The New Security Practitioner
•Als PPTX, PDF herunterladen•
1 gefällt mir•90 views
The security practitioner's role is changing significantly. Trends like mobile, cloud, DevOps, and Zero Trust are creating new roles and erasing others. This presentation navigates these changes and makes some recommendations for folks wanting to keep up with the curve.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie The New Security Practitioner
Ähnlich wie The New Security Practitioner (20)
Mehr von Adrian Sanabria
Mehr von Adrian Sanabria (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
The New Security Practitioner
- 1. The Security Practitioner: An Uncertain Future Knoxville ISC2 Chapter - Sept 21, 2021
- 2. 2 Adrian who? 10 years as a security practitioner 5 years as a security consultant 3 years as an industry analyst 2 years building my own company and working for vendors Founded local cybersecurity community groups: • BSides Knoxville • 10-Sec • DC865 Now: doing cybersecurity product reviews for CyberRisk Alliance
- 4. 4 Early Days of InfoSec • Network security • IDS/IPS • Vulnerability management • Anti-virus • Incident Response
- 5. 5 Current InfoSec A bit more. Source: https://rafeeqrehman.com/wp-content/uploads/2021/07/CISO_Job_MindMap_Rafeeq_Rehman_v_2021.png
- 6. 6 An early mistake “The security industry has made a lot of mistakes along the way, and some of these mistakes have made the security professional's job needlessly difficult. In hindsight, one of these mistakes was to separate security from IT. We need to correct that.” Source: https://www.vice.com/en/article/nz7q37/we-need-to-change-the-psychology-of-security
- 7. 7 A change in thinking
- 8. 8 A change in thinking: IT systems trends
- 9. 9 A change in thinking: Digital Transformation Source: https://marketoonist.com
- 11. 11 What made all this change possible? 1. Always-on Internet 2. Cloud (~2007) 3. True smartphones (2008) 4. DevOps (~2012) 5. Everything-as-a-service (2010-present) 6. Ad-tech: obscene reach (2013-present) 7. Venture Capital: obscene cash (2015-present)
- 12. 12 Why change? 1. Speed 2. Agility 3. Less risk when taking big chances 4. Instant feedback Sources: http://tweetstorm.io/user/pmarca/473910743834693632 https://twitter.com/mrry550/status/524624073779720194
- 13. 13 Security shares many of the same needs • Technology moves fast • Startups move fast • DevOps moves fast • Attackers move fast • Deploying the new SIEM is estimated to take 18 weeks…
- 14. 14 New tricks from our DevOps friends • Immutability (reducing and removing administrative access to production workloads) • high availability (patch and release whenever you want, with no noticeable production impact) • guardrails - autocorrecting configurations • automated vulnerability and policy checks as part of the CI/CD pipeline • short asset age, shorter password age (ephemeral) • automated response and recovery
- 15. 15 The DIE triad • Distributed - highly distributed systems and data remove the need for availability within any one component of the system • Immutable - integrity can't be attacked if data can't be changed • Ephemeral - less need to worry about the confidentiality of systems and data if they have short lifecycles • Use CIA for pets, DIE for cattle https://www.youtube.com/watch?v=_omGtDfaAjI
- 16. 16 MVP, waterfall, agile Source https://blog.crisp.se/2016/01/25/henrikkniberg/making-sense-of-mvp
- 18. 18 Presented at Cloud Security World in 2016 Source https://www.slideshare.net/AdrianSanabria1/cloud-devops-and-the-new-security-practitioner
- 19. 19 Traditional approach to security: • Security is always a secondary or enabling layer • Security must have direct knowledge and experience with the underlying layer in order to be effective at protecting it or recommending feasible solutions • Direct experience in core technical disciplines goes a long way in earning respect and cooperation Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops Understanding security’s role by understanding IT
- 20. 20 Issues with the traditional approach: • Few security teams can ever be ‘well-rounded’ enough • Security team isn’t qualified to advise much of IT • Adversarial/dysfunctional relationships common • IT changes often; attackers adapt quickly • Defenders and security tools adapt slowly Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops Understanding security’s role by understanding IT
- 21. 21 Security An example: going ‘cloud-first’ • Lower-level IT layers are outsourced • Most security practitioner knowledge lies in these layers • Infrastructure-heavy security skillsets lose value • Concept of bi-modal IT further confuses things • As IT changes, so must security Physical Security OS Layer Network Layer Service Desk Dev, QA, Test Web/App Layer Ops Security’s Changing Role
- 22. 22 Cloud and DevOps – an opportunity to redesign security: • Smaller ‘well-rounded’ groups • Dev, ops, infrastructure and security roles are shared • Everyone working towards a clear, common goal • Relationship between security and developers is crucial • Security can’t impact delivery schedule Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security Security’s Changing Role
- 23. 23 Questions • Security is redistributed into IT for all operational tasks • Dedicated security staff performs • high-level design, design/architectural input • monitor changes in risk/attackers/landscape • instruct/consult individual SMEs as needed Physical OS Layer Network Layer Service Desk Dev, QA, Test; Web/App Layer; Ops Security SME Internal Security Team Security SME Security SME Security SME What should security’s future role be?
