There's a need for MSSPs to move beyond simply watering down alerts and providing a report. It's time to do more detection, provide more value, and make sure that cloud and cloud services are not left out. This is a high-level keynote touching on threats, risk, and ways to think about providing more value.
Detection + 1 in the Cloud Age
1. Ben Johnson, Co-Founder & CTO
Managed Security Service Conference 2019 | Denver, CO
Delivering “Detection + 1” in the Cloud Age
bjohnson@obsidiansecurity.com
2. BACKGROUND CHECK // BEN JOHNSON
Co-Founder and CTO, Obsidian Security
Co-founder and former CTO of Carbon Black, which built the first EDR product.
Previously: NSA CNO and AI Lab.
[Timeline, 2000 to 2017: Employment; Board Seats; 1st Technical Advisor (Amicus Curiae) to US FISA Court]
7. @chicagoben | @obsidiansec
Leaky Clouds
Booz Allen
OneLogin
The RNC
Verizon
Accenture
Dow Jones
Viacom
Deloitte
Sweden
California
8. Many Challenges
Skills Gap +
Deploy-and-Decay +
Huge Data (more than big) +
Attacker Successes +
= LACK OF CYBER SELF-ESTEEM
9. Adversaries & Motivations
Cybercriminals
• Broad-based and targeted
• Financially motivated
• Getting more sophisticated
Hacktivists
• Targeted and destructive
• Unpredictable motivations
• Generally less sophisticated
Nation-States
• Targeted and multi-stage
• Motivated by data collection
• Highly sophisticated with endless resources
Insiders
• Targeted and destructive
• Unpredictable motivations
• Sophistication varies
13. Enterprise Architectures are Complex
[Diagram: SaaS and cloud services (Salesforce, Slack, O365, AWS) surrounding the HQ, which holds Business Applications, Databases and Active Directory]
Surface area is more dynamic with more entropy.
Even with SaaS, YOU are responsible for Identity and Access Management (IAM).
14. Information Security and the Cloud (Reality)
“IT is going from 0 to 100 in the cloud and leaving us in the dust”
- Fmr. CISO, Lending Club
“We’re blind to all these new SaaS accounts”
- Director, Cyber Intelligence, Top Athletics Brand
“We have 300 AWS accounts and no governance”
- Public Tech Company
“Hackers don’t break in, they login.”
- CISO, Cisco
17. SaaS: “OF” versus “IN”
The SaaS provider handles all aspects except for identity and access management, client device controls, and data accountability.
The customer, therefore, must understand users, devices & all data related to that service.
18. Microsoft handles the underlying infrastructure, including patching and updating, and the accessibility of the service.
You are responsible for what is emailed, who accesses the email, and how they access the email.
19. SaaS Integrations
https://developer.salesforce.com/
https://developers.google.com/gsuite/
https://developer.microsoft.com/en-us/office
https://api.slack.com/
https://aws.amazon.com/documentation/
Some of these make it really easy to build apps and ingest data.
24. Identity Creep
DORMANT ACCOUNTS
ORPHANED ACCOUNTS
MISMATCHED PERMISSIONS
[Screenshot: accounts sorted by days since last activity: 238 days, 181 days, 87 days, 79 days, 22 days, 17 days, 9 days, 8 days, … (20758 lines)]
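The three kinds of identity creep on slide 24 can be found from data every cloud service already exposes. The script below is an added example for this page, not code from the talk or from Obsidian: it runs the dormant, orphaned and mismatched-permission checks over an AWS IAM credential report. The header names are the real `aws iam get-credential-report` columns (abridged to the ones read), while the rows, the HR roster, the policy map, the admin group, the fixed "today" and the 90-day threshold are all constructed assumptions.

```python
"""
Identity-creep triage over an AWS IAM credential report.

Added example for this page; not code from the talk or from Obsidian.
The header names are those of `aws iam get-credential-report` (abridged to the
columns read here). The rows, the HR roster, the policy map, the admin group
and the 90-day threshold are constructed sample data and assumptions, standing
in for an HRIS export and `aws iam list-attached-user-policies` output.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)                 # assumed threshold, not from the talk
NOW = datetime(2019, 5, 10, tzinfo=timezone.utc)   # fixed "today" so results are reproducible

# Constructed sample rows in credential-report layout (real column names, fake users).
CREDENTIAL_REPORT = """\
user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111111111111:user/alice,true,2019-05-01T08:12:00+00:00,true,2019-05-02T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,true,2018-09-05T00:00:00+00:00,false,N/A,false,N/A
carol,arn:aws:iam::111111111111:user/carol,false,not_supported,true,N/A,false,N/A
dave,arn:aws:iam::111111111111:user/dave,true,2019-05-03T08:12:00+00:00,true,2019-05-03T10:00:00+00:00,false,N/A
"""

# Constructed: who HR says still works here, and which managed policy each IAM user holds.
HR_ROSTER = {"alice", "carol", "dave"}             # bob has left; his IAM user has not
USER_POLICIES = {
    "alice": ["ReadOnlyAccess"],
    "bob": ["ReadOnlyAccess"],
    "carol": ["AmazonS3ReadOnlyAccess"],
    "dave": ["AdministratorAccess"],
}
ADMIN_GROUP = set()                                # nobody is approved for admin in this sample
ADMIN_POLICY = "AdministratorAccess"


def parse_ts(value):
    """Credential-report timestamps are ISO 8601. N/A, no_information and
    not_supported all mean 'never' and come back as None."""
    try:
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def last_activity(row):
    """Most recent of console login and either access key's last use, or None if never used."""
    stamps = [parse_ts(row.get(col)) for col in (
        "password_last_used",
        "access_key_1_last_used_date",
        "access_key_2_last_used_date",
    )]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def triage(report_csv, hr_roster, user_policies, admin_group, now=NOW):
    """Classify each IAM user. Returns
    {'dormant': {user: days idle, or None if never used},
     'orphaned': [users with no HR record],
     'mismatched': [users holding the admin policy outside the admin group]}."""
    dormant, orphaned, mismatched = {}, [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":               # real reports start with root; handle it separately
            continue
        last = last_activity(row)
        if last is None:
            dormant[user] = None                   # created and never used: the classic forgotten account
        elif now - last > DORMANT_AFTER:
            dormant[user] = (now - last).days
        if user not in hr_roster:                  # orphaned: no living owner in HR
            orphaned.append(user)
        if ADMIN_POLICY in user_policies.get(user, []) and user not in admin_group:
            mismatched.append(user)                # privilege not matched by an approval
    return {"dormant": dormant, "orphaned": orphaned, "mismatched": mismatched}


def run_sample():
    """Run the triage over the constructed data above."""
    return triage(CREDENTIAL_REPORT, HR_ROSTER, USER_POLICIES, ADMIN_GROUP)


if __name__ == "__main__":
    findings = run_sample()
    # Same view as the slide: accounts ordered by days idle, never-used first.
    for user, days in sorted(findings["dormant"].items(),
                             key=lambda kv: float("inf") if kv[1] is None else kv[1],
                             reverse=True):
        print(f"{user:<8} {'never used' if days is None else f'{days} days'}")
    print("orphaned:", findings["orphaned"])
    print("mismatched permissions:", findings["mismatched"])
```

Against a live account, replace CREDENTIAL_REPORT with the decoded Content field of `aws iam get-credential-report` and the roster with an HRIS export; the same shape of check applies to Salesforce (the User object's LastLoginDate) and G Suite (the Admin SDK user's lastLoginTime), which is what "include cloud" means in practice.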
26. Dormant Accounts?
Even if you cannot get buy-in to reduce risk, cost savings are huge!
At left, a relatively small company (600 employees) could save over $300k / year by right-sizing 3 services!
29. Journey vs. Destination
Security teams put their energy where they have autonomy. They get comfortable in a never-ending journey instead of driving toward new destinations.
31. Visibility Drives Defenses
Focus human attention on high risk, high value assets.
No sense preparing for fires that don’t exist or protecting low value assets.
32. Tech Stack Empowers Both Sides
[Diagram: Customers and Service Providers]
Like the shade a tree gives, a good tech stack affords powerful general protection to all constituencies.
37. Countering Creep: Quick Provision Process
Then: “Give me access to Salesforce” → work ticket generated → IT staff reviews ticket → needs info from accounting → manager sign-off (manager unavailable) → weeks later, access granted.
Now: “Give me access to Salesforce” → automated assessment, manager alerted → minutes later, access granted.
39. CliffsNotes
• Include cloud! (Office, Salesforce, AWS, etc.)
• Fight risk! Shrink surface area.
• Drive a better baseline (raise the bar).
• Every detection is a teachable moment.
• Enable customers to utilize the tech they pay for.
• There’s a lot of value in tying together best-of-breed.