The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018

My keynote at RootConf 2018.

  1. The Death Of Enterprise Security As We Know It
     Pukhraj Singh (@mleccha), RootConf 2018, Bangalore
  2. Other titles
     • Why am I still running an antivirus after 30 years?
     • Hackers are atheists, but there are gods in cybersecurity
  3. About me
     • 13 years of off-and-on experience in security
     • 5.5 years in the government
     • Imparts you with an altogether different worldview
     • “It was the best of times, it was the worst of times” – Charles Dickens
  4. This talk
     • Ideas gathered from six months of research on a manuscript
     • Not a microscopic, technical deep-dive
     • Security can’t be enumerated using feature-sets
     • Relying on aphorisms
     • How mystics expose the deeper truths the listeners already know
     • I truly stand on the shoulders of giants
     • Cyber is over-classified; the lack of empirical data makes it difficult to see patterns
     • I rely on experts who are *way* more prophetic than I am
  5. Focus areas
     • The security industry is cursed with unpredictability
     • “In IT security, offensive problems are technical - but most defensive problems are political and organisational”
     • Small things you could do to liberate your security architecture
  6. Cognitive dissonance in security
     “The test of a first-rate intelligence is the ability to hold two opposed ideas in mind at the same time and still retain the ability to function” -- F. Scott Fitzgerald, The Crack-Up
  7. Dense or sparse?
     Are vulnerabilities dense or sparse, asks cryptologist Bruce Schneier.
     Cognitive dissonance: the very lack of an answer may make vulnerabilities dense.
  8. Cyber is totally offense-centric
     “If we were to score cyber the way we score soccer, the tally would be 462-456, twenty minutes into the game” -- Chris Inglis, former Deputy Director of the National Security Agency
  9. Insecurity is an emergent property
     “Above some threshold of system complexity, it is no longer possible to test, it is only possible to react to emergent behaviour” -- Dan Geer, In-Q-Tel
  10. Every interface is an attack surface
     “Know your network” -- Advice from Rob Joyce, former head of TAO, NSA
     BUT CAN YOU, REALLY?
     “Ecology professor Philip Greear would challenge his graduate students to catalog all the life in a cubic yard of forest floor. Computer science professor Donald Knuth would challenge his graduate students to catalog everything their computers had done in the last ten seconds” -- Dan Geer, In-Q-Tel
  11. Data is code
     “Your computer is a state-space, and our data explores it. When it has no input, your computer program is in all potential quantum states - literally anything is possible because it is Turing complete if it has enough complexity. When we give it data, we collapse that waveform into a particular state of our choosing” -- Dave Aitel, CEO of Immunity
  12. Is the security complexity a threat in itself?
     Source: Mudge, Black Hat 2011
  13. Is the security complexity a threat in itself?
  14. “If you want to learn exploits today, start with the soft targets, go with the antivirus” -- Justin Schuh, Director, Google Chrome Security
  15. The animal spirits of the offensive underground
     Source: Cyber ITL (Mudge, Sarah Zatko et al), 2016
  16. The animal spirits of the offensive underground
     Source: Cyber ITL (Mudge, Sarah Zatko et al), 2016
  17. The animal spirits of the offensive underground
     Source: Cyber ITL (Mudge, Sarah Zatko et al), 2016
  18. The human spatial bias in security
     “Your perimeter is not the boundary of your network, it’s the boundary of your telemetry” -- The Grugq
  19. So, is true situational awareness really possible?
  20. The defenders are just plain lucky
     • Dave Aitel and a FireEye executive walk into a bar…
     • We’ve fully regressed as an industry
     • DirtyCow
     • “A data centre to protect a data centre” – Alex Stamos, ex-CISO of Facebook
     • Market rut: endpoint instrumentation & telemetry economies of scale
     • ML: we don’t have enough computation to run the full state-space of an enterprise
  21. “In IT security, offensive problems are technical - but most defensive problems are political and organisational” -- Halvar Flake, Google
  22. “But let me be clear about one thing that may make cybersecurity different than all else and that is that we have sentient opponents. The physicist does not. The chemist does not. Not even the economist has sentient opponents. We do.” -- Dan Geer, In-Q-Tel
     And politics has the biggest influence on human sentience
  23. Politics influences:
     • The ciphers you use
     • The processors, routers and antivirus you run
     • The defensive “innovations” in the security industry
     • The unjustifiable persistence of centralized architectures like DNS, SSL and BGP, etc.
     • Bug classes like Spectre and Meltdown
     • What hackers say, or do not say
     • …
  24. The hybrid war is at an enterprise’s doorstep
     “We are fighting at the intersection of a Venn diagram where the finances of a non-state actor meet the capabilities of a state actor” -- Le me
     • An enterprise can survive a gust of wind, not a Category-4 hurricane
     • No demarcation anymore between the private and the public
  25. The hybrid war is at an enterprise’s doorstep
     “If the cost of attack < the value of information = you will be attacked” -- Dino Dai Zovi
  26. The four misconceptions about offense
     • That it is cheap
     • That the attacker has an inherent and unprecedented advantage
     • That it is purely a technical thing
     • That the attackers use ‘atomic’ exploits (they use toolchains)
     Some rhetoric:
     • Defenders need to protect everything, whereas an attacker just needs to compromise one
     • Attackers think in graphs, defenders think in lists
     • Attackers target infrastructure
  27. The three cardinal principles of offense
     -- Matthew Monte, former cyber-offense expert at the Central Intelligence Agency
     Source: Network Attacks & Exploitation
  28. + The fourth principle: time
     “If you attack faster than log replication, you are free” -- Sacha Faust, Microsoft Azure Red Team
  29. + And maybe, the fifth principle: bureaucracy
  30. + And maybe, the fifth principle: bureaucracy
     Source: http://addxorrol.blogspot.in/2006/04/more-on-automated-malware.html
  31. Things defenders could do…
     • Expand the boundary of their telemetry. Collaborate in state-space
     • Escalate the attackers’ costs and degrade their toolchains
     • Include geopolitics in their defensive spectrum
     • Liberate their security analytics and situational awareness
  32. The general’s patents
  33. Machine-to-machine standards: STIX/TAXII
  34. Machine-to-machine standards: OpenC2
  35. Open attack taxonomy: MITRE’s ATT&CK
  36. Open security analytics stacks: Apache Metron
  37. Open security analytics stacks: Apache Spot
  38. Security response: dumb it down
     • Apoptosis
     • The human immune system has a remarkably low signature memory
     • Even the variance among defensive cells is minimal
     • Analysis and response are an anathema
     • Creates an artificial resource scarcity
     • Don’t analyse, just reset
     • In-Q-Tel’s Cyber Reboot
     • “Rebalance the equation to increase the cost and complexity for our adversaries…while reducing cost and complexity for our defenders”
     • Threat Intel & Info Sharing + Security Enhanced SDNs + Endpoint Fluxing
  39. Thanks
     When it comes to driving security innovation, my motto is “Strong opinions, loosely held” -- Gunter Ollmann, CTO (Security), Microsoft