Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)
Agenda
• Context
• The Control Quotient
• Today’s Reality
• Making it Personal
• Examples
• Transcending “Control”
• Apply
CONTEXT

Forces of Constant Change
• Evolving Threats
• Evolving Technologies
• Evolving Compliance
• Evolving Economics
• Evolving Business Needs
BUSINESS COMPLEXITY = RISING COSTS
The IT Drunken Bender

The Control Continuum: Dictator ... Surrender

Sphere of Control

Sphere of Influence vs. Control
THE CONTROL QUOTIENT

The Control Quotient: Definition
• Quotient (from http://www.merriam-webster.com/dictionary/quotient):
  – the number resulting from the division of one number by another
  – the numerical ratio, usually multiplied by 100, between a test score and a standard value
  – quota, share
  – the magnitude of a specified characteristic or quality
• Control Quotient: optimization of a security control based on the maximum efficacy within the sphere of control (or influence, or trust) of the underlying infrastructure*
• *unless there is an independent variable…
History
• RSA Conference US 2009 P2P with @joshcorman
  – An endpoint has a comprehensive, but suspect, view
  – The network has a trustworthy, but incomplete, view

In Theory There Is An Optimal Place to Deploy a Control… But Degrees Of Separation Happen….

Avoiding the Proverbial…
TODAY’S REALITY

Today’s Reality
• Administrative control of the entire system is lost
• Increased attack surface
• Abstraction has made systems difficult to assess
• Expectation of anytime-anywhere access from any device
The Control Quotient and the SPI Stack
CSA Cloud Model layers: Security Management & GRC; Identity/Entity Security; Data Security; Host, Network and Infrastructure Security; Application Security.
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.

The Control Quotient and the SPI Stack (continued)
Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud force a change in how security controls are evaluated and deployed.
Half Full or Half Empty?
To be successful, we must focus on the control kept (or gained!), NOT the control lost…

Controls Gained!!!
• Virtualization and Cloud
  – Asset, Configuration and Change Management
  – Snapshot
  – Rollback
  – Pause
• VDI
  – Asset, Configuration and Change Management
• Mobility
  – Encryption (with containers)
• Software-As-A-Service
  – Logging!
MAKING IT PERSONAL

A Parent’s Most Valuable Asset?

Most Valuable Asset? …Yet Most Parents Allow Their Kids to Leave Their Control

Choosing Child Care? (National Association for the Education of Young Children)
EXAMPLES

Virtualization and Cloud Created An Entire New Definition of Privilege
The Control Quotient and the SPI Stack
Stack figure (by Chris Hoff -> CSA) with an example provider at each layer: Amazon EC2 - IaaS; Google AppEngine - PaaS; Salesforce - SaaS.
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” by Chris Hoff -> CSA.

The Control Quotient and the SPI Stack (continued)
The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
(Same stack figure: Amazon EC2 - IaaS; Google AppEngine - PaaS; Salesforce - SaaS. Source as above.)
So, Whose Cloud Is It Anyway?

Model                          | Private Cloud | IaaS in Hybrid / Community / Public Cloud | PaaS/SaaS
Whose Privileged Users?        | Customer      | Provider                                  | Provider
Whose Infrastructure?          | Customer      | Provider                                  | Provider
Whose VM / Instance?           | Customer      | Customer                                  | Provider
Whose Application?             | Customer      | Customer                                  | Provider
Government Discovery Contact?  | Customer      | Provider                                  | Provider
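The matrix above decides, per deployment model, which assets sit in the customer's sphere of control and which it can only influence through the provider. The following Python model is an added illustration, not code from the talk or its authors: the OWNERSHIP table is the deck's matrix, while the Control records, the "independent" flag (standing in for the deck's "unless there is an independent variable", e.g. encryption with customer-held keys) and the percentage figure are this example's own assumptions. It goes slightly beyond the slide by scoring a whole list of desired controls rather than a single asset.

```python
"""Sphere-of-control model for the "Whose Cloud Is It Anyway?" matrix.

Added illustration, not code from the talk. OWNERSHIP encodes the deck's
table; everything else (Control, the 'independent' flag, the percentage)
is an assumption made for this example.
"""
from dataclasses import dataclass

# Who owns each asset under each deployment model (from the deck's table).
OWNERSHIP = {
    "private_cloud": {
        "privileged_users": "customer",
        "infrastructure": "customer",
        "vm_instance": "customer",
        "application": "customer",
        "government_discovery_contact": "customer",
    },
    "iaas_public": {  # IaaS in hybrid / community / public cloud
        "privileged_users": "provider",
        "infrastructure": "provider",
        "vm_instance": "customer",
        "application": "customer",
        "government_discovery_contact": "provider",
    },
    "paas_saas": {
        "privileged_users": "provider",
        "infrastructure": "provider",
        "vm_instance": "provider",
        "application": "provider",
        "government_discovery_contact": "provider",
    },
}


@dataclass(frozen=True)
class Control:
    """A desired security control and the asset its efficacy depends on."""
    name: str
    depends_on: str            # key of OWNERSHIP[model]
    independent: bool = False  # efficacy does not hinge on who owns the asset


def sphere(model: str, asset: str) -> str:
    """'control' when the customer owns the asset, otherwise only 'influence'."""
    return "control" if OWNERSHIP[model][asset] == "customer" else "influence"


def classify(model: str, control: Control) -> str:
    """Independent variables (assumption: e.g. encryption with customer-held
    keys) stay in the customer's sphere of control whatever the infrastructure."""
    if control.independent:
        return "control"
    return sphere(model, control.depends_on)


def control_quotient(model: str, controls: list) -> dict:
    """Split desired controls into those the customer can deploy and operate
    itself (sphere of control) and those it can only influence via the
    provider; report the share kept as a percentage (this example's metric)."""
    kept = [c.name for c in controls if classify(model, c) == "control"]
    influenced = [c.name for c in controls if classify(model, c) == "influence"]
    pct = round(100 * len(kept) / len(controls)) if controls else 0
    return {"control": kept, "influence": influenced, "quotient": pct}


# Constructed sample of desired controls (names from the deck's swim lanes;
# the asset each depends on is an assumption of this example).
DESIRED = [
    Control("patch_management", "vm_instance"),
    Control("ng_firewall", "infrastructure"),
    Control("log_management", "application"),
    Control("disk_encryption", "vm_instance", independent=True),       # customer-managed keys
    Control("multi_factor_auth", "privileged_users", independent=True),  # customer-run IAM
]

if __name__ == "__main__":
    for model in OWNERSHIP:
        r = control_quotient(model, DESIRED)
        print(f"{model:14} kept {r['quotient']:3d}%  "
              f"control={r['control']}  influence={r['influence']}")
```

Running it shows the deck's point in numbers: the same five controls are fully in the customer's hands in a private cloud, drop to 80% kept under public IaaS (the firewall moves to influence), and to 40% under PaaS/SaaS, where only the two independent variables survive. The percentage is a convenience for comparison; the deck defines the quotient as an optimization, not a score, so treat the figure as a prompt for which controls to renegotiate with the provider rather than as a grade.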
More Than Just Technology…
http://www.flickr.com/photos/markhillary/6342705495
http://www.flickr.com/photos/tallentshow/2399373550

VDI: Centralizing the Desktop?
(Figure: VDI Server, VDI Image Storage)

Mobile
http://www.flickr.com/photos/patrick-allen/4318787860/

IoT / Embedded Devices
http://www.sodahead.com/fun/eight...blue-screen.../question-2038989/CachedYou/?slide=2&page=4

Service Providers
Old Ways Don’t Work in New World…
Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments…but were the controls even effective then?
TRANSCENDING “CONTROL”

A Modern Pantheon of Adversary Classes
• Actor Classes: Script Kiddies, Terrorists, “Hacktivists”, Insiders, Auditors, States, Competitors, Organized Crime
• Motivations: Financial, Industrial, Military, Ideological, Political, Prestige
• Target Assets: Intellectual Property, PII / Identity, Credit Card #s, Web Properties, Cyber Infrastructure, Core Business Processes
• Methods: “MetaSploit”, DoS, Phishing, Rootkit, SQLi, Auth, Exfiltration, Malware, Physical
• Impacts: Reputational, Personal, Confidentiality, Integrity, Availability
Link to Full Adversary ROI Presentation
Source: Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M? (RSA US 2012) by Josh Corman and David Etue.
HD Moore’s Law and Attacker Power
• Moore’s Law: Compute power doubles every 18 months
• HDMoore’s Law: Casual Attacker Strength grows at the rate of MetaSploit
Source: Joshua Corman, http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
(Figure, built up over several slides, of four areas of a security program: Defensible Infrastructure, Operational Excellence, Situational Awareness, Countermeasures.)
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
Control “Swim Lanes”
• Desired Outcomes: PCI, PHI, “IP”, Web, …
• Controls: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, …
• Leverage Points: Compliance (1..n), Productivity, “ROI”, Breach / QB sneak, …
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.

Control & Influence “Swim Lanes”
Same desired outcomes and controls as above; leverage points extended with: DevOps, “Honest Risk”, General Counsel, Procurement, Disruption.
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.

Under-tapped Researcher Influence
Same swim lanes; researcher leverage points added: Litigation, Legislation, Open Source, Hearts & Minds, Academia.
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
Potential Independent Variables
• Encryption: with good key management…
• Rootkits: well, rootkits for good…
• Intermediary Clouds: Anti-DDoS, WAF, Message/Content, Identity, etc…
• Identity and Access Management: with proper integration and process support
• Software-As-A-Service (SaaS): *if* the provider harnesses the opportunity
InfoSec Serenity Prayer
Grant me the Serenity to accept the things I 
cannot change; 
Transparency to the things I cannot control; 
Relevant controls for the things I can; 
And the Wisdom (and influence) to mitigate 
risk appropriately.
Thank You!
• Twitter: @djetue
• Resources:
  – Adversary ROI: [SlideShare]; [RSA US 2012 Online on YouTube]
  – The Cyber Security Playbook: Securing Budget and Forming Allies (with @joshcorman) [BrightTALK]
