Practical Security Automation
Jason Chan
Data Theorem Advisory Board
12/5/2014
Visibility: Knowing the Environment
Discover
Inventory
Test
Report
Knowing the Environment - Takeaways
Tailor discovery to rate of change
Think about normalization of discovery data
Visibility: Risk Prioritization
Risk Prioritization - Takeaways
What is measurable? (objectively)
Use as an input, not law
Visibility: Multi-Layer Security Testing
Deconstructing security testing
Integrated testing for CI/CD
Multi-Layer Security Testing - Takeaways
What conversations can you avoid?
Is there a pyramid you can leverage?
Visibility: Configuration Monitoring
Configuration Monitoring - Takeaways
Config changes have a continuum of safety
Find ways to observe and differentiate
Visibility: Intelligence Discovery and Disposition
Goals
Find Netflix-relevant security intelligence
Do something (ideally, via automation)
Intelligence Discovery and Disposition - Takeaways
Develop and prioritize an intel taxonomy
Visibility: Signal Refinement and Response
Key Questions
What alerts require response?
How quickly?
What actions do you take?
Goal
Reduce time to:
detect/triage/contain/eradicate
Step 1: Alert is generated and sent to FIDO
(Cyphort, Carbon Black/Bit9, Sophos, PAN, Aruba, etc.)
Step 2: Gather data
(on issue, target, machine, etc.)
Step 3: Score the issue
(user, machine, threat, trust)
Step 4: Take action
(ignore, remediate, etc.)
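The four steps above, worked end to end as an added Python example. This is not FIDO's code and not material from the talk: the alerts, the inventory, directory and threat-intel lookups, the per-source trust values, the scoring weights and the action thresholds are all constructed for the illustration. What the slides leave implicit, and the example makes concrete, is the edge case of an alert on a host the inventory has never seen: the scoring treats it as the worst case and the action step never lets it fall through to "ignore".

```python
"""Alert triage pipeline modelled on the slide's four steps:
alert -> gather data -> score (user, machine, threat, trust) -> act.
Added example, not FIDO's code; all data and weights are constructed."""
from dataclasses import dataclass
from typing import Optional

# Step 1: alerts as a detection source would hand them over (constructed).
RAW_ALERTS = [
    {"source": "endpoint_av", "host": "lt-0451", "user": "jdoe",
     "indicator": "sha256:deadbeef", "severity": "high"},
    {"source": "ids", "host": "build-07", "user": "svc-ci",
     "indicator": "203.0.113.9", "severity": "medium"},
    {"source": "ids", "host": "unknown-host", "user": "",
     "indicator": "198.51.100.2", "severity": "low"},
]

# Constructed lookups standing in for the systems queried in step 2.
INVENTORY = {  # host -> asset inventory record
    "lt-0451": {"owner": "jdoe", "managed": True, "role": "laptop"},
    "build-07": {"owner": "svc-ci", "managed": True, "role": "build-server"},
}
DIRECTORY = {  # user -> identity store record
    "jdoe": {"admin": False, "department": "engineering"},
    "svc-ci": {"admin": True, "department": "infrastructure"},
}
THREAT_INTEL = {  # indicator -> intel verdict; absent means unknown
    "sha256:deadbeef": {"known_bad": True, "family": "infostealer"},
    "203.0.113.9": {"known_bad": True, "family": "c2"},
}
# Trust in each detector: fraction of its past alerts confirmed true positive
# (assumed values; in practice this would be measured from closed tickets).
SOURCE_TRUST = {"endpoint_av": 0.9, "ids": 0.5}

SEVERITY_BONUS = {"high": 15, "medium": 10, "low": 5}   # assumed weights
FAMILY_BASE = {"c2": 40, "infostealer": 35}             # assumed weights


@dataclass
class Enriched:
    alert: dict
    machine: Optional[dict]
    user: Optional[dict]
    threat: Optional[dict]
    source_trust: float


def gather_data(alert: dict) -> Enriched:
    """Step 2: pull context on the target machine, the user and the indicator."""
    return Enriched(
        alert=alert,
        machine=INVENTORY.get(alert["host"]),
        user=DIRECTORY.get(alert["user"]),
        threat=THREAT_INTEL.get(alert["indicator"]),
        # A detector we have no history for gets low trust, not none.
        source_trust=SOURCE_TRUST.get(alert["source"], 0.3),
    )


def score(e: Enriched) -> dict:
    """Step 3: score user, machine and threat, then weight by trust in the source."""
    user = 20 if e.user is None else (30 if e.user["admin"] else 10)
    if e.machine is None:
        machine = 40  # not in inventory: treat as unmanaged, the worst case
    else:
        machine = 30 if e.machine["role"].endswith("server") else 20
    if e.threat and e.threat["known_bad"]:
        threat = FAMILY_BASE.get(e.threat["family"], 30)
    else:
        threat = 10   # indicator unknown to intel: low but not zero
    threat += SEVERITY_BONUS.get(e.alert["severity"], 0)
    total = min(100, round((user + machine + threat) * e.source_trust))
    return {"user": user, "machine": machine, "threat": threat,
            "trust": e.source_trust, "total": total}


def decide(e: Enriched, s: dict) -> str:
    """Step 4: map the score to an action (thresholds are assumptions)."""
    if s["total"] >= 70:
        return "remediate"  # e.g. isolate the host, kill the user's sessions
    if s["total"] >= 40 or e.machine is None:
        return "notify"     # ticket for an analyst; never drop an unknown asset
    return "ignore"


def triage(alert: dict) -> dict:
    """Run one alert through all four steps and return the decision record."""
    e = gather_data(alert)
    s = score(e)
    return {"host": alert["host"], "score": s, "action": decide(e, s)}


if __name__ == "__main__":
    for a in RAW_ALERTS:
        r = triage(a)
        print(f"{r['host']:<13} total={r['score']['total']:>3}  action={r['action']}")
```

The trust dimension is applied as a multiplier on the other three rather than as a fourth additive term, so a noisy detector (here the IDS at 0.5) has to produce a much stronger combination of user, machine and threat evidence before the pipeline will remediate on its own; that is the "start small" posture from the takeaways, with automation widening as measured trust in each source grows.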
Signal Refinement and Response - Takeaways
Start small
API as build/buy criteria
Thank you!
chan@netflix.com  @chanjbs