
The Infosec Crossroads - 44CON 2016

From Reactive to Proactive Defense - My presentation at 44CON 2016



  1. #44CON 2016 NETSQUARE 2016: THE INFOSEC CROSSROADS > Saumil Shah - CEO, Net-Square. 44CON 2016
  2. About Me: @therealsaumil, saumilshah. Hacker, trainer, speaker, author, photographer. Educating, entertaining and exasperating audiences since 1999. Saumil Shah, CEO, Net-Square
  3. Today's attacks succeed because the defense is REACTIVE
  4. The Evolution of Attacks
  5. How Have Targets Shifted? Servers, Applications, Desktops, Browsers, Pockets
  6. The Game Changers: Perimeter Security, Web Apps, Broadband Networks, WiFi, Social Networks, Cellular Data
  7. Attacks Follow The Money: Defacement, DDoS, Phishing, ID Theft, Financial Transactions, Targeted APT
  8. Today's Fashion: Breaches
  9. Firewalls, IDS/IPS, Antivirus, WAF, Endpoint Security, ASLR/DEP, Sandbox vs. One-way Hacking, Packet Fragmentation, Obfuscation, Character Encoding, DNS Exfiltration, Return Oriented Programming, Jailbreak
  10. Latest Example: Stegosploit (diagram labels: IMAJS, stego-decoder JavaScript, target browser, polyglot, pixel encoder, exploit code, image, encoded image)
  11. "Nakatomi space", wherein buildings reveal near-infinite interiors, capable of being traversed through all manner of non-architectural means. http://www.bldgblog.com/2010/01/nakatomi-space/
  12. It was different 12 years ago! Individual effort. 1 week dev time. 3-6 months shelf life. Hundreds of public domain exploits. "We did it for the fame. lols."
  13. Today... Team effort. 2-12 month dev time. 24h to 10d shelf life. Public domain exploits nearly zero. Cost and value of exploits has significantly risen. WEAPONIZATION.
  14. Haroon Meer: "For a few hundred K, could you put together a team that would break in just about anywhere?" CCDCOE Conference on Cyber Conflict, 2010
  15. $100k – 500k
  16. Attacking is (much) cheaper than defence. Attacker toolchains are far more complex than the public demonstrations we have seen so far.
  17. The defenders tried to buy back their bugs...
  18. Bug Bounties: high stakes game. Chris Evans – Pwnium: Element 1337
  19. Bug Bounties tried to fill a reactive need.
  20. Bug Bounties: backfiring?
  21. (no extractable text)
  22. The (d)evolution of Users
  23. Advanced Technology Is... Advanced
  24. Technology in the hands of users
  25. "The user's going to pick dancing pigs over security every time." Bruce Schneier
  26. "The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious." Doctor Who, "Pirate Planet". XKCD 358 "Security"
  27. (no extractable text)
  28. The Wrong Approach to defense
  29. Compliance != Security
  30. (no extractable text)
  31. Who are you more scared of? Attackers or Auditors?
  32. Attackers don't follow standards and certifications.
  33. Today's Infosec Defence? Rules, Signatures, Updates, Machine Learning
  34. (no extractable text)
  35. Existing strategies do not match attacker tactics.
  36. UNREALISTIC TESTING SCENARIOS
     • Wait for new production release
     • Don't test on production
     • Don't perform intrusive testing
     • X is out of scope
     • Test during off-peak hours
  37. Intelligence Driven Security (net-square): From REACTIVE to PROACTIVE
  38. Security Data Warehouse (diagram labels: Sensors, Collectors, Analysis and Intelligence Gathering, Actions, Applications, Internal Users, External Users, Perimeter Activity)
  39. We already have all the information needed to defend our organization.
  40. PROACTIVE Security Testing
  41. @therealsaumil's SEVEN AXIOMS of Security
  42. THE SEVEN AXIOMS OF SECURITY: Collect EVERYTHING!
  43. Can't MEASURE? Can't Use.
  44. Test like an attacker. RED TEAM.
  45. User RATINGS!
  46. Set BOOBY TRAPS.
  47. ANALYSIS decides Actions.
  48. And the 7th... BUY-IN FROM THE TOP
  49. Is your infosec team doing something creative every day?
  50. THANK YOU > Saumil Shah, www.net-square.com
