Cyber Security integration
- Why is security integration important?
- How do you integrate different security functions?
- How do you maintain a security integration?
- How do you measure results?
“The information in this document is provided “AS IS” with no warranties, and confers
no rights. This document does not represent the thoughts, intentions, plans or
strategies of my employer. It is solely my opinion. Product names, logos, brands, and
other trademarks featured or referred to within the document are the property of their
respective trademark holders.” Please note: I am not a law expert but an IT guy; if I
forgot to mention something, let me know.
Material under Creative Commons license.
Type: Attribution-NonCommercial-NoDerivs
$whoami
Name: Carlo Dapino
Nickname: Acklost (TCP/IP lover)
IT Security since 2001
Areas:
Security Engineering
Design
Operation
Management
Sectors:
Banking and IT Security Consulting
Expertise:
Infrastructure and Network security
Website/Contact me:
www.acklost.net
Credit Images: Copyright © 2018 - Carlo Dapino – Acklost.net - All rights reserved
Who helps you when you feel alone?
- Are your security teams well orchestrated across all security functions?
- Do you have solo players?
- Are all security functions sharing info and closing the security loop?
You can have the best security professionals on the market, but if each
of them plays on her/his own, the overall sound can be terrible!
Is it a technical problem or a people problem? ... BOTH!
Balance between technology and professionals
- No security tool can give you experience
- You can buy all the tools but, in the end, you are the one who has to get the big picture out of them
- Integration across tools and solutions is key
- Tools can save you time, so that security professionals can focus on using their experience
- With big data, you have big responsibility
- DevSecOps doesn’t mean you can skip having the right people on board ... if you automate a mistake, you only amplify the side effects more quickly
- Spend more on people than on technology; they will always be the ones you talk to and rely on
- To have a performing brain, you need to have a good working environment
- Internal threat is also about your sec guy
Let’s be practical ...
So... why doesn’t the security orchestra’s music always sound right?
Each function doesn’t feed its OUTPUTs to the others, creating async views of the security maturity.
How do you fix this async view issue?
1. Be THREAT centric, not RISK centric
If you drive a CAR:
RISK -> having a car accident
THREAT -> knowing whether you are driving in WET or SNOW conditions will change your actions and investments (winter tyres, chains) ... aka remediation
With these details, you can also better understand whether to accept, outsource or reject the risk.
With threat modeling you will know whether you have to balance with more technology or with more people. A risk analysis alone will not give you the full picture.
2. Every security function needs to establish infinite loops running 365x24x7 and
continuously updated by various external feeds.
Let’s zoom in on one SecOps function, the Vulnerability Management Lifecycle. On the next
slide, I will show you how this loop integrates with the rest of the security
orchestra.
[Diagram: Vulnerability Management Lifecycle loop. Labels: Verify, Discover, Remediate, Assess, Prioritize, Assets, Report. INPUT feed FROM other SecFunctions or external feeds (CVE, IoC); OUTPUT feed TO other SecFunctions.]
3. Integrate each security function loop and link together ALL outputs
[Diagram: the loops of the security functions linked through their INPUTs and OUTPUTs, with THREAT MODEL and RISK. Labels: Vuln. Mgmt. (Verify, Discover, Remediate, Assess, Prioritize, Assets, Report); Incident Mgmt., NIST 800-61 (Preparation, Detection, Containment, Eradication, Recovery, Post-Incident); SecDevOps (Plan, Code, Test, Release, Deploy, Operate, Monitor); Security Arch. (Arch. Context, Arch. Delivery, Transition Planning, Arch. Governance); GRC.]
4. Keep an overall threat model that is always updated from the specific threat models by topic
(Application, Infrastructure, etc.)
[Diagram: THREAT MODEL fed by topic. Labels: Application, Infrastructure, Supply Chain, BYOD, Business, Sector, Brand.]
5.
- BE PRACTICAL, not theoretical
- DON’T let your threat model be a static picture
- AUTOMATE where you can, to be sure that if the application, code, attack vector, attack surface or threat changes, your threat model will always be valid.
- Reduce your technology budget footprint by integrating multiple projects, reflecting the loop you designed for your lifecycle (API integration helps)
- To secure something, you need an expert on that specific topic; s/he doesn’t have to have CYBER {something} as a title or know how to use Metasploit.
- MONITOR your progress against small, achievable targets and steps.
- TEST it over and over
6. In rugby every skill can find a role; in security too. Diversity and the ability to create
smart teams on the fly, based on the problem, are the key. You need investigators,
analysts, engineers, developers, and storage, database and sys admins. You can’t have
them all in a security team. Rethink your organization structure, avoid security
silos (also between hands-on and hands-off security members) and exercise smart
teaming and brainstorming sessions. Attackers are creative, are you too?
7. REUSE projects already out there to automate the loops of continuous feed. It will
reduce the cost and it will guarantee the quality.
“The ATT&CK Matrix for Enterprise provides a visual representation of the adversarial
techniques described in the ATT&CK for Enterprise threat model.”
Don’t stop at knowing that the project exists; automate it and use it.
8. Monitor the results
Are all your OUTPUTs aligned?
- Is your Risk Registry in sync with your last Threat Model?
- Is your Vulnerability Management in line with the last lesson learnt during an incident?
- Is your Architecture considering all threats?
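The three questions above can run as automated checks once each function publishes its OUTPUT in machine-readable form. This is an added example, not part of the original slides; every record, ID and field name in it is constructed for illustration.

```python
"""Cross-check the OUTPUTs of several security functions (all data constructed)."""
from dataclasses import dataclass
from datetime import date

# --- Constructed sample OUTPUTs of each security function -------------------
THREAT_MODEL = {
    "revision": 7,
    "threats": {
        "TM-01": "Credential phishing against staff",
        "TM-02": "Exploitation of an unpatched internet-facing service",
        "TM-03": "Compromised third-party library in the build",
    },
}
RISK_REGISTER = [  # GRC: each risk cites a threat and the model revision it was assessed on
    {"risk": "R-10", "threat": "TM-01", "tm_revision": 7},
    {"risk": "R-11", "threat": "TM-02", "tm_revision": 5},  # assessed on an old revision
    {"risk": "R-12", "threat": "TM-09", "tm_revision": 4},  # threat no longer in the model
]
INCIDENT_LESSONS = [  # Incident Mgmt.: post-incident lessons learnt
    {"id": "LL-3", "closed": date(2018, 3, 2), "asset_tags": {"vpn-gateway"}},
    {"id": "LL-4", "closed": date(2018, 6, 20),
     "asset_tags": {"build-server", "vpn-gateway"}},
]
VULN_MGMT = {  # Vuln. Mgmt.: what the prioritization step currently puts first
    "priorities_updated": date(2018, 5, 1),
    "priority_asset_tags": {"vpn-gateway", "internet-facing"},
}
ARCHITECTURE_CONTROLS = [  # Security Arch.: control -> threats it addresses
    {"control": "MFA on remote access", "threats": {"TM-01"}},
    {"control": "Patch SLA for internet-facing hosts", "threats": {"TM-02"}},
]

@dataclass(frozen=True)
class Finding:
    check: str    # which alignment question failed
    subject: str  # the record that is out of sync
    detail: str

def risk_register_vs_threat_model(tm, register):
    """Is the Risk Registry in sync with the latest Threat Model?"""
    findings, covered = [], set()
    for entry in register:
        if entry["threat"] not in tm["threats"]:
            findings.append(Finding("risk-sync", entry["risk"],
                                    "cites a threat absent from the threat model"))
            continue
        covered.add(entry["threat"])
        if entry["tm_revision"] < tm["revision"]:
            findings.append(Finding("risk-sync", entry["risk"],
                                    f"assessed on revision {entry['tm_revision']}, "
                                    f"model is at {tm['revision']}"))
    for threat_id in sorted(set(tm["threats"]) - covered):
        findings.append(Finding("risk-sync", threat_id, "no risk register entry"))
    return findings

def vuln_mgmt_vs_last_lesson(lessons, vm):
    """Is Vulnerability Management in line with the last lesson learnt?"""
    if not lessons:
        return []
    last = max(lessons, key=lambda lesson: lesson["closed"])
    findings = []
    if vm["priorities_updated"] < last["closed"]:
        findings.append(Finding("vuln-sync", last["id"],
                                "priorities not reviewed since this lesson was closed"))
    for tag in sorted(last["asset_tags"] - vm["priority_asset_tags"]):
        findings.append(Finding("vuln-sync", last["id"],
                                f"asset tag '{tag}' from the lesson is not prioritized"))
    return findings

def architecture_vs_threat_model(tm, controls):
    """Is the Architecture considering all threats?"""
    addressed = set().union(*(c["threats"] for c in controls))
    return [Finding("arch-sync", threat_id, "no architecture control addresses it")
            for threat_id in sorted(set(tm["threats"]) - addressed)]

def alignment_report(tm=THREAT_MODEL, register=RISK_REGISTER, lessons=INCIDENT_LESSONS,
                     vm=VULN_MGMT, controls=ARCHITECTURE_CONTROLS):
    """Run all three checks; an empty list means the OUTPUTs are aligned."""
    return (risk_register_vs_threat_model(tm, register)
            + vuln_mgmt_vs_last_lesson(lessons, vm)
            + architecture_vs_threat_model(tm, controls))

if __name__ == "__main__":
    for f in alignment_report():
        print(f"[{f.check}] {f.subject}: {f.detail}")
```

Scheduled against the real exports of each function, a non-empty report is the measurable signal that the views have drifted apart.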