Moving beyond Vulnerability Testing December 04 2014 #HPdiscover @pkgopala Gopal Padinjaruveetil CISA, CISM,CRISC, CGEIT, TOGAF9 Chief Application Security and Compliance Architect


DESCRIPTION

Most organizations have started to include either static or dynamic application security testing as part of their overall test strategy. This additional test effort is due in large part to the cyber security risks that are emerging. These risks create an urgent need to move beyond testing and to institutionalize security as part of every organization’s software development/acquisition culture. This presentation covers real-life examples of how to enable this type of behavioral change in your organization. First presented at HP Discover Barcelona 2014 by Gopal Padinjaruveetil, Chief Application Security and Compliance Architect, Capgemini

TRANSCRIPT

Page 1: Moving beyond Vulnerability Testing

Moving beyond Vulnerability Testing

December 04 2014

#HPdiscover

@pkgopala

Gopal Padinjaruveetil CISA, CISM,CRISC, CGEIT, TOGAF9

Chief Application Security and Compliance Architect

Page 2: Moving beyond Vulnerability Testing

innovating with you

Let’s take a closer look at where we are today

Page 3: Moving beyond Vulnerability Testing

3 Copyright © Capgemini 2014 – All Rights Reserved

HP Discover 2014 | Gopal Padinjaruveetil | December 2014

I am tired of catching up.. I need resilience

“A fever is a symptom. There's an underlying disease that causes it. Giving you a fever (sitting in a sauna) doesn't make you sick, and getting rid of the fever (in a cold bath, for example) doesn't always get rid of the illness…

Spending time and money gaming symptoms and effects is common and urgent, but it's often true that you'd be better off focusing on the disease (the cause) instead. ”

– Seth Godin

A security vulnerability is a symptom; the root cause is always something else.

Page 4: Moving beyond Vulnerability Testing

“You can fix it on the drawing board with an eraser or you can fix it on the site with a sledgehammer” – Frank Lloyd Wright

Page 5: Moving beyond Vulnerability Testing

The Internet as it is today .. And this picture is changing fast

Source: Shodan

Page 6: Moving beyond Vulnerability Testing

Technology is growing at an exponential rate. If technology is growing at an exponential rate and we do nothing, the security threats too would rise exponentially..

- IPv4 = 4 billion devices (size of a postage stamp)
- IPv6 = 340 trillion trillion trillion (340 undecillion) devices (size of the solar system)
- 50 billion connected devices by 2020
- 9.9 trillion market value
- Over 80 trillion email spam messages a year
- Connected cars, connected cities, connected devices – 2025?
- Connected bodies (BYBN) – 2035?
- Finally, singularity* in 2045?

2^63 = 18,446,744,073,709,551,615

* According to Ray Kurzweil, by the year 2045, “human intelligence will enhance a billion-fold thanks to high-tech brain extensions” to a phenomenon as the “singularity,” a point at which humans and computers will merge into one. This sort of “one in two” will create serious challenges for security and in the allocation of moral accountability between the two…

Page 7: Moving beyond Vulnerability Testing

Deep web: how deep? If we do nothing, we have to assume the deep web would expand on a logarithmic scale.

- The deep Web is currently 400 to 550 times larger than the commonly defined World Wide Web.
- The deep Web contains 7,500 terabytes of information compared to 19 terabytes of information in the surface Web.
- The deep Web contains nearly 550 billion individual documents compared to the 1 billion of the surface Web.
- $45 billion industry – Yankee Group
- Google – number of systems: 500,000; bandwidth = 1500 Gps
- Botnets – number of systems: 6,400,000; bandwidth: 28 terabits

What will the numbers be in 2020?

Page 8: Moving beyond Vulnerability Testing

There are only two types of companies: Those that have been hacked, and those that will be. Even that is merging into one category: Those that have been hacked and will be again. Maintaining a code of silence will not serve us in the long run.

