Developing your 2022 Security Plan EcoCast

Captions
Hello and welcome to the EcoCast by ActualTech Media. It's the end of 2021 and we're all planning for 2022. Security has been the hottest topic in the industry, with malicious attacks and ransomware infections happening left and right, so there's no better time than now to develop your 2022 security plan. On today's EcoCast you'll hear from our expert speakers from KnowBe4, Gigamon, SecurityScorecard, Rubrik, CrowdStrike, Netenrich, Salt, Illumio, Ping Identity, Palo Alto Networks, Duo, SimSpace, AttackIQ and CyberArk. What an incredible lineup of some of the most innovative security-focused companies in the technology industry today. Thank you so much for joining us on this EcoCast event. This is going to be a lot of fun, you're going to learn a lot, and I hope that you get all your questions answered. We want this to be educational and we want to help you to better protect your IT organization and your company's data.

Now before we get started there are just a few things that you should know about the event. My name is David Davis from ActualTech Media and I'll be serving as the moderator with my fellow moderator Scott Becker, also of ActualTech Media. We're going to have some awesome prizes; we've upped the number of prizes on this EcoCast event from our normal EcoCast because of the length of this event, and I'll be talking about those prizes here in just a moment. But I also want to encourage you to check out the questions pane there in your audience console. Many of you have already said hello and good morning, and we love that participation from the ActualTech Media audience, but we also want your technical questions. As the event goes along we'll be doing live Q&A sessions with each of today's expert presenters, and we need your technical questions. Like I said, we want to help to solve your security challenges, and it's going to be hard to do that if you don't ask questions. We even have a best question prize for each session to help encourage those questions. We also want this to
be a social event: you can tweet directly from your audience console, and the Twitter hashtag for today's EcoCast will be automatically appended. And then finally, I encourage you to check out the resources that are available for download there in your audience console. In the handouts tab you'll find special trial links, ebooks, solution briefs, case studies, white papers and more.

Now the prizes on the EcoCast today are ten $500 Amazon gift cards. Thankfully I can do some simple math, and that's $5,000 in gift card prizes on the EcoCast today. Of course you must be live in attendance to qualify. I will be announcing the winners periodically during the event. As if that wasn't enough, we also have our best question prizes for some 13 additional $50 Amazon gift cards; prize winners will be selected and contacted via email after the event. Of course all prize winners must meet the ActualTech Media prize terms and conditions, and you always have an option to make a donation to our selected charities. All prize winners must submit an IRS form W-9 to ActualTech Media. The prize terms and conditions can be found in your handouts tab, and these are the selected charities that we've partnered with. Over the years we've donated thousands of dollars to these charities thanks to generous prize winners such as yourselves, so if you win a prize and you'd like to help someone less fortunate, we would love to help you do that.

The hashtag for today over on Twitter is ATM EcoCast and, like I said, if you tweet from your console that hashtag will be automatically appended. You can follow ActualTech Media there on Twitter and meet your moderator, David M. Davis, as well. Subscribe to all the ActualTech Media social channels: YouTube, Facebook and our 10 on Tech podcast in the iTunes podcast store. And then we post all of our latest and greatest content over on LinkedIn. I also want to encourage you to check out the Gorilla Guide Book Club; the link to that is there in your handouts tab. It's there that you can download
free, easy-to-read enterprise IT books. Yes, I said free; they're completely free. It's a great way to stay up to date on trending enterprise technology, and these are written by top industry experts. They even work on your Kindle or mobile device. Again, gorilla.guide is the website; it's there in your handouts tab. Another great way to win some Amazon cash is to refer an IT friend or co-worker to upcoming ActualTech Media online events, and you both could win a $300 Amazon gift card. No, you don't have to split it; you both win a $300 Amazon gift card. We hold those drawings monthly, and we promise not to spam your IT friends or co-workers: we send them one invitation with a list of upcoming events and then we'll do one more follow-up. If they don't respond, then no worries.

All right, so with that housekeeping out of the way, it's now time for our keynote presentation, and we've got an awesome keynote interview lined up for you today to get us ready for today's topic of 2022 security planning. We have brought in a chief information security officer, or CISO; he's also a consultant and a Microsoft MVP. Welcome Mr. John O'Neill Sr. He's going to be chatting with Scott Becker here of ActualTech Media, and that topic is your top five 2022 security tips in just five minutes. John and Scott, take it away.

Year end is always a great time to both reflect and look forward, so let's do that with security. Let's start out with your top recommendation. What's the number one thing that you see organizations not doing right now that could greatly improve their security posture?

So my number one tip for anyone out there is to change their approach to cybersecurity from reactive to proactive. What I mean by that is, if you're not doing advanced threat protection, where you're actually doing some threat hunting in advance and all those kinds of things, you need to start doing that now rather than just waiting for an attack and then dealing with it.

Okay, let's look at an emerging problem. To the extent that you can predict, what's your crystal ball view? The thing that's maybe a nascent problem or a nascent solution right now that you think is going to be a big deal in terms of securing the enterprise?

So this one, I'm going to go a bit outside of probably where most people would think I would go, and I'm going to go to identity management. People, groups, entities, IT pros, executives: they don't seem to give much thought to really what identity management means to their organization. And the fact of the matter is, most of the attacks that we're seeing these days involve some sort of compromised credential, right? And so if you're not giving the care and feeding, the love, to your identity management processes, policies, technology, you just increase the odds that you'll be the one that gets compromised from something like that. And so to give that in a pure, concise tip: get your identity management down to one root system as much as possible. So quit using the built-in local authentication identity management from your application. Don't use SQL native authentication; integrate it with Active Directory, right? Don't use your ERP system's local password database; integrate it with Active Directory, or whatever your identity management system is. But get it down to where you're only managing one system, and have that system be built from the ground up to focus on identity management.

Great advice. So, lightning round. We promised five tips; we've got three to go, so lay them on us, John. What are the three more things organizations should be doing right now?

Okay, so let's see if I can do this in the five minutes now. I'm going to go along with that identity management. One tip that we give a lot nowadays to help protect against current ransomware events, and those that we see evolving, is create a secure fabric, or a second identity domain, using the same technology but where you have extremely limited access, so
I'm talking about only one or two admins having access to this, and this is where your host infrastructure lives. So this is where your VMware ESXi hosts or your Hyper-V hosts live, in this space; if you use Azure Stack, this is where your clusters exist, and that kind of thing. Because if your production, your daily-use systems, are compromised, you still have access to that underlying architecture, so you can rebuild a lot faster.

And then, going forward from that, on your backups: okay, just because you're in the cloud doesn't mean you're protected from ransomware, right? It's just another storage location. So make sure that you're using it and storing backups that are isolated and can't be compromised during an event, because we know from looking at the data, from analyzing the data, that most ransomware lives in an organization for 45-plus days, and it hunts for your backups because it doesn't want you to be able to restore those, right? And so you need to make sure that you get that good air-gapped backup. One technique I have for that is, every 30 or 45 days, we'll turn on a network port that gives connectivity to a location for just long enough to run a backup, and then an automated job inside the switch, or whatever, disables that port again. So effectively that storage location is air-gapped. That's just one idea.

And then as far as the third and final goes: get trained up. Keep that continuing education going, that knowledge development going. So one example: Microsoft just today released new criteria and questions for the Microsoft Security Operations Analyst certification, or their test. I love that certification because it's got a lot of very current content in it, and I mean it can't get much more current than today; although it wasn't developed today, it just dropped today. But whatever you choose, get that knowledge in hand. Keep that exercise of reading and gaining knowledge in place. Look at the NIST documents that cover least privilege
and zero trust and those kinds of things. And so there you have it; there are my five tips for cybersecurity. Did I hit our five-minute mark?

You did, and that was great stuff. I appreciate it, John; it's always good to see you.

Same to you, Scott. Thank you.

All right, John, Scott, excellent presentation. I love the five tips in five minutes from a chief information security officer; great way to kick off today's security EcoCast event. I've just brought up our first poll. The question here on the screen is: what are your top security priorities for 2022? So John and Scott talked about a lot of different actionable steps to take, and I'm curious which of these are your priorities. I will share the results of this with you here, and you can see how you stack up with your peers on the EcoCast today. If you haven't answered one of these polls before, you just do it right there in the slides window. This is a multi-select question, so feel free to select more than one answer to this. If you don't see a poll question, try refresh on your web browser, and that always resolves it in my experience. And I love this comment here from Bradford; he said John might have mentioned watching ActualTech Media EcoCasts for more information. Thank you, Bradford, great point.

All right, thank you to everyone who responded there to that poll. Let me share the results of this with you, and it looks like 55% on my screen here said improving ransomware defenses; that's the number one top security priority for 2022, followed by 42% who said getting better visibility into threats. And really, I mean, there were almost none of these that had a low response rate; pretty much all the rest of them are in the 30s or the upper 20s percentage response rate. So lots of security priorities for 2022, but leading with improving ransomware defenses and getting better visibility into threats. Thank you to everyone who
responded there to that poll. Second poll, and last poll before I introduce you to our first presenter, is now on the screen, and that's your time frame: what's your time frame for taking some kind of action? You identified your security priorities for 2022; if you see a solution on the event today that you think might help you out with that, what's your time frame for taking some sort of action to either implement one of these solutions or to update or replace existing security solutions that you have in your IT organization? All right, thank you to everyone who responded there to that poll. We do appreciate your feedback. We'll have other polls throughout the EcoCast today, and of course we always appreciate your feedback on our poll questions.

So with that, it's time now to kick off today's EcoCast event on developing your 2022 security plan with our first expert presenter. It's always great to have him on; he's so educational, so energetic. Welcome Mr. Roger Grimes, data-driven defense evangelist at KnowBe4. Take it away.

Thanks, David, and thanks, everybody, for showing up today for My Pesky Password Problem: Policies That Help You Gain the Upper Hand on the Bad Guys. If you haven't met me before: Roger Grimes, I've been doing computer security 34 years, earned all of these gray hairs, written 13 books. Here's one of my books, Ransomware Protection Playbook. And if there's nothing else besides that, I write a lot and I speak a lot; I speak fast, and I'm especially going to speak fast today because I'm going to try to teach you as much as I can about password attacks and defenses in the next 25 minutes. I work for KnowBe4; we're the world's largest integrated security awareness training and simulated phishing platform vendor, which means we try to help you not to get phished and help you to help your co-workers not to get phished. But today we're talking about password attacks and defenses and what your password policy should be, at least in the next 25
minutes. I'd like to start off by saying the biggest problem with passwords, the reason why they get hacked most of the time, is that the average person has to log on to 170-plus websites in a year but only has three to 19 passwords, which means there's a lot of password sharing going on. If one of those websites gets compromised by a hacker, or if your password gets compromised by a hacker, they can break into multiple websites all at once. It means one compromise is able to be leveraged to compromise more websites and services more easily. So above all, you should not use the same password on any two different websites and services. That's recommendation number one.

But how do password attacks occur, overall? Well, passwords can be stolen; they can be guessed at; the attackers can also sometimes steal your password hashes and try to crack them, guessing at your passwords from the password hashes (we'll talk more about that); or they can just do an unauthorized password reset, where they claim that they are you and they lost their password; or they'll try to bypass your password. So here are the four main ways: password theft; password guessing; password hash theft and cracking, which is really kind of the same as guessing, but guessing at password hashes; and unauthorized password resetting or bypassing. These are the four major ways that your password can be compromised.

There are lots of ways that they can steal it. The number one way that your password gets compromised is a hacker steals it, and they can steal it a whole bunch of different ways. I'll cover the main ways here. The most common way by far is social engineering: you get this email that claims, oh, you need to log in, someone tried to log into your account, click here to fix the problem, or whatever it might be, or click here to pick up your email, or something like that. And when you click in there, if you don't realize that you've been sent to a fake domain for
whatever they're claiming to be, that really isn't Instagram, that really isn't KnowBe4's webmail or something like that, you can be tricked. Or, like, here's an email somebody got: one of our KnowBe4 customers got an email claiming to be from us, saying it was a training reminder, you know, hey, you've got to take your training. But when you hover over the link they told them to click, when this person clicked on that, it didn't go to knowbe4.com; it went to, where did it go to, oh, turbo boulder.ru. Russia; .ru is the country code for Russia. We do not have any offices or customers in Russia, so this is not really from KnowBe4. So the most common way that people's passwords are compromised is they get tricked into providing their real credentials into an email or a website or something where they think it's really going somewhere else. Very common.

Also, a lot of times malware, when it gets on a computer, if you accidentally get tricked into running malware, it will steal passwords out of your browser and look around your computer screen and steal them as you type them in. Probably the most common password-stealing malware program today is TrickBot. It's been used for like a decade to steal passwords, and very commonly. The TrickBot owner kind of retired, said he made his billion bucks and was retiring, and he gave away the source code, and that source code is now used by many other malware programs. But again, it will run around your computer; if you ever save your passwords in your browser (hey, save my password so you can log in automatically next time you visit that website), it gets that thing. Every time you type in a password, it gets it; it will look around your computer and look on your disk and look in memory and take passwords there.

Even sometimes hackers just being on your network can listen in. They'll try to do what's called a man-in-the-middle attack, and
then they can actually pick up your passwords, or trick you or trick your computer into authenticating to them and pick up your password that way. The Empire PowerShell toolkit was a really popular way for a lot of years; it recently got deprecated because there are better tools out there, but it still had 285 attack modules, and a lot of them would allow you to attack and steal passwords. Mimikatz has been around for over a decade; that's a Windows-only tool, but if you ran that on someone's machine or on the network you could try to steal passwords or password hashes and do other things like that. And Metasploit is a free and commercial tool. These are all actually used by good guys to do password testing and penetration testing and stuff like that, but they're also used by the bad guys. And the bad guys don't need to use these tools; the reason these tools exist is to help the good guys test what the bad guys would do, but sometimes the bad guys do use these tools to do bad things. But there are literally hundreds of tools out there on the internet that allow them to steal passwords off of computers that they're on, or across the network. They can do what's called eavesdropping across the network; they can do a man-in-the-middle attack, and then if your session gets caught in that man-in-the-middle attack they can capture your login negotiations and steal your password hash or steal your password. There are a lot of tools out there for this; here's one called Responder. And again, all an attacker has to do is trick somebody into going to one of these fake links, and they can trick their computer system into trying to log in; the end user doesn't even know what's going on, it's just all done in the background. But that hacking website can then trick the computer into sending, or trying to log in, and it can capture either the password or what's called the password challenge-response information. That's what it's showing you here in this
particular Responder one: it is capturing the challenge-response information, and then an attacker can get what's called the password hash and from that crack it back to the plaintext password.

