Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
BLACKHAT ASIA 2017NETSQUARE
The Seven Axioms
of Security
SAUMIL SHAH
CEO, NET SQUARE
@therealsaumil
BLACKHAT ASIA – SINGAP...
BLACKHAT ASIA 2017NETSQUARE
WARNING! Disruptive Thoughts
Ahead
BLACKHAT ASIA 2017NETSQUARE
WARNING!
Block
Diagrams
Ahead
BLACKHAT ASIA 2017NETSQUARE
About Me
Saumil Shah
CEO, Net Square
@therealsaumil
hacker, trainer, speaker,
photographer, re...
BLACKHAT ASIA 2017NETSQUARE
The Evolution of Attacks: 2001-17
BLACKHAT ASIA 2017NETSQUARE
Servers Applications Desktops
Browsers Pockets Populations
The Evolution of Targets: 2001-17
BLACKHAT ASIA 2017NETSQUARE
...Defense:
2001-17
Firewalls
IDS/IPS
Antivirus
WAF
DLP, EPS
DEP, ASLR
Sandbox
One-way Attacks...
BLACKHAT ASIA 2017NETSQUARE
Example: ROWHAMMER
By Dsimic https://commons.wikimedia.org/w/index.php?curid=38868341
BLACKHAT ASIA 2017NETSQUARE
IMAJS
STEGO-
DECODER
JAVASCRIPT
TARGET BROWSER
POLYGLOT
PIXEL
ENCODER
EXPLOIT
CODE
IMAGE
ENCOD...
BLACKHAT ASIA 2017NETSQUARE
There
will be
Vulnerabilities
BLACKHAT ASIA 2017NETSQUARE
wherein buildings reveal near-
infinite interiors, capable of being
traversed through all manne...
BLACKHAT ASIA 2017NETSQUARE
Attacks
succeed
because the
defense is
REACTIVE...
BLACKHAT ASIA 2017NETSQUARE
Exploit Development - 2002
Individual effort.
1 week dev time.
3-6 months shelf life.
Hundreds ...
BLACKHAT ASIA 2017NETSQUARE
The evolution of a new species
Credit @halvarflake
BLACKHAT ASIA 2017NETSQUARE
The MitiGator raises the bar...
...until it sees no more exploits
Credit @halvarflake
BLACKHAT ASIA 2017NETSQUARE
Exploit Development - 2012
2-12 month dev time.
24h to 10d shelf life.
Public domain
exploits ...
BLACKHAT ASIA 2017NETSQUARE
The defenders
tried to buy
back their
bugs...
BLACKHAT ASIA 2017NETSQUARE
Bug Bounties: high stakes game
Chris Evans – Pwnium: Element 1337
BLACKHAT ASIA 2017NETSQUARE
Bug Bounties
tried to fill a
REACTIVE
need.
BLACKHAT ASIA 2017NETSQUARE
Bug Bounties
Backfiring?
BLACKHAT ASIA 2017NETSQUARE
BLACKHAT ASIA 2017NETSQUARE
More
Reactive
Security
BLACKHAT ASIA 2017NETSQUARE
Compliance != Security
BLACKHAT ASIA 2017NETSQUARE
BLACKHAT ASIA 2017NETSQUARE
Security = "RISK REDUCTION"
Rules
Signatures
Updates
Machine Learning
BLACKHAT ASIA 2017NETSQUARE
BLACKHAT ASIA 2017NETSQUARE
Existing defense
measures
do not match
attacker
tactics.
BLACKHAT ASIA 2017NETSQUARE
Attackers
don't follow
standards and
certifications.
BLACKHAT ASIA 2017NETSQUARE
The CISO: 2001-2017
BLACKHAT ASIA 2017NETSQUARE
In 2001...
CIO CIO
INFOTECH =
BUSINESS
ENABLER
CISO
INFOSEC =
RISK
REDUCER
$$$
C.Y.A.
BLACKHAT ASIA 2017NETSQUARE
Who is Scarier?
The Attacker or The Auditor
BLACKHAT ASIA 2017NETSQUARE
It is time we
...not by building firewalls...
BLACKHAT ASIA 2017NETSQUARE
@therealsaumil's
SEVEN AXIOMS
of Security
BLACKHAT ASIA 2017NETSQUARE
Intelligence Driven Defense
From REACTIVE to PROACTIVE
BLACKHAT ASIA 2017NETSQUARE
Defense
doesn't mean
Risk Reduction
Seven Axioms of Security: 1
