Keynote for AGC's annual security conference / meat market in San Francisco ahead of the RSA Conference, February 2017.
"This is your industry
I will not let inside me - NO
I steered clear, long (and hard) ago
I wiped the slate clean
As the whistle I hear
Downtown - noon
Within a visible distance
It's with invisible distance"
-- Universal Order of Armageddon, Baltimore, 1996
https://www.youtube.com/watch?v=yfi9dtZj6Y8
3. Disruptive Innovation
An innovation that creates a new market by providing a different set of values, which ultimately (and unexpectedly) overtakes an existing market.
15. A Portrait Of The Hacker As A Young Man (ca. 1999)
                 Break                          Build
Authentication   dsniff, Kerberos v4            OpenSSH, RPCSEC_GSS (NFSv4)
Firewalls        Cisco PIX, Check Point FW-1    pf (OpenBSD)
VPN              Check Point FW-1               OpenBSD IPSEC, dsocks
IDS / IPS        Sourcefire, ISS, etc.          Anzen/NFR (Check Point), Arbor Networks
18. “A lot of people think that nation-states are running on zero-days, but there are so many more vectors that are easier, productive, and less risky.”
Rob Joyce, NSA TAO, Jan 2016
19. “In the world of advanced persistent threat actors, credentials are king for gaining access to systems.”
Rob Joyce, NSA TAO, Jan 2016
20. “Better-defended networks require specific methods for accessing resources, monitoring credential use, looking for anomalous behavior, and two-factor authentication.”
Rob Joyce, NSA TAO, Jan 2016
21. 95% OF BREACHES
involve stolen credentials
— Verizon 2015 Data Breach Investigations Report
#1: Users
22. #2: Devices
75% Of Breaches Involve Compromised Devices
Source: Duo analysis of 2M+ devices, Jan 2016
26. President Obama’s $19 Billion Cybersecurity Proposal
Calls for 35% Increase Over 2016 Enacted Level
Major Pieces of the Cybersecurity National Action Plan
Critiques from the Tech Industry
• While many in the tech industry have applauded the president’s proposal for investment, many of the suggestions are seen as basic and a sign of how woefully behind our government is on cybersecurity. Brian Barrett, a writer for Wired magazine, compares the plan to “standard advice you’d give a tech novice”.
• With the proposal coming from a “lame-duck” president nearing the end of his second term, there is growing pessimism that pieces that require congressional action will go unfunded.
• Despite being a basic tenet of internet security, encryption is notably absent from the president’s press release. While many in the tech community believe encryption is necessary for continued cyber safety, the topic remains controversial in Congress.
Full Multi-Step Authentication Rollout
While a large portion of the government uses 2-step or multi-step authentication for internal logins, the initiative plans to extend this extra layer of security to citizen-facing federal government digital services. The President hopes this switch will also increase public awareness of this identity proofing mechanism, encouraging wider use among private online systems.
$3.1 Billion Information Technology Modernization Fund
This fund enables the retirement, replacement and modernization of IT equipment throughout the government. Many see this initiative as overdue, as some branches of the government are running antiquated systems as old as Windows XP, which Microsoft stopped officially supporting in 2014.
National Initiative for Cybersecurity Education
$62 billion is requested to invest in educating the nation’s next generation of cybersecurity personnel. Proposed programs include the CyberCorps Reserve, which would offer scholarships for Americans who wish to obtain cybersecurity education in exchange for civil service in government.
EINSTEIN and the Continuous Diagnostic and Mitigation Program
The president proposes allocating increased funding to the government’s primary cyber defense system, EINSTEIN, which has faced significant criticism since it is currently unable to dynamically detect new kinds of cyber intrusions, making it only useful against known threats.
✓ Up-to-Date Devices
✓ Two-Factor Authentication
X Encryption?!
THANKS OBAMA
48. 2017 Duo Product Line
Duo Free
Easy two-factor authentication, free for up to 10 users.
$0
Duo MFA
Easy, best-of-breed two-factor authentication for cloud and on-premise applications.
$3
Duo Beyond
Our next-generation security control platform for modern, perimeter-less organizations.
$9
Duo Access
Our essential security suite to manage trust and address risks from mobile, BYOD, and cloud adoption.
$6