Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
We are rapidly approaching the next era of security where we need to be focused on the ability to recover from irrecoverable attacks. This can also be defined as resiliency. The traditional view of resiliency attempts to quickly restore assets that support services that we care about. This new approach/paradigm looks at resilience in ways that promote design patterns (distributed, immutable, ephemeral) where we do not care about a given asset at all while still keeping the overall service functioning. This new approach allows us to avoid having to deal with security at all.
The Cyber Defense Matrix helps people organize and understand gaps in their overall security program. These slides describe several additional use cases of the Cyber Defense Matrix, including how to map the latest startup vendors and security trends, anticipate gaps, develop program roadmaps, capture metrics, reconcile inventories, improve situational awareness, and create a board-level view of their entire program.
See the 2016 version at: http://bit.ly/cyberdefensematrix
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded
Who should attend? Anyone that works in security and wants to leverage their machine data to detect internal and advanced threats, monitor activities in real time, and improve their organization's security posture.
Description: Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Cyber Security Awareness Session for Executives and Non-IT professionalsKrishna Srikanth Manda
Cyber Security Awareness Session conducted by Lightracers Consulting, for Management and non-IT employees. In this learning presentation, we will look at - What is Cyber Crime, Types of Cyber crime, What is Cyber Security, Types of Threats, Social Engineering techniques, Identifying legitimate and secure websites, Protection measures, Cyber Law in India followed by a small quiz.
New Paradigms for the Next Era of SecuritySounil Yu
As we enter the 2020s, we will see the attacks culminate to where machines, infrastructure, and data become irrecoverable. In these scenarios, our old security paradigm of confidentiality, integrity, and availability no longer apply. Instead, we need a new paradigm of distributed, immutable, and ephemeral design patterns for the next era.
This is an update to the Cyber Defense Matrix briefing given at the 2019 RSA Conference. Cybersecurity practitioners can use this to organize vendors, find gaps in security portfolios, understand how to organize security measurements, prioritize investments, minimize business impact, visualize attack surfaces, align other existing frameworks, and gain a fuller understanding of the entire space of cybersecurity.
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
We are rapidly approaching the next era of security where we need to be focused on the ability to recover from irrecoverable attacks. This can also be defined as resiliency. The traditional view of resiliency attempts to quickly restore assets that support services that we care about. This new approach/paradigm looks at resilience in ways that promote design patterns (distributed, immutable, ephemeral) where we do not care about a given asset at all while still keeping the overall service functioning. This new approach allows us to avoid having to deal with security at all.
The Cyber Defense Matrix helps people organize and understand gaps in their overall security program. These slides describe several additional use cases of the Cyber Defense Matrix, including how to map the latest startup vendors and security trends, anticipate gaps, develop program roadmaps, capture metrics, reconcile inventories, improve situational awareness, and create a board-level view of their entire program.
See the 2016 version at: http://bit.ly/cyberdefensematrix
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded
Who should attend? Anyone that works in security and wants to leverage their machine data to detect internal and advanced threats, monitor activities in real time, and improve their organization's security posture.
Description: Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Cyber Security Awareness Session for Executives and Non-IT professionalsKrishna Srikanth Manda
Cyber Security Awareness Session conducted by Lightracers Consulting, for Management and non-IT employees. In this learning presentation, we will look at - What is Cyber Crime, Types of Cyber crime, What is Cyber Security, Types of Threats, Social Engineering techniques, Identifying legitimate and secure websites, Protection measures, Cyber Law in India followed by a small quiz.
New Paradigms for the Next Era of SecuritySounil Yu
As we enter the 2020s, we will see the attacks culminate to where machines, infrastructure, and data become irrecoverable. In these scenarios, our old security paradigm of confidentiality, integrity, and availability no longer apply. Instead, we need a new paradigm of distributed, immutable, and ephemeral design patterns for the next era.
This is an update to the Cyber Defense Matrix briefing given at the 2019 RSA Conference. Cybersecurity practitioners can use this to organize vendors, find gaps in security portfolios, understand how to organize security measurements, prioritize investments, minimize business impact, visualize attack surfaces, align other existing frameworks, and gain a fuller understanding of the entire space of cybersecurity.
