BSides Delhi 2018: Securing Supply Chain- A Risk Based Assessment Framework

•

0 likes•140 views

Presenter: Prithvinder Singh & Prashanth Sulegaon Abstract: What is supply chain security? Supply Chain is a system of organizations, people, process, information, technology and resources involved in moving a product or service from a supplier to the intended customer. An unsecured supply chain can introduce great risk to any organization and if vendors, solutions or hardware aren’t properly vetted, it can lead to huge data loss. Why is it required? An unsecured supply chain can introduce great risk to an organization. If vendor aren’t properly vetted, or if we purchase software that does not meet our security standards, we can lose data. These days several companies have had data breaches that allowed hundreds of millions of customer records to be compromised. On average, it takes 229 days after a breach for it to be detected. Often, these breaches were caused by a vulnerability in third-party software or services being exploited, costing companies tens of millions of dollars and damaging customers’ confidence. In this Session: Everyone knows, 3rd party softwares bring lot of risk to an organization. However does traditional vetting of supplier solutions work? Will it really reduce the risk? can we perform effective assessments? Is it scalable? Can we do continuous monitoring? In this session we will talk about what are the risks currently associated with the 3rd Party Softwares and how to surface them for effective risk reduction. This session will focus on securing supply chain using risk based 3rd party framework which encompasses integration of multiple security checkpoints at various stages of solution life cycle We will talk about: * Supply Chain Universe * Current challenges in Supply Chain Security * Secure life-cycle of 3rd party software from on-boarding till termination. * Supplier Risk Profiling * Point in time vs Continuous Assurance

Technology

Speakers:
Prithvinder Singh & Prashanth Sulegaon
Securing Supply Chain –
A Risk Based Assessment Framework
#BSidesDelhi2018

What is Supply Chain?
Software
Supply Chain
Source/
Dependencies
Build Systems/
Engineers
Application
Repo
Deployed
System
Network
Traditional
Supply Chain
#BSidesDelhi2018

WHY IS SUPPLY CHAIN “SECURITY” IMPORTANT?
#Besides2018
#BSidesDelhi2018

Breaches due to 3rd party solutions
#BSidesDelhi2018

AT LEAST
56%of organizations have had a breach that was
caused by one of their vendors 49
56
2016 2017
TrendYoY
On Average, U.S Companies Pay
$7,350,000PER BREACH IN FINES, REMEDIATION COSTS AND LOSS OF CUSTOMERS - UP 10%
#BSidesDelhi2018Source- https://www.opus.com/ponemon/

57%
Don’t have
an inventory of 3rd parties with
which they share sensitive
information
JUST
17%
feel they’re highly
effective at
mitigating third-party
risks
60%
Feel
Unprepared to
tackle the
underlying risk
COMPANIES LACKVISIBILITY INTO
THE SECURITY PRACTICES OFTHIRD
PARTIES, BUT CONTINUETO SHARE
DATA
#BSidesDelhi2018Source- https://www.opus.com/ponemon/

HOW TO ADDRESS THIS PROBLEM?
#BSidesDelhi2018

Supply Chain Universe
Solutions
- SaaS
- COTS
- Desktop
Services
- Hardware
- Consulting
- Staffing
Supply Chain Universe
Factory
-Testing
- Manufacturing
Offshore
Facility
#BSidesDelhi2018

Types of Solutions
SaaS /Third Party
Hosted solutions
COTS / Server Software /
On-prem solutions
Desktop / Client Only /
Stand Alone solutions
Hybrid Solutions / IoT /
SMART device solutions
Open Source / Freeware
solutions
#BSidesDelhi2018

Challenges
Inventory- No single source of truth
Coverage – Breadth vs Depth
Limited Resources/Skills
Focus on Risk driven decision
Ineffective use of contracts
#BSidesDelhi2018

“PRIORITIZATION” IS THE KEY
#BSidesDelhi2018

Key Risk Indicators
Spend
Data Storage
Data Sensitivity
Critical Systems
GDPR
Connectivity
External Endpoints
PII
User Count
HighRiskEnvironments
Compliance
Instance Count
#BSidesDelhi2018

