The document discusses sources of data on security breaches and where to find qualified security personnel. It analyzes breach data trends from vendors, incident response firms, and mandatory disclosure databases. The analysis finds that while common problems still exist, attacks are becoming more advanced, and good security experts can be found in a variety of companies and roles, not just large firms or traditional security jobs. Hiring should focus on technical skills rather than titles or certifications.
Who should the security team hire next?
1. Who Should You Hire to Improve Company Security?
Myles Conley
Auspices LLC
2. No, I DON’T know AppSec experts looking for work
3. What to expect this hour
• Where do elite security gurus work?
– Do they work for elite companies?
• Reviewing breach data trends
• Who to hire to address those trends
• Scope
– US commercial only.
– Fortune 500, Other
4. How to find “Good” AppSec People?
- Have found a real bug
- Can understand bug implications
- Not by Certification
- Not by Survey
- Not by School?
5. Why Not try Bugtraq Mail List?
Pros
• 20-45K subscribers
• Data since 1999
• They have found bugs
• Part of complete security team
Cons
• Cultural Bias
• Out of date
• Nyms, Corporate postings
• Bias towards self promoters
6. Bugtraq Mapping
• 19,085 unique posters
• Less non-U.S., anti-spam, truncated names
• Less pseudonyms, roles
• 7,352 total plausible names
• 4,128 found on LinkedIn
7. Where BugTraqers Work
Bar chart of Bugtraq posters by employer type (count per bar; chart axis 0% to 35%):
• Other: 1405
• Security specialists: 876
• Fortune 500: 638
• .gov, .edu, non-US, non-commercial: 485
• High Tech: 468
• Vendor of Software/Hardware: 351
• Other Financial: 153
• Other Healthcare: 84
8. More Bugtraq at mature companies?
Fortune 500 Companies (pie chart: have a Bugtraqer vs. don’t)
• 638 Bugtraqers
• 71 companies, average 9
• Actually concentrated at Google, IBM, Microsoft, HP, etc.
Breached Companies (pie chart: have a Bugtraqer vs. don’t)
• 447 Bugtraqers
• 55 employers out of 1158
• Average of 8
9. Avoid Bugtraq Bias?
• People who submitted a security bug for Mozilla
• 1905 unique bug submitters
• Less non-U.S., truncated names
• Less pseudonyms
• 1414 total plausible names
• 632 found on LinkedIn
• 661 employers… only 47 have 1 bug reporter
10. Where Mozilla Helpers Work
Bar chart: US-based Mozilla critical security bug reporters by employer type (chart axis 0% to 30%), in chart order: Security specialists, Other, Vendor of Software/Hardware, High Tech, .gov/.edu/non-commercial, Fortune 500, Other Financial, Other Healthcare.
11. AppSec Conclusions
• Good help is widely distributed
– 20% are in security consulting companies
– There is a long tail
• Lots of companies chose not to hire people who post on BugTraq
– Or are using contractors
– Or are hiring now
– Or hire youngsters
• So… why is it always AppSec?
Themes we learn from the news
• Helpless against 0day attacks
• Security Development Lifecycle is working
12. How Security Team Primes Security
Application Security
• Pen Test
• QA integration
• Metrics
• Dev Tools Training
• Developers own Security
– SDL
– Maturity Level
Ops Security Strategy
• Pen Test
• ….. FUD
• …. Peer comparisons
• … Look over There!
• .. Controls
• Change in Capabilities
13. Fixing Overall Security
What do security team managers need to do?
• Figure out where we’re having problems
• Find who could have prevented those problems
• Find out if we can hire them.
First, where can we learn about the problems?
– Vendors
– Incident Response, the Underground
– Mandatory Disclosure
– News Wire
– Surveys
14. Breach Classification
Level: Basic
– Description: Known problems, easy to fix
– Precedent: Old to World
– Sophistication: Low
– Example: Bad passwords
Level: Slog
– Description: Ongoing, common problems, hard to fix
– Precedent: Old to You
– Sophistication: Med-High
– Example: Malware / XSS
Level: Advanced
– Description: Advanced attacks, hard to predict / fight
– Precedent: New to World
– Sophistication: High
– Example: APT / 0 day
Level: New
– Description: Emerging threats
– Precedent: New to You
– Sophistication: ?
– Example: Mobile, Skimming
15. Breach Data from Vendors
Advantages
• Large installed base
• Research teams
• Forward looking
Disadvantages
• Annual Report
Biases
• Want to sell product
• Vendor’s Scope
• No segmentation
• No raw data
16. Symantec / Microsoft
Symantec
• Threats Identified
– Targeted attacks with Social Network intel
– Zero day attacks
– Attack Kits and Root kits
– Mobile
Microsoft
• Threats Identified
– Java, Browser, Adobe files
– Attacks using software with patch available
• Intelligence
– Software Industry Vulns decreasing since 2006
17. Score So Far
Source of Breach Data: Basic / Slog / Advanced / New; Theme
• Vendors: 0 / 1 / 4 / 1; Theme: We need experts! Or Vendors!
