PREPARE YOUR BATTLEFIELD
SHAPE YOUR ENVIRONMENT FOR BETTER CYBER DEFENSE
Ben Johnson, CTO, Obsidian Security
BSides Augusta 2019
@chicagoben | @obsidiansec

BACKGROUND CHECK // BEN JOHNSON
PREPARE YOUR BATTLEFIELD 2019 | Ben Johnson | @chicagoben
Co-Founder and CTO, Obsidian Security
Co-founder and former CTO of Carbon Black, built the first EDR product; previously, NSA CNO and AI Lab
[Figure: timeline 2000 to 2017 of Employment and Board Seats]
1st Technical Advisor (Amicus Curiae) to US FISA Court

TODAY’S GOALS
Force reflection…
Spark contemplation…
Give you some stuff to remember…

CHALLENGES

IT’S AN EXPANDING ENTERPRISE
Your surface area is expanding, connecting external and internal users together with never-before-seen ease. Keeping up with security is difficult as the company focus is on productivity.

LOOK AT EVERYTHING WE’RE DOING!
Meetings, HR, Architecture Review, Helpdesk Tickets, Troubleshooting, RFPs, Bakeoffs, Recruiting, Reading Blogs, Capturing Metrics, Tactics, Strategy & Ops

DEFENDER CHALLENGES
Skills Gap
+ Deploy-and-Decay
+ Huge Data (more than big)
+ Attacker Successes
= LACK OF CYBER SELF-ESTEEM

WHO PROTECTS THE CLOUD? HINT: YOU

CLOUDS TALK TO CLOUDS

INFORMATION SECURITY AND THE CLOUD
“IT is going from 0 to 100 in the cloud and leaving us in the dust” - Public Tech Company
“We’re blind to all these new SaaS accounts” - Top Athletics Brand
“We have 300 AWS accounts and no governance” - Public Tech Company
“50% of our IR Engagements are Office 365.” - Incident Response Consultancy

THREATSCAPE

BREACHES ARE ACCELERATING
[Figure: breach logos by year, 2011 through 2017]

2019 HEADLINES

LEAGUE OF ADVERSARIES
Cybercriminals
• Broad-based and targeted
• Financially motivated
• Getting more sophisticated
Hacktivists
• Targeted and destructive
• Unpredictable motivations
• Generally less sophisticated
Nation-States
• Targeted and multi-stage
• Motivated by data collection
• Highly sophisticated with endless resources
Insiders
• Targeted and destructive
• Unpredictable motivations
• Sophistication varies

HUMAN FACTOR
"Hackers don’t break in, they log in."
• Defenders defend infrastructure, yet attackers attack humans
• It’s not just a matter of attackers … mistakes happen, too
• There’s always the insider threat as well

IS THE ENVIRONMENT HEALTHY?
The absence of disease does not mean health.

APPROACHING SECURITY

WE MUST DO BETTER
We can do better. In some ways we are, but it is not enough. It is going to get worse.
127 new devices on the Internet every second. Data is the new oil. (McKinsey 2019)

NUMBER ONE SIGN OF A GOOD TEAM…
Analytical or Engineering? Engineering (700k miles, 700 organizations)

SHIFTING OUR MINDSET
Passive / Read-only access / Events happen to us
BECOMES
Aggressive / Write access / We shape the environment

ESSENTIALISM
“It is about making the wisest possible investment of your time and energy in order to operate at our highest point of contribution by doing only what is essential.” – Greg McKeown, Author of Essentialism

SLOWING ATTACKERS DOWN
For the longest time, we focused on blocking or on locking down what can be done. We continue to need this. “What can I block, what can I prevent?”

BLOCKING IS NOT ENOUGH
So we shifted more resources, more investments into detection and response. We added tooling. We must find things quicker, react, and clean up more effectively.

ORCHESTRATION
Alert Generated -> Validate, Correlate, and Enhance (Threat Intelligence, Device History, User Profile & Behaviors) -> Alert Enriched -> Remediation Actions (Block IPs; Kill Process, Preserve Evidence; Reset Credentials)

HUNTING: FILLING THE DETECTION GAP
The inevitability of Threat Hunting: there’s always a gap between automated threat detection and the universe of threats.
[Figure: the universe of threats versus automated threat detection processes]

SPEEDING DEFENDERS UP
We have done a bunch of stuff beyond blocking. Great, are we good now? Nope. We have to consider employees, contractors, guests, execs, etc.

DISCOURAGE BAD BEHAVIOR
We start forcing training, we start preaching.
“Don’t Click!”
“Be paranoid!”
“Don’t circumvent security!”
“Don’t install that!”

CONSTRUCTIVE APPROACHES
We need to have more collaboration, more constructive approaches. We’re still accountable for security. We appeal to heart, not mind (apathy vs. intelligence).
NO has become “YES, but.”

ENCOURAGE GOOD DECISIONS
We needed to get upstream, get earlier into processes, improve the software lifecycle, procurement process, etc. We need to be a great partner.
Enable security & risk assessments early: easier and cheaper to correct.

PUTTING TOGETHER THESE PIECES
Slow Attackers Down
Speed Defenders Up
Discourage Bad Behavior
Encourage Good Decisions
Audiences: Adversaries, Infosec, Everyone else
*Thanks to Matthew Stits for some original inspiration.

PRACTICAL CYBER FRAMEWORK
Slow Attackers Down
Speed Defenders Up
Drive Default Security (Discourage Bad Behavior, Enable Good Decisions)

APPLIED SECURITY

COMMUNICATION
Can you communicate across your org what you are doing, how you are investing, and why things matter? (That’s why I like this framework.)

SLOW ATTACKERS DOWN
Create fewer entry points and make it harder to compromise.
• Single Sign-On
• Multi-factor Authentication
• Disable Legacy Authentication
• Anti-Phishing

SLOW ATTACKERS DOWN
Limit attack vectors and blast radius.
• OAuth App scrutiny
• Disable PowerShell
• Remove local admin
• Whitelist

SPEED DEFENDERS UP: VISIBILITY
Scanning
Continuous Recording
Continuous Recording + Intelligence
Continuous Recording + Intelligence + Prevalence
Continuous Recording + Intelligence + Prevalence + Relationships

SPEED DEFENDERS UP: REDUCE ENTROPY

SPEED DEFENDERS UP: VENDORS

SPEED DEFENDERS UP
• Telemetry
• Access
• Leverage the hell out of tools
• Push on your vendors
• Write code
• Write code (worthy of 2x)
• Retrospectives
Did you share any lessons learned this week? Did you add a new rule or tune technology?

DRIVE DEFAULT SECURITY
• Enlist other members within the business to attend security bootcamps (make it a perk!)
• DevOps joins security full-time for 2 weeks, then roll them back out to their team; you now have a more educated, capable ambassador
Top cyber team says the best thing they’ve done is rotating DevOps through security details.

DRIVE DEFAULT SECURITY
• Give access a half-life
• Counter identity creep
From the moment access is granted, does it start decaying so that by default it goes away?

DRIVE DEFAULT SECURITY
• Have a review process before procurement
• Have an access review process
• Have sponsorship for guests/contractors
• Single Sign-On
• File sharing defaults to having a password and time limit
• Disable mail-forwarding
SaaS: Establish processes for review, look for settings to default to more security.

DRIVE DEFAULT SECURITY
• Default to no public shares, networks, buckets
• Centralize access
• Automate security scans (static/dynamic) during the build process
• Educate on the shared-responsibility model
IaaS (e.g. AWS) is really easy to sign up for. Build relationships to embed security in the process.

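The three Drive Default Security slides above (give access a half-life, run an access review, require sponsorship for guests and contractors) as an added worked example; this is not the speaker's or Obsidian Security's code. The AccessGrant model, the 90-day default half-life, the corp.example domain and the sample grants are all constructed assumptions for illustration.

```python
"""Access half-life: every grant decays by default unless a reviewer re-attests it.

Added example, not from the talk. Names, domains and sample grants are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed default decay period: a grant nobody re-attests within this window is revoked.
DEFAULT_HALF_LIFE = timedelta(days=90)


@dataclass
class AccessGrant:
    principal: str                            # who holds the access
    resource: str                             # what the grant reaches
    granted_at: datetime
    half_life: timedelta = DEFAULT_HALF_LIFE
    last_attested: Optional[datetime] = None  # most recent re-approval by an owner
    sponsor: Optional[str] = None             # internal owner, required for externals

    def expires_at(self) -> datetime:
        # Decay restarts only from a review, never from the principal merely using the access.
        anchor = self.last_attested or self.granted_at
        return anchor + self.half_life

    def is_expired(self, now: datetime) -> bool:
        return now >= self.expires_at()

    def attest(self, reviewer: str, now: datetime) -> None:
        """An access review by someone other than the holder renews one half-life."""
        if reviewer == self.principal:
            raise ValueError("self-attestation is not a review")
        self.last_attested = now


def expire_stale_grants(grants: List[AccessGrant], now: datetime) -> Tuple[List[AccessGrant], List[AccessGrant]]:
    """Split grants into (active, revoked). Revocation is the default outcome:
    a grant nobody vouched for within its half-life simply goes away."""
    active = [g for g in grants if not g.is_expired(now)]
    revoked = [g for g in grants if g.is_expired(now)]
    return active, revoked


def unsponsored_externals(grants: List[AccessGrant], internal_domain: str) -> List[AccessGrant]:
    """Guests and contractors (principals outside the internal domain) must name a sponsor."""
    suffix = "@" + internal_domain.lower()
    return [g for g in grants if not g.principal.lower().endswith(suffix) and g.sponsor is None]


def identity_creep(grants: List[AccessGrant], max_entitlements: int) -> Dict[str, int]:
    """Principals holding more active entitlements than the threshold: access that
    accumulated because nobody pruned it."""
    counts: Dict[str, int] = {}
    for g in grants:
        counts[g.principal] = counts.get(g.principal, 0) + 1
    return {p: n for p, n in counts.items() if n > max_entitlements}


# Constructed sample data (not real accounts or systems).
UTC = timezone.utc
REVIEW_DATE = datetime(2019, 10, 1, tzinfo=UTC)
SAMPLE_GRANTS = [
    AccessGrant("alice@corp.example", "aws-prod-admin", datetime(2019, 1, 15, tzinfo=UTC),
                last_attested=datetime(2019, 8, 1, tzinfo=UTC)),      # reviewed, still alive
    AccessGrant("alice@corp.example", "aws-dev", datetime(2019, 5, 1, tzinfo=UTC)),       # never reviewed
    AccessGrant("alice@corp.example", "sharepoint-finance", datetime(2019, 9, 1, tzinfo=UTC)),
    AccessGrant("alice@corp.example", "github-org", datetime(2019, 9, 10, tzinfo=UTC)),
    AccessGrant("bob@contractor.example", "vpn", datetime(2019, 9, 20, tzinfo=UTC),
                half_life=timedelta(days=30)),                        # contractor, no sponsor set
    AccessGrant("carol@corp.example", "okta-admin", datetime(2019, 3, 1, tzinfo=UTC)),    # decayed
]


def run_access_review(grants: List[AccessGrant], now: datetime,
                      internal_domain: str = "corp.example", max_entitlements: int = 2) -> dict:
    """One review cycle: let stale grants decay, then flag what survives but still looks wrong."""
    active, revoked = expire_stale_grants(grants, now)
    return {
        "active": len(active),
        "revoked": sorted(f"{g.principal}:{g.resource}" for g in revoked),
        "unsponsored": sorted(f"{g.principal}:{g.resource}"
                              for g in unsponsored_externals(active, internal_domain)),
        "creep": identity_creep(active, max_entitlements),
    }


if __name__ == "__main__":
    for key, value in run_access_review(SAMPLE_GRANTS, REVIEW_DATE).items():
        print(f"{key}: {value}")
```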
WRAPPING UP

IT’S ABOUT PEOPLE
We CAN turn the ship around. We CAN influence our battlefield.
We need LEADERS. We need AGGRESSION.
It’s ALL people problems. Our progress is people, our problems are people.
How can you get more buy-in from people, how can you influence the mindset of people?
Gain buy-in. Make it so people have to go out of their way to be insecure.

CREATE LEVERAGE THROUGH CULTURE
"Culture eats strategy for breakfast." - P. Drucker

DIFFERENT TEAMS, SAME MISSION

BUILDING: OPEN SOURCE & APIs

SHAPE YOUR BATTLEFIELD
The attacker only has to be successful once, but the defender has to stop 100% of attacks. Once the attacker is in your environment, they should have to be 100% perfect.

PRACTICAL CYBER FRAMEWORK
Slow Attackers Down
Speed Defenders Up
Drive Default Security

QUESTIONS (AND BOOK RECOMMENDATIONS)

THANK YOU!
Ben Johnson, CTO, Obsidian Security
BSides Augusta 2019
BEN@OBSIDIANSECURITY.COM
@chicagoben | @obsidiansec