SlideShare une entreprise Scribd logo

Building a Modern Security Engineering Organization

Z
Zane Lackey

Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk with discuss how security adapts effectively to these changes, specifically covering: - Practical advice for building and scaling modern AppSec and NetSec programs - Lessons learned for organizations seeking to launch a bug bounty program - How to run realistic attack simulations and learn the signals of compromise in your environment

Technologie
1  sur  83
Télécharger pour lire hors ligne
Building a Modern Security Engineering Organization zane@signalsciences.com @zanelackey
Who  is  this  guy  anyway?   •  Built and led the Etsy Security Team – Spoiler alert: what this presentation is about •  Recently co-founded Signal Sciences to productize effective AppSec approaches
This talk is a collection of lessons learned from building and adapting a security team
For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous
For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous –  Merging of development and operations means more people with production access
For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous –  Merging of development and operations means more people with production access –  Cost of attack has significantly dropped
Near-instantaneous deployment?
A  technical  diagram  of  tradi7onal  waterfall  code  deployment    
What is this shifting to?
Etsy pushes to production 30 times a day on average
Constant iteration in production via feature flags, ramp ups, A/B testing
But doesn’t the rapid rate of change mean things are less secure?!
Actually,  the  opposite  is   true  
They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of- band patch in continuous deployment
They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of- band patch in continuous deployment
Compared to: “We’ll rush that security fix. It will go out … in about 6 weeks.” - Former vendor at Etsy
What makes continuous deployment safe?
Source:  h<p://www.slideshare.net/mikebri<ain/advanced-­‐topics-­‐in-­‐con7nuous-­‐deployment  
The same culture of graphing and monitoring inherent to continuous deployment can be used for security too
Surface security info for everyone, not just the security team
“Don’t treat security as a binary event” - @ngalbreath
Building  a  (k-­‐)rad  culture   *Mullets  sold  separately    
In the shift to continuous deployment, speed increases by removing organizational blockers
Trying to make security a blocker means you get routed around
Instead, the focus becomes on incentivizing teams to reach out to security
Keys to incentivizing conversation: – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture.
Keys to incentivizing conversation: – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture. – Make realistic tradeoffs. Don’t fall in to the trap of thinking every issue is critical. •  Ex: Letting low risk issues ship with a reasonable remediation window buys you credibility for when things actually do need to be addressed immediately.
Keys to incentivizing conversation: – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not.
Keys to incentivizing conversation: – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not. – Reward communication with security team. T-Shirts, gift cards, and high fives all work (shockingly) well.
Keys to incentivizing conversation: – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
Keys to incentivizing conversation: – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
Access  restric7ons  
Startups begin with a simple access control policy: Everyone can access everything
As organization grow there will be more pressure to institute access policies
The key to remember is don’t take away capabilities
Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
EX: SSH access to production systems
Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
Increasing  a<acker  cost  
Specifically, some thoughts on: –  Bug Bounties –  Attack simulations/pentesting
Bug  Boun7es  
Bug bounties are tremendously useful. If you’re not working towards launching one, strongly consider it.
Common concerns about launching a bounty: 1.  Budgetary concerns. Money is almost never the main motivation for researchers, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
Common concerns about launching a bounty: 1.  Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
Common concerns about launching a bounty: 1.  Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. It’s the Internet. You’re already getting pentested continuously, you’re just not receiving the report.
The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of if your security program is working (or not)
The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of if your security program is working (or not)
The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of where your security program is working (and where it’s not)
Before you launch, record what vulnerability classes you expect to see and what you don’t. Compare this against the issues actually reported.
Before you launch, record what vulnerability classes you expect to see and what you don’t. Compare this against the issues actually reported.
Keep metrics on: – Number of bugs reported and severities – Time to remediation of reported issues You want both of these metrics to trend down over time