Of course, sometimes physically you can just see people's passwords around. Like here's a real picture of somebody's username and password on a laptop that was in a public boardroom of a government, a state government, office. I walked into this government building, but I was going to a public area where anybody in the public could sit, and on a computer logged into their network was this username and password. And I remember one of the sysadmins was there, and I was like, please tell me that this is not connected to your network, and the guy said, if that makes you feel good, great. You know, but he's telling me no; this was a real login name and password that would get you on the network.

Because of all the ways to steal your password, there are literally tens of billions of passwords out there. My password is out there like 10, 20 times. Most people's passwords are out there at some point if they've been compromised. Let me say, it's not anything that I did wrong; it was websites that I belong to, like Facebook and Twitter and Instagram, that got hacked, and then my password was stolen there. So there are literally tens of billions of login names and passwords in these what's called password dump collections, and just one of these collections has three billion login names and passwords, and there are dozens of these huge password lists all around the internet. And there are hacking tools, like Recon-ng in this case, where literally a hacker can say, okay, the domain I want to break into today is knowbe4.com, boom, go out, and it will bring back every login name and password that it can find in any of these password dump lists and tell you what the login name and password is. There are many tools that do this, so the hackers don't even have to go to the list; they just fire up a tool that links
to those lists, and they can pull off their query. And you may say to yourself, Roger, how can I find out if my login name and password is out there on the internet? There are lots of resources out there. KnowBe4 has a really great Password Exposure Test tool that you can download for free, and it will check all the login names and passwords on your network. Or you can use Troy Hunt's Have I Been Pwned, or some of the password manager programs have that sort of check in there. The most famous website probably is Troy Hunt's; he used to work for Microsoft, he could still work for Microsoft. He has a site called haveibeenpwned.com. Anybody can go to it; you put in your email address as if it was your login name, and it will tell you. In this first case you see I'm putting in rogerg@knowbe4.com, and they're saying good news, no one has stolen your password, no pwnage found. But I put in my 35-year personal password, and you can see it's like, oh no, your email address and password has been stolen by 10 websites. And again it will tell you which websites it was, and things like amazon.com, well, it wasn't Amazon; it was Facebook, Twitter, Instagram, TechSmith, all these, adobe.com. They are legitimate websites that got compromised, and that leaked my password. And this is why you should always make sure you change your password at least once a year, because many times your password gets out there and it wasn't that you got phished, it wasn't that you got infected by some malware program; it's some website you belong to. And this is why you should have a different login name and password for every website and service, because the longer you're on the internet, the more likely this is to happen. Again, download KnowBe4's Password Exposure Test tool and you can check this for everybody that's on your network, which is kind of nice. It'll look for weak passwords and passwords that are out there on these password dump lists and stuff. That's a really great free tool that
we encourage anybody to download and use.

Sometimes attackers just guess at your passwords. They can just guess randomly, a, abc, or whatever, but most of the time they're using a dictionary, a password dictionary that contains words, these base words that are in your language, whatever it happens to be, and then they'll start adding complexity to it, and numbers and symbols and that sort of stuff. So most password guessing attacks do these what's called dictionary attacks, and they know that if you have a complex password it's likely to be an uppercase first character followed by a lowercase vowel, and if there's a number it's probably going to be one or two and be at the end, and that sort of stuff. So they try to guess intelligently. Sometimes they'll do it manually, just by finding some login prompt that doesn't require multi-factor authentication and just trying to guess against it, using your login name and then trying different password attacks, although most of the time they use these automated password guessing attack tools. I've got four of them on the screen here, but basically the hacker points that at a particular website that you log into, then they have a password dictionary and they have a bunch of login names to try, and they just go off and try that, and it will try millions and millions of tries, especially if the password login that they're guessing against doesn't have account lockout. You would like to say, if you guessed too many bad times, like if whatever's guessing at the password tries more than three times or six times, that it locks out the account or something; that's what you hope, that there's account lockout. But a lot of times there isn't account lockout, and they can just guess millions and billions of times until they eventually guess what your password is. Even if account lockout's enabled, they'll learn what your account lockout policy is and guess slow
enough that it doesn't violate, or kick off, your account lockout policy.

The last form of password stealing is they'll get your password hash and crack it. Now the hardest part is they have to somehow get your password hash. Normally that takes somebody compromising your device and getting complete control of your device, getting what's called admin or root, or if they're on an Active Directory domain controller they're getting domain admin or enterprise admin. But if they're on your computer system or on your network and they have full control, admin, administrator or root, they can then download and copy your password hashes to their computer, and what's called a password hash cracking rig, with a bunch of graphical processing units in it, and crack billions of times a second until they figure out what password hash equals what password. So again, they've got to somehow get your password hashes; that's a big deal. And then they will take those hashes, put them in their password hash cracking rig, and they'll guess at it, called cracking, until they match the password hash that they've stolen from you as it matches some plaintext password.

If you don't know about this: whenever you type in your password in most modern-day operating systems, let's say your password is frog, when you type in your plaintext password it gets changed into what's called a password hash, a cryptographic hash. There are different cryptographic hashes for different operating systems. Like Windows systems now use what's called the NT hash, that's the third one there; Windows used the LM hash for a long, long time. Linux and Macs and BSD and Unix, they used to use what's called the MD5 hash, but the MD5 and LAN Manager (LM) hashes are now considered weak and vulnerable. Today most of them use what's called SHA-2 hashes. The strongest password hash out there is bcrypt by Bruce Schneier. But anyways, most Windows systems are using NT hashes, most Linux
systems are using SHA-2, and if an attacker can get those they can then start cracking. Like, they can download this hash, and then they have a password dictionary that guesses against it and says, oh, this hash equals this; that's called password hash cracking. Again, the hardest part is they've got to steal the password hash somehow, off your computer or off your network. Normally they've got to be admin or root or something like that, although I can also send you an email, and if I can convince you into clicking on that link, that link will sometimes trick your computer or your email client into trying to log into my malicious website, and from that I can get your password hash. Once I've got your password hash, again, I can import the password hash into a password hash cracking tool. This one's called Ophcrack; it's a pretty GUI Windows one. Most people don't use this one because it's GUI and slower than the number one password hash cracking software today, which is called Hashcat. It's many times very, very fast. But the concept is the same: you download the stolen hashes, you have a password dictionary database, and then you tell the password hash cracking software to guess against it as fast as it can, to see if it can convert some of those stolen password hashes into passwords.

Different password hashes are more or less susceptible to password hash cracking. Again, LAN Manager, MD5, RC4, RC5, they're all considered super weak; you should never use them, they can be immediately cracked if someone gets them. NT hashes, which are used in Windows systems today, are moderately hard to crack; they can still guess billions of times a second, but it's not as easy as the previous hashes. And PBKDF2, that's also used in Windows, is considered really, really hard as well, but it's not used for logon passwords as we know them. Most Linux, Unix and Mac systems use SHA-1, SHA-2; that's considered fairly hard to crack. And then bcrypt, if you have the Bruce Schneier bcrypt one, that's only in
some of the more secure operating systems like OpenBSD, but that's considered the hardest one to crack. And again, what I mean by hard is it just takes more effort, more computational power. If I've got a bcrypt hash or a SHA-2 hash and I've got the same amount of computing power, it's going to be harder to crack a hash from there than it is an NT hash, is essentially what it means.

But how fast can they guess? Well, these days you can actually buy computers built called password hash cracking rigs that are full of these graphical processing units; you can either do crypto mining or password cracking, but you can buy these really complex rigs that are built for cracking password hashes, and they can literally guess hundreds of billions of times a second against your password. How fast? Look at this: the fastest guessing for a single GPU rig was 121 billion NT password tries per second. So imagine this: they get your NT hash and then they can guess at 121 billion different passwords a second. I don't know about you, but even my password is likely going to fall to that. The most number of password guesses per second, the world record for any number of GPUs, was 350 billion tries a second. That's just amazing. But, you know, most people's passwords are going to fail. Any eight-character NT password hash, so if you have an eight-character Windows password, it can be cracked in under two hours on a normal password hash cracking rig, or in 12 minutes using $25 of cloud processing power. So if you have an eight-character Windows password and the attacker gets your hash, it's not going to last long. A 10-character SHA-256 hash, so a 10-character password on Linux or BSD or Mac, got cracked in five days. Most people's passwords don't expire, or they expire once a year or once every 90 days or something; well, they're cracking 10-character passwords on Linux systems in five days if they get your hash. Matter of fact, in order for your password to be
considered unhackable if they get your password hash it has to be 16 characters or bigger that's the big thing to remember here if you want to have a password that if they steal your password hash they've got to somehow get your password hash but if you get your password hash your password needs to be 16 characters or longer in order not to be guessed by a that we know from a known password hash cracking rig although maybe the nsa or china already has something and can break even 16 character passwords but so far we do not know of anybody that has ever publicly broken a 16 character password from having that hash but you know sometimes it's you know instead of trying to crack it you can just ask people for it if you want to see something funny go to i can't show you the link today but go to this jimmy kimmel password video it's on youtube and this is jimmy kimmel's producers just stopping random people in the street and asking them what's your real password and you would think nobody's going to answer this but that video is 10 minutes of people telling them the real passwords like it one of the funniest things i cry i watch this at least once every six months and i cry from laughing so hard i have many many times asked people for their passwords and had them tell me their passwords even i go up in companies and go hi my name is roger grimes i've been hired by know before to do password hash cracking or password testing what's your password uh and i've done this when i work for foundstone or from microsoft literally just walked up to people's hi my name is roger grimes i'm working for microsoft i'm doing password penetration testing what's your password how often do they give me their password every single time i've ever asked in my entire career and let me say i'm not unique it's not that i'm able to charm people it's just that people it's amazing just asking people how many times they'll just give you your password so knowing all of these attacks that i just gave 
you what is my password policy recommendation well first recognized by that out of all the different types of password attacks that i just told you about most of them out of the out of the uh six seven eight different types of password attacks i told you about the vast majority don't care whether your password is weak or strong if someone social engineers you out of your password steals your password key logs your password bypasses your password they don't care what your password is you could have a 20 character password but if they social engineer you and to type it into a fake website they're going to get it so the vast majority of password attack types do not care whether your password is long or short that's important there's only two types of attacks that care whether or not your password is strong or not and that's password guessing or password hash cracking and that's why you have to have longer more complex passwords but the vast majority attacks do not care whether your password is long or short or strong or complex only two types password guessing where someone's trying to guess your password either manually or automated or password hash cracking and remember if they get your password hash they many times don't even have to crack it they can just use it on windows networks you can replace somebody's hash as if it was a password and log on in and do things so this is my advice knowing all the attacks that i just gave you this is my advice for your password policy first of all if you can use multi-factor authentication if you have multi-factor authentication enabled you cannot have your password stolen so use multi-factor authentication where you can unfortunately mfa multi-factor authentication doesn't work with most websites and services and so you're going to have to use passwords and when you use a password make sure that they are long complex and different for every website and service don't reuse or reshare passwords nothing easily guessable change it 
at least annually if you can use a password manager password manager is a program that allows you to create long complex and very random passwords that are different for every website and service humans have a hard time creating and using long complex random passwords computers do not so if you can use a password manager i recommend that every single person on this planet use a password manager because it again it allows you to create and use long complex passwords random looking as possible at every different website or service and once you get used to using them it's a pain for a couple days and you hate it after a couple days you don't even notice you have one but you got to do some weird keystrokes but you don't have to type in the password right at the very least you can do edit copy edit paste the password most of the time you click in the password manager and it automatically logs you into the website there's nothing easier than that if you cannot use a password manager and you must create your own passwords make sure they're at least eight characters long that's the bare minimum anything below that is just too easily guessable and really you want to have a password that's 12 or more characters to fight password guest attacks we have seen people that have guessed against 11 character passwords successfully if you if you if they get to a website where they can guess millions of times like you know there's a kind of a famous password hack i think there's another lens and the password was welcome 2020 with a capital w so welcome it was actually in the dutch word welcome with the k 2020. 
uh that's an 11 i think an 11 character password and it took them a year but the password attack guessers were allowed to guess up to a half a million times a day and after over a year they finally broke that password so you want to make sure that all your websites that you can control and hopefully the ones that you're logging into have some account lockout policy that says if someone guesses more than three times or six times incorrectly that locks the account out or they have to reset it but you want to have at least a 12 character password to prevent password guessing attacks if you want to prevent password cracking attacks you need 16 characters or longer passwords so let me tell you personally i don't worry about password hash cracks as much because they're they're really not that common these days and really once they attack or get your hash it's kind of game over in most cases you know they're most the time they're already on your computer as administrator or root and they can just key log your password or put a trojan in there or whatever it's kind of game over but there are some people that do worry about password hash cracking attacks and if you want to prevent the most types of password attacks that you can you want a 16 character password how do i think you should do that well you should use mfa if you can first if not then use the password manager and if you can't do that make sure you use at least an 8 character password really a 12 character password is what i use 12 characters or more and then really 16 characters or more if you're worried about password hash cracking with that just know i work it for know before we're big believers in training we believe that everybody should be trained about different types of attacks and get simulated phishing testing as part of that training we know that our customers that do do that that get trained at least monthly and get simulated fishing tests at least monthly will decrease the percentage of fish attacks 
that they're prone to from about thirty percent to below five percent in less than a year since the vast majority attacks involve social engineering and people getting their passwords stolen decreasing people's uh likelihood to be socially engineered means they're less likely to be hacked and less likely to have their passwords stolen with that i've run out of my 25 minutes thanks for putting it up with me here i hope you've learned a few things today and if not if you have some questions email me at roger g at no before dot com and of course you can follow me on linkedin and twitter look forward talking to you next time take care wow awesome presentation from roger it's always mind-blowing um these presentations that roger comes up with i learned so much we've gotten so many comments from everyone out there in the audience so many questions thank you for those we do appreciate those we are routing those over to roger and the no before team but roger has also so graciously provided his email address roger g at no before dot com as he always does if you want to just shoot him an email directly feel free to do that as well the poll question about know before is on the screen right now what what additional information would you like about the no before solution i'm not afraid to say we use know before here at actual tech media i've taken the training every month i always learned something always enjoy it it's it's not painful at all in fact it's pretty fun so check out the no before resource there in the handouts tab as well for additional information in fact this time we have a link over to the no before week password test webinar where you can sign up and find out more about a weak password testing and of course if you'd like to try out know before for yourself you know just put that there i in the poll question just indicate that there is an option for that as well all right thank you to everyone who responded to the poll we do appreciate your feedback and of 
course we appreciate your questions as well. Don't forget about our best question prize we are running for each session on the EcoCast today, but we do need to keep the EcoCast moving, because we've got just a ton of amazing presentations still to come, of course. And with that, let me go ahead now and introduce you to our next presenter. I'm excited to bring in Fayyaz Rajpari, Senior Director of Product Management at Gigamon. Fayyaz, great to have you. Take it away.

