Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)
DESCRIPTION
Control Quotient: Adaptive Strategies For Gracefully Losing Control, as presented at Hacker Halted 2014 on October 17, 2014 (https://www.hackerhalted.com/2014/us/?page_id=1174).
Abstract: Cloud, virtualization, mobility, and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.
TRANSCRIPT
![Page 1: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/1.jpg)
Control Quotient: Adaptive Strategies For Gracefully Losing Control
![Page 2: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/2.jpg)
Agenda
Context
The Control Quotient
Today’s Reality
Making it Personal
Examples
Transcending “Control”
Apply
![Page 3: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/3.jpg)
CONTEXT
![Page 4: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/4.jpg)
Forces of Constant Change
BUSINESS COMPLEXITY
= RISING COSTS
Evolving Threats
Evolving Technologies
Evolving Compliance
Evolving Economics
Evolving Business Needs
![Page 5: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/5.jpg)
The IT Drunken Bender
![Page 6: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/6.jpg)
The Control Continuum
Dictator ... Surrender
![Page 7: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/7.jpg)
Control
Sphere of Control
![Page 8: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/8.jpg)
Control
Influence
Sphere of Influence vs. Control
![Page 9: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/9.jpg)
THE CONTROL QUOTIENT
![Page 10: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/10.jpg)
The Control Quotient Definition
• Quotient (from http://www.merriam-webster.com/dictionary/quotient):
– the number resulting from the division of one number by another
– the numerical ratio, usually multiplied by 100, between a test score and a standard value
– quota, share
– the magnitude of a specified characteristic or quality
• Control Quotient: optimization of a security control based on the maximum efficacy within the sphere of control (or influence or trust) of the underlying infrastructure*
• *unless there is an independent variable…
![Page 11: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/11.jpg)
History
• RSA Conference US 2009 P2P with @joshcorman
– An endpoint has a comprehensive, but suspect, view
– The network has a trustworthy, but incomplete, view
![Page 12: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/12.jpg)
In Theory There Is An Optimal Place to Deploy a Control…
But Degrees Of Separation Happen…
![Page 13: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/13.jpg)
Avoiding the Proverbial…
![Page 14: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/14.jpg)
TODAY’S REALITY
![Page 15: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/15.jpg)
Today’s Reality
• Administrative control of the entire system is lost
• Increased attack surface
• Abstraction has made systems difficult to assess
• Expectation of anytime-anywhere access from any device
![Page 16: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/16.jpg)
CSA Cloud Model: The Control Quotient and the SPI Stack
Security Management & GRC
Identity/Entity Security
Data Security
Host
Network Infrastructure Security
Application Security
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
![Page 17: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/17.jpg)
CSA Cloud Model: The Control Quotient and the SPI Stack (same layers as the previous slide)
Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud force a change in how security controls are evaluated and deployed.
![Page 18: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/18.jpg)
To Be Successful, We Must Focus on the Control Kept (or Gained!), NOT the Control Lost…
Half Full or Half Empty?
![Page 19: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/19.jpg)
Controls Gained!!!
• Virtualization and Cloud
– Asset, Configuration and Change Management
– Snapshot
– Rollback
– Pause
• VDI
– Asset, Configuration and Change Management
• Mobility
– Encryption (with containers)
• Software-As-A-Service
– Logging!
![Page 20: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/20.jpg)
MAKING IT PERSONAL
![Page 21: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/21.jpg)
A Parent’s Most Valuable Asset?
![Page 22: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/22.jpg)
![Page 23: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/23.jpg)
Most Valuable Asset?
…Yet Most Parents Allow Their Kids to Leave Their Control
![Page 24: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/24.jpg)
Choosing Child Care?
National Association for the Education of Young Children
![Page 25: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/25.jpg)
EXAMPLES
![Page 26: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/26.jpg)
Virtualization and Cloud Created An Entire New Definition of Privilege
![Page 27: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/27.jpg)
The Control Quotient and the SPI Stack
Amazon EC2 - IaaS
Salesforce - SaaS
Google AppEngine - PaaS
Stack by Chris Hoff -> CSA
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” by Chris Hoff -> CSA
![Page 28: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/28.jpg)
The Control Quotient and the SPI Stack (same stack as the previous slide)
The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
![Page 29: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/29.jpg)
So, Whose Cloud Is It Anyway?

