peak prevention: moving from prevention to resilience
TRANSCRIPT
Peak Prevention
Daniel Miessler, Director of Advisory Services, IOActive
AppSec Cali, January 24, 2017
Moving from prevention to resilience
Intro
Daniel Miessler (@danielmiessler)
18 years in infosec: mostly as a tester (net/web/app/iot)
Run the consulting practice for IOActive
Read / write / podcast / table tennis
Flow
‣ Peaks and valleys
‣ Risky bits
‣ Impact reduction
‣ Preparing for what’s coming
Peak Oil
Peak $THING
We used to have a lot of room to grow.
That growth has stopped.
We now have as much as we’ll ever have.
We need to find another source of what it was providing.
Peak $THING (oil)
We used to have a lot of room to grow. (finding more oil, producing it faster)
That growth has stopped. (we found most of the oil)
We now have as much as we’ll ever have. (it’s all downhill from here)
We need to find another source of what it was providing. (energy)
[Figure: RISK = PROBABILITY × IMPACT, with prevention focused on the probability term]
Peak $THING (prevention)
We used to have a lot of room to grow. (add firewalls, AV)
That growth has stopped. (it can all be bypassed)
We now have as much as we’ll ever have. (kind of)
We need to find another source of what it was providing. (risk reduction)
[Figure: risk cells. Probability 9 × Impact 10 = Risk 90; Probability 8 × Impact 8 = Risk 64; Probability 9 × Impact 0 = Risk 0]
[Figure: 10×10 risk grid, axes "Prevention (chance of success)" and "Resilience (damage taken)", each on a 1–10 scale, with an "Acceptable" risk target region and a "Desired" position marked]
[Figure: risk cell. Probability 5 × Impact 10 = Risk 50]
[Figure: the same grid marked "Limit": prevention peaks at 5? 7? instead of reaching the desired level]
[Figure: the same grid marked "Peak?" at prevention 7]
Impact can’t go above 6.
[Figure: risk cell. Probability 7 × Impact 10 = Risk 70, on the grid marked "Peak?" at prevention 7]
We need to be here…
[Figure: the same grid annotated "We need to be here…", "We are here.", "Need to go that way"]
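The grid the slides draw, as an added example that is not the talk's own code: risk = probability × impact on a 1–10 scale, the highest impact still within target once prevention has peaked, and a text rendering of the acceptable region. The prevention floor of 7 and the target of 42 are assumed values chosen to match the chart annotations, not figures the talk states.

```python
# Added example, not code from the talk: the deck's risk model, where
# risk = probability x impact on a 1-10 scale, prevention lowers the
# probability term and resilience lowers the impact term. The prevention
# floor of 7 and the target of 42 are assumed values chosen to match the
# chart annotations ("Peak? 7", "Impact can't go above 6", 7 x 6 = 42).

SCALE = range(1, 11)

def risk(probability: int, impact: int) -> int:
    """Chance of attack success (1-10) times damage taken (1-10)."""
    return probability * impact

def impact_ceiling(prevention_floor: int, acceptable_risk: int) -> int:
    """Highest impact still within the target once prevention has peaked.

    prevention_floor is the lowest probability prevention can still reach.
    Returns 0 when even impact 1 overshoots the target.
    """
    for impact in reversed(SCALE):
        if risk(prevention_floor, impact) <= acceptable_risk:
            return impact
    return 0

def acceptable_cells(acceptable_risk: int) -> set:
    """Every (probability, impact) pair whose risk meets the target."""
    return {(p, i) for p in SCALE for i in SCALE if risk(p, i) <= acceptable_risk}

def render_grid(prevention_floor: int, acceptable_risk: int) -> str:
    """Text version of the slide grid: rows are impact (10 down to 1),
    columns are probability (1 to 10). '#' = acceptable, '.' = too risky,
    'x' = unreachable because prevention cannot push probability that low."""
    rows = []
    for i in reversed(SCALE):
        cells = []
        for p in SCALE:
            if p < prevention_floor:
                cells.append("x")
            else:
                cells.append("#" if risk(p, i) <= acceptable_risk else ".")
        rows.append(f"{i:2d} " + " ".join(cells))
    rows.append("   " + " ".join(str(p % 10) for p in SCALE))
    return "\n".join(rows)

if __name__ == "__main__":
    print(render_grid(7, 42))
    print("impact ceiling:", impact_ceiling(7, 42))
```

With prevention stuck at 7, the only acceptable cells in the reachable columns are those with impact 6 or below, which is the "Need to go that way" move on the slide.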
1 Make your data unusable when it’s stolen?
2 Insure yourself against loss for when incidents do occur?
3 Change the narrative so people don’t care as much. (already happening naturally)
4 Have super clean backup and restore procedures. (ransomware)
5 Have redundant sites for when yours is taken down.
6 Make what you have less valuable to attackers. (files, salaries, records, PII, secrets)
Prepare Yourself
Limits of Prevention
‣ InfoSec breaches
‣ Bad work days
‣ Toxic relationships
‣ Contagious diseases
‣ Terrorism
‣ Safety accidents
‣ Impact N
‣ Impact N+1
Look for Impact Reduction Everywhere
PREVENTION —> RESILIENCE (2017, 2018, 2019…)
Thank You
Twitter: @danielmiessler
Email: [email protected]
Github: https://github.com/danielmiessler
Podcast: https://danielmiessler.com/podcast/
OWASP Game Security Framework: https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project
Resources
✴ OCTAVE: Cyber Risk and Resilience Management: http://www.cert.org/resilience/products-services/octave/
✴ US-CERT Cyber Risk Review (CRR): https://www.us-cert.gov/ccubedvp/assessments
✴ US-CERT Cyber Resilience Management Model: http://www.cert.org/resilience/products-services/cert-rmm/