Defense at Scale

Jan Schaumann
Jan Schaumann
Defense  at  Scale   an  op.mis.c  #infosec  talk  in  two  slides   BSidesNYC   2016   Jan  Schaumann   @jschauma  h8ps://v.gd/defenseAtScale  
@jschauma  
¯ˉ_(ツ)_/¯ˉ   h8ps://v.gd/defenseAtScale03  
Defense  at  Scale   an  op.mis.c  #infosec  talk  in  two  or  more  slides   BSidesNYC   2016   Jan  Schaumann   @jschauma  
Defense at Scale
1  in  a  million  is  next  Tuesday.   h8ps://v.gd/defenseAtScale04  
h8ps://v.gd/defenseAtScale05   Got  phished.   Downloaded  drive-­‐by  malware.   Got  pwned  by  script  kiddies.   Uses  Flash   Actually  targeted  by  NSA.  
h8ps://v.gd/defenseAtScale06  
h8ps://v.gd/defenseAtScale07  
Defense at Scale
💩  
You  get  to  drink  from  the  FIREHOSE!!!  
No  capYon  necessary.  
Defense at Scale
Defense at Scale
Skin  in  the  Game   •  Who  carries  the  cost  of  fixing  security   problems?   •  Who  pays  out  the  Bug  Bounty  for  the  same  set   of  command-­‐injecYon  or  XSS  vulnerabiliYes?   •  Who  is  incenYvized  to  improve  security?  
PrioriYze.  
100%  secure  is  impossible  –   but  that’s  ok.     Raising  the  cost  of  an  a8ack  is  ofen   sufficient.    (Know  your  Threat  Model.)  
Fucks  don’t  scale.  
“Prevent,  Detect,  React”   💩  
“Prevent,  Detect,  React”     Firewalls,  Monitoring,  Patching     💩  
“Prevent,  Detect,  React”     Firewalls,  Monitoring,  Patching     Vendor  Crap,  Vendor  Crap,  ¯ˉ_(ツ)_/¯ˉ     💩  
“Are  vulnerabili-es  in  so0ware  dense  or  sparse?   If  they  are  sparse,  then  every  one  you  find  and   fix   meaningfully   lowers   the   number   of   avenues   of  a?ack  that  are  extant.    If  they  are  dense,  then   finding   and   fixing   one   more   is   essen-ally   irrelevant   to   security   and   a   waste   of   the   resources  spent  finding  it.  Six-­‐take-­‐away-­‐one  is  a   15%  improvement.  Six-­‐thousand-­‐take-­‐  away-­‐one   has  no  detectable  value.”                          Geer/Schneier   h8ps://v.gd/defenseAtScale08  
Defense at Scale
If  you  can  make  things  be8er  without   making  things  worse,  do  it.     Even  if  it  doesn't  make  things  perfect.   h8ps://v.gd/defenseAtScale09  
If  what  you’re  doing  doesn't  make   things  be8er,  stop  doing  it.     Even  if  you've  always  done  it.     Even  if  it  took  a  lot  of  effort  to  start   doing.   h8ps://v.gd/defenseAtScale09  
Think  big.  
VulnerabiliYes  are  not  sparse.     Don’t  fix  individual  bugs,  focus  on   eliminaYng  enYre  vulnerability   classes  instead.  
If  you  keep  fixing  the  same  issue   over  and  over  again,  you’re  not   making  progress.  
Defense at Scale
h8ps://v.gd/defenseAtScale10  
