Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie New Paradigms for Security - DIE Approach
Ähnlich wie New Paradigms for Security - DIE Approach (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
New Paradigms for Security - DIE Approach
- 1. #RSAC SESSION ID: #RSAC SESSION ID: Sounil Yu New Paradigms for the Next Era of Security STR-T10 Author Cyber Defense Matrix @sounilyu
- 2. #RSAC / 2 / $whoami Former Chief Security Scientist at Major Financial Institution Mad Scientist Product Evaluator Red Team Lead Make New Capabilities Test Market Capabilities Break Capabilities @sounilyu
- 3. #RSAC / 3 / Cyber Defense Matrix Identify Protect Detect Respond Recover Technology People Process Devices Applications Networks Data Users Degree of Dependency Why are there so few things here? Is our industry actually solving the right problems? Disclaimer: Vendor logos fuzzily shown are representative only. No endorsement should be construed because they are shown here. https://cyberdefensematrix.com @sounilyu
- 4. #RSAC / 4 / A Quick History of IT and Security 1980s 1990s 2000s 2010s Core Challenges Solutions IT / Security Tension What did we buy and how does it support the biz? Viruses, Server- side Attacks, Insecure Configs Too many logs and alerts, Client- side attacks Assume Breach, Raging Fires, Too Many Privileges Asset Mgt, Systems Mgt Tools Anti-Virus, Firewalls, Secure Configs IDS, SIEM Incident Responders & IR Tools (EDR, SOAR) Era Security Team Composition & Focus None Hobby Shop / Vulnerability Mgt Dedicated Biz Unit / Risk Mgt Sec Ops Center / Threat Mgt STABILITY (CIO) SECURITY (CISO) @sounilyu
- 5. #RSAC / 5 / Mapping to the NIST Cyber Security Framework 1980s 1990s 2000s 2010s Core Challenges Solutions IT / Security Tension What did we buy and how does it support the biz? Viruses, Server- side Attacks, Insecure Configs Too many logs and alerts, Client- side attacks Assume Breach, Raging Fires, Too Many Privileges Asset Mgt, Systems Mgt Tools Anti-Virus, Firewalls, Secure Configs IDS, SIEM Incident Responders & IR Tools (EDR, SOAR) Era Security Team Composition & Focus None Hobby Shop / Vulnerability Mgt Dedicated Biz Unit / Risk Mgt Sec Ops Center / Threat Mgt STABILITY (CIO) SECURITY (CISO) @sounilyu
- 6. #RSAC / 6 / 2020s: Age of Recovery (or Resiliency) What kind of attacks should we see in the 2020s that would challenge to our ability to RECOVER or cause irreversible harm? Confidentiality Integrity Availability Wikileaks Doxxing Ransomware #fakenews PDoS, MBR Wiper, Bricking Firmware @sounilyu
- 7. #RSAC / 7 / 2020s: Age of Recovery (or Resiliency) What kind of solutions directly support our ability to RECOVER or be RESILIENT? @sounilyu
- 8. #RSAC / 8 / Forging ahead or regressing back? A call to go back to the 1990s? How will prevention mitigate the impact of ransomware? – Remember, we learned “assume breach” in the 2010s – Prevention minimizes the occurrences, but does not address the impact or ability to recover JOIN THE PREVENTION AGE STOP CYBER BREACHES Recent advertising campaign from major vendor @sounilyu
- 9. #RSAC / 9 / 2020s: Age of Recovery (or Resiliency) What kind of solutions directly support our ability to RECOVER or be RESILIENT? Copy on Write Computer Hypervisor OS Apps Apps Apps Libraries SERVERLESS ARCHITECTURE Content Delivery Network @sounilyu
- 10. #RSAC / 10 / But wait! How are these “security” solutions? Distributed Immutable Ephemeral DDoS Resistant The best solution against a distributed attack is a distributed service Changes Easier to Detect and Reverse Unauthorized changes stand out and can be reverted to known good Drives Value of Assets Closer to Zero Makes attacker persistence hard and reduces concern for assets at risk Availability Integrity Confidentiality @sounilyu
- 11. #RSAC / 11 / The Alternative: An Endless Conveyor Belt of Vulnerabilities and Threats Risk Never Ending ThreatsNever Ending Vulns Likelihood Impact= x @sounilyu
- 12. #RSAC / 12 / Pets vs Cattle • Given a familiar name • Taken to the vet when sick • Hugged • Branded with an obscure, unpronounceable name • Shot when sick • Eaten/Recycled (sorry PETA) C.I.A. D.I.E. @sounilyu
- 13. #RSAC / 13 / A New Measurement for a New Era: Pets vs Cattle Curve 10000 0 5000 10000 15000 20000 1000 100 10 1 @40 Days Pets = 2.5% @10 Days Pets = 10% Target: @ 10 Days Pets = 2.5% Fewer pets Find design patterns, policies, and incentives that push the curve in these directions Shorter- lived cattle Uptime(inDays) SystemsPets Cattle 2000systems 10 days 500systems 40 days @sounilyu
- 14. #RSAC / 14 / Pets vs Cattle Controls Encourage / Incentivize Discourage / Disincentivize • decommissioning • creative destruction • rebooting/reimaging • ssh’ing into a container • letting an asset live longer than needed • patching in place @sounilyu
