The document discusses using Splunk to monitor network activity and detect potential security threats. It proposes using Splunk to profile VPN usage and detect abnormal remote access patterns that could indicate security compromises. It also proposes using Splunk to monitor network "jumping" where devices switch between the corporate network and guest network, to detect attempts to bypass security controls or access external websites hosting malware. The approach involves analyzing trends in network activity over time and drilling down on individual users as needed to investigate anomalous behaviors in more depth.
The Critical Security Controls and the StealthWatch System - Lancope, Inc.
As today's cyber-attackers become more sophisticated and nefarious, organizations must adopt the right mix of conventional and next-generation security tools to effectively defend their infrastructure from advanced threats. The Critical Security Controls effort is a growing movement that has been helping government agencies and large enterprises prioritize their cyber security spending accordingly.
By leveraging NetFlow and other types of flow data, Lancope's StealthWatch System delivers continuous network visibility to fulfill a number of the highest priority controls, enhancing timely detection of targeted threats and improving incident response.
Learn the latest about the Critical Security Controls and hear how the StealthWatch System fits in.
NetStandard CTO John Leek presents 20 Critical Security Controls for the Cloud at Interface Kansas City. This presentation is based on controls set forth by the SANS Institute. Learn more at http://www.netstandard.com.
Building a Next-Generation Security Operations Center (SOC) - Sqrrl
So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations.
Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration - Priyanka Aash
This session will present a real case study of methodology and advanced cybersecurity tools used along with important tips and lessons learned on implementing an ISOC project at the second largest city of the nation. Topics include the critical success factors, advanced tools and technologies for ISOC, Situational Awareness, Threat Intelligence Sharing and cybersecurity collaboration.
(Source: RSA USA 2016-San Francisco)
7 Steps to Build a SOC with Limited Resources - LogRhythm
Most organizations don't have the resources to staff a 24x7 security operations center (SOC). This results in events that aren't monitored around the clock, major delays in detecting and responding to incidents, and the inability for the team to proactively hunt for threats. It's a dangerous situation.
But there is a solution. By using the Threat Lifecycle Management framework to combine people, process, and technology to automate manual tasks, your team can rapidly detect and respond to threats, without adding resources. Read on to learn 7 steps to building your SOC, even when your resources are limited.
Security operations center 5 security controls - AlienVault
An effective Security Operation Center provides the information necessary for organizations to efficiently detect threats and subsequently contain them. While eliminating the threats we face is an impossible goal, reducing the time it takes to respond and contain them is certainly achievable. Learn 5 security controls for an effective security operations center.
Security Operations Center (SOC) Essentials for the SME - AlienVault
Closing the gaps in security controls, systems, people and processes is not an easy feat, particularly for IT practitioners in smaller organizations with limited budgets and few (if any) dedicated security staff. So, what are the essential security capabilities needed to establish a security operations center and start closing those gaps?
Join Javvad Malik of 451 Research and Patrick Bedwell, VP of Product Marketing at AlienVault for this session covering:
- Developments in the threat landscape driving a shift from preventative to detective controls
- Essential security controls needed to defend against modern threats
- Fundamentals for evaluating a security approach that will work for you, not against you
- How a unified approach to security visibility can help you get from install to insight more quickly
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise... - Kaspersky
A key business goal of any organization is to maintain the constant availability of data and systems that can be trusted for decision-making purposes. The evolving threat landscape has resulted in increasing focus, right to board level, on cybersecurity. IT operational and security teams should demonstrate a comprehensive, cohesive approach in their response to security incidents and data breaches.
Alien vault sans cyber threat intelligence - AlienVault
Over the last several years, we have seen that attackers are innovating much faster than defenders are. This trend is steering many companies to look towards cyber threat intelligence (CTI) to help them navigate today's threatening landscape. SANS conducted a survey this year to explore who is using cyber threat intelligence and how they are using it. The survey collected responses from 326 IT professionals working in a variety of industries, in all sizes and from many different regions. 69% of the respondents reported implementing CTI to some extent, with only 16% planning not to pursue CTI in their environments. Which side of this percentage do you fall into? The infographic below provides some of the key questions to ask when getting started with threat intelligence, along with data from the SANS survey to show you how others are using threat intelligence.
What We've Learned Building a Cyber Security Operation Center: du Case Study - Priyanka Aash
The cybersecurity landscape is rapidly evolving, with new threats and threat actors emerging, and traditional security operations centers (SOCs) need to be augmented accordingly. This session will detail the journey of du in building and continually enhancing its SOC, physically and philosophically, to best deal with attack detection (offensively and defensively) and response.
(Source: RSA Conference USA 2017)
From SIEM to SOC: Crossing the Cybersecurity Chasm - Priyanka Aash
You own a SIEM, but to be secure, you need a Security Operations Center! How do you cross the chasm? Do you hire staff or outsource? And what skills are needed? Mike Ostrowski, a cybersecurity industry veteran, will review common pitfalls experienced through the journey from SIEM to SOC, the pros and cons of an all in-house SOC vs. outsourcing, and the benefits of a hybrid SOC model.
Learning Objectives:
1: You own a SIEM, but to be secure, you need a SOC. How do you cross the chasm?
2: What are the pros and cons of in-house, fully managed and hybrid security?
3: What considerations go into deciding whether to employ a hybrid strategy?
(Source: RSA Conference USA 2018)
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th... - Lancope, Inc.
Learn about the key mistakes organizations are making when it comes to incident response, presented by the chairman and founder of the Ponemon Institute, Dr. Larry Ponemon, and Lancope's director of security research, Tom Cross. Then learn about how the right mix of people, processes and technology can dramatically improve your incident response efforts and elevate the importance of the CSIRT within your organization.
AlienVault Threat Alerts are a simple yet powerful tool that comes built-in with Spiceworks. When a device on your network has been interacting with a known malicious host or suspicious IP, you'll immediately get an alert in your feed and you'll get an alert email.
SOC 3.0: strategic threat intelligence May 2016 - Sarah Bark
A next generation SOC service which is capable of analysing metadata from dynamic data sources (social media, the dark web, etc.) in real-time, when combined with business-centric data, enables the organisation to forecast threats, steer future security spend and direct business decisions. SOC 3.0 services are now becoming available that put next generation threat intelligence within the reach of the SME. Jamal Elmellas, Technical Director, Auriga, outlines how threat intelligence via an outsourced SOC can be used by the enterprise to anticipate and mitigate cyber attacks.
Black Hat 2014: Don't be a Target: Everything You Know About Vulnerability Pr... - Skybox Security
Presented at Black Hat 2014.
Heartbleed. Target. Adobe ... businesses are under siege by cybercriminals looking for financial gain and political actors looking for trade secrets. It's a wildly uneven match where a motivated attacker can find exploitable attack vectors in minutes and maintain unabated access for months, while the security team continues to rely on time-honored methodology to fix vulnerabilities in order of severity.
But severity-based vulnerability management misses the mark completely, as it overlooks the fact that risk exposure is the real concern. This workshop will focus on identifying critical vulnerabilities so they can be fixed as quickly as possible, ensuring a reduction in risk and shrinking the attack surface over time.
In this deep dive session on vulnerability analysis and prioritization, we'll cover:
- Calculating risk exposure: Risk = Impact * Likelihood * Time
- The data you need to be collecting about assets and vulnerabilities
- Prioritizing vulnerabilities using simple 2 factor relationships
- Asset-to-vulnerability correlation to augment the accuracy and freshness of active scan data
- Techniques to drive down the risk exposure time
Measuring method complexity of the case management modeling and notation (CMMN) - Mike Marin
Compares modeling notation between CMMN, BPMN, EPC, and UML Activity Diagrams using the meta-model based method complexity approach introduced by Rossi and Brinkkemper
NYC Workshop: Improving the Business Value of your Service Management Program - Navvia
David Mainville, CEO of Navvia, led this interactive workshop and discussed:
- What's wrong with today's Service Management programs?
- Positioning and selling the value of your Service Management program in Business Terms
- Identifying opportunities for improvement by soliciting feedback directly from your users
- Getting everyone on the same page by designing, documenting and communicating what needs to be done
- Continually improving your value to the Business
For more great content please visit: http://navvia.com/resources/
Kill Chain Model for Use Cases Assist in Incident Response
1- Situational Awareness
Outbound Protocols
Outbound protocols by size
Top destination Countries
Top destination Countries by size
2- Reconnaissance
Port scan activity
ICMP query
3- Weaponization and Delivery
Injection
Cross Site Scripting
Cross Site Request Forgery
Failure to Restrict URL
Downloaded binaries
Top email subjects
Domains mismatching
Malicious or anomalous Office/Java/Adobe files
Suspicious Web pages (iframe + [pdf|html|js])
Consider a logical cross reference or grouping for Cybersecurity Framework subcategories. This could make an assessment easier and more meaningful.
The Cybersecurity Framework identifies categories and subcategories of practice, processes, and activities to be used in a cyber security assessment. But, categories often house unrelated subcategories and subcategories are dependent on other subcategories across various categories.
An overview of how to structure a threat based assessment of risk that is relevant to the business and which clearly ties risk mitigation to the threats being mitigated in a way that business leaders can easily understand.
An immersive workshop at General Assembly, SF. I typically teach this workshop at General Assembly, San Francisco. To see a list of my upcoming classes, visit https://generalassemb.ly/instructors/seth-familian/4813
I also teach this workshop as a private lunch-and-learn or half-day immersive session for corporate clients. To learn more about pricing and availability, please contact me at http://familian1.com
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, and early detection and prevention of events. See a live demonstration that will showcase how to operationalize those resources so that your organization can reap the maximum benefit.
Splunk EMEA Webinar: Scoping infections and disrupting breaches - Splunk
To successfully prevent infections from becoming a data breach, security analysts need the ability to continuously collect, analyse, correlate and investigate a diverse set of data.
Join this webinar to hear Matthias Maier, Splunk Security Product Marketing Manager and Filip Wijnholds, Splunk Senior Systems Engineer, discuss the specific data sources and capabilities required to determine the scope of an infection before it turns into a breach.
During this session, you'll learn:
- The capabilities required to distinguish an infection from a breach
- The specific analysis steps to understand the scope of an attack
- The data sources required to gain deep and broad visibility
- What to look for from network and endpoint data sources
We also demonstrate a live incident investigation using this approach; you can view the recording here:
https://splunkevents.webex.com/splunkevents/lsr.php?RCID=cab764b0457c615aa5f02ddfd351fe9f
Endpoints are everywhere, and endpoint security is evolving. Endpoints also remain the most attractive target for hackers as a point of entry for attacks because they're connected to the weakest link in enterprise data protection: humans.
View the SlideShare to learn:
--Why evolving threats require increased endpoint defense capabilities.
--What organizations can do to protect against known and unknown threats, while reducing manual processes for administrators.
--The primary capabilities of endpoint detection and response (EDR) tools, and how you can find the right fit for your business.
--Where your organization sits on the endpoint security maturity scale.
--Keys to maturing your endpoint security strategy.
A new generation of products and services is helping organizations keep pace with modern threats and advance beyond traditional, prevention-oriented endpoint protection to a more comprehensive, and realistic, focus on detection and incident response.
Complicate, detect, respond: stopping cyber attacks with identity analytics - CA Technologies
Corporate boards and audit committees are taking a greater interest in cybersecurity and plans to mitigate related risks. Headline-grabbing data breaches are prevalent. Shareholders and oversight bodies are concerned about the potential impact to their organizations' financial well-being and reputation.
Today, cyber adversaries are well-organized and well-funded, and they are more able to enter commercial and governmental organizations than ever before. No company has the capability and capacity to prevent all attacks. The only way to operate securely is to assume a breach has occurred, is occurring and will occur. This requires a "complicate, detect and respond" mindset when developing and automating controls.
For more information, please visit http://cainc.to/Nv2VOe
Penetration testing is interesting and difficult work.
The main result of this work is the report. It can be used for customer presentation, vulnerability mitigation and audit compliance. The report is the final proof of completed work and a good overall score of security status.
In this presentation we will look at the cause and effect of the problem, analyze preparedness and learn how you can better prepare, detect, respond and recover from cyber-attacks.
Neuro-symbolic is not enough, we need neuro-*semantic* - Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as "predictable inference".
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
JMeter webinar - integration with InfluxDB and Grafana - RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Search and Society: Reimagining Information Access for Radical Futures - Bhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Dev Dives: Train smarter, not harder - active learning and UiPath LLMs for do... - UiPathCommunity
Speed, accuracy, and scaling: discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining(TM):
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing, with little to no training required
Get an exclusive demo of the new family of UiPath LLMs: GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
Andras Palfi, Senior Product Manager, UiPath
Lenka Dulovicova, Product Program Manager, UiPath
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties - USA
Expansion of bot farms - how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks - Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
- The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
- Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
- Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
- Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Â
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But thereâs more:
In a second workflow supporting the same use case, youâll see:
Your campaign sent to target colleagues for approval
If the âApproveâ button is clicked, a Jira/Zendesk ticket is created for the marketing design team
Butâif the âRejectâ button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Â
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
Â
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
1. Copyright © 2014 Splunk Inc.
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Andrew Gerber, Managing Information Security Consultant, Wipro
2. Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
3. About
Andrew Gerber is a managing information security consultant at Wipro. Over the last ten
years he has focused on security information and event management (SIEM), security
analytics, and security operations center (SOC) design. Andrew additionally has experience
evaluating information security program maturity and building effective managed security
service offerings. Andrew has worked with clients in North America, Europe, and Asia,
including several Fortune 100 and Fortune Global 100 industry leaders in financial services,
healthcare, manufacturing, retail, and law enforcement. Andrew holds a B.S. in computer
science and an M.B.A. from Purdue University.
Wipro Ltd. (NYSE:WIT) is a global information technology, consulting, and outsourcing company
with over 145,000 employees across 6 continents and over 175 cities. Wipro posted revenues
of $7.3 billion for the financial year ended March 31, 2014. Wipro helps customers do business
better by leveraging our industry-wide experience, deep technology expertise, comprehensive
portfolio of services, and vertically aligned business model. Wipro is proud of its strategic
partnership with Splunk and the value Wipro delivers using Splunk as a platform across
industries and applications, with a focus in enterprise information security managed services.
4. Agenda
New approach to Enterprise Security
– Situational Awareness
– Kill Chain
Techniques using this new approach
– Looking for threat behavior – Profiling VPN access
– Looking for an attacker trying to get out of the environment as well as identifying potential delivery vectors – Profiling Network Jumpers
– A framework for developing additional techniques
Recommendations and best practices for further development and implementation of this approach
5. The Enterprise Security Landscape
Attacks and breaches are on the rise; threat actors are motivated by previous attacks' successes
Attackers still have a remarkably easy time getting in
– Organizations are still not implementing basic controls (e.g. geographic restrictions, segmentation, account lockouts)
A LOT CAN BE DONE WITH BASIC CONTROLS
– Organizations are still not monitoring/responding to IOCs (Indicators of Compromise); a recent breach analysis showed multiple alerts on potential malware and malicious activity completely missed
INFORMATION AND ALERTS FROM ALL SOURCES MUST BE ANALYZED
Don't focus solely on alerts for denied or failure events
– FOCUS ON PROFILING BEHAVIOR OVER TIME & ACROSS PLATFORMS TO DISTINGUISH ANOMALIES
6. Threats
Threats are increasing; attacker dwell time is still well over 200 days on average.
Move from generic malware targeting everyone to deliberate, smart attackers targeting you, with a specific objective.
With attackers identifying high-value objectives, the investment they are willing to make increases.
We can see attackers' methodology evolving over time to adapt to organizations' actions and responses.
People are being targeted more, resulting in more valid-credential-based attacks and less need for vulnerability exploits of network/security devices.
Threat actors now look more like legitimate users. You can still tell them apart, just not with legacy tools/strategies.
Figure: Breaches by Asset Category over Time (from Verizon's 2014 Data Breach Investigations Report)
7. Threats: Who Attacks and Why?
Figure: Categories of Attackers; Attacker Motivation (from IBM's 2013 Cyber Security Intelligence Index)
8. Risks: Clear and Present Danger
Brand / Revenue / Financial Data / Product Data / Customer & Patient Records / Financial Theft / Blackmail / Job Loss / Operations Disruption and Manipulation / Competitive Espionage / …
9. Situational Awareness
Changing threat environments demand enhanced security monitoring, often called "situational awareness".
Advanced targeted threats have increased the requirement for the proactive detection of potential incidents above standard due diligence levels.
Situational awareness expands on security information and event management (SIEM) processes, and requires a combination of asset and threat information and activity data, in combination with analysis and reporting capabilities.
Advanced analysis capabilities to support "human in the loop" investigation and decision making are critical requirements.
From Gartner's note "Delivering Situational Awareness" (G00214313)
Figure: Tech, Process, People
To deliver situational awareness, we need to add a process/approach/model to the people (us) and the technology (Splunk) deployed to provide enterprise security.
10. Kill Chain
Model to identify threat behavior across the lifecycle of an attack
– Move from looking at a single alert or a single aspect of the attack
– Must look at the entire spectrum of activities (all data) to determine attack/threat
Detection earlier in the kill chain = lower impact and mitigation cost
Detection later in the kill chain = greater impact; must look back in time to determine infection/impact and how to contain/mitigate
11. Beyond SIEM – True Security Analytics:
Brings together information that would be time consuming or impossible to manually analyze (goes beyond centralized logging)
Enables a deep investigation of what otherwise could only be aggregated and/or ignored
Allows dynamic correlation – visual representation makes anomalies obvious
Enables exploration of loose relationships between events, driven by "human-in-the-loop" processes, leading to a "hypothesis → test → findings" approach instead of an "event → evaluate" approach.
Accelerates analyst decision trees around behavior
Is cohesive and behaviorally driven, with a monitoring/response posture based on knowing your users, assets, and environment
12. Use cases to implement with Splunk
Use Case 1 - Detect inappropriate or malicious remote access
– VPN profiling of employees, contractors, vendors, and other insiders
– Useful to identify the following kill chain stages
  ◦ C2, Exfiltration
– Also useful to identify employee/insider Fraud, Theft, & Abuse (FTA)
Use Case 2 - Detect attempted and actual bypass of network controls
– Detect network jumping and off-network activity
– Useful to identify the following kill chain stages
  ◦ Delivery, C2, Exfiltration
– Also useful to identify employee/insider Fraud, Theft, & Abuse (FTA)
14. What & Why?
Find abnormal usage patterns in remote access
– VPN access with valid credentials has been used in major attacks, including a recent healthcare industry breach
Profile remote usage by employees, contractors, vendors, and other insiders
Look for:
– Indicators of Delivery, C2, Exfiltration, as well as employee or insider FTA
– Potentially compromised credentials
Key points to look for:
– Increase in login frequency
– Odd times/locations
– Improbable travel distance between logins or login attempts (the velocity required between consecutive geographical login locations is too high)
16. Design & Approach - Workflow
Geographic & Network VPN Trends
At-a-glance profiling of VPN login successes and failures
Geolocation and domain charting identify normal vs. abnormal access
• Top Level Domains and other domain names to find anomalies, e.g. connections from the .edu TLD or from external VPN services
User level VPN Trends
Multiple login failures by count and over time, together with successful logins, provide insight into VPN behavior.
Identify repeat VPN login failure trends by user
Easy to spot outlier and clustered events
17. Design & Approach - Workflow
Geographic Analysis with "Traveler" identification
Per-country trends & users with multiple locations in a given time period
Also identify relative distances for users from a relevant fixed location
"Traveler" mapping & improbable behavior analysis
Determine unlikely distance/time combinations between VPN logins
18. Key Events – VPN Authentication Success/Failure
The key searches look for VPN authentication success and failure, which we will expand on throughout this use case.
19. Overview – Geographic & Network VPN Trends
Successful logins plotted on a map by user:
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete"
| iplocation IP
| geostats count by Username globallimit=0

Failed logins plotted by user and business unit:
index=vpn sourcetype=ACMEvpn "Login failed"
| eval userinfo=user.":".user_bunit
| iplocation src_ip
| geostats count by userinfo globallimit=0

Top-level domain of each connecting client (reverse DNS on the source IP via the dnslookup external lookup, which returns clienthost):
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete"
| stats count by IP
| lookup dnslookup clientip as IP
| rex field=clienthost ".*(?P<toplevel>\.\w+)$"
| stats count by toplevel

Second-level plus top-level domain of each connecting client:
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete"
| stats count by IP
| lookup dnslookup clientip as IP
| rex field=clienthost ".*\.(?P<midlevel>\w+)\.(?P<toplevel>\w+)$"
| eval thedomain=midlevel.".".toplevel
| eval lendomain=len(thedomain)
| where lendomain>0
| stats count by thedomain
| sort -thedomain
| sort -count
20. Overview – User-based VPN Trends
Users with more than three rejected authentications or non-allowed VPN traffic (the rex pulls the user out of the "users= ..." text when the field is not already extracted):
index=firewall (sourcetype=ACMEvpn AND
"AAA user authentication Rejected" AND user=*) OR
(sourcetype=ACMEtraffic AND src_user=* AND to=VPN
AND action!="allowed")
| rename src_user AS fulluser
| rex "users=\s(?<fulluser>.*)"
| stats count by fulluser
| search count>3

Top users by rejected authentication / non-allowed traffic:
index=firewall (sourcetype=ACMEvpn AND
"AAA user authentication Rejected" AND user=*) OR
(sourcetype=ACMEtraffic AND src_user=* AND to=VPN
AND action!="allowed")
| rename src_user AS fulluser
| rex "users=\s(?<fulluser>.*)"
| top fulluser

Successful logins per user with a sparkline of activity over time:
index=firewall sourcetype=ACMEvpn
"Security Negotiation Complete"
| stats sparkline(count), count by Username | sort -count
21. Overview – User-based VPN Trends
Rejected authentications over time, one series per user (top 25):
index=firewall sourcetype=ACMEvpn "AAA user authentication Rejected" user=*
| rex "users=\s(?<fulluser>.*)"
| timechart count by fulluser useother=f limit=25
22. Geographic Analysis with "Traveler" identification
Users seen logging in from more than one city/region, with the distinct IPs and locations:
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete"
| iplocation IP
| eval regionlen=len(Region)
| where regionlen>0
| eval regioncity=City.",".Region
| stats sparkline(dc(IP)), dc(IP) as howmanyIP, dc(regioncity) as howmanyRegion,
values(regioncity) as Locations by Username
| sort -howmanyIP
| where howmanyRegion>1

Distance of each login location from a fixed point (HQ; the coordinates here are a placeholder). haversine is not a core SPL command; it comes from an add-on:
index=firewall sourcetype=ACMEvpn "Security Negotiation Complete"
| dedup IP
| iplocation allfields=true IP
| eval citylen=len(City)
| eval short_lon=round(lon,2)
| eval short_lat=round(lat,2)
| strcat short_lat "," short_lon as latlon
| eval HQ="37.235,-115.811"
| where citylen>0
| haversine originField=HQ latlon units=mi | table _time,Username,City,Region,distance
| sort -distance | eval distance=round(distance,0)
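The improbable-travel and "traveler" logic from slides 14, 17 and 22 can be checked outside Splunk, which is useful for tuning the velocity threshold before wiring it into a dashboard. The following is an added example written for this page, not code from the deck, from Splunk, or from Wipro. It assumes VPN login records already geolocated to rounded latitude/longitude (what the deck's iplocation plus short_lat/short_lon produce), uses constructed sample logins, and takes 600 mph as an assumed "too fast" threshold; the HQ coordinate is the placeholder from the deck's search.

```python
"""Improbable-travel check over geolocated VPN logins (added example, not the deck's SPL)."""
import math
from datetime import datetime, timezone

# Constructed sample VPN login records: (username, UTC timestamp, lat, lon, "City,Region").
# Coordinates are rounded to two decimals, as the deck's search does with short_lat/short_lon.
SAMPLE_LOGINS = [
    ("alice", "2014-09-01T08:00:00Z", 41.88, -87.63, "Chicago,IL"),
    ("alice", "2014-09-01T09:30:00Z", 41.88, -87.63, "Chicago,IL"),
    ("alice", "2014-09-01T10:00:00Z", 51.51, -0.13, "London,ENG"),        # 30 minutes after Chicago
    ("bob", "2014-09-01T07:00:00Z", 40.71, -74.01, "New York,NY"),
    ("bob", "2014-09-01T19:00:00Z", 34.05, -118.24, "Los Angeles,CA"),   # 12 hours later: plausible
    ("carol", "2014-09-01T12:00:00Z", 37.77, -122.42, "San Francisco,CA"),
]

# Fixed reference point; the deck's search hard-codes HQ="37.235,-115.811" as a placeholder.
HQ = (37.235, -115.811)
EARTH_RADIUS_MI = 3958.8


def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles (the same quantity the deck's haversine command yields)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def improbable_travel(logins, max_mph=600.0):
    """Flag consecutive logins by the same user whose implied ground speed exceeds max_mph.

    Returns tuples (user, from_city, to_city, miles, hours, mph). max_mph is an assumed
    threshold (roughly airliner speed); tune it to your own user population.
    """
    by_user = {}
    for user, ts, lat, lon, city in logins:
        by_user.setdefault(user, []).append((_parse_ts(ts), lat, lon, city))
    flags = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for (t0, la0, lo0, c0), (t1, la1, lo1, c1) in zip(events, events[1:]):
            miles = haversine_mi(la0, lo0, la1, lo1)
            if miles == 0:
                continue  # same place twice is not travel
            hours = (t1 - t0).total_seconds() / 3600.0
            mph = miles / hours if hours > 0 else math.inf  # simultaneous logins from two places
            if mph > max_mph:
                flags.append((user, c0, c1, round(miles), round(hours, 2),
                              mph if math.isinf(mph) else round(mph)))
    return flags


def travelers(logins):
    """Users seen in more than one city/region (the deck's 'where howmanyRegion>1')."""
    seen = {}
    for user, _, _, _, city in logins:
        seen.setdefault(user, set()).add(city)
    return {user: sorted(cities) for user, cities in seen.items() if len(cities) > 1}


def distance_from_hq(logins, hq=HQ):
    """Miles from the fixed reference point for each distinct login city."""
    return {city: round(haversine_mi(hq[0], hq[1], lat, lon)) for _, _, lat, lon, city in logins}


if __name__ == "__main__":
    for row in improbable_travel(SAMPLE_LOGINS):
        print("IMPROBABLE:", row)
    print("travelers:", travelers(SAMPLE_LOGINS))
    print("distance from HQ:", distance_from_hq(SAMPLE_LOGINS))
```

Only alice is flagged: Chicago to London in half an hour implies several thousand miles per hour, while bob's New York to Los Angeles over twelve hours is ordinary air travel. Both appear in the traveler list, which is why the deck treats "multiple locations" as a prompt for investigation rather than an alert on its own.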
24. Design & Extension Notes
Additional panels:
– Simultaneous logins (rarely a legitimate scenario)
– Increase in data volume over the connection (sign of exfiltration, data collection)
– Potential to add algorithms to refine results and accelerate analysis
Additional information about user access patterns
– "Out-of-Office" information - integrate with Exchange
– PTO/Absence/etc. - integrate with HR/Time management systems
26. What & Why?
Find assets & users jumping from the corporate LAN/WLAN to the Guest Network
– Detect attempts to bypass security controls
– Detect the malware vector of "benign" off-network browsing: 1 in 566 websites hosts malware (Symantec 2014 Internet Security Threat Report)
– If controls exist around Guest network usage, still implement this for attestation
Profile jumping behavior to look for patterns and anomalies
– Identify the user, IP address, MAC address
– Identify activity before and after jumping
– Filter out insider Fraud, Theft, Abuse from possible Indicators of Compromise
Key points to look for include:
– Assets and users jumping periodically – normal business users should be on the corporate network
– Network jumps which don't appear to be pre-meditated (i.e. looking for programmatic jumps)
– Volume, periodicity, destination, traffic type can all be indicators of potential Exfiltration
"40% [of companies] reported that they had been exposed to a security threat as a direct consequence of an off-network user's laptop getting compromised within the last twelve months."
From Google report, "Off-Network Workers – The Weakest Link to Corporate Web Security"
27. Design & Approach
Overview – Long/Short Term Off-Net Jumping Trends
Identify a user of interest and drill down to investigate
Behavior investigation – Longitudinal Trending
Behavior investigation – Pre-Jump Activity
Behavior investigation – Guest Network Activity
28. Design & Approach - Workflow
Long/Short Term Off-Net Jumping Trends
Visual analysis to determine what looks abnormal
At-a-glance profiling of corporate credentials used on the guest network – activity for today, 7 days, 14 days
Rapid investigation to identify users of interest
Selection enables deep investigation via an initial drilldown into user activity/details
Dynamic drilldown begins at this point on this dashboard: when you click on a row, the IP, hostname, and MAC are passed to the following subpanels. This is based on drilldown parameters being set in this panel's XML source; the selection determines the drill down and is used to look up the user.
29. Design & Approach - Workflow
Behavior Investigation – Longitudinal Trending
Patterns identify a potential repeat offender, or possible C2/exfiltration; look at guest network activity to clarify – compare these two trends
30. Design & Approach - Workflow
Behavior Investigation – Pre-Jump Activity
• Does the jump make sense? – driven by business logic or "benign" behavior
• Does the jump look like an attacker trying to get out? – more "random" patterns
• Does the jump look like an insider threat? – exfiltration, etc.
Looking back in time from the jump: user activity on the corporate network preceding the jump
Looking back in time to the jump: user device to IP address mapping of the jumper
Looking in time after the jump: user activity on the guest network after the jump
31. Key Event – Guest network DHCP request
Key search to identify this activity
• Look at guest network firewall logs, which log DHCP requests (IP → MAC → hostname)
• Look at DHCP requests using an IP address from one of our corporate networks, and the MAC address.
• Eliminate mobile devices; limit results to our corporate hostname naming convention
• A database of internal IP space, hostnames, and associated MAC addresses is being built to further refine this.
32. Trending – How it's Done
Jumps per corporate hostname in 4-hour buckets (ACMEguestFW, ACMEipSpace and ACMEnamingConvention are placeholders for the site's own sourcetype, address space and hostname pattern):
index=firewall sourcetype="ACMEguestFW"
(hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*)
dhcp_msg=Request ip="ACMEipSpace"
| regex hostname="ACMEnamingConvention"
| timechart span=4h limit=30 count by hostname

Yesterday's hourly count against the prior two weeks:
index=firewall sourcetype="ACMEguestFW"
(hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*)
dhcp_msg=Request ip="ACMEipSpace" earliest=-14d latest=-1d
| regex hostname="ACMEnamingConvention"
| dedup hostname
| timechart span=1h count
| eval StartTime=relative_time(now(),"-48h@h")
| eval Series=if(_time>=StartTime, "Yesterday's Count", "2 Week Average")
| eval Hour = strftime(_time,"%H") | chart max(count) by Hour Series
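The filter behind slides 31 to 33 (a DHCP Request on the guest network from a client that still carries a corporate address and a corporate-convention hostname, mobile devices excluded) is worth validating against raw log lines before trusting a dashboard built on it. The code below is an added example for this page, not code from the deck, Splunk or Wipro. It assumes key=value guest-firewall log lines with the field names the deck uses (dhcp_msg, ip, mac, hostname); the 10.10.0.0/16 range and the ACME-LT/WS hostname pattern are assumed stand-ins for the deck's ACMEipSpace and ACMEnamingConvention placeholders, and the log lines are constructed.

```python
"""Network-jumper detection from guest-network DHCP request logs (added example, not the deck's SPL)."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed corporate address space and hostname convention (stand-ins for ACMEipSpace and
# ACMEnamingConvention in the deck's searches).
CORP_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
NAMING_CONVENTION = re.compile(r"^ACME-(LT|WS)\d{4}$", re.IGNORECASE)
MOBILE_MARKERS = ("phone", "pad", "android")  # the deck's hostname!=*phone* etc. exclusions

# Constructed sample guest-firewall DHCP log lines in key=value form.
SAMPLE_LOG = """\
2014-09-01T08:02:11Z dhcp_msg=Request ip=10.10.4.21 mac=00:11:22:33:44:55 hostname=ACME-LT0042
2014-09-01T08:05:40Z dhcp_msg=Request ip=192.168.77.10 mac=aa:bb:cc:dd:ee:01 hostname=guest-laptop
2014-09-01T08:09:03Z dhcp_msg=Request ip=10.10.4.88 mac=00:11:22:33:44:99 hostname=johns-iPhone
2014-09-01T09:17:45Z dhcp_msg=Request ip=10.10.9.7 mac=00:11:22:33:44:77 hostname=ACME-WS1207
2014-09-01T09:20:00Z dhcp_msg=Ack ip=10.10.4.21 mac=00:11:22:33:44:55 hostname=ACME-LT0042
2014-09-01T12:31:19Z dhcp_msg=Request ip=10.10.4.21 mac=00:11:22:33:44:55 hostname=ACME-LT0042
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict; returns None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    rec["_time"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def is_corporate_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORP_NETWORKS)


def is_jumper_request(rec):
    """The deck's filter: a DHCP Request seen on the guest network whose client still carries a
    corporate IP and a corporate-convention hostname, with mobile devices excluded."""
    host = rec.get("hostname", "")
    if rec.get("dhcp_msg") != "Request" or not is_corporate_ip(rec.get("ip", "")):
        return False
    if any(marker in host.lower() for marker in MOBILE_MARKERS):
        return False
    return bool(NAMING_CONVENTION.match(host))


def jumpers(log_text):
    """Jump events as (timestamp, ip, mac, hostname), oldest first."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_jumper_request(rec):
            events.append((rec["_time"], rec["ip"], rec["mac"], rec["hostname"]))
    return sorted(events)


def hourly_counts_by_host(events):
    """Equivalent of the deck's 'timechart span=1h count by hostname'."""
    table = defaultdict(Counter)
    for t, _, _, host in events:
        table[host][t.strftime("%Y-%m-%dT%H:00")] += 1
    return {host: dict(counts) for host, counts in table.items()}


def jumps_per_mac(events):
    """Repeat offenders by MAC address, the key the deck later uses to pivot into guest sessions."""
    return dict(Counter(mac for _, _, mac, _ in events))


if __name__ == "__main__":
    found = jumpers(SAMPLE_LOG)
    for ev in found:
        print(ev)
    print(hourly_counts_by_host(found))
    print(jumps_per_mac(found))
```

Of the six constructed lines, three survive: the guest laptop has no corporate address, the iPhone is dropped by the mobile-device exclusion, and the Ack is not a Request. The repeated hits from one MAC across the morning are exactly the periodic pattern slide 26 says to look for.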
33. Trending – How it's Done
index=firewall
sourcetype="ACMEguestFW" ip="ACMEipSpace"
(hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*)
dhcp_msg="Request"
| regex hostname="ACMEnamingConvention"
| timechart span=1h count by hostname
34. Identify User, present additional data – How it's Done
index=firewall
(hostname!=*phone* AND hostname!=*pad* AND hostname!=*android*)
sourcetype="ACMEguestFW" ip="ACMEipSpace" dhcp_msg="Request"
| regex hostname="ACMEnamingConvention"
| stats count by ip,_time,hostname,mac | sort _time
View the XML Source for the Dashboard ("Edit Source"), find the panel, and add:
<drilldown>
  <set token="source_ip">$row.ip$</set>
  <set token="mac">$row.mac$</set>
  <set token="hostname">$row.hostname$</set>
</drilldown>
Make this panel only appear when the drilldown is activated:
<panel><single id="jumpername" depends="$source_ip$">
The search uses $source_ip$ from the click and searches the internal firewall logs to find the most recent user from that IP address (the rex keeps the part of src_user after the DOMAIN\ prefix):
index=firewall sourcetype=ACMEfw src=$source_ip$ | rex field=src_user "\w+\\(?<browseusername>\w+)" | dedup browseusername | table browseusername
35. Longitudinal Trending – How It's Done
This panel is driven by the same drill-down we've been using, based on $hostname$ from the guest network firewall logs.
The search simply returns the jumping pattern over the past week and charts it in 15-minute spans.
index=firewall hostname=$hostname$ dhcp_msg=Request sourcetype=ACMEguestFW | timechart span=15m count
36. Behavior Investigation – Pre-Jump Activity
Search the Windows DNS logs for requests and responses triggered by the jumper on the corporate network, still using the same drilldown from before for source_ip:
index=winevents sourcetype="MSAD:NT6:DNS" src_ip=$source_ip$ | stats count by questionname,questiontype,response,src_ip | rex mode=sed field=questionname "s/(\d+)/./g" | sort -count
This is a basic filtering search: stats takes a count of queries made, type, and response by the source IP; rex in sed mode changes the format of the DNS query names to drop the digit runs; sort orders by count.
Combined static and dynamic dropdown input. The static (default) value of ALL maps to a value of "*"; the dynamic options are populated by a search:
index=firewall sourcetype=ACMEfw src_ip=$source_ip$ | stats count by category
Select "Edit Panels" for the Dashboard and then "Add Input", select "Dropdown", drag the input to the panel, and customize in the GUI, or add the XML code directly in "Edit Source". This dropdown input sets the token $category$ to the value selected:
<input type="dropdown" token="category" searchWhenChanged="true">
  <label>Select Category</label>
  <populatingSearch earliest="@d" latest="now" fieldForLabel="category" fieldForValue="category">index=firewall sourcetype=pan* src_ip=$source_ip$ | stats count by category</populatingSearch>
  <choice value="*">ALL</choice>
</input>
37. Guest Network Sessions for Jumper
Get a list of IP addresses for the identified jumper based on MAC address from the Guest network firewall logs.
Again going back to the same drill-down, use the MAC address identified and list guest network IPs associated with the MAC we've tied to a corporate asset:
index=firewall sourcetype="ACMEguestFW" (ip!="ACMEipSpace" AND ip!="0.0.0.0") mac=$mac$ | stats count by mac,ip | fields - count
38. Behavior Investigation – Guest Network Activity
List hosts accessed by the jumper on the guest network, filtered by pass/block/all as per the static radio input below and using the source selected in the original drilldown on the dashboard:
index=network sourcetype=ACMEguestWLC srcip=$source$ action=$action$ | stats count by srcip,hostname,action,msg,dstip | sort -count
Static form input defined to filter the panel's search on the action field (block, pass, all).
View the XML Source for the Dashboard ("Add Input"), select "Radio", drag the input to the panel, and customize in the GUI, or add the XML code directly in "Edit Source". This radio input sets the token $action$ to the value selected:
<input type="radio" token="action" searchWhenChanged="true">
  <choice value="pass">pass</choice>
  <choice value="block">block</choice>
  <choice value="*">all</choice>
  <default>*</default>
</input>
39. Design & Extension Notes
Areas to continue the investigation
– Select user of interest to drive additional panels – including additional historical trending
– Additional review of DNS requests
– Data volume on guest network
– Threat list mapping for known C2 servers, sites hosting malware/malvertising
Practical integrations
– Captive portal page / walled garden for jumpers with training and/or restriction on the Guest Network
Potential to add algorithms to refine results and accelerate analysis
– High level charts – 14 day, 7 day, today
– Integrate additional data sources to further identify behavior
41. Developing Additional Use Cases
Have a disciplined approach
Start with a behavior, choose a point on the kill chain
Identify what log sources you have
Think about and try different visualizations
Use statistics and simple algorithms to clarify the data
Find related log sources
Think longitudinally
Find outliers, shift your parameters, and let more outliers emerge
42. Additional Examples
Identifying Pass-the-Hash (PtH) Attacks and other Credential Theft Techniques
– Look for lateral movement, then get specific in your search for specific techniques. Methods include RDP and other remote access tools, the use of PsExec, as well as Windows Management Instrumentation (WMI).
– The NSA report "Spotting the Adversary with Windows Event Log Monitoring" provides many good ideas to build on. For PtH:
  ◦ "The successful use of PtH for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the security log. This behavior would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account."
  ◦ "A failed logon attempt when trying to move laterally using PtH would trigger an event ID 4625. This would have a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account."
Validating and Monitoring Mitigation Actions (Closed-Loop Management)
– When mitigating risks and threats in your environment, you need to validate that your measures take effect while monitoring and minimizing disruption to mission-critical business operations.
– Look for metrics that are leading indicators to help validate progress
– Look for trailing indicators that show potential disruption
– One example would be forced password expiry impairing users who only use applications with integrated authentication that do not support password resets
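The NSA criteria quoted above reduce to a filter over Security-log fields plus a pivot on source address, which is how an analyst would see one workstation touching many others. The block below is an added example for this page, not code from the deck, the NSA report, Splunk or Wipro. It assumes events already parsed into the standard 4624/4625 field names (EventCode, LogonType, AuthenticationPackageName, TargetDomainName, TargetUserName, IpAddress, ComputerName), treats "not a domain logon" as TargetDomainName not being one of the organization's AD domains (an assumption; ACME is a placeholder domain), and uses constructed sample events.

```python
"""Filter Windows logon events for the NSA-described PtH lateral-movement pattern (added example)."""

# Assumed AD domain(s); a logon whose target domain is one of these counts as a "domain logon".
DOMAIN_NAMES = {"ACME"}

# Constructed sample events shaped after Security-log fields after field extraction.
SAMPLE_EVENTS = [
    # NTLM network logon to a local account on a workstation: matches the pattern
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetDomainName": "WS0042",
     "TargetUserName": "localadmin", "IpAddress": "10.10.4.21", "ComputerName": "WS0042"},
    # Kerberos network logon: normal domain activity
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetDomainName": "ACME",
     "TargetUserName": "alice", "IpAddress": "10.10.4.30", "ComputerName": "FS01"},
    # NTLM but against the domain: excluded by the "not a domain logon" clause
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetDomainName": "ACME",
     "TargetUserName": "svc-backup", "IpAddress": "10.10.4.31", "ComputerName": "FS01"},
    # Anonymous NTLM logon: excluded by name
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetDomainName": "NT AUTHORITY",
     "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.10.4.40", "ComputerName": "WS0042"},
    # Failed NTLM network logon to a local account from the same source as the first event
    {"EventCode": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetDomainName": "WS0099",
     "TargetUserName": "localadmin", "IpAddress": "10.10.4.21", "ComputerName": "WS0099"},
    # Interactive (console) NTLM logon: wrong LogonType
    {"EventCode": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM", "TargetDomainName": "WS0042",
     "TargetUserName": "bob", "IpAddress": "-", "ComputerName": "WS0042"},
]


def is_pth_candidate(ev, domains=DOMAIN_NAMES):
    """4624 or 4625, LogonType 3, NTLM, not a domain logon, not ANONYMOUS LOGON."""
    if ev.get("EventCode") not in (4624, 4625):
        return False
    if ev.get("LogonType") != 3:
        return False
    if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    if ev.get("TargetDomainName", "").upper() in {d.upper() for d in domains}:
        return False
    if ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON":
        return False
    return True


def pth_candidates(events):
    return [ev for ev in events if is_pth_candidate(ev)]


def summarize_by_source(events):
    """Successes, failures and distinct target hosts per source IP: the pivot that surfaces one
    host reaching many others, which is the lateral-movement shape the deck says to look for first."""
    summary = {}
    for ev in pth_candidates(events):
        entry = summary.setdefault(ev["IpAddress"], {"success": 0, "failure": 0, "targets": set()})
        entry["success" if ev["EventCode"] == 4624 else "failure"] += 1
        entry["targets"].add(ev["ComputerName"])
    return {ip: {"success": v["success"], "failure": v["failure"], "targets": sorted(v["targets"])}
            for ip, v in summary.items()}


if __name__ == "__main__":
    for ip, stats in summarize_by_source(SAMPLE_EVENTS).items():
        print(ip, stats)
```

Two of the six constructed events survive the filter, both from 10.10.4.21 and against two different workstations' local accounts. That result is a lead, not a verdict: legitimate NTLM use to local accounts exists, so the deck's advice to pair this with the surrounding lateral-movement evidence (RDP, PsExec, WMI activity from the same source) still applies.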
44. Security Controls
The average enterprise today has decent but incomplete coverage via a collection of security controls
In addition to gaps in security controls, there is usually an even larger gap in which security controls are centrally logged and monitored
Multi-control correlation is rarely done, and even more rarely done right
Security controls in silos are not enough
The approach to analysis needs to be cohesive and behaviorally driven, with a monitoring/response posture based on knowing your users, network, and environment
Need to evolve:
– From compliance reporting to threat detection
– From finding/neutralizing malware to dissecting/disrupting the attack
– From static views of data to longitudinal data analytics
45. Security Control Frameworks
Security Control Monitoring Priorities:
• Perimeter-in
• Critical assets/crown jewels
• Kill chain/behavior-based
• Quick wins
SANS Critical Security Controls V5 – SANS Top 20
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
(ISC)2 Common Body of Knowledge (10 Domains)
1. Access Control
2. Telecommunications and Network Security
3. Information Security Governance and Risk Management
4. Software Development Security
5. Cryptography
6. Security Architecture and Design
7. Operations Security
8. Business Continuity and Disaster Recovery Planning
9. Legal, Regulations, Investigations and Compliance
10. Physical (Environmental) Security
ISO 27001:2013 (114 Controls in 14 Groups)
1. Information security policies (2 controls)
2. Organization of information security (7 controls)
3. Human resource security (6 controls that are applied before, during, or after employment)
4. Asset management (10 controls)
5. Access control (14 controls)
6. Cryptography (2 controls)
7. Physical and environmental security (15 controls)
8. Operations security (14 controls)
9. Communications security (7 controls)
10. System acquisition, development and maintenance (13 controls)
11. Supplier relationships (5 controls)
12. Information security incident management (7 controls)
13. Information security aspects of business continuity management (4 controls)
14. Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
NIST Special Publication 800-53 Rev. 4 (224 controls in 18 families)
1. Access Control
2. Awareness & Training
3. Audit & Accountability
4. Certification, Accreditation & Security Assessments
5. Configuration Management
6. Contingency Planning
7. Identification And Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical & Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. System & Services Acquisition
16. System & Communication Protection
17. System & Information Integrity
18. Program Management