SIEMs  don’t  detect  compromises.   A  human  going  “huh,  weird”   detects  a  compromise.  
compromise   indicator   some  of  the  data   you  collect   you  
Lead  by  example.  
Engineer:   “Hey,  can  we  add  the  new  service   account  ‘fishbone’  everywhere?   Needs  full  sudo,  no  password.”   Infosec:   “LOL  what?  No  way.”   Infosec  eng1:   “Hey,  can  we  add  ‘nessus’   everywhere?  Needs  full  sudo,  no   password.”   Infosec  eng2:   “Sure,  one  sec.”  
Lead  by  example.     If  another  team  asked  you,   would  you  say  ’no’?  
Other  people’s  fucks  are  also  limited.   h8ps://v.gd/defenseAtScale11  
VulnerabiliYes  are  dense.   Embrace  automaYon.   CI/CD  is  your  friend.  
CI/CD  is  your  friend.   •  You  cannot  update  individual  systems;    you  can  ensure   all  your  systems  regularly  get  all  updates   automaYcally.   •  You  cannot  remove  individual  vulnerabiliYes;  you  can   gate  deployments  on  using  the  right  libraries.   •  You  cannot  manually  change  a  config  file  on  a  few   hundred  thousand  systems;  you  can  enforce  consistent   convergence  in  idempotent  changesets  prescribed  by   your  configuraYon  management  system.  
Your  endpoint  security  model  should   assume  the  network  is  compromised;     your  network  security  model  should   assume  the  endpoint  is.     Both  in  fact  are.  
Consider  today:   •  auto-­‐update  your  OS,  third-­‐party-­‐  and  custom   sofware   •  mandatory  configuraYon  management  across   your  fleet   •  2FA  SSO  with  Yme-­‐bound  authenYcaYon   tokens   •  provide  libraries  for  common  problems  (secret   management,  input/output  validaYon,   hashing,  encrypYng,  ...)   •  have  exactly  one  TLS  stack  that  everybody   uses  (internally  and  externally)  
…and  what  may  come:   •  Embrace  the  cloud.    You  are  already  operaYng   in  hosYle  networks  and  crossing  trust   boundaries.   •  Rethink  your  ‘trusted  network’  (BeyondCorp).   •  Rethink  the  need  for  user  accounts.   h8ps://v.gd/defenseAtScale13  
•  Containers  are  just  big  ass  staYc  binaries  with   all  their  problems.    Deal  with  it.   •  Build  upon  remote  a8estaYon  of  both   hardware  and  sofware;  signed  containers.   …and  what  may  come:  
Defend  smarter,  not  harder.   •  Don’t  waste  your  Yme  on  busy  work.    Measure   your  impact.    PrioriYze.   •  Embrace  automaYon.  Move  fast.   •  Help  others  take  responsibility.  Guide  them.   •  Have  a  Red  Team.          “You  can’t  grade  your  own  homework.”                                                                                        –  @MicahZenko  
Thanks!   BSidesNYC   2016   Jan  Schaumann   @jschauma  h8ps://v.gd/defenseAtScale  
1 of 45

