control quotient: adaptive strategies for gracefully losing control (rsac us 2013)
DESCRIPTION
Control Quotient: Adaptive Strategies For Gracefully Losing Control, as presented at RSAC US 2013 by @djetue and @joshcorman.

The security community has spent years on failed approaches to Return On Investment (ROI) on security offerings and Return On Security Investment (ROSI). It’s failed because it evaluates from the wrong perspective. This session flips ROI on its head, looking from the adversary’s perspective. We’ll introduce an “Adversary ROI” model, and show how it can change how you evaluate cyber security investment.

TRANSCRIPT
![Page 1: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/1.jpg)
Control Quotient: Adaptive Strategies For Gracefully Losing Control
David Etue (@djetue), SafeNet, Inc.
Joshua Corman (@joshcorman), Akamai
Session ID: GRC-F41
Session Classification: Intermediate
![Page 2: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/2.jpg)
Agenda
Context
The Control Quotient
Today’s Reality
Making it Personal
Examples
Transcending “Control”
Apply
![Page 3: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/3.jpg)
Context
![Page 4: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/4.jpg)
Forces of Security Change
![Page 5: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/5.jpg)
The IT Drunken Bender
![Page 6: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/6.jpg)
The Control Continuum
From Dictator to Surrender
![Page 7: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/7.jpg)
Sphere of Control
Control
![Page 8: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/8.jpg)
Sphere of Influence vs. Control
Control
Influence
![Page 9: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/9.jpg)
InfoSec Serenity Prayer
Grant me the Serenity to accept the things I cannot change;
Transparency to the things I cannot control;
Relevant controls for the things I can;
And the Wisdom (and influence) to mitigate risk appropriately.
![Page 10: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/10.jpg)
The Control Quotient
![Page 11: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/11.jpg)
The Control Quotient Definition
► Quotient (from http://www.merriam-webster.com/dictionary/quotient ):
  ► the number resulting from the division of one number by another
  ► the numerical ratio, usually multiplied by 100, between a test score and a standard value
  ► quota, share
  ► the magnitude of a specified characteristic or quality
► Control Quotient: optimization of a security control based on the maximum efficacy within the sphere of control (or influence or trust) of the underlying infrastructure*
► *unless there is an independent variable…
![Page 12: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/12.jpg)
History
► RSA Conference US 2009 P2P
► An endpoint has a comprehensive, but suspect, view
► The network has a trustworthy, but incomplete, view
![Page 13: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/13.jpg)
In Theory There Is An Optimal Place to Deploy a Control…
But Degrees Of Separation Happen….
![Page 14: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/14.jpg)
Avoiding the Proverbial…
![Page 15: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/15.jpg)
Today’s Reality
![Page 16: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/16.jpg)
Today’s Reality
► Administrative control of the entire system is lost
► Increased attack surface
► Abstraction has made systems difficult to assess
► Expectation of anytime-anywhere access from any device
![Page 17: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/17.jpg)
The Control Quotient and the SPI Stack (CSA Cloud Model)
Security Management & GRC
Identity/Entity Security
Data Security
Application Security
Infrastructure Security: Network, Host
![Page 18: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/18.jpg)
The Control Quotient and the SPI Stack (CSA Cloud Model)
Layers: Security Management & GRC; Identity/Entity Security; Data Security; Application Security; Infrastructure Security (Network, Host)
Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud force a change in how security controls are evaluated and deployed.
![Page 19: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/19.jpg)
Half Full or Half Empty?
To Be Successful, We Must Focus on the Control Kept (or Gained!), NOT the Control Lost…
![Page 20: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/20.jpg)
Controls Gained!!!
► Virtualization and Cloud: Asset, Configuration and Change Management; Snapshot; Rollback; Pause
► VDI: Asset, Configuration and Change Management
► Mobility: Encryption (with containers)
► Software-As-A-Service: Logging!
![Page 21: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/21.jpg)
Making It Personal
![Page 22: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/22.jpg)
A Parent’s Most Valuable Asset?
![Page 23: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/23.jpg)
A Parent’s Most Valuable Asset?
![Page 24: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/24.jpg)
Most Valuable Asset?
…Yet Most Parents Allow Their Kids to Leave Their Control
![Page 25: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/25.jpg)
Choosing Child Care?
National Association for the Education of Young Children
![Page 26: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/26.jpg)
Examples
![Page 27: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/27.jpg)
Virtualization and Cloud Created An Entire New Definition of Privilege
![Page 28: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/28.jpg)
The Control Quotient and the SPI Stack (stack by Chris Hoff -> CSA)
Amazon EC2 - IaaS
Google AppEngine - PaaS
Salesforce - SaaS
The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing and managing yourself.
![Page 30: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/30.jpg)
Cloud: Who Has Control?

