Who should the security team hire next?
Source: Seattle 2011 - Myles Conley. Transcript.
Who Should You Hire to Improve Company Security?
Myles Conley, Auspices LLC
No, I DON'T know AppSec experts looking for work
What to expect this hour
• Where do elite security gurus work?
  – Do they work for elite companies?
• Reviewing breach data trends
• Who to hire to address those trends
• Scope
  – US & commercial only
  – Fortune 500 & other
How to find "Good" AppSec People?
- Have found a real bug
- Can understand bug implications
- Not by certification
- Not by survey
- Not by school?
Why Not Try the Bugtraq Mailing List?
Pros
• 20-45K subscribers
• Data since 1999
• They have found bugs
• Part of a complete security team
Cons
• Cultural bias
• Out of date
• Pseudonyms, corporate postings
• Bias towards self promoters
Bugtraq Mapping
• 19,085 unique posters
• Less non-U.S., anti-spam mangled, truncated names
• Less pseudonyms, role accounts
• 7,352 total plausible names
• 4,128 found on LinkedIn
Where BugTraqers Work
(Chart: LinkedIn-matched Bugtraq posters by employer type, axis 0-35%; bar counts as labelled on the chart)
Other healthcare: 84
Other financial: 153
Vendor of software/hardware: 351
High tech: 468
.gov, .edu, non-US, non-commercial: 485
Fortune 500: 638
Security specialists: 876
Other: 1405
More Bugtraq at mature companies?
(Chart: Fortune 500 companies that have a Bugtraqer vs. don't)
Fortune 500 companies
• 638 Bugtraqers
• 71 companies, average 9
• Actually concentrated at Google, IBM, Microsoft, HP, etc.
(Chart: breached companies that have a Bugtraqer vs. don't)
Breached companies
• 447 Bugtraqers
• 55 employers out of 1,158
• Average of 8
Avoid Bugtraq Bias?
• People who submitted a security bug for Mozilla
• 1,905 unique bug submitters
• Less non-U.S., truncated names
• Less pseudonyms
• 1,414 total plausible names
• 632 found on LinkedIn
• 661 employers… only 47 have >1 bug reporter
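The poster-cleaning funnel used on the Bugtraq mapping slide and again on the Mozilla slide above (unique posters, less anti-spam mangled and non-U.S. addresses, less role accounts, pseudonyms and truncated names, leaving the plausible names you would then try to match on LinkedIn), as an added example in Python. This is not the speaker's own tooling. It assumes posters arrive as "Name <address>" strings; the sample posters, the ROLE_WORDS list and the rule that a non-generic top-level domain means non-U.S. are constructed assumptions for the example.

```python
"""Plausible-name funnel for a list of bug reporters.

Added example, not the speaker's code. Mirrors the funnel on the Bugtraq and
Mozilla mapping slides: start from unique posters, drop anti-spam-mangled
addresses, non-US addresses, role accounts, pseudonyms and truncated names,
and collect the plausible real names that remain. SAMPLE_POSTERS, ROLE_WORDS
and the TLD-based US test are constructed assumptions for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

POSTER_RE = re.compile(r"^\s*(?P<name>[^<]*?)\s*<(?P<addr>[^>]*)>\s*$")

# Assumption: generic TLDs are treated as US; any other TLD as non-US.
US_TLDS = {"com", "net", "org", "edu", "gov", "mil", "us"}
# Assumption: names built from these words are role accounts, not people.
ROLE_WORDS = {"team", "security", "admin", "support", "webmaster", "bugs", "list", "noreply"}

# Constructed sample of From: display names as found in a list archive.
SAMPLE_POSTERS = [
    "Alice Example <alice@example.com>",
    "alice example <alice@example.com>",      # same poster, different case
    "Bob Exam <bob@example.co.uk>",           # non-US address
    "Carol D <carol.d@example.com>",          # truncated surname
    "l33tsn1p3r <ls@example.net>",            # pseudonym
    "Security Team <security@example.org>",   # role account
    "Dana Quux <dana at example dot com>",    # anti-spam mangled address
    "Dana Quux <dana@example.com>",           # same person, usable address
    "Eve Test <eve@example.gov>",             # plausible (.gov counts as US here)
]


@dataclass
class Funnel:
    unique_posters: int = 0
    dropped: Counter = field(default_factory=Counter)
    plausible: List[str] = field(default_factory=list)


def drop_reason(name: str, addr: str) -> Optional[str]:
    """Return why a poster is dropped, or None if the name is plausible."""
    if "@" not in addr or " at " in addr or " dot " in addr:
        return "anti-spam"
    if addr.rsplit(".", 1)[-1].lower() not in US_TLDS:
        return "non-US"
    tokens = name.split()
    if not tokens:
        return "truncated"
    if any(t.lower().strip(",.") in ROLE_WORDS for t in tokens):
        return "role"
    if len(tokens) == 1 or any(ch.isdigit() for ch in name):
        return "pseudonym"
    if any(len(t) < 2 for t in tokens) or len(tokens[-1]) < 3:
        return "truncated"
    return None


def funnel(posters: List[str]) -> Funnel:
    """Deduplicate posters, apply drop_reason, and collect plausible names."""
    result = Funnel()
    seen = set()
    names = set()
    for raw in posters:
        key = " ".join(raw.split()).lower()   # one entry per distinct From: line
        if key in seen:
            continue
        seen.add(key)
        result.unique_posters += 1
        m = POSTER_RE.match(raw)
        if not m:
            result.dropped["unparseable"] += 1
            continue
        reason = drop_reason(m["name"], m["addr"])
        if reason:
            result.dropped[reason] += 1
        else:
            # title() is a crude normaliser; it will mangle names like McDonald.
            names.add(" ".join(m["name"].split()).title())
    result.plausible = sorted(names)
    return result


if __name__ == "__main__":
    r = funnel(SAMPLE_POSTERS)
    print(r.unique_posters, "unique posters")
    for reason, n in r.dropped.items():
        print(f"  dropped {n} as {reason}")
    print(len(r.plausible), "plausible names:", ", ".join(r.plausible))
```

On the sample the funnel keeps three of eight unique posters, which is the same shape as the slides' drop from 19,085 to 7,352; the per-reason counter is what lets you see which filter is doing the most work before trusting the LinkedIn match rate.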
Where Mozilla Helpers Work
(Chart: US-based Mozilla critical security bug reporters by employer type, axis 0-30%; categories shown: other healthcare, other financial, Fortune 500, .gov/.edu/non-commercial, high tech, vendor of software/hardware, other, security specialists)
AppSec Conclusions
• Good help is widely distributed
  – 20% are in security consulting companies
  – There is a long tail
• Lots of companies choose not to hire people who post on Bugtraq
  – Or are using contractors
  – Or are hiring now
  – Or hire youngsters
• So… why is it always AppSec?
Themes we learn from the news
• Helpless against 0day attacks
• Security Development Lifecycle is working
How the Security Team Primes Security
(Diagram: two tracks plotted against maturity level)
Application Security
• Pen test
• QA integration
• Metrics
• Dev tools & training
• Developers own security
  – SDL
Ops & Security Strategy
• Pen test
• FUD
• Peer comparisons
• Look over there!
• Controls
• Change in capabilities
Fixing Overall Security
What do security team managers need to do?
• Figure out where we're having problems
• Find who could have prevented those problems
• Find out if we can hire them
First, where can we learn about the problems?
– Vendors
– Incident response & the underground
– Mandatory disclosure
– News wire
– Surveys
Breach Classification

Level           Basic                        Slog                                   Advanced                                 New
Description     Known problems, easy to fix  Ongoing, common problems, hard to fix  Advanced attacks, hard to predict/fight  Emerging threats
Precedent       Old to world                 Old to you                             New to world                             New to you
Sophistication  Low                          Med-high                               High                                     ?
Example         Bad passwords                Malware / XSS                          APT / 0day                               Mobile, skimming
Breach Data from Vendors
Advantages
• Large installed base
• Research teams
Disadvantages
• Annual report
Biases
• Want to sell product
• Vendor's scope
• Forward looking
• No segmentation
• No raw data
Symantec & Microsoft
Symantec
• Threats identified
  – Targeted attacks with social network intel
  – Zero day attacks
  – Attack kits and rootkits
  – Mobile
Microsoft
• Threats identified
  – Java, browser, Adobe files
  – Attacks using software with a patch available
• Intelligence
  – Software industry vulns decreasing since 2006
Score So Far

Source of breach data               Basic  Slog  Advanced  New  Theme
Vendors                             0      1     4         1    We need experts! Or vendors!
Incident response and underground
Mandatory disclosure
Breach Data from Incident Response Companies
Advantages
• Know their customers
• Sometimes imprison the guilty
Biases
• Companies that can discover a breach
• Companies that need external help
• Backwards looking
• Intrusion is the unit of measurement
Verizon Data Breach Investigations Report
Incidents included
• 94 investigated by Verizon
• 667 investigated by the US Secret Service
(Chart: percent of breached companies by number of employees: >10K employees, <1K employees, between)
(Chart: breaches by industry in 2011, axis 0-350; industries: hospitality, retail, financial, healthcare, tech services, manufacturing, other)
Percent of Breaches Including Vector
(Chart, axis 0-45%; vectors shown: malware via user, buffer overflow, weak authentication, abuse of functionality, SQL injection, stolen credentials, brute force authentication, default authentication, malware via attacker, social engineering)
Vector Data from the Underground
DBIR intelligence
• 2/3 of malware was customized
• Only 5 vulnerabilities used in 381 attacks
Contagio overview of exploit packs
Dan Guido: Exploit Intelligence Project, 2010
• Malware exploits are predictable
• Easy no-patch mitigation for 22 of 27 top malware
• Remainder by architecture & policy
Score So Far

Source of breach data               Basic  Slog  Advanced  New  Theme
Vendors                             0      1     5         1    We need experts! Or vendors!
Incident response and underground   5      4     1         1    Old problems, then malware
Mandatory disclosure
Breach Data from Mandatory Disclosure
Advantages
• Raw data! DatalossDB.org
Disadvantages
• Legislation changes
Biases
• Backwards looking
• Reporting criteria
  – PII loss is reported
  – Trade secret loss isn't
• Best effort data assembly
DataLossDB Biases
(Chart: records lost vs. breaches)
Fortune 500 vs. Others
(Chart: breach counts, "Other breaches" vs. "Fortune breaches", axis 0-120)
Fortune 500 Sized Datasets
(Chart: millions of records lost per year, 2006-2011, log scale 0.01-1000, "Fortune records" vs. "Other records")
Fortune 500 Breach Data
(Chart: count of breaches by vector, Fortune 500, 2007-2010, axis 0-40)
(Chart: records lost by vector, Fortune 500, 2007-2010, log plot, 0.001-1000 millions)
Vectors: document loss, (e)mail, fraud, hacking, missing encryption, unknown, web configuration
• Threats identified
  – Missing encryption
  – (E)Mail
  – Hacking
Breaches at Non Fortune 500
(Chart: count of breaches by vector, non Fortune 500, 2007-2010, axis 0-120)
(Chart: records lost by vector, non Fortune 500, 2007-2010, log plot, 0.001-100 millions)
Vectors: document loss, (e)mail, fraud, hacking, missing encryption, unknown, web configuration
• Threats identified
  – Missing encryption
  – Web configuration
  – Document loss
  – Hacking
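The two views on the preceding slides (breaches by vector and records lost by vector, each split Fortune 500 vs. others), as an added example in Python. This is not the speaker's code and not DataLossDB's export tooling. It assumes one record per breach carrying year, organization, vector and records lost, plus a set naming the Fortune 500 members; the records and the membership set are constructed for the example, and the vector labels are the seven used on the slides.

```python
"""Breach counts and records lost by vector, Fortune 500 vs. others.

Added example, not the speaker's code. Reproduces the two views on the
preceding slides from per-breach records of the shape DataLossDB exports:
breaches by vector and records lost by vector, each split by Fortune 500
membership. SAMPLE_BREACHES and FORTUNE_500 are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# The seven vector labels used on the slides.
VECTORS = {"Document Loss", "(E)Mail", "Fraud", "Hacking",
           "Missing encryption", "Unknown", "Web configuration"}
SEGMENTS = ("Fortune 500", "Other")


@dataclass(frozen=True)
class Breach:
    year: int
    org: str
    vector: str
    records: int


FORTUNE_500: Set[str] = {"BigBank", "MegaRetail", "HugeTech"}   # constructed

SAMPLE_BREACHES: List[Breach] = [                               # constructed
    Breach(2008, "BigBank", "Missing encryption", 50_000),      # lost laptop
    Breach(2009, "BigBank", "Missing encryption", 120_000),
    Breach(2009, "MegaRetail", "Hacking", 40_000_000),          # one big intrusion
    Breach(2010, "HugeTech", "(E)Mail", 3_000),
    Breach(2010, "MegaRetail", "Missing encryption", 8_000),
    Breach(2008, "CityClinic", "Document Loss", 1_200),
    Breach(2009, "SmallShop", "Web configuration", 25_000),
    Breach(2010, "SmallShop", "Web configuration", 9_000),
    Breach(2010, "LocalUni", "Hacking", 600_000),
    Breach(2009, "CountyOffice", "Missing encryption", 30_000),
    Breach(2010, "CityClinic", "Missing encryption", 500),
]


def summarize(breaches: Iterable[Breach],
              fortune500: Set[str]) -> Dict[str, Dict[str, Counter]]:
    """Per segment: breach count per vector and records lost per vector."""
    summary = {seg: {"breaches": Counter(), "records": Counter()} for seg in SEGMENTS}
    for b in breaches:
        if b.vector not in VECTORS:
            raise ValueError(f"unknown vector {b.vector!r}")
        seg = "Fortune 500" if b.org in fortune500 else "Other"
        summary[seg]["breaches"][b.vector] += 1
        summary[seg]["records"][b.vector] += b.records
    return summary


def rank(summary, segment: str, by: str = "breaches", k: int = 3) -> List[str]:
    """Top-k vectors for a segment, by breach count or by records lost.
    Ties are broken alphabetically so the ordering is deterministic."""
    counts = summary[segment][by]
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [vector for vector, _ in ordered[:k]]


def share(summary, segment: str, by: str, vector: str) -> float:
    """Fraction of a segment's breaches (or records) attributed to one vector."""
    counts = summary[segment][by]
    total = sum(counts.values())
    return counts[vector] / total if total else 0.0


if __name__ == "__main__":
    s = summarize(SAMPLE_BREACHES, FORTUNE_500)
    for seg in SEGMENTS:
        print(f"{seg}: by count {rank(s, seg)}; by records {rank(s, seg, by='records')}")
        print(f"  hacking share of records: {share(s, seg, 'records', 'Hacking'):.1%}")
```

Ranking by breach count and ranking by records lost give different answers on the same data: missing encryption produces the most incidents in both segments, while a single hacking incident dominates records lost, which is why the slides plot records on a log axis. Which metric you rank by decides which of the roles in the next section you hire first.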
It's Not Just AppSec, It's Not Just Advanced

Source of breach data                Basic  Slog  Advanced  New  Theme
Vendors                              -      1     5         1    We need experts! Or vendors
Incident response and underground    5      4     1         1    Old problems, then malware
Mandatory disclosure – Fortune 500   2      -     1         -    Encryption, lists & hacking
Mandatory disclosure – smaller       4      -     1         -    Basics & hacking
Given These Problems, Who Should You Hire?
• For each class of breach,
  – What does your company need?
  – What roles should you hire?
  – What do managers have to do?
Basic: Kitchen Hygiene
Company needs
• Standards & training
• Tools: red cutting boards / disk encryption
• Consistent deployment
• Consistent enforcement
Roles
• Project management
• Glue code developers
  – Ops tools, especially AAA
  – Enforcement / near misses
• Metrics
Management
• Own goal risk information
  – Near misses
  – Cost is simplest to estimate
"No CEO is that stupid not to pay attention [to security]. But maybe they pay the same attention I did, which is giving encouragement and budget to IT but then saying 'What do I know about programming?'" - Ted Chung, CEO Hyundai Card/Hyundai Capital
Long Slog: Factory Model
Company needs
• Systems knowledge to interrupt the threat
  – Compartmentalization
  – Breaking the attack chain
  – Mature incident response
• Threat intelligence
• Metrics
• Peer group intelligence
Roles
• Threat intelligence
  – Vendor
  – Attack chain architects
• Compartmentalization
  – Systems + business knowledge experts
• Web application cleanup
• SIEM / log glue integrator
Management
• Control efficiency
  – Threat chain status & metrics
• Incident response management
• Peer group intelligence
Advanced Threats: E-Coli
Company needs
• Risk assessment
• Risk compartments
• Logfile watchers
• Appropriate level of defense (AppSec)
Roles
• Logwatchers
• Speed dial for the CDC / IR company
• Known targets
  – Internal bug finders
Management
• Risk management
  – By $ or bodies, not vectors
• Compartmentalization
  – Inside is hostile
New Threats
Company needs
• Practiced reaction
• Risk management
• Security strategy
Roles
• Risk management
• Financial answers
• Security plan author
• Agreed-upon plans and systems in place
Management
Conclusion

                Basic                        Slog                                      Advanced                                      New
Description     Known problems, easy to fix  Ongoing, common problems, hard to fix     Advanced attacks, hard to predict/fight       Emerging threats
Hiring action   Project management           Organization, intelligence, architecture  Risk management, compartments, IR expertise   Strategy and management
• Elite folks are somewhat hard to find
• You probably don't need them first
  – But you need intelligence to be sure
• Most company breaches are within your power to fix by hiring
Photo credits
• Thanks for releasing these photos under Creative Commons attribution or public domain licenses
• Raptor eye: jurvetson (flickr)
• P4 hacker image from http://unix.privacylover.com/page/2/ under Creative Commons license
• Kitchen photo: H Dragon on flickr
• Cheese factory: Waponi @ flickr
• E-Coli: Rocky Mountain Laboratories, NIAID, NIH
• Mobile phone evolution: Wikimedia Commons, user Anders
• Holstein: Wikimedia Commons, US Government photo
• Tiger: Sumatran tiger, photographed in Diergaarde Blijdorp - Wikimedia Commons
• Gator: Wikimedia Commons