Solving Cybersecurity in the Next Five Years: Systematizing Progress for the Short Term

Sounil Yu (@sounilyu)

RSA Conference, Session MASH-F02, #RSAC

Slide transcript

Disclaimers

The views, opinions, and positions expressed in this presentation are solely my own

They do not necessarily represent the views and opinions of my employer and do not constitute or imply any endorsement from my employer

The Grand Challenge of Our Generation

What should we focus on if we want to solve it within the next five years?

Perspectives on Defining “Solved”: Car Safety

Pre-Accident: Mandatory Driver Ed, Anti-lock Brakes, Tire Pressure Monitoring, Electronic Stability Control, Rollover Protection, Lane Departure Warning, Radar-Guided Automatic Braking, Autonomous Driving, V2V Comms

Post-Accident: Shatter Proof Glass, Seatbelts, Airbags, Crumple Zones

Safety is table stakes, no longer the main differentiator for Volvo

Most new improvements largely focus on automatically guarding against threats or eliminating operator error (e.g., self-driving cars)

But even if fully self-driving cars were widely available today, it would still take 10+ years to replace most of the vehicles on the road today

A Quick (and Selective) History of IT & Security

The future is already here – it’s just not evenly distributed.

William Gibson

1980s

Situation: IT reaches general affordability and enterprises start deploying it en masse

Challenges: IT asset management, visibility, and prioritization

What do I have?

How does it support my business?

Solutions: Systems management tools, asset visibility software

Security Focus: None

Lessons Learned: Build systems with visibility and rich telemetry built in

1990s

Situation: Computers become connected and usable to the masses

Challenges: Viruses, worms, open networks, insecure configurations

Solutions: A/V, firewalls, secure configuration guidelines/baselines

Security Focus: Vulnerability Mgt

Lessons Learned: Build systems with security in mind and an ability to keep up to date

2000s

Situation: Broader availability of attacker tools (script kiddies), Platform homogeneity with Windows XP

Challenges: Client-side attacks, too many alerts and logs to review

Solutions: IDS, SIEM

Security Focus: Threat Management, Security Operations Center

Lessons Learned: Protection technologies are not foolproof; humans remain the weakest link; analysts are needed to review security logs

2010s

Situation: Maturation of attacker ecosystem and tools

Challenges: Lateral movement, persistent targeted attacks

Solutions: EDR, Hunt Teams, Microsegmentation, IdAM

Security Focus: Risk Management, Independent CISO function

Lessons Learned: Assume breach, active hunting needed, traditional network perimeter is insufficient

Recap

1980s
Core Challenges: Asset Inventory, Asset Mgt, Asset Prioritization
Solutions: Systems Mgt Tools, Scanners
Security Team Composition: None

1990s
Core Challenges: Viruses, Insecure Configs, Server-side Attacks
Solutions: A/V, Firewalls, Secure Configs, App Sec
Security Team Composition: Hobby Shop / Vulnerability Mgt

2000s
Core Challenges: Client-side Attacks, Log Analysis and Mgt
Solutions: IDS, SIEM
Security Team Composition: Sec Ops Center / Threat Mgt

2010s
Core Challenges: Assume Breach, Too Many Privileges
Solutions: Incident Response, Hunting, EDR, IdAM
Security Team Composition: Dedicated Biz Unit / Risk Mgt

IT & Security Tension (runs across every era): Stability (CIO) vs. Security (CISO)

Mapping to the NIST Cyber Security Framework

The same table as the Recap, with each era mapped to a NIST CSF function: 1980s Identify, 1990s Protect, 2000s Detect, 2010s Respond

2020s: Age of Recovery (or Resiliency)

What kind of attacks should we see in the 2020s that would challenge our ability to RECOVER (i.e., cause irreversible harm)?

Examples on the slide, plotted along the Confidentiality / Integrity / Availability axis: Wikileaks, Doxxing, Ransomware, Bricking Firmware, MBR Wiper

2020s: Age of Recovery (or Resiliency)

What kind of solutions directly support our ability to RECOVER or be RESILIENT?

Forging ahead or regressing back?

A call to go back to the 1990s?

How will prevention mitigate the impact of ransomware?

Remember, we learned “assume breach” in the 2010s

Prevention minimizes the occurrences, but does not address the impact or ability to recover

Marketing banner shown on the slide: “JOIN THE PREVENTION AGE. STOP CYBER BREACHES.”

NIST CSF timeline: 1980 Identify, 1990 Protect, 2000 Detect, 2010 Respond, 2020 Recover

2020s: Age of Recovery (or Resiliency)

What kind of solutions directly support our ability to RECOVER or be RESILIENT?

Figure: copy on write; a virtualization stack (computer, hypervisor, OS, apps, libraries); serverless architecture; content delivery network

But wait! How are these “security” solutions?

Solutions that help business operate with speed and resilience don’t often appear as security solutions but have clear security benefits

Sometimes, there’s even initial resistance by security people (e.g., Docker)

Removing Attacker Persistence: Ability to rapidly rebuild entire immutable or serverless environments makes attacker persistence hard

Easier Anomaly Detection: Declarative policy through Infrastructure as Code makes any unauthorized activity immediately suspect

Built-in Visibility: IaaS providers offer rich visibility and logging by default

Larger swaths of risk are quickly being eliminated at newer companies, at earlier and earlier stages. And usually not because security was the goal.

Ryan McGeehan, https://medium.com/starting-up-security/you-dont-need-a-chief-security-officer-3f8d1a76b924
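One way to make the “easier anomaly detection” point concrete, as an added example that is not code from the talk: diff the declared Infrastructure-as-Code state against an observed inventory, so every resource the declaration cannot explain surfaces as a finding. The resource ids, attributes and the names DECLARED, OBSERVED, detect_drift and triage are constructed for this example.

```python
# Added example, not from the talk: check observed infrastructure against the
# declared Infrastructure-as-Code state and flag anything the declaration
# cannot explain. Both inputs below are constructed sample data.
from dataclasses import dataclass, field

# Constructed declared state: what the IaC manifest says should exist.
DECLARED = {
    "sg-web":  {"type": "security_group", "ingress": ["443/tcp"]},
    "vm-web1": {"type": "instance", "image": "web-2019-03", "sg": "sg-web"},
    "vm-web2": {"type": "instance", "image": "web-2019-03", "sg": "sg-web"},
}

# Constructed observed inventory: what a cloud API or CMDB export reports now.
OBSERVED = {
    "sg-web":  {"type": "security_group", "ingress": ["443/tcp", "22/tcp"]},
    "vm-web1": {"type": "instance", "image": "web-2019-03", "sg": "sg-web"},
    "vm-tmp7": {"type": "instance", "image": "unknown", "sg": "sg-web"},
}


@dataclass
class DriftReport:
    unexpected: list = field(default_factory=list)  # running, never declared
    missing: list = field(default_factory=list)     # declared, not running
    modified: dict = field(default_factory=dict)    # id -> {attr: (declared, observed)}

    def is_clean(self) -> bool:
        return not (self.unexpected or self.missing or self.modified)


def detect_drift(declared: dict, observed: dict) -> DriftReport:
    """Diff the two states; with a declarative policy every difference is a finding."""
    report = DriftReport()
    report.unexpected = sorted(set(observed) - set(declared))
    report.missing = sorted(set(declared) - set(observed))
    for rid in sorted(set(declared) & set(observed)):
        diffs = {k: (v, observed[rid].get(k))
                 for k, v in declared[rid].items() if observed[rid].get(k) != v}
        if diffs:
            report.modified[rid] = diffs
    return report


def triage(report: DriftReport) -> list:
    """Render findings for an analyst queue; undeclared resources rank as suspect."""
    lines = [f"SUSPECT undeclared resource: {r}" for r in report.unexpected]
    lines += [f"MISSING declared resource, rebuild from IaC: {r}" for r in report.missing]
    lines += [f"DRIFT on {r}: {d}" for r, d in report.modified.items()]
    return lines
```

On the constructed data the check reports the undeclared instance vm-tmp7, the missing vm-web2, and the extra 22/tcp ingress rule on sg-web; in an immutable environment the response to the last two is a rebuild from the declaration rather than a manual fix.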

A Better Way to Get Inside the Attacker OODA Loop?

Figure: Observe, Orient, Decide, Act loops drawn for the defender, the attacker, the natural business OODA loop, and the business OODA loop with traditional security restrictions

Technology and best practices that allow businesses to move faster and be more resilient naturally shorten the OODA loop

OODA(Business) - OODA(CIO) = Shadow IT

2020s: Age of Recovery (or Resiliency)

Situation: Tighter integration of IT/IoT into everyday life, safety as a part of the Confidentiality/Integrity/Availability triad

Challenges: Destructive attacks (e.g., Shamoon), irreversible attacks (e.g., Wikileaks), physical impacts (e.g., Black Energy, car crashes)

Solutions: Systems and functions with more resilient architectures and designs that expect failure (e.g., containers, blockchain, immutable infrastructure, content delivery networks, serverless architectures)

Security Focus: Integrated with technology and basic design patterns

Lesson Learned: Systems designed to be resilient to constant change and failure also happen to be pretty secure (and often easier to use)

Mapping to the NIST Cyber Security Framework

1980s (Identify)
Core Challenges: Asset Inventory, Asset Mgt, Asset Prioritization
Solutions: Systems Mgt Tools, Scanners
Security Team Composition: None

1990s (Protect)
Core Challenges: Viruses, Insecure Configs, Server-side Attacks
Solutions: A/V, Firewalls, Secure Configs, App Sec
Security Team Composition: Hobby Shop / Vulnerability Mgt

2000s (Detect)
Core Challenges: Client-side Attacks, Log Analysis and Mgt
Solutions: IDS, SIEM
Security Team Composition: Sec Ops Center / Threat Mgt

2010s (Respond)
Core Challenges: Assume Breach, Too Many Privileges
Solutions: Incident Response, Hunting, EDR, IdAM
Security Team Composition: Dedicated Biz Unit / Risk Mgt

2020s (Recover)
Core Challenges: Ransomware, MBR Wiper, DDoS, Firmware Brick
Solutions: VDI, Containers, CDN, Immutable Infrastructure, Blockchain
Security Team Composition: Integrated Team / DevSecOps

IT & Security Tension (runs across every era): Stability (CIO) vs. Security (CISO)

But what about securing _____?

Biotech

IoT

Vehicles

Nanotech

Artificial Intelligence

Quantum Computing

Positive Signs for “Solved”

Increasing ability for enterprises to execute and handle greater numbers of controlled change

Less Shadow IT (velocity of the CIO ≅ velocity of the business)

No security baselines (e.g., Docker Swarm – secure out of the box)

Bored security teams

Egregiously high zero day payouts

More cooperation than competition around areas involving safety and security (e.g., Volvo’s 3-point seatbelt)

Chart: Zero Day Payouts for iOS, 2012 to 2016 (y-axis from $0 to $1,500,000)

“Apply” Slide

Next week you should:
Determine what “era” your organization is in

In the first three months following this presentation you should:
Challenge your Red Team to (carefully) simulate destructive attacks (or just run Chaosmonkey)
Find past solutions mismatched against future problems in your tech portfolio / roadmap
Identify resilient design patterns that your business wants to use and champion adoption

Within six months you should:
Accelerate adoption of good practices that focus on increasing speed/agility, portability, and resiliency of the business itself
Remind yourself that this is more about people and design and less about technology
Hire the right people that are forward thinking about resilient designs and practices

Within five years you should:
Start looking for another job

Questions?

[email protected]

@sounilyu