Defense at Scale

Download to read offline
Internet

Defend smarter, not harder. A talk given at BSidesNYC 2016. Talk transcript/links etc. at www.netmeister.org/blog/defense-at-scale.html

Jan Schaumann
Jan Schaumann

Recommended

Protecting Data in Untrusted Locations by
Protecting Data in Untrusted LocationsProtecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsJan Schaumann
2.3K views40 slides
It's the people, stupid. by
It's the people, stupid.It's the people, stupid.
It's the people, stupid.Jan Schaumann
2.4K views70 slides
Crazy Like A Fox - #Infosec Ideas That Just Might Work by
Crazy Like A Fox - #Infosec Ideas That Just Might WorkCrazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might WorkJan Schaumann
780 views20 slides
Know Your Enemy - An Introduction to Threat Modeling by
Know Your Enemy - An Introduction to Threat ModelingKnow Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat ModelingJan Schaumann
1.4K views50 slides
OpSec101 by
OpSec101OpSec101
OpSec101Jan Schaumann
788 views49 slides
Rugged Software Using Rugged Driven Development by
Rugged Software Using Rugged Driven DevelopmentRugged Software Using Rugged Driven Development
Rugged Software Using Rugged Driven DevelopmentJames Wickett
3.9K views200 slides

More Related Content

What's hot

Getting ready for a Capture The Flag Hacking Competition by
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
993 views55 slides
You Spent All That Money And Still Got Owned by
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
7.5K views77 slides
Wireless Pentesting: It's more than cracking WEP by
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPJoe McCray
1.8K views32 slides
So you wanna be a pentester - free webinar to show you how by
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howJoe McCray
8.4K views56 slides
15 years through Infosec by
15 years through Infosec15 years through Infosec
15 years through InfosecSaumil Shah
16.1K views94 slides
A Journey Into Pen-tester land: Myths or Facts! by
A Journey Into Pen-tester land: Myths or Facts!A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!Ammar WK
1.1K views54 slides

What's hot(20)

Getting ready for a Capture The Flag Hacking Competition by Joe McCray
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking Competition
Joe McCray993 views
You Spent All That Money And Still Got Owned by Joe McCray
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
Joe McCray7.5K views
Wireless Pentesting: It's more than cracking WEP by Joe McCray
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEP
Joe McCray1.8K views
So you wanna be a pentester - free webinar to show you how by Joe McCray
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you how
Joe McCray8.4K views
15 years through Infosec by Saumil Shah
15 years through Infosec15 years through Infosec
15 years through Infosec
Saumil Shah16.1K views
A Journey Into Pen-tester land: Myths or Facts! by Ammar WK
A Journey Into Pen-tester land: Myths or Facts!A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!
Ammar WK1.1K views
Bug Bounty - Play For Money by Shubham Gupta
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For Money
Shubham Gupta1.8K views
Bug bounty by n|u - The Open Security Community
Bug bountyBug bounty
Bug bounty
n|u - The Open Security Community5.2K views
Bug Bounty #Defconlucknow2016 by Shubham Gupta
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
Shubham Gupta2.4K views
Bug Bounty 101 by Shahee Mirza
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
Shahee Mirza5.6K views
The big bang theory by hanyoud
The big bang theoryThe big bang theory
The big bang theory
hanyoud215 views
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed by Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Mazin Ahmed571 views
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A... by Mazin Ahmed
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Mazin Ahmed651 views
Bug bounty null_owasp_2k17 by Sagar M Parmar
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
Sagar M Parmar1.9K views
Bug Bounty - Hackers Job by Arbin Godar
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers Job
Arbin Godar1.3K views
2010 A Net Odyssey by Saumil Shah
2010 A Net Odyssey2010 A Net Odyssey
2010 A Net Odyssey
Saumil Shah652 views
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey by Saumil Shah
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
Saumil Shah4K views
XSS (Cross Site Scripting) by Shubham Gupta
XSS (Cross Site Scripting)XSS (Cross Site Scripting)
XSS (Cross Site Scripting)
Shubham Gupta293 views
5 Tips to Successfully Running a Bug Bounty Program by bugcrowd
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program
bugcrowd1.9K views
Hackfest presentation.pptx by Peter Yaworski
Hackfest presentation.pptxHackfest presentation.pptx
Hackfest presentation.pptx
Peter Yaworski3.6K views

Viewers also liked

FIRE OF DEVOTION (English) by
FIRE OF DEVOTION (English)FIRE OF DEVOTION (English)
FIRE OF DEVOTION (English)Shanmugam Avadaiyappa
2.5K views419 slides
Embriología by
EmbriologíaEmbriología
EmbriologíaIsrael Cristhian Urquiola Molina
122 views2 slides
Reforma íntima by
Reforma íntimaReforma íntima
Reforma íntimaCeadsbcn
727 views18 slides
66 longlane flyer by
66 longlane flyer66 longlane flyer
66 longlane flyerMary Beth Welsh
183 views2 slides
Component based software engineering by
Component based software engineeringComponent based software engineering
Component based software engineeringNadia Nahar
926 views38 slides
#SinLugar: Bordeando la frontera. Historias de 5 minutos, por Amaranta Caball... by
#SinLugar: Bordeando la frontera. Historias de 5 minutos, por Amaranta Caball...#SinLugar: Bordeando la frontera. Historias de 5 minutos, por Amaranta Caball...
#SinLugar: Bordeando la frontera. Historias de 5 minutos, por Amaranta Caball...SinLugar
614 views33 slides