Practical considerations: – Inform all teams before bounty launch, especially non-engineering teams •  Ex: Customer Support – Attacks will start almost immediately For Etsy bug bounty launch, time from announcement to first attack: 13min
Practical considerations: – Inform all teams before bounty launch, especially non-engineering teams •  Ex: Customer Support – Attacks will start almost immediately For Etsy bug bounty launch, time from announcement to first attack: 13min
Practical considerations: – Your first 2-3 weeks will be intense. Have as many people as you can dedicated to triage and response
Practical considerations: – Operationally review any helper systems for scaling problems beforehand •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money almost never the overriding factor, hall of fame is –  Researchers are generally great to interact with
Practical considerations: – Operationally review any helper systems for scaling problems beforehand •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money is almost never the main motivation for bounty participants, hall of fame credit is –  Researchers are generally great to interact with
Practical considerations: – Operationally review any helper systems for scaling problems beforehand. •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money is almost never the main motivation for bounty participants, hall of fame credit is –  Key to great researcher interaction is frequent and transparent communication
XXX   Running effective attack simulations
Problems with “pentesting” are well understood in the offensive community but not as well in the defensive community
Pentests typically result in a list of enumerated known vulnerabilities to be patched, not data on how a real attacker would operate against a given environment
Attack simulations should be done to learn how attackers are likely to achieve goals against your organization NOT to show compromise is possible (spoiler alert: it is.)
Use this attack data to focus where/how to build detection mechanisms
From an organizational side, attack simulations compliment vulnerability enumeration/compliance/etc
Four keys to effective attack simulations: 1.  Goal oriented •  “Obtain domain admin”, “read the CEOs email”, “view credit card data”, … •  Ask attack team for input on goals, they’ll come up with ones you didn’t think of 2.  Full ganization in scope •  Have attack team call a contact if they’re about to do something risky – several week simulat – ion
Four keys to effective attack simulations: 1.  Goal oriented •  “Obtain domain admin”, “read the CEOs email”, “view credit card data”, … •  Ask attack team for input on goals, they’ll come up with ones you didn’t think of 2.  Full organization in scope •  Have attack team call a contact if they’re about to do something risky –  Ex: Instead of throwing an exploit that lands “most of the time”, grant access to the target system with temporary credentials
Four keys to effective attack simulations: 3.  Simulate realistic compromise patterns •  Start the attack team on a: –  standard laptop/desktop to simulate phishing/clientside compromise –  database or web server to simulate SQL injection/RCE •  0days aren’t cheating, they’re reality. Attack team should be encouraged to use them. –  Break simulation down into iterations: •  Don’t spend the full engagement time on only round of testing, once one team achieve goal(s), then swap in new attack team to achieve the same goal(s) –  Ex: We try to run 3-4 iterations per several week simulation
Four keys to effective attack simulations: 3.  Simulate realistic compromise patterns •  Start the attack team on a: –  standard laptop/desktop to simulate phishing/clientside compromise –  database or web server to simulate SQL injection/RCE •  0days aren’t cheating, they’re reality. Attack team should be encouraged to use them. 4.  Break simulation down into iterations: •  Don’t spend the full engagement time on only round of testing, once one team achieve goal(s), then swap in new attack team to achieve the same goal(s) –  Ex: We try to run 3-4 iterations per several week simulation
The project output should be attack chains showing how attack team went from A->B->C to achieve goals, what steps they took and why
Just as importantly, what steps they didn’t take Ex: “We didn’t try to find internal network diagrams on your wiki because zone transfers were enabled so we could got enough data about your network from that”
Remember, the goal is to simulate realistic attack behaviors and patterns that can be used to enhance detection
In addition, simulate varying attack profiles from quick & loud to quietly maintaining persistence
Over multiple iterations learn what behaviors overlap between attackers and what strong signals of lateral movement in your environment look like
TL;DR (The section formerly known as “Conclusions”)
•  Adapt security team culture to DevOps and continuous deployment by: – Surfacing security monitoring and metrics – Incentivize discussions with the security team – When creating policy, don’t take away capabilities •  Drive up attacker cost through bug bounty programs, countering phishing, and running realistic attack simulations
Thanks!   zane@signalsciences.com @zanelackey