- 15. #RSAC / 15 / None Hobby Shop / Vulnerability Mgt Dedicated Biz Unit / Risk Mgt Sec Ops Center / Threat Mgt Completing the NIST Cyber Security Framework What did we buy and how does it support the biz? Viruses, Server- side Attacks, Insecure Configs Too many logs and alerts, Client-side attacks Assume Breach, Raging Fires, Too Many Privileges STABILITY (CIO) Asset Mgt, Systems Mgt Tools Anti-Virus, Firewalls, Secure Configs IDS, SIEM Incident Responders & IR Tools (EDR, SOAR) SECURITY (CISO) 1980 Identify 1990 Protect 2000 Detect 2010 Respond 2020 Recover Ransomware, MBR Wiper, DDoS, Firmware Bricking Distributed, Immutable, Ephemeral (DIE!!!) Systems Choose Your Own Destiny Core Challenges Solutions IT / Security Tension Era Security Team Composition & Focus C B A @sounilyu
- 16. #RSAC / 16 / Fragility vs Resilience vs Anti-Fragility Volatility drives changes in configuration that make it even more DIE-like Volatility results in destruction but no change in configuration Volatility causes compounding patchwork and workarounds that create greater fragility CIOCISO ? Icons made by Nhor Phai and FreePik Fragile C.I.A. Antifragile D.I.E. + Creative Destruction = Chaos Engineering Resilient D.I.E. Creative Destruction: Intentional removal of unnecessary pets that exacerbate fragility @sounilyu
- 17. #RSAC / 17 / Do our workforce shortage challenges stem more from having too many pets or having too few qualified workers? Should cyber pet ownership require licensed cyber veterinarians? What factors that result in the creation of more pets and how can that be discouraged? – AI/ML creates more data pets – GDPR/CCPA punishes for the negligence of data pets The more we thinking about securing something, the less we think about how we can live without it The security industry is incentivized to have us create more pets Thoughts and Considerations
- 18. #RSAC / 18 / Summary The next era in IT and Security will manifest more irreversible attacks that challenge and undermine our ability to RECOVER Better PROTECT, DETECT, and RESPOND capabilities may reduce occurrences of malicious events but are insufficient against well-executed destructive/irreversible scenarios Our best countermeasure is to avoid pet creation (that requires CIA) and promote cattle creation (built to DIE) Death to CIA! Long live DIE! @sounilyu
- 19. #RSAC / 19 / Applying D.I.E. Next week you should: – Get uptime measurements and create your own Pets vs Cattle curve In the first three months following this presentation you should: – Track weekly movement of Pets vs Cattle curve – Catalog pet-like and cattle-like design patterns in use within your org Within six months you should: – Create policies and disincentives that discourage pet creation – Create triggers to bring awareness to potential pet owners – Discover and provide alternatives to pet-like design patterns @sounilyu
Hinweis der Redaktion
- So here’s a little bit about me to give you some perspectives on why I focused on this topic and how I arrived at my conclusions. Until recently, I was the Chief Security Scientist at a Major Financial Institution where I had multiple roles including the following: First was as a mad scientist, where we developed new capabilities that we needed for security. Second was as an evaluator of many of the technologies offered by security startups in the market And then third as a Red Team lead where we got to break and undermine these capabilities
- As a part of these roles, I needed something to make sense of the security landscape, so I created something that I call the Cyber Defense Matrix. It's a simple matrix that consists of two dimensions. 5 things that I care about: devices, applications, networks, data, and users. And 5 things that I do in security: Identify, Protect, Detect, Respond, and Recover (or the 5 functions of the NIST Cybersecurity Framework). Now, this webcast is not about the Cyber Defense Matrix, so if you want to find out more about it, feel free to visit the website at cyberdefensematrix.com after you finish watching this webcast. But I need to briefly talk about this matrix to help you understand the problem that I noticed in our industry. So anyway, as I mentioned earlier, one of the things that I did in my role was to evaluate security startups. Well, this matrix was particularly helpful in understanding what many of these security startups do. By putting each startup into this matrix, I was able to organize them in a way that helped me compare products and understand what I may be missing. And as I looked at what I may be missing, I noticed a pattern that I found quite interesting. Now, quick caveat, I'm not endorsing any products here and the specific names of the vendors are not important, so I've fuzzed out their icons. But what I do want you to notice is that the preponderance of the technologies are on the left side of the matrix. And there are very few security startups on the right side of the matrix. This led me to create the degree of dependency spectrum that you see on the bottom of the matrix where it seemed like we had a much greater dependence on Technology on the functions of IDENTIFY and PROTECT. This starts shifting when we hit DETECT and instead of technology startups, I started seeing services oriented companies, which focus on offering people to do DETECT, RESPOND, and RECOVER on the right side of the matrix. But as you can see on the degree of dependency spectrum, I still predicted that we should see some technologies on the right side of the matrix. And I wondered, "Why are there so few technologies on the right side of the matrix"? And overall, as I looked at the plethora of security technologies out there and the many empty boxes that I saw in the matrix, I had to wonder, is our industry really solving the right problems here?