| Model | Private Cloud | IaaS in Hybrid / Community / Public Cloud | PaaS/SaaS |
|---|---|---|---|
| Whose privileged users? | Customer | Provider | Provider |
| Whose infrastructure? | Customer | Provider | Provider |
| Whose VM / instance? | Customer | Customer | Provider |
| Whose application? | Customer | Customer | Provider |
| Law enforcement contact? | Customer | Provider | Provider |
![Page 31: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/31.jpg)
More Than Just Technology…
http://www.flickr.com/photos/markhillary/6342705495 http://www.flickr.com/photos/tallentshow/2399373550
![Page 32: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/32.jpg)
VDI: Centralizing the Desktop?
VDI Server
VDI Image Storage
![Page 33: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/33.jpg)
Mobile
http://www.flickr.com/photos/patrick‐allen/4318787860/
![Page 34: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/34.jpg)
Embedded Devices
http://www.sodahead.com/fun/eight...blue‐screen.../question‐2038989/CachedYou/?slide=2&page=4
![Page 35: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/35.jpg)
Service Providers
![Page 36: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/36.jpg)
Old Ways Don’t Work in the New World…
Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments…but were the controls even effective then?
![Page 37: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/37.jpg)
Transcending “Control”
![Page 38: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/38.jpg)
A Modern Pantheon of Adversary Classes
Methods: “MetaSploit”, DoS, Phishing, Rootkit, SQLi, Auth, Exfiltration, Malware, Physical
Impacts: Reputational, Personal, Confidentiality, Integrity, Availability
Target Assets: Credit Card #s, Web Properties, Intellectual Property, PII / Identity, Cyber Infrastructure, Core Business Processes
Motivations: Financial, Industrial, Military, Ideological, Political, Prestige
Actor Classes: States, Competitors, Organized Crime, Script Kiddies, Terrorists, “Hacktivists”, Insiders, Auditors
http://www.slideshare.net/DavidEtue/adversary-roi-evaluating-security-from-the-threat-actors-perspective
![Page 39: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/39.jpg)
HD Moore’s Law and Attacker Power
• Moore’s Law: Compute power doubles every 18 months
• HD Moore’s Law: Casual Attacker Strength grows at the rate of MetaSploit
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
![Page 40: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/40.jpg)
![Page 41: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/41.jpg)
The Pyramid, top to bottom:
Countermeasures
Situational Awareness
Operational Excellence
Defensible Infrastructure
![Page 45: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/45.jpg)
Control “Swim Lanes”
Swim lanes: PHI, PCI, “IP”, Web, …
Controls: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, …
Desired Outcomes / Leverage Points: Compliance (1..n), “ROI”, Breach / QB sneak, Productivity, …
![Page 46: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/46.jpg)
Control & Influence “Swim Lanes”
Swim lanes: Web, PHI, “IP”, PCI, …
Controls: as on the previous slide (AV, FW, IDS/IPS, WAF, Log Mngt, … Anti-DDoS, Anti-Fraud, …)
Desired Outcomes / Leverage Points: Compliance (1..n), “ROI”, Breach / QB sneak, Procurement, Disruption, DevOps, Productivity, “Honest Risk”, General Counsel
![Page 47: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/47.jpg)
Under-tapped Researcher Influence: Litigation, Legislation, Open Source, Hearts & Minds, Academia
Swim lanes: Web, PHI, “IP”, PCI, …
Controls: as on the previous slides (AV, FW, IDS/IPS, WAF, Log Mngt, … Anti-DDoS, Anti-Fraud, …)
Desired Outcomes / Leverage Points: Compliance (1..n), “ROI”, Breach / QB sneak, Procurement, Disruption, DevOps, Productivity, “Honest Risk”, General Counsel
![Page 48: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/48.jpg)
Potential Independent Variables
• Encryption (with good key management…)
• Rootkits (well, rootkits for good…)
• Intermediary Clouds (Anti-DDoS, WAF, Message/Content, Identity, etc…)
• Identity and Access Management (with proper integration and process support)
• Software-As-A-Service (SaaS) (*if* the provider harnesses the opportunity)
![Page 49: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/49.jpg)
APPLY!
► Identify at least one opportunity to leverage a new swim lane
► Identify one opportunity this year to influence each layer of the Pyramid
► Leverage a control gained!
► Leverage the Rugged Handbook (ruggedsoftware.org)
![Page 50: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/50.jpg)
Thank You!
David Etue (@djetue), SafeNet, Inc.
Joshua Corman (@joshcorman), Akamai
Session ID: GRC-F41
Session Classification: Intermediate
![Page 51: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/51.jpg)
About Joshua Corman @joshcorman
► Director of Security Intelligence for Akamai Technologies
► Former Research Director, Enterprise Security [The 451 Group]
► Former Principal Security Strategist [IBM ISS]
► Industry:
  ► Faculty: The Institute for Applied Network Security (IANS)
  ► 2009 NetworkWorld Top 10 Tech People to Know
  ► Co-Founder of “Rugged Software” www.ruggedsoftware.org
  ► BLOG: www.cognitivedissidents.com
► Things I’ve been researching:
  ► Compliance vs Security
  ► Disruptive Security for Disruptive Innovations
  ► Chaotic Actors
  ► Espionage
  ► Security Metrics
![Page 52: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US 2013)](https://reader033.vdocuments.net/reader033/viewer/2022052621/558987d2d8b42a0c278b4624/html5/thumbnails/52.jpg)
About David Etue @djetue
► VP, Corporate Development Strategy at SafeNet
► Former Cyber Security Practice Lead [PRTM Management Consultants] (now PwC)
► Former VP Products and Markets [Fidelis Security Systems]
► Former Manager, Information Security [General Electric Company]
► Industry:
  ► Faculty: The Institute for Applied Network Security (IANS)
  ► Leads Washington Relations for Cyber Security Forum Initiative
  ► Certified Information Privacy Professional (CIPP/G)
► Cyber things that interest me:
  ► Adversary innovation
  ► Social media security
  ► Applying intelligence cycle / OODA loop in cyber
  ► Supply chain security