Recommandé

Attack-driven defense
Attack-driven defenseAttack-driven defense
Attack-driven defenseZane Lackey
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code AnalysisObika Gellineau
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Dragos, Inc.
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeDataWorks Summit
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...Mauricio Velazco
 
Classification of vulnerabilities
Classification of vulnerabilitiesClassification of vulnerabilities
Classification of vulnerabilitiesMayur Mehta
 

Recommandé

Attack-driven defense
Attack-driven defenseAttack-driven defense
Attack-driven defenseZane Lackey
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code AnalysisObika Gellineau
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Dragos, Inc.
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeDataWorks Summit
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...Mauricio Velazco
 
Classification of vulnerabilities
Classification of vulnerabilitiesClassification of vulnerabilities
Classification of vulnerabilitiesMayur Mehta
 
Learning Rust the Hard Way for a Production Kafka + ScyllaDB Pipeline
Learning Rust the Hard Way for a Production Kafka + ScyllaDB PipelineLearning Rust the Hard Way for a Production Kafka + ScyllaDB Pipeline
Learning Rust the Hard Way for a Production Kafka + ScyllaDB PipelineScyllaDB
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Kafka: All an engineer needs to know
Kafka: All an engineer needs to knowKafka: All an engineer needs to know
Kafka: All an engineer needs to knowThao Huynh Quang
 
How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017
How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017
How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017Amazon Web Services
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
zero day exploits
zero day exploitszero day exploits
zero day exploitsAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis Cysinfo Cyber Security Community
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Getting started with Splunk
Getting started with SplunkGetting started with Splunk
Getting started with SplunkSplunk
 
XXE - XML External Entity Attack
XXE - XML External Entity Attack XXE - XML External Entity Attack
XXE - XML External Entity Attack Cysinfo Cyber Security Community
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detectionChong-Kuan Chen
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Evan Ellis "Tumblr. Massively Sharded MySQL"
Evan Ellis "Tumblr. Massively Sharded MySQL"Evan Ellis "Tumblr. Massively Sharded MySQL"
Evan Ellis "Tumblr. Massively Sharded MySQL"Alexey Mahotkin
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security Zane Lackey
 
NVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas BautersNVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas BautersNVISO
 
Splunk introduction
Splunk introductionSplunk introduction
Splunk introductionTruong Cuong
 
Application Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaApplication Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaRobert Grupe, CSSLP CISSP PE PMP
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Stefan Streichsbier
 

Contenu connexe

Tendances

Learning Rust the Hard Way for a Production Kafka + ScyllaDB Pipeline
Learning Rust the Hard Way for a Production Kafka + ScyllaDB PipelineLearning Rust the Hard Way for a Production Kafka + ScyllaDB Pipeline
Learning Rust the Hard Way for a Production Kafka + ScyllaDB PipelineScyllaDB
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Kafka: All an engineer needs to know
Kafka: All an engineer needs to knowKafka: All an engineer needs to know
Kafka: All an engineer needs to knowThao Huynh Quang
 
How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017
How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017
How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017Amazon Web Services
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Getting started with Splunk
Getting started with SplunkGetting started with Splunk
Getting started with SplunkSplunk
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detectionChong-Kuan Chen
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Evan Ellis "Tumblr. Massively Sharded MySQL"
Evan Ellis "Tumblr. Massively Sharded MySQL"Evan Ellis "Tumblr. Massively Sharded MySQL"
Evan Ellis "Tumblr. Massively Sharded MySQL"Alexey Mahotkin
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security Zane Lackey
 
NVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas BautersNVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas BautersNVISO
 
Splunk introduction
Splunk introductionSplunk introduction
Splunk introductionTruong Cuong
 

Tendances (20)

Learning Rust the Hard Way for a Production Kafka + ScyllaDB Pipeline
Learning Rust the Hard Way for a Production Kafka + ScyllaDB PipelineLearning Rust the Hard Way for a Production Kafka + ScyllaDB Pipeline
Learning Rust the Hard Way for a Production Kafka + ScyllaDB Pipeline
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Kafka: All an engineer needs to know
Kafka: All an engineer needs to knowKafka: All an engineer needs to know
Kafka: All an engineer needs to know
 
How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017
How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017
How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
zero day exploits
zero day exploitszero day exploits
zero day exploits
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Getting started with Splunk
Getting started with SplunkGetting started with Splunk
Getting started with Splunk
 
XXE - XML External Entity Attack
XXE - XML External Entity Attack XXE - XML External Entity Attack
XXE - XML External Entity Attack
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detection
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Evan Ellis "Tumblr. Massively Sharded MySQL"
Evan Ellis "Tumblr. Massively Sharded MySQL"Evan Ellis "Tumblr. Massively Sharded MySQL"
Evan Ellis "Tumblr. Massively Sharded MySQL"
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
 
NVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas BautersNVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO - A Journey Through Adversary Emulation - Jonas Bauters
 
Splunk introduction
Splunk introductionSplunk introduction
Splunk introduction
 
Application Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaApplication Security Logging with Splunk using Java
Application Security Logging with Splunk using Java
 

En vedette

How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Stefan Streichsbier
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
From DevOps to DevSecOps: 2 Dimensions of Security for DevOps
From DevOps to DevSecOps: 2 Dimensions of Security for DevOpsFrom DevOps to DevSecOps: 2 Dimensions of Security for DevOps
From DevOps to DevSecOps: 2 Dimensions of Security for DevOpsSanjeev Sharma
 
Growth Hacking with Predictive Analytics
Growth Hacking with Predictive AnalyticsGrowth Hacking with Predictive Analytics
Growth Hacking with Predictive AnalyticsAndrew Ahn
 
Building security leaders ISSA Virtual CISO Series
Building security leaders ISSA Virtual CISO SeriesBuilding security leaders ISSA Virtual CISO Series
Building security leaders ISSA Virtual CISO SeriesAaron Carpenter
 
Losing battles, winning wars
Losing battles, winning warsLosing battles, winning wars
Losing battles, winning warsRafal Los
 
II Security At Microsoft
II Security At MicrosoftII Security At Microsoft
II Security At MicrosoftMark J. Feldman
 
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...Bill Slawski
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Health IT Conference – iHT2
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT SecuritySeccuris Inc.
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organizationDan Morrill
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ InfrastructurePriyank Hada
 
Project Execution Methodologies – Rising a Step Further
Project Execution Methodologies – Rising a Step FurtherProject Execution Methodologies – Rising a Step Further
Project Execution Methodologies – Rising a Step FurtherSPEC INDIA
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationPECB
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
Information Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesInformation Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesJorge Sebastiao
 

En vedette (20)

How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
From DevOps to DevSecOps: 2 Dimensions of Security for DevOps
From DevOps to DevSecOps: 2 Dimensions of Security for DevOpsFrom DevOps to DevSecOps: 2 Dimensions of Security for DevOps
From DevOps to DevSecOps: 2 Dimensions of Security for DevOps
 
Growth Hacking with Predictive Analytics
Growth Hacking with Predictive AnalyticsGrowth Hacking with Predictive Analytics
Growth Hacking with Predictive Analytics
 
Building security leaders ISSA Virtual CISO Series
Building security leaders ISSA Virtual CISO SeriesBuilding security leaders ISSA Virtual CISO Series
Building security leaders ISSA Virtual CISO Series
 
Losing battles, winning wars
Losing battles, winning warsLosing battles, winning wars
Losing battles, winning wars
 
II Security At Microsoft
II Security At MicrosoftII Security At Microsoft
II Security At Microsoft
 
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT Security
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organization
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
 
Project Execution Methodologies – Rising a Step Further
Project Execution Methodologies – Rising a Step FurtherProject Execution Methodologies – Rising a Step Further
Project Execution Methodologies – Rising a Step Further
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
 
Mobile_app_security
Mobile_app_securityMobile_app_security
Mobile_app_security
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
Information Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesInformation Security Cost Effective Managed Services
Information Security Cost Effective Managed Services
 

Similaire à Building a Modern Security Engineering Organization

Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane LackeyYandex
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security TestingPECB
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environmentArthur Donkers
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранSigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecurityVlad Styran
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsFireEye, Inc.
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff WilliamsDevSecCon
 
Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Dinis Cruz
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
Selling Infosec to the CSuite
Selling Infosec to the CSuiteSelling Infosec to the CSuite
Selling Infosec to the CSuiteDave R. Taylor
 
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics MethodsSplunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics MethodsSplunk
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
SplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunk
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESIJNSA Journal
 
Continuous Deployment
Continuous DeploymentContinuous Deployment
Continuous DeploymentBrian Henerey
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and SecurityStijn Muylle
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopSplunk
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesIJNSA Journal
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityVodqaBLR
 

Similaire à Building a Modern Security Engineering Organization (20)

Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security Testing
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security Teams
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff Williams
 
Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration Testing
 
Selling Infosec to the CSuite
Selling Infosec to the CSuiteSelling Infosec to the CSuite
Selling Infosec to the CSuite
 
