1. Shift Toward Dynamic Cyber Resilience: Security in the Post-AV Era
Darren Argyle, CISSP, CISM
Senior Director, EMEA Security CTO @ Symantec
Cyber Security in the Post-AV Era 1
2. Software and Data powers the world
4. From a security perspective there’s more and more to protect in more and more places
Coffee Shop, Office, Home, Industrial Devices, Government Data, Web Transactions, Airport, …, Corporate Assets
5. We’re also moving toward an inherently insecure ecosystem where…
• Low power, mobile, non-sophisticated devices are common
• Everything needs authentication – and passwords are a really poor way to protect your identity
  ➢ The only thing between an attacker and your bank account is a weak password
6.
7. We’re not succeeding in solving this today…
>500M identities were exposed last year
8. Why? There’s an asymmetry between attackers and defenders
ATTACKERS | DEFENDERS
Can focus on one target | Must defend everything
Only need to be right once | Need to be right every time
Hack can be worth millions of dollars | Blocks are expected & maintain status quo
Focus only on getting in | Must balance defense with business impact
Attackers can buy and test security products | Defenders can’t pre-test targeted malware
9. To balance this, we need an asymmetric advantage of our own
If only we could use our collective defense technologies to watch activities, determine patterns, and find anomalies.
10. To balance this, we need an asymmetric advantage of our own
We can … Big Data Analytics
11. It’s impossible to implement an attack without leaving a trace
Big Data Approach: Network, Server, Endpoint
12. What if …
• We could collect info from every endpoint, network device, and server
• We could watch this data at the enterprise level – looking for patterns and anomalies
• We could apply knowledge and learning from across many customers
Diagram labels: CLOUD / ENTERPRISE / DEVICES; Apply Context; Correlate & Prioritize; Indicators of Breach; Knowledge about URLs, file hashes; Attack patterns & actors; Correlation across ecosystem
13. We can do those things
• Data analysis value comes from ability to apply intelligence on premise & in cloud
• Data value comes from volume & variety
Diagram labels: ENTERPRISE / CLOUD / DEVICES
14. This allows us to …
• Trace
• Correlate & Prioritize
• Connect to actions at other Enterprises
Diagram labels: ENTERPRISE / CLOUD / DEVICES; Apply Context; Correlate & Prioritize
Example trace of events across the enterprise:
• Unknown source email received by XXX
• IoCs detected on device
• Connected to remote server
• Connection attempted to other higher value targets on enterprise network
• Link clicked, connection established
• Files downloaded
15. Result: We can apply our asymmetric advantage against theirs
We ALSO need an approach to protecting the insecure ecosystem: Need to make it easier to be secure
16. PROBLEM: Devices don’t allow visibility & control
SOLUTION: App-Centric Protection
PROTECT APPS/DATA
– App: Before installing, understand what behaviors the app will perform. Manage the apps in the device with containers
– Data: Seal apps in a container that ensures sensitive data is managed and encrypted
PROTECT CONNECTIONS
– Wifi hotspot reputation (use big data to collect data)
– VPNs
Lock down the insecure system and connections
17. Move past identity through passwords
YESTERDAY’S NEEDS
• STATIC devices, users & servers
• SEPARATE PASSWORDS for everything
TOMORROW’S NEEDS
• MOVING AND CHANGING devices, users & servers
• SINGLE BIOMETRIC AUTHENTICATION
• BROKERED TRUST with certs & federated roots of trust
18. We’re reaching a critical point – New technologies will require people to feel more secure
Image labels: Self Driving Cars; Medical Devices; “Internet of Things”
Photo by: Steve Jurvetson/Wikipedia Creative Commons
20. Traditional Security Approach – 80%
External Threat Intelligence and Trending; Enhanced Intelligence Exchange & Sharing; Incident Response, Malware Analysis & Forensics; Cyber Risk Assessment; Business Awareness & Involvement; Information Governance; Advanced Threat Protection
So what Do I Need to Do Differently?
21. A definition…..
Cyber-resilience is the organization's capability to withstand negative impacts due to known, predictable, unknown, unpredictable, uncertain and unexpected threats from activities in cyberspace. (Information Security Forum)
……it’s now a business conversation?
From cyber-security to cyber-resilience
22. Welcome to a new era of Cyber-Resilience
• It’s the acknowledgement that something bad will happen, or has happened already, and you don’t even know it yet
• From known risks to unknown threats
• Requirement to extend controls beyond just your enterprise
• Look beyond your own back yard, collaborate more, gather and share Cyber-intelligence (internal & external)
• Different audiences will now care that didn’t before. New language = more engagement from the business
23. TIMELINE: Recognise breach is inevitable and become resilient
60% OF ORGANIZATIONS HAVE >25 INCIDENTS EACH MONTH [1]
243 AVERAGE NUMBER OF DAYS TO DISCOVER A BREACH
PREPARE → PREVENT → DETECT & RESPOND → RECOVER
24. TIMELINE
PREPARE (RISK MANAGEMENT): WHERE IS MY SENSITIVE DATA - UNDERSTAND MY SECURITY & RISK POSTURE
PREVENT: PROTECT COMPANY INFORMATION FROM MALICIOUS ATTACK AND MISUSE
DETECT & RESPOND (RESPONSE PLANNING): PROVIDE RAPID DETECTION AND RESPONSE TO SECURITY INCIDENTS
RECOVER (TRANSFORM): REDUCE TIME TO RECOVERY TO MAINTAIN BUSINESS CONTINUITY
25. Our Vision – Information Governance and Cyber Resilience
26. What’s your – Information Governance and Cyber Resilience posture?