"Attack is a technical problem, defense is a political problem". For several years, cyber security has been misjudged as risk reduction. On one hand, business applications and architectures are growing rapidly. On the other hand, the cyber security organisation is struggling to be able to defend them in today's rapidly evolving threat landscape. This talk explores the gap in thought between the owner and the defender of today's business applications and what needs to be done to bridge it. We shall present proactive steps and measures to overcome the last hurdle in building defendable systems.

1. SAUMIL SHAH
CEO, NET SQUARE
@therealsaumil
#EmiratesNBD 2019
EmiratesNBD 2019
NETSQUARE

2. # WHO AM I
Saumil Shah
CEO, Net Square
@therealsaumil
educating, entertaining
and exasperating
audiences since 1999

3. A TALE OF TWO KEYNOTES

4. ATTACKS ARE A
TECHNICAL PROBLEM,
DEFENSE IS A
POLITICAL PROBLEM
THOMAS DULLIEN,
"Why we are not building a
defendable Internet" BH ASIA 2O17

5. FIREWALLS
IDS/IPS
ANTIVIRUS
WAF
DLP, EPS
DEP, ASLR
SANDBOX
DEFENSE 2001-19
DIFFERENT....
Reactive Approach
Block the Bad Things
and be Secure again

6. FIREWALLS
IDS/IPS
ANTIVIRUS
WAF
DLP, EPS
DEP, ASLR
SANDBOX
ONE-WAY ATTACK
FRAGROUTER
OBFUSCATION
CHAR ENCODING
DNS EXFIL
ROP, INFOLEAK
JAILBREAK
DIFFERENT.... BUT SAME SAME

7. MEASURES
DO NOT MATCH
EXISTING DEFENSE
ATTACKER
TACTICS

8. ROWHAMMER, SPECTRE, MELTDOWN
Have they really gone away?

9. TARGET BROWSER
ENCODED IMAGE
STEGOSPLOIT
http://stegosploit.info
IMAJS
STEGO-
DECODER
JAVASCRIPT POLYGLOT
PIXEL
ENCODER
EXPLOIT
CODE
IMAGE

10. VULNERABILITIES
THERE WILL BE

11. wherein buildings reveal near-infinite interiors,
capable of being traversed through all manner of
non-architectural means.
NAKATOMI SPACE
http://www.bldgblog.com/2010/01/nakatomi-space/

12. DEAR CISO,
WHO ARE YOU MOST
SCARED OF?
SAUMIL SHAH
"The Seven Axioms Of Security"
BH ASIA 2O17

13. WHO'S SCARIER?
ATTACKERS or AUDITORS?

14. ATTACKERS
DON'T FOLLOW
COMPLIANCE
STANDARDS AND
CERTIFICATIONS

15. WHOSE DEFENSE IS IT ANYWAY?
IS CYBER
SECURITY A
SHARED VISION?
If not…
…a game of PUSHBACK
and COMPLIANCE

16. MUTUALLY ASSURED DESTRUCTION

17. SCHRÖDINGER'S HACK
HACKED
SECURE

18. HAVE NOTS HAVES
Capable of
custom analytics
threat detection
and response
Owning Cyber Security
Sucked up all the talent
Not capable
Cyber Security is a
necessary evil
Purely dependent upon
commercial solutions
CYBERSECURITY ASYMMETRY

19. THE ELEMENTS OF A DEFENDABLE SYSTEM
TRANSPARENCY METRICS
RESILIENCE USERS

21. BANK STATEMENTS
Account
Activity
Spending
Record
Account
Reconciliation
Unauthorized
Expenses

22. Thomas Dullien
http://addxorrol.blogspot.com/2018/03/a-bank-statement-for-app-activity-and.html
"How could one empower users to account for
their private data, while at the same time helping
platform providers identify malicious software
better?
By providing users with the equivalent of a bank
statement for app/software activity. The way I
imagine it would be roughly as follows:
A separate component of my mobile phone (or
computer) OS keeps detailed track of app activity:
What peripherals are accessed at what times,
what files are accessed, etc."
A BANK STATEMENT FOR
APP/SOFTWARE ACTIVITY

24. T.A.T.
Element 1337 in the Periodic Table: Pwnium
Chris Evans, #HITB2012KUL

25. BREAKERSMAKERS

26. MAKERS BREAKERS

27. MAKER AND BREAKER PROCESSES
Mature coding
practices
Continuous Integration
Nightly Builds
Versioning
QA
Unit Testing
Bug Tracking
Bug Fixing/Testing
Black Box Testing
Crash Dumps, Errors
Exploitability Analysis
POC

28. T.A.T.
Element 1337 in the Periodic Table: Pwnium
Chris Evans, #HITB2012KUL

29. PEBKAC

31. THE USER'S GOING TO PICK DANCING PIGS
OVER SECURITY ANYTIME
Bruce Schneier

32. TECHNOLOGY CUTS BOTH WAYS
@needadebitcard

33. FITS NONE
ONE SIZE
USERS:

34. numberofusers
infosec maturity
HOPELESS UNINFORMED PROACTIVE ROCK STARS
IDENTIFY YOUR TARGET USERS...
Always
going to be
an enigma.
If properly guided,
these users are willing
to improve their
usage habits.
The
next
Rock Star
users.
Leave them
alone, and
possibly
learn from them.

35. ...AND IMPROVE THEIR MATURITYnumberofusers
infosec maturity
HOPELESS UNINFORMED PROACTIVE ROCK STARS

36. LET'S TALK ABOUT PASSWORDS

37. https://xkcd.com/936
WE'VE SUCCESSFULLY TRAINED EVERYONE
TO USE PASSWORDS THAT ARE
HARD FOR HUMANS TO REMEMBER,
BUT EASY FOR COMPUTERS TO GUESS.

38. MAKE AUTHENTICATION GREAT AGAIN

39. PUT THE USER
IN CONTROL

42. RESIST
Pass The Parcel
Rules, Signatures,
Updates, Patches
The Next Short-Lived
Security Product
Encumber
Your Users

43. RESONATE
Take Ownership
Build Defendable
Systems
Security and
Trustworthiness
as a core feature
EMPOWER
Your Users

44. THERE
IS NO
SECRET
INGREDIENT

45. @therealsaumil
www.net-square.com
#EmiratesNBD 2019
THANK YOU
NETSQUARE