BLACKHAT ASIA 2017NETSQUARE
The CISO's
job is
DEFENSE
Seven Axioms of Security: 1
BLACKHAT ASIA 2017NETSQUARE
Compliance is NOT the CISO's job
"Not my circus,
Not my monkeys"
90% TIME SUCK!
http://rafeeqr...
BLACKHAT ASIA 2017NETSQUARE
In 2017...
CISO CISO INFOSEC = DEFENSE
CCO CHIEF COMPLIANCE OFFICER
"COST OF DOING BUSINESS"
BLACKHAT ASIA 2017NETSQUARE
Intelligence
begins by
COLLECTING
EVERYTHING!
Seven Axioms of Security: 2
BLACKHAT ASIA 2017NETSQUARE
Collect Everything!
•  Security Data Warehouse: first
step towards proactive security.
•  Rete...
BLACKHAT ASIA 2017NETSQUARE
Sources of Security Intelligence?
BLACKHAT ASIA 2017NETSQUARE
"The Universe
tells you
everything you
need to know
about it,
as long as you are
prepared to
w...
BLACKHAT ASIA 2017NETSQUARE
Get CREATIVE, Get ORGANIC
ORGANIC SECURITY = Grow It Yourself!
BLACKHAT ASIA 2017NETSQUARE
Schrödinger's Hack:
Systems exist in both
SECURE and HACKED
states at the
same time.
Seven Axi...
BLACKHAT ASIA 2017NETSQUARE
TEST
REALISTICALLY
Seven Axioms of Security: 3
BLACKHAT ASIA 2017NETSQUARE
"My System Is SECURE"
•  Wait for a new production build.
•  Don't test on production only UAT...
BLACKHAT ASIA 2017NETSQUARE
Can't MEASURE?
Can't Use.
Seven Axioms of Security: 4
BLACKHAT ASIA 2017NETSQUARE
Why Keep Metrics?
•  To show you are succeeding
–  Corollary: to show you are failing
•  To ju...
BLACKHAT ASIA 2017NETSQUARE
How to Establish Metrics
•  Look at your process and make a list of what is
quantifiable
•  As...
BLACKHAT ASIA 2017NETSQUARE
Why Metrics Win
•  Often information security becomes what I call
a "battle of two narratives"...
BLACKHAT ASIA 2017NETSQUARE
Users:
One Size Fits
NONE!
Seven Axioms of Security: 5
BLACKHAT ASIA 2017NETSQUARE
The user's going to pick dancing pigs
over security every time.
Bruce Schneier
BLACKHAT ASIA 2017NETSQUARE
Technology in the hands of users
@needadebitcard
BLACKHAT ASIA 2017NETSQUARE
BLACKHAT ASIA 2017NETSQUARE
numberofusers
infosec maturity
Hopeless Uninformed Proactive Rock Stars
Identify your target u...
BLACKHAT ASIA 2017NETSQUARE
...and improve their maturitynumberofusers
infosec maturity
Hopeless Uninformed Proactive Rock...
BLACKHAT ASIA 2017NETSQUARE
The Best Defense
is a CREATIVE
Defense.
Seven Axioms of Security: 6
BLACKHAT ASIA 2017NETSQUARE
A Creative
Defense is an
UNEXPECTED
Defense.
Seven Axioms of Security: 6
BLACKHAT ASIA 2017NETSQUARE
BLACKHAT ASIA 2017NETSQUARE
Make Defense
VISIBLE,
Make Defense
COUNT.
Seven Axioms of Security: 7
BLACKHAT ASIA 2017NETSQUARE
Visible Defense
•  Improve the User Maturity Curve.
•  Reduce Blue Team's Response Time.
•  Mo...
BLACKHAT ASIA 2017NETSQUARE
ASSET
INVENTORY
REAL-TIME VISIBILITY
OF EVENTS
DETECT
UNAUTHORIZED ACTIVITY
CLASSIFY
UNAUTHORI...
BLACKHAT ASIA 2017NETSQUARE
Is your Infosec
team doing
something
creative
every day?
BLACKHAT ASIA 2017NETSQUARE
@therealsaumil
www.net-square.com
#BHASIA 2017
Thank You, Drive Through
NETSQUARE
Upcoming SlideShare
Loading in …5
×

