The Future of Cyberdefense is… Information Management
Tony Sager
NoVA ARMA, February 2015
The optimal place to solve a security problem is… never where you found it.
Corollary: and the information for the solution is never in the right form.

If it is happening to you today, then… it happened to someone else yesterday, and it will happen to someone else tomorrow.
Corollary: and you probably don't know them.

After you figured out what happened, there were… plenty of signs that could have told you it was coming.
Corollary: but not all the signs are in "cyberspace", or available to "cyber defenders".

So the future of cyberdefense is… an information management problem.
Information Plumbing
The Security "Fog of More"
standards, SDL, supply-chain security, security bulletins, user awareness training, browser isolation, two-factor authentication, encryption, incident response, security controls, threat intelligence, whitelisting, need-to-know, SIEM, virtualization, sandbox, compliance, maturity model, anti-malware, penetration testing, audit logs, baseline configuration, risk management framework, continuous monitoring, DLP, threat feed, certification, assessment, best practice, governance
Some Unfortunate Facts
The vast majority of compromises are based on known problems that have known solutions.
85% of the incidents managed by the US-CERT come down to the same 5 basic defenses.
Most attacks should have been blocked at the perimeter.
Very few attackers use "stealth" techniques.
Very few defenders have automated workflow.
The Defender's Challenges
How can I extend my information "reach" to get a more complete picture of what's going on?
Who can I trust to help me cut through the fog?
How can the data be translated into prioritized action?
How will I know if something relevant changes?
How can I do the right thing, and then prove it?!?
The management of cyber information…
from many sources "inside my borders", and of many types (not just security)
must be findable from "over the horizon"
in forms that are actionable
"passively collected" and "actively generated"
in a churn of constant new information
where each bit of information has a trust value
The Critical Security Controls
The Center for Internet Security “making best practice common practice”