- And so that led me to look back historically on our collective security journey to understand how we got here and where we need to go in the future. So let me briefly walk you through that journey. First, in the 1980s, information technology became cheap and affordable to the masses and so enterprises started buying lots of it and started incorporating IT into every part of their business. The first challenge that we encountered was that of asset visibility and management. Organizations started asking what did we just buy and what business function or mission did it support? We needed to be able to identify our IT assets and classify them according to what they do and how critical they are to our business. The solution to this challenge came about through IT asset management systems. During this era, there was no tension between security and IT because for the most part… there was no security team. Next, in the 1990s, we started seeing really bad viruses and worms propagate through our computers. We saw attackers walk into our networks without anything stopping them. We saw how poorly-configured systems allowed attackers to easily compromise unnecessary services and gain a foothold into our environments. With these challenges, we started to introduce measures to protect our IT assets. These manifested through security configuration guides, antivirus software, and network firewalls. By the way, back in my days as a consultant, I remember my colleagues describing their client’s security program as being stuck in the 1990s. This is probably because all they had was antivirus and firewalls. Anyway, this era was also when tension started to grow between security and IT because forcing someone to patch a system or turn off an unnecessary service or lock down a machine caused headaches and negatively impacted the business. Ultimately, when we treat security as a bolt on component, it destabilizes systems and creates disruptions. And these poorly reflect on the CIO's performance metrics. Security organizations started as a hobby shop within the IT team as security-minded individuals wanted greater institutional focus on vulnerability management and security policies to protect the organization. Next, in the 2000s, we saw that attackers were able to bypass antivirus, firewalls, and other protective controls, so we needed a way to detect when that occurred. In addition, we started getting inundated with logs and thousands of alerts that needed to be examined and investigated to determine if an actual intrusion occurred. It was out of this need that we built technologies such as Security Incident and Event Management (SIEM) systems that helped defenders define alerting rules that triggered on unusual activities discerned through those logs. As the security team continued to gain more executive-level support for enforcing more draconian security policies that created IT and business impact, tension between the security organization and the CIO grew. Security organizations shifted to include threat management programs and started building 24x7 security operations centers staffed with personnel to continuously monitor and act upon security alerts created by these detection systems. In the 2010s, we realized that our protective and detective systems were far from perfect. Antivirus and firewalls were easily evaded. Our analysts were overwhelmed by poorly-tuned SIEMs that churned out false positive alerts. There were cyber fires everywhere, and we needed more firefighters and firefighting tools. It became evident that we should take on an “assumed breach” mentality and be prepared to respond to incidents. In this era, we saw the emergence of solutions that enabled defenders to hunt for intrusions and eradicate those intrusions as thoroughly as possible. In addition, for many organizations, the tension between security and IT reached a breaking point where the security team needed to split off as a separate business unit from the CIO function, enabling the CISO to square off against the CIO when it came to making security decisions that could cause business disruptions. Security organizations became more integrated into the overall risk management program so that the wide range of security issues could be properly prioritized among competing demands for personnel and resources. Hopefully, this is consistent with your perspectives of how security has evolved over the past few decades. Now, what’s interesting about this history and evolution is that the sequence here provides a very clear pointer to the future, so let’s review. The 1980s was an era where we needed to IDENTIFY our assets. The 1990s was an era where we needed to PROTECT our assets. The 2000s was an era where we needed to DETECT intrusions into our assets. The 2010s was an era where we needed to RESPOND to those intrusions.
