The document discusses the evolving landscape of cyber security management, emphasizing the changing nature of threats and the importance of understanding adversarial motivations and capabilities. It highlights the necessity for organizations to optimize their security strategies amid increasing reliance on technology and pressure from diverse threat actors. Key recommendations include addressing the return on investment for adversaries and shifting focus from purely vulnerability management to a broader understanding of risk and control dynamics.

1. Insert Your Name
Insert Your Title
Insert Date
Cyber Security Management
In a Highly Innovative World
David Etue, VP Corporate Development Strategy, SafeNet
June 2013
© SafeNet - All Rights Reserved

2. Agenda
About Me and SafeNet
Context
Evolving Adversaries, Evolving Threats
Evolving Technology, Evolving Dependence
Solutions and Ideas

3. About David Etue @djetue
• VP, Corporate Development Strategy at SafeNet
• Former Cyber Security Practice Lead [PRTM Management Consultants] (now
PwC)
• Former VP Products and Markets [Fidelis Security Systems]
• Former Manager, Information Security [General Electric Company]
• Industry
• Faculty: The Institute for Applied Network Security (IANS)
• Certified Information Privacy Professional (CIPP/G)
• Certified CISO (C|CISO)
• Cyber things that interest me
• Adversary innovation
• Applying intelligence cycle / OODA loop in cyber
• Supply chain security
• Cloud and virtualization security

4. Who We Are
Trusted to protect the world’s most sensitive data for
the world’s most trusted brands.
We protect the most
money that moves in
the world, $1 trillion
daily.
We protect the most digital
identities in the world.
We protect the most
sensitive information
in the world.
FOUNDED
1983
REVENUE
~330m
EMPLOYEES
+1,400
In 25 countries
OWENERSHIP
Private
GLOBAL FOOTPRINT
+25,000
Customers in
100 countries
ACCREDITED
Products certified
to the highest
security standard

5. Insert Your Name
Insert Your Title
Insert Date
Context

6. We Have Finite Resources…
We Can Not Protect Everything!
http://commons.wikimedia.org/wiki/File:Fdr_sidefront.jpgLufthansa Airbus A380 D-AIMC with the name "Peking" at Stuttgart
Lasse Fuss
http://commons.wikimedia.org/wiki/File:Lufthansa_A380_D-AIMC.jpg
“Black Box”

7. Consequences: Value & Replaceability
http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/

8. Misplaced Focus
“With the breach-a-week over the last
two years, the key determinate was
nothing YOU did… but rather was WHO
was after you.”

9. The Control Continuum

10. Insert Your Name
Insert Your Title
Insert Date
Evolving Adversaries…
…Evolving Threats
10

11. What is a “Threat”?
A Threat is an Actor
with a Capability
and a Motive
Threats Are A “Who”, Not a “What”

12. A Modern Pantheon of
Adversary Classes
Methods
“MetaSploit” DoS Phishing Rootkit SQLi Auth Exfiltration Malware Physical
Impacts
Reputational Personal Confidentiality Integrity Availability
Target Assets
Credit Card #s
Web
Properties
Intellectual
Property
PII / Identity
Cyber
Infrastructure
Core Business
Processes
Motivations
Financial Industrial Military Ideological Political Prestige
Actor Classes
States Competitors
Organized
Crime
Script
Kiddies
Terrorists “Hactivists” Insiders Auditors

13. Methods
“MetaSploit” DoS Phishing Rootkit SQLi Auth Exfiltratio
n Malware Physical
Impacts
Reputational Personal Confidentiality Integrity Availability
Target Assets
Credit Card #s
Web
Properties
Intellectual
Property
PII / Identity
Cyber
Infrastructure
Core Business
Processes
Motivations
Financial Industrial Military Ideological Political Prestige
Actor Classes
States Competitors
Organized
Crime
Script
Kiddies
Terrorists “Hactivists” Insiders Auditors
Profiling a Particular Actor

14. Script Kiddies (aka Casual Adversary)
14
“MetaSploit”, SQLi,
Phishing
Confidentially,
Reputation
CCN/Fungible
Profit, Prestige
Skiddie