FBI Director Robert Mueller

Do we realize the seriousness of the problem? Denial is not an option

Page 9: Moving beyond Vulnerability Testing

“ Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!” - The Red Queen, to Alice, in Lewis Carroll’s Through the Looking Glass

A real lesson from a kids’ fantasy tale

The adversary is constantly advancing its capabilities.. Can we overtake them at the current pace?

Page 10: Moving beyond Vulnerability Testing

“Unless we change our direction, we are likely to end up where we are headed” - unknown

Page 11: Moving beyond Vulnerability Testing

We need to build Trust in Information Technology

- Trust in people
- Trust in organizations
- Trust in governments
- Trust in devices
- Trust in data
- Trust in systems and applications
- Trust in communication networks (Internet)

Page 12: Moving beyond Vulnerability Testing

What can we do?

1. Secure by Design, not Chance
2. Adapt, Evolve and Mutate
3. Change Behaviors
4. Collaborate

Page 13: Moving beyond Vulnerability Testing

growing with you

Secure by Design, Not Chance

Page 14: Moving beyond Vulnerability Testing

The natural world is a good example of an intelligent design for security:

- The central nervous system
- The blood-brain barrier
- The immune system
- Camouflage
- The reflex action
- Adrenaline
- Many more..

Survival of the fittest (resilience) requires design as a “way of thinking”.

Page 15: Moving beyond Vulnerability Testing

What will an intelligent Secure by Design in IT look like?

Secure at Design Time – prevention as the overarching design principle
- Digital identity and access – humans and things
- Protect sensitive information in transit and at rest (structured and unstructured)
- Protect your end points (including human end points)
- Optimize your attack surface
- Every component must protect itself (there are no more boundaries)

Secure at Run Time – detect and respond in real time as the overarching design principle
- Capability to scan the environment and be vigilant for threats all the time (internal and external)
- Reflex – how fast can you respond to threats?
- Is the response context aware?
- Continuous evaluation of the defense
- Defense to be automated as much as possible

Page 16: Moving beyond Vulnerability Testing

accelerating with you

Adapt, Evolve and Mutate

Page 17: Moving beyond Vulnerability Testing

Prey and predators – the natural world is a hostile place. Even the best intelligent design will not protect you 100%..

The same is true in the world of Information Technology.

Page 18: Moving beyond Vulnerability Testing

Change is inevitable.. Adaptation is Optional

Page 19: Moving beyond Vulnerability Testing

Evolutionary design embraces the fact that our understanding of a system keeps evolving, and helps the system’s design evolve with it.

Evolving and adapting through mutation is the only way to survive in a hostile world.

Page 20: Moving beyond Vulnerability Testing

How does this concept translate to cyber security?

Protection against opportunistic attacks – easy
- Protect your perimeter
- Protect your end points
- Patch your systems
- Protect against phishing attacks
- Protect against zero-day attacks

Protection against targeted attacks – difficult
- Digital evidence is often left behind that can reveal the attacker’s intent, skill level, and knowledge of the target
- Develop the capability to detect and respond to an attack in near real time
- Correlation of discrete and disparate events to provide an early warning system
- Big Data and predictive data analytics with machine learning (“learn” from data)
- Organizational awareness and behavior change can go a long way

Page 21: Moving beyond Vulnerability Testing

innovating with you

Changing Behavior and Culture

Page 22: Moving beyond Vulnerability Testing

The Big Conundrum: the risk tolerance should be reflected in the organization’s culture and policies

The digital transformation is driving sky-high business ambition..

VS

The double-sided squeeze: the bad guys on one side and government regulations and penalties on the other are driving enterprises to almost zero risk tolerance.

Finding the right balance is key..

Page 23: Moving beyond Vulnerability Testing

Consider all layers (both the visible and invisible realms)

The Human Layer
- 10 Government (Regulations / Politics)
- 9 Organizations (Culture / Politics)
- 8 User (PICNIC – ID 10T Error)

The Technology Layer
- 7 Application
- 6 Presentation
- 5 Session
- 4 Transport
- 3 Network
- 2 Data Link
- 1 Physical

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu, The Art of War

Page 24: Moving beyond Vulnerability Testing

A few change considerations to think about..

