SlideShare una empresa de Scribd logo
1 de 48
Descargar para leer sin conexión
Defense at Hyperscale:
Technologies and Policies for a
Defensible Cyberspace
Jason Healey
Senior Research Scholar, Columbia University SIPA
@Jason_Healey
Outline
1. De-buzzwording This Talk
2. Bad Guys Finish First
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
Not Trying to Make This an RSA Talk…
• Forget “Hyperscale” and “Defensible”
• Substitute “Internet and connected devices”
instead of “cyberspace” if that helps
Core Ideas
Beyond Buzzwords
• No central strategy behind infosec today
– To drive our actions
– To judge between competing public goods
– To measure our overall strategic progress against
Core Ideas
• “Making _________ more defensible” is the strategy
My Organization
My Sector
Cyberspace as a whole
• Being defensible means solutions with advantage
and scale
• To find future advantage and scale, we must know
what has so succeeded in the past
Outline
1. De-buzzwording This Talk
2. Bad Guys Finish First
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
Bad Guys Finish First
“Few if any contemporary computer
security controls have prevented a [red
team] from easily accessing any
information sought.”
Bad Guys Finish First
“Few if any contemporary computer
security controls have prevented a [red
team] from easily accessing any
information sought.”
O>D
Bad Guys Finish First
Lt Col Roger Schell (USAF) in 1979
“Few if any contemporary computer
security controls have prevented a [red
team] from easily accessing any
information sought.”
Why is O>D?
A dollar (or hour) spent on attack
buys far more than a dollar spent
on defense
Why is O>D?
1. Internet architecture
“The Internet is not insecure because it is
buggy, but because of specific design
decisions.” (David Clark, 2015)
A dollar (or hour) spent on attack buys far more than a dollar spent on defense
Why is O>D?
1. Internet architecture
“The Internet is not insecure because it is
buggy, but because of specific design
decisions.” (David Clark, 2015)
2. Software weaknesses
“Today there are no real consequences for
having bad security or having low-quality
software of any kind. Even worse, the
marketplace often rewards low quality.”
(Bruce Schneier, 2003)
A dollar (or hour) spent on attack buys far more than a dollar spent on defense
Why is O>D?
1. Internet architecture
“The Internet is not insecure because it is
buggy, but because of specific design
decisions.” (David Clark, 2015)
2. Software weaknesses
“Today there are no real consequences for
having bad security or having low-quality
software of any kind. Even worse, the
marketplace often rewards low quality.”
(Bruce Schneier, 2003)
3. Attacker initiative
“Attacker must find but one of possibly
multiple vulnerabilities in order to
succeed; the security specialist must
develop countermeasures for all”
(Computers at Risk report, 1991)
A dollar (or hour) spent on attack buys far more than a dollar spent on defense
Why is O>D?
1. Internet architecture
“The Internet is not insecure because it is
buggy, but because of specific design
decisions.” (David Clark, 2015)
2. Software weaknesses
“Today there are no real consequences for
having bad security or having low-quality
software of any kind. Even worse, the
marketplace often rewards low quality.”
(Bruce Schneier, 2003)
3. Attacker initiative
“Attacker must find but one of possibly
multiple vulnerabilities in order to
succeed; the security specialist must
develop countermeasures for all”
(Computers at Risk report, 1991)
4. Incremental and mis-aimed solutions
"We need more secure products, not
more security products.” (Phil Venables,
2004)
A dollar (or hour) spent on attack buys far more than a dollar spent on defense
Why is O>D?
1. Internet architecture
“The Internet is not insecure because it is
buggy, but because of specific design
decisions.” (David Clark, 2015)
2. Software weaknesses
“Today there are no real consequences for
having bad security or having low-quality
software of any kind. Even worse, the
marketplace often rewards low quality.”
(Bruce Schneier, 2003)
3. Attacker initiative
“Attacker must find but one of possibly
multiple vulnerabilities in order to
succeed; the security specialist must
develop countermeasures for all”
(Computers at Risk report, 1991)
4. Incremental and mis-aimed solutions
"We need more secure products, not
more security products.” (Phil Venables,
2004)
5. Complexity and high cost of control
Resulting complex systems: “processes
that can be described, but not really
understood ... often discovered through
trial and error” (Charles Perrow)
A dollar (or hour) spent on attack buys far more than a dollar spent on defense
Why is O>D?
1. Internet architecture
“The Internet is not insecure because it is
buggy, but because of specific design
decisions.” (David Clark, 2015)
2. Software weaknesses
“Today there are no real consequences for
having bad security or having low-quality
software of any kind. Even worse, the
marketplace often rewards low quality.”
(Bruce Schneier, 2003)
3. Attacker initiative
“Attacker must find but one of possibly
multiple vulnerabilities in order to
succeed; the security specialist must
develop countermeasures for all”
(Computers at Risk report, 1991)
4. Incremental and mis-aimed solutions
"We need more secure products, not
more security products.” (Phil Venables,
2004)
5. Complexity and high cost of control
Resulting complex systems: “processes
that can be described, but not really
understood ... often discovered through
trial and error” (Charles Perrow)
6. Troublesome humans:
Even the best and most secure
technological systems can be bypassed
when human users are lazy, confused or
downright tricked.
A dollar (or hour) spent on attack buys far more than a dollar spent on defense
Outline
1. Bad Guys Finish First
2. De-buzzwording This Talk
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
If the problem is O>D
the solution must be D>O (or even D>>O)
Is this even possible?
Key Questions to Tackle D>O
Results from NY Cyber Task Force
1. What is a defensible
cyberspace and why
hasn’t it been defensible
to date?
