In the world of security monitoring and alerting, there is an increasing number of opportunities and advanced technologies. People look for better ways to gain insights from large datasets and are tasked with the responsibility of communicating that data throughout the entire organization. In this talk, we explore how to democratize the security of your next-gen infrastructure by building measurement directly into systems, factoring in security-related KPIs and OKRs. Attendees learn how everyone, from SMBs to enterprises, securely scale their infrastructure while continuing to enable innovation at the speed of business. This session is brought to you by AWS partner, Threat Stack.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Observability:
Democratizing Security in the
Cloud
Christopher Murdock
Security Architect
Conga
D E V 2 0 6 - S
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Business risk
Human visual processing
Security observability
Data gathering
Democratization
Putting it into practice

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
About Me:
Christopher Murdock is a Security
Architect at Conga, a top provider of
solutions on the Salesforce
AppExchange specializing in digital
document transformation. He works
closely with the CISO and internal
teams to ensure the secure design of
all applications, infrastructure, and
security toolsets. Pulling from over 15
years of DevOps and IT operations
experience, Murdock has a unique skill
set that aligns DevOps and security to
increase business effectiveness. In his
personal time, he enjoys spending time
with his wife in beautiful Colorado.

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. “Cyber and technology risk management programs going
through the motions on risk management, putting policies,
processes and technologies in place without addressing the
fundamentals of well-informed decision-making and
reliable execution. As a result, these programs are more
likely to …”
FAIR Institute
2017 Risk Management Maturity
Benchmark Survey Findings

7. “Struggle with identifying and maintaining a
focus on their most significant priorities,
wasting limited resources on lower risk
concerns and potentially delaying
remediation of truly high risk concerns.”
FAIR Institute
2017 Risk Management Maturity
Benchmark Survey Findings

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Understanding a company’s definition of risk

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Visuals are more persuasive and convey important
information quickly

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is the health of
this environment?
Good?
Bad?
Stable?

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Private data plus public S3 buckets

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud security observability
Achieving true understanding of the cloud requires going
beyond visualization of data sets from the environment –
Contextualization must be continuous and adaptable

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Specific data is incomplete without a baseline or
reference point

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Specific data is incomplete without a baseline or
reference point

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Dynamic and complex

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Key performance indicators are the data that are used
to create the visuals to tell your security story

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Understanding objectives and key results
• Objectives – Align to company and business goals
• Key results – Defined and measurable
Objective Key Results Key Performance Indicator
Lower data exposure
potential
Align with AWS security best
practices
Threat stack AWS Config audit
results >95%
Increase customer
trust by adopting
industry standard
certifications
Achieve SOC Type II
Threat stack host-based IDS deploy
rate =100%
Reduce incident time
to resolution
Improve Mean Time to Know
(MTTK)
Critical incident alert time
<5m

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How Conga socializes security data to key
stakeholders
Data are accessible
Security, development, and operations teams
DevSecOps
Discussions about data are held
Open communications channels
Security is included
Part of the planning and execution teams

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Build an action plan
Identify the company risks
• Work with key stakeholders across the business to
understand the company definition of risk
• Develop objectives and key results tied to each risk
Measure the key performance indicators (KPIs)
• Align KPI measurements with OKRs
Visuals speed mean time to understanding
• KPIs should be presented that clearly and cleanly indicate
progress towards a key result
Democratize data to provide business value
• Broad understanding of the data sets increases business
value
Socialize
• Data and visuals should be openly shared with
stakeholders

25. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Christopher Murdock
murdock@getconga.com
Twitter: @generic42
linkedin.com/in/murdock42

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.