
The Future of Global Information Security: Information Security Five-Year Scenario
Perry Carpenter, MSIA, C|CISO, Leadership Partner, EITL Security & Risk Management, Gartner
Paul Proctor
Gartner Application Architecture, Development & Integration Summit, December 8-10, 2014, Caesars Palace, Las Vegas, NV

Controls Help Us Achieve the Target Level of Security
But with hundreds of potential controls, we need a way to select the right ones.
The Strategy Tool: four strategies for selecting controls:
- Search & Destroy
- Psy Ops
- Castles & Moats
- Behavior Jujitsu

Fact: The Real World Changes
It no longer works to base control decisions on past performance. We need a way to plan for the ways the world might become, not how it was.
We need a five-year planning guide that:
- Identifies possible future conditions
- Provides a way of detecting shifts in direction (guideposts)
- Calls out control requirements early

Problem Statement
How will the Nexus of Forces (cloud, mobile, social and big data), plus other forces and trends, transform the practice of information security and IT risk management between 2014 and 2019?
- What are the two most powerful uncertain forces driving change?
- How might those forces interact?
- What evidence exists now?

Critical Issues
- How might the world change?
- How shall we detect that change?
- How shall we deal with that change?

Threats Against Targets: A Moving Target
- As servers move into the cloud
- As enterprise security improves
- As mobility drives increased connectivity out to the edge
- As the value at the edge increases
- As end-node compromise tools continue to become more automated
- And ...

Orders of Magnitude
... as the number of highly trained cyber-students increases by orders of magnitude:
- Over 100 "white hat" hacker university degree programs in the U.S., funded by NSA and DHS
- Similar programs in the UK
- 10th through 12th grade training for all in Israel
- Similar programs growing worldwide
- China in a leadership position?
Now assume that 90% stay on the "white hat" side.

Trend: Our X Axis: TARGET
Security compromise of enterprise accounts may become more heavily weighted to indirect attacks through captured end nodes, or may focus even more clearly on servers.
Axis: Enterprise <-> Individual

Who Will Save Us ...
... from the chaos that is the Internet?
- Nation-states want to carve the Internet into manageable pieces.
- Cloud and Big Data push toward less regulation.
- Governments threaten to regulate.
- "Critical infrastructure" is continuously redefined.
- But very little actually gets done.
- And what does get done takes a very long time.

Trend: Our Y Axis: AUTHORITY
The level of market intervention can vary dramatically, shifting costs and influencing business flexibility.
Axis: Tribal <-> Monolithic

The Gartner Security Scenario 2014-2020
Four quadrants: Coalition Rule, Neighborhood Watch, Regulated Risk, Controlling Parent.
How we select from and apply our four control strategies will depend on how the world changes for our organization.

The Gartner Security Scenario 2014-2020 (quadrant numbering)

                          AUTHORITY: Tribal
                 2 Coalition Rule      |  4 Neighborhood Watch
  TARGET: Enterprise ------------------+------------------ TARGET: Individual
                 1 Regulated Risk      |  3 Controlling Parent
                          AUTHORITY: Monolithic

1. Regulated Risk: Enterprise Target, Centralized Authority
- Governments use regulation to provide safety
- An attack can become an act of war
- All infrastructure becomes critical infrastructure
- Enterprises are held responsible for actions of employees
Milestones (pushing toward the corner):
- Additional regulations
- Increase in public acknowledgment of attacks
- Increase in government disclosure of breach info
- Public shaming and fines for breaches
- Publication of a "Monroe Doctrine" for cyber-security rules of engagement
- NATO creates a cyber-security division
- Software liability established
- International convention on cyber-war, and one major nation refuses to sign because it limits their responses
Evidence: Critical infrastructure directive

2. Coalition Rule: Enterprise Target, Fragmented Authority
- Warlords and cartels rule
- Corporations establish fiefdoms, suppress independent innovation
- Aggressive corporate and national espionage
- Supply chain for offensive activities
- Underground economy grows
Milestones (pushing toward the corner):
- Evidence of corporate counter-attack
- A major financial industry company forms a cyber-war department
- IPO for a cyber-war mercenary company
- Increase in crypto-extortion schemes
- Cyber-insurance fails, is withdrawn
- Public corporation records a $100 million charge for cyber-blackmail
Evidence: Cyber and Cloud Security Alliances; drug cartel use of the Internet

3. Controlling Parent: Individual Target, Centralized Authority
- Attacks against individuals push government to act
- Governments try to establish a norm of personal responsibility
- Theft-oriented botnets proliferate
- Surveillance society grows
- Strong privacy regulations emerge
- Mobile devices become closed, curated
Milestones (pushing toward the corner):
- ISPs (outside of Europe) ordered to retain all transactions
- CPSC/FTC takes action against product vulnerabilities
- U.S. class action lawsuits over vulnerabilities
- School training and (in some areas) a license to browse
- Creation of a computer user database
Evidence: Do not call list; FISA amendments

4. Neighborhood Watch: Individual Target, Authority Breakdown
- E-militia emerge: self-organizing protection societies
- Extreme anarcho-hacktivism
- Internet resembles Gangs of New York
- Corporate and communal walled gardens form
- Extensive darknet and dependence on anonymity
- E-commerce declines due to distrust
Milestones (pushing toward the corner):
- Formation of cyber-militias
- Anonymous focuses on CEOs rather than business operations
- Corporations start refusing to hold personal information
- Harassment, reputation attacks, cyber-bullying become common
- Facebook loses 10% of its members
- Slowdown in e-commerce growth rate
Evidence: Islamic Internet efforts; increase in identity theft; "net nanny" approaches

The Gartner Security Scenario: Evidence for Every Direction
(Chart: the current position, "NOW", sits at the center of the Tribal/Monolithic and Enterprise/Individual axes, with one item of evidence plotted toward each corner: Islamic Internet, CSA, CID and DNC, the evidence items named on the four quadrant slides.)

So Watch for the Milestones
(Chart: the same Tribal/Monolithic and Enterprise/Individual axes.)

Four Different Threats and Opportunities
Regulated Risk:
- Threat: Over-regulation increases cost without decreasing risk
- Opportunity: Lobbying can influence direction and degree
Coalition Rule:
- Threat: Increase in attacks could cause severe damage
- Opportunity: Found (then dominate) an industry standards group
Controlling Parent:
- Threat: Privacy regulations will inhibit business operations
- Opportunity: Surveillance society benefits those who do Big Data well
Neighborhood Watch:
- Threat: E-commerce drop; reputation and trust failures
- Opportunity: Form your own protection society for your customers

Understanding the Strategy Tool

                          Active Controls
              Search & Destroy      |    Psy. Ops.
  Technical Controls ---------------+--------------- Behavioral Controls
              Castles & Moats       |    Behavior Jujitsu
                          Passive Controls

Four Control Directions
- Castles and Moats: traditional passive technical controls; isolation via network architecture and access controls
- Behavior Jujitsu: improved security training programs as passive (defensive) behavioral controls
- Search and Destroy: active technical approach to returning fire
- Psy. Ops.: advanced behavioral intervention

The Controls We Need Vary With the Environment We Are In
(Quadrants: Coalition Rule, Neighborhood Watch, Regulated Risk, Controlling Parent.)

Control Interdependence
(Diagram: SWG, Admin, SIEM and Usage Guideline plotted on the active/passive and technological/behavioral axes, as described below.)
The interdependence of control types drives the formation of a security strategy. For example, a SIEM tool escalates a proxy log entry (passive, technological) to a security engineer who reconfigures (active, behavioral) the Secure Web Gateway (active, technological) and informs users of a rule change regarding Web use (passive, behavioral). In a similar fashion, many controls blur the lines between active and passive (e.g., combining logging and active response).

Building a Strategic Response
(Diagram: Event Log, Report Incident, Acceptable Use Guide and Confront Tailgaters plotted on the active/passive and technological/behavioral axes.)
Traditional security control strategy focuses on defensive techniques that minimize vulnerabilities and maintain system integrity. These techniques are primarily expressed through infrastructure (e.g., firewalls, EPP) with a minor investment in user behavior management (aka Security Awareness). The four scenarios for the future of security require new security capabilities that expand beyond existing strategic options. In particular, security capabilities must expand beyond primarily passive, defensive approaches to include, potentially, more active, aggressive approaches.
An example of the difference between active and passive controls is the common practice of disabling logins after a defined number of failed login attempts. This process incorporates a passive control (logging a failed login attempt) and an active control (disabling login for the UserID involved after a certain number of failures). At the extreme, an active control would actually attack the source of an active threat, rather than simply block or minimize vulnerabilities targeted by the threat, while an extreme passive control would simply monitor an attack.
A second factor combines with the active/passive gradient: technological versus behavioral. The vast bulk of security investment is in technological controls. Most organizations sustain a minor investment in security education; this minor investment is an attempt to create behavioral controls. As with technological controls, behavioral controls can be active or passive. For example, asking users to report suspected security incidents is essentially passive, as the action will not directly terminate the incident. In contrast, asking users to physically confront or block a person attempting to tailgate through a secure entrance is an active behavioral control.
Active and passive controls are effective in different ways in different contexts. Technological and behavioral controls are also effective in different contexts. All of these forms of control interact and affect the others.
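The failed-login example above can be made concrete. The following Python is an added example, not code from the Gartner deck: it runs constructed, sshd-style log lines (sample input, not real data) through a guard that keeps the two controls separate, a passive control that records every failure in an audit list and an active control that disables the UserID once failures inside a sliding window reach a threshold. The guard, its threshold of 5 failures in 10 minutes, and the idea that it sits in front of the credential check are assumptions made for illustration.

```python
"""Passive versus active controls on one authentication event stream.

Added example (not from the Gartner deck). The passive control records every
failure; the active control disables the UserID once failures within a sliding
window reach a threshold. Log lines are constructed, sshd-style, and the guard
is modelled as the decision point in front of the credential check.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: password-check results as the authentication
# service would log them, before the lockout policy is applied.
SAMPLE_LOG = [
    "2014-12-08T08:40:00 sshd[101]: Failed password for alice from 203.0.113.7 port 5001 ssh2",
    "2014-12-08T09:00:00 sshd[102]: Failed password for alice from 203.0.113.7 port 5002 ssh2",
    "2014-12-08T09:00:05 sshd[103]: Failed password for alice from 203.0.113.7 port 5003 ssh2",
    "2014-12-08T09:00:10 sshd[104]: Failed password for bob from 198.51.100.4 port 5004 ssh2",
    "2014-12-08T09:00:12 sshd[105]: Accepted password for bob from 198.51.100.4 port 5005 ssh2",
    "2014-12-08T09:00:15 sshd[106]: Failed password for alice from 203.0.113.7 port 5006 ssh2",
    "2014-12-08T09:00:20 sshd[107]: Failed password for alice from 203.0.113.7 port 5007 ssh2",
    "2014-12-08T09:00:25 sshd[108]: Failed password for alice from 203.0.113.7 port 5008 ssh2",
    "2014-12-08T09:00:30 sshd[109]: Accepted password for alice from 203.0.113.7 port 5009 ssh2",
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

THRESHOLD = 5                   # failures that trigger the active control (assumed policy)
WINDOW = timedelta(minutes=10)  # sliding window in which failures are counted (assumed policy)


def parse(line):
    """Parse one log line into an event dict, or None if it is not an auth result."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


class LoginGuard:
    """Passive control: audit every failure. Active control: lock the UserID."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked = {}                    # user -> time the active control fired
        self.audit = []                     # passive control: (ts, user, ip) per failure

    def observe(self, ev):
        """Return the final outcome for one password-check result."""
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "Accepted":
            if user in self.locked:
                return "rejected-locked"    # active control overrides a correct password
            self.failures[user].clear()     # a success resets the failure window
            return "allowed"
        # Passive control: the failure is recorded whatever happens next.
        self.audit.append((ts, user, ev["ip"]))
        recent = self.failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold and user not in self.locked:
            self.locked[user] = ts          # Active control: disable login for this UserID
            return "locked"
        return "failed"


def run(lines, threshold=THRESHOLD, window=WINDOW):
    """Feed log lines through the guard; return (guard, [(user, outcome), ...])."""
    guard = LoginGuard(threshold, window)
    outcomes = []
    for line in lines:
        ev = parse(line)
        if ev is not None:
            outcomes.append((ev["user"], guard.observe(ev)))
    return guard, outcomes


if __name__ == "__main__":
    guard, outcomes = run(SAMPLE_LOG)
    for user, outcome in outcomes:
        print(f"{user:6} {outcome}")
    print("audit entries (passive):", len(guard.audit))
    print("locked accounts (active):", sorted(guard.locked))
```

With the sample input, alice's failure at 08:40 falls outside the 10-minute window and does not count, the five failures from 09:00:00 to 09:00:25 lock the account, and her correct password at 09:00:30 is rejected; bob's single failure is audited but never triggers the active control. Widening the window to an hour brings the 08:40 failure back into scope and the lock fires one attempt earlier. The audit list is the passive control: it is complete regardless of threshold, which is what makes it useful to a SIEM. The lock is the active control and carries the cost the text hints at: anyone who can submit failures for a UserID can deny that user service, so practitioners normally pair account lockout with per-source throttling or a time-limited lock rather than a permanent one.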

Using the Strategy Tool: an Example
Neighborhood Watch:
- Threat: E-commerce drop; reputation and trust failures.
- Opportunity: Form your own protection society for your customers.
Control requirements?
- Distributed, autonomous: can run in isolation on consumer endpoints.
- Extended perimeter (VPN): centrally managed but remotely initiated.
- Endpoint neutralization: DDoS of attack sources.
Control options?
- Passive behavioral: observe and report.
- Passive technological: EPP platform with VPN agent.
- Active technological: identify and attack apparent attack sources via a neighborhood watch botnet.

To Do List
Gartner:
- Special report phase 1
- Special report phase 2
- Ongoing research publication
You:
- Analyze the impact of the four quadrants on your organization
- Outline your response to each of the four quadrants using the strategy tool
- Monitor the environment for milestones as they occur
- Shift your controls strategy as change happens