Too often security takes a passive approach -- receiving whatever events, projects, etc., come our way. In this talk we discuss how to get more aggressive, focusing on how to improve the environment we are defending and on default security.
Prepare the battlefield: Shape your environment for better cyber defense
1. @chicagoben | @obsidiansec
SHAPE YOUR ENVIRONMENT FOR BETTER CYBER DEFENSE
Ben Johnson, CTO, Obsidian Security
BSides Augusta 2019
PREPARE YOUR BATTLEFIELD
2. BACKGROUND CHECK // BEN JOHNSON
PREPARE YOUR BATTLEFIELD 2019 | Ben Johnson | @chicagoben
Co-Founder and CTO, Obsidian Security
Co-founder and former CTO of Carbon Black, built the first EDR product; previously, NSA CNO and AI Lab
[Timeline figure with rows "Employment" and "Board Seats"; year marks 2000, 2010, 2017]
1st Technical Advisor (Amicus Curiae) to US FISA Court
3. TODAY’S GOALS
Force reflection…
Spark contemplation…
Give you some stuff to remember…
5. IT’S AN EXPANDING ENTERPRISE
Your surface area is expanding, connecting external and internal users together with never-before-seen ease. Keeping up with security is difficult as the company focus is on productivity.
6. LOOK AT EVERYTHING WE’RE DOING!
Meetings
HR
Architecture Review
Helpdesk Tickets
Troubleshooting
RFPs
Bakeoffs
Recruiting
Reading Blogs
Capturing Metrics
Tactics, Strategy & Ops
7. DEFENDER CHALLENGES
Skills Gap + Deploy-and-Decay + Huge Data (more than big) + Attacker Successes
= LACK OF CYBER SELF-ESTEEM
8. WHO PROTECTS THE CLOUD? HINT: YOU
9. CLOUDS TALK TO CLOUDS
10. INFORMATION SECURITY AND THE CLOUD
“IT is going from 0 to 100 in the cloud and leaving us in the dust” - Public Tech Company
“We’re blind to all these new SaaS accounts” - Top Athletics Brand
“We have 300 AWS accounts and no governance” - Public Tech Company
“50% of our IR Engagements are Office 365.” - Incident Response Consultancy
14. LEAGUE OF ADVERSARIES
Cybercriminals
• Broad-based and targeted
• Financially motivated
• Getting more sophisticated
Hacktivists
• Targeted and destructive
• Unpredictable motivations
• Generally less sophisticated
Nation-States
• Targeted and multi-stage
• Motivated by data collection
• Highly sophisticated with endless resources
Insiders
• Targeted and destructive
• Unpredictable motivations
• Sophistication varies
15. HUMAN FACTOR
"Hackers don’t break in, they log in."
• Defenders defend infrastructure, yet attackers attack humans
• It’s not just a matter of attackers … mistakes happen, too
• There’s always the insider threat as well
16. IS THE ENVIRONMENT HEALTHY?
The absence of disease does not mean health.
18. WE MUST DO BETTER
We can do better. In some ways we are, but it is not enough.
It is going to get worse.
127 new devices on the Internet every second.
Data is the new oil.
McKinsey 2019
19. NUMBER ONE SIGN OF A GOOD TEAM…
Analytical or Engineering? Engineering
(700k miles, 700 organizations)
20. SHIFTING OUR MINDSET
Passive
• Read-only access
• Events happen to us
BECOMES
Aggressive
• Write access
• We shape the environment
21. ESSENTIALISM
“It is about making the wisest possible investment of your time and energy in order to operate at our highest point of contribution by doing only what is essential.”
– Greg McKeown, Author of Essentialism
22. SLOWING ATTACKERS DOWN
For the longest time, we focused on blocking or on locking down what can be done.
We continue to need this.
“What can I block, what can I prevent?”
23. BLOCKING IS NOT ENOUGH
So we shifted more resources, more investments into detection and response. We added tooling.
We must find things quicker, react, & clean up more effectively.
24. ORCHESTRATION
Alert Generated
Validate, Correlate, and Enhance
• Threat Intelligence
• Device History
• User Profile & Behaviors
Alert Enriched
Remediation Actions
• Block IPs
• Kill Process, Preserve Evidence
• Reset Credentials
25. HUNTING: FILLING THE DETECTION GAP
The inevitability of Threat Hunting: there’s always a gap between automated threat detection and the universe of threats.