Prioritization Model
P0
P1
P2
Deep
Dive
Baseline
Monitor
&
Respond
Rejected Apps
• Cloud Storage
• External Endpoint
• Corp Connected
• Connectivity product (router/FW)
• Spend
• Internet connected
• On Prem data
• High use apps / user count
• Non-Corp connected
• Data Migration tools
• Standalone apps
• Peripherals
Risk
#BSidesDelhi2018

P2
• Operational Controls
P1
• Attestation
• Threat Model Review
• Static Analysis
• Dynamic Analysis
• Industry Certifications
• Operational Controls
P0
• Attestation
• Pen-testing
• Threat Model Review
• Static Analysis
• Dynamic Analysis
• Red Team Pen Test
• Manual Code Review
(if available)
• Host Configurations
• Industry Certifications
• Operational Controls
#BSidesDelhi2018

Point-in-Time vs Continuous Assurance
Monitoring
Reassurance
Assessments
[Point inTime]
• Architecture Review
• Manual/ Automated Pen-test
• Control/Configuration Review
• Vendor Attestation
• Continuous Scanning
• Risk Profiling
• Remediation
• Re-assessment based on the
Risk
#BSidesDelhi2018

Key areas to focus
• Identify the key gaps in your supply chain program
• Adopt or create your own risk based framework for your entire supply chain
• Apply Risk based prioritization model per your org needs to ensure critical risks are addressed first
• Review your contracts language
• Move your program from point in time to continuous monitoring
• Define KPIs which are impactful and tell the story of your program
#BSidesDelhi2018

What's hot

Cybersecurity's Impact on Innovation

Silicon Valley Bank

New fraud protection solutions

Laurent Pacalin

Stop wire fraud aug 2016

Laurent Pacalin

2018 U.S State of Cybercrime

IDG

New Requirements of Fraud Prevention

Guardian Analytics

2018 Global State of Information Security Survey

IDG

State of the CIO 2018 Infographic

IDG

Security in the Hybrid Cloud Now and in 2016

IDG Connect

Serious Games for Cyber Security - The Human Factor

Patrick Bartl

2018 IDG Customer Engagement Study

IDG

2020 Vision: Where Is IT headed for Midmarket and Small Business?

Insight

In a survey of U.S. technology and healthcare executives nationwide, Silicon Valley Bank found that companies believe cyber attacks are a serious threat to both their data and their business continuity. Highlights - 98% are maintaining or increasing resources devoted to cyber security - 50% are increasing their cyber security resources, preparing for when, not if, cyber attacks occur - Just 35% are completely or very confident in the security of their company information, and only 16% feel the same about their business partners

SVB Cybersecurity Impact on Innovation Report - Overview

Silicon Valley Bank

SVB Cybersecurity Impact on Innovation Report

Silicon Valley Bank

Ins and outs of ObserveIT

ObserveIT

HIPAA Audits: The Dos and Don'ts

PYA, P.C.

Security Regulations & Guidelines: Is Your Business on the Path to Compliance?

Blancco

Chapter 19 regulatory irb validation

Quan Risk

New! Omni-Channel Fraud Prevention

Guardian Analytics

Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)

Fujitsu Middle East

There is an old management adage that says “You can’t manage what you don’t measure.” The Building Security in Maturity Model (BSIMM) applies scientific principles to the field of software security to effectively measure security activities across industries and business units. The BSIMM enables experts like you to discover what exists in the application security universe, how those things work today, how they worked in the past and how they are likely to work in the future.

BSIMM: Bringing Science to Software Security

Cigital

What's hot (20)

Cybersecurity's Impact on Innovation

New fraud protection solutions

Stop wire fraud aug 2016

2018 U.S State of Cybercrime

New Requirements of Fraud Prevention

2018 Global State of Information Security Survey

State of the CIO 2018 Infographic

Security in the Hybrid Cloud Now and in 2016

Serious Games for Cyber Security - The Human Factor

2018 IDG Customer Engagement Study

2020 Vision: Where Is IT headed for Midmarket and Small Business?

SVB Cybersecurity Impact on Innovation Report - Overview

SVB Cybersecurity Impact on Innovation Report

Ins and outs of ObserveIT

HIPAA Audits: The Dos and Don'ts

Security Regulations & Guidelines: Is Your Business on the Path to Compliance?

