Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Hack.LU - The Infosec Crossroads


Published on

"Today’s attacks succeed because the defense is reactive". It is time to transition defense from being reactive to proactive. This is a keynote level talk, which discusses my seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.

Published in: Technology

Hack.LU - The Infosec Crossroads

  1. 1. HACK.LU 2016NETSQUARE 2016: The Infosec Crossroads
  2. 2. HACK.LU 2016NETSQUARE About Me @therealsaumil saumilshah hacker, trainer, speaker, author, photographer educating, entertaining and exasperating audiences since 1999 Saumil Shah CEO, Net-Square
  3. 3. HACK.LU 2016NETSQUARE Today's attacks succeed because the defense is REACTIVE
  4. 4. HACK.LU 2016NETSQUARE The Evolution of Attacks
  5. 5. HACK.LU 2016NETSQUARE Servers Applications Desktops Browsers Pockets How Have Targets Shifted?
  6. 6. HACK.LU 2016NETSQUARE Attacks Follow The Money Defacement DDoS Phishing ID Theft Financial Transactions Targeted APT
  7. 7. HACK.LU 2016NETSQUARE Today's Fashion: Breaches
  8. 8. HACK.LU 2016NETSQUARE Firewalls IDS/IPS Antivirus WAF Endpoint Security DEP, ASLR Sandbox One-way Hacking Fragmented Packets Obfuscation Character Encoding DNS Exfiltration ROP, Infoleak Jailbreak Hackers Have A Positive Outlook
  10. 10. HACK.LU 2016NETSQUARE wherein buildings reveal near- infinite interiors, capable of being traversed through all manner of non-architectural means Nakatomi Space
  11. 11. HACK.LU 2016NETSQUARE It was different 12 years ago! Individual effort. 1 week dev time. 3-6 months shelf life. Hundreds of public domain exploits. "We did it for the lols."
  12. 12. HACK.LU 2016NETSQUARE Today... Team effort. 2-12 month dev time. 24h to 10d shelf life. Public domain exploits nearly zero. Cost,value of exploits has significantly risen. WEAPONIZATION.
  13. 13. HACK.LU 2016NETSQUARE The defenders tried to buy back their bugs...
  14. 14. HACK.LU 2016NETSQUARE Bug Bounties: high stakes game Chris Evans – Pwnium: Element 1337
  15. 15. HACK.LU 2016NETSQUARE Bug Bounties tried to fill a reactive need.
  16. 16. HACK.LU 2016NETSQUARE Bug Bounties Backfiring?
  17. 17. HACK.LU 2016NETSQUARE
  18. 18. HACK.LU 2016NETSQUARE The (d)evolution of Users
  19. 19. HACK.LU 2016NETSQUARE Advanced Technology Is...Advanced
  20. 20. HACK.LU 2016NETSQUARE Technology in the hands of users @needadebitcard
  21. 21. HACK.LU 2016NETSQUARE The user's going to pick dancing pigs over security every time. Bruce Schneier
  22. 22. HACK.LU 2016NETSQUARE The Reactive Approach to defense
  23. 23. HACK.LU 2016NETSQUARE Compliance != Security
  24. 24. HACK.LU 2016NETSQUARE
  25. 25. HACK.LU 2016NETSQUARE Attackers don't follow standards and certifications.
  26. 26. HACK.LU 2016NETSQUARE Today's Infosec Defence? Rules Signatures Updates Machine Learning
  27. 27. HACK.LU 2016NETSQUARE
  28. 28. HACK.LU 2016NETSQUARE Existing strategies do not match attacker tactics.
  29. 29. HACK.LU 2016NETSQUARE Intelligence Driven Security net-square From REACTIVE to PROACTIVE
  30. 30. HACK.LU 2016NETSQUARE "The Universe tells you everything you need to know about it, as long as you are prepared to watch, to listen, to smell, in short to OBSERVE." Sources of Security Intelligence?
  31. 31. HACK.LU 2016NETSQUARE PROACTIVE Security Testing...
  32. 32. HACK.LU 2016NETSQUARE @therealsaumil's SEVEN AXIOMS of Security
  33. 33. HACK.LU 2016NETSQUARE Collect EVERYTHING! Seven Axioms of Security: 1
