Inconceivable!
Rebooting the Enterprise Security Program
for Defensibility
Rafal M. Los – Principal, Strategic Security Services
ISSA International 2013

© Copyright 2013 Rafal Los – Rafal@IsHackingYou.com
. whoami
Rafal Los
Principal, Strategic Security Services
HP Enterprise Security Services
Advisory group delivering on strategy, operationalization, and tactical response.
Detect, Respond, Resolve in a meaningful way.
Rafal@HP.com
+1 (404) 606-6056

Rafal Los, Principal, Strategic Security Services, with HP Enterprise Security Services, brings a pragmatic approach to enterprise security. Combining nearly 15 years of technical, consulting and management skills in Information Security, Rafal draws on his extensive experience to help organizations build intelligent, defensible and operationally efficient security programs. He is an advocate for focus on sound security fundamentals and for the principles of "right defenses, right place, right reason". He is also a contributor to open standards and organizations, volunteering his time to groups such as OWASP and the Cloud Security Alliance. His blog, Following the White Rabbit, is his unique perspective on the various aspects of enterprise security, emerging technologies, and current events and can be found at http://hp.com/go/white-rabbit.
Prior to joining HP, Los defined what became the software security program and served as a regional security lead at a Global Fortune 100, contributing to the global organization's security and risk management strategy internally and externally. Rafal prides himself on being able to add a 'tint of corporate realism' to information security.
Rafal received his B.S. in Computer Information Systems from Concordia University, River Forest, Ill.

ISSA International Conference 2013

Security
Risk
Defensibility

To quote Inigo Montoya:
“You keep using that word, I do not think it means what you think it means.”

Security of yesterday

Security of today

your current security is the equivalent of the Maginot Line

your enemy will attack where you are weak

meanwhile …

security must enable the enterprise

security must maximize enterprise resources

security must adjust to adversaries

HOW?!

let’s start with adjusting goals

we know secure is a myth

so what is more realistic?

Detect the incident
Respond to the threat
Resolve the issue

disrupt the attack(ers)

The adversary attack ecosystem
Research → Infiltration → Discovery → Capture → Exfiltration
The chain runs across two domains in the diagram: “their ecosystem” and “our enterprise”.

Disrupting the adversary (the slide builds up one stage at a time; the complete mapping is)
• Research: Educating users; Counter-intelligence
• Infiltration: Blocking access
• Discovery: Identifying attacks
• Capture: Protecting the target asset
• Exfiltration: Planning damage mitigation

I know what you’re thinking!

“Oh, great, more products?”

maybe?

Products (alone) don’t solve this
• Security products don’t get fully implemented
• Processes and operational capabilities need to be developed
• Resources primarily spent on prevention
• Need to detect, respond, resolve

How well do you do BASICS?
• assets in your environment
• changes to your environment
• situational awareness and context

let’s do “security intelligence”

raw data (structured + unstructured data sets) → intelligence (refined, analyzed data)

Your logs are raw data

data analysis means…
finding this:
in this:

NON-TRIVIAL ACTIVITY

so now what?

now you make decisions in ‘real time’
Developing a scoring methodology (one way)
Tiered scoring process:
1 – applicability
2 – potential impact
3 – Threat Index (1~5)
  • Human-based analysis of the threat
    – Severity 1 – Severe
    – Severity 2 – Urgent
    – Severity 3 – Important
    – Severity 4 – Low
    – Severity 5 – Inconsequential
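One way to mechanize the three tiers above, as an added example (not the presenter's or HP's code): applicability is checked against an asset inventory, potential impact is taken from the asset's business criticality, and the threat index is the analyst's severity. The rule that combines impact and severity into one priority, the inventory and the alerts are all constructed assumptions, not something the slides specify.

```python
"""Tiered alert scoring in the spirit of the deck's 'one way' methodology.

Added example, not the presenter's code. Assumptions (not on the slides):
the three tiers run as a pipeline (applicability gate -> impact lookup ->
analyst severity) and priority = potential impact x threat index, where
1 is the most urgent. Inventory and alerts below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tier 3 labels exactly as the slide lists them (1 = most severe).
SEVERITY_LABELS: Dict[int, str] = {
    1: "Severe", 2: "Urgent", 3: "Important", 4: "Low", 5: "Inconsequential",
}

# Constructed asset inventory: the "assets in your environment" basic.
# Criticality reuses the 1..5 scale: 1 = business critical, 5 = throwaway.
INVENTORY: Dict[str, Dict[str, object]] = {
    "db-payments-01": {"platform": "linux", "criticality": 1},
    "web-public-03": {"platform": "linux", "criticality": 2},
    "kiosk-lobby-07": {"platform": "windows", "criticality": 5},
}


@dataclass
class Alert:
    alert_id: str
    asset: str                 # hostname the alert was raised for
    affects_platform: str      # platform the reported threat applies to
    analyst_severity: Optional[int] = None  # tier 3, set by a human (1..5)


def applicability(alert: Alert) -> bool:
    """Tier 1: does the threat apply to something we actually own and track?"""
    asset = INVENTORY.get(alert.asset)
    if asset is None:
        return False  # untracked asset: no inventory record, no context
    return asset["platform"] == alert.affects_platform


def potential_impact(alert: Alert) -> int:
    """Tier 2: impact is driven by the asset's business criticality (1..5)."""
    return int(INVENTORY[alert.asset]["criticality"])


def threat_index(alert: Alert) -> int:
    """Tier 3: the analyst's severity; unassessed alerts default to 3 (Important)
    so a missing review never silently drops an alert to Inconsequential."""
    sev = alert.analyst_severity
    if sev is None:
        return 3
    if sev not in SEVERITY_LABELS:
        raise ValueError(f"threat index must be 1..5, got {sev!r}")
    return sev


def priority(alert: Alert) -> Optional[int]:
    """Assumed combining rule: impact x threat index (1 = act now, 25 = ignore).
    Non-applicable alerts return None so they never consume analyst time."""
    if not applicability(alert):
        return None
    return potential_impact(alert) * threat_index(alert)


def triage(alerts: List[Alert]) -> List[Tuple[str, int, str]]:
    """Return (alert_id, priority, severity label) for applicable alerts,
    most urgent first; ties broken by alert id for a stable queue."""
    scored = [(priority(a), a) for a in alerts]
    applicable = [(p, a) for p, a in scored if p is not None]
    applicable.sort(key=lambda pa: (pa[0], pa[1].alert_id))
    return [(a.alert_id, p, SEVERITY_LABELS[threat_index(a)]) for p, a in applicable]


# Constructed alerts: two real hits, one noisy kiosk, two non-applicable ones.
SAMPLE_ALERTS: List[Alert] = [
    Alert("A1", "db-payments-01", "linux", analyst_severity=1),
    Alert("A2", "web-public-03", "linux"),                        # not yet reviewed
    Alert("A3", "kiosk-lobby-07", "windows", analyst_severity=2),
    Alert("A4", "kiosk-lobby-07", "linux"),                       # wrong platform
    Alert("A5", "unknown-host-99", "linux", analyst_severity=1),  # not in inventory
]

if __name__ == "__main__":
    for alert_id, prio, label in triage(SAMPLE_ALERTS):
        print(f"{alert_id}: priority {prio} ({label})")
```

The two non-applicable alerts are dropped at tier 1 before any analyst time is spent on them, which is the point of gating on the inventory basics first.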

The SPR Framework (developed by: Rafal Los)
Measure & Improve across four parts:
Part 1 – Baseline
  • Assessment of business ‘criticals’
  • Define ‘what’, ‘why’, ‘from whom’ for defensibility
Part 2 – Triage
  • Mitigate immediate deficiencies
  • Identify and triage active threats
Part 3 – Strategy
  • Define strategic ‘how’
  • Align to organizational goals, needs, resources
Part 4 – Tactics
  • Define tactical feedback
  • Strengthen tactical response

Measurably improving enterprise security
12-month plan to get you there:
• Understand your current operational state
• Develop a goal-oriented strategy
• Implement strategy and measure effectiveness
• Improve ability to detect, respond, resolve

Thank you

  • 31. How well do you do BASICS? © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 32. assets in your environment © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 33. changes to your environment © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 34. situational awareness and context © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 35. let’s do “security intelligence” © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 36. structured + unstructured data sets refined analyzed data raw data intelligence © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 37. Your logs are raw data © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 38. data analysis means… © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 39. finding this: © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 40. in this: © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 41. NON-TRIVIAL ACTIVITY © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 42. so now what? © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 43. now you make decisions © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 44. in ‘real time’ © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 45. Developing a scoring methodology (one way) 1 Tiered Scoring process 2 3 Threat Index (1~5) 2 potential impact • Human-based analysis of the threat – Severity 1 – Severe – Severity 2 – Urgent – Severity 3 – Important – Severity 4 – Low – Severity 5 – Inconsequential 3 1 applicability 45 © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 46. The SPR Framework Measure & Improve • Part 1 • Assessment of business ‘criticals’ • Define ‘what’, ‘why’, ‘from whom’ for defensibility Baseline Triage • Part 2 • Mitigate immediate deficiencies • Identify and triage active threats • Part 3 • Define strategic ‘how’ • Align to organizational goals, needs, resources Tactics • Part 4 • Define tactical feedback • Strengthen tactical response Strategy Developed by: Rafal Los 46 © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 47. Measurably improving enterprise security 12-month plan to get you there Improve ability to detect, respond, resolve Implement strategy and measure effectiveness Develop a goal-oriented strategy Understand your current operational state 47 © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com ISSA International Conference 2013
  • 48. Thank you © Copyright 2013 Rafal Los – Rafal@IsHackingYou.com

Editor's notes

  1. A debit card processing company was breached in India. To breach these companies, it is likely that profiles were developed on key employees. There are experts who build profiles: I want to attack company X. I find out who the top execs are. I might go on LinkedIn. I look at their Facebook posts. I know his friends, places he’s been, restaurants he checks into. I find out what he likes to do. It makes the victim easy to attack because the profiler knows things about him or her that not many people should know. If you are an expert profiler, you can build these profiles and sell them on the black market, i.e., the internet, to the highest bidder: I have 10 profiles from company X. Who wants them? Hackers buy these profiles because it is more efficient than doing the profiling themselves; it takes far less time to buy them than to build them. These hackers then breached the company. They might have used a phishing attack and installed malware to break into the network and use the employee’s credentials. They may build their own toolkits, or go online and rent botnets for $18/day, or buy a Zeus kit for $7K or so. They only had to be right once. It is likely that after these companies were breached, the hackers raised their hand and sold these breach points to the highest bidder: I have 50 access points. Who wants to buy that? After the breach, we don’t know how long the adversary was there. It could have been months… years? Then the person who’s really good at using those access points, figuring out where your sensitive data is, mapping your environment and figuring out your configurations, creates this map, raises their hand and sells it on the Internet to the next person. Eventually the criminals were able to access some critical databases and change the account profiles, including withdrawal limits and account codes.
This information was taken out of the company and provided to their colleagues or sold to a third party. From there the cards were made and the teams hit the streets to withdraw cash from the ATMs. This information is monetized and feeds this entire ecosystem. Are there vertically integrated bad guys? Yes: nation states, large criminal organizations. But if someone is more efficient and more effective at one of those stages, why wouldn’t you just buy it? When talking about cyber security, we focus too much on the specific actors, whether state-sponsored, “hacktivist” or cyber criminal. We need to focus on the full marketplace in which these actors participate. The market organizes these actors around the market processes for breach, enabling disparate parties to collaborate. As actors specialize in this marketplace, in order to make more money, innovation is extraordinary. This criminal ecosystem is much more efficient at creating, sharing and acting on security intelligence than the ecosystem that exists to defend our customers. The standardization of security policies has done a great deal to raise the bar for our industry, but it will continue to fail to make us secure because it lacks focus on the adversary. No framework discussed in committee will be able to evolve as fast as a marketplace. We need to build our response in a way that disrupts the adversary at every step of their process.
  2. For us, we need to define a new defense in depth: build our capabilities at each stage of their value chain. Obviously we do some of these things. We teach people how to be less vulnerable: how do you go on the internet without clicking on the links that will download the latest virus to your laptop? You are only as secure as the behavior of your employees, and we need to do more work here. We spend money building capabilities trying to keep the adversary out of the organization. We may stop 10,000 attacks, but they only have to be right 1 time. And they are extremely good at evading us.
  4. We need to look at solutions that help us determine that something is afoot. In building out the capabilities for disrupting the discovery and capture stages, big data and the ability to process large data sets in real time and at scale is powerful. We need to look at the data you have in your organization to find something that is unusual. If a verified employee, i.e., the individual whose profile was hacked, starts doing something uncharacteristic like accessing file shares they haven’t before or changing database records, you should know about it. If data flows don’t match predicted processes, alerts should be set off. Now, what these criminals are looking for is your critical data: IP, customer information, etc. What are you doing to protect your critical data? Is it encrypted? You should know when it is being moved, accessed inappropriately, or sent outside the organization in an email, a post on a Facebook account, or stored on cloud storage. The increase in the types of information that can be correlated from all over the enterprise and from data outside the enterprise is phenomenal. Organizations are monitoring the cyber black markets for your enterprise’s sensitive data and including data from cloud infrastructures in your security operations environment. We are working with companies to combine employee sentiment with abnormal access behavior to find malicious insiders. Finally, the adversary will beat us at some point. What capabilities do we have for responding after they have won?
  7. How the SPR framework looks at your organization, to analyze and devise a forward-moving plan for measurable improvement.
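An added example, not from the deck or its author, of the raw data → refined → analyzed → intelligence pipeline on slide 36 applied to the detection idea in note 4: it parses constructed file-share access log lines, learns each user's baseline set of shares over a learning window, and alerts once on the first access to a share outside that baseline. The log format, user names and share paths are assumptions made for the example.

```python
"""Baseline-and-deviate detection over file-share access logs.

Added example (not from the slides): raw lines are parsed (refined), a
per-user baseline of shares is learned (analyzed), and first-seen share
access after the learning window becomes an alert (intelligence).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, format assumed: "ISO-timestamp user action share"
RAW_LOG = r"""
2013-09-02T09:01:00 alice READ  \\fs01\finance
2013-09-02T09:15:00 alice READ  \\fs01\finance
2013-09-03T10:02:00 bob   READ  \\fs02\engineering
2013-09-04T11:20:00 alice READ  \\fs01\finance
2013-09-10T02:13:00 alice READ  \\fs02\engineering
2013-09-10T02:14:00 alice READ  \\fs03\hr-payroll
2013-09-10T02:20:00 alice WRITE \\fs03\hr-payroll
"""


def parse(raw):
    """Refine raw text into (timestamp, user, action, share) tuples."""
    events = []
    for line in raw.strip().splitlines():
        ts, user, action, share = line.split()
        events.append((datetime.fromisoformat(ts), user, action, share))
    return events


def build_baseline(events, end):
    """Per-user set of shares seen strictly before `end` (learning window)."""
    seen = defaultdict(set)
    for ts, user, _action, share in events:
        if ts < end:
            seen[user].add(share)
    return seen


def detect(events, baseline_end_iso):
    """Alert once per (user, share) on the first access, at or after the
    baseline cut-off, to a share absent from that user's baseline.
    Returns a list of (user, share, first_seen_iso)."""
    baseline_end = datetime.fromisoformat(baseline_end_iso)
    known = build_baseline(events, baseline_end)
    alerts = []
    for ts, user, _action, share in sorted(events):
        if ts >= baseline_end and share not in known[user]:
            alerts.append((user, share, ts.isoformat()))
            known[user].add(share)  # suppress repeat alerts for this share
    return alerts
```

In the sample, alice's routine finance access is learned as normal, while her 02:13 and 02:14 visits to the engineering and hr-payroll shares after the cut-off each raise exactly one alert; the later WRITE to hr-payroll is suppressed as already known.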