0Day to HeroDay
Surviving an Attack and Establishing a Security Organization
Ryan Wisniewski
Principal Security Consultant
Active Defense, LLC
March 30, 2019
©2018 Active Defense, LLC. All rights reserved
SECURITY IMPLEMENTATION TALKS: AN ACTIVE DEFENSE SERIES
Starting from Scratch
0Day to HeroDay
Starting from Basic IT Implementations
Scrapping for Pennies
Maturing to a Scalable Operation
Scaling the Mountain
https://www.slideshare.net/RyanWisniewski
THESE ARE REAL LIFE SITUATIONS
Small Business
Schools
Charities
=
Underfunded IT…
Non-existent security
UPDATE: THESE ARE REAL LIFE SITUATIONS!!!!!!
NotPetya: the result was more than $10 billion in total damages
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
UPDATE: THESE ARE REAL LIFE SITUATIONS!!!!!!
https://twitter.com/vfemail
Let’s take a hypothetical situation…
INCIDENT RESPONSE?
DISASTER RECOVERY?
SYSTEM DOCUMENTATION? CAN ANYONE TELL ME HOW THESE SYSTEMS WERE BUILT?
HOLD MY BEER…
LESSON 1: RECOVERY FROM SCORCHED EARTH
“Slow is Smooth, Smooth is Fast” - U.S. Navy SEALs
“Embrace the Suck” - U.S. Marines
STEP 0: BREATHE
STEP 0.1: CALL FOR ASSISTANCE (LEGAL, INCIDENT RESPONSE)
STEP 1: STABILIZE THE PATIENT
What do we know? How do we stop this from getting worse? Will our actions make it worse?
WHAT DO WE KNOW? – NORMAL STATE
(Network diagram, normal state: Internet, Cloud, Clients, Legacy Windows, IBM ERP)
WHAT DO WE KNOW? – IMPACTED STATE
(Network diagram, impacted state: some clients impacted and spreading across a flat network; C2 and malicious traffic crossing the Internet edge; all Windows hosts impacted; the Cloud and the IBM ERP seem OK)
HOW DO WE STOP IT FROM GETTING WORSE?
LIST YOUR CONTAINMENT ACTIONS
- Disconnect Internet?
- Disable users?
- Disconnect the cloud?
- Find the malware?
- Power down servers?
- Disconnect ERP and B2B?
(Network diagram: Internet, Cloud, Clients, Legacy Windows, IBM ERP)
ARE WE MAKING IT WORSE?
LIST NEGATIVE OUTCOMES
- Disconnect Internet? No business transactions
- Disable users? No one working
- Disconnect the cloud? No business transactions
- Find the malware? May take a while
- Power down servers? Corrupt transactions
- Disconnect ERP and B2B? No business transactions
EXECUTE
ISOLATED AREAS OF INVESTIGATION AND RECOVERY
1. DISABLE ROUTING
2. DISABLE DOMAIN ACCOUNTS
3. SEND PEOPLE HOME
4. GET MANAGEMENT TO FIGURE OUT BCP
START CLOCK! THE BUSINESS IS DOWN!
STEP 2: ASSESS AND PLAN
How bad is it? What is broken? What do we need to fix? What do we do first?
WHAT IS BROKEN?
EVERYTHING!!!!!! ALL SYSTEMS DOWN!!!! NO TECHNOLOGY!!!!!!!! NO EMAIL, NO INTERNET, NO PHONES!!!
WHAT DO WE NEED TO DO TO STAY IN BUSINESS?
WHAT DO WE NEED TO DO TO STAY IN BUSINESS?
TAKE ORDERS, MAKE PRODUCT, SHIP PRODUCT, PAY BILLS, RECEIVE PAYMENTS
HOW DO WE DO THOSE THINGS?
ANY INFORMATION IS GOOD INFORMATION
PROTIP: START DRAWING ON A WHITEBOARD AND PLACE ALL INFO WHERE IT RELATES
System doc, floppy disks, microfiche, network logs, paper copies, audit records, hand notes, SIEM logs, Nmap scans, system configs, ISP configs, DB tables, stone tablets
FIND EVERY SYSTEM NEEDED TO PERFORM CRITICAL FUNCTIONS
CREATE A FUNCTIONALITY MATRIX FOR CRITICAL PROCESSES
Critical Function | System Name | Scanned with IoC? | Affected/Infected? | System Restored? | Data Restored? | Tested in Quarantine? | Moved to New Prod? | Function Restored?
Take Orders | SYSERP1 | Yes | No | N/A | N/A | Yes | Yes | No
Take Orders | SYSEDI1 | Yes | Affected | Yes | N/A | No | No | No
Take Orders | SYSODB1 | Yes | Infected | No | No | No | No | No
Take Orders | SYSMAIL | Yes | Infected | No | No | No | No | No
Take Orders | SYSPHNE | No | ? | No | No | No | No | No
Take Orders | … | … | … | … | … | … | … | …
… | … | … | … | … | … | … | … | …
PROTIP: USE COLORS TO SEE WHAT IS NOT DONE
PROTIP: PUT THIS ON A TV OR PROJECTOR
HOW DO WE RESTORE SAFELY?
(Diagram: the backup system and the affected systems sit on the old network; the IBM ERP is unaffected; systems are verified in quarantine, and restored systems move to the new network)
BACKUP SYSTEM ALSO IMPACTED!
(Same diagram, with the backup system now among the affected systems)
RESTORE FROM TAPE
1. Build new backup system
2. Rebuild backup catalog from tape
(Same diagram: affected systems, unaffected IBM ERP, backup system, quarantine for verified systems, new network for restored systems)
HOW DO WE RESTORE SAFELY?
NEW NETWORK
- Out-of-band, air-gapped network
- Monitor for IOAs and IOCs
- Verify clean system and data
HOW DO WE RESTORE SAFELY?
New Network controls:
- SIEM
- App Aware Firewall
- IR Toolkit (GRR)
- Proxy Filter
- Network Segmentation
- MFA (RSA)
- Patch Managers (WSUS)
- Vulnerability Scanner
- Email Protection
- New Authentication (AD)
DEFINE A POINT OF BEING DONE
How much longer can you keep the business down? Can you perform critical functions? How much more can you do without any sleep?
PROTIP: DEFINE THESE CONDITIONS AHEAD OF TIME
MISCELLANEOUS TIPS
- Ensure Secure Out of Band Communications
- 3-2-1: 3 Hours of Sleep, 2 Meals, 1 Shower, Per Day
- Assign a War Room Manager
- Save Everything!
LESSON 2: BUILDING A SECURITY ORGANIZATION
HOW DO I NEVER DO THAT AGAIN?
WHERE ARE WE WEAK?
HOW DO WE PRIORITIZE?
GAP ANALYSIS
Where are we? Where do we want to be? How do we get there?
WHERE DO WE WANT TO BE?
https://activedefenseus.files.wordpress.com/2018/05/strong-controls-framerwork.pdf
WHERE ARE WE?
CAPABILITY MATURITY MODEL
WHERE DO WE WANT TO BE?
FOR EACH CONTROL CARD, IDENTIFY THE OPTIMAL LEVEL OF MATURITY
PROTIP: Not everything has to be Level 5 maturity. It will always be a risk-based decision on your environment.
ROADMAP ACTIVITIES TO GET THERE
Asset Management Program
- We implement a system to:
- Track assets in the environment, both physically and logically
- Manage acquisition, transfers, and disposition of all assets in the environment
- Facilitate documentation of the asset inventory to identify IDs, models, support dates, acquisition dates…
SECURITY PROJECT PORTFOLIO
Vulnerability Management, Identity and Access Management, Asset Management, Monitoring and Alerting, Incident Response, Disaster Recovery, Public Relations
WHAT DO WE DO FIRST?
THREAT MODEL!
THREAT MODEL
(Threat model diagram: Threats, Protection, Assets)
WHAT DO WE DO FIRST?
OPTION 1: LOSS EXPECTANCY
(Risk matrix: Impact on the vertical axis, $10k / $100k / $1m / $10m / $100m; Likelihood on the horizontal axis, 10% / 50% / 100%. Quadrants: "OK for now" where both impact and likelihood are low, "Need to Mitigate" where both are high, and "Tough Decisions" in the two remaining quadrants where one axis is high and the other low.)
WHAT DO WE DO FIRST?
OPTION 2: BANG FOR BUCK
(Matrix: Loss Expectancy on the vertical axis, $10k / $100k / $1m / $10m / $100m; Ease of Implementation on the horizontal axis, Very Difficult / Moderate Effort / Piece of Cake. Quadrants: "No-Brainers" for high loss expectancy and easy implementation, "Big Projects" for high loss expectancy and very difficult implementation, "When we have time" for low loss expectancy and easy implementation, "Don't Pursue" for low loss expectancy and very difficult implementation.)
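As an added worked example (editor's code, not from the deck), the two prioritization options above turned into a small script: it computes loss expectancy as impact times likelihood, places each risk in the Option 1 and Option 2 quadrants, and orders the project list. The quadrant boundaries ($1m, 50%, and "very difficult" versus everything else) and the sample risks are assumptions drawn from the incident the deck describes, not values from the slides.

```python
"""Worked example for the deck's two prioritization options:
Option 1 places each risk on an impact x likelihood matrix, Option 2 places
the resulting loss expectancy against ease of implementation."""
from dataclasses import dataclass

# Quadrant boundaries are editorial assumptions: the slides show the axis
# ticks ($10k..$100m, 10%/50%/100%, Very Difficult..Piece of Cake) but not
# where a given organization should draw the line.
IMPACT_HIGH = 1_000_000      # impact of $1m or more counts as high
LIKELIHOOD_HIGH = 0.5        # likelihood of 50% or more counts as likely
LOSS_HIGH = 1_000_000        # loss expectancy of $1m or more is worth a project

EASE_LEVELS = ("very difficult", "moderate effort", "piece of cake")

# Order in which the Option 2 quadrants get worked, top first.
QUADRANT_RANK = {
    "No-Brainers": 0,
    "Big Projects": 1,
    "When we have time": 2,
    "Don't Pursue": 3,
}


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float        # dollar loss if the scenario happens
    likelihood: float    # probability in the planning period, 0.0 to 1.0
    ease: str            # one of EASE_LEVELS, for the mitigating project


def loss_expectancy(risk: Risk) -> float:
    """Option 1's number: impact multiplied by likelihood."""
    if not 0.0 <= risk.likelihood <= 1.0:
        raise ValueError(f"{risk.name}: likelihood must be between 0 and 1")
    return risk.impact * risk.likelihood


def option1_quadrant(risk: Risk) -> str:
    """Impact vs likelihood matrix from the 'Option 1: Loss Expectancy' slide."""
    high_impact = risk.impact >= IMPACT_HIGH
    likely = risk.likelihood >= LIKELIHOOD_HIGH
    if high_impact and likely:
        return "Need to Mitigate"
    if not high_impact and not likely:
        return "OK for now"
    return "Tough Decisions"   # one axis high, the other low


def option2_quadrant(risk: Risk) -> str:
    """Loss expectancy vs ease of implementation from the 'Bang for Buck' slide."""
    if risk.ease not in EASE_LEVELS:
        raise ValueError(f"{risk.name}: unknown ease {risk.ease!r}")
    costly = loss_expectancy(risk) >= LOSS_HIGH
    easy = risk.ease != "very difficult"   # moderate effort or piece of cake
    if costly and easy:
        return "No-Brainers"
    if costly:
        return "Big Projects"
    if easy:
        return "When we have time"
    return "Don't Pursue"


def prioritize(risks):
    """Project order: Option 2 quadrant first, then largest loss expectancy first."""
    return sorted(
        risks,
        key=lambda r: (QUADRANT_RANK[option2_quadrant(r)], -loss_expectancy(r)),
    )


def portfolio(risks):
    """Group risk names by Option 2 quadrant, in execution order within each."""
    groups = {name: [] for name in QUADRANT_RANK}
    for r in prioritize(risks):
        groups[option2_quadrant(r)].append(r.name)
    return groups


# Constructed sample drawn from the incident the deck describes; the dollar
# figures and probabilities are illustrative, not taken from the slides.
SAMPLE = [
    Risk("flat network lets malware reach every Windows host", 10_000_000, 1.0, "moderate effort"),
    Risk("backup system joined to the production domain", 10_000_000, 0.5, "piece of cake"),
    Risk("no MFA on remote access", 1_000_000, 0.5, "moderate effort"),
    Risk("no documentation for rebuilding systems", 100_000, 1.0, "piece of cake"),
    Risk("unpatchable legacy Windows hosts", 10_000_000, 0.1, "very difficult"),
    Risk("aging phone system outage", 10_000, 0.1, "very difficult"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f"{option2_quadrant(r):18} ${loss_expectancy(r):>12,.0f}  "
              f"[{option1_quadrant(r)}] {r.name}")
```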
EXECUTE!
- Obtain resourcing to complete projects
- Obtain budget funding for new implementations
- Govern progress on the project portfolio
- Reprioritize projects based on business change
- Continue your gap analysis
QUESTIONS?
@RY_WIZ
RYAN@ACTIVEDEFENSE.US
THANK YOU!

Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

0Day to HeroDay: Surviving an Attack and Establishing a Security Organization

  • 1. 0Day to HeroDay: Surviving an Attack and Establishing a Security Organization. Ryan Wisniewski, Principal Security Consultant, Active Defense, LLC. March 30, 2019. ©2018 Active Defense, LLC. All rights reserved
  • 2. SECURITY IMPLEMENTATION TALKS: AN ACTIVE DEFENSE SERIES. Starting from Scratch: 0Day to HeroDay. Starting from Basic IT Implementations: Scrapping for Pennies. Maturing to a Scalable Operation: Scaling the Mountain. https://www.slideshare.net/RyanWisniewski
  • 3. THESE ARE REAL LIFE SITUATIONS. Small Business, Schools, Charities = Underfunded IT… Non-existent security
  • 4. UPDATE: THESE ARE REAL LIFE SITUATIONS!!!!!! NotPetya: the result was more than $10 billion in total damages. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
  • 5. UPDATE: THESE ARE REAL LIFE SITUATIONS!!!!!! https://twitter.com/vfemail
  • 6. Let’s take a hypothetical situation…
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12. INCIDENT RESPONSE?
  • 13.
  • 14. DISASTER RECOVERY?
  • 15.
  • 16. SYSTEM DOCUMENTATION? CAN ANYONE TELL ME HOW THESE SYSTEMS WERE BUILT?
  • 17.
  • 18. HOLD MY BEER…
  • 19.
  • 20. LESSON 1: RECOVERY FROM SCORCHED EARTH
  • 21. STEP 0: BREATHE. “Slow is Smooth, Smooth is Fast” - U.S. Navy SEALs. “Embrace the Suck” - U.S. Marines
  • 22. STEP 0.1: CALL FOR ASSISTANCE: LEGAL, INCIDENT RESPONSE
  • 23. STEP 1: STABILIZE THE PATIENT. What do we know? How do we stop this from getting worse? Will our actions make it worse?
  • 24. WHAT DO WE KNOW? – NORMAL STATE (diagram: LEGACY WINDOWS, CLOUD, CLIENTS, IBM ERP, INTERNET)
  • 25. WHAT DO WE KNOW? – IMPACTED STATE (diagram labels: INTERNET; SOME CLIENTS IMPACTED; C2 TRAFFIC; MALICIOUS TRAFFIC; ALL WIN IMPACTED; CLIENTS SPREADING; SEEMS OK; SEEMS OK; LEGACY WINDOWS; IBM ERP; CLOUD; CLIENTS; FLAT NETWORK)
  • 26. HOW DO WE STOP IT FROM GETTING WORSE? LIST YOUR CONTAINMENT ACTIONS: DISCONNECT INTERNET? DISABLE USERS? DISCONNECT THE CLOUD? FIND THE MALWARE? POWER DOWN SERVERS? DISCONNECT ERP AND B2B? POWER DOWN SERVERS? (diagram: IBM ERP, INTERNET, CLOUD, CLIENTS, LEGACY WINDOWS)
  • 27. ARE WE MAKING IT WORSE? LIST NEGATIVE OUTCOMES. Actions: DISCONNECT INTERNET? DISABLE USERS? DISCONNECT THE CLOUD? FIND THE MALWARE? POWER DOWN SERVERS? DISCONNECT ERP AND B2B? POWER DOWN SERVERS? Outcomes: NO BUSINESS TRANSACTIONS; NO BUSINESS TRANSACTIONS; CORRUPT TRANSACTIONS; MAY TAKE AWHILE; NO ONE WORKING; NO BUSINESS TRANSACTIONS (diagram: IBM ERP, LEGACY WINDOWS, INTERNET, CLOUD, CLIENTS)
  • 28. EXECUTE. ISOLATED AREAS OF INVESTIGATION AND RECOVERY. 1. DISABLE ROUTING 2. DISABLE DOMAIN ACCOUNTS 3. SEND PEOPLE HOME 4. GET MANAGEMENT TO FIGURE OUT BCP
  • 29. START CLOCK! THE BUSINESS IS DOWN!
  • 30. STEP 2: ASSESS AND PLAN. HOW BAD IS IT? WHAT IS BROKEN? WHAT DO WE NEED TO FIX? WHAT DO WE DO FIRST?
  • 31. WHAT IS BROKEN?
  • 32. EVERYTHING!!!!!! ALL SYSTEMS DOWN!!!! NO TECHNOLOGY!!!!!!!! NO EMAIL, NO INTERNET, NO PHONES!!!
  • 33.
  • 34. WHAT DO WE NEED TO DO TO STAY IN BUSINESS?
  • 35. WHAT DO WE NEED TO DO TO STAY IN BUSINESS? TAKE ORDERS, MAKE PRODUCT, SHIP PRODUCT, PAY BILLS, RECEIVE PAYMENTS
  • 36. HOW DO WE DO THOSE THINGS?
  • 37. FIND EVERY SYSTEM NEEDED TO PERFORM CRITICAL FUNCTIONS. ANY INFORMATION IS GOOD INFORMATION: System doc, Floppy disks, Microfiche, Network logs, Paper copies, Audit Records, Hand notes, SIEM logs, Nmap scans, System configs, ISP configs, DB Tables, Stone Tablets. PROTIP: START DRAWING ON A WHITEBOARD AND PLACE ALL INFO WHERE IT RELATES
  • 38.
  • 39.
  • 40. CREATE A FUNCTIONALITY MATRIX FOR CRITICAL PROCESSES
       Critical Function | System Name | Scanned with IoC? | Affected/Infected? | System Restored? | Data Restored? | Tested in Quarantine? | Moved to New Prod? | Function Restored?
       Take Orders | SYSERP1 | Yes | No | N/A | N/A | Yes | Yes | No
       Take Orders | SYSEDI1 | Yes | Affected | Yes | N/A | No | No | No
       Take Orders | SYSODB1 | Yes | Infected | No | No | No | No | No
       Take Orders | SYSMAIL | Yes | Infected | No | No | No | No | No
       Take Orders | SYSPHNE | No | ? | No | No | No | No | No
       Take Orders | … | … | … | … | … | … | … | …
       … | … | … | … | … | … | … | … | …
       PROTIP: USE COLORS TO SEE WHAT IS NOT DONE. PROTIP: PUT THIS ON A TV OR PROJECTOR
  • 41. HOW DO WE RESTORE SAFELY? (diagram: BACKUP SYSTEM, AFFECTED SYSTEMS, UNAFFECTED IBM ERP, QUARANTINE, VERIFIED SYSTEMS, RESTORED SYSTEMS, NEW NETWORK)
  • 42. BACKUP SYSTEM ALSO IMPACTED! (diagram: BACKUP SYSTEM, AFFECTED SYSTEMS, UNAFFECTED IBM ERP, QUARANTINE, VERIFIED SYSTEMS, RESTORED SYSTEMS, NEW NETWORK)
  • 43.
  • 44. RESTORE FROM TAPE. 1. Build new backup system 2. Rebuild backup catalog from tape (diagram: BACKUP SYSTEM, AFFECTED SYSTEMS, UNAFFECTED IBM ERP, QUARANTINE, VERIFIED SYSTEMS, RESTORED SYSTEMS, NEW NETWORK)
  • 45. HOW DO WE RESTORE SAFELY? (diagram: BACKUP SYSTEM, AFFECTED SYSTEMS, UNAFFECTED IBM ERP, QUARANTINE, VERIFIED SYSTEMS, RESTORED SYSTEMS, NEW NETWORK) - Out-of-band, air-gapped network - Monitor for IOAs and IOCs - Verify clean system and data
  • 46. HOW DO WE RESTORE SAFELY? (diagram: BACKUP SYSTEM, AFFECTED SYSTEMS, UNAFFECTED IBM ERP, QUARANTINE, VERIFIED SYSTEMS, RESTORED SYSTEMS, NEW NETWORK)
  • 47. HOW DO WE RESTORE SAFELY? New Network > SIEM, App Aware Firewall, GRR IR Toolkit, Proxy Filter, Network Segmentation, RSA MFA, WSUS Patch Managers, Q Vulnerability Scanner, Email Protection, AD New Authentication
  • 48. DEFINE A POINT OF BEING DONE. How much longer can you keep the business down? Can you perform critical functions? How much more can you do without any sleep? PROTIP: DEFINE THESE CONDITIONS AHEAD OF TIME
  • 49. MISCELLANEOUS TIPS. Ensure Secure Out of Band Communications. 3-2-1: 3 Hours of Sleep, 2 Meals, 1 Shower Per Day. Assign a War Room Manager. Save Everything!
  • 50. LESSON 2: BUILDING A SECURITY ORGANIZATION
  • 51. HOW DO I NEVER DO THAT AGAIN?
  • 52. WHERE ARE WE WEAK? HOW DO WE PRIORITIZE?
  • 53. GAP ANALYSIS. Where are we? Where do we want to be? How do we get there?
  • 54. WHERE DO WE WANT TO BE?
  • 56. WHERE ARE WE? CAPABILITY MATURITY MODEL
  • 57. WHERE DO WE WANT TO BE? FOR EACH CONTROL CARD, IDENTIFY THE OPTIMAL LEVEL OF MATURITY. PROTIP: Not everything has to be Level 5 maturity. It will always be a risk-based decision on your environment.
  • 58. ROADMAP ACTIVITIES TO GET THERE. Asset Management Program - We implement a system to: - Track assets in the environment, both physically and logically - Manage acquisition, transfers, and disposition of all assets in the environment - Facilitate documentation of the asset inventory to identify IDs, models, support dates, acquisition dates…
  • 59. SECURITY PROJECT PORTFOLIO: Vulnerability Management, Identity and Access Management, Asset Management, Monitoring and Alerting, Incident Response, Disaster Recovery, Public Relations
  • 60. WHAT DO WE DO FIRST? THREAT MODEL!
  • 61. THREAT MODEL
  • 62. THREAT MODEL
  • 63.
  • 64. THREATS, PROTECTION, ASSETS
  • 65. WHAT DO WE DO FIRST? OPTION 1: LOSS EXPECTANCY (grid: IMPACT $10k, $100k, $1m, $10m, $100m vs. LIKELIHOOD 10%, 50%, 100%)
  • 66. WHAT DO WE DO FIRST? OPTION 1: LOSS EXPECTANCY (grid: IMPACT $10k, $100k, $1m, $10m, $100m vs. LIKELIHOOD 10%, 50%, 100%; regions: OK for now, Need to Mitigate, Tough Decisions, Tough Decisions)
  • 67. WHAT DO WE DO FIRST? OPTION 2: BANG FOR BUCK (grid: LOSS EXPECTANCY $10k, $100k, $1m, $10m, $100m vs. EASE OF IMPLEMENTATION Very Difficult, Moderate Effort, Piece of Cake)
  • 68. WHAT DO WE DO FIRST? OPTION 2: BANG FOR BUCK (grid: LOSS EXPECTANCY $10k, $100k, $1m, $10m, $100m vs. EASE OF IMPLEMENTATION Very Difficult, Moderate Effort, Piece of Cake; regions: No-Brainers, Big Projects, When we have time, Don't Pursue)
  • 69. EXECUTE! Obtain resourcing to complete projects. Obtain budget funding for new implementations. Govern progress on the project portfolio. Reprioritize projects based on business change. Continue your gap analysis.
  • 70. QUESTIONS? @RY_WIZ RYAN@ACTIVEDEFENSE.US THANK YOU!
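The functionality matrix of slide 40 and the quarantine-then-new-network restore flow of slides 41 to 47, as an added example that is not code from the talk: the rows below are the slide's "Take Orders" systems, the gating rules encode the diagram (nothing enters the new network unscanned or untested), and the colour and per-function roll-up are the slide's own protips; the N/A-to-None mapping and the action wording are my assumptions.

```python
"""Functionality-matrix tracker for a critical process (added example).
Cell values: True/False, None for N/A, and "?" where the slide shows "?"."""

# Rows constructed from the slide-40 "Take Orders" table (N/A -> None).
MATRIX = [
    # function, system, scanned, state, sys_restored, data_restored, tested_q, moved
    ("Take Orders", "SYSERP1", True,  "no",       None,  None,  True,  True),
    ("Take Orders", "SYSEDI1", True,  "affected", True,  None,  False, False),
    ("Take Orders", "SYSODB1", True,  "infected", False, False, False, False),
    ("Take Orders", "SYSMAIL", True,  "infected", False, False, False, False),
    ("Take Orders", "SYSPHNE", False, "?",        False, False, False, False),
]
FIELDS = ("function", "system", "scanned", "state", "system_restored",
          "data_restored", "tested_in_quarantine", "moved_to_new_prod")

def rows():
    return [dict(zip(FIELDS, r)) for r in MATRIX]

def violations(row):
    """Gating rules from the restore diagram: a system reaches the new network
    only after an IoC scan and a quarantine test, and an affected or infected
    system is not tested until it has been restored."""
    problems = []
    if row["moved_to_new_prod"] and not (row["scanned"] and row["tested_in_quarantine"]):
        problems.append("moved to new prod without scan + quarantine test")
    if (row["state"] in ("affected", "infected") and row["tested_in_quarantine"]
            and not row["system_restored"]):
        problems.append("tested before system restore")
    return problems

def next_action(row):
    """Next step for one system, in the order the diagram prescribes."""
    if not row["scanned"]:
        return "scan with IoCs"
    if row["state"] == "?":
        return "classify affected/infected from scan"
    if row["state"] in ("affected", "infected"):
        if not row["system_restored"]:
            return "restore system (rebuild backup catalog from tape if needed)"
        if row["data_restored"] is False:
            return "restore data"
    if not row["tested_in_quarantine"]:
        return "test in air-gapped quarantine, monitor for IOAs/IOCs"
    if not row["moved_to_new_prod"]:
        return "move to new network"
    return "done"

def color(row):
    """Slide-40 protip: colour rows so undone work stands out (assumed scheme)."""
    if next_action(row) == "done":
        return "green"
    return "red" if row["state"] in ("infected", "?") else "yellow"

def function_status(matrix):
    """A critical function is restored only when every system behind it is done."""
    status = {}
    for row in matrix:
        done = next_action(row) == "done"
        status[row["function"]] = status.get(row["function"], True) and done
    return status

if __name__ == "__main__":
    for row in rows():
        print(f'{row["system"]:8} {color(row):6} {next_action(row)}', violations(row))
    print(function_status(rows()))   # {'Take Orders': False}, as on the slide
```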
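The two prioritisation grids of slides 65 to 68 worked in code, as an added example that is not the talk's own: loss expectancy is impact times likelihood (Option 1) and is then plotted against ease of implementation (Option 2). The axis values and region names come from the slides; the cut-offs that separate the regions, and the sample figures for the slide-59 portfolio projects, are my assumptions.

```python
"""Risk prioritisation from the slide-65..68 grids (added example)."""

# Axis values exactly as drawn on the slides.
IMPACT_AXIS = (10_000, 100_000, 1_000_000, 10_000_000, 100_000_000)
LIKELIHOOD_AXIS = (0.10, 0.50, 1.00)
EASE = {"Very Difficult": 0, "Moderate Effort": 1, "Piece of Cake": 2}

# Order in which Option 2 regions get worked; "Don't Pursue" is last by design.
REGION_RANK = {"No-Brainers": 0, "Big Projects": 1, "When we have time": 2, "Don't Pursue": 3}

def loss_expectancy(impact, likelihood):
    """Option 1: expected loss in dollars (rounded to whole dollars)."""
    return round(impact * likelihood)

def option1_region(impact, likelihood, high_impact=1_000_000, high_likelihood=0.5):
    """Slide-66 regions. Assumed cut-offs: impact >= $1m and likelihood >= 50% are 'high';
    the two mixed quadrants are both 'Tough Decisions', as on the slide."""
    hi_i, hi_l = impact >= high_impact, likelihood >= high_likelihood
    if hi_i and hi_l:
        return "Need to Mitigate"
    if not hi_i and not hi_l:
        return "OK for now"
    return "Tough Decisions"

def option2_region(le, ease, high_le=1_000_000):
    """Slide-68 regions. Assumed cut-offs: loss expectancy >= $1m is 'high';
    Moderate Effort and Piece of Cake count as easy enough."""
    easy = EASE[ease] >= 1
    if le >= high_le:
        return "No-Brainers" if easy else "Big Projects"
    return "When we have time" if easy else "Don't Pursue"

def classify(risk):
    le = loss_expectancy(risk["impact"], risk["likelihood"])
    return {"project": risk["project"], "loss_expectancy": le,
            "option1": option1_region(risk["impact"], risk["likelihood"]),
            "option2": option2_region(le, risk["ease"])}

def prioritize(risks):
    """Project order: Option 2 region first, then highest loss expectancy."""
    ranked = sorted((classify(r) for r in risks),
                    key=lambda c: (REGION_RANK[c["option2"]], -c["loss_expectancy"]))
    return [c["project"] for c in ranked]

# Constructed sample figures; project names are the slide-59 portfolio.
RISKS = [
    {"project": "Disaster Recovery", "impact": 10_000_000, "likelihood": 0.50, "ease": "Moderate Effort"},
    {"project": "Vulnerability Management", "impact": 1_000_000, "likelihood": 1.00, "ease": "Piece of Cake"},
    {"project": "Identity and Access Management", "impact": 10_000_000, "likelihood": 0.10, "ease": "Very Difficult"},
    {"project": "Asset Management", "impact": 100_000, "likelihood": 0.50, "ease": "Moderate Effort"},
    {"project": "Public Relations", "impact": 100_000, "likelihood": 0.10, "ease": "Very Difficult"},
]

if __name__ == "__main__":
    for c in map(classify, RISKS):
        print(f'{c["project"]:32} LE=${c["loss_expectancy"]:>10,} {c["option1"]:17} {c["option2"]}')
    print(prioritize(RISKS))
```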