blue ocean it security
TRANSCRIPT
Jonathan Sinclair
BLUE OCEAN IT Security
AGENDA
• Inspiration
• Direction
• 3 Pillars
  – Patching
  – Resilience
  – Automation
Inspiration
• Inspired by Haroon Meer’s BlackHat Europe 2015 keynote, where he made the following observations:
  – An upcoming security apocalypse is on the horizon
  – There is a crisis of confidence
  – “For the thousands your organization spends on security, you can't protect the one guy who is most valuable to you. Worse yet, would you even know if he was popped?”*
* http://blog.thinkst.com/2011/03/our-upcoming-security-apocalypse.html
Direction
• The issues facing the IT security field haven’t changed in the last 15 years
• The “draining the swamp” issue leads to misdirection concerning the root cause of the problem
• A perspective/cultural shift needs to take place concerning the approach
3 Pillars
• Patching / Updates (Upgrades): When did we allow this behaviour to become the ‘norm’ and ‘expected’?
• Resilience: What happened to load balancing/fail-over?
• Automation: Have all engineers been swallowed by the tech firms?

Patching / Updates (Upgrades)
• Why is patching accepted?
  – A legacy left over from the hardware days
    • Since the days of paper tape and punch cards, physical patching was accepted
    • It was then translated into the software world
    • Designed principally as a mitigating action for unreliable hardware
  – Hardware resilience has improved, while software resilience has stagnated and in some cases deteriorated
Patching / Updates (Upgrades)
• Do we accept this for microwaves, digital watches or other consumer goods?
  – You buy an item and don’t expect it to break within 2 months.
  – Consumer rights acts exist to protect customers against such situations (ratified through law)
    • T&Cs conveniently provide a ‘get-out-of-jail-free’ card with no opt-out option.
      – ‘Our way, or the highway’
Patching / Updates (Upgrades)
• An open door
  – This mechanism allows 3rd parties access to our systems at a privileged level
  – It’s provided the perfect back-dooring model, which everyone accepts (incl. the IT security community)
Patching / Updates (Upgrades)
• The excuse:
  – Software engineering is hard and you will never develop a bug-free system
• The response:
  – So what?
    • Which bugs really cripple systems operationally, when they’ve been correctly engineered?
• An answer:
  – Cleanroom software engineering (Harlan Mills)
    • e.g. avionics, mission-critical systems etc.
Resilience
• Build in resilience to your networks
  – When did it become acceptable to forget principles of load balancing and fail-over?
    • e.g. banking site down for the weekend due to maintenance
  – Wasn’t the Cloud supposed to be a solution to this problem?
Resilience
• Network segmentation and zoning
  – Identify the threat
  – Lock down/contain the threat
  – Purge the threat
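The identify / contain / purge cycle above only works if the zoning is written down as a policy that code can check, not a diagram nobody reads. The following is an added example (not from the deck): a zoning policy evaluated over constructed flow-log lines, with a quarantine step for containment and an inventory drop for purging. The asset inventory, zone-to-zone policy, IP addresses and log format are all constructed for illustration.

```python
"""Identify / contain / purge over a zoned network, as a policy check run on flow
logs. Added example, not from the original deck: the asset inventory, zoning
policy and log lines below are all constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed asset inventory: IP -> (hostname, zone). The zone is the
# compartment an asset was placed in after assessing its risk.
ASSETS = {
    "10.0.1.10": ("web-01", "dmz"),
    "10.0.1.11": ("web-02", "dmz"),
    "10.0.2.20": ("app-01", "app"),
    "10.0.3.30": ("db-01", "data"),
    "10.0.9.99": ("hr-laptop", "user"),
}

# Constructed zoning policy: (source zone, destination zone) -> permitted
# destination ports. Any cross-zone flow not listed here is a violation.
POLICY = {
    ("user", "dmz"): {443},
    ("dmz", "app"): {8080},
    ("app", "data"): {5432},
}

# Constructed flow-log lines in a firewall-like key=value format.
SAMPLE_LOG = [
    "2015-11-12T10:00:01Z src=10.0.9.99 dst=10.0.1.10 dport=443",   # user -> dmz, permitted
    "2015-11-12T10:00:02Z src=10.0.1.10 dst=10.0.2.20 dport=8080",  # dmz -> app, permitted
    "2015-11-12T10:00:03Z src=10.0.2.20 dst=10.0.3.30 dport=5432",  # app -> data, permitted
    "2015-11-12T10:00:04Z src=10.0.1.10 dst=10.0.1.11 dport=22",    # intra-zone, not governed here
    "2015-11-12T10:00:05Z src=10.0.9.99 dst=10.0.3.30 dport=5432",  # user -> data: violation
    "2015-11-12T10:00:06Z src=10.0.1.10 dst=10.0.3.30 dport=5432",  # dmz -> data: skips the app tier
]

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Extract (src, dst, dport) from each log line; lines that do not match are skipped."""
    flows = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            flows.append(Flow(m.group(1), m.group(2), int(m.group(3))))
    return flows


class Zoning:
    def __init__(self, assets, policy):
        self.assets = dict(assets)   # copy so purge() does not touch the caller's inventory
        self.policy = policy
        self.quarantined = set()

    def zone_of(self, ip):
        return self.assets.get(ip, (None, "unknown"))[1]

    def identify(self, flows):
        """Step 1: return (flow, reason) for every flow the zoning policy does not permit."""
        findings = []
        for f in flows:
            if f.src in self.quarantined:
                findings.append((f, "source host quarantined"))
                continue
            src_zone, dst_zone = self.zone_of(f.src), self.zone_of(f.dst)
            if "unknown" in (src_zone, dst_zone):
                findings.append((f, "unknown asset"))   # unzoned assets are never trusted
                continue
            if src_zone == dst_zone:
                continue
            if f.dport not in self.policy.get((src_zone, dst_zone), ()):
                findings.append((f, f"{src_zone}->{dst_zone}:{f.dport} not permitted"))
        return findings

    def contain(self, ip):
        """Step 2: lock the host down; every flow it originates is now reported."""
        self.quarantined.add(ip)

    def purge(self, ip):
        """Step 3: drop the host from the inventory; it must be re-zoned before it is trusted again."""
        self.quarantined.discard(ip)
        self.assets.pop(ip, None)


if __name__ == "__main__":
    zoning = Zoning(ASSETS, POLICY)
    for flow, reason in zoning.identify(parse_flows(SAMPLE_LOG)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Intra-zone traffic is deliberately left to host-level controls; the point of zoning is that anything crossing a boundary has to be on the allow-list, and a purged host comes back as "unknown" until someone consciously re-zones it.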
Resilience
• Honeypots
  – Where did they go?
  – Technological resilience out of the box
    • Monitoring and containment also for free
• Risk-based approach
  – Understand your assets and compartmentalise them accordingly
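The "monitoring for free" claim about honeypots rests on one property: a service nobody has a legitimate reason to contact produces zero false positives, so a single connection is an alert. The following is an added example (not from the deck, and not the code of any honeypot product): a minimal canary listener that presents an assumed FTP-style banner, records the source and first bytes of every connection, and includes a localhost self-test so an operator can confirm it fires after deployment. The banner text and the use of an OS-chosen port are assumptions.

```python
"""A minimal canary listener: a fake service that no legitimate client has any
reason to contact, so every connection is a high-confidence alert. Added example,
not from the original deck; the banner and port choice are assumptions."""
import socket
import threading
import time
from datetime import datetime, timezone


class CanaryListener:
    def __init__(self, host="127.0.0.1", port=0, banner=b"220 ftp ready\r\n"):
        self.banner = banner
        self.alerts = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))       # port=0 lets the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.5)          # so the accept loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)   # look like a service, then record what arrives
                    first = conn.recv(256)
                except (socket.timeout, OSError):
                    first = b""
            alert = {
                "time": datetime.now(timezone.utc).isoformat(),
                "src": f"{addr[0]}:{addr[1]}",
                "dst_port": self.port,
                "first_bytes": first[:64],
                "severity": "high",             # nothing should ever talk to this port
            }
            with self._lock:
                self.alerts.append(alert)

    def snapshot(self):
        with self._lock:
            return list(self.alerts)


def self_test(payload=b"USER anonymous\r\n"):
    """Deployment check: touch the canary once from localhost and confirm it fires.
    Returns the banner the client saw and the alerts the listener recorded."""
    canary = CanaryListener()
    canary.start()
    try:
        with socket.create_connection(("127.0.0.1", canary.port), timeout=2) as client:
            banner = client.recv(64)
            client.sendall(payload)
        for _ in range(100):                    # give the listener thread time to log it
            if canary.snapshot():
                break
            time.sleep(0.02)
    finally:
        canary.stop()
    return banner, canary.snapshot()


if __name__ == "__main__":
    banner, alerts = self_test()
    print("banner:", banner)
    for a in alerts:
        print(a)
```

In a real deployment the alert dictionary would go to the SIEM or a pager rather than a list, and the listener would sit on an address in each zone from the segmentation slide; the detection logic itself does not get any more complicated than this.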
Automation
• Strong engineering principles must be adhered to
• Develop strong developer governance around SSDLC
  – Integrate mandatory security gating into the SDLC
• Internal talent retention
  – Holistic workflow automation
  – Internal employees are often better positioned to take a bird’s-eye view to build out process automation
Automation
• Ensure security controls are automatically checked/reported
  – Without this, security will be bypassed
• Process automation is critical
  – Excel must be replaced with dynamic reporting. Static data analytics cripples agility
  – Remove the human
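The two automation slides above (mandatory security gating in the SDLC, and controls that are checked and reported by code rather than tracked in a spreadsheet) describe one mechanism, so here is one added example covering both; it is not from the deck and not any vendor's tool. A small set of controls is evaluated against a constructed build artifact, the result is emitted as a machine-readable report, and a mandatory failure blocks the pipeline via the exit code. The control identifiers, the artifact layout, the `${vault:...}` secret-reference convention and the dependency-scan summary are all assumptions.

```python
"""Automated security gate: controls are checked by code on every build and the
result is emitted as a machine-readable report, so nothing depends on a human
updating a spreadsheet. Added example, not from the original deck: the
control set and the build artifact below are constructed assumptions."""
import json
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed artifact: what a build job would hand to the gate.
ARTIFACT = {
    "service": "payments-api",
    "listeners": [
        {"name": "public-https", "port": 443, "public": True, "tls": True, "role": "app"},
        {"name": "legacy-http", "port": 8080, "public": True, "tls": False, "role": "app"},
        {"name": "admin", "port": 9000, "public": False, "tls": True, "role": "admin", "zone": "mgmt"},
    ],
    "env": {
        "DB_PASSWORD": "${vault:payments/db}",      # reference, resolved at deploy time
        "API_TOKEN": "example-inline-token-value",  # literal secret checked into config
        "LOG_LEVEL": "info",
    },
    "sca": {"critical": 0, "high": 2},              # summary from a dependency scan
}

SECRET_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN|KEY)$")
SECRET_REF = re.compile(r"^\$\{vault:[^}]+\}$")


@dataclass(frozen=True)
class Control:
    id: str
    title: str
    mandatory: bool                              # mandatory failures block; others only warn
    check: Callable[[dict], Tuple[bool, List[str]]]


def public_listeners_use_tls(a):
    bad = [l["name"] for l in a["listeners"] if l["public"] and not l["tls"]]
    return not bad, bad

def no_inline_secrets(a):
    bad = [k for k, v in a["env"].items() if SECRET_KEY.search(k) and not SECRET_REF.match(v)]
    return not bad, bad

def no_critical_dependencies(a):
    n = a["sca"]["critical"]
    return n == 0, [f"critical={n}"] if n else []

def no_high_dependencies(a):
    n = a["sca"]["high"]
    return n == 0, [f"high={n}"] if n else []

def admin_listeners_in_mgmt_zone(a):
    bad = [l["name"] for l in a["listeners"]
           if l["role"] == "admin" and (l["public"] or l.get("zone") != "mgmt")]
    return not bad, bad

CONTROLS = [
    Control("SC-01", "Public listeners enforce TLS", True, public_listeners_use_tls),
    Control("SC-02", "Secrets are vault references, not literals", True, no_inline_secrets),
    Control("SC-03", "No critical dependency findings", True, no_critical_dependencies),
    Control("SC-04", "No high dependency findings", False, no_high_dependencies),
    Control("SC-05", "Admin listeners reachable only from the management zone", True,
            admin_listeners_in_mgmt_zone),
]


def run_gate(artifact, controls=CONTROLS):
    """Evaluate every control; the gate passes only if no mandatory control failed."""
    results = []
    for c in controls:
        ok, evidence = c.check(artifact)
        status = "pass" if ok else ("fail" if c.mandatory else "warn")
        results.append({"id": c.id, "title": c.title, "status": status, "evidence": evidence})
    return {
        "service": artifact["service"],
        "passed": all(r["status"] != "fail" for r in results),
        "results": results,
    }

def exit_code(report):
    """What the CI job returns: non-zero blocks the pipeline."""
    return 0 if report["passed"] else 1

def remediated_artifact():
    """Constructed 'after' artifact with the two mandatory findings fixed."""
    fixed = json.loads(json.dumps(ARTIFACT))
    fixed["listeners"][1]["tls"] = True
    fixed["env"]["API_TOKEN"] = "${vault:payments/api-token}"
    return fixed


if __name__ == "__main__":
    report = run_gate(ARTIFACT)
    print(json.dumps(report, indent=2))
    raise SystemExit(exit_code(report))
```

The report carries evidence (which listener, which variable) rather than a bare pass/fail, so the dynamic reporting the slide asks for is just a query over these JSON documents; the advisory control shows how to surface a finding without blocking until the policy is ready to make it mandatory.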