SESSION ID: STR-T10
New Paradigms for the Next Era of Security
Sounil Yu, Author, Cyber Defense Matrix
@sounilyu #RSAC

Slide 2: $whoami
- Former Chief Security Scientist at a major financial institution
- Mad Scientist: make new capabilities
- Product Evaluator: test market capabilities
- Red Team Lead: break capabilities
Disclaimer: vendor logos fuzzily shown are representative only. No endorsement should be construed because they are shown here.

Slide 3: Cyber Defense Matrix (https://cyberdefensematrix.com)
Columns (NIST CSF functions): Identify | Protect | Detect | Respond | Recover
Rows (asset classes): Devices, Applications, Networks, Data, Users
Bottom bar: degree of dependency shifts from Technology (left) toward People and Process (right)
Annotations on the matrix: "Why are there so few things here?" and "Is our industry actually solving the right problems?"

Slide 4: A Quick History of IT and Security

Era                               | 1980s                                              | 1990s                                          | 2000s                                         | 2010s
Core challenges                   | What did we buy and how does it support the biz?   | Viruses, server-side attacks, insecure configs | Too many logs and alerts, client-side attacks | Assume breach, raging fires, too many privileges
Solutions                         | Asset Mgt, Systems Mgt tools                       | Anti-Virus, Firewalls, Secure Configs          | IDS, SIEM                                     | Incident Responders & IR tools (EDR, SOAR)
Security team composition & focus | None                                               | Hobby Shop / Vulnerability Mgt                 | Sec Ops Center / Threat Mgt                   | Dedicated Biz Unit / Risk Mgt
IT / Security tension             | STABILITY (CIO) <----------------------------------------------------------------------------------------------------------------------> SECURITY (CISO)

Slide 5: Mapping to the NIST Cyber Security Framework
The same table, with each era mapped to the CSF function it was preoccupied with: 1980s = Identify, 1990s = Protect, 2000s = Detect, 2010s = Respond.

Slide 6: 2020s: Age of Recovery (or Resiliency)
What kind of attacks should we see in the 2020s that would challenge our ability to RECOVER or cause irreversible harm?
- Confidentiality: Wikileaks, doxxing
- Integrity: ransomware, #fakenews
- Availability: PDoS (permanent denial of service), MBR wiper, bricking firmware

Slide 7: 2020s: Age of Recovery (or Resiliency)
What kind of solutions directly support our ability to RECOVER or be RESILIENT?

Slide 8: Forging ahead or regressing back?
Recent advertising campaign from a major vendor: "JOIN THE PREVENTION AGE / STOP CYBER BREACHES". A call to go back to the 1990s?
Timeline: 1980 Identify -> 1990 Protect -> 2000 Detect -> 2010 Respond -> 2020 Recover
How will prevention mitigate the impact of ransomware?
- Remember, we learned "assume breach" in the 2010s.
- Prevention minimizes the occurrences, but does not address the impact or the ability to recover.

Slide 9: 2020s: Age of Recovery (or Resiliency)
What kind of solutions directly support our ability to RECOVER or be RESILIENT?
- Serverless architecture (figure: Apps / Apps / Apps on top of Libraries, OS, Hypervisor, Computer)
- Content Delivery Network
- Copy on Write

Slide 10: But wait! How are these "security" solutions?
- Distributed -> DDoS resistant: "The best solution against a distributed attack is a distributed service" -> Availability
- Immutable -> changes easier to detect and reverse: "Unauthorized changes stand out and can be reverted to known good" -> Integrity
- Ephemeral -> drives value of assets closer to zero: "Makes attacker persistence hard and reduces concern for assets at risk" -> Confidentiality

Slide 11: The Alternative: An Endless Conveyor Belt of Vulnerabilities and Threats
Risk = Likelihood x Impact, with never-ending threats and never-ending vulnerabilities feeding the belt.

Slide 12: Pets vs Cattle
Pets (C.I.A.):
- Given a familiar name
- Taken to the vet when sick
- Hugged
Cattle (D.I.E.):
- Branded with an obscure, unpronounceable name
- Shot when sick
- Eaten/recycled (sorry PETA)

Slide 13: A New Measurement for a New Era: Pets vs Cattle Curve
Figure: x-axis = Systems (0 to 20,000); y-axis = Uptime in days (log scale, 1 to 10,000). Pets sit at the long-uptime end of the curve, cattle at the short-uptime end.
Reading the curve: at 40 days, 500 of 20,000 systems are pets (2.5%); at 10 days, 2,000 systems are pets (10%). Target: at 10 days, pets = 2.5%.
Find design patterns, policies, and incentives that push the curve in these directions: fewer pets, shorter-lived cattle.

Slide 14: Pets vs Cattle Controls
Discourage / Disincen
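The measurement on slide 13, worked as code: take a fleet inventory, compute the share of systems still running past a given uptime (the pets), the points of the curve on a log uptime axis, and whether the "2.5% at 10 days" target is met. This is an added example, not code from the deck or from the Cyber Defense Matrix project; the 20,000-host fleet, the host names and the `hostname uptime_seconds` collection format are constructed assumptions.

```python
"""Pets-vs-cattle curve: what share of the fleet has lived longer than a
threshold?  Added example, not from the original deck; the inventory,
host names and input format below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass

SECONDS_PER_DAY = 86_400.0


@dataclass(frozen=True)
class System:
    name: str
    uptime_days: float


def parse_inventory(text: str) -> list[System]:
    """Parse lines of the form '<hostname> <uptime_seconds>' (the first field of
    /proc/uptime collected per host; constructed format, not from the deck).
    Blank lines and '#' comments are skipped."""
    systems = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, secs = line.split()
        systems.append(System(name, float(secs) / SECONDS_PER_DAY))
    return systems


def pet_fraction(systems: list[System], threshold_days: float) -> float:
    """Share of systems whose uptime exceeds threshold_days: the 'pets' at
    that point on the slide's curve."""
    if not systems:
        raise ValueError("empty inventory")
    return sum(s.uptime_days > threshold_days for s in systems) / len(systems)


def pets(systems: list[System], threshold_days: float) -> list[System]:
    """The pets themselves, longest-lived first: the list to chase down."""
    return sorted((s for s in systems if s.uptime_days > threshold_days),
                  key=lambda s: s.uptime_days, reverse=True)


def curve(systems: list[System],
          thresholds=(1, 10, 100, 1_000, 10_000)) -> list[tuple[float, int]]:
    """Points of the survival curve the slide draws on a log uptime axis:
    (threshold_days, number of systems still running past it)."""
    return [(t, sum(s.uptime_days > t for s in systems)) for t in thresholds]


def meets_target(systems: list[System], threshold_days: float = 10.0,
                 max_pet_fraction: float = 0.025) -> bool:
    """The slide's target: no more than 2.5% of systems older than 10 days."""
    return pet_fraction(systems, threshold_days) <= max_pet_fraction


def constructed_inventory() -> list[System]:
    """A 20,000-host fleet built to reproduce the numbers on the slide:
    2,000 hosts above 10 days (10%) and 500 above 40 days (2.5%)."""
    fleet = [System(f"cattle-{i:05d}", (i % 10) + 0.5) for i in range(18_000)]
    fleet += [System(f"straggler-{i:04d}", 10.5 + (i % 29)) for i in range(1_500)]
    fleet += [System(f"pet-{i:03d}", 41.0 + i) for i in range(500)]
    return fleet


if __name__ == "__main__":
    fleet = constructed_inventory()
    # A few hand-written lines in the constructed collection format.
    fleet += parse_inventory("""
        # host          uptime seconds
        db-legacy-01    31536000   # a year: classic pet
        build-runner-7  3600       # an hour: cattle
    """)
    for t, n in curve(fleet):
        print(f"uptime > {t:>6} days: {n:>6} systems")
    for t in (10, 40):
        print(f"pets @ {t} days: {pet_fraction(fleet, t):.1%}")
    print("target met:", meets_target(fleet))
    print("longest-lived pets:", [s.name for s in pets(fleet, 40)[:3]])
```

Uptime is used as the proxy for "pet-ness" because it is what the slide plots and what every host already reports; on a fleet where instances are rebuilt rather than patched in place, `pets(fleet, 10)` is the worklist, and the design patterns and incentives the slide asks for are whatever makes that list shrink from release to release.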

PDF document: 2020_USA20_STR-T10_01_New-Paradigms-for-the-Next-Era-of-Security (20 pages)
Uploaded by 张玉竹 on 2022-04-08 09:34:22.