Chapter 19 regulatory irb validation

New! Omni-Channel Fraud Prevention

Radical Innovation In Security (New Techniques Applied To Tomorrow’s Risk)

BSIMM: Bringing Science to Software Security

Similar to BSides Delhi 2018: Securing Supply Chain- A Risk Based Assessment Framework

SecureAuth and special guest Forrester Research discuss the trends and strategies that will help you boost security and protect your organization from access threats. In this session, you will hear from Forrester's Andras Cser as he shares the top 5 information security and access control trends to watch for in 2016 and how they will impact your organization. Additionally, Keith Graham, CTO from SecureAuth, will present effective strategies to stay ahead of these trends and protect against advanced cyber attacks with adaptive authentication.

What to Expect in 2016: Top 5 Predictions for Security and Access Control

SecureAuth

G05.2013 gartner top security trends

Satya Harish

The Verizon 2017 Data Breach Investigations Report findings relate specifically to the occurrence (likelihood) of security breaches leading to data compromise. The information, provided in aggregate, is filtered in many ways to make it relevant to you (e.g., by industry, actor motive). It is a piece of the information security puzzle—an awesome corner piece that can get you started—but just a piece nonetheless. This session will discuss the new targets that are identified and some solutions

Learning from Verizon 2017 Data Breach Investigations Report – The New Targets

Ulf Mattsson

Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...

Outpost24

Malware infiltration, spear phishing, data breaches...these are all terrifying words with even more frightening implications. These threats are hitting the technology world fast and hard and can no longer be ignored. The first step to defending yourself against a cyber attack is being proactive in settling the SCORE. Know your risks before it’s too late. Ask us about our SCORE report - a high level IT risk assessment, designed to help you focus on your company's potential IT exposures: http://www.lgcd.com/contact/

Emerging Trends in Information Privacy and Security

Jessica Santamaria

Emerging Trends in Information Privacy and Security

Jessica Santamaria

Today’s security professionals and software developers not only have to do more in less time; they have to do it securely. This means mitigating risk and addressing compliance requirements in an environment where: • The threat landscape continues to evolve. • Application portfolios and their risk profiles continue to shift. • Security tools are difficult to deploy, configure, and integrate into workflows. • Consumption models continue to change. How can your internal resources keep pace in this dynamic environment? Managed application security testing can be just the relief valve your organization needs. In this webinar, we’ll discuss the need for managed application security testing, the sweet spots where it offers maximum value, what you should look for in a managed application security testing provider, and highlights from Synopsys’ Managed Services offering. Today’s security professionals and software developers not only have to do more in less time; they have to do it securely. This means mitigating risk and addressing compliance requirements in an environment where: • The threat landscape continues to evolve. • Application portfolios and their risk profiles continue to shift. • Security tools are difficult to deploy, configure, and integrate into workflows. • Consumption models continue to change. How can your internal resources keep pace in this dynamic environment? Managed application security testing can be just the relief valve your organization needs. In this webinar, we’ll discuss the need for managed application security testing, the sweet spots where it offers maximum value, what you should look for in a managed application security testing provider, and highlights from Synopsys’ Managed Services offering. For more information, please visit our website at https://www.synopsys.com/software-integrity/managed-services.html

Webinar–Best Practices for DevSecOps at Scale

Synopsys Software Integrity Group

Integrated Security for Software Development and Advanced Penetration Testing...

