Where did we go wrong?
Where did we go wrong?
1. Addressing information overload/alert fatigue
2. Blind spots
3. Control over environment
Hi, I’m the needle in this haystack
Where did we go wrong? Fatigued yet?
[Slide image: a wall of "BARK!" alerts with the single real signal buried among them]
Getting better?
Three big (non-malware) problems in Security today
1. Addressing information overload/alert fatigue
2. Blind spots
3. Control over environment
Enterprise security spending vs blind spots
Most enterprise spending is tied up in the perimeter
Blind Spot #1: The Endpoint
Blind Spot #2: Internal network communications (East-West traffic)
Blind Spot #3: The Cloud
Blind Spot #4: Data
Three big (non-malware) problems in Security today
1. Addressing information overload/alert fatigue
2. Blind spots
3. Control over environment
Where did we go wrong?
1. Not enough root cause analysis
2. Not enough process improvement (if any)
3. Even when we do succeed, we force the attacker to change tactics. Are we ready for that?
Where did we go wrong? Prevention and Evasion
Day 1: Zeus Trojan delivered as a PE (.exe). Preventative controls block it. Endpoint protected.
Day 2: Zeus Trojan delivered as Java (.jar). Preventative controls fail; the JAR reassembles the EXE on the endpoint. Endpoint infected.
How did that work?
State of Endpoint Security and EDR Primer
Why is the endpoint important?
1. This is where work happens
2. One of the easiest paths into a company
3. BYOD and ShadowIT are unsolved problems
How I see the market
• Prevention (pre-execution)
• Detection and Data Collection (post-execution)
• Platform Hardening
80+ vendors; 50/50 split complementary/primary
Buzzword Bingo: NGAV and EDR definitions
NGAV: The ability to stop threats without prior knowledge of them
EDR: Endpoint Data Recorder (a slight acronym modification)
Endpoint categories: What’s driving them?
NGAV
• NEED: a better malware mousetrap
• WHAT: Automated detection of unknown threats
• WHY: auto-generated malware gets through
EDR
• NEED: endpoint visibility; serious blind spot otherwise
• WHAT: Record detailed endpoint data
• WHY: detect attacks that defeat 1st layers of defense
Hardening
• NEED: More permanent, resilient solutions
• WHAT: Wide variety of approaches
• WHY: Passive defenses reduce pressure on frontline defenses
Remediation
• NEED: Contain and clean up threats
• WHAT: Containment and automated remediation
• WHY: Reduce expense and labor of dealing with threats
EDR: Endpoint Detection and Response
Many use cases:
• detection
• forensics
• incident response
• source for automation event triggers
Ultimately, EDR is a sensor that provides rich, forensic data before you need it
Examples: Ransomware prevention
1. Kill any process attempting to stop the volume shadow service (VSS)
2. If a powershell or CMD process is created shortly after opening an office document, inspect and/or quarantine the office document.
3. Create a hidden folder sure to be the first in an alphabetical list (e.g. __aardvarks). Any file change triggers a containment action (e.g. isolate machine).
What about remediation and response?
Let’s Fix This: Where do we start?
Strategies to get us back on track
1. Change Mindset
2. Better quality visibility (not quantity!)
3. Plan to mature detection capabilities
Changing mindset: things I have a problem with
1. Defeatist statements
2. That ‘dwell time’ has become a metric
3. The 1m unfilled jobs myth/rumor
Myth #1: Solving malware changes everything!
No, it just shifts the problem – attackers don’t give up, they just change
tactics to things like:
1. Interpreted languages (javascript, python, powershell)
2. Social engineering
3. Credential theft
4. Abuse of valid admin tools
5. Web attacks (SQL Injection, XSS, XSRF, etc)
Myth #2: Once the bad guys get in… Game Over!
Common perspective of getting hacked
(prevention only)
1. Attacker’s exploit succeeds.
2.
Reality
1. Attacker’s exploit succeeds
2. Attempts to escalate privileges
3. Begins exploring network
4. Sniffs network
5. Pivots to another host using an exploit
6. Dumps and cracks credentials
7. Pivots with credentials
8. Creates domain admin account
= detection opportunity
Lesson: Layer detection with prevention
Recon & early ops detection
Exfiltration detection
Data loss detection
Threat detection and response
Threat Hunting
When does incident become breach?
Timeline
Attack: Initial hacking attempts -> Success! Attacker gets in, pivots, searches -> Exfiltration -> Sale & profit of stolen data
Dwell: days, weeks; average of 146 days, later 99 days*
DEFENDER: Prevention -> Isolation -> Forensics, IR automation, security analytics -> Data loss prevention, detection by deception -> Fraud detection by a 3rd party
Milestones: Breach occurs -> Discovery -> Customer impact
* Average dwell time, according to Mandiant’s M-Trends Reports
Reducing the attacker’s ability to hide using red flags
Red flags are everywhere
Why aren’t we looking for them?
Basic Red Flag Examples
1. Local account creation
2. VSS disabled; snapshots deleted
3. AV turned off
4. SAM database dumped
5. ARP route poisoning
6. CMD.exe child of POWERPNT.EXE?
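The ransomware-prevention examples earlier and this red-flag list share one shape: match a telemetry event against a rule, then pick a response. The Python below is an added example, not code from the original deck, implementing the VSS, Office-to-shell, canary-folder and local-account rules over a constructed event stream; the event dict layout, the field names and the canary path prefix are all assumptions.

```python
"""Red-flag detection over constructed endpoint telemetry.

Added example, not code from the original slides. Each event is a plain dict
in a simplified, hypothetical shape; field names ("type", "image", "parent",
"cmdline", ...) are assumptions, not any vendor's schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Hidden canary folder that sorts first alphabetically (folder name from the
# slides; the path prefix is an assumption).
CANARY_DIR = r"c:\users\public\__aardvarks"
DOC_TO_SHELL_WINDOW = 60.0   # seconds: "shortly after opening an office document"

# Command lines that stop the VSS service or delete its snapshots.
VSS_TAMPER = re.compile(
    r"\b(?:net|sc)\s+stop\s+vss\b|\bvssadmin\b.*\bdelete\s+shadows\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    action: str      # kill_process | inspect_document | isolate_host | alert
    host: str
    detail: str


def detect(events: list[dict]) -> list[Finding]:
    """Apply the red-flag rules from the slides to a time-ordered event list."""
    findings: list[Finding] = []
    last_doc_open: dict[str, tuple[float, str]] = {}   # host -> (ts, document)

    for ev in events:
        host, kind = ev["host"], ev["type"]

        if kind == "doc_open":
            last_doc_open[host] = (ev["ts"], ev["path"])

        elif kind == "process_create":
            image = ev["image"].lower()
            parent = ev.get("parent", "").lower()
            cmdline = ev.get("cmdline", "")

            # Rule 1: kill any process trying to stop VSS or wipe snapshots.
            if VSS_TAMPER.search(cmdline):
                findings.append(Finding("vss_tamper", "kill_process", host, cmdline))

            # Rule 2: a shell spawned by an Office app, or started shortly
            # after a document was opened, points back at that document.
            if image in SHELLS:
                opened = last_doc_open.get(host)
                recent = opened is not None and ev["ts"] - opened[0] <= DOC_TO_SHELL_WINDOW
                if parent in OFFICE_APPS or recent:
                    doc = opened[1] if opened else "<no document seen>"
                    findings.append(Finding("shell_after_office_doc", "inspect_document",
                                            host, f"{parent} -> {image}; document: {doc}"))

        elif kind == "file_change":
            # Rule 3: any change inside the canary folder isolates the machine.
            if ev["path"].lower().startswith(CANARY_DIR):
                findings.append(Finding("canary_folder_touched", "isolate_host", host, ev["path"]))

        elif kind == "user_create" and ev.get("scope") == "local":
            # Basic red flag: a local account created on an endpoint.
            findings.append(Finding("local_account_created", "alert", host, ev["user"]))

    return findings


# Constructed sample telemetry (not real data), in time order.
SAMPLE_EVENTS = [
    {"ts": 100.0, "host": "ws01", "type": "doc_open", "path": r"c:\users\alice\downloads\invoice.docm"},
    {"ts": 112.0, "host": "ws01", "type": "process_create", "image": "powershell.exe",
     "parent": "WINWORD.EXE", "cmdline": "powershell.exe -NoProfile"},
    {"ts": 190.0, "host": "ws01", "type": "process_create", "image": "cmd.exe",
     "parent": "powershell.exe", "cmdline": "cmd.exe /c net stop vss"},
    {"ts": 191.0, "host": "ws01", "type": "file_change", "path": r"c:\users\public\__aardvarks\budget.xlsx"},
    {"ts": 300.0, "host": "ws02", "type": "user_create", "user": "svc_backup", "scope": "local"},
    # Benign: a user opening a shell from Explorer on a host with no document activity.
    {"ts": 400.0, "host": "ws03", "type": "process_create", "image": "cmd.exe",
     "parent": "explorer.exe", "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} -> {f.action} ({f.detail})")
```

The third sample event is not flagged as "shell after document" because it starts 90 seconds after the document open, outside the 60-second window; the window is the tuning knob a real deployment would baseline per environment.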
Strategies to get us back on track
1. Change Mindset
2. Better quality visibility (not quantity!)
3. Plan to mature detection capabilities
What are we talking about here, anyway?
The importance of visibility and awareness in security cannot be overstated!
Detection challenges: Spot the difference
Detection challenges: How do we improve quality?
We need a way to separate actionable data from anecdotal data. The solution isn’t getting rid of the anecdotal data, it’s hiding it from view until it’s needed.
Detection challenges: fighting the noise
1. Have a baseline – otherwise everything will look suspicious!
2. Instead of tuning the default, consider starting from scratch
3. Explore other methods of alerting (ChatOps, sound, lighting)
4. Understand users/business and apply lessons to monitoring
5. Pick one very important scenario, and build it out...
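An added example (not the deck's own code) of the baseline and "hide it until needed" ideas from the two slides above: a parent/child process pair seen on enough hosts during a clean learning window is treated as anecdotal and stored out of view, everything else is surfaced, and the hidden context is pulled back only around an actionable event. The event layout and the (parent, child) feature are assumptions.

```python
"""Baseline-driven triage: separate actionable events from anecdotal ones.

Added example, not code from the original slides. Events are plain dicts in
a simplified, hypothetical shape; the (parent, child) process pair is used
as the baseline feature purely for illustration.
"""
from __future__ import annotations

from collections import defaultdict


def _pair(ev: dict) -> tuple[str, str]:
    """Baseline feature: which parent image launched which child image."""
    return (ev.get("parent", "").lower(), ev["image"].lower())


class Triage:
    def __init__(self, min_hosts: int = 2) -> None:
        # A pair is only "normal" once seen on min_hosts distinct hosts, so a
        # one-off on a single box during the learning window does not poison
        # the baseline. The cost: a rarely used legitimate tool keeps being
        # surfaced until someone decides it belongs in the baseline.
        self.min_hosts = min_hosts
        self._seen_on: dict[tuple[str, str], set[str]] = defaultdict(set)
        self.anecdotal: list[dict] = []   # kept, but hidden from the analyst until needed

    def learn(self, events: list[dict]) -> None:
        """Build the baseline from a window of telemetry believed to be clean."""
        for ev in events:
            if ev["type"] == "process_create":
                self._seen_on[_pair(ev)].add(ev["host"])

    def is_baseline(self, ev: dict) -> bool:
        return len(self._seen_on.get(_pair(ev), ())) >= self.min_hosts

    def triage(self, events: list[dict]) -> list[dict]:
        """Return only the actionable events; baseline matches are stored, not shown."""
        actionable: list[dict] = []
        for ev in events:
            if ev["type"] != "process_create":
                continue
            if self.is_baseline(ev):
                self.anecdotal.append(ev)
            else:
                actionable.append(ev)
        return actionable

    def context(self, host: str, ts: float, window: float = 300.0) -> list[dict]:
        """Pull the hidden anecdotal events around an actionable one on the same host."""
        return [e for e in self.anecdotal
                if e["host"] == host and abs(e["ts"] - ts) <= window]


def pc(ts: float, host: str, parent: str, image: str) -> dict:
    """Shorthand for a constructed process-creation event."""
    return {"ts": ts, "host": host, "type": "process_create", "parent": parent, "image": image}


# Constructed learning window (not real data) across three workstations.
BASELINE_EVENTS = [
    pc(10.0, "ws01", "services.exe", "svchost.exe"),
    pc(11.0, "ws01", "explorer.exe", "WINWORD.EXE"),
    pc(12.0, "ws01", "explorer.exe", "outlook.exe"),
    pc(20.0, "ws02", "services.exe", "svchost.exe"),
    pc(21.0, "ws02", "explorer.exe", "winword.exe"),
    pc(30.0, "ws03", "services.exe", "svchost.exe"),
    pc(31.0, "ws03", "explorer.exe", "outlook.exe"),
    pc(32.0, "ws03", "explorer.exe", "putty.exe"),    # seen on one host only
]

# Constructed live traffic from ws02.
LIVE_EVENTS = [
    pc(1000.0, "ws02", "services.exe", "svchost.exe"),
    pc(1010.0, "ws02", "explorer.exe", "winword.exe"),
    pc(1020.0, "ws02", "winword.exe", "powershell.exe"),   # never seen in the baseline
    pc(1030.0, "ws02", "explorer.exe", "putty.exe"),       # rare, so still surfaced
    pc(5000.0, "ws02", "explorer.exe", "outlook.exe"),
]

if __name__ == "__main__":
    untuned = Triage()                     # no baseline: everything looks suspicious
    print("without baseline:", len(untuned.triage(LIVE_EVENTS)), "alerts")
    t = Triage(min_hosts=2)
    t.learn(BASELINE_EVENTS)
    for ev in t.triage(LIVE_EVENTS):
        print(f"ACTIONABLE {ev['parent']} -> {ev['image']} on {ev['host']}")
        for ctx in t.context(ev["host"], ev["ts"]):
            print(f"    context {ctx['parent']} -> {ctx['image']} at t={ctx['ts']}")
```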
Strategies to get us back on track
1. Change Mindset
2. Better quality visibility (not quantity!)
3. Plan to mature detection capabilities
Detection challenges: fighting the fires
1. Get better prevention
   1. Prevention is ‘free’
   2. IR is expensive
   3. Minimize need for IR
2. Get tools and processes in place to enable root cause analysis
3. Practice IR as much as possible -> Process improvement
4. Automate IR workflows -> Process improvement
5. Never, ever skip lessons learned
Detection challenges: Less is More
1. Disable, remove and shut down anything you don’t use. This reduces attack surface AND noise.
2. Take care of Low Hanging Fruit (see below)
3. Standardize systems. Less variation makes systems easier to defend & produce less noise.
4. Simplify systems: monitor app use and remove unused software or features. Less software = less attack surface.
Low Hanging Fruit
• enable click-to-run for Flash
• office macro restrictions
• powershell restrictions
• disable java plugin if not needed
• disable Windows EFS if not needed
• use free security tools
  • AppLocker
  • LAPS
  • EMET (maybe? maybe not?)
• Low or no-impact improvements from CIS benchmarks
Wrapping up
What are your endpoint security pain points and goals?
Pain Point -> Goal
1. Cleaning up infections 24/7 -> Better prevention; hardening
2. Catch attacks that bypass preventative controls -> Better detective controls, better endpoint visibility
3. Catch/prevent non-malware threats -> Better endpoint visibility; hardening
4. Catch insider threats -> Better endpoint visibility
5. Did a breach actually occur? -> Visibility into file movement, data exfiltration
Recommendations
1. Think through and act out worst-case scenarios. Test and fail repeatedly. Learn from failures.
2. Don’t turn security products to 11 immediately – deploy slowly.
3. Choose one important attack scenario, and get really good at defending against it.
4. Don’t break the user.
5. Consider time-to-value and labor-to-value ratios.
6. Cut down on attack surface and noise by stripping out everything you don’t need or use.
Adrian Sanabria
@sawaba
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

451 and Endgame - Zero breach Tolerance: Earliest protection across the attack lifecycle

  • 1. Where did we go wrong?
  • 2. Where did we go wrong? 1. Addressing information overload/alert fatigue 2. Blind spots 3. Control over environment
  • 3. (no slide text)
  • 4. Hi, I’m the needle in this haystack. Where did we go wrong? Fatigued yet? BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK! BARK!
  • 6. Three big (non-malware) problems in Security today: 1. Addressing information overload/alert fatigue 2. Blind spots 3. Control over environment
  • 7. Enterprise security spending vs blind spots. Most enterprise spending is tied up in the perimeter. Blind Spot #1: The Endpoint. Blind Spot #2: Internal network communications (East-West traffic). Blind Spot #3: The Cloud. Blind Spot #4: Data.
  • 8. Three big (non-malware) problems in Security today: 1. Addressing information overload/alert fatigue 2. Blind spots 3. Control over environment
  • 9. Where did we go wrong? 1. Not enough root cause analysis 2. Not enough process improvement (if any) 3. Even when we do succeed, we force the attacker to change tactics. Are we ready for that?
  • 10. Where did we go wrong? Prevention and Evasion. Day 1: Zeus Trojan as PE (.exe) → preventative controls block → endpoint protected.
  • 11. Where did we go wrong? Prevention and Evasion. Day 2: Zeus Trojan as Java (.jar) → preventative controls fail; JAR reassembles EXE on endpoint → endpoint infected.
  • 12. Where did we go wrong? Prevention and Evasion. How did that work?
  • 13. State of Endpoint Security and EDR Primer
  • 14. Why is the endpoint important? 1. This is where work happens 2. One of the easiest paths into a company 3. BYOD and ShadowIT are unsolved problems
  • 15. How I see the market: Prevention (pre-execution); Detection and Data Collection (post-execution); Platform Hardening. 80+ vendors, 50/50 split complementary/primary.
  • 16. Buzzword Bingo: NGAV and EDR definitions. NGAV: the ability to stop threats without prior knowledge of them. EDR: Endpoint Data Recorder (a slight acronym modification).
  • 17. Endpoint categories: What’s driving them?
      NGAV – NEED: a better malware mousetrap. WHAT: automated detection of unknown threats. WHY: auto-generated malware gets through.
      EDR – NEED: endpoint visibility; serious blind spot otherwise. WHAT: record detailed endpoint data. WHY: detect attacks that defeat 1st layers of defense.
      Hardening – NEED: more permanent, resilient solutions. WHAT: wide variety of approaches. WHY: passive defenses reduce pressure on frontline defenses.
      Remediation – NEED: contain and clean up threats. WHAT: containment and automated remediation. WHY: reduce expense and labor of dealing with threats.
  • 18. EDR: Endpoint Detection and Response. Many use cases: detection; forensics; incident response; source for automation event triggers. Ultimately, EDR is a sensor that provides rich, forensic data before you need it.
  • 19. Examples: Ransomware prevention. 1. Kill any process attempting to stop the volume shadow service (VSS). 2. If a PowerShell or CMD process is created shortly after opening an Office document, inspect and/or quarantine the Office document. 3. Create a hidden folder sure to be the first in an alphabetical list (e.g. __aardvarks). Any file change triggers a containment action (e.g. isolate machine).
  • 20. What about remediation and response?
  • 21. Let’s Fix This: Where do we start?
  • 22. Strategies to get us back on track: 1. Change mindset 2. Better quality visibility (not quantity!) 3. Plan to mature detection capabilities
  • 23. Changing mindset: things I have a problem with: 1. Defeatist statements 2. That ‘dwell time’ has become a metric 3. The 1m unfilled jobs myth/rumor
  • 24. Myth #1: Solving malware changes everything! No, it just shifts the problem – attackers don’t give up, they just change tactics to things like: 1. Interpreted languages (JavaScript, Python, PowerShell) 2. Social engineering 3. Credential theft 4. Abuse of valid admin tools 5. Web attacks (SQL injection, XSS, XSRF, etc.)
  • 25. Myth #2: Once the bad guys get in… Game Over! Common perspective of getting hacked (prevention only): 1. Attacker’s exploit succeeds. 2. … Reality: 1. Attacker’s exploit succeeds 2. Attempts to escalate privileges 3. Begins exploring network 4. Sniffs network 5. Pivots to another host using an exploit 6. Dumps and cracks credentials 7. Pivots with credentials 8. Creates domain admin account = detection opportunity. Lesson: Layer detection with prevention.
  • 26. When does incident become breach? Timeline: Initial hacking attempts → Success! Attacker gets in, pivots, searches (days, weeks; average of 146 / 99 days*) → Exfiltration → Sale & profit of stolen data → Discovery → Breach occurs → Customer impact. Detection stages along the way: recon & early ops detection; threat detection and response; threat hunting; exfiltration detection; data loss detection. DEFENDER options: prevention; isolation; forensics; IR automation; security analytics; data loss prevention; detection by deception; fraud detection by a 3rd party. * Average dwell time, according to Mandiant’s M-Trends reports.
  • 27. Reducing the attacker’s ability to hide using red flags
  • 28. Red flags are everywhere. Why aren’t we looking for them? Basic red flag examples: 1. Local account creation 2. VSS disabled; snapshots deleted 3. AV turned off 4. SAM database dumped 5. ARP route poisoning 6. CMD.exe child of POWERPNT.EXE?
  • 29. Strategies to get us back on track: 1. Change mindset 2. Better quality visibility (not quantity!) 3. Plan to mature detection capabilities
  • 30. What are we talking about here, anyway? The importance of visibility and awareness in security cannot be overstated!
  • 31. Detection challenges: Spot the difference
  • 32. Detection challenges: Spot the difference
  • 33. Detection challenges: How do we improve quality? We need a way to separate actionable data from anecdotal data. The solution isn’t getting rid of the anecdotal data, it’s hiding it from view until it’s needed.
  • 34. Detection challenges: fighting the noise. 1. Have a baseline – otherwise everything will look suspicious! 2. Instead of tuning the default, consider starting from scratch 3. Explore other methods of alerting (ChatOps, sound, lighting) 4. Understand users/business and apply lessons to monitoring 5. Pick one very important scenario, and build it out...
  • 35. Strategies to get us back on track: 1. Change mindset 2. Better quality visibility (not quantity!) 3. Plan to mature detection capabilities
  • 36. Detection challenges: fighting the fires. 1. Get better prevention (prevention is ‘free’; IR is expensive; minimize need for IR) 2. Get tools and processes in place to enable root cause analysis 3. Practice IR as much as possible → process improvement 4. Automate IR workflows → process improvement 5. Never, ever skip lessons learned
  • 37. Detection challenges: Less is More. 1. Disable, remove and shut down anything you don’t use. This reduces attack surface AND noise. 2. Take care of low hanging fruit (see list) 3. Standardize systems. Less variation makes systems easier to defend and produces less noise. 4. Simplify systems – monitor app use and remove unused software or features. Less software = less attack surface.
      Low hanging fruit: enable click-to-run for Flash; Office macro restrictions; PowerShell restrictions; disable Java plugin if not needed; disable Windows EFS if not needed; use free security tools (AppLocker, LAPS, EMET (maybe? maybe not?)); low- or no-impact improvements from CIS benchmarks.
  • 39. What are your endpoint security pain points and goals? Pain point → goal: 1. Cleaning up infections 24/7 → better prevention; hardening 2. Catch attacks that bypass preventative controls → better detective controls, better endpoint visibility 3. Catch/prevent non-malware threats → better endpoint visibility; hardening 4. Catch insider threats → better endpoint visibility 5. Did a breach actually occur? → visibility into file movement, data exfiltration
  • 40. Recommendations: 1. Think through and act out worst-case scenarios. Test and fail repeatedly. Learn from failures. 2. Don’t turn security products to 11 immediately – deploy slowly. 3. Choose one important attack scenario, and get really good at defending against it. 4. Don’t break the user. 5. Consider time-to-value and labor-to-value ratios. 6. Cut down on attack surface and noise by stripping out everything you don’t need or use.
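The red-flag rules from slides 19 and 28 (Office app spawning CMD/PowerShell, VSS tampering, local account creation, a change inside a canary folder such as __aardvarks) as detection logic run over endpoint telemetry. This is an added example, not code from the deck or from 451/Endgame; it assumes a simplified, constructed event format (process and file events as dicts) standing in for what an EDR sensor records, and the sample events are made up.

```python
"""Red-flag detection over constructed endpoint telemetry (added example).

Not code from the deck or from 451/Endgame. Assumes a constructed event
format: dicts with type "process" (image, parent_image, cmdline) or
"file" (path, action), the kind of data an EDR sensor records.
"""
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
CANARY_DIR = "__aardvarks"  # hypothetical canary folder name from slide 19

# VSS tampering: stopping the service or deleting shadow copies.
VSS_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|net(\.exe)?\s+stop\s+vss\b",
    re.IGNORECASE,
)
# Local account creation: net user <name> ... /add
NET_USER_ADD = re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.IGNORECASE)

# Slide 19 pairs some flags with a containment action rather than a ticket.
CONTAIN = {"canary_touched", "vss_tamper"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows- or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict) -> List[str]:
    """Return the red flags one event raises (empty list means none)."""
    flags: List[str] = []
    if event.get("type") == "process":
        image = _basename(event.get("image", ""))
        parent = _basename(event.get("parent_image", ""))
        cmdline = event.get("cmdline", "")
        if parent in OFFICE_APPS and image in SHELLS:
            flags.append("office_spawns_shell")    # CMD.exe child of POWERPNT.EXE?
        if VSS_TAMPER.search(cmdline):
            flags.append("vss_tamper")             # VSS disabled; snapshots deleted
        if NET_USER_ADD.search(cmdline):
            flags.append("local_account_created")  # local account creation
    elif event.get("type") == "file":
        parts = event.get("path", "").replace("/", "\\").lower().split("\\")
        if CANARY_DIR in parts and event.get("action") in {"write", "rename", "delete"}:
            flags.append("canary_touched")         # any change in the canary folder
    return flags


def triage(events: List[Dict]) -> List[tuple]:
    """(index, flags, action) for every event that raised at least one flag."""
    out = []
    for i, ev in enumerate(events):
        flags = evaluate(ev)
        if flags:
            action = "contain" if CONTAIN & set(flags) else "investigate"
            out.append((i, flags, action))
    return out


# Constructed sample telemetry (not real logs); paths and names are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\POWERPNT.EXE",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net user svc_backup /add"},
    {"type": "file", "path": r"C:\Shares\__aardvarks\q1_report.docx",
     "action": "write"},
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE /n"},
]

if __name__ == "__main__":
    for idx, flags, action in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(flags)} -> {action}")
```

The benign Word launch in the last sample raises nothing, which is the point of slide 34's baseline: the rules fire on parent/child relationships and command lines, not on the mere presence of cmd.exe or PowerShell.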

Editor's Notes

  1. Talk about why I have them in this particular order! Aka alert fatigue – we spend far too much time reviewing “alerts” and events that don’t matter. Some of this is done through integration/correlation, some is being addressed with security analytics – let a machine go through the noise and pluck out the relevant bits. We have blind spots in the enterprise – primarily the internal network and endpoints (incl. asset mgmt, mobile, etc.). In the past decade, technologies have given us greater control over on-prem and mobile assets, but we still have little visibility or control over what happens to our DATA.
  2. Once you hear enough barking, you learn to tune it out, and it all becomes noise. This is the battle in security today: how do we ensure what is really important floats to the top and doesn’t get lost? (Target reference again here.) Note: In real life, the really important alert is just another bark, not helpfully highlighted in a different color. Credit to Chuck Beeler for coining the phrase almost 10 years ago.
  3. Well, it turns out a lot of the people that say “none” actually check a few alerts and then mark the rest as ‘read’, which isn’t really “checking them all”.
  4. (Same notes as 1.)
  5. There are red flags everywhere. Some of them are near 100% signs of a compromise, whereas others are more yellow flags. The idea here is that if you have enough visibility across the enterprise, you can ignore the yellow flags, and the red flags will paint the true picture of a compromise and an attacker’s movements through the enterprise. Also, as we have control over our environment, we have an opportunity to set traps and force generation of our own custom red flags.
  6. (Same notes as 1.)
  7. We typically don’t have the skills or spend the time to do root cause analysis. When we succeed, we force the attacker to change behavior. Lack of root cause analysis and process improvement. We need durable 5 year solutions, not 6 month solutions. Ransomware example.
  8. In fact, there is evidence of the attackers already sidestepping network-based anti-malware sandboxes.
  9. (Same notes as 8.)
  10. It is where work happens. It is one of the easiest paths into a company. BYOD and ShadowIT are still unsolved problems.
  11. Three categories: Prevention; Detection/Data collection; Platform Hardening (privilege management, application control, removing attack surface, dynamic attack surface reduction). Hey, we see you don’t EVER USE X, Y or Z, so we’re going to turn them off, okay? OR, how about we do like Android 6? You don’t get permissions until they’re needed, and then you get prompted to turn them on and decide then and there whether or not you need them.
  12. And you know what? I like Endpoint Data Recorder better anyway, because a lot of EDR products out there have little to no detection or response capabilities.
  13. Remediation vs containment
  14. Helpless and defeatist statements like “It’s only a matter of time before the breach happens” and “there’s only two kinds of organizations, those that know they’ve been breached and those that don’t know yet”. I’d argue that you also have the flipside – organizations that THOUGHT they had a breach, but actually DIDN’T. The reason they declared a breach was because, due to the lack of intelligence they had, they were forced to assume the worst! Indications that we’ve messed up as an industry: most of the 1 million cybersecurity jobs we supposedly have a need for are warm bodies in a SOC. Why? To compensate for noisy cybersecurity products. And the fact that “dwell time” is even a thing.
  15. No, attacks are the threat we should be worried about, and regardless of what study you look at, a significant percentage of successful breaches don’t use malware at all.
  16. Point out: In the “reality” version, no malware was actually necessary, and if it was used, it was only to get the initial foothold. Mention: According to the most recent Verizon data breach report, at least 45% of attacks didn’t use malware at all.
  17. The point here is that the defender isn’t helpless – there’s something they can do at each stage of the attack campaign. The attacker stops to order a pizza. The attacker stops to eat said pizza. Baffled by Structured Query Language, the attacker searches online for ‘SQL CheatSheets’. The attacker takes a break to brag about his exploits to undercover FBI on online forums.
  18. (Same notes as 5.)
  19. Sure, someone gets in, fine. You have about 30,000 more opportunities to catch them. Take a deep breath and start looking for red flags (IoAs). You know what would be REALLY handy? If you could AUTOMATE the search for red flags. THAT would be NICE (HINT HINT NUDGE). I’m just gonna call them “red flags” from now on. That’s what they are – we don’t need a fancy name! Lots of examples: things that are ALWAYS representative of something suspicious. Mention automated honeynets/decoys/deception? Malware isn’t necessarily used! Verizon DBIR statistic here. Most next-gen anti-malware, anti-APT and stuff labeled “advanced” is just looking for Win32 binaries that are threats. What happens when someone doesn’t use malware at all? What happens when they come right in the appropriate door with the appropriate credentials?
  20. Keep this in mind, because it applies to a lot more than just what we’re talking about today – nearly every big trend we’re seeing in security today stems from lessons we’ve learned from over a decade of breaches.
  21. Realistically, it is unlikely you’ll block 100% of attacks or even malware, so you need to know what’s going on when an attacker or malware DOES get in. Relates to a concept Will will touch on – breaches don’t happen instantly.
  22. (Same notes as 21.)
  23. For #2, mention Eric Ogren’s 200k/daily DLP alert anecdote
  24. (Same notes as 23.)
  25. (Same notes as 23.)
  26. (Same notes as 23.)
  27. if you couldn’t patch and couldn’t use endpoint security software, what would your anti-malware strategy look like? --- test and enable AV/NGAV/EDR functionality a bit at a time Security products are far from infallible Any product that prevents the user from getting the job done will fail or be bypassed. How long before you get it up and working? How much effort/people do you need to get there and keep it there?