Conventional Defenses+

Unconventional Adversaries

???Joshua Corman

Director of Security IntelligenceAkamai Technologies

@joshcorman

Joshua CormanDirector of Security Intelligence

Akamai Technologies

@joshcorman

Akamai Confidential ©2011 AkamaiPowering a Better Internet

About Joshua Corman• Director of Security Intelligence for Akamai Technologies

• Former Research Director, Enterprise Security [The 451 Group]• Former Principal Security Strategist [IBM ISS]

• Industry Experience:• Expert Faculty: The Institute for Applied Network Security (IANS)• 2009 NetworkWorld Top 10 Tech People to Know• Co-Founder of “Rugged Software” www.ruggedsoftware.org

• Things I’ve been researching:• Compliance vs Security• Disruptive Security for Disruptive Innovations• Chaotic Actors• Espionage• Security Metrics

4

Relative Risk

Replaceability

Irreplaceable Highly Replaceable

Human Life Intellectual Property PHI Credit Cards

2011 VZ DBIR

Mission Accomplished (no, not really)

Key Points from 2011 VZ DBIR

All-Time High # of Incidents

All-Time Low # of Breached Records

Higher Value Records

All but one thing got worse

MOST cases SMB

Non-CCN Asset Type Breakdown

2009141 incidents

2010761 incidents

Delta

Intellectual Property 10 41 + 31

National Security Data 1 20 + 19

Sensitive Organizational 13 81 + 68

System Information ZERO 41 + 41

2010 Unholy Trinity:• Google.cn and Operation Aurora• Stuxnet• Bradley Manning/WikiLeaks (and Operation Payback)

2011:• Anonymous• EMC/RSA SecurID• Sony’s Punishment Campaign• LulzSec• Lockheed• IMF

RSA 2011PechaKucha Happy Hour

20 Slides x 20 Seconds(6 min 40 sec)

Joshua Corman@joshcormanResearch DirectorEnterprise Security

PechaKucha Happy Hour

Why Zombies Love PCI:or “No Zombie Left Behind Act”

Joshua CormanResearch DirectorEnterprise SecurityThe 451 Group

SPEAKER:

Why Zombies?

Hungry

Persistent

1 at a time vs…

Zombies ++

14RSA Conference 2011

Is PCI The No Child Left Behind Act for Information Security?

Early Adopters Mainstream Laggards

15

When “good enough”… isn’t

16

It’s all about Zombies

It’s all about Zombies

EvolvingThreat

EvolvingCompliance

EvolvingTechnology

EvolvingEconomics

EvolvingBusiness

CostComplexity

Risk

Disruptive Changes

19

Evolving Threat:Adaptive Persistent Adversaries

Fear the auditor more than the attacker

21

We broke the Information Security Market

EvolvingThreat

EvolvingCompliance

EvolvingTechnology

EvolvingEconomics

EvolvingBusiness

CostComplexity

Risk

HIPAAHITECH

SOXGLB

Thriller

24

1984 1994 2004 2014?

Sony Walkman Sony Discman iPod ?

?Signature AV Signature AV Signature AV Signature AV

25

94%

89%

0%

26

Defensible Infrastructure

Survival Guide/Pyramid

www.ruggedsoftware.org

Defensible Infrastructure

Operational Discipline

Survival Guide/Pyramid

Defensible Infrastructure

Operational Discipline

Situational Awareness

Survival Guide/Pyramid

Defensible Infrastructure

Operational Discipline

Situational Awareness

Countermeasures

Survival Guide/Pyramid

Surviving The Zombie Apocalypse

Hungry

Persistent

1 at a time vs…

jcorman@akamai.com@joshcorman

Evolving Threat: Adaptive Persistent Adversaries

Anonymous

An Alignment Chart

Anon Unmasked? (Alleged Participants)

APT

You must be *this* tall to ride…

Moore’s Law

Moore’s Law:

Compute power doubles every 18 months

HDMoore’s Law:

Casual Attacker Strength grows at the rate of MetaSploit

1 2 3 4 5 6 7 8 9 10 110

20

40

60

80

100

120

Security InvestmentCasual SuccessAnon/Lulz SuccessAPT?APA SuccessQSA

HDMoore’s Law

Attacker Drop-Offs: Casual

1 2 3 4 5 6 7 8 9 10 110

20

40

60

80

100

120

Security InvestmentCasual SuccessAnon/Lulz SuccessAPT?APA SuccessQSA

Attacker Drop-Offs : QSAs

1 2 3 4 5 6 7 8 9 10 110

20

40

60

80

100

120

Security InvestmentCasual SuccessAnon/Lulz SuccessAPT?APA SuccessQSA

Attacker Drop-Offs: APTs/APAs

1 2 3 4 5 6 7 8 9 10 110

20

40

60

80

100

120

Security InvestmentCasual SuccessAnon/Lulz SuccessAPT?APA SuccessQSA

Attacker Drop-Offs: Chaotic Actors

Does it matter?

Top Threat Action Types used to steal INTELLECTUAL PROPERTY AND CLASSIFIED INFORMATION by number of breaches - (excludes breaches only involving payment card data, bank account information, personal information, etc)

Was #18 in overall

DBIR

Compare and contrast

QSACasual

AttackerChaotic Actor

APT/APA

Asset Focus CCNs CCNs… Reputation, Dirty

LaundryDDoS/

Availability

IP, Trade Secrets, National Security

Data

Timeframe Annual Anytime Flash Mobs Long Cons

Target Stickiness NA LOW HIGH HIGH

Probability 100% MED ? ?

“Impact” Annual $ 1 and done Relentless Varies

Early Adopters Mainstream Laggards

YouAre

Here

Case Study: Zombie Killer of the Week?

Case Study: Zombie KillerLanCope

BigFix (IBM)

NetWitness (RSA)

Fidelis XPS

HBGary

FireEye

ArcSight (HP)

Defensible Infrastructure

Operational Discipline

Situational Awareness

Countermeasures

A real use case of 'better security' in the face of adaptive adversarieshttp://www.the451group.com/report_view/report_view.php?entity_id=66991

Which classes of adversaries are we likely to face?

Which assets are most at risk as a consequence?

How tall do we need to be?

Table Top Exercises

An ounce of prevention?

Recovery may not be technical…

Failing Well

Q&AJoshua Corman

Director of Security Intelligence, Akamai Technologies

@joshcorman

@RuggedSoftware

jcorman@akamai.com