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
You own a SIEM, but to be secure, you need a Security Operations Center! How do you cross the chasm? Do you hire staff or outsource? And what skills are needed? Mike Ostrowski, a cybersecurity industry veteran, will review common pitfalls experienced through the journey from SIEM to SOC, the pros and cons of an all in-house SOC vs. outsourcing, and the benefits of a hybrid SOC model.
Learning Objectives:
1: You own a SIEM, but to be secure, you need a SOC. How do you cross the chasm?
2: What are the pros and cons of in-house, fully managed and hybrid security?
3: What considerations go into deciding whether to employ a hybrid strategy?
(Source: RSA Conference USA 2018)
The primary goal of the checklist is to make it useful and as a trusted guide for IT Auditors,Security Consultant in Network Architecture Review assignments.The checklist is drawn from numerous resources referred and my experience in network architecture reviews.Though the essentially doesn't essentially cover all elements of a network architecture review,I have tried to bring in aspects of the security element in a network architecture
SOC Architecture - Building the NextGen SOCPriyanka Aash
Why are APTs difficult to detect
Revisit the cyber kill chain
Process orient detection
NextGen SOC Process
Building your threat mind map
Implement and measure your SOC
Talking about Next-Gen Security Operation Center for IDNIC+APJII as representative from IDSECCONF. People-Centric SOC requires lot of investment on human in terms of quantity and quality, unfortunately, (good) IT security people are getting rare these days. Organisation need to put their investments more on technology, as in Industry 4.0, machines are getting more advanced to support Human on doing continuous and repetitive task.
Moving from “traditional” to next-gen SOC require proper plan, thats what this talk was about.
The Incident Response Playbook for Android and iOSPriyanka Aash
What is your mobile device incident response plan? If you cannot answer that question, you should attend this session. The session will cover the challenges in mobile, how and why it is different from traditional incident response, and the building blocks you can use to craft your own mobile incident response plan.
(Source: RSA USA 2016-San Francisco)
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
The Cyber Defense Matrix enables organizations to define clear categories for the range of products and services that are available in the marketplace to solve our various infosec problems. This model removes confusion around the security technologies that we buy and helps organizations align their vendors to have the right suite of capabilities to execute their information security mission.
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded
See the 2022 version at: http://bit.ly/cyberdefensematrixrevolutions
Information Security Awareness, Petronas Marketing SudanAhmed Musaad
A two hours security awareness session that I presented for Petronas Marketing Sudan employees. The session includes -- but not limited to -- many topics like Passwords, Email Security, Social Networks Security, Physical Security, and Laptop Security.
You can use this as an introductory session for your security awareness training, but not as a sufficient one time session at all.
Your comments, feedback, and suggestions are much appreciated.
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
You own a SIEM, but to be secure, you need a Security Operations Center! How do you cross the chasm? Do you hire staff or outsource? And what skills are needed? Mike Ostrowski, a cybersecurity industry veteran, will review common pitfalls experienced through the journey from SIEM to SOC, the pros and cons of an all in-house SOC vs. outsourcing, and the benefits of a hybrid SOC model.
Learning Objectives:
1: You own a SIEM, but to be secure, you need a SOC. How do you cross the chasm?
2: What are the pros and cons of in-house, fully managed and hybrid security?
3: What considerations go into deciding whether to employ a hybrid strategy?
(Source: RSA Conference USA 2018)
The primary goal of the checklist is to make it useful and as a trusted guide for IT Auditors,Security Consultant in Network Architecture Review assignments.The checklist is drawn from numerous resources referred and my experience in network architecture reviews.Though the essentially doesn't essentially cover all elements of a network architecture review,I have tried to bring in aspects of the security element in a network architecture
SOC Architecture - Building the NextGen SOCPriyanka Aash
Why are APTs difficult to detect
Revisit the cyber kill chain
Process orient detection
NextGen SOC Process
Building your threat mind map
Implement and measure your SOC
Talking about Next-Gen Security Operation Center for IDNIC+APJII as representative from IDSECCONF. People-Centric SOC requires lot of investment on human in terms of quantity and quality, unfortunately, (good) IT security people are getting rare these days. Organisation need to put their investments more on technology, as in Industry 4.0, machines are getting more advanced to support Human on doing continuous and repetitive task.
