Imagine an Army…
• Two sides, good and evil, engaged in a decades-long battle
• The evil side is having great success on the left flank of the battle
• The good side responds by building up the right flank, and even building up the center, and wonders why its defense is not working
This is the way most IT defenders work
Data-Driven Defense strategy focuses on:
• Reducing Initial Breaches
• Identifying Root-Causes of Initial Exploits
• Most Likely Attacks
• Relevance Drives Risk Assessment
• Faster Remediation Cycles
• Data-Driven Mitigations Right-Aligned To Most Critical Threats
The theory is described in the Data-Driven Defense whitepaper: http://aka.ms/datadrivendefense
What is it?: A methodology that allocates security resources more efficiently and effectively, to mitigate the top computer and network security threats faster and cheaper.
• Don’t understand their threats and risks as well as they think they do
• Don’t use their own data to drive solutions
• Don’t put the right defenses in the right places in the right amounts
• Poor communication at all levels
• Don’t hold current defenses accountable for what they said they could do
• Spend too many resources not getting the right results
How did it get this way?... After all, nobody wants to defend inefficiently
Problem Definition
Examples of Inefficiencies
• No one can name the #1 problem
• Too many top priorities
• Unranked controls, training, every list
• Good patching of low-risk apps and poor patching of high-risk apps
• Strategic controls don’t map to the tactical things that would have the most risk impact
• Expensive solutions sitting on the shelf
Problem Definition – How Did It Get This Way?
Problem – Lack of Focus
Sheer Number of Threats
• Avg: 5K-6K new threats/year
• 15/day, day after day
Problem – Lack of Focus
Competition for Attention
• Avalanche of Threats
• Compliance Concerns
• Too Many Projects
• Higher Priority Pet Projects/Politics
• Slower Budgeting Cycles
• Inefficient IT Organization
• Corporate Culture Risk Tolerance
Example: Most humans are more afraid of airplane crashes and shark attacks than of the car rides to the locations where those events could possibly take place, even though the car ride is tens of thousands of times more risky.
Evolution: Humans are not great at ranking risks, even when the metrics are known.
Odds of Fatality*: airplane crash 1 in 11 million; shark attack 1 in 3.7 million; car ride 1 in 5,000
*sources: Clarke, Ropeik, National Geographic
• Doesn’t focus enough on actual, locally experienced attacks (vs. focusing mostly on externalities)
• Inadequate detection
• Little to no forensic analysis
• Often doesn’t capture root causes
• Little to no metrics captured or reported
• What is detected isn’t effectively communicated up the chain and to the entire organization
What’s the number one threat in your environment?
• Zero days
• Unpatched software
• Malware
• Social engineering
• Password Issues
• Data Leaks
• Eavesdropping/MitM
• Misconfiguration
• Denial of Service
• Insider/Partner/Consultant/Vendor/3rd Party
• User Error
• Physical
Ask Yourself 3 Key Questions:
1. Can your IT security team give the right answer?
2. Is the answer consistent across team members?
3. Do you have data to back up the right answer?
• End-Users can’t identify top threats
• Even IT security team can’t identify top threats
• Training doesn’t focus on top threats
• Communication of top threats doesn’t happen between
organization’s business units/silos
• Senior management can’t provide the right resources and controls in the right places because they haven’t been given the right threat prioritization
• Strategic controls often don’t include enough tactical
details to drive best security solutions
Lack of objective data prevents effective communications of top threats
Many of the right solutions end up under-utilized or on the shelf unused.
Resulting in: money down the drain
Did the solution do what proponents said it would do?
Does the solution fight the right things?
Little accountability for implemented solutions leads to serious problems for IT defenders. The fingerprints of these problems are easy to identify.
• Identify in a clear and timely way all the threat scenarios they face
• Focus on how initial compromises happen (i.e. root causes) versus what happens
afterward
• Understand the comparative relative risks of different threats
• Broadly communicate threats ranked by risk to all stakeholders, including senior
management
• Efficiently coordinate agreed-upon responses to risk
• Measure the success of deployed defensive resources against the threats they were
defined to mitigate
All these implementation weaknesses lead to misalignment of computer security defenses against
the greatest threats
• Not ranking risks correctly relative to each other
• Seeing all risks as more equal than they are
• Focusing on wrong threats
• Focusing on individual threats instead of more
inclusive, broader, issues
• Belief that malicious events are impossible to stop or
minimize
• Loss of hope by defenders and the people that rely on
those defenders
Can lead to a sense of hopelessness by defenders and the people that rely on those defenders
Threat perception word cloud: Heartbleed vulnerability, Sandworm vulnerability, Insider Threats, USB Attacks, Unpatched Software, SQL Injection, APT, Physical Theft, Viruses & Worms, Anonymous Hacker Group, Buffer Overflows, Weak Passwords, Pass-the-Hash Attacks, Phishing, Social Engineering, Lost Laptops, SSL Flaw, Ransomware, Fraud, Stolen Data, Espionage, Leaked Data, Mobile, IoT, BYOD, Adware, Spyware, Backdoor Trojans
“Like bubbles in a glass of champagne”
“Every defense is treated equally, or applied disproportionately to threat risk”
Defense perception word cloud: Vuln Detection, DLP, Policy, Patch Everything, Try Anything, Vendors, Police, Some Monitoring, Don’t Know, Patch Windows, Complex Passwords/2FA, Segment, Warnings, A little end-user training, Config Mgmt, Outsource, Guessing, Disk Encryption, Legal, Looking Into, Just Give Up, Better Auth, AV, Not Sure/Ignore
Poor perception and application against threats can lead to “Whack-a-mole” defenses applied without data to back up relevance
Risk Ranked Threat Perceptions:
• Focuses on root causes
• Relevance is a deciding factor
• Adware is as important as a malicious Trojan
Risk Ranked Defenses:
• Mitigates root causes, not specific threats
• More efficient resource utilization
• Allows clearer cost/benefit considerations
[Diagram: risk-ranked threats. Three large boxes (the #1, #2 and #3 Most Impactful Exploited Root-Cause Threats) and a Vendors box stand beside a few Medium Threats and a long tail of Small Threats.]
[Diagram: risk-ranked defenses. Defenses Against the #1, #2 and #3 Most Impactful Exploited Root-Cause Threats, a few Medium Mitigations, and the same long tail of Small Threats left without dedicated defenses.]
May decide that the cost of defending against small threats is not a good business decision
Data-driven defense cycle: Collect (Better) Localized Threat Intelligence → Rank Risk Appropriately → Create Effective Communications Plan → Select & Deploy Root Cause Defenses → Define & Collect Metrics → Review and Improve Plan as Needed → (repeat)
A key goal of an implemented data-driven computer security defense is to more directly align and funnel mitigations against the root causes of the most successful threats
Alignment Principle: Data Driven Analysis → Data Driven Response
GOAL: Streamlined Mitigation Against Root-Causes of Successful Exploitation
Elements: Localized; Detecting Root Causes; Renewed Focus Tied to Root Causes; Aligned to Biggest Threats; Are Defenses Successful?
Use your data and metrics to:
• Get faster detection/early warning
• Measure exploit success in your organization
• Measure trends over time
Increasing trends require better responses
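The slides above and the risk-ranked threat perception slides call for ranking root causes from your own incident data and watching their trend. The following is an added example that shows one way to do that; it is not the author's or Microsoft's code. The incident records, root-cause names, impact scores and the quarter-over-quarter trend test are all constructed assumptions.

```python
"""Rank the root causes of initial compromises from local incident data
and flag the ones whose trend is rising.

Added example for this deck's "use your data and metrics" and
risk-ranked threat slides; it is not the author's or Microsoft's code.
The incident records, root-cause names and impact scores are constructed.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample: one record per confirmed initial compromise.
# "root_cause" names how the attacker first got in, not what they did
# afterwards; "impact" is a constructed 1-5 local severity score.
INCIDENTS = [
    {"day": date(2023, 1, 9),  "root_cause": "social engineering", "impact": 3},
    {"day": date(2023, 2, 3),  "root_cause": "unpatched software", "impact": 5},
    {"day": date(2023, 4, 2),  "root_cause": "password issue",     "impact": 4},
    {"day": date(2023, 5, 20), "root_cause": "social engineering", "impact": 5},
    {"day": date(2023, 6, 11), "root_cause": "social engineering", "impact": 1},
    {"day": date(2023, 7, 7),  "root_cause": "unpatched software", "impact": 2},
    {"day": date(2023, 7, 14), "root_cause": "social engineering", "impact": 2},
    {"day": date(2023, 8, 30), "root_cause": "social engineering", "impact": 4},
    {"day": date(2023, 9, 12), "root_cause": "social engineering", "impact": 3},
    {"day": date(2023, 9, 25), "root_cause": "misconfiguration",   "impact": 2},
]


def quarter(d):
    """Label a date by calendar quarter, e.g. 2023Q3."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def rank_root_causes(incidents):
    """Return [(root_cause, count, total_impact)], highest total impact first.

    Total impact is the ranking key because it ties each root cause to what
    it actually cost locally; the incident count breaks ties.
    """
    count, impact = Counter(), Counter()
    for inc in incidents:
        count[inc["root_cause"]] += 1
        impact[inc["root_cause"]] += inc["impact"]
    rows = [(cause, count[cause], impact[cause]) for cause in count]
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)


def share_of_breaches(incidents, root_cause):
    """Fraction of all initial compromises attributable to one root cause."""
    hits = sum(1 for inc in incidents if inc["root_cause"] == root_cause)
    return hits / len(incidents) if incidents else 0.0


def quarterly_trend(incidents, root_cause):
    """[(quarter, count)] for one root cause, in chronological order."""
    per_q = defaultdict(int)
    for inc in incidents:
        if inc["root_cause"] == root_cause:
            per_q[quarter(inc["day"])] += 1
    return sorted(per_q.items())


def is_increasing(trend):
    """True when counts never fall between observed quarters and end above where they began."""
    counts = [n for _, n in trend]
    if len(counts) < 2:
        return False
    return all(b >= a for a, b in zip(counts, counts[1:])) and counts[-1] > counts[0]


def rising_root_causes(incidents):
    """Root causes whose quarterly trend is increasing: these need a better response."""
    return [cause for cause, _, _ in rank_root_causes(incidents)
            if is_increasing(quarterly_trend(incidents, cause))]


if __name__ == "__main__":
    for cause, n, impact in rank_root_causes(INCIDENTS):
        print(f"{cause:20s} incidents={n} impact={impact} "
              f"trend={quarterly_trend(INCIDENTS, cause)}")
    print("rising:", rising_root_causes(INCIDENTS))
```

On the constructed data, social engineering accounts for 60% of initial compromises and is the only root cause whose count grows every quarter, so it is both the #1 root cause and the one demanding a stronger response; the adware-versus-Trojan point from the deck is reflected in the ranking key, which counts how the attacker got in rather than what the payload was.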
You should care as much about root causes as you do about what the hacker did after
they got into your environment
Focusing on individual threats and only what they did after they got in is
like worrying about your brakes after your car is stolen
Ex: Worrying about Pass-the-Hash attacks without fixing how the hacker got
domain admin in the first place isn’t fixing the problem
When you’ve adjusted your thinking, you’ll find adware is as worrisome as a malicious backdoor Trojan:
both took the same effort to get into your environment, and both reveal defensive gaps
“The Main Driver is Local Threat Intelligence”
Focus Prioritization:
1. Focus on historic and current attacks first
2. New, most likely to happen, “in-the-wild” and industry-targeting threats
3. Everything else
• If you can’t measure it, you can’t manage it
• Data is the conduit of success
• Gut feelings should be backed up by data
• Key Metric: Capturing root causes
• Data is used to drive event alerting
• Metrics are needed for comparisons and reporting
A perfect data event to create security alerts should contain the
following attributes:
• High likelihood that occurrence indicates unauthorized activity
• Either a single occurrence or an unexpectedly large number of events
in a given time period indicates a high chance of maliciousness
• Low number of false-positives
• An occurrence should result in investigation/forensics
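The attributes listed above can be turned directly into alerting rules: some events are a signal on a single occurrence, others only when an unexpectedly large number of them lands in a short window. The following is an added example of such a rule engine run over constructed log lines; it is not the author's or Microsoft's code. The log format, event names (`auth_failure`, `auth_success`, `new_local_admin`), hosts, thresholds and window sizes are all assumptions made for the example.

```python
"""Turn log events into alerts using the deck's "perfect data event"
attributes: fire on a single occurrence of a high-confidence event, or
on an unexpectedly large number of a lower-confidence event in one time
window, so that every alert is worth a forensic look.

Added example, not the author's code. The log lines, event names and
thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simple "timestamp key=value ..." format.
LOG = """\
2023-09-12T09:58:00 host=ws17 event=auth_failure user=bob
2023-09-12T09:58:20 host=ws17 event=auth_failure user=bob
2023-09-12T09:59:05 host=ws17 event=auth_failure user=bob
2023-09-12T10:00:10 host=ws17 event=auth_success user=bob
2023-09-12T10:01:00 host=ws17 event=new_local_admin user=bob
2023-09-12T10:05:00 host=srv03 event=auth_failure user=svc_backup
2023-09-12T10:05:01 host=srv03 event=auth_failure user=svc_backup
2023-09-12T10:05:02 host=srv03 event=auth_failure user=svc_backup
2023-09-12T10:05:03 host=srv03 event=auth_failure user=svc_backup
2023-09-12T10:05:04 host=srv03 event=auth_failure user=svc_backup
2023-09-12T10:05:05 host=srv03 event=auth_failure user=svc_backup
"""

# Events whose single occurrence is itself a high-likelihood signal of
# unauthorized activity (constructed choice for this example).
SINGLE_OCCURRENCE = {"new_local_admin"}

# Events that are only suspicious in volume: event -> (threshold, window).
# A few failed logons are normal; five within a minute on one host is not.
VOLUME_RULES = {"auth_failure": (5, timedelta(minutes=1))}


def parse(line):
    """Parse one log line into a dict with a datetime under "ts"."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(log_text):
    """Return [(timestamp, host, event, reason)] alerts for the log text.

    Volume rules keep a sliding window of timestamps per (host, event) and
    fire exactly once, when the count first reaches the threshold, so a
    burst of 50 failures produces one alert rather than 46.
    """
    alerts = []
    windows = defaultdict(deque)  # (host, event) -> timestamps in window
    for line in log_text.splitlines():
        rec = parse(line)
        event = rec["event"]
        if event in SINGLE_OCCURRENCE:
            alerts.append((rec["ts"], rec["host"], event, "single occurrence"))
        if event in VOLUME_RULES:
            threshold, window = VOLUME_RULES[event]
            q = windows[(rec["host"], event)]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # drop timestamps outside the window
                q.popleft()
            if len(q) == threshold:
                alerts.append((rec["ts"], rec["host"], event, f"{threshold} in {window}"))
    return alerts


if __name__ == "__main__":
    for ts, host, event, reason in detect(LOG):
        print(f"{ts.isoformat()} {host} {event}: {reason}")
```

Bob's three failed logons on ws17 are spread over more than a minute and never reach the threshold, so they generate no alert; the new local administrator account does, on its own. The six failures on srv03 produce a single volume alert at the fifth event. Both false-positive control and the "investigate every alert" property come from choosing events and thresholds from your own data rather than from a vendor default.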
• Identify all sources of threat intelligence and IT defense in your company
• Including all data input and database structures
• Including all reports and other output
• Identify all threats and risk relevance to each other and company
• What is your detection capability of those threats?
• Identify which high-risk threats are not currently detected appropriately
• Fix the gaps
Threats → Detection Abilities → Gap & Risk Analysis → Fixes
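The gap-analysis flow above (threats, detection abilities, gap and risk analysis, fixes) is small enough to implement as a table walk. The following is an added example, not the author's or Microsoft's code: the threat list, risk scores (the kind of per-root-cause totals local incident data would yield), detection ratings and the three-level detection scale are constructed assumptions.

```python
"""Threats -> detection abilities -> gap & risk analysis -> fixes.

Added example for the deck's gap-analysis slide; not the author's code.
The threat list, risk scores and detection ratings are constructed.
"""

# Constructed threat table. "risk" is a relative score derived from local
# incident data (higher = more relevant here); "detection" rates the
# current ability to detect the threat when it occurs.
THREATS = [
    {"threat": "social engineering", "risk": 18, "detection": "partial"},
    {"threat": "unpatched software", "risk": 7,  "detection": "good"},
    {"threat": "password issue",     "risk": 4,  "detection": "none"},
    {"threat": "misconfiguration",   "risk": 2,  "detection": "none"},
    {"threat": "zero day",           "risk": 0,  "detection": "none"},
]

# Constructed three-level scale for detection capability.
DETECTION_SCORE = {"none": 0.0, "partial": 0.5, "good": 1.0}


def coverage(threats):
    """Risk-weighted detection coverage in [0, 1]: the share of total local
    risk that current detection would actually see."""
    total = sum(t["risk"] for t in threats)
    covered = sum(t["risk"] * DETECTION_SCORE[t["detection"]] for t in threats)
    return covered / total if total else 0.0


def find_gaps(threats, min_risk=1):
    """Threats at or above min_risk whose detection is less than good,
    ordered by uncovered risk (risk x missing detection), largest first.
    Threats with no local risk are ignored even if undetected."""
    gaps = [t for t in threats
            if t["risk"] >= min_risk and DETECTION_SCORE[t["detection"]] < 1.0]
    return sorted(gaps, reverse=True,
                  key=lambda t: t["risk"] * (1.0 - DETECTION_SCORE[t["detection"]]))


def fix_order(threats, min_risk=1):
    """Names of the detection gaps in the order they should be fixed."""
    return [t["threat"] for t in find_gaps(threats, min_risk)]


def apply_fix(threats, name):
    """Return a new table with detection for one threat raised to good."""
    return [dict(t, detection="good") if t["threat"] == name else dict(t)
            for t in threats]


if __name__ == "__main__":
    print(f"coverage before: {coverage(THREATS):.2f}")
    for name in fix_order(THREATS):
        print("fix:", name)
    after = apply_fix(THREATS, fix_order(THREATS)[0])
    print(f"coverage after fixing the top gap: {coverage(after):.2f}")
```

The ordering shows the deck's point about relevance: zero days sit at the bottom of many generic threat lists, but with no local incidents they carry no uncovered risk and do not make the fix list, while the half-detected top root cause comes first because it leaves the most risk unseen.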
• Evangelize this concept! Use book, whitepaper, and slides
• Get a computer security data analytics person or team
• Collect all your data into single places for more aggressive data analysis
• Figure out what questions to ask
• Assess your threat intelligence information collection and how valid and
specific it is for your organization
• Figure out your top root causes and threats
• Assess how well your threat intelligence and defenses align to those threats
• Fill in the gaps
• Make aligned defenses measurable and accountable
A comprehensive defensive-data solution creates a holistic defense strategy
• More Intelligent Threat Intelligence
• Coordinated Enterprise Security Strategy
• Improved Risk Assessment
• More Efficient Defenses
• Quicker Response to Emerging Threats
• Measurable Lower Risk
• Better Threat Intelligence and Detection
• Measurable Risk Assessment
• More Focused Mitigations and Computer Security Defenses
• Better Security Metrics
• Accountable Defense Outcomes
• Better Computer Security Communication & Education
Data-Driven Defense Strategy (diagram): Reduce Initial Exploits; Defense in Depth; Unknown and Assumed Risk; Assume Breach Defenses

Call Girls In Dwarka 9654467111 Escorts Service
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
 
RadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfRadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdf
 
办理学位证纽约大学毕业证(NYU毕业证书)原版一比一
办理学位证纽约大学毕业证(NYU毕业证书)原版一比一办理学位证纽约大学毕业证(NYU毕业证书)原版一比一
办理学位证纽约大学毕业证(NYU毕业证书)原版一比一
 
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDINTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
 
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝DelhiRS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
 
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
 
Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...
 
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
 
Identifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanIdentifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population Mean
 
How we prevented account sharing with MFA
How we prevented account sharing with MFAHow we prevented account sharing with MFA
How we prevented account sharing with MFA
 
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
 
Predictive Analysis for Loan Default Presentation : Data Analysis Project PPT
Predictive Analysis for Loan Default  Presentation : Data Analysis Project PPTPredictive Analysis for Loan Default  Presentation : Data Analysis Project PPT
Predictive Analysis for Loan Default Presentation : Data Analysis Project PPT
 
GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]GA4 Without Cookies [Measure Camp AMS]
GA4 Without Cookies [Measure Camp AMS]
 
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样
 
Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)
 

Data-Driven Defense Strategy

5. Imagine an Army…
• Two sides – good and evil – engaged in a decades long battle
• Evil side is having great success on left flank of battle
• Good side responds by building up right flank and even building up in the center, and wonders why their defense is not working
This is the way most IT defenders work.

6. Data-Driven Defense strategy focuses on:
• Reducing Initial Breaches
• Identifying Root-Causes of Initial Exploits
• Most Likely Attacks
• Relevance Drives Risk Assessment
• Faster Remediation Cycles
• Data-Driven Mitigations Right-Aligned To Most Critical Threats
What is it?: A methodology that allocates security resources more efficiently and effectively, to mitigate the top computer and network security threats faster and cheaper.
Offering theory described in Data Driven Defense whitepaper: http://aka.ms/datadrivendefense

7. How did it get this way? After all, nobody wants to defend inefficiently. Defenders:
• Don’t understand their threats and risks as well as they think they do
• Don’t use their own data to drive solutions
• Don’t put in the right defenses in the right places in the right amounts
• Poor communication at all levels
• Don’t hold current defenses accountable for what they said they could do
• Spend too much resources not getting the right results

8. Problem Definition – Examples of Inefficiencies
• No one can name the #1 problem
• Too many top priorities
• Unranked controls, training, every list
• Good patching of low risk apps and poor patching of high risk apps
• Strategic controls don’t map to the tactical things that would have the most risk impact
• Expensive solutions sitting on the shelf

9. Problem Definition – How Did It Get This Way? Problem – Lack of Focus: Sheer Number of Threats
• Avg: 5K-6K new threats/year
• 15/day, day after day

10. Problem Definition – How Did It Get This Way? Problem – Lack of Focus: Competition for Attention
• Avalanche of Threats
• Compliance Concerns
• Too Many Projects
• Higher Priority Pet Projects/Politics
• Slower Budgeting Cycles
• Inefficient IT Organization
• Corporate Culture Risk Tolerance

11. Evolution: Humans are not great at ranking risks, even when the metrics are known.
Example: Most humans are more afraid of airplane crashes and shark attacks than the car rides to the locations where those events could possibly take place, even though the car ride is tens of thousands of times more risky.
Odds of Fatality*: 1 in 11 Million; 1 in 5,000; 1 in 3.7 Million
*Sources: Clarke, Ropeik, National Geographic

12. Current detection and response practice:
• Doesn’t focus enough on actual, local experienced attacks (vs. focusing on mostly externalities)
• Inadequate detection
• Little to no forensic analysis
• Often doesn’t capture root causes
• Little to no metrics captured or reported
• What is detected isn’t effectively communicated up the chain and to the entire organization

13. What’s the number one threat in your environment?
• Zero days
• Unpatched software
• Malware
• Social engineering
• Password Issues
• Data Leaks
• Eavesdropping/MitM
• Misconfiguration
• Denial of Service
• Insider/Partner/Consultant/Vendor/3rd Party
• User Error
• Physical
Ask Yourself 3 Key Questions:
1. Can your IT security team give the right answer?
2. Is the answer consistent across team members?
3. Do you have data to back up the right answer?

14. Lack of objective data prevents effective communications of top threats
• End-Users can’t identify top threats
• Even IT security team can’t identify top threats
• Training doesn’t focus on top threats
• Communication of top threats doesn’t happen between organization’s business units/silos
• Senior management can’t provide the right resources and controls in the right places because they haven’t been given the right threat prioritization
• Strategic controls often don’t include enough tactical details to drive best security solutions

15. Little Accountability for implemented solutions leads to serious problems for IT Defenders.
Many of the right solutions end up under-utilized or on the shelf unused, resulting in money down the drain.
Did the solution do what proponents said it would do? Does the solution fight the right things?
The fingerprints of these problems are easy to identify.

16. Defenders need to:
• Identify in a clear and timely way all the threat scenarios they face
• Focus on how initial compromises happen (i.e. root causes) versus what happens afterward
• Understand the comparative relative risks of different threats
• Broadly communicate threats ranked by risk to all stakeholders, including senior management
• Efficiently coordinate agreed-upon responses to risk
• Measure the success of deployed defensive resources against the threats they were defined to mitigate
All these implementation weaknesses lead to misalignment of computer security defenses against the greatest threats.

17. Consequences of misalignment:
• Not ranking risks correctly relative to each other
• Seeing all risks as more equal than they are
• Focusing on wrong threats
• Focusing on individual threats instead of more inclusive, broader issues
• Belief that malicious events are impossible to stop or minimize
• Loss of hope by defenders and the people that rely on those defenders
Can lead to a sense of hopelessness by defenders and the people that rely on those defenders.

18. Poor perception and application against threats can lead to “Whack-a-mole” defenses applied without data to back up relevance.
“Every defense is treated equally, or applied disproportionate to threat risk”
Threats, “like bubbles in a glass of champagne”: Heartbleed vulnerability; Sandworm Vulnerability; Insider Threats; USB Attacks; Unpatched Software; SQL Injection; APT; Physical Theft; Viruses & Worms; Anonymous Hacker Group; Buffer Overflows; Weak Passwords; Pass-the-Hash Attacks; Phishing; Social Engineering; Lost Laptops; SSL Flaw; Ransomware; Fraud; Stolen Data; Espionage; Leaked Data; Mobile; IoT; BYOD; Adware; Spyware; Backdoor Trojans
Defenses applied against them: Vuln Detection; DLP; Policy; Patch Everything; Try Anything; Vendors; Police; Some Monitoring; Don’t Know; Patch Windows; Complex Passwords/2FA; Segment; Warnings; A little end-user training; Config Mgmt; Outsource; Guessing; Disk Encryption; Legal; Looking Into; Just Give Up; Better Auth; AV; Not Sure/Ignore

19. Risk Ranked Threat Perceptions:
• Focuses on root causes
• Relevance is a deciding factor
• Adware is as important as a malicious Trojan
Risk Ranked Defenses:
• Mitigates root causes, not specific threats
• More efficient resource utilization
• Allows clearer cost/benefit considerations
[Figure: threats sized by risk – #1, #2 and #3 Most Impactful Exploited Root Cause Threats, a few Medium Threats, and many Small Threats – beside the matching Defenses Against the #1, #2 and #3 Most Impactful Exploited Root Cause Threats, Medium Mitigations, and the small threats left over.]
May decide that the cost of defending against small threats is not a good business decision.

20. The Data-Driven Defense cycle:
• Collect (Better) Localized Threat Intelligence
• Rank Risk Appropriately
• Create Effective Communications Plan
• Select & Deploy Root Cause Defenses
• Define & Collect Metrics
• Review and Improve Plan as Needed

21. A key goal of an implemented data-driven computer security defense is to more directly align and funnel mitigations against the root-causes of the most successful threats.
Alignment Principle: Data Driven Analysis feeds Data Driven Response.
GOAL: Streamlined Mitigation Against Root-Causes of Successful Exploitation
[Diagram labels: Localized; Detecting Root Causes; Renewed Focus Tied to Root Causes; Aligned to Biggest Threats; Are Defenses Successful?]
24. Use your data and metrics to:
• Get faster detection/early warning
• Measure exploit success in your organization
• Measure trends over time
Increasing trends require better responses.

25. You should care as much about root causes as you do about what the hacker did after they got into your environment.
Focusing on individual threats and only what they did after they got in is like worrying about your brakes after your car is stolen.
Ex: Worrying about Pass-the-Hash attacks without fixing how the hacker got domain admin in the first place isn’t fixing the problem.
When you’ve adjusted your thinking, you will find adware is as worrisome as a malicious backdoor Trojan: both took the same effort to get into your environment, and both reveal defensive gaps.

26. “The Main Driver is Local Threat Intelligence”
Focus Prioritization:
1. Focus on historic and current attacks first
2. New, most likely to happen, “In-the-wild” and industry targeting
3. Everything Else

27. Metrics:
• If you can’t measure it, you can’t manage it
• Data is the conduit of success
• Gut feelings should be backed up by data
• Key Metric: Capturing root causes
• Data is used to drive event alerting
• Metrics are needed for comparisons and reporting

28. A perfect data event to create security alerts should contain the following attributes:
• High likelihood that occurrence indicates unauthorized activity
• Either a single occurrence or an unexpectedly large number of events in a given time period indicates a high chance of maliciousness
• Low number of false-positives
• Occurrence should result in an investigative forensics
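The slide 28 alert attributes (a single occurrence is enough for some events, an unexpectedly large count in a time window for others) as a small rule evaluator over a constructed event stream. This is an added example, not code from the deck or its whitepaper; the event types, hosts, thresholds and window sizes are assumptions.

```python
"""Added example: alert rules with a single-occurrence mode and a
count-in-window mode, run over constructed sample events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (assumed format): timestamp,host,event_type
SAMPLE_EVENTS = """\
2024-03-01T09:00:00,ws17,logon_failure
2024-03-01T09:00:05,ws17,logon_failure
2024-03-01T09:00:30,ws17,logon_failure
2024-03-01T09:00:50,ws17,logon_failure
2024-03-01T09:01:10,ws17,logon_failure
2024-03-01T09:02:00,ws17,logon_success
2024-03-01T10:15:00,srv02,new_local_admin
2024-03-01T11:00:00,ws03,logon_failure
"""

@dataclass(frozen=True)
class Rule:
    name: str
    event_type: str
    threshold: int        # 1 = a single occurrence is enough to alert
    window: timedelta     # period within which threshold must be reached

RULES = [
    # Rare, high-likelihood event: one occurrence warrants a forensic look.
    Rule("new local admin created", "new_local_admin", 1, timedelta(minutes=1)),
    # Volume rule: one failed logon is noise; five on one host in two
    # minutes is not, which keeps false positives low.
    Rule("logon failure burst", "logon_failure", 5, timedelta(minutes=2)),
]

def parse_events(text):
    """Parse the CSV-style lines into (timestamp, host, event_type), sorted."""
    events = []
    for line in text.strip().splitlines():
        ts, host, etype = line.split(",")
        events.append((datetime.fromisoformat(ts), host, etype))
    return sorted(events)

def evaluate(events, rules):
    """Return (rule name, host, timestamp) for every alert. A host alerts
    once per burst: when the count inside the sliding window reaches the
    threshold the window is cleared, so one burst yields one alert."""
    alerts = []
    for rule in rules:
        per_host = defaultdict(list)        # host -> timestamps in window
        for ts, host, etype in events:
            if etype != rule.event_type:
                continue
            window = per_host[host]
            window.append(ts)
            while window and ts - window[0] > rule.window:
                window.pop(0)               # expire old timestamps
            if len(window) >= rule.threshold:
                alerts.append((rule.name, host, ts))
                window.clear()
    return alerts

if __name__ == "__main__":
    for alert in evaluate(parse_events(SAMPLE_EVENTS), RULES):
        print(alert)
```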
29. Threats – Detection Abilities – Gap & Risk Analysis – Fixes
• Identify all sources of threat intelligence and IT defense in your company
  • Including all data input and database structures
  • Including all reports and other output
• Identify all threats and their risk relevance to each other and to the company
• What is your detection capability for those threats?
• Identify which high-risk threats are not currently detected appropriately
• Fix the gaps
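The slide 19 ranking of root causes, the slide 24 trend check and the slide 29 gap analysis carried through on constructed local incident data. This is an added example, not the deck's or whitepaper's code; the root-cause names, impact scores, quarters and detection-coverage levels are assumptions.

```python
"""Added example: rank initial-compromise root causes from local incident
data, flag top root causes with weak detection, and measure the trend."""
from collections import defaultdict

# Constructed incident records: (quarter, root cause of initial
# compromise, impact score 1-5). Values are illustrative assumptions.
INCIDENTS = [
    ("Q1", "unpatched software", 4), ("Q1", "social engineering", 3),
    ("Q1", "social engineering", 2), ("Q1", "weak password", 2),
    ("Q2", "social engineering", 4), ("Q2", "social engineering", 3),
    ("Q2", "social engineering", 5), ("Q2", "unpatched software", 3),
    ("Q2", "misconfiguration", 1),
]

# Constructed self-assessment of detection capability per root cause
# (slide 29: "what is your detection capability for those threats?").
DETECTION = {
    "unpatched software": "good",
    "social engineering": "none",
    "weak password": "partial",
    "misconfiguration": "partial",
}

def rank_root_causes(incidents):
    """Total impact per root cause, highest first (slide 19: rank by the
    root cause of the initial exploit, not by the individual threat)."""
    totals = defaultdict(int)
    for _, cause, impact in incidents:
        totals[cause] += impact
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def detection_gaps(ranking, detection, top_n=3):
    """Top-N ranked root causes whose detection is not 'good' (slide 29:
    high-risk threats not currently detected appropriately)."""
    return [(cause, detection.get(cause, "none"))
            for cause, _ in ranking[:top_n]
            if detection.get(cause, "none") != "good"]

def trend(incidents, cause, earlier, later):
    """Change in incident count for one root cause between two periods
    (slide 24: increasing trends require better responses)."""
    def count(quarter):
        return sum(1 for q, c, _ in incidents if q == quarter and c == cause)
    return count(later) - count(earlier)

if __name__ == "__main__":
    ranking = rank_root_causes(INCIDENTS)
    print("ranked root causes:", ranking)
    print("detection gaps:", detection_gaps(ranking, DETECTION))
    print("social engineering Q1->Q2:", trend(INCIDENTS, "social engineering", "Q1", "Q2"))
```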
30. What to do next:
• Evangelize this concept! Use book, whitepaper, and slides
• Get a computer security data analytics person or team
• Collect all your data into single places for more aggressive data analysis
• Figure out what questions to ask
• Assess your threat intelligence information collection and how valid and specific it is for your organization
• Figure out your top root causes and threats
• Assess how well your threat intelligence and defenses align to those threats
• Fill in the gaps
• Make aligned defenses measurable and accountable

31. The comprehensive defensive data solution creates a holistic defense strategy
• More Intelligent Threat Intelligence
• Coordinated Enterprise Security Strategy
• Improved Risk Assessment
• More Efficient Defenses
• Quicker Response to Emerging Threats
• Measurable Lower Risk
Outcomes:
• Better Threat Intelligence and Detection
• Measurable Risk Assessment
• More Focused Mitigations and Computer Security Defenses
• Better Security Metrics
• Accountable Defense Outcomes
• Better Computer Security Communication & Education
[Diagram labels: Reduce Initial Exploits; Defense In Depth; Unknown and Assumed Risk; Assume Breach Defenses]