Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)

Control Quo*ent: Adap*ve Strategies For Gracefully Losing Control

Agenda Context

The Control Quo*ent

Today’s Reality

Making it Personal

Examples

Transcending “Control”

Apply

CONTEXT

Forces of Constant Change

BUSINESS COMPLEXITY

= RISING COSTS

Evolving Threats

Evolving Technologies

Evolving Compliance

Evolving Economics

Evolving Business Needs

The IT Drunken Bender

The Control Con*nuum

Dictator Surrender

Control

Sphere of Control

Control

Influence

Sphere of Influence vs. Control

THE CONTROL QUOTIENT

The Control Quo*ent Defini*on •  QuoGent: (from hOp://www.merriam-‐webster.com/dic*onary/quo*ent )

–  the number resul*ng from the division of one number by another

–  the numerical ra*o usually mul*plied by 100 between a test score and a standard value

–  quota, share –  the magnitude of a specified characterisGc or quality

•  Control QuoGent: opGmizaGon of a security control based on the maximum efficacy within sphere of control (or influence or trust) of the underlying infrastructure*

•  *unless there is an independent variable…

History •  RSA Conference US 2009 P2P with @joshcorman – An endpoint has a comprehensive, but suspect, view

– The network has a trustworthy, but incomplete, view

In Theory There Is An Op*mal Place to Deploy a Control…

But Degrees Of Separa/on Happen….

Avoiding the Proverbial…

TODAY’S REALITY

Today’s Reality

•  Administra*ve control of en*re system is lost

•  Increased aOack surface •  Abstrac*on has made systems difficult to assess

•  Expecta*on of any*me-‐anywhere access from any device

Security Management & GRC

IdenGty/EnGty Security

Data Security

Host

Network Infrastructure Security

ApplicaGon Security

CSA Cloud Model The Control Quo*ent and the SPI Stack

Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.

CSA Cloud Model

Security Management & GRC

IdenGty/EnGty Security

Data Security

Host

Network Infrastructure Security

ApplicaGon Security

Virtualiza/on, So:ware Defined Networks, and Public/Hybrid/Community Cloud Forces a Change

in How Security Controls Are Evaluated and Deployed

The Control Quo*ent and the SPI Stack

To Be Successful, We Must Focus on the Control Kept (or Gained!), NOT the Control Lost…

Half Full or Half Empty?

Controls Gained!!! •  Virtualiza*on and Cloud

– Asset, Configura*on and Change Management –  Snapshot –  Rollback –  Pause

•  VDI – Asset, Configura*on and Change Management

•  Mobility –  Encryp*on (with containers)

•  Sogware-‐As-‐A-‐Service –  Logging!

MAKING IT PERSONAL

A Parent’s Most Valuable Asset?

A Parent’s Most Valuable Asset?

Most Valuable Asset?

…Yet Most Parents Allow Their Kids to Leave Their Control

Choosing Child Care?

NaGonal AssociaGon for the EducaGon of Young

Children

EXAMPLES

Virtualiza*on and Cloud Created An En*re New Defini*on of Privilege

Amazon EC2 - IaaS

Salesforce - SaaS

Google AppEngine - PaaS

Stack by Chris Hoff -‐> CSA


Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” by Chris Hoff -‐> CSA

Amazon EC2 - IaaS

The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.

Salesforce - SaaS

Google AppEngine - PaaS

Stack by Chris Hoff -‐> CSA


Source: Control Quo.ent: Adap.ve Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” by Chris Hoff -‐> CSA

So, Whose Cloud Is It Anyway? Model Private Cloud IaaS

in Hybrid / Community / Public Cloud

PaaS/SaaS

Whose Privilege Users? Customer Provider Provider

Whose Infrastructure? Customer Provider Provider

Whose VM / Instance? Customer Customer Provider

Whose ApplicaGon? Customer Customer Provider

Government Discovery Contact? Customer Provider Provider

hOp://www.flickr.com/photos/markhillary/6342705495 hOp://www.flickr.com/photos/tallentshow/2399373550

More Than Just Technology…

VDI Server

VDI Image Storage

VDI: Centralizing the Desktop?

hOp://www.flickr.com/photos/patrick-‐allen/4318787860/

Mobile

hOp://www.sodahead.com/fun/eight...blue-‐screen.../ques*on-‐2038989/CachedYou/?slide=2&page=4

IoT / Embedded Devices

Service Providers

Old Ways Don’t Work in New World…

Most organiza/ons are trying to deploy

“tradi/onal” security controls in cloud and virtual environments…but were the controls

even effec/ve then?

