Amber - A technical implementation of a hybrid security model -
Disclaimer: I like my job and it is also the only one that I have, so I would like to keep it. With that in mind, the views and claims (no matter how plausible) are my own and do not reflect the views or opinions of my employer. Even though the presentation is rated A, or Awesome (and All ages), I will probably swear because that is how I talk. If that bothers you then I am sorry, and please feel free to leave the room now. Give hugs not drugs, and eat your veggies.
About Me (the past): Ex-musician; re-rolled BCom Econometrics (at here!); investment banker (...and you think we have an immoral industry); 2008 financial crash! Took an arrow to the knee; re-rolled sysadmin, and slipped into infosec.
About Me (the present): Husband; ISO for FNB Wealth / RMB Private Clients (Blue Team bias); working towards an MSc in infosec... and hopefully a PhD after that (for the lulz)... and because research is the most fun you can have by yourself.
About Me (contacts) Email: adam@closehelm.com Website: www.usintrust.com Twitter: @usintrust Channel: Archaeon in #zacon
Our Path: The Tool Box Disassembled; History; Applying new things; AMBER!; 0day (get excited); Bonus finding.
Antivirus: If I know who you are, then we already have problems.
IPS: Don't you worry. I've seen it all.
Decision through Detection (DtD): Decisions are driven by detecting known malicious 'things'.
Honeypots: Unused space has never been this useful.
Decision through Presence (DtP): Decisions are driven by the presence of 'things'.
DtD Cost Analysis; Discovery Phase: Cost of Detection = (TCoR/n) + (DC * n)
DtD Cost Analysis; Action Phase: Cost of Action = n * FPRate
DtD makes this possible: $2 Billion in revenue, 7,000 Employees
DtD's Action phase is cheap and extremely effective. It is the Tony Montana of security models: it leans entirely on the Discovery phase and executes its outcomes.
DtP Cost Analysis; Discovery Phase: Cost of Presence = if i
DtP Cost Analysis; Action Phase: Cost of Action = ((i * threshold) * RCperi) * n
DtP's Discovery phase is basically free, instantly classifying information as non-productive. It is The Mentalist of the security model world.
Amber Distributed Nodes
Summary: There is no Magic Quadrant or compliance tick box for this sort of security control. There is no stick that made us implement it. There is only the carrot of improved security. Chase the carrot.