The Most Common Failure With Today's Defences

Posted on 29-Nov-2014


DESCRIPTION

This talk looks at the challenges we face as defenders today by examining several recent, prominent breaches and one of their common causes. The first two-thirds of this talk are the same as "Is That Normal?" (http://www.slideshare.net/marknca/is-that-normal-behaviour-modelling-on-the-cheap), but in the last third, instead of diving into the mechanics of behavioural analysis, this talk looks at what we should be doing with the results. Originally presented at the Gartner Security & Risk Management Summit in London, 08-Sep-2014.

TRANSCRIPT

The Most Common Failure With Today's Defences

Mark Nunnikhoven Vice President, Cloud & Emerging Technologies @marknca

Just like you probably can’t see this, I can’t see the backchannel. Tweet me now @marknca, I’ll reply after the talk…

Recent attacks

The problem

What you can do?

Recently…

450 000 000

“Client record” is typically at least [username+password]

27-Nov-2013—15-Dec-2013

First real CEO “resignation” due primarily to an information security incident

a/k/a “Target 2” …but worse

Early May-2014—Late Aug-2014

Nominated for “Worst Communications During An Incident”

Late Feb-2014—Mid May-2014

Real reputation risk & impact on ability to conduct business

17-Jun-2013—17-Oct-2014

Should have received more attention. More on this one later…

17-Sep-2013—Early Oct-2013

Amazing visualization from Information Is Beautiful “World’s Biggest Data Breaches & Hacks”

Breaches: more frequent, lasting longer, bigger impact on businesses

The Problem

Restrict inbound. Restrict outbound. Heavily monitor access.

Data

Data space: servers, applications, infrastructure, etc.

Restrict inbound. Allow outbound. Little to no monitoring.

User

User space: where the users are ;-) Endpoints like laptops, desktops, tablets, etc.

Authentication Authorization

Yes, we typically only use 2 controls here

152 million records; 40 GB of source code

~44 GB of data exfiltrated

What can you do?

Authentication Authorization

3 is more than 2. That’s an immediate win when reporting up to your boss(es).

Behaviour analysis

What to look at

All traffic leaving user space. Most organizations have some controls between the user and the world.

Need to start addressing internal data flow & expanding existing controls

What to look for

Malicious patterns

A service or appliance can help here

What to look for

Odd access patterns

Most breaches access data through authorized channels BUT with odd behavioural patterns

What to do about it

Vary the level of trust in the user*. Dynamically vary the level depending on specific criteria and indicators of trust.

You may trust me to deliver a talk on security…

But would you trust me to look after your kids?

Trust is a spectrum

Varying trust

A quick example

Normal access

Have a confirmed finding (or high enough confidence)

Not sure what we’ve found

Take a deeper look

Not sure what we’ve found? Increase monitoring, block high-value access temporarily.

Add behavioural analysis. Look for odd/malicious patterns. Vary the level of trust.
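As an added illustration of the trust-spectrum idea in the slides above (not code from the talk or its author), the following Python sketch turns one behavioural indicator, outbound volume from a user's endpoint compared with that user's own baseline, into the three outcomes the quick example walks through: normal access, "take a deeper look" (increase monitoring and temporarily hold high-value access), and a confirmed finding. It also shows the "odd access through an authorized channel" point: the users here have all authenticated and been authorized, and only the behavioural deviation separates them. The thresholds, the per-user baselines and the user names are assumptions constructed for the example.

```python
"""Sliding-trust access policy driven by a behavioural indicator.

Added illustration, not code from the talk. Assumes a per-user baseline of
daily outbound volume from user space (constructed below) and maps the
deviation of today's volume onto three trust levels matching the slides:
NORMAL access, UNCERTAIN (increase monitoring, temporarily block high-value
access) and CONFIRMED (block).
"""
from dataclasses import dataclass
from enum import Enum
from statistics import mean, pstdev


class Trust(Enum):
    NORMAL = "normal access"
    UNCERTAIN = "increase monitoring, block high-value access temporarily"
    CONFIRMED = "confirmed finding: block access"


@dataclass(frozen=True)
class Observation:
    user: str
    baseline_mb: tuple   # prior daily outbound MB from this user's endpoint (constructed)
    today_mb: float      # today's outbound MB so far (constructed)


# Thresholds are assumptions for the example, in baseline standard deviations.
UNCERTAIN_SIGMA = 3.0
CONFIRMED_SIGMA = 8.0


def deviation(obs: Observation) -> float:
    """How many baseline standard deviations today's volume sits above the mean.

    A flat baseline (stdev 0) uses 1 MB as a floor, so a user whose volume
    never varied and suddenly moves data still scores high instead of
    dividing by zero."""
    mu = mean(obs.baseline_mb)
    sigma = max(pstdev(obs.baseline_mb), 1.0)
    return (obs.today_mb - mu) / sigma


def assess(obs: Observation) -> Trust:
    """Map the behavioural indicator onto the trust spectrum."""
    d = deviation(obs)
    if d >= CONFIRMED_SIGMA:
        return Trust.CONFIRMED
    if d >= UNCERTAIN_SIGMA:
        return Trust.UNCERTAIN
    return Trust.NORMAL


def decide(trust: Trust, resource_high_value: bool) -> tuple:
    """Return (allow, extra_monitoring) for a request that already passed
    authentication and authorization; this is the third control the talk adds.

    While uncertain, low-value access is still allowed so the user keeps
    working, but high-value access is held until the finding is resolved."""
    if trust is Trust.CONFIRMED:
        return (False, True)
    if trust is Trust.UNCERTAIN:
        return (not resource_high_value, True)
    return (True, False)


def triage(observations) -> dict:
    """Trust level per user for a batch of observations."""
    return {o.user: assess(o) for o in observations}


# Constructed sample: the same quiet baseline for three users, then one
# endpoint moves far more data out than usual over an otherwise permitted channel.
SAMPLE = [
    Observation("alice", (40, 45, 38, 50, 42, 47, 41, 44, 39, 46), 44),
    Observation("bob",   (40, 45, 38, 50, 42, 47, 41, 44, 39, 46), 60),
    Observation("carol", (40, 45, 38, 50, 42, 47, 41, 44, 39, 46), 900),
]

if __name__ == "__main__":
    for user, trust in triage(SAMPLE).items():
        allow_high, monitor = decide(trust, resource_high_value=True)
        print(f"{user:6} {trust.name:9} high-value allowed={allow_high} "
              f"extra monitoring={monitor}  ({trust.value})")
```

The point of the split between `assess` and `decide` is that the indicator and the response are separate knobs: the same deviation can be mapped to a gentler or harsher response without touching the detection, and a confirmed finding blocks regardless of how valuable the resource is.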