- 24. 24 The Security Practitioner: old versus new • Monitoring security alerts • Manage network security • Manage endpoint security • IR/Forensics • Pentesting • Vulnerability Scanning • Policies/Standards • Compliance/Regs • Log management • DR/BCP and Security Awareness • Influence design, architecture standards, processes • Automate tasks • Forensics • Security assessments • Identify gaps and recommend fixes • JSON, REST, XML, SQL • Routing, load balancing, nw protocols
- 25. 25 How common are these new skills? • 6 out of the first 10 jobs I looked at required: - coding skills - new tech generation experience and/or skills
- 26. 26 Like what experience or skills? • “Ability to automate tasks using scripting or other programming language” • “Scripting or general-purpose programming languages” • REST, JSON, XML (API scripting) • “Experience with DevOps, CI/CD, Chef, Puppet” • “Experience testing for vulnerabilities in Ruby on Rails applications” • “Experience with various scripting and programming languages” • “Teach secure coding practices to software engineers”
- 27. 27 What should I learn? • Scripting (automation) • Get familiar with cloud, agile, devops, containers, microservices, etc. • AppSec • Data protection • Learn to write code
- 28. 28 What should I learn? • Cloud – focus on AWS, Azure, Digital Ocean (cheap) • Containers – focus on Docker • Pick a language - ruby and python are most common • Jenkins • Ansible, Chef, Puppet, Salt • New attack surface Don’t make security worse! • Automation Make security better!
- 29. 29 Automation was on each of the last 3 slides… Every bit as true today… https://twitter.com/vboykis/status/1098950011415597056
- 31. 31 What should I learn: additional influences • The art of selling • Security innovation: corporate githubs and giving back • Security Chaos Engineering
- 32. 32 Security Chaos Engineering The identification of security control failures through proactive experimentation to build confidence in the system's ability to defend against malicious conditions in production. https://www.verica.io/sce-book/
- 33. 33 Security Chaos Engineering • Things will go wrong: why not figure out what they are now? • Like fuzzing, but at a more macro level • Resilience is the foundation of chaos engineering (the “R” in SRE, sorta) • Confidence: most orgs don’t know if they’re ready to handle an incident until it happens Instead of avoiding failure, accept that it’s a natural state that aids learning
- 34. 34 The bottom line If you want to understand where security is going, stop looking at security, and start following IT innovation, trends and changes
- 35. 35 Additional resources • How to implement cloud security that actually works: https://securityweekly.com/webcasts/how-to-implement- cloud-security-that-actually-works-lessons-from-the- front-lines/
Hinweis der Redaktion
- Go ahead, say it – you know you want to. Let’s just get that out of the way and out of our systems, shall we?