Moving from “traditional” to next-gen SOC require proper plan, thats what this talk was about.
The Incident Response Playbook for Android and iOSPriyanka Aash
What is your mobile device incident response plan? If you cannot answer that question, you should attend this session. The session will cover the challenges in mobile, how and why it is different from traditional incident response, and the building blocks you can use to craft your own mobile incident response plan.
(Source: RSA USA 2016-San Francisco)
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
The Cyber Defense Matrix enables organizations to define clear categories for the range of products and services that are available in the marketplace to solve our various infosec problems. This model removes confusion around the security technologies that we buy and helps organizations align their vendors to have the right suite of capabilities to execute their information security mission.
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded
See the 2022 version at: http://bit.ly/cyberdefensematrixrevolutions
Information Security Awareness, Petronas Marketing SudanAhmed Musaad
A two hours security awareness session that I presented for Petronas Marketing Sudan employees. The session includes -- but not limited to -- many topics like Passwords, Email Security, Social Networks Security, Physical Security, and Laptop Security.
You can use this as an introductory session for your security awareness training, but not as a sufficient one time session at all.
Your comments, feedback, and suggestions are much appreciated.
Sherlock Homepage - A detective story about running large web services - WebN...Maarten Balliauw
The site was slow. CPU and memory usage everywhere! Some dead objects in the corner. Something terrible must have happened! We have some IIS logs. Some traces from a witness. But not enough to find out what was wrong. In this session, we’ll see how effective telemetry, a profiler or two as well as a refresher of how IIS runs our ASP.NET web applications can help solve this server murder mystery.
Workshop: Big Data Visualization for SecurityRaffael Marty
Big Data is the latest hype in the security industry. We will have a closer look at what big data is comprised of: Hadoop, Spark, ElasticSearch, Hive, MongoDB, etc. We will learn how to best manage security data in a small Hadoop cluster for different types of use-cases. Doing so, we will encounter a number of big-data open source tools, such as LogStash and Moloch that help with managing log files and packet captures.
As a second topic we will look at visualization and how we can leverage visualization to learn more about our data. In the hands-on part, we will use some of the big data tools, as well as a number of visualization tools to actively investigate a sample data set.
Monitoring as an entry point for collaborationJulien Pivotto
In the last years, we have been building complex stacks, made from lots of components. All of this backed by multiple teams. This talk will present how you can use monitoring to look at the business side and have everyone looking at the same dashboards, making cooperation a reality.
How we evolved data pipeline at Celtra and what we learned along the wayGrega Kespret
Presented at Data Science Meetup on 4/12/2018.
In this talk, Grega Kespret (head of analytics group) will present Celtra’s data analytics pipeline and how it evolved through the years - sometimes forward, sometimes backward. On this journey, we became early adopter of different technologies: BigQuery, Vertica (pre-join projections), Spark (version 0.5), Databricks (beta users) and Snowflake (one of the first users). As the business grew and the product evolved, volume and complexity of data increased ten-fold, as has the number of users generating insights from this data. How come BigQuery did not scale? Why was choosing Vertica a mistake for our use case, and what have we learned from it? What requirements did we have for the analytics database, why did we have to abandon MySQL, and why we finally chose Snowflake? This talk will be heavily opinionated and will describe our experience and learnings - what worked for us and what didn't.
DEVNET-1140 InterCloud Mapreduce and Spark Workload Migration and Sharing: Fi...Cisco DevNet
Data gravity is a reality when dealing with massive amounts and globally distributed systems. Processing this data requires distributed analytics processing across InterCloud. In this presentation we will share our real world experience with storing, routing, and processing big data workloads on Cisco Cloud Services and Amazon Web Services clouds.
