Security by Collaboration: Rethinking Red Teams versus Blue Teams

Post on 16-Jul-2015


Security by Collaboration: Rethinking Red Teams vs. Blue Teams

Kevin Johnson

CEO

Secure Ideas, @SecureIdeas

Mike Saurbaugh

Mgr, Information Security

Corning Credit Union, @MikeSaurbaugh


Evaluating Our Approach!

Source: http://web.securityinnovation.com/Portals/49125/docs/ponemon-pci-whitepaper.pdf


United, Not Divided


“Let’s See How Bad It Is…”

Overt vs. Covert


Security Awareness & Collaboration: Not Just “Users”

Employees

Developers

Security

Operations

http://assessmentcenter.org/KSA%20Scrabble.png


Why Rethink Red vs. Blue

Security has commonly been split and lacks the combined benefits.

Together, they build understanding and a comprehensive program.


Overview of Awareness & Collaboration

1) Employees begin in a state of unawareness (risk, policy, procedures, and most importantly, WHY).

2) They become aware of potential impact(s) and the role they play. It doesn’t mean they know what to do; they’re simply aware.

3) Through training solutions, employees learn to identify, respond, and follow policies and procedures.

4) Behavioral change occurs as a result of the process. Employees begin to take proactive security measures and are more engaged, leading to positive business impact (not reusing passwords).


The State of Security Awareness

45% Provide Formal Program, 55% No Formal Program!


Options Addressing Security Awareness

Progress/Output Impact/Outcome


Collaboration Example


Collaboration Example

The process '…\w3wp.exe' (as user …) attempted to receive the data '/…?include=../../../../../../../../../etc/passwd'. The operation was denied.
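The alert above is what a host-based control reports when a web worker is fed a directory-traversal parameter. The following is an added example, not code from the slides or from Secure Ideas: a small detector the blue team can run over request logs to surface the same tactic, including URL-encoded and double-encoded variants. The request lines and the `/base` directory used for normalisation are constructed for the example.

```python
"""Added example: flag directory-traversal attempts in logged request paths."""
import posixpath
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample of request paths as a web server or WAF might log them.
SAMPLE_REQUESTS = [
    "/page.aspx?include=../../../../../../../../../etc/passwd",
    "/page.aspx?include=..%2F..%2F..%2Fwindows%2Fwin.ini",    # URL-encoded
    "/page.aspx?include=%252e%252e%252fetc%252fpasswd",         # double-encoded
    "/page.aspx?include=reports/q2.html",                       # benign
    "/static/css/site.css",                                     # benign, no query
]

# Hypothetical directory the application is supposed to serve includes from.
BASE_DIR = "/base"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '..%252f' is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_findings(request_path: str) -> list:
    """Return (parameter, decoded value) pairs whose value escapes BASE_DIR."""
    query = urlsplit(request_path).query
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw).replace("\\", "/")
        # Absolute paths are taken as-is; relative ones are joined to BASE_DIR.
        target = value if value.startswith("/") else BASE_DIR + "/" + value
        normalised = posixpath.normpath(target)
        # Anything that resolves outside BASE_DIR after '..' collapsing is a
        # read outside the intended folder, exactly what the alert denied.
        if not (normalised == BASE_DIR or normalised.startswith(BASE_DIR + "/")):
            findings.append((name, value))
    return findings


def scan_log(requests: list) -> list:
    """One alert per suspicious request, in log order."""
    return [{"request": req, "param": name, "decoded": value}
            for req in requests for name, value in traversal_findings(req)]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_REQUESTS):
        print(f"DENY {alert['request']}  ({alert['param']} -> {alert['decoded']})")
```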


Benefits of Combining Red & Blue

Separating attack and defense causes issues

Less comprehensive

Missing the understanding of the attack

Organizations often treat these as completely different functions

SOC vs. Testing vs. Users


Benefits of Combining Red & Blue

Better understanding of risk

What is at risk?

Understand the attack

Understand how to defend

Clearer view of vulnerabilities

Defense understands controls

Offense understands an adversary


Benefits of Combining Red & Blue

How do you know the test was correct?

“Audit the auditor”

Healthy discussion on risk

Communicate what was tested to non-security people (executives, regulators)

A chance to be part of the solution and fix

Find, fix, retest

Not just going through the motions


DevOps – popular framework

Efficient & fast development

Open communication design

Security testing/requirements

Often neglected

Security can’t handle 50-1,000+ per day

Communication barriers

Integration


Security testing needs to be embedded

Must be part of the process

Developer awareness makes this easier

Understanding the attack yields controls

Knowing how/why increases knowledge

Get out of the silo!

Integration


Measuring What’s Important

Competitive advantage ($)

Measure to Business

Behavior change


Measuring What’s Important

Source: http://www.triplepundit.com/2011/01/what-everyone-wants-to-know-about-behavior-change/

“What gets measured, gets managed” – Peter Drucker


Incident Response

[Bar chart: Incident Response, Vendor vs. Client, Before and After; y-axis 0 to 70]

Reporting results: measuring against the business


Plan of Action

Assess

• Identify key business risks via the red team that support competitive advantage

• Determine vital behaviors to address for business and personal impact

Baseline

• Collect data early to illustrate risk to business from attack tactics

• Perform financial analysis on current business impact for executive buy-in

Identify

• Identify target employees and blue team members

• Identify appropriate awareness modules for program supporting business

Policy

• Work with key stakeholders to create governance and an AUP

• Meet compliance, but strive to change behavior and support business

IRP

• Form incident response procedures (involving help desk and IRP teams)

• Simple process to track and report on effectiveness supporting business


Next Steps – Summary


Key Takeaways

Collaborate

Identify

Respond

Overt Not Covert

Break Then Fix

THANK YOU!