3. • Inspired by Haroon Meer's BlackHat Europe 2015 keynote, where he made the following observations:
– An upcoming security apocalypse is on the horizon
– There is a crisis of confidence
– "For the thousands your organization spends on security, you can't protect the one guy who is most valuable to you. Worse yet, would you even know if he was popped?"*
* http://blog.thinkst.com/2011/03/our-upcoming-security-apocalypse.html
BLUE OCEAN IT Security
Inspiration
4. • The issues facing the IT security field haven't changed in the last 15 years
• The "draining the swamp" issue leads to misdirection concerning the root cause of the problem
• A perspective/cultural shift needs to take place concerning the approach
Direction
5. 3 pillars (BLUE OCEAN STRATEGY)
• Patching / Updates (Upgrades): When did we allow this behaviour to become the 'norm' and 'expected'?
• Resilience: What happened to load balancing/fail-over?
• Automation: Have all engineers been swallowed by the tech firms?
6. Patching / Updates (Upgrades)
7. • Why is patching accepted?
– A legacy left over from the hardware days
• Since the days of paper tape and punch cards, physical patching was accepted
• It was then translated into the software world
• Designed principally as a mitigating action for unreliable hardware
– Hardware resilience has improved, while software resilience has stagnated and in some cases deteriorated
Patching / Updates (Upgrades)
8. • Do we accept this for microwaves, digital watches or other consumer goods?
– You buy an item and don't expect it to break within 2 months.
– Consumer rights acts exist to protect customers against such situations (ratified through law)
• T&Cs conveniently provide a 'get-out-of-jail-free' card with no opt-out option.
– 'Our way or the highway'
Patching / Updates (Upgrades)
9. • An open door
– This mechanism allows 3rd parties access to our systems at a privileged level
– It has provided the perfect back-dooring model, which everyone accepts (incl. the IT security community)
Patching / Updates (Upgrades)
10. • The excuse:
– Software engineering is hard and you will never develop a bug-free system
• The response:
– So what?
• Which bugs really cripple systems operationally, when they've been correctly engineered?
• An answer:
– Cleanroom software engineering (Harlan Mills)
• e.g. avionics, mission-critical systems etc.
Patching / Updates (Upgrades)
11. Resilience
12. • Build resilience into your networks
– When did it become acceptable to forget the principles of load balancing and fail-over?
• e.g. a banking site down for the weekend due to maintenance
– Wasn't the Cloud supposed to be a solution to this problem?
Resilience
13. • Network segmentation and zoning
– Identify the threat
– Lock down/contain the threat
– Purge the threat
Resilience
14. • Honeypots
– Where did they go?
– Technological resilience out of the box
• Monitoring and containment also for free
• Risk-based approach
– Understand your assets and compartmentalise them accordingly
Resilience
15. Automation
16. • Strong engineering principles must be adhered to
• Develop strong developer governance around the SSDLC
– Integrate mandatory security gating into the SDLC
• Internal talent retention
– Holistic workflow automation
– Internal employees are often better positioned to take a bird's-eye view when building out process automation
Automation
17. • Ensure security controls are automatically checked and reported
– Without this, security will be bypassed
• Process automation is critical
– Excel must be replaced with dynamic reporting. Static data analytics cripples agility
– Remove the human from the loop
Automation