Stay clear of the bugs: Troubleshooting Applications in Microsoft AzureHARMAN Services
Slides from our #GoCloudWebinar series. In this presentation, you will learn how to incorporate the necessary diagnostic tools into your application so you can monitor and take action on your Azure applications. Michael Collier, Principal Cloud Architect at Aditi and our guest speaker, Mike Wood, Technical Evangelist at Cerebrata give you insights on how to best troubleshoot your Microsoft Azure applications.
The Enterprise Guide to Building a Data Mesh - Introducing SpecMeshIanFurlong4
For organisations to successfully adopt data mesh, setting up and maintaining infrastructure needs to be easy.
We believe the best way to achieve this is to leverage the learnings from building a ‘central nervous system‘, commonly used in modern data-streaming ecosystems. This approach formalises and automates of the manual parts of building a data mesh.
This presentation introduces SpecMesh; a methodology and supporting developer toolkit to enable business to build the foundations of their data mesh.
Sherlock Homepage - A detective story about running large web services (VISUG...Maarten Balliauw
The site was slow. CPU and memory usage everywhere! Some dead objects in the corner. Something terrible must have happened! We have some IIS logs. Some traces from a witness. But not enough to find out what was wrong. In this session, we’ll see how effective telemetry, a profiler or two as well as a refresher of how IIS runs our ASP.NET web applications can help solve this server murder mystery.
The site was slow. CPU and memory usage everywhere! Some dead objects in the corner. Something terrible must have happened! We have some IIS logs. Some traces from a witness. But not enough to find out what was wrong. In this session, we’ll see how effective telemetry, a profiler or two as well as a refresher of how IIS runs our ASP.NET web applications can help solve this server murder mystery.
We've known for years that data-driven content was a 'thing' when we'd produce simple infographics that shared a few statistics and they'd get easy traction for us online. The game has lifted and consumers are becoming more and more obsessed with data and are now demanding higher quality and more complex data-driven content. The challenge for us now as "T-Shaped" marketers is that there are increasing demands for us to learn new skills to produce this content but we don't have the time to do this amongst the other things we need to be expert at.
This presentation is going to give you specific help on how to produce data-driven content without any programming skill. After watching this presentation you'll have the confidence to build your own data-driven content with the knowledge of:
- blueprints for data-driven content ideas
- scraping tools, frameworks and methodologies
- how to brief in a data scraping project to your in-house team or a freelancer
- how to turn your data into visually appealing content
- channels for promoting data-driven content to ensure it gets traction
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Welocme to ViralQR, your best QR code generator.ViralQR
Welcome to ViralQR, your best QR code generator available on the market!
At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies.
Our Vision
We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide.
Our Achievements
Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes.
Our Services
At ViralQR, here is a comprehensive suite of services that caters to your very needs:
Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses.
Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding.
Pricing and Packages
Additionally, there is a 14-day free offer to ViralQR, which is an exceptional opportunity for new users to take a feel of this platform. One can easily subscribe from there and experience the full dynamic of using QR codes. The subscription plans are not only meant for business; they are priced very flexibly so that literally every business could afford to benefit from our service.
Why choose us?
ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations.
Comprehensive Analytics
Subscribers of ViralQR receive detailed analytics and tracking tools in light of having a view of the core values of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country.
So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
How I Learned to Stop Information Sharing and Love the DIKW
1. How I Learned to Stop Information
Sharing and Love the DIKW*Withapologies toStanley Kubrick
SOUNIL YU
2. Alignment of Two Pyramids
What are we sharing now? What should we be sharing instead?
