
The evolving practice of security Michael Brunton-Spall - PowerPoint PPT Presentation



  1. The evolving practice of security Michael Brunton-Spall Bruntonspall Ltd

  2. Michael Brunton-Spall He/His/Him michael@bruntonspall.com https://tinyletter.com/cyberweekly

  3. Why is security evolving; Where we’ve come from; Where we are going

  4. How to rethink security practices in organisations

  5. Some Context

  6. 2005 (slide footer date: 08/03/2019)

  7. 2010

  8. 2013

  9. 2018

  10. Maginot Line

  11. 1930 France “We’d really like the Germans not to invade”

  14. In WW1, they came slowly overland and built trenches

  16. The Germans had invented Blitzkrieg “Lightning Strike” which simply went around

  18. The French were fighting a war from 1920 against an adversary using 1939 techniques

  19. The evolution of compute

  21. From on premise to cloud

  22. Physical machine

  23. Remote hosted machine

  24. Virtual machines in a data center

  25. Virtual machines at scale

  26. Side note: Wardley Mapping

  30. Why Wardley Maps?

  31. We can see changing landscapes

  32. We can discuss strategies

  33. A map isn’t reality, it’s just an abstraction

  34. Things evolve

  35. As servers move from physical to virtual, single to multiple, practice evolves

  36. Coevolution of product and practice

  40. From pets to cattle

  41. How do we administer servers?

  42. Worries about hard drives, CPUs, power etc.

  43. Cloud providers give us abstractions

  45. We stop worrying about whether a hard drive fails in a server

  46. This results in changing operations practice

  47. DevOps, SRE

  48. This results in different developer consumption of operations

  49. Kubernetes, Serverless

  50. What does this mean for security?

  51. How we think about security has to change

  52. Security practices are evolving

  54. Traditional security is about assurance

  55. Where will my data sit

  56. Where does the data go

  58. This works when you have individual servers

  59. This doesn’t work with modern cloud

  60. This doesn’t work the same with modern cloud


  62. “Skate to where the puck is going, not where it has been” Wayne Gretzky

  63. Where the puck was yesterday

  64. What are solved problems?

  65. Commonly solved the same way

  66. Productionised processes

  68. SDLC, Assurance of suppliers, network assurance, hardware assurance

  69. All cloud customers have similar concerns in this area

  70. Buy don’t Build

  71. Compliance via certificates ISO27001, CSA, ISO27017, SOC, FISMA, HIPAA …

  72. Where the puck is today

  74. Continuous Integration, Continuous Deployment, DevOps

  75. Patching

  76. How quickly can you patch?

  77. DevOps

  78. How secure is your code?

  79. Code review and Pull requests

  80. Staff identity and single sign on

  81. Zero Trust Networking

  83. But where is the puck going?

  85. Adversary thinking

  86. ATT&CK Framework

  87. Goals, Restrictions

  88. No adversary has unlimited funds, time and energy

  89. Anti Personas

  90. Han Solo
      Motivation: Han Solo is motivated primarily by money, but also works with the rebel alliance.
      Capabilities: Han is capable of using common tools as well as modifying existing tools on the fly. Han doesn’t want to be caught and so takes an effort to avoid head on confrontations.
      Connections: Rebel Alliance, Hutts
      Resources: 2/5; Capability: 4/5; Bravery: 2/5; Criminal connections: 3/5

  91. Red Teams

  92. Internal pentesting

  93. Threat Hunting

  94. DevSecOps

  95. Security as code

  96. Compliance as Code

  98. Cloud configuration as code

  99. Pull requests = audit trail