[Figure labels: Universe of threats; Automated threat detection processes]
26. SPEEDING DEFENDERS UP
We have done a bunch of stuff beyond blocking.
Great, are we good now?
Nope. We have to consider employees, contractors, guests, execs, etc.
27. DISCOURAGE BAD BEHAVIOR
We start forcing training, we start preaching.
“Don’t Click!”
“Be paranoid!”
“Don’t circumvent security!”
“Don’t install that!”
28. CONSTRUCTIVE APPROACHES
We need to have more collaboration, more constructive approaches.
We’re still accountable for security.
We appeal to heart, not mind (apathy vs. intelligence).
NO has become “YES, but.”
29. ENCOURAGE GOOD DECISIONS
We needed to get upstream, get earlier into processes, improve the software lifecycle, procurement process, etc. We need to be a great partner.
Enable security & risk assessments early: easier and cheaper to correct.
30. PUTTING TOGETHER THESE PIECES
Slow Attackers Down
Speed Defenders Up
Discourage Bad Behavior
Encourage Good Decisions
Adversaries
Infosec
Everyone else
*Thanks to Matthew Stits for some original inspiration.
31. PRACTICAL CYBER FRAMEWORK
Slow Attackers Down
Speed Defenders Up
Drive Default Security
Discourage Bad Behavior
Enable Good Decisions
33. COMMUNICATION
Can you communicate across your org what you are doing, how you are investing, and why things matter? (That’s why I like this framework).
34. SLOW ATTACKERS DOWN
Create fewer entry points and make it harder to compromise.
• Single Sign-On
• Multi-factor Authentication
• Disable Legacy Authentication
• Anti-Phishing
35. SLOW ATTACKERS DOWN
Limit attack vectors and blast radius.
• OAuth App scrutiny
• Disable PowerShell
• Remove Local admin
• Whitelist
37. SPEED DEFENDERS UP: REDUCE ENTROPY
38. SPEED DEFENDERS UP: VENDORS
39. SPEED DEFENDERS UP
• Telemetry
• Access
• Leverage the hell out of tools
• Push on your vendors
• Write code
• Write code (worthy of 2x)
• Retrospectives
Did you share any lessons learned this week?
Did you add a new rule or tune technology?
40. DRIVE DEFAULT SECURITY
• Enlist other members within the business to attend security bootcamps (make it a perk!)
• DevOps joins security full-time for 2 weeks, then rolls back out to their team; you now have a more educated, capable ambassador
Top cyber team says the best thing they’ve done is rotating DevOps through security details.
41. DRIVE DEFAULT SECURITY
• Give access a half-life
• Counter identity creep
From the moment access is granted, does it start decaying so that by default it goes away?
42. DRIVE DEFAULT SECURITY
• Have a review process before procurement
• Have an access review process
• Have sponsorship for guests/contractors
• Single Sign-On
• File sharing defaults to having a password and time limit
• Disable mail-forwarding
SaaS: Establish processes for review, look for settings to default to more security.
43. DRIVE DEFAULT SECURITY
• Default to no public shares, networks, buckets
• Centralize access
• Automate security scans (static/dynamic) during the build process
• Educate on shared-responsibility model
IaaS (e.g. AWS) is really easy to sign up for. Build relationships to embed security in the process.
45. IT’S ABOUT PEOPLE
We CAN turn the ship around. We CAN influence our battlefield.
We need LEADERS. We need AGGRESSION.
It’s ALL people problems.
Our progress is people, our problems are people.
How can you get more buy-in from people, how can you influence the mindset of people?
Gain buy-in.
Make it so people have to go out of their way to be insecure.
46. CREATE LEVERAGE THROUGH CULTURE
"Culture eats strategy for breakfast." - P. Drucker
47. DIFFERENT TEAMS, SAME MISSION
49. SHAPE YOUR BATTLEFIELD
Attacker only has to be successful once, but defender has to stop 100% of attacks
Once the attacker is in your environment, they should have to be 100% perfect.
50. PRACTICAL CYBER FRAMEWORK
Slow Attackers Down
Speed Defenders Up
Drive Default Security
51. QUESTIONS (AND BOOK RECOMMENDATIONS)