The Road To Defendable Systems - Emirates NBD

"Attack is a technical problem, defense is a political problem". For several years, cyber security has been misjudged as risk reduction. On one hand, business applications and architectures are growing rapidly. On the other hand, the cyber security organisation is struggling to be able to defend them in today's rapidly evolving threat landscape.

This talk explores the gap in thought between the owner and the defender of today's business applications and what needs to be done to bridge it. We shall present proactive steps and measures to overcome the last hurdle in building defendable systems.

Published in: Software

  1. SAUMIL SHAH, CEO, NET SQUARE, @therealsaumil. #EmiratesNBD 2019. NETSQUARE
  2. # WHO AM I: Saumil Shah, CEO, Net Square, @therealsaumil. Educating, entertaining and exasperating audiences since 1999.
  3. A TALE OF TWO KEYNOTES
  4. ATTACKS ARE A TECHNICAL PROBLEM, DEFENSE IS A POLITICAL PROBLEM. Thomas Dullien, "Why we are not building a defendable Internet", BH ASIA 2017
  5. DEFENSE 2001-19: Firewalls, IDS/IPS, Antivirus, WAF, DLP/EPS, DEP/ASLR, Sandbox. DIFFERENT.... Reactive approach: block the bad things and be secure again.
  6. DIFFERENT.... BUT SAME SAME. Each defense is paired on the slide with the attacker technique that met it: Firewalls / one-way attack; IDS/IPS / fragrouter; Antivirus / obfuscation; WAF / char encoding; DLP, EPS / DNS exfil; DEP, ASLR / ROP, infoleak; Sandbox / jailbreak.
  7. EXISTING DEFENSE MEASURES DO NOT MATCH ATTACKER TACTICS
  8. ROWHAMMER, SPECTRE, MELTDOWN. Have they really gone away?
  9. STEGOSPLOIT, http://stegosploit.info. Diagram labels: exploit code, pixel encoder, encoded image, JavaScript stego-decoder, IMAJS polyglot, image, target browser.
  10. VULNERABILITIES THERE WILL BE
  11. NAKATOMI SPACE: "wherein buildings reveal near-infinite interiors, capable of being traversed through all manner of non-architectural means." http://www.bldgblog.com/2010/01/nakatomi-space/
  12. DEAR CISO, WHO ARE YOU MOST SCARED OF? Saumil Shah, "The Seven Axioms Of Security", BH ASIA 2017
  13. WHO'S SCARIER? ATTACKERS or AUDITORS?
  14. ATTACKERS DON'T FOLLOW COMPLIANCE STANDARDS AND CERTIFICATIONS
  15. WHOSE DEFENSE IS IT ANYWAY? IS CYBER SECURITY A SHARED VISION? If not... a game of PUSHBACK and COMPLIANCE.
  16. MUTUALLY ASSURED DESTRUCTION
  17. SCHRÖDINGER'S HACK: HACKED / SECURE
  18. CYBERSECURITY ASYMMETRY. HAVES: capable of custom analytics, threat detection and response; owning cyber security; sucked up all the talent. HAVE NOTS: not capable; cyber security is a necessary evil; purely dependent upon commercial solutions.
  19. THE ELEMENTS OF A DEFENDABLE SYSTEM: TRANSPARENCY, METRICS, RESILIENCE, USERS
  20. BANK STATEMENTS: Account Activity, Spending Record, Account Reconciliation, Unauthorized Expenses
  21. A BANK STATEMENT FOR APP/SOFTWARE ACTIVITY. Thomas Dullien, http://addxorrol.blogspot.com/2018/03/a-bank-statement-for-app-activity-and.html: "How could one empower users to account for their private data, while at the same time helping platform providers identify malicious software better? By providing users with the equivalent of a bank statement for app/software activity. The way I imagine it would be roughly as follows: A separate component of my mobile phone (or computer) OS keeps detailed track of app activity: What peripherals are accessed at what times, what files are accessed, etc."
  22. T.A.T. Element 1337 in the Periodic Table: Pwnium. Chris Evans, #HITB2012KUL
  23. BREAKERS MAKERS
  24. MAKERS BREAKERS
  25. MAKER AND BREAKER PROCESSES. Makers: mature coding practices, continuous integration, nightly builds, versioning, QA, unit testing, bug tracking, bug fixing/testing. Breakers: black box testing, crash dumps, errors, exploitability analysis, POC.
  26. T.A.T. Element 1337 in the Periodic Table: Pwnium. Chris Evans, #HITB2012KUL
  27. PEBKAC
  28. "THE USER'S GOING TO PICK DANCING PIGS OVER SECURITY ANYTIME." Bruce Schneier
  29. TECHNOLOGY CUTS BOTH WAYS. @needadebitcard
  30. USERS: ONE SIZE FITS NONE
  31. IDENTIFY YOUR TARGET USERS... Chart of number of users against infosec maturity, with four groups: HOPELESS (always going to be an enigma), UNINFORMED (if properly guided, these users are willing to improve their usage habits), PROACTIVE (the next Rock Star users), ROCK STARS (leave them alone, and possibly learn from them).
  32. ...AND IMPROVE THEIR MATURITY. Same chart of number of users against infosec maturity: HOPELESS, UNINFORMED, PROACTIVE, ROCK STARS.
  33. LET'S TALK ABOUT PASSWORDS
  34. https://xkcd.com/936: WE'VE SUCCESSFULLY TRAINED EVERYONE TO USE PASSWORDS THAT ARE HARD FOR HUMANS TO REMEMBER, BUT EASY FOR COMPUTERS TO GUESS.
  35. MAKE AUTHENTICATION GREAT AGAIN
  36. PUT THE USER IN CONTROL
  37. RESIST: Pass The Parcel; Rules, Signatures, Updates, Patches; The Next Short-Lived Security Product; Encumber Your Users.
  38. RESONATE: Take Ownership; Build Defendable Systems; Security and Trustworthiness as a core feature; EMPOWER Your Users.
  39. THERE IS NO SECRET INGREDIENT
  40. THANK YOU. @therealsaumil, www.net-square.com, #EmiratesNBD 2019. NETSQUARE
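The "bank statement for app/software activity" of slides 20 and 21 (transparency as an element of a defendable system) can be made concrete. The following is an added example written for this page, not code from Dullien, the speaker or Net Square. It reads a constructed activity log (the pipe-separated event format, app names, hosts and paths are all invented), prints a per-app statement of what each app touched, and then reconciles that statement against what each app declared it needs, which is the "account reconciliation" and "unauthorized expenses" part of the analogy. The `DECLARED` table stands in for whatever permission manifest a real platform would provide.

```python
"""Added example: an app-activity 'bank statement' with reconciliation.

Illustrative code written for this page, not Dullien's or Net Square's.
Constructed/hypothetical: the pipe-separated event format, the app names, hosts
and paths, and the DECLARED table of what each app says it needs. The idea
(an OS component records which peripherals and files each app touches, and the
user reads it like a bank statement) is the one quoted on slide 21.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str        # ISO-8601 timestamp of the access
    app: str       # package/bundle identifier of the app
    resource: str  # category: camera, microphone, location, file, network
    detail: str    # what exactly was touched: device, path, or host:port


# Constructed sample activity log, one event per line: ts|app|resource|detail.
SAMPLE_LOG = """\
2019-05-01T08:02:11|com.example.flashlight|camera|rear
2019-05-01T08:02:12|com.example.flashlight|location|gps
2019-05-01T08:02:15|com.example.flashlight|network|ads.tracker.example:443
2019-05-01T09:10:00|com.example.maps|location|gps
2019-05-01T09:10:04|com.example.maps|network|tiles.maps.example:443
2019-05-01T12:30:21|com.example.notes|file|/sdcard/Documents/todo.txt
2019-05-01T12:31:02|com.example.notes|microphone|builtin
"""

# Constructed "account terms": the resources each app declared it needs.
# A torch app needs the camera (for its LED) and nothing else.
DECLARED = {
    "com.example.flashlight": {"camera"},
    "com.example.maps": {"location", "network"},
    "com.example.notes": {"file"},
}


def parse_events(text):
    """Parse the pipe-separated log into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, resource, detail = line.split("|", 3)
        events.append(Event(ts, app, resource, detail))
    return events


def build_statement(events):
    """Account activity: per app, how many times each resource category was used."""
    statement = defaultdict(Counter)
    for ev in events:
        statement[ev.app][ev.resource] += 1
    return {app: dict(counts) for app, counts in statement.items()}


def reconcile(events, declared):
    """Unauthorized expenses: accesses outside what the app declared.

    An app absent from `declared` has declared nothing, so all of its
    activity is flagged.
    """
    return [ev for ev in events if ev.resource not in declared.get(ev.app, set())]


def render_statement(events, declared):
    """Format the statement the way a user would read it."""
    lines = []
    for app, counts in sorted(build_statement(events).items()):
        summary = ", ".join(f"{res} x{n}" for res, n in sorted(counts.items()))
        lines.append(f"{app}: {summary}")
    flagged = reconcile(events, declared)
    lines.append(f"--- {len(flagged)} undeclared access(es) ---")
    for ev in flagged:
        lines.append(f"{ev.ts} {ev.app} used {ev.resource} ({ev.detail})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_statement(parse_events(SAMPLE_LOG), DECLARED))
```

On the constructed log the flashlight app shows up with three undeclared lines (location and an ad host it never needed) and the notes app with one (microphone), while the maps app reconciles cleanly. That is the whole point of the analogy: the user does not need to understand the platform's permission model to notice that a torch is reading GPS.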
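Slide 34 quotes the xkcd 936 claim that we have trained users into passwords that are hard for humans and easy for computers. The following is an added example written for this page, not code from the speaker or from xkcd, that puts numbers on the claim. The per-component bit counts for a "Tr0ub4dor&3"-style password and the 1000 guesses/second online rate are the comic's own figures; the naive uniform estimate is included to show why "11 mixed characters" looks stronger on paper than it is in practice. `WORDLIST` is a constructed 32-word stand-in for the generator; a real deployment would use a large published list such as the EFF long list (7776 words).

```python
"""Added example: putting numbers on the xkcd 936 claim quoted on slide 34.

Illustrative code written for this page, not the speaker's or xkcd's. The bit
counts for the "Tr0ub4dor&3"-style password follow the breakdown in the comic;
1000 guesses/second is the comic's assumption for online guessing against a web
service. WORDLIST is a constructed 32-word stand-in (only 5 bits per word); a
real passphrase generator should use a large published list.
"""
import math
import secrets

GUESSES_PER_SECOND = 1000  # online guessing rate assumed in xkcd 936


def structured_password_bits():
    """Entropy of a human-style 'complex' password, component by component (xkcd 936)."""
    components = {
        "uncommon base word": 16,
        "capitalisation": 1,
        "common substitutions (0 for o, 4 for a)": 3,
        "appended numeral": 3,
        "punctuation": 4,
        "order of numeral and punctuation": 1,
    }
    return sum(components.values())


def uniform_bits(length, alphabet_size):
    """What the same password would be worth if every character were chosen uniformly."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, wordlist_size):
    """Entropy of a passphrase of words drawn uniformly at random from a list."""
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate at the given guess rate."""
    return 2 ** bits / rate


def human_duration(seconds):
    """Round a duration to the largest convenient unit."""
    units = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Constructed stand-in list; far too short for real use.
WORDLIST = [
    "apple", "brick", "candle", "desert", "eagle", "fabric", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orange", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zebra", "anchor", "bottle", "copper", "dragon", "ember", "falcon", "glacier",
]


def generate_passphrase(word_count, wordlist=WORDLIST):
    """Pick words with the OS CSPRNG, as a password manager would."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def compare():
    """Return {name: (bits, time to exhaust)} for the comic's two examples."""
    complex_bits = structured_password_bits()
    phrase_bits = passphrase_bits(4, 2048)  # four words from a 2048-word list
    return {
        "Tr0ub4dor&3": (complex_bits, human_duration(seconds_to_exhaust(complex_bits))),
        "correct horse battery staple": (phrase_bits, human_duration(seconds_to_exhaust(phrase_bits))),
    }


if __name__ == "__main__":
    for name, (bits, duration) in compare().items():
        print(f"{name}: {bits:.0f} bits, search space exhausted in {duration}")
    print(f"naive uniform estimate for 11 printable characters: {uniform_bits(11, 95):.1f} bits")
    print("example passphrase:", generate_passphrase(4))
```

The gap between `uniform_bits(11, 95)` (about 72 bits) and `structured_password_bits()` (28 bits) is the slide's point: password policies measure the former, attackers exploit the latter. The four-word passphrase wins on both counts, with 44 bits that a user can actually remember.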