Viewers also liked(20)

FIRE OF DEVOTION (English) by Shanmugam Avadaiyappa
FIRE OF DEVOTION (English)FIRE OF DEVOTION (English)
FIRE OF DEVOTION (English)
Shanmugam Avadaiyappa2.5K views
Embriología by Israel Cristhian Urquiola Molina
EmbriologíaEmbriología
Embriología
Israel Cristhian Urquiola Molina122 views
Reforma íntima by Ceadsbcn
Reforma íntimaReforma íntima
Reforma íntima
Ceadsbcn727 views
66 longlane flyer by Mary Beth Welsh
66 longlane flyer66 longlane flyer
66 longlane flyer
Mary Beth Welsh183 views
Component based software engineering by Nadia Nahar
Component based software engineeringComponent based software engineering
Component based software engineering
Nadia Nahar926 views
#SinLugar: Bordeando la frontera. Historias de 5 minutos, por Amaranta Caball... by SinLugar
#SinLugar: Bordeando la frontera. Historias de 5 minutos, por Amaranta Caball...#SinLugar: Bordeando la frontera. Historias de 5 minutos, por Amaranta Caball...
#SinLugar: Bordeando la frontera. Historias de 5 minutos, por Amaranta Caball...
SinLugar614 views
Ln izquierdo villena raquel la navidad-pdf (1) by raquelizqui
Ln izquierdo villena raquel la navidad-pdf (1)Ln izquierdo villena raquel la navidad-pdf (1)
Ln izquierdo villena raquel la navidad-pdf (1)
raquelizqui451 views
STI 7001 Data Sheet by JMAC Supply
STI 7001 Data SheetSTI 7001 Data Sheet
STI 7001 Data Sheet
JMAC Supply131 views
Markenjagd Runde 2 by Hirmer
Markenjagd Runde 2Markenjagd Runde 2
Markenjagd Runde 2
Hirmer325 views
Hak kekayaan intelektual animation by PT. KA 2
Hak kekayaan intelektual animationHak kekayaan intelektual animation
Hak kekayaan intelektual animation
PT. KA 21.9K views
Vianet by Grupo Viatek
Vianet Vianet
Vianet
Grupo Viatek585 views
Trabajo de Informatica by Alfredo Santoro
Trabajo de InformaticaTrabajo de Informatica
Trabajo de Informatica
Alfredo Santoro285 views
NP Group Company Overview13226445704706 Phpapp01 111130031703 Phpapp01 by David Clark
NP Group Company Overview13226445704706 Phpapp01 111130031703 Phpapp01NP Group Company Overview13226445704706 Phpapp01 111130031703 Phpapp01
NP Group Company Overview13226445704706 Phpapp01 111130031703 Phpapp01
David Clark440 views
2010 09-30 ectel 2010 vlobato ctic and tel some examples by eMadrid network
2010 09-30 ectel 2010 vlobato ctic and tel some examples2010 09-30 ectel 2010 vlobato ctic and tel some examples
2010 09-30 ectel 2010 vlobato ctic and tel some examples
eMadrid network591 views
Batik merbok edited editor by nurazlinajamal
Batik merbok edited editorBatik merbok edited editor
Batik merbok edited editor
nurazlinajamal1.1K views
Sense/Net Company Profile by Sense/Net Inc.
Sense/Net Company ProfileSense/Net Company Profile
Sense/Net Company Profile
Sense/Net Inc.217 views
10_El Quattrocento_Escultura by Ginio
10_El Quattrocento_Escultura10_El Quattrocento_Escultura
10_El Quattrocento_Escultura
Ginio2.5K views
Genetica raton by Alexander Pintado Angel
Genetica ratonGenetica raton
Genetica raton
Alexander Pintado Angel1.6K views
Curriculum Español by Alejandro Mosquera Rey
Curriculum EspañolCurriculum Español
Curriculum Español
Alejandro Mosquera Rey136 views
mercado virtual y centro comercial virtual by LikaMejia
mercado virtual y centro comercial virtualmercado virtual y centro comercial virtual
mercado virtual y centro comercial virtual
LikaMejia487 views

