Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, SCS Director, Core Security
CONNECT 2017

Security Consulting Services: Which is the best option for me?
Understanding the offering
AGENDA
• Who we are
• Security Consulting Services
• Penetration Test and Red Team
• Software Security Assessment
Diego Sor
Security Consulting Services, Director
Core Security
About me

Technical
• Started experimenting with 8-bit home computers
• BASIC was my first approach to programming
• Hardware and communications fan
• Electronic engineering degree
• In 1998 joined a mobile phone fraud prevention company
• In 2001 joined Core Security as a Windows device driver developer
• In 2006 moved to the SCS team as a security consultant
• Have been managing the Consulting team since 2012

Not so technical
• DIY, music, architecture and playing with my daughter
Security Consulting Services
Who we are

We are a group of security engineers working alongside customers to secure their information technology systems.
• SCS has been conducting security consulting services since 1997
• We think and act like attackers
• We do vulnerability research
• We keep up to date
Security Consulting Services
Why do customers call us?

• Recent public breaches made them understand that real attackers target organizations like theirs
• They want to protect PHI or other sensitive information
• Stakeholders want to understand their security posture
• They are interested in exercising their security team
• New application features will be put in production soon
• They want to measure their security operations center (SOC) capabilities
• They deployed new systems or new information infrastructure
• They have to adhere to compliance programs
Security Services Terms
Terminology nightmare

(Diagram: SECURITY SERVICES, branching into RED TEAM, PENETRATION TEST and SOFTWARE SECURITY ASSESSMENT)
Security Consulting Services
Our Services

(Diagram: SECURITY SERVICES: RED TEAM, PENETRATION TEST)
Security Consulting Services
Red Team and Penetration Test

SCOPE
The systems and components under test: the things you want to secure.

OBJECTIVES
Something to achieve: the concerns you may have and want evaluated.

INITIAL INFORMATION
The key conversation between consultants and customers.

ACTORS
The individuals carrying out the actions. Consultants will mimic attackers using defined profiles.
Red Team
You know you secured your environment

Evaluate the resilience of your organization against real-world attackers. Consultants will find and exploit vulnerabilities while using tactics, techniques and procedures (TTPs) to avoid detection and persist.

INCLUSIVE SCOPE
Attackers move freely. Include as many components as possible. Scope limitations create artificial barriers.

THINK OF THREATS: OBJECTIVES
Think of worst-case scenarios:
1. Cloud admin credentials stolen
2. IP documents extracted

ATTACKERS: ACTORS
Consultants act by mimicking attackers' techniques and tactics. Liaison with the internal security team is optional.

FINAL REPORT: OUTCOME
Vulnerabilities exploited and attack paths. Description of techniques and tactics. Level of readiness of your defense team. Fixes and mitigations.
Red Team
Steps to success

• The process is iterative
• Achieve the defined objectives while minimizing noise and detection
• Each iteration may or may not be fine-tuned by liaising with the security staff

Cycle: reconnaissance → compromise → then escalate → persist → lateral movement/pivoting → cleanup → back to reconnaissance. Report at the end.
Penetration Test
Want to challenge your security posture

Evaluate the resilience of your organization against real-world attacks. Consultants will find and exploit vulnerabilities to get access to privileged systems and information.

INCLUSIVE SCOPE
Enumerate components and systems. Networks, applications and users are the usual targets.

THINK OF THREATS: OBJECTIVES
Think of worst-case scenarios:
1. Cloud admin credentials stolen
2. IP documents extracted

ATTACKERS: ACTORS
Consultants mimicking attackers' techniques.

FINAL REPORT: OUTCOME
Vulnerabilities exploited and attack paths. Description of techniques and tactics. Fixes and mitigations.
Red Team vs Penetration Test
I see a lot of similarities

• It is about challenging the security of an organization
• Attackers can be external or internal to the organization (insider threat)
• Red Team revisits the original penetration test concept, where noise and detection avoidance were part of the equation
• Penetration Test has evolved into many different practices, creating a softer definition and leaving space for Red Team to add some additional specification
• The key concept is mimicking the attacks you find in real-world scenarios
• A sophisticated real-world attacker will leverage trust relationships to gain access to more valuable information assets
• Liaison with the internal security staff leads to the Purple Team concept
Red Team and Penetration Test
What is in scope?

• Time-boxed
• You get X hours of attackers challenging your security; let's see what they can do!
• Attackers do not ask for permission; they use any available means
• External-facing servers and services
• Internal servers and services
• Hybrid systems: cloud and on-premise
• Organization individuals
• Phishing campaigns
• Social engineering activities
KNOWLEDGE: VULNERABILITY ASSESSMENT
The initial step to secure your organization. It finds as many vulnerabilities as possible. Mostly automated tests.

RESILIENCE: PENETRATION TEST
You know you secured your organization. Sophisticated attackers will challenge your security posture.

RESILIENCE AND READINESS: RED TEAM
More sophisticated attackers will challenge the security and readiness of your organization.
Security Services Lifecycle

(Diagram: MATURITY LEVEL against TIME, moving from AUDITORS to ATTACKERS)
SECURITY SERVICES: SOFTWARE SECURITY ASSESSMENT

Security Consulting Services
Software Security Assessment
Software Security Assessment
Definition and key objectives

Assess the security of an application or group of applications, that is, their ability to resist attacks. Evaluate your defensive programming practices.
• In this context an application is a system or group of systems that are logically connected and cooperate to do something
• Consultants find as many vulnerabilities as possible
• Consultants evaluate the code quality in terms of security
• Consultants create running proof-of-concepts of the findings
• Assessing a single isolated application is not exactly a Penetration Test
Software Security Assessment
By approach

Dynamic Analysis
• Tests carried out on a running application
• May or may not have access to source code
• Consultants mimicking attackers with no or some level of knowledge of the application

Static Analysis
• Full access to the source code and application design
• Deep level of understanding of the source code being tested
• Consultants mimicking an attacker with full source code knowledge
• Consultants acting as security quality assurance
Software Security Assessment
By source code access

White-box
• Consultants have access to source code and documentation

Gray-box
• Consultants have some access to source code and documentation
• Source code for sensitive functions: crypto, storage, authorization and authentication

Black-box
• Consultants have zero access to source code and documentation
• Focused on the exposed interfaces
Software Security Assessment
Vulnerability Categories

Design
• A fundamental mistake: the application does what it is supposed to do, but that is wrong because the specification itself is flawed

Implementation
• The code is usually doing what it should do, but there is a security problem in the way a specific action is carried out

Operational
• These problems arise when looking at the context in which the software operates. They have to do with the code, but also with the operation and the environment

(Diagram: DESIGN / IMPLEMENTATION / OPERATIONAL)
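The three categories above, each shown as code beside a fixed version, as an added example that is not part of the original deck nor Core Security's code. The document-sharing service, its in-memory data, the specification text in the comments and every function name are assumptions made for this illustration.

```python
"""Constructed example: one vulnerability from each category (design, implementation,
operational) in a tiny document-sharing service, each beside a fixed version.
All names, data and the service itself are assumptions made for this example."""
import hashlib
import hmac
import posixpath

# Constructed in-memory store; not real data.
DOCS = {
    1: {"owner": "alice", "path": "alice/report.txt"},
    2: {"owner": "bob", "path": "bob/plan.txt"},
}
FILES = {
    "alice/report.txt": b"Q3 numbers",
    "bob/plan.txt": b"roadmap",
}


# --- Design flaw -------------------------------------------------------------
# Assumed spec: "any authenticated user can fetch a document by id".
# The code follows the spec exactly; the missing ownership rule is a spec error.
def fetch_design_flaw(user, doc_id):
    return FILES[DOCS[doc_id]["path"]]


# Fixed spec: "a user can fetch only documents they own".
def fetch_design_fixed(user, doc_id):
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != user:
        raise PermissionError("not the owner")
    return FILES[doc["path"]]


# --- Implementation flaw -----------------------------------------------------
# Assumed spec: "serve only files under the caller's own folder" (correct),
# but the join lets a '..' segment escape that folder.
def read_impl_flaw(user, name):
    path = posixpath.normpath(user + "/" + name)   # "alice/../bob/plan.txt" -> "bob/plan.txt"
    return FILES[path]


def read_impl_fixed(user, name):
    path = posixpath.normpath(user + "/" + name)
    if not path.startswith(user + "/"):            # reject anything that left the folder
        raise ValueError("path traversal")
    return FILES[path]


# --- Operational flaw --------------------------------------------------------
# The HMAC code is correct; the deployment ships a default key, so every
# install that forgets to set SESSION_KEY signs tokens with a guessable value.
DEFAULT_KEY = "changeme"


def session_key_op_flaw(env):
    return env.get("SESSION_KEY", DEFAULT_KEY).encode()


def session_key_op_fixed(env):
    key = env.get("SESSION_KEY")
    if not key or len(key) < 32:
        raise RuntimeError("SESSION_KEY must be set to at least 32 characters")
    return key.encode()


def sign(token: bytes, key: bytes) -> str:
    return hmac.new(key, token, hashlib.sha256).hexdigest()


def raises(fn, exc, *args):
    """True if fn(*args) raises exc; used to demonstrate the fixed versions."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print("design:", fetch_design_flaw("alice", 2))                 # bob's file
    print("impl:", read_impl_flaw("alice", "../bob/plan.txt"))      # bob's file
    print("ops:", sign(b"user=alice", session_key_op_flaw({})))     # forgeable token
```

The point of keeping the three side by side is the fix location: the design flaw is fixed by changing what the code is asked to do, the implementation flaw by changing how one step is carried out, and the operational flaw by refusing to run in an unsafe environment rather than by touching the signing logic.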
Software Security Assessment
White-box Assessment

• Project setup cost can be high
  • Code isolation from 3rd parties
  • Sharing intellectual property
  • Interaction with developers
• Time and cost intensive
• Testers look for security bugs and bad coding practices
• More in-depth analysis than its black-box counterpart
• Tasks include:
  • Code analysis tools
  • Check the code and then... check the code again
Software Security Assessment
Black-box Security Assessment, AKA Application Penetration Test

• Uncover what is visible and exposed
• Short time frame and quick results
• A QA or testing environment can be used for testing
• Works better when source code is available
• Uncovering vulnerabilities may include:
  • Dynamic analysis tools
  • Fuzzing
  • Reverse engineering / decompiling
  • Debugging
  • Instrumentation
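The fuzzing task above, and the dynamic-analysis approach described earlier (tests against a running target with no source knowledge), as an added example that is not code from the original deck nor from Core Security. The record format, the buggy parser that plays the target, the mutation strategy and all function names are assumptions made for this illustration.

```python
"""Constructed example of black-box dynamic testing: a mutation fuzzer driving a
small record parser that trusts a length field. The parser, record format and
seeds are assumptions made for this example; nothing here is Core Security code."""
import random
import struct


def make_record(rtype: int, payload: bytes) -> bytes:
    """Build one valid record: <u8 type><u16 big-endian length><payload><u8 xor checksum>."""
    checksum = 0
    for b in payload:
        checksum ^= b
    return bytes([rtype]) + struct.pack(">H", len(payload)) + payload + bytes([checksum])


def parse_records(data: bytes):
    """Constructed target. It rejects bad checksums cleanly (ValueError) but trusts the
    declared length, so an oversized or truncated record indexes past the buffer."""
    off, records = 0, []
    while off < len(data):
        rtype = data[off]
        length = struct.unpack_from(">H", data, off + 1)[0]   # struct.error if truncated
        start = off + 3
        checksum = 0
        for i in range(length):
            checksum ^= data[start + i]                        # IndexError past the end
        if checksum != data[start + length]:
            raise ValueError("bad checksum")                   # handled, expected failure
        records.append((rtype, bytes(data[start:start + length])))
        off = start + length + 1
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to a seed input."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "set", "truncate", "append"))
        if op == "flip" and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "set" and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == "truncate" and len(buf) > 1:
            del buf[rng.randrange(1, len(buf)):]
        elif op == "append":
            buf += bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, seed=1):
    """Run mutated seeds through target. ValueError is the parser's intended rejection;
    any other exception is an unhandled crash. Returns {exception name: first input}."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


def reproduces(target, case: bytes, exc_name: str) -> bool:
    """Replay a saved crash input and confirm the same exception type, as a triage step."""
    try:
        target(case)
    except Exception as exc:
        return type(exc).__name__ == exc_name
    return False


if __name__ == "__main__":
    seeds = [make_record(1, b"hello"), make_record(2, b"")]
    found = fuzz(parse_records, seeds)
    for name, case in found.items():
        print(name, case.hex(), reproduces(parse_records, case, name))
```

The fuzzer is seeded with a fixed random state so a campaign can be re-run exactly, and each crash is replayed before it is reported; in a native target the same length-trust bug would be an out-of-bounds read rather than a Python exception, which is where debugging and instrumentation from the list above take over.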
Application Types
Web, Mobile, Desktop, IoT
Final Words
An approach that works for you

• Consultants need to understand customer needs and maturity level
• Think about threats
  • The ones you envision should work as initial objectives
• Do not force a hard scope definition when you do not know
  • Unless you are sure, be as broad as possible
• Be incremental and continuous
  • Combine services and approaches
  • Services should be able to adapt to your SDLC

THANK YOU

How to Defeat the Vulnerability Hydra - Andy Nickel Sales Engineer, Core Secu...
 
Understanding Network Insight Integrations to Automate Containment and Kick S...
Understanding Network Insight Integrations to Automate Containment and Kick S...Understanding Network Insight Integrations to Automate Containment and Kick S...
Understanding Network Insight Integrations to Automate Containment and Kick S...
 
Product Vision - Stephen Newman – SecureAuth+Core Security
Product Vision - Stephen Newman  – SecureAuth+Core Security Product Vision - Stephen Newman  – SecureAuth+Core Security
Product Vision - Stephen Newman – SecureAuth+Core Security
 
The Good, the Bad, and The Not So Bad: Tracking Threat Operators with Our Thr...
The Good, the Bad, and The Not So Bad: Tracking Threat Operators with Our Thr...The Good, the Bad, and The Not So Bad: Tracking Threat Operators with Our Thr...
The Good, the Bad, and The Not So Bad: Tracking Threat Operators with Our Thr...
 
Introducing Core Role Designer - Michael Marks Product Manager - Identity, Co...
Introducing Core Role Designer - Michael Marks Product Manager - Identity, Co...Introducing Core Role Designer - Michael Marks Product Manager - Identity, Co...
Introducing Core Role Designer - Michael Marks Product Manager - Identity, Co...
 
Core Connector API Demo - Michael Marks Product Manager - Identity, Core Secu...
Core Connector API Demo - Michael Marks Product Manager - Identity, Core Secu...Core Connector API Demo - Michael Marks Product Manager - Identity, Core Secu...
Core Connector API Demo - Michael Marks Product Manager - Identity, Core Secu...
 
Access Assurance Suite Tips & Tricks - Lisa Lombardo Principal Architect Iden...
Access Assurance Suite Tips & Tricks - Lisa Lombardo Principal Architect Iden...Access Assurance Suite Tips & Tricks - Lisa Lombardo Principal Architect Iden...
Access Assurance Suite Tips & Tricks - Lisa Lombardo Principal Architect Iden...
 
The Why - Keith Graham, CTO – SecureAuth+Core Security
The Why - Keith Graham, CTO – SecureAuth+Core Security The Why - Keith Graham, CTO – SecureAuth+Core Security
The Why - Keith Graham, CTO – SecureAuth+Core Security
 
Vulnerability Insight Tips & Tricks - Magno Gomes SE Manager, Core Security
Vulnerability Insight Tips & Tricks - Magno Gomes SE Manager, Core SecurityVulnerability Insight Tips & Tricks - Magno Gomes SE Manager, Core Security
Vulnerability Insight Tips & Tricks - Magno Gomes SE Manager, Core Security
 
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
 
10 IT Security Trends to Watch for in 2016
10 IT Security Trends to Watch for in 201610 IT Security Trends to Watch for in 2016
10 IT Security Trends to Watch for in 2016
 
Trending it security threats in the public sector
Trending it security threats in the public sectorTrending it security threats in the public sector
Trending it security threats in the public sector
 
What your scanner isn't telling you
What your scanner isn't telling youWhat your scanner isn't telling you
What your scanner isn't telling you
 
Advanced Pen Testing Techniques-DNS-WMI
Advanced Pen Testing Techniques-DNS-WMIAdvanced Pen Testing Techniques-DNS-WMI
Advanced Pen Testing Techniques-DNS-WMI
 
Core Impact Pro R1-Release Overview
Core Impact Pro R1-Release OverviewCore Impact Pro R1-Release Overview
Core Impact Pro R1-Release Overview
 

Kürzlich hochgeladen

10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is insideshinachiaurasa2
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfryanfarris8
 
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456KiaraTiradoMicha
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...kalichargn70th171
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...Jittipong Loespradit
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 

Kürzlich hochgeladen (20)

10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 

Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, SCS Director, Core Security

Slide 5. Security Consulting Service: Why do customers call us?
• Recent public breaches made them understand that real attackers target organizations like theirs
• They want to protect PHI or other sensitive information
• Stakeholders want to understand their security posture
• They are interested in exercising their security team
• New application features will be put in production soon
• They want to measure their security operations center (SOC) capabilities
• They have deployed new information systems infrastructure
• They need to stick to compliance programs
Slide 7. Security Consulting Services: Our Services
Security services offered: Red Team, Penetration Test, Software Security Assessment
Slide 8. Security Consulting Services: Red Team and Penetration Test (section divider)
Slide 9. Initial Information: the key conversation between consultants and customers
• SCOPE: the systems and components under test; the things you want to secure
• OBJECTIVES: something to achieve; the concerns you have and want to be evaluated
• ACTORS: the individuals carrying out the actions; consultants will mimic attackers using defined profiles
Slide 10. Red Team: you know you secured your environment
Evaluate the resilience of your organization against real-world attackers. Consultants will find and exploit vulnerabilities while using attacker tactics, techniques and procedures (TTPs) to avoid detection and to persist.
• SCOPE (inclusive): attackers move freely, so include as many components as possible. Scope limitations create artificial barriers.
• OBJECTIVES (think of threats): think of worst-case scenarios, e.g. 1. cloud admin credentials stolen, 2. intellectual property documents extracted
• ACTORS (attackers): consultants mimicking attackers' techniques and tactics. Liaison with the internal security team is optional.
• OUTCOME (final report): vulnerabilities exploited and attack paths; description of the techniques and tactics used; level of readiness of your defense team; fixes and mitigations
Slide 11. Red Team: steps to success
• The process is iterative
• Achieve the defined objectives while minimizing noise and detection
• Iterations may or may not be fine-tuned by liaising with the internal security staff
Attack cycle: reconnaissance → compromise, then escalate → persist → lateral movement / pivoting → cleanup → reconnaissance (again, from the new foothold) → report
Slide 12. Penetration Test: want to challenge your security posture?
Evaluate the resilience of your organization against real-world attacks. Consultants will find and exploit vulnerabilities to get access to privileged systems and information.
• SCOPE (inclusive): enumerate components and systems; networks, applications and users are the usual targets
• OBJECTIVES (think of threats): think of worst-case scenarios, e.g. 1. cloud admin credentials stolen, 2. intellectual property documents extracted
• ACTORS (attackers): consultants mimicking attackers' techniques
• OUTCOME (final report): vulnerabilities exploited and attack paths; description of the techniques and tactics used; fixes and mitigations
Slide 13. Red Team vs Penetration Test: I see a lot of similarities
• Both are about challenging the security of an organization
• Attackers can be external or internal to the organization (insider threat)
• Red Team revisits the original penetration test concept, where noise and detection avoidance were part of the equation
• Penetration Test has evolved into many different practices, creating a softer definition and leaving space for Red Team to add some additional specification
• The key concept is mimicking the attacks you find in real-world scenarios
• A sophisticated real-world attacker will leverage trust relationships to gain access to more valuable information assets
• Liaison with the internal security staff leads to the Purple Team concept
Slide 14. Red Team and Penetration Test: what is in scope?
• Time-boxed: you get X hours of attackers challenging your security; let's see what they can do!
• Attackers do not ask for permission; they use any available means
• External-facing servers and services
• Internal servers and services
• Hybrid systems: cloud and on-premise
• Organization individuals: phishing campaigns, social engineering activities
Slide 15. Security Services Lifecycle
The slide plots the three services against maturity level and time, with the tester profile moving from auditors to attackers:
• VULNERABILITY ASSESSMENT (what you get: knowledge): the initial step to secure your organization. It finds as many vulnerabilities as possible, using mostly automated tests.
• PENETRATION TEST (what you get: resilience): you know you secured your organization; sophisticated attackers will challenge your security posture.
• RED TEAM (what you get: resilience and readiness): more sophisticated attackers will challenge the security and the readiness of your organization.
Axes: maturity level and time increase from vulnerability assessment to red team; the people doing the work shift from auditors to attackers.
Slide 16. Security Consulting Services: Software Security Assessment (section divider)
Slide 17. Software Security Assessment: definition and key objectives
Assess the security of an application or group of applications, i.e. their ability to resist attacks, and evaluate your defensive programming practices.
• In this context an application is a system or group of systems that are logically connected and cooperate to do something
• Consultants find as many vulnerabilities as possible
• Consultants evaluate the code quality in terms of security
• Consultants create running proof-of-concepts of the findings
• Assessing a single isolated application is not exactly a Penetration Test
Slide 18. Software Security Assessment: by approach
Dynamic analysis
• Tests are carried out on a running application
• May or may not have access to the source code
• Consultants mimic attackers with no or some level of knowledge of the application
Static analysis
• Full access to the source code and application design
• Deep level of understanding of the source code being tested
• Consultants mimic an attacker with full source code knowledge
• Consultants act as security quality assurance
Slide 19. Software Security Assessment: by source code access
White-box
• Consultants have access to the source code and documentation
Gray-box
• Consultants have some access to the source code and documentation
• Typically the source code of the sensitive functions: crypto, storage, authorization and authentication
Black-box
• Consultants have zero access to the source code and documentation
• Focused on the exposed interfaces
Slide 20. Software Security Assessment: vulnerability categories
• Design: a fundamental mistake. The application does what it is supposed to do, but that is wrong because the specification itself failed.
• Implementation: the code does what it should do, but there is a security problem in the way a specific action is carried out.
• Operational: these problems arise when looking at the context in which the software operates. They have to do with the code, but also with the operation and the environment.
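The three categories are easiest to tell apart on one piece of code. The following is an added example, not material from the deck or Core Security's code: a toy "document download" feature in which each category appears as a flawed function next to its fixed form. The application, its users (alice, bob), the document ids, the `/srv/docs` root and the fake file contents are all constructed for the illustration.

```python
"""Added example, not from the deck: one toy 'document download' feature with the
three vulnerability categories of slide 20 shown as a flawed function next to its
fixed form. The application, users, document ids and file contents are constructed."""
import posixpath

# Constructed sample data: who owns which document, and a fake filesystem.
DOC_ROOT = "/srv/docs"
DOCS = {
    1: {"owner": "alice", "path": "invoices/2017-03.pdf"},
    2: {"owner": "bob", "path": "hr/salaries.xlsx"},
}
FILES = {
    "/srv/docs/invoices/2017-03.pdf": b"alice's invoice",
    "/srv/docs/hr/salaries.xlsx": b"bob's salary sheet",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh",
}


def _fs_read(path):
    """Stand-in for open(path, 'rb').read(): the OS resolves '..' components."""
    return FILES[posixpath.normpath(path)]


# 1. DESIGN flaw: the specification said "any authenticated user may download any
#    document by id". The code implements that spec faithfully; the spec is wrong.
def download_design_flaw(user, doc_id):
    if user is None:
        raise PermissionError("login required")
    return _fs_read(posixpath.join(DOC_ROOT, DOCS[doc_id]["path"]))


def download_design_fixed(user, doc_id):
    # Corrected specification: a document is readable only by its owner.
    if user is None or DOCS[doc_id]["owner"] != user:
        raise PermissionError("not the owner of this document")
    return _fs_read(posixpath.join(DOC_ROOT, DOCS[doc_id]["path"]))


# 2. IMPLEMENTATION flaw: the spec is fine ("serve files below DOC_ROOT"), but the
#    path is built by concatenation, so a relative path containing '..' escapes.
def read_impl_flaw(relative_path):
    return _fs_read(DOC_ROOT + "/" + relative_path)


def read_impl_fixed(relative_path):
    full = posixpath.normpath(posixpath.join(DOC_ROOT, relative_path))
    if not full.startswith(DOC_ROOT + "/"):
        raise PermissionError("path escapes the document root")
    return _fs_read(full)


# 3. OPERATIONAL flaw: design and code are fine, but the deployment leaves the
#    debug switch on by default, so the error page leaks internals to clients.
def debug_enabled_flaw(env):
    return env.get("APP_DEBUG", "1") == "1"    # unset in production -> debug ON


def debug_enabled_fixed(env):
    return env.get("APP_DEBUG", "0") == "1"    # unset in production -> debug OFF


def handle_request(user, doc_id, debug):
    """Error handling around the (design-fixed) download; returns (status, body)."""
    try:
        return 200, download_design_fixed(user, doc_id)
    except Exception as exc:
        if debug:   # verbose page: exception class, message and server-side path
            return 500, f"{type(exc).__name__}: {exc} (root={DOC_ROOT})".encode()
        return 500, b"internal error"


def denied(fn, *args):
    """True when fn(*args) is refused with PermissionError (used by the checks)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(download_design_flaw("alice", 2))                      # bob's file served to alice
    print(read_impl_flaw("../../etc/passwd"))                    # escapes /srv/docs
    print(handle_request("alice", 99, debug_enabled_flaw({})))   # leaks exception and path
```

The point for an assessment report is the different fix owner in each case: the design flaw is fixed by changing the specification (and then the code), the implementation flaw by the developer alone, and the operational flaw by whoever owns the deployment configuration, with no source change at all.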
Slide 21. Software Security Assessment: white-box assessment
• Project setup cost can be high
  • Code isolation from third parties
  • Sharing intellectual property
  • Interaction with developers
• Time and cost intensive
  • Testers look for security bugs and bad coding practices
  • More in-depth analysis than its black-box counterpart
• Includes the following tasks
  • Code analysis tools
  • Check the code and then... check the code again
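"Code analysis tools" in a white-box assessment are typically small, targeted checks run over the whole code base before the manual review, to decide where to spend the reading time. The following is an added example and not a tool from the deck or from Core Security: it walks a Python AST and flags database `execute()` calls whose query text is assembled at runtime (string concatenation, `%` formatting, `str.format`, f-strings) instead of being passed with bound parameters. The code under review (`SAMPLE_SOURCE`) is constructed for the illustration.

```python
"""Added example, not from the deck: a minimal AST-based 'code analysis tool' that
flags database execute() calls with runtime-built query text. The reviewed source
below is constructed for the illustration."""
import ast

# Constructed code under review: three flawed queries, one parameterised one and
# one constant-only concatenation that must not be reported.
SAMPLE_SOURCE = '''
import sqlite3

def find_user(conn, name, uid):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    cur.execute(f"SELECT * FROM users WHERE id = {uid}")
    cur.execute("SELECT * FROM users WHERE name = %s" % name)
    cur.execute("SELECT * FROM users WHERE name = 'admin'" + " LIMIT 1")
'''

QUERY_METHODS = {"execute", "executemany", "executescript"}


def _uses_runtime_values(node):
    """True if the expression contains a variable, call, attribute or subscript."""
    return any(isinstance(n, (ast.Name, ast.Call, ast.Attribute, ast.Subscript))
               for n in ast.walk(node))


def is_dynamic_query(node):
    """Is this query-text expression assembled from runtime values?"""
    if isinstance(node, ast.JoinedStr):                     # f"..." with {x}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _uses_runtime_values(node)                   # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return bool(node.args or node.keywords)             # "...".format(x)
    return False


class DynamicQueryFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []      # (line number, source of the query expression)

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in QUERY_METHODS
                and node.args and is_dynamic_query(node.args[0])):
            self.findings.append((node.lineno, ast.unparse(node.args[0])))
        self.generic_visit(node)


def find_dynamic_queries(source):
    """Return [(line, expression), ...] for every execute() with runtime-built text."""
    finder = DynamicQueryFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for line, expr in find_dynamic_queries(SAMPLE_SOURCE):
        print(f"line {line}: query text built at runtime: {expr}")
```

A check like this is deliberately syntactic: it does not know whether `name` came from a request, so every finding still has to be read (the "check the code again" step), but it turns a code base of thousands of lines into a short list of places to start.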
Slide 22. Software Security Assessment: black-box security assessment, AKA application penetration test
• Uncovers what is visible and exposed
• Short time frame and quick results
• A QA or testing environment can be used for testing
• Works better when there is some access to the source code
• Uncovering vulnerabilities may include
  • Dynamic analysis tools
  • Fuzzing
  • Reverse engineering / decompiling
  • Debugging
  • Instrumentation
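Fuzzing and instrumentation are the black-box techniques on this list that a consultant can run without any source code: feed mutated inputs to the exposed interface and watch what the program does. The following is an added example, not from the deck or Core Security's tooling: a small mutation fuzzer against a constructed `[type][length][value...]` record parser that carries a deliberate bug. The parser, the seed input, the mutation operators and the crash-bucketing scheme are all this example's own; it assumes nothing beyond the Python standard library.

```python
"""Added example, not from the deck: black-box mutation fuzzing of a constructed
record parser, with crash bucketing and test-case reduction."""
import random

SEED_INPUT = b"\x01\x02AB\x02\x03abc"   # constructed: record 1 = b"AB", record 2 = "abc"


def parse_records(data):
    """Target under test. Record = type byte, length byte, value bytes.
    Type 2 values must be UTF-8 text and are rejected with ValueError otherwise.
    Deliberate bug: the length byte is read without checking that the header is
    complete, so a trailing lone type byte raises IndexError."""
    pos, records = 0, []
    while pos < len(data):
        rtype = data[pos]
        rlen = data[pos + 1]                    # IndexError on a truncated header
        value = data[pos + 2:pos + 2 + rlen]
        if rtype == 2:
            value = value.decode("utf-8")       # UnicodeDecodeError is a ValueError
        records.append((rtype, value))
        pos += 2 + rlen
    return records


def classify(target, data):
    """Outcome of one run: ("ok",), ("rejected",) or ("crash", exc type, line).
    ValueError is the parser's documented rejection and is not counted as a bug;
    anything else is bucketed by exception type and the innermost line number."""
    try:
        target(data)
    except ValueError:
        return ("rejected",)
    except Exception as exc:
        tb = exc.__traceback__
        while tb.tb_next:
            tb = tb.tb_next
        return ("crash", type(exc).__name__, tb.tb_lineno)
    return ("ok",)


def mutate(rng, data):
    """One random byte-level mutation: overwrite, delete or insert a byte."""
    data = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and data:
        del data[rng.randrange(len(data))]
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(target, seeds, iterations=3000, rng_seed=1):
    """Mutation fuzzing: accepted inputs join the corpus, crashes are kept per bucket."""
    rng = random.Random(rng_seed)               # fixed seed makes the run reproducible
    corpus = list(seeds)
    crashes = {}                                # (exc type, line) -> first input seen
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        outcome = classify(target, candidate)
        if outcome[0] == "crash":
            crashes.setdefault(outcome[1:], candidate)
        elif outcome[0] == "ok":
            corpus.append(candidate)
    return crashes


def minimize(target, data):
    """Delta-debugging style reduction: drop chunks while the crash bucket is
    unchanged. Best effort: the result is smaller, not guaranteed minimal."""
    want = classify(target, data)
    if want[0] != "crash":
        return data
    n = 2
    while len(data) >= 2:
        size = -(-len(data) // n)               # ceiling division
        chunks = [data[i:i + size] for i in range(0, len(data), size)]
        for i in range(len(chunks)):
            trial = b"".join(chunks[:i] + chunks[i + 1:])
            if trial and classify(target, trial) == want:
                data, n = trial, max(n - 1, 2)
                break
        else:
            if n >= len(data):
                break
            n = min(n * 2, len(data))
    return data


if __name__ == "__main__":
    for bucket, sample in fuzz(parse_records, [SEED_INPUT]).items():
        print(bucket, sample, "->", minimize(parse_records, sample))
```

Two details matter more than the mutation strategy: separating the target's documented rejections (here `ValueError`) from real crashes, so the report is not filled with "malformed input was refused", and bucketing crashes by type and location so that a thousand inputs hitting one bug count as one finding. Reducing the crashing input before writing it up is what turns a fuzzer artifact into the running proof-of-concept the assessment promises.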
Slide 23. Application types: Web, Mobile, Desktop, IoT
Slide 24. Final words: an approach that works for you
• Consultants need to understand the customer's needs and maturity level
• Think about threats
  • The ones you envision should work as the initial objectives
• Do not force a hard scope definition when you do not know the scope
  • Unless you are sure, be as broad as possible
• Be incremental and continuous
  • Combine services and approaches
  • Services should be able to adapt to your SDLC