
My name is Evgeni Sabev. I work for and represent SAP, SAP Germany. I work in the Advanced Vulnerability Management team, or by its other, fancier name, the Attack Surface Reduction team, at SAP in Germany. As we already see, it is engaged in preventing everything that the colleagues started talking about: Peter with the regulations and the implementation of the regulations, and the colleague before me with the prevention of these incidents in the public sector, in the state sector. The same attacks can happen in the private sector and in some cases have absolutely the same consequences as we saw they may have for the state.

Very briefly, I will start with a few statistics and definitions. What is attack surface? EVM 101, Advanced Vulnerability Management, the so-called EVM view, according to the way we understand and interpret it. And maybe a roadmap for those who will build it first, possibly for the future vision of the country. Before we continue with these things: is there anyone in the room who is engaged in vulnerability management, or has a pen testing or red teaming background, or works somewhere as a super pen tester or red teamer? Super. My previous job was as an Open Data Rereader at Deloitte. So I didn't expect, on the other hand, that when a person is dealing with implementing the reports we deliver to companies, their understanding would be as complex as it is in a large corporation.

What is vulnerability management? A simple definition. The simplest explanation is that it is very difficult to quantify, but the best explanation is something that is trying to prevent the worst from happening. If vulnerability management was successful, we would not have such an attack as we saw in the previous talk. Several famous people and ChatGPT, of course, define it in different ways. We won't get into reading exactly what ChatGPT wrote, but generally speaking, vulnerability management is the identification, classification and taking of measures to prevent the exploitation of vulnerabilities, either by removing the vulnerability as a whole or, as the colleague was talking about, by adding some other technologies that actually prevent successful exploitation.

Also, vulnerability management is not just a scanner; it is much more. It is important to say, I know that some people think that... I have been asked not to mention any product names, because this is not the purpose of the presentation, so I will not do it, but maybe some of you already know what vulnerability assessment scanners are. This is not vulnerability management; it is much more than that. Unfortunately there are a lot of processes, unfortunately there are a lot of regulations, which Peter was talking about, which should also be covered. Yes, some more definitions of what vulnerability management is, and yes, actually the most important slide. What we are trying to prove and what we know is actually a very small part of the whole aspect, of the whole information that is available at the moment, of all the vulnerabilities that someone has.

I myself, as a pen tester, have tried to report some vulnerability somewhere. This is also a big problem. I assume some of you are familiar with bug bounties. I've been doing bug bounties for some time. I assume some of you are also dealing with bug bounties. This is common in companies that have a bug bounty program or some VRP, vulnerability responsible disclosure program. But unfortunately, a big part of big companies still don't have one. And, to be honest, I have seen many times, even the most shameful cases, in forums, where someone has found some kind of vulnerability, whatever it is, I will not go into classifications, but, for example, the worst is some remote code execution. Nobody pays attention to it and it reaches the point where they write on Reddit, in forums, and so on: I have this payload and I have remote code execution and nobody pays attention to it. We have seen these things, we have seen them on the darknet. We will get to this part later.

Just to move to the next slide. In this aspect of thinking, what we try to protect is the so-called attack surface, as has already been mentioned. In a big company, as in state enterprises, I suppose in every enterprise, even in the university, there are countless devices that are already intelligent and which participate in this attack surface of every large corporation, every company, every institution. I have shown those which are the most popular or the most commonly perceived things. We have at the moment all kinds of things that are cloud: containers, multi-cloud, Azure, AWS instances. Also, every institution and enterprise has its own infrastructure, networking components, routers, firewalls. There is Wi-Fi in the building, I tested it this morning. I think I mentioned the BGP, end-to-end VPN connections, all these border firewalls that exist in companies. Most companies already have some OT components or IoT: the beamer, the cameras in the building. Most of them are in the network, they are smart devices, they can be available. Some of them are much more complicated, some are relatively elementary, and there we will go into some aspects for those which are more elementary and older. SCADA, ICS: it directly depends on what business you are in, it is also a very big topic, but that is a topic for a separate talk. And the classic IT things: web applications, virtual machines, mobile devices, bring your own devices, workstations for all employees of the company, and servers, data centers are also something that should be protected.

How? For those who are trying or will try, and it is also important for the state, for everyone who, I also assume, should have a program at some point, and
a team that deals with this. The most important thing, point one: what your organization is doing. That is, if you are protecting something, you should know what it is, what all kinds of assets there are. By all kinds of assets, I have in mind every single thing. As I said, this beamer is most likely connected to the network. We have seen very interesting Chinese beamers which are publicly available through some proxies, through some other public services; we are not mentioning products, we said. But they also had direct access and indirectly bypassed some solutions that were implemented. Absolutely every device that is in the network, whatever it is. Printers, if you have printers, for example: this was also a very interesting method that we used in our company and it is used very actively, exploiting a printer, hiding malware in the printer's firmware and waiting. As we understood, some attacks await a convenient moment. The fact that you are not being attacked at the moment doesn't mean that someone is not in your network waiting for a specific moment, whatever it is: war, global events, Olympic Games, whatever it is. In the ideal case, it is good to understand if there is such a person or such an attacker before they execute, and to understand if there is such a presence at all, or to block them in the process of trying to hide somewhere in your infrastructure. Here I am talking about serious, big infrastructures, not a company of 10 people with 10 laptops.

The percentage of SaaS and the solutions that are used. We should also take into account that in most cases a program like ours can interfere very little, because there are some contracts with the vendor and there is mainly an account of what is included in the contract, and we may have much less influence on the solution itself. Nevertheless it is very important to understand what is being used and what the consequences would be if something goes wrong with the solution that is being used. And network architecture. I have written it here, but in SAP this is a very complex topic. We can write 20 PhDs on the subject of SAP infrastructure. So, I assume that from company to company, from state institution to state institution, it is quite complex and quite different.

The next thing, which most probably must be there besides all these assets, all this software, these technologies: how do you maintain all these technologies that are implemented in your company? Who updates the beamer? Who is in charge of paying for the beamer? And the most important question is whether the beamer we bought is supported by any vendor. It may have been a very cheap Chinese product. Yes, we saved some costs by buying a new, cheap beamer, but after I have worked with the pentesting team, we have spent a wonderful weekend and we have found about 20 vulnerabilities in this beamer and there is no way to remediate them, including no answer from the vendor. What do we do in this case if we have 12,000 such beamers all over the world? These are complex questions, and these are just beamers. When you start to look at each device, and here in our case we are talking about many, many millions of assets, each asset, the solution to the problem becomes more and more complicated.

Also, the most important thing: the big companies, what do they do most often? They buy other companies. It happens very often. With some companies we understood very soon: you publicly announce on the Internet that, I will not give names, company A, a huge corporation, buys company B. Individuals who would be interested in destroying the existence of the company, whether politically or out of appetite, who are government sponsored, of course know that company A, which is huge and represents some threat to their country, or according to the instructions of the country, will buy company B, which is very small, they have no security at all, they are not involved, but they will become an integral part of the new company in the next 6 months. What happens? Company B, on the day of the public announcement of this information somewhere on the Internet, on the same day is exploited. Attackers or hackers, whatever you want to call them, the wrongdoers, hide in the company's resources that, even if there is such a program, as we said, the beamers, printers, smart devices, the RFID readers on the doors, nobody scans them. Why should we scan them, what is this, they can't do anything to us with them? Absolutely, unfortunately, it's not exactly like that. And finally, after company B was bought, after 6 months, after company B became an integral part of company A, depending on the policies, if there are any or not, these people are completely normal now, after VPN end-to-end connections have been built from one company to the other, without any problems. Just open the door. Imagine opening this door: this is our company and it has invited company B to come in, just like that, and they come in with all their, so to speak, exploited devices. Sometimes even the endpoint workstations are not reimaged, they are simply inherited by business lines, and this leads to the consequence of seeing company A exploited three months later, at the start of the war. For example, because this was a good moment; we talked a lot about this event in February last year, there were a lot of attacks, which I guess were well prepared before they happened. And of course, all the complexities must be considered. The so-called procurement teams: I won't go into the definition of what procurement is, but every big company that would like to buy something, to achieve it in some way, sometimes there is a big obstacle for that,
even for removing some existing software that is inherited. And for various reasons, whether it is a contract, political or not, there are internal politics in companies, it is very difficult to implement different things.

Bad habits and a few very subtle tricks that you need to be careful with. I think time is going very fast, I will try to be quick. When you build, and until the moment your vulnerability management already exists, the ideal is to get reports from pentesters, red teaming, scanners, vulnerability assessment solutions, all the other reports you can get; CTI teams also provide you intelligence. The most important thing that very often existed with us, and existed with other companies, was an email with an Excel sheet with all the vulnerabilities. It's just like that: for some people it's a number, a mistake, even confused faces in the email, and a confidential email reaches some people who have nothing to do with it. That is, it is extremely important to classify vulnerability management as confidential data, and for the vulnerability management program itself, each of you should have in mind that it actually is something like a critical system in the company, which is the ideal goal for each attacker. Why try to exploit vulnerability A of the 200,000 in the attack surface if one can simply try to target your vulnerability management program and take access to everything? Or at least that's what I would have done.

Also, if your EVM program is missing, if there is no support from the executive management in the form of policies and standards, most likely there won't be any success, because as was said in the previous lecture, from a realistic perspective, many IT people just do their job according to the definition, but the question is for this definition to exist, to be well described in the rules that are mentioned. The policies and standards are the rules that help us to live better in our normal life, and also in a big company, and also in the security world. Also, after your program starts working, most likely someone who is very happy that you are doing this will support you 100%. They are very happy, these people need to be given credit, they need to be put in the right light in the presentation, to show that this is your team, they are a role model, they do exactly what they need to do, they are very good with the goal; first, to give them the credit they deserve for improving the company's security. From the point of view of "we don't have Windows XP", as we understood, believe me, what they said in the previous lecture: as a consultant in my previous consulting company, in DAX 30 companies in Germany, I saw everything and more than that. This is not only in the country, in Bulgaria, but in the whole world, in big companies you have heard about, some of which you are using in your hands. Things are really bad, or not everywhere are they the way they should be. So this is very important: those who work and improve the situation should get credit.

Also, do regular exercises. What happens when they find a vulnerability? Just for information, for example, we are currently running an emergency, from 4 days ago until the end, and we are currently in emergency mode, the whole corporation, in the whole world, because of vulnerability A, because we think that if it is exploited, it will be fatal for our company. These things need to be well practiced, well trained, because the moment they happen, it turns out that everything you thought on paper would happen, somehow doesn't happen. We saw this. Some of you have heard about Log4j, great, some people have. Log4j, I don't know if you had the nightmares that we had, but we had very big nightmares, very long weeks. What we thought on paper for the first huge emergency that would happen, absolutely nothing of this happened. Full chaos, everyone does what they want, no one represents, people are worried and even in trying to help, actually they prevent the success of the program.

I continue forward, time is very advanced. Difficulties, that is, small tricks: whatever tool you buy, from now on I can tell you that it won't allow you to solve the problems. The problems in many cases are: first of all, all tools have bugs. We have tried them all. SAP, you have heard about the company, it has the possibilities, you can afford everything, we are writing software, we have tried everything, we have seen everything. There is no solution that, although it is forbidden for me to mention it, I can mention and say "this is a mess, I will solve all the problems". There is none, I don't know if it exists, and I don't believe that it will ever exist, because of the complexity of this thing, that everything has to be included in one program for vulnerability management. Another important thing: even the most beautiful tool you take, which we like the most, this tool has some limitations and does not cover everything. For example, it can't scan the beamers for some reason, or, a better example, it cannot log in to VMware virtual servers for some reason, it crashes their port. This is the case. You cannot use it; there is another solution that works perfectly with this product of VMware. So what do you do in this case? A plan for action must be made: what will happen? I am moving to the last point. The most important thing when you talk to some people from the company about the topic of vulnerabilities is to speak the language of the person you are talking to.
I assume most of the people here are IT people, pen testers, red teamers; we have seen some of you talking about vulnerabilities, exploits, attack surfaces, all these wonderful words. When you enter the room with the CEO of the company, or of a sub-company, all these words mean nothing to them. Executives can only talk to you about business risk and the financial impact of this business risk. What does the exploitation of the emergencies we are facing mean to me? In financial numbers, most often in numbers. Developers are not interested in these things at all; they ask themselves which package or which library do I need, or which library should I take to be good. The administrators are not interested in your wonderful words, they are interested in the configuration. We heard about Windows, I assume some of you live in the Unix world. What configuration is currently feasible, what should be done to improve the configuration of the image? What update or patch do I need? For those of you who don't know, Patch Tuesday, the most terrible day of the month in most corporations. What do I need?

A few very quick things about asset management. Some of you are familiar with asset management or have heard of it, great, there are people, I am very glad that this word means something to someone. This is basically a thing that is like a mirage in companies: you enter and ask where the asset management platform is, and the people say, what do you have in mind? The people who are in the companies, who work? No, no, no, the assets, the IT assets. They are everywhere, right? They are everywhere. I have a laptop, this is one asset, but things don't work like that when you deal with huge corporations. We even heard about the state, a state structure with 3000 offices; this means that the complexity of asset management is very big. In a scattered structure, in organizations that are all over the world. At least in Bulgaria, Bulgarian Posts are in Bulgaria, in one country. And if you are in 280 or 220, 205 countries with 30-20 offices, then things get complicated. The most important takeaway is that asset management is extremely important. One platform, only one, not two. Some say two is also OK, but no. One platform in which all assets are. Most often it happens that all assets are in the asset management platform, yes, but without... There is no such thing. Either with everything, or you have a problem, most likely, if not now, later. What is the criticality of all these assets you have?

Just for your information, talking about this, I don't know how many of you are familiar with this: in Germany the state created the so-called program "CRITIS" for critical infrastructure, and the state goes back to the companies and says, "Hello, we have estimated that you are critical for us and we are giving you a regulation that you have to follow." SAP, for your information, is a critically important company. Why? Because if they hack us and some employees don't get paid, maybe it's OK, it's a month, there's no problem. It's not a big deal, it's not the end of the world. However, the company sells software that, for those of you who don't know, is critically important for all the other users of this software: in this respect hospitals, in this respect state structures, which pay the salaries of employees or pensions with such software. That is, if the software stops existing, even if the reason is that it is in the cloud and you use it as a solution, this can cause a humanitarian crisis. In this respect, the state intervenes and says: everything you do for us is CRITIS and there are special rules and requirements that the company must fulfill. Some of them are described here. CRITIS requirement: tests must be performed when the company makes software, different deployment stages, there must be segmentation in the network, segmentation of development processes, CI/CD pipelines and so on.

I think I'm way behind in time from the point of view of the slides. Patching. In general, the patching of all these machines, assets, whatever you have, is something that shouldn't happen after, for example, you had a friendly weekend with your colleagues and you tried to hack a beamer; this should happen automatically. When a vendor releases something, you test it on a test device, ideally. This becomes very difficult when we talk about network components. For some of you who don't know, for example, Microsoft had downtime about a month ago because of... who said something? No, another case was when they updated the LAN infrastructure, at least in the case I'm talking about: they released a patch of a networking company called Cisco, and at least in Central Europe they stopped working with cloud services. These things need to be tested; they lead to problems very often and to unpleasant consequences, not meeting SLAs, keep it in mind if you are such a company. We are not talking about some internal test, staging environment, we are talking about the proper environment: if you release some things it is very good to test them, so that everything is safe. Prioritization of the patches, with certainty: just look at the so-called CVSS, we will not get into that, CVSS scoring, or what is the assessment according to the experts of the difficulty and danger of this kind of vulnerability, but take into consideration all these things that were important for the assets. That is, if the asset is very, very important, even if the vulnerability has some low priority, take note that this vulnerability can
be combined with others and have the same negative effect as a more significant vulnerability. When you have an infrastructure, you scan it, you get a report, and here we enter specifically the part where you will have some scanners, you will scan the infrastructure at a high level, low-hanging fruit, for the easiest things we discover with a simple scanner, which tells you for example that machine A is missing some patch. It is good to think about it very well. After that, I think that the slides will be published, that is, you can see in detail what is described. I won't have time to read them all, but simply put, the frequency of scanning is extremely important, and if your executives, which is very important,

are interested in your program, it is very important when you make a report for them that it should be with the same frequency as your scanning. I say it again: we were afraid of that when it was the opposite. They ask questions that you can't always answer easily: why these numbers look the way they look, even though they are different today. In order not to reach such situations where executives challenge you that the program you are doing is not successful, or what is happening, it is good to think about all the things that are described. It is also good to think about what you scan: do you scan the machines themselves, the machines themselves from the inside, if this device allows it? If someone, I mean, I suppose we can manage to modify some vulnerability scanner agent and run it in firmware, but this will be some pointless exercise, super complicated, and most likely it will not give any results. That is, think very well about what you scan; devices that can't be scanned with agents have to be scanned with some scanners. Ideally, however, these devices that scan from the inside of the machine don't give you an inside look at the rest of the machine. That is, again, the outside of the attack surface is not clear to you, because you... Yes, I'm listening. Exactly. We are reaching the web applications in a little while. Absolutely, at a point, the agents still don't understand what happens with web applications, that's why it's very good in your program specifically to separate the web things, yes, from scanning just for patches, from scanning some services that run purely externally on the asset that you scan in this case. Even this device, most likely if we scan it now, we will see some interesting ports and services that we do not know what they are doing for us. The most important thing you should do is not to underestimate your networking infrastructure. Can you yourself bring down your own network? Yes, I have tested it. Can there be consequences of your scanning for other services that run with it? Yes, it is possible. Not every thing that you think you can scan, and that can really be scanned, is good to scan. I give a good example: I think I have seen here a BMS system, Building Management System, but there are such, or at least the big companies have them. For example, things can be mixed up; I have seen the fire system started because of some bug. That is, have in mind all these aspects of what you scan, what you do, even to talk about the pentesters. The fact that someone runs Nmap doesn't mean that he can run it, it doesn't mean that he should run it, and this is extremely valid, we won't talk about this in this lecture, for industrial systems, ICS, that is a completely different world.

With or without authentication. This is the question that the colleague asked. It is mandatory for all devices that allow it. Use it with, so you can see what is happening in the machine, but do not underestimate the external part of the system. You will reach a point when your program works, you scan, you provide reports to business units with the central system. Everything is very cool. And you look at your system that generates pen testing reports, bug bounty, you see all the vulnerabilities that you have for specific components, for specific servers, and you say "what happens, should they be reduced or just increased, why last month?" Because first of all, maybe someone can't cope with the frequency of the crowd. And also, what happens very often is that the business units come and raise their hands and say "I want an exception". That is, make an exception, I won't be able to achieve what you want from me and I won't participate, and they are fully responsible even before executive management meetings. This is OK, in some cases it is understandable: for example, at the moment it is the end of the first quarter of the year, that is, in the next two weeks a specific group of people, a specific group of assets will be extremely busy completing all transactions. That is, the financial systems will have an extremely high reliability requirement to be able to complete all transactions. That is, if for some reason, for example, it was Patch Tuesday, and now you are rebooting because you are installing, for example, 70,000 Windows server patches, which is great, but the sales team, the financial team and 10 other teams that are in a deal with a client in Dubai can't log in, trust me, most likely you won't be able to work on Monday. But this is nothing; your responsibility is very big, cyber security, everyone discovered this, it's very important. Don't underestimate who pays for this cybersecurity and for the existence of your team. These are revenue-generating teams, and there has to be a very complex balance between security and business, the existence of the business, which unfortunately is very complex and very difficult and requires a lot
of effort and compromises from both sides. Also, the most important thing when you reach the moment when you already have these huge databases you have generated, you have bug bounty programs, you have everything, you scan different things in the network, you scan 700 thousand devices or more, or millions: who do you send this to? Who receives this information? Do you have the recipients of these vulnerabilities, the mega-listings? In a company with 20 people it is clear that we are all working in the office and we can talk to each other. In a company with 150 thousand people or 700 thousand employees things get complicated, and it is very, very complicated. In your asset management platform, or what we do and try to do, asset ownership or responsibility: who is responsible for this system? Unfortunately, this is not effective enough, because in one system, besides having an operating system, there are 20 other products in it. Big, corporate, complex products. Who is responsible for them? The system administrator. You send him, for example, or he enters a system, accesses it or receives a notification that there is a critical thing that needs to be fixed in a product. And he says "I haven't seen this product, I don't know what it is, I have nothing to do with this product, for example the sales team uses this product". Yes, but the sales team are in Dubai today and they are picking at clients, because they are not interested in your problem and there is nothing to do because they are not technically familiar. It turns out that there is a team C, which is in Australia, which is in charge of the installation of these products in the entire corporation, which consists of 4 people, and no one knows about their existence. Key takeaway: find, for each asset, for each product of that asset, I think we are talking about a software bill of materials. In the systems you have and in the products you develop, sooner or later, we talked about CRITIS, companies also, to a certain extent, for the software they create, need to have a software bill of materials. Why? Log4j. They ask their clients: "We are using your product or a product of a big company, can we get it?" And the product team doesn't know. We don't know if it's a library or not. It can be found, but it takes a lot of time. If you have 20,000 products, it's complicated. The reaction time, as we understood, is sometimes 1 hour, sometimes 6 hours, sometimes 15 minutes. That is, a very short time for a reaction, to collect information that is almost impossible to collect in 6 hours, even in 6 days or 6 months in some cases. That is, be ready for these things, and you should have in mind that they will most likely be required of you if the company is larger.

Very quickly. After your program exists, you probably need to have some baselines or some basic times that you follow. Because if this patch was released on Tuesday and you deploy it a year later, it would be reliable. Does our program actually make sense if things work with such a big delay? After we realized that... The statistics say that after a vulnerability is published, sometimes within 48 hours the first exploits are seen. The worst thing is that the latest report of Mandiant, a big company that deals with threat intel and with other services, says that the new vulnerabilities are not that scary, but 68% of the attacks are caused by vulnerabilities that have existed for 2-3 years. That is, the old things that you have in your infrastructure are probably the ones that will lead you, and will lead to the failure of the existence of your company at some point, unfortunately, if this happens.

Someone dealing with containers? I have literally 5 minutes. Great. If someone is dealing with containers and they think that they will just run some kind of scanner and scan them and then you will have things: this absolutely will not work. You will have very big problems with DevOps teams. They will be very tired of what you want from them. Container scanning requires a completely different approach, and in fact there things are so agile and so dynamic that you can afford the so-called shift left, that is, to turn security to the left, at the beginning of the development process and the creation of your containers, and to clear all the vulnerabilities, whether from libraries, whether from reports from pen testing colleagues, from red teamers, from misconfigurations, whatever has been found there somewhere. It should be cleared in the creation of your product, whether it is microservices or whatever you create there. Otherwise, in the long run, you will fall into this cycle again, something existing which is destroying, it should be... In principle, what we do is to execute some kind of scanner, some kind of system in containers, which do different things, but executing from containers and attacking other containers is easy, yes, many things can happen. The question is how to clean the existing containers: the so-called shift left approach, taking security out, possibly to the left, into the planning and creation of the product you create with these containers, and cleaning the images themselves, because most of the container management systems have redundancies and they allow dynamic removal of some containers and their upload within seconds with some new image. That is, literally cleaning up all existing things known for a long period without downtime, which is one of the big obstacles for updating, the downtime which your clients or your employees themselves have to survive to clean up all the errors.

Web scanning, as the colleague mentioned, is mandatory. If you do web scanning, integrate it into your EVM program, to be an integral part, and not just to be somewhere else, to exist; the information should be correlated with what you already know, with other scans. If you don't have it, it's good to think about it after this lesson, to start having it. And also, if you use some SaaS things, not all of them, the bigger ones you can scan, they have the policies, but the most important takeaway is that if there is a service that you bought from a company somewhere and they are on the cloud and you can access them because they are on the internet, it doesn't mean that you can scan them. Scanning other companies from yours is illegal, unless you have permission to do it. So, keep this in mind. It didn't happen to us, because we know it very well, but I have seen a company
being convicted for scanning another company, simply because they were convinced that they can do it and so on. Many things can be mixed up, especially the humanitarian crisis, because the company A scans the company B because that's how it was decided. Keep this in mind and read the policies of the company you scan. If they don't have such a connection, ask them if they can. We want to ensure our company and the services we provide. We want to do this and that. Compliance scans - there is no way, I'm sorry, I saw that people already felt that we are talking a little bit about compliance. Yes, it is mandatory, this is part of the thing. Many of
the results that we use are used by the colleagues who are engaged in governance, to cover various specific requirements that are imposed on them and which other auditors who pass through the company are looking to see. For example, do you have a vulnerability management program? Yes. What are you doing there? Yes, you are checking some checks. This is for pity or for happiness, maybe for happiness, it is good to have such things. Your program will inevitably be included in this and will also be audited. That is, what you do and someone will come to tell you that for example you don't do it well or you do it very well, it is also possible to
happen. I am almost at the end. Threat intelligence, some of you to deal with threat intel or to receive such Legal or not legal? Ok, great. We get all of them, I'm kidding. Third Intel, which you didn't know, this is the most simple one. What is the status of some vulnerability that has appeared in the last days, yesterday, today, what is happening with it, is it exploited in the wild, weaponized? what additional modifications are being made to this vulnerability and how complicated it is. In the end, the complexity is also very important, which is something very easy. ScriptKiddy, people who don't have much to present, but have some basic computer skills, can also use this and
harm your company absolutely elementary. The exploitation of the law, as we understood, some of these attacks that are happening, are happening from people, we may have an ethics among us, we don't know, who are engaged in sponsored attacks from the state. That is, the state pays a group of people, they execute an attack on another country or another corporation with a purpose, any purpose, political, financial, killing competition and many other things, creating a humanitarian crisis, absolutely the same. Also, the delivery of your 3D Intel is very important to be integrated in your AVM program, if you have one, to be filtered for your specific needs. If you use only Unix systems, what do you care about, that there is ransomware and someone who uses the latest one from the
last update from Microsoft or vulnerability that is fixed from the last update from Microsoft. If you don't use it, it's good to know it, but if a colleague is familiar with 3D Intel, the information is so much that the enthusiasm will be lost very quickly. After one or two days of receiving such information, you will just understand that you need to filter, otherwise it makes no sense. This is the end of the presentation. Key takeaway, you can see it in the slides. An example from our point of view, what or how a wonderful EVM program would look like. The most important thing in the middle, in the circle in the slide is automation. Many of the programs that I saw before
joining my current company and in my current company before we started doing what we do, it took us two years, were manual things, someone sends something somewhere, decentralization, teams don't talk to each other, nobody knows what the other team is doing. The most important thing is first centralization, that's why we talk about one EVM and the second thing is automation. In case you have an emergency, for example now, if you want to call Let's say 500 scanners within 5 hours. Even if you have 20 people, you probably won't be able to stop them. Even if you have some pen testers and they won't stop. Even your pen testers should think in this direction when they are part of
your program for automation, automated execution of some things in order to faster absorb the information and the results you need. Product security, if you are a company that develops products, turn on the products, know what happens to your products, because most likely you are the users of them and it is good to know what happens there. We said pen testing, red teaming, bug bounty, exceptions, it is very important to turn on your program, to be turned off in cases where they are approved and understood what are the consequences of them. Asset management and software asset management are in the order of Bills of Materials. Do you know what your products include? Incident response team, some of you, let someone be an incident responder. Super,
yes, talk to these people, they are your friends number one. When something can potentially go wrong, they should know best and expect that an attack can happen there. And also 3D intelligence, we already said it, you can see other things on the left, orphan management, probably like any other company bigger and yours if it is like that, you will have orphan management. What does this mean? You have for example a server or something next to you and it is part of the network and you can even sit there virtually, or container or whatever you want. This is not a good thing, probably it shouldn't be allowed, but it happens in every big company and it should be very well controlled and all these kinds of orphans, whatever they
are, even we are talking here about a printer that has become an orphan, nobody knows, it is part of the network, nobody controls it. It can't be printed on it, because it's not part of the AD, but it's part of the network and can be accessed by some specific networks. This is a danger, it's not good, the printer is forbidden, it's not repaid. This is a very long slide, we won't go into it. Our special magic formula or recipe with the burgers is after you have a CVSS score, take it, make a risk assessment, what does this mean for you in the specific vulnerability, make the so-called classification of the data that you have found or are connected to this asset, And the system's criticality. If this is a
system, but contains every critical data, it is a test system, this does not mean that you will not bake the test system, or you are not interested, or that someone will exploit it, and what of that. Some of the exploits of large companies are due to their actions in the system, and they are most often neglected and forgotten. This is also quite often the case. Vulnerability urgency or what is the benefit of this vulnerability and the most important things are specific for your organization. As we said, all these things from the asset management slide, what is specific for you, what interests you and finally the sum of all these things or the integration of all
these knowledge will give you some priority, that is, you can prioritize the various vulnerabilities at the top and bottom in time. And this is the way to the successful program - synchronization of operations, synchronization of people and tools. If these three things don't work together and you buy the most expensive products, they won't solve the problem, I guarantee. And as Peter said, in a year I will tell you the same thing. So that's all from me. Thank you very much. I apologize for the delay.
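The burger recipe from the end of the talk (CVSS plus risk assessment, data classification, system criticality and organisation-specific factors), the remediation baselines mentioned earlier, and the advice to filter threat intel down to the platforms you actually run, put together as one runnable model. This is an added example written for this page, not the speaker's or SAP's code; the weights, tier thresholds, SLA days, field names and the sample inventory are all assumptions chosen for illustration (CVE-2021-44228 is the real Log4Shell identifier for the Log4j case the talk mentions, the other two finding IDs are placeholders).

```python
# Added example (not from the talk or SAP): prioritisation of vulnerability
# findings per asset, combining CVSS, exploit status from threat intel, data
# classification, system criticality, exposure and orphan status, then mapping
# the result to an assumed remediation baseline. All weights are assumptions.

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    name: str
    platform: str                 # assumed values: "linux", "windows", "container"
    internet_facing: bool
    data_classification: str      # "public" | "internal" | "confidential" | "restricted"
    criticality: str              # "test" | "standard" | "business_critical"
    owner: Optional[str] = None   # None models an orphan: nobody is responsible for it


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float                   # CVSS base score, 0.0-10.0
    affects: frozenset            # platforms the advisory applies to
    exploited_in_wild: bool = False   # threat-intel flag
    public_exploit: bool = False      # PoC or weaponised code is public


# Assumed additive weights: a test box holding restricted data still scores high,
# which is the talk's point about neglected test systems.
DATA_WEIGHT = {"public": 0.0, "internal": 0.5, "confidential": 1.5, "restricted": 2.5}
CRIT_WEIGHT = {"test": 0.5, "standard": 1.0, "business_critical": 2.0}
EXPOSURE_BONUS = 2.0        # reachable from the internet
ORPHAN_BONUS = 1.0          # nobody will patch it unprompted
ITW_BONUS = 3.0             # exploited in the wild
POC_BONUS = 1.5             # public exploit, no confirmed in-the-wild use

# Assumed remediation baselines (days) per priority tier.
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}


def relevant(finding: Finding, estate_platforms: Set[str]) -> bool:
    """Threat-intel filter: keep only advisories for platforms we actually run."""
    return bool(finding.affects & estate_platforms)


def priority_score(finding: Finding, asset: Asset) -> float:
    """Combine CVSS with exploit status, data classification, criticality and exposure."""
    score = finding.cvss
    if finding.exploited_in_wild:
        score += ITW_BONUS
    elif finding.public_exploit:
        score += POC_BONUS
    score += DATA_WEIGHT[asset.data_classification]
    score += CRIT_WEIGHT[asset.criticality]
    if asset.internet_facing:
        score += EXPOSURE_BONUS
    if asset.owner is None:
        score += ORPHAN_BONUS
    return round(score, 2)


def tier(score: float) -> str:
    """Map the combined score to a priority tier (thresholds are assumptions)."""
    if score >= 15.0:
        return "P1"
    if score >= 10.0:
        return "P2"
    if score >= 6.0:
        return "P3"
    return "P4"


def assess(findings: List[Finding], assets: List[Asset],
           estate_platforms: Set[str], found_on: date) -> List[Dict]:
    """One prioritised work item per (finding, affected asset), highest score first."""
    items = []
    for f in findings:
        if not relevant(f, estate_platforms):
            continue                      # noise for platforms we do not run
        for a in assets:
            if a.platform not in f.affects:
                continue                  # advisory does not apply to this asset
            s = priority_score(f, a)
            t = tier(s)
            items.append({
                "cve": f.cve, "asset": a.name, "score": s, "tier": t,
                "orphan": a.owner is None,
                "due": found_on + timedelta(days=SLA_DAYS[t]),
            })
    return sorted(items, key=lambda i: i["score"], reverse=True)


# Constructed sample inventory and findings (not real data).
SAMPLE_ASSETS = [
    Asset("web-gw-01", "container", True, "confidential", "business_critical", owner="platform-team"),
    Asset("test-db-07", "linux", False, "restricted", "test", owner=None),
]
SAMPLE_FINDINGS = [
    Finding("CVE-2021-44228", 10.0, frozenset({"linux", "windows", "container"}),
            exploited_in_wild=True, public_exploit=True),
    Finding("F-1", 9.8, frozenset({"windows"}), exploited_in_wild=True),  # no Windows in estate
    Finding("F-2", 5.3, frozenset({"linux"})),
]
ESTATE = {"linux", "container"}


def demo() -> List[Dict]:
    """Run the constructed sample through the model."""
    return assess(SAMPLE_FINDINGS, SAMPLE_ASSETS, ESTATE, date(2024, 1, 15))


if __name__ == "__main__":
    for item in demo():
        print(f'{item["tier"]} {item["score"]:>5} {item["cve"]:<15} {item["asset"]:<11} due {item["due"]}')
```

Running it puts the Log4Shell item on the internet-facing gateway on top, the same advisory on the orphaned test database with restricted data also lands in P1 with a two-day deadline, the low-CVSS finding on that orphan still comes out P3 rather than being ignored, and the Windows-only advisory never reaches the list because the estate runs no Windows, which is the filtering the talk asks for.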