Michael Sutton

Michael Sutton has dedicated his career to conducting leading-edge security research, building world-class security teams and educating others on a variety of security topics. As CISO, Sutton drives internal security and heads Zscaler's Office of the CISO, a team engaging security executives at a peer level to drive best practices and facilitate industry wide collaboration on emerging security topics. The Office of the CISO is also responsible for providing subject matter expertise through speaking engagements, blogging and media collaboration.

Prior to Zscaler, Michael helped build other pioneering security startups, including SPI Dynamics (acquired by Hewlett-Packard) and iDefense (acquired by VeriSign). Sutton is also the co-author of “Fuzzing: Brute Force Vulnerabilities,” an Addison-Wesley publication.

Presentation Title
Criminals don’t wear orange jumpsuits in public

Nabbing criminals would be so much easier if they simply wore orange jumpsuits while walking down the street. We could clearly see them, avoid them and lock them up. Stopping malware is no different. If a webpage or a binary file had clear attributes to identify it as malicious, stopping threats wouldn’t be a challenge. Unfortunately, that’s not the case. Malware authors, like criminals, know that blending in is key to not getting caught, and they’re very good at it. Despite this fact, the majority of enterprises heavily rely on security controls that depend on being able to accurately separate good traffic from bad. This approach not only creates a significant point of failure, but the average enterprise also has massive blind spots due to its network architecture, corporate policies and misplaced trust.

For the same reasons that enterprises have adopted hosting services and cloud-based platforms, so too have attackers. Malware is hosted on the same servers, domains and IP addresses as legitimate traffic. Source is no longer a reliable attribute for identifying risk, which has rendered many blacklisting, whitelisting and reputation-based controls ineffective. To complicate matters further, even when security controls would be effective, the traffic itself often can’t be inspected. Due in large part to privacy concerns stoked by the Snowden revelations, Internet properties are racing to implement SSL by default on all sites. Most enterprises are unable to inspect SSL traffic, either because they lack the necessary infrastructure to do so, or because they have not tackled the regulatory hurdles or internal perception issues that would permit inspection in the first place. Additionally, traffic from trusted sources often receives less scrutiny, or none whatsoever. In the end, we’re left with a fragile and porous security framework in which only a portion of traffic is inspected and controls largely rely on the ability to spot orange jumpsuits.

As a cloud-based platform, we have the luxury of observing not only the attacks targeting millions of end users, but also the policies put in place to combat these threats. In this talk, we’ll walk through case studies of specific real-world threats and review statistics gathered from observing traffic patterns and security policies for the thousands of enterprises leveraging the Zscaler cloud. We’ll identify the approaches to threat protection that are working and those that aren’t in a world where we can’t rely on spotting orange jumpsuits.


Conference Highlights

New Venue
Don't miss the best cyber security conference in Australia at the Surfers Paradise Marriott, only 150 m from Surfers Paradise beach

Conference MC
Comedian and Mathematician Adam Spencer will host the conference, Gala Dinner and Speed Debate

Career Café
Retreat to the back of the exhibition away from the noise for a real coffee at the AusCERT2016 Career Café and chat with specialist Infosec recruiters