amber - a technical implementation of a hybrid security model -

34

Upload: june-snow

Post on 17-Dec-2015


“Someone can’t make it?! Of course I’m ready!”


Disclaimer

I like my job and it is also the only one that I have, so I would like to keep it. With that in mind, the views and claims (no matter how plausible) are my own and do not reflect the views or opinions of my employer.

Even though the presentation is rated A for Awesome (and All ages) I will probably swear because that is how I talk. If that bothers you then I am sorry, and please feel free to leave the room now.

Give hugs not drugs, and eat your veggies

About Me (the past)

Ex Musician

Re-rolled BCom Econometrics (at here!)

Investment Banker (…and you think we have an immoral industry)

2008 Fin Crash! Took an arrow to the knee

Re-rolled sysadmin, and slipped into Infosec

About Me (the present)

Husband

ISO for FNB Wealth / RMB Private Clients (Blue Team Bias)

Working towards MSc in infosec…

… and hopefully PhD after that (for the lulz)

… and because research is the most fun you can have by yourself

About Me (contacts)

Email: [email protected]

Website: www.usintrust.com

Twitter: @usintrust

Channel: Archaeon in #zacon

Our Path

The Tool Box Dissembled

History

Applying new things

AMBER!

0day (get excited)

Bonus finding

If I know who you are, then we already have problems

Antivirus

Don’t you worry. I’ve seen it all

IPS

Decisions are driven by detecting known malicious ‘things’

Decision through Detection (DtD)

Unused space has never been this useful

Honeypots

Decisions are driven by the presence of ‘things’

Decision through Presence (DtP)

DtD and DtP

Open relay Honeypots

You’re doing it wrong

DtD and DtP

Cost of Detection = (TCoR/n) + (DC * n)

DtD Cost Analysis; Discovery Phase

Cost of Action = n * FPRate

DtD Cost Analysis; Action Phase

DtD makes this possible:

$2 Billion in revenue, 7,000 Employees

DtD’s Action phase is cheap and extremely effective. It is the Tony Montana of security models – it leans entirely on the Discovery phase, and executes the outcomes
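The two DtD cost formulas above, worked through as an added example (my code, not the presenter’s). It assumes a reading the slides do not spell out: TCoR is a fixed research cost amortised over the n detections it yields, DC is a per-detection running cost, and FPRate is the false-positive cost each detection adds; under that reading the Discovery cost has a sweet spot at n = sqrt(TCoR / DC), and adding the Action cost moves it to n = sqrt(TCoR / (DC + FPRate)).

```python
import math


def dtd_discovery_cost(tcor: float, dc: float, n: int) -> float:
    """Cost of Detection = (TCoR/n) + (DC * n), as on the slide.
    Assumed meaning: TCoR = fixed research cost spread over n detections,
    DC = running cost per detection (both hypothetical labels)."""
    return tcor / n + dc * n


def dtd_action_cost(n: int, fp_rate: float) -> float:
    """Cost of Action = n * FPRate: each detection brings its own false positives."""
    return n * fp_rate


def dtd_total_cost(tcor: float, dc: float, fp_rate: float, n: int) -> float:
    """Discovery plus Action cost for a given number of detections n."""
    return dtd_discovery_cost(tcor, dc, n) + dtd_action_cost(n, fp_rate)


def optimal_n(tcor: float, dc: float, fp_rate: float = 0.0) -> float:
    """Closed form: d/dn (TCoR/n + (DC+FPRate)*n) = 0  =>  n = sqrt(TCoR/(DC+FPRate)).
    Shows that piling on more detections past this point makes DtD more expensive."""
    return math.sqrt(tcor / (dc + fp_rate))


def cheapest_n(tcor: float, dc: float, fp_rate: float, max_n: int) -> int:
    """Brute-force check of the closed form over integer n in 1..max_n."""
    return min(range(1, max_n + 1), key=lambda n: dtd_total_cost(tcor, dc, fp_rate, n))


if __name__ == "__main__":
    # Constructed sample figures, not from the talk.
    tcor, dc, fp = 10_000.0, 1.0, 3.0
    for n in (10, 50, 100, 500):
        print(n, round(dtd_total_cost(tcor, dc, fp, n), 2))
    print("analytic optimum:", optimal_n(tcor, dc, fp), "brute force:", cheapest_n(tcor, dc, fp, 1000))
```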

Cost of Presence = if i

DtP Cost Analysis; Discovery Phase

Cost of Action = ((i * threshold) * RCper i) * n

DtP Cost Analysis; Action Phase

DtP’s Discovery phase is basically free, instantly classifying information as non-productive. It is The Mentalist of the security model world

Amber

Amber Distributed Nodes

ZA-amber Node

US-amber Node

DE-amber Node

Here comes the 0day!

There is no Magic Quadrant or compliance tick box for this sort of security control. There is no stick that made us implement it. There is only the carrot of improved security

Chase the Carrot

Summary