
Was I Supposed to Mix the Security in Before I Baked It?

Security Beyond the Cliché

W. Brandon Martin

  • Welcome
  • Thank you to the 49th Cyber Division and CarolinaCon for the opportunity, and to the sponsor and attendees for offering the meeting space.
  • Conversational invitation
  • Inspiration for the cliché
    • Baked-in vs. Bolt-on
    • Better is not the enemy of perfect.
    • Push security left.
    • Complexity is the enemy of security.
    • DOD Grade security
    • The only secure system is a powered-down system
  • Brief introduction to set the stage for the rest of the conversation.

01 - Introduction

About Me

All opinions are my own and do not necessarily represent any one else's view.

Disney Castle
  • Raised in a barn - cliché that doesn't make a whole lot of sense
  • Brace yourself for memes. - A couple reasons
    • If you're bored, you'll hopefully get a chuckle every 3 or 4 slides and wake yourself up.
    • Memes are a way to communicate with a diverse audience
    • Memes teach us about ourselves.
    • After all, this is a talk about security beyond the cliché.

The Next 45 Minutes

  1. Background and Overview
  2. Security v. Business
  3. Security Balance
  4. Architectural Solutions
  5. Security Practitioners
  6. Questions
Cyber is coming.
  • Wave your hand with questions any time; I want this to be conversational.

02 - Background & Overview

Problem Statement

There is the problem.
  • What problem are we trying to solve?
  • Meme credit: https://knowyourmeme.com/memes/well-theres-your-problem

Goals

Super Sweet.
  • To really tackle the problem, we have to understand the motivations of each stakeholder.
  • Sometimes we get it right, sometimes we don't
  • Engineers vs. architects and why security has to start moving left (earlier) in our project inception.
  • Confession Time - accountability and redemption
  • Not too late to bounce without hurting my feelings.
  • Meme Credit: https://www.mememaker.net/meme/get-ready-for-these-super-sweet-dance-moves

03 - Security v. Business

Reality

Epic Battle
  • Gridlock
  • Immovable object meets an unstoppable force
  • Meme Credit: https://www.memecenter.com/fun/537920/epic-battle

Security Requirements

Requirements Fail.
  • Business people are focused on planned functionality.
  • Security people are worried about unplanned functionality.
  • Requirements can be difficult because it's so obvious to the visionary.
  • Meme Credit https://imgflip.com/i/1a6k84

Business Requirements

requirements fail
  • Business people and planned functionality
  • Meme Credit: https://memegenerator.net/instance/75439838/roll-safe-hd2-cant-fail-to-meet-requirements-if-there-are-no-requirements

Technical Requirements

Yes Requirements.
  • No plan to dwell on technical requirements
  • Illustrate the challenges technical stakeholders have to address
  • Meme Credit: https://makeameme.org/meme/yes-these-requirements

The Result

We are at an impasse.
  • It took me 4 slides to get there, but here is the problem in business terms.
  • Chief Scapegoat

Security Balance

Security Overpowers Business

Not What you think.
  • I didn't know Germany had professional basketball teams...
    • Scoreboard laptop was due for patching
    • https://www.exoplatform.com/blog/2017/08/01/5-of-the-biggest-information-technology-failures-and-scares/
  • Imagine a security consultant sits down with a new account
  • Grooveshark is a sideways example: security, more specifically compliance, overpowered the business objectives later than it should have. https://www.businessinsider.com/startups-that-failed-in-2015-2015-12#grooveshark-5
  • Meme Credit: https://www.blackhillsinfosec.com/five-signs-organization-failing-security/

Business Overpowers Security

Not personal.
  • Thanks to insecure IoT devices, routers, etc., we now have the looming threat of botnets.
  • Target http://fortune.com/2017/05/23/target-settlement-data-breach-lawsuits/
  • I'm usually not interested in politics, but this scandal fit too well.
  • Meme Credit: https://memegenerator.net/instance/66630633/the-godfather-its-not-personal-its-business

Balance is Key

Miyagi say balance.
  • These are the fundamental problems I see in my practice
  • Microsoft deems patching so important everything else must stop
  • A CIO deems something else more important and does not prioritize patching on public facing servers
  • We live in a polarizing time. Political and social issues force us to one side or the other and social media has encouraged us to fight for our right to think and oppress anyone who thinks differently.
  • We also see technology and security evolving so rapidly that anyone outside the space struggles to stay informed.
  • Meme Credit: https://memegenerator.net/instance/55533851/mr-miyagi-miyagi-say-balance-is-key

04 - Architectural Solutions

Architecting the Internet - TCP/IP

TCP/IP Graphic
  • Walk through an architectural success
  • Remember, when Al Gore architected the internet, it was about information sharing between universities. The problem to solve was not how to keep people out; the problem they were solving was how to include more brainpower for the other problems facing academia and society.
  • Secured in the 90's with TLS (Transport Layer Security). Lots of challenges and improvements over the years, but Netscape enabled confidentiality and integrity over the World Wide Web in 1994. https://sites.google.com/site/tlsssloverview/history
  • The point I want to make is that Robert Kahn and Vinton Cerf somehow architected a solution that not only solved their immediate problem, but provided a framework that solved 40 years of problems. https://en.wikipedia.org/wiki/Internet_protocol_suite

Architecting the Internet - DNS

DNS Design DNS Abuse
  • Walkthrough an architectural fail
  • No slight to Paul Mockapetris; DNS is an amazing solution, verified by our continued use and support.
  • Designed for a smaller, less hostile internet and networks.
  • VERY fast. Doesn't have time for authentication. So the engineers had to bolt on security after the solution was fully rolled out.
  • An elegant solution was designed, but it has not been widely adopted, and it still leaves local race attacks.
  • http://www.webhostingsearch.com/articles/history-of-domains-names.php
  • https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
  • https://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=1&w=7&g=0

Lessons Learned

Lesson learned.
  • http://www.webhostingsearch.com/articles/history-of-domains-names.php
  • https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
  • https://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=1&w=7&g=0

Improving Security

Containers
  • Most of us are not solving problems at Internet scale like TCP/IP and DNS
  • I want to highlight several technologies and approaches that SHOULD be changing the way we build solutions.
  • To oversimplify, containers are the next evolutionary step of virtualization.
  • They provide a new layer in the stack that we can secure.
  • They also create a new layer that has to be secured.
  • A tool that improves security and simultaneously reminds us that we need to be careful when we pick up a loaded gun.
  • Changes the way we apply security patches.
  • Changes the way we build systems, which leads us to DevSecOps.
  • DevSecOps is the consolidation of three distinct views that have to work together.
  • A model for addressing security, development and operations concerns throughout the life cycle.
  • The tools in this space are providing assurance to technology managers that at least some form of security review occurred at the source code and running application level.
  • Frameworks
  • Great example of using software frameworks: Cross-Site Request Forgery fell off the OWASP Top 10.
  • Developers are writing less code to solve problems. Hopefully copy/pasting fewer snippets and relying on a reviewed and holistic solution.
  • Meme Credit https://memegenerator.net/instance/56153570/yo-dawg-yo-dawg-i-heard-you-like-containers-so-i-put-a-container-in-your-container
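The frameworks point above is that a developer inherits a reviewed defence instead of hand-rolling one. The following is an added example, not code from the talk, showing in plain Python what a framework's CSRF middleware does on the developer's behalf: a hand-rolled handler that honours any POST carrying a session cookie, next to the same handler behind a synchronizer-token check. All names (`transfer_unprotected`, `transfer_protected`, `demo`), the server secret, the session identifiers and the request dictionaries are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo secret. A real deployment loads this from configuration,
# never from source code.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def make_csrf_token(session_id: str) -> str:
    """Synchronizer-token pattern: a random nonce plus an HMAC binding it to the session."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, tag = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def transfer_unprotected(request: dict) -> str:
    """Hand-rolled handler: any POST carrying a valid session cookie is honoured."""
    form = request["form"]
    return f"200 transferred {form['amount']} to {form['to']}"


def transfer_protected(request: dict) -> str:
    """Same handler behind the check a framework's CSRF middleware performs for you."""
    session_id = request["cookies"]["session"]
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return transfer_unprotected(request)


def demo() -> dict:
    """Three constructed requests: one legitimate, two cross-site forgeries."""
    session_id = "sess-alice-0001"          # constructed session cookie value
    token = make_csrf_token(session_id)     # server renders this into Alice's own form
    legit = {"cookies": {"session": session_id},
             "form": {"amount": "10", "to": "bob", "csrf_token": token}}
    # A third-party page can make the browser send Alice's cookie but cannot read
    # the token out of her page (same-origin policy), so the forged POST lacks it...
    forged = {"cookies": {"session": session_id},
              "form": {"amount": "9999", "to": "mallory"}}
    # ...or carries a token minted for a different session, which the HMAC binding rejects.
    forged_other = {"cookies": {"session": session_id},
                    "form": {"amount": "9999", "to": "mallory",
                             "csrf_token": make_csrf_token("sess-mallory-0002")}}
    return {
        "unprotected_accepts_forgery": transfer_unprotected(forged).startswith("200"),
        "protected_accepts_legit": transfer_protected(legit).startswith("200"),
        "protected_rejects_missing": transfer_protected(forged).startswith("403"),
        "protected_rejects_other_session": transfer_protected(forged_other).startswith("403"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The token is bound to the session with an HMAC so that a token issued to one user cannot be replayed against another, and the comparison uses `hmac.compare_digest` to avoid leaking the tag through timing. Web frameworks bundle exactly this kind of check as middleware, which is why a team that adopts one gets the defence without writing or reviewing it themselves.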

05 - Security Practitioners

Partner Perceptions

No because no.
  • Meme Credit: https://weheartit.com/entry/64669958

Ideals

yes and.
  • Transition: As security practitioners, the perception is clear, the ideals are clear, so what's the problem?
  • Meme Credit: https://www.nelsenbiomedical.com/2015/09/08/say-yes-and-how-the-rules-of-improv-improve-your-success-in-business/

Hard to find good help

Cheaper
  • Full stacking Reference - https://itnext.io/the-cloud-skills-shortage-and-the-unemployed-army-of-the-certified-bd405784cef1
  • Meme Credit: https://me.me/i/there-is-always-someone-willing-to-do-it-cheaper-21853204

Addressing the Talent Gap

Skills.
  • This is not a new problem. But our fast paced technology and extreme division of labor blinds us to the solution.
  • We want to send someone to a boot camp and have them return a security practitioner.
  • We want to send someone to a 4-year college to earn a bachelor's degree in cybersecurity.
  • Maybe we just need a consultant that says they understand the security problem. And now, feed our retention monster.
  • Steel industry, early 2000's: unable to find high-caliber engineers; we may have to invest in new talent again.
  • Cybersecurity Education
  • I meet very few cybersecurity bachelor's degree holders who are fluent in security.
  • Cybersecurity degrees need to become the liberal arts of technology.
  • And this is my lesson learned over the last 30 years. We need to equip people to sell ideas. The amazing technical resources that I meet often have trouble conveying their ideas.
  • Meme Credit: http://www.quickmeme.com/meme/3totnk

06 - Questions