2. What past interventions
have made the biggest
difference at the largest
scale and least cost?
3. What interventions
should we make today
for the biggest
differences at the largest
scale and least cost?
What Would a Defensible Cyberspace Look Like?
Results from NY Cyber Task Force
Defensible = “Defense Advantage”
1. Agile response and decision-making
2. Instrumented and measurable
3. Multi-stakeholder and collaborative
4. Well-governed and policed
5. Few externalities
6. Resilient: Recovers readily
A dollar (or hour) spent on defense buys far more than a dollar spent on attack!
What past interventions have made
the biggest difference at the largest
scale and least cost?
http://www.economist.com/news/briefing/21618680-our-guide-actions-have-done-most-slow-global-warming-deepest-cuts
Game-Changing Solutions
Results of NY Cyber Task Force
Requires two components:
• Advantage: Dollar of defense must buy more
than a dollar of attack
• Scale: Dollar of defense should give 10x, 100x,
or even 1,000,000x the benefits – hyperscale
Least Game-Changing Solutions
• Generally impose far higher costs to the
defender than the attacker
– Technology: Compliance and other solutions
featuring checking-the-box
– Policy: Wassenaar Agreement to limit “cyber
weapons”
Game-Changing Technologies
With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default
configurations
5. Authentication beyond
passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home
router
9. Address space layout
randomization (ASLR) and
kernel memory protection
10. DDoS protection
Game-Changing Technologies
With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default
configurations
5. Authentication beyond
passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home
router
9. Address space layout
randomization (ASLR) and
kernel memory protection
10. DDoS protection
Automated updates:
Including, but not limited to
Microsoft Update. “Once Microsoft
got vested in security they were in
the best position to do something
about it”
(Jeff Moss, Jeff Schmidt)
Game-Changing Technologies
With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default
configurations
5. Authentication beyond
passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home
router
9. Address space layout
randomization (ASLR) and
kernel memory protection
10. DDoS protection
Cloud-Based architecture:
Including related technologies like
virtualization and
containterization.
"When deployed properly, the
cloud provides several critical
security advantages over
perimeter-based models including
greater automation, self-tailoring,
and self-healing characteristics of
virtualized security."
(Ed Amoroso, Phil Venables)
Game-Changing Technologies
With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default
configurations
5. Authentication beyond
passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home
router
9. Address space layout
randomization (ASLR) and
kernel memory protection
10. DDoS protection
Encryption:
One of the few places in all
computer science where, if
properly implemented, the
defense has all the advantages
against the attacker
(Steve Bellovin)
“Effective enough that it
dissuades most from breaking it;
there are usually other, less costly
means available to the attacker.”
(Wade Baker)
Game-Changing Technologies
With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default
configurations
5. Authentication beyond
passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home
router
9. Address space layout
randomization (ASLR) and
kernel memory protection
10. DDoS protection
Secure default configurations:
“Some vendors have made some
progress here (particularly
Microsoft), and it makes a huge
difference. The most impactful
parts of the USG Configuration
Baseline are when vendors just
incorporate it into their standard
configuration.”
(Senior Government Official)
Game-Changing Technologies
With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default
configurations
5. Authentication beyond
passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home
router
9. Address space layout
randomization (ASLR) and
kernel memory protection
10. DDoS protection
Kerberos: “Changed the way the
entire world did authentication”
(Phil Venables)
Authentication beyond passwords:
Not just authentication, but a slew
of multi-factor solutions such as
algorithmic and the like
(Bruce Schneier)
Game-Changing Technologies
With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default
configurations
5. Authentication beyond
passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home
router
9. Address space layout
randomization (ASLR) and
kernel memory protection
10. DDoS protection
Mass vulnerability scanning:
“Solutions like nmap gave an easy
and fast enterprise-wide view
making fixing them far easier”
(Mike Aiello)
Game-Changing Technologies
With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default
configurations
5. Authentication beyond
passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home
router
9. Address space layout
randomization (ASLR) and
kernel memory protection
10. DDoS protection
Built-in NAT for home router:
“Built-in NAT (simple firewall) has
been extremely effective in
stopping direct front door assaults
against systems with open ports
and unknown running services.”
(Marc Sachs)
Game-Changing Technologies
With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default
configurations
5. Authentication beyond
passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home
router
9. Address space layout
randomization (ASLR) and
kernel memory protection
10. DDoS protection
Address space layout
randomization (ASLR) and kernel
memory protection:
“Measures like stackguard and
ASLR moving from research (ca
2000) to mainstream (ca 2008)
defeated slew of common attacks …
prioritizing security over
compatibility.”
(Jose Nazario, Dan Geer)
Game-Changing Technologies
With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default
configurations
5. Authentication beyond
passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home
router
9. Address space layout
randomization (ASLR) and