Similar to Defense at Scale

Broken by design (Danny Fullerton) by
Broken by design (Danny Fullerton)Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)Hackfest Communication
850 views24 slides
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance by
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia InsuranceSplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia InsuranceSplunk
1.6K views21 slides
How to secure web applications by
How to secure web applicationsHow to secure web applications
How to secure web applicationsMohammed A. Imran
2K views51 slides
Technology Based Testing by
Technology Based TestingTechnology Based Testing
Technology Based TestingAlan Richardson
2K views76 slides
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012 by
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Nick Galbreath
2.1K views47 slides
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo... by
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
92 views84 slides

Similar to Defense at Scale(20)

Broken by design (Danny Fullerton) by Hackfest Communication
Broken by design (Danny Fullerton)Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)
Hackfest Communication850 views
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance by Splunk
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia InsuranceSplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
Splunk1.6K views
How to secure web applications by Mohammed A. Imran
How to secure web applicationsHow to secure web applications
How to secure web applications
Mohammed A. Imran2K views
Technology Based Testing by Alan Richardson
Technology Based TestingTechnology Based Testing
Technology Based Testing
Alan Richardson2K views
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012 by Nick Galbreath
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Nick Galbreath2.1K views
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo... by Felipe Prado
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado92 views
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7 by Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
Rapid76.7K views
How to prevent cyber terrorism taragana by Gilles Sgro
How to prevent cyber terrorism taraganaHow to prevent cyber terrorism taragana
How to prevent cyber terrorism taragana
Gilles Sgro5.8K views
Teensy Programming for Everyone by Nikhil Mittal
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
Nikhil Mittal3.8K views
How to hide your browser 0-days by Zoltan Balazs
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs2.3K views
Effective approaches to web application security by Zane Lackey
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
Zane Lackey13K views
2600 av evasion_deuce by Db Cooper
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
Db Cooper2.9K views
Needlesand haystacks i360-dublin by Derek King
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
Derek King74 views
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions by Yevgeniy Brikman
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Yevgeniy Brikman4.3K views
Shift Left Security by gjdevos
Shift Left SecurityShift Left Security
Shift Left Security
gjdevos138 views
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение by JSFestUA
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JSFestUA816 views
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned by fangjiafu
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
fangjiafu1.5K views
Securing Rails by Alex Payne
Securing RailsSecuring Rails
Securing Rails
Alex Payne1.4K views
Security Automation Simplified - BSides Austin 2019 by Moses Schwartz
Security Automation Simplified - BSides Austin 2019Security Automation Simplified - BSides Austin 2019
Security Automation Simplified - BSides Austin 2019
Moses Schwartz254 views
FBI & Secret Service- Business Email Compromise Workshop by Ernest Staats
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
Ernest Staats103 views

More from Jan Schaumann

The Razors Edge - Cutting your TLS Baggage by
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageJan Schaumann
789 views51 slides
Semper Ubi Sub Ubi - Things They Don't Teach You In School by
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolSemper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolJan Schaumann
1.5K views75 slides
Everything is Awful (And You're Not Helping) by
Everything is Awful (And You're Not Helping)Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Jan Schaumann
1.9K views71 slides
Primum non nocere - Ethical Obligations in Internet Operations by
Primum non nocere - Ethical Obligations in Internet OperationsPrimum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet OperationsJan Schaumann
4K views47 slides
Headless Host Scanning by
Headless Host ScanningHeadless Host Scanning
Headless Host ScanningJan Schaumann
895 views67 slides
Safely Drinking from the Data Waterhose by
Safely Drinking from the Data WaterhoseSafely Drinking from the Data Waterhose
Safely Drinking from the Data WaterhoseJan Schaumann
7K views20 slides