Symptai Consulting Limited

Financial Analytics pafp 11-21-13

gristak

Companies going through digital transformation initiatives need their IT organizations to support an increased business tempo. While DevOps practices have helped IT increase their pace to keep up with market dynamics, security teams still need to follow suit. InfoSec practitioners must modernize their practices to realize efficiencies in some of their most burdensome processes, like patching, credential management, and compliance. By embracing a ‘secure by default’ posture security teams can position themselves as enabling innovation rather than hindering it. Join Pivotal’s Justin Smith and guest speaker, Fernando Montenegro from 451 Research, in a conversation about how security can enable innovation while maintaining best security practices. They will examine best practices and cultural shifts that are required to be secure by default, as well as the role processes and platforms play in this transition. SPEAKERS: Guest Speaker: Fernando Montenegro, Senior Analyst, Information Security, 451 Research Justin Smith, Chief Security Officer for Product, Pivotal Jared Ruckle, Product Marketing Manager, Pivotal

InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps

VMware Tanzu

Conférence CISCO ACSS 2018

African Cyber Security Summit

Security Blind Spots We need to automatically detect and report on security blind spots, including Sensitive Data that was not found in our initial Discovery and failures of deployed security control systems. Without formal and automated processes to detect and alert to new data discovery findings and critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data. This can also impact our real compliance posture.

How can i find my security blind spots ulf mattsson - aug 2016

Ulf Mattsson

According to the fourth annual Federal Cybersecurity Survey from SolarWinds and Market Connections, insider threats are the leading source of threats to federal agencies. Human error is one of the most common insider threats, followed by abuse of privileges, and theft. The increased sophistication of threats, volume of attacks, and end-user policy violations make agencies more vulnerable than ever. In this webinar, we discussed how implementing the right tools, as well as continuously monitoring systems and networks, can provide the data to make informed decisions and help agencies safeguard against insider threats, and quickly identify and fix vulnerabilities. During this webinar our presenters discussed: The 2017 SolarWinds Federal Cybersecurity Survey, and the top sources of threats How the right tools and technologies can provide IT infrastructure data to help safeguard against malicious and non-malicious internal threats, including: Utilizing fault, performance, and log management data to help ensure that devices are continuously monitored and operating correctly Leveraging configuration management to help prevent errors and reduce vulnerabilities How the implementation of Security Incident and Event Management (SIEM) tools can better equip agencies to quickly detect and respond to security threats and help to reduce vulnerability, including: Utilizing log data to detect malicious or out-of-policy actions, fine-tune firewall configurations, and monitor Active Directory® changes How to track devices and users on your network and maintain historic data for forensics

Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...

SolarWinds

As the internet has expanded and criminals have found more ways of creating revenue from stolen information, the need for digital threat intelligence management (DTIM) has increased. Without a means of early identification, companies that are being targeted have no way of knowing their customer’s or employee’s security is threatened or that their brand is being stolen, resulting in an erosion of reputation. DTIM is the early warning system to aid those organizations in identifying the infringements and thefts before severe damage is done. These slides--based on the webinar from leading IT analyst firm Enterprise Management Associates (EMA) and RiskIQ -- highlight why DTIM is a growing necessity for mid- and large-sized organizations.

Investing in Digital Threat Intelligence Management to Protect Your Assets ou...

Enterprise Management Associates

https://www.brighttalk.com/webcast/14723/234829?utm_source=Compliance+Engineering&utm_medium=brighttalk&utm_campaign=234829 : With cyber attacks on the rise, securing your data is more imperative than ever. In future, organizations will face severe penalties if their data isn’t robustly secured. This will have a far reaching impact for how businesses deal with security in terms of managing their cyber risk. Join this presentation to learn the cyber security controls prescribed by regulation, how this impacts compliance, and how cyber risk management helps CISOs understand the degree these controls are in place and where to prioritize their cyber dollars and ensure they are not at risk for fines. Viewers will learn: - The latest cybercrime trends and targets - Trends in board involvement in cybersecurity - How to effectively manage the full range of enterprise risks - How to protect against ransomware - Visibility into third party risk - Data security metrics

Cyber Risk Management in 2017: Challenges & Recommendations

Ulf Mattsson

Threat Management, what it means, how Customers struggle with it, and your entry point for the discussion to be your Customer’s hero in solving their Threat Management problems. Even if you think you know what SIEM means, and especially if you don’t, this Webinar will educate you on the real world problem every Organization faces around Threat Management and the challenges with solutions. Esteemed experts from Cybraics, an industry leader in advanced Threat analytics, will walk us through the problem space, and clearly help you understand how they are differentiated in, and a disruption to, the Threat Management marketplace. Please have your questions ready for this dedicated time with Telarus VP of Biz DEV-Cybersecurity, Dominique Singer and Pete Nicoletti and Nate Grinnell of Cybraics, Inc

TIC-TOC: Disrupt the Threat Management Conversation with Dominique Singer and...

