KEYNOTE 1 - Saumil Shah - Redefining Defense
NETSQUARE #HITB2017AMS
WARNING! Disruptive Thoughts Ahead
WARNING! Block Diagrams Ahead
About Me
Saumil Shah
CEO, Net Square
@therealsaumil
hacker, trainer, speaker, photographer, rebel
educating, entertaining and exasperating audiences since 1999
The Evolution of Attacks: 2001-17
The Evolution of Targets: 2001-17
Defense vs. Attacks, 2001-17:
• Firewalls: One-way Attacks
• IDS/IPS: FragRouter
• Antivirus: Obfuscation
• Sandbox: Jailbreak
Different.... but Same Same
Example: ROWHAMMER
Stegosploit block diagram: EXPLOIT CODE + IMAGE → PIXEL ENCODER → ENCODED IMAGE; ENCODED IMAGE + STEGO-DECODER → IMAJS JAVASCRIPT POLYGLOT → TARGET BROWSER
http://stegosploit.info
There will be Vulnerabilities
Nakatomi Space
"We did it for the LOLs."
TWO TIMELINES >
The evolution of a new species
Mitigations: /GS, CFG, RelRO, NOZZLE, Isolated Heap, DEP, SEHOP, ASLR, SafeSEH
Credit @halvarflake
The MitiGator raises the bar...
MICROSOFT STRIKES BACK
2005: Ciscogate – Michael Lynn
https://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
CanSecWest 2009. Photo credit: Garrett Gee
Exploit Development - 2012
2-12 month dev time. 24h to 10d shelf life.
Public domain exploits = zero.
Cost, value of exploits has significantly risen.
• COMMERCIALIZED
• WEAPONIZED
• POLITICIZED
The defenders tried to buy back their bugs...
Bug Bounties: high stakes game
More Reactive Security
Compliance != Security
Security = "RISK REDUCTION"
• Rules
• Signatures
• Updates
• Machine Learning
Existing defense measures do not match attacker tactics.
Attackers don't follow compliance standards and certifications.
The CISO: 2001-2017
In 2001...
CIO: INFOTECH = BUSINESS ENABLER ($$$)
CISO: INFOSEC = RISK REDUCTION (C.Y.A.)
Dear CISO, Who are Scarier: ATTACKERS or AUDITORS?
It is time we
SEVEN AXIOMS of Security
Intelligence Driven Defense
Defense doesn't mean Risk Reduction
Seven Axioms of Security: 1
The CISO's job is DEFENSE
Compliance is NOT the CISO's job
"Not my circus, Not my monkeys"
http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/
CISO: INFOSEC = DEFENSE, DEFEND AGAINST ATTACKERS
Seven Axioms of Security: 2
Intelligence begins by COLLECTING EVERYTHING!
Collect Everything!
Sources of Security Intelligence?
Sources of Security Intelligence
"The Universe tells you everything you need to know about it, as long as you are prepared to watch, to listen, to smell, in short to OBSERVE."
Get CREATIVE, Get ORGANIC
Schrödinger's Hack: Systems exist in both SECURE and HACKED states at the same time.
Seven Axioms of Security: 3
TEST REALISTICALLY
Foregone conclusion: "My System Is SECURE"
A test strategy that will lead you to this conclusion
Can't MEASURE? Can't Use.
Why Keep Metrics?
• To show you are succeeding
– Corollary: to show you are failing
• To justify your existence and/or budget
• To argue for change
• For fun!
Marcus Ranum, Security Metrics: The Quest For Meaning, IT Defense 2016, Mainz
How to Establish Metrics
• Look at your process and make a list of what is quantifiable
• Ask yourself what quantities you are interested in
– Once things are quantified they go up, or down – which is about the only convenient thing of metrics: they don't go sideways, too
• Which is a "good" direction: up or down?
• Do you know what constitutes a significant movement?
• Measure and iterate
Marcus Ranum, Security Metrics: The Quest For Meaning, IT Defense 2016, Mainz
Alberto Brandolini @ziobrando (The Bullshit Asymmetry)
Why Metrics Win
• Often information security becomes what I call a "battle of two narratives"
– Your opponent has the advantage of lying:
– "moving this to the cloud will save us $500,000/year!"
– To defend your narrative you need facts (from metrics) and credible extrapolations (based on metrics) or your opponent controls the narrative! *
Marcus Ranum, Security Metrics: The Quest For Meaning, IT Defense 2016, Mainz
Seven Axioms of Security: 5
Users: One Size Fits NONE!
The user's going to pick dancing pigs over security every time.
Bruce Schneier
Technology in the hands of users
@needadebitcard
Identify your target users... (chart: number of users per category: HOPELESS, UNINFORMED, PROACTIVE, ROCK STARS)
A Creative Defense is an UNEXPECTED Defense.
Seven Axioms of Security: 7
Make Defense VISIBLE, Make Defense COUNT.
Visible Defense
Capability hierarchy (top to bottom):
• DETECT INTRUSIONS
• TEST ATTACKER CAPABILITY
• CLASSIFY UNAUTHORIZED ACTIVITY
• DETECT UNAUTHORIZED ACTIVITY
• REAL-TIME VISIBILITY OF EVENTS
• ASSET INVENTORY
https://github.com/swannman/ircapabilities
Is your Infosec team doing something creative every day?
Thank You, Drive Through
@therealsaumil
www.net-square.com