
Security Operations in the Cloud

An in-depth look at Security Operations in the Cloud. Join us as we discuss: Cloud Security, Secure Cloud Topology, Kill Chain and Threat actor motives.

Published in: Technology


  1. Security Operations In the Cloud – Jeff Schilling, Chief Security Officer
  2. Today’s Speakers – Jeff Schilling, CISM, Chief Security Officer, FireHost
     • Former Director of the Global Incident Response practice for Dell SecureWorks
     • Colonel, Retired – Former Director of the Global Security Operations Center for U.S. Army’s Cyber Command
     • Former Director of the DOD’s Global NetOps Center for JTF-GNO
  3. Agenda
     • The Security Landscape – Threats, Actors & Motives
     • Why SecOps?
     • SecOps Concept, Roles & Topology
     • The OODA Loop
     • Kill Chain
     • Use Case
     • Questions & Answers
  4. Security Landscape – Threats, Actors & Motives
  5. Types of Threats: Commodity Threat, Targeted Threat, Advanced Targeted Threat
  6. Threat Motives: Hacktivists / Cyber War, Crime and Fraud, Intellectual Property Theft
  7. Why Security Operations?
     • It’s about risk reduction
     • It’s about reducing your attack surface area
     • It’s not about the tools you use, it’s about how you use them
  8. People, Process & Technology
     • PEOPLE: The only cloud provider with a CSO, CISO, SecOps and InfoSec team protecting customers, not just internal operations.
     • PROCESS: A security-centric approach to everything we do – from customer onboarding and support to the most advanced security operations of any cloud provider around.
     • TECHNOLOGY: The industry’s only cloud built secure from day one, with top security products orchestrated as one automated system unlike any on the market; no bolted-on, added-expense gimmicks.
  9. Security Operational Concept – Protect, Detect, Respond, Recover (P/D/R/R), with Threat Intelligence feeding every phase and Cyber/Physical Security; the slide’s formula: Threat + Vulnerability, divided by Security Ops (P/D/R/R), = Risk Mitigation
  10. Security Operations Roles – Security Ops Organization: Threat Intelligence, Security Operations Center (SOC), Incident Management, Security Device Management, Vulnerability Management, Forensics, Friendly Network Forces, Security Architect
  11. Secure Cloud Topology
  12. Secure Cloud Topology – Direct Support and Indirect Support
  13. Targeting Methodology – The OODA Loop as a Cloud Security Framework (military defense concept created by the Air Force in the Korean War): Observe, Orient, Decide, Act
  14. The Kill Chain – Threat Types
     • 1 Reconnaissance: open source research, social network research, Google research, port scan, IP sweep
     • 2 Weaponization: combine the exploit tool with the method
     • 3 Distribution & Strategy: phishing email, website drive-by, SQL inject script
     • 4 Exploitation: infected Word doc or PDF is opened, JavaScript exploited in browser, command line SQL inject
     • 5 Persist / Lateral Movement: registry key changed, privilege escalation, look for open connections
     • 6 Command & Control: malware or compromised system reaches out for instructions
     • 7 Action on Target: search the target, destroy or disrupt, package and prepare for and exfil data
  15. The Kill Chain – Controls by Phase
     • 1 Reconnaissance: threat research (happens outside of our network boundaries)
     • 2–7: the slide maps the remaining phases onto IPRM, WAF, vGW, NIDS, Malware Detection, Malware Protection and VTM (the original figure does not survive the transcript, so the exact phase-to-control assignment is not reproduced here)
  16. Threat Actor Case Studies
  17. Threat Actor Use Case – A threat actor compromises a FireHost customer web server through a WordPress vulnerability and begins using the host to send spam email with malicious attachments outside of the environment. FireHost then receives abuse complaints following the attack.
     • This type of attack requires intermediate (B) or more advanced skills, but is commonly seen at the intermediate layer.
     • Results of this type of attack could include FireHost reputation damage due to our IPs being blacklisted, as well as possible data loss to the customer through the mail sender.
     • The SOC detects similar attacks weekly within our customer environment.
     • P-D-R Kill Chain Mapping – Threat Scale Rating: 3-4
  18. Threats are everywhere… Security must be too
  19. Questions & Answers
  20. Thank You – Please visit us at firehost.com · Email sales@firehost.com · Phone (US) +1 877 262 3473, (UK) +44 800 500 3167
