The Assumed Breach Model

Presentation on theme: "The Assumed Breach Model"— Presentation transcript:

2 The Assumed Breach Model
A Practical Approach

3 Manager – Security Architecture
Heavily focused on Cloud/AWS. Experience includes moving from End User Support to Sys Admin, to Consulting, to Information Security, and then to Security Architecture.

4 Agenda
- Current Landscape
- Strategy
- Next Steps

5 Current Security Landscape: Checking Boxes
We play whack-a-mole with security controls and tools.

6 Shiny New Toys…Tools
This is a firewall without a strategy.

7 Primarily Reactive
We just collect logs to collect logs.

8 What is assumed breach?
Simply put: a security strategy that assumes any given endpoint is already breached to some extent, and manages risk accordingly.

9 Strategy
- Access Control
- Choke Points
- Trust Zones
- Detection Capabilities

10 Principles
- Empower the Business
- Keep It Simple

11 Access Control
- What is being protected?
- How do we protect it if we assume it is already breached?

12 Access Control: What is being protected?
- Internal: Payroll; Policies and Procedures
- Restricted: PII, PCI, PHI; SOX, GLBA
- Public: Marketing; Public Website

13 Access Control: Tiered Access
- Lateral Movement
- Administrative Access
- WannaCry

14 Choke Points
- Trusted sources
- Areas of known activity
- Minimize the surface area exposed to non-standard things (i.e., defend the front gate, not the whole length of the walls)
- Not a new concept

15 Choke Points

16 More than network segmentation
- We can have segmentation and still have a flat network
- Must empower the business
- Too many hoops to jump through: at best users will be mad; worst case, they will find a way around the controls
Trust Zones

17 Trust Zones
- Medical Devices/ATMs/ICS
- User Networks
- VDI
- EMR/Mainframe/ICS Servers

18 Detection Strategy
- Identify the needles before building the haystack
- Minimize attack surfaces
- Focus on ‘all hands on deck’ alerts
- Review alerts vs. reports

19 Detection Strategy
- Don’t try to think like an attacker
- Stop trying to prevent the latest and greatest 0-day – just assume it is already there

20 Next Steps: Access Control
- Minimize the perimeter
- Control changes
- Tiered accounts for administration

21 Next Steps: Choke Points
- Bring the battle to you
- Know what normal looks like
- Tiered accounts
- Reduce the noise

22 Next Steps: Trust Zones
- Segment your network
- Know what is supposed to talk to what
- This should be transparent to users
- Keep it simple, but not flat

23 Next Steps: Detection Capabilities
- Use guides (see references)
- Know what normal is, and be able to detect what isn’t
- Reduce the noise
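Slides 22 and 23 both come down to the same working artifact: a written-down statement of which zones are supposed to talk to which, and a check that reports what falls outside it without drowning the reviewer in duplicates. The following is an added example, not code from the presentation or its author. The zone names follow slide 17, but every address range, allowed port, host and log line is constructed for illustration, and the flow format (timestamp, source IP, destination IP, destination port) is an assumption.

```python
"""Added example (not from the presentation): a trust-zone flow audit.

Each host is mapped to a zone; an allow-list states which zone pairs are
expected to talk and on which ports. Connection records outside the
allow-list are reported, and identical findings are merged so a chatty host
produces one alert with a count rather than hundreds of near-duplicates.
All addresses, ports and log lines below are constructed for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone layout, named after the zones on the slide.
ZONES = {
    "user_networks":   ip_network("10.10.0.0/16"),
    "vdi":             ip_network("10.20.0.0/16"),
    "medical_devices": ip_network("10.30.0.0/16"),
    "emr_servers":     ip_network("10.40.0.0/16"),
}

# Expected cross-zone flows: (source zone, destination zone) -> allowed ports.
# Users reach EMR only through VDI; medical devices talk only to EMR servers.
ALLOWED_FLOWS = {
    ("user_networks", "vdi"):           {443},
    ("vdi", "emr_servers"):             {443, 1433},
    ("medical_devices", "emr_servers"): {2575},
}

# Constructed sample records: "<timestamp> <src ip> <dst ip> <dst port>".
SAMPLE_LOG = """\
2024-01-01T08:00:01 10.10.5.23 10.20.0.10 443
2024-01-01T08:00:02 10.10.5.23 10.40.0.5 1433
2024-01-01T08:00:03 10.10.5.23 10.40.0.5 1433
2024-01-01T08:00:04 10.30.1.9 10.40.0.7 2575
2024-01-01T08:00:05 10.30.1.9 10.10.5.23 445
2024-01-01T08:00:06 10.20.0.10 10.40.0.5 1433
2024-01-01T08:00:07 10.40.0.5 10.40.0.6 5432
2024-01-01T08:00:08 192.168.99.1 10.40.0.5 443
"""


@dataclass(frozen=True)
class Finding:
    src_zone: str
    dst_zone: str
    dport: int
    count: int


def zone_of(ip: str) -> str:
    """Return the zone containing ip, or 'unknown' if no zone claims it."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_expected(src_zone: str, dst_zone: str, dport: int) -> bool:
    """Same-zone traffic is treated as normal; cross-zone traffic must be allow-listed."""
    if src_zone == dst_zone and src_zone != "unknown":
        return True
    return dport in ALLOWED_FLOWS.get((src_zone, dst_zone), set())


def audit(log_text: str) -> list[Finding]:
    """Parse records, keep only unexpected flows, merge duplicates, noisiest first."""
    unexpected: Counter[tuple[str, str, int]] = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than abort the audit
        _ts, src, dst, dport = parts
        key = (zone_of(src), zone_of(dst), int(dport))
        if not is_expected(*key):
            unexpected[key] += 1
    findings = [Finding(s, d, p, n) for (s, d, p), n in unexpected.items()]
    return sorted(findings, key=lambda f: (-f.count, f.src_zone, f.dst_zone, f.dport))


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.count:3d}x {f.src_zone} -> {f.dst_zone} :{f.dport}")
```

On the sample data the audit yields three findings rather than four records: the two user-to-EMR database connections collapse into one finding with a count of 2, the medical-device-to-user-network SMB attempt and the connection from an address outside every zone each appear once. The allow-list is the "what is supposed to talk to what" of slide 22 written down; the merge step is the "reduce the noise" of slide 23, and the "unknown" zone is deliberately never treated as normal.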

24 References
- Don’t Think Like an Attacker
- Mitre ATT&CK – Known IOCs
- Threat Hunter Playbook
Strategy:
- James Tubberville
- Andrew Alaniz – 10 Immutable Laws of Assumed Breach
- Joe Vest – Using IOCs to Control Threats
- Microsoft – 10 Immutable Laws of Security
Detection:
- Jessica Payne – Tracking Lateral Movement
- Andrew Alaniz – Assumed Breach Model
- Resources for capturing Windows Events