Hello, and thank you for having me today. My name is Fayyaz Rajpari, and I will be talking about Gigamon ThreatINSIGHT Guided-SaaS NDR. So before I get into Gigamon's Guided-SaaS ThreatINSIGHT NDR, I thought it would be nice to talk about what we are up against in our threat landscape. Some general themes of things that have occurred over the past year: essentially, attackers are getting really, really good at evading detections across the board. They are also staying in environments for a long time before the good guys or organizations can actually respond. Some stats here around this: if you look across the board at various different reports that are out there, one coming from IBM Security states that average detection and response times are still over 250 days. So organizations really need a strong security posture and ways to be able to actually defend against the adversaries, and actually proactively hunt for what is occurring in their environments, to be able to get to the adversary when they're still in the environment at a time that's quicker.

Some other stats that I want to share concern the speed of the defender. Many of you may be aware of a key metric that is discussed across security environments, which is mean time to detect. But mean time to detect is really meaningless without the response. There's another term called mean time to respond that also becomes very important, because if mean time to detect is extremely high, that typically will mean that mean time to respond is also going to be high. So it's very important to actually have those coincide. And looking at numbers too, over the past couple of years starting from 2019, and it just goes way before there, defender speed has always been typically slow in most organizations; not all of them, but in most organizations security posture and defender speed has been slow to identify and contain an actual breach. And if you look at numbers, those numbers have pretty much stayed the same, if not actually gone higher, when you start talking about response times: going from 279 in 2019 all the way to basically about the same, 287, in 2021. So as attackers are evading endpoint detection efforts, organizations and teams really need to get better tools and understand when the adversaries are in the environment, how far back they can go to actually respond, and actually have the data and visibility they need to be able to respond in a meaningful way and also in a timely way as well.

So when you look at mean time to detect, some stats that I want to share: if you look at the SOC analysts, and understanding how long it takes the SOC analyst to be able to respond to incidents, typically it's within weeks or greater; 79 percent of the time, that is typically the case. When you look at the SOC analysts, there are also times where they cannot remediate in a timely manner, just because they don't have the visibility. So they have to look at other tools; they have to go back and forth to make sure that they have the data at their disposal to be able to make accurate decisions. The other part of this is, when they actually are in the tools, how much time are your SOC analysts actually tuning the content, or looking at those rules and retuning, or making sure that those rules are effective enough to be able to get good, precise detections? Typically what ends up happening is, like half the time they're using this to actually create good detections, and they cannot use what's out of the box. So that becomes another big issue, because now there's kind of a juggling between tuning the environment or tuning the tech to make sure that the detections that they're getting are effective, and then the other half of it is spent on triaging, where usually what should happen is spending more time on the actual triaging so that they don't have to do the work on the actual detections and making sure that the proper detections fire. Lastly, SOC analysts also report that they don't have the data available. Earlier I was saying, with those attacker dwell times, the defender response times are so high because if that data is not available, then it becomes very hard to identify those breaches too. So that is why many times you'll see that a third-party organization is notifying the actual organization that has been victimized, and that's because they found out through another means that they are breached, and then they have to go back and figure out what has happened. But it becomes very difficult to go through this, because again, if the visibility isn't there and the data isn't there, then it becomes hard to understand what has occurred.

So moving into an example: as everyone is aware, the SolarWinds attack on the supply chain industry. If you kind of look back and drill into the actual timeline of the SolarWinds Orion attack, this actually started out in October of 2019, where the earliest indications were identified of modification of the actual software code. And then there were months of other items occurring through the timeline from November to March, where the attacker was actually preparing and doing further reconnaissance and understanding what needs to happen so they can actually fully breach the systems and the organizations that they wanted, to take what they wanted. So SolarWinds was attacked without knowing that was occurring, and then after that we found the disclosure that FireEye had disclosed back in December of 2020. So literally it took from October 2019, the earliest identification of the modification of the software code, to literally over a year later, where FireEye suffered the attack, and then they discovered it. They discovered it fairly soon afterwards, but again, it was a year in the making, or over a year in the making. And then from then moving forward, there was a lot of other things that had happened in addition, from the security perspective: actually creating an attack kill switch, actually identifying the attack victims, the SEC filing, all these other items that occurred afterwards. So if you look at the entire timeline, from October 2019 moving all the way to January 5th, 2021, where we found that Russia was allegedly behind the attacks. So obviously this becomes a huge issue where, if you're looking at data in most security tools, especially when you're looking at network-based solutions, network-based solutions tend to get very expensive when you're looking at data past the 30-day range. So the 30-day retention really isn't enough, where attackers, as we can tell from real-life experiences, are in the environment for over a year.

So let's take a look at the security maturity model. If you look at the left side of items from the security perspective, those are all foundational items that any organization will have: they're going to have the firewalls, antivirus, intrusion detection systems and intrusion prevention systems, even next-generation firewalls. And then as they move into other items, where they have these foundational elements, they need it to correlate back into something which is called a SIEM, and that's when your maturity starts to kind of get better and understanding of security becomes higher. But that's where things start to develop, and that's really when the SOC comes in, the security operations center. So when you start looking at that, you've got these people that are looking at these events and they're doing some correlations and aggregations, but finding that the effectiveness of that SOC with the SIEM is still not enough; you need to do more. And then you move into the other components and capabilities. As the organization matures, they start looking at threat intelligence: how can they prioritize those events to make sure that they're not looking at thousands and thousands of alerts, because there's not enough time in the day to look at every single thing. Some things need to be prioritized versus other things; that's where the whole categorization of threat intelligence comes in. And then also the EDR and NDR detection capabilities come in. So what's the difference between EDR and NDR detection components as well, from the aspect of, okay, well, you already have detection from antivirus, from the firewalls, from the networking solutions? But the main difference that I like to usually say is that soft and juicy center. When you're looking at an environment internally in the network, you have these key things that are occurring in the environment that typically you're not going to get from just an antivirus solution or a firewall, because those, especially antivirus and IPS/IDS, are typically signature-driven. They're looking at a known threat. Even with firewall solutions, they're going to be able to do dropping of packets, they're going to be able to do denies, but it's basically extremely static. And now when you look at EDR and NDR types of solutions, now you're looking at the soft and juicy center of what's occurring in the environment, and actually providing the full visibility on behaviors and tactics and techniques and procedures that the actual adversary is taking, and providing the visibility through these types of solutions.

And then that's when the CERT comes in. The CERT is basically your incident response team, to be able to take action from this and respond when something has happened that's very nefarious and malicious in the environment, to be able to take that data and respond and move to the next steps of response. Once the organization is matured enough to be able to do and carry on those types of tasks, then they can now start to look proactively, and start to actually look at behavior and identification, and start identifying maybe adversary behavior outside of just being knee-jerk in response, and having another entire other, whether it's a team or a person, or utilizing your technology, to be able to carry out the hunting tasks: to be able to look to see if, hey, nothing has fired in my organization, but I'm going to look and maybe create some thesis statements around what if some malicious tasks are carrying out, or if an attacker is using some type of persistence mechanisms, or they're trying to move laterally. Let's just start looking; let's hunt in the environment to see if my thesis proves out and there's something bad here. So it's actually proactively doing some threat hunting, and then utilizing capabilities like you would get from a SOAR to be able to automate some of these tasks.

So where does Gigamon ThreatINSIGHT fit into this? If you look at Gigamon ThreatINSIGHT, we actually provide a guided SaaS solution, and what that really means is essentially what we're doing is adding the human expertise capability along with this NDR solution, that actually allows our clients to reach into Gigamon's expertise and use our capabilities and expertise and the humans in here to be able to help and guide them along their journey as they mature through the security organization. On the bottom here, the Gigamon Visibility Fabric is across the board, and the reason for this is because that visibility fabric can do many things. It can fit all the way from the foundational elements, from essentially doing the most basic things like doing traffic aggregation, or being able to send data or network data to a specific security tool or even ThreatINSIGHT, to being able to do SSL decryption, to being able to do masking, slicing, various functions and functionality that any organization would need. The visibility fabric allows for that. The ThreatINSIGHT solution obviously is very focused on detection and response on the network, and allowing customers to see all types of data, all the way from layer two through layer seven, application layer visibility, and actually enabling the SOC team, the CERT team, and also enabling tooling like the SOAR, to send that to be able to do automation of certain tasks.

So moving into NDR market options: what's out there today, what choices do customers have? If you look at the NDR market options, basically you've got the network detection and response you manage yourself type of solution, whether it's cloud SaaS-based or an on-prem solution, which is very optimized for your environment. The team can fully take control of the solution, because they have full control of it and of what's occurring and what they get to do out of it, but they need to leverage their team skill sets; they need to understand how to do incident response or understand what the data means. With that, there's obviously some downfalls. You've got this deployment work that needs to happen. You might have some cost surprises, because the data that's coming in is extremely expensive, so maybe the teams need to purchase more storage. And also SOC teams many times feel like they're still alone doing this, and they can't reach out to anyone to help other than their own team members, of course. The other side of things is to completely give it to a managed security service provider or an MDR provider, where the deployment cost is extremely low. There's known cost parameters, how much it's going to cost, but again, you know what you're getting. You know that you're going to have a team that you can rely on to be able to get some value from just key alerts, and also considering that MDR providers and MSSPs are looking at many customer environments, they've got this crowdsourced view of threat intelligence that they can then leverage to proactively let you know of what's occurring, if there is an adversary campaign that's occurring, before it hits your environment. But then again, it's still generic, one size fits all; detections are not specific, more generic across the board, and not very specific to the customers.

So what if you could actually take both of them and bring them into a solution, which essentially is Guided-SaaS NDR? What ThreatINSIGHT provides is the capabilities of what you would get with an NDR SaaS-based solution, and also giving you the high-touch expertise that we provide from our Applied Threat Research team, who are either data scientists or have also been in incident response teams, come from a security background, and understand how to do IR. In addition to that, there's also another layer of people and expertise that's provided, called technical success managers. These guys are also experienced as responders, security analysts, that actually enable your team to be able to look at what matters, all the way from deploying the actual solution to providing guided capabilities on industry best practices, and actually advice when you're up against something that you either don't understand, or you just need an additional eye, or you need help in response. Then these are the guys that you reach out to as part of the whole capability.

Some other things that I think are really important are where we're headed. A key thing here is we will be providing 365-day retention, which is pretty huge, considering again, like I was saying earlier, network data becomes extremely expensive. But we don't want this to be a limiting factor for our customers, where they either have to pay a lot to get this data, or they have to use a SIEM or some other tools to get the data that they need. It becomes very important to get all the data they need in the solution, especially if it is considered a solution for network detection and response, or for enabling your SOC, or for enabling incident responders. It becomes very important to have all the visibility that you need. The next item is north-south, east-west. Regardless of where you need the visibility, it's highly recommended, of course, to be able to provide visibility across the board, whether you have data going outbound outside of your network, or there's data traversing within your network from system to system. You want to be able to see it all, from lateral movement to seeing insider threats to any type of espionage that might be occurring. You want to be able to see all the data inside as well as data going outside, or even things that are coming in that are bad. Also, we operate in the cloud. ThreatINSIGHT is a SaaS-based solution. We operate in AWS but also support Microsoft Azure, and also support, regardless of where your branch offices are, deployments that could be cloud-based; we can also offer hardware appliances as well, if that is the need. In addition to that, we also have some pretty cool integrations. One is with Zscaler, which provides this other additional capability around visibility to mobile and work-from-home users. I myself right now am working from home, as most of you probably are as well, and that's a huge shift in movement, as we all know, that most folks are working from home. So how do you have that visibility when it comes to security, especially when you're not in an office and you still need that visibility to be able to detect and respond? It's having those types of capabilities there.

This is a pretty important item: threat detection with precision. What ends up happening with threat detection, and being in this industry for quite some time, is you find that you get detections, but then you find that you end up looking at the detections and you find that they're either not accurate, they're false positives, there's not enough information, and then you need to do further analysis to understand what this is about, and many times they end up getting downgraded or they're just not important enough. So we actually provide and combine three different ways of doing detection to make sure that anything that we provide in our solution as triage alerts and rules goes through various different forms of analysis, whether it could be human analysis, it could be using a machine learning model, or it could be a hybrid analysis, which essentially means it's a combination of both human and machine learning. So I'll go through some quick examples of this. Human analysis is basically an intelligence-driven approach, where you've got this detection that was created for a specific technique, and here's what that looks like. I'm not going to get into a lot of details in the interest of time here. Machine learning, another way of doing detection, is related to malware beaconing activity; again, a completely different model, no human analysis in here, all driven through an ML model. And then lastly, a hybrid approach, where it's a combination of machine learning, but then our eyes are also on it to further provide an accurate detection with preciseness.

Okay, quick roadmap items here. We are doing a lot here, from the front of equipping SOC teams to give them what they need when it comes to guided investigations and playbooks: being able to do investigations together rather than just doing one search at a time (what if you have a team of analysts that need to do more?), being able to do investigations in parallel, and then of course also providing further integrations in the extended reports, some details along where and how we integrate. And lastly, definitely you should check out our blog if you get a chance. I'm really proud to talk about this all the time, but we have an awesome team within Gigamon ThreatINSIGHT, and really have cybersecurity in the DNA of every single team member here. If you haven't seen this before, check out our blog to take a look at some of the work that we've done, and also some articles that we write almost on a weekly basis around security happenings and the latest that's occurring in the security industry. Thank you.

All right, great presentation. Thank you so much, Fayyaz. I've just brought up the poll question for everyone out there on the screen that says, what additional information would you like about Gigamon? Lots of good questions coming in; thank you for those. I'm afraid we don't have time for live Q&A with Fayyaz, but he is accepting questions electronically; he's responding to those as quickly as he can, and so we appreciate your questions. Of course, keep those questions coming, and I encourage you of course to answer the poll question that's on the screen. I will leave that up while I announce our first $500 Amazon gift card, the first of 10 $500 Amazon gift cards on the EcoCast today. This one is going to Adam Key Part from Pennsylvania.
congratulations, Adam Keypart from Pennsylvania. We also of course have our best question prize drawings as well. All right, excellent. Thank you everyone. It is now time to move on to our next presentation on the EcoCast. I'm excited to introduce you to Adam Denier-Hampton, Director of International Sales Engineering at SecurityScorecard. Adam, thanks for being on the EcoCast.

