Threat hunting 101 by Sandeep Singh
Your SlideShare is downloading.
×
Check these out next
More Related Content
Slideshows for you (20)
Viewers also liked (17)
Similar to Security by Collaboration: Rethinking Red Teams versus Blue Teams (20)
More from AlienVault (20)
Recently uploaded (20)
Security by Collaboration: Rethinking Red Teams versus Blue Teams
- 1. Security by Collaboration: Rethinking Red Teams vs. Blue Teams Kevin Johnson CEO Secure Ideas @SecureIdeas Mike Saurbaugh Mgr, Information Security Corning Credit Union @MikeSaurbaugh
- 2. 2 Evaluating Our Approach! Source: http://web.securityinnovation.com/Portals/49125/docs/ponemon-pci-whitepaper.pdf
- 3. 3 United, Not Divided
- 4. 4 “Let’s See How Bad It Is…” Overt vs. Covert
- 5. 5 Security Awareness & Collaboration Not Just “Users” Employees Developers Security Operations http://assessmentcenter.org/KSA%20Scrabble.png
- 6. 6 Security has commonly been split and lacks combined benefits Together builds understanding and comprehensive program Why Rethink Red vs. Blue
- 7. 7 Overview of Awareness & Collaboration 2) Become aware of potential impact(s) and the role they play. It doesn’t mean they know what to do; they‘re simply aware. 3) Through training solutions, employees learn to identify and respond and follow policies and procedures. 1) Employees begin at state of unawareness (risk, policy, procedures, and most impotantly, WHY) 4) Behavioral change occurs as a result of process. Employees begin to take proactive security measures and are more engaged, leading to positive business impact (Not reusing passwords)
- 8. 8 The State of Security Awareness 45% Provide Formal Program, 55% No Formal Program!
- 9. 9 Options Addressing Security Awareness Progress/Output Impact/Outcome
- 10. 10 Collaboration Example
- 11. 11 Collaboration Example The process …w3wp.exe' (as user …) attempted to receive the data '/…?include=../../../../../../../../../etc/passwd '. The operation was denied.
- 12. 12 Benefits of Combining Red & Blue Separating attack and defense causes issues Less comprehensive Missing the understanding of the attack Organizations often treat these as completely different functions SOC vs. Testing vs. Users
- 13. 13 Benefits of Combining Red & Blue Better understanding of risk What is at risk? Understand the attack Understand how to defend Clearer view of vulnerabilities Defense understands controls Offense understands an adversary
- 14. 14 Benefits of Combining Red & Blue How do you know what was test was correct? “Audit the auditor” Healthy discussion on risk Communicate what was tested to non- security people (executives, regulators) A chance to be part of the solution and fix Find, fix, retest Not just going through the motions
- 15. 15 DevOps – popular framework Efficient & fast development Open communication design Security testing/requirements Often neglected Security can’t handle 50-1,000+ per day Communication barriers Integration
- 16. 16 Security testing needs to be embedded Must be part of the process Developer awareness makes this easier Understanding the attack yields controls Knowing how/why increases knowledge Get out of the silo! Integration
- 17. 17 Measuring What’s Important Competitive advantage ($) Measure to Business Behavior change
- 18. 18 Measuring What’s Important Source: http://www.triplepundit.com/2011/01/what-everyone-wants-to-know-about-behavior-change/ “What gets measured, gets managed” – Peter Drucker
- 19. 19 Incident Response 60 60 10 20 0 10 20 30 40 50 60 70 Vendor Client Before After Reporting results measuring to the business
- 20. 20 Plan of Action Assess • Identify key business risk via red team which support competitive advantage • Determine vital behaviors to address for business and personal impact Baseline • Collect data early to illustrate risk to business from attack tactics • Perform financial analysis on current business impact for executive buy-in Identify • Identify target employees and blue team members • Identify appropriate awareness modules for program supporting business Policy • Working with key stakeholders to create governance and AUP • Meet compliance, but strive to change behavior and support business IRP • Form incident response procedures (involving help desk and IRP teams) • Simple process to track and report on effectiveness supporting business
- 21. 21 Next Steps – Summary
- 22. 22 Key Takeaways Collaborate Identify Respond Overt Not Covert Break Then Fix
- 23. THANK YOU!