• Incident Response and Underground: not yet scored
• Mandatory Disclosure: not yet scored
18. Breach Data from Incident Response Companies
Advantages
• Know their customers
• Sometimes imprison the guilty
Bias
• Companies that can discover breach
• Companies that need external help
• Backwards looking
• Intrusion is unit of measurement
19. Verizon Data Breach Investigations Report
Incidents included
• 94 investigated by Verizon
• 667 investigated by US Secret Service
Chart: Percent of Breached Companies by # Employees (categories: 10K employees, 1K employees, Between)
Chart: Breaches by Industry in 2011 (axis 0 to 350), categories: Other, Manufacturing, Tech Services, Healthcare, Financial, Retail, Hospitality
20. Percent of Breaches Including Vector
Bar chart (axis 0% to 45%), vectors in chart order:
• Social Engineering
• Malware via attacker
• Default authentication
• Brute Force Authentication
• Stolen credentials
• SQL injection
• Abuse of functionality
• Weak Authentication
• Buffer overflow
• Malware via user
21. Vector Data from Underground
DBIR Intelligence
• 2/3 of malware was customized
• Only 5 vulnerabilities used in 381 attacks
Contagio overview of Exploit Packs
Dan Guido: Exploit Intelligence Project, 2010
• Malware exploits are predictable
• Easy no-patch mitigation for 22 of 27 top malware
• Remainder by architecture policy
22. Score So Far
Source of Breach Data: Basic / Slog / Advanced / New; Theme
• Vendors: 0 / 1 / 5 / 1; Theme: We need experts! Or Vendors!
• Incident Response and Underground: 5 / 4 / 1 / 1; Theme: Old problems, then Malware
• Mandatory Disclosure: not yet scored
23. Breach Data from Mandatory Disclosure
Advantages
• Raw Data!
• DatalossDB.org
Disadvantages
• Best effort data assembly.
• Legislation changes
Biases
• Backwards looking
• Reporting criteria
– PII loss is reported
– Trade secret loss isn’t
25. Fortune 500 vs. Others
Chart: Breaches (axis 0 to 120), series: Other Breaches, Fortune Breaches
26. Fortune 500 Sized Datasets
Chart: records in millions (log scale, 0.00 to 1000.00), years 2006 to 2011, series: Fortune Records, Other Records
27. Fortune 500 Breach Data
• Threats Identified
– Missing Encryption
– (E)Mail
– Hacking
Chart: Breaches by Vector - Fortune 500 (count of breaches, 0 to 40, years 2007 to 2010)
Chart: Records Lost by Vector - Fortune 500 (log plot, millions, 0.001 to 1000, years 2007 to 2010)
Vectors in both charts: Document Loss, (E)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration
28. Breaches at Non Fortune 500
• Threats Identified
– Missing Encryption
– Web Configuration
– Email
– Document Loss
– Hacking
Chart: Breaches by Vector - Non Fortune 500 (count of breaches, 0 to 120, years 2007 to 2010)
Chart: Records Lost by Vector - Non Fortune 500 (log plot, millions, 0.001 to 100, years 2007 to 2010)
Vectors in both charts: Document Loss, (e)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration
29. It’s Not Just AppSec, It’s Not Just Advanced
Source of Breach Data: Basic / Slog / Advanced / New; Theme
• Vendors: - / 1 / 5 / 1; Theme: We need experts! Or Vendors
• Incident Response and Underground: 5 / 4 / 1 / 1; Theme: Old problems, then Malware
• Mandatory Disclosure – Fortune 500: 2 / - / 1 / -; Theme: Encryption. Lists. Hacking
• Mandatory Disclosure – Smaller: 4 / - / 1 / -; Theme: Basics. Hacking
30. Given These Problems, Who Should You Hire?
• For each class of breach,
– What does your company need?
– What Roles should you hire?
– What do Managers have to do?
31. Basic: Kitchen Hygiene
Company Needs
• Standards Training
• Tools: Red cutting boards / Disk Encryption
• Consistent Deployment
• Consistent Enforcement
Roles
• Project Management
• Glue code developers
– Ops tools, especially AAA
– Enforcement / near misses
• Metrics
Management
• Own Goal Risk information
• Near Misses
• Cost is simplest to estimate
“No CEO is that stupid not to pay attention [to security]. But maybe they pay the same attention I did, which is giving encouragement and budget to IT but then saying ‘What do I know about programming?’” - Ted Chung, CEO Hyundai Card/Hyundai Capital
32. Long Slog: Factory Model
Company Needs
• Systems knowledge to interrupt threat
– Compartmentalization
– Breaking attack chain
– Mature incident response
• Threat Intelligence
• Metrics
• Peer Group Intelligence
Roles
• Threat Intelligence
– Vendor
– Attack chain architects
• Incident Response Management
• Compartmentalization
• Peer Group Intelligence
– Systems + business knowledge experts
• Web Application cleanup
• SIEM / Log glue integrator
Management
• Control Efficiency
– Threat chain status metrics
33. Advanced Threats: E-Coli
Company Needs
• Risk Assessment
• Risk Compartments
• Logfile Watchers
• Appropriate level of defense (AppSec)
Roles
• Logwatchers
• Speed dial for the CDC / IR company
• Known Targets
– Internal bug finders
Management
• Risk Management
– By $ or Bodies, not Vectors
• Compartmentalization
– Inside is Hostile
34. New Threats
Company Needs
• Practiced Reaction
• Risk Management
• Security Strategy
Roles
• Risk Management
• Security Plan Author
Management
• Financial answers
• Agreed-upon plans and systems in place
35. Conclusion
• Elite folks are somewhat hard to find
• You probably don’t need them first
– But need intelligence to be sure
• Most company breaches are within your power to fix by hiring
Basic
– Description: Known problems, easy to fix
– Hiring Action: Project Management
Slog
– Description: Ongoing, common problems, hard to fix
– Hiring Action: Intelligence, Compartments, Architecture
Advanced
– Description: Advanced attacks, hard to predict / fight
– Hiring Action: Risk Management, Strategy and Management Organization
New
– Description: Emerging threats
– Hiring Action: IR Expertise