Practical Security Automation
Jason Chan, Data Theorem Advisory Board, 12/5/2014

Upload: jason-chan

Posted on 13-Jul-2015


TRANSCRIPT


Visibility: Knowing the Environment

  1. Discover
  2. Inventory
  3. Test
  4. Report

Knowing the Environment - Takeaways

  - Tailor discovery to rate of change
  - Think about normalization of discovery data

Visibility: Risk Prioritization

Risk Prioritization - Takeaways

  - What is measurable? (objectively)
  - Use as an input, not law

Visibility: Multi-Layer Security Testing

  - Deconstructing security testing
  - Integrated testing for CI/CD

Multi-Layer Security Testing - Takeaways

  - What conversations can you avoid?
  - Is there a pyramid you can leverage?

Visibility: Configuration Monitoring

  - Security Monkey

Configuration Monitoring - Takeaways

  - Config changes have a continuum of safety
  - Find ways to observe and differentiate

Visibility: Intelligence Discovery and Disposition

Goals

  - Find Netflix-relevant security intelligence
  - Do something (ideally, via automation)

Intelligence Discovery and Disposition - Takeaways

  - Develop and prioritize an intel taxonomy

Visibility: Signal Refinement and Response

Key Questions

  - What alerts require response?
  - How quickly?
  - What actions do you take?

Goal: Reduce time to detect/triage/contain/eradicate

Step 1: Alert is generated and sent to FIDO
  (Cyphort, Carbon Black/Bit9, Sophos, PAN, Aruba, etc.)

Step 2: Gather data
  (on issue, target, machine, etc.)

Step 3: Score the issue
  (user, machine, threat, trust)

Step 4: Take action
  (ignore, remediate, etc.)
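The four-step flow above, as an added Python illustration that is not FIDO's own code: the alert fields, the enrichment tables (host inventory, user directory, threat intel, per-detector trust), the dimension weights and the action thresholds are all constructed for this example.

```python
# Illustrative alert-triage pipeline following the four steps above.
# Not FIDO's code: the alert fields, lookup tables, weights and
# thresholds are constructed for this example.
from dataclasses import dataclass

@dataclass
class Alert:
    source: str     # Step 1: which detection tool raised the alert
    host: str
    user: str
    indicator: str  # e.g. a domain the host was seen contacting

# Step 2 data sources (constructed stand-ins for inventory, directory,
# a threat-intel feed and a per-detector trust table).
HOST_INVENTORY = {"lt-eng-042": {"role": "laptop", "patched": True},
                  "db-prod-07": {"role": "prod-db", "patched": False}}
USER_DIRECTORY = {"alice": {"privileged": False},
                  "dba-root": {"privileged": True}}
THREAT_INTEL = {"evil.example": 0.9, "cdn.example": 0.1}
DETECTOR_TRUST = {"endpoint-agent": 0.8, "network-sandbox": 0.6}

def gather(alert: Alert) -> dict:
    """Step 2: enrich the alert; unknown entities get conservative defaults."""
    return {
        "host": HOST_INVENTORY.get(alert.host, {"role": "unknown", "patched": False}),
        "user": USER_DIRECTORY.get(alert.user, {"privileged": False}),
        "threat": THREAT_INTEL.get(alert.indicator, 0.5),
        "trust": DETECTOR_TRUST.get(alert.source, 0.3),
    }

def score(ctx: dict) -> float:
    """Step 3: score user, machine, threat and trust; combine into 0..1."""
    user = 1.0 if ctx["user"]["privileged"] else 0.3
    machine = 0.9 if ctx["host"]["role"].startswith("prod") else 0.4
    if not ctx["host"]["patched"]:
        machine = min(1.0, machine + 0.1)
    # Detector trust scales the whole score: a low-confidence source
    # should not drive remediation on its own.
    return round(ctx["trust"] * (0.4 * ctx["threat"] + 0.35 * machine + 0.25 * user), 3)

def decide(s: float) -> str:
    """Step 4: map the score to an action (thresholds are constructed)."""
    return "remediate" if s >= 0.6 else "escalate" if s >= 0.3 else "ignore"

def triage(alert: Alert) -> tuple:
    s = score(gather(alert))
    return s, decide(s)
```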

Signal Refinement and Response - Takeaways

  - Start small
  - API as build/buy criteria

Thank you! chan@netflix.com : @chanjbs