15. Organized Crime
Malware, Botnets,
Rootkits
Confidentially
Fungible, Banking
Profit
Organized Crime

16. Custom
Malware, SpearPhishing, Physi
cal, ++
Intellectual Property Trade
Secrets Infrastructure
Confidentially,
Reputation
Industrial/Military
State/Espionage
Adaptive Persistent Adversaries

17. Hactivists Chaotic Actors
DoS, SQLi, Phishing
Availability, Confidentiality,
Reputation, Personal
Web
Properties, Individuals, Po
licy
Ideological and/or
LULZ
Chaotic Actor

18. Insert Your Name
Insert Your Title
Insert Date
Evolving Technology…
…Evolving Dependence
18

19. The Value An Organization Delivers
Is Driven By Its Differentiation
Suppliers &
Partners
Your
Organization Customers
Differentiation
Intellectual
Property
Strategy
Core
Processes

20. Competitive Differentiation is Dependent
on Information and the IT Infrastructure
Intellectual
Property
Strategy
Core
Processes
Information Security’s Mission Is To Protect
These Key Digital Assets

21. Optimizing Security Management
Is a Multi-Faceted Challenge
Customer
Needs
Business
Needs
Regulators
(Compliance)
Threats

22. Branch Office
Cloud, Virtualization, Mobile, and
Consumerization! Oh My!
22
Web 2.0 Application
Remote Replication
• Sensitive Data on the Rise
• More IT Dependency
• Compliance
• Variety of Threat Actors
Growing Risk
• Traditional Perimeter GONE!
• SaaS, Cloud & Web 2.0 Apps
• Collaboration Partners
• Growing Mobile Devices
No Physical Controls
Internet
SaaS Cloud
Extranet
WAN
Docs
Offline
Folders
Shared
Folders
DatabaseGroupware
E-Mail
Media Flash-
drive
Data Center
Laptop
Mobile

23. Virtualization and Cloud Computing
Are Economically Compelling and Here to Stay
23

24. What Has Changed?
Perimeter Layers Collaboration Integrated
Amount of
Information
and
Infrastructure
Attack
Surface
Cost of
Failure
Time
As Organizations Have Embraced Technology, the Amount of
Information, Attack Surface, and Cost of Failure Have All
Skyrocketed!

25. Another Change:
The New Definition of Privilege
25

26. Privileged Users Even More Powerful
In Cloud/VIrt
26
Virtual Machine Virtual Machine Virtual Machine
Compute Storage Network
Virtual
Compute
CPU
Virtual Storage
NAS / SAN
Management
Database As-
A-Service
Application
Guest OS
Application Application
Guest OSGuest OS
Virtual
Network
Physical
Network
Hypervisor
Server
Application
OS
CPU Disk
Network
BEFORE AFTER

27. Insert Your Name
Insert Your Title
Insert Date
Solutions and Ideas
27

28. Insert Your Name
Insert Your Title
Insert Date
Adversary ROI

29. Why Adversary ROI
 Adversaries want assets -
vulnerabilities are a means
 Our attack surface is
approaching infinity
 Adversaries have scarce
resources too
Adversaries care if *they* can get a return on
investment from an attack, not you…

30. Adversary ROI Came About By
Looking at Risk
A risk requires a threat and a vulnerability
that results in a negative consequence
We have finite resources, and must optimize the entire
risk equation for our success!
Current State
Threat
Vulnerability
Consequence
Proposed State?

31. Understanding the Risk Equation
Risk = Threat + Vulnerability
Most Cyber Security programs focused solely on vulnerability
management, which necessary but insufficient:
• Technology changes at high rate of speed making vulnerability a moving
target
• Adversary community changes faster than defenders
• Attacks quickly move to the most porous layer
• End users likely to remain a significant vulnerability
Focus of most cyber
security programs
The Cyber Security “arms race” today focuses
Vulnerabilities—Its time to address other variables!

32. Value Favors the Attacker
Public Sensitive
Highly Replicable
Sensitive
Irreplaceable
Information Classification
AttackerGains
Typical IT
Security
Budget
(1-12% of
IT Budget)
Are you prepared to address a
funded nation state targeting
your highest value intellectual
property?