- The security industry has made a lot of mistakes along the way, and some of these mistakes have made the security professional's job needlessly difficult. In hindsight, one of these mistakes was to separate security from IT. We need to correct that. We can't fix security's problems by throwing more people at them security will never be large enough to secure the entire organization on its own we must have help from asset owners - they should own responsibility for security on their assets In fact, if security isn't part of someone's job, that doesn't make them neutral. It usually results in them working against us. expense-in-depth vs defense-in-depth teams focused on operational activities and digging through the mess of alerts created by security tools, instead of doing security work FOMO - we want to know about all the logs, all the alerts, all the vulns. This isn't productive or feasible Sifting through giant piles of alerts isn't work security folks enjoy doing - it results in churn and more folks interested in offensive work, rather than defense. I mean, when the winning team is obvious, it's tough to recruit people to the losing side Security is not just a role, it's a skill. It's a way of thinking. AI/ML can help security analysts, but it won't replace them. It can't. By nature, detecting and avoiding threats is an exercise in avoiding patterns. ML is designed to identify patterns - it's literally designed in a way that makes it infinitely evadable Need to dismantle the idea of security as a gatekeeper - we should be partners and advisors the business can leverage and come to with questions or concerns. Almost like an HR, but for non-human assets!
- TL;DR – major changes in technology come more quickly now and most of them will impact security. I think it’s important for security folks to keep up with technology AT&T’s “You Will” ad campaign was surprisingly prescient. Back in the 90’s predictions were something that would eventually come, in some unspecified year in the future, thanks to some unspecified technological advances. Today, predictions are something someone could be building now, or could have already built – we’re just waiting for the announcement to drop. To remain competitive, businesses today are expected to truly innovate and predict competitors’ innovations for example, it took Uber less than half a decade to replace 50% of taxi rides. Similarly, Netflix blew past Blockbuster in a similar timeframe.
- The way we often think about these problems is like each era is replaced by the last. Which isn’t really true! Mainframes, AS/400s, modems… Windows XP – they’re all still in use today, alongside a lot of the newer stuff (at least, in large, older orgs) Uber, predictably looks a lot like a 21st century, cloud-first organization. At least, if you’re looking at the driver and rider facing app. Look at the backoffice stuff and you’ll find they’ve got SAP, laser printers, Cisco switches, and guest WiFi.
- Again, with the importance of keeping up with technological changes We often find we don’t even understand what we’re driving towards or what the goal is But… it will hit us eventually, whether we’re prepared or not My point here is not that companies need to be better prepared… but that you, as an individual should understand these trends and have opinions on them you can help drive, or be a passenger I generally think security folks who are drivers go farther (also, possibly, get fired more often)
- It's a different way of thinking and doing business. While AT&T was predicting things that could happen if certain technologies got created or took off, we're in the future where most of the prerequisites exist. Internet is ubiquitous. Mobile computing is ubiquitous. Compute and storage can be rented for pennies and scaled in minutes or hours. VC cash flows steadily. Apps can be built in hours, not months. Ad platforms can reach hundreds of millions, almost instantly. These days, if you have an idea for a disruptive business, there's not much holding you back. Understanding this, I think, can help you understand why we're seeing such a dramatic shift in how systems are managed. (re:#3 - somewhere, an ex-Blackberry exec is triggered…)
- In the early 2010s, this was just a quirky thing that Amazon, Etsy, and other crazy west-coast startups and tech giants were playing with. But the results were too good to ignore So suddenly, the startup way of doing things just becomes the way of doing things. And that really, finally landed the definition of “Digital Transformation” in a tangible way. Shorter cycle times gave businesses the ability to fail quickly, recover, try again
- More and more, agile has been accepted as the more ideal development model. What’s more, we see it used for any sort of development, including building security controls and a security program!
- I really didn’t have to change much here!
- We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
- We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
- We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
- We could also throw some other things in here as well. People (security awareness training) HR Data Supply Chain/Third party partners Compliance/regulation Design/Architecture Identity
- Just an idea – doesn’t have to be precisely like this. Depends on the business, the culture, trial/error and a hundred other factors. The general idea though, is to get security responsibility and expertise closer to where the work is done.
- The ability to sell a new security project or change is essential. We’re well past “you got to do it because security”
- But obviously, we want to force failure in controlled ways, so that it doesn’t cause harm to the business!