More from Jan Schaumann(13)

The Razors Edge - Cutting your TLS Baggage by Jan Schaumann
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS Baggage
Jan Schaumann789 views
Semper Ubi Sub Ubi - Things They Don't Teach You In School by Jan Schaumann
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolSemper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In School
Jan Schaumann1.5K views
Everything is Awful (And You're Not Helping) by Jan Schaumann
Everything is Awful (And You're Not Helping)Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)
Jan Schaumann1.9K views
Primum non nocere - Ethical Obligations in Internet Operations by Jan Schaumann
Primum non nocere - Ethical Obligations in Internet OperationsPrimum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet Operations
Jan Schaumann4K views
Headless Host Scanning by Jan Schaumann
Headless Host ScanningHeadless Host Scanning
Headless Host Scanning
Jan Schaumann895 views
Safely Drinking from the Data Waterhose by Jan Schaumann
Safely Drinking from the Data WaterhoseSafely Drinking from the Data Waterhose
Safely Drinking from the Data Waterhose
Jan Schaumann7K views
PGP for Smarties by Jan Schaumann
PGP for SmartiesPGP for Smarties
PGP for Smarties
Jan Schaumann3.7K views
Fancy pants by Jan Schaumann
Fancy pantsFancy pants
Fancy pants
Jan Schaumann4.8K views
Ipv6 basics by Jan Schaumann
Ipv6 basicsIpv6 basics
Ipv6 basics
Jan Schaumann3.9K views
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing by Jan Schaumann
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load BalancingL3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing
Jan Schaumann4.7K views
Building better tools by Jan Schaumann
Building better toolsBuilding better tools
Building better tools
Jan Schaumann806 views
Useless use of * by Jan Schaumann
Useless use of *Useless use of *
Useless use of *
Jan Schaumann800 views
DST @ Yahoo! by Jan Schaumann
DST @ Yahoo!DST @ Yahoo!
DST @ Yahoo!
Jan Schaumann1.2K views

Recently uploaded

Building trust in our information ecosystem: who do we trust in an emergency by
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergencyTina Purnat
85 views18 slides
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf by
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfRIPE NCC
15 views11 slides
DU Series - Day 4.pptx by
DU Series - Day 4.pptxDU Series - Day 4.pptx
DU Series - Day 4.pptxUiPathCommunity
94 views28 slides
Audience profile.pptx by
Audience profile.pptxAudience profile.pptx
Audience profile.pptxMollyBrown86
12 views2 slides
informing ideas.docx by
informing ideas.docxinforming ideas.docx
informing ideas.docxMollyBrown86
12 views10 slides
information by
informationinformation
informationkhelgishekhar
7 views4 slides

Recently uploaded(20)

