The Seven Axioms of Security - ITWeb 2017

It is time to transition defense from being reactive to proactive. This talk discusses seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.

Published in: Software

  1. #ITWebSS2017 NETSQUARE. The Seven Axioms Of Security. Saumil Shah, CEO, Net Square, @therealsaumil. ITWeb Security Summit 2017, Johannesburg, South Africa. Photo credit: Mukesh Acharya
  2. WARNING! Disruptive Thoughts Ahead
  3. WARNING! Block Diagrams Ahead
  4. About Me. Saumil Shah, CEO, Net Square, @therealsaumil. Hacker, trainer, speaker, photographer, rebel; educating, entertaining and exasperating audiences since 1999.
  5. The Evolution of Attacks: 2001-17
  6. The Evolution of Targets: 2001-17. Servers, Applications, Desktops, Browsers, Pockets, Populations.
  7. ...Defense: 2001-17
     Defenses: Firewalls, IDS/IPS, Antivirus, WAF, DLP/EPS, DEP/ASLR, Sandbox.
     Attacks: One-way Attacks, FragRouter, Obfuscation, Char Encoding, DNS Exfil, ROP/Infoleak, Jailbreak.
     Different.... but Same Same.
  8. @Shakespeare doth twate
  9. Strange Targets: ROWHAMMER. Image by Dsimic, https://commons.wikimedia.org/w/index.php?curid=38868341
  10. Strange Techniques: STEGOSPLOIT, http://stegosploit.info (block diagram; labels: Exploit Code, Pixel Encoder, Image, Encoded Image, IMAJS, Polyglot, Stego-Decoder, JavaScript, Target Browser)
  11. There will always be vulnerabilities..
  12. Nakatomi Space: "wherein buildings reveal near-infinite interiors, capable of being traversed through all manner of non-architectural means" http://www.bldgblog.com/2010/01/nakatomi-space/
  13. Attacks succeed because today's defense is REACTIVE.
  14. Exploit Development - 2002. Individual effort. 1 week dev time. 3-6 months shelf life. Hundreds of public domain exploits. "We did it for the LOLs."
  15. TWO TIMELINES >
  16. Evolution of a new species: MitiGator (RaiseBar-us Myopus), discovered by @halvarflake. SafeSEH, DEP, ASLR, CFG, Isolated Heap, NOZZLE, /GS, SEHOP, RelRO.
  17. MitiGator raises the bar... ...until it sees no more exploits. Credit @halvarflake
  18. A long time ago in a galaxy far, far away... MICROSOFT STRIKES BACK
  19. (no extractable text)
  20. 2005: Ciscogate – Michael Lynn. https://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
  21. 2009, CanSecWest. Photo credit: Garrett Gee
  22. Exploit Development - 2012. 2-12 month dev time. 24h to 10d shelf life. Public domain exploits = zero. Cost, value of exploits has significantly risen.
     • COMMERCIALIZED
     • WEAPONIZED
     • POLITICIZED
  23. The defenders tried to buy back their bugs...
  24. Bug Bounties: high stakes game. Chris Evans – Pwnium: Element 1337
  25. Bug Bounties tried to fill a REACTIVE need.
  26. Bug Bounties Backfiring?
  27. (no extractable text)
  28. More on Reactive Security
  29. Compliance != Security
  30. (no extractable text)
  31. Security = "RISK REDUCTION": Rules, Signatures, Updates, Machine Learning.
  32. (no extractable text)
  33. Existing defense measures do not match attacker tactics.
  34. Attackers don't follow compliance standards and certifications.
  35. The CISO: 2001-2017
  36. In 2001... CIO: INFOTECH = BUSINESS ENABLER. CISO: INFOSEC = RISK REDUCTION. $$$, C.Y.A.
  37. Dear CISO, who are scarier: ATTACKERS or AUDITORS?
  38. It is time we ...not by building firewalls...
  39. @therealsaumil's SEVEN AXIOMS of Security
  40. Intelligence Driven Defense: From REACTIVE to PROACTIVE
  41. Axiom 1: Defense doesn't mean Risk Reduction.
  42. Axiom 1: The CISO's job is DEFENSE.
  43. Compliance is NOT the CISO's job. "Not my circus, not my monkeys." 90% TIME SPENT ON COMPLIANCE! http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/
  44. In 2017... CISO: INFOSEC = DEFENSE. CCO: CHIEF COMPLIANCE OFFICER. DEFEND AGAINST ATTACKERS. DEFEND AGAINST AUDITORS.
  45. Axiom 2: Intelligence begins by COLLECTING EVERYTHING!
  46. Collect Everything!
     • Security Data Warehouse: first step towards proactive security.
     • Retention is CHEAPER than Deletion.
     • Importance of HISTORICAL DATA increases exponentially with time.
  47. Sources of Security Intelligence?
  48. Sources of Security Intelligence: "The Universe tells you everything you need to know about it, as long as you are prepared to watch, to listen, to smell, in short to OBSERVE."
  49. Get CREATIVE, Get ORGANIC. ORGANIC SECURITY = Grow It Yourself!
  50. Axiom 3: Schrödinger's Hack: Systems exist in both SECURE and HACKED states at the same time.
  51. Axiom 3 – what it means: TEST REALISTICALLY
  52. Foregone Conclusion: "My System Is SECURE". Test strategy that will lead you to this conclusion:
     • Wait for a new production build.
     • Don't test on production, only UAT.
     • Perform non-intrusive testing.
     • X, Y, Z, .. are all out of scope.
     • Test during off-peak hours only.
  53. Axiom 4: Can't MEASURE? Can't Use.
  54. Why Keep Metrics?
     • To show you are succeeding
       – Corollary: to show you are failing
     • To justify your existence and/or budget
     • To argue for change
     • For fun!
     (Marcus Ranum, Security Metrics: The Quest For Meaning, IT Defense 2016, Mainz)
  55. How to Establish Metrics
     • Look at your process and make a list of what is quantifiable
     • Ask yourself what quantities you are interested in
       – Once things are quantified they go up, or down – which is about the only convenient thing of metrics: they don't go sideways, too
     • Which is a "good" direction: up or down?
     • Do you know what constitutes a significant movement?
     • Measure and iterate
     (Marcus Ranum, Security Metrics: The Quest For Meaning, IT Defense 2016, Mainz)
  56. Alberto Brandolini @ziobrando (The Bullshit Asymmetry)
  57. Why Metrics Win
     • Often information security becomes what I call a "battle of two narratives"
       – Your opponent has the advantage of lying: "moving this to the cloud will save us $500,000/year!"
       – To defend your narrative you need facts (from metrics) and credible extrapolations (based on metrics) or your opponent controls the narrative!*
     * Plan B is to respond with lies of your own
     (Marcus Ranum, Security Metrics: The Quest For Meaning, IT Defense 2016, Mainz)
  58. Axiom 5: Users: One Size Fits NONE!
  59. "The user's going to pick dancing pigs over security every time." Bruce Schneier
  60. Technology in the hands of users. @needadebitcard
  61. (no extractable text)
  62. Identify your target users... (chart: Number of Users vs Infosec Maturity)
     • HOPELESS: always going to be an enigma
     • UNINFORMED: if properly guided these users are willing to improve their usage habits
     • PROACTIVE: the next rock star users
     • ROCK STARS: leave them alone and possibly learn from them
  63. ...and improve their maturity (chart: Number of Users vs Infosec Maturity; Hopeless, Uninformed, Proactive, Rock Stars)
  64. Axiom 6: The Best Defense is a CREATIVE Defense.
  65. Axiom 6 – attacker's view: A Creative Defense is an UNEXPECTED Defense.
  66. (no extractable text)
  67. Axiom 7: Make Defense VISIBLE, Make Defense COUNT.
  68. Visible Defense
     • Improve the User Maturity Curve.
     • Reduce Blue Team's Response Time.
     • Money Saved = Money Earned: Consistent Reduction in Frauds.
     • Produce Creative Defense Tools.
     • Attract Smarter Talent in Infosec.
     • Weekly fitness check...
  69. ...The CISO Strength Test, https://github.com/swannman/ircapabilities (capability ladder: Asset Inventory; Real-time Visibility of Events; Detect Unauthorized Activity; Classify Unauthorized Activity; Attacker Capability; Detect Intrusions; Uncover Attackers; Track Attackers; Defend & Recover)
  70. Is your Infosec team doing something creative every day?
  71. @therealsaumil, www.net-square.com. #ITWebSS2017, Johannesburg. Thank You, Drive Through
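Slide 46 ("Collect Everything!") claims that retention is cheaper than deletion and that the value of historical data grows with time. The example below is added here and is not part of the talk or the speaker's material; it shows the concrete reason behind the claim: an indicator learned today can only be hunted backwards through whatever the security data warehouse still holds. The same hunt is run under a 30-day and a 365-day retention policy over an in-memory event store. All event lines, hostnames, addresses and indicators are constructed placeholders.

```python
"""Added example (not from the slides): why retained historical data matters.

A newly learned indicator is hunted across an in-memory 'security data
warehouse'. The same hunt is run under two retention policies to show what a
short retention window would have thrown away. All events and indicators below
are constructed sample data; hostnames and addresses are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str      # constructed event class, e.g. "dns" or "auth"
    value: str     # the observable: queried name, source IP, ...


# Fixed "now" so the example is deterministic.
NOW = datetime(2017, 5, 1, 12, 0, 0)

# Constructed sample events in 'timestamp host kind value' form.
RAW_LOG = """\
2017-01-20T03:14:00 ws-17 dns update.example-bad.test
2017-02-02T09:10:00 ws-04 auth 198.51.100.23
2017-03-15T22:41:00 ws-17 dns cdn.example-good.test
2017-04-03T11:05:00 srv-02 dns update.example-bad.test
2017-04-28T16:30:00 ws-09 auth 203.0.113.77
2017-04-30T08:00:00 ws-17 auth 198.51.100.23
"""


def parse_events(text: str) -> List[Event]:
    """Parse the constructed log lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, value = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), host, kind, value))
    return events


def apply_retention(events: Iterable[Event], now: datetime, days: int) -> List[Event]:
    """Keep only the events a retention policy of `days` would still hold."""
    cutoff = now - timedelta(days=days)
    return [e for e in events if e.ts >= cutoff]


def retro_hunt(events: Iterable[Event], indicators: Set[str]) -> List[Event]:
    """Return every retained event whose observable matches a newly learned indicator."""
    return [e for e in events if e.value in indicators]


def first_seen(hits: List[Event]) -> Optional[datetime]:
    return min(h.ts for h in hits) if hits else None


def compare_policies(text: str, indicators: Set[str], now: datetime = NOW,
                     short_days: int = 30, long_days: int = 365) -> dict:
    """Run the same hunt under a short and a long retention policy."""
    events = parse_events(text)
    short = retro_hunt(apply_retention(events, now, short_days), indicators)
    long_ = retro_hunt(apply_retention(events, now, long_days), indicators)
    return {
        "short_hits": len(short),
        "short_first_seen": first_seen(short),
        "long_hits": len(long_),
        "long_first_seen": first_seen(long_),
        # Hosts whose involvement is only visible because old data was kept.
        "hosts_only_in_history": sorted({e.host for e in long_} - {e.host for e in short}),
    }


if __name__ == "__main__":
    # Constructed indicators "received today": one domain and one address.
    iocs = {"update.example-bad.test", "198.51.100.23"}
    for key, val in compare_policies(RAW_LOG, iocs).items():
        print(f"{key}: {val}")
```

Under the 30-day policy the hunt finds two hits and dates the activity to April; under the 365-day policy it finds four, pushes first-seen back to January and surfaces a host (ws-04) that the short window had already forgotten. That gap, not storage cost, is what makes deletion the expensive option.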
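Slides 55 and 57 (Marcus Ranum's steps for establishing metrics) say that a quantity only becomes useful once you know which direction is good and what counts as a significant movement. The example below is added here and is neither Ranum's nor the speaker's code; it turns those steps into a small evaluator in which each metric declares its good direction and a significance threshold, and the latest period's move is judged against the noise of the earlier periods. The three metric series are constructed sample numbers.

```python
"""Added example (not from the talk or from Marcus Ranum): judging whether a
security metric has moved significantly, and in a good or bad direction.

Each Metric declares which direction is good and the smallest absolute change
worth talking about; the threshold for a 'significant movement' is the larger
of that floor and a multiple of the standard deviation of past period-over-
period changes. All series below are constructed sample data.
"""
from dataclasses import dataclass
from statistics import pstdev
from typing import List, Tuple


@dataclass(frozen=True)
class Metric:
    name: str
    values: Tuple[float, ...]   # oldest -> newest, one value per period
    good_direction: str         # "down" or "up"
    min_abs_change: float       # floor below which a move is noise regardless of history
    noise_multiplier: float = 2.0  # move must exceed this many std-devs of past deltas


def deltas(values: Tuple[float, ...]) -> List[float]:
    """Period-over-period changes of a series."""
    return [b - a for a, b in zip(values, values[1:])]


def assess(m: Metric) -> dict:
    """Judge the latest change of one metric: flat, improving or worsening."""
    if m.good_direction not in ("up", "down"):
        raise ValueError(f"{m.name}: good_direction must be 'up' or 'down'")
    if len(m.values) < 3:
        raise ValueError(f"{m.name}: need at least 3 periods to judge movement")
    history = deltas(m.values[:-1])          # earlier moves define the noise band
    latest = m.values[-1] - m.values[-2]
    noise = pstdev(history) if len(history) > 1 else 0.0
    threshold = max(m.min_abs_change, m.noise_multiplier * noise)
    if abs(latest) < threshold:
        direction = "flat"
    else:
        direction = "up" if latest > 0 else "down"
    if direction == "flat":
        verdict = "no significant movement"
    elif direction == m.good_direction:
        verdict = "improving"
    else:
        verdict = "worsening"
    return {
        "metric": m.name,
        "latest_change": latest,
        "threshold": round(threshold, 3),
        "direction": direction,
        "verdict": verdict,
    }


def report(metrics: List[Metric]) -> List[dict]:
    return [assess(m) for m in metrics]


# Constructed monthly series (six periods each).
SAMPLE_METRICS = [
    # Fewer days to patch is better; a jump from ~30 to 14 days is well outside the noise.
    Metric("median_days_to_patch_critical", (30, 28, 31, 29, 30, 14), "down", min_abs_change=2),
    # More user phishing reports is better; +1 is inside the usual wobble.
    Metric("phishing_reports_per_1000_users", (5, 6, 5, 7, 6, 7), "up", min_abs_change=2),
    # Fewer open critical findings is better; +8 is a real, bad move.
    Metric("open_critical_findings", (12, 11, 12, 11, 12, 20), "down", min_abs_change=3),
]


if __name__ == "__main__":
    for row in report(SAMPLE_METRICS):
        print(f"{row['metric']}: change {row['latest_change']:+} "
              f"(threshold {row['threshold']}) -> {row['verdict']}")
```

The noise band is derived from the metric's own history rather than a fixed percentage, which is what keeps a one-point wobble in a small count from being reported as progress or regression; the absolute floor stops a metric with an unusually quiet history from flagging every tiny move. The same evaluator is what turns "the cloud move saved money" into a claim that has to beat a threshold.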
