Blue Ocean IT Security

Jonathan Sinclair

Upload: jonathan-sinclair

Post on 16-Jan-2017

TRANSCRIPT

Page 1: Blue Ocean IT Security

Jonathan Sinclair

BLUE OCEAN IT Security

Page 2: Blue Ocean IT Security

AGENDA

• Inspiration

• Direction

• 3 Pillars
  – Patching
  – Resilience
  – Automation

Page 3: Blue Ocean IT Security

Inspiration

• Inspired by Haroon Meer’s BlackHat Europe 2015 keynote, where he made the following observations:
  – An upcoming security apocalypse is on the horizon
  – There is a crisis of confidence
  – “For the thousands your organization spends on security, you can't protect the one guy who is most valuable to you. Worse yet, would you even know if he was popped?”*

* http://blog.thinkst.com/2011/03/our-upcoming-security-apocalypse.html

Page 4: Blue Ocean IT Security

Direction

• The issues facing the IT security field haven’t changed in the last 15 years

• The “draining the swamp” framing misdirects attention away from the root cause of the problem

• A perspective/cultural shift needs to take place concerning the approach

Page 5: Blue Ocean IT Security

BLUE OCEAN STRATEGY: 3 pillars

• Patching / Updates (Upgrades): When did we allow this behaviour to become the ‘norm’ and ‘expected’?

• Resilience: What happened to load balancing/fail-over?

• Automation: Have all engineers been swallowed by the Tech firms?

Page 6: Blue Ocean IT Security

BLUE OCEAN STRATEGY

Patching / Updates (Upgrades)

Page 7: Blue Ocean IT Security

Patching / Updates (Upgrades)

• Why is patching accepted?
  – A legacy left over from the hardware days
    • Since the days of paper tape and punch cards, physical patching was accepted
    • It was then translated into the software world
    • Designed principally as a mitigating action for unreliable hardware
  – Hardware resilience has improved, while software resilience has stagnated and in some cases deteriorated

Page 8: Blue Ocean IT Security

Patching / Updates (Upgrades)

• Do we accept this for microwaves, digital watches or other consumer goods?
  – You buy an item and don’t expect it to break within 2 months.
  – Consumer rights acts exist to protect customers against such situations (ratified through law)
    • T&Cs conveniently provide a ‘get-out-of-jail-free’ card with a no opt-out option.
  – ‘Our way, or the highway’

Page 9: Blue Ocean IT Security

Patching / Updates (Upgrades)

• An open door
  – This mechanism allows 3rd parties access to our systems at a privileged level
  – It has provided the perfect back-dooring model, which everyone accepts (incl. the IT security community)

Page 10: Blue Ocean IT Security

Patching / Updates (Upgrades)

• The excuse:
  – Software engineering is hard and you will never develop a bug-free system
• The response:
  – So what?
    • Which bugs really cripple systems operationally, when they’ve been correctly engineered?
• An answer:
  – Cleanroom software engineering (Harlan Mills)
    • e.g. avionics, mission-critical systems etc.

Page 11: Blue Ocean IT Security

BLUE OCEAN STRATEGY

Resilience

Page 12: Blue Ocean IT Security

Resilience

• Build resilience into your networks
  – When did it become acceptable to forget the principles of load balancing and fail-over?
    • e.g. a banking site down for the weekend due to maintenance
  – Wasn’t the Cloud supposed to be a solution to this problem?

Page 13: Blue Ocean IT Security

Resilience

• Network segmentation and zoning
  – Identify the threat
  – Lock down/contain the threat
  – Purge the threat

Page 14: Blue Ocean IT Security

Resilience

• Honeypots
  – Where did they go?
  – Technological resilience out of the box
    • Monitoring and containment also for free
• Risk-based approach
  – Understand your assets and compartmentalise them accordingly
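The two resilience slides above (zoning with identify/contain/purge, and honeypots plus a risk-based asset model) can be shown working together in a small check over flow records. This is an added example, not code from the deck or its author: the zone ranking, the asset inventory, the control point, the honeypot host and the sample flows are all constructed for illustration. A flow that climbs into a more critical zone without going through the designated control point is flagged for investigation; any flow that touches the honeypot is treated as a compromised source and queued for containment first.

```python
from dataclasses import dataclass

# Constructed zone model: a higher rank means a more critical zone (assumption).
ZONE_RANK = {"internet": 0, "dmz": 1, "corp": 2, "restricted": 3}

# Constructed asset inventory mapping hosts to zones; unknown hosts count as internet.
ASSETS = {
    "web-01": "dmz",
    "proxy-01": "dmz",
    "laptop-17": "corp",
    "hr-db": "restricted",
    "canary-01": "restricted",  # honeypot: no legitimate traffic should ever reach it
}

# Hosts allowed to broker flows upward into a more critical zone (constructed).
CONTROL_POINTS = {"proxy-01"}
# Zone transitions that are expected by design (constructed).
ALLOWED_UPWARD = {("internet", "dmz")}
HONEYPOTS = {"canary-01"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    flow: Flow
    action: str   # "contain" or "investigate"
    reason: str


def zone_of(host):
    return ASSETS.get(host, "internet")


def check_flow(flow):
    """Identify: return a Finding when a flow breaks the zoning model, else None."""
    if flow.dst in HONEYPOTS:
        # A touch of the honeypot is a high-confidence signal: the source is assumed compromised.
        return Finding(flow, "contain", "connection to honeypot; source assumed compromised")
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    upward = ZONE_RANK[dst_zone] > ZONE_RANK[src_zone]
    if upward and (src_zone, dst_zone) not in ALLOWED_UPWARD and flow.src not in CONTROL_POINTS:
        return Finding(flow, "investigate",
                       f"{src_zone} -> {dst_zone} on port {flow.dport} bypasses control point")
    return None


def triage(flows):
    """Run every flow through the check and order the findings: containment first."""
    findings = [f for f in (check_flow(fl) for fl in flows) if f is not None]
    findings.sort(key=lambda f: 0 if f.action == "contain" else 1)
    return findings


def hosts_to_isolate(findings):
    """Lock down/contain: the sources that should be cut off from the network.
    Purging (rebuild or reimage) is the operational step that follows and is not modelled here."""
    return {f.flow.src for f in findings if f.action == "contain"}


# Constructed flow records, as a firewall or NetFlow export might provide them.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "web-01", 443),   # internet -> dmz: expected by design
    Flow("proxy-01", "hr-db", 5432),      # upward, but via the control point: allowed
    Flow("laptop-17", "hr-db", 5432),     # corp -> restricted directly: investigate
    Flow("laptop-17", "web-01", 443),     # downward flow: fine
    Flow("web-01", "canary-01", 22),      # dmz host touching the honeypot: contain
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding.action.upper(), finding.flow.src, "->", finding.flow.dst, ":", finding.reason)
    print("isolate:", sorted(hosts_to_isolate(triage(SAMPLE_FLOWS))))
```

The honeypot rule is deliberately absolute: because nothing legitimate is ever configured to talk to the canary host, a single connection is enough evidence, which is the "monitoring and containment for free" the slide refers to. The zoning rule only fires on flows that climb the criticality ladder, so the model stays quiet on ordinary downward traffic.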

Page 15: Blue Ocean IT Security

BLUE OCEAN STRATEGY

Automation

Page 16: Blue Ocean IT Security

Automation

• Strong engineering principles must be adhered to
• Develop strong developer governance around the SSDLC
  – Integrate mandatory security gating into the SDLC
• Internal talent retention
  – Holistic workflow automation
  – Internal employees are often better positioned to take a bird’s-eye view when building out process automation

Page 17: Blue Ocean IT Security

Automation

• Ensure security controls are automatically checked and reported
  – Without this, security will be bypassed
• Process automation is critical
  – Excel must be replaced with dynamic reporting. Static data analytics cripples agility
  – Remove the human
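The last two automation slides (mandatory security gating in the SDLC, and controls that are checked and reported without a human and without a spreadsheet) come down to one pattern: a machine-readable inventory, a catalogue of control predicates, an aggregated report, and a pass/fail gate. The following is an added example, not code from the deck or its author; the inventory export, the reference date, the 30-day patch threshold, the expected-admin baseline and the four controls are all constructed to illustrate the shape, not to state any real policy.

```python
import json
from datetime import date

# Constructed inventory export, as an endpoint agent or CMDB might produce it.
INVENTORY_JSON = """
[
  {"host": "web-01",    "last_patch": "2017-01-02", "disk_encrypted": true,  "log_forwarding": true,  "local_admins": ["root"]},
  {"host": "hr-db",     "last_patch": "2016-09-30", "disk_encrypted": true,  "log_forwarding": false, "local_admins": ["root", "tmpadmin"]},
  {"host": "laptop-17", "last_patch": "2017-01-10", "disk_encrypted": false, "log_forwarding": true,  "local_admins": ["root"]}
]
"""

AS_OF = date(2017, 1, 16)      # constructed reference date
MAX_PATCH_AGE_DAYS = 30        # constructed policy threshold
EXPECTED_ADMINS = {"root"}     # constructed policy baseline


def patch_age_days(host, as_of=AS_OF):
    return (as_of - date.fromisoformat(host["last_patch"])).days


# Control catalogue: name -> predicate that is True when the host is compliant.
CONTROLS = {
    "patch_age":       lambda h: patch_age_days(h) <= MAX_PATCH_AGE_DAYS,
    "disk_encrypted":  lambda h: h.get("disk_encrypted") is True,
    "log_forwarding":  lambda h: h.get("log_forwarding") is True,
    "no_extra_admins": lambda h: set(h.get("local_admins", [])) <= EXPECTED_ADMINS,
}


def evaluate(inventory):
    """Return {host: [names of failed controls]}; an empty list means fully compliant."""
    return {h["host"]: [name for name, check in CONTROLS.items() if not check(h)]
            for h in inventory}


def summarise(results):
    """Aggregate the per-host results into the numbers a dashboard would show."""
    per_control = {name: 0 for name in CONTROLS}
    for failed in results.values():
        for name in failed:
            per_control[name] += 1
    return {
        "total_hosts": len(results),
        "compliant_hosts": sum(1 for failed in results.values() if not failed),
        "failures_per_control": per_control,
    }


def gate(results):
    """Mandatory gate: True only when no host fails any control."""
    return all(not failed for failed in results.values())


def run(inventory_json=INVENTORY_JSON):
    """Parse the export, evaluate every control, and return (results, summary, gate_passed)."""
    inventory = json.loads(inventory_json)
    results = evaluate(inventory)
    return results, summarise(results), gate(results)


def render(results, summary):
    """Plain-text report regenerated from the data on every run; nothing is hand-maintained."""
    lines = [f"compliant {summary['compliant_hosts']}/{summary['total_hosts']} hosts"]
    for name, count in summary["failures_per_control"].items():
        lines.append(f"  {name}: {count} failing")
    for host, failed in sorted(results.items()):
        if failed:
            lines.append(f"  {host}: FAIL {', '.join(failed)}")
    return "\n".join(lines)


if __name__ == "__main__":
    results, summary, passed = run()
    print(render(results, summary))
    raise SystemExit(0 if passed else 1)   # the non-zero exit code is what a pipeline gate keys on
```

The point of keeping the controls as predicates in one table is that adding a control is a one-line change and every host is re-evaluated against all of them on each run; the report is derived, never edited. The exit code turns the same check into the mandatory gate the SSDLC slide calls for, so a failing control blocks the pipeline rather than waiting for someone to read a spreadsheet.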