Building trust in our information ecosystem: who do we trust in an emergency by Tina Purnat
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergency
Tina Purnat85 views
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf by RIPE NCC
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
RIPE NCC15 views
DU Series - Day 4.pptx by UiPathCommunity
DU Series - Day 4.pptxDU Series - Day 4.pptx
DU Series - Day 4.pptx
UiPathCommunity94 views
Audience profile.pptx by MollyBrown86
Audience profile.pptxAudience profile.pptx
Audience profile.pptx
MollyBrown8612 views
informing ideas.docx by MollyBrown86
informing ideas.docxinforming ideas.docx
informing ideas.docx
MollyBrown8612 views
information by khelgishekhar
informationinformation
information
khelgishekhar7 views
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲 by Infosec train
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
Infosec train7 views
Existing documentaries (1).docx by MollyBrown86
Existing documentaries (1).docxExisting documentaries (1).docx
Existing documentaries (1).docx
MollyBrown8613 views
UiPath Document Understanding_Day 3.pptx by UiPathCommunity
UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptx
UiPathCommunity95 views
IETF 118: Starlink Protocol Performance by APNIC
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC124 views
google forms survey (1).pptx by MollyBrown86
google forms survey (1).pptxgoogle forms survey (1).pptx
google forms survey (1).pptx
MollyBrown8614 views
Sustainable Marketing by Theo van der Zee
Sustainable MarketingSustainable Marketing
Sustainable Marketing
Theo van der Zee9 views
zotabet.pdf by zotabetcasino
zotabet.pdfzotabet.pdf
zotabet.pdf
zotabetcasino6 views
childcare.pdf by fatma alnaqbi
childcare.pdfchildcare.pdf
childcare.pdf
fatma alnaqbi14 views
WEB 2.O TOOLS: Empowering education.pptx by narmadhamanohar21
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptx
narmadhamanohar2115 views
Is Entireweb better than Google by sebastianthomasbejan
Is Entireweb better than GoogleIs Entireweb better than Google
Is Entireweb better than Google
sebastianthomasbejan10 views
PORTFOLIO 1 (Bret Michael Pepito).pdf by brejess0410
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdf
brejess04107 views
We see everywhere that many people are talking about technology.docx by ssuserc5935b
We see everywhere that many people are talking about technology.docxWe see everywhere that many people are talking about technology.docx
We see everywhere that many people are talking about technology.docx
ssuserc5935b6 views
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf by RIPE NCC
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
RIPE NCC9 views
UiPath Document Understanding_Day 2.pptx by RohitRadhakrishnan8
UiPath Document Understanding_Day 2.pptxUiPath Document Understanding_Day 2.pptx
UiPath Document Understanding_Day 2.pptx
RohitRadhakrishnan8282 views