Thank you for having me. No problem. It's really good to see everybody. Good afternoon, good morning, good evening, wherever you are in the world. As you can probably tell from my accent, I'm based in the UK, or I am from the UK. Thank you very much for having me, and I'll get straight into the presentation and we can go from there. So my conversation, let's call it a conversation even though it's one-sided, today is going to be talking about beyond the third-party horizon. Those of you that may know a little bit about SecurityScorecard, and I will do a brief introduction of the solution, and sorry about that, one second, apologies, perfect timing for Apple speakers to go off. So what we're going to do is focus on the third-party horizon today. As I said, what we know about SecurityScorecard is it's a solution that's focusing on the risk and cyber risk of third-party organizations, and also providing intelligence, public exposure intelligence, for organizations around cyber risk on the internet. Now if we move on to the next slide, I'm going to give you a brief introduction about Scorecard in case people on the call don't know the solution, and just give you some insights about what it is that we're doing and how we're transforming the cyber risk space for third-party risk. And also, we're going to go into focusing a little bit more on a specific use case which is very important, or we feel is very important, to SecurityScorecard. So we're a global leader in cyber security ratings. What does that mean? If you've ever heard of a rating before, we know that ratings are essentially a way of understanding and benchmarking something, in the financial industry of course financially, but in our space specifically looking at the cyber risk of organizations. Now our aim is simply this: to help provide a safer space for organizations to work together. So whilst the majority of security vendors and organizations, certainly that I've worked for, and I'm sure many others have worked for, focus on ourselves and improving our own cyber hygiene, we know that a lot of the communications and the community that we work in actually is outward facing. It's working with organizations that we partner with, sharing information, providing access, giving sensitive information in order for our organizations to go to market with our solutions and our products. So we are, as you can see along the bottom here, actually well recognized in the industry: a leader in the Forrester New Wave, Gartner Peer Insights choice as of this year, and various other independent solutions out there that are used to identify the value of SecurityScorecard. So some of the areas that we focus on: yes, we focus on security ratings, and I won't labor the point too much here, which is the ability to monitor and benchmark your third parties, but we also provide lower-level detail around security intelligence. We also have the ability to provide other services on top of our data, which include questionnaire management, threat intelligence on that data, and a range of other services along with the SecurityScorecard risk platform.

Now, how do the ratings work? Essentially, just to give you a little bit of background, because I think it is very important before we then get into the more detailed area of the talk today. Well, what it is that we're doing is we're monitoring today around about 12 million companies. Actually, the slight typo on this presentation slide is it says 1.6; that's actually gone up as of this year to 12 million organizations that we're monitoring. And we have a range of global sensors that we have located around the world, approximately 45, that are looking at and identifying assets, so everything in the IPv4 space, and looking at identifying one of two things: what assets belong to which company, and of those assets that we can identify, which ones have exposures. So, services that shouldn't be exposed to the internet, things like databases and remote desktop and those sorts of things, and those things that are exposed to the internet that should be, however they contain a vulnerability that could potentially be exploited. So this is data that we collect ourselves, and we collect this in vast masses of data into a vast data lake, and then what we do is we start to bring all this together. We attribute the things that we collect, as I say, into an organizational view so that we can then start to benchmark organizations against one another, to provide a tailored way of understanding how an organization represents itself in its peer group and to others. Now of course there's a lot of extra work that goes on inside of that behind the scenes, so some of the patented mechanisms that we use to help generate these risk scores for organizations. Essentially what they're doing is accruing this data and then providing it in an easy to understand, sometimes less technical, perspective, because we know that the technical audiences within organizations are generally quite small. So it's about making cyber risk, or giving the opportunity to provide cyber understanding and awareness for all people, not just those that are more technically inclined. And we do this through this model of benchmarking, as we say, which gives you a risk score in the market and provides a benchmark of how often or how likely we think the organization is to have an incident or breach, based upon breach data and other informational sources that we have, and based upon the current risk score of the organization. So we have seven-plus years of historical data, and that's being factored over and worked against other public indicators that we use, and then we provide that overall score to organizations to give them a healthy insight not only into their own scorecard, their own risk, but also into the risks of those organizations that are directly connected to the companies.

Now again, just to put it into context, let's think about this individually. You as an organization, as an individual company, are monitoring yourself; you're providing your own threat intelligence to your own surface, your attack surface. But of course there's more to it than that. There are many, many different organizations that we work with in order to be able to go to market, as I said earlier. Some of that will be physical security, organizations where you're outsourcing the security of the offices, but then there's also data providers and email source providers, including contractors and lawyers and consultants and various other organizations that we work with, to the magnitude, on average for an enterprise company, of around about 580 or so third parties on average for an organization. So that's on average, but as we know, you can see on the statistic below, 60% of those organizations actually have a thousand or more third parties, looking at the higher end of course, without trying to create an exaggeration there. So for us, being able to benchmark all of these providers that we work with gives us a way of understanding what kind of exposures we would be introducing to our company, into our organization.

Now, getting into the topic at hand, into the detail as we say, what we're looking at is what do we do when we look at the extended horizon. So again, this may be common knowledge to some people on the bridge today, that OK, the current horizon is the extended third parties, and that's very good, and people are taking action today. But the extended horizon starts to become almost a little bit daunting, because essentially what we're doing is, take the example here: we have an HR team that relies on its third parties, and those third parties will of course have services. For example, we use Greenhouse as an example here, and the company Greenhouse of course will then rely on its vendors who provide systems and processes and products and other tools in order for their solution to be provided to the HR team. So it's an ever-connected environment that we live in, and very much so now. If you think about maybe 15 years ago, the number of third parties was significantly lower, but the model which we're seeing now is only extending. We're only seeing more and more products and services that companies are using to streamline, automate, improve, and essentially make their solutions more profitable but also more consumable by their customers. So the extended ecosystem really is the bucket on the right-hand side. Yes, we know our direct vendors, but what happens if something happens to one of Greenhouse's vendors that affects their ability to provide the service, Greenhouse in this case, to our team? And that's the kind of area that we want to focus on today. Historically, this isn't anything new; this is something that I think we're all aware of, but we almost shy away from because of the economies of scale. So we know about certain third parties in our own ecosystem, and there are going to be some third parties that we don't know about. It's almost getting into the realms of that shadow IT element, where people are contracting outside of the official procurement processes. And then of course there are a bunch of fourth parties that we just won't know about, because it's not necessarily at liberty for the third parties that we work with to divulge that information. However, with a lot of these organizations there is a huge amount of public data linking one organization to another organization. Most of this is gathered in the form of web crawling, and really what it requires is a large infrastructure like SecurityScorecard to be able to monitor all of those connections. So we have the data, right? We're collecting billions and billions of security signals; we're collecting thousands and thousands of public records about who owns what and what it looks like. It's now about connecting the dots, and that can only really be achieved when your economies of scale have reached a certain mass, to be able to show how those connections work with one another.

So let's just take an example here, the example being: yes, we've got a connected environment and companies and horizon, and let's say 583 on average, it's a statistic that I took, but of course it could be lower or higher than this. What happens when you go into the fourth party, so the third parties of your third parties? Taking a basic arithmetic outlook of n times n, which is the number of third parties times the number of their third parties, you're looking at a magnitude of approximately, but potentially, 340,000 connections of organizations that we work with. A daunting prospect, certainly for most, who would certainly, understandably, shy away from doing analysis in this space and then looking at what those connections may in fact look like. So SecurityScorecard here, and this is something going into the horizon, OK, this is something that we want to provide in terms of a solution, and we currently have this internally today. Again, this is part of developing your cyber security plan for 2022, so this is something that we will be releasing very shortly within the SecurityScorecard solution. But what essentially it's doing is it's making the data, the huge amount of connections that we see, more consumable by way of benchmarking and averages. So what this diagram is designed to show you here is: here's the risk score of Company A, and I've obfuscated the company because it's just an arbitrary company, it's not anyone in particular. Now we see that they have a risk score of 82, their direct risk score, and then we also see that there are going to be some third-party and fourth-party cases. So of the third parties that this organization works with, this is looking at public connections in and out of that organization, the communications that they have, we see a supply chain risk score, in this case of the third party, and we also see the supply chain risk score of the fourth party. Now the idea really here is not to give you a definitive, let's pull out exact, precise companies, because we're not going to be able to go down to that level of detail; the averages are what we really want to look at. Monitoring and working with 340,000 companies simply isn't going to fly in this case. The idea really here is, if you need to go down to the lower level you can, but it's designed to give a litmus test. It's, what is the pH of my environment? Is it alkaline, is it acidic, and kind of what level are we at? Do we need to take potentially some corrective actions, or are we seeing a directional change? We're seeing our ecosystem, both in the third party and the fourth party, declining, and should we start to then take action?

So one of the only questions really here is, what can we do about it? So visibility is the first: we can see the connections, we can see the event. What is it that we then need to do? Now this is just one example of what we can do to improve the environment, this example being: here's a notification, here's another, there is a breach that happens within one of the third parties. Now I'm using SolarWinds as the example here just because everyone's heard of it. There have been newer ones and more recent ones with Microsoft Exchange and various others out there, but let's just take this one as an arbitrary example. What we want to be able to do is to assess the impact, the extent, of this breach of this vendor. It will affect your third parties and it will also affect your fourth parties. So being able to alert and get a notification: what percentage of the connections do we believe in certain vendors have actually been affected by this breach, what percentage of companies are now being affected by the impact of this that could potentially impact your business? So the direct inclination is to look at your third parties, but actually going one step further, to understand 12%, 8%, 50% of my ecosystem beyond my horizon has actually been affected by this, and it may be that there's a concentration risk within a certain vector because it's heavily affected by the type of breach, i.e. manufacturing or IoT as we've seen in recent weeks and months. And being able to get that visibility is the first step to then taking action. So being visible on this, or having visibility on this, and then being able to alert on this is the first step of what we then need to do. So not only can we provide visibility with SecurityScorecard on your own risk, on your third-party risk, and then by extension going as far as the fourth-party vendors, we can also start to take account of those vendors that we might want to invite. Now more often than not, some of these organizations might not know that they are affected; they might not know that there's an impact to their business; they might not know that there's a particular incident within their environment. Being able to contact those organizations, being able to give them the ability to look at their own security posture for free, giving them the ability to claim their own scorecard, their risk scorecard, is the first step to creating awareness and action, and then of course being able to reduce or mitigate some of the findings that we then see.

So I'll leave you with the last point here, and hopefully we're almost back to where we were in terms of the timing. You can take control of the fourth parties, of course you can. As I said, just to be very, very clear, this is something that we are looking to release at the end of this year, start of next year, in terms of features. But the first step to doing this of course is getting access to your own scorecard, getting an awareness and an understanding of what security ratings are all about, some of the issues and findings and vulnerabilities and exposures that are there, and getting a good grounding and understanding of cyber risk from a ratings perspective and outside-in, before we then move on to looking at how we can manage and maintain the extended ecosystem of cyber risk. So for everything within SecurityScorecard, you can actually claim and gather your own risk score today, free of charge, indefinitely. So for your own scorecard you can gain access, get an instant, secure cyber security risk score, and also be able to see both the forensic detail and all of the other information that is available within SecurityScorecard, and you can do so at any time within the next, whatever you like, basically. So that brings me to the end. A little bio of myself if anybody's interested; if not, completely understand. Thank you very much for taking the time to listen to me present today, and of course if there are any questions, we can take that offline and before the next call.

Absolutely, yeah, we do have a lot of good questions coming in for you, Adam. Great presentation. While we do those questions with the audience, I'm just going to bring up this poll for everyone out there that says, what additional information would you like about the SecurityScorecard solution? And so we'll leave that up; we appreciate everyone's feedback on that poll. Let's see, lots of good questions coming in
here. First question, I guess I'll just bring this one up: they're asking, you know, what sort of staffing is required to use SecurityScorecard for various levels of the enterprise?

Yeah, absolutely, and it is a bit of a tricky question, and I'll try and answer it very quickly, because there are scales. What SecurityScorecard is looking to do is take a generally manual process of identifying risk within the ecosystem, which is sending a questionnaire, identifying the risk in response to that questionnaire, trying to understand and assess whether or not further assessments are needed. This can take a team of five, six, seven people to do when looking at just a tier one, what we call tier one, high-risk vendors. The idea of SecurityScorecard is to automate that, so it's not designed to replace individuals, you know, it's not taking technology to remove an individual. It's designed to say, if you have five or six people, which we would say for a large enterprise is very common, for smaller organizations and medium size you're looking at one person usually as a bridge between procurement and the security team who do a lot of these assessments, it's about giving them the tools to let them do more. If I can do 10 assessments a year with one person today, then I can do 100 assessments with a technology tool that allows me to streamline and automate those processes. And we know if our third-party ecosystem is increasing dramatically, what do we need to do? Well, we need to start to automate as much as possible, because people don't grow on trees and neither does expertise, and there's only a finite amount of people out there in order to be able to implement these systems. So the idea is actually to take one individual or seven individuals, and we have organizations that look at a hundred organizations with one person, and we have teams of five people that look at a thousand-plus vendors out there, and are able to do so because there is a mechanism of benchmarking, engaging the vendors that each organization works with. So I appreciate that's pretty vague, and of course I'd be happy to follow up and give you more details in a one-on-one if that's appropriate.

Excellent, yeah. Let's see, here's another good question, from Rob: does your solution require direct engagement with cloud providers being used by the customer? Does the customer need to provide API credentials, etc.? How does that work?

Yeah, so everything that we collect is public. So everything that we look at is the exposure of the organization. So the scores that we generate, everything that we provide, is essentially what you see from the internet about that organization. So it's a non-intrusive, non-permission-based assessment of an organization. Essentially, think about when you use Google and you search for the company name: Google's going to go and crawl the entire internet and find everything about that company, or the word that you've used. It's a similar concept to SecurityScorecard, but we're focusing in on cyber security. So there's no need for the vendor, or the cloud vendors, or the other vendors that you're working with, to provide API access or any other such information. We'll provide you automatically with the overall risk score, the global risk score of course, of the organizations that you're looking at, and this will be broken down right away into the forensic detail of x percentage of IP addresses exposed in the US. You may have an insight that you want to go even further, that says, OK, well here's the risk of the organization, but I'm using this part of the organization, these 10 IP addresses, or I'm using this part of the organization, I'd like a risk score for those. And you can go a step further, if you know your ranges, putting in your ranges of the service that you're consuming and getting an even more customized score alongside the risk score of the company. So there's no permission that's needed from the third party or the vendors that you work with. All of that is incorporated in the assessments that we do on behalf of yourself, looking into those companies. And then any other additional information that we gather or gain, where you'd like the vendor to engage, they can be invited in for free with indefinite access to their scorecard to then take action on potential exposures that you would like them to address.

