Transcript Joshua Corman Director of Security Intelligence Akamai

Conventional Defenses
+
Unconventional Adversaries
???
Joshua Corman
Director of Security Intelligence
Akamai Technologies
@joshcorman
Joshua Corman
Director of Security Intelligence
Akamai Technologies
@joshcorman
About Joshua Corman
• Director of Security Intelligence for Akamai Technologies
• Former Research Director, Enterprise Security [The 451 Group]
• Former Principal Security Strategist [IBM ISS]
• Industry Experience:
• Expert Faculty: The Institute for Applied Network Security (IANS)
• 2009 NetworkWorld Top 10 Tech People to Know
• Co-Founder of “Rugged Software” www.ruggedsoftware.org
• Things I’ve been researching:
• Compliance vs Security
• Disruptive Security for Disruptive Innovations
• Chaotic Actors
• Espionage
• Security Metrics
4
Akamai Confidential
Powering a Better Internet
©2011 Akamai
Relative Risk
Replaceability
Irreplaceable
Human Life
Highly Replaceable
Intellectual Property
PHI
Credit Cards
Mission Accomplished
(no, not really)
2011 VZ DBIR
Key Points from 2011 VZ DBIR
All-Time High # of Incidents
All-Time Low # of Breached Records
Higher Value Records
All but one thing got worse
MOST cases SMB
Non-CCN Asset Type Breakdown
2009
141 incidents
2010
761 incidents
Delta
Intellectual Property
10
41
+ 31
National Security Data
1
20
+ 19
Sensitive Organizational
13
81
+ 68
ZERO
41
+ 41
System Information
2010 Unholy Trinity:
•
•
•
Google.cn and Operation Aurora
Stuxnet
Bradley Manning/WikiLeaks (and Operation Payback)
2011:
•
•
•
•
•
•
Anonymous
EMC/RSA SecurID
Sony’s Punishment Campaign
LulzSec
Lockheed
IMF
20 Slides
x 20 Seconds
(6 min 40 sec)
Joshua Corman
@joshcorman
Research Director
Enterprise Security
RSA 2011
PechaKucha Happy Hour
Why Zombies Love PCI:
or “No Zombie Left Behind Act”
SPEAKER:
Joshua Corman
Research Director
Enterprise Security
The 451 Group
PechaKucha Happy Hour
Hungry
Persistent
1 at a time vs…
Why Zombies?
Zombies ++
RSA Conference 2011
14
Is PCI The No Child Left Behind Act for
Information Security?
Early Adopters
Mainstream
15
Laggards
When “good enough”… isn’t
16
It’s all about Zombies
It’s all about Zombies
Disruptive Changes
Evolving
Threat
Evolving
Compliance
Cost
Complexity
Risk
Evolving
Economics
Evolving
Technology
Evolving
Business
19
Evolving Threat:
Adaptive Persistent Adversaries
Fear the auditor more than the attacker
21
We broke the Information Security Market
Evolving
Threat
Evolving
Compliance
Cost
Complexity
Risk
Evolving
Economics
Evolving
Technology
Evolving
Business
HIPAA
HITECH
SOX
GLB
Thriller
1984
1994
2004
2014?
Sony Walkman
Sony Discman
iPod
?
?
Signature AV
Signature AV
Signature AV
24
Signature AV
94%
89%
0%
25
26
Survival Guide/Pyramid
www.ruggedsoftware.org
Defensible Infrastructure
Survival Guide/Pyramid
Operational Discipline
Defensible Infrastructure
Survival Guide/Pyramid
Situational Awareness
Operational Discipline
Defensible Infrastructure
Survival Guide/Pyramid
Countermeasures
Situational Awareness
Operational Discipline
Defensible Infrastructure
[email protected]
@joshcorman
Hungry
Persistent
1 at a time vs…
Surviving The Zombie Apocalypse
Evolving Threat: Adaptive Persistent Adversaries
Anonymous
An Alignment Chart
Anon Unmasked? (Alleged Participants)
You must be *this* tall to ride…
Moore’s Law
Moore’s Law:
Compute power doubles every 18 months
HDMoore’s Law:
Casual Attacker Strength grows at the rate of
MetaSploit
Attacker Drop-Offs: Casual
120
HDMoore’s Law
100
80
Security Investment
Casual Success
60
Anon/Lulz Success
APT?APA Success
QSA
40
20
0
1
2
3
4
5
6
7
8
9
10
11
Attacker Drop-Offs : QSAs
120
100
80
Security Investment
Casual Success
60
Anon/Lulz Success
APT?APA Success
QSA
40
20
0
1
2
3
4
5
6
7
8
9
10
11
Attacker Drop-Offs: APTs/APAs
120
100
80
Security Investment
Casual Success
60
Anon/Lulz Success
APT?APA Success
QSA
40
20
0
1
2
3
4
5
6
7
8
9
10
11
Attacker Drop-Offs: Chaotic Actors
120
100
80
Security Investment
Casual Success
60
Anon/Lulz Success
APT?APA Success
QSA
40
20
0
1
2
3
4
5
6
7
8
9
10
11
Does it matter?
Was #18
in overall
DBIR
Top Threat Action Types used to steal INTELLECTUAL PROPERTY AND
CLASSIFIED INFORMATION by number of breaches - (excludes breaches only
involving payment card data, bank account information, personal information, etc)
Compare and contrast
QSA
Casual
Attacker
Chaotic
Actor
APT/APA
Asset Focus
CCNs
CCNs…
Reputation,
Dirty
Laundry
DDoS/Availa
bility
IP, Trade
Secrets,
National
Security
Data
Timeframe
Annual
Anytime
Flash Mobs
Long Cons
NA
LOW
HIGH
HIGH
100%
MED
?
?
Annual $
1 and done
Relentless
Varies
Target Stickiness
Probability
“Impact”
Case Study: Zombie Killer of the Week?
Early Adopters
Mainstream
You
Are
Here
Laggards
Case Study: Zombie Killer
LanCope
BigFix (IBM)
NetWitness (RSA)
Countermeasures
Situational Awareness
Fidelis XPS
HBGary
FireEye
Operational Discipline
Defensible Infrastructure
ArcSight (HP)
A real use case of 'better security' in the face of adaptive
adversarieshttp://www.the451group.com/report_view/report_view.php?entity_id=66991
Which classes of adversaries are we likely to
face?
Which assets are most at risk as a consequence?
How tall do we need to be?
Table Top Exercises
An ounce of prevention?
Recovery may not be technical…
Failing Well
Q&A
Joshua Corman
Director of Security Intelligence, Akamai Technologies
@joshcorman
@RuggedSoftware
[email protected]