kernel memory protection
10. DDoS protection
DDoS protection:
“If an org can afford Cloudfare, etc.,
they can withstand hundreds of
Gbps and stay online … not ‘solved,’
but defenses can substantially
mitigate impact, unlike so many
other issues.”
(Richard Bejtlich)
Additional Possibilities: Beau Woods
I Am the Cavalry and Atlantic Council
• Language choice
– With C it's really hard to prevent errors and the failure modes are catastrophic to the software
stack. By contrast something like Ruby on Rails has the penalty for failure of a nerf football
• Controls Retirement
– We keep adding one control after another in pursuit of better defense in depth. Most
organizations are up to their neck in DiD and it's suffocating them without benefit. Old
controls like AV aren't really helping but they're costing 8-10B per year.
– Radically different IT thinking obviates some of these old expensive things by fixing root
causes not apparent ones
– Related: Retire legacy infrastructure (Phil Venables)
• MAC not DAC
– Mandatory Access Control is like whitelisting on steroids. The entire OS is hostile to untrusted
code. Especially effective in Mobile, IoT, and other places
• Software Supply Chain
– Modern software platforms are 80-90 percent assembled rather than written
– DevOps is an application of supply chain theory to agile development allowing us to run faster
and stay safer
• Software Bill of Materials
– Even the best vulnerability scanners have high degree of false positives and negatives. SBOMs
are precise and accurate
Possible Next-Gen Game-Changers
Ongoing Work of the NY Cyber Task Force
• Return of Formal Methods, like DARPA’s High-Assurance Cyber Military Systems
“Not unhackable completely. There are certain obvious pathways for attackers that have all been shut
down in a way that’s mathematically proven to be unhackable for those pathways.” (Arati Prabhakar)
• Compiler-Generated Software Diversity:
“After every 100th download of a given app … re-compiles that app with a strong diversity compiler
making the next 100 downloads different from the previous 100. This prevents mass exploitation,
though at a cost: it is no longer possible to confirm whether a given binary corresponds to a given source
blob.” (Dan Geer)
• Security solutions for IoT
If you think cyberspace is insecure today, just wait for the coming Internet of Things. “The first 5 billion
devices won’t be like the next 50 billion. Modern cars are computers on wheels, and cutting edge patient
care is delivered over the Internet. If we get this right, the promise will transform society; if we get this
wrong we eliminate the resilience we seek.” (Beau Woods)
• Security score cards like BitSight to drive insurance, behavior (Phil Venables)
• Data-level protection (Greg Touhill)
Hyperscale: Critical mass of cloud deployment
How Do Techs Become Real Game-Changers
Ongoing Work of the NY Cyber Task Force
1. Take Away Entire Classes of Attacks (Arati Prabhakar)
2. Take User out of the Solution (Bruce Schneier)
3. "Those responsible make a change that helps all their users”
(Jeff Moss)
4. “Improve security by decreasing cost of control” (Phil
Venables)
5. Minimize Consequence - agility, detection, and resilience
(Art Coviello)
Operational and Policy Game-Changers
Harder to Measure
• Creation of the first CERTs in late 1980s
• Operational innovations: kill chain
• Automated threat sharing – STIX, TAXII, CyBox
• Institutionalized bug bounty programs
• Volunteer groups: Conficker, NSP-SEC, I am the Cavalry
• Industry Alliances: ICASI, Cyber Threat Alliance
• Budapest Convention on cyber crime
Operational and Policy Game-Changers
• International norms along
with indictments and
threat of sanctions
• FireEye: massive reduction
of detected Chinese
intrusions from ~70/month
to less than 5/month
• What other solution have
we ever implemented for
such success at so little
cost?
https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-china-espionage.pdf
Operational and Policy Game-Changers
• USG policy of “bias” to
not retain vulnerabilities,
but disclose to vendors
• USG “discloses far more
vulnerabilities than it
decides to keep secret, in
one year keeping only
about two for offensive
purposes out of about
100 the White House
reviewed”
VEP Process - 2014 to Present
Operational and Policy Game-Changers
• USG policy bias to disclose to US companies when
they’ve been pwned
• Result: Law Enforcement now #1 source for breach
notification (esp for botnet takedown), per Verizon
http://www.verizonenterprise.com/verizon-insights-
lab/dbir/2016/
Outline
1. De-buzzwording This Talk
2. Bad Guys Finish First
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
Implications
• Only potential futures aren’t just
– O>D (continued status quo)
– D>O (defense advantage)
• Could be far worse, O>>D
– or far better, D>>O
• Atlantic Council and Zurich Insurance Group
modeled the economic impact of getting it right
(or horribly wrong)
Possible Futures…
Cumulative Annual Benefits and Costs
Economic Impact Through 2030
Best case: ~$30 trillion
Worst case: ~$90 trillion
Difference in government control less
impactful, still meaningful: $30 trillion
Best case is “Cyber Shangri-La” where D>O
Worst case is “Clockwork Orange Internet” where O>>D
If Future Possibilities are “Fat Tail Distribution”
Then Far More Potential Variability
Expected Future
Regular standard deviation
Lower chance of massive, unexpected events
Expected Future
Variance not bounded
Far higher chance for
surprise
Measuring Defensibility
• Verizon Data Breach Investigations Report
– “Detection deficit … is getting worse”
– “Attackers are getting even quicker at compromising their victims”
– Slight improvements in how quickly defenders detect compromises
• Commerce: 45 percent of US online households have stopped some
sensitive online transactions
• Index of Cyber Security
For a More Defensible Cyberspace
And a $120 Trillion Payoff
• Advantage: Dollar of defense must buy more
than a dollar of attack
• Scale: Dollar of defense should give 10x, 100x,
or even 1,000,000x the benefits – hyperscale
THANK YOU @Jason_Healey