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics MethodsSplunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
SplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics Methods
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
 
Continuous Deployment
Continuous DeploymentContinuous Deployment
Continuous Deployment
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and Security
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM Workshop
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resources
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibility
 

Dernier

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Dernier (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Building a Modern Security Engineering Organization

  • 1. Building a Modern Security Engineering Organization zane@signalsciences.com @zanelackey
  • 2. Who  is  this  guy  anyway?   •  Built and led the Etsy Security Team – Spoiler alert: what this presentation is about •  Recently co-founded Signal Sciences to productize effective AppSec approaches
  • 3. This talk is a collection of lessons learned from building and adapting a security team
  • 4. For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous
  • 5. For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous –  Merging of development and operations means more people with production access
  • 6. For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous –  Merging of development and operations means more people with production access –  Cost of attack has significantly dropped
  • 8. A  technical  diagram  of  tradi7onal  waterfall  code  deployment    
  • 9. What is this shifting to?
  • 10. Etsy pushes to production 30 times a day on average
  • 11. Constant iteration in production via feature flags, ramp ups, A/B testing
  • 12. But doesn’t the rapid rate of change mean things are less secure?!
  • 13. Actually,  the  opposite  is   true  
  • 14. They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of- band patch in continuous deployment
  • 15. They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of- band patch in continuous deployment
  • 16. Compared to: “We’ll rush that security fix. It will go out … in about 6 weeks.” - Former vendor at Etsy
  • 17. What makes continuous deployment safe?
  • 18.
  • 20. The same culture of graphing and monitoring inherent to continuous deployment can be used for security too
  • 21. Surface security info for everyone, not just the security team
  • 22.
  • 23. “Don’t treat security as a binary event” - @ngalbreath
  • 24. Building  a  (k-­‐)rad  culture   *Mullets  sold  separately    
  • 25. In the shift to continuous deployment, speed increases by removing organizational blockers
  • 26. Trying to make security a blocker means you get routed around
  • 27. Instead, the focus becomes on incentivizing teams to reach out to security
  • 28. Keys to incentivizing conversation: – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture.
  • 29. Keys to incentivizing conversation: – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture. – Make realistic tradeoffs. Don’t fall in to the trap of thinking every issue is critical. •  Ex: Letting low risk issues ship with a reasonable remediation window buys you credibility for when things actually do need to be addressed immediately.
  • 30. Keys to incentivizing conversation: – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not.
  • 31. Keys to incentivizing conversation: – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not. – Reward communication with security team. T-Shirts, gift cards, and high fives all work (shockingly) well.
  • 32. Keys to incentivizing conversation: – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
  • 33. Keys to incentivizing conversation: – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
  • 35. Startups begin with a simple access control policy: Everyone can access everything
  • 36. As organization grow there will be more pressure to institute access policies
  • 37. The key to remember is don’t take away capabilities
  • 38. Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
  • 39. Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
  • 40. Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
  • 41. Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
  • 42. EX: SSH access to production systems
  • 43. Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
  • 44. Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
  • 45. Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
  • 46. Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
  • 48. Specifically, some thoughts on: –  Bug Bounties –  Attack simulations/pentesting
  • 50. Bug bounties are tremendously useful. If you’re not working towards launching one, strongly consider it.
  • 51. Common concerns about launching a bounty: 1.  Budgetary concerns. Money is almost never the main motivation for researchers, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
  • 52. Common concerns about launching a bounty: 1.  Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
  • 53. Common concerns about launching a bounty: 1.  Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. It’s the Internet. You’re already getting pentested continuously, you’re just not receiving the report.
  • 54. The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of if your security program is working (or not)
  • 55. The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of if your security program is working (or not)
  • 56. The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of where your security program is working (and where it’s not)
  • 57. Before you launch, record what vulnerability classes you expect to see and what you don’t. Compare this against the issues actually reported.