- IDENTIFY, PROTECT, DETECT, RESPOND. Sound familiar? These are the first four functions of the NIST Cybersecurity Framework. The fifth and last function? RECOVER.
- So then the 2020s will be the age of recover, or as I would prefer to call it, it’s the age of resiliency. But what might the RECOVER or RESILIENCY era look like? Or more specifically, what types of problems will we see in this era that will challenge our ability to recover? If we map potential challenges against the traditional security paradigm of Confidentiality, Integrity, and Availability, then the types of attacks that we would see in the Age of Recovery are attacks that undermine our ability to recover from the loss of CIA. I would propose that such challenges will manifest in the form of destructive or irreversible attacks that result in our inability to recover. Of course, we have already seen manifestations of this type of attack in the form of Wikileaks, Shamoon, and NotPetya. But these are all just the tip of the iceberg. In the 2020s, we will see the full maturation of irreversible attacks that completely undermine our ability to recover.
- So if the problems facing us are irreversible and irrecoverable attacks, what solutions are security vendors offering?
- If I went to the security marketplace today and told vendors, ”I’m concerned about ransomware. I need something that directly addresses my underlying challenge with ransomware,” the following advertising campaign is representative of what we will typically get. Basically, this ad is saying that I should go join the Prevention Age?!? But the Prevention Age is the 1990s! Is this a call to go back to past solutions for tomorrow's problems? In each era, we faced new challenges that directly undermined our ability to IDENTIFY, PROTECT, DETECT, or RESPOND. We had to develop new solutions to help overcome each of these new challenges. The prior era's solutions did not solve the current era's problems. Ransomware is a new type of challenge that directly undermines our ability to RECOVER. But what you get from security vendors is just more PROTECT, DETECT, and RESPOND! How will more old-era solutions of PROTECT, DETECT, and RESPOND address a new-era attack against our ability to RECOVER? The old-era capabilities may minimize the likelihood of occurrence, but they do not fundamentally address the impact from ransomware or the ability to RECOVER.
- If we fully embrace the "assume breach" mentality that we adopted in the 2010s, then we must look for those solutions that truly help us RECOVER. If the solutions of the past are not fit for problems of the future, then what should we be looking for? Well, as I looked for RECOVER-oriented solutions, I ended up with an interesting assortment of design patterns and capabilities, such as… Content delivery networks Principles such as copy on write
- As I looked across all these recover-oriented solutions, I found three new paradigms that undergirded these solutions. Now you may wonder, how do these paradigms help with security? But more than just helping with security, it turns out, these new patterns can eliminate the need for security at all. If I have something that is highly distributed, why do I need to worry about a single system’s availability? If I have something that is immutable, why do I need to worry about its integrity. If I have something that is highly ephemeral, why do I need to worry about its confidentiality? It turns out, if we leverage these three paradigms of DIE, we might not need to worry about CIA. If we can have our assets DIE, then do we need to CIA them? (If we start trying to secure K8s, are we going to make it more pet-like? What can we do to make it cattle-like). (anything managing keys, data, identities should remain pets, forever?)
- And one of the reasons why we may need look at focusing on DIE becomes clear when we consider the traditional risk analysis equation.
- The security industry is incentivized to have us create more pets.
- Some policies promote pet creation (data retention). Most security policies promote pet creation. Security tries to protect and in doing so introduce opportunities to break things.