Más contenido relacionado

La actualidad más candente

Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesMajor Hayden
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco moranaMarco Morana
 
"Evolving cybersecurity strategies" - Seizing the Opportunity
"Evolving cybersecurity strategies" - Seizing the Opportunity"Evolving cybersecurity strategies" - Seizing the Opportunity
"Evolving cybersecurity strategies" - Seizing the OpportunityDean Iacovelli
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDragos, Inc.
 
You Give Us The Fire We'll Give'em Hell!
You Give Us The Fire We'll Give'em Hell!You Give Us The Fire We'll Give'em Hell!
You Give Us The Fire We'll Give'em Hell!wmetcalf
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Adrian Sanabria
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Dragos, Inc.
 
Security and Mobility Co Create Week Jakarta
Security and Mobility Co Create Week JakartaSecurity and Mobility Co Create Week Jakarta
Security and Mobility Co Create Week JakartaStefan Streichsbier
 
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)ITCamp
 
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...EC-Council
 
Cyber Security: Strategies, Defence and what’s not working
Cyber Security:Strategies, Defence and what’s not workingCyber Security:Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingJonathan Sinclair
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityPriyanka Aash
 
Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Dragos, Inc.
 
Omniscient H4D 2020 Lessons Learned
Omniscient H4D 2020 Lessons LearnedOmniscient H4D 2020 Lessons Learned
Omniscient H4D 2020 Lessons LearnedStanford University
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botGroup of company MUK
 
Harry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get WorseHarry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get Worsecentralohioissa
 

La actualidad más candente (20)

Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability Scanner
 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilities
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
 
Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco morana
 
"Evolving cybersecurity strategies" - Seizing the Opportunity
"Evolving cybersecurity strategies" - Seizing the Opportunity"Evolving cybersecurity strategies" - Seizing the Opportunity
"Evolving cybersecurity strategies" - Seizing the Opportunity
 
Lastline Case Study
Lastline Case StudyLastline Case Study
Lastline Case Study
 
Meletis Belsis -CSIRTs
Meletis Belsis -CSIRTsMeletis Belsis -CSIRTs
Meletis Belsis -CSIRTs
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill Chain
 
You Give Us The Fire We'll Give'em Hell!
You Give Us The Fire We'll Give'em Hell!You Give Us The Fire We'll Give'em Hell!
You Give Us The Fire We'll Give'em Hell!
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos
 
Security and Mobility Co Create Week Jakarta
Security and Mobility Co Create Week JakartaSecurity and Mobility Co Create Week Jakarta
Security and Mobility Co Create Week Jakarta
 
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
 
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
 
Cyber Security: Strategies, Defence and what’s not working
Cyber Security:Strategies, Defence and what’s not workingCyber Security:Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not working
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum Security
 
Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction
 
Omniscient H4D 2020 Lessons Learned
Omniscient H4D 2020 Lessons LearnedOmniscient H4D 2020 Lessons Learned
Omniscient H4D 2020 Lessons Learned
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving bot
 
Harry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get WorseHarry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get Worse
 

Destacado

Learning to love supply chain plans
Learning to love supply chain plansLearning to love supply chain plans
Learning to love supply chain plansBVG Associates
 
On the margins of scholarship
On the margins of scholarshipOn the margins of scholarship
On the margins of scholarshipRichard Davis
 
Natural Resources Wales: Making the most of of all our assets in the Rhondda 2
Natural Resources Wales: Making the most of of all our assets in the Rhondda 2Natural Resources Wales: Making the most of of all our assets in the Rhondda 2
Natural Resources Wales: Making the most of of all our assets in the Rhondda 2scarletdesign
 
Tower Fund Community Consultation
Tower Fund Community Consultation Tower Fund Community Consultation
Tower Fund Community Consultation scarletdesign
 
SPIKE's BIOGRAPHY
SPIKE's BIOGRAPHYSPIKE's BIOGRAPHY
SPIKE's BIOGRAPHYkarthik v
 
Premio colunistas coca-cola-2
Premio colunistas coca-cola-2Premio colunistas coca-cola-2
Premio colunistas coca-cola-2zerotres
 
Three-Hypers Series:Hyperlipidemia – 07 Small, dense LDL - an important risk ...
Three-Hypers Series:Hyperlipidemia – 07 Small, dense LDL - an important risk ...Three-Hypers Series:Hyperlipidemia – 07 Small, dense LDL - an important risk ...
Three-Hypers Series:Hyperlipidemia – 07 Small, dense LDL - an important risk ...SD Shyu
 
Sjogren’s syndrome
Sjogren’s syndromeSjogren’s syndrome
Sjogren’s syndromeDJ CrissCross
 
Approach to a patient with JAUNDICE
Approach to a patient with JAUNDICEApproach to a patient with JAUNDICE
Approach to a patient with JAUNDICEDJ CrissCross
 
Pulmonary Embolism Wells Criteria
Pulmonary Embolism Wells CriteriaPulmonary Embolism Wells Criteria
Pulmonary Embolism Wells CriteriaDJ CrissCross
 
Itc Annual report 2008
Itc Annual report 2008Itc Annual report 2008
Itc Annual report 2008karthik v
 

Destacado (20)

CV Jorge Adrián Morales Pérez
CV Jorge Adrián Morales PérezCV Jorge Adrián Morales Pérez
CV Jorge Adrián Morales Pérez
 
Learning to love supply chain plans
Learning to love supply chain plansLearning to love supply chain plans
Learning to love supply chain plans
 
On the margins of scholarship
On the margins of scholarshipOn the margins of scholarship
On the margins of scholarship
 
Libec LS-22DV
Libec LS-22DVLibec LS-22DV
Libec LS-22DV
 
sistema-calentador-de-agua-vfc
sistema-calentador-de-agua-vfcsistema-calentador-de-agua-vfc
sistema-calentador-de-agua-vfc
 
Natural Resources Wales: Making the most of of all our assets in the Rhondda 2
Natural Resources Wales: Making the most of of all our assets in the Rhondda 2Natural Resources Wales: Making the most of of all our assets in the Rhondda 2
Natural Resources Wales: Making the most of of all our assets in the Rhondda 2
 
Tower Fund Community Consultation
Tower Fund Community Consultation Tower Fund Community Consultation
Tower Fund Community Consultation
 
SPIKE's BIOGRAPHY
SPIKE's BIOGRAPHYSPIKE's BIOGRAPHY
SPIKE's BIOGRAPHY
 
Myeloma
MyelomaMyeloma
Myeloma
 
Presentazione Stesegeo - Forum PA 2014
Presentazione Stesegeo - Forum PA 2014 Presentazione Stesegeo - Forum PA 2014
Presentazione Stesegeo - Forum PA 2014
 
PowerPoint Downhill
PowerPoint DownhillPowerPoint Downhill
PowerPoint Downhill
 
Premio colunistas coca-cola-2
Premio colunistas coca-cola-2Premio colunistas coca-cola-2
Premio colunistas coca-cola-2
 
Three-Hypers Series:Hyperlipidemia – 07 Small, dense LDL - an important risk ...
Three-Hypers Series:Hyperlipidemia – 07 Small, dense LDL - an important risk ...Three-Hypers Series:Hyperlipidemia – 07 Small, dense LDL - an important risk ...
Three-Hypers Series:Hyperlipidemia – 07 Small, dense LDL - an important risk ...
 