  • 58. Before you launch, record what vulnerability classes you expect to see and what you don’t. Compare this against the issues actually reported.
  • 59. Keep metrics on: – Number of bugs reported and severities – Time to remediation of reported issues You want both of these metrics to trend down over time
  • 60. Practical considerations: – Inform all teams before bounty launch, especially non-engineering teams •  Ex: Customer Support – Attacks will start almost immediately For Etsy bug bounty launch, time from announcement to first attack: 13min
  • 61. Practical considerations: – Inform all teams before bounty launch, especially non-engineering teams •  Ex: Customer Support – Attacks will start almost immediately For Etsy bug bounty launch, time from announcement to first attack: 13min
  • 62. Practical considerations: – Your first 2-3 weeks will be intense. Have as many people as you can dedicated to triage and response
  • 63. Practical considerations: – Operationally review any helper systems for scaling problems beforehand •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money almost never the overriding factor, hall of fame is –  Researchers are generally great to interact with
  • 64. Practical considerations: – Operationally review any helper systems for scaling problems beforehand •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money is almost never the main motivation for bounty participants, hall of fame credit is –  Researchers are generally great to interact with
  • 65. Practical considerations: – Operationally review any helper systems for scaling problems beforehand. •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money is almost never the main motivation for bounty participants, hall of fame credit is –  Key to great researcher interaction is frequent and transparent communication
  • 66. XXX   Running effective attack simulations
  • 67. Problems with “pentesting” are well understood in the offensive community but not as well in the defensive community
  • 68. Pentests typically result in a list of enumerated known vulnerabilities to be patched, not data on how a real attacker would operate against a given environment
  • 69. Attack simulations should be done to learn how attackers are likely to achieve goals against your organization NOT to show compromise is possible (spoiler alert: it is.)
  • 70. Use this attack data to focus where/how to build detection mechanisms
  • 71. From an organizational side, attack simulations compliment vulnerability enumeration/compliance/etc
  • 72. Four keys to effective attack simulations: 1.  Goal oriented •  “Obtain domain admin”, “read the CEOs email”, “view credit card data”, … •  Ask attack team for input on goals, they’ll come up with ones you didn’t think of 2.  Full ganization in scope •  Have attack team call a contact if they’re about to do something risky – several week simulat – ion
  • 73. Four keys to effective attack simulations: 1.  Goal oriented •  “Obtain domain admin”, “read the CEOs email”, “view credit card data”, … •  Ask attack team for input on goals, they’ll come up with ones you didn’t think of 2.  Full organization in scope •  Have attack team call a contact if they’re about to do something risky –  Ex: Instead of throwing an exploit that lands “most of the time”, grant access to the target system with temporary credentials
  • 74. Four keys to effective attack simulations: 3.  Simulate realistic compromise patterns •  Start the attack team on a: –  standard laptop/desktop to simulate phishing/clientside compromise –  database or web server to simulate SQL injection/RCE •  0days aren’t cheating, they’re reality. Attack team should be encouraged to use them. –  Break simulation down into iterations: •  Don’t spend the full engagement time on only round of testing, once one team achieve goal(s), then swap in new attack team to achieve the same goal(s) –  Ex: We try to run 3-4 iterations per several week simulation
  • 75. Four keys to effective attack simulations: 3.  Simulate realistic compromise patterns •  Start the attack team on a: –  standard laptop/desktop to simulate phishing/clientside compromise –  database or web server to simulate SQL injection/RCE •  0days aren’t cheating, they’re reality. Attack team should be encouraged to use them. 4.  Break simulation down into iterations: •  Don’t spend the full engagement time on only round of testing, once one team achieve goal(s), then swap in new attack team to achieve the same goal(s) –  Ex: We try to run 3-4 iterations per several week simulation
  • 76. The project output should be attack chains showing how attack team went from A->B->C to achieve goals, what steps they took and why
  • 77. Just as importantly, what steps they didn’t take Ex: “We didn’t try to find internal network diagrams on your wiki because zone transfers were enabled so we could got enough data about your network from that”
  • 78. Remember, the goal is to simulate realistic attack behaviors and patterns that can be used to enhance detection
  • 79. In addition, simulate varying attack profiles from quick & loud to quietly maintaining persistence
  • 80. Over multiple iterations learn what behaviors overlap between attackers and what strong signals of lateral movement in your environment look like
  • 81. TL;DR (The section formerly known as “Conclusions”)
  • 82. •  Adapt security team culture to DevOps and continuous deployment by: – Surfacing security monitoring and metrics – Incentivize discussions with the security team – When creating policy, don’t take away capabilities •  Drive up attacker cost through bug bounty programs, countering phishing, and running realistic attack simulations