TRANSCENDING “CONTROL”

A Modern Pantheon of Adversary Classes

Methods “MetaSploit” DoS Phishing Rootkit SQLi Auth ExfiltraGon Malware Physical

Impacts ReputaGonal Personal ConfidenGality Integrity Availability

Target Assets

Credit Card #s Web ProperGes Intellectual Property PII / IdenGty Cyber

Infrastructure Core Business Processes

Mo*va*ons

Financial Industrial Military Ideological PoliGcal PresGge

Actor Classes

States CompeGtors Organized Crime

Script Kiddies Terrorists “HacGvists” Insiders Auditors

Link to Full Adversary ROI Presenta.on Source: Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M? (RSA US 2012) by Josh Corman and David Etue.

HD Moore’s Law and AOacker Power

•  Moore’s Law: Compute power doubles every 18 months

•  HDMoore’s Law: Casual AOacker Strength grows at the rate of MetaSploit

Source: Joshua Corman, hOp://blog.cogni*vedissidents.com/2011/11/01/intro-‐to-‐hdmoores-‐law/


Countermeasures Situa*onal Awareness Opera*onal Excellence Defensible Infrastructure


Countermeasures Situa*onal Awareness

Opera*onal Excellence

Defensible Infrastructure


Countermeasures

Situa*onal Awareness




Countermeasures

Situa*onal Awareness




PHI

“IP”

Web

PCI

AV

FW

IDS/IPS

WAF

Log Mngt

File Integrity

Disk Encryp*on

Vulnerability Assessment

Mul*-‐Factor Auth

An*-‐SPAM

VPN

Web Filtering

DLP

Anomaly Detec*on

Network Forensics

Advanced Malware

NG Firewall

DB Security

Patch Management

SIEM

An*-‐DDoS

An*-‐Fraud

…

Desired Outcomes Leverage Points

Compliance (1..n)

“ROI” Breach / QB sneak

Produc*vity

…

PHI

PCI

“IP”

Web

Control “Swim Lanes”


Web

…

PHI

“IP”

PCI

AV

FW

IDS/IPS

WAF

Log Mngt

File Integrity

Disk Encryp*on


Mul*-‐Factor Auth

An*-‐SPAM

VPN

Web Filtering

DLP

Anomaly Detec*on

Network Forensics

Advanced Malware

NG Firewall

DB Security

Patch Management

SIEM

An*-‐DDoS

An*-‐Fraud

…


Compliance (1..n)


Procurement

Disrup*on

DevOps

Produc*vity

“Honest Risk”

General Counsel

Control & Influence “Swim Lanes”


Web

…

PHI

“IP”

PCI

AV

FW

IDS/IPS

WAF

Log Mngt

File Integrity

Disk Encryp*on


Mul*-‐Factor Auth

An*-‐SPAM

VPN

Web Filtering

DLP

Anomaly Detec*on

Network Forensics

Advanced Malware

NG Firewall

DB Security

Patch Management

SIEM

An*-‐DDoS

An*-‐Fraud

…

Li*ga*on

Legisla*on

Open Source

Hearts & Minds

Academia


Compliance (1..n)


Procurement

Disrup*on

DevOps

Produc*vity

“Honest Risk”

General Counsel

Under-‐tapped Researcher Influence


Poten*al Independent Variables

• with good key management…

EncrypGon

• well, rootkits for good…

Rootkits

• AnG-‐DDoS, WAF, Message/Content, IdenGty, etc…

Intermediary Clouds

• with proper integraGon and process support

IdenGty and Access Management

• *if* the provider harnesses the opportunity

Sofware-‐As-‐A-‐Service (SaaS)

Grant me the Serenity to accept the things I cannot change;

Transparency to the things I cannot control;

Relevant controls for the things I can;

And the Wisdom (and influence) to mitigate risk appropriately.

InfoSec Serenity Prayer

Thank You!

•  TwiOer: @djetue •  Resources:

– Adversary ROI: •  [SlideShare] •  [RSA US 2012 Online on YouTube]

– The Cyber Security Playbook: Securing Budget and Forming Allies (with @joshcorman) [BrightTALK]

Internet

Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)