
Security by Collaboration: Rethinking Red Teams versus Blue Teams

Mike Saurbaugh and Kevin Johnson's presentation: "Security by Collaboration: Rethinking Red Teams versus Blue Teams." at CUISPA 2015 in Austin.

  1. Security by Collaboration: Rethinking Red Teams vs. Blue Teams. Kevin Johnson, CEO, Secure Ideas (@SecureIdeas); Mike Saurbaugh, Mgr, Information Security, Corning Credit Union (@MikeSaurbaugh)
  2. Evaluating Our Approach! Source: http://web.securityinnovation.com/Portals/49125/docs/ponemon-pci-whitepaper.pdf
  3. United, Not Divided
  4. "Let's See How Bad It Is…": Overt vs. Covert
  5. Security Awareness & Collaboration: Not Just "Users" (Employees, Developers, Security Operations). Image: http://assessmentcenter.org/KSA%20Scrabble.png
  6. Why Rethink Red vs. Blue
     • Security has commonly been split and lacks the combined benefits
     • Working together builds understanding and a comprehensive program
  7. Overview of Awareness & Collaboration
     1) Employees begin in a state of unawareness (risk, policy, procedures, and most importantly, WHY).
     2) They become aware of potential impact(s) and the role they play. It doesn't mean they know what to do; they're simply aware.
     3) Through training solutions, employees learn to identify and respond, and to follow policies and procedures.
     4) Behavioral change occurs as a result of the process. Employees begin to take proactive security measures and are more engaged, leading to positive business impact (e.g., not reusing passwords).
  8. The State of Security Awareness: 45% provide a formal program, 55% have no formal program!
  9. Options Addressing Security Awareness: Progress/Output vs. Impact/Outcome
  10. Collaboration Example
  11. Collaboration Example (host-protection log entry, as shown on the slide):
      The process …w3wp.exe' (as user …) attempted to receive the data '/…?include=../../../../../../../../../etc/passwd '. The operation was denied.
  12. Benefits of Combining Red & Blue
     • Separating attack and defense causes issues
       • Less comprehensive
       • Missing the understanding of the attack
     • Organizations often treat these as completely different functions
       • SOC vs. Testing vs. Users
  13. Benefits of Combining Red & Blue
     • Better understanding of risk
       • What is at risk?
       • Understand the attack
       • Understand how to defend
     • Clearer view of vulnerabilities
       • Defense understands controls
       • Offense understands an adversary
  14. Benefits of Combining Red & Blue
     • How do you know the test was correct?
       • "Audit the auditor"
     • Healthy discussion on risk
     • Communicate what was tested to non-security people (executives, regulators)
     • A chance to be part of the solution and the fix
       • Find, fix, retest
       • Not just going through the motions
  15. Integration
     • DevOps: a popular framework
       • Efficient & fast development
       • Open communication by design
     • Security testing/requirements
       • Often neglected
       • Security can't keep up with 50-1,000+ deployments per day
       • Communication barriers
  16. Integration
     • Security testing needs to be embedded
       • Must be part of the process
     • Developer awareness makes this easier
       • Understanding the attack yields controls
       • Knowing how/why increases knowledge
     • Get out of the silo!
  17. Measuring What's Important
     • Competitive advantage ($)
     • Measure to the business
     • Behavior change
  18. Measuring What's Important. Source: http://www.triplepundit.com/2011/01/what-everyone-wants-to-know-about-behavior-change/
     • "What gets measured, gets managed" – Peter Drucker
  19. Incident Response. [Bar chart: Vendor and Client, Before vs. After; y-axis 0-70.]
     • Reporting results, measuring to the business
  20. Plan of Action
     Assess
     • Identify key business risk via red team which supports competitive advantage
     • Determine vital behaviors to address for business and personal impact
     Baseline
     • Collect data early to illustrate risk to the business from attack tactics
     • Perform financial analysis on current business impact for executive buy-in
     Identify
     • Identify target employees and blue team members
     • Identify appropriate awareness modules for a program supporting the business
     Policy
     • Work with key stakeholders to create governance and an AUP
     • Meet compliance, but strive to change behavior and support the business
     IRP
     • Form incident response procedures (involving help desk and IRP teams)
     • Simple process to track and report on effectiveness supporting the business
  21. Next Steps – Summary
  22. Key Takeaways: Collaborate, Identify, Respond, Overt Not Covert, Break Then Fix
  23. THANK YOU!
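The log entry on slide 11 is the kind of event a blue team sees and a red team can explain: a request whose `include` parameter walks up the directory tree with `../` to reach `/etc/passwd`, blocked by host protection. The Python below is an added example for this page, not code from the presentation or from the product that produced that log line. It shows both sides of the collaboration: a detection check the blue team can run over request lines, and the developer-side resolver that makes the include safe. The request format, the parameter name `include`, the include root `/var/www/includes` and the sample requests are all constructed assumptions; the `…` elisions in the slide's log entry are not filled in.

```python
"""Detecting and blocking the ../../etc/passwd include attempt from slide 11.

Added example for this deck; it is not code from the presentation or from
the product that produced the log entry. The request format, the
parameter name 'include', the include root '/var/www/includes' and the
sample requests below are all constructed assumptions.
"""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

INCLUDE_ROOT = "/var/www/includes"  # assumed directory the page may include from


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e) is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """Blue-team check: does this parameter value try to leave its directory?"""
    decoded = decode_fully(value).replace("\\", "/")  # treat Windows separators alike
    segments = decoded.split("/")
    return decoded.startswith("/") or ".." in segments or "\x00" in decoded


def scan_requests(requests, param="include"):
    """Return (request, verdict) pairs for every occurrence of `param`."""
    findings = []
    for req in requests:
        query = parse_qs(urlsplit(req).query, keep_blank_values=True)
        for value in query.get(param, []):
            findings.append((req, "traversal" if is_traversal(value) else "ok"))
    return findings


def resolve_include(name, root=INCLUDE_ROOT):
    """Developer-side fix: resolve `name` under `root`, or return None if it escapes.

    The vulnerable pattern is include(root + name). Joining, normalising and
    then checking the prefix rejects '../' chains and absolute paths alike.
    """
    root = posixpath.normpath(root)
    decoded = decode_fully(name).replace("\\", "/")
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed requests in the shape of the denied request on slide 11.
SAMPLE_REQUESTS = [
    "/page.aspx?include=../../../../../../../../../etc/passwd",
    "/page.aspx?include=..%2F..%2F..%2Fetc%2Fpasswd",                   # encoded slashes
    "/page.aspx?include=%252e%252e%252f%252e%252e%252fetc%252fpasswd",  # double encoded
    "/page.aspx?include=/etc/passwd",                                   # absolute path
    "/page.aspx?include=header.inc",
    "/page.aspx?include=footer.inc&theme=dark",
]

if __name__ == "__main__":
    for req, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{verdict:9s} {req}")
    for name in ("header.inc", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r} -> {resolve_include(name)}")
```

`parse_qs` already decodes one layer of percent-encoding, so `decode_fully` is what catches the double-encoded variant; the resolver decodes the same way so that the check the blue team runs and the check the application enforces agree on what a request means. An allowlist of permitted include names is stricter still and is the better choice when the set of includable files is known.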