The Seven Axioms Of Security

1,848 views

Published on

"Today’s attacks succeed because the defense is reactive". I have been researching attacks and offensive techniques since the past 17 years. Defense boils down to reacting to new attacks and then playing catch-up.

It is time to transition defense from being reactive to proactive. This talk discusses seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.

Published in: Software
  • Excellent presentation
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

The Seven Axioms Of Security

  1. 1. BLACKHAT ASIA 2017NETSQUARE The Seven Axioms of Security SAUMIL SHAH CEO, NET SQUARE @therealsaumil BLACKHAT ASIA – SINGAPORE 2017NETSQUARE
  2. 2. BLACKHAT ASIA 2017NETSQUARE WARNING! Disruptive Thoughts Ahead
  3. 3. BLACKHAT ASIA 2017NETSQUARE WARNING! Block Diagrams Ahead
  4. 4. BLACKHAT ASIA 2017NETSQUARE About Me Saumil Shah CEO, Net Square @therealsaumil hacker, trainer, speaker, photographer, rebel educating, entertaining and exasperating audiences since 1999 Photo: BLACKHAT ASIA 2001 NETSQUARE
  5. 5. BLACKHAT ASIA 2017NETSQUARE The Evolution of Attacks: 2001-17
  6. 6. BLACKHAT ASIA 2017NETSQUARE Servers Applications Desktops Browsers Pockets Populations The Evolution of Targets: 2001-17
  7. 7. BLACKHAT ASIA 2017NETSQUARE ...Defense: 2001-17 Firewalls IDS/IPS Antivirus WAF DLP, EPS DEP, ASLR Sandbox One-way Attacks FragRouter Obfuscation Char Encoding DNS Exfil ROP, Infoleak Jailbreak Different.... but Same Same
  8. 8. BLACKHAT ASIA 2017NETSQUARE Example: ROWHAMMER By Dsimic https://commons.wikimedia.org/w/index.php?curid=38868341
  9. 9. BLACKHAT ASIA 2017NETSQUARE IMAJS STEGO- DECODER JAVASCRIPT TARGET BROWSER POLYGLOT PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE Example: STEGOSPLOIT http://stegosploit.info
  10. 10. BLACKHAT ASIA 2017NETSQUARE There will be Vulnerabilities
  11. 11. BLACKHAT ASIA 2017NETSQUARE wherein buildings reveal near- infinite interiors, capable of being traversed through all manner of non-architectural means http://www.bldgblog.com/2010/01/nakatomi-space/ Nakatomi Space
  12. 12. BLACKHAT ASIA 2017NETSQUARE Attacks succeed because the defense is REACTIVE...
  13. 13. BLACKHAT ASIA 2017NETSQUARE Exploit Development - 2002 Individual effort. 1 week dev time. 3-6 months shelf life. Hundreds of public domain exploits. "We did it for the LOLs."
  14. 14. BLACKHAT ASIA 2017NETSQUARE The evolution of a new species Credit @halvarflake
  15. 15. BLACKHAT ASIA 2017NETSQUARE The MitiGator raises the bar... ...until it sees no more exploits Credit @halvarflake
  16. 16. BLACKHAT ASIA 2017NETSQUARE Exploit Development - 2012 2-12 month dev time. 24h to 10d shelf life. Public domain exploits = zero. Cost,value of exploits has significantly risen. •  COMMERCIALIZED •  WEAPONIZED •  POLITICIZED
  17. 17. BLACKHAT ASIA 2017NETSQUARE The defenders tried to buy back their bugs...
  18. 18. BLACKHAT ASIA 2017NETSQUARE Bug Bounties: high stakes game Chris Evans – Pwnium: Element 1337
  19. 19. BLACKHAT ASIA 2017NETSQUARE Bug Bounties tried to fill a REACTIVE need.
