Keynote for AGC's annual security conference / meat market in San Francisco ahead of the RSA Conference, February 2017.
"This is your industry
I will not let inside me - NO
I steered clear, long (and hard) ago
I wiped the slate clean
As the whistle I hear
Downtown - noon
Within a visible distance
It's with invisible distance"
-- Universal Order of Armageddon, Baltimore, 1996
https://www.youtube.com/watch?v=yfi9dtZj6Y8
3. Disruptive Innovation
An innovation that creates a new market
by providing a different set of values,
which ultimately (and unexpectedly)
overtakes an existing market
15. A Portrait Of The Hacker As A Young Man (ca. 1999)
Authentication
  Break: dsniff, Kerberos v4
  Build: OpenSSH, RPCSEC_GSS (NFSv4)
Firewalls
  Break: Cisco PIX, Check Point FW-1
  Build: pf (OpenBSD)
VPN
  Break: Check Point FW-1
  Build: OpenBSD IPSEC, dsocks
IDS / IPS
  Break: Sourcefire, ISS, etc.
  Build: Anzen/NFR (Check Point), Arbor Networks
18. “A lot of people think that nation-
states are running on zero-days, but
there are so many more vectors that
are easier, productive, and less risky.”
Rob Joyce, NSA TAO, Jan 2016
19. “In the world of advanced persistent
threat actors, credentials are king for
gaining access to systems.”
Rob Joyce, NSA TAO, Jan 2016
20. “Better-defended networks require
specific methods for accessing
resources, monitoring credential use,
looking for anomalous behavior, and
two-factor authentication.”
Rob Joyce, NSA TAO, Jan 2016
21. 95% OF BREACHES
involve stolen credentials
-- Verizon 2015 Data Breach Investigations Report
#1: Users
22. #2: Devices
75% Of Breaches Involve Compromised Devices
Source: Duo analysis of 2M+ devices, Jan 2016
26. President Obama's $19 Billion Cybersecurity Proposal
Calls for 35% Increase Over 2016 Enacted Level
Major Pieces of the Cybersecurity National Action Plan
Critiques from the Tech Industry
• While many in the tech industry have applauded the president's proposal for investment, many of the suggestions are seen as basic and a sign of how woefully behind our government is on cybersecurity. Brian Barrett, a writer for Wired magazine, compares the plan to “standard advice you'd give a tech novice”.
• With the proposal coming from a “lame-duck” president nearing the end of his second term, there is a growing pessimism that pieces that require congressional action will go unfunded.
• Despite being a basic tenet of internet security, encryption is notably absent from the president's press release. While many in the tech community believe encryption is necessary for continued cyber safety, the topic remains controversial in Congress.
Full Multi-Step Authentication Rollout
While a large portion of the government uses 2-step or multi-step authentication for internal logins, the initiative plans to extend this extra layer of security to citizen-facing federal government digital services. The President hopes this switch will also increase public awareness of this identity proofing mechanism, encouraging more wide use among private online systems.
$3.1 billion Information Technology Modernization Fund
This fund enables the retirement, replacement and modernization of IT equipment throughout the government. Many see this initiative as overdue as some branches of the government are running antiquated as old as Windows XP, which Microsoft stopped officially supporting in 2014.
National Initiative for Cybersecurity Education
$62 billion is requested to invest in educating the nation's next generation of cybersecurity personnel. Proposed programs include the CyberCorps Reserve, which would offer scholarships for Americans who wish to obtain cybersecurity education in exchange for civil service in government.
EINSTEIN and the Continuous Diagnostic and Mitigation Program
The president proposes allocating increased funding to the government's primary cyber defense system: EINSTEIN, which has faced significant criticism since it is currently unable to dynamically detect new kinds of cyber intrusions, making it only useful against known threats.
✓ Up-to-Date Devices
✓ Two-Factor Authentication
X Encryption?!
THANKS OBAMA
48. 2017 Duo Product Line
Duo Free
Easy two-factor authentication, free for up to 10 users.
$0
Duo MFA
Easy, best-of-breed two-factor authentication for cloud and on-premise applications.
$3
Duo Beyond
Our next-generation security control platform for modern, perimeter-less organizations.
$9
Duo Access
Our essential security suite to manage trust and address risks from mobile, BYOD, and cloud adoption.
$6