#RSAC
Solving Cybersecurity in the Next Five Years: Systematizing Progress for the Short Term
Sounil Yu (@sounilyu)
Session ID: MASH-F02
Disclaimers
The views, opinions, and positions expressed in this presentation are solely my own.
They do not necessarily represent the views and opinions of my employer and do not constitute or imply any endorsement from my employer.
The Grand Challenge of Our Generation
What should we focus on if we want to solve it within the next five years?
Perspectives on Defining “Solved”: Car Safety
Pre-Accident: Mandatory Driver Ed, Anti-lock Brakes, Tire Pressure Monitoring, Electronic Stability Control, Rollover Protection, Lane Departure Warning, Radar-Guided Automatic Braking, Autonomous Driving, V2V Comms
Post-Accident: Shatter Proof Glass, Seatbelts, Airbags, Crumple Zones
Safety is table stakes, no longer the main differentiator for Volvo
Most new improvements largely focus on automatically guarding against threats or eliminating operator error (e.g., self-driving cars)
But even if fully self-driving cars were widely available today, it would still take 10+ years to replace most of the vehicles on the road today
A Quick (and Selective) History of IT & Security
“The future is already here – it’s just not evenly distributed.”
William Gibson
1980s
Situation: IT reaches general affordability and enterprises start deploying it en masse
Challenges: IT asset management, visibility, and prioritization
What do I have?
How does it support my business?
Solutions: Systems management tools, asset visibility software
Security Focus: None
Lessons Learned: Build systems with visibility and rich telemetry built in
1990s
Situation: Computers become connected and usable to the masses
Challenges: Viruses, worms, open networks, insecure configurations
Solutions: A/V, firewalls, secure configuration guidelines/baselines
Security Focus: Vulnerability Mgt
Lessons Learned: Build systems with security in mind and an ability to keep up to date
2000s
Situation: Broader availability of attacker tools (script kiddies), platform homogeneity with Windows XP
Challenges: Client-side attacks, too many alerts and logs to review
Solutions: IDS, SIEM
Security Focus: Threat Management, Security Operations Center
Lessons Learned: Protection technologies are not foolproof, humans still remain the weakest link, analysts are needed to review security logs
2010s
Situation: Maturation of attacker ecosystem and tools
Challenges: Lateral movement, persistent targeted attacks
Solutions: EDR, Hunt Teams, Microsegmentation, IdAM
Security Focus: Risk Management, Independent CISO function
Lessons Learned: Assume breach, active hunting needed, traditional network perimeter is insufficient
Recap
Era                       | 1980s                                            | 1990s                                          | 2000s                                     | 2010s
Core Challenges           | Asset Inventory, Asset Mgt, Asset Prioritization | Viruses, Insecure Configs, Server-side Attacks | Client-side Attacks, Log Analysis and Mgt | Assume Breach, Too Many Privileges
Solutions                 | Systems Mgt Tools, Scanners                      | A/V, Firewalls, Secure Configs, App Sec        | IDS, SIEM                                 | Incident Response, Hunting, EDR, IdAM
Security Team Composition | None                                             | Hobby Shop / Vulnerability Mgt                 | Sec Ops Center / Threat Mgt               | Dedicated Biz Unit / Risk Mgt
IT & Security Tension     | STABILITY (CIO) <----------------------------------------------------------------------------------------------------------------------> SECURITY (CISO)
Mapping to the NIST Cyber Security Framework
The same table as the Recap slide, with each era mapped to a NIST CSF function: 1980s Identify, 1990s Protect, 2000s Detect, 2010s Respond
2020s: Age of Recovery (or Resiliency)
What kind of attacks should we see in the 2020s that would challenge our ability to RECOVER (i.e., cause irreversible harm)?
Examples mapped to the CIA triad – Confidentiality: Wikileaks, Doxxing; Integrity: Ransomware; Availability: Bricking Firmware, MBR Wiper
2020s: Age of Recovery (or Resiliency)
What kind of solutions directly support our ability to RECOVER or be RESILIENT?
Forging ahead or regressing back?
A call to go back to the 1990s?
How will prevention mitigate the impact of ransomware?
Remember, we learned “assume breach” in the 2010s
Prevention minimizes the occurrences, but does not address the impact or ability to recover
Slogan pictured on the slide: “JOIN THE PREVENTION AGE – STOP CYBER BREACHES”
NIST CSF mapping: 1980s Identify, 1990s Protect, 2000s Detect, 2010s Respond, 2020s Recover
2020s: Age of Recovery (or Resiliency)
What kind of solutions directly support our ability to RECOVER or be RESILIENT?
[Illustrated on the slide: Copy on Write; a Computer / Hypervisor / OS / Apps / Libraries stack; Serverless Architecture; Content Delivery Network]
But wait! How are these “security” solutions?
Solutions that help business operate with speed and resilience don’t often appear as security solutions but have clear security benefits
Sometimes, there’s even initial resistance by security people (e.g., Docker)
Removing Attacker Persistence: The ability to rapidly rebuild entire immutable or serverless environments makes attacker persistence hard
Easier Anomaly Detection: Declarative policy through Infrastructure as Code makes any unauthorized activity immediately suspect
Built-in Visibility: IaaS providers offer rich visibility and logging by default
“Larger swaths of risk are quickly being eliminated at newer companies, at earlier and earlier stages. And usually not because security was the goal.”
Ryan McGeehan, https://medium.com/starting-up-security/you-dont-need-a-chief-security-officer-3f8d1a76b924
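The two points above (declarative policy makes unauthorized activity immediately suspect; rebuilding immutable environments removes persistence) can be shown concretely. The following is an added example, not code from the slides or from any project they mention: it compares a declared Infrastructure-as-Code state against an observed inventory, reports every deviation as a finding, and turns the findings into the immutable-infrastructure response of terminating what was never declared and recreating whatever drifted. The resource names, attributes, and both inventories are constructed inline for illustration; in practice they would come from the IaC state file and the provider's inventory API (both hypothetical here).

```python
"""Drift detection against a declared (Infrastructure-as-Code) state.

Added example. Under a declarative policy nobody is supposed to change the
environment except through the declaration, so every difference between the
declaration and what is actually running is suspect by construction.
"""
from typing import Any, Dict, List

Resource = Dict[str, Any]

# Constructed sample: what the (hypothetical) IaC template says should exist.
DECLARED: Dict[str, Resource] = {
    "sg-web": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "web-01": {"type": "instance", "image": "golden-2024.1", "sg": "sg-web"},
    "web-02": {"type": "instance", "image": "golden-2024.1", "sg": "sg-web"},
}

# Constructed sample: what the (hypothetical) inventory API reports is running.
OBSERVED: Dict[str, Resource] = {
    "sg-web": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                           {"port": 22, "cidr": "0.0.0.0/0"}]},  # rule added out of band
    "web-01": {"type": "instance", "image": "golden-2024.1", "sg": "sg-web"},
    "web-02": {"type": "instance", "image": "golden-2023.4", "sg": "sg-web"},  # stale image
    "helper-9": {"type": "instance", "image": "unknown", "sg": "sg-web"},       # never declared
}


def _diff_attribute(want: Any, have: Any) -> Dict[str, Any]:
    """Describe how an observed attribute departs from the declared one.
    Lists (e.g. firewall rules) are compared element-wise so the report names
    the exact rule that appeared or vanished; scalars are reported as-is."""
    if isinstance(want, list) and isinstance(have, list):
        return {"added": [x for x in have if x not in want],
                "removed": [x for x in want if x not in have]}
    return {"declared": want, "observed": have}


def detect_drift(declared: Dict[str, Resource],
                 observed: Dict[str, Resource]) -> List[Dict[str, Any]]:
    """Return every way the observed environment differs from the declaration."""
    findings: List[Dict[str, Any]] = []
    for name in observed.keys() - declared.keys():        # running, but never declared
        findings.append({"resource": name, "kind": "undeclared"})
    for name in declared.keys() - observed.keys():        # declared, but not running
        findings.append({"resource": name, "kind": "missing"})
    for name in declared.keys() & observed.keys():        # present on both sides: compare attributes
        for attr in sorted(declared[name].keys() | observed[name].keys()):
            want, have = declared[name].get(attr), observed[name].get(attr)
            if want != have:
                finding = {"resource": name, "kind": "modified", "attribute": attr}
                finding.update(_diff_attribute(want, have))
                findings.append(finding)
    return sorted(findings, key=lambda f: (f["resource"], f["kind"], f.get("attribute", "")))


def rebuild_plan(findings: List[Dict[str, Any]]) -> Dict[str, str]:
    """Map findings to the immutable-infrastructure response: nothing is repaired
    in place. Undeclared resources are terminated; anything missing or modified is
    recreated from its declaration, which also discards any foothold left on it."""
    actions: Dict[str, str] = {}
    for f in findings:
        actions[f["resource"]] = "terminate" if f["kind"] == "undeclared" else "recreate"
    return actions


if __name__ == "__main__":
    drift = detect_drift(DECLARED, OBSERVED)
    for finding in drift:
        print(finding)
    print(rebuild_plan(drift))
```

Run on the constructed inventories, the report names the undeclared host, the security-group rule that appeared out of band, and the instance running a stale image; the plan terminates the first and recreates the other two from the declaration rather than patching them in place.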
A Better Way to Get Inside the Attacker OODA Loop?
[Figure: the Defender OODA Loop (Observe, Orient, Decide, Act) drawn alongside the Attacker OODA Loop; the Natural Business OODA Loop drawn alongside the Business OODA Loop with Traditional Security Restrictions]
Technology and best practices that allow businesses to move faster and be more resilient naturally shorten the OODA loop
OODA(Business) - OODA(CIO) = Shadow IT
2020s: Age of Recovery (or Resiliency)
Situation: Tighter integration of IT/IoT into everyday life, safety as a part of the Confidentiality/Integrity/Availability triad
Challenges: Destructive attacks (e.g., Shamoon), irreversible attacks (e.g., Wikileaks), physical impacts (e.g., Black Energy, car crashes)
Solutions: Systems and functions with more resilient architectures and designs that expect failure (e.g., containers, blockchain, immutable infrastructure, content delivery networks, serverless architectures)
Security Focus: Integrated with technology and basic design patterns
Lesson Learned: Systems designed to be resilient to constant change and failure also happen to be pretty secure (and often easier to use)
Mapping to the NIST Cyber Security Framework
Era                       | 1980s                                            | 1990s                                          | 2000s                                     | 2010s                                 | 2020s
NIST CSF Function         | Identify                                         | Protect                                        | Detect                                    | Respond                               | Recover
Core Challenges           | Asset Inventory, Asset Mgt, Asset Prioritization | Viruses, Insecure Configs, Server-side Attacks | Client-side Attacks, Log Analysis and Mgt | Assume Breach, Too Many Privileges    | Ransomware, MBR Wiper, DDoS, Firmware Brick
Solutions                 | Systems Mgt Tools, Scanners                      | A/V, Firewalls, Secure Configs, App Sec        | IDS, SIEM                                 | Incident Response, Hunting, EDR, IdAM | VDI, Containers, CDN, Immutable Infrastructure, Blockchain
Security Team Composition | None                                             | Hobby Shop / Vulnerability Mgt                 | Sec Ops Center / Threat Mgt               | Dedicated Biz Unit / Risk Mgt         | Integrated Team / DevSecOps
IT & Security Tension     | STABILITY (CIO) <--------------------------------------------------------------------------------------------------------------------------------------------------------------> SECURITY (CISO)
But what about securing _____?
Biotech
IoT
Vehicles
Nanotech
Artificial Intelligence
Quantum Computing
Positive Signs for “Solved”
Increasing ability for enterprises to execute and handle greater numbers of controlled changes
Less Shadow IT (velocity of the CIO ≅ velocity of the business)
No security baselines (e.g., Docker Swarm – secure out of the box)
Bored security teams
Egregiously high zero day payouts
More cooperation than competition around areas involving safety and security (e.g., Volvo’s 3-point seatbelt)
[Chart: Zero Day Payouts for iOS, 2012–2016, scale $0 to $1,500,000]
“Apply” Slide
Next week you should:
Determine what “era” your organization is in
In the first three months following this presentation you should:
Challenge your Red Team to (carefully) simulate destructive attacks (or just run Chaos Monkey)
Find past solutions mismatched against future problems in your tech portfolio / roadmap
Identify resilient design patterns that your business wants to use and champion adoption
Within six months you should:
Accelerate adoption of good practices that focus on increasing speed/agility, portability, and resiliency of the business itself
Remind yourself that this is more about people and design and less about technology
Hire the right people that are forward thinking about resilient designs and practices
Within five years you should:
Start looking for another job