNIC – ID 10T Error)
     The Technology Layer:
     • 7 Application
     • 6 Presentation
     • 5 Session
     • 4 Transport
     • 3 Network
     • 2 Data Link
     • 1 Physical
     “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu, The Art of War
  24. A few change considerations to think about..
     • Cyber Security as a Strategic Driver.
     • Cyber Security is not an IT problem – it is an organizational problem. A Cyber Security weakness is an organizational weakness, not an IT weakness.
     • Security is everybody’s business – not just the CISOs’ and CIOs’.
     • Culture in Context – Societal, Organizational, People.
     • Finding inhibitors to a Culture of Security and removing or addressing them.
     • Is Security Funding in line with the enterprise security risk tolerance levels? Some bad actors are extremely well funded.. Is your defense well funded?
     • Enterprises should regard cyber attack as a certainty, not a probability.
     • Risk from the extended enterprise (vendors, suppliers, contractors ..)
     People + Process + Technology + PERCEPTION
  25. To bring behavior changes in Cyber Security, we need to understand how the Human Brain, Cognition and Awareness work – addressing root cause vs symptom.
  26. Collaboration (collaborating with you)
  27. If Penguins are collaborating.. why can’t we humans? For more on collaborative systems present in nature watch: http://www.youtube.com/watch?v=IzS7CRaCEtU#t=424
  28. The Bad People are Collaborating.. so why not the good people? “Offense must Inform Defense..” Maintaining a code of silence will not serve us in the long run.
  29. We need collaboration not just within and between people but..
     • Trusted Collaboration within and between Governments
     • Trusted Collaboration within and between Organizations
     • Trusted Collaboration within and between Devices
     • Trusted Collaboration within and between Systems and Applications
     • Trusted Collaboration within and between Communication Networks
  30. Let’s Build Windmills – Together..
  31. Gracias Spain, Thank You Russia, Danke Germany, Grazie Italy, Dank u Belgium, Bedankt Netherlands, Dankeschön Austria, Arigato Japan, Takk Norway, Tak Denmark, Jag tackar Finland, Dziękuję Poland, Tack Sweden, Toda Israel, Engraziel Switzerland, Teşekkür ederim Turkey, Ďakujem Slovakia, Obrigado Portugal, Thank You United Kingdom, Merci France, Thanks United States, Hindi, Tamil, Malayalam
  32. Presenter Contact Information – Gopal Padinjaruveetil CISA, CISM, CRISC, CGEIT, TOGAF9, Chief Application Security and Compliance Architect, gopal.padinjaruveetil@capgemini.com. Gopal Padinjaruveetil is Chief Capgemini Application Security and Compliance Architect based out of Capgemini Detroit. He is a certified Enterprise Architect and a certified Governance, Risk and Compliance (GRC) Architect and has led Enterprise Architecture and GRC work at Fortune 50 global companies. Gopal believes that 21st century enterprises are at a crossroads in Information Technology, where extracting value from the growing information chaos, spurred by disruptive innovative technologies, is creating an exponentially increasing risk and threat landscape; solving this requires enterprises to have a new perspective based on design thinking and applying good IT Governance, Risk and Compliance practices. Gopal has these professional certifications to his credit: CISA, CISM, CRISC, CGEIT, IAF, TOGAF 9. Contact Gopal via: http://www.capgemini.com/experts/security/gopal-padinjaruveetil
  33. www.capgemini.com – The information contained in this presentation is proprietary. © 2012 Capgemini – Internal use only. All rights reserved. Rightshore® is a trademark belonging to Capgemini. About Capgemini: With around 120,000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion. Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.