  20. 20. BLACKHAT ASIA 2017NETSQUARE Bug Bounties Backfiring?
  21. 21. BLACKHAT ASIA 2017NETSQUARE
  22. 22. BLACKHAT ASIA 2017NETSQUARE More Reactive Security
  23. 23. BLACKHAT ASIA 2017NETSQUARE Compliance != Security
  24. 24. BLACKHAT ASIA 2017NETSQUARE
  25. 25. BLACKHAT ASIA 2017NETSQUARE Security = "RISK REDUCTION" Rules Signatures Updates Machine Learning
  26. 26. BLACKHAT ASIA 2017NETSQUARE
  27. 27. BLACKHAT ASIA 2017NETSQUARE Existing defense measures do not match attacker tactics.
  28. 28. BLACKHAT ASIA 2017NETSQUARE Attackers don't follow standards and certifications.
  29. 29. BLACKHAT ASIA 2017NETSQUARE The CISO: 2001-2017
  30. 30. BLACKHAT ASIA 2017NETSQUARE In 2001... CIO CIO INFOTECH = BUSINESS ENABLER CISO INFOSEC = RISK REDUCER $$$ C.Y.A.
  31. 31. BLACKHAT ASIA 2017NETSQUARE Who is Scarier? The Attacker or The Auditor
  32. 32. BLACKHAT ASIA 2017NETSQUARE It is time we ...not by building firewalls...
  33. 33. BLACKHAT ASIA 2017NETSQUARE @therealsaumil's SEVEN AXIOMS of Security
  34. 34. BLACKHAT ASIA 2017NETSQUARE Intelligence Driven Defense From REACTIVE to PROACTIVE
  35. 35. BLACKHAT ASIA 2017NETSQUARE Defense doesn't mean Risk Reduction Seven Axioms of Security: 1
  36. 36. BLACKHAT ASIA 2017NETSQUARE The CISO's job is DEFENSE Seven Axioms of Security: 1
  37. 37. BLACKHAT ASIA 2017NETSQUARE Compliance is NOT the CISO's job "Not my circus, Not my monkeys" 90% TIME SUCK! http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/
  38. 38. BLACKHAT ASIA 2017NETSQUARE In 2017... CISO CISO INFOSEC = DEFENSE CCO CHIEF COMPLIANCE OFFICER "COST OF DOING BUSINESS"
  39. 39. BLACKHAT ASIA 2017NETSQUARE Intelligence begins by COLLECTING EVERYTHING! Seven Axioms of Security: 2
  40. 40. BLACKHAT ASIA 2017NETSQUARE Collect Everything! •  Security Data Warehouse: first step towards proactive security. •  Retention is CHEAPER than Deletion. •  Importance of HISTORICAL DATA increases exponentially with time.
  41. 41. BLACKHAT ASIA 2017NETSQUARE Sources of Security Intelligence?
  42. 42. BLACKHAT ASIA 2017NETSQUARE "The Universe tells you everything you need to know about it, as long as you are prepared to watch, to listen, to smell, in short to OBSERVE." Sources of Security Intelligence
  43. 43. BLACKHAT ASIA 2017NETSQUARE Get CREATIVE, Get ORGANIC ORGANIC SECURITY = Grow It Yourself!
  44. 44. BLACKHAT ASIA 2017NETSQUARE Schrödinger's Hack: Systems exist in both SECURE and HACKED states at the same time. Seven Axioms of Security: 3
  45. 45. BLACKHAT ASIA 2017NETSQUARE TEST REALISTICALLY Seven Axioms of Security: 3
  46. 46. BLACKHAT ASIA 2017NETSQUARE "My System Is SECURE" •  Wait for a new production build. •  Don't test on production only UAT. •  Perform Non-intrusive testing. •  X,Y,Z,.. are all out of Scope. •  Test during off-peak hours only.
  47. 47. BLACKHAT ASIA 2017NETSQUARE Can't MEASURE? Can't Use. Seven Axioms of Security: 4
  48. 48. BLACKHAT ASIA 2017NETSQUARE Why Keep Metrics? •  To show you are succeeding –  Corollary: to show you are failing •  To justify your existence and/or budget •  To argue for change •  For fun! Marcus Ranum Security Metrics: The Quest For Meaning IT Defense 2016, Mainz
