who should the security team hire next?

Who Should You Hire to Improve Company Security? Myles Conley Auspices LLC

Upload: source-conference

Post on 25-Dec-2014


Category: Technology



DESCRIPTION

SOURCE Seattle 2011 - Myles Conley

TRANSCRIPT

Page 1: Who should the security team hire next?

Who Should You Hire to Improve Company Security?

Myles Conley Auspices LLC

Page 2

No, I DON’T know AppSec experts looking for work

Page 3

What to expect this hour

• Where do elite security gurus work?
  – Do they work for elite companies?
• Reviewing breach data trends
• Who to hire to address those trends
• Scope
  – US & commercial only
  – Fortune 500 & Other

Page 4

How to find “Good” AppSec People?

- Have found a real bug
- Can understand bug implications
- Not by Certification
- Not by Survey
- Not by School?

Page 5

Why Not try Bugtraq Mail List?

Pros
• 20-45K subscribers
• Data since 1999
• They have found bugs
• Part of complete security team

Cons
• Cultural Bias
• Out of date
• Nyms, Corporate postings
• Bias towards self promoters

Page 6

Bugtraq Mapping

19,085 Unique Posters
  Less: Non-U.S., Anti-Spam, Truncated Names
  Less: Pseudonyms, Roles
7,352 Total Plausible Names
4,128 Found on LinkedIn

Page 7

Where BugTraqers Work

[Chart: employer type of BugTraq posters found on LinkedIn, share of total (0%–35%). Categories as listed on the chart: Other Healthcare, Other Financial, Vendor of Soft/Hardware, High Tech, .gov/.edu/non-US/non-commercial, Fortune 500, Security specialists, Other. Bar counts as listed on the chart: 84, 153, 351, 468, 485, 638, 876, 1405.]

Page 8

More Bugtraq at mature companies?

Fortune 500 Companies (Have Bugtraqer vs. Don't)
• 638 Bugtraqers
• 71 companies, average 9
• Actually concentrated at Google, IBM, Microsoft, HP, etc.

Breached Companies (Have Bugtraqer vs. Don't)
• 447 Bugtraqers
• 55 employers out of 1158
• Average of 8

Page 9

Avoid Bugtraq Bias?

• People who submitted a security bug for Mozilla

1905 Unique Bug Submitters
  Less: Non-U.S., Truncated Names
  Less: Pseudonyms
1414 Total Plausible Names
632 Found on LinkedIn
661 Employers… only 47 have >1 bug reporter

Page 10

Where Mozilla Helpers Work

[Chart: US Based Mozilla Critical Security Bug Reporters by employer type, share of total (0%–30%). Categories as listed on the chart: Other Healthcare, Other Financial, Fortune 500, .gov/.edu/non-commercial, High Tech, Vendor of Soft/Hardware, Other, Security specialists.]

Page 11

AppSec Conclusions

• Good help is widely distributed
  – 20% are in security consulting companies
  – There is a long tail
• Lots of companies chose not to hire people who post on BugTraq
  – Or are using contractors
  – Or are hiring now
  – Or hire youngsters
• So… why is it always AppSec?

Themes we learn from the news
• Helpless against 0day attacks
• Security Development Lifecycle is working

Page 12

How Security Team Primes Security

Application Security
• Pen Test
• QA integration
• Metrics
• Dev Tools & Training
• Developers own Security
  – SDL

Ops & Security Strategy
• Pen Test
• ….. FUD
• …. Peer comparisons
• … Look over There!
• .. Controls
• Change in Capabilities

(Chart axis: Maturity Level)

Page 13

Fixing Overall Security

What do security team managers need to do?
• Figure where we’re having problems
• Find who could have prevented problems
• Find if we can hire them

First, where can we learn about the problems
– Vendors
– Incident Response & the Underground
– Mandatory Disclosure
– News Wire
– Surveys

Page 14

Breach Classification

Level: Basic
  Description: Known problems, easy to fix
  Precedent: Old to World
  Sophistication: Low
  Example: Bad passwords

Level: Slog
  Description: Ongoing, common problems, hard to fix
  Precedent: Old to You
  Sophistication: Med-High
  Example: Malware / XSS

