Conventional Defenses + Unconventional Adversaries
Joshua Corman
Director of Security Intelligence, Akamai Technologies
@joshcorman
Akamai Confidential ©2011 Akamai. Powering a Better Internet
About Joshua Corman
• Director of Security Intelligence for Akamai Technologies
• Former Research Director, Enterprise Security [The 451 Group]
• Former Principal Security Strategist [IBM ISS]
• Industry Experience:
  • Expert Faculty: The Institute for Applied Network Security (IANS)
  • 2009 NetworkWorld Top 10 Tech People to Know
  • Co-Founder of “Rugged Software” www.ruggedsoftware.org
• Things I’ve been researching:
  • Compliance vs Security
  • Disruptive Security for Disruptive Innovations
  • Chaotic Actors
  • Espionage
  • Security Metrics
Relative Risk (chart): Replaceability axis running from Irreplaceable to Highly Replaceable: Human Life, Intellectual Property, PHI, Credit Cards
2011 VZ DBIR
Mission Accomplished (no, not really)
Key Points from 2011 VZ DBIR
• All-Time High # of Incidents
• All-Time Low # of Breached Records
• Higher Value Records
• All but one thing got worse
• MOST cases SMB
Non-CCN Asset Type Breakdown

Asset Type                 2009 (141 incidents)   2010 (761 incidents)   Delta
Intellectual Property      10                     41                     +31
National Security Data     1                      20                     +19
Sensitive Organizational   13                     81                     +68
System Information         0                      41                     +41
2010 Unholy Trinity:
• Google.cn and Operation Aurora
• Stuxnet
• Bradley Manning/WikiLeaks (and Operation Payback)

2011:
• Anonymous
• EMC/RSA SecurID
• Sony’s Punishment Campaign
• LulzSec
• Lockheed
• IMF
RSA 2011 PechaKucha Happy Hour
20 Slides x 20 Seconds (6 min 40 sec)
Joshua Corman, @joshcorman, Research Director, Enterprise Security

PechaKucha Happy Hour
Why Zombies Love PCI: or “No Zombie Left Behind Act”
Speaker: Joshua Corman, Research Director, Enterprise Security, The 451 Group
Why Zombies?
Hungry
Persistent
1 at a time vs…
Zombies ++
RSA Conference 2011
Is PCI The No Child Left Behind Act for Information Security?
Early Adopters Mainstream Laggards
When “good enough”… isn’t
It’s all about Zombies
Disruptive Changes (diagram): Evolving Threat, Evolving Compliance, Evolving Technology, Evolving Economics, Evolving Business; driving Cost, Complexity, Risk
Evolving Threat: Adaptive Persistent Adversaries
Fear the auditor more than the attacker
We broke the Information Security Market
(diagram repeated): Evolving Threat, Evolving Compliance, Evolving Technology, Evolving Economics, Evolving Business; Cost, Complexity, Risk; compliance drivers HIPAA, HITECH, SOX, GLB
Thriller
                1984           1994           2004           2014?
Music player    Sony Walkman   Sony Discman   iPod           ?
Security        Signature AV   Signature AV   Signature AV   Signature AV?
Chart values: 94%, 89%, 0%
Survival Guide/Pyramid (www.ruggedsoftware.org), built up from the base:
1. Defensible Infrastructure
2. Operational Discipline
3. Situational Awareness
4. Countermeasures
Evolving Threat: Adaptive Persistent Adversaries
Anonymous
An Alignment Chart
Anon Unmasked? (Alleged Participants)
APT
You must be *this* tall to ride…
Moore’s Law: Compute power doubles every 18 months
HDMoore’s Law: Casual Attacker Strength grows at the rate of MetaSploit
Chart: HDMoore’s Law. X axis: Security Investment (1 to 11); Y axis: 0 to 120. Series: Casual Success, Anon/Lulz Success, APT/APA Success, QSA.
Attacker Drop-Offs: Casual (same chart)
Attacker Drop-Offs: QSAs (same chart)
Attacker Drop-Offs: APTs/APAs (same chart)
Attacker Drop-Offs: Chaotic Actors (same chart)
Does it matter?
Top Threat Action Types used to steal INTELLECTUAL PROPERTY AND CLASSIFIED INFORMATION by number of breaches - (excludes breaches only involving payment card data, bank account information, personal information, etc)
Was #18 in overall DBIR
Compare and contrast

                    QSA        Casual Attacker   Chaotic Actor                                   APT/APA
Asset Focus         CCNs       CCNs…             Reputation, Dirty Laundry, DDoS/Availability    IP, Trade Secrets, National Security Data
Timeframe           Annual     Anytime           Flash Mobs                                      Long Cons
Target Stickiness   NA         LOW               HIGH                                            HIGH
Probability         100%       MED               ?                                               ?
“Impact”            Annual $   1 and done        Relentless                                      Varies
Adoption curve: Early Adopters, Mainstream, Laggards (You Are Here)
Case Study: Zombie Killer of the Week?
Case Study: Zombie Killer
• LanCope
• BigFix (IBM)
• NetWitness (RSA)
• Fidelis XPS
• HBGary
• FireEye
• ArcSight (HP)
Survival Guide/Pyramid: Defensible Infrastructure, Operational Discipline, Situational Awareness, Countermeasures
A real use case of 'better security' in the face of adaptive adversaries
http://www.the451group.com/report_view/report_view.php?entity_id=66991
Which classes of adversaries are we likely to face?
Which assets are most at risk as a consequence?
How tall do we need to be?
Table Top Exercises
An ounce of prevention?
Recovery may not be technical…
Failing Well
Q&A
Joshua Corman
Director of Security Intelligence, Akamai Technologies
@joshcorman
@RuggedSoftware