Excellent, yeah, thank you for clarifying that. Here's a good question from Bradford, who wants to know, you know, based on the recommendations or findings from SecurityScorecard, do you all offer any sort of remediation or resolution-type services, like professional services, or some way to assist?

Yeah, we do. We do actually offer services, and it kind of comes as two folds, and again I appreciate I can talk for England, as they say, so I'll try and keep it quite short. We do offer professional services in this way. Some of this is actually in-house with our own professional services team. We take the solution as far as we possibly can by offering as much information and forensic detail in the platform, to the point where we're even recommending down to exactly what you would need to do, in terms of references, to actually resolve these. In terms of implementing those changes, of course, that's the next level along. So we both provide our own professional services to help organizations do this, but we also work with a very, very wide partner ecosystem to also provide services on top of our platform to help the remediation. So we work in tandem there, where we know that we're only one organization and we can't scale to save the world as much as we would like to, and our partner ecosystem is extremely important to us, and we do leverage that ecosystem to help provide remediation services to our customers.

Excellent. And then what if you have recommendations around, you know, vendors or invited companies? Do you all provide some sort of detail to help those vendors or invited companies kind of understand what they need to do to improve their score?

Absolutely. So again, we can certainly go on to this in terms of demonstrations later on, if people want to do this on the one-to-one, happy to do so. But one of the things that's really important is that within the platform, the idea really here is that we're not providing ratings at a kind of ransom, if that makes sense, which is why anybody in the world can claim their scorecard for free, anybody can look at their scorecard for free, anybody can take action on their scorecard for free. The idea is that when we engage with the vendor, it's not about blame. We've got to get past that kind of methodology and mindset that we're using a score to, you know, assign blame to a person, or an organization, for not doing what they're doing. More often than not, it's the fact that they may not know about, or have visibility of, the risks that they're seeing. So the idea here is that we're providing access to the scorecard for an organization so that they can use that to help protect themselves, help make themselves a safer organization. And by doing that for free, by saying that this might be something you don't know about, what we're doing is we're going an extra mile. We want to go the extra mile because it's really, really important. It's not just about saying, here's a score, go away, best of luck. It's about saying, here's a risk score for your organization, and here's how it breaks down, and these are the exact findings that make up your score, and these are the things that we believe are contributing to the highest likelihood of breach or incident. So it might be certain services or control services that are open to the internet, and these are the recommendations on how we would recommend going about resolving them and removing those risks as well. We're also going the extra mile for each of those free vendors: we'll allow them to work with the support team, so if they make a request, say, hey, I think I've resolved this, that can go into the support team, who will resolve the issue if it's proven to be fixed, and come back to those individuals and let them know the progress of those as well. So we're trying to go the extra mile here to prove that what we're doing is caring in our community and our ecosystem, to make sure that everybody is aware that security ratings are here to help provide safety for everybody, not just to necessarily make a revenue, although of course we'd be lying if we said we weren't here to obviously make a living for ourselves.

Excellent, yeah, absolutely. All right, well, Adam, I'm afraid we're running out of time here in our live Q&A session, but there's a lot more questions still for you in the electronic queue. Maybe you can get back to some of those folks; I'm sure they'd appreciate it. A great presentation again, thank you so much for being on the EcoCast.

Thank you very much.

And for more information on SecurityScorecard, check out the handouts tab. There's a resource there on your complete guide to building your vendor risk management program, and as Adam said, you can go to SecurityScorecard and get your own free security score for your organization. So make sure that you check that out, give it a try for yourself. I'm very curious to see how this works myself, and I'll be trying it as well. All right, thank you to everyone who responded there to the poll. I'm excited now to bring in Mr. Scott Becker of Actual Tech Media to introduce our next presenter. Scott, take it away.

Thanks a lot, David. Yeah, looking forward to the rest of the session. The sessions so far have been fantastic, and we've got a lot more great content coming up. So let me bring on our next speaker. It's Tracy Attore from Rubrik, and I'm going to turn things over to Tracy.

Hey everyone, how is everybody doing today? So my name is Tracy Attore, and I am an Inside Sales Engineer for the mid-market segment here at Rubrik. Thanks for having me again. So
today we will be discussing how your organization can use rubric to develop and strengthen your 2022 security plan first let's lay down the problem that rubric is trying to solve you know we often see it in news headlines maybe it it has impacted you directly but you know ransomware is a real problem in this day and age no business smaller large is immune to it cyber criminals don't care who they target they only care about getting paid so how does ransomware go down exactly you know a number of ways it could be through an exposed security vulnerability and unpatched systems or the end user takes the bait whether through an infected email attachment being opened up by an unsuspecting employee who missed the last security seminar hasn't had their morning copy yet uh maybe you missed microsoft patch tuesday the last two months you know clicking on a link where they think they want a free xbox um things like that but in any case the way it works once the malware gets downloaded which is usually a worm it then runs a payload which locks the user system it can then scan and traverse the network spread copies of itself into any machine including servers inside the data center and lock down and encrypt all files folders mission critical applications and databases and even your backups that you thought were once immutable which at that point would be really bad you'll have no option but to pay that ransom unfortunately so where does rubric come in so you know i like to say rubric is the medicine for this ransomware problem we are your go-to last line of defense for when your walls are not thick enough to keep this problem out um as you can see to the left a key challenge with ransomware attacks is that they target your backups which you thought were safeguarded if your backups get compromised perhaps because they are using the same open protocols as your production storage systems they may not be your last line of defense anymore another challenge is assessing the blast 
radius of an attack what vms and file sets were attacked how would you know organizations are tempted to pay the bad guys because they just don't know what has been compromised yet another complication is protective sensitive data too often it teams don't know whether a ransomware attack compromised sensitive data like pii or data regulated by hipaa and then lastly even if you conclude that you are able to recover applications how long will it take to restore if the recovery process is slow some may be inclined to pay the bad guys this could be touchy when i t teams can't you know immediately pinpoint the last known clear copies of data from which applications can be uh quickly recovered the more downtime an organization has to incur means more loss revenue time is money so as you can see to the right um we do provide a logically air gap solution that contains an immutable file system built from scratch that cannot be infected by any type of ransomware through any discoverable file sharing protocols like nfs or smb and i'll get more into that in a second because i think it's really important to kind of explain really what um all that means but um you know all data backed up by rubrik is encrypted in flight using tls 1.2 encryption and encrypted at rest using aes 256 bit encryption so criminals can lock down your production servers your endpoints or storage arrays however they will not be able to discover your backup sitting on our append only atlas file system and encrypt your backups we're just that secure so speaking of distributed file system atlas which sits at the core of who we are and why we're genuinely immutable our engineer seven years ago built this distributed file system entirely from scratch to ensure data is immune from any type of ransomware activity and so there wouldn't be any single point of failure or or chokepoint um the file system knows what application we're backing up and it's smart enough to identify where ransomware took place to allow 
you to roll back to the most recent snapshot within a chain all backup is stored in append only state and it's logically air gap so what that means is that while is a connected digital asset by means of logical processes the atlas file system where backups are written sits offline and remains not accessible through any standard network protocols like nfs or smb only the network ports that are required for user interaction with the product and communication between different internal processes are allowed meanwhile all unused ports are otherwise disabled and because data managed by rubric is never available in a read-write state to the client even if you know infected data later did get ingested by rubric it cannot infect other existing files or folders it's just that secure we also complement that file system even further with additional security layers as well to you know really drive home our zero trust story built on the principles of never trust always verify so whether it's to you know to defend against an unauthorized bad actor or a rogue admin you will get the option from rubric to further enhance security by applying extra layers like multi-factor authentication role-based access controls you could designate you know customizable permissions on the principle of least privilege access uh there's also built-in time-based one-time passwords when logging in so you could set that up and retention locked slas that prevents admins from expiring backups prematurely requiring human intervention and rubric support verification to remove that feature in the first place so no backup even at the policy level can be deleted or modified by any admin should that feature actually be turned on um and then of course other layers also include you know web session limits and timeouts where sessions will time out after 50 to 15 to 30 minutes of inactivity to align with corporate security requirements and of course uh like i mentioned before we provide end-to-end encryption 
whether data is in flight or at rest um so without further ado i do want to jump in our ui real quick to walk you through how we take backups um i'll also touch on radar for a quick ransomware remediation and then if there's enough time left i will talk a little bit about sonar as well so i'm going to go ahead and switch screens real quick so just bear with me then we'll get started all right all right so now you should be able to see the ui here we go so let's say i'm a backup admin i login this is the first thing you're going to see right so i could see all my objects that are under protection they're protected by you know different sla domains that i set um you could see natively we do support vsphere vms hyper vvms linux unix windows physical host nash shares sql server databases oracle databases and more but everything we do is really based on an sla policy approach we don't want you managing any backup jobs ever again so this is how we protect your backups moving forward should you come over to rubrik so what that means really is so if i go to sla domains i'll click on local domains you could see here that i do have you know my sla policies that were uh previously set up this is a demo lab so we do have quite a few um i don't expect any customer really to create any more than three to five and to really dive into what an sla policy is this is where you define how often you want to take backups and how often you want to keep them so here's what that looks like i could say i want to take a snapshot every six hours i need to keep that for seven days i also need to get more granular so i also need a snapshot every day maybe i need to keep that for 30 days and then for those needing you know long-term retention we allow you to set it up to where you know you need to take a yearly and you keep that for say seven years for example um so that's how you would create an sla domain on the second side of this policy it it will give you the option to choose where you want 
to archive data to. So if you don't want to land data on the Brik longer than 30 days, we allow you to take advantage of the cost economics that come with the cloud. We support Azure, AWS, GCP, Wasabi, anything S3-compliant. If you still have an on-prem requirement, you could archive to an NFS target. Maybe you guys still have a requirement to use tape; we support QLogic as our tape vendor. So, yeah, you have a number of options in terms of how you want to move that data and take backups as well.

So, what we do really well. Before I get into what Radar is, I do want to show you what we can do with those SLA policies from a workload standpoint. Going back to my catalog of pre-made SLAs, you can see this one policy right here: it's taking a snapshot every 12 hours, keeping it local for 30 days, and after 30 days it says it's going to be archived to AWS; that's what they named it. So if I hover over the object count, that one SLA policy is protecting nine vSphere VMs, 17 Windows hosts, 83 SQL databases, one managed volume (I think you get the picture), NAS shares, 10 Linux physical hosts and an Oracle database. That's a lot of workloads that are very different from each other being protected by one SLA policy, and again, this is why I say you will never be managing backups ever again. You create as few policies as possible and you apply them to your workloads depending on whether they're mission critical; maybe you want a separate policy for your NAS shares, who knows. We give you that flexibility, but the point is we want you to protect them with as few SLAs as possible.

So with that being said, when you're ready to restore a virtual machine, or maybe you need to look for a file (I'll just use VMware as an example; that seems to be the most popular hypervisor that we back up), I'll go into my VM and I'll show you this calendar view that's about to pop up. Every green dot that you see in the
calendar view is a successful backup, in other words a snapshot. So if I need to go back to, let's say, the 26th, here are my recovery options just for that VM. I could mount the virtual machine: it'll create a second copy of that virtual machine so I could do test/dev on it. It gets hosted directly on Rubrik's datastore; it doesn't have any impact on your production environment or use production disk. So you can use that and get really creative with that use case, because it literally is just a second copy of a VM that has no networking attached to it. But should you need to push it into production, you could absolutely Storage vMotion it over if needed, once you're done doing what you need to do to it.

Beyond that, we do support Instant Recover. Maybe you've got a VM dead in the water; you need to instantly recover it from a clean point-in-time snapshot, from your immutable backups, may I add. We allow you to do that. In-Place Recovery is supposed to be the same thing; it's a new feature that came with our 6.0 release, except it uses less data transfer, I'm told, and more performance, and you don't have to Storage vMotion it back into production.

And then of course we allow you to recover files. This is one of my favorite features, because we have predictive search functionality, so we can find files really quickly, and we only ingest metadata, which also gives way to why it's so quick. So if I type in "cool cat", I can see I have this cool cat file here sitting in my C drive. I could go ahead and select that; it creates kind of like a shopping cart, if you will. So if I also need to recover additional files with it, I can; it'll just add it to what I like to call a shopping cart. So you can recover files there. You could also come up here and type in that file name and it will also give you a list of options here. So "cool cat": I have 46 versions here. I'll click on that, and here are all my options in terms of recovering files from all these
different snapshots that I have available. Obviously, I'll probably pick the latest version. I'll go ahead and show you what those options are: download, restore, export, or select additional files; again, the shopping cart, if you need more than one file. You could absolutely go ahead and look for that, although we want to take the guesswork out of that: if you know the name of the file, we'll just allow you to search for it. So that is file-level recovery.

If you ever need to do a bulk recovery, we absolutely support that. Mileage will vary, of course, depending on your bandwidth requirements, things like that. But if you ever need to do a bulk recovery, whether that's a live mount where you're live mounting maybe 10 VMs, we allow you to do that. But Instant Recover: if I click Next, I can now select all the VMs that I need to instantly recover back to my production environment from a clean point-in-time snapshot. So if I click Next, I could do the latest snapshot, which is probably the one you're going to select, right, or you could choose the snapshot on a particular day and time. So I think that's pretty cool.

But yeah, beyond that, I know we have a few minutes left, so I do want to get into Radar. Let me just hit the back button here, because I was demoing it earlier; I'll just start at the dashboard. So Radar: this is where really all our ransomware remediation lives, if you will. All of the data that's being backed up here by the Brik in Rubrik, all of that data we collect over into Polaris as well, which is delivered as software as a service. And then we take those backups and we really want to make them useful, right, hence Radar. So right off the bat, say I'm a backup admin, I'm coming off a long weekend, I'm tired, it's Monday, but then I notice, all right, I see all my SLAs are in compliance, okay, yada yada, but what is going on with Radar? This is where we find all those anomalous events. I see
three anomalous events; I probably want to investigate that, right? So this is a demo lab, so I only have four VMs loaded, but I can see right off the bat that my environment is getting beaten up by ransomware. And so with Rubrik Radar, what we allow you to do is really drill down and investigate the blast radius, and then you're also given the option to recover from a clean point-in-time snapshot here. So if I want to start with the first one, what it'll do is give me an event timeline. But I'm freaking out as a backup admin; I don't have the time to really review that right now, but I want to investigate this snapshot and just kind of click through and see what happened, right?

