Who should the security team hire next?
SOURCE: Seattle 2011 - Myles Conley
TRANSCRIPT
Page 1
Who Should You Hire to Improve Company Security?
Myles Conley, Auspices LLC
Page 2
No, I DON'T know AppSec experts looking for work
Auspices LLC 2
Page 3
What to expect this hour
• Where do elite security gurus work?
  – Do they work for elite companies?
• Reviewing breach data trends
• Who to hire to address those trends
• Scope
  – US & commercial only
  – Fortune 500 & Other
Page 4
How to find "Good" AppSec People?
- Have found a real bug
- Can understand bug implications
- Not by Certification
- Not by Survey
- Not by School?
Page 5
Why Not try Bugtraq Mail List?
Pros
• 20-45K subscribers
• Data since 1999
• They have found bugs
• Part of complete security team
Cons
• Cultural Bias
• Out of date
• Nyms, Corporate postings
• Bias towards self promoters
Page 6
Bugtraq Mapping
19,085 Unique Posters
Less Non-U.S., Anti-Spam, Truncated Names
Less Pseudonyms, Roles
7,352 Total Plausible Names
4,128 Found on LinkedIn
Page 7
Where BugTraqers Work
Chart: Bugtraqers by employer type (count per category; axis 0-35% of total)
• Other Healthcare: 84
• Other Financial: 153
• Vendor of Software/Hardware: 351
• High Tech: 468
• .gov, .edu, non US, non commercial: 485
• Fortune 500: 638
• Security specialists: 876
• Other: 1405
Page 8
More Bugtraq at mature companies?
Fortune 500 Companies (pie: Have Bugtraqer / Don't)
• 638 Bugtraqers
• 71 companies, average 9
• Actually concentrated at Google, IBM, Microsoft, HP, etc.
Breached Companies (pie: Have Bugtraqer / Don't)
• 447 Bugtraqers
• 55 employers out of 1158
• Average of 8
Page 9
Avoid Bugtraq Bias?
• People who submitted a security bug for Mozilla
1905 Unique Bug Submitters
Less Non-U.S., Truncated Names
Less Pseudonyms
1414 Total Plausible Names
632 Found on LinkedIn
661 Employers… only 47 have >1 bug reporter
Page 10
Where Mozilla Helpers Work
Chart: US Based Mozilla Critical Security Bug Reporters by employer type (percent, axis 0-30%). Categories: Other Healthcare, Other Financial, Fortune 500, .gov/.edu/non commercial, High Tech, Vendor of Software/Hardware, Other, Security specialists
Page 11
AppSec Conclusions
• Good help is widely distributed
  – 20% are in security consulting companies
  – There is a long tail
• Lots of companies chose not to hire people who post on BugTraq
  – Or are using contractors
  – Or are hiring now
  – Or hire youngsters
• So… why is it always AppSec?
Themes we learn from the news
• Helpless against 0day attacks
• Security Development Lifecycle is working
Page 12
How Security Team Primes Security (axis: Maturity Level)
Application Security
• Pen Test
• QA integration
• Metrics
• Dev Tools & Training
• Developers own Security
  – SDL
Ops & Security Strategy
• Pen Test
• ….. FUD
• …. Peer comparisons
• … Look over There!
• .. Controls
• Change in Capabilities
Page 13
Fixing Overall Security
What do security team managers need to do?
• Figure out where we're having problems
• Find who could have prevented those problems
• Find out if we can hire them
First, where can we learn about the problems?
– Vendors
– Incident Response & the Underground
– Mandatory Disclosure
– News Wire
– Surveys
Page 14
Breach Classification

| Level | Basic | Slog | Advanced | New |
|---|---|---|---|---|
| Description | Known problems, easy to fix | Ongoing, common problems, hard to fix | Advanced attacks, hard to predict / fight | Emerging threats |
| Precedent | Old to World | Old to You | New to World | New to You |
| Sophistication | Low | Med-High | High | ? |
| Example | Bad passwords | Malware / XSS | APT / 0 day | Mobile, Skimming |
Page 15
Breach Data from Vendors
Advantages
• Large installed base
• Research teams
Disadvantages
• Annual Report
Biases
• Want to sell product
• Vendor's Scope
• Forward looking
• No segmentation
• No raw data
Page 16
Symantec & Microsoft
Symantec
• Threats Identified
  – Targeted attacks with Social Network intel
  – Zero day attacks
  – Attack Kits and Root kits
  – Mobile
Microsoft
• Threats Identified
  – Java, Browser, Adobe files
  – Attacks using software with patch available
• Intelligence
  – Software Industry Vulns decreasing since 2006
Page 17
Score So Far

| Source of Breach Data | Basic | Slog | Advanced | New | Theme |
|---|---|---|---|---|---|
| Vendors | 0 | 1 | 4 | 1 | We need experts! Or Vendors! |
| Incident Response and Underground | | | | | |
| Mandatory Disclosure | | | | | |
Page 18
Breach Data from Incident Response Companies
Advantages
• Know their customers
• Sometimes imprison the guilty
Bias
• Companies that can discover breach
• Companies that need external help
• Backwards looking
• Intrusion is unit of measurement
Page 19
Verizon Data Breach Investigations Report
Incidents included
• 94 investigated by Verizon
• 667 investigated by US Secret Service
Chart: Percent of Breached Companies by # Employees (>10K employees, <1K employees, Between)
Chart: Breaches by Industry in 2011 (count, axis 0-350): Hospitality, Retail, Financial, Healthcare, Tech Services, Manufacturing, Other
Page 20
Percent of Breaches Including Vector
Chart (axis 0-45%): Malware via user, Buffer overflow, Weak Authentication, Abuse of functionality, SQL injection, Stolen credentials, Brute Force Authentication, Default authentication, Malware via attacker, Social Engineering
Page 21
Vector Data from Underground
DBIR Intelligence
• 2/3 of malware was customized
• Only 5 vulnerabilities used in 381 attacks
Contagio overview of Exploit Packs
Dan Guido: Exploit Intelligence Project, 2010
• Malware exploits are predictable
• Easy no-patch mitigation for 22 of 27 top malware
• Remainder by architecture & policy
Page 22
Score So Far

| Source of Breach Data | Basic | Slog | Advanced | New | Theme |
|---|---|---|---|---|---|
| Vendors | 0 | 1 | 5 | 1 | We need experts! Or Vendors! |
| Incident Response and Underground | 5 | 4 | 1 | 1 | Old problems, then Malware |
| Mandatory Disclosure | | | | | |
Page 23
Breach Data from Mandatory Disclosure
Advantages
• Raw Data! DatalossDB.org
Disadvantages
• Legislation changes
Biases
• Backwards looking
• Reporting criteria
  – PII loss is reported
  – Trade secret loss isn't
• Best effort data assembly
Page 24
DataLossDB Biases
Chart: Records Lost (left axis, 0-140) vs. Breaches (right axis, 0-120)
Page 25
Fortune 500 vs. Others
Chart: Breaches (count, axis 0-120), Other Breaches vs. Fortune Breaches
Page 26
Fortune 500 Sized Datasets
Chart: Records lost in millions, log scale (0.01-1000), 2006-2011, Fortune Records vs. Other Records
Page 27
Fortune 500 Breach Data
Chart: Breaches by Vector - Fortune 500 (count, axis 0-40, 2007-2010)
Chart: Records Lost by Vector - Fortune 500 (millions, log plot, 0.001-1000, 2007-2010)
Vectors: Document Loss, (E)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration
• Threats Identified
  – Missing Encryption
  – (E)Mail
  – Hacking
Page 28
Breaches at Non Fortune 500
Chart: Breaches by Vector - Non Fortune 500 (count, axis 0-120, 2007-2010)
Chart: Records Lost by Vector - Non Fortune 500 (millions, log plot, 0.001-100, 2007-2010)
Vectors: Document Loss, (e)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration
• Threats Identified
  – Missing Encryption
  – Web Configuration
  – Document Loss
  – Hacking
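The mandatory-disclosure slides above (pages 23-28) bucket raw disclosure records by vector, year and Fortune 500 membership, and plot breach counts separately from records lost on a log axis. The Python below is an added example, not the speaker's code and not a DataLossDB export: the records and their field layout (date, organisation, Fortune 500 flag, vector, records lost) are constructed for illustration. It reproduces the two views and shows why they disagree: a handful of very large breaches own almost all lost records, so a vector ranking by records says something different from a ranking by count.

```python
"""Bucket breach-disclosure records by vector, year and company class.

Added example (not from the talk). SAMPLE_BREACHES is constructed; the
tuple layout is an assumption, not DataLossDB's schema.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (date, organisation, Fortune 500?, vector, records lost)
SAMPLE_BREACHES = [
    ("2008-03-02", "Acme Retail",     True,  "Missing encryption",   4_200_000),
    ("2008-07-19", "Acme Retail",     True,  "Hacking",                250_000),
    ("2009-01-11", "BigBank",         True,  "(E)Mail",                 12_000),
    ("2009-05-30", "Regional Clinic", False, "Document Loss",            3_100),
    ("2009-09-14", "Regional Clinic", False, "Missing encryption",      48_000),
    ("2010-02-08", "Shop.example",    False, "Web configuration",          900),
    ("2010-04-21", "Shop.example",    False, "Hacking",              1_500_000),
    ("2010-06-02", "County Office",   False, "Document Loss",              700),
    ("2010-11-17", "MegaCorp",        True,  "Hacking",            130_000_000),
    ("2010-12-01", "Small Dental",    False, "Missing encryption",       2_400),
]


def summarize(breaches, fortune500=None):
    """Return {(year, vector): {"breaches": n, "records": total}}.

    fortune500=True/False restricts to that company class; None keeps all.
    """
    out = defaultdict(lambda: {"breaches": 0, "records": 0})
    for date, _org, is_f500, vector, records in breaches:
        if fortune500 is not None and is_f500 != fortune500:
            continue
        key = (int(date[:4]), vector)
        out[key]["breaches"] += 1
        out[key]["records"] += records
    return dict(out)


def top_vectors(breaches, fortune500=None, by="breaches"):
    """Rank vectors across all years by breach count ("breaches") or by
    records lost ("records"); ties break alphabetically."""
    totals = defaultdict(int)
    for (_year, vector), agg in summarize(breaches, fortune500).items():
        totals[vector] += agg[by]
    return sorted(totals, key=lambda v: (-totals[v], v))


def concentration(breaches):
    """Share of all lost records held by the single largest breach, next to
    the median breach size. The gap between the two is the reason to count
    breaches separately and plot records on a log axis, as the slides do."""
    sizes = sorted(r for *_, r in breaches)
    return {"largest_share": sizes[-1] / sum(sizes), "median": median(sizes)}


if __name__ == "__main__":
    for label, flag in (("Fortune 500", True), ("Non Fortune 500", False)):
        print(label, "by count:  ", top_vectors(SAMPLE_BREACHES, flag))
        print(label, "by records:", top_vectors(SAMPLE_BREACHES, flag, by="records"))
    print("concentration:", concentration(SAMPLE_BREACHES))
```

Run with real disclosure data, the same two rankings are the check a hiring manager wants before reading the "Threats Identified" bullets: if the count ranking is led by missing encryption and document loss while the records ranking is led by a single hacking incident, the hire that removes the most breaches is not the hire that would have prevented the headline.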
Page 29
It's Not Just AppSec, It's Not Just Advanced

| Source of Breach Data | Basic | Slog | Advanced | New | Theme |
|---|---|---|---|---|---|
| Vendors | - | 1 | 5 | 1 | We need experts! Or Vendors |
| Incident Response and Underground | 5 | 4 | 1 | 1 | Old problems, then Malware |
| Mandatory Disclosure – Fortune 500 | 2 | - | 1 | - | Encryption, Lists & Hacking |
| Mandatory Disclosure – Smaller | 4 | - | 1 | - | Basics & Hacking |
Page 30
Given These Problems, Who Should You Hire?
• For each class of breach,
  – What does your company need?
  – What Roles should you hire?
  – What do Managers have to do?
Page 31
Basic: Kitchen Hygiene
Company Needs
• Standards & Training
• Tools: Red cutting boards / Disk Encryption
• Consistent Deployment
• Consistent Enforcement
Roles
• Project Management
• Glue code developers
  – Ops tools, especially AAA
  – Enforcement / near misses
• Metrics
Management
– Own Goal Risk information
• Near Misses
• Cost is simplest to estimate
"No CEO is that stupid not to pay attention [to security]. But maybe they pay the same attention I did, which is giving encouragement and budget to IT but then saying 'What do I know about programming?'" - Ted Chung, CEO Hyundai Card/Hyundai Capital
Page 32
Long Slog: Factory Model
Company Needs
• Systems knowledge to interrupt threat
  – Compartmentalization
  – Breaking attack chain
  – Mature incident response
• Threat Intelligence
• Metrics
• Peer Group Intelligence
Roles
• Threat Intelligence
  – Vendor
  – Attack chain architects
• Compartmentalization
  – Systems + business knowledge experts
• Web Application cleanup
• SIEM / Log glue integrator
Management
• Control Efficiency
  – Threat chain status & metrics
• Incident Response Management
• Peer Group Intelligence
Page 33
Advanced Threats: E-Coli
Company Needs
• Risk Assessment
• Risk Compartments
• Logfile Watchers
• Appropriate level of defense (AppSec)
Roles
• Logwatchers
• Speed dial for the CDC / IR company
• Known Targets
  – Internal bug finders
Management
• Risk Management
  – By $ or Bodies, not Vectors
• Compartmentalization
  – Inside is Hostile
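The "SIEM / Log glue integrator" role on the Long Slog slide and the "Logwatchers" role here are both about turning authentication logs into alerts for the vectors the DBIR slide (page 20) lists: brute force, default accounts, and the stolen or guessed credential that shows up as a success right after a burst of failures. The Python below is an added example, not the speaker's code and not any vendor's SIEM rule. The log lines are constructed in sshd's wording with RFC 3339 timestamps; the failure threshold, the 60 second window and the default account list are assumptions to tune per environment.

```python
"""Minimal log watcher for three authentication vectors: brute force,
default/shared account logins, and success-after-failures.

Added example (not from the talk). SAMPLE_LOG is constructed; the
thresholds and DEFAULT_ACCOUNTS are assumed policy.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Assumed policy: 5 failures inside 60 s from one source is a brute force;
# these accounts are vendor defaults or shared logins that should never
# authenticate interactively.
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "test"}

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
2011-10-21T03:14:01 web1 sshd[2211]: Failed password for invalid user oracle from 203.0.113.5 port 50211 ssh2
2011-10-21T03:14:03 web1 sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 50212 ssh2
2011-10-21T03:14:05 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 50213 ssh2
2011-10-21T03:14:06 web1 sshd[2214]: Failed password for root from 203.0.113.5 port 50214 ssh2
2011-10-21T03:14:08 web1 sshd[2215]: Failed password for root from 203.0.113.5 port 50215 ssh2
2011-10-21T03:14:09 web1 sshd[2216]: Failed password for root from 203.0.113.5 port 50216 ssh2
2011-10-21T03:14:12 web1 sshd[2217]: Accepted password for root from 203.0.113.5 port 50217 ssh2
2011-10-21T03:20:00 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2
2011-10-21T08:00:00 web1 sshd[2400]: Failed password for alice from 198.51.100.9 port 42000 ssh2
2011-10-21T08:00:05 web1 sshd[2401]: Accepted password for alice from 198.51.100.9 port 42001 ssh2
2011-10-21T09:00:00 web1 sshd[2500]: Accepted password for guest from 198.51.100.20 port 43000 ssh2
"""


def parse(line):
    """Return a dict (ts, host, result, user, ip) or None for lines that
    are not sshd authentication results."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def watch(lines):
    """Return alerts as (severity, ip, user, message) tuples, in log order.

    A per-source deque of recent failure times makes the window check
    O(1) amortised per line; a success is judged against the failures
    that preceded it from the same source, then the source's history is
    reset so one burst produces one pair of alerts, not one per line.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures in window
    flagged = set()               # ips already reported for brute force
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > WINDOW:   # expire old failures
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("medium", ev["ip"], ev["user"],
                               f"{len(q)} failed logins within {WINDOW.seconds}s"))
        else:  # Accepted
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("high", ev["ip"], ev["user"],
                               f"success after {len(q)} failures: credential guessed or stolen"))
            if ev["user"] in DEFAULT_ACCOUNTS:
                alerts.append(("high", ev["ip"], ev["user"],
                               "interactive login to default/shared account"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in watch(SAMPLE_LOG.splitlines()):
        print(*alert, sep=" | ")
```

Two things the code does that a first-draft rule usually misses: a single failure before a success (alice mistyping once) produces nothing, and the source's failure history is cleared after each success, so the watcher reports the compromise once rather than on every later login from that address. The default-account check fires even with no preceding failures (the guest login), because a valid password on a default account is the "Default authentication" vector, not a brute force.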
Page 34
New Threats
Company Needs
• Practiced Reaction
• Risk Management
• Security Strategy
Roles
• Risk Management
• Financial answers
• Security Plan Author
• Agreed-upon plans and systems in place
Management
Page 35
Conclusion

| | Basic | Slog | Advanced | New |
|---|---|---|---|---|
| Description | Known problems, easy to fix | Ongoing, common problems, hard to fix | Advanced attacks, hard to predict / fight | Emerging threats |
| Hiring Action | Project Management, Organization | Intelligence, Architecture | Risk Management, Compartments, IR Expertise | Strategy and Management |

• Elite folks are somewhat hard to find
• You probably don't need them first
  – But need intelligence to be sure
• Most company breaches within power to fix by hiring
Page 37
Photo credits
• Thanks for releasing these photos under creative commons attribution or public domain licenses
• Raptor eye: jurvetson (flickr)
• P4 hacker image from http://unix.privacylover.com/page/2/ under creative commons license
• Kitchen photo by H Dragon on flickr
• Cheese factory photo by Waponi @ flickr
• E-Coli photo credit: Rocky Mountain Laboratories, NIAID, NIH
• Mobile phone evolution – wikicommons, user Anders
• Holstein – wikicommons photo by US Government
• Tiger: Sumatran tiger, photographed at Diergaarde Blijdorp - wikicommons
• Gator - wikicommons