Redefining Defense - HITB2017AMS Keynote

It is time to transition defense from being reactive to proactive. This talk discusses seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.

1. #HITB2017AMSNETSQUARE SAUMIL SHAH, CEO, NET SQUARE, @therealsaumil #HITB2017AMS
2. WARNING! Disruptive Thoughts Ahead
3. WARNING! Block Diagrams Ahead
4. About Me: Saumil Shah, CEO, Net Square, @therealsaumil. Hacker, trainer, speaker, photographer, rebel. Educating, entertaining and exasperating audiences since 1999.
5. The Evolution of Attacks: 2001-17
6. The Evolution of Targets: 2001-17: Servers, Applications, Desktops, Browsers, Pockets, Populations
7. ...Defense: 2001-17 (each defense of the period against the attacker technique that answered it)
   Firewalls      vs. One-way Attacks
   IDS/IPS        vs. FragRouter
   Antivirus      vs. Obfuscation
   WAF            vs. Char Encoding
   DLP, EPS       vs. DNS Exfil
   DEP, ASLR      vs. ROP, Infoleak
   Sandbox        vs. Jailbreak
   Different.... but Same Same
8. Example: ROWHAMMER (image by Dsimic, https://commons.wikimedia.org/w/index.php?curid=38868341)
9. Example: STEGOSPLOIT, http://stegosploit.info. Block diagram: EXPLOIT CODE + IMAGE -> PIXEL ENCODER -> ENCODED IMAGE; ENCODED IMAGE + STEGO-DECODER JAVASCRIPT -> POLYGLOT (IMAJS) -> TARGET BROWSER
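The PIXEL ENCODER and STEGO-DECODER boxes of the block diagram on slide 9, as an added example that is not Stegosploit's own code (Stegosploit's real encoder, bit layout and polyglot construction are described at http://stegosploit.info and are not reproduced here). Everything below the diagram's level is an assumption made for the illustration: one payload bit in the least significant bit of each R, G and B channel, alpha left untouched, a 32-bit big-endian length header in front of the payload, and a lossless container so the low bits survive. The pixel buffer is RGBA, the same layout a browser hands the decoder from `CanvasRenderingContext2D.getImageData(...).data`; the sample image is a constructed gradient.

```javascript
// Added example, not Stegosploit's code. Assumptions (not from the slide):
// 1 payload bit per R, G, B channel LSB, alpha untouched, u32 big-endian
// length header, lossless container. Buffer layout is RGBA, as returned by
// CanvasRenderingContext2D.getImageData(...).data in a browser.

// Constructed sample cover image: a deterministic gradient, width*height RGBA pixels.
function makeSamplePixels(width, height) {
  const px = new Uint8ClampedArray(width * height * 4);
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const i = (y * width + x) * 4;
      px[i] = (x * 31) & 0xff;          // R
      px[i + 1] = (y * 17) & 0xff;      // G
      px[i + 2] = ((x + y) * 7) & 0xff; // B
      px[i + 3] = 255;                  // A, never used as a carrier
    }
  }
  return px;
}

// Byte offset of the channel carrying payload bit number `bitIdx`:
// three carrier channels per pixel, four bytes per pixel.
function carrierOffset(bitIdx) {
  return Math.floor(bitIdx / 3) * 4 + (bitIdx % 3);
}

function capacityBits(pixels) {
  return Math.floor(pixels.length / 4) * 3;
}

// Pixel encoder: returns a copy of `pixels` whose carrier LSBs hold
// [u32 length][payload bytes], most significant bit first.
function encodeIntoPixels(pixels, payload) {
  const framed = new Uint8Array(4 + payload.length);
  new DataView(framed.buffer).setUint32(0, payload.length, false);
  framed.set(payload, 4);
  if (framed.length * 8 > capacityBits(pixels)) {
    throw new Error(`payload needs ${framed.length * 8} bits, image carries ${capacityBits(pixels)}`);
  }
  const out = new Uint8ClampedArray(pixels);
  let bitIdx = 0;
  for (const byte of framed) {
    for (let b = 7; b >= 0; b--) {
      const off = carrierOffset(bitIdx++);
      out[off] = (out[off] & 0xfe) | ((byte >> b) & 1);
    }
  }
  return out;
}

// Read `nBits` carrier bits starting at `startBit` as an unsigned integer.
// Multiplication instead of << keeps 32-bit values positive.
function readBits(pixels, startBit, nBits) {
  let value = 0;
  for (let k = 0; k < nBits; k++) {
    value = value * 2 + (pixels[carrierOffset(startBit + k)] & 1);
  }
  return value;
}

// Stego decoder, the JavaScript half of the polyglot run against the
// getImageData() buffer. An ordinary (non-stego) image yields a garbage
// length header; the capacity check rejects it instead of returning junk.
function decodeFromPixels(pixels) {
  const cap = capacityBits(pixels);
  if (cap < 32) throw new Error('image too small for a length header');
  const len = readBits(pixels, 0, 32);
  if (32 + len * 8 > cap) {
    throw new Error(`length header ${len} exceeds image capacity; not a stego image?`);
  }
  const out = new Uint8Array(len);
  for (let i = 0; i < len; i++) out[i] = readBits(pixels, 32 + i * 8, 8);
  return out;
}

// Round trip on the constructed cover image (64 px -> 192 carrier bits).
function demo() {
  const cover = makeSamplePixels(8, 8);
  const payload = new TextEncoder().encode('payload-bytes'); // constructed, 13 bytes
  const stego = encodeIntoPixels(cover, payload);
  return new TextDecoder().decode(decodeFromPixels(stego));
}

console.log(demo());
```

In a browser the decoder side replaces `makeSamplePixels` with `ctx.drawImage(img, 0, 0)` followed by `ctx.getImageData(0, 0, w, h).data`. Two points the round trip makes concrete: the carrier is only the low bits, so a lossy re-encode of the image (JPEG recompression by a proxy or upload pipeline) destroys the payload, which is why the container format matters; and the only thing the decoder trusts from the image is a length field, so it must be bounded by the image's actual capacity before allocating anything.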
10. There will be Vulnerabilities
11. Nakatomi Space: "wherein buildings reveal near-infinite interiors, capable of being traversed through all manner of non-architectural means" http://www.bldgblog.com/2010/01/nakatomi-space/
12. Attacks succeed because today's defense is REACTIVE.
13. Exploit Development - 2002: Individual effort. 1 week dev time. 3-6 months shelf life. Hundreds of public domain exploits. "We did it for the LOLs."
14. TWO TIMELINES >
15. The evolution of a new species (credit @halvarflake): SafeSEH, DEP, ASLR, CFG, Isolated Heap, NOZZLE, /GS, SEHOP, RelRO
16. The MitiGator raises the bar... ...until it sees no more exploits (credit @halvarflake)
17. A long time ago in a galaxy far, far away... MICROSOFT STRIKES BACK
18. (image only)
19. 2005: Ciscogate – Michael Lynn https://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
20. 2009: CanSecWest (photo credit: Garrett Gee)
21. Exploit Development - 2012: 2-12 month dev time. 24h to 10d shelf life. Public domain exploits = zero. Cost and value of exploits have risen significantly: COMMERCIALIZED, WEAPONIZED, POLITICIZED.
22. The defenders tried to buy back their bugs...
23. Bug Bounties: high stakes game. Chris Evans – Pwnium: Element 1337
24. Bug Bounties tried to fill a REACTIVE need.
25. Bug Bounties Backfiring?
26. (image only)
27. More Reactive Security
28. Compliance != Security
29. (image only)
30. Security = "RISK REDUCTION": Rules, Signatures, Updates, Machine Learning
31. (image only)
32. Existing defense measures do not match attacker tactics.
33. Attackers don't follow compliance standards and certifications.
34. The CISO: 2001-2017
35. In 2001... CIO: INFOTECH = BUSINESS ENABLER. CISO: INFOSEC = RISK REDUCTION, $$$, C.Y.A.
36. Dear CISO, who is scarier: ATTACKERS or AUDITORS?
37. It is time we ...not by building firewalls...
38. @therealsaumil's SEVEN AXIOMS of Security
39. Intelligence Driven Defense: From REACTIVE to PROACTIVE
40. Seven Axioms of Security: 1. Defense doesn't mean Risk Reduction.
41. Seven Axioms of Security: 1. The CISO's job is DEFENSE.
42. Compliance is NOT the CISO's job. "Not my circus, not my monkeys." 90% TIME SPENT ON COMPLIANCE! http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/
43. In 2017... CISO: INFOSEC = DEFENSE, DEFEND AGAINST ATTACKERS. CCO (CHIEF COMPLIANCE OFFICER): DEFEND AGAINST AUDITORS.
44. Seven Axioms of Security: 2. Intelligence begins by COLLECTING EVERYTHING!
45. Collect Everything!
    •  Security Data Warehouse: first step towards proactive security.
    •  Retention is CHEAPER than Deletion.
    •  Importance of HISTORICAL DATA increases exponentially with time.
46. Sources of Security Intelligence?
47. Sources of Security Intelligence: "The Universe tells you everything you need to know about it, as long as you are prepared to watch, to listen, to smell, in short to OBSERVE."
48. Get CREATIVE, Get ORGANIC. ORGANIC SECURITY = Grow It Yourself!
49. Seven Axioms of Security: 3. Schrödinger's Hack: Systems exist in both SECURE and HACKED states at the same time.
50. Seven Axioms of Security: 3. TEST REALISTICALLY.
51. Foregone conclusion: "My System Is SECURE". Test strategy that will lead you to this conclusion:
    •  Wait for a new production build.
    •  Don't test on production, only on UAT.
    •  Perform non-intrusive testing.
    •  X, Y, Z, ... are all out of scope.
    •  Test during off-peak hours only.
52. Seven Axioms of Security: 4. Can't MEASURE? Can't Use.
53. Why Keep Metrics? (Marcus Ranum, Security Metrics: The Quest For Meaning, IT Defense 2016, Mainz)
    •  To show you are succeeding
       –  Corollary: to show you are failing
    •  To justify your existence and/or budget
    •  To argue for change
    •  For fun!
54. How to Establish Metrics (Marcus Ranum, Security Metrics: The Quest For Meaning, IT Defense 2016, Mainz)
    •  Look at your process and make a list of what is quantifiable
    •  Ask yourself what quantities you are interested in
       –  Once things are quantified they go up, or down – which is about the only convenient thing of metrics: they don't go sideways, too
    •  Which is a "good" direction: up or down?
    •  Do you know what constitutes a significant movement?
    •  Measure and iterate
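The steps on slide 54 as code, an added example that is neither from the talk nor from Marcus Ranum's material. Each metric records what was quantified, which direction is "good" and a baseline history; the latest value counts as a significant movement when it sits at least `threshold` sample standard deviations from the baseline mean. The threshold, the metric names and the weekly sample values are all constructed for the illustration.

```javascript
// Added example, not from the talk or from Marcus Ranum's slides.
// The threshold and the sample metrics below are constructed.

function mean(xs) {
  return xs.reduce((a, b) => a + b, 0) / xs.length;
}

// Sample standard deviation (n-1) of the baseline period.
function stddev(xs) {
  const m = mean(xs);
  return Math.sqrt(xs.reduce((a, x) => a + (x - m) ** 2, 0) / (xs.length - 1));
}

// metric = { name, unit, goodDirection: 'up' | 'down', history: number[], latest: number }
function assessMetric(metric, threshold = 2) {
  // "Which is a good direction?" has to be answered before the number means anything.
  if (metric.goodDirection !== 'up' && metric.goodDirection !== 'down') {
    throw new Error(`${metric.name}: decide which direction is good before reporting it`);
  }
  // "What constitutes a significant movement?" needs a baseline to compare against.
  if (!Array.isArray(metric.history) || metric.history.length < 3) {
    throw new Error(`${metric.name}: need at least 3 baseline samples`);
  }
  const baseline = mean(metric.history);
  const spread = stddev(metric.history);
  const delta = metric.latest - baseline;
  const direction = delta > 0 ? 'up' : delta < 0 ? 'down' : 'flat';
  // A perfectly flat baseline makes any change infinitely significant; say so.
  const z = spread === 0 ? (delta === 0 ? 0 : Infinity) : delta / spread;
  return {
    name: metric.name,
    unit: metric.unit,
    baseline: Number(baseline.toFixed(2)),
    latest: metric.latest,
    direction,
    z: Number.isFinite(z) ? Number(z.toFixed(2)) : z,
    significant: Math.abs(z) >= threshold,
    // null when nothing moved: neither good nor bad, nothing to argue about.
    good: direction === 'flat' ? null : direction === metric.goodDirection,
  };
}

// Constructed weekly samples; the metric names are illustrative, not the talk's.
const SAMPLE_METRICS = [
  { name: 'median alert-to-containment time', unit: 'hours', goodDirection: 'down',
    history: [30, 28, 33, 31, 29, 32], latest: 14 },
  { name: 'phishing simulation click rate', unit: '%', goodDirection: 'down',
    history: [12, 11, 13, 12], latest: 12.5 },
  { name: 'hosts seen on the network but missing from inventory', unit: 'count', goodDirection: 'down',
    history: [5, 6, 4, 5, 6, 4], latest: 20 },
];

// Only significant movements earn a sentence in the narrative;
// everything else is reported as noise so nobody argues from it.
function report(metrics, threshold = 2) {
  return metrics.map(m => assessMetric(m, threshold)).map(r => ({
    ...r,
    verdict: !r.significant ? 'no significant movement'
      : r.good ? 'significant improvement' : 'significant regression',
  }));
}

for (const r of report(SAMPLE_METRICS)) {
  console.log(`${r.name}: ${r.baseline} -> ${r.latest} ${r.unit} (${r.direction}, z=${r.z}): ${r.verdict}`);
}
```

The z-score against a short baseline is a deliberately simple definition of "significant"; the point is that the definition is written down and applied the same way every period, so a 0.5-point wobble in click rate and a halving of containment time are not presented with the same weight.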
55. Alberto Brandolini @ziobrando (The Bullshit Asymmetry) (image)
56. Why Metrics Win (Marcus Ranum, Security Metrics: The Quest For Meaning, IT Defense 2016, Mainz)
    •  Often information security becomes what I call a "battle of two narratives"
       –  Your opponent has the advantage of lying:
       –  "moving this to the cloud will save us $500,000/year!"
       –  To defend your narrative you need facts (from metrics) and credible extrapolations (based on metrics) or your opponent controls the narrative! *
    * Plan B is to respond with lies of your own
57. Seven Axioms of Security: 5. Users: One Size Fits NONE!
58. "The user's going to pick dancing pigs over security every time." Bruce Schneier
59. Technology in the hands of users: @needadebitcard
60. (image only)
61. Identify your target users... (chart: number of users against infosec maturity, in four bands)
    HOPELESS: Always going to be an enigma.
    UNINFORMED: If properly guided, these users are willing to improve their usage habits.
    PROACTIVE: The next Rock Star users.
    ROCK STARS: Leave them alone, and possibly learn from them.
62. ...and improve their maturity (same chart: number of users against infosec maturity, bands HOPELESS, UNINFORMED, PROACTIVE, ROCK STARS)
63. Seven Axioms of Security: 6. The Best Defense is a CREATIVE Defense.
64. Seven Axioms of Security: 6. A Creative Defense is an UNEXPECTED Defense.
65. (image only)
66. Seven Axioms of Security: 7. Make Defense VISIBLE, Make Defense COUNT.
67. Visible Defense
    •  Improve the User Maturity Curve.
    •  Reduce Blue Team's Response Time.
    •  Money Saved = Money Earned: Consistent Reduction in Frauds.
    •  Produce Creative Defense Tools.
    •  Attract Smarter Talent in Infosec.
    •  Weekly fitness check...
68. ...The CISO Strength Test (https://github.com/swannman/ircapabilities): ASSET INVENTORY, REAL-TIME VISIBILITY OF EVENTS, DETECT UNAUTHORIZED ACTIVITY, CLASSIFY UNAUTHORIZED ACTIVITY, ATTACKER CAPABILITY, DETECT INTRUSIONS, UNCOVER ATTACKERS, TRACK ATTACKERS, DEFEND & RECOVER
69. Is your Infosec team doing something creative every day?
70. @therealsaumil www.net-square.com #HITB2017AMS Thank You, Drive Through. NETSQUARE