  34. 34. HACK.LU 2016NETSQUARE Collect Everything! •  Security Data Warehouse: first step towards proactive security. •  Retention is CHEAPER than Deletion. •  Importance of HISTORICAL DATA increases exponentially with time.
  35. 35. HACK.LU 2016NETSQUARE Can't MEASURE? Can't Use. Seven Axioms of Security: 2
  36. 36. HACK.LU 2016NETSQUARE Why Keep Metrics? •  To show you are succeeding –  Corollary: to show you are failing •  To justify your existence and/or budget •  To argue for change •  For fun! Marcus Ranum Security Metrics: The Quest For Meaning IT Defense 2016, Mainz
  37. 37. HACK.LU 2016NETSQUARE How to Establish Metrics •  Look at your process and make a list of what is quantifiable •  Ask yourself what quantities you are interested in –  Once things are quantified they go up, or down – which is about the only convenient thing of metrics: they don't go sideways, too •  Which is a "good" direction: up or down? •  Do you know what constitutes a significant movement? •  Measure and iterate Marcus Ranum Security Metrics: The Quest For Meaning IT Defense 2016, Mainz
  38. 38. HACK.LU 2016NETSQUARE Why Metrics Win •  Often information security becomes what I call a "battle of two narratives" –  Your opponent has the advantage of lying: –  "moving this to the cloud will save us $500,000/year!" –  To defend your narrative you need facts (from metrics) and credible extrapolations (based on metrics) or your opponent controls the narrative! * * Plan B is to respond with lies of your own Marcus Ranum Security Metrics: The Quest For Meaning IT Defense 2016, Mainz
  39. 39. HACK.LU 2016NETSQUARE Test like an attacker: RED TEAM. Seven Axioms of Security: 3
  40. 40. HACK.LU 2016NETSQUARE UNREALISTIC PEN-TESTING SCENARIOS •  Wait for new production release •  Don't test on production •  Don't perform intrusive testing •  X is out of scope •  Test during off-peak hours
  41. 41. HACK.LU 2016NETSQUARE Who are you more scared of? Attackers or Auditors?
  42. 42. HACK.LU 2016NETSQUARE User RATINGS! Seven Axioms of Security: 4
  43. 43. HACK.LU 2016NETSQUARE
  44. 44. HACK.LU 2016NETSQUARE numberofusers infosec maturity Hopeless Uninformed Proactive Rock Stars Identify your target users... Always going to be an enigma. If properly guided, these users are willing to improve their usage habits. The next Rock Star users. Leave them alone, and possibly learn from them.
  45. 45. HACK.LU 2016NETSQUARE ...and improve their maturitynumberofusers infosec maturity Hopeless Uninformed Proactive Rock Stars
  46. 46. HACK.LU 2016NETSQUARE Set BOOBY TRAPS. Seven Axioms of Security: 5
  47. 47. HACK.LU 2016NETSQUARE
  48. 48. HACK.LU 2016NETSQUARE ANALYSIS decide Actions. Seven Axioms of Security: 6
  49. 49. HACK.LU 2016NETSQUARE WARNING! Block Diagrams Ahead!
  50. 50. HACK.LU 2016NETSQUARE Take Informed Decisions Analysis NEW INITIATIVE Estimate Impact Collect Metrics Determine Actual Impact
  51. 51. HACK.LU 2016NETSQUARE Security Data Warehouse ANALYSIS AND INTELLIGENCE GATHERING Collectors SENSORS Actions Applications Internal Users External Users Perimeter Activity
  52. 52. HACK.LU 2016NETSQUARE BUY-IN FROM THE TOP And the 7th...
  53. 53. HACK.LU 2016NETSQUARE The greatest time-suck for CISOs "Not my circus, Not my monkeys"
  54. 54. HACK.LU 2016NETSQUARE Is your infosec team doing something creative every day?
  55. 55. HACK.LU 2016NETSQUARE @therealsaumil #hacklu 2016 Thank You, Drive Through