Vale Security Conference - 2011, Saturday - 9th Talk. Speaker: Andrew Cushman. Talk: Strategies for evolving threats. Slides (SlideShare): http://www.slideshare.net/valesecconf/andrew-9665573
Andrew Cushman Senior Director Trustworthy Computing Security Microsoft Corporation
Who Am I?
Joined Microsoft in 1990
Worked on MSMoney, IIS, & now Security
Also Worked on “Patch Tuesday” & BlueHat
New-ish Job this Year –
Seeking Non-Technical Security Solutions
Why Am I Here?
Discuss Changes and Suggest Responses
Adaptive Challenge Facing Us
Microsoft & Andrew are committed to Brasil
Brasil is Special & Unique
Product Life Cycle diagram (slide labels): Conception, Creation, Release; Policy and Ecosystem Alignment
Trusted Stack
Identity Management
Security/Privacy Fundamentals
Secure Development Standards
Law Enforcement Training and Collaboration
Intelligence Training and Collaboration
Defense Training and Collaboration
Partnerships with Private Sector
Incident Preparedness
National Risk Management
Cybersecurity Legislation
Supply Chain Security
Infrastructure: Critical National Infrastructure (CoreIO); Trusted Government Infrastructure (CoreIO)
Solutions: For Government Employees, Public Safety, National Security, Health, Information/Data Protection
People: Awareness and Know-How (Citizen, Children, Government Employees…)
For Citizens / For the Supply Chain
Security Community Engagement
Intelligence (incl. CERT)
Collaboration with Critical Infrastructure
Incident Response
eGovernment
Privacy Legislation
Enable Secure Innovation
Cyberwarfare Doctrine
Education
7th largest IT market WW
6th country in PC Shipments WW
3rd in online time per user – 22h50min/month
5th largest cell phone market - 147M units
60% of all 3G Cell Phones in Latin America
2nd largest WW in number of companies (620k new companies in 2010 alone)
In the last 5 years, active internet users as a share of the total population grew from 24% to 43% (2009)
10th in broadband (256 kb) users - 9.1M users (4.8% of total 190M population)
People: Friendly, Smart, Hard-working, Creative, Stylish!, Proud & Humble at the same time
Culture: Diverse Society and a Rich History (Di Cavalcanti, Vinicius, Jorge Amado)
Land of Opportunity: Geography – Huge country that is rich in resources (and people)
Government: Foundational Principles, Rule of Law
It Works: There is a Brazilian Way
Rapid Evolution and Adoption of Technology
People: Internet users estimated to reach 3 Billion by 2015, with the bulk of users coming from Brazil, Russia, India, China and Indonesia
Devices: The number of internet connected devices is predicted to exceed 15 billion - twice the world's population - by 2015, and will likely reach 50 Billion by 2020.
Data: It’s estimated that 1 billion new Web pages are created daily and about 32 million domain names are added to the Web every year, with this number expected to rise dramatically in 2010.
25 million Facebook users in the country of 1.16 billion people, an increase of 1.78 million from the start of last month.
Indian Internet to grow from 81 M to 237 M Internet users by 2015
Cybercrime, Economic Espionage, Cyber Warfare, Military Espionage
Usage
Every aspect of our lives is now dependent on computers
Food, Energy, Finances, Entertainment, Clothing, Government
Future
Connectivity is like Oxygen
Data, Data, Data
Every aspect of our lives is now dependent on computers
Within a decade, more than 50 billion everyday objects could be collecting data and making it available online A growing amount of Internet traffic is originating with non-PC devices. In 2010, only 3 percent of Internet traffic originated with non-PC devices, but by 2015 the non-PC share of Internet traffic will grow to 15 percent. PC-originated traffic will grow at a CAGR of 33 percent, while TVs, tablets, smartphones, and machine-to-machine (M2M) modules will have growth rates of 101 percent, 216 percent, 144 percent, and 258 percent, respectively.
Non-traditional data sources Sensors GPS tracks Web click streams
Non-traditional processing Massive processing over semi-structured data Less formal structural schemata Machine learning grows up
Probabilistic Ranking Correlation
Novel use cases Historical mining to create real-time models Saving and processing “all-data”
1 billion new Web pages are created daily and about 32 million domain names are added to the Web yearly, with sharp increases expected in 2011.
The “terabyte club” will reach 6 million by 2015. In 2015, there will be 6 million Internet households worldwide generating over a terabyte per month in Internet traffic, up from just a few hundred thousand in 2010. There will be over 20 million households generating half a terabyte per month in 2015.