SaraPia5

Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation application security tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can: Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities. Auto verify, prioritize and triage vulnerability findings in real time with 100% confidence. Fully automate secure app delivery and deployment, without the need for extra security scans or processes. Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.

Bridging the Security Testing Gap in Your CI/CD Pipeline

DevOps.com

Secure DevOPS Implementation Guidance

Tej Luthra

Understanding Identity Management and Security.

Chinatu Uzuegbu

In the second webinar of this multi-part series, Building DevOps in the Enterprise, Jonah Kowall, VP of Market Development and Insights at AppDynamics, will present his thoughts and opinions on the current and future state of DevOps. Join Jonah as he explores best practices, concepts, and ideas to enable your enterprise DevOps. You’ll also learn about team management areas that are key for success, like developing ownership, trust, accountability, and how that culture is managed at scale while preserving team autonomy. Key takeaways: Organizational patterns: How to manage teams and foster culture to scale Legacy problems enterprises face: How to work faster despite legacy applications Microservices — Peak Hype: Examine the cycle on this hot trend, balanced with a reality check and raised expectations The Struggle of Bimodal IT: Which apps work best in a lower, yet more predictable and stable mode versus those which need fast iteration and experimentation API-Driven Architectures and Microservices: Learn to solve common DevOps challenges

Building DevOps in the enterprise: Transforming challenges into organizationa...

Jonah Kowall

Similar to BSides Delhi 2018: Securing Supply Chain- A Risk Based Assessment Framework (20)

What to Expect in 2016: Top 5 Predictions for Security and Access Control

G05.2013 gartner top security trends

Learning from Verizon 2017 Data Breach Investigations Report – The New Targets

Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...

Emerging Trends in Information Privacy and Security

Webinar–Best Practices for DevSecOps at Scale

Integrated Security for Software Development and Advanced Penetration Testing...

Financial Analytics pafp 11-21-13

InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps

Conférence CISCO ACSS 2018

How can i find my security blind spots ulf mattsson - aug 2016

Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...

Investing in Digital Threat Intelligence Management to Protect Your Assets ou...

Cyber Risk Management in 2017: Challenges & Recommendations

TIC-TOC: Disrupt the Threat Management Conversation with Dominique Singer and...

Bridging the Security Testing Gap in Your CI/CD Pipeline

Secure DevOPS Implementation Guidance

Understanding Identity Management and Security.

Building DevOps in the enterprise: Transforming challenges into organizationa...

Recently uploaded

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

2024 May Patch Tuesday

Ivanti

Generative AI refers to a class of machine learning algorithms that are designed to generate new data samples that are similar to those in the training data. Unlike traditional AI models that are trained to recognize patterns and make predictions, generative AI models have the ability to create entirely new data based on the patterns they have learned. This is achieved through techniques such as generative adversarial networks (GANs), variational autoencoders (VAEs), and transformer architectures, among others.

Generative AI Use Cases and Applications.pdf

alexjohnson7307

Introduction to FIDO Authentication and Passkeys.pptx

FIDO Alliance

الأمن السيبراني - ما لا يسع للمستخدم جهله

Mohamed Sweelam

(Explainable) Data-Centric AI: what are you explaininhg, and to whom?

Paolo Missier

State of the Smart Building Startup Landscape 2024!