  49. 49. BLACKHAT ASIA 2017NETSQUARE How to Establish Metrics •  Look at your process and make a list of what is quantifiable •  Ask yourself what quantities you are interested in –  Once things are quantified they go up, or down – which is about the only convenient thing of metrics: they don't go sideways, too •  Which is a "good" direction: up or down? •  Do you know what constitutes a significant movement? •  Measure and iterate Marcus Ranum Security Metrics: The Quest For Meaning IT Defense 2016, Mainz
  50. 50. BLACKHAT ASIA 2017NETSQUARE Why Metrics Win •  Often information security becomes what I call a "battle of two narratives" –  Your opponent has the advantage of lying: –  "moving this to the cloud will save us $500,000/year!" –  To defend your narrative you need facts (from metrics) and credible extrapolations (based on metrics) or your opponent controls the narrative! * * Plan B is to respond with lies of your own Marcus Ranum Security Metrics: The Quest For Meaning IT Defense 2016, Mainz
  51. 51. BLACKHAT ASIA 2017NETSQUARE Users: One Size Fits NONE! Seven Axioms of Security: 5
  52. 52. BLACKHAT ASIA 2017NETSQUARE The user's going to pick dancing pigs over security every time. Bruce Schneier
  53. 53. BLACKHAT ASIA 2017NETSQUARE Technology in the hands of users @needadebitcard
  54. 54. BLACKHAT ASIA 2017NETSQUARE
  55. 55. BLACKHAT ASIA 2017NETSQUARE numberofusers infosec maturity Hopeless Uninformed Proactive Rock Stars Identify your target users... Always going to be an enigma. If properly guided, these users are willing to improve their usage habits. The next Rock Star users. Leave them alone, and possibly learn from them.
  56. 56. BLACKHAT ASIA 2017NETSQUARE ...and improve their maturitynumberofusers infosec maturity Hopeless Uninformed Proactive Rock Stars
  57. 57. BLACKHAT ASIA 2017NETSQUARE The Best Defense is a CREATIVE Defense. Seven Axioms of Security: 6
  58. 58. BLACKHAT ASIA 2017NETSQUARE A Creative Defense is an UNEXPECTED Defense. Seven Axioms of Security: 6
  59. 59. BLACKHAT ASIA 2017NETSQUARE
  60. 60. BLACKHAT ASIA 2017NETSQUARE Make Defense VISIBLE, Make Defense COUNT. Seven Axioms of Security: 7
  61. 61. BLACKHAT ASIA 2017NETSQUARE Visible Defense •  Improve the User Maturity Curve. •  Reduce Blue Team's Response Time. •  Money Saved = Money Earned Consistent Reduction in Frauds. •  Produce Creative Defense Tools. •  Attract Smarter Talent in Infosec. •  Weekly fitness check...
  62. 62. BLACKHAT ASIA 2017NETSQUARE ASSET INVENTORY REAL-TIME VISIBILITY OF EVENTS DETECT UNAUTHORIZED ACTIVITY CLASSIFY UNAUTHORIZED ACTIVITY ATTACKER CAPABILITY DETECT INTRUSIONS UNCOVER ATTACKERS TRACK ATTACKERS DEFEND & RECOVER ...The CISO Strength Test https://github.com/swannman/ircapabilities
  63. 63. BLACKHAT ASIA 2017NETSQUARE Is your Infosec team doing something creative every day?
  64. 64. BLACKHAT ASIA 2017NETSQUARE @therealsaumil www.net-square.com #BHASIA 2017 Thank You, Drive Through NETSQUARE

×