
Enterprise Class Threat Management Like a Boss

BSidesROC · 2016 · 54:05 · 75 views · Published 2016-05 · Watch on YouTube ↗
Category: Technical
Style: Talk
About this talk
Attribution is hard, and in most business cases unnecessary. Threat Management, like Vulnerability Management, is a core pillar in most Enterprise Security Architectures (ESA), yet it is a very different beast with completely separate functions, processes and skillset requirements. Similar to my previous talk on Enterprise Class Vulnerability Management, this talk takes the OWASP ASVS 2014 framework and applies it to Enterprise Threat Management, in an attempt to make a clearly complicated yet necessary part of your organization's ESA much more manageable, effective and efficient, with feasible recommendations based on your business's needs. https://www.bsidesroc.com/archive/2016/schedule/talks/
Transcript [en]

Thanks, everybody, for coming, and thanks BSides Rochester. Quick show of hands: I did a talk last year at BSides Rochester, similarly themed, called Enterprise Class Vulnerability Management Like a Boss. Anybody sit in on that one? Cool. So the first couple of slides might be a little bit repetitive, just going over kind of why we're here, and then basically content about enterprise security architecture and what it does. So real quick, I'm Rocky. I've been doing this a long time. I also organize BSides Cleveland, which is coming up in June. I pen test, I do risk assessment,

enterprise security architecture. We do a lot of purple team stuff, so our attacking knowledge kind of gets distributed over to the blue teams looking for really specific advanced adversary type tactics, and this is really a byproduct of some of the stuff that I've been working on with our clients over the last couple of years at this point. And so, from a history lesson perspective, in 2007 this guy here, Gunnar Peterson, who's really smart, so look him up, he and the organization that he was with at the time put together this paper called Security Architecture Blueprint. Now, we all know what Moore's law is, right?

So for a security document from almost 10 years ago to be as relevant as it is today, that says something. This is just kind of an illustration of where we are today, and there's some problems going on, right? The informationisbeautiful.net site, world's biggest data breaches; they updated it very recently, so now we've got even the voter database breach, which just ended up being giant. The other side of the slide, on the right hand side of the slide, the top is 2007 to 2014 Gartner's IT spend globally in trillions of dollars. Okay, so for the most part a pretty nice big

uptick. Below that is the Verizon Data Breach Report from 2008 to 2014, and for the most part kind of still an uptick. So that tells me that there's something wrong: we're spending a lot of money and we're still getting breached, right? Did you have a question? "Because they're spending so much money?" No, no, no, we're spending more money and we're continuing to get breached more, right? "Reporting." Yeah, yeah, I mean that absolutely could skew the numbers in some way, shape or form, absolutely. But realistically, from my perspective, and having been doing this a couple of decades, organizations really understand that

protecting business critical data is crucial to the business, right? But they're typically looking at it from two ways, and both of those ways are really kind of flawed fundamentally. The first is from a project by project basis, right? We need a new firewall, we need to upgrade the VPNs, etc. There's no business need, there's no strategy behind any of that stuff. It's just, okay, this is the natural course of our professional lives, right? The other way is from a compliance perspective, right? Organizations are basing their security programs on compliance, which on one hand does kind of make sense, because if you are found not complying with some type of regulatory mandate,

what happens? "Say that again." "I said you lose the ability to deal with that agency or that client or that income stream." Sure, sure. All right, so this gentleman right here said you lose the ability to work with, let's say, the organizations that require you to be compliant, et cetera. That's absolutely true; that is a business impact. The second business impact, somebody back there said fines, thank you, right? So it does kind of make sense that organizations are basing their security programs around compliance, because there are business impacts. But all the security nerds like me have historically said this for years at this

point, right, and beating a dead horse. I can't believe I'm gonna have to drink just saying it: if you're compliant, you're probably not secure, but if you're secure, you're also going to be compliant to whatever framework you have to be compliant with, right? So again, this is really just kind of history before we actually get into the threat management portion of this. Complexity: enterprises are complex, and therefore, to solve the complexity issue, not just with information security but complexity in general of organizations, of businesses, right, we need some type of architecture, and that's where the enterprise security architecture concept comes into play in

relation to enterprise security and protecting business critical data, right? We can break it down very simply, right? We need to have organizational goals, we need to understand and take into consideration the environment where these systems are being built, okay, and then the technical capabilities required to build and operate those systems. That's architecture at its most broken down, right? And the idea is to organize complexity, right? Again, I'm sure everybody in here has also heard the phrase, the more complex a system is... anyone? Thank you, right, the less secure it is. So we need to really rely on architecture to organize the complexity of large enterprises, right? Benefits, you

know, you can read, but again, one of the things that I am going to focus on here is one of the areas that most organizations just fail miserably at, and that's metrics, right? But that's really important, because that's how we on the technical side, whether it's IT or IS, whether you're in system administration or actual security roles within your organization, that's how we communicate back up into the business, right? Our business leaders, the CIO, should not be the technical experts, but you can argue that, right, but typically are not going to be the technical experts to understand exactly what you're trying to tell them, because you're the technical expert, right? And so

we need to really get better at communicating back into the business via metrics. So at its basic kind of form, right, this is the overarching blueprint laid out by that 2007 paper by Gunnar Peterson and his associates, and again, this is so relevant, right? Understand the stakeholder goals, and now within the enterprise security architecture we have risk management, policy and standards, and actual design and security architecture. Those three pillars are supported by process, defense in depth and metrics. On the process side of the house you have SDLC, right, so application life cycle, etc. You have identity management, vulnerability management and threat management. Defense

in depth is typically what we consider, what we normally are talking about when we talk security, right? These are the firewalls, this is the antivirus, this is everything, all your controls; that's your defense in depth, right? And then I already talked about metrics, which we're awful at. So this talk is specifically on threat management, right? And so what does threat management mean? So we're breaking this down into typical components, including your controls and your logging sources, monitoring, threat modeling, right, incident response, and then, don't shoot me, threat intelligence. Again, that's another example of a silly buzzword. Does anybody know who Norse is?

Okay, so there's a lot of laughs, good, you know what I'm talking about. Okay, so here we go, right? This is the threat management process of the enterprise security architecture. Now what are the challenges here? I already brought up Moore's law, right, and that applies to malware, right? So already, for the most part, the blue teamers are historically always going to be behind the curve, right, just based on Moore's law. But we have, excuse me, the challenges around intelligence, right, so effectively having knowledge of those latest types of attacks and trends; communication, right? When you get into enterprise incident response, all right,

your organization is more than likely, and again I'm talking enterprise level, large organizations, broken up into many business units, okay? So if there is a breach somewhere that is going to affect multiple business units, how are you communicating throughout your organization to the right people who are accountable for them responding accordingly and collectively contributing to the incident response program, right? So communication is a giant, giant problem. Coordination is really the next step and the next challenge there. Accountability, and I already talked about metrics, and talent, right? The security economics talk earlier this morning was talking about the zero unemployment; I've heard negative unemployment in the information

security community, or actually that's across industries, right, but specifically with information security, negative unemployment. I don't know the numbers, but based on how hard it is that I've seen to actually attract and keep awesome talent, I believe it. All right, I don't think that that's not true. What was that? "There's a lot of mediocre talent out there." You're gonna have that, right? You're gonna have that because, I mean, yeah, I've been doing this 23, 24 years; not everybody in here has, right, and I sucked at some point, you know. That statement also

assumes that I'm good now, so that could be just my subjective view of my own security talent. But one of these other more important things that we need to deal with here is... I read a report, it was kind of funny, I just kind of came across this report, a SenSage 2012 report, that showed that the massive and mostly manual efforts of collecting and analyzing security data has caused a severe downturn in both the mood of security teams as well as the perception of their effectiveness by stakeholders. Now I'd cite that report, but it's a dead link. Somebody wrote that report

and then reviewed it and made that comment, which I thought was hilarious and probably very, very scarily true, but there's no link. So anyway, yeah, it was live. So right, so that entire process, I mean, this immediately came to mind, right: I've seen things you people wouldn't believe. And if anybody doesn't know that movie, there's the door, right? Okay, so moving on to threat management goals. All right, here's what we want to try to accomplish within a mature threat management process for our enterprise security architecture: we want improved intelligence for quicker decision making. A lot of this is

really kind of dull, but buy-in from all service owners and stakeholders is critical, especially when we get into incident response, right? Integration of an existing vulnerability management process, because the two are really aligned in ways that you need to have; you can't just rely on a mature vulnerability management or a mature threat management process, you really need to have these two aligned and maturing as you are growing your enterprise security architecture. Improved detection and reaction times, right? This specific characteristic is really why most good penetration testing teams are moving towards that hybrid model, right, that purple team testing where the red team is the attacking team

and the blue team is the defender team, but the engagements are really more of a hybrid: the blue team is watching the red team as they're attacking, right? The creative juices start to flow, they begin to see advanced tactics that they may not have ever considered or may not have ever seen, and are really starting to think about, well, how can I detect that better, or how can I react to that better, right? So this type of hybrid model is really geared towards improving the detection and reaction times. Excuse me. Threat prioritization, okay, so for example, and I'll kind of get into this in detail, but if you

have a malware outbreak and it's affecting eight people so far that you know about, but one of those people happens to be your senior R&D guy, and if his machine and everything that he can access is breached, that poses a significant risk to the organization for the theft of intellectual property, but it's only eight instances within, let's say, a ten thousand staffed enterprise. How do you prioritize that, right? So there needs to be a threat prioritization model and standard as a part of the threat management process itself. Incident response maturity, and then service owner and stakeholder reporting with the metrics. So here's, a couple of years ago when I started thinking about this: is anybody familiar

with the OWASP Application Security Verification Standard? A couple people, okay. The latest version, the 2014, and we're now at version three, okay, the ASVS 2014. This is a model for SDLC, okay, software development lifecycle, and I'll go through this really quickly, but as opposed to the OWASP Top 20, ASVS is actually implementable. The OWASP Top 20 tends to be just muddled; I won't get into it. So this is going to be the ASVS, a very, very high level overview of what it is in relation to what it was originally intended to be, which is a software development life cycle kind of process

or set of processes, and what we're going to do is then apply this model to threat management. This is what I did last year when I applied this model to vulnerability management, and it seemed to work pretty well, and so I was like, well, maybe I can reduce the amount of time I needed to create a new presentation and just apply this to threat management. So that's what I did. Level zero in the ASVS, there's really not a lot going on, there's nothing structured within the organization; we're actually not gonna focus on that whatsoever, all right, that's just okay, you're going on, right.

Level one is called opportunistic. From an application perspective, that means that the application can adequately defend itself against application security vulnerabilities that are easy to discover, okay? So at a high level we'll just kind of leave it at that. Level two is standard, right: the application can adequately defend itself against prevalent application security vulnerabilities of moderate to serious risk. Okay, great, so we're beginning to develop some type of scale that we can grade against. Right now, I hesitate to say audit; it's kind of an audit, but it's a really, really detailed audit, right? This is not "do you vuln scan for vulnerabilities"; this is how mature is your vulnerability management process, and we're going to be grading against

this at level one, level two and level three for your threat management programs. Level three: the application can adequately defend itself against all advanced application security vulnerabilities, and again, adequately defend itself, this isn't like it's perfect, right, but can adequately defend itself against all advanced application security vulnerabilities and shows principles of good security design. Okay, so now we have a basic framework for this, so we're gonna build upon this ASVS framework and improve this when we talk about threat management. Again, level zero, I'm not really gonna concentrate on; that's just okay, organizations really probably aren't doing anything about it. So let's get into the meat of what

we can now utilize, because I assume everybody here who's at a security conference probably is not ignoring the security for your organization, right? So level one, ASVS opportunistic: the organization can adequately defend itself against non-targeted threats that are easy to discover. Okay, so what does that actually mean? And this is where now we can begin to put together a framework of, again, tests that you need to ask yourself and validate and verify that would then put you into this level, or even furthering into level two and level three, right? So where I came up with what I felt a good level one set of tests for threat management would

fall looks like this. There's no dedicated infosec or risk group, okay; it's probably, let's say, a one-man shop, right, there's no dedicated security individuals. There's reliance on rudimentary alerts that are coming from your standard defense in depth controls. There's a process in place for handling malware infected systems, okay; typically that's probably going to look like a help desk that's going to re-image systems or whatever. Centralized logging capabilities but no correlation, so maybe some centralized syslog, etc.; some of the tools are going to be there, but there's not really going to be much else going on, right? Sporadic additional, quote, threat

intelligence, right, so SANS alerts, etc. There may be an associated level one vulnerability management that may have an open source or even a commercial scanning tool, right, but going back to what I said, your threat management and your vulnerability management processes need to grow with each other and mature together. And then the organization is probably comfortable with the NIST slash ISO or whatever regulatory, HIPAA, PCI type compliance; they feel that if they're compliant within those types of frameworks, we're doing our job. That's what I would consider level one threat management applied to the ASVS. So let's talk about level two, because in

my opinion that's probably not good enough for most people in this room. Level two is probably where most organizations who aren't in, let's say, critical infrastructure, or are responsible for human lives being at stake... level two is probably where most organizations should really kind of target for their threat management process, right? So the overarching description of level two applied to threat management, right: the organization can adequately defend itself against prevalent threats of moderate to serious capability. Such threats could include hacktivists and non-targeted organized crime actors. The majority of business organizations should work towards this level, right? So all right,

that's neat, what does it look like? And so here's where we start seeing dedicated risk and infosec groups, right, including a dedicated monitoring resource. Now we're starting to delineate stuff down from threat management into its associated areas of focus, right? So we're talking about monitoring at this point. Integration with the existing level 2 vulnerability management process. Basic monitoring framework and SIEM deployment. Documented incident response framework. Pen/red/purple testing simulating threat actors using real world tactics, okay, that's also very important. The infosec group itself may utilize an enterprise ticketing system for documenting tickets; that tends to be more critical for

the vulnerability management process than the threat management process, but it's still good practice, right? And then the last one on this page is some open source slash internal slash commercial, I don't care what it is, right, but some level of actual threat intelligence. Additionally, we're going to take a look at a standard for reviewing intelligence that defines escalation processes. Commercial or open source tools used for the actual logging and SIEM. Asset and data classification: you need to have asset and data classification down to a T before you can even consider the next one, which is role based access control standards based on said classifications. We need to define the types of data and the types of

assets before we can then say you're not allowed to touch that type of data because it's not within your need, right? A threat modeling standard; now we're starting to get into some of the fun stuff. Advanced endpoint controls: how many people actually use EMET? One, two, three, like a handful. What's wrong with you people? Oh my gosh, I forget I'm following the Linux talk, I'm sorry. "Yeah, 5.5, it's less than..." Actually, yeah, yeah.

And yeah, I totally agree with you guys in the back, right, but again, in a perfect world... it's free and it's looking at behavioral anomalies, and it's like, work with your own applications, please. Okay, and kind of following up on this, right: corporate cloud adoption standards, what is allowed, what's not allowed from a cloud perspective. We need to know this because this all has to tie into the actual threat management process itself. Third-party risk assessments. One final thing, that one final thing is encrypt your [ __ ], right? It still kind of boggles my mind that

organizations are spending millions and millions of dollars on DLP and they're not encrypting stuff. I see this all the time. Start with encryption. I get that, sure, we don't want to let emails go out unencrypted that contain Social Security numbers, but just encrypt, please. Okay, so that's kind of like my feeling around what a level two... yes, sir? So, okay,

yeah, so I don't have the silver bullet there, right; I don't think anybody does. Again, I'm not really going to try to suggest the specifics, but once you have the framework in place, the next step is figuring out what's not going to break your [ __ ]. So all right, now let's talk about level three. All right, this indicates that the organization can adequately defend itself against all advanced threats and show principles of good security design. This is appropriate for organizations that deal with critical infrastructure, protect life, etc.

Protect life. Think of things in terms of replaceability, right, data replaceability. I think Josh Corman was the first person I heard talk about it in relation to this. Has anybody had a credit card stolen? What happened? Thank you, it's replaceable data; it got replaced, right? When you start talking about intellectual property, the 11 herbs and spices of Kentucky Fried Chicken, if that got stolen, now that represents competition potentially undercutting price, there's stock valuation that's going to be associated with all that. That's a potential big impact to a business, right?

Electric cars, right? Electric cars are computers with wheels. Do we have any red teamers in here? Right, can you not wait till you get your Tesla so you can just start screwing with it, right? But what's the potential ramification there, right? That's human life. Bluetooth pacemaker, yeah, pacemakers with Bluetooth connections, are you kidding me? But replaceable data, irreplaceable data; when we're dealing with organizations that are really fundamentally protecting irreplaceable data, now we've got to start thinking about this level three, right? So what does this potentially look like? All right, so we're going to start with a threat prioritization standard, right. The way we've broken this down

is in kind of a three-phased approach, right? So there's triage, which is mostly help desk type activities; what we call suspect, which is then the security operations center investigation phase, that's been escalated up; and then now we've got incident, right, the third one is full-on incident. That incident then has to have a mature framework which includes buy-in and participation from all business units, including and probably especially legal and ethics, right, because at an enterprise level, legal and ethics need to, to a degree, QB how the organization is going to handle, let's say, an insider threat, right? Tabletop exercises, right, this is where

the red slash purple slash whatever you want to call it, this is where what are historically considered the attacking teams, this is how they really can begin contributing to the blue team defensive capabilities, right? So simulating domain breaches, which means in this exercise full-on out-of-band communications, right? So I know a lot of organizations that when this lever is pulled and we realize that this is a serious incident, all communications go to, like, Google, right, because you can't trust your own infrastructure. Phishing high value targets, right, so that could be the guy that actually has access to the secret sauce, etc., things

of that nature. Simulated ransomware; this is becoming a big hot topic, obviously, as ransomware matures and is really going to be moving into the server space, right, the worm server space, etc. That's going to be... yes? Yeah, no, I mean I don't disagree at all, yes, it is there, but it's like now we're seeing just the beginning of the world; that's a domino and this is going to get really fun. And then simulating that malicious insider. All in all, incident response... I'm sorry, internal incident response content management system, where all this stuff can be tracked. We need to know

communications rhythm: who needs to be contacted at what level of incident, right, and how often those people need to be updated with the updates on the actual incident process itself. IR honeypot and data gathering tools: does anybody know what DCEPT is? Oh, for a Windows environment, look at DCEPT. Does anybody know what Mimikatz is? Okay, right, so Mimikatz, the greatest red team tool ever, right, can go onto a host and, depending on the version of Windows, can scrape clear text credentials out of the LSASS process and scrape the actual hashes, the password hashes, from people who have logged onto these systems, okay? That's pretty much game over in most

organizations that don't really have, maybe, let's say, a level three incident response within their threat management. So what DCEPT is, I love this, the guys at Dell SecureWorks, they just released this like a month and a half ago; it's basically a honey hash. I saw your face. So it's a client server architecture where on a daily basis, every single host on your enterprise, there's a little agent, right, and every day a random 30 character password is injected into the LSASS process. That random password hash is associated with that asset, so now within your SIEM you're looking for... there's a separate sniffing process that has to be on the

same network or SPAN port as the actual domain controllers, and when that sniffing process sees somebody trying to use what to them as an attacker looks like a domain admin hash, it completely alerts you to exactly what host that just came from. So now you can shut it down. It's really cool. Yes? "Yeah, so we've done some investigations where honey hashes have been implemented in cases where cached logon credentials are necessary for applications to function. I've actually seen hashes popped off the stack which needed to be there, and so for some architectures that solution could be very challenging to implement without breaking those applications."

So this probably resonates with the guy in the back who last year I said you should look into EMET. But yeah, I mean conceptually, on paper, it's really cool, right? The other two that I've listed here: Kansa is a spectacular PowerShell based incident response framework, right? It utilizes PowerShell remoting, so in the enterprise space it's probably not the best business decision to just have PowerShell remoting enabled on all of your systems without some type of control. So the way we've kind of architected solutions around Kansa is essentially some type of proxy that is IP limited, or some type of limitation, and to

sorry, I'm pushing out the actual controls to restrict who can PowerShell remote into these hosts, and it's only, for lack of a simple example, it's only the box that is running the Kansa PowerShell scripts itself, right? So it's interesting stuff, it's really, really interesting. All right, moving on. So process creation auditing: we had a really interesting blue team guy come in from a Fortune 4 and he was talking about, here within the Windows event logs are some specific things that you should be monitoring for, because, and again, it's kind of like analyze your situation appropriately,

but that guy turns out to be a really good indicator in a lot of environments of something that probably shouldn't be here spawning interesting and weird stuff. DLP and rights management; I don't care, it can be homegrown, defined by the data classification, etc. Enforceable identity access controls, right? So this is a big problem with a lot of organizations that we run into; typically we see the pen tests come in, plug something into the wall in an open Ethernet port in some conference room, and then within eight hours the domain controllers are knocked over. So some type of system, and

again, we're talking level three, so the majority of this stuff is not going to be cheap; that's just the reality of it, most of it. And finally for level three, network identity access controls. Documented threat multipliers: you need to understand what the threat multipliers are going to be in your threat prioritization framework, okay? Adversary capabilities assessment, or adversary ROI, okay; now we are starting to get into the portion of threat management where we need to understand who might be incentivized to steal our stuff and what are their capabilities, right? Now, like a lot of qualitative risk assessment, that can tend to get voodoo-ish, right, but it's still a really good exercise to

kind of go through and understand. I think at the end of the day the goal really needs to be having some semblance of an understanding of who wants to steal your stuff and what their capabilities are, because we want to make sure that in our enterprise security architecture, when we're designing and deploying these types of controls over time, their intent really is to drive the adversary return on investment to zero, right? Make them spend too much time and too much money. "I was wondering how would that work with a large corporation that needs to deal with a small corporation, or a small company even, that has a

perceived-to-be mission critical application that's third party? [speaker] As far as I'm concerned, you hear third party risk management a lot, but when we get into, let's say, here's an acquisition and it's not part of the organization... [audience] No, I mean like an outside company even, that's a vendor for a particular product. [speaker] If you say, oh well, that's then absolutely part of the third party risk management. I'm not going to go back in the slide deck, but the three pillars of the enterprise security architecture are risk management, policy and standards, and then design and architecture, right? That falls under risk management, straightforward, right? So there's an association to threat

management, even the vulnerability management, right? Because you need to have an understanding of where that organization sits and whether they are sitting in a manner that is acceptable for your business. But realistically that's all third-party risk management, absolutely. Periodic threat matrix exercises, etc. And then stakeholder, service and owner reporting, again going back to the whole metrics, right? But now we're talking about metrics. OK, so let's talk about metrics in relation to threat management itself. We want to talk about incident metrics; that can include the characteristics of that type of incident, target system characteristics, the timeline of an incident, number of systems targeted. Attack metrics: what's the vector, right?

What's the sophistication? Was this just ransomware, was this some 0-day? Attack profile characteristics, obfuscation techniques, right? Were they trying to really hide their tracks, etc. Data metrics: what was the data targeted, what was the data compromised, was any data exfiltrated, right? You begin building these metrics around threat management and now, I think twofold, we really begin to have a model where we can begin gauging our own improvement over time, because a lot of this stuff can be simulated by red and purple teams, right? But then we also now have the ability, like I said earlier about the importance of metrics, to communicate back up into the business,

right? They don't necessarily need to know that, whatever, polymorphic encryption was used on this particular attack, but we need to at least have some type of metric around those types of attacks and what they were targeting and how they were able to succeed, et cetera. The threats by status really kind of ties into your enterprise ticketing system, right? So all the stats around open and active, etc., tickets around the threat management, typically incidents. And then a couple of my favorites: mean time to compromise and cost to disrupt. These are really, really fun metrics if you can get to the point within the program, within the maturity of the

threat management program, to begin deriving these guys, right? So mean time to compromise: again, you can simulate a lot of that stuff through red and purple team testing, working with an organization that says, look, we know that crown jewels may exist on these types of systems, or domain controllers, or what have you. So based on the existing controls, the existing detection and response capabilities, what is the mean time to compromise these types of systems, right? And now can we begin showing improvement over time? And then cost to disrupt, right? This is directly in relation to that adversary ROI: now how much is it going to cost

the adversary to get to the point where that compromise succeeds, right? The cost to disrupt. OK, so that's really kind of the high level application of threat management within the ASVS framework that I came up with, right? What I'm going to do is put this all up on GitHub and make it all community based and all that stuff, and contribute whatever you want. A couple of slides here: I want to talk briefly about threat modeling. There's a couple of different ways; again, I'm not going to sit here and say this is the way to do it, but here's a couple of ways that I've

seen work very well. This is the three tenets threat model. The paper here, and I'll make all this available, but the paper here, "Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity", is an excellent, excellent paper. All right, so take a look at that. They're not just being a talking head like me; they're going into some really gnarly risk math and calculations, but it's really good. And this came from that paper; the application of that three tenets model I've seen work very well from a threat modeling perspective. But my personal favorite is this, from

Bruce Potter, his DerbyCon 4 talk "Threat Modeling for Realz". You can't get more straightforward than this. All right, so here's the threat model; you need to understand the variables, right: actor does action to asset resulting in outcome because of motivation. It's beautiful. What I'm going to do now is, it's not really a demo the way, like, I'm not writing code, and I'm worried that it's not going to fail; the only way that this is going to fail is if Emmett [ __ ] up Excel. But I'm going to give you a little taste of some of the things that we've been working on. OK, so this is our threat

prioritization matrix. So we're starting with input, right, and in this example this is our defense in depth portion of our enterprise. We're working with our SIEM; here's our data inputs. I'm going to, unfortunately, name names here; I'm not promoting any of them, this just happens to be one of the ones that we liked, right? This first guy here is removable access controls. Cognitive Threat Analytics is actually a weird kind of byproduct of a Cisco acquisition; you would actually have to search for it if you don't know what it is, it's not something that they actually sell, but it's really, really

interesting in terms of threat analytics. Cisco, I will say, is the one organization that, with Talos (you might know what Talos is), all right, Talos is really interesting because that is basically tying every single Cisco security device, to a degree, into a centralized global threat database, right? They have analysts; something gets found that may represent a threat to an organization and there's the ability for that information to then get redistributed out to all of their Cisco devices, and there's a lot of those out there. It's kind of interesting. So IPS, AMP, AV, Skyhigh is a cloud thing, CWS, etc. Anyway, the point here is that once we have an understanding of, once we

have a good set of inputs, we can begin looking at things like, OK, what type of malware are we dealing with, is it a backdoor, right? And so our threshold for these first, right, so malware type, volume, corp ID. Now this corp ID is really kind of getting to, all right, how important are you within the organization? So I can call a few PowerShell commands and get an idea of what groups you are in within Active Directory, and now I can associate those groups with what should be an existing critical asset or critical function, services and functions within the

organization. If the groups that you are a member of tie into, let's say, the top ten critical services within the business, that's going to be a threat multiplier, right? Service level, etc. So what we've done here, our thresholds, and I'll kind of bump this up here, I'll make that a big boy; oops, wrong one, this guy. All right, so our threshold in this particular little spreadsheet was 13, and anything above 13 we want to escalate. So now that particular thing gets escalated to the SOC team. The SOC team is now taking a look at things that you may or may not have actual access to, you may not understand, like what's the origin, what

is the intent of this potential threat, right? So those we then consider threat multipliers, if you know that that's going to affect the overarching threat result, the scoring here, so to speak. But at the end of the day, and I'll kind of muck with this a little bit here, you can see that here: OK, we've got our rating, we've got our description, response, accountability, who to notify, communications rhythm and post report. If I drop this down to something that's not as serious, all that stuff's going to change, and now we kind of have a rough idea of what our threat reaction, or the reaction, should be in relation to some type of threat within the

organization. Now again, that's something that we just put together for a specific client of ours, and it works for them. All of this can be completely modulated, modified, etc., to fit your needs. The other one that I want to take a look at is, this is really where I think some of the value of applying this to the ASVS is going to come through. The ASVS actually provides, you can just download this actual spreadsheet, all right? So this spreadsheet, then, you can see does this first thing, which is "verify all pages and resources require authentication except those specifically intended," whatever, all right? It shows you: is that a

requirement for level one, is that a requirement for level two, is that a requirement for level three? All right, and you can go down throughout the entire ASVS set of requirements. And again, this is where the gray line is between an audit and something more sophisticated that has more teeth; this has teeth, OK? And so now we can really begin saying, OK, it's not necessarily about are you scanning; the example is, are you scanning for vulnerabilities? It's how mature your vulnerability management program is, right? And so what I've begun to do is apply this over to threat management. So kind of come over here a little bit.

All right, so a lot of the stuff that I've talked about now. I'm going to do the same thing for vulnerability management, and I'm going to make all this public, open source, and you can contribute in GitHub and all that. But I think at this point now we have a much more manageable framework that does have teeth, that you can kind of say, OK, my goal is to at least get to level two from a threat management perspective, and where do I lack, what do I need to focus on, right? Does that make sense? All right, back to this,

of course
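As an added illustration of the threat prioritization matrix walked through above (constructed for this page, not the speaker's spreadsheet, which is not reproduced here): the inputs the talk names (malware type, volume, corp ID via AD group membership, service level) feed a score, and anything above the talk's threshold of 13 escalates to the SOC with a rating-driven response plan. All weights, tier cutoffs, group names and plan contents are assumptions.

```python
from dataclasses import dataclass

# Assumed weights for the inputs the talk names (not the speaker's values).
MALWARE_WEIGHT = {"adware": 1, "trojan": 3, "ransomware": 4, "backdoor": 5}
SERVICE_LEVEL_WEIGHT = {"bronze": 1, "silver": 2, "gold": 3}
# Assumed mapping of AD groups to the business's top critical services.
CRITICAL_GROUPS = {"SG-ERP-Admins": "erp", "SG-Payroll": "payroll", "Domain Admins": "identity"}
ESCALATION_THRESHOLD = 13  # from the talk: anything above 13 escalates to the SOC

# Assumed tiers; the columns mirror those shown in the talk's spreadsheet.
RESPONSE_PLAN = {
    "low": {"response": "ticket", "accountability": "helpdesk", "notify": ["asset owner"], "comms_rhythm": "weekly", "post_report": False},
    "medium": {"response": "contain", "accountability": "security analyst", "notify": ["asset owner", "service owner"], "comms_rhythm": "daily", "post_report": True},
    "critical": {"response": "incident", "accountability": "SOC lead", "notify": ["CISO", "service owner", "legal"], "comms_rhythm": "hourly", "post_report": True},
}

@dataclass
class ThreatEvent:
    malware_type: str
    volume: int        # alerts or hosts seen for this event
    ad_groups: list    # the affected user's AD group memberships
    service_level: str

def volume_score(volume: int) -> int:
    # Assumed: 1 point per 10 alerts, capped at 5.
    return min(5, 1 + volume // 10)

def corp_id_multiplier(ad_groups: list) -> int:
    # Threat multiplier: +1 per distinct critical service the user's groups tie into.
    hits = {CRITICAL_GROUPS[g] for g in ad_groups if g in CRITICAL_GROUPS}
    return 1 + len(hits)

def score_threat(ev: ThreatEvent) -> int:
    base = (MALWARE_WEIGHT.get(ev.malware_type, 2) + volume_score(ev.volume)
            + SERVICE_LEVEL_WEIGHT.get(ev.service_level, 1))
    return base * corp_id_multiplier(ev.ad_groups)

def rate(score: int) -> str:
    if score > ESCALATION_THRESHOLD:  # strictly above 13, as in the talk
        return "critical"
    return "medium" if score > 8 else "low"

def triage(ev: ThreatEvent) -> dict:
    s = score_threat(ev)
    r = rate(s)
    return {"score": s, "rating": r, "escalate_to_soc": s > ESCALATION_THRESHOLD, **RESPONSE_PLAN[r]}

# Constructed sample events: a backdoor on a domain admin who also handles payroll,
# adware on a sales user, and a maximal non-critical-user event that lands exactly on 13.
EVENT_A = ThreatEvent("backdoor", 3, ["Domain Admins", "SG-Payroll"], "gold")
EVENT_B = ThreatEvent("adware", 25, ["Sales"], "bronze")
EVENT_C = ThreatEvent("backdoor", 40, ["Sales"], "gold")
```

Event C scores exactly 13 and stays at "medium", showing that the escalation rule is "above 13", not "13 or above".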

OK, so what is next? I think, in relation to the actual set of processes within the enterprise security architecture, the ASVS is the SDLC process, OK? That's what it was originally intended to do. I did that last year, applied this to vulnerability management, and now this is the ASVS application. Again, all this is going to get open sourced, but I think the next step logically is identity management. And so with all that kind of set up public, I think, I mean I believe, and I really kind of hope, that this kind of testing with these types of frameworks to understand the maturity of these processes

is a much more important and much more successful way to really begin measuring more of the objective security, in a way that you're not actually getting super knee deep into the weeds, but also it's not a compliance audit, right? So that's pretty much what I got, guys. So we've got a few minutes; are there any questions?

[audience] I'm sorry, can we get to your slides on the internet? [speaker] I'll put them up on SlideShare, yeah; I'll let the Rochester organizers know. Yes, sir? [audience] You keep saying information, right, but you would also throw in a robotic surgery device, assets? [speaker] Yeah, absolutely, you're right. My lexicon was probably very information specific, but at the end of the day, one of the most critical components here is understanding what are the critical assets that support your business critical data, right, and then who has access to that and all that. But absolutely, yes. Thank you. Questions, comments? Am I completely off my rocker?

Not yet, not yet. I'm looking forward to it. All right, no questions then? Thank you, appreciate it.

[ feedback ]