Crowdsourced Security at the Government Level: It Takes a Nation (of Hackers)


SESSION ID: ASD-W11. Crowdsourced Security at the Government Level: It Takes a Nation (of Hackers). Jay Kaplan, CEO/Cofounder, Synack, @JayKaplan

whois: jay@synack.com, @jaykaplan, www.synack.com. Synack combines crowdsourced security researchers with technology to discover security vulnerabilities in our customers' web apps, mobile apps, IoT devices and infrastructure endpoints.

Crowdsourcing: It's Everywhere

Why? Diversity of ideas; access to talent and expertise; scalability; incentive-driven motivation.

Idea Generation & Corporate Innovation

Government Agencies Leveraging Crowdsourcing: DoD, NSA, NIH, HHS, EPA, NIST, FDA, NASA, to name a few.

Some challenge.gov examples:

Robocall Challenge (FTC, 2012). Objective: block illegal robocalls. Prize: $50,000.

Astronaut Glove Challenge (NASA, 2010). Objective: design an improved, flexible glove for use by NASA's astronauts. Prize: $450,000 ($250,000 for first place).

Wendy Schmidt Oil Cleanup X Challenge (NOAA, Dept of Interior). Objective: create a highly efficient method of cleaning up oil spills from the ocean surface. Prize: $1.4M ($1M for first place).

What about Cyber Security?

Over 70% of security professionals believe the cybersecurity skills shortage does direct & measurable damage to the organization.

Over 93% of organizations take just minutes to compromise.

Over 75% of organizations report at least one breach/year (that they know about).

Over 1 Million cybersecurity jobs remain unfilled (1.5 Million by 2019).

The Government wants to respond

But it's not that easy. "Recruiting and retaining Army civilian cyber talent is challenging." - Lt. Gen. Edward Cardon, former Commander, Army Cyber Command. "We are about halfway through the overall build, in terms of manning for the cyber mission." - Lt. Col. Valerie Henderson, Pentagon

Yet the attacks continue. "The cyber threat is real... cyber threats are increasing in frequency, scale, sophistication and severity of impact." - James Clapper, (now former) Director of National Intelligence. Clapper declared to Congress last year that cybersecurity is the top threat our nation faces, even more so than terrorism.

The gap is widening. Sources: GAO Report on Information Security, FISMA Annual Report to Congress, Morgan Stanley Blue Paper on Cybersecurity, Synack Analysis


Could Hackers be the Answer, NOT the Problem? Would the government ever consider crowdsourcing hackers to help fill this gap?

Enterprise Organizations Are Doing It. Public: hundreds, if not thousands, of programs today. Private/invite-only: >80% of programs are private.

Bug Bounty: How it Works. Bug Bounty programs pay external security researchers a bounty for finding vulnerabilities in a company's IT assets. The flow has five stages:

Crowd of bug bounty participants/hackers -> (1) submit vulnerabilities through a web platform or security@ inbox -> (2) internal and/or external security team(s) review submissions -> (3) valid bugs are passed on to the remediation/dev team -> (4) the bounty payment/administration team rewards the hackers.

Historical Adoption of Bug Bounty Programs. Netscape started one of the first bug bounties back in 1995, followed by a big gap in time until further adoption. 2010 saw adoption by Google; fellow tech giants soon followed. Early programs were open, self-managed bug bounty programs. Since then there has been a massive transition toward the private/invite-only model, plus hundreds of other organizations. (Timeline on slide: 1995, 2004, 2010, 2011, 2012, 2013, 2014, 2015, 2016.)

Benefits of Bug Bounties. Advantages of bug bounty programs:

Adversarial/hacker perspective: external hackers provide visibility into what adversaries truly see.

Incentive-based testing: bounty rewards drive testing activity. No valid bug reports, no rewards.

Scalable: grow pen testing and red teams with hundreds/thousands of hackers.

Diverse & adaptive: not limited in diversity, instead fueled by a multitude of hacker vantage points.

Continuous: not limited in time & scope, instead can provide continuous testing coverage.

So Let's Look Back to RSAC 2016

It works!

The results: "Through this pilot, we've found a cost-effective way to support what our dedicated people do every day to defend our systems and networks, and we've done it securely and effectively. And the results exceeded our expectations."

Time for Expansion

What did it look like?

FA1 vs. FA2: Scope

FA1: intends to conduct crowdsourced vulnerability discovery & disclosure services against several websites and their subdomains, owned by one of the Military Departments; the sites have static content and dynamic fields with HR data in the backend.

FA2: conduct private crowdsourced vulnerability discovery & disclosure activities against the source code and operational instantiation of one or more modules in a DoD file transfer capability; the capability includes dozens of distinct components, and scope would include 1.) ~200-500k lines of DoD contractor developed and maintained code owned by DoD and 2.) a live internal DoD application accessible via the DoD intranet.

FA1 vs. FA2: Eligible Participants

FA1: The challenge will be opened to all U.S. persons but limited to 400 registrants, preferably recruited based upon expertise by the contractor.

FA2: Both the proprietary code and software are sensitive Government assets. Therefore, the FA2 contractor will be required to maintain a private community of skilled and trusted researchers, diverse in skillset, and able to conduct both deep binary hacking, web-based attacks, reverse engineering, and network and system exploitation. Will be closed, by invite only. Researchers will have passed criminal background checks. For this FA2 task order, Gov't expects researcher quality over quantity.

FA1 vs. FA2: Task Execution & Platform Capabilities

FA1 platform mechanism for: participants to apply/participate & submit vuln reports; communication between contractor & participants; contractor to triage reports & submit to Gov't remediation teams; Gov't remediation team to communicate & coordinate with contractor's triage team.

FA2 platform mechanism for: comprehensive vuln report triaging, validation, prioritization & reporting to DoD within 48 hrs; secure portal through which all testing occurs, with full packet capture enabling continuous monitoring & auditability; participants apply (vetting) and submit full reports; conduct all management & coordination with the researcher community and project management & coordination with DoD remediation teams.

Government Acquisition Processes

Defense Digital Service moved at Silicon Valley speed. Agile Acquisition! RFI out 6/22/2016; RFI due 7/8/2016; RFP out 8/9/2016; RFP due 9/8/2016; Award 9/30/2016.

DoD Expansion > Two-pronged effort (Review)

Functional Area 1: Public Facing Domains. Participants: open to all US persons. Process: triage of all vulnerabilities. Technology: Vulnerability Management System.

Functional Area 2: Sensitive IT Assets. Participants: vetted, cleared, invite-only crowd. Process: triage + full auditability. Technology: Vulnerability Management System, Secure Gateway & full packet capture.

Bug Bounty vs. Hack the Pentagon. For the first time in DoD history, the Pentagon invited a crowd of ethical hackers to test one of their sensitive systems. The flow:

US & allies' most advanced researchers are vetted and invited to participate via the contractor platform -> (1) replicated target in a cyber range; all researcher activity routed through a secure gateway and trackable IP -> (2) critical vulns start flowing in! Contractor triages and prioritizes all submissions -> (3) real-time adversarial intelligence is passed onto DoD remediation teams and SECDEF Mattis addresses -> (4) contractor rewards hackers with bounties for each vuln submitted!

Hack the Pentagon Mentality Shift. Hack the Pentagon has become increasingly progressive in its targets: hacking a DoD marketing site; launching a crowdsourced security policy (DoD Vulnerability Disclosure Policy); hacking an Army recruiting website; hacking internal sensitive assets (Hack the Pentagon: Critical Assets).

Recent Success. Hack the Pentagon: Critical Systems. For the first time, the DoD invited a crowd of hackers to test one of their complex, sensitive systems. Some of the results: 80 top researchers; <24 hours to find the first critical vulnerabilities; >$30,000 payout for a vulnerability.

Adoption of Crowdsourced Security. Gartner predicts 5 to 10 years to mainstream market adoption.

What's next? Platforms? Mission Control Systems? Databases? Critical Infrastructure?

Why Wait? How Can You Get Started Today? Decide how much risk you're willing to take on, paired with your overall objectives. A few things to consider: 1. Nice to have vs. key component/replacement of security testing. 2. Public vs. private/invite-only. 3. Self-run vs. hosted vs. fully-managed. 4. Requirements & controls. 5. Budget, value & ROI.

Why Wait? How Can You Get Started Today? What you'll need: 1. Clear scope & rules of engagement (ROE). 2. Clearly documented submission guidelines & process flow for researchers. 3. Clear bounty/swag/acknowledgement expectations. 4. Dedicated triage, response, and award personnel. 5. Plans to integrate valid bugs into remediation workflows. 6. Legal, security, business, PR/comms alignment. But there are companies here to help.
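The first two items on that list (a clear scope/ROE and a documented submission flow) are where self-run programs most often go wrong in practice: reports against hosts that were never in scope, duplicate reports for the same bug, and triage that quietly slips past its deadline. The following is an added example, not code from the talk or from Synack, of a minimal intake check that enforces those two items. The hosts, researcher names, bounty table and report titles are constructed for illustration; the 48-hour triage window mirrors the FA2 reporting requirement described above but is otherwise an assumed program parameter.

```python
"""Added example (not from the talk or Synack): scope/ROE enforcement,
duplicate detection and a triage-SLA check for a crowdsourced program.
All hosts, names and amounts below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib

# Assumed program parameter; mirrors the 48-hour reporting window quoted for FA2.
TRIAGE_SLA = timedelta(hours=48)


@dataclass
class Scope:
    """In-scope entries are exact hosts or '*.domain' wildcards.
    Out-of-scope entries are exact hosts and always win over a wildcard."""
    in_scope: set[str]
    out_of_scope: set[str]

    def host_allowed(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        if host in self.out_of_scope:
            return False
        if host in self.in_scope:
            return True
        for pattern in self.in_scope:
            if pattern.startswith("*."):
                # Keep the leading dot in the suffix so that a look-alike such as
                # 'evil-example.mil' is NOT treated as a subdomain of 'example.mil'.
                # Note this also excludes the bare apex 'example.mil'; list it
                # explicitly if it is meant to be in scope.
                if host.endswith(pattern[1:]):
                    return True
        return False


@dataclass
class Submission:
    researcher: str
    host: str
    title: str
    received: datetime
    severity: str  # "critical" | "high" | "medium" | "low"

    def fingerprint(self) -> str:
        # Normalise host and title so trivially re-worded duplicates collide.
        key = f"{self.host.lower()}|{self.title.strip().lower()}"
        return hashlib.sha256(key.encode()).hexdigest()[:16]


@dataclass
class Program:
    scope: Scope
    bounty_table: dict[str, int]
    seen: dict[str, str] = field(default_factory=dict)  # fingerprint -> first reporter

    def triage(self, sub: Submission, now: datetime) -> dict:
        """Apply ROE, dedup and SLA rules to one report; returns a decision record."""
        if not self.scope.host_allowed(sub.host):
            return {"status": "rejected", "reason": "out of scope", "bounty": 0}
        fp = sub.fingerprint()
        if fp in self.seen:
            return {"status": "duplicate",
                    "reason": f"first reported by {self.seen[fp]}", "bounty": 0}
        self.seen[fp] = sub.researcher
        deadline = sub.received + TRIAGE_SLA
        return {
            "status": "accepted",
            "bounty": self.bounty_table.get(sub.severity, 0),
            "triage_deadline": deadline,
            "sla_breached": now > deadline,
        }


def demo() -> list[dict]:
    """Run five constructed reports through the program and return the decisions."""
    scope = Scope(in_scope={"*.example.mil", "careers.example.mil"},
                  out_of_scope={"legacy.example.mil"})
    program = Program(scope, {"critical": 5000, "high": 2000, "medium": 500, "low": 100})
    t0 = datetime(2016, 10, 1, 9, 0, tzinfo=timezone.utc)
    reports = [
        Submission("alice", "careers.example.mil", "Reflected XSS in search", t0, "medium"),
        # Same bug, different casing/whitespace: should dedup against alice's report.
        Submission("bob", "careers.example.mil", "reflected xss in search ", t0 + timedelta(hours=1), "medium"),
        # Look-alike host outside the wildcard: must be rejected.
        Submission("carol", "evil-example.mil", "Injection in login form", t0, "critical"),
        # Explicitly excluded host: rejected even though it matches the wildcard.
        Submission("dave", "legacy.example.mil", "Default credentials", t0, "high"),
        # Received 60 hours ago: accepted, but the 48-hour triage SLA is already breached.
        Submission("erin", "api.example.mil", "IDOR on /records", t0 - timedelta(hours=60), "critical"),
    ]
    now = t0 + timedelta(hours=2)
    return [program.triage(r, now) for r in reports]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The wildcard comparison keeps the leading dot on purpose; an `endswith("example.mil")` check without it is a common mistake that silently admits look-alike domains into scope, which is exactly the kind of ambiguity a written ROE is meant to remove.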

That said, will we be asking about your crowdsourced network of hackers next year, not your Ubers?

Thank You