Sjogren’s syndrome
Sjogren’s syndromeSjogren’s syndrome
Sjogren’s syndrome
 
Stroke
StrokeStroke
Stroke
 
Approach to a patient with JAUNDICE
Approach to a patient with JAUNDICEApproach to a patient with JAUNDICE
Approach to a patient with JAUNDICE
 
Pulmonary Embolism Wells Criteria
Pulmonary Embolism Wells CriteriaPulmonary Embolism Wells Criteria
Pulmonary Embolism Wells Criteria
 
Itc Annual report 2008
Itc Annual report 2008Itc Annual report 2008
Itc Annual report 2008
 
Project Analysis - PPT
Project Analysis - PPTProject Analysis - PPT
Project Analysis - PPT
 
Epilepsy
EpilepsyEpilepsy
Epilepsy
 

Similar a Technologies and Policies for a Defensible Cyberspace

02-overview.pptx
02-overview.pptx02-overview.pptx
02-overview.pptxEmanAzam
 
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Michele Chubirka
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Claus Cramon Houmann
 
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...EC-Council
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof SoodZsolt Nemeth
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Chris Gates
 
Beware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopBeware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopMichele Chubirka
 
Answer each question in one to two paragraphs.Question 1 .docx
Answer each question in one to two paragraphs.Question 1 .docxAnswer each question in one to two paragraphs.Question 1 .docx
Answer each question in one to two paragraphs.Question 1 .docxjustine1simpson78276
 
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...Symbiosis Group
 
American University What Areas Are Concerning when Securing a Network.pdf
American University What Areas Are Concerning when Securing a Network.pdfAmerican University What Areas Are Concerning when Securing a Network.pdf
American University What Areas Are Concerning when Securing a Network.pdfbkbk37
 
Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security Malachi Jones
 
ciso-platform-annual-summit-2013-Hp enterprise security overview
ciso-platform-annual-summit-2013-Hp enterprise security overviewciso-platform-annual-summit-2013-Hp enterprise security overview
ciso-platform-annual-summit-2013-Hp enterprise security overviewPriyanka Aash
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015Daniel Miessler
 
JS Fest 2019. Анастасия Войтова. "Defense in depth": trench warfare principle...
JS Fest 2019. Анастасия Войтова. "Defense in depth": trench warfare principle...JS Fest 2019. Анастасия Войтова. "Defense in depth": trench warfare principle...
JS Fest 2019. Анастасия Войтова. "Defense in depth": trench warfare principle...JSFestUA
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...AI Frontiers
 
A 2020 Security strategy for Health Care Providers
A 2020 Security strategy for Health Care ProvidersA 2020 Security strategy for Health Care Providers
A 2020 Security strategy for Health Care ProvidersFeisal Nanji
 
Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Dinis Cruz
 

Similar a Technologies and Policies for a Defensible Cyberspace (20)

02-overview.pptx
02-overview.pptx02-overview.pptx
02-overview.pptx
 
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...
TakeDownCon Rocket City: Technology Deathmatch, The arms race is on by Sean B...
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof Sood
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
 
Beware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopBeware the Firewall My Son: The Workshop
Beware the Firewall My Son: The Workshop
 
Answer each question in one to two paragraphs.Question 1 .docx
Answer each question in one to two paragraphs.Question 1 .docxAnswer each question in one to two paragraphs.Question 1 .docx
Answer each question in one to two paragraphs.Question 1 .docx
 
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
A New Technical and Practical Approach on Securing Cyberspace and Cloud Compu...
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
 
American University What Areas Are Concerning when Securing a Network.pdf
American University What Areas Are Concerning when Securing a Network.pdfAmerican University What Areas Are Concerning when Securing a Network.pdf
American University What Areas Are Concerning when Securing a Network.pdf
 
Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security
 
ciso-platform-annual-summit-2013-Hp enterprise security overview
ciso-platform-annual-summit-2013-Hp enterprise security overviewciso-platform-annual-summit-2013-Hp enterprise security overview
ciso-platform-annual-summit-2013-Hp enterprise security overview
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
 
JS Fest 2019. Анастасия Войтова. "Defense in depth": trench warfare principle...
JS Fest 2019. Анастасия Войтова. "Defense in depth": trench warfare principle...JS Fest 2019. Анастасия Войтова. "Defense in depth": trench warfare principle...
JS Fest 2019. Анастасия Войтова. "Defense in depth": trench warfare principle...
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEO
 
A 2020 Security strategy for Health Care Providers
A 2020 Security strategy for Health Care ProvidersA 2020 Security strategy for Health Care Providers
A 2020 Security strategy for Health Care Providers
 
Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018
 

Más de mark-smith

How Your DRAM Becomes a Security Problem
How Your DRAM Becomes a Security ProblemHow Your DRAM Becomes a Security Problem
How Your DRAM Becomes a Security Problemmark-smith
 
Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox
Remotely Compromising iOS via Wi-Fi and Escaping the SandboxRemotely Compromising iOS via Wi-Fi and Escaping the Sandbox
Remotely Compromising iOS via Wi-Fi and Escaping the Sandboxmark-smith
 
Applied Machine Learning for Data exfil and other fun topics
Applied Machine Learning for Data exfil and other fun topicsApplied Machine Learning for Data exfil and other fun topics
Applied Machine Learning for Data exfil and other fun topicsmark-smith
 
