This document discusses various techniques for improving security automation and visibility, including discovering and inventorying assets, prioritizing risks, performing multi-layer security testing, monitoring configurations, discovering and handling security intelligence, and refining security signals and response. Key recommendations include tailoring discovery to the rate of change, considering data normalization, using risk prioritization as an input not a law, avoiding certain conversations, leveraging security testing pyramids, recognizing a continuum of configuration safety, developing an intelligence taxonomy, and starting small with signal refinement and response automation.

1. Prac%cal'Security'
Automa%on
Jason&Chan
Data$Theorem$Advisory$Board
12/5/2014

7. Visibility
Knowing'the'Environment

9. Discover

10. Discover
Inventory

11. Discover
Inventory
Test

12. Discover
Inventory
Test
Report

13. Knowing'the'Environment'/'Takeaways
Tailor'discovery'to'rate'of'change
Think&about&normaliza0on&of&discovery&data

14. Visibility
Risk%Priori)za)on

20. Risk%Priori)za)on%-%Takeaways
What%is%measurable?%(objec3vely)
Use$as$an$input,$not$law

21. Visibility
Mul$%Layer+Security+Tes$ng

22. Deconstruc*ng,security,tes*ng

26. Integrated)tes+ng)for)CI/CD

29. Mul$%Layer+Security+Tes$ng+%+Takeaways
What%conversa-ons%can%you%avoid?
Is#there#a#pyramid#you#can#leverage?

30. Visibility
Configura)on*Monitoring

32. Security)Monkey

34. Configura)on*Monitoring*.*Takeaways
Config&changes&have&a&con-nuum&of&safety
Find%ways%to%observe%and%differen1ate

35. Visibility
Intelligence)Discovery)and)Disposi3on

37. Goals
Find%Ne(lix+relevant%security%intelligence
Do#something#(ideally,#via#automa4on)

42. Intelligence)Discovery)and)Disposi3on)4)
Takeaways
Develop'and'priori-ze'an'intel'taxonomy

43. Visibility
Signal'Refinement'and'Response

44. Key$Ques(ons
What%alerts%require%response?
How$quickly?
What%ac'ons%do%you%take?

47. Goal
Reduce&'me&to:
detect/triage/contain/eradicate

48. Step%1
Alert&is&generated&and&sent&to&FIDO
(Cyphort,*Carbon*Black/Bit9,*Sophos,*PAN,*Aruba,*etc.)

49. Step%2
Gather'data
(on$issue,$target,$machine,$etc.)

50. Step%3
Score&the&issue
(user,'machine,'threat,'trust)

56. Step%4
Take%ac'on
(ignore,)remediate,)etc.)

59. Signal'Refinement'and'Response'1'Takeaways
Start%small
API$as$build/buy$criteria

60. Thank&you!
chan@ne'lix.com.:.@chanjbs