
Modern security using graphs, automation and data science

768 views

Presented by Dinis Cruz at https://www.inspiredbusinessmedia.com/event/ciso-conference-november-2019/

Published in: Technology


  1. @DinisCruz Modern Security using Graphs, Maps, Automation and Data Science (Dinis Cruz, Nov 2019)
  2. Security (and CISO) world is broken, reactive and not scaling
  3. Security is not the Destination
  4. Security is a Property
  5. We don’t want Security, we want Safety
  6. Businesses/Orgs need to operate within their Accepted & Approved & Acknowledged Risk appetite
  7. Security and Safety are emerging characteristics of well executed operations
  8. Just like pollution is a side effect of: Bad Engineering, Weak Processes, Network Externalities
  9. … and buggy companies... https://www.techrepublic.com/blog/tech-decision-maker/buggy-software-why-do-we-accept-it/
  10. The question is not: How do we Secure the Business?
  11. The question is: How do we Change the Business?
  12. Modern Org Design/Operations
  13. Modern Org design - Everybody is an Enabler
      ● We talk about Security being an ‘Enabler’ (and we get it in Security)
      ● Now we need every part of the business to also behave like that
        ○ HR, Finance, Procurement
        ○ IT Ops, DevOps
        ○ Dev teams
        ○ Jira Admins
      ● Who in the company is making the company more productive and efficient?
      ● Security has become the ‘Department of YES’
      ● What about the rest of the business?
      ● The way to do this is with an org structure based on Products and Services
  14. Companies run on spreadsheets
  15. Projects and Services
  16. Products and Services everywhere
      ● The way to do this is for every team in the company to:
        ○ Have a Product team - build capabilities for its Services
        ○ Provide Services to the rest of the business - packaged in easy to use (consumer focused)
      ● Apply the same principles and focus that we have for the ‘external’ Customer to the ‘internal’ Customer
        ○ Ironically, the more effective the internal customer is, the better the services provided to the ‘external’ customer
      ● Security (CISO) has naturally evolved into thinking like this
      ● Security (CISO) can now play a role in driving similar transformations in other parts of the business
  17. Pollution analogy (vs Technical Debt)
  18. The pollution analogy (by David Rice) https://vimeo.com/15506033
  19. Pollution Lifecycle: Atoms, Bytes
  20. Evolution of Pollution and Security https://www.slideshare.net/amitkapoor/the-sustainable-value-framework https://www.youtube.com/watch?v=O8sLSwnId9c
  21. Wardley Maps
  22. Simon Wardley
  23. Start with the users and their needs
  24. Add capabilities
  25. Create Value Chain
  26. Create a Map
  27. 4 types of Evolution
  28. Zooming in on Evolution
  29. From Genesis to Commodity
  30. Use appropriate methods
  31. GDS Case study (GDS: Government Digital Services)
  32. Start with User needs https://hackernoon.com/rebooting-gds-96b1595096fa
  33. Know the details
  34. Remove duplication
  35. Challenge and Question (why are we building this?)
  36. Focus on Doctrine (Phase I)
  37. Break into small contracts/projects
  38. Use appropriate methods
  39. Understand what works in each area
  40. Pioneers, Settlers and Town Planners
  41. Security Wardley Maps
  42. Bug Bounty Workflow
  43. Threat Landscape
  44. SOC
  45. Mapping: Handling a Security event
  46. GDPR Analysis
  47. GDPR Readiness
  48. PCI Audit (before and after)
  49. PCI Audit (maturity)
  50. (no slide text)
  51. Privacy Preserving techniques https://drive.google.com/file/d/1syRvOQiIc-cMri3Dq4YQtRa9502wc4cS/edit
  52. MPC Submap (MultiParty Computation)
  53. Mapping a Security Champion Programme
  54. Threat Modeling Maturity
  55. Mapping Cloud Security (SecOps)
  56. Mapping Cyber Attacks
  57. Mapping Security Domain Knowledge
  58. Mapping SOC Analyst activity
  59. Mapping Security Testing automation
  60. Mapping Endpoint Security Compliance
  61. Amazon Strategy (in Maps)
  62. Commodities create new opportunities
  63. Co-Evolution
  64. Key Pattern
      1. Create Platform
      2. View what users are doing in your Platform
         a. What they are moving from Genesis to Custom Build
      3. Productize and Commoditize that
      4. Rinse and Repeat
      ● For example:
        ○ EC2 -> Lambda
        ○ EC2 -> Lambda -> API Gateway automations
        ○ EC2 -> MySQL as a Service -> Serverless MySQL
        ○ EC2 -> Elastic Container Service (ECS) -> Fargate
        ○ EC2 -> LightSail
  65. Mapping Money Flows
  66. Mapping a cup of tea
  67. Understanding P&L and cash flows
  68. Automatic Generation of Maps (using Serverless)
  69. Slack Bot
  70. Jira and Jupyter Notebooks
  71. Using Jira to capture data
  72. But before Maps you need Graphs
  73. Property Graphs
  74. Using Jira as a Graph Database
  75. TechStack (with serverless workflow)
  76. CLI (Command Line Interface) to your data
  77. REPL (Read Evaluate Print Loop)
  78. Connected risk data
  79. Graph projects to outcomes and threats
  80. Threat Models (in a scalable way)
  81. Creating PDFs from Jira data
  82. Creating Slides/Powerpoint from Jira
  83. Linked Security Policies = Fact based Security Decisions
  84. Hyperlinked policies in Jira. Policy PDFs do not scale because it is not possible to link real-world data to the respective policy
  85. Convert policy into a graph
  86. Policies link to Facts, Facts link to Vulns, Vulns link to Risks
  87. Context specific Jira projects (for example FACTs)
  88. Scaling Incident event operations, based on Serverless workflow
  89. Workflow (diagram fragments: Person, Credentials, Application, uses to access, conditions generate Alert, acknowledged in Slack by, entered in, action updates status of alert in)
  90. Jira as (graph) database
  91. Slack as UI, Jira as Database
  92. The ‘Schema’ for your business: how the business actually works
  93. Create schema that represents the business
  94. Map reality
  95. Jira schema
  96. Risk and Vuln Workflows (driving accountability): RISK Workflow, VULN Workflow
  97. Hyperlinked RISKs (from R1s to R4s to V1s to V3s)
  98. Creating Global Dashboards (risks linked to vulns)
  99. Measure evolution/impact (Budget, Project, Product)
  100. Risk Framework that the board understands (next slides based on this great presentation by Ciara Feeney: https://www.linkedin.com/in/ciara-feeney-87392067/)
  101. IT Risk Framework (top of the graph)
  102. Agree risk appetite
  103. Complete Risk Analysis
  104. Map to risk Matrix
  105. Top 10 Risks (evolution)
  106. Cost of Serverless
  107. When you do it right, not that much. Serverless environments enable event-driven workflows that dramatically change the scalability and cost of Security Operations
  108. Data Science
  109. From GSheet to Jira
  110. Final Thought: Security has a Center of Excellence
  111. QUESTIONS?
  112. References (source materials of images)
      ● https://agilebusinessmanifesto.com/agilebusiness/a-structure-for-continuous-innovation-pioneers-settlers-town-planners/
      ● https://blog.gardeviance.org/2015/04/the-only-structure-youll-ever-need.html
      ● https://wall-skills.com/2018/pioneers-settlers-and-town-planners-3-types-of-innovation/
  113. Extra slides
  114. (no slide text)
  115. (no slide text)
  116. PST
  117. (no slide text)
  118. (no slide text)
  119. Wardley Maps
  120. Security MindMap (where to focus?)
  121. Discover cluster and bias
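Slides 84 to 98 describe treating Jira issues as a property graph in which policies link to facts, facts to vulns and vulns to risks, and then driving dashboards from those links. The following is an added example, not code from the talk or from any of Dinis Cruz's projects: it models that graph in plain Python with constructed issue keys, link names and statuses, and answers the two questions such a graph exists for (which risks a policy ultimately carries, and which still-open vulns sit behind a risk).

```python
from collections import defaultdict, deque

# Constructed sample Jira issues (keys, statuses and text are hypothetical), one node per issue.
NODES = {
    "POLICY-1": {"type": "POLICY", "status": "Approved", "summary": "Internet-facing services use TLS 1.2+"},
    "FACT-1": {"type": "FACT", "status": "Verified", "summary": "API gateway still accepts TLS 1.0"},
    "VULN-1": {"type": "VULN", "status": "Open", "summary": "Legacy TLS enabled on API gateway"},
    "VULN-2": {"type": "VULN", "status": "Fixed", "summary": "Weak cipher suite on payments host"},
    "RISK-1": {"type": "RISK", "status": "Open", "summary": "Customer data exposed in transit"},
    "RISK-2": {"type": "RISK", "status": "Accepted", "summary": "PCI DSS non-compliance"},
}
# Constructed Jira issue links as directed edges: (source, link name, target).
EDGES = [
    ("POLICY-1", "is evidenced by", "FACT-1"),
    ("FACT-1", "results in", "VULN-1"),
    ("VULN-1", "creates", "RISK-1"),
    ("VULN-1", "creates", "RISK-2"),
    ("VULN-2", "creates", "RISK-2"),
]

def adjacency(edges):
    """Build a source -> [targets] map from issue links."""
    adj = defaultdict(list)
    for src, _link, dst in edges:
        adj[src].append(dst)
    return adj

def reachable(start, adj, issue_type):
    """Breadth-first walk from start; return sorted keys of the given issue type."""
    seen, queue, found = {start}, deque([start]), []
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                if NODES[nxt]["type"] == issue_type:
                    found.append(nxt)
    return sorted(found)

def risks_for_policy(policy_key):
    """Forward traversal POLICY -> FACT -> VULN -> RISK: what a policy gap ultimately exposes."""
    return reachable(policy_key, adjacency(EDGES), "RISK")

def open_vulns_behind_risk(risk_key):
    """Reverse traversal: which still-open VULNs feed a RISK (fixed ones drop out)."""
    rev = adjacency([(dst, link, src) for src, link, dst in EDGES])
    return [k for k in reachable(risk_key, rev, "VULN") if NODES[k]["status"] == "Open"]

def policy_dashboard():
    """Per-policy counts of open VULNs and open RISKs, the 'global dashboard' view."""
    adj = adjacency(EDGES)
    def open_count(key, t):
        return sum(NODES[k]["status"] == "Open" for k in reachable(key, adj, t))
    return {k: {"open_vulns": open_count(k, "VULN"), "open_risks": open_count(k, "RISK")}
            for k, n in NODES.items() if n["type"] == "POLICY"}
```

Because the dashboard is derived from links rather than typed into a spreadsheet, closing VULN-1 in Jira would change both the policy's open-risk count and the answer for RISK-2 without anyone editing a document.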
