Not Even One Shade of Gray: Stop Tolerating Compromise in Security
Rich Boyer, Chief Architect

Who is Rich Boyer?
• CISO, NTT Innovation Institute, Inc.
• And Chief Architect, Global Threat Intelligence Platform

© Copyright 2016 - NTT Innovation Institute Inc. For internal use only.

Let's set the stage: where are we now?

We live in an always connected digital world …
• Computing capacity is growing at an annual growth rate of 54%
• Storage capacity is growing at an annual growth rate of 23%
• 130 million enterprise users for mobile cloud by 2014
• Number of smartphone and tablet shipments exceeds PC
• Over 30 million network sensor nodes in 2010, growing at 30% a year
• 30B pieces of content shared on Facebook every month
• 100 hours of content is uploaded on YouTube every minute
(Cloud, mobile, big data, IoT, social)

… and our SECURITY landscape is a mess.

What everyone says they want from security
[Chart: what users expect (a user-centric experience, instant information) against the security implementation expectation, labelled the "expectation gap"; the digitalization of services against security implementation in reality from 2000 to 2016, labelled the "exploitation gap".]

Ok, let's think about this… How did we get here?

Cyber attacks will have cost companies $2,000,000,000,000 (that's $2 trillion) over the last 10 years.
In the last 10 years we spent $500,000,000,000 (that's $500 billion) on preventing cybercrime.

Bravo and good job to us!

Ok, let's think about this… How did we get here?

"In the 1970s and 1980s, there were stories of individual bank teller embezzlements, 'phone phreaks' manipulating computerized systems in search of free long distance service, and college students breaking into Department of Defense communications systems."

How did we manage to let this… become that?

"Today, cybercriminals and 'black hat' attackers look less like yesterday's nerdy hackers hunched over computers in basements while harboring a vendetta against 'the system.' Now they act more like Mafioso versions of sophisticated Silicon Valley startups. The digital criminal element has worked harder, become more innovative, and successfully broadened their toolset in order to compete with, and outstrip, the efforts of the established enterprise security industry. They are more sophisticated and agile than the companies they attack. They are masters at taking full advantage of the cloud, crowdsourcing, open exchange of data, and technologies often untethered to any particular infrastructure."

First of all, a bit of a story…
"Security is a bit like a wedding..."
"I've done it once, got the ring to prove it... Do I have to show up at your sister's ceremony, can't we just go to the reception? And then the bartering begins..."

Oh, dear God! What have we done!

Seven elements that are destroying our world (and we are ignoring!)
• The bad guys are human
• There are three billion problems at the carbon layer
• We don't share
• Most security is DIY
• There is no central reference
• Almost no one is arrested
• We don't, won't and can't say no

No means no… right?
• We'll run the software, even if the vendor can't patch
• I'll let the developer have access
• You're right, nine character passwords are too hard to remember
• Sure, we'll allow contractors through the airgap so they don't have to come on site
• You're a senior executive, of course you can
• It's too late to fix, we need to just push it out
• It's a medium vulnerability, we'll deprioritize
• Sure you can have an exception to the ACL to see if it works

What I am suggesting is: we, the information security community, are facilitating the problem.
I also believe we are the only people who can solve the problem. And I have an idea…

Let's go back two years… and revisit #5
I sat across the table from the CTO of a very large security hardware vendor.
I asked, "Can we share our knowledge of attacks to help protect our customers?"
He said, "Never going to happen, that is our differentiator."
Today I am sharing data with them and four other vendors that said the same thing, because enough security professionals insisted that we move away from silos of threat data, and the trend is spreading.

So, what if…
We created a manifesto of actually doing the right thing, and actually forced it to happen?

Radical New Security Manifesto
1. We tackle cybersecurity as a human, not a technology, problem.
2. We enforce, as a unified collaboration, a simple common baseline that each of the 7 billion people can follow, and we continually improve it.
3. We share EVERYTHING about the attacker, the attack and the mechanisms as fast as it happens.
4. We move away from security by happenstance; the term "best practice" means it is a good idea, not a requirement.
5. We create central references that our technology-phobic grandmother can understand.
6. We establish publicly available mechanisms to assist in having the bad guys arrested.
7. We stop accepting compromise in security. We say no.

Contact: [email protected]
1950 University Ave, Suite 600
East Palo Alto, California 94303
+1 (650) 579-0800
[email protected]
www.ntti3.com