Control Quotient: Adaptive Strategies For Gracefully Losing Control, as presented at Hacker Halted 2014 on October 17, 2014 (https://www.hackerhalted.com/2014/us/?page_id=1174)
Abstract: Cloud, virtualization, mobility, and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.
Control Quotient: Adaptive Strategies For Gracefully Losing Control
Agenda
Context
The Control Quotient
Today’s Reality
Making it Personal
Examples
Transcending “Control”
Apply
CONTEXT
Forces of Constant Change
BUSINESS COMPLEXITY = RISING COSTS
Evolving Threats
Evolving Technologies
Evolving Compliance
Evolving Economics
Evolving Business Needs
The IT Drunken Bender
The Control Continuum: Dictator ... Surrender
Sphere of Control
Sphere of Influence vs. Control
THE CONTROL QUOTIENT
The Control Quotient Definition
• Quotient (from http://www.merriam-webster.com/dictionary/quotient):
– the number resulting from the division of one number by another
– the numerical ratio, usually multiplied by 100, between a test score and a standard value
– quota, share – the magnitude of a specified characteristic or quality
• Control Quotient: optimization of a security control based on the maximum efficacy within the sphere of control (or influence or trust) of the underlying infrastructure*
• *unless there is an independent variable…
History
• RSA Conference US 2009 P2P with @joshcorman
– An endpoint has a comprehensive, but suspect, view
– The network has a trustworthy, but incomplete, view
In Theory There Is An Optimal Place to Deploy a Control…
But Degrees Of Separation Happen….
Avoiding the Proverbial…
TODAY’S REALITY
Today’s Reality
• Administrative control of entire system is lost
• Increased attack surface
• Abstraction has made systems difficult to assess
• Expectation of anytime-anywhere access from any device
CSA Cloud Model: The Control Quotient and the SPI Stack
Layers:
• Security Management & GRC
• Identity/Entity Security
• Data Security
• Host
• Network Infrastructure Security
• Application Security
Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud Forces a Change in How Security Controls Are Evaluated and Deployed
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
To Be Successful, We Must Focus on the Control Kept (or Gained!), NOT the Control Lost…
Half Full or Half Empty?
Controls Gained!!!
• Virtualization and Cloud
– Asset, Configuration and Change Management
– Snapshot
– Rollback
– Pause
• VDI
– Asset, Configuration and Change Management
• Mobility
– Encryption (with containers)
• Software-As-A-Service
– Logging!
MAKING IT PERSONAL
A Parent’s Most Valuable Asset?
…Yet Most Parents Allow Their Kids to Leave Their Control
Choosing Child Care?
National Association for the Education of Young Children
EXAMPLES
Virtualization and Cloud Created An Entire New Definition of Privilege
The Control Quotient and the SPI Stack
• Amazon EC2 - IaaS
• Google AppEngine - PaaS
• Salesforce - SaaS
The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
Stack by Chris Hoff -> CSA
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” by Chris Hoff -> CSA
So, Whose Cloud Is It Anyway?

Model                          | Private Cloud | IaaS in Hybrid / Community / Public Cloud | PaaS/SaaS
Whose Privileged Users?        | Customer      | Provider                                  | Provider
Whose Infrastructure?          | Customer      | Provider                                  | Provider
Whose VM / Instance?           | Customer      | Customer                                  | Provider
Whose Application?             | Customer      | Customer                                  | Provider
Government Discovery Contact?  | Customer      | Provider                                  | Provider

Image credits: http://www.flickr.com/photos/markhillary/6342705495 http://www.flickr.com/photos/tallentshow/2399373550
More Than Just Technology…
VDI: Centralizing the Desktop?
• VDI Server
• VDI Image Storage
Image credit: http://www.flickr.com/photos/patrick-allen/4318787860/
Mobile
IoT / Embedded Devices
Service Providers
Old Ways Don’t Work in New World…
Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments…but were the controls even effective then?
TRANSCENDING “CONTROL”
A Modern Pantheon of Adversary Classes
Methods: “MetaSploit”, DoS, Phishing, Rootkit, SQLi, Auth, Exfiltration, Malware, Physical
Impacts: Reputational, Personal, Confidentiality, Integrity, Availability
Target Assets: Credit Card #s, Web Properties, Intellectual Property, PII / Identity, Cyber Infrastructure, Core Business Processes
Motivations: Financial, Industrial, Military, Ideological, Political, Prestige
Actor Classes: States, Competitors, Organized Crime, Script Kiddies, Terrorists, “Hacktivists”, Insiders, Auditors
Link to Full Adversary ROI Presentation. Source: Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M? (RSA US 2012) by Josh Corman and David Etue.
HD Moore’s Law and Attacker Power
• Moore’s Law: Compute power doubles every 18 months
• HDMoore’s Law: Casual Attacker Strength grows at the rate of MetaSploit
Source: Joshua Corman, http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
Countermeasures
• Situational Awareness
• Operational Excellence
• Defensible Infrastructure
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
Control “Swim Lanes”
Swim lanes: PHI, “IP”, Web, PCI, …
Controls: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, …
Desired Outcomes: Compliance (1..n), “ROI”, Breach / QB sneak, Productivity, …
Leverage Points: (none yet)

Control & Influence “Swim Lanes”
Same swim lanes, controls and desired outcomes, now adding
Leverage Points: Procurement, Disruption, DevOps, “Honest Risk”, General Counsel

Under-tapped Researcher Influence
Same swim lanes, controls, desired outcomes and leverage points, now adding
Researcher influence: Litigation, Legislation, Open Source, Hearts & Minds, Academia
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
Potential Independent Variables
• Encryption: with good key management…
• Rootkits: well, rootkits for good…
• Intermediary Clouds: Anti-DDoS, WAF, Message/Content, Identity, etc…
• Identity and Access Management: with proper integration and process support
• Software-As-A-Service (SaaS): *if* the provider harnesses the opportunity
InfoSec Serenity Prayer
Grant me the Serenity to accept the things I cannot change;
Transparency to the things I cannot control;
Relevant controls for the things I can;
And the Wisdom (and influence) to mitigate risk appropriately.
Thank You!
• Twitter: @djetue
• Resources:
– Adversary ROI: [SlideShare] • [RSA US 2012 Online on YouTube]
– The Cyber Security Playbook: Securing Budget and Forming Allies (with @joshcorman) [BrightTALK]