So what it's doing really is: Radar uses machine learning algorithms to understand normal baseline behavior between your backups, specifically snapshots. So it took a snapshot at 8:11 a.m. this morning; something happened between 8:11 and the 2:11 p.m. snapshot. It detected a high rate of change, and this is what Radar is alerting me to. So now what I'm seeing is that, okay, something is definitely really wrong in my C drive in this particular VM. I have a flag that's calling it suspicious. I also see some activity here: there have been 3,500 deleted files but 47 have been added. That is really weird. So let me go ahead and start drilling down and investigating this a little bit further. Right off the bat I can see, okay, something weird is happening in my file shares, right? So I'm going to go ahead and click into that, and this is where it really starts to get interesting. I have all my department folders here; I can see the engineering department's been hit, all the way down to the sales department. For selfish reasons, you know, I'm in engineering, so I'm just going to poke around in here and really see what happened. So I can see that this file's been deleted, a PowerPoint, but look what's been added after it: a .encrypted extension. So what I'm going to do now is I
need to pick and choose what perhaps is mission critical. What do I need now in order to continue business continuity? I need to get these files back, right, to keep my job, essentially. So everything that I'm selecting, not everything, this one file that I'm selecting here: when I click Next, these are my quick recovery options. I could download it, I could do in place (overwrite the original), or I could recover to a separate folder. And that's why we say at Rubrik, don't pay the ransom: because not only are your backups immutable, but Radar really provides you with a great tool that helps you, or guides you, through the recovery process itself.

If I want to bypass this investigative part, because obviously it took some drilling down and whatnot, I could totally go all the way back to the beginning and say, screw it, instead of investigating, I don't have any time to investigate, I obviously know something's really wrong here, I need to mass recover this entire drive. We allow you to do that too. So I'm going to click Next: same options, download, in place (overwrite the original files with that clean point-in-time snapshot and continue on with your day), or I can recover to a separate folder, in which case a customer who's obviously still cleaning up machines, scrubbing them, or needs to do any sort of forensics would normally select that option. But that would be our idea of a mass recovery at this point, and again you're not going to be paying the ransom, right? So this feature right here is very intuitive, it's smart, and I think it's really a game changer in this industry that we allow you to make use of your backups here in Polaris in order to detect where ransomware lives. And that's all I have today. I want to say thank you for the opportunity. I'll definitely stick around for questions. Thank you guys so much for the time; I really
appreciate it.

Okay, great. Thanks, Tracy. And I do want to put up a poll here: what additional information would you like about the Rubrik solution? So anything on there that looks good to you, please fill out that poll and let us know what Rubrik can send to you. Tracy, are you ready for some questions?

I am. Thank you.

Super. Well, I have to agree with Jorge, who said that was a great demo. But let's get to the first question here. A lot of questions coming in about Radar. So what workloads does Radar support today? Does it scan VMs, or is it broader?

Sure. So today Rubrik supports scanning and performing anomaly detection against vSphere VMs, NAS filesets, Windows and Linux filesets, AIX and Solaris, and also currently we're working on releasing support for scanning Nutanix AHV and Hyper-V VMs as well as EC2 instances for next year. So definitely stay tuned for that.

Okay, super. And do you need an appliance to get Radar?

You do. So the way Radar actually works is that when all the data gets backed up to the Brik, the appliance, Polaris, which is where Radar is, Polaris will then go in and scan only metadata in order to compare any changes that may have occurred against the last clean snapshot. And I also want to note, because this comes up a lot as well, that there is also no performance impact to production, since our machine learning model runs fully against that backup metadata, and also little to no impact on the Brik or the appliance itself. All of that analysis is done in Polaris against what is backed up onto the Brik appliance.

Okay, super. Another question here. You talked about protecting against ransomware when it gets into the backup. So what happens to the snapshots that are infected?

Good question. Nothing, really. They're absolutely no harm to Rubrik in their cold, immutable state. So some customers will keep them for forensic purposes, but we
also allow users to delete them as needed. And since our Atlas file system is append-only and all writes are out of place, meaning that new writes will never touch data written earlier, you can guarantee that if infected data gets ingested by Rubrik, it will not infect existing files or folders. It's just that secure.

Okay. And you mentioned some of the anomalies stuff. What are some examples of anomalies that come through? What are the kinds of things that you're looking out for?

Good question. So anything that produces a high rate of change between the last clean snapshot versus a new snapshot that was generated; the moment that happens, Rubrik will alert you to them. So upon deployment, what it really goes out and does is establish a baseline using those machine learning algorithms that I mentioned. So any sort of change, whether that's intentional or maybe ransomware got in and obviously all your files are being modified, deleted, what have you, no matter what, Rubrik is going to, or sorry, Radar is going to alert you to them. There should be specific settings in Radar that you can actually set to kind of decrease the amount of alerts if you think it's actually employees or the IT staff making those changes. But otherwise, no matter what, whether it's ransomware again or users changing files, things like that, if it's high, we're definitely going to alert you to them, is what I'm trying to say.

All right, super. Well, we're just about out of time. I do want to mention to everybody to check out the Rubrik resource in the handout section. Any tips that you have for people for getting started with Rubrik?

Yeah, just feel free to contact your partner of choice. We're a channel-first approach here, so whether that's the CDWs or the SHIs or any sort of VAR, make sure to reach
out to your rep and they'll put you in contact with your Rubrik representative on that side. So yeah, looking forward to perhaps seeing some of you guys.

Excellent. Yep, we're all looking forward to seeing people. Thanks a lot, Tracy. Really appreciate you coming on and talking about the Rubrik solutions. It's been great.

Yeah, thank you for having me. Appreciate it.

Okay. And we do have another Amazon gift card to award at this point. So our next $500 Amazon gift card will go to Michael Ferber from Massachusetts. So Michael, congratulations; we'll be reaching out to you about your gift card and how to claim it. Now let's move on to our next presentation. We're going to hear from Evan Kaplan at CrowdStrike. Evan, welcome.

Hi, thanks.

Well, take it away.

Okay, great. So I think you all have been hearing various presentations about strategic planning for the next year, and I'll give you my take. I'll first start by introducing myself. This is what I look like when I'm not at home wearing sweatpants. I lead a team at CrowdStrike that does, as it says on the slide, strategic advisory consulting. When you think about CrowdStrike, you probably first think about our Falcon platform, which is our product, or perhaps our incident response services, but CrowdStrike also does provide strategic services, and I have been on that team for the last six years as it has grown. And so we actually do this a fair amount with our customers, where we help them come up with the right strategies and the right plans for their own security programs moving forward.

When you think about a security plan, or really any sort of strategic planning with respect to cyber security, it's really risk management. There are tactical things that may be involved in that plan, but at the end of the day, most strategic cyber security
work is managing cyber security risk, and so that's the lens that I and my team look through when we're working with any sort of organization to think about what their security plans and what their security capabilities ought to be.

So I imagine many of you have seen this formula before: that risk is a product of threat, vulnerability and impact. Threat is who the bad guys are and what they are trying to do; vulnerabilities are the things about your organization that they can exploit; and then the impact is really what the effect is on you. It really is a multiplication problem, in that if you could eliminate any one of these three factors, you could actually reduce the risk to zero. That's not very feasible, and so it ends up that you really need to manage each of those independently.

Threats are something that, for the most part, organizations don't have a lot of ability to control, right? Who is coming after you and the methods with which they will come after you; at least people on the security team aren't necessarily going to have a lot of control over that. If you have a business unit that's thinking about opening up an office in Moscow or Tehran or Shanghai, then maybe not doing that could eliminate a risk, but for most of us we don't have a lot of control over what the threat is. So instead what we do is we monitor the threats and we look at what's out there, and it can inform our planning in terms of what are the things that we're trying to prevent, what are the things that we need to be able to detect or have other plans for. And I imagine that over the course of the day you all have heard different things about threat trends. Ransomware continues to be a predominant threat, and probably the predominant threat to most organizations, but depending on your organization and your vertical and the nature of your business,
there may be some other threats. Insiders are always a threat in some way, shape or form; it may be that they are more or less of a risk in your particular industry. Targeted attacks, I think the same could be said for those. Supply chain is one where that has always been a threat, that someone will use trusted software or other trusted resources to gain a hold in your environment. I think it's fair to say that that's something that is increasing and likely to continue to increase, so that's certainly something to be keeping an eye on as you're looking to the future.

So the next thing that you need to consider in making your security plan is your vulnerabilities, and really understanding your vulnerabilities is more than just vulnerability management. I think you need to take an expansive definition of the term vulnerability to say, what is it about my organization that could make us more or less vulnerable to attack? So it's not just software vulnerabilities; there could be things about your corporate culture or the way you are structured, as well as the maturity of your organization. And so what we often do when we're trying to help customers evaluate themselves, where they are and where they need to be, is we ask these three questions, or rather we have them ask these questions of themselves: Am I breached? Am I mature? And am I ready? For each of them, CrowdStrike has services that we can offer that can help evaluate those things, and depending on what you know about your own strengths and your own gaps, it may be helpful for you, whether you do something with CrowdStrike, you do something on your own, or you do something with another vendor, to evaluate some of these questions through this lens.

So the "am I breached" question: hopefully that's not part of your plan, but if that's where you're starting off, certainly
doing an incident response or some sort of assessment where there's a deployment of forensic software, where someone can evaluate and attest to the cleanliness of your environment, those are certainly services that help make sure that you're starting from a blank slate.

The "am I mature" question I think is a lot more important, especially for strategic planning. It's not just am I mature; it's really am I mature enough for the risks that I face, and that's where something like a maturity assessment or an overall programmatic assessment can be helpful. If you have a sense of where your maturity is already but you want a more tailored look at specific capabilities, like your security operations capability or Active Directory or cloud, there you could consider doing an assessment of just those to identify gaps in those areas.

And then the last one, "am I ready": if you have a sense that your program is okay, you might consider doing some sort of exercise or simulation that tests your ability to detect and respond. So that could be some combination of red teaming, or red team/blue team, or it could be a tabletop exercise where you're not actually technically doing it, but you're testing the response, the management-type response, to an incident. The other benefit of a tabletop exercise in particular, if you're thinking about planning for the future, is that sometimes budgets are a big component of your strategic planning, and if you have executives who are skeptical about the risks that your organization faces from cyber security, a tabletop exercise that illustrates what happens when these risks materialize can often be a powerful motivator for executives to want to prevent those things from happening in real life.

So the next area is impact, right? So, threat, vulnerability and impact. And there are a lot of
different types of effects from cyber attacks, and if you're looking at how a different threat materializes, right, let's say you have a ransomware actor and they're able to exploit some capability gaps in your network defenses, then you're going to be looking at a business disruption type of impact, assuming that the systems that are affected are business critical. You're probably also looking at data loss in that case. But the important thing about gauging impact is that not all cyber attacks are created equal. There are some that are inconveniences; they may have some slowing of operational efficiencies, they may cost some money, but they're not as dire as others. Not to belittle any one type of impact, because they're all bad, but if you're looking at a loss of customer names and email addresses from a database, that's not great, it probably hurts your reputation a little bit, but people are pretty used to having their information stolen these days. Whereas if you are dealing with a ransomware attack or theft of some really, truly sensitive information, those are going to have much different impacts. So understanding the impacts of the different scenarios that you want to avoid is also really important when you're talking about the plans, because you can implement defensive measures that help limit some of these impacts.

The questions that you really need to ask yourself as you're evaluating those threats and your own capabilities and then the impacts is: if you're building a plan, what are the improvements that are going to reduce your risk the most? If I segment my network, if I deploy some newfangled next-gen tool, how does my risk profile actually change? What are the threats that I'm able to detect or prevent as a result of that, or
what are the impacts that I'm able to soften? What gaps does it close in my capabilities? Another important question is balancing quick wins versus long-term projects. It's really important to go after the low-hanging fruit, even if it's not going to move the needle a lot on your risk profile. Having some quick wins in your plan that allow you to make some progress and move the needle a little bit is important, but they shouldn't give way to long-term projects. Think about something like network segmentation: depending on what your current organizational architecture looks like, network segmentation at some organizations is a years-long project, a years-long effort, and that's not a reason not to do it, but you need to evaluate which of those long-term investments are really the right ones for your organization, and plan beyond just 2022 if you see the need to make improvements that are going to require investment with a longer tail.

Another question that is important to ask yourself, and really ask your business leaders, is how much is enough security? Another way of asking that is, what are the risks that you're willing to accept? When CrowdStrike comes and does an assessment like a maturity assessment, we provide current and target maturity scores, so "good enough" is the target score. We use a one-to-five scale, and we almost never tell organizations that they need to be at a five; sometimes they just need to be at a three or a four. It really depends on the threat profile that the organization faces. So that's something that is a conversation not just with your security team but also with your business leaders. And a piece of that is not just acceptance: transferring risk, using insurance to transfer risk, is also part of that, but I think increasingly people are finding that insurance is a more
difficult answer to turn to.

And then the last one is: are you keeping up with the evolving threat landscape? This is an industry where if you're standing still, you're moving backwards. So, for example, when we do our maturity assessments at CrowdStrike, we change the criteria for what it means to be level one, two, three, four and five, so that if we evaluate the same company two years in a row and they haven't done anything, their scores will actually go down year over year, because we move the goalposts, because the goalposts are moving. That's how the environment is. So it's important to be asking yourself that as well; your 2022 plan should be planning for 2023-type risks, so that when the calendar turns a year from now, you'll be ready for those as well.

Another really important thing to keep in mind when you are developing plans is that they're actually only a little bit useful, right? The Dwight Eisenhower quote: plans are useless, but planning is indispensable. What this means is that you draw it up, you think that you're going to go in a certain direction and you have plans for how that's going to go, and inevitably that gets tossed out the window. Something happens and you need to pivot, and so it's important to have flexibility in your plan. There's another American who said this a little more bluntly: everyone has a plan until they get punched in the mouth. And that's really what you should be thinking about when you are developing your plans: not that you should be planning on getting breached, but you should plan on needing to address new vulnerabilities, new threats, or other things in the business environment that cause you to pivot. That's it for me, but I'm happy to take any questions that might be out there.

Okay, Evan, that's great stuff, great quotes. And in fact, I thought you were going to
say you shouldn't be planning to be punched in the mouth, but I think the way you said it was better. Really nice presentation, such fascinating stuff. For our listeners who aren't familiar with CrowdStrike, the assessments, are those consultative, and then are there products as well, as far as tools? What's the portfolio that they should be considering?