Memoori

How to Check GPS Location with a Live Tracker in Pakistan

danishmna97

Simplifying Mobile A11y Presentation.pptx

MarkSteadman7

Webinar Recording: https://www.panagenda.com/webinars/alles-neu-macht-der-mai-wir-durchleuchten-den-verbesserten-notes-eigenschaftendialog/ Haben Sie sich schon einmal über den zu kleinen Eigenschaftendialog in Notes geärgert? Mussten Sie einen Agenten oder eine Aktion erstellen, um schnell mal ein Feld zu ändern? Haben Sie jedes mal endlos nach dem zu vergleichenden Feld gesucht, nachdem Sie ein neues Dokument ausgewählt haben? Wollten Sie das verdammte Ding einfach nur größer machen? Zum Glück gibt es dafür eine Lösung – und sie ist wahrscheinlich bereits installiert! Mit dem kostenlosen panagenda Document Properties (Pro) erhalten Sie den Eigenschaftendialog, den Sie schon immer haben wollten. Größer, anpassbar, und im Volltext durchsuchbar. Sehen Sie mehrere Dokumente gleichzeitig oder vergleichen Sie mit einem Diff-Viewer. Ändern Sie beliebige Felder und haben Sie endlich eine einfache Möglichkeit, Profildokumente für alle Benutzer zu verwalten. Entdecken Sie mit HCL Ambassador Marc Thomas, wie Document Properties Ihre Arbeit vereinfachen und Sie bei der täglichen Verwendung von Domino-Anwendungen unterstützen kann – im Client oder im Designer. Sie werden es nicht bereuen! Für Sie in diesem Webinar - Was Document Properties ist, welche Editionen es gibt und wo es in Notes und Domino Designer zu finden ist - Wie Sie nach einem beliebigen Feld suchen und es bearbeiten, Dokumente vergleichen oder alle Daten per CSV exportieren können - Suchen, Bearbeiten und auch Löschen von Profildokumenten - Welche Konfigurationseinstellungen verfügbar sind, um Funktionen anzupassen - Wie Ihre Endbenutzer davon profitieren - Sehen Sie alles in einer Live-Demo

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...

panagenda

Design and Development of a Provenance Capture Platform for Data Science

Paolo Missier

Explore the latest trends and insights on JavaScript usage with Pixlogix's informative blog. Discover key statistics and facts about JavaScript's role in web development, its popularity among developers, and its impact on modern websites. Stay updated with the evolving landscape of JavaScript frameworks and libraries, and learn how they're shaping the future of web development. Gain valuable insights to enhance your JavaScript skills and stay ahead in the digital realm.

JavaScript Usage Statistics 2024 - The Ultimate Guide

Pixlogix Infotech

Design Guidelines for Passkeys 2024.pptx

FIDO Alliance

Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots

Leah Henrickson

Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx

MasterG

Introduction to use of FHIR Documents in ABDM

Kumar Satyam

Working together SRE & Platform Engineering

Marcus Vechiato

Intro to Passkeys and the State of Passwordless.pptx

FIDO Alliance

Vector Search @ sw2con for slideshare.pptx

jbellis

ADP Passwordless Journey Case Study.pptx

FIDO Alliance

AI mind or machine power point presentation

yogeshlabana357357

Recently uploaded (20)

2024 May Patch Tuesday

Generative AI Use Cases and Applications.pdf

Introduction to FIDO Authentication and Passkeys.pptx

الأمن السيبراني - ما لا يسع للمستخدم جهله

(Explainable) Data-Centric AI: what are you explaininhg, and to whom?

State of the Smart Building Startup Landscape 2024!

How to Check GPS Location with a Live Tracker in Pakistan

Simplifying Mobile A11y Presentation.pptx

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...

Design and Development of a Provenance Capture Platform for Data Science

JavaScript Usage Statistics 2024 - The Ultimate Guide

Design Guidelines for Passkeys 2024.pptx

Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots

Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx

Introduction to use of FHIR Documents in ABDM

Working together SRE & Platform Engineering

Intro to Passkeys and the State of Passwordless.pptx

Vector Search @ sw2con for slideshare.pptx

ADP Passwordless Journey Case Study.pptx

AI mind or machine power point presentation

BSides Delhi 2018: Securing Supply Chain- A Risk Based Assessment Framework

1. Speakers: Prithvinder Singh & Prashanth Sulegaon Securing Supply Chain – A Risk Based Assessment Framework #BSidesDelhi2018

2. What is Supply Chain? Software Supply Chain Source/ Dependencies Build Systems/ Engineers Application Repo Deployed System Network Traditional Supply Chain #BSidesDelhi2018