Defense at Scale

  • 1. Defense  at  Scale   an  op.mis.c  #infosec  talk  in  two  slides   BSidesNYC   2016   Jan  Schaumann   @jschauma  h8ps://v.gd/defenseAtScale  
  • 4. Defense  at  Scale   an  op.mis.c  #infosec  talk  in  two  or  more  slides   BSidesNYC   2016   Jan  Schaumann   @jschauma  
  • 6. 1  in  a  million  is  next  Tuesday.   h8ps://v.gd/defenseAtScale04  
  • 7. h8ps://v.gd/defenseAtScale05   Got  phished.   Downloaded  drive-­‐by  malware.   Got  pwned  by  script  kiddies.   Uses  Flash   Actually  targeted  by  NSA.  
  • 12. You  get  to  drink  from  the  FIREHOSE!!!  
  • 16. Skin  in  the  Game   •  Who  carries  the  cost  of  fixing  security   problems?   •  Who  pays  out  the  Bug  Bounty  for  the  same  set   of  command-­‐injecYon  or  XSS  vulnerabiliYes?   •  Who  is  incenYvized  to  improve  security?  
  • 18. 100%  secure  is  impossible  –   but  that’s  ok.     Raising  the  cost  of  an  a8ack  is  ofen   sufficient.    (Know  your  Threat  Model.)  
  • 21. “Prevent,  Detect,  React”     Firewalls,  Monitoring,  Patching     💩  
  • 22. “Prevent,  Detect,  React”     Firewalls,  Monitoring,  Patching     Vendor  Crap,  Vendor  Crap,  ¯ˉ_(ツ)_/¯ˉ     💩  
  • 23. “Are  vulnerabili-es  in  so0ware  dense  or  sparse?   If  they  are  sparse,  then  every  one  you  find  and   fix   meaningfully   lowers   the   number   of   avenues   of  a?ack  that  are  extant.    If  they  are  dense,  then   finding   and   fixing   one   more   is   essen-ally   irrelevant   to   security   and   a   waste   of   the   resources  spent  finding  it.  Six-­‐take-­‐away-­‐one  is  a   15%  improvement.  Six-­‐thousand-­‐take-­‐  away-­‐one   has  no  detectable  value.”                          Geer/Schneier   h8ps://v.gd/defenseAtScale08  
  • 25. If  you  can  make  things  be8er  without   making  things  worse,  do  it.     Even  if  it  doesn't  make  things  perfect.   h8ps://v.gd/defenseAtScale09  
  • 26. If  what  you’re  doing  doesn't  make   things  be8er,  stop  doing  it.     Even  if  you've  always  done  it.     Even  if  it  took  a  lot  of  effort  to  start   doing.   h8ps://v.gd/defenseAtScale09  
  • 28. VulnerabiliYes  are  not  sparse.     Don’t  fix  individual  bugs,  focus  on   eliminaYng  enYre  vulnerability   classes  instead.  
  • 29. If  you  keep  fixing  the  same  issue   over  and  over  again,  you’re  not   making  progress.  
  • 32. SIEMs  don’t  detect  compromises.   A  human  going  “huh,  weird”   detects  a  compromise.  
  • 33. compromise   indicator   some  of  the  data   you  collect   you  
  • 35. Engineer:   “Hey,  can  we  add  the  new  service   account  ‘fishbone’  everywhere?   Needs  full  sudo,  no  password.”   Infosec:   “LOL  what?  No  way.”   Infosec  eng1:   “Hey,  can  we  add  ‘nessus’   everywhere?  Needs  full  sudo,  no   password.”   Infosec  eng2:   “Sure,  one  sec.”  
  • 36. Lead  by  example.     If  another  team  asked  you,   would  you  say  ’no’?  
  • 37. Other  people’s  fucks  are  also  limited.   h8ps://v.gd/defenseAtScale11  
  • 38. VulnerabiliYes  are  dense.   Embrace  automaYon.   CI/CD  is  your  friend.  
  • 39. CI/CD  is  your  friend.   •  You  cannot  update  individual  systems;    you  can  ensure   all  your  systems  regularly  get  all  updates   automaYcally.   •  You  cannot  remove  individual  vulnerabiliYes;  you  can   gate  deployments  on  using  the  right  libraries.   •  You  cannot  manually  change  a  config  file  on  a  few   hundred  thousand  systems;  you  can  enforce  consistent   convergence  in  idempotent  changesets  prescribed  by   your  configuraYon  management  system.  
  • 40. Your  endpoint  security  model  should   assume  the  network  is  compromised;     your  network  security  model  should   assume  the  endpoint  is.     Both  in  fact  are.  
  • 41. Consider  today:   •  auto-­‐update  your  OS,  third-­‐party-­‐  and  custom   sofware   •  mandatory  configuraYon  management  across   your  fleet   •  2FA  SSO  with  Yme-­‐bound  authenYcaYon   tokens   •  provide  libraries  for  common  problems  (secret   management,  input/output  validaYon,   hashing,  encrypYng,  ...)   •  have  exactly  one  TLS  stack  that  everybody   uses  (internally  and  externally)  
  • 42. …and  what  may  come:   •  Embrace  the  cloud.    You  are  already  operaYng   in  hosYle  networks  and  crossing  trust   boundaries.   •  Rethink  your  ‘trusted  network’  (BeyondCorp).   •  Rethink  the  need  for  user  accounts.   h8ps://v.gd/defenseAtScale13  
  • 43. •  Containers  are  just  big  ass  staYc  binaries  with   all  their  problems.    Deal  with  it.   •  Build  upon  remote  a8estaYon  of  both   hardware  and  sofware;  signed  containers.   …and  what  may  come:  
  • 44. Defend  smarter,  not  harder.   •  Don’t  waste  your  Yme  on  busy  work.    Measure   your  impact.    PrioriYze.   •  Embrace  automaYon.  Move  fast.   •  Help  others  take  responsibility.  Guide  them.   •  Have  a  Red  Team.          “You  can’t  grade  your  own  homework.”                                                                                        –  @MicahZenko  
  • 45. Thanks!   BSidesNYC   2016   Jan  Schaumann   @jschauma  h8ps://v.gd/defenseAtScale