
Peak Prevention: Moving from Prevention to Resilience


We're all familiar with Peak Oil--a concept that says there's a limit to how much oil we can produce, after which point production must decline and new energy sources must be found.

This talk explores the concept of Peak Prevention. This is the idea that there is only so much prevention that can be applied when defending systems from attack, after which point other methods of risk reduction must be employed.

We'll explore the question of how close we are to Peak Prevention currently, and what other approaches to risk reduction may be available to us.



  1. Peak Prevention: Moving from prevention to resilience. Daniel Miessler, Director of Advisory Services, IOActive. AppSec Cali, January 24, 2017.
  2. Intro: Daniel Miessler (@danielmiessler). 18 years in infosec, mostly as a tester (net/web/app/IoT). Runs the consulting practice for IOActive. Read / write / podcast / table tennis.
  3. Flow: peaks and valleys; risky bits; impact reduction; preparing for what's coming.
  4. Peak Oil
  5. Peak $THING: We used to have a lot of room to grow. That growth has stopped. We now have as much as we'll ever have. We need to find another source of what it was providing.
  6. Peak $THING (oil): We used to have a lot of room to grow. (finding more oil, producing it faster) That growth has stopped. (we found most of the oil) We now have as much as we'll ever have. (it's all downhill from here) We need to find another source of what it was providing. (energy)
  7. [Risk matrix: Probability on one axis, Impact on the other.]
  8. = Prevention focused (working the Probability axis).
  9. Peak $THING (prevention): We used to have a lot of room to grow. (add firewalls, AV) That growth has stopped. (it can all be bypassed) We now have as much as we'll ever have. (kind of) We need to find another source of what it was providing. (risk reduction)
  10. Risk = Probability × Impact: 9 × 10 = 90.
  11. Risk = Probability × Impact: 8 × 8 = 64.
  12. Risk = Probability × Impact: 0 × 9 = 0.
  13. Acceptable risk target: 50 (desired).
  14. [Grid: Prevention (chance of success) 1-10 against Resilience (damage taken) 1-10; acceptable line drawn at 42.]
  15. Risk = Probability × Impact: 5 × 10 = 50, the limit.
  16. [Same grid.] Where is the peak of prevention: 5? 7? (30 and 42 marked.)
  17. [Same grid.] Peak at 7: impact can't go above 6.
  18. Risk = Probability × Impact: 7 × 10 = 70.
  19. [Same grid.] Peak at 7: we need to be here…
  20. [Same grid.] We are here. We need to be here… Need to go that way.
  21. [Same grid as 20.]
  22. 1. Make your data unusable when it's stolen?
  23. 2. Insure yourself against loss for when incidents do occur?
  24. 3. Change the narrative so people don't care as much. (already happening naturally)
  25. 4. Have super clean backup and restore procedures. (ransomware)
  26. 5. Have redundant sites for when yours is taken down.
  27. 6. Make what you have less valuable to attackers. (files, salaries, records, PII, secrets)
  28. Prepare Yourself
  29. Limits of Prevention: InfoSec breaches; bad work days; toxic relationships; contagious diseases; terrorism; safety accidents; Impact N; Impact N+1.
  30. Look for Impact Reduction Everywhere
  31. PREVENTION —> RESILIENCE: 2017, 2018, 2019…
  32. Thank You. Twitter: @danielmiessler. Email: daniel.miessler@ioactive.com. Github: https://github.com/danielmiessler. Podcast: https://danielmiessler.com/podcast/. OWASP Game Security Framework: https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project
  33. Resources: OCTAVE: Cyber Risk and Resilience Management, http://www.cert.org/resilience/products-services/octave/; US-CERT Cyber Risk Review (CRR), https://www.us-cert.gov/ccubedvp/assessments; US-CERT Cyber Resilience Management Model, http://www.cert.org/resilience/products-services/cert-rmm/
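The slides on Risk = Probability × Impact, the acceptable target, and the prevention floor ("peak") are easier to reason about with the arithmetic written out. The block below is an added example, not code from the talk or its author: it scores both axes 1-10 as the slides do, treats the peak as a floor below which prevention cannot push probability, and works out how much impact (resilience) has to absorb once that floor is hit. The 1-10 scale, the `Posture` name, and a single numeric target are illustrative assumptions.

```python
"""Risk = Probability x Impact with a floor on how far prevention can go.

Added example. Prevention works the Probability axis; "peak prevention" is a
floor below which probability will not go no matter what is added. Past that
floor the only remaining lever is Impact, which is what the resilience slides
are about. Scale (1-10) and single-number target are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MAX = 10  # both axes scored 1-10, as on the slides


@dataclass(frozen=True)
class Posture:
    probability: int  # chance an attack succeeds; prevention pushes this down
    impact: int       # damage taken when it does succeed; resilience pushes this down

    @property
    def risk(self) -> int:
        return self.probability * self.impact


def max_impact_for(target: int, probability_floor: int) -> int:
    """Highest impact score that still meets the target once prevention is maxed out.

    A floor of 0 is the 'perfect prevention' slide (risk 0 whatever the impact);
    the talk's point is that this floor is not reachable in practice.
    """
    if probability_floor <= 0:
        return SCALE_MAX
    return min(SCALE_MAX, target // probability_floor)


def plan(current: Posture, target: int, probability_floor: int) -> dict:
    """Split the gap to target into what prevention can still do and what resilience must do."""
    best_probability = min(current.probability, probability_floor)  # cannot go below the floor
    prevention_only = Posture(best_probability, current.impact)
    impact_ceiling = max_impact_for(target, best_probability)
    return {
        "current_risk": current.risk,
        "prevention_only_risk": prevention_only.risk,
        "prevention_is_enough": prevention_only.risk <= target,
        "impact_ceiling": impact_ceiling,
        "impact_reduction_needed": max(0, current.impact - impact_ceiling),
    }


def acceptable_region(target: int, probability_floor: int) -> set[tuple[int, int]]:
    """All (probability, impact) cells at or above the floor that meet the target.

    This is the 'we need to be here' area on the prevention/resilience grid.
    """
    return {
        (p, i)
        for p in range(probability_floor, SCALE_MAX + 1)
        for i in range(1, SCALE_MAX + 1)
        if p * i <= target
    }


if __name__ == "__main__":
    here = Posture(probability=9, impact=10)  # the 9 x 10 = 90 slide
    # (target, floor) pairs taken from the slides: 50 with a limit of 5, 42 with a peak of 7
    for target, floor in ((50, 5), (42, 7)):
        print(f"target {target}, prevention floor {floor}: {plan(here, target, floor)}")
```

With a floor of 5 and a target of 50, prevention alone reaches 5 × 10 = 50 and no impact reduction is needed. With a floor of 7 and a target of 42, prevention bottoms out at 7 × 10 = 70, so impact must drop from 10 to 6 (42 ÷ 7); that is the "impact can't go above 6" slide, and the six resilience ideas that follow are ways to buy those four points.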