Level: Advanced
  Description: Advanced attacks, hard to predict / fight
  Precedent: New to World
  Sophistication: High
  Example: APT / 0 day

Level: New
  Description: Emerging threats
  Precedent: New to You
  Sophistication: ?
  Example: Mobile, Skimming

Page 15

Breach Data from Vendors

Advantages
• Large installed base
• Research teams

Disadvantages
• Annual Report

Biases
• Want to sell product
• Vendor’s Scope
• Forward looking
• No segmentation
• No raw data

Page 16

Symantec & Microsoft

Symantec
• Threats Identified
  – Targeted attacks with Social Network intel
  – Zero day attacks
  – Attack Kits and Root kits
  – Mobile

Microsoft
• Threats Identified
  – Java, Browser, Adobe files
  – Attacks using software with patch available
• Intelligence
  – Software Industry Vulns decreasing since 2006

Page 17

Score So Far

Source of Breach Data: scores for Basic, Slog, Advanced, New; then Theme
Vendors: Basic 0, Slog 1, Advanced 4, New 1. Theme: We need experts! Or Vendors!
Incident Response and Underground: (not filled in on this slide)
Mandatory Disclosure: (not filled in on this slide)

Page 18

Breach Data from Incident Response Companies

Advantages
• Know their customers
• Sometimes imprison the guilty

Bias
• Companies that can discover breach
• Companies that need external help
• Backwards looking
• Intrusion is unit of measurement

Page 19

Verizon Data Breach Investigations Report

Incidents included
• 94 investigated by Verizon
• 667 investigated by US Secret Service

[Chart: Percent of Breached Companies by # Employees (>10K employees, <1K employees, Between).]

[Chart: Breaches by Industry in 2011 (count, 0–350): Hospitality, Retail, Financial, Healthcare, Tech Services, Manufacturing, Other.]

Page 20

Percent of Breaches Including Vector

[Chart: percent of breaches including each vector (0%–45%). Vectors as listed on the chart: Malware via user, Buffer overflow, Weak Authentication, Abuse of functionality, SQL injection, Stolen credentials, Brute Force Authentication, Default authentication, Malware via attacker, Social Engineering.]

Page 21

Vector Data from Underground

DBIR Intelligence
• 2/3 of malware was customized
• Only 5 vulnerabilities used in 381 attacks

Contagio overview of Exploit Packs

Dan Guido: Exploit Intelligence Project, 2010
• Malware exploits are predictable
• Easy no-patch mitigation for 22 of 27 top malware

Remainder by architecture & policy

Page 22

Score So Far

Source of Breach Data: scores for Basic, Slog, Advanced, New; then Theme
Vendors: Basic 0, Slog 1, Advanced 5, New 1. Theme: We need experts! Or Vendors!
Incident Response and Underground: Basic 5, Slog 4, Advanced 1, New 1. Theme: Old problems, then Malware
Mandatory Disclosure: (not filled in on this slide)

Page 23

Breach Data from Mandatory Disclosure

Advantages
• Raw Data!
• DatalossDB.org

Disadvantages
• Legislation changes

Biases
• Backwards looking
• Reporting criteria
  – PII loss is reported
  – Trade secret loss isn’t
• Best effort data assembly

Page 24

DataLossDB Biases

[Chart: Records Lost vs. Breaches; only the numeric axis ticks survive, no further labels are recoverable.]

Page 25

Fortune 500 vs. Others

[Chart: Breaches (count, 0–120), Other Breaches vs. Fortune Breaches.]

Page 26

Fortune 500 Sized Datasets

[Chart: records lost in Millions (log scale, 0.01–1000), 2006–2011, Fortune Records vs. Other Records.]

Page 27

Fortune 500 Breach Data

[Chart: Breaches by Vector – Fortune 500, Count of Breaches (0–40), 2007–2010.]

[Chart: Records Lost by Vector – Fortune 500 (Log Plot), Millions (0.001–1000), 2007–2010.]

Vector legend: Document Loss, (E)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration

• Threats Identified
  – Missing Encryption
  – (E)Mail
  – Hacking

Page 28

Breaches at Non Fortune 500

[Chart: Breaches by Vector – Non Fortune 500, Count of Breaches (0–120), 2007–2010.]