33. The Adversary ROI Equation
Adversary ROI =
Attack Value
Cost of the Attack
Probability
of Success
Deterrence
Measures
(% Chance of Getting Caught x Cost of Getting Caught)
Value of Assets Compromised +
Adversary Value of Operational Impact
X
-
[ ] Cost of
the Attack
-
( )

34. Ability to
respond and
recover key
Impacting Adversary ROI
It is typically not desirable
to make your assets less
valuable
Impact of getting caught is
typically a government issue
Increase
adversary “Work
Effort”
Ability to
respond and
recover key
Increase
adversary “Work
Effort”
Adversary ROI =
Attack Value
Cost of the Attack
Probability
of Success
Deterrence
Measures
(% Chance of Getting Caught x Cost of Getting Caught)
Value of Assets Compromised +
Adversary Value of Operational Impact
X
-
( ) Cost of
the Attack
-
( )

35. Every Organization Should Know The Key
Components to This Model
Methods
Impacts
Target Assets
Motivations
Actor Classes

36. Insert Your Name
Insert Your Title
Insert Date
The Control Quotient
36

37. The Control Quotient Definition
 Quotient: (from http://www.merriam-webster.com/dictionary/quotient )
• the number resulting from the division of one number by another
• the numerical ratio usually multiplied by 100 between a test score
and a standard value
• quota, share
• the magnitude of a specified characteristic or quality
 Control Quotient: optimization of a security control based
on the maximum efficacy within sphere of control (or
influence or trust) of the underlying infrastructure*
 *unless there is an independent variable…

38. Amazon EC2 - IaaS
The lower down the stack the Cloud
provider stops, the more security you are
tactically responsible for implementing &
managing yourself.
Salesforce - SaaS
Google AppEngine - PaaS
The Control Quotient and the SPI Stack
Stack by Chris Hoff -> CSA

39. Security Management & GRC
Identity/Entity Security
Data Security
Host
Network
Infrastructure Security
Application
Security
CSA Cloud Model
The Control Quotient and the SPI Stack

40. CSA Cloud Model
Security Management & GRC
Identity/Entity Security
Data Security
Host
Network
Infrastructure Security
Application
Security
Virtualization, Software Defined
Networks, and Public/Hybrid/Community
Cloud Forces a Change in How Security
Controls Are Evaluated and Deployed
The Control Quotient and the SPI Stack

41. To Be Successful, We Must Focus on the Control
Kept (or Gained!), NOT the Control Lost…
Half Full or Half Empty?

42. http://www.flickr.com/photos/markhillary/6342705495 http://www.flickr.com/photos/tallentshow/2399373550
More Than Just Technology…

43. Insert Your Name
Insert Your Title
Insert Date
The Secure Breach
43

44. Crunchy on the Outside…
44
http://www.flickr.com/photos/theilr/2240742119/

45. Time to Secure the Breach
45
Breach Prevention Era
Secure Breach Era

46. Key Enablers to the Secure Breach
Encryption (and Key Management)
Identity and Access Management with Strong Authentication
Segmentation
Privilege User Management
Detection and Response Capabilities
Asset, Configuration, and Change Management
46

47. 4 Step Program For Ushering In the
“Secure Breach” Era
• Its time to try something new…
Introspection
• You can’t prevent a perimeter breach…
Acceptance
• Know your enemies and what they are after…
Understanding
• Decrease adversary ROI…
Action
47

48. Insert Your Name
Insert Your Title
Insert Date
Thank You!
Any questions
David Etue
@djetue
Watch the full webcast on demand:
https://www.brighttalk.com/webcast/6319/75109
48

49. Follow SafeNet on Social Media
[Blog] http://data-protection.safenet-inc.com
@safenetinc
http://www.linkedin.com/company/safenet
http://youtube.com/safenetinc
http://facebook.com/safenetinc
https://plus.google.com/+safenet
http://pinterest.com/safenetinc/
http://www.safenet-inc.com/rss.aspx
http://www.slideshare.net/SafeNet
http://www.govloop.com/group/safenetgov
http://www.brighttalk.com/channel/2037
http://community.spiceworks.com/pages/safenetinc
49