How to prevent, detect and react to Ransomware incidents
29th June 2020
Dinis Cruz
CISO and SVP Engineering
Ransomware Incident
React: What should the focus be during and after an incident so that the business and customer impact of the incident is minimised?
Detect: Once you are a victim of an attack, what techniques can you use to gain an advantage over the malicious behaviour? (which will dramatically reduce the impact of the attack)
Prevent: What are the most effective solutions (people, process and technology) that help with preventing Ransomware incidents?
Public/Media sequence of events
Stage 1
⁄ Breaking news
⁄ What happened?
Stage 2
⁄ Story telling
⁄ Make it personal (attackers and victims)
Stage 3
⁄ Crisis Analysis
⁄ Aftermath
Stage 4
⁄ Anniversary stories
The final version of the ‘incident story’ will depend on how you behaved during the incident.
How you react and behave (before, during and after the event) is more important, to your customers, employees and regulators, than `what happened?`
With Ransomware - what are you protecting?
⁄ Confidentiality - Don’t play this game
⁄ Integrity - So far we have been lucky
⁄ Availability - This is what it is all about
Focus on restoring Availability of your Data and Operations
⁄ Customer Data
⁄ Employee Data
⁄ Server Availability
⁄ Backups
⁄ Business Operations
⁄ Customer Trust
⁄ Compliance
Key activities covered in this presentation
⁄ Prevent files from reaching users - Reduce quantity of Patient Zero
⁄ Network Segmentation - Reduce Blast Radius
⁄ Endpoint protection - Block Propagation and Detonation
⁄ User Education - Reduce Payloads Activated
⁄ Incident Response Playbooks - Prepare and Rehearse Response
⁄ Asset Protection - Reduce Impact
⁄ Application Catalogue - Understand Attack Surface
⁄ Situational Awareness (SOC) - See What is Happening
⁄ Incident Response Team - Respond to Events
⁄ Immutable Infrastructure - Reduce Targets
⁄ Everything as Code - Automate Recovery
Prevent
What are the most effective solutions (people, process and technology) that help with preventing Ransomware incidents?
All of the ones below (x investment before the incident = 10x reduction in impact)
⁄ Prevent files from reaching users - Reduce quantity of Patient Zero
⁄ Network Segmentation - Reduce Blast Radius
⁄ Endpoint protection - Block Propagation and Detonation
⁄ User Education - Reduce Payloads Activated
⁄ Incident Response Playbooks - Prepare and Rehearse Response
⁄ Asset Protection - Reduce Impact
⁄ Application Catalogue - Understand Attack Surface
⁄ Situational Awareness (SOC) - See What is Happening
⁄ Incident Response Team - Respond to Events
⁄ Immutable Infrastructure - Reduce Targets
⁄ Everything as Code - Automate Recovery
Let’s start with this one:
⁄ Prevent files from reaching users - Reduce quantity of Patient Zero
Preventing malware files from reaching the User: reducing instances of Patient Zero
User Stories
As a CISO, I don’t want to worry that my security defences rely on users not opening and executing files.
As a User, I don’t want to worry that the file I want to open is going to be malicious.
As a CISO, I don’t want my users to have to focus on Security or to have security skills (since that doesn’t scale).
As a User, I want to focus on my job and be able to open all files sent to me in a safe way.
Reducing quantity of Patient Zero
⁄ Patient zero is the first device that executes malicious code
⁄ Reducing the number of Patient Zero instances is an effective solution that balances usability, business risk and business impact
⁄ Augment solutions that are hard to scale
○ User Education
○ Network Segmentation
○ Endpoint protection
⁄ Common infection points
○ Email
○ Downloaded files
○ Compromised installers of ‘benign applications’
Why are Office/PDF files used to infect Patient Zero?
⁄ Users open these files every day
⁄ Users need these files to do their work
⁄ Preventing users from accessing these files will cause significant business disruption
⁄ Users have been trained to open files (and click on links)
⁄ Office and PDF files have ‘built-in’ dangerous functionality (for example: macros or JavaScript execution)
⁄ Office and PDF files are very complex file formats (reader apps historically have been vulnerable to buffer overflows)
How to prevent malicious files from reaching Patient Zero
3 technologies that work (when used together):
○ Anti-Virus
○ Detonation Chambers (Sandboxing)
○ Content Disarm and Reconstruction (CDR)
Antivirus = Identify Known Bad
Detonation Chambers (Sandboxing) = Identify Unknown Bad
CDR (Content Disarm and Reconstruction) = Rebuild into Known Good
Content Disarm and Reconstruction (CDR)
https://file-drop.co.uk/
CDR in
action
https://www.youtube.com/watch?v=Lfaj71aGsqY
CDR locations and deployment models
⁄ Web Proxies = Protect Downloads from Websites
⁄ Email = Protect Attachments
⁄ USB Devices = Protect against USB distributed files
⁄ File Uploads = Protect locations where 3rd-parties upload files
⁄ Cross Domain = Protect networks (using Diodes)
Objective:
⁄ Prevent users from exposure to malicious files
⁄ Provide users with visually identical files
○ Minimum business impact
○ Safe files (rebuilt into known good)
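As an added illustration of “rebuild into known good” (example code, not Glasswall’s or any vendor’s engine), the Python below rebuilds a Word package from an allowlist of parts: a VBA project is never copied, the macro-enabled content type is demoted, and dangling references are dropped, while the visible text survives. The sample .docm, its part names and the placeholder VBA bytes are constructed inline and are not a real Office file; a production CDR engine validates every part against the format specification, this only shows the allowlist principle for one dangerous feature the slides name, macros.

```python
import io
import re
import zipfile

# Parts a plain Word document needs. Anything not listed (vbaProject.bin,
# embedded OLE objects, ActiveX controls) is never copied into the rebuilt file:
# unknown content is not inspected for "bad", it simply does not come across.
ALLOWED_PARTS = {
    "[Content_Types].xml",
    "_rels/.rels",
    "word/document.xml",
    "word/_rels/document.xml.rels",
    "word/styles.xml",
}
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def _clean_content_types(xml: str, kept: set) -> str:
    """Keep <Override> entries only for surviving parts; demote .docm to .docx."""
    def keep(m):
        part = re.search(r'PartName="/([^"]+)"', m.group(0))
        return m.group(0) if part and part.group(1) in kept else ""
    xml = re.sub(r"<Override\b[^>]*/>", keep, xml)
    return xml.replace(MACRO_MAIN_CT, PLAIN_MAIN_CT)


def _clean_document_rels(xml: str, kept: set) -> str:
    """Keep only relationships whose target is a surviving part (drops the
    vbaProject link; this simplified version also drops external hyperlinks)."""
    def keep(m):
        target = re.search(r'Target="([^"]+)"', m.group(0))
        if not target:
            return ""
        t = target.group(1)
        resolved = t.lstrip("/") if t.startswith("/") else "word/" + t
        return m.group(0) if resolved in kept else ""
    return re.sub(r"<Relationship\b[^>]*/>", keep, xml)


def disarm_docx(data: bytes) -> bytes:
    """Rebuild the package from allowlisted parts only and return the new bytes."""
    src = zipfile.ZipFile(io.BytesIO(data))
    kept = {n for n in src.namelist() if n in ALLOWED_PARTS}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in sorted(kept):
            part = src.read(name).decode("utf-8")
            if name == "[Content_Types].xml":
                part = _clean_content_types(part, kept)
            elif name == "word/_rels/document.xml.rels":
                part = _clean_document_rels(part, kept)
            dst.writestr(name, part.encode("utf-8"))
    return out.getvalue()


def part_names(data: bytes) -> list:
    """Sorted part names inside an OOXML package (used by the checks)."""
    return sorted(zipfile.ZipFile(io.BytesIO(data)).namelist())


def has_macro_project(data: bytes) -> bool:
    """True if the package still carries a VBA project or still advertises one."""
    z = zipfile.ZipFile(io.BytesIO(data))
    ct = z.read("[Content_Types].xml").decode("utf-8")
    rels = z.read("word/_rels/document.xml.rels").decode("utf-8")
    return ("word/vbaProject.bin" in z.namelist() or MACRO_MAIN_CT in ct
            or "vbaProject" in rels)


def document_text(data: bytes) -> str:
    """Concatenated <w:t> text, to show the visible content survived the rebuild."""
    xml = zipfile.ZipFile(io.BytesIO(data)).read("word/document.xml").decode("utf-8")
    return "".join(re.findall(r"<w:t>([^<]*)</w:t>", xml))


def build_sample_docm() -> bytes:
    """Constructed sample (not a real Office file): a .docm with a fake VBA part."""
    parts = {
        "[Content_Types].xml":
            f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            "</Types>",
        "_rels/.rels":
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'
            "</Relationships>",
        "word/document.xml":
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Quarterly report</w:t>'
            "</w:r></w:p></w:body></w:document>",
        "word/_rels/document.xml.rels":
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
            f'<Relationship Id="rId2" Type="{OFFICE_REL}/vbaProject" Target="vbaProject.bin"/>'
            "</Relationships>",
        "word/styles.xml": f'<w:styles xmlns:w="{W_NS}"/>',
        # Constructed placeholder standing in for a compiled VBA project.
        "word/vbaProject.bin": "PLACEHOLDER-VBA-PROJECT-NOT-REAL",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```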
CDR Players and technical information
Company Technical Documents
Check Point https://blog.checkpoint.com/2019/07/16/practical-prevention-maximum-zero-day-prevention-without-compromising-productivity/
Clearswift https://www.clearswift.com/sites/default/files/Clearswift_CNI_Solution_Brief_Defence_Security_Solutions_UK_Eng_WR.pdf
Deep Secure https://www.deep-secure.com/blog/165-what-is-zero-trust-and-can-it-turn-the-tables-in-the-cyber-security-war.php
Glasswall https://glasswallsolutions.com/content-disarm-and-reconstruction/
Jiran Security https://drive.google.com/open?id=1uyI4js5YXPEBmSd-YcHJv8HIabNmVrlS
MIMEcast https://www.mimecast.com/globalassets/documents/whitepapers/gl-1556-email-security-deep-dive.pdf
OD-IX https://odi-x.com/true-cdr-the-next-generation-of-malware-prevention-tools/
Opswat https://www.opswat.com/blog/questions-to-ask-before-you-select-a-cdr-technology
Resec https://resec.co/cdr-cybersecurity/
SASA Software https://www.sasa-software.com/our-technology/
SOFTCAMP https://www.softcamp.co.kr/eng/sub/sub_2_4.php
Votiro https://cdn2.hubspot.net/hubfs/6559474/Whitepapers/Stopping_threats_with_Votiro_solutions_Booklet.pdf?utm_source=hs_automation
Yazamtech https://yazamtech.com/content-disarm-reconstruction-what-does-a-business-really-need-to-ensure-smooth-business-continuity/
Fortinet https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/441368/content-disarm-and-reconstruction-cdr
Detect
Once you are a victim of an attack, what techniques can you use to gain an advantage over the malicious behaviour? (which will dramatically reduce the impact of the attack)
The following activities should also be done during incidents.
Incidents are a very effective environment to fix security gaps and improve your capabilities.
Next, let’s cover these Key activities:
⁄ Network Segmentation - Reduce Blast Radius
⁄ Endpoint protection - Block Propagation and Detonation
⁄ User Education - Reduce Payloads Activated
⁄ Incident Response Playbooks - Prepare and Rehearse Response
⁄ Asset Protection - Reduce Impact
⁄ Application Catalogue - Understand Attack Surface
⁄ Situational Awareness (SOC) - See What is Happening
Sequence of events (each produces a weak signal)
(all attackers/malware)
- Initial Infection (Patient Zero)
- Reconnaissance
- Elevation of privilege and Propagation
- Asset Enumeration
- Encryption
(more advanced attackers)
- Gain Persistence
- Additional payloads
- Data Extraction
Your job is to make it harder for attackers to perform each of these actions.
Your defence model should be based on the “Attacker making a mistake” (vs you having to protect everything).
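As an added example (not from the slides), here is how the weak signal of the Encryption stage can be pulled out of file-activity telemetry: the Python below raises one alert for a host/process pair that renames many distinct files to an appended extension across several directories within a minute, while skipping processes in the SOC’s “known good” baseline. The log line format, host names, process names and the baseline list are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-activity log format, one event per line. The field names are
# invented for this example and do not correspond to a specific EDR or audit log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# "Known good" baseline: processes that legitimately rename files in bulk.
# Constructed list; a real one is learnt from your own environment.
KNOWN_GOOD = {"backup-agent.exe", "robocopy.exe"}
WINDOW = timedelta(seconds=60)   # burst window
MIN_FILES = 5                    # distinct files renamed inside the window
MIN_DIRS = 2                     # spread across at least this many directories


def parse_event(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def appends_extension(path, new):
    """True when a rename keeps the whole original name and appends one suffix,
    e.g. report.docx -> report.docx.locked (a normal 'save as' does not)."""
    if new is None or not new.startswith(path + "."):
        return False
    return "." not in new[len(path) + 1:]


def detect_encryption_bursts(lines):
    """Scan lines in order; emit one alert per (host, proc) the first time it
    renames MIN_FILES distinct files across MIN_DIRS directories within WINDOW."""
    recent = defaultdict(deque)   # (host, proc) -> deque of (ts, path) in window
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "rename" or ev["proc"] in KNOWN_GOOD:
            continue
        if not appends_extension(ev["path"], ev["new"]):
            continue
        key = (ev["host"], ev["proc"])
        window = recent[key]
        window.append((ev["ts"], ev["path"]))
        while window and ev["ts"] - window[0][0] > WINDOW:
            window.popleft()           # drop events that fell out of the window
        files = {p for _, p in window}
        dirs = {p.rsplit("/", 1)[0] for p in files}
        if key in alerted or len(files) < MIN_FILES or len(dirs) < MIN_DIRS:
            continue
        alerted.add(key)
        alerts.append({
            "host": ev["host"], "proc": ev["proc"],
            "first_seen": window[0][0].isoformat(), "at": ev["ts"].isoformat(),
            "files": len(files), "dirs": len(dirs),
        })
    return alerts


# Constructed sample telemetry: a backup agent (known good) renaming in bulk, one
# workstation showing the encryption-stage burst, and a user renaming by hand.
SAMPLE_LOG = """\
2020-06-29T09:00:01 host=fs-01 proc=backup-agent.exe op=rename path=/srv/share/hr/a.xlsx new=/srv/share/hr/a.xlsx.bak
2020-06-29T09:00:02 host=fs-01 proc=backup-agent.exe op=rename path=/srv/share/hr/b.xlsx new=/srv/share/hr/b.xlsx.bak
2020-06-29T09:00:03 host=fs-01 proc=backup-agent.exe op=rename path=/srv/share/fin/c.xlsx new=/srv/share/fin/c.xlsx.bak
2020-06-29T09:01:00 host=ws-042 proc=unknown-proc.exe op=write path=/home/alice/Documents/q2.docx
2020-06-29T09:01:02 host=ws-042 proc=unknown-proc.exe op=rename path=/home/alice/Documents/q2.docx new=/home/alice/Documents/q2.docx.locked
2020-06-29T09:01:03 host=ws-042 proc=unknown-proc.exe op=rename path=/home/alice/Documents/budget.xlsx new=/home/alice/Documents/budget.xlsx.locked
2020-06-29T09:01:04 host=ws-042 proc=unknown-proc.exe op=rename path=/home/alice/Pictures/team.jpg new=/home/alice/Pictures/team.jpg.locked
2020-06-29T09:01:05 host=ws-042 proc=unknown-proc.exe op=rename path=/home/alice/Pictures/logo.png new=/home/alice/Pictures/logo.png.locked
2020-06-29T09:01:06 host=ws-042 proc=unknown-proc.exe op=rename path=/home/alice/Desktop/notes.txt new=/home/alice/Desktop/notes.txt.locked
2020-06-29T09:01:07 host=ws-042 proc=unknown-proc.exe op=rename path=/home/alice/Desktop/todo.txt new=/home/alice/Desktop/todo.txt.locked
2020-06-29T09:05:00 host=ws-017 proc=explorer.exe op=rename path=/home/bob/draft.docx new=/home/bob/final.docx
2020-06-29T09:10:00 host=ws-017 proc=explorer.exe op=rename path=/home/bob/old.txt new=/home/bob/old.txt.bak
"""


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect_encryption_bursts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The alert carries the first and latest timestamp of the burst so the SOC can see how early the signal was available relative to when it was acted on.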
Network Segmentation - Reduce Blast Radius:
⁄ Break your network into hundreds of smaller networks
○ Not that hard to do once you go down that path
⁄ Start with Assets
⁄ Redirect patching efforts into network segmentation
○ Patching doesn’t scale
○ OK to have insecure devices on the network as long as they are not exposed
Endpoint protection - Block Propagation and Detonation:
⁄ You need to have visibility into what is happening with your endpoints
⁄ Pay attention to weak signals
⁄ Invest in SOC data consumption and visualisation
⁄ Outsource where it makes sense (for example SIEM level 1)
User Education - Reduce Payloads Activated:
⁄ Creatively educate your users on your current threat landscape
⁄ Make it relevant for them (both at home and in their business function)
⁄ Gamify it
⁄ Reward detection
⁄ Don’t punish Patient Zero
Incident Response Playbooks - Prepare and Rehearse Response:
⁄ Single most important activity
⁄ View incidents (before Ransomware) as ‘warm up’ events
⁄ Use incidents strategically (‘over-allocate’ resources)
⁄ Use playbook maturity as a way to measure preparedness
⁄ People management and communications are the HARDEST to scale
Asset Protection - Reduce Impact:
⁄ Know what your assets are
⁄ Know where they are located
⁄ Monitor asset usage
⁄ Use security violations (role-based security) as early-warning signals
Application Catalogue - Understand Attack Surface:
⁄ Map all your applications (to your assets)
⁄ Know who owns them
⁄ Understand what should happen if an application is compromised
⁄ Know how to restore it
⁄ Backup everything (not just the data)
⁄ Put it all in a Graph (we use Jira to consolidate all data)
Situational Awareness (SOC) - See What is Happening:
⁄ The SOC team is the one that should see it first
⁄ Create a model where the attacker needs to make a mistake
⁄ The sooner you can detect malicious activity, the less damage will occur
⁄ Before an incident, align the SOC with Business Intelligence
⁄ Machine Learning is the only way to scale
○ Understand the Known Good status of your network
React
What should the focus be during and after an incident so that the business and customer impact of the incident is minimised?
Activities we are going to cover in this section:
⁄ Incident Response Team - Respond to Events
⁄ Immutable Infrastructure - Reduce Targets
⁄ Everything as Code - Automate Recovery
Incident Response Team
Respond to Events:
⁄ The effectiveness of this team will determine the impact of the incident
⁄ Over-provision resources
⁄ Create operational structures to help scaling resources allocated
⁄ Manage People effectively (food, rest, meeting rooms)
⁄ Focus on Process, namely on Comms and Stakeholder management
⁄ Effective use of Technology is key
Playbook in action
Immutable Infrastructure
Reduce Targets:
⁄ Know what is in a Known Good state
⁄ Know what you can trust
⁄ The less your infrastructure is editable, the smaller the attack surface
Everything as Code (EaC)
Automate Recovery:
⁄ The more automation you have in your infrastructure, the faster you will recover
⁄ As long as your build scripts are not compromised, rebuild it
⁄ Kick-start the rebuild process as soon as the event occurs (even before you need it)
Ransomware Incident Simulation
Session at Open Security Summit
https://open-security-summit.org/training/week-2/ciso-and-risk-management/incident-scenario-exercise/
Rules
⁄ Create multiple teams (one team per ‘persona’)
○ Management
○ Operations
○ Customer Group
○ Security Team (Blue Team)
○ Attackers (Red Team)
⁄ Gameplay happens over multiple rounds
⁄ Round one defines the initial scenario (first detections)
⁄ Each team meets to decide what they want to do next (for 10 to 15 minutes)
⁄ The incident ‘Scenario’ team is part of each team and adjusts the scenario based on the decisions made
⁄ Sessions executed over Zoom, with Slack used to synchronize actions
Event players
Scenario
What was compromised
Here are the slides created by the “Red Team” with its moves
Try it at your company
Thanks - Questions?
dcruz@glasswallsolutions.com
@DinisCruz

Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas  - Open Security Summit (Working Session 21th May 2019)Jira schemas  - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019   owasp london 25th febOpen security summit 2019   owasp london 25th feb
Open security summit 2019 owasp london 25th feb
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019  - OWASP London 25th febOwasp summit 2019  - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th feb
 
Evolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsEvolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIs
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)
 
Thinking in graphs v1.0
Thinking in graphs v1.0Thinking in graphs v1.0
Thinking in graphs v1.0
 

Recently uploaded

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsPaul Groth
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...Sri Ambati
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Alison B. Lowndes
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
 
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...
КАТЕРИНА АБЗЯТОВА  «Ефективне планування тестування  ключові аспекти та практ...КАТЕРИНА АБЗЯТОВА  «Ефективне планування тестування  ключові аспекти та практ...
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...QADay
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesThousandEyes
 
UiPath New York Community Day in-person event
UiPath New York Community Day in-person eventUiPath New York Community Day in-person event
UiPath New York Community Day in-person eventDianaGray10
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...Elena Simperl
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
 

Recently uploaded (20)

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...
КАТЕРИНА АБЗЯТОВА  «Ефективне планування тестування  ключові аспекти та практ...КАТЕРИНА АБЗЯТОВА  «Ефективне планування тестування  ключові аспекти та практ...
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
UiPath New York Community Day in-person event
UiPath New York Community Day in-person eventUiPath New York Community Day in-person event
UiPath New York Community Day in-person event
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 

Glasswall - How to Prevent, Detect and React to Ransomware incidents

8. What are the most effective solutions (people, process and technology) that help with preventing Ransomware incidents?

9. All of the ones below (x investment before incident = 10x reduction in impact)
⁄ Prevent files from reaching users - Reduce quantity of Patient Zero
⁄ Network Segmentation - Reduce Blast Radius
⁄ Endpoint protection - Block Propagation and Detonation
⁄ User Education - Reduce Payloads Activated
⁄ Incident Response Playbooks - Prepare and Rehearse Response
⁄ Asset Protection - Reduce Impact
⁄ Application Catalogue - Understand Attack Surface
⁄ Situational Awareness (SOC) - See What is Happening
⁄ Incident Response Team - Respond to Events
⁄ Immutable Infrastructure - Reduce Targets
⁄ Everything as Code - Automate Recovery

10. Let’s start with this one:
⁄ Prevent files from reaching users - Reduce quantity of Patient Zero
⁄ Network Segmentation - Reduce Blast Radius
⁄ Endpoint protection - Block Propagation and Detonation
⁄ User Education - Reduce Payloads Activated
⁄ Incident Response Playbooks - Prepare and Rehearse Response
⁄ Asset Protection - Reduce Impact
⁄ Application Catalogue - Understand Attack Surface
⁄ Situational Awareness (SOC) - See What is Happening
⁄ Incident Response Team - Respond to Events
⁄ Immutable Infrastructure - Reduce Targets
⁄ Everything as Code - Automate Recovery

11. Preventing malware files from reaching the user

13. User Stories
⁄ As a CISO, I don’t want to worry that my security defences rely on users not opening and executing files
⁄ As a User, I don’t want to worry that the file I want to open is going to be malicious
⁄ As a CISO, I don’t want my users to focus on Security and to have Security Skills (since that doesn’t scale)
⁄ As a User, I want to focus on my job and be able to open all files sent to me in a safe way

14. Reducing quantity of Patient Zero
⁄ Patient zero is the first device that executes malicious code
⁄ Reducing the number of Patient Zeros is an effective solution that balances usability, business risk and business impact
⁄ Augment solutions that are hard to scale
○ User Education
○ Network Segmentation
○ Endpoint protection
⁄ Common infection points
○ Email
○ Downloaded files
○ Compromised installers of ‘benign applications’

15. Why are Office/PDF files used to infect Patient Zero
⁄ Users open these files every day
⁄ Users need these files to do their work
⁄ Preventing users from accessing these files will cause significant business disruption
⁄ Users have been trained to open files (and click on links)
⁄ Office and PDF files have ‘built-in’ dangerous functionality (for example: macros or JavaScript execution)
⁄ Office and PDF files are very complex file formats (reader apps historically have been vulnerable to buffer overflows)

16. How to prevent malicious files from reaching Patient Zero
3 technologies that work (when used together):
○ Anti-Virus
○ Detonation Chambers (Sandboxing)
○ Content Disarm and Reconstruction (CDR)
Antivirus = Identify Known Bad
Detonation Chambers (Sandboxing) = Identify Unknown Bad
CDR (Content Disarm and Reconstruction) = Rebuild into Known Good

17. Content Disarm and Reconstruction (CDR)

19. CDR locations and deployment models
⁄ Web Proxies = Protect Downloads from Websites
⁄ Email = Protect Attachments
⁄ USB Devices = Protect against USB distributed files
⁄ File Uploads = Protect locations where 3rd-parties upload files
⁄ Cross Domain = Protect networks (using Diodes)
Objective:
⁄ Prevent users from exposure to malicious files
⁄ Provide users with visually identical files
○ Minimum business impact
○ Safe files (rebuilt into known good)

20. CDR players and technical information
Company - Technical Documents
⁄ Check Point - https://blog.checkpoint.com/2019/07/16/practical-prevention-maximum-zero-day-prevention-without-compromising-productivity/
⁄ Clearswift - https://www.clearswift.com/sites/default/files/Clearswift_CNI_Solution_Brief_Defence_Security_Solutions_UK_Eng_WR.pdf
⁄ Deep Secure - https://www.deep-secure.com/blog/165-what-is-zero-trust-and-can-it-turn-the-tables-in-the-cyber-security-war.php
⁄ Glasswall - https://glasswallsolutions.com/content-disarm-and-reconstruction/
⁄ Jiran Security - https://drive.google.com/open?id=1uyI4js5YXPEBmSd-YcHJv8HIabNmVrlS
⁄ MIMEcast - https://www.mimecast.com/globalassets/documents/whitepapers/gl-1556-email-security-deep-dive.pdf
⁄ OD-IX - https://odi-x.com/true-cdr-the-next-generation-of-malware-prevention-tools/
⁄ Opswat - https://www.opswat.com/blog/questions-to-ask-before-you-select-a-cdr-technology
⁄ Resec - https://resec.co/cdr-cybersecurity/
⁄ SASA Software - https://www.sasa-software.com/our-technology/
⁄ SOFTCAMP - https://www.softcamp.co.kr/eng/sub/sub_2_4.php
⁄ Votiro - https://cdn2.hubspot.net/hubfs/6559474/Whitepapers/Stopping_threats_with_Votiro_solutions_Booklet.pdf?utm_source=hs_automation
⁄ Yazamtech - https://yazamtech.com/content-disarm-reconstruction-what-does-a-business-really-need-to-ensure-smooth-business-continuity/
⁄ Fortinet - https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/441368/content-disarm-and-reconstruction-cdr
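The “rebuild into known good” idea on slides 16 to 19 can be seen in a minimal form below. This is an added example, not Glasswall’s product code or anything from the slides: it treats an OOXML (.docx) container as untrusted, copies only an allowlisted set of parts into a fresh archive, drops the VBA project, and repairs the content-type and relationship manifests so the rebuilt file stays internally consistent. The sample document, the allowlist and the active-content list are constructed assumptions for illustration; a production CDR engine also re-parses and regenerates each part rather than copying its bytes.

```python
"""Added example, not from the slides: a minimal CDR-style 'rebuild into known good'
step for an OOXML (.docx) container. Rather than looking for known-bad signatures,
it copies only allowlisted parts into a fresh archive, drops active content
(the VBA project), and repairs the manifests so the result is still consistent.
The allowlist, active-content list and sample document are constructed assumptions."""
from __future__ import annotations

import io
import re
import zipfile

# Parts a plain text-only document needs; everything else is dropped. (assumption)
ALLOWED_PARTS = {
    "[Content_Types].xml",
    "_rels/.rels",
    "word/document.xml",
    "word/_rels/document.xml.rels",
    "word/styles.xml",
    "docProps/core.xml",
}
# Content types that are never carried over, even for an allowlisted part.
ACTIVE_CONTENT_TYPES = ("application/vnd.ms-office.vbaProject",)
# A macro-enabled main part is re-typed as a plain document once macros are gone.
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def _strip_refs(xml: str, dropped: list[str]) -> str:
    """Remove Override/Relationship entries that point at parts we did not keep."""
    for part in dropped:
        base = part.rsplit("/", 1)[-1]
        xml = re.sub(r'<Override\b[^>]*PartName="/%s"[^>]*/>' % re.escape(part), "", xml)
        xml = re.sub(r'<Relationship\b[^>]*Target="[^"]*%s"[^>]*/>' % re.escape(base), "", xml)
    for ctype in ACTIVE_CONTENT_TYPES:
        xml = re.sub(r'<(?:Override|Default)\b[^>]*ContentType="%s"[^>]*/>' % re.escape(ctype), "", xml)
    return xml.replace(MACRO_MAIN, PLAIN_MAIN)


def rebuild_docx(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the container into a new archive; return (rebuilt_bytes, dropped_part_names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    kept: dict[str, bytes] = {}
    dropped: list[str] = []
    for name in src.namelist():
        if name in ALLOWED_PARTS:
            kept[name] = src.read(name)
        else:
            dropped.append(name)
    # Repair the manifests so no entry points at a part that no longer exists.
    for manifest in ("[Content_Types].xml", "word/_rels/document.xml.rels"):
        if manifest in kept:
            kept[manifest] = _strip_refs(kept[manifest].decode("utf-8"), dropped).encode("utf-8")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, blob in kept.items():   # fresh archive: no stray headers or extra fields survive
            dst.writestr(name, blob)
    return out.getvalue(), dropped


def build_sample_docx() -> bytes:
    """Constructed sample: a tiny docx-like container that carries a VBA project part."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="%s"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '</Types>' % MACRO_MAIN
    )
    doc_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '</Relationships>'
    )
    parts = {
        "[Content_Types].xml": content_types,
        "_rels/.rels": '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                       '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                             '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": doc_rels,
        "word/styles.xml": '<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/vbaProject.bin": "CONSTRUCTED-VBA-PLACEHOLDER",   # stands in for a real macro project
        "customXml/item1.xml": "<root/>",                       # not on the allowlist either
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    rebuilt, removed = rebuild_docx(build_sample_docx())
    print("dropped parts:", removed)
    print("kept parts:", zipfile.ZipFile(io.BytesIO(rebuilt)).namelist())
```

The contrast with the slide’s other two technologies is the point: nothing here asks whether `vbaProject.bin` is malicious, it is simply not part of what a known-good document is allowed to contain, so it never reaches the user.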
22. Once you are a victim of an attack, what techniques can you use to gain an advantage over the malicious behaviour? (which will dramatically reduce the impact of the attack)

23. The following activities should also be done during incidents

24. Incidents are a very effective environment to fix security gaps and improve your capabilities

25. Next let’s cover these Key activities
⁄ Prevent files from reaching users - Reduce quantity of Patient Zero
⁄ Network Segmentation - Reduce Blast Radius
⁄ Endpoint protection - Block Propagation and Detonation
⁄ User Education - Reduce Payloads Activated
⁄ Incident Response Playbooks - Prepare and Rehearse Response
⁄ Asset Protection - Reduce Impact
⁄ Application Catalogue - Understand Attack Surface
⁄ Situational Awareness (SOC) - See What is Happening
⁄ Incident Response Team - Respond to Events
⁄ Immutable Infrastructure - Reduce Targets
⁄ Everything as Code - Automate Recovery

26. Sequence of events (each produces a weak signal)
All attackers/malware:
- Initial Infection (Patient Zero)
- Reconnaissance
- Elevation of privilege and Propagation
- Asset Enumeration
- Encryption
More advanced attackers:
- Gain Persistence
- Additional payloads
- Data Extraction
Your job is to make it harder for attackers to perform each of these actions.
Your defence model should be based on the “Attacker making a mistake” (vs you having to protect everything).
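Slide 26 says each stage produces a weak signal. The added example below (not from the slides) turns two of those stages, asset enumeration and encryption, into detections over file-server audit events: one host listing many distinct shares in a short window, and one host renaming many distinct files to the same new extension in a short window. The event format, hostnames and thresholds are constructed assumptions; a SOC would map them onto its own audit schema and tune the thresholds against its known-good baseline.

```python
"""Added example, not from the slides: weak-signal detections for two stages named
on slide 26, asset enumeration and encryption, run over file-server audit events.
The event format, hostnames and thresholds are constructed assumptions."""
from __future__ import annotations

import posixpath
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_event(line: str) -> dict:
    """Parse 'ISO8601 host user OP path [-> new_path]' (constructed audit format)."""
    f = line.split()
    ts, host, user, op, path = f[:5]
    new_path = f[6] if len(f) > 6 and f[5] == "->" else None
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "op": op, "path": path, "new_path": new_path}


def share_of(path: str) -> str:
    """'//server/share/dir/file' -> '//server/share'."""
    return "/".join(path.split("/")[:4])


def detect_share_enumeration(events, window=timedelta(seconds=120), threshold=5):
    """One host touching many distinct shares in a short window: asset enumeration."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] not in ("LIST", "READ"):
            continue
        q = recent[ev["host"]]
        q.append((ev["ts"], share_of(ev["path"])))
        while q and ev["ts"] - q[0][0] > window:   # slide the window
            q.popleft()
        shares = {s for _, s in q}
        if len(shares) >= threshold and ev["host"] not in fired:
            fired.add(ev["host"])
            alerts.append({"stage": "asset_enumeration", "host": ev["host"],
                           "user": ev["user"], "shares": sorted(shares), "at": ev["ts"]})
    return alerts


def detect_encryption_burst(events, window=timedelta(seconds=60), threshold=10):
    """Many distinct files renamed to the same new extension in a short window: encryption."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "RENAME" or not ev["new_path"]:
            continue
        old_ext = posixpath.splitext(ev["path"])[1]
        new_ext = posixpath.splitext(ev["new_path"])[1]
        if not new_ext or new_ext == old_ext:
            continue                                # ordinary rename, not an extension change
        key = (ev["host"], new_ext)
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"stage": "encryption", "host": ev["host"], "user": ev["user"],
                           "new_ext": new_ext, "count": len(distinct), "first_seen": q[0][0]})
    return alerts


def build_sample_log() -> str:
    """Constructed audit lines: benign activity on WS-0102, a two-stage sequence on WS-0417."""
    t0 = datetime(2020, 6, 29, 9, 0, 0)
    lines = [
        f"{t0.isoformat()} WS-0102 a.lee READ //fs01/hr/handbook.pdf",
        f"{(t0 + timedelta(seconds=4)).isoformat()} WS-0102 a.lee RENAME //fs01/hr/draft.docx -> //fs01/hr/final.docx",
    ]
    for i, share in enumerate(["finance", "hr", "legal", "it", "sales", "backup"]):
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} WS-0417 j.doe LIST //fs01/{share}/")
    for i in range(12):
        ts = (t0 + timedelta(seconds=180 + 2 * i)).isoformat()
        lines.append(f"{ts} WS-0417 j.doe RENAME //fs01/finance/report{i}.xlsx -> //fs01/finance/report{i}.xlsx.locked")
    return "\n".join(lines)


def run_detections(log: str) -> list[dict]:
    """Parse the log once and run both stage detectors over it."""
    events = [parse_event(line) for line in log.splitlines() if line.strip()]
    return detect_share_enumeration(events) + detect_encryption_burst(events)


if __name__ == "__main__":
    for alert in run_detections(build_sample_log()):
        print(alert)
```

The enumeration alert fires three minutes before the first rename, which is the advantage the slide is after: the earlier stage is the attacker’s mistake, and the defender only has to notice it.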
27. Network Segmentation - Reduce Blast Radius:
⁄ Break your network into hundreds of smaller networks
○ Not that hard to do once you go down that path
⁄ Start with Assets
⁄ Redirect patching efforts into network segmentation
○ Patching doesn’t scale
○ It is OK to have insecure devices on the network as long as they are not exposed

28. Endpoint protection - Block propagation and detonation:
⁄ You need to have visibility into what is happening with your endpoints
⁄ Pay attention to weak signals
⁄ Invest in SOC data consumption and visualisation
⁄ Outsource where it makes sense (for example SIEM level 1)

29. User Education - Reduce Payloads Activated:
⁄ Creatively educate your users on your current threat landscape
⁄ Make it relevant for them (both at home and in their business function)
⁄ Gamify it
⁄ Reward detection
⁄ Don’t punish Patient Zero

30. Incident Response Playbooks - Prepare and Rehearse Response:
⁄ Single most important activity
⁄ View incidents (before Ransomware) as ‘warm up’ events
⁄ Use incidents strategically (‘over-allocate’ resources)
⁄ Use Playbook maturity as a way to measure preparedness
⁄ People management and communications are the HARDEST to scale

31. Asset Protection - Reduce Impact:
⁄ Know what your assets are
⁄ Know where they are located
⁄ Monitor asset usage
⁄ Use Security violations (Role based security) as early-warning signals

32. Application Catalogue - Understand Attack Surface:
⁄ Map all your applications (to your assets)
⁄ Know who owns them
⁄ Understand what should happen if an application is compromised
⁄ Know how to restore it
⁄ Backup everything (not just the data)
⁄ Put it all in a Graph (we use Jira to consolidate all data)

33. Situational Awareness (SOC) - See What is Happening:
⁄ The SOC team is the one that should see it first
⁄ Create a model where the attacker needs to make a mistake
⁄ The sooner you can detect malicious activity, the less damage will occur
⁄ Before an incident, align SOC with Business Intelligence
⁄ Machine Learning is the only way to scale
○ Understand the Known Good status of your network

34. React

35. What should the focus be during and after an incident so that the business and customer impact of the incident is minimised?

36. Activities we are going to cover in this section
⁄ Prevent files from reaching users - Reduce quantity of Patient Zero
⁄ Network Segmentation - Reduce Blast Radius
⁄ Endpoint protection - Block Propagation and Detonation
⁄ User Education - Reduce Payloads Activated
⁄ Incident Response Playbooks - Prepare and Rehearse Response
⁄ Asset Protection - Reduce Impact
⁄ Application Catalogue - Understand Attack Surface
⁄ Situational Awareness (SOC) - See What is Happening
⁄ Incident Response Team - Respond to Events
⁄ Immutable Infrastructure - Reduce Targets
⁄ Everything as Code - Automate Recovery

37. Incident Response Team - Respond to Events:
⁄ The effectiveness of this team will determine the impact of the incident
⁄ Over-provision resources
⁄ Create operational structures to help scale the resources allocated
⁄ Manage people effectively (food, rest, meeting rooms)
⁄ Focus on Process, namely on Comms and Stakeholder management
⁄ Effective use of Technology is key

39. Immutable Infrastructure - Reduce Targets:
⁄ Know what is in a Known Good state
⁄ Know what you can trust
⁄ The less editable your infrastructure is, the smaller the attack surface

40. Everything as Code (EaC) - Automate Recovery:
⁄ The more automation you have in your infrastructure, the faster you will recover
⁄ As long as your build scripts are not compromised, rebuild it
⁄ Kick-start the rebuild process as soon as the event occurs (even before you’ll need it)
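Slides 39 and 40 rest on knowing what is in a Known Good state and rebuilding from code when something is not. The added example below (not from the slides) shows the mechanics in Python: a signed hash manifest of a host’s immutable paths is produced at build time, the live tree is compared against it, and any drift under the immutable prefixes is the trigger to rebuild rather than to clean. Paths, key and sample files are constructed for the demonstration; in practice the HMAC key lives in the build pipeline, not on the host, so a compromised host cannot re-sign a manifest that matches its own tampered state.

```python
"""Added example, not from the slides: a known-good manifest for a host's immutable
paths, signed at build time and checked against the live tree. Drift under the
immutable prefixes means 'rebuild from code', drift elsewhere is expected.
Paths, key and sample files are constructed for the demonstration."""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Paths that are only ever written by the build pipeline. (assumption)
IMMUTABLE_PREFIXES = ("bin/", "etc/")


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC over a canonical JSON encoding, so the manifest itself cannot be edited silently."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict[str, str], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between the build-time baseline and the live tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def needs_rebuild(diff: dict[str, list[str]], prefixes=IMMUTABLE_PREFIXES) -> bool:
    """Any drift under an immutable prefix means the host is no longer known good."""
    changed = diff["added"] + diff["removed"] + diff["modified"]
    return any(p.startswith(prefixes) for p in changed)


def run_demo() -> dict:
    """Constructed host tree: one expected change (log growth), then drift in immutable paths."""
    key = b"constructed-demo-key"  # held by the build pipeline in practice, never on the host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "var/log").mkdir(parents=True)
        (root / "bin/app").write_bytes(b"\x7fELF-constructed-binary")
        (root / "etc/app.conf").write_text("listen=127.0.0.1:8080\n")
        (root / "var/log/app.log").write_text("started\n")
        baseline = build_manifest(root)
        tag = sign_manifest(baseline, key)

        # Normal operation: logs grow, and mutable paths are allowed to drift.
        with (root / "var/log/app.log").open("a") as f:
            f.write("request ok\n")
        quiet = diff_manifest(baseline, build_manifest(root))

        # Drift under immutable paths: config edited, unexpected file in bin/ (constructed).
        (root / "etc/app.conf").write_text("listen=0.0.0.0:8080\n")
        (root / "bin/unexpected").write_bytes(b"constructed-unexpected-file")
        drift = diff_manifest(baseline, build_manifest(root))

    return {
        "manifest_ok": verify_manifest(baseline, key, tag),
        "quiet": quiet, "quiet_rebuild": needs_rebuild(quiet),
        "drift": drift, "drift_rebuild": needs_rebuild(drift),
    }


if __name__ == "__main__":
    result = run_demo()
    print("baseline signature valid:", result["manifest_ok"])
    print("after log growth:", result["quiet"], "-> rebuild:", result["quiet_rebuild"])
    print("after drift:", result["drift"], "-> rebuild:", result["drift_rebuild"])
```

The decision is deliberately binary: once `bin/` or `etc/` differs from what the pipeline produced, the slide’s advice applies and the rebuild is kicked off from the build scripts, which is cheaper and more trustworthy than working out what changed.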
42. Session at Open Security Summit
https://open-security-summit.org/training/week-2/ciso-and-risk-management/incident-scenario-exercise/

43. Rules
⁄ Create multiple teams (one team per ‘persona’)
○ Management
○ Operations
○ Customer Group
○ Security Team (Blue Team)
○ Attackers (Red Team)
⁄ Gameplay happens over multiple rounds
⁄ Round one defines the initial scenario (first detections)
⁄ Each team meets to decide what they want to do next (for 10 to 15 minutes)
⁄ The Incident ‘Scenario’ team is part of each team and adjusts the scenario based on the decisions made
⁄ Sessions executed over Zoom with Slack used to synchronize actions

48. Here are the slides created by the “Red Team” with its moves

49.-52. (image-only slides: no text extracted)

53. Try it at your company