@sounilyu 2June 2016
Wisdom
Knowledge
Data
Information
Joining of
wholes
Formation of
a whole
Connection
of parts
Gathering
of parts
Explanation
Why
Instruction
How To
Descriptive
What
Raw sensor
information
Future
Past
Novelty
Experience
DIKW Pyramid
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
David Bianco’s
Pyramid of Pain
(with color modifications)
TTPs
Network/Host
Artifacts
Hash Values
IP Addresses
Tools
Domain Names
3. Decoupled Security Stack
@sounilyu 3June 2016
Actions
Decisions
Analytics
Sensors
Sensing:
raw telemetry, netflow,
logs, external threat intel
Sense making:
correlation, machine
learning, heuristics
Decision making:
orchestration, courses of
action, recipes for action
Acting:
actuators, block, stop,
start, delete, quarantine
What we share
DIKW Pyramid
Wisdom
Knowledge
Data
Information
Joining of
wholes
Formation of
a whole
Connection
of parts
Gathering
of parts
Explanation
Why
Instruction
How To
Descriptive
What
Raw sensor
information
Future
Past
Novelty
Experience
4. Dangers of Sharing the Wrong Things and Automagically
Applying Them Incorrectly
@sounilyu 4June 2016
Originating
Organization
Receiving
Organization
Actions
Decisions
Analytics
Sensors
Actions
Decisions
Analytics
Sensors
Not
shared
Not
shared
Dangerous
CURRENT STATE
What we share
5. Dangers of Sharing the Wrong Things and Automagically
Applying Them Incorrectly
@sounilyu 5June 2016
Originating
Organization
Receiving
Organization
Actions
Decisions
Analytics
Sensors
Actions
Decisions
Analytics
Sensors
Optimal
Shared/Collective
Sensor Grid (e.g.,
Passive DNS)
FUTURE STATE
Originating
Organization
Receiving
Organization
Actions
Decisions
Analytics
Sensors
Actions
Decisions
Analytics
Sensors
Not
shared
Not
shared
Dangerous
CURRENT STATE
What we share
6. Analytics Sharing Example:
The ThreatHunting Project (www.threathunting.net,also byDavid Bianco)
@sounilyu 6June 2016
How we share
Procedures Indexed by Goal
0-day Exploits
• EMET Log Mining
Attacker tools in use
• Suspicious Process Creation
• Windows Service Analysis
• Psexec Windows Events
BIOS/Firmware tampering
• RAM Dumping
Command and Control (C2)
• C2 via Dynamic DNS
• Finding the Unknown with HTTP URIs
Compromise of Internet-Facing Service
• Internet-Facing HTTP Request Analysis
• Checking How Outsiders See You
• RDP External Access
• Finding Known-Bad in Antivirus Logs
• Finding Webshells
• Webshell Behavior
• . . .
Finding Web Shells
Purpose
• Identify web shells (stand-alone|injected)
Data Required
• Web server logs (apache, IIS, etc.)
Collection Considerations
• Collect from all webservers, and ensure that parameters are
collected.
• POST data should be collected.
• For apache consider using mod_security or mod_dumpio
• For IIS use Failed Request Tracing / Custom Logging
Analysis Techniques:
• Stack counting
• String matching
Description
• Stack by page hits -- pages with few hits are a typical sign
• Add more fidelity by combining views from below (none if the
above is giving higher fidelity, one, two or all):
• No referer from client
• Stack by unique visits per IP -- most only visit the webshell
(no other page hits, no js, no images, etc.)
• this isn't true of injected webshells (where they are
injected into an existing page)
• Stack by UA uniqueness. This is not always rock solid, but
good, because many webshells have client software that
sets the UA and many don't change the default
• Look for parameters passed to image files (e.g., /bad.png?zz=ls)
• More specific to inject webshells that inject into an existing page:
• Stack by parameter counts per page -- webshells that create
new params on an existing page
• Again, you can look if referer is missing, UA uniqueness
. . .
Procedures Indexed by Data
Anti-Virus Logs
• Finding Known-Bad in Antivirus Logs
Bro NSM Logs
• RDP External Access
• C2 via Dynamic DNS
• Finding the Unknown with HTTP URIs
DNS Query Logs
• C2 via Dynamic DNS
Host Dumps (RAM, Registry, Process, etc)
• NTFS Extended Attribute Analysis
• Search for Rogue Listeners
• Autoruns Analysis
• Windows Driver Analysis
• Windows Prefetch Cache Analysis
• Windows Service Analysis
HTTP Proxy Logs
• Beacon Detection
• User Agent Analysis
• . . .
