Building a Modern Security Engineering Organization.
- Claude Newman
- 8 years ago
Who is this guy anyway?
- Built and led the Etsy Security Team (spoiler alert: that is what this presentation is about)
- Recently co-founded Signal Sciences to productize effective AppSec approaches

This talk is a collection of lessons learned from building and adapting a security team.
For security teams, the world has changed in fundamental ways:
- Code deployment is now near-instantaneous
- Merging of development and operations means more people with production access
- Cost of attack has significantly dropped
Near-instantaneous deployment?

[Figure: a technical diagram of traditional waterfall code deployment]

What is this shifting to?

Etsy pushes to production 30 times a day on average.

Constant iteration in production via feature flags, ramp-ups, A/B testing.

But doesn't the rapid rate of change mean things are less secure?!

Actually, the opposite is true.
The key to realize is that vulnerabilities occur in all development methodologies. But there's no such thing as an out-of-band patch in continuous deployment: a security fix ships through the same fast path as every other change, instead of waiting for the next release cycle.
Compared to: "We'll rush that security fix. It will go out in about 6 weeks." - Former vendor at Etsy

What makes continuous deployment safe?
Source: http:// topics-in-continuous-deployment

The same culture of graphing and monitoring inherent to continuous deployment can be used for security too.

Surface security info for everyone, not just the security team.
Don't treat security as a binary event.

Building a (k-)rad culture (*mullets sold separately)

In the shift to continuous deployment, speed increases by removing organizational blockers.

Trying to make security a blocker means you get routed around.

Instead, the focus becomes incentivizing teams to reach out to security.
Keys to incentivizing conversation:
- Don't be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your team's culture.
- Make realistic tradeoffs. Don't fall into the trap of thinking every issue is critical. Ex: letting low-risk issues ship with a reasonable remediation window buys you credibility for when things actually do need to be addressed immediately.
- Coherently explain impact. "This would allow all our user data to be compromised if the attacker did X and Y" paints a clear picture, where "The input validation in this function is weak" does not.
- Reward communication with the security team. T-shirts, gift cards, and high fives all work (shockingly) well.
- Take the false-positive hit yourself. Don't send unverified issues to dev and ops teams. When issues come in, have the security team verify them and make the first attempt at a patch.
- Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams' culture.
Access restrictions

Startups begin with a simple access control policy: everyone can access everything.

As organizations grow, there will be more pressure to institute access policies.

The key to remember is: don't take away capabilities.
Methodology:
1. Figure out what capability is needed
2. Build an alternate way to perform the needed function in a safe way
3. Transition the organization over to the safe way
4. Alert on any usage of the old unsafe way
Ex: SSH access to production systems

Security policy goal: eliminate unneeded access to production systems.
- Why do developers do it? Ex: to view error logs
- Build an alternate approach: send the logs to a central logging service (ex: Elasticsearch, Splunk, etc.)
- Publicize the new tooling to the organization
- After the majority of the transition, alert on any logins to production systems by non-sysops
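Step 4 of the methodology, alerting on the old unsafe path, as an added example that is not from the talk or from Etsy's tooling: it scans OpenSSH's standard "Accepted <method> for <user> from <ip>" syslog lines and flags successful logins to production hosts by anyone outside the sysops group. The log lines, the host naming scheme (web*/db* are production), the user names and the sysops allowlist are all constructed for the example.

```python
"""Alert on interactive SSH logins to production hosts by non-sysops.

Added example, not the talk's own code. Assumptions (all invented):
  * production hosts are named web<N> / db<N>
  * the sysops group is the SYSOPS set below
  * log lines are OpenSSH's default syslog format
"""
import re
from dataclasses import dataclass

# Constructed sample: a few syslog lines as sshd writes them (not real data).
SAMPLE_LOG = """\
May 12 10:01:22 web01 sshd[2211]: Accepted publickey for alice from 10.1.2.3 port 50122 ssh2
May 12 10:02:05 web01 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
May 12 10:03:41 db02 sshd[918]: Accepted publickey for bob from 10.1.2.7 port 50130 ssh2
May 12 10:05:00 web03 sshd[3170]: Accepted password for root from 10.1.9.9 port 51001 ssh2
May 12 10:06:12 build01 sshd[77]: Accepted publickey for carol from 10.1.2.8 port 50200 ssh2
"""

SYSOPS = {"alice"}                                  # assumption: the ops group
PRODUCTION_HOST_RE = re.compile(r"^(web|db)\d+$")   # assumption: naming scheme

# Only successful logins match; "Failed password" and unrelated lines do not.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Login:
    ts: str
    host: str
    user: str
    method: str
    src: str


def parse_accepted_logins(text):
    """Yield one Login per successful sshd login line in the text."""
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            yield Login(m["ts"], m["host"], m["user"], m["method"], m["src"])


def is_production(host):
    return bool(PRODUCTION_HOST_RE.match(host))


def unexpected_prod_logins(text, sysops=SYSOPS):
    """Logins to production hosts by accounts outside the sysops allowlist.

    Shared accounts such as root are deliberately never on the allowlist, so a
    root login always alerts even if an ops person made it.
    """
    return [login for login in parse_accepted_logins(text)
            if is_production(login.host) and login.user not in sysops]


def alert_lines(text, sysops=SYSOPS):
    """Human-readable alert text, one line per unexpected login."""
    return [f"ALERT non-sysops login: {l.user} -> {l.host} "
            f"via {l.method} from {l.src} at {l.ts}"
            for l in unexpected_prod_logins(text, sysops)]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_LOG):
        print(line)
```

In the sample, alice's login is expected, carol's goes to a build host rather than production, and the two alerts are bob on db02 and the shared root account on web03. Run it against your central log stream (the same Elasticsearch or Splunk pipeline the error logs now go to) rather than on each host, so a login that turns a box off cannot also suppress its own alert.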
Increasing attacker cost

Specifically, some thoughts on:
- Bug bounties
- Attack simulations/pentesting

Bug Bounties

Bug bounties are tremendously useful. If you're not working towards launching one, strongly consider it.
Common concerns about launching a bounty:
1. Budgetary concerns. Money is rarely the main motivation for participants; you can launch a bounty with just a hall of fame and still get great submissions.
2. Risk of inviting attacks. It's the Internet. You're already getting pentested continuously, you're just not receiving the report.
The ultimate goals of a bug bounty are threefold:
1. Incentivize people to report issues to you in the first place
2. Drive up the cost of vulnerability discovery and exploitation for attackers
3. Provide external validation of where your security program is working (and where it's not)
Before you launch, record what vulnerability classes you expect to see and what you don't. Compare this against the issues actually reported.

Keep metrics on:
- Number of bugs reported and their severities
- Time to remediation of reported issues
You want both of these metrics to trend down over time.
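The two metrics above and the expected-versus-observed comparison, computed over a constructed set of bounty reports, as an added example that is not the talk's own tooling. Every report record, date, severity, vulnerability class and the "expected classes" list is invented for illustration; the interesting design choice is that still-open reports count as open as of a cutoff date, so they push the remediation number up instead of disappearing from it.

```python
"""Bug bounty metrics: reports per month by severity, median days to
remediation, and the gap between expected and observed vulnerability classes.

Added example, not the talk's code. All data below is constructed.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed reports: (reported, fixed or None if still open, severity, class)
REPORTS = [
    (date(2014, 3, 3),  date(2014, 3, 4),  "high",   "xss"),
    (date(2014, 3, 3),  date(2014, 3, 10), "medium", "csrf"),
    (date(2014, 3, 5),  date(2014, 3, 5),  "high",   "sqli"),
    (date(2014, 3, 9),  date(2014, 3, 30), "low",    "info-disclosure"),
    (date(2014, 4, 2),  date(2014, 4, 3),  "medium", "xss"),
    (date(2014, 4, 11), date(2014, 4, 13), "low",    "open-redirect"),
    (date(2014, 5, 1),  None,              "low",    "clickjacking"),
    (date(2014, 5, 6),  date(2014, 5, 7),  "high",   "idor"),
]

# What the team wrote down before launch (constructed).
EXPECTED_CLASSES = {"xss", "csrf", "sqli", "open-redirect", "info-disclosure", "ssrf"}

# Cutoff for "how long has this been open" on unfixed reports (constructed).
AS_OF = date(2014, 5, 31)


def month_key(d):
    return f"{d.year}-{d.month:02d}"


def reports_per_month(reports):
    """Number of reports per month, broken down by severity."""
    out = defaultdict(Counter)
    for reported, _fixed, severity, _cls in reports:
        out[month_key(reported)][severity] += 1
    return {m: dict(c) for m, c in sorted(out.items())}


def median_days_to_fix(reports, as_of):
    """Median remediation time (days) per month of report.

    An unfixed report is counted as open from its report date up to as_of,
    so an ignored issue keeps dragging its month's number up.
    """
    by_month = defaultdict(list)
    for reported, fixed, _severity, _cls in reports:
        by_month[month_key(reported)].append(((fixed or as_of) - reported).days)
    return {m: median(days) for m, days in sorted(by_month.items())}


def expectation_gap(reports, expected):
    """Classes reported that were not predicted, and predicted ones never seen."""
    observed = {cls for *_rest, cls in reports}
    return {
        "unexpected": sorted(observed - expected),
        "expected_but_absent": sorted(expected - observed),
    }


if __name__ == "__main__":
    print("reports/month:", reports_per_month(REPORTS))
    print("median days to fix:", median_days_to_fix(REPORTS, AS_OF))
    print("expectation gap:", expectation_gap(REPORTS, EXPECTED_CLASSES))
```

With the constructed data, March's median remediation is 4 days and May's is 15.5 only because one low-severity report is still open; the expectation gap surfaces clickjacking and IDOR as classes nobody predicted, which is exactly the "where the program is not working" signal the slides want from a bounty.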
Practical considerations:
- Inform all teams before the bounty launch, especially non-engineering teams. Ex: Customer Support
- Attacks will start almost immediately. For the Etsy bug bounty launch, time from announcement to first attack: 13 min
Practical considerations:
- Your first 2-3 weeks will be intense. Have as many people as you can dedicated to triage and response.
- Operationally review any helper systems for scaling problems beforehand. When x times the usual traffic hits the helper systems your security team uses, what falls over?
- Money is almost never the main motivation for bounty participants; hall of fame credit is.
- Key to great researcher interaction is frequent and transparent communication.
Running effective attack simulations

Problems with pentesting are well understood in the offensive community but not as well in the defensive community.

Pentests typically result in a list of enumerated known vulnerabilities to be patched, not data on how a real attacker would operate against a given environment.

Attack simulations should be done to learn how attackers are likely to achieve goals against your organization, NOT to show compromise is possible (spoiler alert: it is).

Use this attack data to focus where/how to build detection mechanisms.

From an organizational side, attack simulations complement vulnerability enumeration/compliance/etc.
Four keys to effective attack simulations:
1. Goal oriented. Obtain domain admin, read the CEO's , view credit card data, ... Ask the attack team for input on goals; they'll come up with ones you didn't think of.
2. Full organization in scope. Have the attack team call a contact if they're about to do something risky. Ex: instead of throwing an exploit that lands most of the time, grant access to the target system with temporary credentials.
3. Simulate realistic compromise patterns. Start the attack team on a standard laptop/desktop to simulate phishing/client-side compromise, or on a database or web server to simulate SQL injection/RCE. 0days aren't cheating, they're reality; the attack team should be encouraged to use them.
4. Break the simulation down into iterations. Don't spend the full engagement time on only one round of testing: once one team achieves the goal(s), swap in a new attack team to achieve the same goal(s). Ex: we try to run 3-4 iterations per several-week simulation.
The project output should be attack chains showing how the attack team went from A->B->C to achieve goals, what steps they took and why.

Just as importantly, what steps they didn't take. Ex: "We didn't try to find internal network diagrams on your wiki because zone transfers were enabled, so we could get enough data about your network from that."

Remember, the goal is to simulate realistic attack behaviors and patterns that can be used to enhance detection.

In addition, simulate varying attack profiles, from quick & loud to quietly maintaining persistence.

Over multiple iterations, learn what behaviors overlap between attackers and what strong signals of lateral movement in your environment look like.
TL;DR (the section formerly known as "Conclusions")

Adapt security team culture to DevOps and continuous deployment by:
- Surfacing security monitoring and metrics
- Incentivizing discussions with the security team
- Not taking away capabilities when creating policy
- Driving up attacker cost through bug bounty programs, countering phishing, and running realistic attack simulations
More informationCyber Security for Start-ups: An Affordable 10-Step Plan
SESSION ID: ECO-W03 Cyber Security for Start-ups: An Affordable 10-Step Plan David Cowan Partner Bessemer Venture Partners @davidcowan Acknowledgements Startups don't like friction to get their job done.
More informationNetwork Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name
Network Assessment Prepared For: Prospect Or Customer Prepared By: Your Company Name Environment Risk and Issue Score Issue Review Next Steps Agenda Environment - Overview Domain Domain Controllers 4 Number
More informationFIVE PRACTICAL STEPS
WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND
More informationSaaS Attacks Happen: How Cloud Scale Changes the Security Game Sara Manning Dawson
SESSION ID: CSV W04 SaaS Attacks Happen: How Cloud Scale Changes the Security Game Sara Manning Dawson Group Program Manager Office 365 Security Engineering @SManningDawson Goals How can the unique properties
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationDeveloping Secure Software in the Age of Advanced Persistent Threats
Developing Secure Software in the Age of Advanced Persistent Threats ERIC BAIZE EMC Corporation DAVE MARTIN EMC Corporation Session ID: ASEC-201 Session Classification: Intermediate Our Job: Keep our Employer
More informationDRUPAL WEBSITE PLATFORM BUYER S GUIDE
THE DRUPAL WEBSITE PLATFORM BUYER S GUIDE 5 Steps to Selecting the Best Technology to Build, Launch, and Manage Your Drupal Site 1 The Drupal Website Platform Buyer s Guide EVERYTHING YOU NEED TO KNOW
More informationSecuring Database Servers. Database security for enterprise information systems and security professionals
Securing Database Servers Database security for enterprise information systems and security professionals Introduction: Database servers are the foundation of virtually every Electronic Business, Financial,
More information1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information
1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information Proteggere i dati direttamente nel database Una proposta tecnologica Angelo Maria Bosis Sales Consulting Senior Manager
More informationRACK911 Labs. Year in Review. May 6, 2014
RACK911 Labs Year in Review May 6, 014 The security of the hosting industry has always been a concern of RACK911 and in May of 013 we decided to take a more proactive role by creating a new brand called
More informationSeven Practical Steps to Delivering More Secure Software. January 2011
Seven Practical Steps to Delivering More Secure Software January 2011 Table of Contents Actions You Can Take Today 3 Delivering More Secure Code: The Seven Steps 4 Step 1: Quick Evaluation and Plan 5 Step
More information2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report
2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report 28 September 2012 Submitted to: Donald Lafleur IS Audit Manager ND State Auditor
More informationA Case for Managed Security
A Case for Managed Security By Christopher Harper Managing Director, Security Superior Managed IT & Security Services 1. INTRODUCTION Most firms believe security breaches happen because of one key malfunction
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More informationITEC441- IS Security. Chapter 15 Performing a Penetration Test
1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and
More informationSecuring SharePoint 101. Rob Rachwald Imperva
Securing SharePoint 101 Rob Rachwald Imperva Major SharePoint Deployment Types Internal Portal Uses include SharePoint as a file repository Only accessible by internal users Company Intranet External Portal
More informationDesigning and Implementing Your Communication s Dashboard: Lessons Learned
Designing and Implementing Your Communication s Dashboard: Lessons Learned By Katie Delahaye Paine President, Paine & Partners Contact Information: Katie Delahaye Paine CEO KDPaine & Partners Durham, NH
More informationUbisecure. White Paper Series. e-service Maturity Model
Ubisecure White Paper Series e-service Maturity Model 2 e-service Maturity Model What we ve seen when we ve been dealing with the extranets and e-services, where companies can offer always available, easy-to-use
More information5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain
5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain Introduction Cybersecurity for the enterprise. There is no silver bullet. But as business becomes more connected and as data moves
More informationMigrating Within the Cloud, SaaS to SaaS
Migrating Within the Cloud, SaaS to SaaS A Real World Experience COLLABORATIVE WHITEPAPER SERIES COLLABORATIVE WHITE PAPER SERIES: Migrating Within the Cloud, SaaS to SaaS How do you know when a technology
More informationAchieving Continuous Integration with Drupal
23 Au gu Achieving Continuous Integration with Drupal st 20 12 Achieving Continuous Integration with Drupal Drupalcon Munich 2012 Barry Jaspan barry.jaspan@acquia.com The Evolution of a Drupal Developer
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationGetting Started with Web Application Security
Written by Gregory Leonard February 2016 Sponsored by Veracode 2016 SANS Institute Since as far back as 2005, 1 web applications have been attackers predominant target for the rich data that can be pulled
More informationBreach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security
Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are
More informationMaking the Business Case for Email Authentication
Making the Business Case for Email Authentication 2Q 2015 Introduction to DMARC.org DMARC.org is an initiative of the non-profit Trusted Domain Project (TDP). The mission of DMARC.org is to promote the
More informationMITB Grabbing Login Credentials
MITB Grabbing Login Credentials Original pre-login fields UID, password & site Modified pre-login fields Now with ATM details and MMN New fields added MITB malware inserted additional fields. Records them,
More informationThe AppSec How-To: Achieving Security in DevOps
The AppSec How-To: Achieving Security in DevOps How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be
More informationDevOps. Happiest People Happiest Customers
DevOps Happiest People Happiest Customers Contents Introduction...3 What Is DevOps?...3 Do We Really Need DevOps?...4 Survey of DevOps Quantifiable Benefits...5 How Does DevOps Work Anyways?...5 Challenges
More informationProtecting against cyber threats and security breaches
Protecting against cyber threats and security breaches IBM APT Survival Kit Alberto Benavente Martínez abenaventem@es.ibm.com IBM Security Services Jun 11, 2015 (Madrid, Spain) 12015 IBM Corporation So
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationCONTINUOUS INTEGRATION, DELIVERY & DEPLOYMENT BEST PRACTICES. BETSOL The Right Solution,Right Now
CONTINUOUS INTEGRATION, DELIVERY & DEPLOYMENT BEST PRACTICES BETSOL The Right Solution,Right Now TABLE OF CONTENTS DRASTICALLY CHANGE SOFTWARE TIME TO MARKET As innovation excels, moving features to market
More informationClient logo placeholder XXX REPORT. Page 1 of 37
Client logo placeholder XXX REPORT Page 1 of 37 Report Details Title Xxx Penetration Testing Report Version V1.0 Author Tester(s) Approved by Client Classification Confidential Recipient Name Title Company
More information