By Joshua Corman, Dir. Security Intelligence, Akamai Technologies (@joshcorman) & David Etue, VP of CorpDev Strategy, SafeNet Inc. (@djetue)
Cloud, virtualization, mobility, and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.
Watch the full webcast: https://www.brighttalk.com/webcast/2037/72187
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
1. Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Josh Corman, Director, Security Intelligence (@joshcorman)
David Etue, VP, Corp Dev Strategy (@djetue)
9. Grant me the Serenity to accept the things I cannot change;
Transparency to the things I cannot control;
Relevant controls for the things I can;
And the Wisdom (and influence) to mitigate risk appropriately.
InfoSec Serenity Prayer
11. The Control Quotient Definition
• Quotient (from http://www.merriam-webster.com/dictionary/quotient ):
– the number resulting from the division of one number by another
– the numerical ratio, usually multiplied by 100, between a test score and a standard value
– quota, share
– the magnitude of a specified characteristic or quality
• Control Quotient: optimization of a security control based on the maximum efficacy within the sphere of control (or influence or trust) of the underlying infrastructure*
• *unless there is an independent variable…
12. History
• RSA Conference US 2009 P2P
– An endpoint has a comprehensive, but suspect, view
– The network has a trustworthy, but incomplete, view
13. In Theory There Is An Optimal Place to Deploy a Control… But Degrees Of Separation Happen….
16. Today’s Reality
• Administrative control of the entire system is lost
• Increased attack surface
• Abstraction has made systems difficult to assess
• Expectation of anytime-anywhere access from any device
17. The Control Quotient and the SPI Stack
CSA Cloud Model (layers): Security Management & GRC; Identity/Entity Security; Data Security; Infrastructure Security (Host, Network); Application Security
18. The Control Quotient and the SPI Stack
CSA Cloud Model (same layer diagram as slide 17)
Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud Forces a Change in How Security Controls Are Evaluated and Deployed
19. To Be Successful, We Must Focus on the Control Kept (or Gained!), NOT the Control Lost… Half Full or Half Empty?
28. The Control Quotient and the SPI Stack
Stack by Chris Hoff -> CSA: Amazon EC2 - IaaS; Google AppEngine - PaaS; Salesforce - SaaS
29. The Control Quotient and the SPI Stack
(Same SPI stack as slide 28: Amazon EC2 - IaaS; Google AppEngine - PaaS; Salesforce - SaaS. Stack by Chris Hoff -> CSA.)
The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
30. Cloud: Who Has Control?
Model                    | Private Cloud | IaaS in Hybrid / Community / Public Cloud | PaaS/SaaS
Whose Privileged Users?  | Customer      | Provider                                  | Provider
Whose Infrastructure?    | Customer      | Provider                                  | Provider
Whose VM / Instance?     | Customer      | Customer                                  | Provider
Whose Application?       | Customer      | Customer                                  | Provider
Law Enforcement Contact? | Customer      | Provider                                  | Provider
36. Old Ways Don’t Work in New World…
Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments… but were the controls even effective then?
38. A Modern Pantheon of Adversary Classes
Methods: “MetaSploit”, DoS, Phishing, Rootkit, SQLi, Auth, Exfiltration, Malware, Physical
Impacts: Reputational, Personal, Confidentiality, Integrity, Availability
Target Assets: Credit Card #s, Web Properties, Intellectual Property, PII / Identity, Cyber Infrastructure, Core Business Processes
Motivations: Financial, Industrial, Military, Ideological, Political, Prestige
Actor Classes: States, Competitors, Organized Crime, Script Kiddies, Terrorists, “Hactivists”, Insiders, Auditors
http://www.slideshare.net/DavidEtue/adversary-roi-evaluating-security-from-the-threat-actors-perspective
39. HD Moore’s Law and Attacker Power
• Moore’s Law: Compute power doubles every 18 months
• HDMoore’s Law: Casual Attacker Strength grows at the rate of MetaSploit
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
45. Control “Swim Lanes”
Controls: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, …
Desired Outcomes: Compliance (1..n), “ROI”, Breach / QB sneak, Productivity, …
Leverage Points (swim lanes): PHI, “IP”, Web, PCI
46. Control & Influence “Swim Lanes”
(Same controls and swim lanes as slide 45: PHI, “IP”, Web, PCI, and the control list from AV through Anti-Fraud.)
Desired Outcomes / Leverage Points: Compliance (1..n), “ROI”, Breach / QB sneak, Procurement, Disruption, DevOps, Productivity, “Honest Risk”, General Counsel
47. Under-tapped Researcher Influence
(Same controls, swim lanes and leverage points as slide 46, adding researcher influence channels.)
Influence channels: Litigation, Legislation, Open Source, Hearts & Minds, Academia
Desired Outcomes / Leverage Points: Compliance (1..n), “ROI”, Breach / QB sneak, Procurement, Disruption, DevOps, Productivity, “Honest Risk”, General Counsel
48. Potential Independent Variables
• Encryption – with good key management…
• Rootkits – well, rootkits for good…
• Intermediary Clouds – Anti-DDoS, WAF, Message/Content, Identity, etc…
• Identity and Access Management – with proper integration and process support
• Software-As-A-Service (SaaS) – *if* the provider harnesses the opportunity
49. Apply!
• Identify at least one opportunity to leverage a new swim lane
• Identify one opportunity this year to influence each layer of the Pyramid
50. THANK YOU!
Josh Corman, Director, Security Intelligence (@joshcorman)
David Etue, VP, Corp Dev Strategy (@djetue)
Editor’s Notes
Cons: Lots of new devices, maybe employee owned! Pros: Actually “gold” image, centralized forensics, base image reversion, backup,