JailBreak DIY- Fried Apple
JailBreak DIY- Fried AppleJailBreak DIY- Fried Apple
JailBreak DIY- Fried Applemark-smith
 
The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10mark-smith
 
Exploiting Curiosity and Context
Exploiting Curiosity and ContextExploiting Curiosity and Context
Exploiting Curiosity and Contextmark-smith
 
Abusing belkin home automation devices
Abusing belkin home automation devicesAbusing belkin home automation devices
Abusing belkin home automation devicesmark-smith
 
Greed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale BotnetsGreed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale Botnetsmark-smith
 
How your smartphone cpu breaks software level security and privacy
How your smartphone cpu breaks software level security and privacyHow your smartphone cpu breaks software level security and privacy
How your smartphone cpu breaks software level security and privacymark-smith
 
Attacking Network Infrastructure to Generate a 4 Tbs DDoS
Attacking Network Infrastructure to Generate a 4 Tbs DDoSAttacking Network Infrastructure to Generate a 4 Tbs DDoS
Attacking Network Infrastructure to Generate a 4 Tbs DDoSmark-smith
 
How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness mark-smith
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspacemark-smith
 

Más de mark-smith (12)

How Your DRAM Becomes a Security Problem
How Your DRAM Becomes a Security ProblemHow Your DRAM Becomes a Security Problem
How Your DRAM Becomes a Security Problem
 
Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox
Remotely Compromising iOS via Wi-Fi and Escaping the SandboxRemotely Compromising iOS via Wi-Fi and Escaping the Sandbox
Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox
 
Applied Machine Learning for Data exfil and other fun topics
Applied Machine Learning for Data exfil and other fun topicsApplied Machine Learning for Data exfil and other fun topics
Applied Machine Learning for Data exfil and other fun topics
 
JailBreak DIY- Fried Apple
JailBreak DIY- Fried AppleJailBreak DIY- Fried Apple
JailBreak DIY- Fried Apple
 
The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10
 
Exploiting Curiosity and Context
Exploiting Curiosity and ContextExploiting Curiosity and Context
Exploiting Curiosity and Context
 
Abusing belkin home automation devices
Abusing belkin home automation devicesAbusing belkin home automation devices
Abusing belkin home automation devices
 
Greed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale BotnetsGreed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale Botnets
 
How your smartphone cpu breaks software level security and privacy
How your smartphone cpu breaks software level security and privacyHow your smartphone cpu breaks software level security and privacy
How your smartphone cpu breaks software level security and privacy
 
Attacking Network Infrastructure to Generate a 4 Tbs DDoS
Attacking Network Infrastructure to Generate a 4 Tbs DDoSAttacking Network Infrastructure to Generate a 4 Tbs DDoS
Attacking Network Infrastructure to Generate a 4 Tbs DDoS
 
How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspace
 

Último

Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsRoxana Stingu
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdfShreedeep Rayamajhi
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024Jan Löffler
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilitiesalihassaah1994
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxnaveenithkrishnan
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteMavein
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpressssuser166378
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSedrianrheine
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSlesteraporado16
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfmchristianalwyn
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Shubham Pant
 

Último (12)

Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilities
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptx
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a Website
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpress
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024
 

