3. • Manager – Security Architecture
• Heavily focused on Cloud/AWS
• Experience includes moving from End User Support, to Sys Admin, to Consulting, to Information Security, to Security Architecture
11. Access Control
• What is being protected?
• How do we protect it if we assume it is already breached?
12. Access Control: What is being protected?
• Internal
– Payroll
– Policies and Procedures
• Restricted
– PII, PCI, PHI
– SOX, GLBA
• Public
– Marketing
– Public Website
14. Choke Points
• Trusted sources
• Areas of known activity
• Minimize surface areas for non-standard things (e.g. guard the front gate, not the whole wall)
• Not a new concept
• Not a new concept
16. Trust Zones
• More than network segmentation
– We can have segmentation and still have a flat network
• Must empower businesses
– Too many hoops to jump through: at best users will be mad, worst case they will find a way around
18. Detection Strategy
• Identify the needles before building the haystack
• Minimize attack surfaces
• Focus on ‘all hands on deck’ alerts
• Review alerts vs reports
19. Detection Strategy
• Don’t try to think like an attacker
• Stop trying to prevent the latest and greatest 0-day; just assume it is already there
20. Next Steps • Access Control
– Minimize perimeter
– Control changes
– Tiered accounts for administration
21. Next Steps • Choke Points
– Bring the battle to you
– Know what normal looks like
– Tiered Accounts
– Reduce the noise
22. Next Steps • Trust Zones
– Segment your network
– Know what is supposed to talk to each other
– This should be transparent to users
– Keep it simple, but not flat
23. Next Steps • Detection Capabilities
– Use guides (see references)
– Know what normal is, be able to detect what isn’t
– Reduce the noise
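The Next Steps for Choke Points, Trust Zones and Detection all rest on the same move: write down what normal looks like (which zones are supposed to talk to each other, which administrative tier may touch which host tier) and surface whatever does not match, then split the output into the few ‘all hands on deck’ alerts and the rest as reports. The Python below is an added example, not code from the deck or from any of its references. The zones, address ranges, host inventory, account tiers and the 4624-style logon events are all constructed for illustration; the field names (TargetUserName, Computer, IpAddress, LogonType) are the ones a Windows 4624 event carries, but the values are made up.

```python
"""Baseline-versus-observed check over constructed Windows 4624 logon events.

Added example, not from the slide deck. "Normal" is written down as data:
  1. which trust zones are supposed to talk to each other (segmentation policy)
  2. which admin account tier may log on to which host tier (tiered accounts)
Everything that does not match is surfaced, split into alerts and reports.
All zones, tiers, hosts and events below are constructed for the example.
"""
import ipaddress

# Trust zones by address range (assumed network plan).
ZONES = {
    "user_workstations": ipaddress.ip_network("10.10.0.0/16"),
    "server_lan": ipaddress.ip_network("10.20.0.0/16"),
    "admin_jump": ipaddress.ip_network("10.99.0.0/24"),
    "dmz": ipaddress.ip_network("172.16.0.0/24"),
}

# (source zone, destination zone) pairs that are supposed to talk.
# Traffic inside one zone is taken as normal; any other cross-zone logon is not.
ALLOWED_FLOWS = {
    ("user_workstations", "server_lan"),
    ("server_lan", "dmz"),
    ("admin_jump", "server_lan"),
    ("admin_jump", "user_workstations"),
    ("admin_jump", "dmz"),
}

# Tiered administration: 0 = identity (domain controllers), 1 = servers, 2 = workstations.
# An admin account may only be used on hosts of its own tier. Accounts missing
# from PRIV_ACCOUNT_TIER are ordinary users and are not tier-checked.
HOST_TIER = {"DC01": 0, "FS01": 1, "WEB01": 1, "WS-1042": 2}
HOST_IP = {"DC01": "10.20.0.10", "FS01": "10.20.1.10", "WEB01": "172.16.0.20", "WS-1042": "10.10.42.7"}
PRIV_ACCOUNT_TIER = {"adm-t0-alice": 0, "adm-t1-bob": 1, "svc-backup": 1, "adm-t2-carol": 2}


def zone_of(ip):
    """Name of the zone containing ip, or None if it is outside every known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_event(ev):
    """Reasons a 4624-style logon departs from the baseline; an empty list means normal."""
    reasons = []
    src_zone = zone_of(ev["IpAddress"])
    dst_zone = zone_of(HOST_IP[ev["Computer"]])
    if src_zone is None:
        reasons.append(f"logon from {ev['IpAddress']}, outside every known zone")
    elif src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_FLOWS:
        reasons.append(f"unexpected flow {src_zone} -> {dst_zone}")
    acct_tier = PRIV_ACCOUNT_TIER.get(ev["TargetUserName"])
    host_tier = HOST_TIER[ev["Computer"]]
    if acct_tier is not None and acct_tier != host_tier:
        reasons.append(
            f"tier {acct_tier} account {ev['TargetUserName']} used on tier {host_tier} host {ev['Computer']}"
        )
    return reasons


def is_all_hands(ev):
    """Tier 0 (identity) involvement or an unknown source gets paged; the rest is a report."""
    return (
        HOST_TIER[ev["Computer"]] == 0
        or PRIV_ACCOUNT_TIER.get(ev["TargetUserName"]) == 0
        or zone_of(ev["IpAddress"]) is None
    )


def triage(events):
    """Split baseline departures into 'alert' (page now) and 'report' (review daily)."""
    out = {"alert": [], "report": []}
    for i, ev in enumerate(events):
        for reason in check_event(ev):
            out["alert" if is_all_hands(ev) else "report"].append((i, reason))
    return out


# Constructed 4624 logon events, trimmed to the fields the check needs.
EVENTS = [
    {"TargetUserName": "jdoe", "Computer": "FS01", "IpAddress": "10.10.5.21", "LogonType": 3},
    {"TargetUserName": "adm-t0-alice", "Computer": "DC01", "IpAddress": "10.99.0.5", "LogonType": 10},
    {"TargetUserName": "adm-t0-alice", "Computer": "WS-1042", "IpAddress": "10.99.0.5", "LogonType": 10},
    {"TargetUserName": "svc-backup", "Computer": "FS01", "IpAddress": "172.16.0.20", "LogonType": 3},
    {"TargetUserName": "jdoe", "Computer": "DC01", "IpAddress": "192.168.50.9", "LogonType": 3},
    {"TargetUserName": "adm-t2-carol", "Computer": "WS-1042", "IpAddress": "10.10.42.7", "LogonType": 2},
]

if __name__ == "__main__":
    result = triage(EVENTS)
    for severity in ("alert", "report"):
        for idx, reason in result[severity]:
            print(f"{severity.upper():6} event {idx}: {reason}")
```

Of the six constructed events, three are normal and three are not: a tier 0 account on a workstation and a logon to a domain controller from an address in no known zone are paged as alerts, while a DMZ host reaching the server LAN lands in the daily report. The point is not the policy itself (the allowed pairs and tier map are assumed) but that once normal is written down as data, both the segmentation question and the tiered-accounts question become the same cheap lookup over the logs you already collect, which keeps the haystack small.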
24. References
• Don’t think like an attacker:
– MITRE ATT&CK – https://attack.mitre.org/wiki/Main_Page
– Sigma (generic detection rules) – https://github.com/Neo23x0/sigma
– Threat Hunter Playbook – https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
• Strategy:
– James Tubberville – Threat Mitigation Strategies: Observations and Recommendations – http://threatexpress.com/2018/01/threat-mitigation-strategies-observations-recommendations/
– Andrew Alaniz – 10 Immutable Laws of Assumed Breach – http://www.andrewalaniz.com/2017/12/10-immutable-laws-assumed-breach/
– Joe Vest – Using IOCs to Control Threats (Using IOCs to Design and Control Threat Activities During a Red Team Engagement) – https://www.slideshare.net/JoeVest1/using-ioc-to-design-and-control-threat-activities-during-a-red-team-engagement
– Microsoft – 10 Immutable Laws of Security – https://technet.microsoft.com/en-us/library/hh278941.aspx
• Detection:
– Jessica Payne – Tracking Lateral Movement, Part One: Special Groups and Specific Service Accounts – https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/
– Andrew Alaniz – Assumed Breach Model: A Practical Approach, Part 1 – http://www.andrewalaniz.com/2017/12/assumed-breach-model-practical-approach-part-1/
– Andrew Alaniz – Windows Event Forwarding Collector Resources (resources for capturing Windows events) – http://www.andrewalaniz.com/2016/10/windows-event-forwarding-collector-resources/