Pukhraj Singh
Product Owner, Cyber Threat Detection
BAe Systems Applied Intelligence
The empirical paradoxes of security
How they impact decisions, architecture & defence
Or
The eternal truths about SolarWinds
Pukhraj Singh, Product Owner – Cyber Threat Detection, BAE Systems Applied Intelligence
Introduction
• 15 years in detection engineering and threat intelligence
• Roughly five years in the government
• An emphasis on geo-strategic and geopolitical parameters
• Trained and advised military commanders on defence and doctrine
• Written for the US Military Academy and US Army; op-eds in all the leading
national newspapers
• Forever a learner…with impostor syndrome ☺
Agenda
A brief glimpse into how the broad, empirical realities of cybersecurity are
divergent from its operational parameters and assumptions
PS: I don’t have any solutions to offer
The lopsided vulnerability science
Vulnerabilities are the Higgs-Boson particle of the cybersecurity universe. If we
don’t understand vulnerabilities, we don’t understand anything else.
Are vulnerabilities dense or sparse?
- A simple question asked by Bruce Schneier in The Atlantic [1]
“If vulnerabilities are sparse, then it's obvious that every vulnerability we find and fix improves security.”
“If vulnerabilities are plentiful…we don’t really improve general software security by disclosing and patching unknown vulnerabilities.”
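Schneier's question turns on how likely it is that the bugs a defender finds and patches are the same bugs an adversary is relying on. The block below is an added illustration, not part of the talk or of any of the cited sources: it models a product with a fixed pool of exploitable bugs, a defender who patches some of them and an attacker who holds some of them, and computes the chance that patching removed anything the attacker had. The pool sizes, patch counts and attacker counts are constructed, and the uniform, independent sampling of both parties is the model's assumption, not a measured fact.

```python
from __future__ import annotations

from math import comb


def overlap_probability(n_total: int, n_defender: int, n_attacker: int) -> float:
    """Probability that at least one of the attacker's bugs is in the patched set.

    Model (a simplifying assumption, not a measured fact): a product contains
    n_total exploitable bugs; the defender finds and patches n_defender of them;
    an attacker independently holds n_attacker of them; both draw uniformly from
    the same pool. The answer is exact hypergeometric counting.
    """
    if not 0 <= n_defender <= n_total or not 0 <= n_attacker <= n_total:
        raise ValueError("a party cannot hold more bugs than exist")
    if n_defender == 0 or n_attacker == 0:
        return 0.0
    # Ways the attacker's set can avoid every patched bug, over all ways to
    # choose the attacker's set. comb() returns 0 when the first argument is
    # smaller than the second, so a defender who patched everything yields 1.0.
    p_disjoint = comb(n_total - n_defender, n_attacker) / comb(n_total, n_attacker)
    return 1.0 - p_disjoint


def expected_bugs_removed(n_total: int, n_defender: int, n_attacker: int) -> float:
    """Expected number of the attacker's bugs neutralised by the patch set.

    By linearity of expectation each attacker bug is patched with probability
    n_defender / n_total, so the total is n_attacker * n_defender / n_total.
    """
    if n_total <= 0:
        raise ValueError("pool must be non-empty")
    return n_attacker * n_defender / n_total


def density_sweep(n_defender: int, n_attacker: int, pool_sizes: list[int]) -> list[tuple[int, float]]:
    """Same patch effort and attacker capability against pools of growing size."""
    return [(n, round(overlap_probability(n, n_defender, n_attacker), 4)) for n in pool_sizes]


if __name__ == "__main__":
    # Constructed numbers: a team patches 20 bugs a year, an adversary relies on 5.
    for n, p in density_sweep(20, 5, [25, 50, 100, 1000, 10000]):
        print(f"pool={n:>6}  P(patching hit an attacker bug)={p:.4f}  "
              f"expected attacker bugs removed={expected_bugs_removed(n, 20, 5):.3f}")
```

In the sparse regime (a pool barely larger than the patch set) the probability is close to one and every fix visibly hurts the attacker; as the pool grows under the same patch effort it collapses towards n_attacker·n_defender/n_total, which is the quantitative form of "we don't really improve general software security". What the model cannot tell you is which regime a real product is in, since that depends on how correlated independent finders actually are; that is the "not that simple" part Geer takes up in [2].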
But what does the industry want us to believe?
As Dan Geer writes, the answer is not that simple [2].
“Detection deficit:” How does it impact defence?
“Through the variety of areas I explored, the data and analysis continued to
highlight a single conclusion: As a community, our ability to detect 0-days being
used in the wild is severely lacking to the point that we can’t draw significant
conclusions due to the lack of (and biases in) the data we have collected.”
-- Maddie Stone, Google Project Zero [3]
Is vulnerability discovery working? [4]
But how do you define a vulnerability?
Designers, vendors, and programmers themselves have trouble describing
whether a software or hardware feature is operating as intended or is, in fact, a
security flaw.
Advanced exploitation techniques are rapidly moving towards “the boundary
between bug and expected behavior”, “almost the fringe of what can be
classified as an explicit hole or flaw.” Advanced exploitation is rapidly becoming
synonymous with the system operating exactly as designed—and yet getting
manipulated by attackers.
-- Sergey Bratus [5]
But how do you define a vulnerability?
-- Aaron Adams [6]
Complex software is built in multiple levels of aggregation and composition.
Innovation entails aggregation and composition in unforeseen combinations, at
many levels.
The hooking pattern implements the fundamental software engineering
operation of composing software with other software. For this reason, it is
implemented by a great variety of software, with a wide range of techniques
and uses. Often the hooking software is developed and released separately;
sometimes it is also released together with management tools and automation
tools.
-- Sergey Bratus [7]
Let’s go back to 1984…
“Reflections on trusting trust” by Ken Thompson [8]
*Insert mandatory Grugq quote*
Trusting trust…
My favourite Mudge posts
With misplaced empiricism, your assumptions fail.
For example, killing the Kill Chain.
These empirical misassumptions extend to other areas, too
On ring -2, bootkits and the industry botch-up of UEFI and Intel Boot Guard
“Your perimeter is not the boundary of your network; it's the boundary of your telemetry.”
-- Grugq
On AVs and EDRs, the “foot-soldiers” of cyberwar
Defeat Bitdefender total security using windows API unhooking to perform process injection - https://shells.systems/defeat-bitdefender-total-security-using-windows-api-unhooking-to-perform-process-injection/
A tale of EDR bypass methods - https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
On not-so-easy attribution and botched up CTI datasets
Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets – https://arxiv.org/abs/2101.06124
Who takes care of Ambani’s iPhone?
References
1. https://www.theatlantic.com/technology/archive/2014/05/should-hackers-fix-cybersecurity-holes-or-exploit-them/371197/
2. https://www.usenix.org/system/files/login/articles/login_summer19_12_geer.pdf
3. https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html
4. https://milek7.pl/howlongsudofuzz/
5. https://tac.bis.doc.gov/index.php/documents/pdfs/320-wa-intent-fallacy-bratus-comments/file
6. https://research.nccgroup.com/wp-content/uploads/2020/07/research-insights_vol-7-exploitation-advancements.pdf
7. https://www.usenix.org/system/files/login/articles/wassenaar.pdf
8. https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
Twitter: @RungRage
Thank you

Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 

Recently uploaded (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

"The empirical paradoxes of cybersecurity" - Pukhraj Singh - DynamicCISO Summit 2021

  • 1. Pukhraj Singh, Product Owner, Cyber Threat Detection, BAE Systems Applied Intelligence. The empirical paradoxes of security: how they impact decisions, architecture & defence. Or: the eternal truths about SolarWinds.
  • 2. Pukhraj Singh, Product Owner – Cyber Threat Detection, BAE Systems Applied Intelligence. Introduction: 15 years in detection engineering and threat intelligence; roughly five years in the government; an emphasis on geo-strategic and geopolitical parameters; trained and advised military commanders on defence and doctrine; written for the US Military Academy and US Army, with op-eds in all the leading national newspapers; forever a learner…with impostor syndrome ☺
  • 3. Agenda: a brief glimpse into how the broad, empirical realities of cybersecurity are divergent from its operational parameters and assumptions. PS: I don’t have any solutions to offer.
  • 4. The lopsided vulnerability science. Vulnerabilities are the Higgs-Boson particle of the cybersecurity universe. If we don’t understand vulnerabilities, we don’t understand anything else.
  • 5. The lopsided vulnerability science. Are vulnerabilities dense or sparse? – A simple question asked by Bruce Schneier in The Atlantic [1]
  • 6. The lopsided vulnerability science. “If vulnerabilities are sparse, then it's obvious that every vulnerability we find and fix improves security.” “If vulnerabilities are plentiful…we don’t really improve general software security by disclosing and patching unknown vulnerabilities.”
  • 7–8. The lopsided vulnerability science. But what does the industry want us to believe?
  • 9–10. The lopsided vulnerability science. As Dan Geer writes, the answer is not that simple [2].
  • 11–12. The lopsided vulnerability science. “Detection deficit”: how does it impact defence? “Through the variety of areas I explored, the data and analysis continued to highlight a single conclusion: As a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can’t draw significant conclusions due to the lack of (and biases in) the data we have collected.” -- Maddie Stone, Google Project Zero [3]
  • 13–16. The lopsided vulnerability science. Is vulnerability discovery working [4]?
  • 17. The lopsided vulnerability science. But how do you define a vulnerability? “Designers, vendors, and programmers themselves have trouble describing whether a software or hardware feature is operating as intended or is, in fact, a security flaw. Advanced exploitation techniques are rapidly moving towards ‘the boundary between bug and expected behavior’, ‘almost the fringe of what can be classified as an explicit hole or flaw.’ Advanced exploitation is rapidly becoming synonymous with the system operating exactly as designed—and yet getting manipulated by attackers.” -- Sergey Bratus [5]
  • 18. The lopsided vulnerability science. But how do you define a vulnerability? -- Aaron Adams [6]
  • 19–20. The lopsided vulnerability science. But how do you define a vulnerability? “Complex software is built in multiple levels of aggregation and composition. Innovation entails aggregation and composition in unforeseen combinations, at many levels. The hooking pattern implements the fundamental software engineering operation of composing software with other software. For this reason, it is implemented by a great variety of software, with a wide range of techniques and uses. Often the hooking software is developed and released separately; sometimes it is also released together with management tools and automation tools.” -- Sergey Bratus [7]
  • 21. The lopsided vulnerability science. But how do you define a vulnerability? Let’s go back to 1984… “Reflections on trusting trust” by Ken Thompson [8]
  • 22. The lopsided vulnerability science. Let’s go back to 1984… *Insert mandatory Grugq quote*
  • 23. The lopsided vulnerability science. Trusting trust…
  • 24–27. N w, ’ k g n v. My favourite Mudge posts.
  • 28. N w, ’ k g n v. With misplaced empiricism, your assumptions fail. For example, killing the Kill Chain.
  • 29. These empirical misassumptions extend to other areas, too.
  • 30. On ring -2, bootkits and the industry botch-up of UEFI and Intel Boot Guard.
  • 31. “Your perimeter is not the boundary of your network, it's the boundary of your telemetry.” -- Grugq
  • 32. On AVs and EDRs, the “foot-soldiers” of cyberwar. Defeat Bitdefender Total Security using Windows API unhooking to perform process injection – https://shells.systems/defeat-bitdefender-total-security-using-windows-api-unhooking-to-perform-process-injection/ ; A tale of EDR bypass methods – https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
  • 33. On not-so-easy attribution and botched-up CTI datasets. Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets – https://arxiv.org/abs/2101.06124
  • 34. Who takes care of Ambani’s iPhone?
  • 35. References
    1. https://www.theatlantic.com/technology/archive/2014/05/should-hackers-fix-cybersecurity-holes-or-exploit-them/371197/
    2. https://www.usenix.org/system/files/login/articles/login_summer19_12_geer.pdf
    3. https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html
    4. https://milek7.pl/howlongsudofuzz/
    5. https://tac.bis.doc.gov/index.php/documents/pdfs/320-wa-intent-fallacy-bratus-comments/file
    6. https://research.nccgroup.com/wp-content/uploads/2020/07/research-insights_vol-7-exploitation-advancements.pdf
    7. https://www.usenix.org/system/files/login/articles/wassenaar.pdf
    8. https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf