Who Should You Hire to Improve Company Security?
Myles Conley
Auspices LLC

No, I DON’T know AppSec experts looking for work

Auspices LLC 2

What to expect this hour
•  Where do elite security gurus work?
   –  Do they work for elite companies?
•  Reviewing breach data trends
•  Who to hire to address those trends

•  Scope
   –  US commercial only.
   –  Fortune 500 & Other

How to find “Good” AppSec People?

- Have found a real bug
- Can understand bug implications

- Not by Certification
- Not by Survey
- Not by School?

Why Not try Bugtraq Mail List?

Pros
•  20-45K subscribers
•  Data since 1999
•  They have found bugs
•  Part of complete security team

Cons
•  Cultural Bias
•  Out of date
•  Nyms, Corporate postings
•  Bias towards self promoters

Bugtraq Mapping

19,085 Unique Posters
   Less: Non-U.S., Anti-Spam, Truncated Names
   Less: Pseudonyms, Roles
7,352 Total Plausible Names
4,128 Found on LinkedIn

Where BugTraqers Work
(Bar chart of BugTraq posters by employer type, bars scaled 0% to 35%; the counts below are the chart’s data labels)

Other                                  1405
Security specialists                    876
Fortune 500                             638
.gov, .edu, non US, non commercial      485
High Tech                               468
Vendor of Software/Hardware             351
Other Financial                         153
Other Healthcare                         84

More Bugtraq at mature companies?
(Two pie charts, Fortune 500 Companies and Breached Companies, each split into “Have Bugtraqer” and “Don’t”; the percentages are not recoverable from the extracted text)

Fortune 500 Companies: 638 Bugtraqers
•  71 companies, average 9
•  Actually concentrated at Google, IBM, Microsoft, HP, etc.

Breached Companies: 447 Bugtraqers
•  55 employers out of 1158
•  Average of 8

Avoid Bugtraq Bias?
•  People who submitted a security bug for Mozilla

1905 Unique Bug Submitters
   Less: Non-U.S., Truncated Names
   Less: Pseudonyms
1414 Total Plausible Names
632 Found on LinkedIn

661 Employers… only 47 have 1 bug reporter

Where Mozilla Helpers Work
(Bar chart: US Based Mozilla Critical Security Bug Reporters by employer type, bars scaled 0% to 30%; the per-category values are not recoverable from the extracted text. Categories shown, in chart order: Security specialists, Other, Vendor of Software/Hardware, High Tech, .gov/.edu/non commercial, Fortune 500, Other Financial, Other Healthcare.)

AppSec Conclusions
•  Good help is widely distributed
   –  20% are in security consulting companies
   –  There is a long tail

•  Lots of companies chose not to hire people who post on BugTraq
   –  Or are using contractors
   –  Or are hiring now
   –  Or hire youngsters

•  So… why is it always AppSec?

Themes we learn from the news
•  Helpless against 0day attacks
•  Security Development Lifecycle is working

How Security Team Primes Security

Application Security
•  Pen Test
•  QA integration
•  Metrics
•  Dev Tools & Training
•  Developers own Security
   –  SDL

Ops & Security Strategy
•  Pen Test
•  ….. FUD
•  …. Peer comparisons
•  … Look over There!
•  .. Controls
•  Change in Capabilities / Maturity Level

Fixing Overall Security
What do security team managers need to do?
•  Figure where we’re having problems
•  Find who could have prevented problems
•  Find if we can hire them.

First, where can we learn about the problems?
–  Vendors
–  Incident Response & the Underground
–  Mandatory Disclosure
–  News Wire
–  Surveys

Breach Classification

Level           Basic               Slog                     Advanced                    New
Description     Known problems,     Ongoing, common          Advanced attacks,           Emerging threats
                easy to fix         problems, hard to fix    hard to predict / fight
Precedent       Old to World        Old to You               New to World                New to You
Sophistication  Low                 Med-High                 High                        ?
Example         Bad passwords       Malware / XSS            APT / 0 day                 Mobile, Skimming

Breach Data from Vendors

Advantages
•  Large installed base
•  Research teams

Disadvantages
•  Annual Report

Biases
•  Want to sell product
•  Vendor’s Scope
•  Forward looking
•  No segmentation
•  No raw data

Symantec & Microsoft

Symantec
•  Threats Identified
   –  Targeted attacks with Social Network intel
   –  Zero day attacks
   –  Attack Kits and Root kits
   –  Mobile

Microsoft
•  Threats Identified
   –  Java, Browser, Adobe files
   –  Attacks using software with patch available
•  Intelligence
   –  Software Industry Vulns decreasing since 2006

Score So Far

Source of Breach Data                Basic   Slog   Advanced   New   Theme
Vendors                                0      1        4        1    We need experts! Or Vendors!
Incident Response and Underground
Mandatory Disclosure

Breach Data from Incident Response Companies

Advantages
•  Know their customers
•  Sometimes imprison the guilty

Bias
•  Companies that can discover breach
•  Companies that need external help
•  Backwards looking
•  Intrusion is unit of measurement

Verizon Data Breach Investigations Report

Incidents included
•  94 investigated by Verizon
•  667 investigated by US Secret Service

(Chart: Percent of Breached Companies by # Employees, with bands labelled “10K employees”, “1K employees” and “Between”; values are not recoverable from the extracted text.)

(Chart: Breaches by Industry in 2011, bars scaled 0 to 350, categories Other, Manufacturing, Tech Services, Healthcare, Financial, Retail, Hospitality; values are not recoverable from the extracted text.)

Percent of Breaches Including Vector
(Bar chart scaled 0% to 45%; the per-vector values are not recoverable from the extracted text. Vectors shown, in chart order:)
•  Social Engineering
•  Malware via attacker
•  Default authentication
•  Brute Force Authentication
•  Stolen credentials
•  SQL injection
•  Abuse of functionality
•  Weak Authentication
•  Buffer overflow
•  Malware via user

Vector Data from Underground

DBIR Intelligence
•  2/3 of malware was customized
•  Only 5 vulnerabilities used in 381 attacks

Contagio overview of Exploit Packs

Dan Guido: Exploit Intelligence Project, 2010
•  Malware exploits are predictable
•  Easy no-patch mitigation for 22 of 27 top malware; remainder by architecture & policy

Score So Far

Source of Breach Data                Basic   Slog   Advanced   New   Theme
Vendors                                0      1        5        1    We need experts! Or Vendors!
Incident Response and Underground      5      4        1        1    Old problems, then Malware
Mandatory Disclosure

Breach Data from Mandatory Disclosure

Advantages
•  Raw Data!
•  DatalossDB.org

Disadvantages
•  Legislation changes

Biases
•  Backwards looking
•  Reporting criteria
   –  PII loss is reported
   –  Trade secret loss isn’t
•  Best effort data assembly.

DataLossDB Biases
(Dual-axis chart with two series, Records Lost and Breaches, one axis scaled 0 to 120 and the other 0 to 140; the series values and x-axis labels are not recoverable from the extracted text.)

Fortune 500 vs. Others
(Chart of Breaches, y-axis 0 to 120, two series: Other Breaches and Fortune Breaches; the values and x-axis labels are not recoverable from the extracted text.)

Fortune 500 Sized Datasets
(Log-scale chart of records in Millions, axis 0.00 to 1000.00, for 2006 through 2011, two series: Fortune Records and Other Records; the values are not recoverable from the extracted text.)

Fortune 500 Breach Data

(Chart: Breaches by Vector - Fortune 500, Count of Breaches 0 to 40, for 2007 through 2010.)
(Chart: Records Lost by Vector - Fortune 500 (Log Plot), Millions, 0.001 to 1000, for 2007 through 2010.)
Legend for both charts: Document Loss, (E)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration. The series values are not recoverable from the extracted text.

•  Threats Identified
   –  Missing Encryption
   –  (E)Mail
   –  Hacking

Breaches at Non Fortune 500

(Chart: Breaches by Vector - Non Fortune 500, Count of Breaches 0 to 120, for 2007 through 2010.)
(Chart: Records Lost by Vector - Non Fortune 500 (Log Plot), Millions, 0.001 to 100, for 2007 through 2010.)
Legend for both charts: Document Loss, (e)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration. The series values are not recoverable from the extracted text.

•  Threats Identified
   –  Missing Encryption
   –  Web Configuration
   –  Email
   –  Document Loss
   –  Hacking

It’s Not Just AppSec
It’s Not Just Advanced

Source of Breach Data                  Basic   Slog   Advanced   New   Theme
Vendors                                  -      1        5        1    We need experts! Or Vendors
Incident Response and Underground        5      4        1        1    Old problems, then Malware
Mandatory Disclosure – Fortune 500       2      -        1        -    Encryption. Lists & Hacking
Mandatory Disclosure – Smaller           4      -        1        -    Basics & Hacking

Given These Problems, Who Should You Hire?
•  For each class of breach,
   –  What does your company need?
   –  What Roles should you hire?
   –  What do Managers have to do?

Basic: Kitchen Hygiene

Company Needs
•  Standards & Training
•  Tools: Red cutting boards / Disk Encryption
•  Consistent Deployment
•  Consistent Enforcement

Roles
•  Project Management
•  Glue code developers
   –  Ops tools, especially AAA
   –  Enforcement / near misses
•  Metrics

Management
–  Own Goal Risk information
   •  Near Misses
   •  Cost is simplest to estimate

“No CEO is that stupid not to pay attention [to security]. But maybe they pay the same attention I did, which is giving encouragement and budget to IT but then saying ‘What do I know about programming?’” - Ted Chung, CEO Hyundai Card/Hyundai Capital

Long Slog: Factory Model

Company Needs
•  Systems knowledge to interrupt threat
   –  Compartmentalization
   –  Breaking attack chain
   –  Mature incident response
•  Threat Intelligence
•  Metrics
•  Peer Group Intelligence

Roles
•  Threat Intelligence
   –  Vendor
   –  Attack chain architects
•  Compartmentalization
   –  Systems + business knowledge experts
•  Web Application cleanup
•  SIEM / Log glue integrator

Management
•  Control Efficiency
   –  Threat chain status & metrics
•  Incident Response Management
•  Peer Group Intelligence

Advanced Threats: E-Coli

Company Needs
•  Risk Assessment
•  Risk Compartments
•  Logfile Watchers
•  Appropriate level of defense (AppSec)

Roles
•  Logwatchers
•  Speed dial for the CDC / IR company
•  Known Targets
   –  Internal bug finders

Management
•  Risk Management
   –  By $ or Bodies, not Vectors
•  Compartmentalization
   –  Inside is Hostile

New Threats:

Company Needs
•  Practiced Reaction
•  Risk Management
•  Security Strategy

Roles
•  Risk Management
•  Security Plan Author

Management
•  Financial answers
•  Agreed-upon plans and systems in place

Conclusion
•  Elite folks are somewhat hard to find
•  You probably don’t need them first
   –  But need intelligence to be sure
•  Most company breaches within power to fix by hiring

                Basic                 Slog                      Advanced                      New
Description     Known problems,       Ongoing, common           Advanced attacks,             Emerging threats
                easy to fix           problems, hard to fix     hard to predict / fight
Hiring Action   Project Management,   Intelligence,             Risk Management,              Strategy and
                Organization          Architecture              Compartments, IR Expertise    Management

Q&A

•  Myles Conley
•  myles@auspices.org

Photo credits
•  Thanks for releasing these photos under creative commons attribution or public domain licenses

•  Raptor eye: jurvetson (flickr)
•  P4 hacker image from http://unix.privacylover.com/page/2/ under creative commons license
•  Kitchen photo by H Dragon on flickr
•  Cheese factory photo by Waponi @ flickr
•  E-Coli photo credit: Rocky Mountain Laboratories, NIAID, NIH
•  Mobile phone evolution – wikicommons, user Anders
•  Holstein – wikicommons photo by US Government
•  Tiger: Sumatran tiger, photographed at Diergaarde Blijdorp – wikicommons
•  Gator – wikicommons

 
E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE
E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITEE2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE
E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE
 
A6 pragmatic journey into cyber security
A6 pragmatic journey into cyber securityA6 pragmatic journey into cyber security
A6 pragmatic journey into cyber security
 

Mehr von Source Conference

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary plantingSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationSource Conference
 

Mehr von Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 

Kürzlich hochgeladen

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

Who should the security team hire next?

  • 1. Who Should You Hire to Improve Company Security?
      Myles Conley, Auspices LLC

  • 2. No, I DON'T know AppSec experts looking for work

  • 3. What to expect this hour
      •  Where do elite security gurus work?
         –  Do they work for elite companies?
      •  Reviewing breach data trends
      •  Who to hire to address those trends
      •  Scope
         –  US commercial only.
         –  Fortune 500 vs. Other

  • 4. How to find "Good" AppSec People?
      -  Have found a real bug
      -  Can understand bug implications
      -  Not by Certification
      -  Not by Survey
      -  Not by School?

  • 5. Why Not try Bugtraq Mail List?
      Pros
      •  20-45K subscribers
      •  Data since 1999
      •  They have found bugs
      •  Part of complete security team
      Cons
      •  Cultural Bias
      •  Out of date
      •  Nyms, Corporate postings
      •  Bias towards self promoters

  • 6. Bugtraq Mapping
      19,085  Unique Posters
      Less    Non-U.S., Anti-Spam, Truncated Names
      Less    Pseudonyms, Roles
      7,352   Total Plausible Names
      4,128   Found on LinkedIn

  • 7. Where BugTraqers Work
      [Bar chart: Bugtraq posters by employer type, count and share of total (axis 0%–35%)]
      Other                                    1405
      Security specialists                      876
      Fortune 500                               638
      .gov, .edu, non US, non commercial        485
      High Tech                                 468
      Vendor of Soft/Hardware                   351
      Other Financial                           153
      Other Healthcare                           84

  • 8. More Bugtraq at mature companies?
      [Two pie charts: Fortune 500 Companies and Breached Companies, each split into "Have Bugtraqer" and "Don't"]
      Fortune 500 Companies: 638 Bugtraqers
      •  71 companies, average 9
      •  Actually concentrated at Google, IBM, Microsoft, HP, etc.
      Breached Companies: 447 Bugtraqers
      •  55 employers out of 1158
      •  Average of 8

  • 9. Avoid Bugtraq Bias?
      •  People who submitted a security bug for Mozilla
      1905  Unique Bug Submitters
      Less  Non-U.S., Truncated Names
      Less  Pseudonyms
      1414  Total Plausible Names
      632   Found on LinkedIn
      661 Employers… only 47 have 1 bug reporter

  • 10. Where Mozilla Helpers Work
      [Bar chart: US Based Mozilla Critical Security Bug Reporters by employer type (axis 0%–30%), in descending order: Security specialists, Other, Vendor of Soft/Hardware, High Tech, .gov/.edu/non commercial, Fortune 500, Other Financial, Other Healthcare]

  • 11. AppSec Conclusions
      •  Good help is widely distributed
         –  20% are in security consulting companies
         –  There is a long tail
      •  Lots of companies chose not to hire people who post on BugTraq
         –  Or are using contractors
         –  Or are hiring now
         –  Or hire youngsters
      •  So… why is it always AppSec? Themes we learn from the news
      •  Helpless against 0day attacks
      •  Security Development Lifecycle is working

  • 12. How Security Team Primes Security
      Application Security
      •  Pen Test
      •  QA integration
      •  Dev Tools Training
      •  Developers own Security
         –  SDL
      Ops Security
      •  Pen Test
      •  Metrics
      •  Change in Capabilities Maturity Level
      Strategy
      •  ….. FUD
      •  …. Peer comparisons
      •  … Look over There!
      •  .. Controls

  • 13. Fixing Overall Security
      What do security team managers need to do?
      •  Figure where we're having problems
      •  Find who could have prevented problems
      •  Find if we can hire them.
      First, where can we learn about the problems
         –  Vendors
         –  Incident Response and the Underground
         –  Mandatory Disclosure
         –  News Wire
         –  Surveys

  • 14. Breach Classification
      Level          | Basic                                 | Slog                         | Advanced                                   | New
      Description    | Ongoing, common problems, easy to fix | Known problems, hard to fix  | Advanced attacks, hard to predict / fight  | Emerging threats
      Precedent      | Old to World                          | Old to You                   | New to World                               | New to You
      Sophistication | Low                                   | Med-High                     | High                                       | ?
      Example        | Bad passwords                         | Malware / XSS                | APT / 0 day                                | Mobile, Skimming

  • 15. Breach Data from Vendors
      Advantages
      •  Large installed base
      •  Research teams
      •  Forward looking
      Biases
      •  Want to sell product
      •  Vendor's Scope
      Disadvantages
      •  No segmentation
      •  Annual Report
      •  No raw data

  • 16. Symantec / Microsoft
      Symantec
      •  Threats Identified
         –  Targeted attacks with Social Network intel
         –  Zero day attacks
         –  Attack Kits and Root kits
         –  Mobile
      •  Intelligence
         –  Software Industry Vulns decreasing since 2006
      Microsoft
      •  Threats Identified
         –  Java, Browser, Adobe files
         –  Attacks using software with patch available

  • 17. Score So Far
      Source of Breach Data             | Basic | Slog | Advanced | New | Theme
      Vendors                           | 0     | 1    | 4        | 1   | We need experts! Or Vendors!
      Incident Response and Underground |       |      |          |     |
      Mandatory Disclosure              |       |      |          |     |

  • 18. Breach Data from Incident Response Companies
      Advantages
      •  Know their customers
      •  Sometimes imprison the guilty
      Bias
      •  Companies that can discover breach
      •  Companies that need external help
      •  Backwards looking
      •  Intrusion is unit of measurement

  • 19. Verizon Data Breach Investigations Report
      Incidents included
      •  94 investigated by Verizon
      •  667 investigated by US Secret Service
      [Pie chart: Percent of Breached Companies by # Employees, segments labelled 10K employees, 1K employees, Between]
      [Bar chart: Breaches by Industry in 2011 (axis 0–350): Other, Manufacturing, Tech Services, Healthcare, Financial, Retail, Hospitality]

  • 20. Percent of Breaches Including Vector
      [Bar chart (axis 0%–45%): Social Engineering, Malware via attacker, Default authentication, Brute Force Authentication, Stolen credentials, SQL injection, Abuse of functionality, Weak Authentication, Buffer overflow, Malware via user]

  • 21. Vector Data from Underground
      DBIR Intelligence
      •  2/3 of malware was customized
      •  Only 5 vulnerabilities used in 381 attacks
      Contagio overview of Exploit Packs
      Dan Guido: Exploit Intelligence Project, 2010
      •  Malware exploits are predictable
      •  Easy no-patch mitigation for 22 of 27 top malware
      •  Remainder by architecture policy

  • 22. Score So Far
      Source of Breach Data             | Basic | Slog | Advanced | New | Theme
      Vendors                           | 0     | 1    | 5        | 1   | We need experts! Or Vendors!
      Incident Response and Underground | 5     | 4    | 1        | 1   | Old problems, then Malware
      Mandatory Disclosure              |       |      |          |     |

  • 23. Breach Data from Mandatory Disclosure
      Advantages
      •  Raw Data!
      •  DatalossDB.org
      Biases
      •  Backwards looking
      •  Reporting criteria
         –  PII loss is reported
         –  Trade secret loss isn't
      •  Legislation changes
      Disadvantages
      •  Best effort data assembly.

  • 24. DataLossDB Biases
      [Chart: Records Lost and Breaches per year, two axes]

  • 25. Fortune 500 vs. Others
      [Chart: Breaches per year, Other Breaches vs. Fortune Breaches]

  • 26. Fortune 500 Sized Datasets
      [Log chart: records lost in Millions, 2006–2011, Fortune Records vs. Other Records]

  • 27. Fortune 500 Breach Data
      •  Threats Identified
         –  Missing Encryption
         –  (E)Mail
         –  Hacking
      [Chart: Breaches by Vector – Fortune 500, Count of Breaches, 2007–2010]
      [Log chart: Records Lost by Vector – Fortune 500, Millions, 2007–2010; vectors: Document Loss, (E)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration]

  • 28. Breaches at Non Fortune 500
      •  Threats Identified
         –  Missing Encryption
         –  Web Configuration
         –  Email
         –  Document Loss
         –  Hacking
      [Chart: Breaches by Vector – Non Fortune 500, Count of Breaches, 2007–2010]
      [Log chart: Records Lost by Vector – Non Fortune 500, Millions, 2007–2010; vectors: Document Loss, (e)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration]

  • 29. It's Not Just AppSec. It's Not Just Advanced
      Source of Breach Data              | Basic | Slog | Advanced | New | Theme
      Vendors                            | -     | 1    | 5        | 1   | We need experts! Or Vendors
      Incident Response and Underground  | 5     | 4    | 1        | 1   | Old problems, then Malware
      Mandatory Disclosure – Fortune 500 | 2     | -    | 1        | -   | Encryption. Lists. Hacking
      Mandatory Disclosure – Smaller     | 4     | -    | 1        | -   | Basics. Hacking

  • 30. Given These Problems, Who Should You Hire?
      •  For each class of breach,
         –  What does your company need?
         –  What Roles should you hire?
         –  What do Managers have to do?

  • 31. Basic: Kitchen Hygiene
      Company Needs
      •  Standards Training
      •  Tools: Red cutting boards / Disk Encryption
      •  Consistent Deployment
      •  Consistent Enforcement
      Roles
      •  Project Management
         –  Own Goal Risk information
      •  Glue code developers
         –  Ops tools, especially AAA
         –  Enforcement / near misses
      Management
      •  Near Misses
      •  Cost is simplest to estimate
      •  Metrics
      "No CEO is that stupid not to pay attention [to security]. But maybe they pay the same attention I did, which is giving encouragement and budget to IT but then saying 'What do I know about programming?'" -Ted Chung, CEO Hyundai Card/Hyundai Capital

  • 32. Long Slog: Factory Model
      Company Needs
      •  Systems knowledge to interrupt threat
         –  Compartmentalization
         –  Breaking attack chain
         –  Mature incident response
      •  Threat Intelligence
      •  Metrics
      •  Peer Group Intelligence
      Roles
      •  Threat Intelligence
         –  Vendor
         –  Attack chain architects
      •  Compartmentalization
         –  Systems + business knowledge experts
      •  Web Application cleanup
      •  SIEM / Log glue integrator
      Management
      •  Control Efficiency
         –  Threat chain status metrics
      •  Incident Response Management
      •  Peer Group Intelligence

  • 33. Advanced Threats: E-Coli
      Company Needs
      •  Risk Assessment
      •  Risk Compartments
      •  Logfile Watchers
      •  Appropriate level of defense (AppSec)
      Roles
      •  Logwatchers
      •  Speed dial for the CDC / IR company
      •  Known Targets
         –  Internal bug finders
      Management
      •  Risk Management
         –  By $ or Bodies, not Vectors
      •  Compartmentalization
         –  Inside is Hostile

  • 34. New Threats
      Company Needs
      •  Practiced Reaction
      •  Risk Management
      •  Security Strategy
      Roles
      •  Risk Management
      •  Security Plan Author
      Management
      •  Financial answers
      •  Agreed-upon plans and systems in place

  • 35. Conclusion
      •  Elite folks are somewhat hard to find
      •  You probably don't need them first
         –  But need intelligence to be sure
      •  Most company breaches within power to fix by hiring
      Level       | Basic                                 | Slog                               | Advanced                                  | New
      Description | Ongoing, common problems, easy to fix | Known problems, hard to fix        | Advanced attacks, hard to predict / fight | Emerging threats
      Action      | Project Management Organization       | Risk Management, Compartments, IR  | Intelligence, Architecture Expertise      | Strategy and Hiring Management

  • 36. QA
      •  Myles Conley
      •  myles@auspices.org

  • 37. Photo credits
      •  Thanks for releasing these photos under creative commons attribution or public domain licenses
      •  Raptor eye: jurvetson (flickr)
      •  P4 hacker: image from http://unix.privacylover.com/page/2/ under creative commons license
      •  Kitchen photo: photo by H Dragon on flickr
      •  Cheese factory: photo by Waponi @ flickr
      •  E-Coli: photo credit Rocky Mountain Laboratories, NIAID, NIH
      •  Mobile phone evolution: wikicommons, user Anders
      •  Holstein: wikicommons photo by US Government
      •  Tiger: Sumatraanse Tijger, gefotografeerd in Diergaarde Blijdorp, wikicommons
      •  Gator: wikicommons