Introduces a Data-Driven Computer Security Defense, a computer security defense strategy introduced by the author. Slide deck complements the book and whitepaper and can be used by anyone.
5. Imagine an Army…
• Two sides – good and evil – engaged in a decades long battle
• Evil side is having great success on left flank of battle
• Good side responds by building up right flank and even building up in the center, and wonders why their defense is not working
This is the way most IT defenders work
6. Data-Driven Defense strategy focuses on:
• Reducing Initial Breaches
• Identifying Root-Causes of Initial Exploits
• Most Likely Attacks
• Relevance Drives Risk Assessment
• Faster Remediation Cycles
• Data-Driven Mitigations Right-Aligned To Most Critical Threats
Offering theory described in Data Driven Defense whitepaper: http://aka.ms/datadrivendefense
What is it?: A methodology that allocates security resources more efficiently and effectively, to mitigate the top computer and network security threats faster and cheaper.
7. How did it get this way?...After all, nobody wants to defend inefficiently
• Don’t understand their threats and risks as well as they think they do
• Don’t use their own data to drive solutions
• Don’t put in the right defenses in the right places in the right amounts
• Poor communication at all levels
• Don’t hold current defenses accountable for what they said they could do
• Spend too many resources not getting the right results
8. Problem Definition
Examples of Inefficiencies
• No one can name the #1 problem
• Too many top priorities
• Unranked controls, training, every list
• Good patching of low risk apps and poor patching of high risk apps
• Strategic controls don’t map to the tactical things that would have the most risk impact
• Expensive solutions sitting on the shelf
9. Problem Definition – How Did It Get This Way?
Problem – Lack of Focus
Sheer Number of Threats
• Avg: 5K-6K new threats/year
• 15/day, day after day
10. Problem Definition – How Did It Get This Way?
Problem – Lack of Focus
Competition for Attention
• Avalanche of Threats
• Compliance Concerns
• Too Many Projects
• Higher Priority Pet Projects/Politics
• Slower Budgeting Cycles
• Inefficient IT Organization
• Corporate Culture Risk Tolerance
11. Evolution: Humans are not great at ranking risks, even when the metrics are known.
Example: Most humans are more afraid of airplane crashes and shark attacks than the car rides to the locations where those events could possibly take place, even though the car ride is tens of thousands of times more risky
Odds of Fatality*:
• Airplane crash: 1 in 11 Million
• Shark attack: 1 in 3.7 Million
• Car ride: 1 in 5,000
*sources: Clarke, Ropeik, National Geographic
12. • Doesn’t focus enough on actual, local experienced attacks (vs. focusing on mostly externalities)
• Inadequate detection
• Little to no forensic analysis
• Often doesn’t capture root causes
• Little to no metrics captured or reported
• What is detected isn’t effectively communicated up the chain and to the entire organization
13. What’s the number one threat in your environment?
• Zero days
• Unpatched software
• Malware
• Social engineering
• Password Issues
• Data Leaks
• Eavesdropping/MitM
• Misconfiguration
• Denial of Service
• Insider/Partner/Consultant/Vendor/3rd Party
• User Error
• Physical
Ask Yourself 3 Key Questions:
1. Can your IT security team give the right answer?
2. Is the answer consistent across team members?
3. Do you have data to back up the right answer?
14. Lack of objective data prevents effective communications of top threats
• End-Users can’t identify top threats
• Even IT security team can’t identify top threats
• Training doesn’t focus on top threats
• Communication of top threats doesn’t happen between organization’s business units/silos
• Senior management can’t provide the right resources and controls in the right places because they haven’t been given the right threat prioritization
• Strategic controls often don’t include enough tactical details to drive best security solutions
15. Little Accountability for implemented solutions leads to serious problems for IT Defenders. The fingerprints of these problems are easy to identify.
Many of the right solutions end up under-utilized or on the shelf unused.
Resulting in: Money down the drain
• Did the solution do what proponents said it would do?
• Does the solution fight the right things?
16. • Identify in a clear and timely way all the threat scenarios they face
• Focus on how initial compromises happen (i.e. root causes) versus what happens afterward
• Understand the comparative relative risks of different threats
• Broadly communicate threats ranked by risk to all stakeholders, including senior management
• Efficiently coordinate agreed-upon responses to risk
• Measure the success of deployed defensive resources against the threats they were defined to mitigate
All these implementation weaknesses lead to misalignment of computer security defenses against the greatest threats
17. • Not ranking risks correctly relative to each other
• Seeing all risks as more equal than they are
• Focusing on wrong threats
• Focusing on individual threats instead of more inclusive, broader, issues
• Belief that malicious events are impossible to stop or minimize
• Loss of hope by defenders and the people that rely on those defenders
Can lead to a sense of hopelessness by defenders and the people that rely on those defenders
19. Risk Ranked Threat Perceptions:
• Focuses on root causes
• Relevance is a deciding factor
• Adware is as important as a malicious Trojan
Risk Ranked Defenses:
• Mitigates root causes, not specific threats
• More efficient resource utilization
• Allows clearer cost/benefit considerations
[Figure, left: threats sized by impact – #1, #2 and #3 Most Impactful Exploited Root Cause Threats (with Vendors), a few Medium Threats, and a long tail of Small Threats. Right: defenses sized to match – Defenses Against the #1, #2 and #3 Most Impactful Exploited Root Cause Threats, Medium Mitigations, and the Small Threats left with no dedicated defense.]
May decide that the cost of defending against small threats is not a good business decision
20. Data-Driven Defense lifecycle (cycle diagram):
• Collect (Better) Localized Threat Intelligence
• Rank Risk Appropriately
• Create Effective Communications Plan
• Select & Deploy Root Cause Defenses
• Define & Collect Metrics
• Review and Improve Plan as Needed
21. A key goal of an implemented data-driven computer security defense is to more directly align and funnel mitigations against the root-causes of the most successful threats
Alignment Principle: Data Driven Analysis → Data Driven Response
• Localized
• Detecting Root Causes
• Renewed Focus Tied to Root Causes
• Aligned to Biggest Threats
• Are Defenses Successful?
GOAL: Streamlined Mitigation Against Root-Causes of Successful Exploitation
24. Use your data and metrics to:
• Get faster detection/early warning
• Measure exploit success in your organization
• Measure trends over time
Increasing trends require better responses
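Slides 19, 21 and 24 all come down to the same analysis: group your own initial-compromise records by root cause rather than by threat name, rank the root causes, and watch the per-month trend so a rising root cause gets a stronger response. The following is an added example written for this page, not code from the book, whitepaper or slide deck; the incident records, field names and the month-by-month "increasing" test are constructed and hypothetical.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


# Constructed sample incident records (hypothetical, not real data). Each row is
# one initial compromise: the label the malware/attack was given, and the root
# cause that let it in. The root cause is what a defense has to fix.
@dataclass(frozen=True)
class Incident:
    when: date
    threat: str       # what it was called (adware, trojan, ransomware, ...)
    root_cause: str   # how it got in


INCIDENTS = [
    Incident(date(2023, 1, 5), "adware", "unpatched browser plugin"),
    Incident(date(2023, 1, 9), "banking trojan", "unpatched browser plugin"),
    Incident(date(2023, 1, 20), "ransomware", "phishing attachment"),
    Incident(date(2023, 2, 2), "adware", "unpatched browser plugin"),
    Incident(date(2023, 2, 11), "keylogger", "phishing attachment"),
    Incident(date(2023, 2, 14), "adware", "unpatched browser plugin"),
    Incident(date(2023, 2, 27), "coin miner", "weak RDP password"),
    Incident(date(2023, 3, 3), "backdoor trojan", "phishing attachment"),
    Incident(date(2023, 3, 8), "adware", "unpatched browser plugin"),
    Incident(date(2023, 3, 19), "ransomware", "phishing attachment"),
    Incident(date(2023, 3, 25), "adware", "phishing attachment"),
    Incident(date(2023, 3, 30), "banking trojan", "unpatched browser plugin"),
]


def rank_root_causes(incidents):
    """Root causes ordered by how many initial compromises each one enabled."""
    return Counter(i.root_cause for i in incidents).most_common()


def threats_per_root_cause(incidents):
    """Which threat labels share one root cause: adware sits next to the trojans."""
    by_cause = defaultdict(set)
    for i in incidents:
        by_cause[i.root_cause].add(i.threat)
    return {cause: sorted(names) for cause, names in by_cause.items()}


def monthly_trend(incidents, root_cause):
    """Count per calendar month for one root cause, oldest month first.

    Every month present in the data set is included (zero if the root cause
    had no incidents that month) so trends are comparable across causes.
    """
    months = sorted({(i.when.year, i.when.month) for i in incidents})
    counts = Counter((i.when.year, i.when.month)
                     for i in incidents if i.root_cause == root_cause)
    return [counts[m] for m in months]


def is_increasing(series):
    """Constructed rule: never drops month to month and ends above where it started."""
    return (len(series) >= 2
            and all(b >= a for a, b in zip(series, series[1:]))
            and series[-1] > series[0])


def report(incidents):
    """One line per root cause: total, threat labels behind it, monthly trend."""
    labels = threats_per_root_cause(incidents)
    lines = []
    for cause, total in rank_root_causes(incidents):
        trend = monthly_trend(incidents, cause)
        flag = "  <-- increasing, needs a better response" if is_increasing(trend) else ""
        lines.append(f"{total:2d}  {cause:26s} trend={trend}  via {labels[cause]}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INCIDENTS)))
```

On the constructed data the most common root cause is the unpatched plugin, and the adware that rode in on it counts exactly like the banking trojan that used the same hole; the phishing root cause ranks second by total but is the one flagged as rising, which is the "increasing trends require better responses" point.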
25. You should care as much about root causes as you do about what the hacker did after they got into your environment
Focusing on individual threats and only what they did after they got in is like worrying about your brakes after your car is stolen
Ex: Worrying about Pass-the-Hash attacks without fixing how the hacker got domain admin in the first place isn’t fixing the problem
When you’ve adjusted your thinking, you’ll find adware is as worrisome as a malicious backdoor Trojan
Both took the same effort to get into your environment and both reveal defensive gaps
26. “The Main Driver is Local Threat Intelligence”
Focus Prioritization:
1. Focus on historic and current attacks first
2. New, most likely to happen, “In-the-wild” and industry targeting
3. Everything Else
27. • If you can’t measure it, you can’t manage it
• Data is the conduit of success
• Gut feelings should be backed up by data
• Key Metric: Capturing root causes
• Data is used to drive event alerting
• Metrics are needed for comparisons and reporting
28. A perfect data event to create security alerts should contain the following attributes:
• High likelihood that occurrence indicates unauthorized activity
• Either a single occurrence or an unexpectedly large number of events in a given time period indicates a high chance of maliciousness
• Low number of false-positives
• Occurrence should result in an investigation/forensics
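The two alert shapes on this slide (a single occurrence that is alarming on its own, and a burst of events inside a time window) can both be expressed as small rules and then scored against reviewed history to check the "low number of false-positives" attribute before they go live. This is an added example written for this page, not code from the book or deck; the log format, the field names, the labelled sample lines and the threshold values are constructed and hypothetical.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp kind key=value ..."
# format. The second field of each tuple is a reviewer's after-the-fact label:
# True = this line was part of unauthorized activity, False = benign.
LOG = [
    ("2024-05-01 08:00:01 auth user=alice src=10.0.0.5 result=FAIL", False),
    ("2024-05-01 08:00:03 auth user=alice src=10.0.0.5 result=OK", False),
    ("2024-05-01 08:30:00 auth user=dave src=10.0.0.21 result=FAIL", False),
    ("2024-05-01 08:30:05 auth user=dave src=10.0.0.21 result=FAIL", False),
    ("2024-05-01 08:30:09 auth user=dave src=10.0.0.21 result=FAIL", False),
    ("2024-05-01 08:30:15 auth user=dave src=10.0.0.21 result=OK", False),
    ("2024-05-01 09:12:10 auth user=svc-backup src=10.0.0.9 result=OK", False),
    ("2024-05-01 10:00:00 privesc user=itadmin action=added-to-domain-admins", False),
    ("2024-05-01 22:15:00 auth user=bob src=203.0.113.7 result=FAIL", True),
    ("2024-05-01 22:15:02 auth user=bob src=203.0.113.7 result=FAIL", True),
    ("2024-05-01 22:15:04 auth user=bob src=203.0.113.7 result=FAIL", True),
    ("2024-05-01 22:15:06 auth user=bob src=203.0.113.7 result=FAIL", True),
    ("2024-05-01 22:15:08 auth user=bob src=203.0.113.7 result=FAIL", True),
    ("2024-05-02 03:00:00 privesc user=carol action=added-to-domain-admins", True),
]

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<kind>\w+) (?P<rest>.*)$")


def parse(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "kind": m["kind"], **fields}


EVENTS = [parse(line) for line, _ in LOG]
LABELS = [label for _, label in LOG]


def rule_domain_admin_change(events):
    """Single-occurrence rule: one membership change to Domain Admins is enough to alert.
    Returns the indexes of the events that fired."""
    return [i for i, e in enumerate(events)
            if e["kind"] == "privesc" and e.get("action") == "added-to-domain-admins"]


def rule_auth_failure_burst(events, threshold=5, window=timedelta(seconds=60)):
    """Volume rule: alert once per (user, src) when >= threshold failures land
    inside a sliding window. Three typos from dave stay below the bar."""
    recent = {}        # (user, src) -> deque of failure timestamps inside the window
    already = set()    # keys that have alerted, so one burst yields one alert
    hits = []
    for i, e in enumerate(events):
        if e["kind"] != "auth" or e.get("result") != "FAIL":
            continue
        key = (e.get("user"), e.get("src"))
        q = recent.setdefault(key, deque())
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in already:
            already.add(key)
            hits.append(i)
    return hits


def score(rule, events, labels):
    """Measure a rule against reviewed history: how many alerts, how many were real."""
    hits = rule(events)
    tp = sum(1 for i in hits if labels[i])
    fp = len(hits) - tp
    return {"alerts": len(hits), "true_positives": tp, "false_positives": fp,
            "precision": tp / len(hits) if hits else 0.0}


if __name__ == "__main__":
    for rule in (rule_domain_admin_change, rule_auth_failure_burst):
        print(rule.__name__, score(rule, EVENTS, LABELS))
```

On the sample data the burst rule fires once, on the fifth failure from 203.0.113.7, and scores no false positives, while the single-occurrence rule fires on both Domain Admins changes and scores 0.5 precision because one of them was a sanctioned change; the point of scoring is that the second rule needs either a change-control exception or a different data source before it meets the "low false-positives" attribute, and the measurement tells you that before analysts start ignoring it.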
29. Threats → Detection Abilities → Gap & Risk Analysis → Fixes
• Identify all sources of threat intelligence and IT defense in your company
  • Including all data input and database structures
  • Including all reports and other output
• Identify all threats and risk relevance to each other and company
• What is your detection capability of those threats?
• Identify which high-risk threats are not currently detected appropriately
• Fix the gaps
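The gap analysis on this slide (threats, their local risk, your detection ability for each, and which high-risk ones are under-detected) is small enough to compute directly. The following is an added example written for this page, not the book's or deck's own method; the threat names come from the slide 13 list, but the incident counts, impact scores, detection ratings and the weighting scheme are constructed and hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    incidents_last_year: int   # how often it actually happened to you (local data)
    avg_impact: int            # 1 = nuisance .. 5 = business-critical, assigned locally
    detection: str             # honest rating of current coverage: none / partial / good


# Constructed, hypothetical numbers. Note the zero-day: widely feared, never seen
# locally, so it scores nothing here (the airplane-vs-car-ride effect).
THREATS = [
    Threat("Unpatched software",   40, 4, "partial"),
    Threat("Social engineering",   25, 4, "none"),
    Threat("Password issues",      10, 3, "good"),
    Threat("Misconfiguration",      6, 3, "none"),
    Threat("Denial of service",     3, 2, "good"),
    Threat("Insider/3rd party",     2, 5, "none"),
    Threat("Zero days",             0, 5, "none"),
]

# Constructed weights: the share of risk each detection level is assumed to remove.
DETECTION_WEIGHT = {"none": 0.0, "partial": 0.5, "good": 0.9}


def risk_score(t):
    """Local relevance: frequency times impact, both from your own data."""
    return t.incidents_last_year * t.avg_impact


def residual_risk(t):
    """Risk left after crediting how reliably the threat is currently detected."""
    return risk_score(t) * (1.0 - DETECTION_WEIGHT[t.detection])


def undetected_high_risk(threats, min_risk):
    """Step 'identify which high-risk threats are not currently detected appropriately'."""
    gaps = [t for t in threats if risk_score(t) >= min_risk and t.detection != "good"]
    return sorted(gaps, key=risk_score, reverse=True)


def gap_analysis(threats, top_n=3):
    """Where to spend next: the threats carrying the most residual risk."""
    return sorted(threats, key=residual_risk, reverse=True)[:top_n]


def table(threats):
    """Printable view of risk, detection and residual risk for every threat."""
    rows = [f"{'threat':22s} {'risk':>5s} {'detect':>8s} {'residual':>9s}"]
    for t in sorted(threats, key=residual_risk, reverse=True):
        rows.append(f"{t.name:22s} {risk_score(t):5d} {t.detection:>8s} {residual_risk(t):9.1f}")
    return rows


if __name__ == "__main__":
    print("\n".join(table(THREATS)))
    print("fix first:", [t.name for t in gap_analysis(THREATS)])
    print("high-risk, not detected well:", [t.name for t in undetected_high_risk(THREATS, 50)])
```

With these numbers the two most frequent root causes also carry almost all the residual risk, and the feared-but-unseen zero-day falls to the bottom; a real data set changes the ranking, but the check stays the same: risk from local incidents first, then credit only the detection you can show works.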
30. • Evangelize this concept! Use book, whitepaper, and slides
• Get a computer security data analytics person or team
• Collect all your data into single places for more aggressive data analysis
• Figure out what questions to ask
• Assess your threat intelligence information collection and how valid and
specific it is for your organization
• Figure out your top root causes and threats
• Assess how well your threat intelligence and defenses align to those threats
• Fill in the gaps
• Make aligned defenses measurable and accountable
31. A comprehensive defensive data solution creates a holistic defense strategy
• More Intelligent Threat Intelligence
• Coordinated Enterprise Security Strategy
• Improved Risk Assessment
• More Efficient Defenses
• Quicker Response to Emerging Threats
• Measurable Lower Risk
• Better Threat Intelligence and Detection
• Measurable Risk Assessment
• More Focused Mitigations and Computer Security Defenses
• Better Security Metrics
• Accountable Defense Outcomes
• Better Computer Security Communication & Education
[Diagram labels: Reduce Initial Exploits; Defense In Depth; Unknown and Assumed Risk; Assume Breach Defenses]