7. Analytics Sharing Example:
Cyber Analytic Repository (MITRE)
@sounilyu 7June 2016
CAR-2014-07-001: Search Path Interception
Hypothesis:
As described in ATT&CK, one method of escalation
is intercepting the search path for services, so that
legitimate services point to the binary inserted at
an intercepted location. This can be done where
there are spaces in the path and it is unquoted.
Instantiation:
Eventtype=process_start parent_image_path="*system32services.exe" command_line!="
"*" command_line="* *"
| rex field=image_path ".(?<img_exe>.*)
| rex field=img_exe "(?<img_base>.*)..*"
| where NOT like(lower(command_line ), lower("%"+img_exe+"%")) AND
like(lower(command_line),lower("%"+img_base+"%"))
| table _time hostname ppid pid parent_image_path image_path command_line img_exe
ATT&CK Framework
How we share
8. A community for sharing sense-making
@sounilyu 8June 2016
Organization A
I can find intrusions
by looking for search
path interception in
XYZ way
Eventtype=process_start
parent_image_path="*system32ser
vices.exe" command_line!=""*"
command_line="**"| rex
field=image_path".(?<img_exe>.*)|
rex field=img_exe
"(?<img_base>.*)..*"
Organization A
Cyber Analytic
Repository
Existing
Sharing
Communities
5444ff573794d853d24fbce00548227b
module.832.13cc55060.9a0000.dll
hxxp://speedtest[.]netcologne[.]de/test_100mb.bin
Byproducts
and Indicators
Shared Cyber
Analytic Repository
A. Analytic Method
Eventtype=process_start
parent_image_path="*system32services.exe" command_line!="
"*" command_line="* *"| rex field=image_path ".(?<img_exe>.*)|
rex field=img_exe "(?<img_base>.*)..*"
B. Efficacy of Analytic Method
Regression Test Results: 1 TP, 0 FPs over 50K transactions over 1 month
C. Cost/Toxicity of Analytic Method
Low cost query completing in 25 msec
D. Context of True Positives
True Positives found in Human Resource systems
E. Resilient Security Design Patterns
Containment and malware detonation solutions in use
Organization B
Eventtype=process_start
parent_image_path="*system32ser
vices.exe" command_line!="
"*" command_line="**"| rex
field=image_path".(?<img_exe>.*)|
rex field=img_exe
"(?<img_base>.*)..*"
Organization B
Cyber Analytic
Repository
Byproducts
and Indicators
436b772438826e2410ef2a45015bc936
costura.aforge.video.dll
hxxp://speedtest[.]reliableservers[.]com/100MBtest.bin
①
②
③ ④
⑤
⑥
⑦
⑧
⑨
STEPS
1. Someone discovers a new
method for finding badness
2. The new method for discovering
that badness is captured as a
machine consumable query
3. The byproducts of that method
are discovered as indicators
4. Indicators are shared through
existing sharing channels
5. The analytic method is stored in
the local Cyber Analytic
Repository
6. The new method is offered to
community. Included with that
new method are four other
pieces of information:
b. Regression tests showing
efficacy of this new method in
terms of true positives and
false positives against
historical data
c. The cost or toxicity of running
the new method
d. The functional context of the
systems where the new
method is effective
e. The security design for the
relevant systems
7. Members consume new method
8. Based on risk tolerance for
efficacy and toxicity, members
run new method to discover their
own indicators, which may also
be shared through existing
channels
9. Results and improved methods
are shared back to community
A. Improved Analytic Method
Eventtype=process_start parent_image_path="*system32services.exe"
command_line!=" "*" command_line="* *"| rex field=image_path
".(?<img_exe>.*)| rex field=img_exe "(?<img_base>.*)..*" | where NOT
like(lower(command_line ), lower("%"+img_exe+"%")) AND
lower("%"+img_base+"%"))
B. Efficacy of Analytic Method
Regression Test Results: 1 TP, 1 FPs over 100K transactions over 2 weeks
C. Cost/Toxicity of Analytic Method
Medium cost query completing in 34 sec
D. Context of True Positives
True Positives found in Human Resource systems
E. Resilient Security Design Patterns
Antivirus and IDS/IPS in use
Putting It All Together