[Chart: Records Lost by Vector – Non Fortune 500 (Log Plot), Millions (0.001–100), 2007–2010.]

Vector legend: Document Loss, (e)Mail, Fraud, Hacking, Missing encryption, Unknown, Web configuration

• Threats Identified
  – Missing Encryption
  – Web Configuration
  – Email
  – Document Loss
  – Hacking

Page 29

It’s Not Just AppSec. It’s Not Just Advanced

Source of Breach Data: scores for Basic, Slog, Advanced, New; then Theme
Vendors: Basic -, Slog 1, Advanced 5, New 1. Theme: We need experts! Or Vendors
Incident Response and Underground: Basic 5, Slog 4, Advanced 1, New 1. Theme: Old problems, then Malware
Mandatory Disclosure – Fortune 500: Basic 2, Slog -, Advanced 1, New -. Theme: Encryption. Lists & Hacking
Mandatory Disclosure – Smaller: Basic 4, Slog -, Advanced 1, New -. Theme: Basics & Hacking

Page 30

Given These Problems, Who Should You Hire?

• For each class of breach,
  – What does your company need?
  – What Roles should you hire?
  – What do Managers have to do?

Page 31

Basic: Kitchen Hygiene

Company Needs
• Standards & Training
• Tools: Red cutting boards / Disk Encryption
• Consistent Deployment
• Consistent Enforcement

Roles
• Project Management
• Glue code developers
  – Ops tools, especially AAA
  – Enforcement / near misses
• Metrics

Management
• Own Goal Risk information
• Near Misses
• Cost is simplest to estimate

“No CEO is that stupid not to pay attention [to security]. But maybe they pay the same attention I did, which is giving encouragement and budget to IT but then saying ‘What do I know about programming?’” – Ted Chung, CEO Hyundai Card/Hyundai Capital

Page 32

Long Slog: Factory Model

Company Needs
• Systems knowledge to interrupt threat
  – Compartmentalization
  – Breaking attack chain
  – Mature incident response
• Threat Intelligence
• Metrics
• Peer Group Intelligence

Roles
• Threat Intelligence
  – Vendor
  – Attack chain architects
• Compartmentalization
  – Systems + business knowledge experts
• Web Application cleanup
• SIEM / Log glue integrator

Management
• Control Efficiency
  – Threat chain status & metrics
• Incident Response Management
• Peer Group Intelligence

Page 33

Advanced Threats: E-Coli

Company Needs
• Risk Assessment
• Risk Compartments
• Logfile Watchers
• Appropriate level of defense (AppSec)

Roles
• Logwatchers
• Speed dial for the CDC / IR company
• Known Targets
  – Internal bug finders

Management
• Risk Management
  – By $ or Bodies, not Vectors
• Compartmentalization
  – Inside is Hostile

Page 34

New Threats

Company Needs
• Practiced Reaction
• Risk Management
• Security Strategy

Roles
• Risk Management
• Financial answers
• Security Plan Author
• Agreed-upon plans and systems in place

Management

Page 35

Conclusion

Basic
  Description: Known problems, easy to fix
  Hiring Action: Project Management Organization

Slog
  Description: Ongoing, common problems, hard to fix
  Hiring Action: Intelligence, Architecture

Advanced
  Description: Advanced attacks, hard to predict / fight
  Hiring Action: Risk Management, Compartments, IR Expertise

New
  Description: Emerging threats
  Hiring Action: Strategy and Management

• Elite folks are somewhat hard to find
• You probably don’t need them first
  – But need intelligence to be sure
• Most company breaches within power to fix by hiring

Page 36

Q&A

• Myles Conley
• [email protected]

Page 37

Photo credits
• Thanks for releasing these photos under creative commons attribution or public domain licenses
• Raptor eye: jurvetson (flickr)
• P4 hacker: image from http://unix.privacylover.com/page/2/ under creative commons license
• Kitchen photo: photo by H Dragon on flickr
• Cheese factory: photo by Waponi @ flickr
• E-Coli: photo credit Rocky Mountain Laboratories, NIAID, NIH
• Mobile phone evolution: wikicommons, user Anders
• Holstein: wikicommons photo by US Government
• Tiger: Sumatran tiger, photographed in Diergaarde Blijdorp (wikicommons)
• Gator: wikicommons