Everyone get a seat, we'll get started. Everybody.
All right, we're going to get started. We have a pretty tight schedule today, so I know we'll run a little bit behind, so hopefully we'll keep things running very smoothly and not have too many delays. So welcome to BSides St. John's 2022. Absolutely. And for those that don't know, this is our 10-year anniversary, and if we pretend that COVID never happened, this is our 10th consecutive year, so we're just going to forget about the last two years and say we've had 10 consecutive years of BSides. So we are still one of the longest running events in North America. I believe we are the longest running one in Canada, and we are in the top five or six for the longest running in the world, so globally that's a pretty good achievement.

All right, so for those that don't know me, my name is Robert and I work at a local company called CoLab Software; I'm the VP of Security there. If you want to know more than that, you can look me up on LinkedIn and introduce yourself today and I'll be more than happy to share some information. I am also one of the many volunteers that dedicate their time to making this event possible. Without them obviously none of this would be possible, and we all do this in our spare time, so it's a pretty big [Applause].

So we do have a few special thank yous that I want to mention. Without these individuals and companies this event definitely would not be possible at all. An absolute very special thank you to our partner TechNL. Honestly, without them we definitely would not be able to do this. They handle all the logistics behind the scenes: the invoicing for the vendors and all the payments, collecting all the funds and doing our reimbursements. Honestly, without them, and a very special thank you to Allison from TechNL, without her none of this would be possible. [Applause]

I want to say a big thank you to, again, all the volunteers that make this happen. People don't realize the amount of work that is needed to pull this event off. It is an absolutely tremendous amount of work, so when you see the folks walking around with these red t-shirts on, just go and say thank you. It's a lot of work, a lot of late nights and a tremendous amount of effort. I want to say a very special thank you to all of our sponsors; without them and their support, of course, none of this is possible. None of this is done for profit; whatever money we collect to put on the event is used to put on the event, and that's it, it's done. So make sure that you go and talk to all of the sponsors today, hear what they have to say, thank them, collect some swag. They've got some great stuff out there; everybody loves swag. And of course, lastly, thank all of you folks. Again, without having the attendance that we have, what's the point of the conference? So absolutely thank you to each and every one of you.

So a few housekeeping items before I turn it over. We have a nice lunch today; it's going to be soup and sandwiches, there's an assortment of sandwiches and wraps. We do have a limited quantity of gluten-free and vegetarian options as well, so if you don't have requirements for gluten-free and vegetarian, please take the regular stuff, because there is a limited quantity. Lunch will be buffet style, so to keep things moving we're going to do it in sections: we're going to call it out and then you can go get your lunch, come back, sit down, and try and keep everything running smoothly. Again, we have a very tight schedule today and we are running behind, which I should have anticipated because it happens every single year, but I'm optimistic. So to help keep things moving with lunch, it would be really great if you use the tables, the rectangular ones in the back, for your dishes. When you're finished, just go and put them back there; that will help the staff be able to keep things clean and also minimize the disruptions that might happen with having people come and collect stuff from the tables.

We have an evening social again, as always, that will be immediately following the last presentation of the day, and our grand prize draws. We have some great prizes as always. The prize draws use the "admit one" tickets that you should have gotten with your registration and your ID card, so if you didn't get one, when we go to do the prize draws we'll just make sure that whoever didn't get one gets a ticket beforehand, and then we'll do the prize draws. We'll be doing multiple throughout the day and then we'll do the grand prize draw at the end. An important thing to remember is that you have to be here to win. We don't have names associated with those tickets; it's a number. If I call a number and you're not here, it goes, I pull another one, and I'll keep doing that until somebody wins.

We also have a capture the flag this evening hosted by Hack The Box, and with that we've got some really great prizes: a couple of PlayStation 5s, some gaming gear, so I think somebody's going to be pretty darn happy when they leave here today. Something else that we have this year that's going to be a little fun: many of you know that we have these challenge coins that we give out every year to speakers and to the winners of the capture the flag. Of course, because of COVID we missed two years, and these coins are engraved with the year on them, so we ended up with a pile of coins for 2020 and 2021 with nothing to do with them. So this year you may have seen that Matt put out a social media post saying come with a $20 bill. We're going to give these away in exchange for a $20 bill, and all the money is going to go to charity; we're going to give it to the Keith Keating Memorial Tournament fundraiser for cancer care in this province. They're doing a fantastic job of raising money.

Yeah, so basically, in exchange for a $20 bill you get a nice commemorative token for an event that never happened. All right, as always the bar will open after lunch. Drink tickets are available; you should have gotten some already. These tickets are good for anything, so if it's a liquid you can drink it, you can have it; it doesn't have to be for alcohol. I tried to get tickets that just say "drink" or "refreshment"; the entire city is cleaned out of those tickets for some reason. So your tickets are going to say alcohol, but it's not just for alcohol, it's for whatever you want to drink. Of course it goes without saying: don't drink and drive. If you need a cab, there's phones out in the lobby, or you can let one of the volunteers know and we will be more than happy to call a cab for you and send you on your way. If you have any questions at any time, or any concerns, or you need help in any way, please speak to one of the volunteers or come talk to me directly; more than happy to help. Again, all the volunteers are in the red shirts. So Chris Parsons is going to kick things off today by introducing our first speaker. Thank you very much folks, enjoy your day.
[Applause]
Awesome. Well, thank you Robert, and it is awesome to be back in person. So we're running a bit late, so we'll get the show on the go. Our first speaker is Patrick Curtin, who is talking about ransomware. Yes, talking about ransomware here first. Nice.
Right, good morning everyone. Can you hear me? Good. All right, excellent. Okay, so ransomware is a very hot topic, of course, probably the hottest topic in cyber security now. When you think about cyber security there's a lot of different ways of looking at the problem. My personal favorite way of doing it is what we're going to do here, which is looking at an actual incident and walking it through and seeing what happened and what could have been done better, what worked well; in this case not very much. The problem with this way of looking at cyber security is you almost never know enough to do what we're going to do here, and there's a reason why this one is an exception. So if you're doing incident response at your own organization, sure, you're going to know, hopefully you'll be able to figure out what happened, but when you read about them in the press there's little snippets; there's almost never enough for you to build a picture. This ransomware example from Ireland is a bit different, and it's an excellent way of illustrating how important executing fundamentals is in the field of cyber security, because this is a worst case scenario. This is one employee making a couple of mouse clicks bringing down a whole organization, and not just any organization, a critical infrastructure provider.

So what we're going to do is we're going to start by looking at the targeted organization, look at how they were set up. We'll look at the threat actor, and then we'll look at the timeline, the steps that occurred in the compromise and the recovery. We'll talk about the impact, and then we'll look at the post-incident analysis, and finally we'll talk a little bit about prevention.

So the graphic on the right is the cover page of the post-incident report, which was made public. This is super rare, okay. It's a big report, 150 pages, written by PricewaterhouseCoopers. It is redacted, so there's about 10 pages of technical details that are completely blacked out, but other than that it's all available out there for everyone. It's an excellent read, and this, again, I can't emphasize this enough, it almost never happens. It only happened here because at the targeted organization some enlightened soul decided this story needed to be shared, because there's a lot to learn here. So a shout out to the HSE for publishing this.

So who is the HSE? It's the Health Service Executive in Ireland. It is basically the health care system of Ireland. So Ireland, 5 million people; this makes the HSE the largest employer in Ireland at about 130,000 employees. It is a designated critical infrastructure provider. Huge budget, of course, health care for an entire country: 22 billion euro. The IT budget, about 200 million euro. Okay, that sounds like a lot of money, but if you look at the budget it's less than one percent. One percent is a bit challenging, and we'll get into a bit about the different tensions going on with budget in a healthcare organization, but in the U.S. the benchmarks I've seen are about three or four percent; banks would spend more, eight or nine or ten percent. But one percent is your first sign that maybe all is not well here. And they're supporting a lot: they've got 70,000 devices spread over a wide enterprise, over 4,000 locations. This would be not just big hospitals but little clinics and that kind of thing. Lots of applications, supported by 350 staff. That's not a lot out of an employee base of 130,000.

Okay, so let's look at the network. Now I'm going to generalize a bit; there's a few exceptions to what I'm going to say, but in essence this was a flat network. It was done that way to make it easy for staff to access the applications they need, so we're right away illustrating the tension between convenience and security. So there weren't enclaves generally set up in this network, a few exceptions, and those exceptions, in what's going to happen here, made the difference for those places that were not completely open. A third of their servers, several thousand servers, out of support. Thirty thousand Windows 7 desktops. These Windows 7 desktops hadn't been moved forward to Windows 10 because they had a problem running their medical imagery applications. There was a way around this; some of the hospitals on their own figured out how to do this, but by and large the enterprise hadn't moved off for that reason. So a whole bunch of workstations, a whole bunch of servers not being patched. There was no CISO, no Chief Information Security Officer. They did have a CIO but no CISO, unusual for an organization of that size. No SOC, no Security Operations Center, no hub to act as the quarterback for security operations. 15 cyber security staff. So when you think about 350 IT staff, 15 cyber security staff, that is really, really small. When this incident happened they were in the process of doubling their IT; they had received authorization to go from 350 to 650 staff and they were just starting to do that, so at least there was some recognition they didn't have enough people. The cyber security staff, I didn't write it here, but in the post-incident report they are described as not having the necessary expertise or experience to do their work, which is a pretty damning statement, but when we get to some of the observations I think there's other things we need to consider beyond just these poor 15 cyber security staff that would have been run off their feet.

Okay, think back to spring 2021; that's when this incident happened, not too long ago, right, only a bit more than a year ago. Spring of 2021, Western health organizations are rolling out COVID vaccines, right, and there's applications involved, there's IT to support that, so some of those cyber security people were peeled off to help support this high priority effort. So not only do they not have enough, but they're also working on other things. And cyber security was a recognized high and likely risk; this was presented to the HSE board in the fall of 2020. So people were aware there were problems here; it was actually presented at the board level, the highest level. Now that presentation is not public, but it sounds as though it was just kind of an observational thing and it didn't talk about impacts, didn't say hey, if we don't do something about this we might grind to a halt, and I suspect if it had, they would have been told no, no, no, you're exaggerating. So let's see what's going to happen. So this is how I feel as a cyber security professional when I look at this: this is a train wreck. It's surprising something didn't happen sooner, but this is an accident waiting to happen, and it's appalling, it's terrifying when you think that it's a healthcare setting, a setting where it's literally life and death.

All right, let's shift gears to the threat actor. In this particular case it's a group known as Conti. You'll hear them referred to as a cybercrime gang; their ransomware is also known as Conti ransomware, and it's a bit confusing because these guys are currently rebranding. They're in the news a lot. They really hit the news big with this, and they've subsequently, I'll talk about it a bit, been involved in other high profile things, but they've actually decided to rebrand and it's not clear exactly what's going on. But it looks like they're based in St. Petersburg, about 200 people, and they have a very wide playbook. Okay, they have some very sophisticated techniques, but their hallmark is what we call living off the land, which is where once you get on a network you're going to harness admin tools that are already found there, so you're not having to move malware in that could get detected; you're just going to use stuff that's all sitting there in the admins' toolbox. So the FBI, as of about six months ago, had estimated that this group had over 700 major ransomware victims, and in 2021 they extorted somewhere between 150 and 180 million. So that's a lot of money when you think only about 200 people are behind it; if that was a company they'd be doing pretty well. And they've been described as an unparalleled big game killing machine. 700 major victims in a few years; they're very good at what they do. And at the bottom there, they're good enough that the FBI issued a ransomware advisory about them, so that is also available for everyone to see. This is from about a year ago, September 2021.
Excuse me, I'm going to have to get some water; it's already getting a little dry.
Sorry. Right, so in the fall about a year ago, they were, actually I say fall 2020, sorry, that's fall 2021 and March 2022. So in the fall they were breached by a disgruntled former employee, if you could call them that, and this employee, classic insider threat, brought all kinds of their intellectual property out, brought out their playbooks, published it all on Tor. So of course cyber security researchers had a field day with that. And then, strangely enough, they're based in Russia; when Russia invaded Ukraine they came out and said we're in complete support of the Russian government, we're completely against Ukraine and the United States, we're going to act in support of the Russian government. No surprise; there's always been thought that Russian-based cyber crime actors are loosely connected with the government. Well, when they did that they then got targeted and a whole bunch of other things got leaked, including chat logs. So again cyber security researchers were able to digest this stuff, analyze it and build a picture of what they're like, and it reveals a pretty grueling work environment. They've got a lot of attrition at the working level, there's a ton of pressure, some of them are remote, they're always expected to produce. And one of the researchers is quoted saying the leaks paint a picture of a surprisingly normal tech startup. And so this is what they look like; this is Check Point did this. There's about 200 blobs there; these are people. So they were able to identify leadership, people that are doing HR, people that are just doing their back end, people doing their software development, just like a startup.

All right, so let's get to the middle of March 2021. March 14th, a particular person at the HSE gets a phishing email. Not a spear phishing email, just a phishing email. I get them all the time, but the ones I get are pretty crappy; I'm never going to click on them. The ones these guys do are really good. Two of the themes they use are Apple cards and Amazon cards, and when you look at them there's no spelling mistakes, all the fonts are perfect, all the graphics are perfect, so you'd have to look at it a bit more closely and say yeah, this is still too good to be true, why would someone be sending me this? But this particular employee, and there were others, it wasn't a mass campaign across the HSE, but there were numbers of employees getting them, and this employee had actually received them some, I think, four times in the past and had never clicked, but this time, for whatever reason, March 18th, they click. Infected. That's the initial compromise right there, and that workstation is known as patient zero.

Over the next five days nothing happens. March 23rd, the threat actor goes in and gains persistence. So in those five days, if the workstation had just been cycled off or if something had been detected, it could have been cleaned very easily, but that didn't happen. So the threat actor goes back in, establishes persistence, just on that workstation. March 31st, the threat actor goes back in and the enterprise antivirus detects the use of Cobalt Strike. So Cobalt Strike is a penetration testing tool; it's pretty common out there. It's also common for bad guys to use it; that's why the enterprise antivirus detected it. Now that workstation hadn't been patched in something like a year; the workstation had the enterprise antivirus, but the signatures on the antivirus had also not been updated in something like a year, but it still detected this. It detected it, and that alert just went to the floor.

Now this is kind of surprising here: for the next five weeks almost nothing happens. Okay, there's very little threat activity showing up in the logs; there's no reason to think there was. I think what this indicates goes back to that grueling work environment. These guys are infecting so many people and they're not going to have a very organized workflow, right? So some cyber crime operator at a console somewhere finally is like okay, let's go in now; they probably had a full dance card up until then. So five weeks later they're leaving fingerprints of reconnaissance, lateral movement and privilege escalation. So this is like okay, things are starting to get really serious here. They took their beachhead, spread out, they've escalated privileges, so they've got admin rights in a bunch of places. This is not good; this is definitely a sign that things are escalating. Then a day later there's file activity; they're basically looking to see what they can get, what kind of files are out there, what information is there.

Now I've cleaned this up a bit. Over the next few days there's a few more things happening; there are alerts starting to go off. Some of the hospitals are operated autonomously and some of them are detecting activity they don't like. There's actually one hospital that goes to the center and says hey, we've seen something coming from you guys, coming from corporate, and someone on the corporate side comes back and says no, no, the problem's on your end, which is not true. So there's some confusion there, but it's getting serious enough that the enterprise antivirus company, with their own telemetry, is starting to see oh my goodness, something serious is going on. They start emailing their contacts within the HSE saying hey, you've got unhandled threat events. And I would imagine the threat actor at this point is figuring out that they've been detected, and on May the 14th you have the ransomware detonation.

So what we're going to see here was a pretty huge deal in Ireland, but it didn't make the radar here very much, and there's a reason for that, and that's the Colonial Pipeline compromise. So right around the time this is happening, Colonial Pipeline, down the eastern U.S., gets hit. That was a big cyber security story right there; again, critical infrastructure being threatened. There was some thought that aviation fuel would stop flowing on the East Coast, which didn't happen, but it was a pretty serious deal and it did get a lot of traction in the press, and that kind of drowned this story out a bit on this side of the Atlantic. It was still a big story in Europe.

Okay, so let's look at what happened on the day of May 14th. 1 a.m., so the threat actor is deliberately deciding to set things off in the middle of the night in Ireland, okay. Fewest people would have eyes on at that point; makes sense. But a couple hours later the first reports are starting to hit the national service desk. So this is like the help desk; this is not security people, this is just reports going to the help desk: hey, I can't get my workstation to work, I got a blue screen.

The next few hours, for an organization this size, they do seem to have responded well to something that happened in the middle of the night. By almost five in the morning a critical incident has been invoked; that would unleash internal protocols about who to contact and what meetings to stand up. Five ten, there's a call with subject matter experts and they make the decision to disconnect. So to staunch the bleeding they're going to disconnect and power down. Six o'clock, the CEO notifies the board. So think about the CEO of this massive organization notifying the board at six a.m.; that means the CEO has been involved for a few hours. Media starts getting reports at seven. The police are brought in at 10. 10:30, they've engaged some third party help, a third party incident response company. By noon a malware sample has been shared with the IR firm, and two o'clock, text going out to staff. And at some point during the day a ransom has been demanded: 14 million euros, over 20 million dollars. So if you're a member of the HSE, you get into work, everything's off or should be off, nothing's working, and on your own Twitter, maybe, if you follow the HSE, you're going to see this reminder on Twitter: if your workstation's on, turn it back off. And here's a tweet from an obstetrics hospital sending a message out: we're only doing emergency stuff today; if you've got a normal appointment, don't show up. And this was common across the system with a few exceptions.

All right, so let's look at right of boom here, after the detonation. What happens? Well, they set up a coordination center the next day, off-site. They didn't actually have an on-site place to do this from; I'll get to that in a second. By the 24th their incident response helpers have come up with a "go to green" process for secure recovery, so this is a way to recover the workstations. By the middle of June half of the servers and half of the applications have been recovered, and by about a year ago, September 21st, most of the servers and applications have been recovered. Okay, some of you might be looking at this going I'm missing something, and I did skip something very important, and that is that on May the 21st they received the decryption key. They didn't pay the ransom, so we'll get a little bit into that, but that receiving of the decryption key is what actually allowed this whole go-to-green and recovery process to even happen. [Applause] So Conti said: we're providing the decryption tool for your network for free, but you should understand that we will sell or publish a lot of private data if you will not connect with us and try to resolve the situation. Yeah, it is more important to be lucky than good. Now, why did this happen? The most likely scenario is that someone within the ransomware gang is like oh my goodness, this is going to bring a lot of heat on us, this is not good for us, we've got to walk this back. There's some chat to support that theory; we don't know for sure. They do target other healthcare organizations. Maybe it's because Ireland is kind of non-aligned, Ireland is not in NATO; who knows.

Okay, let's talk about the impact a bit. Devastating impact, cannot be overstated. This is on Irish state media, early June: HSE chief says cost of cyber attack could reach 100 million euro. Since then the estimate is it might be as much as five times as high. Massive cost; it's a huge financial cost. But we're talking about health care, so let's forget about the financial cost. What's the impact on health care? Well, first of all, okay, so when they encrypted, that went pretty broad: at least 2,800 servers and 3,500 workstations encrypted, but it's probably much more; that's where they stopped counting. So it was pretty broad, and the response, which they really had to do given their situation, they had to disconnect and power down. Well, think in your own work: what would happen if you did that? It's going to have a big impact on your work, of course. One of the biggest things: the HSE lost its email, and email was the way they primarily operated internally. A lot of us are now doing a ton of stuff on Teams; that wasn't the case there. More importantly, health care staff lost access to patient information and lab systems. So you're going in to get a treatment and your doctor can't access your file, which in a lot of treatments is really, really important, right; it's not just a one-off, especially with oncology. On top of that, support staff lost access to financial and procurement systems, so even in recovering, like okay, we've got to pay for this incident response firm, they would have been having to do all this stuff without the support of their normal systems. They didn't have access even to their employee contact list; they didn't have access to their asset registers or network diagrams. So think about this like in your own work, in your own life: you've got to be ready for a power outage, right? So hopefully at home you've got a few flashlights. So it's like 10 o'clock at night, the power goes out while you're watching Netflix; well, it doesn't do you a lot of good if you have flashlights and you don't know where they are. So they didn't even know where their flashlights were. They did not know what their assets were; they didn't have their network diagrams to work from.

And then what does this all lead to? When you can't access health records and test results, that has a big impact on medical care. They had to revert to handwritten records. They had to issue a national health care indemnity; this is the government saying health care providers, doctors, nurses, we know you don't have access to what you need, but we're going to assume the risk, we want you to carry on. And of course the health care people wanted to carry on; they just can't provide the same standard of health care, and the government basically had to step forward and say well, we'll assume the liability here. And there's even spill-on effects in something like this: like when a baby is born in Ireland, the information required for the birth certificate and child benefits, that was all shipped by email, so all that ground to a halt. And then you have, big room of people here, surely some of us have loved ones in healthcare; they've had a real tough time during COVID. So these folks have been working through COVID and now you've got another crisis thrown upon you. Then, to add insult to injury, some patient records released.
can you hear me now okay all right so this organization couldn't have done it on their own obviously so they right away uh the Irish National cyber security Center which is Tiny the Irish military actually came in this one's a bit funny um so you think about the Irish military pulling up he's like oh they're going to bring you know radios no they set up a teams instance for the Health Care system and they also brought in they had some some reservists who were white hat hackers so they had some expertise as well um aib Allied Irish bank I'll just shout out to them because they're kind of the unsung heroes there they weren't recognized in the uh in the report but
one of the members of the HSE board is the CIO of the Allied Irish Bank biggest Irish Bank when this incident happened you threw open his resources they used their incident room they used their staff all for free um so this is a great example of a you know uh another entity recognizing the problem recognizing how important was for the country and let's do something about it there were there was a third party incident response provider that isn't actually spelled out in the uh report or the company isn't identified but PWC they they do this a lot they so they brought out their Matrix of how to analyze um what happened here they they basically
measured the HSE's readiness against their framework. They conducted a pile of interviews and reviewed thousands of documents. In their readiness framework of 28 elements, 21 of them were noted as very high risk. So in their view HSE was doing very little to reduce their attack surface, doing almost nothing to reduce dwell time or to limit blast radius, and only a few things for recovery. A lot of kinetic terms there, but basically those are the basic things you need to do to have defense in depth and to minimize damage when compromises happen, and HSE wasn't doing much of that. They did a cyber maturity assessment,
and not surprisingly it came out as pretty poor. Measured against the five NIST cybersecurity domains, basically if you get a 1.0 that's like you're doing nothing; you don't get a zero, you get a one. So they're not very far along the path to cybersecurity health here. They came out with this report at the end with 72 key recommendations. Now, if you've ever seen recommendations for improvement being handed out to someone, you normally tap out at four or five, so 72 is a lot. Not surprisingly, it's like: you need to have a CISO in there, you need to have an IT strategy that
addresses all your technical debt, because there's a ton of technical debt there. They're saying HSE had to enhance their crisis management capabilities. So HSE, they run hospitals, they actually had great crisis management capabilities when it comes to mass casualty events, fires, earthquakes, floods, but nothing for this. Establish a suitably resourced and skilled cybersecurity team. And finally, build defense in depth, including security monitoring, vulnerability management capabilities, secured privileged access, network segmentation. The list was longer than that, but those are some of the basics. All right, so there were a lot of opportunities; this didn't have to happen. If we think about the initial email, well, this is the human element:
training, training for your staff, training for people on, in general, not clicking on things you don't expect, just basic awareness about the cybersecurity threat. That's a thing you can do. Okay, now is it okay for an employee to click on a thing, make a mistake, and bring down a whole network? No, it's not okay, but that's your first step. You still have to have safeguards after that. So that initial click: with a half-decent endpoint agent, that would have set off an alarm, or better than an alarm, it would have been blocked. So you should block this kind of thing, but if you don't block it, at least detect it,
and if you have a way of detecting it, at least have someone dealing with that detection. Persistence being established, well, that's another, different activity; it probably involved changing registry keys. This is another thing you can try to detect, you can try to block; it's not a super hard problem, there are products that do that. Then if we go to the other steps that were taking place, reconnaissance, lateral movement, privilege escalation, all of these things involve certain techniques the threat actor is going to do, techniques that can be detected, techniques that in some cases can be blocked. So again, you want to do it at wire speed if you can, you want to block if you can, but if you don't block, at least
detect, and then have someone in a position to triage those detections and have a look, because there was time here. There was time here; it wasn't a matter of seconds. There was some time, at least in this case, for people to actually go, okay, there's something seriously going wrong, let's take steps. Similarly with the file activity. So basically every step along the way there are fingerprints the threat actor is leaving behind that you can detect and hopefully block. So I'm getting close to wrapping up here. This could have been way worse. If the key had not been provided, they wouldn't have been able to do that recovery; they would have had to start
from scratch, and the healthcare system, which went through weeks of extreme problems, would have still been going through it. So they're lucky there. Medical devices weren't targeted; they could have been. The malware wasn't destructive: it could have been a worm, it could have been a wiper. You've maybe been hearing a bit about wiper malware being used in Ukraine. The malware could have gone on and just started destroying files. That didn't happen. But I think what this points to is that organizations, if you're operating on the internet, you've got to take steps to defend yourselves. You have to invest; it takes money, and when I say money, you
know, it's money for systems, it's money for people, which often gets forgotten, and it's also putting those things together: it's your workflows, it's what you do, it's the processes you put in place to make those things work together. Too often it's really focused just on procurement of a system and not on how you integrate it into the enterprise and how you actually get value out of it. So, no surprise to everyone here, when we talk about cybersecurity, it really matters, right? Here's an extreme case where an organization, a really, really important one, is just brought to its knees. The cybersecurity fundamentals we talk
about, okay: network segmentation, shown here, multi-factor authentication, monitoring. These things put together form multiple layers. It means you're moving away from just the perimeter, and in this case they didn't even really have a perimeter. It's having those multiple levels of defense so that when someone goes after you, and someone will go after you, if they get in, they can't get as far as they want to. And at the end of the day, threat surface visibility is critical for attack detection and mitigation. So you need to know what you have, you need to know if your assets are patched, you need to be
looking at what's going on on those systems, you need to be able to hopefully detect, hopefully block those things that are going on. And in a lot of cases we are not talking about a zero-day here. The Minister of Health at one point early on came out and said, oh, this was a zero-day, there's nothing we could have done about it. Okay, well, A, it wasn't a zero-day; it was old vulnerabilities. B, even if it is a zero-day, there's still stuff you can do, because the threat actor is going to get on and do certain things, like escalate privilege, and that is something that can be detected, that is something
the right solution can block. Okay, so let's see how we're doing for time here. I guess I burned through that a little bit faster than I thought I might, but it does leave some time for questions.
So, yes and no. In detail, no. There are 15, sorry, 10 or 15 pages, I can't remember which, of detailed tech stuff that was redacted. We did see that Cobalt Strike and Mimikatz were used. Mimikatz is something that is used to dump credentials, and then, even if it's hashed, you can sometimes harvest the passwords from that hash dump. One of the things that is often done for privilege escalation is something called LSASS abuse; that might have been what happened here, I don't know. My company, we have people that are experts in that kind of
thing. So some of the techniques keep changing, but the basic techniques aren't changing that much, and so our solution and others look for that kind of thing.
Any other questions? There's one way at the back.
Sure, yeah. Unfortunately the report doesn't provide a ton of detail around that, but there were several hospitals that got compromised where the compromises were detected and cleaned up, and it's not clear why that happened there and not elsewhere. I guess there was mention of semi-autonomous hospitals, and I think some of those hospitals probably had their own internal resources. The Department of Health, interestingly enough, was connected to this network, but they basically had their own defenses, and so there was an attempt to traverse from the national healthcare network into the Department of Health, and that was blocked. But they didn't coordinate back
to the other network to say, hey, something bad's going on. Now, they didn't have a ton of time, but it doesn't look like that happened. So this is where a security operations center is really important, because it provides that focal point, that hub. I ran a SOC for four years, and it basically is the nerve center for something like this. It's the go-to place: when something's on fire you dial 9-1-1; well, if an IT security incident is happening, that's who you go to, and you have people with playbooks and they're ready to go. So maybe some of those entities had a mini version of that. I suspect the Department of Health
did, but I'm speculating at this point. Yeah, what are they doing? That's an interesting one. So, 72 recommendations: they need to spend a lot of money here, and even just spending money, they don't have the horsepower to do it, so they have to bring in consultants. I tried to find out where they're at today; it's not clear at all. But this is a massive effort, so I think they will have done initial mitigations, but they're probably in not much better position than they were. This is a huge project: they have to modernize their network and simultaneously secure it. So I would
imagine there are teams of consultants and a lot of money being spent to make this happen, but I did try to find out, and the information unfortunately is just not there. Yeah, this is the downside of having someone like me who did a bunch of open-source research: there is a lot about the threat actor, and there's this report, but there isn't too much else. Well, that thing about Allied Irish Bank, I got that out of their board minutes. The HSE's board minutes are public, so I looked at those, and there's not a lot of talk about this, but that was one of the nuggets I was able to pick up there.
how much
Okay, first, I hope I didn't give the impression that it actually was conscience; I think it was risk aversion. I think it was possibly someone in the Russian government saying, Ireland's not our problem, what are you doing? I don't know. But I mean, they've gone after other healthcare entities. Conti totally mangled Costa Rica's networks; they went after several networks in the government of Costa Rica in the winter, and they're still recovering from that. So how much worse could this have been? Well, I think if the key had not been provided, all of those workstations... it's damn near impossible to do recovery of encrypted workstations if you don't have the key. Even when you
get the key, sometimes it doesn't work right. So there would have been a lot of healthcare records locked up. They had some kind of backups, but very inconsistent. That was another thing: you've got to have consistent off-site backups. They didn't have that; they had some of it. So they might have been able to partially recover, but it would have been much longer. It would probably only be now that they'd be climbing out of this hole. You would have had probably a year of healthcare disruption, probably longer. And here they're saying 100 million, maybe, I saw one case saying up to 500 million euros in cost; it would have been
even higher. It's a huge cost. So yeah, it's one of these things where not spending on cybersecurity is a false economy. But still, in spite of everything going on, I don't want to sound sanctimonious, I know it's hard within an enterprise like healthcare: they want to spend money on doctors and nurses and MRIs, right? That's what they want to spend their money on. They don't want to spend the money on the IT in the background. But you can't have those things now without properly supporting your IT. It's just a fact of life, and the world hasn't completely come around to that yet.
Any other questions? I apologize for this noise.
I'd like to think so. I really would love to have been a fly on the wall in the discussion that would have happened over releasing this report. There would have been quite a discussion, I'm sure, and it's not clear who, because, I can't emphasize this enough, this is super unusual. So someone really went hard to say we should do this for the good of everybody. And maybe there was that thought that if we get this out there, there'll be heat on us to actually make sure this happens. But the public's memory is short. I'll go next door: the UK has a similar thing, the NHS, the National
Health System; they had a big hack in 2015. So that's right next door to Ireland, and that didn't trigger anything, and the NHS just got hit again. So from a logical perspective it should totally put the heat on everyone, but it's also a case of, we've moved a little bit away from it. I don't know how much heat is on them. My guess is they're incrementally improving things. They still don't have a CISO, though. In one of those board minutes someone asked, hey, where's the CISO? And the answer was, we're still coming up with the job description. Now, everyone who works in government will... yeah, I came from government, I understand.
Questions? Doesn't look like it. All right, thanks so much, and happy 10th anniversary to BSides.
Thank you very much.
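Two of the steps the first talk says were detectable in the HSE intrusion, persistence through registry keys and credential dumping against LSASS, are easy to show as concrete detection logic. The following is an added example, not part of the talk, the HSE report or any vendor product: it runs two Sysmon-style rules (Event ID 13 registry value set, Event ID 10 process access) over a handful of constructed events and then groups the hits by host and source binary, so that a single binary that both set a Run key and opened lsass.exe rises to the top of the triage queue. The field names follow Sysmon's EventData; the access-mask set, the allowlist of legitimate LSASS readers, the host name and all event contents are assumptions made for the example.

```python
"""Sysmon-style detections for two steps described in the talk: persistence via
a Run key (Sysmon Event ID 13) and credential dumping via a handle to lsass.exe
(Sysmon Event ID 10). Events below are constructed for this example."""
import json
from collections import defaultdict

# Access masks commonly requested by credential dumpers against lsass.exe.
# 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION (classic Mimikatz
# sekurlsa), 0x1410 adds PROCESS_QUERY_LIMITED_INFORMATION, 0x1fffff is
# PROCESS_ALL_ACCESS (procdump-style). Assumed starting list; tune to your fleet.
SUSPICIOUS_LSASS_ACCESS = {0x1010, 0x1410, 0x1FFFFF}

# Processes that legitimately open lsass on a stock Windows host (assumed
# allowlist; build yours from a baseline, and prefer signer checks over paths
# where your telemetry provides them).
ALLOWED_LSASS_READERS = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}

RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed Sysmon events, one JSON object per line (not real HSE data).
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2021-05-14 02:11:03", "Computer": "WS-0412", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "CommandLine": "update.exe /q"}
{"EventID": 13, "UtcTime": "2021-05-14 02:11:09", "Computer": "WS-0412", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveUpdate", "Details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"}
{"EventID": 13, "UtcTime": "2021-05-14 02:12:40", "Computer": "WS-0412", "Image": "C:\\Windows\\system32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{ABC}\\DisplayName", "Details": "Vendor Tool"}
{"EventID": 10, "UtcTime": "2021-05-14 02:15:27", "Computer": "WS-0412", "SourceImage": "C:\\Windows\\system32\\svchost.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "UtcTime": "2021-05-14 02:16:02", "Computer": "WS-0412", "SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "UtcTime": "2021-05-14 02:16:05", "Computer": "WS-0412", "SourceImage": "C:\\Windows\\system32\\wininit.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1fffff"}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_lsass_access(ev):
    """Sysmon 10: a non-allowlisted process opened lsass.exe with a dumper-like mask."""
    if ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    src = ev.get("SourceImage", "").lower()
    if src in ALLOWED_LSASS_READERS:
        return None
    try:
        access = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return None
    if access not in SUSPICIOUS_LSASS_ACCESS:
        return None
    return {"rule": "credential_access.lsass_handle", "severity": "high",
            "host": ev["Computer"], "time": ev["UtcTime"], "image": src,
            "detail": "GrantedAccess=" + hex(access)}


def detect_run_key_persistence(ev):
    """Sysmon 13: a value written under Run/RunOnce; higher severity when the
    payload lives in a user-writable directory."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if not any(m in target for m in RUN_KEY_MARKERS):
        return None
    payload = ev.get("Details", "").lower()
    user_writable = any(m in payload for m in USER_WRITABLE_MARKERS)
    return {"rule": "persistence.run_key",
            "severity": "high" if user_writable else "medium",
            "host": ev["Computer"], "time": ev["UtcTime"],
            "image": ev.get("Image", "").lower(),
            "detail": ev["TargetObject"] + " -> " + ev.get("Details", "")}


RULES = (detect_lsass_access, detect_run_key_persistence)


def run_detections(events):
    """Apply every rule to every event and collect the hits."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


def correlate(alerts):
    """Group alerts by (host, source image). One binary that both establishes
    persistence and reads lsass is the chain the talk describes: it gets P1."""
    by_actor = defaultdict(list)
    for a in alerts:
        by_actor[(a["host"], a["image"])].append(a)
    incidents = []
    for (host, image), hits in by_actor.items():
        rules = sorted({h["rule"] for h in hits})
        incidents.append({"host": host, "image": image, "rules": rules,
                          "priority": "P1" if len(rules) > 1 else "P2",
                          "first_seen": min(h["time"] for h in hits)})
    return sorted(incidents, key=lambda i: (i["priority"], i["first_seen"]))


def triage_sample():
    """Full pipeline over the constructed events: parse, detect, correlate."""
    return correlate(run_detections(parse_events(SAMPLE_EVENTS)))


if __name__ == "__main__":
    for inc in triage_sample():
        print(inc["priority"], inc["host"], inc["image"], ", ".join(inc["rules"]))
```

On the sample data the svchost.exe and wininit.exe handles are suppressed (allowlisted or a benign query mask), the msiexec.exe uninstall key is ignored, and update.exe produces one P1 incident spanning both rules. The path allowlist is the weak point of this kind of rule: it is what an attacker who has already gained admin rights will try to blend into, which is why the talk's point about having someone actually triage the queue, rather than relying on the rule alone, still stands.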
So next up we're going to get to Stefan, who's going to be talking about security frameworks and zero trust. Right, perfect.
Does it turn on right away? Awesome. Can you hear me? There you go, thank you. Am I going to get feedback with this? Maybe.
I'm just going to get him to turn off the microphone. Sure, yeah. Good morning everybody, how's everybody doing? Good, awesome. It was a good talk, so thank you Patrick for doing this; it's really good information. So I want to talk about, I guess alongside what he's mentioned regarding the lateral movement and all that, I want to talk about identities, right, how we manage these as it relates to security. So when a hacker is actually doing his attacks and getting that persistence and doing that lateral movement, I want to focus on that and how we actually raise awareness for companies that are not looking at this right now. So it is a bit of
a maturity model, right: you want to protect the organization first, you want to have an EDR solution, you want to have an AV solution in place, and then what? So we're going to talk about that this morning. Sorry, I'm going to go over this. I've been doing this for about 20 years; prior to CrowdStrike I did about eight years at Microsoft and 10 years at VMware. I've been doing endpoint security for a very long time. I know I'm old; I was actually doing security for Windows 95. There was no security in 95, but we still had to do it, right? And I'm from Montreal, so I don't have
a French-to-English translator, so if you don't understand me, just come to our booth and I've got somebody that speaks really good English. And I'm a huge basketball fan. So what I want to talk about is the challenges that I guess got accelerated with the pandemic, when we had devices that had to come online for your organization faster than expected. It's not a recent problem, right; I've been talking about BYOD for at least eight years, if not more, when I was at VMware, talking about allowing people to bring their own device and connect it to a corporate asset, or using virtualization and having a desktop that was secure, and
their asset would be just a jump point, but that asset is still connected to the network, right. So Frost & Sullivan had some interesting feedback where they're saying the number of devices connected to our environment, our corporate environment, is going up non-stop. All right, so I want to ask you a question. If I were to ask you today, how many devices do you have with you that are used either for work, or personal that might be used for work? So let's do one: who has only one? You have only one? You're now an exception. So who has two? Two devices? Three? So we're getting more, on the average,
right, three, four, four or more? Just go in the water and you'd sink. So we see that the number of devices people have to support is just going up. Funny enough, when I was talking about BYOD way back when, one device was more than enough for everything, and now it's just ease of use: I want an iPad, I want a phone, I want a couple of laptops, a work machine, a home machine. These devices are connected, so it's just a bigger footprint for the hackers to actually attack, the weaker factor, right, the people that are working from home that need to connect remotely.
And you don't have to raise your hand, because that's a bit of a tricky question, but have you ever done war driving? It's still a thing today; we still have people doing war driving in neighborhoods and just trying to get stuff, and now they see, okay, well, I can also get to people's Wi-Fi, and oh, by the way, I get access to a CFO's laptop because home Wi-Fi security is crap, right? So it's getting more and more like those remote connectivity, those remote machines that need to be corporate-connected, need to be secured. So if you have a good AV solution in place, if you have an EDR solution in
place, that's fine. How do we actually get to the next level, where we actually validate that the people using those assets are the right people, and they should always be using those assets, and those assets only, to do the work they're supposed to do? I don't know Robert, but Robert's maybe somebody that's actually helping me out on the weekend, and he's an admin. But should he be connecting to an Exchange server at midnight on a Saturday night? If he is, I might want to challenge that, right? I'm paying him for doing this nine to five during the week, so why is he doing this in the evening? So that might be a crisis, you know, it could
happen, but I need to be able to see that. Is he the right guy doing this at the right time for the right reasons, or is he a guy that's gone rogue, or maybe he actually lost his account, or somebody was able to impersonate his account and do something he's not supposed to do? We need to be able to see this. So what we're hoping is to raise awareness that the people doing what they're doing are the right people and not a hacker that's impersonating an account that he was able to abuse. That's where we're trying to go. So we released, a few months ago, a global threat report where we were talking
about what's important: of course, identities, endpoints, the machines themselves, the workloads, and data, right. So we're doing pretty good; I think people are getting there, and if you're not there yet, that's definitely something you need to do sooner rather than later. I think people are doing good on the code execution side; people are doing well on protecting the machine itself, protecting the endpoint, and looking over what's going on in that machine, so the traditional security solutions that got replaced by the next thing, I think that's fine, I think we're doing well there. I could be wrong, right? So feel free to come and see me at the booth and say, no, you're
wrong. We're just starting steps, and I've got to say maybe the US is a bit further ahead than Canada is, but that's what I'm seeing. We're getting there from an endpoint and workload perspective, where these machines are usually pretty well protected, but we're looking at the identity, which is hard to manage, and are we protecting that data, that critical data that needs to stay where it's supposed to be? So that report is free; you don't have to pay for it. It's interesting because this is done by the OverWatch team, our threat hunting team; we have a proactive threat hunting team and they do this full-time. So it's
something we release every quarter, and we actually talk about what we see in the field. It's a worldwide team; we cover the globe and we have people looking at this non-stop. So we'll tell you, in the last three months, here's what we're seeing from these countries, from these groups of hackers, we call them adversaries, and this is what's going on right now, and this could be a trend that we've seen in a different country that might be coming to Canada for healthcare, or that might be coming to Canada for retail. We have that information and we actually release this publicly; it's not something we charge for, it's a free report. But we see more and more, like Patrick
was saying, we see more and more hackers actually using living off the land, built-in tools. So built-in tools, if you're using traditional solutions, those tools are not something that will raise a detection or that will trigger something. If it's a tool that's built into the OS that's used with valid credentials, in a lot of cases they'll go quiet, right; nobody will see it, or at least it won't raise the detection. So we need to find ways to be able to, without blocking the people that still legitimately need to use it, block the bad people from using it, if that makes sense,
right. So that percentage is actually increasing. We're seeing a trend where, we call them malware-less attacks, it's getting more and more, because the hackers are evolving; we need to evolve as well. They're getting better at using tools that are built into the system; we need to be better at actually blocking them from using those tools where they're not supposed to. The other one that's good, that's also released on our site for free, that you can pull down: Gartner put out a report about identity detection and prevention. This is something that's big; this is something that we see increasing. That's why I wanted to talk about this
today. It's been increasing since the beginning of the pandemic, but it's actually accelerating over the last couple of months. I guess timing-wise, the bad actors, the adversaries we saw from Eastern Europe, started this a few months before the Ukrainian invasion, right, so the January-February time frame. It is increasing now. Canada is sort of lucky because we're a smaller target, but that's not going to stop the bad people, right? If these things are interesting to them, if there's some monetization they can do, they'll come after us, they'll come after the organizations in Canada. So we're not in a fight yet, you
know; they're focused more on the Eastern European countries, but nothing is stopping them from just opening up a door, if that door is open, and just going through, and we need to be able to make sure that we can see and manage and protect those identities. It is key to the enterprise; it is key to what you are allowed to do. So when you log into your system, you're using an identity; everybody needs an identity to log into a corporate system. So is that identity always monitored? When I log in, sure, I'll have a Windows event log, or I have a Mac, I have Linux, whatever I'm using, Red Hat,
whatever that is, I track that information, I know what's going on with my identity. But how are you checking if, you know, Jody who works with me, or Patrick, if those people tomorrow morning are pissed at the company and they want to say, you know what, I'm going to grab everything and I'm going to go? Are we actually able to monitor this? Are we able to say, he's doing something, his behavior is not normal, he's supposed to do this during the week, we have a defined role, we know what he's doing or she's doing, and they're not doing what they're supposed to do, so what's going on? Can
we actually see it, or are we completely blind because they have valid credentials? That's pretty critical. So those keys are being stolen from the company. They'll be stolen, and it'll be something as simple as what Patrick mentioned, through a phishing email, not even spear phishing, or it'll be brute force, password spraying. We're talking about Mimikatz and doing LSASS dumping; those rainbow tables, hashes, those rainbow tables, dictionaries, they're sold on the dark web and they're constantly being updated. There's actually a really big market to get those databases. They used to be sold, and it's funny because, I'm going to show my age now, but France was a big market for
this about 10 years ago. They were actually selling the rainbow hashes of all the potential Windows passwords on CDs; you could actually mail-order the CDs. And it was really efficient, you would get it in like two days, and then you'd actually do brute force hacking against those CDs. Those groups got caught, but it was just funny. That hasn't stopped, right; the hackers are just more organized, and they will actually sell you those on the dark web. So we've got to be careful. Those brute force, password spraying, when you've got offline LSASS, you've got those credential dumps, you can get to those. So we
need to be able to protect those. So when we zoom in on the first couple of steps of the cyber kill chain, we see that in a lot of cases the first steps, when you're getting that initial access and you're getting that execution, they're using valid accounts. You see, sorry about the colors, but you see a lot of those steps, they're using valid accounts; they're using accounts that will bypass normal EDR and AV solutions because they're not triggering anything. We've got to be careful about that. And when we look at the global threat report
that we release, we're seeing that, at least from a CrowdStrike perspective with our customers, there's over 80 percent of those attacks that are starting with identity theft, or identity compromise, whether it be, again, phishing email, password spraying or just something else. However that actor is actually getting their hands on those passwords, they're not starting at the initial access; they're starting way down the cyber kill chain. So it's going up, and it's not stopping and it's not slowing down. And from an increase perspective, the other thing we see is a lot more companies have unmanaged hosts,
whether that be a legacy system that for some reason needs to stay in the enterprise, like we're talking about medical imaging is really a big one, or we're talking contractors that are coming in, that you're letting come in because they need to do work for you, but you're not putting all the security tools that you should put on those machines because they're not part of your domains; or, depending where it is, you have temp workers coming in with their own machines. It's a weak spot, right: a legacy host, and then you get valid credentials, and from that they can do lateral movement and
compromise even a managed host. We see more and more of that. The last year, the last 12 months, our threat hunting team has seen an increase of almost 300 percent in abuse of valid credentials. The hackers are evolving; we need to evolve as well. We need to be able to block them; we need to find new ways to make sure that they don't do the bad stuff that they want to do. Does that make sense? Yes? Still early, I get it. Is this something that you're able to do, like, just by raising hands, is this something that you are thinking about today? Have you started to look at how you will control valid
identities within your environment? A few hands, that's all. There you go. It is something we need to do; it is something that everybody, from a community standpoint, needs to be able to look at. And kudos if you have projects, kudos if you're already doing it, because I think for Canada we're not far enough in that sector and we need to do more. So from that standpoint, when you talk about identity and the threat actors, their objective is abuse: they want to do broad access, they want to do broad execution, and they want to monetize somehow. Monetization for e-crime actors, again: ransomware, money, some sort of
extortion. Monetization for state-sponsored, you know, China, Russia, Korea: they want to get some IP, they want to get some credibility, they want to get services down. So they want to go wide and go big. So when I get into a system... the hacker gets on the system, he's going to look around, he's going to stay quiet, he's going to try not to disturb anything, he's going to try not to launch tools that will actually trigger detections. So he's going to find out who he is, what he has access to, where he's trying to go. And in a lot of cases you're opening up a command prompt,
you're doing an ARP request, you're looking at stuff that you have access to: oh, okay, I've got these domain controllers I've got access to, I've got these critical infrastructure servers I can get to. And then he's inside; he doesn't have access yet, but he's able to run those, again, living off the land tools without triggering anything big. That's what he's looking for. So when we talk about the cyber kill chain, and going back to Patrick's example, right, that initial access and they're doing the discovery, I guess we're usually pretty good at that. But what if the bad person is actually starting at the lateral movement stage? He basically bypasses everything you
had put in place from the code execution standpoint. Everything you had, the solutions you put in place to protect yourself, all of that is bypassed, and he's just starting at the lateral movement stage. So from his timelines, what I remember was that between the time the actual patient zero was infected and that lateral movement it was about two months, just under two months. Two months is a long time for a bad person to be in a system not raising any flags but gathering intel. Nobody wants that; nobody wants to have that person there for so long. Even a few minutes is critical, so when you're talking about two months... And funny enough, what we've seen, and going
back to the Frost & Sullivan company, what they've seen in the last 12 months is that the average is actually 250 days from someone being in a system to actually doing full resolution and getting back to green. 250 days; it's almost a year before they're actually able to get back to normal. We need to shorten that window, and how do we do that? We need to be able to protect, again, the valid identities from being abused. So going back to my little separation: the first part is execution, stuff like Mimikatz or doing any credential dumping. Whatever is done when the tool is executing itself, all
the traditional solutions on the market will be able to catch that. But if they're not using that, because they don't need to, because they have good identities, then we need to have a solution to cover the last mile, which is hurting the most, right: when he's going from a laptop to an Exchange server, or going from a laptop to a DC. That's the part we need to be able to block. But first we've got to be able to see it. In a lot of places people can't see it; they're blind to it, they don't know what's going on. We need to be able to see that part and protect it.
I've got to recover that. So what's the health of your identity store? And you don't have to answer this, because I know sometimes it's a bit uncomfortable to actually raise your hands at this, but let me ask you this: how many privileged accounts do you have in your organization? If I ask you tomorrow morning, can you tell me how many privileged accounts you have within your whole organization? Are you able to say, or is it going to take you a day, a week, a month to actually be sure that you have all the answers to that? How long will it take? Can you know at any given point? Why is that?

Was there a question? Sorry, nope. So how are these privileged accounts being used? Active Directory is awesome, it's been around forever, and I've got to say, because it's been around forever, in a lot of cases there's a lot of crap in there. A lot of people don't have activities, projects, people actually cleaning up and looking at this day in, day out. Nobody has the cycles to do this. I could be wrong, and if people have time to do this, you are awesome, but it's really, really rare that people will actually go back in on a regular basis, look at what's actually in there and say: okay, I need to clean this up, I've got 21 privileged accounts, or accounts jointly embedded in three different distribution groups that maybe they shouldn't be embedded in. It's not something that's easy to do, but we have to do it, because that's how hackers are getting in. They're taking advantage of these accesses and the fact that it's been around forever and nobody's cleaning up: "let me take advantage of it, I'm sure I'll reach at some point an account that's going to have enough privilege to get me to that domain controller." Identify service accounts; again, the same questions: do you know how many service accounts you have in the enterprise? How do you define service accounts? What's your policy when somebody's actually leaving the organization? What's the policy when an account is not being used for months, what are you doing with it? Is that account going dormant, or is it still accessible? If it's an admin, do you have a different policy for it? That's something we need to know, something you need to make sure you have in place, and if you do, kudos to you. A lot of people today don't have that hygiene on the Active Directory side.

Of course, assess the risks. That's what I talked about: group memberships, groups having access to groups having access to groups. It's not the direct access that's going to hurt you, it's the embedded access, the ones that you don't look at because "it's okay, he's part of that group, I'm good with that," and then you find out, oh shoot, that group has Exchange access or SQL Server system access. "Oh, I didn't know that," because somebody made that change two years ago and that person left and nobody cleaned up that group membership. That never happens, right? And then at the end, of course, if you have multiple domains, if you're a big organization and you have multiple stores and they're actually talking to each other, are there any crossovers? Are you stitching those identities? Are there permissions going across those boundaries that might be impacting you? Nothing worse than being infected by somebody you're actually doing business with, or you have a domain join with, where you're doing your job but they're not doing theirs, so you're going to fall victim through something that's permeable and you're able to get compromised from someone else.

So, state sponsored. Why I bring this up: Patrick mentioned it through Conti, but we're seeing this in the wild today. State sponsored is usually going to be some sort of group or hacking... we call them adversaries, that are going to be
partially or entirely funded by the country itself, and they're going to have really established a place where they need information, but they don't need it quickly. China is famous for getting into places and staying in there for months: super disciplined, low and steady, not raising any flags, but getting to where they need to go, and it'll take a long time before you actually know they're there if you're not putting the right policies and the right solutions in place. That's the main difference. Monetization usually is going to be quicker: they're going to go in, they're going to make a loud bang, they're going to compromise you, or they're going to say "I want this amount of bitcoins to give you the decryption key." But the nation state, in a lot of cases, is going to go at a steadier, slower pace, but they're going to be in your environment for a long time, and that's even, I think for us at least, scarier. We don't want them in there, we don't want them to stay there for a long period of time, we want to make sure we're able to see where they are and what they're doing.

So again, going back to my code execution and identity access, the middle part is the impact. For the state-sponsored hacking groups, when they're in there and they have access to a single system, almost all the time they won't raise any trigger until they reach the critical infrastructure server, something that's going to be important to you, and that's that lateral movement piece; that's where we need to be able to see it. In a big organization you're going to have a lot of those servers, but it's usually not going to be as hard to do as monitoring all the systems at the same level of scrutiny. If you have an organization of five thousand employees, you might have 300 servers, so I think it should be easier to look at usage of privileged access on those 300 servers than looking at privileged access on all the machines all the time, if that makes any sense. So you'll have basic policies on the EDR side or next-gen AV side and you're going to protect those machines from code execution, but when you're talking about lateral movement and where the bad people are trying to go, you want to be able to protect that lateral movement. So whether it be an RDP connection, SMB access, or just launching a SQL debugging tool, you need to be able to see that the account doing this is the right account. We're still seeing today service accounts that have interactive login, which makes no sense to me, but it's still the case today. We're still seeing accounts today that can actually trigger applications on systems that they're not even supposed to have access to. Nothing worse than a SQL or Oracle admin coming to see a security guy saying "hey, I need domain admin credentials." "Why?" "Well, it's a SQL Server, it's my server, you need me, give me domain admin credentials." "Why?" "Because I need it, and if you don't give it to me I'll go to your boss." That never happens, right? So giving too many permissions too fast is still a thing, and we need to push back. I know it's hard, I know you have the hardest job when you need to do that, but we need to do it: least privilege access, and monitor those critical infrastructure servers for that privileged access use.

Another good one that I wanted to bring up, and this is something that was observed in the wild pretty recently: I'm not going to name the hacking group, but it's a very well-known hacking group, where they were able to convince an organization in an Eastern European country to divulge their credentials through a valid Office portal. Does it reach your antivirus and EDR solution? No, it doesn't; it's a public portal. That person just got lured into entering their credentials; they thought it was going through a real Office 365 portal, and guess what, they were not. So without even reaching the front door, that hacker has valid credentials. I guess we got sort of lucky with that person. Can you actually see anything here, is it too small? It's pretty good? Okay, I can't see anything here. That person was actually able to get into the system and then run a DCSync on their system itself. We got lucky and that person was stopped, but it was not
only an execution issue, it was also an identity issue, where they were trying to run some tools to actually compromise the domain controllers.

Now I want to talk about noPac. Anybody here had to deal with noPac in November last year? Nobody? I guess you all got lucky and you patched as soon as Microsoft said you needed the patch. So noPac was released in November last year, and I guess my counterpoint to this is: if you haven't looked at the CVEs yet, maybe you should, because if it's not patched you are definitely in a high-risk situation right now. And why was this actually critical? When noPac was released it was a responsible disclosure, so the researcher group and the people that actually built a tool disclosed it to Microsoft, but the turnaround time for Microsoft to actually do something and build a patch was super short; I can't remember, but we're talking days, we're not talking months. Usually security researchers, good people that actually find holes, vulnerabilities in solutions, when they do responsible disclosure they'll give companies an ultimatum: they'll say you've got 30 days to do it and then they release. They won't wait for you, but at least they give you time. In a lot of cases though, the grey hats will give you a really short period of time: one day, two days, 48 hours, not more than that, and that's where the companies need to turn around faster and release those patches.

So for noPac, basically, from initial access to actually getting the compromise was super quick; we're talking seconds. The way it works at a high level: there was a vulnerability in the sAMAccountName and a domain controller impersonation, where a hacker built a tool to say: I'm able to create a computer account, and then I'm going to rename the computer account to the name of my domain controller and just remove the trailing dollar sign. So with that account, what happens is you're able to actually reach out to the Kerberos TGT and get a ticket as a domain controller, and that's all with just a limited domain user account; he's not a system admin yet. And then he actually renames his machine back to its regular name, because he needs a computer account name that has the right information, with the dollar sign at the end, to be able to communicate with the domain. But now he has that TGT, what we call a golden ticket, and he's running another tool and saying: it's not my computer name, it's the DC name, and now he's able to obfuscate and be a domain controller. Two tools, they were weaponized super quick, and people were actually able to use it in a matter of seconds. That's pretty impactful, that's super high risk. Microsoft did release patches, but we don't know how much time there actually was between the time the patches were released, between the time of the disclosure to Microsoft, and the weaponization itself. The tool, I think his name was Charlie Clark, something like that; the tool was released super quick after the patches. That's the dangerous part, because then you've got people all over saying hey, let me try this, and you use it in Kali and it works like this. I'm not an expert by any means; it's been at least 10 years since I've done really good pen testing, and I was able to use the tool. So if even a manager is able to use the tools, a lot of script kiddies are able to use the tool, and that's the danger: people that don't know what they're doing can actually cause more harm, because they don't know what's going on and they don't know what they're doing.

So what should have been done? What approach have we taken instead? When the name change happened, it's not normal; we can actually look for it. There was a guy from Splunk that released a really good Splunk query, so if you have Splunk you have that really good query to say: look at all my events through all my environments to see if I have an account name change, and if that account name change has removed the dollar sign. That should never happen when you're doing this in one step, and if you do this then you're able to report it to the EDR tool, and the EDR tool is able to alert you. That's the goal: we want to see that change. That's suspicious behaviour on its own. It might be okay, I don't see a valid reason why, but there might be a reason: a blue team exercise, a tabletop, somebody actually doing this for the right reason. There might be a reason, but in 99% of the cases there shouldn't be a reason to do this. We need to be able to catch it; you need tools to be able to see that suspicious behaviour and block it. Does that make sense?

And then the famous Log4j. Maybe I didn't see any hand raised for noPac, but have you guys had to deal with Log4j? Oh, thank you, I was kind of starting to sweat a bit. Log4j was another one: they were dropping a shell on the system, they could stay there for a while, they were not getting detected, and it took a while for people to actually see: am I affected? Do I even know all the Log4j places, all the middleware I have that potentially has that vulnerable system? They didn't know; they didn't have any tools to actually even investigate, didn't have any tools to look at all the components within their environment and say I might have something, I don't know, it might be, I can't reach it. So the bad people that were leveraging Log4j, and the hosts on burst fiasco and all that, were able to get in there and stay in there for a long time before being detected. So if we're talking command and control, the first part: the average that we saw with the customers that were working with us and that we were helping out, it was about a day, about 24 hours. But between the time they actually dropped the shell and were able to exploit that code, do that lateral movement and get compromised, it's still seconds. That's pretty quick, and that's why we want to be able to block it. So where do we block it? Well, we would have blocked it at the middle, when the adversary uses those credentials. It was a system account, using system privileged accounts, doing something they're not supposed to do. It's not easy to actually detect, but you have to be able to detect it: it's an application on a system that's doing something it's not supposed to do, with accounts it's not supposed to be doing that with. We need to be able to detect that, and that's again the next level: are the identities being used, that are valid, doing what they're supposed to do, or are they doing something that's suspicious, or at least needs further investigation? We need to be able to block that, and if you had something that was actually looking at identities, it would have been able to block that RDP connection to the domain controller, or whatever that critical infrastructure server was.
I've got a couple more; those are actually super recent. So at CrowdStrike we name the bad actors, the threat actors that we actually track, and I guess I want to open a small parenthesis: we received a lot of Twitter heat at Black Hat and at DEF CON this summer because people were saying that we idolize them. That's not the case at all. We name them because we want our customers to understand who they are. It's a lot easier for a customer to understand "okay, I've got an adversary group, a hacking group that's coming from Russia and that's targeting healthcare" than for me to say to him "well, he's using 24, 27, 8, and they're targeting x amount of systems." When we put a face to the bad guy, it helps our customers. That's the whole point of why we do adversaries, the whole point we name them, and if you want to look at it, it's free: we've got a site, it's called adversary.crowdstrike.com. You can look at it, you don't have to agree, and I'm super open to comments if it looks bad, but the whole goal is to be able to name those people and show our customers where they're coming from and who they're targeting. We've got good graphic artists; personally I'm a nerd, I like it. Some people don't, but it's cool to see, and you see a bear, you know it's Russia; you see a panda, you know it's China; it's easy to remember. A lot of people don't know this, but you see a Chollima: the Chollima is actually the fictive animal from Korea, it's sort of like a unicorn that has some sort of stuff; it's weird, but anyway, it's supposed to make sense.

So for this hacking group, the group is actually called Gothic Panda; I had to anonymize it, but the group itself is called Garlic Panda, and we've seen the last couple of months them actually going after targeted attacks in environments where they're going to run living-off-the-land tools and look at credentials. I gave you a couple of examples; actually this is our OverWatch team, this is live stuff, this is a customer that we work with and we helped, that said "hey, so we're using regular tools," but you see here's a couple of cats that were run. I can't even see myself what's written there, but basically there were some products, some internal tools, so they were able to add credentials there, or even just trying to save the LSASS itself offline and then trying to do some brute force hacking. This is happening now, this is not something from two years ago; we see this more and more, and this is against customers that are in North America. Like I say to customers, it's close to us, is what I want to say. So these bad people that were targeting more Eastern Europe, now the nation states are really targeting North America, and we want to be able to stop them, because they're focused eighty percent plus on identity.

The other one: so the spiders for us are e-crime, so people that go after it for money, ransomware or obfuscation, getting some sort of dollars for it. The examples I show here, which I can't even read myself, but I think it's like a few dumps from LSASS memory and trying to get to it, and then, oh, I can see it here, there you go: the second one was a PowerShell actually using a debugging tool. So SQLDumper is installed with a SQL diagnostic suite from Microsoft; it's free, so a lot of SQL developers actually use this and they put it on systems, and in some cases, which they should never do, they will actually use and install those debugging tools on a SQL Server itself. If you see this, if you've done this in the past, shame on you; don't tell me, I don't want to know, but don't let debugging tools be installed on production systems. They're there for a reason, and they should be remote access, secured in the right manner, but these tools were used on a SQL Server and they were able to go a bit further than expected.

So, sort of wrapping up, the use cases I want us to keep in mind: we're talking about
validating identities and what you need to think about. Of course everybody's going to say it: you need to secure Active Directory. That's easy to say, not easy to do if it's been there for more than a year, I guess, but we still need to do it. If you're working with an outside firm, if you've never done it, get some tabletop exercises going. I think you have a couple of companies here that can do it; you can work with us as well. Get some tabletop, do some red team / blue team exercises. Start with the easy stuff: if you've never done it and you don't want to fall off your chair, start with more of a collaboration approach, where the company is going to come in and work with you and maybe show you ways you can protect yourself. But if you think you're ready, go for that big one, go for the red team exercise; it's an eye-opener. We work with a lot of banks and they do this every quarter, kudos to them. I understand it's something that's going to cost money, it's not easy to do, so I'm not asking you to do it every quarter, but doing those exercises will raise your security awareness and will give you a better approach to equip yourself to stop the bad guys from doing it.

Cyber insurance: we're starting to see cyber insurers ask for this when you actually sign up with them. I think we're sort of lucky in Canada that it's not required everywhere, but if you're working with a cyber insurance firm in the U.S., they're actually starting to put it on the paper itself: you need to do a pen test every half year, you need to show me the results, you need to do an audit every quarter, you need to show me the results when you sign up with them. So maybe it hasn't reached us yet, but it's coming, and I see this as being even more important in 2023.

Legacy systems: of course they're still around, and they're a really huge weak point. We want to be able to protect them. If you're still running Windows 98, please, please get rid of it. Even when we saw it with the Ireland hack, a lot of Windows 7 systems were still around, and that's a system that's over 15 years old, so it's time to move on. It's hard, especially if, like Patrick was saying, applications are deployed through imaging to the medical environment and the manufacturer needs to certify it on a new platform, which takes years. I'm working with a company right now that has a Cadia system and they're on Windows 7, and they're swearing that it can't be migrated, and then we find out from another customer in the U.S., well, they migrated three months ago and they got certification for it. So sometimes it's the vendor and you've got to push back. I'm not saying that's the case all the time, but I would, friendly, the Canadian way, friendly challenge the vendor to say: can we migrate that machine, and if not, why not? And have you had any success, or have you had any customers somewhere else that actually did it? We've got to accelerate that, because it's hurting us pretty bad.

If you're not using MFA today, I definitely strongly recommend using MFA solutions. Again, when you're talking about managing identities and zero trust, it's always looking at what you have access to, and then I challenge you. I don't necessarily block you from being able to access that resource, because I don't want to stop your work, but I want to challenge you. Again I'm going to pick on Patrick: Patrick is working nine to five during the week; there's no reason for him to be on an Exchange server on the weekend after midnight. There's no reason for that. So if it's a crisis and he's an Exchange admin, I won't block him, because I'm going to have to wake up and pick up the phone myself, but I want to challenge him. That's where MFA comes in. We need to have a system in place, if you have MFA already, that you can look at and say: okay, these critical infrastructure servers, when somebody's doing something they're not supposed to do, whatever that policy is, you need to be able to challenge it. You can unblock it if you want, but if you don't want to stop work, because it's a valid purpose, at least challenge it. That's where MFA comes in.

And if you haven't educated yourself on golden tickets and pass-the-hash, please do; this is something that's actually going to be increasing over the next months. We see it as a big risk, and if you can't look at your AD, if you're not sure what to look at, come see us, come see any of the other vendors on the other side. We need to be better protected for this. I'll leave you with this, sort of a Gartner quote: modern attacks require continuous validation of identities. See the path, get some real-time response, and have some risk-based way to manage that. I think I got you a couple of minutes back, but I've got time for a few more questions. Any questions out there? Wow, should I have done this in French instead? Yes.
That's a great question, and if we think that Mac is not a target, that's absolutely false. We see more and more attacks actually being done on the Mac side, because Apple has the same issues that Windows has: there's a lot of Catalina still out there, unpatched, that's been there for a while, that Apple hasn't supported for over a year, and it's still out there, and it is a target. We see it; we actually had to intervene with one of our big customers, in a province not here, in Ontario, recently about a Mac attack, because in a lot of cases it's higher-level execs, people or directors and above, that want that nice shiny toy, and they're using it. Well, guess what, they're not patching it, and they will actually block some of those policies. So yes, we see it, and if you think that Mac is not a threat or a target, you are 100% wrong. Same thing for Linux, even worse for Linux, yes, because of all the kernel versions and all that. Good question, thank you, and see Patrick, he'll give you a pair of socks; they're cool socks. Any other questions?

I guess what I'd like to suggest, and I'm not being paid by... okay, sorry, the question was: what if you have legacy systems, and the company that actually built a system for you that's purpose-built for a specific application is bankrupt, defunct, no longer exists? What do you do, do you just bite the bullet? I would have to say, before you do that, and I'm not being paid by VMware or Citrix, but I would look at virtualizing that machine, filtering traffic in and out and putting it into a secure data center. That's what I've been working on with customers in the past before I joined CrowdStrike. If you're stuck and you've got to keep it, find a different way to actually make this available. You can even put it into a dirty network, sorry, a separate network, and then you have a jump box to access that machine, so you mitigate your risk. You find a way to leave that machine available to your environment but in a much more secure manner; don't just leave it on the desk of your secretary or next to a copier machine. That's the wrong thing to do, so find a different approach to it. It's a good question, thank you. Got time for one more? Yes, sir.

When you're registering a new device, logging in, and then it's trusted for maybe 30 days or maybe forever, is that a bad idea? Should that be avoided in favor of daily or more often? So we went the other route: every single authentication you do should be challenged. Yes, 100% correct. If you're talking about application portals like Okta, or even VMware, VMware has Workspace ONE, it'll be identification and then you're going to have a session cookie for your browser that'll be good for x amount of minutes. I would say, if you're able to look at the next level of solutions, where you are actually challenging at every single authentication, that's how you eliminate the risk completely; that's where we're trying to go. There might be some in-between solutions, but getting a ticket, sorry, getting an authorization for a device for a window, it's how you manage your risk, for how long that window is good. Good question, thank you. I think that's it for me.

[Applause]
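The noPac detection the speaker describes (an account rename that drops the trailing dollar sign, possibly to a domain controller's name), written out as an added example; this is not the speaker's, Splunk's or CrowdStrike's code. It assumes Windows Security event 4781 ("The name of an account was changed") exported as JSON-style records with OldTargetUserName and NewTargetUserName fields, and a list of DC host names; all records below are constructed.

```python
"""Flag computer-account renames that drop the trailing "$" (the noPac
pattern described in the talk) from Windows Security event 4781 records.
Added example with constructed input, not the speaker's or any vendor's code.
Assumes "Audit User Account Management" logging is enabled on the DCs so
that 4781 is recorded at all.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

RENAME_EVENT_ID = 4781  # "The name of an account was changed"


@dataclass(frozen=True)
class RenameEvent:
    event_id: int
    subject_user: str  # SubjectUserName: who performed the rename
    old_name: str      # OldTargetUserName
    new_name: str      # NewTargetUserName
    domain: str        # TargetDomainName

    @classmethod
    def from_record(cls, rec: Dict[str, str]) -> "RenameEvent":
        """Build from a flat record as a log shipper would emit it.
        Field names follow the 4781 event schema; this is an assumption
        about the export format, not a property of any particular product."""
        return cls(
            event_id=int(rec["EventID"]),
            subject_user=rec.get("SubjectUserName", "?"),
            old_name=rec["OldTargetUserName"],
            new_name=rec["NewTargetUserName"],
            domain=rec.get("TargetDomainName", ""),
        )


@dataclass(frozen=True)
class Finding:
    severity: str
    subject_user: str
    old_name: str
    new_name: str
    reason: str


def is_computer_account(name: str) -> bool:
    # Computer accounts carry a trailing "$" in their sAMAccountName.
    return name.endswith("$")


def classify_rename(ev: RenameEvent, dc_names: Iterable[str]) -> Optional[Finding]:
    """Return a Finding when a rename is suspicious, else None.

    Rule 1: a computer account ("...$") renamed to a name without "$" is
    abnormal; legitimate computer renames keep the suffix.
    Rule 2: a new name that matches a known DC's host name (with or
    without "$") looks like DC impersonation; combined with rule 1 it is
    the exact sequence the talk describes.
    """
    if ev.event_id != RENAME_EVENT_ID:
        return None
    dc_set = {d.rstrip("$").casefold() for d in dc_names}
    dropped_dollar = is_computer_account(ev.old_name) and not is_computer_account(ev.new_name)
    collides_with_dc = ev.new_name.rstrip("$").casefold() in dc_set
    if dropped_dollar and collides_with_dc:
        reason = "computer account renamed to a DC name without '$' (noPac pattern)"
        return Finding("critical", ev.subject_user, ev.old_name, ev.new_name, reason)
    if dropped_dollar:
        return Finding("high", ev.subject_user, ev.old_name, ev.new_name,
                       "computer account renamed without trailing '$'")
    if collides_with_dc:
        return Finding("medium", ev.subject_user, ev.old_name, ev.new_name,
                       "account renamed to a DC host name")
    return None


def scan(records: Iterable[Dict[str, str]], dc_names: Iterable[str]) -> List[Finding]:
    """Run the rule over exported records; non-4781 records are ignored."""
    findings = []
    for rec in records:
        f = classify_rename(RenameEvent.from_record(rec), dc_names)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample data (not real logs or real host names).
SAMPLE_DCS = ["DC01", "DC02"]
SAMPLE_RECORDS = [
    {"EventID": "4781", "SubjectUserName": "jdoe", "OldTargetUserName": "WS-JDOE$",
     "NewTargetUserName": "DC01", "TargetDomainName": "CORP"},        # noPac pattern
    {"EventID": "4781", "SubjectUserName": "admin", "OldTargetUserName": "OLDPC$",
     "NewTargetUserName": "NEWPC$", "TargetDomainName": "CORP"},      # benign rename
    {"EventID": "4781", "SubjectUserName": "admin", "OldTargetUserName": "svc-backup",
     "NewTargetUserName": "svc-backups", "TargetDomainName": "CORP"}, # user rename
    {"EventID": "4742", "SubjectUserName": "jdoe", "OldTargetUserName": "WS-JDOE$",
     "NewTargetUserName": "DC01", "TargetDomainName": "CORP"},        # not a 4781
    {"EventID": "4781", "SubjectUserName": "jdoe", "OldTargetUserName": "LAB01$",
     "NewTargetUserName": "LAB01", "TargetDomainName": "CORP"},       # dropped "$" only
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS, SAMPLE_DCS):
        print(finding)
```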
Prize draw: if there's any folks outside, you want to do a quick little yell out to see if there's anybody out there and get them to come in for a prize draw. We are giving away a Nintendo Switch, and this comes to us courtesy of I Code by the Sea, Jimmy Goodyear. No, I think there's people outside, they're gonna lose out. All right, here we go, but he's going to get the Switch. All right: six two five two one nine. Good. All right, and by the way, if you come in multiple times I just put the ticket right back in.

[Applause]

Next up we have Tyler Perry with The Great Shift Left. Am I using this? Doesn't matter, I can use this here; I probably won't venture too much from here anyway. Okay, yeah.
foreign so can everyone hear me yes okay so first off um I wanted to thank the b-sides committee for having me here um it's been a while since I've been to Newfoundland and I'm a big fan of both this conference and the province so it's always a no-brainer to try to get back here um I'm gonna be giving a talk today about how we can leverage modern Technologies like cicd pipelines like infrastructure as code and and cloud computing in order to get security involved at earlier stages of the development process and also how to make the security related data that's available in your environment more visible to you so I know shifting left isn't exactly
the newest topic to be talking about, but I think it's a really important one from a security context, and I also think it's an area where a lot of organizations have room to improve upon. So I've been around security for most of my career. Before joining AWS in 2021 I spent 15 years with the federal government at CSE, the Communications Security Establishment, where I was a cyber security analyst, and in my experience most of the focus for security tends to be on the detective side of things rather than the preventative side of things. But if you think about all of the different breaches and hacks that have made the news over the last several years, many of those aren't the result of some hyper-sophisticated nation-state-sponsored zero day, right? They're the result of poorly configured or unpatched resources, and sometimes both, like Pat was talking about one this morning.

So I view cyber security a lot like I view my health: if I take time and effort to take preventative measures, then it's a lot less likely that I'm going to be experiencing an adverse event as a result. The CTO of AWS actually has a pretty famous quote that goes "everything fails all the time," and he says that all the time too, and when he says it, it's normally in a high availability or a redundancy and resiliency context. So basically what he's saying is, when you're designing architecture, if you design it with the understanding that any component within your architecture can fail at any given time, then your design is much less prone to failure. And in my opinion you can use the same mindset with security, right? Assume breach and work your way backwards.

So we'll start with a definition of shifting left. For those who don't know, it's a practice intended to find and prevent defects earlier on in the software delivery process, and in a general context that means getting testing involved in the software development process. But for today's talk I'm also going to be talking about how we can shift security left by baking security and compliance checks into our deployment stack too. So in my mind that involves getting your security teams, your operations teams and your development teams to not only spend a little more time together but also start understanding each other's languages a little bit better. I find it's quite common for these teams to kind of be off in their own corners and their own silos doing their own thing until there's a problem with the deployment, and I think that's not just a missed opportunity for these teams to understand what each other is doing more and why, but it also has a penchant for making those interactions between those teams a little more negative than they need to be.
I'm not nervous, you're nervous. I'm like... So anyways, this is a quote on screen that I really like, and I think it's a good primer for this talk, and I kind of want you to keep it in mind as we go through the presentation. So if you're getting up there in years like I am, you probably remember a time where you come in to your desk with your coffee, sit down, you SSH into your favorite server, probably named after some Battlestar Galactica ship or something, and then you type uptime, and you're hoping to see, you know, a big uptime. It was kind of a point of pride, but it really shouldn't have been seen that way then, and it definitely shouldn't be seen that way in a modern IT environment, right? So instead I think teams should be looking at their environments and their infrastructure in a more ephemeral way, where patching and iterating on your environment take precedence over uptime. And unlike when uptime was the point of pride, thanks to technologies like CI/CD pipelines, like infrastructure as code and like cloud computing, we now have mechanisms available to us that make that patching and iterating easier without affecting the availability of our deployments.

So I'd also like to point out, it's no secret, but I am an employee of AWS, so some of this talk today is going to be centered around AWS-specific technologies and services, but everything I touch on is universally applicable. It doesn't matter if you're in cloud, on-prem, whatever; I just happen to know AWS the best. Okay, so at the core of this concept is data, right, and having data available at all levels of your deployment. So can we design deployments to answer questions like "are we deploying in Canada?" or "are we performing backups?" before we give the green light to actually deploy anything? So as it turns out, depending on how you design your architecture and your deployment, the answer to that question is, to a pretty surprising degree, yes. There's actually security information available at every layer of your environment and your deployment, right?

If you're using infrastructure as code to manage your infrastructure layer, then you have data that is both human and machine readable, so that means it supports both manual and automated analysis. At the language level your choice really matters, and knowing what languages you're using in your deployment also matters. So for an example there, since it's a memory-safe language, Rust tends to be the language of choice for Amazon's security-sensitive projects. For example, our Firecracker VMM, which is what underpins our Lambda and Fargate serverless services, is written in Rust. Now, next is understanding your software dependencies, right? Understanding your dependencies is really important from a security posture standpoint. Right now, according to Sonatype's State of the Software Supply Chain report, up to 90% of modern applications are composed of OSS components, right? And we already heard one this morning, Log4j; I'm sure that's seared in most people's minds now. So it's important to know, like, where are you vulnerable, right? Is that there in my infrastructure? Next we have workflow information. So using CI/CD principles means it gives us insight into not only who introduced changes into our environment but how, and that's often via an immutable audit trail, right? And using tools like GraphQL for your API not only allows you to make input handling auditable from the outside of your environment, but it also gives you insight into where you could be more specific about the inputs that you're accepting. So we'll be taking a look at how to kind of leverage all of these aspects throughout the presentation.

Okay, so let's take a look at how we can shift left at the infrastructure layer, and I'm just going to level-set first, right? So what is infrastructure as code and how can it help? All right, so as a formal definition, infrastructure as code is the process of provisioning and managing your infrastructure and your resources by writing a template that is both human readable and machine consumable. So the templates are usually in YAML or
JSON format, or a JSON-adjacent format, and some examples you might be aware of are Ansible, Terraform and CloudFormation for something AWS-specific. So basically it allows you to provision infrastructure using code, right? Genius naming convention. So infrastructure as code has a lot of advantages, such as making it easier for you to edit and deploy environments in an automated and consistent fashion, so that makes it easy for you to set up multiple environments for things like UAT, for prod, for testing, deploy entirely new environments in the case of disaster, and it can also help with compliance and security, as we'll see in just a minute. Now, some of the other things it can help you with are returning your environment to a known state at any given time, and I think that's a pretty powerful concept from a security point of view, and another thing is testing at scale.

Okay, so I used to work on a production environment that had something like 700 cores, several terabytes of RAM; we took millions and millions and millions of files in a day for analysis. And on the other hand our staging environment was a 2U server, something like 12 cores, maybe 32 gigs of RAM, and it took a tiny, tiny fraction of our deployment traffic. So I can't tell you how many times we'd push a new feature or a bug fix to staging, have everything look hunky-dory, only to have everything catch fire as soon as we pushed to production, right? So cloud computing and infrastructure as code really helped with that kind of problem. IaC can also integrate directly with your CI/CD pipelines, which means you can manage your whole deployment from top to bottom, or bottom to top, using CI/CD, and since it is code then you can treat it as such, right? So that means things like feature branches for new functionality at your infrastructure layer. And as I just alluded to, IaC is multi-purpose, right? So not only can you use it to edit and deploy environments in a consistent and automated fashion, but since it's code it can be linted, or it can be ingested into other services for compliance purposes.

Now, in my younger and more daring days this probably would have been a live demo, but now I'm older and risk-averse, so I'm not going to tempt the live demo gods today; you're getting screenshots, and I apologize for that. But here on screen is some JSON code, and what it's doing is setting up a storage bucket in our S3 service. So if you're not familiar, S3 is our object storage service in AWS. You'll see I'm giving it a name, I'm making sure to block all public access, and then I'm making sure that if the CloudFormation stack, or the IaC stack, that creates this bucket gets deleted, then my bucket sticks around. So this here is infrastructure as code in its purest form.

So let's chat a little bit about the AWS Cloud Development Kit, or as I like to call it, cheating at IaC. So while AWS does use CloudFormation for deploying infrastructure, our CDK allows you to define and build your infrastructure using programming languages, right, and then it automatically generates those CloudFormation templates for you as part of the deployment process. So what it's doing here is providing you high-level constructs for pretty much anything you can deploy in AWS, and it's going to be using sane defaults for those as well. So for example, if you're using CDK, in most cases you have to explicitly enable a publicly facing component. CDK enables you to not only have all of your code in the same place but also in the same language, and since it is in a programming language it enables you to do things like apply software engineering concepts to your infrastructure code, like unit testing for example. So we have another snippet of code here; this is a simple Python stack, and it's doing the exact same thing as my JSON code was a few screens ago, with the bonus of creating an access control policy on my bucket as well. Now, from here it's as simple as me typing cdk deploy on my command line to have this bucket created for me, and cdk destroy would tear it down for me.

Now, the deployment process itself goes through several steps before it actually deploys anything. So the first thing it's going to do is instantiate all of the constructs in my code and link them together. From there it's going to verify that my constructs are actually in a state that can be deployed in AWS. Then, if they are, they're going to be rendered into a set of deployable artifacts, so that is my CloudFormation code, or a Lambda application bundle for example if you're using a serverless model, and then it's finally deployed. So by the time the resources are actually being deployed in AWS, your CDK app has already exited. And the code here on screen is what I used to generate the JSON code from a few screens ago, so that was generated as part of the deployment process. So, infrastructure as code in a nutshell, right? I've defined a piece of infrastructure in code which I can then check into my repository and treat like any other piece of code, which I think is a pretty powerful concept in and of itself, right? But like I alluded to earlier, defining your infrastructure this way provides
opportunities for compliance and security as code. So enter the CDK aspect. Aspects are a feature of the CDK that let you apply an operation to all constructs of a given scope, okay? So they can do things like add tags to the resources you're creating, or they can verify the state of a given construct. So in this case they're verifying the state of every S3 bucket in my deployment. In this aspect actually we're doing a couple of checks. The first check we're doing is ensuring that encryption is enabled on my bucket, right? That's pretty important, encryption at rest. Next, if encryption is enabled on my bucket, we're making sure that it is a KMS-managed type. So there are several different ways to encrypt S3 buckets, one of them being KMS-managed. KMS is our Key Management Service, and it just gives our users more control and oversight on their key material and the keys themselves. One of the other types would be S3-managed, for example; that means the S3 service itself is the one creating, owning and rotating your key material. So a lot of our customers prefer KMS-managed just for the oversight and the management they have on it. And as a reminder, these checks would occur before any infrastructure was created or altered.

So here's an aspect in action, right? I included the aspect with the CDK code I showed a few screens before, and I ran cdk synth as a build step in my code pipeline. So since I didn't have KMS-managed encryption enabled, the build step failed. So that's pretty cool, right? So let's take that coolness a step further, and yes, I realize that this is an uncomfortably nerdy concept, but I still think it's cool, so I'll defend that. cdk-nag is what I like to call compliance as code. So it's basically mapping aspects like the one I just outlined to compliance requirements in various different frameworks as rules, and we call these sets of rules NagPacks, okay? So this is an open source solution, and we have NagPacks for frameworks like NIST 800-53, HIPAA, PCI DSS, AWS Solutions, which is just a grouping of AWS best practices, and you also have the ability to create and manage your own NagPacks based on your own context and your own compliance requirements. So all of this can be baked right into your CI/CD process, and it ensures that every single time you create or alter anything at the infrastructure layer, then it has to pass compliance checks before it gets created.

So because I'm a sucker for punishment, I also ran the same code with cdk-nag checking against the NIST 800-53 framework, and as you can see it didn't go very well. Some of the things I missed were encryption at rest, encryption in transit, bucket versioning and replication across different buckets or regions. I don't know if you can read that there, but you might notice there's errors generated for both S3 encryption being missing and KMS encryption being missing, which might leave you wondering, "Tyler, if I need both KMS encryption and S3 encryption enabled on my bucket in order to pass my compliance checks, how am I ever supposed to get a compliant bucket with cdk-nag?" And I'm actually super happy you're wondering that, because cdk-nag includes the ability for you to suppress rules as part of this process, in scenarios like this, and it also will print out a full run of all of the rules that will run against your infrastructure, including the suppressed ones, with every build. So I actually found out about this suppression thing when I was stuck in this weird circular rule-based loop, where basically I created an S3 bucket, I checked it in, it failed my build step, and it said, "Tyler, you need a log bucket for this S3 bucket," and I said, you know, fair play cdk-nag, that makes sense. So I added the log bucket for my S3 bucket and I checked it into my repository again; build step fails, and it says, "Tyler, you need a logging bucket for your log bucket," and it was then where I sought out this solution, and you can see suppression is useful in scenarios like that, and in the encryption one as well. So all of that to say it's not perfect out of the box by any means; it does take some fine-tuning depending on what you're deploying and what your compliance requirements are, but it's a very, very useful tool in terms of compliance and security.

Okay, so now that we've shifted as far left as we can with infrastructure as code, let's see what's possible at the application level. So I think this is an area that gets a lot of attention already, so I'm just going to touch on some topics that I think are
important, at a pretty high level. I'm going to start by mentioning the concept of GitOps. GitOps is usually brought up in a containerized or Kubernetes-based context, but it can also be achieved with modern serverless architectures, or pretty much any architecture that could be managed with CI/CD pipelines. So the idea here is to manage, or to treat, your git repo as a sole source of truth, okay? And then you would have your change management occur via pull requests from, or pushes to, your environment, and you'd have your servers and your infrastructure adjust themselves to the contents of your repository. Okay, so the security implications there are an environment where it's easier to tell the exact state that your environment is in, and also an environment that is more equipped to quickly answer questions like "are we vulnerable?" So it can also enable you to shift away from pushing code to your deployment environment to pulling, and having your environment request those pulls, and that reduces your network attack surface, and it also helps protect your environment from drift.

Now, the reason why this concept is usually brought up with Kubernetes is because Kubernetes can really streamline something like this through utilities like Flux CD, for example. So Flux CD is an operator that will consistently check for newly built containers that are the result of a merge, and it never lets your environment deviate from the latest approved containers that are built via your CI/CD process. So if you had a developer, for example, and they're developing a new feature for your UI, they would check that into your repository, create a pull request, it would have to pass build tests and code review, it would get merged down to main, a new container would be built, and then something like Flux CD would say "I have a new container for the UI," it would pull that into your cluster and then replace all of the UI containers in your cluster, and then your environment would never let your UI container deviate from that one until that exact process happened again with a new feature or a new bug fix.

And I also wanted to mention tools like the GitHub API and the CodeQL analysis engine. So GitHub isn't just a place where you can essentially manage your code and have your workflow data; it also understands the code it's hosting, right? And it records every single action taken on your repository, every issue that's opened and closed, every pull request, you know, all of your workflow data, and then it takes that and it represents it as data via its API. So that means with API calls you can answer questions like what programming languages am I using, what are my dependencies, what are my vulnerabilities, and you can also pull your workflow data as well.

Okay, so we just had a chat on zero trust, and I think we have another talk this afternoon touching on it, so I won't spend too much time here. But the reason why you're hearing about zero trust so much is because it's a very important concept, especially when you're talking about more modern, loosely coupled microservice architectures, right? So you should start by assuming that every component in your environment has a direct connection to the internet and work from there. So that's the "everything fails all the time" mindset, right? And this means that there's no areas within your deployment where any component should trust any other component. So gone are the days of the moat-and-castle security model, and thank the stars for that. So from there, every interaction between your components should have some form of authentication, like mutual TLS, and you should have encryption everywhere, from your client to your cluster, everywhere within your cluster or your environment, and then strong encryption at rest. And I will say this to you: HTTPS no matter what. I don't care what the context of your application is; if it's unclass, you should still be using HTTPS. If you're using a containerized deployment, every commit you make should create an image, every image should be tagged with a hash of that commit, and then every image should be checked into a registry. From there, you should be continually scanning every image you have in your registry for vulnerabilities. And the reason why I suggest you tag your containers with a hash of a commit is because with CI/CD you already have a strong mechanism for rolling out new containers, but in the case of failure, having these tags on your containers makes it easy to roll back. So not only easy to roll back, but it also enables you to have an easy mechanism to start your investigations into bug fixes and incidents as well. Now, we should also be scanning your dependencies for vulnerabilities and updates, so utilities like Dependabot are very good at this, and they can also help automate the remediation process as well.

So this one is more mentioned in a cloud-based context, but I think it's a really useful one, and it's also one that not many people focus on. Okay, so just to be clear, when I mention accounts in an AWS context, that is an entire environment where you would be creating users and deploying resources. So you don't have to make any trade-offs or compromises with your design decisions; you would have a very predictable, and as a result controllable, blast radius for your workload. The users that have authorization to modify your environment would be very
obvious to you, because they're the only ones working on that deployment, and it's also easier to determine what consequences changes would have to your environment, since you're the only one using it, right? So that means you can also have different guardrails and controls in place depending on the workload, depending on the context and depending on the use. So as an example there, I don't think I know of any customers of mine that use the same guardrails for their dev and their security environments, and that makes sense, right? Now, in your accounts, Stefan mentioned this earlier in a different context, but you should have continual audits of your users to ensure you're enforcing the concept of least privilege. So your users should only have the exact amount of permissions they need in order to perform their tasking and nothing more. And the other thing you should be doing is purging users, right? So if you have an employee leave your team or leave your organization, then you should be sure to revoke those credentials. I think last December, actually, there was a breach at Cash App, which is pretty well known, and they had an attacker reach their infrastructure and exfiltrate data that had customer information on it, and as it turns out the attacker was a former employee that still had valid credentials on their infrastructure. So that's one of those scenarios where that hyper-sophisticated nation-state-sponsored zero day isn't required, right? He did plenty of damage without that.

And finally we have kind of a hodgepodge of remaining concepts that are still very much important. So the first is automating your certificate provisioning. This is pretty easy to do with utilities like Amazon Certificate Manager, but equally easy to do with open source utilities like Let's Encrypt. Now, if you're using Kubernetes, you can go a step further and terminate your TLS connection right inside your cluster, so there's that zero trust topic coming up again. Next, you would be using minimalist host or container images, so only install exactly what you need in order to run your workload and nothing more, and if you're using containerization, ensure that you use a minimalist base image to start, something like Alpine for example. And finally, test-driven development. So test-driven development is essentially relying on your software requirements being converted into test cases early on in the software development process, and then you track your development by continually running these test cases against your software. So too often I find the test cases and the unit tests that you write for your software are kind of tacked on at the end of a feature development process, and that leaves a lot of room for gaps and for errors as well. So all aspects of your application, from the lowest level of infrastructure all the way up to your HTTP headers, should have test cases written for them as part of the feature development process, and then from there you should be continually running your tests during development, you should be running them on every pull request, and then again on merge.

Okay, so let's see what all of this has given us, right? Like, how does this shift left help us overall? Now, in my opinion, at the infrastructure level it means that all of your infrastructure is defined as code, which at a bare minimum gives you a strong mechanism for automating your deployments and for your disaster recovery. Now, on top of that, since we have infrastructure as code, and infrastructure as code can be read and interpreted elsewhere, we have the ability to bake our compliance checks right into our deployment process, which helps ensure that we never deploy any infrastructure that doesn't pass compliance checks. Now, I added a bonus here of a library of compliant resources, which could even be broken down into different contexts or different classifications. So why bother writing a new S3 bucket or a new load balancer or a new VPC if you already have a compliant one that you can just copy and paste into your application, right? I think the other really important factor here is building compliance and security into your infrastructure layer has your developers thinking about security right out of the gate, right? So let's say, for example, you have a new developer on your team; they create an S3 bucket, they check that into your repository, and it fails the build step saying you need encryption on this bucket. Then they'll add that encryption, they'll check it back in, it'll pass the build step, and next time they go to create an S3 bucket, encryption is going to be in their mind, right?

Next would be combining your IaC and your pipeline to support zero-downtime deployments. So deployments can support a rolling model that can replace your images or your functions or your containers without affecting the availability of your application, and you should also be able to do the same in reverse in the case of failure, and that's where containerization again comes in handy, and so does versioning. Now, push-button compliance reports. So one of the last things I did in my career in the public sector was a compliance exercise, and some of you may know the term SA&A, or security assessment and authorization. I had to take screenshots of my console settings and I had to fill out what seemed like a never-ending spreadsheet full of different security controls I had to have covered, and I remember just thinking how difficult that would be for the compliance team to determine whether or not the controls I've been approved to operate under are actually applied in my environment using those artifacts, right? So the whole idea of an SA&A is that you get authorization to operate within certain boundaries, and then you're supposed to continually monitor your deployment to ensure that you're still in those boundaries, and if you exceed those boundaries, so let's say you open a new port or you add new functionality to your service, then you should return to the authorization step and then reassess. So either you rein your deployment back in or you change your operating parameters. So in my ideal world, every time that we would run a build, then we would get a compliance report printed out for us; we would have the exact controls that are covered in that environment at that time, right? And if you have your infrastructure defined as code and you have your compliance checks built in, most of the work is already done there for you.

For the application layer, here's what I see as kind of an ideal state. So it starts by using test-driven development, right? Basing your development processes around testing rather than having testing be an afterthought is going to have your developers thinking about sound principles right out of the gate. From there we start using our code repository as a single source of truth, so if we know what is in our environment is an accurate reflection of what's in the repository, then you can leverage your
repository for useful security information, right? From there we're also scanning all of our containers, all of our images, for dependencies, for vulnerabilities and updates, right? And we're making sure that we have a process in place that if any issues arise then those things are remediated in an automated fashion. And finally, we're being paranoid, right? So we're treating every component in our deployment like an island, and we're making sure that every visitor to the island has a passport.

Okay, so what does this all mean for our live environment, right? To start, the components of our production environment are treated as ephemeral and immutable, right? So as I mentioned at the start of this talk, we look at uptime as an indicator of risk, not as an indicator of pride, and patching and iterating are our new indicators of pride. From there we would have limited access to our production environment, okay? So again, if we're using the one-account-per-workload principle, then we know exactly who should have access to that environment and why. I added a bonus point here for an environment that is only writable by your CI/CD pipeline. Okay, so when your application that is following test-driven development principles passes a new build to main, then that should trigger automatic replacement of all of the affected components in your environment. You don't really need a reason for users to have access to a live production environment if you're using CI/CD. And finally, all of the existing threat detection and incident response apparatus you have in place still applies here, right? We're not replacing anything; we're always going to need doctors and prescriptions, right? What we've done here is just try to make it a little less likely that we get that far. But as an example there, let's say we take what we have above here and we have an environment that should only be changed by your CI/CD pipeline; then you would be monitoring for that, and if you know that something outside of your CI/CD pipeline made a change to your environment, that's an immediate red flag that would need to be investigated.

And you know, at the end of the day, this is what it all boils down to, right? A few years ago NIST released this guidebook that looked at organizational cyber security from top to bottom, and basically what they did was they broke down all of the typical groups that you would see within an organization, like your management, your IT, your security, your HR, and they outlined the cyber security responsibilities those groups have, and it's a really great read if you haven't read it. But basically we're always going to have security specialists, we're always going to have security operations centers, unless you're in Ireland, and we're always going to have incidents to respond to. But that doesn't mean that your operations teams and your development teams shouldn't be tackling security in their own way, right? So making security more visible through data and throughout your environment is helping everyone tackle that challenge together.

And I wanted to wrap up by just talking about my favorite thing about this conference so far. So I arrived in St. John's, a city I love, and I get to my hotel, I go up, I open my door, and the first thing I see is this big round window with this view, and you know, I see the city, I see Signal Hill, The Narrows. I just love it here. But this isn't my favorite thing. My favorite thing is I sent this to my account manager Jason, so Jason's sitting over there, and he replied with his view from his hotel room.

So that's my favorite thing. All right, thank you, and if any of you have questions I'd be happy to take a few. Yeah, go ahead. Yes, yes, like anything like that, you know, there's a lot of stuff. I see a lot of organizations just take the path of least resistance, and a lot of times when you talk about things like that that work but also add value, then there is no... because that's extra work, that's extra things I have to learn and extra things I have to manage. But anything like that, like, why wouldn't you, right? It doesn't cost any money and it has plenty of advantages, especially from a security standpoint, right? So yes, please, anyone else? Okay, I guess you're all hungry, so thank you very much for your time and enjoy the rest of your day. [Applause]
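As an added example (not the speaker's code, and not cdk-nag or a CDK Aspect itself), here is a stand-in for the kind of build-step check the talk describes: it reads the CloudFormation JSON that cdk synth emits and fails the build when an S3 bucket lacks KMS-managed encryption, versioning, public access blocking, logging or a Retain deletion policy, with a rule-suppression hook for the "log bucket needs a log bucket" case. The sample template, the compliance_suppressions metadata key and the rule names are constructed for illustration only.

```python
"""Policy-as-code check over a synthesized CloudFormation template.

Added example, not the talk's code and not cdk-nag: it walks the JSON that
`cdk synth` would emit and applies S3 checks like the ones the talk describes,
so a CI build step can fail before anything is deployed.
"""
import json
from dataclasses import dataclass

# Constructed sample template: the first bucket mirrors the one in the talk
# (named, public access blocked, DeletionPolicy Retain, nothing else); the
# second satisfies the checks. Names and key alias are illustrative only.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "TalkBucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            "Properties": {
                "BucketName": "bsides-talk-bucket",
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True}
            }
        },
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            # Hypothetical suppression key (not cdk-nag's): a log bucket does
            # not need its own log bucket, which is the loop the talk hit.
            "Metadata": {"compliance_suppressions": ["S3-LOGGING"]},
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {
                        "SSEAlgorithm": "aws:kms",
                        "KMSMasterKeyID": "alias/example-key"}}]},
                "VersioningConfiguration": {"Status": "Enabled"},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True}
            }
        },
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}}
    }
})

PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                      "IgnorePublicAcls", "RestrictPublicBuckets")


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    message: str


def _sse_algorithms(props):
    """Return the SSEAlgorithm values declared under BucketEncryption."""
    rules = props.get("BucketEncryption", {}).get(
        "ServerSideEncryptionConfiguration", [])
    return [r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
            for r in rules]


def check_bucket(props, deletion_policy):
    """Apply the S3 rules to one bucket; return (rule, message) pairs."""
    problems = []
    algos = _sse_algorithms(props)
    if not algos:
        problems.append(("S3-ENCRYPTION", "encryption at rest is not enabled"))
    elif "aws:kms" not in algos:  # e.g. AES256 is S3-managed, not KMS-managed
        problems.append(("S3-KMS", "encryption is not KMS-managed (found %s)"
                         % ", ".join(str(a) for a in algos)))
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        problems.append(("S3-VERSIONING", "bucket versioning is not enabled"))
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PUBLIC_ACCESS_KEYS):
        problems.append(("S3-PUBLIC-ACCESS", "public access is not fully blocked"))
    if "LoggingConfiguration" not in props:
        problems.append(("S3-LOGGING", "server access logging is not configured"))
    if deletion_policy != "Retain":
        problems.append(("S3-RETAIN", "DeletionPolicy is not Retain"))
    return problems


def evaluate_template(template_json):
    """Return every unsuppressed finding for all S3 buckets in the template."""
    template = json.loads(template_json)
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        suppressed = set(res.get("Metadata", {}).get("compliance_suppressions", []))
        for rule, msg in check_bucket(res.get("Properties", {}),
                                      res.get("DeletionPolicy")):
            if rule not in suppressed:
                findings.append(Finding(name, rule, msg))
    return findings


def build_step_passes(template_json):
    """CI gate: True only when no unsuppressed finding remains."""
    findings = evaluate_template(template_json)
    for f in findings:
        print(f"FAIL {f.resource}: [{f.rule}] {f.message}")
    return not findings


if __name__ == "__main__":
    print("build step passed" if build_step_passes(SAMPLE_TEMPLATE)
          else "build step failed")
```

Run against the sample, the talk's bucket fails on encryption, versioning and logging while the log bucket passes because its only gap is suppressed; in a pipeline you would feed it the template from cdk.out instead of the embedded sample.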
Wait for everybody to come back in. Maybe if I speak really loud people will come in from outside.
Somebody close to the door want to do me a favor and just open the door and yell out and say, uh, we're going to draw for prizes and we're going to start the presentation?
That gets everybody in. Oh really? Yeah.
Not gonna be after yours.
So I'm going to draw for a Sony Bluetooth speaker. I'm not sure, it looks like it's waterproof, maybe, I don't know. But that, and plus I got a set of these Galaxy Buds, two separate prizes. Let's see. All right, so the first one: six two five two four two, four two four two. Anybody? No. All right, next.
Six two five three one zero, three one zero. All right, next. You snooze, you lose. Six two five two five eight.
Wow, a lot of people losing. I'll just ask what your number is: 625-154.
My gosh. All right, how about two three six? All right, awesome. [Applause] All right, and the next one: one three six one.
Speaker or earbuds? Technology.
All right, so next up we have Ali from NetScope... sorry, too many net things in my mind. Close enough. Hi folks, so before we start we're going to do a quick draw based on some of the questions that you've probably seen on the screen. Hopefully you have a good memory. So starting: what year was the first BSides event ever held in Saint John's?
Next question: where was the Saint John's event held? Who said that? I think...
Third question: what year was the first ever BSides event ever held anywhere?
Question before last: where was the first ever BSides event held? Yes, great answer, the gentleman over there.
And final question, an easy one I think: name another city where BSides has been held. Vegas. [Laughter]
That's it. All right, let's begin. So hello everyone, my name is Ali Zadisa, I'm a cyber security specialist at NetScout, or the Scouts of the Net, and the title of the presentation is "A Convenient Truth." It's kind of a joke, because the convenient truth is that the network is something that everybody today relies on and needs in one way or the other, and the network depends on the packets. You're gonna see that as a trend during my presentation: packets. And the packets themselves, whether you want to admit it or not, they're the absolute source of truth. Packets do not lie and cannot be altered or modified. So that's the bottom line of my presentation.

So a lot of things have changed since I started working in cyber security. It seems to me that a lot of trends right now are affecting the market: cloud, ease of access, global network, new laws in Quebec, Europe and elsewhere, punitive measures. All of these things affect the effectiveness of cyber security programs and by definition put the assets at risk. So how do you define risk, and how can you measure risk in real time? It's somewhat easy to sit down and, from a security perspective, say what is your risk tolerance, but to be able to do it in real time, to have clear indicators of whether you're deviating from that level in real time, is very hard to do, and anybody who tells you otherwise... I'm being honest with you. So that is something that a lot of people have been challenged with. In my opinion, one of the reasons behind that is that from the beginning we used different and separate metrics to measure the effectiveness of cyber security versus operations, the workload, which is ironic because security is there to support operations. Well, we use different tools, different metrics, different teams, we don't talk to each other, and that style in itself creates opportunities for the bad guys to win. So the question that I ask you is: what is the acceptable level of risk? So think about that as I go through my presentation.

So the threats themselves have evolved as we evolved. I used to be an SE, and I remember when I started there was no such thing as cloud. So it's very easy in a data center, and that made it easy: you have a perimeter, you defend yourself. But now you're everywhere, consuming everything from on-prem to cloud, and sometimes you catch up on new services that you're not aware of. But the threats also have evolved as operations and production have evolved, and they're persistent, depending on the sophistication of the bad actors. Sometimes they're nation states, sometimes they're, you know, your average kid. But the threats evolved in such a way that the detection period takes a lot longer, the incursion period happens well before detection, there are active reconnaissance attempts every single day. So yeah, the attacks have evolved and they're more advanced, but our defense, our strategy, has not changed regarding these new threats, at least based on every stat that I've looked at. And all the numbers that we've all seen, it seems to be that the bad guys are winning and the good guys are not winning. I believe some of the stats that I've seen out of Canada, the US and Europe, the success rate for an advanced threat was 60 percent and above, and these are numbers that you can validate, the Mandiant report for example.

So the cyber security strategy for so long has relied on things such as logs. They're great, they're convenient, but the reason why we chose logs back then is because it was less costly than packets, it was less management overhead. But logs by themselves are not being successful against these new threats. If logs were sufficient, your serious incident response team would not need to come in and start capturing packets, because you already have the logs. So there's a need for packets, and the technology that we have been using to implement that strategy for so long was using pack... oh sorry, it was using logs. So the question that I ask the team, and ask yourself, is: has that strategy been working for you? Are you really getting your money's worth? In the cyber defense world and the security world, as you're familiar, there's no shortage of good vendors, a lot of solutions, and in my opinion we should stop chasing the magic bullet or the one solution or the buzzword of the day and focus on the process and procedures and overall visibility. Defense in depth is something that's old but it actually works. The challenge is which layers of your defense in depth need more love or attention, and how you go about finding that and, you know, focusing energy. There are better technologies out there, and the security sector, especially regarding packet analysis and packet inspection, has evolved tremendously. Today we can with ease analyze packets in real time, create metadata on those packets which can be used from security to NetOps to DevOps, different contexts, different use cases. So a lot of benefits that are available today that were not available before. And one thing also has changed: the dependency on these new cool and nice features that are easy to consume has hidden the complexity behind it. It's easy to access a service, but that creates a bigger attack surface. This complexity created more dependency on cyber security to have more situational awareness in real time. It's not enough to say that this IP and IOC is talking to, I don't know, email, that the levels in malware... but what is the impact behind that malware? Which service? What's the use case of the service? What is the context of that service within your environment? Are they transactional, are they testing, what is it you come out of it? Because if you cannot have that information in real time and kind of superpose the security versus operations, you're not focusing on things that matter, you're not focusing on your crown jewels. And that is what's missing, and that is actually the security gap that we have in the market today. So going back to the question, which layers of your defense in depth need more love? My answer to you is network packets, something that you already have.

The networks of today, our enterprise networks, have evolved tremendously, from SD-WAN to the cloud, and it seems there's always some kind of project with regard to the network. So the network for me is a foundational element, and this ever-changing entity creates complexities and blind spots. If you ask your average customer or, you know, security architect, do you know how everything's connected, do you truly know in real time the dependencies between those services, the user, the session, the middleware? They can't. It's an unfair question to ask, because we don't have the right data set to give those honest answers in real time. Imagine if you could tell in real time the dependencies that you have on your average cloud provider, on an availability zone. If you see that it's being saturated and you have to migrate to a different zone, that creates a risk for your cyber security strategy in real time. We often neglect that we're consuming services such as UC collaboration, but that's a target for cyber security, and most vendors don't focus on UC, as if it was a thing apart, but it's actually a thing. So you need to have proper visibility, and that could come only by leveraging the packets that you all have in your environments. Why packets? Because they give you comprehensive visibility. What do I mean by that? It's to put things in context. Again, traditionally the approach was a threat-based approach, everybody, as I said, using logs. That approach has not been working successfully, based on the number of incident responses that a lot of companies are doing and the successes of bad actors, which means by default that you have to change your strategy from a threat-based approach to a risk-based approach. In order for you to be aware of all the risks, you have to leverage every single data set that you have already in your environment, and packets, being the absolute source of truth as I mentioned, cannot be modified, altered or erased such as logs, and give you that context. And using packet inspection, or DPI, in real time gives you multiple benefits to have that situational awareness, to put things in context, and more importantly allows you to eliminate the silos that exist between the teams, because the benefit you get from the network can be enhanced by adding the layers of your cake on top: security, DevOps, just as an example. So when to act? The time is now. Ask yourself: are you seeing truly what you need to see based on everything that you have? Are you acting? The data that you are using, is it enough, is it sufficient, are you using the right data set? Obviously there's a lot of stuff, multiple solutions and vendors in place, but are you seeing the proper context between LDAP, DNS and DHCP and the session, the user? Do you know what's normal in real time for that specific user and that specific application versus abnormal? For UEBA's actions to say, you know what, I'm seeing jitter or a different packet entropy for that application, that is not normal, let's investigate. Because from a network perspective that could be just performance or, you know, availability, but from a security perspective, as you may all be aware, a sudden change in packet entropy before it got to the application, or jitter, could be a clear indicator of compromise for an attack. It's only by superposing these different teams and silos through packets, and leveraging the same data set from different contexts, that you could put things in perspective, and by doing so you'll focus on things that matter, because you can understand what is normal traffic for a specific user and application in the context of their reality, transactional database and so on. You focus on things that matter first. So your average analyst, when they see that ticket, sees the IP: hey, this is important, I'm going to separate this, instead of investigating, start capturing packets reactively and then understanding what the consequences are. And this also gives you other benefits. By leveraging packets in real time and having metadata you'll always have the right information regarding reconnaissance, because you see everything as far as sessions. What was the first attempt of a TCP max happening three months ago or two months ago? Who was targeted? Where's it coming from? Do you have the capability of doing contact tracing? It's not important to say I have a malicious IP that was talking to blah blah blah. Okay, who was patient zero? What level of credentials did they have? Who were they talking to six months ago? Can you go back in time, and be able to go back in time with the application of IOCs? Like, tomorrow if there's a new version of Log4j, can you truly say or admit to yourself, oh, this was here also six weeks ago? Or do you have to go back, or do you have no means of going back? By leveraging packets in real time and creating metadata through DPI, as we can do today, you have all those side benefits, which saves a lot of time in actual troubleshooting, you know, actual day-to-day security operations, streamlining, eliminating silos, but also incident response and investigations, and this allows you to get ahead of threats.

So what are the final benefits of using DPI? Well, it is scalable from a money perspective, investment: the benefit you get from troubleshooting and availability based on the network can be layered from a cyber security, from a DevOps perspective. You eliminate the silos, you know where the dependencies are in real time, if you see changes you can act upon it. So it's very good from a TCO perspective. The data set that you get is a lot more rich: you get the full session, conversation, DHCP, DNS and all those sexy passports. So this gives you more data, again, the right data, not just more tools but the right data set. This allows you to have better integration within your security stack as well, to put things in context. You can effectively, by using packets in real time, measure if you're deviating from the acceptable levels of risk. So if a CISO asks you, where are we risk-wise, you have proper metrics to give those answers and you can put things in context. If you're running a new service or using an old service, you can know what the comprehensive visibility is and have proper answers with regard to what is normal, healthy behavior for that user, session, application and so on. So when you see changes that are not normal, you can just put it aside and say it's just a performance issue? It could be security. A lot of times advanced threats are hidden and we ignore them because we say it's performance, it has to be availability, but when you dig, you know, enough, you understand that it's cyber security and it's just hidden well enough. We have to use these tools that we already have from a different perspective. That's it guys, thank you so much for your time.

Thank you. Questions? Okay.
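A worked illustration of the baseline argument in the talk above (a per-user, per-application notion of "normal" built from packet metadata and enriched with DHCP, LDAP and DNS context, then checked for jitter and payload-entropy deviations), added here as an example; it is not NetScout's or the speaker's code, and every lookup table and sample value in it is constructed:

```python
"""Baseline-and-deviation check over DPI flow metadata.

Added illustration of the argument above (packets plus DHCP, LDAP and DNS
context give a per-user, per-application notion of 'normal'); it is not
NetScout code or any product's output. The record shape, the lookup tables
and every sample value below are constructed for this example.
"""
from __future__ import annotations

import math
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed context tables standing in for DHCP leases, LDAP logon events
# and DNS answers; a real deployment would derive these from the packets.
DHCP_LEASES = {"10.0.5.21": "wkst-021", "10.0.5.22": "wkst-022"}  # client IP -> host
LDAP_LOGONS = {"wkst-021": "alice", "wkst-022": "bob"}            # host -> user
DNS_ANSWERS = {"10.0.9.10": "crm.corp.example", "10.0.9.20": "erp.corp.example"}

# Noise floors so a flat baseline (zero variance) still needs a real change to fire.
FLOORS = {"jitter": 1.0, "entropy": 0.25}  # milliseconds, bits per byte


@dataclass(frozen=True)
class FlowRecord:
    """One session summary as a DPI engine might emit it (constructed shape)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    jitter_ms: float       # inter-arrival jitter measured on the session
    payload_sample: bytes  # first bytes of application payload


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; close to 8.0 means encrypted or compressed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def enrich(rec: FlowRecord) -> tuple[str, str]:
    """Superpose who (DHCP -> LDAP) and what (DNS) onto a bare IP pair."""
    host = DHCP_LEASES.get(rec.src_ip, rec.src_ip)
    user = LDAP_LOGONS.get(host, "unknown-user")
    service = f"{DNS_ANSWERS.get(rec.dst_ip, rec.dst_ip)}:{rec.dst_port}"
    return user, service


def metrics_of(rec: FlowRecord) -> dict[str, float]:
    return {"jitter": rec.jitter_ms, "entropy": shannon_entropy(rec.payload_sample)}


def build_baseline(history):
    """Mean and population stdev of each metric per (user, service) pair."""
    samples = defaultdict(lambda: defaultdict(list))
    for rec in history:
        for metric, value in metrics_of(rec).items():
            samples[enrich(rec)][metric].append(value)
    return {key: {m: (statistics.mean(v), statistics.pstdev(v)) for m, v in ms.items()}
            for key, ms in samples.items()}


def detect_deviations(baseline, recent, z_max: float = 3.0) -> list[dict]:
    """One finding per recent flow that is abnormal for its (user, service)."""
    findings = []
    for rec in recent:
        user, service = enrich(rec)
        if (user, service) not in baseline:
            findings.append({"user": user, "service": service, "reason": "no baseline"})
            continue
        reasons = []
        for metric, value in metrics_of(rec).items():
            mean, sd = baseline[(user, service)][metric]
            z = abs(value - mean) / max(sd, FLOORS[metric])
            if z > z_max:
                reasons.append(f"{metric} z={z:.1f}")
        if reasons:
            findings.append({"user": user, "service": service, "reason": ", ".join(reasons)})
    return findings


# Constructed history: ordinary plaintext CRM/ERP API sessions over a week ...
NORMAL_PAYLOAD = b"GET /api/accounts?page=1 HTTP/1.1\r\nHost: crm.corp.example\r\n\r\n"
HISTORY = [FlowRecord("10.0.5.21", "10.0.9.10", 8080, j, NORMAL_PAYLOAD) for j in (2.0, 2.5, 3.0, 2.5, 2.0)]
HISTORY += [FlowRecord("10.0.5.22", "10.0.9.20", 8080, j, NORMAL_PAYLOAD) for j in (4.0, 4.5, 5.0)]

# ... and today's sessions: bob is as usual, alice's CRM session suddenly shows
# high-entropy payload with 40 ms jitter, and a host with no lease or logon appears.
RECENT = [
    FlowRecord("10.0.5.22", "10.0.9.20", 8080, 4.7, NORMAL_PAYLOAD),
    FlowRecord("10.0.5.21", "10.0.9.10", 8080, 40.0, bytes(range(256))),
    FlowRecord("10.0.5.99", "10.0.9.10", 8080, 3.0, NORMAL_PAYLOAD),
]


def run_example() -> list[dict]:
    return detect_deviations(build_baseline(HISTORY), RECENT)
```

Calling `run_example()` returns two findings: alice's session is flagged on both jitter and entropy, and the unknown host is flagged as having no baseline, while bob's ordinary session is not reported.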
Thank you, thank you. All right folks, it's lunchtime. I see the staff are bringing out the food now, so we'll just give them a few minutes to get everything prepped for us and then we'll start calling tables. So I think Nancy, you're gonna kind of direct tables, but we'll just start, you know, getting a few rows of tables to go and get their meal, sit down, and we'll just keep everything flowing. So we'll just wait, and when the food's out we'll let you know.
We're going to start again, and we're going to start by doing another prize draw, try and get everybody back in the room for the next talk. All right, so the first thing that we're going to draw for is a Marley Bluetooth speaker.
It is not a Harley. 625-262.
Nobody? Next, 625-308.
You got two six two? All right, come on down. Which one? 308. You got 308, all right, come on up. I got three prizes here, so here you go, you get that one. Awesome. Nah. All right, so would you rather have the Echo Show or these cool Bluetooth glasses that got speakers built in? They're called smart glasses.
I have no idea. All right, cool. All right, next, so we have the Alexa Echo Show.
All right, two three eight, two three eight. All right. [Applause] All right, do we have our next speaker close by? There we go. Chris, you can introduce him and everything.
All right, you want to use the wireless, or I cannot stand here? Just make sure you click that on the summer, because, yeah, it makes weird noises if you don't. Feel like... oh, sorry.
Does it work better on the outside?
No, that's fine. Yeah, which one is for... was the HDMI video? Do you need power? I don't know, this for... oh, you have HDMI right here, there it is, got it, I don't need power.
There it is, working. Yeah, perfect. All right, so welcome back everyone. For our first talk after lunch we have Jerry Chapman with Optiv, with zero trust.
One.
Test, one, test, test. There it is. All right, yeah, no worries. Well, good afternoon, and I hope everyone had an enjoyable lunch. My name is Jerry Chapman, I work for Optiv. My goal here as an employee of Optiv... I'm an engineering fellow with Optiv, so I get to do a lot of things around thought leadership, whatever that means in the industry. I am a, well, let me just go a little bit further, I am a co-author of a book called Zero Trust Security: An Enterprise Guide, so I've been in this for a little bit of time. The goal today really is to give you an agnostic understanding of zero trust, to hopefully, as practitioners, walk away from this and have a clear, very precise understanding. Because I'll just say this: when I wrote my book we wrote a paragraph and a half to describe zero trust, right, and why? Because we had to fill pages, right, you have to fill pages when you're writing a book. So we wrote a paragraph and a half just to define zero trust. What I want to tell you is zero trust, in three words, seems to be very clear. I want to talk about that, I want to talk about a journey, I'm going to talk about what it looks like and how to do zero trust, and hopefully give you some strategies to walk away with. And then more importantly, what I find when I have this conversation is, if you take away the notion that I have very specific solutions, you being the practitioners, very specific solutions in my environment that can lead down the path of zero trust, and you hear that and you're like, yeah, I get that, then you're like, yeah, the vendor conversations, those are great. Vendors talk about zero trust, they talk about it from their product, which is fantastic, they do that, they do it very well. But if you look at it from a "what do I have, where do I go and how do I move forward," and then most importantly, because I'm about to say I'm an identity guy, I've been an identity guy for well over 20 years, I talk about identity all the time, we're going to lead security with identity. That's what I talk about: how do we lead security with identity, right?

So let's kind of get into this a little bit. So if I start to talk about zero trust, first off, I use my own USB device because I don't trust devices, let's be very clear. The first thing I talk about is context-based security. So if you're talking about context-based security, that's a bunch of marketing terms. First off, understand that zero trust is more than marketing, I call it marketecture, but it is more than marketecture. And then you see something like identity-based security or, I'm sorry, context-based security, like, well, that's just more marketing terms, Jerry. You're absolutely right, let me add to what that actually means. You take identity, you take security controls, and then you take risk. You bring those three things together, you've got a context-based security model. And I don't mean the identity providers that tell you, well, we do geolocation services for step-up authentication and those types of things. Yeah, they do, they've been doing that for five years, that's not what I'm talking about. I'm talking about bringing in external telemetry to drive risk-based decisions. That's how you get the identity, security and risk model to drive context-based security.

The second thing, you've heard this: trust nothing, right? That's what everyone tells you zero trust is. That's absolutely right, but if you don't want to impact the users... and a lot of conversations in security are about what is the user experience, and there's this weight and measure between user experience and security, right? What I tell you, and what I can show you and prove to you, and we're going to talk a little bit about this, is how do I make the user experience better and how do I ultimately increase my security and security controls to support a zero trust framework. So while it is default to trust nothing, ultimately it becomes an earned trust conversation. You have to earn the trust that you have, and if something changes with that trust, like, I don't know, I have never been here, by the way; it's a beautiful area, love the country, it's awesome, I've never been here. But when I log onto my network there is no way I should just log on and say, yeah, MFA, that's wonderful. No: Jerry, where are you, what are you doing, why are you trying to do this? You've never been there. That is risk, that is where earned trust comes in. And if I start coming up here regularly, now our client manager here at Optiv is going to try to bring me up here as much as she can, thank you Kelsey by the way, that will change, because if I come up more regularly it's like, oh wait, Jerry goes to that location, he's able to support it, and then that becomes earned trust. That's what the default to trust nothing really means.

The third one here, design dynamic micro-perimeters. When people read that they say, Jerry, you're talking about micro-segmentation. I hear that all the time. No, I'm not. Micro-segmentation is a part of the conversation in a micro-perimeter conversation; micro-segmentation is a way to support things like micro-perimeters. But if I'm talking about data, and if I'm talking about more than just segmenting my PII data to some network, that's fine, I can segment my PII data to some network, but what happens when I get through that network because I quote-unquote have access to that data? What about all the data inside of there? That segmentation does nothing for that. So there's different technology to support that, things like data protection, that includes things like data classification, data governance, that has nothing to do with micro-segmentation. That's why I call it micro-perimeters. Then the question is, why is it dynamic? Here's the truth: we've been doing the principle of least privilege for well over 20 years. The military coined the phrase defense in depth about 20 years ago, they've been doing it for 20 plus years; in the IT industry we've been doing it well over 20 years. So what's different about zero trust? Because we're talking about defense in depth, we're talking about a principle of least privilege, Jerry, everyone has said it before, what am I saying that's different in zero trust? What I'm saying is now we can do things like just-in-time access. Well, we've been talking about that in theory forever, but what I'm going to tell you is, for the last five years the vendors, the industry, has come to an integrated model where now we have standards where we can integrate our technologies and integrate our solutions to drive just-in-time access. I'm going to show you an example of that in my presentation in a few minutes, because I think it's important for you to understand what I mean by just-in-time access. Okay, simple definition, right? I spend 10 minutes on a slide and you're like, yeah, that's simple, Jerry, I get it. Identity, security and risk, that's the three words you need to remember for zero trust.

And what that means: every organization has some level of maturity around zero trust, whether it's fundamental. By the way, if you look at this slide you see fundamental, you see things you've been doing for 20 years. Yeah, I'm doing network security, yeah, I'm doing identity, yeah, I'm doing data protection, yeah, that's great. Have you integrated your identity solution with your security solution? That's what that next level is, the integrated model, and most organizations quite frankly stop there. Yeah, it's great, I can take my Active Directory users and groups, I can integrate them with my next-gen firewalls, and when I integrate them with my next-gen firewalls I can do things like user-based routing, so a user gets access to a network segment because they're in some Active Directory group. Well, I would challenge you: do you have a governance solution associated with that identity to determine whether they should even have access to that network through that user group in Active Directory? So that's really what that may or may not get there. They get there with some level of maturity or some level of integration, because now they're bringing in things like your SIEM solutions that have UEBA ingrained in them, they're bringing in things like SOAR solutions, so now your SOC analysts or your SOC solution is saying, oh wait, I've got an incident, it's not a false positive, let me forward that on to something and say we have a problem, we have an incident, let's do something about this. And more importantly, this is where I start talking about leading security with identity: if that SOAR solution is notifying my identity solution, my identity solution should be able to say, oh wait, this is a change, go change what's going on, kill the authentication, kill the access, whatever that means, terminate it. And that's where an adaptive model starts to drive your zero trust program.

Okay, moving on. So I've told you what it is, right, pretty simple. I've told you kind of that maturity journey, kind of where you bring identity, security and risk together. Let's talk about how you do it. Now there's a whole lot on this slide, so I apologize for that from the outset. If you haven't read NIST 800-207, it's a great conceptual guide to tell you what zero trust is. They did a great job in defining what is your trust, what are PDPs, what are PEPs, they've got all this stuff out in it. Go look up NIST 800-207 if you haven't seen it yet, fantastic document. What I've done, and what we have done, is said, listen, let's make this simple, because to me it needs to be simple: how do I get to zero trust? So if I look at the first box, and by the way, the boxes across the top, they are the steps that I'm about to walk through quickly; the bottom tells how we align to the NIST 800-207 principles. So what this means is I'm not just making this stuff up. This is not something where I said, oh, let's just throw some stuff out here and figure it out. No, this is stuff that aligns to what the industry is saying are good ways to do this.

So the first one is define a micro-perimeter. That's easy, right? No. There's three ways to do that. There's, oh, I'm just going to go buy a VPN solution. I talk a little bit about this in a few minutes around technology and so forth, but it's, I just need to protect my castle and moat, with my moat, right? I'm just going to keep doing that and I'm going to add, I need to do something with my VPN. Maybe I've been doing VPN for years, maybe I'm going to augment it. Maybe if you're talking to some of the vendors out there, and they're fine: replace the VPN. I personally say replace it, but that's a different conversation, because sometimes you can't just replace your VPN solution, it's not even an option. You've invested 10 million dollars over the last 15 years into your VPN solution; sometimes it's not optional. So maybe that's not the path. The real path to define a micro-perimeter is defining and understanding critical business systems. That's a vague term too, right? I'm trying to drill down into some of these vague terms. If you have a critical business system that drives your business, and more importantly, if part of that system generates, I don't know, 50, 60, 70 percent of your revenue in your organization, guess what, that's a critical business system. And if you start to understand that critical business system, and when I say understand, that means you understand what's going in and out of it. First we'll start at OSI model three through seven, right? You start to understand the network layer, you know what's going on up the top all the way to the application layer. You can get that, that's pretty easy; there are solutions that'll tell you that, that's not hard. But then you get into things like the application layer security. The network stuff is not going to give you that, the ZTNA solutions that are fantastic are not going to give you that. You have to figure that out, you have to figure out what does the user experience in that environment. So there's a whole lot of stuff I just said there, right: understanding the business system, understanding at the high level, where you get all the way down to the attribute level if necessary in Active Directory to say, oh yeah, if you have this attribute, this is what your user experience looks like. There's a lot said there. Now take zero trust out of that conversation: that drives cyber resiliency. Think of that for a second. That drives your cyber resiliency, because now you understand what's going on in the organization that is your most threat. So some of the ransomware stuff we heard earlier today, you know how to protect that stuff, you know how to get past that.

So if you understand that, here's what you start doing: you start drawing circles around those components in that business system and you say, oh, I can create a micro-perimeter here, I can create it here, I can create it here, and it's going to be different for each one of those solutions, or each one of those circles, and that's okay, because what you're doing now is you're protecting the business. And what you're moving towards, and this is the hard part, what you're moving towards is implicit deny with explicit allow. And when I say that people say, oh Jerry, you're talking about whitelisting. Yeah, I am. Why? Because we're only giving you access if you should have access, period, end of story, conversation over. It's hard, yes, I know. I'll talk about governance of that in a minute.

The next thing you see up there is identity. Listen, if you can't define an identity, and I don't mean just a user identity, I mean a machine identity, a device identity, service accounts, all of those things drive identities. IoT, MIoT, that's a big conversation I'm having lately, around medical IoT, and I'm completely separating it from just IoT, just to be clear. OT, all of those things are driving identities. So if you've got a micro-perimeter and you understand the identities, what you can now do is start saying, well, I can define who and what can get in and out of that micro-perimeter. That's the point of understanding the identity. This goes back to "let's lead security with identity," it's my favorite catchphrase these days.

Okay, so the third one, enhanced security. Now I'm an identity guy and I talk about MFA all the time. MFA is not perfect, it's not. Sometimes we spend way too much time with pushing buttons from the authenticator apps, and people get very tired of that conversation, they're like, yeah, I'm just going to push a button, right? I heard someone else say early this morning: education. Absolutely, education. MFA is one of those. Another one I talk about a lot is dynamic PKI, because let's face it, you're not doing interactive logins with service accounts, and you shouldn't be. I heard that earlier today too: don't do that, that's just wrong. But if I can do dynamic PKI, now I'm not doing interactive logins, I'm doing one-time certificate authentications, and there's technology today that I can support this with without having a huge PKI infrastructure that has a CA and I've got to manage the CRL and I've got to do all those things that drive my certificate management. No, there's ways to get past that, better ways, because now we're not relying on the human condition to
support it the last one visibility I can create all the micro perimeters I want I can Define all the identities I can have MFA Dynamic pki whatever I want if I can have all of that and it's perfectly inside a little cube a little circle whatever I however I want to Define that but at the end of the day if you don't have visibility into that micro primer guess what doesn't matter because when that ransomware gets in there if you can't maintain what you have if you can't monitor the environment and then most importantly if you can't respond what's the point you've done nothing you've changed nothing so visibility sorry I get very passionate about this
subject. As you can tell, it's a lot of fun for me. So keep those four things in mind when you start thinking about zero trust: how do I create a micro perimeter, how do I bring identity into the conversation, what does enhanced security look like, and quite frankly, how do I get visibility into the environment. Those are important. That's how you do it. Oops, sorry, I'm excited.

All right, moving on. So let's talk about strategies. By the way, I usually can talk about these things for hours, so sometimes I just have to check myself. So let's talk about different strategies. NIST 800-207 has some great strategies. They talk about using enhanced identity governance. Now they talk about using enhanced identity governance, but CISA, within the NIST environment, they tried this, and what they came back to the industry and said is, our identity governance solutions aren't ready. They can't do what I'm talking about. They can't do enhanced identity governance with things like, you know, open network protocols, with policy modeling, the attribute-based stuff. They're saying they can't do it. Now I'm going to argue that point in a few minutes, but they're saying they can't do it. That's Jerry's opinion, that's what it is, but that's okay, we'll talk about that in a second. I'll give you my support for that in a second.

They're also talking about micro-segmentation. Listen, we've been doing this forever: micro-segmentation, next-gen firewalls, all the stuff I've already talked about. They're talking about, what's the other one, SDP. SDP is my favorite topic. When you start talking about software-defined perimeter, or when you start talking about ZTNA, quite frankly SDP is based on the simple fact that you have to have an authentication header before you do anything. If you don't have an authentication header, the packet gets dropped, conversation over, and you don't even get a response. So you just get the "response timed out" message if you try to attack an environment or talk to an environment; it drops. So SDP is a great technology. I encourage you to look into it if you haven't. I encourage you to see what it looks like in your environment potentially, because it's all about that authentication header. All right, so if that's missed, then Jerry obviously has something to say about it. I have a lot to say about a lot of things, but we'll keep it here for now.

First thing is, there are two ways in my mind to drive a zero trust approach, or to encompass a strategy. First is technology driven. I'm going, what's that, left to right from your perspective, right to left. Technology driven: VPN replacement, easy conversation. All your ZTNA vendors are talking about it. Yes,
you should do it. VPN is the number one attack vector, period. Everyone knows about it. It's not hard, that's an easy conversation. The second thing here is data governance. Data governance is an easy conversation too, if you really start thinking about it. You should understand your data, you should know who has access to your data, you should be able to classify that data. You can get a solution in here to drive it. Good way to drive zero trust. The third one up here, again I'm an identity guy: SSO and MFA. Absolutely. If you're not doing SSO and multi-factor authentication as a means to get to zero trust, (a) you're not increasing or enhancing the user experience, and (b) you're not even going to touch zero trust, because if zero trust is about authentication and authorization and getting access to something, and you don't have a mechanism to automate that process, forget it, conversation over. Move towards SSO and MFA. And quite frankly, you can't do the next step beyond SSO and MFA, and this is my favorite topic, one of my favorite topics: passwordless. Why should you do passwordless? Because if I am doing passwordless, my user experience has just increased. I'm not changing my password every 90 days, 180 days, whatever it is. Microsoft says you should do it every year; I can explain why they say that, that's the Windows Hello environment. The NIST framework says never change the password: just create a very long password and never change it.

So the passwordless initiative is a step into zero trust. This is again a technology-focused method, a mechanism to implement zero trust. It gives you that first step, because if I can do that, the user experience is great. As an IT person, as a security person, if the user experience is wonderful, guess what? Now the security controls I put in place are not going to negatively impact the user, because now I can start stepping up authentication and they're like, yeah, I'm okay with this because I'm just clicking a button. You educate them about the fatigue of hitting the authenticator; you educate, and guess what the next step is: oh, I get it, if I'm not making the request, I don't hit the button, period. But if I'm doing passwordless, I now understand that because it's a normal part of my day, it's a normal part of my job, and I'm not changing my password every 90 days, and I'm not making long calls, or having long days where I'm just trying to reset my password on all my devices, because all my devices have passwords across them. This has given me access into my environment. I hate changing my password, because now I'm on my iPhone, I'm on the Android device, all these things, just to get into the environments. It's really a headache. I should not have to do that, and it just affects my experience, which means I don't want my CISO implementing anything that's going to change what I do, because it's a pain. Right now, we're security professionals, we're IT, we don't care, we're like, yeah, of course I'll do that. Your user community does not want that. That's the truth. So that's where I talk about the technology driven.

The second thing I talk about is policy or outcome based. Now I list three here, but I want to talk about just one of them, because again I typically go way over if I talk about all three. But I want to talk about network access control. What does that mean, policy-based control,
talking about policy or outcome based in a network access control environment? Well first, that means I've got to have a policy. Well, Jerry, what is that? You're very general. Now I know this is very general, and I appreciate that, because it's going to be different for a lot of people. But a policy starts with a subject. What's the subject? An identity. Whether it's a user, whether it's a machine, whether it's IoT, OT, MIoT, a service account, it's an identity. It is a subject. And then what are they going to do? What should that subject do, whatever that is? Keep in mind I'm going from implicit deny and explicit allow. Sorry, implicit deny with explicit allow. We've always been implicit allow with an explicit deny. Unfortunately, that's a reality, because it's easier. I'm flipping that on its head, okay? So I've got an action. I also have to have a target: what am I doing this to? And then ultimately, what's the condition? That's the risk stuff. So let me just give you a sample policy. Sysadmin. Well, there are probably a few sysadmins in here, probably a few domain admins, whatever that looks like. Generically, let's go with: sysadmin needs access to a production environment through very specific protocols so they can do their job. And I just named a production environment, whatever that looks like for you, right? That's not hard, that's the easy stuff. Here's the interesting thing, the condition: quite frankly, you're not getting to that system unless there's a ticket open in my ticketing ITSM system, period. I heard earlier, and he's not wrong, have MFA if you're an Exchange admin or whatever that looks like; you should have MFA to get into that system. If it's three o'clock in the morning, I argue, they said no, you should not get into that system at three o'clock in the morning on a weekend unless there's a ticket open. You should not have unfettered access into that environment unless there's a reason to be in that environment. And then let's give you that reason, go do what you have to do, and as soon as that ticket is closed... I think I have a diagram here, I'll just build it out because I'm not going to walk through it. Unless that ticket is open, and then ultimately closed, and there are multiple ways to close it: you don't have access; when it's open, you get in; when it's closed, access is removed. By the way, it's not on the slide, I apologize, I know this every time I show the slide, I just haven't updated it: remove that access.

Now here's what I want you to take out of this conversation right here. This is one of my favorite slides and one of my favorite things to talk about. Here's why. Every organization, every person sitting in this room, more than likely has Active Directory. Sorry, Microsoft gave us the drugs in the 2000s and we said, yeah, we're gonna do it, yay, right? Active Directory, and now here we are 22 years later. I blame Bill Gates. Bill Gates in 2004 said at the RSA conference in 2004, we need to go passwordless. I'm like, really, Bill? You've got Active Directory and everyone's using it, and you won't let me turn it off until 2008. Then he said smart cards and blah blah. I can have that conversation. But everyone has Active Directory, more than likely, high probability. I bet on that, I'd bet those odds. Let's just say that you probably have some sort of firewall system, and I would guess you have some sort of next-gen firewalls, because you're protecting your environments. So you're probably running next-gen firewalls, whether they're Ciscos or Palo Altos or Fortinets or whatever they happen to be. You're probably doing that, which is fantastic. They will support user-based routing. Integrate those firewalls with your Active Directory environment if you haven't done that yet, and you'll be surprised how many people haven't. Do it. That's the first step. User-based routing is the first step to this. And then we can go to PAM solutions. Because I'm an identity guy, I can talk about privileged access management, putting jump boxes into place, using privileged session management, all kinds of things I can talk about. But more importantly, I want to integrate those things with my ticketing system. And most importantly, I want to integrate them with my identity governance solution that does lifecycle management, that drives whether I should have access. Not just, oh, it's three in the morning and I should do MFA. That's great; you shouldn't be able to do it unless you have this access. And the solutions you have today, I guarantee you, will integrate, and you can do it. That's what makes me most excited, because my job is to help you
understand what you have, how to bring it together, to do this, to drive zero trust principles. Okay, you see where I am? All right, still good.

So I've been talking a lot about this, and this is a passion, right? And I talk about let's lead security with identity, and I talk about identity and zero trust. This is a huge part of the conversation, right? How do I do identity in zero trust? And before I build this out, because I want to build this out a little slower because I think there's impact, but what I'm about to show you, think about what I said, what NIST or CISA said within this: that there is no identity governance engine that can do the things that I'm talking about. I argue that point and say yes, you can. I can do it with the current technologies that exist today. What it takes is a mindset change, or a shift, a paradigm shift of mindset, whatever you want to call it. It's a shift in thinking in how we use identity governance engines. An identity governance engine today, and listen, I'm just as much to blame, I'll take the blame. I'm an identity guy, I've been preaching RBAC, role-based access control and application security for 20 years. I've been doing that. About five years ago, I said, seven years ago, I said, wait a minute, this is not the answer. That is not the answer. If you properly deploy an identity governance engine into your environment, that engine should have its tentacles, and I'm being very specific with that word, tentacles, because it should reach into everything in your infrastructure. And if it's not, you need to go back and think about what you're doing. It should be helping set policy in your firewalls. It should be helping set policy in your data protection solution and your data governance solution. It should be setting policy across your applications. One of my favorite questions is, what about applications, or legacy applications? Listen, I know it's hard. You can externalize access control in applications if you really want to, and there are solutions today that will make it easy for you, and you bring that into the data governance engine. Now first off, I know everyone's probably said, Jerry, you're talking pie-in-the-sky type stuff. No, I'm really not, I promise you I'm not. I do these things every day with customers. This is what I do. And my goal is to get them to where they're thinking about their governance engine as a policy decision point that can drive policy across their environment. Does that mean across their environment, in their infrastructure, in their cloud environments, in their on-prem environments, in the hybrid environments? They can drive all of those things where they've properly deployed the identity governance engine.

Okay, so how do we make that happen? So we've got identities, right? Identities drive all this, and again, identities are everything I've already talked about, I'm not going to repeat that. But more importantly, now we have to bring risk into that conversation. Remember: identity, security, risk, right? I'm right back to the same things I started with. How do I bring in risk? Well, listen, these identity governance engines, a lot of your risk engines, your SIEMs, your SOARs, your data protection solutions, UEBAs, CASBs, all of these things have analytics as part of the conversation, and there's no reason you can't bring those analytics into your environment. That's risk. You want to bring them in, and then you can start initiating workflow. Or sorry, also intel, I forgot the intelligence, sorry. That's threat intelligence, right? What are the vulnerabilities? What are the things we need to know about? Because that impacts my policy and what I need to change potentially. So if I bring in my attributes, that's the standard identity stuff, right? I'm bringing in HR and Active Directory and all these things that define who and what I am, and I bring in risk information, telemetry data, things like... and I hate talking about vendors, but I just have to say this. Microsoft is probably the biggest, or the largest, attacked organization in the world. They're everywhere. Everyone wants to attack Microsoft, and why? Because the attackers know that you have your email system. Most of you, ninety percent of the world, was on Active Directory, and if they're on Active Directory, that means they were probably on Exchange, which means they probably migrated into the cloud. Now I'm playing percentages again. These are percentages. I'm not a gambling man, but I would bet on these percentages. The telemetry data that Microsoft has, you can bring into your environment. They call it Identity Protection. You don't like Microsoft? I get it, you don't have to like Microsoft. There are other partners out there that do things like compromised credentials, so they search the web, the dark web, they get in there and they bring in these credentials. They know what credentials are being compromised, and if it's your organization, they can say, oh wait, it's these domain names, here are the names I'm searching for, yep, here they are, here are the compromised credentials. And if I have those, what do I do with that? Well, I need to do something about that in my identity solution. Now some would say, we'll change the password. Shouldn't have to change a password; shouldn't even be on a password, number one. What does that mean? Well, that means the credentials are no longer valid, right? I put those dots together, okay?

And then finally, if I'm bringing in any kind of threat intelligence and I'm bringing it into the entity that I'm managing, in my policy I called it a subject, I'm bringing it into the subject and all of the environments and all of the conditions that drive how I gain access. And if I do that, what that's going to do is go across my infrastructure. It's going to apply policy across my infrastructure, it's going to apply policy against my data, it's going to apply policy against applications, layer 3 to 7 and up. I usually do eight, nine and ten, and I make that up all the time. But if you do that and you bring your engine to support that, that's where you start to get that policy decision point that NIST 800-207 talks about, that the NIST CC and whatever group says you can't do. Yeah, I think you can, and I do this. I talk to customers about this all the time. This is not Jerry making stuff up. This is stuff I work actively with customers to do. And I think it's important that if you go back to your organization, you talk to your CISOs or you talk to your directors or whomever, you start thinking about, huh, we have an identity governance engine, where is it deployed? And I think if you start looking at it, here's what you're going to see. You're going to say, oh, we're protecting applications, we're doing role-based access control. That's what you're doing. Again, that's my fault, I own that. I'm telling you, you need to change it. Here's the other thing you need to change: birthright privileges. Ooh, I'm an identity guy and I'm saying change birthright privileges, right? That's my fault too, I'll own that. For 15 years I told you, go do birthright because it's easy, it makes the user experience better. Wrong conversation. Identity guys hate me right now, by the way. They hear me and they're like, Jerry, you need to stop talking. I had a VP in my own organization, I was presenting to
a client, he was sitting in the room, I said what I just said and he just gave me the look. And I've known this guy for 16 years. He's like, Jerry, what the heck are you telling these people? I'm telling them what they need to know so they can effectively do zero trust, period. That's what I'm doing. Now does that mean birthrights go away? No. You've got to get a laptop, you're going to get an Active Directory environment or an Azure AD environment, Office 365. Those are table stakes. You should have those things. Everything else, you need to earn it. You have to earn trust, you have to request it.

I have a friend of mine who travels between Atlanta and Denver all the time, and when he first took on this job, he's like, Jerry, this is such a pain, because every time I get on my computer at home I have to log in, I have to do MFA, I have to do step-up authentication. I get on the plane from Atlanta to Denver, I do the same thing. I get into Denver, I'm doing the same thing, and then I come back. But after about two weeks of traveling, guess what? He's like, Jerry, this is cool, I'm not entering anything anymore. It knows where I am, it's driving risk analytics to tell me whether I should be doing more stuff. And I just saw him three weeks ago. He was in Kansas City. He's like, yeah, I'd do it again, Jerry, I had to go to Kansas City. Yep, that's what should happen. That should be the experience. And if we're educating our users to understand that that is the experience, guess what? They start to expect that. But they also expect it to be okay when they're not doing something abnormal. So there is a ramp-up time. There is the bell curve: you kind of go up, yeah, it's a little bit painful, but after about a week and a half, two weeks, it goes back down, unless you start doing something abnormal. So if ransomware gets hold of your identity and starts elevating privileges with some of these identities, guess what's going to happen? Conversation over, stopped. It's not going anywhere. There's no elevation of identities. If they're trying to send data out to some outside source, right, they're searching the data, they're in the environment, they've got the environment, they're searching there: oh, I found some data, send it out. That's not going to happen, because they're not going to get out. Okay.

I think that's my last slide. No, one more, sorry, and then I'm done, I promise. I'm almost done. The last piece of this is, you know, I talk about identity, I talk about leading security with identity, and I just want to re-highlight some of the things I talk about with identity that emphasize zero trust, or emphasize leading security with identity. Listen, if you don't want to ever say the words zero trust, because some CISOs are like, get out of my office, if you don't want to talk about it from that perspective, say, I'm going to lead security with identity. Huh, what does that mean? That means I'm going to build a policy engine in my identity governance solution. I'm going to figure that out, we'll make that happen. That's first on my roadmap. Secondly, I'm going to do identity governance. I'm going to drive an identity governance program where I understand where users are, what they do, what they should have access to. I am recertifying that they actually have access and require the access that they actually have. Quick story. I was in an organization, the organization was divesting from the organization that had owned them for 20 years, so they were completely separating, and I went in to do some lifecycle management stuff, and the guy I was working with... I told him, I need access to the parent company's Active Directory environment. He said, well, I haven't worked as a domain administrator in 15 years, but let me give you my credentials, because they still work. I said no. Number one, I said no. Let's call them and talk to them. But that's the point. Without an identity governance solution, you're not going to have that, not effectively. The third thing I talk about here is SSO, MFA, modern authentication. My favorite question is, what about legacy apps? I could talk about that for hours too. I've been on that pedestal since 2002, right? We talk about getting rid of the mainframe. Oh no, we're never... let's talk about that. I've been talking about that since 2002 and what that means. And then the last one, yes: start a passwordless initiative. Don't worry about the password change solution, self-service password management. Again, that's my fault. Self-service password management, we've been talking about that forever. It's the same problem. Start a passwordless initiative. And listen, I'm not telling you to do that across the entire organization. What I'm going to tell you is, do that in a small proof-of-concept way. Let your system admins test it, just to show it, and then bring in the business, bring in one or two users from the business, because now if you've got the business engaged, you can do whatever you want.

Okay, that was my last slide. I appreciate the time. I'm really going to enjoy my weekend here, because I brought my wife up and
we're going to enjoy the weekend. So I appreciate that. I'll take any questions you have at this point. Yes, sir.

So the question is, what are my key points on measuring endpoint posture? I'm going to tell you, I'm not an endpoint guy. I don't have agents, I don't work with agents. I have a team around me when I talk about zero trust. When certain things come up, I say, hey, come with me, or I talk to our vendors, our partners, and say, hey, come with me, because I'm not that expert. I can talk about everything and anything identity, I won't have a problem there. But when you start talking about the metrics and the key metrics, and more importantly some of the algorithms, that's not... Jerry's not answering that question, but I will bring a person to answer that question for you. So I don't have a better... I wish I had a better way to answer that.

Yes, there are. The integration of the technologies today is incredible, and if you're not taking advantage of that, then you're just buying stop-gap solutions, and then you get a bunch of shelfware. Anywhere else? Yes, sir.

So what do I mean by passwordless is the question, right? So first, let's just be very clear. When I say passwordless, what I mean is you are removing the password from the attack surface, period. That's the end of the conversation. So depending on your identity provider, let's use Active Directory, because everyone loves Active Directory, right? In Active Directory, the only way to remove the password from the attack surface is to check the box that says smart card. Microsoft did it in 2008. I used to go around the Microsoft sites all the time in 2008. Everyone was on a smart card. Everyone had a smart card, a little smart card with the certificates and everything they needed. Back then it was a little harder to manage, but today there are solutions that will do that for you and make your device your smart card, your private certificate authority. So now the certificate is your authentication mechanism. That's number one. Now if I add to that, you get things like FIDO2 and WebAuthn and all the things that FIDO2 is driven to say, this is what passwordless looks like. Sometimes that removes the password from the authentication process, sometimes it doesn't. It really is going to depend on the identity provider you use and how they do authentication. Does that help? Excellent. Yes, sir.

Magic link, yeah, which...

Which I guess, do you have to be careful when you're talking about passwordless, to make sure that it's, as you described, some sort of hardware thing, I suppose?

Yeah, so you bring up a good point, and the question is, do you have to be careful around passwordless, and what does it really mean, and what is the impact, and what is the administration and the registration and all those use cases. The answer is yes, to give you the short answer. The answer is yes, you have to be careful with that. But let me give you the little bit longer answer. If you can create a passwordless experience for the user community, what you do in the back end becomes whatever you want to do, right? Because if you fix the user experience, then whether they are actually using a password or think they're using a password, who cares? Because if you change the experience so that they are now passwordless and they're not entering a password, they're doing MFA, step-up authentication, whatever it is, then on the back end you can do whatever you have to do, and that could be moving towards a truly passwordless experience and migrating and navigating those waters. I think I'm a little over. Am I? I am a little over. All right, any other questions before I call it a day? I appreciate your time. Thank you for having me. [Applause]
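The policy model the speaker sketches (a subject, an action, a target, and a condition such as an open ITSM ticket, evaluated as implicit deny with explicit allow) is concrete enough to write down. The block below is an added example, not code from the talk or from any product mentioned in it: a small policy decision point in Python where nothing is permitted unless a rule explicitly matches and its condition holds. Every name in it (the `sysadmins` group, the `prod-db-01` target, the `INC-1001` ticket, the 3 a.m. timestamp) is constructed sample data, and the rule deliberately applies only to subjects of kind `user`, so a service account never gets an interactive admin login.

```python
"""Minimal policy decision point: implicit deny, explicit allow.
Constructed example; all identities, targets and tickets are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    name: str
    kind: str            # "user", "service", "device", ...
    groups: frozenset


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    assignee: str
    target: str
    opened_at: datetime
    closed_at: Optional[datetime] = None

    def is_open_at(self, when: datetime) -> bool:
        """Open from opened_at until (but excluding) closed_at."""
        return self.opened_at <= when and (self.closed_at is None or when < self.closed_at)


@dataclass(frozen=True)
class Request:
    subject: Subject
    action: str          # what the subject wants to do, e.g. "admin-login"
    target: str          # what it wants to do it to
    protocol: str        # e.g. "ssh"
    at: datetime
    mfa_passed: bool
    ticket_id: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    kinds: frozenset     # subject kinds the rule applies to
    group: str
    actions: frozenset
    targets: frozenset
    protocols: frozenset
    condition: Callable[[Request, Dict[str, Ticket]], bool]


def sysadmin_condition(req: Request, tickets: Dict[str, Ticket]) -> bool:
    """Condition: MFA done and an open ticket assigned to this subject for this target."""
    if not req.mfa_passed or req.ticket_id is None:
        return False
    t = tickets.get(req.ticket_id)
    return (t is not None and t.assignee == req.subject.name
            and t.target == req.target and t.is_open_at(req.at))


def decide(req: Request, rules: List[Rule], tickets: Dict[str, Ticket]) -> Tuple[bool, str]:
    """Return (allowed, reason). Default is deny; only a matching rule can allow."""
    for rule in rules:
        matches = (req.subject.kind in rule.kinds and rule.group in req.subject.groups
                   and req.action in rule.actions and req.target in rule.targets
                   and req.protocol in rule.protocols)
        if matches:
            if rule.condition(req, tickets):
                return True, f"allowed by rule {rule.name} (ticket {req.ticket_id})"
            return False, f"rule {rule.name} matched but its condition failed"
    return False, "implicit deny: no rule grants this access"


# --- constructed sample data (hypothetical names) ---
RULES = [Rule("sysadmin-prod", frozenset({"user"}), "sysadmins",
              frozenset({"admin-login"}), frozenset({"prod-db-01", "prod-app-01"}),
              frozenset({"ssh", "rdp"}), sysadmin_condition)]
T0 = datetime(2022, 10, 15, 3, 0, tzinfo=timezone.utc)      # 3 a.m. on a Saturday
TICKETS = {"INC-1001": Ticket("INC-1001", "alice", "prod-db-01",
                              opened_at=T0.replace(hour=2), closed_at=T0.replace(hour=4))}
ALICE = Subject("alice", "user", frozenset({"sysadmins"}))
SVC = Subject("svc-backup", "service", frozenset({"sysadmins"}))


def alice_request(at: datetime = T0, mfa: bool = True, target: str = "prod-db-01",
                  ticket: Optional[str] = "INC-1001", protocol: str = "ssh") -> Request:
    return Request(ALICE, "admin-login", target, protocol, at, mfa, ticket)


if __name__ == "__main__":
    for label, req in [("open ticket + MFA", alice_request()),
                       ("ticket already closed", alice_request(at=T0.replace(hour=5))),
                       ("service account", Request(SVC, "admin-login", "prod-db-01",
                                                   "ssh", T0, True, "INC-1001"))]:
        print(f"{label:22s} -> {decide(req, RULES, TICKETS)}")
```

The point worth noticing is the order of the checks: a request that matches no rule at all (a service account, an unknown action, an unlisted protocol) is denied before any condition runs, and a request that does match a rule is still denied unless the ticket is open at the moment of the request and assigned to that identity for that target, which is what "when it's closed, access is removed" looks like in code.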
Thank you for that. By the way, that's pretty cool.

That's not mine. I know someone has forgotten their clicker, the last presenter, I think. This was ours, yeah. Someone, yeah, of course. Just make sure we're trying to position it so that you're not touching this as much as possible.

This is ours, you can use it if you like. Is it HDMI only? No, there's... do you have HDMI? Oh yeah, you do, okay. There is USB-C.

Give me a couple of seconds here.

Okay, Mike.

Basically a quick intro while you're doing this? Yeah, of course. All right, so for our next talk we have Alex, correct me if I'm pronouncing your name wrong, Ardris? There you go, Alex Ardris. And we're going to be having some prizes after this, so stick around.

Can you guys hear me? The mic is smart. Perfect.
Let's start, let's go ahead. So, if I remember correctly, this summer I did look at LinkedIn and I saw a post from Robert saying, thank God, right, BSides is coming back on track, in person. So, okay, what the heck, I'm going to present this year. I'm not quite sure for... so for those of you who know me, I've been a security analyst at Bell Canada for many years, and then I moved into the obscure world of sales, with Cisco, eight years ago. So my core business is typically everything from endpoint, email, and network security in general. So two or three years ago I decided to move as well to another world, which is DevOps, or SecDevOps, right, with XDR. So with this come all things related to APIs, of course, right? We tend to integrate everything with APIs. So when I saw the post from Robert, I said, okay, what the heck, I'm going to present this year, and I said, okay, I think I'm going to talk about APIs. First of all, I'm not an expert on API security at all, okay? So I did some research and prepared to be able to build that slide deck. So hopefully for the next 30 minutes or so we will have a nice discussion on API security, and of course I came up with a great title.

Pretty sure you guys are... or at least, if someone had asked me a couple of years ago, or even last year, what is the threat vector, right, the threat vector most used by cyber criminals and so on, so far I would say email, right? But I'm not quite sure if this is still going to be email in the next couple of years, right? It may be APIs in reality. So let's try to figure this out. So just a little bit about myself, for those of you who don't know me. As I said, I work for Cisco as a security analyst, or, sorry, sales engineer, focusing on security. And I've been presenting at BSides for many years, thanks to the BSides team, on multiple different subjects, from DNS sinkholing, crypto, SSL decryption or not, a couple of those ones as well, fun topics of course, right? So I like to do skiing over winter, big fan of road bikes as well, and I have a very nice family. Okay, you're lucky. That's part of the story as well: you're lucky, because every year BSides is exactly the same week as my wife's birthday. So it's always like, am I going, am I not? So the end of the story, I'm gonna fly tomorrow morning, with the flight at 5am, back to Montreal. That's the end of the story. Anyway.

So typically I consider my talks sexy, right, or fun, right, funny with some videos and all that, references to some external stuff that is nice to look at, and stuff like that. But unfortunately API is not sexy at all. It's almost boring at some point, right? So let's try to see what we can come up with for the next couple of minutes here. So a couple of warnings here, of course. I'm here on my own, right? I'm not representing Cisco at all. And please, typically I will say, please ask questions, so it's not going to be boring, but this year I'm gonna say, you know what, don't ask too many questions, I'm not a security expert on APIs. Instead, add comments, right? Raise your hand, say, Alexander, you're totally wrong, right? That's not what's gonna happen in the next couple of years, or here is the reality of APIs, and so on and so forth, right? So I can learn from you guys, and you're also going to be able to share that content, or that knowledge, with the other folks in the room as well. Makes sense? So first of all, I do have a ton of pigs here, and those of you who are familiar with the Snort pigs... I didn't know until I walked in here what I was going to do with them, but I always had a dream to be able to throw those ones right in a room. So if... Caddy, one for you, okay, one for you, oh. So if you guys have any comments that are nice, right, I will do it as well. Ken, one for you over there. Or if you want any of those ones after the talk, I'm sure you're too far... oh, I'm sure that we will have a bunch of those ones available at the booths as well. Okay, so let's set the table. Okay, make sure that everyone is on the
same page um so first of all when we talk about API those statistics essentially are based on on a couple of research that I did they are all available of course and I have the reference at the bottom of the page as well um so and I was very very impressed by that number on the top okay it's in 2021 so I guess that number has probably increased a lot as well in 2022 but I know I don't know about you guys but at home I have three children there are almost all teenager and and when I look at my firewall the statistic it's more roughly 99.9 of tick tock uh YouTube and Netflix and so on so for and
not Epi but in reality if you look at traffic apparently the vast majority of the traffic over the web it's API okay so what we do with that okay um and other statistics that are pretty interesting to look at as well this is from redware they say that most of the organization are seeing a lot of increase into the usage of API okay so I guess my guess is all your organization are probably using a lot of API to do all kind of thinking stuff with it um so this statistic is pretty interesting as well if you look at that it's from Salt security um based on a report that they are our survey that they did if you look at the
percentage of those API attack come over the the last year comparing to the increase of Epi traffic and overall for the last with the same period it's it's crazy right um so that's why that's one of the reason why I think API probably going to be a very big problem for us in the next couple of years um if you look at the other statistic as well we're almost 100 99 98 99 95 sorry percent of the respondents said that they have been suffering from a potential trip leveraging API as a vector right essentially so there's a bunch of number over here as well if you look at that text but essentially the most important thing in
my mind is the documentation right having apis that are well known by your organization or API that at least are known by the organization right it's mean that most of the organization do have API that are leveraging probably on a daily basic that they do not know right so what about if that API is vulnerable for example has a as a security Patcher need to be applied or so on so forth so who here thinks that um microservices and container or whatever SAS application or even low low level API are secure by default you're totally reason I'm I'm sure that they're not right um typically and and if you look at most of the product out there and I consider
my product at Cisco or any other product as well with from any other competitor they are made to be simple right so bird default we do not apply too much security right so typically we will say um go ahead and apply this in that to make it more secure same thing apply here with the API that's my guess if you look at the other statistic as well it said that open source code a code are more secure I I will tend to say yes right um it's it's all depend perspective some people will say no some people will say yes of course um but if you look at open source code um typically there's a bunch a bunch of
people that are looking at that code that's first card and make it better so let's take a setback and and let's look at the base of what API is I'm pretty sure there are some of you you may uh but don't really know what API is okay um so if you look at that description over here which is coming here um it's a little bit old and I say that there it's not only true anymore okay it said that API is typically a way to communicate between uh two Services um to application to server ri