- Cyber security as a strategic driver.
- Cyber security is not an IT problem; it is an organizational problem.
  - A cyber security weakness is an organizational weakness, not an IT weakness.
- Security is everybody’s business, not just the CISO’s and CIO’s.
- Culture in context: societal, organizational, people.
- Find the inhibitors to a culture of security and remove or address them.
- Is security funding in line with the enterprise’s security risk tolerance levels?
  - Some bad actors are extremely well funded.. Is your defense well funded?
- Enterprises should regard cyber attack as a certainty, not a probability.
- Risk from the extended enterprise (vendors, suppliers, contractors ..).

People + Process + Technology + PERCEPTION

Page 25: Moving beyond Vulnerability Testing

To bring about behavior change in cyber security, we need to understand how the human brain, cognition and awareness work – addressing the root cause rather than the symptom.

Page 26: Moving beyond Vulnerability Testing

collaborating with you

Collaboration

Page 27: Moving beyond Vulnerability Testing

If Penguins are collaborating.. Why can’t we humans?

For more on collaborative systems present in nature watch: http://www.youtube.com/watch?v=IzS7CRaCEtU#t=424

Page 28: Moving beyond Vulnerability Testing

The Bad People are Collaborating.. So why not the good people? “Offense must Inform Defense..”

Maintaining a code of silence will not serve us in the long run.

Page 29: Moving beyond Vulnerability Testing

We need collaboration not just within and between people but..

- Trusted collaboration within and between governments
- Trusted collaboration within and between organizations
- Trusted collaboration within and between devices
- Trusted collaboration within and between systems and applications
- Trusted collaboration within and between communication networks

Page 30: Moving beyond Vulnerability Testing

Let’s Build Windmills – Together..

Page 31: Moving beyond Vulnerability Testing

Thank You

- Russia
- Danke – Germany
- Grazie – Italy
- Gracias – Spain
- Dank u – Belgium
- Bedankt – Netherlands
- Dankeschön – Austria
- Arigato – Japan
- Takk – Norway
- Tak – Denmark
- Jag tackar – Finland
- Dziękuję – Poland
- Tack – Sweden
- Toda – Israel
- Engraziel – Switzerland
- Teşekkür ederim – Turkey
- Ďakujem – Slovakia
- Obrigado – Portugal
- Thank You – United Kingdom
- Merci – France
- Thanks – United States
- Hindi
- Tamil, Malayalam

Page 32: Moving beyond Vulnerability Testing

Presenter Contact Information

Gopal Padinjaruveetil CISA, CISM, CRISC, CGEIT, TOGAF9 Chief Application Security and Compliance Architect [email protected]

Gopal Padinjaruveetil is Chief Application Security and Compliance Architect at Capgemini, based out of Capgemini Detroit. He is a certified Enterprise Architect and a certified Governance, Risk and Compliance (GRC) Architect, and has led Enterprise Architecture and GRC work at Fortune 50 global companies.

Gopal believes that 21st-century enterprises are at a crossroads in Information Technology: extracting value from the growing information chaos, spurred by disruptive innovative technologies, is creating an exponentially increasing risk and threat landscape. Solving this requires enterprises to adopt a new perspective based on design thinking and on applying good IT Governance, Risk and Compliance practices.

Gopal has these professional certifications to his credit: CISA, CISM, CRISC, CGEIT, IAF, TOGAF 9. Contact Gopal via: http://www.capgemini.com/experts/security/gopal-padinjaruveetil

Page 33: Moving beyond Vulnerability Testing

The information contained in this presentation is proprietary. © 2012 Capgemini – Internal use only. All rights reserved.

Rightshore® is a trademark belonging to Capgemini.

www.capgemini.com

About Capgemini With around 120,000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion. Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.