HACK.LU 2016 NETSQUARE
Hack.LU 2016: The Infosec Crossroads
About Me
@therealsaumil
saumilshah
hacker, trainer, speaker, author, photographer
educating, entertaining and exasperating audiences since 1999
Saumil Shah
CEO, Net-Square
Today's attacks succeed because the defense is REACTIVE
The Evolution of Attacks
How Have Targets Shifted?
Servers, Applications, Desktops, Browsers, Pockets
Attacks Follow The Money
Defacement, DDoS, Phishing, ID Theft, Financial Transactions, Targeted APT
Today's Fashion: Breaches
Hackers Have A Positive Outlook
(defense -> attacker response)
Firewalls -> One-way Hacking
IDS/IPS -> Fragmented Packets
Antivirus -> Obfuscation
WAF -> Character Encoding
Endpoint Security -> DNS Exfiltration
DEP, ASLR -> ROP, Infoleak
Sandbox -> Jailbreak
Latest Example: Stegosploit
[Diagram: EXPLOIT CODE -> PIXEL ENCODER -> ENCODED IMAGE; IMAGE + STEGO-DECODER JAVASCRIPT -> POLYGLOT (IMAJS) -> TARGET BROWSER]
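The diagram shows an image file that is also a script carrier (a polyglot). A defender's first check is structural: does the file contain anything a JPEG decoder would ignore but a browser would not? The following is an added example, not code from the talk or from Stegosploit; it walks JPEG marker segments and reports script-like markers inside segments and any data appended after the end-of-image marker. The sample bytes are constructed, not real files.

```python
"""Added example (not from the talk or from Stegosploit): a defensive check for
JPEG files that carry non-image payloads. Sample bytes below are constructed."""
import struct

SOI = b"\xff\xd8"          # start of image
EOI = b"\xff\xd9"          # end of image
# Constructed list of markers that have no business inside an image container.
SCRIPT_MARKERS = (b"<script", b"<html", b"javascript:", b"eval(")


def walk_jpeg_segments(data):
    """Yield (marker, offset, payload) for every marker segment, ending at EOI.

    Segments are skipped by their declared length, so an embedded thumbnail with
    its own EOI inside an APP segment does not end the walk early."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI has no length field
            yield marker, pos, b""
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        yield marker, pos, payload
        pos += 2 + length
        if marker == 0xDA:                      # SOS: entropy-coded data runs to EOI
            end = data.find(EOI, pos)
            if end == -1:
                raise ValueError("SOS without EOI")
            pos = end
    raise ValueError("truncated JPEG")


def inspect_jpeg(data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    eoi_offset = None
    for marker, offset, payload in walk_jpeg_segments(data):
        if marker == 0xD9:
            eoi_offset = offset
            break
        for needle in SCRIPT_MARKERS:
            if needle in payload.lower():
                findings.append(f"segment 0x{marker:02x} at offset {offset} contains {needle!r}")
    trailing = data[eoi_offset + 2:]
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after EOI")
    return findings


def _segment(marker, payload):
    """Build one marker segment (the length field counts itself, not the marker)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: a minimal well-formed JPEG skeleton, and the same skeleton
# with a harmless HTML-looking comment segment and data appended after EOI.
CLEAN_JPEG = SOI + _segment(0xE0, b"JFIF\x00\x01\x01") + _segment(0xDA, b"\x01") + b"\x00\x11\x22" + EOI
POLYGLOT_JPEG = (SOI + _segment(0xE0, b"JFIF\x00\x01\x01")
                 + _segment(0xFE, b"<script>/* constructed marker */</script>")
                 + _segment(0xDA, b"\x01") + b"\x00\x11" + EOI
                 + b"<html>constructed trailing data</html>")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("polyglot", POLYGLOT_JPEG)):
        print(name, inspect_jpeg(blob) or "no findings")
```

Image decoders tolerate trailing bytes and ignore comment segments, which is exactly why a structural walk is needed rather than trusting the file extension or magic bytes. Real entropy-coded data byte-stuffs 0xFF as 0xFF 0x00, so the `find(EOI)` shortcut is safe on conforming files; a full scanner would also inspect APP segments that legitimately carry large blobs (EXIF, ICC profiles).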
Nakatomi Space
"wherein buildings reveal near-infinite interiors, capable of being traversed through all manner of non-architectural means"
http://www.bldgblog.com/2010/01/nakatomi-space/
It was different 12 years ago!
Individual effort.
1 week dev time.
3-6 months shelf life.
Hundreds of public domain exploits.
"We did it for the lols."
Today...
Team effort.
2-12 month dev time.
24h to 10d shelf life.
Public domain exploits nearly zero.
Cost and value of exploits have significantly risen.
WEAPONIZATION.
The defenders tried to buy back their bugs...
Bug Bounties: high stakes game
Chris Evans – Pwnium: Element 1337
Bug Bounties tried to fill a reactive need.
Bug Bounties Backfiring?
The (d)evolution of Users
Advanced Technology Is...Advanced
Technology in the hands of users
@needadebitcard
"The user's going to pick dancing pigs over security every time."
Bruce Schneier
The Reactive Approach to Defense
Compliance != Security
Attackers don't follow standards and certifications.
Today's Infosec Defence?
Rules
Signatures
Updates
Machine Learning
Existing strategies do not match attacker tactics.
Intelligence Driven Security
net-square
From REACTIVE to PROACTIVE
Sources of Security Intelligence?
"The Universe tells you everything you need to know about it, as long as you are prepared to watch, to listen, to smell, in short to OBSERVE."
PROACTIVE Security Testing...
@therealsaumil's SEVEN AXIOMS of Security
Seven Axioms of Security: 1
Collect EVERYTHING!
Collect Everything!
•  Security Data Warehouse: first step towards proactive security.
•  Retention is CHEAPER than Deletion.
•  Importance of HISTORICAL DATA increases exponentially with time.
Seven Axioms of Security: 2
Can't MEASURE? Can't Use.
Why Keep Metrics?
•  To show you are succeeding
–  Corollary: to show you are failing
•  To justify your existence and/or budget
•  To argue for change
•  For fun!
Marcus Ranum
Security Metrics: The Quest For Meaning
IT Defense 2016, Mainz
How to Establish Metrics
•  Look at your process and make a list of what is quantifiable
•  Ask yourself what quantities you are interested in
–  Once things are quantified they go up, or down – which is about the only convenient thing of metrics: they don't go sideways, too
•  Which is a "good" direction: up or down?
•  Do you know what constitutes a significant movement?
•  Measure and iterate
Marcus Ranum
Security Metrics: The Quest For Meaning
IT Defense 2016, Mainz
Why Metrics Win
•  Often information security becomes what I call a "battle of two narratives"
–  Your opponent has the advantage of lying:
–  "moving this to the cloud will save us $500,000/year!"
–  To defend your narrative you need facts (from metrics) and credible extrapolations (based on metrics) or your opponent controls the narrative! *
* Plan B is to respond with lies of your own
Marcus Ranum
Security Metrics: The Quest For Meaning
IT Defense 2016, Mainz
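Axiom 1 (collect everything into a security data warehouse) and Axiom 2 (measure, decide which direction is good, know what a significant movement is) fit together in a few dozen lines. The example below is added here and is not code from the talk or from Net-Square: an append-only warehouse that normalises constructed syslog-style lines into events, derives a weekly metric from them with quiet weeks zero-filled, and answers Ranum's questions about direction and significance against the metric's own history. The log lines and the classification rules are constructed for the example.

```python
"""Added example (not the talk's own code): Axiom 1 as an append-only security
data warehouse, Axiom 2 as a metric derived from it. Log lines are constructed."""
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample feed: syslog-style lines from two sensors (sshd and a WAF).
# ISO weeks 40, 41 and 43 have events; week 42 is silent on purpose.
RAW_LOGS = """\
2016-10-03T08:12:01Z sshd[212]: Failed password for root from 203.0.113.5 port 51122
2016-10-03T08:12:09Z sshd[212]: Accepted publickey for deploy from 198.51.100.7 port 40110
2016-10-04T09:00:00Z waf: blocked request path=/admin rule=sqli src=203.0.113.9
2016-10-05T11:02:44Z sshd[240]: Failed password for admin from 203.0.113.5 port 51140
2016-10-11T07:30:00Z waf: blocked request path=/login rule=xss src=203.0.113.20
2016-10-12T10:00:00Z sshd[300]: Failed password for root from 203.0.113.5 port 51200
2016-10-13T10:00:00Z sshd[301]: Failed password for root from 203.0.113.5 port 51201
2016-10-24T06:00:00Z sshd[400]: Failed password for root from 203.0.113.5 port 51300
2016-10-25T06:00:00Z sshd[401]: Failed password for root from 203.0.113.77 port 51301
2016-10-26T06:00:00Z sshd[402]: Failed password for root from 203.0.113.5 port 51302
2016-10-27T06:00:00Z sshd[403]: Failed password for admin from 203.0.113.5 port 51303
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line):
    """Normalise one raw line into an event dict. Unparseable lines are kept too
    (kind='unparsed'): retention is cheaper than deletion."""
    m = LINE_RE.match(line)
    if not m:
        return {"ts": None, "source": "unknown", "kind": "unparsed", "src_ip": None, "raw": line}
    prog, msg = m["prog"], m["msg"]
    if prog == "sshd" and msg.startswith("Failed password"):
        kind = "auth_failure"
    elif prog == "sshd" and msg.startswith("Accepted"):
        kind = "auth_success"
    elif prog == "waf":
        kind = "waf_block"
    else:
        kind = "other"
    ip = IP_RE.search(msg)
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": prog,
            "kind": kind, "src_ip": ip.group(1) if ip else None, "raw": line}


class Warehouse:
    """Append-only event store: events are ingested and never deleted."""

    def __init__(self):
        self.events = []

    def ingest(self, text):
        for line in text.splitlines():
            if line.strip():
                self.events.append(parse_line(line))
        return len(self.events)

    def weekly_counts(self, kind):
        """Events of `kind` per ISO week, zero-filled over the span of all stored
        events so a quiet week shows as 0 instead of vanishing from the series."""
        stamped = [e for e in self.events if e["ts"] is not None]
        if not stamped:
            return []
        weeks = sorted(tuple(e["ts"].isocalendar()[:2]) for e in stamped)
        counts = Counter(tuple(e["ts"].isocalendar()[:2]) for e in stamped if e["kind"] == kind)
        cursor, end = datetime.fromisocalendar(*weeks[0], 1), datetime.fromisocalendar(*weeks[-1], 1)
        series = []
        while cursor <= end:
            key = tuple(cursor.isocalendar()[:2])
            series.append((key, counts.get(key, 0)))
            cursor += timedelta(days=7)
        return series


def assess_metric(series, good_direction="down", sigmas=2.0):
    """Ranum's questions in code: which way did the latest week move against the
    earlier weeks, is the move more than `sigmas` standard deviations of that
    history, and is that the direction we wanted?"""
    values = [v for _, v in series]
    if len(values) < 3:
        return {"direction": "unknown", "significant": False, "good": None}
    history, latest = values[:-1], values[-1]
    mean, sd = statistics.mean(history), statistics.stdev(history)
    direction = "up" if latest > mean else "down" if latest < mean else "flat"
    return {"latest": latest, "baseline_mean": round(mean, 2), "direction": direction,
            "significant": abs(latest - mean) > sigmas * sd,
            "good": None if direction == "flat" else direction == good_direction}


def run_demo():
    """Ingest the constructed feed and assess the weekly SSH auth-failure count."""
    wh = Warehouse()
    wh.ingest(RAW_LOGS)
    series = wh.weekly_counts("auth_failure")
    return series, assess_metric(series, good_direction="down")


if __name__ == "__main__":
    series, verdict = run_demo()
    for (year, week), n in series:
        print(f"{year}-W{week:02d}: {n}")
    print(verdict)
```

The significance rule (latest value more than two standard deviations from the mean of earlier weeks) is deliberately simple; it is enough to stop "it went up" from being reported as news when the history is noisy, which is the question Ranum's slide asks. With more history a seasonal baseline or a control chart would replace it.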
Seven Axioms of Security: 3
Test like an attacker: RED TEAM.
UNREALISTIC PEN-TESTING SCENARIOS
•  Wait for new production release
•  Don't test on production
•  Don't perform intrusive testing
•  X is out of scope
•  Test during off-peak hours
Who are you more scared of? Attackers or Auditors?
Seven Axioms of Security: 4
User RATINGS!
Identify your target users...
[Chart: number of users (y-axis) against infosec maturity (x-axis), with four groups: Hopeless, Uninformed, Proactive, Rock Stars]
Hopeless: Always going to be an enigma.
Uninformed: If properly guided, these users are willing to improve their usage habits.
Proactive: The next Rock Star users.
Rock Stars: Leave them alone, and possibly learn from them.
...and improve their maturity
[Chart repeated: number of users against infosec maturity; Hopeless, Uninformed, Proactive, Rock Stars]
Seven Axioms of Security: 5
Set BOOBY TRAPS.
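One concrete booby trap is a honeytoken: a credential that has no legitimate user, planted where only someone who is already inside would find it, so that any use of it is a high-confidence alert. This reading of the axiom is an assumption of the example, and the code below is added here, not the talk's own. The detector secret, the plant locations and the gateway log lines are all constructed.

```python
"""Added example (honeytokens as one reading of "booby traps"; not the talk's
code): plant a fake credential and alert on any use of it. All values constructed."""
import hashlib
import hmac
import re

# Constructed: in practice the key lives with the detector, never beside the logs.
DETECTOR_SECRET = b"constructed-demo-secret"
# Constructed plant locations. The location is baked into the token, so a hit
# says which trap was sprung without a separate lookup database.
PLANT_LOCATIONS = [
    "fileserver:/finance/backup-creds.txt",
    "wiki:ops/legacy-api-notes",
]

# Constructed log format for an API gateway's authentication events.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) api-gw auth key=(?P<key>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def mint_honeytoken(secret, location):
    """Derive the fake key for one plant location. HMAC keeps the token unguessable
    and lets the detector recompute the registry from the location list alone.
    A real deployment shapes the token like the environment's genuine credentials."""
    digest = hmac.new(secret, location.encode(), hashlib.sha256).hexdigest()
    return "key-" + digest[:24]


def build_registry(secret, locations=PLANT_LOCATIONS):
    """Map every planted token back to where it was planted."""
    return {mint_honeytoken(secret, loc): loc for loc in locations}


def scan_auth_logs(lines, registry):
    """Return one alert per log line that presents a planted token.

    The result field does not matter: a honeytoken has no legitimate user, so even
    a denied attempt means someone has read the file the token was planted in."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # not an auth line; ignore
        planted_at = registry.get(m["key"])
        if planted_at is not None:
            alerts.append({"ts": m["ts"], "src": m["src"],
                           "result": m["result"], "planted_at": planted_at})
    return alerts


# Constructed sample traffic: one genuine key in use, one planted token being tried.
_REGISTRY = build_registry(DETECTOR_SECRET)
_PLANTED = mint_honeytoken(DETECTOR_SECRET, PLANT_LOCATIONS[0])
SAMPLE_LOGS = [
    "2016-10-18T09:00:01Z api-gw auth key=key-0f3a9c1b2d4e5f6a7b8c9d0e src=10.0.4.12 result=ok",
    f"2016-10-18T09:14:27Z api-gw auth key={_PLANTED} src=203.0.113.45 result=denied",
    "2016-10-18T09:14:30Z api-gw health ok",
]


def run_demo():
    return scan_auth_logs(SAMPLE_LOGS, _REGISTRY)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert['ts']} trap {alert['planted_at']} sprung from {alert['src']}")
```

The token is derived rather than stored so the registry can be rebuilt anywhere the secret is available, and the plant location rides along in the alert, which is the part an incident responder needs first: not "a fake key was used" but "someone read the finance backup file".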
Seven Axioms of Security: 6
ANALYSIS decides Actions.
WARNING! Block Diagrams Ahead!
Take Informed Decisions
[Block diagram: NEW INITIATIVE -> Estimate Impact -> Collect Metrics -> Determine Actual Impact, with Analysis at the centre]
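The loop in the diagram (estimate the impact of an initiative, collect the metric, determine the actual impact, let the analysis decide) is a before/after comparison with a significance check. The example below is added here, not the talk's own code: it compares an incident rate measured before and after a change with a two-proportion z-test and turns the result into a decision. The initiative, the estimate and the counts are constructed.

```python
"""Added example (not the talk's own code): Estimate Impact -> Collect Metrics ->
Determine Actual Impact as a before/after rate comparison. Numbers constructed."""
import math


def two_proportion_z(x1, n1, x2, n2):
    """Two-sided two-proportion z-test: (z, p_value) for rates x1/n1 vs x2/n2."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 1.0                     # no variation at all: nothing to test
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))   # P(|N(0,1)| > |z|), both tails
    return z, p_value


def evaluate_initiative(before, after, estimated_reduction, alpha=0.05):
    """before/after are (incidents, exposures) pairs measured on the same metric.

    estimated_reduction is the fraction by which the initiative was expected to
    cut the incident rate (0.5 means "halve it"). Returns the actual reduction,
    the test result and a plain-language decision."""
    x1, n1 = before
    x2, n2 = after
    rate_before, rate_after = x1 / n1, x2 / n2
    actual_reduction = 1 - rate_after / rate_before if rate_before else 0.0
    z, p_value = two_proportion_z(x1, n1, x2, n2)
    if p_value >= alpha:
        decision = "inconclusive: keep collecting metrics before acting"
    elif actual_reduction >= estimated_reduction:
        decision = "keep: actual impact met the estimate"
    elif actual_reduction > 0:
        decision = "keep, but revise the estimate downward"
    else:
        decision = "rollback or investigate: the metric moved the wrong way"
    return {"rate_before": rate_before, "rate_after": rate_after,
            "estimated_reduction": estimated_reduction,
            "actual_reduction": actual_reduction,
            "z": z, "p_value": p_value, "decision": decision}


# Constructed scenario: a new control was estimated to halve credential-misuse
# incidents per login. Before: 40 incidents in 20,000 logins; after: 12 in 18,000.
CONTROL_ROLLOUT = evaluate_initiative(before=(40, 20_000), after=(12, 18_000),
                                      estimated_reduction=0.5)

# Constructed scenario with too little data to tell: 5 vs 3 incidents in 2,000 each.
SMALL_PILOT = evaluate_initiative(before=(5, 2_000), after=(3, 2_000),
                                  estimated_reduction=0.5)

if __name__ == "__main__":
    for name, result in (("control_rollout", CONTROL_ROLLOUT), ("small_pilot", SMALL_PILOT)):
        print(f"{name}: actual reduction {result['actual_reduction']:.0%}, "
              f"p={result['p_value']:.3g}, {result['decision']}")
```

The point of the second scenario is the one the slide makes with "Determine Actual Impact": a 40% drop on a small pilot looks like success in a status report, but the test says the data cannot distinguish it from noise, so the analysis sends the loop back to "Collect Metrics" rather than to a decision.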
Security Data Warehouse
[Block diagram: ANALYSIS AND INTELLIGENCE GATHERING. SENSORS (Applications, Internal Users, External Users, Perimeter Activity) -> Collectors -> Security Data Warehouse -> Actions]
And the 7th...
BUY-IN FROM THE TOP
The greatest time-suck for CISOs
"Not my circus, Not my monkeys"
Is your infosec team doing something creative every day?
@therealsaumil
www.net-square.com
#hacklu 2016
Thank You, Drive Through

Hack.LU - The Infosec Crossroads