| Model | Private Cloud | IaaS in Hybrid / Community / Public Cloud | PaaS/SaaS |
|---|---|---|---|
| Whose Privileged Users? | Customer | Provider | Provider |
| Whose Infrastructure? | Customer | Provider | Provider |
| Whose VM / Instance? | Customer | Customer | Provider |
| Whose Application? | Customer | Customer | Provider |
| Government Discovery Contact? | Customer | Provider | Provider |
![Page 30: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/30.jpg)
http://www.flickr.com/photos/markhillary/6342705495 http://www.flickr.com/photos/tallentshow/2399373550
More Than Just Technology…
![Page 31: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/31.jpg)
VDI Server
VDI Image Storage
VDI: Centralizing the Desktop?
![Page 32: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/32.jpg)
http://www.flickr.com/photos/patrick-allen/4318787860/
Mobile
![Page 33: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/33.jpg)
http://www.sodahead.com/fun/eight...blue-screen.../question-2038989/CachedYou/?slide=2&page=4
IoT / Embedded Devices
![Page 34: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/34.jpg)
Service Providers
![Page 35: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/35.jpg)
Old Ways Don’t Work in New World…
Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments… but were the controls even effective then?
![Page 36: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/36.jpg)
TRANSCENDING “CONTROL”
![Page 37: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/37.jpg)
A Modern Pantheon of Adversary Classes
Methods: “MetaSploit”, DoS, Phishing, Rootkit, SQLi, Auth, Exfiltration, Malware, Physical
Impacts: Reputational, Personal, Confidentiality, Integrity, Availability
Target Assets: Credit Card #s, Web Properties, Intellectual Property, PII / Identity, Cyber Infrastructure, Core Business Processes
Motivations: Financial, Industrial, Military, Ideological, Political, Prestige
Actor Classes: States, Competitors, Organized Crime, Script Kiddies, Terrorists, “Hacktivists”, Insiders, Auditors
Link to Full Adversary ROI Presentation. Source: Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M? (RSA US 2012) by Josh Corman and David Etue.
![Page 38: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/38.jpg)
HD Moore’s Law and Attacker Power
• Moore’s Law: Compute power doubles every 18 months
• HDMoore’s Law: Casual Attacker Strength grows at the rate of MetaSploit
Source: Joshua Corman, http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
![Page 39: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/39.jpg)
![Page 40: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/40.jpg)
Countermeasures
Situational Awareness
Operational Excellence
Defensible Infrastructure
![Page 41: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/41.jpg)
![Page 42: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/42.jpg)
![Page 43: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/43.jpg)
![Page 44: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/44.jpg)
Control “Swim Lanes” (slide figure)
Assets: PHI, “IP”, Web, PCI
Controls: AV, FW, IDS/IPS, WAF, Log Mngt, File Integrity, Disk Encryption, Vulnerability Assessment, Multi-Factor Auth, Anti-SPAM, VPN, Web Filtering, DLP, Anomaly Detection, Network Forensics, Advanced Malware, NG Firewall, DB Security, Patch Management, SIEM, Anti-DDoS, Anti-Fraud, …
Desired Outcomes and Leverage Points: Compliance (1..n), “ROI”, Breach / QB sneak, Productivity, …
![Page 45: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/45.jpg)
Control & Influence “Swim Lanes” (slide figure; same assets and controls as the previous slide)
Added Desired Outcomes and Leverage Points: Procurement, Disruption, DevOps, “Honest Risk”, General Counsel
![Page 46: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/46.jpg)
Under-tapped Researcher Influence (slide figure; same assets, controls and leverage points as the previous slides)
Added influence channels: Litigation, Legislation, Open Source, Hearts & Minds, Academia
![Page 47: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/47.jpg)
Potential Independent Variables
• Encryption: with good key management…
• Rootkits: well, rootkits for good…
• Intermediary Clouds: Anti-DDoS, WAF, Message/Content, Identity, etc…
• Identity and Access Management: with proper integration and process support
• Software-As-A-Service (SaaS): *if* the provider harnesses the opportunity
![Page 48: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/48.jpg)
InfoSec Serenity Prayer
Grant me the Serenity to accept the things I cannot change;
Transparency to the things I cannot control;
Relevant controls for the things I can;
And the Wisdom (and influence) to mitigate risk appropriately.
![Page 49: Control Quotient: Adaptive Strategies For Gracefully Losing Control (Hacker Halted 2014)](https://reader036.vdocument.in/reader036/viewer/2022081404/558985ced8b42a4f748b470a/html5/thumbnails/49.jpg)
Thank You!
• Twitter: @djetue
• Resources:
– Adversary ROI: [SlideShare], [RSA US 2012 Online on YouTube]
– The Cyber Security Playbook: Securing Budget and Forming Allies (with @joshcorman) [BrightTALK]