So CrowdStrike: there are sort of three categories. CrowdStrike is a threat intel company; we sell threat intelligence and threat intel subscriptions and services around threat intelligence. We are a product company; we sell the Falcon platform, which started as an EDR tool, and it has EDR and next-gen AV capabilities, but it also has additional modules that help evaluate Active Directory vulnerabilities, help you implement zero trust; it has a vulnerability scanning module that helps identify both system and software vulnerabilities; it has a module that does asset discovery so you can identify unmanaged assets on your network, and much more. There's a managed detection and remediation, an MDR, service that is sold along with that, or rather independently of that, so you can have the tool and run it yourself, or you can have the tool and have someone managing it for you. There's also an add-on for managed threat hunting. And then lastly there's a services organization, which is more consultative, and that includes maturity assessments and tabletop exercises and red teaming and cloud assessments, as well as a very robust incident response process, so if your organization is breached, we can come and respond.

Gotcha. And you mentioned blue teaming and red teaming exercises as well. How difficult is that to set up for an organization, for it to be realistic and give them real insights into their own
environment?

Well, I think the red team/blue team approach that CrowdStrike takes is pretty good at emphasizing realism. Our red team is pretty sharp; they do a lot of adversary emulation, where it is a sort of black box test where the responders don't know that something is coming, and they scan your perimeter, they try to socially engineer their way in, etc. But then there's also, so when we do a red team/blue team, there's a bit more of a conversation. So we still use all those techniques, but we also take one of our incident responders and fit them with your incident responders, and they talk to the red team every day and say, hey, I went after these systems and I used these tactics; what did you see? Were you able to see it? If you saw it, how are you containing it? Here's how I pivoted away from you after you blocked one avenue; were you able to see that? So the not-realistic thing is that there's actually a conversation between the red team and the blue team, but the very realistic thing is that the red teamer is using real-world TTPs. We often will customize a red team engagement or red team/blue team engagement to focus on specific types of actors, so, ransomware actors, for example: what are the methods that they're using to get in, to move laterally, to escalate privileges? Those are the tools that our red team will turn to first to help move through the environment and make sure that your team is prepared for that, if that's the risk that you're facing.

Excellent, makes sense. We have a question here from Rob. You had mentioned a little bit about insurance, and so Rob is asking: can using CrowdStrike with the monetary loss fraud benefit help reduce cyber security insurance premiums?

Yeah, there are a couple of things that we do with different insurers that actually
will do that. So there is one, I believe, related to our product, where if you agree to let the insurer do an API call to the product and see things about your environment, they're able to give you a better quote; it's like the safe driving thing where they see how fast you're accelerating and braking or whatever. They're able to look at your EDR tool and see what's going on there, if you grant them access. Another is, if you have our MDR capability, there are some insurers who will give you a premium reduction on that, and also, it's called Falcon Complete, and that service actually comes itself with a million-dollar warranty, which is underwritten by an insurer. The third way is, I believe, the red team/blue team service: there is a program with one underwriter where if you undergo one of our red team engagements and then you address the findings from that engagement, they will give you a premium reduction. So there are a number of ways that that does work.

Thank you. We had a question from Jeffrey, I think asking on behalf of MSPs in the audience: is there a multi-tenant dashboard for MSPs? So I'll step back from that a bit: do you guys have an MSP program for any of your products?

We do. We do have an MSP program for Falcon, and I believe there is a multi-tenant dashboard capability. I'm not super familiar with it, so I may be speaking out of school, but I'm pretty sure that that is the case.

Makes sense. Okay, super. So, yeah, check out the website, Jeffrey, for details on MSP. A question from Charles about what does threat intel mean, and what sort of information can we expect to see?

That's such a big question, because it really depends. And I think when you talk to intel professionals, they break it down into strategic, operational and
tactical threat intelligence so the the type of intelligence that you get at each level informs the ways you might respond so tactical threat intelligence are things like indicators of compromise where you you're able to look for this new tool or this hash or this this ip address that's known bad um or you know there's there's an attacker that's using a new new technique and and though you might not necessarily be able to detect it um through signatures you might be able to find find other ways to to identify that that technique is being executed in your environment then operational is uh is well actually strategic is at the other end of the spectrum where it's you know china has a new five-year plan in which they are uh announcing the following economic priorities and organizations that whose business intersect with those priorities should anticipate that they might be getting targeted by chinese nation state actors you know it's really sort of grand strategy of who's doing what to whom and why uh and then operational is somewhat in the middle so operational intelligence is understanding um how attacker targeting behavior more granularly might might change like not not necessarily what types of organizations they're going after but what types of information within the organization or what what types of infrastructure within a network they are they are most likely to target um it provides a little bit more insight in terms of uh you know what what areas of of your organization do you want to prioritize defending against um but but a little less uh not quite as as granular as the you know individual hashes and and not as broad as the um geopolitics okay great thanks for the those levels that's really helpful um next question you have coming in here you talked about third party assessments as a way to identify where to invest isn't that something i can do myself um yes absolutely it is and uh and most organizations if if you have the time and the capability and the 
confidence um you should be doing that you should probably be assessing assessing yourself regardless so uh you know you don't need to hire me or my team to do that for you but there are a number of reasons why you might choose to and um you know one might be you know you do your self-assessment and uh and you you've identified the things that that you think are important and now you want to validate it well that you know a third-party assessment's really great for that um or you want to justify it to a leadership team executives or a board of directors you know it's not just my opinion there's also this third-party expert out there that is that is um validating it you know actually we we built a plan and they looked at it and they said yeah this is good but they also suggested doing a b and c it can also help justify additional spend right everyone is going to be asking for more money um but if uh if you have a third party assessment that says you're you're way behind the curve um and these are the risks that that you could face if you don't change that that that might get some executives attention gotcha yeah you know and you talked about those three stages uh you know you know am i breached am i mature am i ready you know when you engage with with clients where do they tend to be in in one area in your experience or are they sort of all across the board well because we have an incident response practice um we we have a lot of customers who are are asking the am i breached question um right but uh but about 50 or more of our customers are are in the other areas um and and i do think it really is a pretty even split between the am i mature and am i ready there's a lot of focus on readiness right now and and especially with with the recent executive order calling for uh for organizations to run exercises and with ransomware in the headlines and executives asking are we prepared for this um we've seen a lot more demand for the am i ready questions um but actually 
some of the am i mature services do a really good job of uh kind of more holistically answering that question it's not just narrowly around response it's also around prevention yeah you know and while i have you on the line you know when you mentioned am i breached i was i was just interested to hear you know what are you guys seeing as far as dwell time um you know in terms of you know how long attackers are in customers networks um i've seen some studies that seem very indicate like different directions like some of them seem to be getting longer and some seem to be getting substantially shorter yeah so i i think the we we track dwell time um and and we report on it annually it's been almost a year so i don't know i don't know where the current uh the current numbers are but um what i will say is that year over year we've actually seen dwell time coming down but part of the reason for that is that ransomware activity has gone up and so um you know if if you're interested in data theft you probably don't want to ever be detected but a ransomware actor actually wants to be detected at some point and so when they deploy ransomware you know they've they've blown their cover um so i i think dwell time is is less of less of an effective metric currently because of that trend it's sort of you need to look at it you need to separate ransomware instance out from other data to to have a real sense of how dwell time is working well i think that's about all the the time we have um evan thanks uh thanks for all your insights and for a great presentation um you know any uh closing thoughts or anything about uh you know people getting started with uh no just just uh thank you for having me and um the the handout that that um is available for me is is a link to our services team so all of the it breaks down the am i in my breach down my mature am i ready um and the different services under those so if that's something that you're interested in you can go there and see which 
services sound good to you. Thank you very much.

All right, thank you. Bye. Okay, and thanks everybody for all your questions, and thank you also if you answered the poll. Now we're going to roll on to our next presentation. We have Christopher Morales of Net Enrich; he's the chief information security officer. Christopher, welcome.

Thank you, good to be here.

So, yeah, take it away.

Sure, no problem. So again, hi, I'm Chris with Net Enrich. Just some background on Net Enrich: I know most people haven't heard of us. We have historically been a master services provider scaling out operations across all digital ops, network, security, DevOps, for lots of the service providers you probably know and have heard of, or people you've worked with. We've been doing this for 15 years, and we're in a transition of a business from looking at operations as a human body kind of aspect, so to speak, to a technology-first, data-driven aspect, and that data-driven concept is really what I want to talk about here. It's an interesting topic. So as we think about going into 2022, I took the theme of this very seriously, developing your 2022 security plan, and I really just want to present on that topic. My role here as chief information security officer: I'm dealing with all our internal security, and I also assist in security strategy on what we take to market, because it's very much eat our own dog food. So I think about how this works for us at scale. We have a thousand employees, like 600 of those just in operations, so we're a very large operations organization. That's very much the heart and core of what I think about: digital operations, and making sure that it stays up and running is what it comes down to; it's availability. So the next few slides, it's actually not that long, I'm going to present on a methodology that we're using to align ops to risk and how we've produced situational awareness, which is leading into a concept that I consider risk operations, risk ops so to speak, versus just general risk that we do annually, quarterly, however it's treated.

So just for the problem statement, we can state the obvious here: digital transformation is exposing us to adversaries and threats. That's a simple statement to make. I would think over the last two years, through COVID and the lockdown, it's gotten much worse and it's really started to pull very much at the seams of organizations. Us personally, Net Enrich, within our operations with 600 people we actually have physical buildings for network operations, security operations; we have these key card systems, secure access lockdown, biometrics, whatever it is, hard pipes to cloud, everything segmented into zones. There's a lot of work that went into this, and then everybody had to go home, and well, we don't know how that went. It's like, great, so all that security means nothing, because we have to keep the business running, so let's just put everything out there in the cloud. We hadn't had to do this before. At the time the thinking was this might just be a few months, but we had to plan on the worst, and here we are two years later; people have only just started going back to work, and not all of them. So as a company that's already completely cloud driven, all SaaS, everything, we already removed our data centers, but we started physical on-prem for operations; we've now faced a problem where it's 100 percent remote and there's nothing left on the inside. This is a trend: as I describe ourselves, I look outward, and this is a trend everybody's facing at different levels. It's gotten to where you can't even go to a restaurant and eat without having to take out your phone and scan some barcode, because menus don't exist anymore and it's online menu systems. So digital operations is even impacting our real world, and physical to go out. We've also seen this with things like the pipeline, JBS meat supply, et cetera. The whole point of all that is that the takeaway from the last few years is this is a really hostile environment we're living in, our exposure is pretty high, and we have to think of it that way. I don't think it's just Net Enrich, but I think as a discipline in security we need to really start thinking about availability and not just data confidentiality.

So everybody's bought some security. They go out there and do these things: everybody gets a SIEM, vulnerability management, they start with internal assets, you do red teams, breach and attack simulation, et cetera, right? Doing a SOC, EDR, MDR, now XDR is the new term; what was old is new again, it's not new, it's just got new buzzwords. I've been doing network and endpoint for 20 years now; we just want to give it a new name. So whatever, we do this, everybody does this, but what ends up happening is that you have this known surface that you're spending all these tools on and you're building for, yet attacks have never been worse, because there's this unknown surface which consists of hundreds if not thousands of attack paths, and we spend so much time trying to do specific controls. Like, we'll say I need endpoint, so I'll protect those, but then you get compromised by Office 365. So then you tactically respond to that; oh, but now it's gone to somewhere else, you have a SaaS app that somebody installed and you don't have control on it. It's all over the place: you have AWS and DevOps is constantly changing it, and configuration things are exposed, an admin trying to do his job has turned on RDP so we can get direct access to a server from home and bypass the VPN. These are all real things I see all the time, and we're building the security stack for the things we know about, but attacks don't look for things that you have. They don't play nice; it's more like path of least resistance. Just to give a sense of that, I looked at a hospital once who had a thousand employees and they had a hundred thousand attack paths. That's a lot of paths to think about, and that's a lot of options for an attacker. So that's where we're living today; that's just the reality of it.

Now, obviously, what would be ideal is you'd love it if we just combined these. Wouldn't it be nice to say that your security and your assets were aligned? As in, rather than buy every protection tool or detection tool, whatever it is, just to have a blanket statement, that's kind of a bludgeon hammer approach. Wouldn't it be better to just actually look at your risk and quantify it and prioritize and make a decision on here's where I should spend money, and not because that's what I have to do? I'm constantly fighting with my CFO on money, trying to explain why do we need to do this or do that, and every year it just adds to it. So that's the conversation here: how do we get from misaligned security to aligned security? Plain and simple, it's situational awareness. The concept's not new; anybody who's aware of it, it's been around for a while, came from the Air Force, started with the OODA loop, you hear it: observe, orient, decide, act. You hear it used in different areas, different places. It's quite simply understanding the operating environment that you're in so that you can make better informed decisions, and this is where we get into the whole data-driven aspect.

So what I'm mapping out in the next few slides, I'm just showing the process that we've implemented. As I bring up this process, and we use it internally, what we've done here, just to be clear, is we've built a data lake, a data analytics platform that we call Resolution Intelligence, and that platform is driven by our operations team, our internal process, things like that, and we're able to use ML to learn and automate what these processes look like. It's really effectively a huge data analytics platform focused on, well, as the name is Resolution Intelligence, it's like trying to decide what's important and what's not and how to do it. So everything I show from here out in this process are all components of that Resolution Intelligence platform, and it's the way I leverage the platform for my needs.