Technologies and Policies for a Defensible Cyberspace

  • 1. Defense at Hyperscale: Technologies and Policies for a Defensible Cyberspace Jason Healey Senior Research Scholar, Columbia University SIPA @Jason_Healey
  • 2. Outline 1. De-buzzwording This Talk 2. Bad Guys Finish First 3. A More Defensible Cyberspace 4. Payout for Getting it Right (or Wrong)
  • 3. Not Trying to Make This an RSA Talk… • Forget “Hyperscale” and “Defensible” • Substitute “Internet and connected devices” instead of “cyberspace” if that helps
  • 4. Core Ideas Beyond Buzzwords • No central strategy behind infosec today – To drive our actions – To judge between competing public goods – To measure our overall strategic progress against
  • 5. Core Ideas • “Making _________ more defensible” is the strategy My Organization My Sector Cyberspace as a whole • Being defensible means solutions with advantage and scale • To find future advantage and scale, we must know what has so succeeded in the past
  • 6. Outline 1. De-buzzwording This Talk 2. Bad Guys Finish First 3. A More Defensible Cyberspace 4. Payout for Getting it Right (or Wrong)
  • 7. Bad Guys Finish First “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.”
  • 8. Bad Guys Finish First “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.” O>D
  • 9. Bad Guys Finish First Lt Col Roger Schell (USAF) in 1979 “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.”
  • 10. Why is O>D? A dollar (or hour) spent on attack buys far more than a dollar spent on defense
  • 11. Why is O>D? 1. Internet architecture “The Internet is not insecure because it is buggy, but because of specific design decisions.” (David Clark, 2015) A dollar (or hour) spent on attack buys far more than a dollar spent on defense
  • 12. Why is O>D? 1. Internet architecture “The Internet is not insecure because it is buggy, but because of specific design decisions.” (David Clark, 2015) 2. Software weaknesses “Today there are no real consequences for having bad security or having low-quality software of any kind. Even worse, the marketplace often rewards low quality.” (Bruce Schneier, 2003) A dollar (or hour) spent on attack buys far more than a dollar spent on defense
  • 13. Why is O>D? 1. Internet architecture “The Internet is not insecure because it is buggy, but because of specific design decisions.” (David Clark, 2015) 2. Software weaknesses “Today there are no real consequences for having bad security or having low-quality software of any kind. Even worse, the marketplace often rewards low quality.” (Bruce Schneier, 2003) 3. Attacker initiative “Attacker must find but one of possibly multiple vulnerabilities in order to succeed; the security specialist must develop countermeasures for all” (Computers at Risk report, 1991) A dollar (or hour) spent on attack buys far more than a dollar spent on defense
  • 14. Why is O>D? 1. Internet architecture “The Internet is not insecure because it is buggy, but because of specific design decisions.” (David Clark, 2015) 2. Software weaknesses “Today there are no real consequences for having bad security or having low-quality software of any kind. Even worse, the marketplace often rewards low quality.” (Bruce Schneier, 2003) 3. Attacker initiative “Attacker must find but one of possibly multiple vulnerabilities in order to succeed; the security specialist must develop countermeasures for all” (Computers at Risk report, 1991) 4. Incremental and mis-aimed solutions "We need more secure products, not more security products.” (Phil Venables, 2004) A dollar (or hour) spent on attack buys far more than a dollar spent on defense
  • 15. Why is O>D? 1. Internet architecture “The Internet is not insecure because it is buggy, but because of specific design decisions.” (David Clark, 2015) 2. Software weaknesses “Today there are no real consequences for having bad security or having low-quality software of any kind. Even worse, the marketplace often rewards low quality.” (Bruce Schneier, 2003) 3. Attacker initiative “Attacker must find but one of possibly multiple vulnerabilities in order to succeed; the security specialist must develop countermeasures for all” (Computers at Risk report, 1991) 4. Incremental and mis-aimed solutions "We need more secure products, not more security products.” (Phil Venables, 2004) 5. Complexity and high cost of control Resulting complex systems: “processes that can be described, but not really understood ... often discovered through trial and error” (Charles Perrow) A dollar (or hour) spent on attack buys far more than a dollar spent on defense
  • 16. Why is O>D? 1. Internet architecture “The Internet is not insecure because it is buggy, but because of specific design decisions.” (David Clark, 2015) 2. Software weaknesses “Today there are no real consequences for having bad security or having low-quality software of any kind. Even worse, the marketplace often rewards low quality.” (Bruce Schneier, 2003) 3. Attacker initiative “Attacker must find but one of possibly multiple vulnerabilities in order to succeed; the security specialist must develop countermeasures for all” (Computers at Risk report, 1991) 4. Incremental and mis-aimed solutions "We need more secure products, not more security products.” (Phil Venables, 2004) 5. Complexity and high cost of control Resulting complex systems: “processes that can be described, but not really understood ... often discovered through trial and error” (Charles Perrow) 6. Troublesome humans: Even the best and most secure technological systems can be bypassed when human users are lazy, confused or downright tricked. A dollar (or hour) spent on attack buys far more than a dollar spent on defense
  • 17. Outline 1. Bad Guys Finish First 2. De-buzzwording This Talk 3. A More Defensible Cyberspace 4. Payout for Getting it Right (or Wrong)
  • 18. If the problem is O>D the solution must be D>O (or even D>>O) Is this even possible?
  • 19. Key Questions to Tackle D>O Results from NY Cyber Task Force 1. What is a defensible cyberspace and why hasn’t it been defensible to date? 2. What past interventions have made the biggest difference at the largest scale and least cost? 3. What interventions should we make today for the biggest differences at the largest scale and least cost?
  • 20. What Would a Defensible Cyberspace Look Like? Results from NY Cyber Task Force Defensible = “Defense Advantage” 1. Agile response and decision-making 2. Instrumented and measurable 3. Multi-stakeholder and collaborative 4. Well-governed and policed 5. Few externalities 6. Resilient: Recovers readily A dollar (or hour) spent on defense buys far more than a dollar spent on attack!
  • 21. What past interventions have made the biggest difference at the largest scale and least cost?
  • 23. Game-Changing Solutions Results of NY Cyber Task Force Requires two components: • Advantage: Dollar of defense must buy more than a dollar of attack • Scale: Dollar of defense should give 10x, 100x, or even 1,000,000x the benefits – hyperscale
  • 24. Least Game-Changing Solutions • Generally impose far higher costs to the defender than the attacker – Technology: Compliance and other solutions featuring checking-the-box – Policy: Wassenaar Agreement to limit “cyber weapons”
  • 25. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection
  • 26. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Automated updates: Including, but not limited to Microsoft Update. “Once Microsoft got vested in security they were in the best position to do something about it” (Jeff Moss, Jeff Schmidt)
  • 27. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Cloud-Based architecture: Including related technologies like virtualization and containterization. "When deployed properly, the cloud provides several critical security advantages over perimeter-based models including greater automation, self-tailoring, and self-healing characteristics of virtualized security." (Ed Amoroso, Phil Venables)
