It’s Time For Change! - CounterMeasure 2019 (transcript)
It’s Time For Change!
The 1990s called – They want their appsec program back.
June 1980-something!
Security Engineer
Security Consultant
Security Researcher
Business Analyst
VP Marketing?!
How The World Does Business Has Fundamentally Changed…
“The modern business world is completely decentralized and mobile. In a knowledge
economy you have to go where the knowledge is.”
Tyler Shields - 2016
Work In The 1990s
Tyler’s Home Office 1999
Work Today
• Decentralized
• Mobile
• Collaborative
• Rapid
• Empowered
Signal Sciences Offices: Venice California. We’re HIRING!
“In a hyper connected world, experience doesn’t matter as much as total sum of
wisdom and the speed in which we can find an answer.”
Tyler Shields - 2016
Experience Curve
As you increase the volume of production, the cost per unit goes down (1960s)
• Improvements in process
• Labor efficiency
• Product redesign
• Automation improvements
Collaboration Curve
The more participants–and interactions between those participants–you add to a carefully designed and nurtured environment, the more the rate of performance improvement goes up.
• Human capital network effect
• How does this work with decentralization?!
Technology Integration Advancements
Bug Tracking
• Jira
• Bugzilla
• Pivotal Tracker
ChatOps
• Slack
• HipChat
Alerting Services
• PagerDuty
• OpsGenie
• VictorOps
• DataDog
CI/CD
• Jenkins
• Travis CI
• Puppet
• Chef
• Ansible
Vulnerability Tracking
• Rapid7
• Beyond Security
• Qualys
Logging
• Splunk
• Kibana
• QRadar
“Markets and buyers change their mind faster than ever before. Buyers are fickle.
Here today, GONE tomorrow.”
Tyler Shields - 2016
Path To 50M Users…
Question:
How quickly did these fall and what replaced them?
Pace of the climb is matching pace of the eventual fall.
Business Success Demands Speed Of Innovation…
http://techbeacon.com/10-companies-killing-it-devops
Etsy
•"Over 50 Deploys A Day"
Amazon
•"Deploys to production on average every 11.6 seconds"
•"Minimum of bi-weekly app updates"
Adobe
•"Sees more than 60% increase in app delivery rate with DevOps Platform”
Sony Pictures Digital Media Group
•"Since adopting a continuous delivery model, DMG has cut down it’s month long delivery time to just minutes”
Fidelity
•"Implemented DevOps reducing release time from 2-3 days to 2-3 hours."
Agility refers to distinct qualities that allow an entity to respond rapidly to changes in the internal and external environment without losing momentum or vision.
Tyler Shields - 2016
Business
Find Product Market Fit
Fail Fast
“In”trepreneurial Innovation
Lean Business Model
Technology
Embrace Change
Push Often
Data and Visibility
Rapid Response
Technology Agility Achieved Via The Cloud…
• Everything As A Service
• Workloads Vs. Processes
• Rapid Prototyping
• Minimum Viable Product
http://www.winter-park.com/strategy/
“Safety can lead to irrelevance. Chaos is full of risk. The edge of chaos is continual adaptation. This is where relevance and growth live.”
#EDGEOFCHAOS
YET Security Remains Static…
“In security, the root of all evil lies in exactly two locations: errors in code and errors in business processes. There is nothing else.”
Tyler Shields - 2016
Verizon DBIR 2016: Web Application Attacks Are The #1 Source Of Data Breaches
Traditional App Security Technology Stack
Manual Assessment
• Late 1990s
DAST
• Early 2000s
WAF
• Mid 2000s
SAST
• Mid 2000s
[Timeline figure: product/vendor dates shown on the slide: 1997-2004, 1999, 1999, 2000, 2001, 2001, 2002, 2003-2010, 2004, 2006, 2011]
Manual Assessment
Humans are expensive
Humans are error prone
Humans are inconsistent
Humans are SLOW
Dynamic Application Security Testing
Typically “Quick and Dirty”
FN/FP Prone
Increases workload of your security analysts
Unsure of code coverage
Multi-step attacks typically undiscoverable without human interaction
Web Application Firewall
• Expensive to maintain
• Not scalable
• Resource draining
• Breaks everything!
Static Application Security Testing
Expertise Required
Developer Heavy
Long Processing Time
FP / FN Prone
Practically rocket science!
Security Technology Adoption
Amy DeMartine: The State Of Application Security: 2016 And Beyond – Forrester Research
Adoption rates, 2013 vs. 2016 (change in parentheses), as shown on the slide and listed in slide order:
• Architecture Reviews: 31% (+4%)
• SAST: 27% (+5%)
• DAST: 26% (+4%)
• Fuzz Testing: 14% (+11%)
• Manual Penetration Testing: 30% (+6%)
Rick Holland: Forrester Blog 2015
“Expense in Depth: The multilayered approach to ensuring minimal return on investment.”
To Fix The Problem Security Must…
“Apply the learnings of modern successful business practices to security programs and processes.”
Tyler Shields - 2016
Security MUST: Decentralize and Become Mobile
ACTION: GET THE HELL OUT OF THE WAY OF BUSINESS!
Security MUST: Increase the SPEED of decisions and execution.
ACTION: FIND WAYS TO INCREASE EXECUTION SPEED
Signal Sciences Customer 2016 – Developer BullPen
Security MUST: Provide security visibility to ALL!
ACTION: NO MORE SILOS! SHARE SHARE SHARE!
Security MUST: Ease the burden of security concepts
ACTION: MAKE YOUR DATA CONSUMABLE – NOT ROCKET SCIENCE
Security MUST: Increase collaboration between individuals and teams. Eventually becoming a part of the culture.
ACTION: MAKE YOURSELF INVISIBLE
Security MUST: Embrace life on the edge of chaos. It’s not such a horrible place to live after all.
Tyler Shields: 2016
It Might Feel Like This…
But really it’s just about finding the right vantage point to view reality.
It’s Time To Change..
• Decentralize and mobilize your security program
• Go faster, become an enabler, just say yes, get SHIT DONE!
• Break down silos. Share data with everyone. Collaboration is king.
• Demystify security data. Knowledge is power, give your entire company knowledge.
• Become invisible. Security wins when it ceases to exist.
• Embrace life at the edge of security chaos.
Thanks A Bunch!
Tyler Shields
VP Marketing Strategy Partnerships
@signalsciences
@txs
Complexity
Complex is made up of two Latin words: com (meaning: "together") and plex (meaning: "woven")
Intelligence
Intelligence: "understanding, knowledge, power of discerning"
Innovation
- What is it
- What has it done to the world
- What has it done to security? Problem statement.
- How come we haven’t solved the problem…
- What can we do to solve the problem?
November 23, 2016 46
Signal Sciences NGWAF | WAF | RASP | CDN WAF
Signals Based Attack Detection ✓ ✓ ✓ ✓
Blocking Used in Production ✓ ✓ ✓
Maintenance ✓ ✓ ✓
Ease of Installation ✓ ✓
Deployment Scalability ✓ ✓
Anomaly Data Detection ✓ ✓ ✓
Detection of Business Logic Attacks ✓ ✓
Policy and Compliance ✓ ✓ ✓ ✓
Successful Attack Detection* ✓ ✓
Language Support / Cross Platform ✓ ✓ ✓
Performance Impact ✓ ✓ ✓ ✓
Continuous Improvement
Increased Integration Counts