The amount of data created, captured, and replicated in the world is growing at a compounded rate of 60% a year. By 2011, the digital universe will be 10 times the size it was in 2006. (IDC)
Threats
No longer just attacks on infrastructure
Attacks against Intellectual Property
And Attacks against the foundations
Attacks against business models
Recent Attacks & News
Anonymous & Lulz
Comodo, DigiNotar
Location issues w/ smart phones
Facial Recognition Talk from Black Hat http://www.face-to-facebook.net/hacking-monopolism-trilogy.php
Hacking Microcontrollers - Don Bailey’s BH Europe
Borrowing Concept from Harvard Business Review Article 1997
Key Concept – We need Technical Solutions && we need to Adapt (change) our thinking
Get On the Balcony
Identify the Adaptive Challenge
Adaptive Solutions – often from bottom up
Ronald Heifetz & Donald Laurie – HBR article: http://hbr.org/2001/12/the-work-of-leadership/ar/1
Security maturity levels (slide table, reconstructed from the four columns):
Basic: Tactical; Undefined Risk; Threat Ignorance; Unpredictable; Ad-Hoc and Manual; Unaware
Standardized: Proactive; Understood Risk; Threat Aware; Structured; Consistency; Awareness and Training
Rationalized: Holistic and Operational; Controlled Risk; Threat Intelligence; Integrated Security; Quantitatively Managed; Service-Oriented
Dynamic: Strategic and Optimal; Continuous Risk Management; Threat Management; Robust Governance; Automated; Culture of Security
Defend: Protect, Detect, Respond, Recover
Asset Classification
Identity Mgmt
- Users
- Devices
Access Control
- Network
- Machine & Data
Training
Monitor
- Baseline
- Intrusions
Assessment
- Vulnerabilities
- Configurations
Reporting
Incident Response
Emergency response
Communicate
Remediate
- Quarantine
- Clean
- Patch
Update
- Software
- Hardware
- Procedures
- Training
- Defenses
Restore
- Data & Facilities
Solutions by maturity level (Basic, Standardized, Rationalized, Dynamic):
- Desktop Image Engineering
- Active Directory Design & Deployment
- BitLocker Full-Volume Encryption
- Desktop Optimization and Configuration Management
- Security for Wireless Services
- Secure Public Key Infrastructure Solutions
- Strong Authentication using Smartcards
- Application Lifecycle Management Services 2010
- Network Access Protection with 802.1x Enforcement
- Desktop Virtualization Solutions
- Server Virtualization with Advanced Management - Virtual Desktop Infrastructure
- Network Access Protection with IPSec Enforcement
- Network Isolation Services
- Secure Web & Remote Access using Forefront TMG
- Enterprise Identity Lifecycle Management
- Data Protection using Active Directory Rights Management
- Server Virtualization with Advanced Management - High Availability Solution
- Seamless Access using DirectAccess and TMG
- Enterprise Federated Identity using ADFS
- Application Backup using System Center Data Protection Manager
- Client Anti-Malware Solutions
- Enterprise Configuration Management
- IT Enterprise Management: End-to-End Cross-Platform Monitoring
- Enterprise Mobile Device Management
- Client and Server Anti-Malware Solutions
- Windows Error Reporting Deployment Services
- IT Compliance and Reporting: End-to-End Monitoring
- Audit Collection Services
- System Error Reporting & Analysis Services
- Server Virtualization with Advanced Management - Centralized, Policy-driven Management
- Premier IR Support and Training
- Secure Development Lifecycle Training and Assessment Services
- Internet Crime and Forensics Investigations Education and Training Services
- Enterprise Recovery Services
Respond
Convergence – SSL Trust Agility
Moxie Marlinspike – BH USA
https://www.blackhat.com/html/bh-us-11/bh-us-11-archives.html#Marlinspike
DARPA RA-11-52 - The Defense Advanced Research Projects Agency's Cyber Fast Track program
https://www.blackhat.com/html/bh-us-11/bh-us-11-archives.html#Zatko
Dan Kaminsky’s NetNoob
First BlueHat Prize Challenge: Design a novel runtime mitigation technology that is capable of preventing the exploitation of memory safety vulnerabilities
Entry Period: Aug 3, 2011 – Apr 1, 2012
Winners announced: BlackHat USA August 2012
IP remains the property of the inventor, with a license for Microsoft to use the technology
• Grand Prize: $200,000 in cash
• Second Prize: $50,000 in cash
• Third Prize: MSDN subscription ($10,000 value)
Things that give me pause…
Technical Solutions On the Fast Track
Army CDCiber
Big Events – 2014 & 2016
RIC
Broadband
Urgent Need for Adaptive Solutions Too
But few Adaptive Solution Ideas & the Environment continues to favor Technical Solutions
Cloud Transformation: Move to the Cloud is permanent – like concrete over farmland
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or
trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft
Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.