Rethinking Security for the 21st Century, Ira A. (Gus) Hunt, CEO, Hunt Technology

Gus Hunt's Work-Bench Enterprise Security Summit Keynote



Gus Hunt, former CTO of the CIA, delivered the keynote at Work-Bench's Enterprise Security Summit in NYC on September 30th


Page 1: Gus Hunt's Work-Bench Enterprise Security Summit Keynote

Rethinking Security for the 21st Century

Ira A. (Gus) Hunt

CEO, Hunt Technology

Page 2

Changing Threat Landscape

Source: ©Nemertes Research 2011, www.nemertes.com (DN1468)

obliterating the possibility of a meaningful “perimeter”); and a dramatic increase in the sophistication and motivation of hackers. At the same time, the costs of a breach have gone way up: The past decade has seen a rise in regulatory requirements that, if not met, can have catastrophic consequences for organizations.

Rise in Threat Vectors

As applications and devices have proliferated, there’s been a rise in threat vectors. With applications like social networking, employees can now introduce threats into enterprise environments via chat, instant messaging, and applications like Facebook and Twitter. Vulnerable protocols aren’t just traditional HTTP and SMTP; they now encompass Skype, Facebook IM, Webmail, H.323, SIP, and others.

And the emerging plethora of mobile computing devices (now encompassing tablets and smartphones) adds additional vulnerabilities. By 2012, 70% of employees will be carrying mobile computing devices, and 11% of organizations currently report at least some “mobile-only” users.

Figure 1: The Changing Threat Universe

Virtualization, Decentralization, and the Vanishing Perimeter

Today’s organizations are typically highly distributed, spanning multiple locations, countries, and even continents. More than 89% of employees work away from headquarters, and 90% of organizations say they operate “virtually,” meaning that members of distributed workgroups interact with each other across multiple locations, as well as with partners, suppliers, and customers.

Page 3

Threat Pace is Increasing

Figure: Named Malware per Day, 2000 to 2010 (y-axis 0 to 3500)

Figure: Malware Files per Day, 2000 to 2010 (y-axis 0 to 25000)

Page 4

12 Months of Cyber Attacks—A Sampler

• Target

• Home Depot

• JP Morgan

• Chevron

• Dairy Queen

• eBay

• Montana Health Dept.

• Evernote

• Community Health Systems

• Domino’s

• Feedly

• P.F. Chang’s

• UPS

• Sony

• Xbox Live

• Verizon

Page 5

Current Situation

• Cyber Crime/Cyber Prevention

– Cost US companies $120B (Global ~$600B, ~21st largest economy)

– USG will spend $10.5B on cyber security in 2015

– Worldwide market for Cyber prevention $140B

– Fastest growing crime trend in US

– 97% of attacks were avoidable

– 85% of attacks took 2+ weeks to discover

Page 6

Putting it in Perspective

• US Cyber Crime Cost:

– ~$100-120B/year

– ~0.7-0.8% of GDP

• US “Inventory Shrinkage”:

– ~$200-280B/year

– ~1.4-1.9% of GDP

• Intellectual Property Theft (includes theft by cyber crime):

– ~$300B/year

– ~2.0% of GDP (same as US exports to Asia)

• Annualized Cost of Iraq/Afghan War:

– ~$400-600B/year

– ~2.7-4.0% of GDP

Sources:

– The Economic Impact of Cybercrime and Cyber Espionage, McAfee, 2014

– The IP Commission Report, IP Commission, 22 May 2013

– “Study: Iraq, Afghan war costs to top $4 trillion”, The Washington Post, March 28, 2014

Page 7

State of the State of Security

• Bad and getting worse

– Threats are more sophisticated and moving faster

• Frictionless weapon system

– Public market

– Vertical specialization

• Boundaries have evaporated

– End points are proliferating

– 10-100X increase with IOT

– You are only as secure as your least secure connection

• Market for Solutions is complex and difficult to navigate

– Great ideas, great products; how do you choose?

• Solution half-life is decreasing rapidly

Page 8

State of the State of Security

• Penalties for breaches are increasing

– Regulators and insurers are dictating minimum compliance standards

• No business differentiating value in doing it well

– Downside only

– Costs are rising

• Average company can’t keep up

– Too hard

– Too complex

– Too expensive

– Skills are scarce

• C-suite exhaustion

Insanity: Doing the same things over and over again expecting different results

Page 9

A Different Approach

• Absolute security is absolutely impossible

– Assume you’ll be had (i.e., the trusted insider)

– Continue to minimize the opportunity (today)

– Minimize the loss (tomorrow)

– Move to data centric security

– Make it hard for attackers to find you

– “User” centric behavior analysis (continuous monitoring)

– Security must be “built-in” not a “bolt-on”

– Move to Security as a Service (SECaaS)—let experts do it

Page 10

Diagram: Data at the core, wrapped by Network and Host Protections and End-user and Device Protections

Traditional Cyber Security

Hardens the perimeter, but leaves the data “soft”

Page 11

Diagram: Data surrounded by perimeter controls: Router, Firewall, Malware Detection, User ID and Password

Page 12

Diagram: Data with further layers added: Host Virtualization, IDS, Router, Firewall, VPN, PKI, Malware Detection, User ID and Password

Page 13

Diagram: Data with still more layers: SW & HW Certificates, IPS, Packet Inspection, SSL, Host Virtualization, IDS, Router, Firewall, Hard Tokens, Containerization, Virtualization, VPN, PKI, Malware Detection, User ID and Password

Page 14

It’s the Data… (apologies to James Carville)

Data Centric Security

Page 15

Data Centric Security

• Separate

– Data from Applications

– Applications from Security

– Security from the Rules

– Rules from the Data

• Separate

– Roles and Responsibilities from Accesses

• Make Data Smart and Under Your Control

– Tag, mark and sign all data and objects

– Create controlled digital objects (CDOs)
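As an added illustration, not part of the keynote, of “tag, mark and sign all data” with the rules kept separate from both the data and the enforcement code: a minimal controlled digital object in Python. The signing key, the role names and the classification labels are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key comes from the
# key-management service the keynote calls out as the hard problem.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Rules live apart from both the data and the enforcement code (assumed labels).
RULES = {
    "public": {"intern", "analyst", "admin"},
    "internal": {"analyst", "admin"},
    "restricted": {"admin"},
}

def _canonical(marking: dict) -> bytes:
    # Deterministic encoding so the same marking always MACs the same way.
    return json.dumps(marking, sort_keys=True, separators=(",", ":")).encode()

def _tag(marking: dict, payload: bytes) -> str:
    # Length-prefix the marking so marking/payload boundaries are unambiguous.
    m = _canonical(marking)
    msg = len(m).to_bytes(4, "big") + m + payload
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def make_cdo(payload: bytes, classification: str, owner: str) -> dict:
    """Wrap raw bytes in a controlled digital object: the marking travels with
    the data and is bound to it by a MAC over both, so neither can be altered
    without detection."""
    marking = {
        "classification": classification,
        "owner": owner,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    return {"marking": marking, "payload": payload, "tag": _tag(marking, payload)}

def verify_cdo(cdo: dict) -> bool:
    """True only if both marking and payload are exactly what was signed."""
    expected = _tag(cdo["marking"], cdo["payload"])
    return hmac.compare_digest(expected, cdo["tag"])

def may_access(cdo: dict, role: str, rules: dict = RULES) -> bool:
    """Enforcement point: reject anything whose marking does not verify,
    then consult the externally supplied rules for the role."""
    if not verify_cdo(cdo):
        return False
    return role in rules.get(cdo["marking"]["classification"], set())
```

Downgrading the classification label or swapping the payload invalidates the tag, so a tampered marking cannot be used to slip past the rules.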

Page 16

Data Centric Security

• Encrypt all Data all the Time

– In transit and at rest

– Enforced at the OS level or below

– Transparent to the user

– Key Management and data recovery are the hard problems

• Audit, Analyze, Act in Real-time

– Turn on the big data lens

Page 17

Become Hard to Find

• Fixed, static systems are easily located and thus more vulnerable to attack

• Make it a shell game

• Become a polymorphic attack surface

Page 18

Become Hard to Find

• Embrace the cloud—Software Defined Everything

– Leverage Elastic Computing—compute in motion

• Economic benefits

• Security

– Sign and vault code out of band

– Re-image from the vault

– Pre-emptively plan to kill and re-start long running images

• Run everything in its own encrypted and controlled “cloudlet”

– Software Defined Storage—data in motion

• Encrypt, shard and distribute data

– Network Abstraction—network in motion

• Dynamic and changing pathways

Page 19

Security as a Service (SECaaS)

• “ADT” for Cyber Security

– Instrument the enterprise

– 24x7 Monitoring, Alerting, and Response

– Expert security engineering skills and expertise

– Economies of scale

– Advanced detection and remediation

– Scale enables better outcomes

Page 20

Cyber Security Perfect Storm

• Traditional approaches are inadequate

• Complexity of threats and solutions is baffling

• Costs are soaring

• Creating enormous opportunity

– Deliver Security as a Service (SECaaS)

– Critical consulting on solutions—build systems right

– Security Engineering Talent

– Virtual SOC for multiple enterprises

Page 21

Privacy

• “Privacy is dead, get over it!”—Scott McNealy, Sun, 1999

– True from 1999 to ~2020

• Return to privacy by default

• Intelligent data objects

– Your data under your control, even outside of your boundary

– Binding of data with DRM, DLP, and Encryption

– Fine grained data marking, classification, and tokenization

– Data phone home

Page 22

Identity by 3-axis accelerometer (Actitracker, an Android app):

• Gender (71%)

• Height, tall or short (80%)

• Weight, heavy or light (80%)

• You by your gait (100%)

New Definitions of PII?

Page 23

Final Thoughts

• Cyber security is just too hard

– Ripe for reinvention/re-thinking

– Data-Centric Security

– Polymorphic Systems

– SECaaS

– Silicon Root of Trust is emerging

• Return to Privacy

– Control in the hands of the users

– Encryption on chip

– Profound implications for the advertising driven world

– Profound implications for knowledge sharing

– The definition of PII will broaden and change