"Attack is a technical problem, defense is a political problem." For several years, cyber security has been misjudged as mere risk reduction. On one hand, business applications and architectures are growing rapidly. On the other hand, the cyber security organisation is struggling to defend them in today's rapidly evolving threat landscape.
This talk explores the gap in thinking between the owner and the defender of today's business applications, and what needs to be done to bridge it. We present proactive steps and measures to overcome the last hurdle in building defendable systems.
11. NAKATOMI SPACE: "wherein buildings reveal near-infinite interiors, capable of being traversed through all manner of non-architectural means."
http://www.bldgblog.com/2010/01/nakatomi-space/
12. DEAR CISO, WHO ARE YOU MOST SCARED OF?
Saumil Shah, "The Seven Axioms Of Security", BH ASIA 2017
18. CYBERSECURITY ASYMMETRY
HAVES:
- Capable of custom analytics, threat detection and response
- Owning Cyber Security
- Sucked up all the talent
HAVE NOTS:
- Not capable
- Cyber Security is a necessary evil
- Purely dependent upon commercial solutions
19. THE ELEMENTS OF A DEFENDABLE SYSTEM: TRANSPARENCY, METRICS, RESILIENCE, USERS
22. A BANK STATEMENT FOR APP/SOFTWARE ACTIVITY
Thomas Dullien, http://addxorrol.blogspot.com/2018/03/a-bank-statement-for-app-activity-and.html
"How could one empower users to account for their private data, while at the same time helping platform providers identify malicious software better? By providing users with the equivalent of a bank statement for app/software activity. The way I imagine it would be roughly as follows: A separate component of my mobile phone (or computer) OS keeps detailed track of app activity: What peripherals are accessed at what times, what files are accessed, etc."
34. IDENTIFY YOUR TARGET USERS...
[Chart: number of users (y-axis) against infosec maturity (x-axis), with four user groups from low to high maturity: HOPELESS, UNINFORMED, PROACTIVE, ROCK STARS]
- HOPELESS: Always going to be an enigma.
- UNINFORMED: If properly guided, these users are willing to improve their usage habits.
- PROACTIVE: The next Rock Star users.
- ROCK STARS: Leave them alone, and possibly learn from them.
35. ...AND IMPROVE THEIR MATURITY
[Chart repeated: number of users against infosec maturity, groups HOPELESS, UNINFORMED, PROACTIVE, ROCK STARS]