The Role of Cyber Security

Identify
• Visibility, Data Mapping
• Environmental Discovery
• Network Topology, both Physical & Logical – Map Interdependencies
• Information Technology Asset Management – Inventory: HW, SW, Cloud VM, Containers, Mobile, Applications, IoT, ICS
• Identity Access Management
• Discover Shadow IT, SDLC flow, 3rd-party risk utilizing Purchase & Procurement and Discovery tools
• Intelligence Sources: Commercial, OSINT, Underground, Internal, Govt
• Risk Management Framework: Steps 1 & 2 – Categorize, Select, System Security Plans, Audit/Risk Assessment
• Penetration testing, Red Team, Blue Team, Table-Top Exercises (TTX)

Process
Mission – Governance, Risk, Compliance (GRC)
• Strategy – Information Security Management Plan; identify and escalate risk at an early stage
• Ensure data remains safe and trustworthy – consult and advise to accept, transfer, or mitigate risk. Implement policies and procedures that aid security
• Compliance, ITS operations risk management, remediation and resiliency, internal audits
• Assess Risk – Register, Portfolio, Management, Appetite
• Confidentiality – prevent unauthorized access / data classification / loss / who sees it
• Integrity – cannot be modified – hash, encryption
• Availability – readily available

Threat Intelligence (usually outsourced)
• Gather, Classify, Parse and find Relationships. Apply it to your security posture
• Turn Information into Actionable Intelligence

Threat Detect (mostly managed by a 3rd party)
• Capture, index, search – threat hunt – maintain evidence ID, find anomalies (find the threats that matter)
• Alert – triage – notify – report

Guided by Frameworks, Policies and Laws
• Global Norms: NIST CSF, CIS, ISO 27001/27002
• GDPR, SOX, HIPAA, FIPS, FISMA, FedRAMP
• Australia Top 35, COBIT, SOX, ITIL
• Complying with applicable laws and regulations, Executive Orders, Domestic and International laws, International Cyber Norms

How GRC is applied
• Access Control & Approvals – review privileged access; provision/deprovision to AD/ED; log-on/off; social media, public emails, file shares
• Monitor – Data protection controls, PW management, audit logs/DLP; search, print, download; user behavior – download/approve SW
• Communicate a complicated domain in a common language that regular people understand (leadership, board, public)
• Enforce – Admin/tech/physical controls, policy, patching, vulnerability management, Architecture, DevSecOps
• Training/Awareness – attestation statements, phishing exercises
• Investigate – Incident response and forensics / Outside threats and Insider risk

Incident Response (mainly contracted on-demand or via retainer)
• Collect evidence, investigate, malware analysis, forensic imaging, Report, Return victim to safe state
• Listcrime.com

Protect
• Intelligence applied to Infrastructure
• Applied to NGFW, IDS, IPS, DLP, CASB, Proxy, Content Filtering, EDR, EPP
• Defense in Depth: Human Firewall – Training & Education Awareness
• Data Security, Application hardening, whitelisting, obfuscation, encryption
• Identity Access Management
• Technical, Administrative, Physical security controls: VRF, VLAN, GPO, Policy rules, configuration and settings
• Vulnerability management: Exploit/Patch/Train
• Data Classification / Data Management
• Risk Management Framework: Steps 3, 4 & 5 – Implement, Assess & Authorize

Detect
• Tools to monitor traffic visualization: common collection point for NAC, SOC, SIEM, SOAR, MSSP, MDR
• Threat Detection/Hunt – Alert, Event, Incident, NetFlow, sFlow, Logic, Traffic Capture, packet analysis, IOC, APT, TTP, Insider Risk
• Logging – event evidence, reach back for information
• Monitor Access Control, Privilege provisioning, Authentication & Authorization, Password Management, Zero Trust, MFA, Least Privilege
• Data in Use – processed/volatile
• Data in Motion – transmitted
• Data at Rest – stored/logs
• Risk Management Framework: Step 6 – Monitor

People
Respond & Recover
• Response Plan Six Steps: Preparedness, Identify, Contain, Eradication, Recovery, Communicate
• Build Resiliency, TTX
• Malware analysis, Digital Forensics
• Technical processes – application focused
• Business processes – people focused
• Devolution planning
• Absorb/bounce back: Return Time Objective / Maximum Time Objective / Mean Time To Contain
• Domain, Server, Takedown: UDRP, UDR, Deny-listing, Blacklist, Nullroute block

Technology – How it is used
• NIST Cyber Security Framework
• Encryption, PKI/certificates
• Tokens / smart cards / Password / Passphrase / Data classification / email classification
• Zero Trust / Network Segmentation / MFA
• Automation: AI, AA, ML, scripting
• Network Access Controls
• SIEM / SOAR / SOC / MSSP / MDR / EDR / EPP
• 5G / Cloud – SaaS / PaaS / IaaS / IaC, Containers
• Carrier Grade NAT
• Ambient Computing
• Net Neutrality
• Digital & Crypto currency

Technology – How it is abused
• How attackers get into your network: Browser / Link / Attachment / Insider / Scanning, Exploitation & Reconnaissance / Social Engineering
• Types of Attacks: Ransomware, Synthetic ID, Deepfake, Malware, Misinformation, Malinformation, Disinformation, DDoS, Identity theft, Phishing, Pharming, Smishing, Vishing, Romance Fraud, Crypto Mining, Extortion, Espionage, trademark, copyright, cyber squatting/piracy
• Tools: Bulletproof hosting, TOR, I2P, Freenet, Bitcoin, Net Neutrality
• Abused bandwidth, Domains, IP space
• Simply put, the attacker approach: "you can make money – if you send me money", or "you will suffer – unless you send me money" (Ransomware/extortion)

TECHNOLOGY must be backed up by PROCESS and executed by PEOPLE