Disclaimer

•   These opinions are mine alone and in no way reflect the opinions of my employer.
•   There is a crap load of text in the slide-deck. I don't want the message to be lost in my poor delivery.
Introductions

Will Metcalf, wmetcalf@idstotal.com, @node5
Open source community manager for Qualys. I work on the IronBee WAF team. Founding member of the Open Information Security Foundation.
In the past I worked for OISF, Emerging Threats, etc. beating the snot out of open source IDS. In a previous life I was a security practitioner for local government/LE.
I have the hots for all security-related FOSS stuff.
Something IS Wrong with our Model

INFOSEC STAFF IS OVERBURDENED

•   Information security practitioners are faced with the insurmountable task of securing an ever-expanding amount of complex technologies.
•   This problem is compounded by the rate of change in our industry. This is a real issue. To secure a technology you must truly understand how it works, right?
•   Trying to consume raw data from intelligence sources, open or closed, can become overwhelming. Turning it into actionable intelligence for your organization is time consuming.
•   The InfoSec pros I know tend to look at InfoSec as a way of life because they are passionate about their craft. Passion can be killed once this lifestyle is no longer a choice but instead an occupational requirement.
•   If you think I'm full of crap but sense your security geeks may be approaching burnout, an ancillary presentation to this one, along with tips on how to keep InfoSec staff happy, can be found here: http://vimeo.com/24650438.
Changing Landscape

•   Historically InfoSec has been a “tower defense game” [1]. Defenders needed to know a little bit about a broad range of technologies. This was a somewhat effective model when paired with a defender's view of the organizational terrain. With increasing complexity and dissolving network borders, this model becomes more difficult to pull off.
    [1] David J. Bianco @DavidJBianco: “I don't get the fascination with tower defense games. I work in security, so that's pretty much my daily life anyway.”
As an Industry, we breed generalists

•   Given the history of InfoSec programs in most organizations, i.e., needing to know a little bit about a lot of technologies, it's no wonder that as an industry we tend to breed InfoSec generalists.
•   Unfortunately today most organizations need InfoSec staff with a multitude of specialized skill sets to provide adequate protection. The sooner that decision-makers realize we can't be experts in everything, the better.
Talent Shortage

•   Given the generalist conundrum it should be no surprise that there is a severe shortage of specialized talent in the industry.
•   Even if organizations (want|can afford) to hire specialized talent, they will often have trouble finding it. Most specialized talent today works for the vendors you purchase security products and services from. This compounds the problem of information asymmetry between vendor and buyer [2][3].
•   Offloading certain problems to vendors/consulting firms with the desired skill sets might be OK, but be wary of arrangements where the external party has no prior insight into your organization and therefore cannot apply context to a problem. Boutique security consulting firms FTW!
    [2] “Security derivatives: the downward spiral caused by information asymmetry,” by Josh Corman of the 451 Group, http://www.the451group.com:80/report_view/report_view.php?entity_id=60884
    [3] http://www.mandiant.com/uploads/presentations/SOH_092310.pdf
Threat Intelligence Products

•   Many exist today but finding reliable, consistent, complete threat intelligence products is hard and/or cost-prohibitive.
•   Having these products does not alleviate the need for in-house specialized skill sets to analyze the intel for applicability in the context of your organization. Without these skills threat intel products will probably have very low SNR once they enter your organization.
•   An ancillary to this is the fact that security vendors/intelligence providers can realistically only provide coverage for a certain amount of technologies. Niche market technologies are often overlooked.
Intelligence Analysis is performed in silos

•   Given a piece of intelligence, similar organizations within an industry may independently reach like conclusions about derived threats, their risk to the organization and how to mitigate the risk, i.e., preventative/detective controls.
•   This leads to unneeded duplication of analyst effort.
We don't like to share

•   Organizationally cultivated threat intelligence, while valuable to peers, is rarely shared.
•   Some organizations believe that their investment into InfoSec should result in enhanced competitive advantage and therefore don't want to share.
•   Others think participating in open chatter about threats will give away information about their infrastructure.
•   While some industry information-sharing programs exist, the M.O. for semi-open information-sharing programs tends to be watered-down, high-level analysis with low resolution.
•   High-resolution information-sharing programs generally exist among various researchers and vendors. This information is typically not available to outsiders as a counter-intelligence measure.
Interlude

You're probably thinking to yourself: “Oh, fantastic. Another 'this is our darkest hour' presenter. If I wanted to be depressed, I would have stayed in the office, queued up the 'Requiem for a Dream' soundtrack and spent the afternoon scanning my NIDS logs for evidence of browser-based exploits.”
Have no fear, true believer. I have a solution. Well, maybe.
Wild, Wild WEST

The InfoSec environment today is like the Wild West. If you're lucky, your org has a sheriff, The Security Guy. If you're really lucky, big enough and have enough cheese, you may have a couple deputies, Security Minions. But what happens when the opposing forces are overwhelming?
Let's ask an expert.
WWMVPD

WWMVPD: What Would Mario Van Peebles Do?
He would form an InfoSec posse, of course.
MVP Alternative Course of ACTION

MVP may alternatively morph into a gun-toting InfoSec werewolf and try to handle things himself. He is sort of a wild card. I digress.
Our "Posse": Infosec Trust Groups

•   Build information/resource-sharing agreements with other organizations under NDA in the same business sector, or in close physical proximity to you. Or form trusts to manage custodial arrangements of shared data.
•   Orgs in the same business sector will face similar problems. Orgs close by are probably easier to establish agreements with because dialogues are easier to maintain.
•   Establishing trust groups among government organizations is probably much easier than with companies.
•   In KC, the Mid-America Regional Council is already in place to foster such relationships among metro-area governments. Information sharing already exists between LE/other entities in these orgs. I mentioned @MARCKCMetro in a tweet on this subject. No response, WTF? :)
Yes, but Why?

•   Ideally fosters the creation of specialized skill sets by offloading some tasks to the group. This allows practitioners to grow skill sets in areas that interest them.
•   Have at your disposal specialized skill sets from other orgs. Having resource-sharing agreements for specialized skill sets would allow more efficient IR, because the parties involved would be able to apply preexisting knowledge about organizational context.
•   The chance to offset cost and increase security posture. This can be accomplished in many ways, such as sharing security infrastructure. Think shared DNSBL servers, Cuckoo Sandboxes, (Dionaea|Glastopf|Kippo) low-interaction honeypots. You could also create trust-group-supported solutions based on FOSS to save money or to fill gaps that vendors don't cover (read: TKL-based appliances).
Would You Like To Know More?

•   One man's false positive is another man's actionable intelligence. Creating rules to look for activity that is of little value to you, but of high value to others, is a win.
•   Increasing visibility of the threat landscape by sharing security event data. Even if sanitized, data still has value when you are available for inquiries about the data sets you produce. The same can be true for other items, such as performance data of WAF/IDS rules.
SHARING IS CARING

•   Analyze data through information-sharing portals. Projects like fordrop look promising, but it can be a frigging restricted-access wiki. Practitioners with areas of expertise can weigh in on detection/mitigation.
•   When appropriate, publicly publish/share findings with the larger InfoSec community.
•   When I was at Emerging Threats, I tried to think about how I would tackle CVE-2010-3962 if still in OPSEC. I published my findings here: http://rules.emergingthreats.net/research/WMetcalf-CVE-2010-3962/. If exploitation was seen in the wild, the shared analysis dialogue may have gone something like this ...
Together we can do Something beautiful

•   NIDS Guy: “This will be impossible to sig with NIDS outside of the obfuscated JS sigs that trip. Here are the alerts.”
•   Log Analysis Guy: “Interesting, my process accounting audit logs show that iexplore.exe fired off a notepad.exe process, which then fired off cmd.exe. I can sig this.”
•   EMET Guy: “Using this combination of EMET settings for the iexplore.exe executable, I'm able to stop successful exploitation, and IE seems to function normally; others please verify.”
•   Proxy Guy: “This thing is trying to establish an SSL connection to a C&C server that is using a completely bogus cert. SSLBump + 'sslproxy_cert_error deny all' is preventing the connection.”
•   All Together in Unison: “Boy, I sure am glad we went to Will's talk and decided to start sharing.”
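The "Log Analysis Guy" step above, the detection of a browser spawning notepad.exe which in turn spawns cmd.exe, as an added example that is not part of the slide deck and not code from any tool the talk mentions. The key=value log format, the host names, pids and timestamps in the sample are all constructed for this example; real sources (Windows 4688 events, Sysmon process-creation events, Linux process accounting) carry the same fields but need their own parsers. The rule table goes a little beyond the slide by making the suspicious chain data, so a trust group could share additional chains as plain rules.

```python
import re
from collections import namedtuple

# Constructed, simplified process-creation log format (an assumption of this
# example): one event per line, "ts host=... pid=... ppid=... image=...".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)"
    r"\s+ppid=(?P<ppid>\d+)\s+image=(?P<image>.+)$"
)

Event = namedtuple("Event", "ts host pid ppid image")

# Each rule is a sequence of image basenames that must appear as consecutive
# ancestors of the spawned process, oldest first. The first rule is the chain
# from the talk; the second is a constructed extra rule to show rules are data.
RULES = {
    "browser-notepad-cmd": ("iexplore.exe", "notepad.exe", "cmd.exe"),
    "browser-direct-cmd": ("iexplore.exe", "cmd.exe"),
}

# Constructed sample log: one matching chain on ws01, plus benign noise
# (a user-opened notepad, a browser spawning a child browser, a user-opened cmd).
SAMPLE_LOG = r"""
2010-11-04T10:00:01Z host=ws01 pid=400 ppid=1 image=C:\Windows\explorer.exe
2010-11-04T10:00:05Z host=ws01 pid=1204 ppid=400 image=C:\Program Files\Internet Explorer\iexplore.exe
2010-11-04T10:00:09Z host=ws01 pid=1300 ppid=1204 image=C:\Windows\System32\notepad.exe
2010-11-04T10:00:10Z host=ws01 pid=1310 ppid=1300 image=C:\Windows\System32\cmd.exe
2010-11-04T10:01:00Z host=ws01 pid=1400 ppid=400 image=C:\Windows\System32\notepad.exe
2010-11-04T10:02:00Z host=ws02 pid=2000 ppid=500 image=C:\Program Files\Internet Explorer\iexplore.exe
2010-11-04T10:02:01Z host=ws02 pid=2010 ppid=2000 image=C:\Program Files\Internet Explorer\iexplore.exe
2010-11-04T10:03:00Z host=ws02 pid=2100 ppid=500 image=C:\Windows\System32\cmd.exe
"""


def parse_log(text):
    """Parse log text into Event tuples, silently skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(m["ts"], m["host"], int(m["pid"]), int(m["ppid"]), m["image"]))
    return events


def basename(image):
    """Lower-cased final path component, tolerant of both path separators."""
    return re.split(r"[\\/]", image)[-1].lower()


def ancestry(event, index):
    """Image basenames from the oldest known ancestor down to the event itself.

    Walks ppid links through the (host, pid) index and stops at a pid with no
    recorded creation event (e.g. a process started before logging began).
    Caveat: pid reuse is not handled here; a production detector must also
    compare timestamps so a recycled pid is not linked to a long-dead parent.
    """
    chain = [basename(event.image)]
    seen = {event.pid}
    cur = event
    while True:
        parent = index.get((cur.host, cur.ppid))
        if parent is None or parent.pid in seen:  # unknown parent, or loop guard
            break
        chain.append(basename(parent.image))
        seen.add(parent.pid)
        cur = parent
    chain.reverse()
    return chain


def detect(events, rules=RULES):
    """Return one hit per event whose ancestry ends with a rule's chain."""
    index = {(e.host, e.pid): e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e, index)
        for name, pattern in rules.items():
            n = len(pattern)
            if len(chain) >= n and tuple(chain[-n:]) == pattern:
                hits.append({"rule": name, "host": e.host, "pid": e.pid,
                             "ts": e.ts, "chain": chain})
    return hits


if __name__ == "__main__":
    for hit in detect(parse_log(SAMPLE_LOG)):
        print(f"{hit['ts']} {hit['host']} pid={hit['pid']} rule={hit['rule']}: "
              + " -> ".join(hit["chain"]))
```

Run as-is it reports exactly one hit, the cmd.exe on ws01 whose ancestry is explorer.exe -> iexplore.exe -> notepad.exe -> cmd.exe; the benign lines produce nothing, which is the property a shared rule needs before a peer organization will run it.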
FIN

 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 

Recently uploaded (20)

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 

You Give Us The Fire We'll Give'em Hell!

  • 1.
  • 2. Disclaimer ● These opinions are mine alone and in no way reflect the opinions of my employer. ● There is a crap load of text in the slide-deck. I don't want the message to be lost in my poor delivery.
  • 3. Introductions Will Metcalf, wmetcalf@idstotal.com, @node5 Open source community manager for Qualys. I work on the IronBee WAF team. Founding member of the Open Information Security Foundation. In the past I worked for OISF, Emerging Threats, etc. beating the snot out of open source IDS. In a previous life I was a security practitioner for local government/LE. I have the hots for all security-related FOSS stuff.
  • 4. something IS Wrong with our Model
  • 5. INFOSEC STAFF IS OVERBURDENED • Information security practitioners are faced with the insurmountable task of securing an ever-expanding number of complex technologies. • This problem is compounded by the rate of change in our industry. This is a real issue. To secure a technology you must truly understand how it works, right? • Trying to consume raw data from intelligence sources, open or closed, can become overwhelming. Turning it into actionable intelligence for your organization is time consuming. • The InfoSec pros I know tend to look at InfoSec as a way of life because they are passionate about their craft. Passion can be killed once this lifestyle is no longer a choice but instead an occupational requirement. • If you think I'm full of crap but sense your security geeks may be approaching burnout, an ancillary presentation to this one, along with tips on how to keep InfoSec staff happy, can be found here: http://vimeo.com/24650438.
  • 6. Changing Landscape • Historically InfoSec has been a “tower defense game” [1]. Defenders needed to know a little bit about a broad range of technologies. This was a somewhat effective model when paired with a defender's view of the organizational terrain. With increasing complexity and dissolving network borders, this model becomes more difficult to pull off. [1] David J. Bianco @DavidJBianco: “I don't get the fascination with tower defense games. I work in security, so that's pretty much my daily life anyway.”
  • 7. As an Industry, we breed generalists • Given the history of InfoSec programs in most organizations, i.e., needing to know a little bit about a lot of technologies, it's no wonder that as an industry we tend to breed InfoSec generalists. • Unfortunately, today most organizations need InfoSec staff with a multitude of specialized skill sets to provide adequate protection. The sooner that decision-makers realize we can't be experts in everything, the better.
  • 8. Talent Shortage • Given the generalist conundrum, it should be no surprise that there is a severe shortage of specialized talent in the industry. • Even if organizations (want|can afford) to hire specialized talent, they will often have trouble finding it. Most specialized talent today works for the vendors you purchase security products and services from. This compounds the problem of information asymmetry between vendor and buyer [2][3]. • Offloading certain problems to vendors/consulting firms with the desired skill sets might be OK, but be wary of arrangements where the external party has no prior insight into your organization and therefore cannot apply context to a problem. Boutique security consulting firms FTW! [2] “Security derivatives: the downward spiral caused by information asymmetry,” by Josh Corman of the 451 Group http://www.the451group.com:80/report_view/report_view.php?entity_id=60884 [3] http://www.mandiant.com/uploads/presentations/SOH_092310.pdf
  • 9. Threat Intelligence Products • Many exist today, but finding reliable, consistent, complete threat intelligence products is hard and/or cost-prohibitive. • Having these products does not alleviate the need for in-house specialized skill sets to analyze the intel for applicability in the context of your organization. Without these skills, threat intel products will probably have a very low SNR once they enter your organization. • An ancillary to this is the fact that security vendors/intelligence providers can realistically only provide coverage for a certain number of technologies. Niche market technologies are often overlooked.
  • 10. Intelligence Analysis is performed in silos • Given a piece of intelligence, similar organizations within an industry may independently reach like conclusions about derived threats, their risk to the organization and how to mitigate the risk, i.e., preventative/detective controls. • This leads to unneeded duplication of analyst effort.
  • 11. We don't like to share • Organizationally cultivated threat intelligence, while valuable to peers, is rarely shared. • Some organizations believe that their investment in InfoSec should result in enhanced competitive advantage and therefore don't want to share. • Others think participating in open chatter about threats will give away information about their infrastructure. • While some industry information-sharing programs exist, the M.O. of semi-open information-sharing programs tends to be watered-down, high-level analysis with low resolution. • High-resolution information-sharing programs generally exist among various researchers and vendors. This information is typically not available to outsiders as a counter-intelligence measure.
  • 12. Interlude You're probably thinking to yourself: “Oh, fantastic. Another 'this is our darkest hour' presenter. If I wanted to be depressed, I would have stayed in the office, queued up the 'Requiem for a Dream' soundtrack and spent the afternoon scanning my NIDS logs for evidence of browser-based exploits.” Have no fear, true believer. I have a solution. Well, maybe.
  • 13. Wild, Wild WEST The InfoSec environment today is like the Wild West. If you're lucky, your org has a sheriff, The Security Guy. If you're really lucky, big enough and have enough cheese, you may have a couple deputies, Security Minions. But what happens when the opposing forces are overwhelming? Let's ask an expert.
  • 14. WWMVPD WWMVPD: What Would Mario Van Peebles Do? He would form an InfoSec posse, of course.
  • 15. MVP Alternative Course of ACTION MVP may alternatively morph into a gun-toting InfoSec werewolf and try to handle things himself. He is sort of a wild card. I digress.
  • 16. Our "Posse" Infosec Trust Groups • Build information/resource-sharing agreements under NDA with other organizations in the same business sector, or in close physical proximity to you. Or form trusts to manage custodial arrangements for shared data. • Orgs in the same business sector will face similar problems. Orgs close by are probably easier to establish agreements with because dialogues are easier to maintain. • Establishing trust groups among government organizations is probably much easier than among companies. • In KC, the Mid-America Regional Council is already in place to foster such relationships among metro-area governments. Information sharing already exists between LE/other entities in these orgs. I mentioned @MARCKCMetro in a tweet on this subject. No response, WTF? :)
  • 17. Yes, but Why? • Ideally fosters the creation of specialized skill sets by offloading some tasks to the group. This allows practitioners to grow skill sets in areas that interest them. • Have at your disposal specialized skill sets from other orgs. Having resource-sharing agreements for specialized skill sets would allow more efficient IR, because the parties involved would be able to apply preexisting knowledge about organizational context. • The chance to offset cost and increase security posture. This can be accomplished in many ways, such as sharing security infrastructure. Think shared DNSBL servers, Cuckoo Sandboxes, (Dionaea|Glastopf|Kippo) low-interaction honeypots. You could also create trust group-supported solutions based on FOSS to save money or to fill gaps that vendors don't cover (read: TKL-based appliances).
  • 18. Would You Like To Know More? • One man's false positive is another man's actionable intelligence. Creating rules to look for activity that is of little value to you, but of high value to others, is a win. • Increasing visibility of the threat landscape by sharing security event data. Even if sanitized, data still has value when you are available for inquiries about the data sets you produce. The same can be true for other items, such as performance data of WAF/IDS rules.
  • 19. SHARING IS CARING • Analyze data through information-sharing portals. Projects like fordrop look promising, but it can be a frigging restricted-access wiki. Practitioners with areas of expertise can weigh in on detection/mitigation. • When appropriate, publicly publish/share findings with the larger InfoSec community. • When I was at Emerging Threats, I tried to think about how I would tackle CVE-2010-3962 if still in OPSEC. I published my findings here: http://rules.emergingthreats.net/research/WMetcalf-CVE-2010-3962/. If exploitation was seen in the wild, the shared analysis dialogue may have gone something like this ...
  • 20. Together we can do Something beautiful • NIDS Guy: “This will be impossible to sig with NIDS outside of the obfuscated JS sigs that trip. Here are the alerts.” • Log Analysis Guy: “Interesting, my process accounting audit logs show that iexplore.exe fired off a notepad.exe process, which then fired off cmd.exe. I can sig this.” • EMET Guy: “Using this combination of EMET settings for the iexplore.exe executable, I'm able to stop successful exploitation, and IE seems to function normally; others, please verify.” • Proxy Guy: “This thing is trying to establish an SSL connection to a C&C server that is using a completely bogus cert. SSLBump + “sslproxy_cert_error deny all” is preventing the connection.” • All Together in Unison: “Boy, I sure am glad we went to Will's talk and decided to start sharing.”
  • 21. FIN
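The "Log Analysis Guy" on slide 20 spots exploitation from process lineage alone: iexplore.exe spawning notepad.exe, which spawns cmd.exe. The script below is an added example, not part of the deck or any project it names, showing how that observation becomes a reusable detection over process-creation audit records. It generalizes the slide's single chain to the underlying rule (a command shell with a browser anywhere in its ancestry) and it walks the parent chain with a depth cap and a visited set so that PID reuse cannot loop it. The log format, host name, PIDs and timestamps are all constructed for the demonstration; real process accounting or Sysmon output would need its own parser.

```python
"""Flag command shells whose process ancestry contains a web browser.

Added example for the slide-20 scenario; the log line format, field names,
host name, PIDs and timestamps below are constructed, not taken from any
real product's output.
"""
import re
from collections import namedtuple

# Constructed log format: "<ts> host=<h> pid=<n> ppid=<n> image=<exe>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"image=(?P<image>\S+)$"
)

Event = namedtuple("Event", "ts host pid ppid image")

# Constructed sample: a normal desktop session, the slide's chain
# (iexplore.exe -> notepad.exe -> cmd.exe), and two benign processes
# launched from explorer.exe that must NOT be flagged.
SAMPLE_LOG = """\
2010-11-04T10:00:01Z host=ws17 pid=1204 ppid=812 image=explorer.exe
2010-11-04T10:00:05Z host=ws17 pid=2216 ppid=1204 image=iexplore.exe
2010-11-04T10:00:09Z host=ws17 pid=2300 ppid=2216 image=iexplore.exe
2010-11-04T10:02:41Z host=ws17 pid=2504 ppid=2300 image=notepad.exe
2010-11-04T10:02:42Z host=ws17 pid=2512 ppid=2504 image=cmd.exe
2010-11-04T10:05:00Z host=ws17 pid=2600 ppid=1204 image=notepad.exe
2010-11-04T10:05:30Z host=ws17 pid=2608 ppid=1204 image=cmd.exe
"""

# Interpreters/shells that should never descend from a browser session.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}


def parse_log(text):
    """Parse constructed log lines into Event records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["host"], int(m["pid"]),
                                int(m["ppid"]), m["image"].lower()))
    return events


def lineage(by_pid, host, pid, max_depth=32):
    """Image names from `pid` up to the root, nearest ancestor first.

    Stops at an unknown parent, at a PID already visited (PID reuse can
    otherwise form a cycle), or after max_depth hops.
    """
    chain, seen = [], set()
    key = (host, pid)
    while key in by_pid and key not in seen and len(chain) < max_depth:
        seen.add(key)
        event = by_pid[key]
        chain.append(event.image)
        key = (host, event.ppid)
    return chain


def find_browser_spawned_shells(events):
    """Return (ts, host, pid, chain) for each shell with a browser in its ancestry."""
    by_pid = {(e.host, e.pid): e for e in events}
    hits = []
    for e in events:
        if e.image not in SHELLS:
            continue
        chain = lineage(by_pid, e.host, e.pid)
        # chain[0] is the shell itself; look only at its ancestors.
        if any(img in BROWSERS for img in chain[1:]):
            hits.append((e.ts, e.host, e.pid, " <- ".join(chain)))
    return hits


if __name__ == "__main__":
    for ts, host, pid, chain in find_browser_spawned_shells(parse_log(SAMPLE_LOG)):
        print(f"{ts} {host} pid={pid} browser-descended shell: {chain}")
```

Run against the constructed sample, only pid 2512 is reported (cmd.exe <- notepad.exe <- iexplore.exe <- iexplore.exe <- explorer.exe); the cmd.exe and notepad.exe launched directly from explorer.exe stay quiet. That asymmetry is the point of the slide: the rule is cheap for the organization that wrote it and, once shared, immediately useful to any peer that collects the same kind of process-creation data.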