  • 28. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Encryption: One of the few places in all computer science where, if properly implemented, the defense has all the advantages against the attacker (Steve Bellovin) “Effective enough that it dissuades most from breaking it; there are usually other, less costly means available to the attacker.” (Wade Baker)
  • 29. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Secure default configurations: “Some vendors have made some progress here (particularly Microsoft), and it makes a huge difference. The most impactful parts of the USG Configuration Baseline are when vendors just incorporate it into their standard configuration.” (Senior Government Official)
  • 30. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Kerberos: “Changed the way the entire world did authentication” (Phil Venables) Authentication beyond passwords: Not just authentication, but a slew of multi-factor solutions such as algorithmic and the like (Bruce Schneier)
  • 31. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Mass vulnerability scanning: “Solutions like nmap gave an easy and fast enterprise-wide view making fixing them far easier” (Mike Aiello)
  • 32. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Built-in NAT for home router: “Built-in NAT (simple firewall) has been extremely effective in stopping direct front door assaults against systems with open ports and unknown running services.” (Marc Sachs)
  • 33. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Address space layout randomization (ASLR) and kernel memory protection: “Measures like stackguard and ASLR moving from research (ca 2000) to mainstream (ca 2008) defeated slew of common attacks … prioritizing security over compatibility.” (Jose Nazario, Dan Geer)
  • 34. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection DDoS protection: “If an org can afford Cloudfare, etc., they can withstand hundreds of Gbps and stay online … not ‘solved,’ but defenses can substantially mitigate impact, unlike so many other issues.” (Richard Bejtlich)
  • 35. Additional Possibilities: Beau Woods I Am the Cavalry and Atlantic Council • Language choice – With C it's really hard to prevent errors and the failure modes are catastrophic to the software stack. By contrast something like Ruby on Rails has the penalty for failure of a nerf football • Controls Retirement – We keep adding one control after another in pursuit of better defense in depth. Most organizations are up to their neck in DiD and it's suffocating them without benefit. Old controls like AV aren't really helping but they're costing 8-10B per year. – Radically different IT thinking obviates some of these old expensive things by fixing root causes not apparent ones – Related: Retire legacy infrastructure (Phil Venables) • MAC not DAC – Mandatory Access Control is like whitelisting on steroids. The entire OS is hostile to untrusted code. Especially effective in Mobile, IoT, and other places • Software Supply Chain – Modern software platforms are 80-90 percent assembled rather than written – DevOps is an application of supply chain theory to agile development allowing us to run faster and stay safer • Software Bill of Materials – Even the best vulnerability scanners have high degree of false positives and negatives. SBOMs are precise and accurate
  • 36. Possible Next-Gen Game-Changers Ongoing Work of the NY Cyber Task Force • Return of Formal Methods, like DARPA’s High-Assurance Cyber Military Systems “Not unhackable completely. There are certain obvious pathways for attackers that have all been shut down in a way that’s mathematically proven to be unhackable for those pathways.” (Arati Prabhakar) • Compiler-Generated Software Diversity: “After every 100th download of a given app … re-compiles that app with a strong diversity compiler making the next 100 downloads different from the previous 100. This prevents mass exploitation, though at a cost: it is no longer possible to confirm whether a given binary corresponds to a given source blob.” (Dan Geer) • Security solutions for IoT If you think cyberspace is insecure today, just wait for the coming Internet of Things. “The first 5 billion devices won’t be like the next 50 billion. Modern cars are computers on wheels, and cutting edge patient care is delivered over the Internet. If we get this right, the promise will transform society; if we get this wrong we eliminate the resilience we seek.” (Beau Woods) • Security score cards like BitSight to drive insurance, behavior (Phil Venables) • Data-level protection (Greg Touhill) Hyperscale: Critical mass of cloud deployment
  • 37. How Do Techs Become Real Game-Changers Ongoing Work of the NY Cyber Task Force 1. Take Away Entire Classes of Attacks (Arati Prabhakar) 2. Take User out of the Solution (Bruce Schneier) 3. "Those responsible make a change that helps all their users” (Jeff Moss) 4. “Improve security by decreasing cost of control” (Phil Venables) 5. Minimize Consequence - agility, detection, and resilience (Art Coviello)
  • 38. Operational and Policy Game-Changers Harder to Measure • Creation of the first CERTs in late 1980s • Operational innovations: kill chain • Automated threat sharing – STIX, TAXII, CyBox • Institutionalized bug bounty programs • Volunteer groups: Conficker, NSP-SEC, I am the Cavalry • Industry Alliances: ICASI, Cyber Threat Alliance • Budapest Convention on cyber crime
  • 39. Operational and Policy Game-Changers • International norms along with indictments and threat of sanctions • FireEye: massive reduction of detected Chinese intrusions from ~70/month to less than 5/month • What other solution have we ever implemented for such success at so little cost? https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-china-espionage.pdf
  • 40. Operational and Policy Game-Changers • USG policy of “bias” to not retain vulnerabilities, but disclose to vendors • USG “discloses far more vulnerabilities than it decides to keep secret, in one year keeping only about two for offensive purposes out of about 100 the White House reviewed” VEP Process - 2014 to Present
  • 41. Operational and Policy Game-Changers • USG policy bias to disclose to US companies when they’ve been pwned • Result: Law Enforcement now #1 source for breach notification (esp for botnet takedown), per Verizon http://www.verizonenterprise.com/verizon-insights- lab/dbir/2016/
  • 42. Outline 1. De-buzzwording This Talk 2. Bad Guys Finish First 3. A More Defensible Cyberspace 4. Payout for Getting it Right (or Wrong)
  • 43. Implications • Only potential futures aren’t just – O>D (continued status quo) – D>O (defense advantage) • Could be far worse, O>>D – or far better, D>>O • Atlantic Council and Zurich Insurance Group modeled the economic impact of getting it right (or horribly wrong)
  • 44. Possible Futures… Cumulative Annual Benefits and Costs Economic Impact Through 2030 Best case: ~$30 trillion Worst case: ~$90 trillion Difference in government control less impactful, still meaningful: $30 trillion Best case is “Cyber Shangri-La” where D>O Worst case is “Clockwork Orange Internet” where O>>D
  • 45. If Future Possibilities are “Fat Tail Distribution” Then Far More Potential Variability Expected Future Regular standard deviation Lower chance of massive, unexpected events Expected Future Variance not bounded Far higher chance for surprise
  • 46. Measuring Defensibility • Verizon Data Breach Investigations Report – “Detection deficit … is getting worse” – “Attackers are getting even quicker at compromising their victims” – Slight improvements in how quickly defenders detect compromises • Commerce: 45 percent of US online households have stopped some sensitive online transactions • Index of Cyber Security
  • 47. For a More Defensible Cyberspace And a $120 Trillion Payoff • Advantage: Dollar of defense must buy more than a dollar of attack • Scale: Dollar of defense should give 10x, 100x, or even 1,000,000x the benefits – hyperscale