3. WHY IS SUPPLY CHAIN “SECURITY” IMPORTANT? #Besides2018 #BSidesDelhi2018

4. Breaches due to 3rd party solutions #BSidesDelhi2018

5. AT LEAST 56%of organizations have had a breach that was caused by one of their vendors 49 56 2016 2017 TrendYoY On Average, U.S Companies Pay $7,350,000PER BREACH IN FINES, REMEDIATION COSTS AND LOSS OF CUSTOMERS - UP 10% #BSidesDelhi2018Source- https://www.opus.com/ponemon/

6. #BSidesDelhi2018

7. THAT’S NOT ALL… #BSidesDelhi2018

8. 57% Don’t have an inventory of 3rd parties with which they share sensitive information JUST 17% feel they’re highly effective at mitigating third-party risks 60% Feel Unprepared to tackle the underlying risk COMPANIES LACKVISIBILITY INTO THE SECURITY PRACTICES OFTHIRD PARTIES, BUT CONTINUETO SHARE DATA #BSidesDelhi2018Source- https://www.opus.com/ponemon/

9. HOW TO ADDRESS THIS PROBLEM? #BSidesDelhi2018

10. Supply Chain Universe Solutions - SaaS - COTS - Desktop Services - Hardware - Consulting - Staffing Supply Chain Universe Factory -Testing - Manufacturing Offshore Facility #BSidesDelhi2018

11. Types of Solutions SaaS /Third Party Hosted solutions COTS / Server Software / On-prem solutions Desktop / Client Only / Stand Alone solutions Hybrid Solutions / IoT / SMART device solutions Open Source / Freeware solutions #BSidesDelhi2018

12. Challenges Inventory- No single source of truth Coverage – Breadth vs Depth Limited Resources/Skills Focus on Risk driven decision Ineffective use of contracts #BSidesDelhi2018

13. “PRIORITIZATION” IS THE KEY #BSidesDelhi2018

14. Key Risk Indicators Spend Data Storage Data Sensitivity Critical Systems GDPR Connectivity External Endpoints PII User Count HighRiskEnvironments Compliance Instance Count #BSidesDelhi2018

15. Prioritization Model P0 P1 P2 Deep Dive Baseline Monitor & Respond Rejected Apps • Cloud Storage • External Endpoint • Corp Connected • Connectivity product (router/FW) • Spend • Internet connected • On Prem data • High use apps / user count • Non-Corp connected • Data Migration tools • Standalone apps • Peripherals Risk #BSidesDelhi2018

16. ASSESSMENT ACTIVITIES #BSidesDelhi2018

17. P2 • Operational Controls P1 • Attestation • Threat Model Review • Static Analysis • Dynamic Analysis • Industry Certifications • Operational Controls P0 • Attestation • Pen-testing • Threat Model Review • Static Analysis • Dynamic Analysis • Red Team Pen Test • Manual Code Review (if available) • Host Configurations • Industry Certifications • Operational Controls #BSidesDelhi2018

18. Is this Adequate? #BSidesDelhi2018

19. Point-in-Time vs Continuous Assurance Monitoring Reassurance Assessments [Point inTime] • Architecture Review • Manual/ Automated Pen-test • Control/Configuration Review • Vendor Attestation • Continuous Scanning • Risk Profiling • Remediation • Re-assessment based on the Risk #BSidesDelhi2018

20. Key areas to focus • Identify the key gaps in your supply chain program • Adopt or create your own risk based framework for your entire supply chain • Apply Risk based prioritization model per your org needs to ensure critical risks are addressed first • Review your contracts language • Move your program from point in time to continuous monitoring • Define KPIs which are impactful and tell the story of your program #BSidesDelhi2018

21. Q&A #BSidesDelhi2018

BSides Delhi 2018: Securing Supply Chain- A Risk Based Assessment Framework

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to BSides Delhi 2018: Securing Supply Chain- A Risk Based Assessment Framework

Similar to BSides Delhi 2018: Securing Supply Chain- A Risk Based Assessment Framework (20)

Recently uploaded

Recently uploaded (20)

BSides Delhi 2018: Securing Supply Chain- A Risk Based Assessment Framework