So the first thing is quite simply this, and some of this is pretty basic, but still: focus on exposure with high business impact. What that means is you've got to know what on the outside is even a problem. Do you have user accounts that have been breached? Are they on Have I Been Pwned? Can somebody take a Shodan scanner and scan all your different ports and find what's open? Do you have vulnerabilities in a WordPress that haven't been patched? The first step is to know what is even out there. Now, knowing what's exposed alone isn't enough. I actually looked at it that way and it didn't work; what you're left with is a list of all kinds of external exposures and you still don't know which one of those is important and which is not. So the way to fix that, the next trick, let's see if this is going to go next, there we go, so the way to solve for that is to inverse the risk equation. Instead of starting to go inside and say well, what are my high value assets, which ends up in a lot of interviews and a lot of debate and discussion, we can actually flip to the outside and say who are the adversaries that are targeting these exposures in the wild. Now, this is proven to work. What we're able to do is, by using natural language processing, we're able to scan the internet in real time and correlate data from multiple sites to start to extract and measure and trend what are the active attacks in the wild on an ongoing basis, what are the behaviors they use and what are the things they're targeting, and this in itself becomes an operational process that we apply a lot of automation to. The goal here is to start to understand and correlate, like here is an attack targeting the finance industry this week, here are the ways they have successfully got in, here are the tools, tactics and procedures they use, and here are the assets that they target. So once all that data is extracted, and the hard part of all this, by the way, is all this has been done before, but doing it at speed in real time, that's been the hardest part, and where I started into risk operations versus just risk. What this information does then is you correlate that to the external exposures, and when you map it you're able to find the matches, like this is the most probable risk of an external exposure. But what really defines risk is not just that an attacker is using some method to get in; it becomes a question of once they get in, what can they do? Can they reach a MongoDB? Are they going to be able to delete or encrypt it? In order to find that out, we're able to extract all the information from internal assets. We take an entire picture of, say, your AWS or Azure and extract all that data to build a representation of a threat model, and using the data from threat intel we're able to look at it and say here is your external exposures and here is a correlation of that external exposure to some internal asset, not necessarily high value but high value to an attacker, because that's something that, if they're going after, again, MongoDB, you ask yourself do you have MongoDB; if they're going after something else, you ask yourself do you have that, like is it a domain controller, what are they looking for. We're able to take a threat model and perform adversary emulation mapped to MITRE ATT&CK to start to quantify and ascertain the probability of success, and all these scenarios are always assumed compromise. The whole point of this is you assume they're going to get in, because they will, and the question to me now becomes one of resistance and of resilience. It's less about will they successfully get into my organization, can they succeed; the answer is yes to that question, universally, just tell yourself the answer is always yes. It's how long does it take and how hard is it for them to succeed, and I don't think that's something we've been answering. I heard a question the last session about how long is an attacker normally inside, and I'm like, well, my experience within SecOps is that we always ask that, but we don't know until something goes wrong. So yeah, with ransomware it's noisy enough to tell you you have a problem now, but then there's others like SolarWinds that persist forever. I think the bigger question is how long does an attacker have to be in to succeed, which is time to compromise, and we don't talk about that enough at all; we avoid it, in fact, as an industry. To me, it's saying that we're focused on reducing our time to respond, but we don't even know what the time to compromise is. You have to have one to quantify how good the other is, and what I mean by that is if something takes a day to compromise and your time to respond is three days and it's important, you're clearly off. However, if something takes 10 days to compromise and your time to respond is seven days, you're probably okay, and that's a really important point to make, because the cost of reducing time to respond starts to escalate the faster you want to get. So to me it's a cost risk equation of measuring the attack paths and the attacker themselves and quantifying how long it takes and how long do I need to be able to respond and reduce the impact, and if you don't know the time to compromise, time to respond is actually kind of dark, and we're going to keep going off reports.

What happens with time to compromise is you get a sliding scale, so this is threat forecasting. It's a lot like weather forecasting: you're not here to get an absolute accurate, it's exactly one day seven minutes and this will happen; it's more probability of things, and that's by measuring every type of behavior, measuring the attack, looking at path of least resistance, things like that, and building a sliding scale saying the compromise of a web server, the probability increases over time. So we know that; the question becomes how much does it increase over time, when does it become 50 percent, and most importantly, what is an acceptable risk level for your organization? Because more time in means they're more likely to succeed; it's just how long do you have for them to succeed. You can do this for every asset, because as I said there's tons of attack paths, and then you can take all the assets and all the compromise scenarios and overlay them and start to build a heat map based on probability and consequence, looking at the impact of a server compromise, how long it takes, what is the action they're trying to do. The effective goal of all this is, once you take that out, you're then able to start extracting very clear steps for mitigation and detection, to understand not how do you prevent an attack or detect an attack; it's more like how do you disrupt an attack. The rank order process that we use here, that I've been using internally, is we take a look at all the mitigation steps by creating choke points and overlaying all the different scenarios and then looking for the things that fix or create the most disruption with the least amount of effort. So not every step has to be done, but every step could be reviewed, to say if we make this change and this change then we'll have the greatest impact on the probability of an attack succeeding and a time to compromise, based on real attacks that are happening in the wild today. And the same with the security controls: you can start to map that and start to say these are the behaviors they used in MITRE, here's the data sources that detect that, and you start to get alignment of your detection strategy, so that we start to quantify and create very specific statements saying Nobelium is targeting service providers this week. This is a real one I had to deal with. These are the things I care about: if they were to compromise a user of ours and phish our Office, it would take them, say, I don't remember the exact number now, I should know, it's five days to get to our platform that serves our customers from office.com, and this is how they'll do it, this is the most likely path, and here are the controls you need to mitigate that. I create statements like that, so that as I start to look at my security and the efforts we do, they're all very clear and concise and very specific. So rather than focusing on generic threats, I start to focus on risk that's very relevant to us, it's very real and happening now, and you end up with very tactical bite-sized things to do, so that over time you really start to improve your risk posture one attack at a time rather than trying to take on the whole thing, with the goal to be always understanding on a regular basis, like a weekly basis, what is my risk, what is my exposure, how many days is it going to take and how many assets should I care about, which ends up with a repetitive process over and over to create risk ops. I don't know if anybody else is using the word risk operations right now; it's one I started taking, and I've taken all these products that are in this prioritization and trying to make sense of things category and I've put that into a bucket and built a process of using technology across the board and stitched that together, that we then stitch into our platform, so that whenever we look at any data from, not just security, but from threat detection, from DevOps building cloud, to AIOps or IT ops as they call it, doing configuration management, whatever it is, we're able to provide situational awareness to understand what kind of risk and exposure there is, both from threats in the wild and from the daily activities that are happening in real time now. And with that I will stop; that's actually all the time I needed.

Okay, great. Great presentation, Chris, really appreciate it. I do want to put up the poll question for people, just about any information that you'd like about the Net Enrich solution, but let's get into some of the questions that have been coming in from the audience. Let's see, so Bradford's asking: does Net Enrich also scan or discover behind the business unit firewalls for the assessment you mentioned? You know, all the Shodan kind of style checks and things; do you get into the behind the reports and things?

So we ingest data sources. I should be clear on that: we're very much a data analytics platform, and it's designed to take multiple data sources from internal or external feeds. There are some data sources that we can do natively, such as we can pull in AWS or Azure cloud config directly from those by integrating in. As you start to get into the internal, you can also add things like, say, a Qualys vulnerability scan; that data can be ingested as well to correlate. Then there are things about even collecting data passively by monitoring network traffic or from pulling firewall configs. It's interesting how there's a lot of data sources, and this is a case of more data is good; however, having basic data is also fine, but more is always good. So I guess the short answer is yes; the longer answer is any data source that you have or things you add to it. But I want to emphasize we're not necessarily a scanner or a detection tool or any of that; it's very much like we'll take in a CrowdStrike, we'll take in an entire Splunk, we'll take in data from wherever you have it and put it together. But we also have IT data and dev data, we have asset management data, so we keep track of those kind of things. So it's really putting together all these disparate data sources and making sense of it.

We had a question from the audience about, with the shift to remote work of late, how does Net Enrich handle real-time network monitoring? We touched on that question a little bit, but Chris, if you don't mind, I'd love it if you could go back through your thoughts on that.

Yeah, no problem. So we personally, again, we took like 600, 800 people who were always on-prem, and overnight everybody was remote. We also cleaned out our data centers, our physical data centers, and we're 100 percent SaaS now. It's funny, because people go which cloud do you have; we have all of them, Azure, AWS, GCP, maybe not all of them, we don't have Oracle, but we have all the others, and then we have a hundred plus SaaS apps. I'm still trying to get my head around some of them that people have. So yeah, there's no network there; there's just a bunch of APIs, connectivity, some endpoints. Now, saying that, I think the model we took is largely what a lot of SMB people our size and various people have also seen. For us, we use Zeek, Corelight, internally, and we're able to take all that data, put it in a data lake, and we do all our threat hunting. We combine that with other data sources like AD and Office 365 and endpoint. However, the way we look at this is it doesn't really matter the data source; it matters that you have coverage to the right area, and for us that means that now we've moved all our Zeek to AWS and GCP and things like that, so we're now monitoring cloud workloads and things like that. We can support on-prem still too, and what's interesting is there's also another faction of industries that I've learned, things like healthcare, manufacturing, a lot of the IT service providers, especially really big companies, they're still doing physical, they always will, and some of them are actually going into their own private cloud from public. So I tend to look at data as, it doesn't really matter where it's at; it's just a data source, it has to map to a behavior or it has to map to a purpose, and so we can support that. The short of it is yeah, we can support that wherever it is, because it changes for everybody and one size doesn't fit all.

Okay, well Chris, that's about all the time we have. Any thoughts as far as if people want to get started with Net Enrich, any tips for them?

Nothing off the top of my head. I could say feel free to reach out, and I'll put my email out there; it's christopher.morales at netenrich.com, it's very original, as any domain. I'm happy to have a call, but again I want to emphasize our business model is to work with our partners and enable them to let them provide these services, so if somebody, whether it's a partner or somebody has a partner, we're happy to work directly; we can customize or modify as we need. But my ultimate goal is to really operationalize risk and kind of democratize it so everybody gets better awareness, because whatever we're doing now isn't working.

Very well said. All right, well Chris, thanks again for being here, really appreciate it.

No problem, thanks.

Yeah, thanks for bringing us up to speed on Net Enrich. All right, thanks a lot. All right, and everybody who has filled out the poll, appreciate it. And we're going to move on to our next prize drawing, so the winner of our next $500 Amazon gift card is Ron Hanma from California. Ron, congratulations, we'll be in touch about how to claim your card. And now I'd
like to bring on our next presenter so we have nick rigo a principal security engineer from salt security nick welcome to the ecocast hey scott thanks for having me i'm really really excited to be able to be here today and talk and present to everybody that's attending yeah our pleasure yeah take it away all right great thanks scott uh hi everybody uh as scott mentioned my name is uh nicaragua i'm a principal security architect and engineer here with uh with salt security been in the digital transformation space api management space for quite a while helped architect some of the largest uh transformation and api management programs really here in the large enterprises on the eastern seaboard in this last year with salt securely security i've been really focused now on helping organizations better secure their apis from design to deployment that's a bit of what we're going to talk about today some of that and some of the complications and and uh hurdles that organizations are seeing while they're trying to adopt um and and modernize to to a lot of these microservice based architectures so as sort of the basis of the conversation here everyone here knows that apis and microservice usage is exploding today every major business driver today digital transformations cloud migrations mobilization and modernization projects they're all powered by apis and and that's great and that's good the bad is that attackers are invading as well and apis have become as predicted by gartner the the most of the most frequent fruitful attack vector today so there's a couple of reasons for why that is and and apologize for or for some of the rap here on the slides but um one of the major reasons is the attack surface is changing you know in yesterday's world we we knew where the entry points to our applications were we knew all the data the ins and outs of the applications in those entry points today the world looks much different with really complex ci cd pipelines and transformations 
where i have some elements of an application in one cloud others in another cloud some elements still on premise what used to be one entry point to an application now could be hundreds of thousands of entry points with microservices kind of you know gluing everything together so the attack surface itself has really changed and that's brought a lot of chaos into into the picture and so as a result of that attacks have changed as well in the past we've really known and we were able to better predict what the attack types would be especially against you know apis and kind of the old world architectures uh there were known attacks they were one and done attacks i called them grand slam attacks one request kind of looked you know looking for the the crown jewels or or getting all the records the sql injections cross-site scripting type of attacks you know those type of one-off single-call api attacks what we're seeing today is attackers take taking advantage of the you know these really complex cicd and devsecops pipelines and what they're attacking is the business logic of the applications today the doors have been pretty much well closed with uh you know the sql injections the cross-site scripting those type of interfacing but business logic attackers are realizing today that you know amidst all of this chaos all these microservices and these explosions of these apis within organizations there's opportunity there from an app logic standpoint to take advantage think of uh you know think of the case of experian just not too long ago where an attacker figured out hey if i'm authenticated into an api system and i uh and i use uh zeros as a birth date and make up social security numbers i'm able to get other people's credit information there was every security product in the world in front of that api yet that flaw in application logic found its way into uh into the product of the production world and now in the wild and so why is that as a result we're seeing these 
attacks change, and these business logic attacks require some type of reconnaissance. So in some cases it's days or weeks of reconnaissance, of poking and prodding and twisting and turning of APIs to try to find where that hole is. So this is leaving organizations who are trying to incorporate a really good DevSecOps practice to ask some really tough questions right now, and they are questions that look like this. I mean, they're asking themselves: do we know where all the APIs are running in our environment? And do we even know, from a sensitive data standpoint, of all of these hundreds of thousands of endpoints, which are the really high priority ones, which are the ones that are actually touching our sensitive data that, if exposed, could hurt the business? And what they're basically doing now is they're looking at the tool sets that they already have in place today, or the technology in place, and trying to figure out if they can answer those questions. And what they're finding out is, in the API world, they're looking to the WAFs and the API gateways that they already have in their tool shed, and they're finding that, wait a second, there's no ability to do API discovery there, and what we need is some way to do an automated discovery of all of our APIs that are out there. I can't protect what I don't know about. Additionally, organizations are asking themselves: if someone were attacking our APIs right now, how would we even know? And how do I even begin to protect myself against a lot of the OWASP API Top 10? And again, looking back at what organizations already have with their WAFs and their gateways, they're seeing that they're only able to protect against known attacks, right? It's a narrow view; these are signature-based, one transaction at a time. What they're realizing is, I need a solution that captures that sort of logic net or security net over us, that understands the unique business and
application logic of every API, so I can detect when these attackers are doing reconnaissance against my APIs, or really abnormal activity against these APIs. So again, the big picture, the whole movie of your API, if you will. So we've seen enough of these breaches, so much so that Gartner just recently recognized these holes in organizations' existing security stacks and has recently recognized API security as a category of its own. And to solve this from a technology standpoint you have to attack the problem a bit differently. So I'm going to walk through a little bit of what we do here at Salt to help organizations answer these tough questions, and basically just give you a high-level architecture of what the technology looks like. First and foremost, you need the ability to fully understand how APIs are used, and the only way to do that is really to capture all of your API traffic and to make sense of it. So capturing traffic can come from a bunch of different places: load balancers, gateways, integrations with microservices inside any orchestration technology that they reside in. Once you capture that traffic, what we do here at Salt is we're feeding our cloud-scale big data engine, and in that big data engine we're capturing all sorts of structural metadata about APIs, hundreds of behavioral attributes about APIs, and this patented technology provides three core functional pillars. The first is around discovery: helping organizations figure out what are the APIs that are out there, how are they structured, how are they being used, whether they handle sensitive data or not, and, from a security posture standpoint, are they deployed in such a way that adheres to best security practices. Secondly is the ability to help organizations identify when they're under attack and give them
the ability, that runtime protection and prevention capability, to actually thwart and block attackers. And then lastly, using this cloud-scale big data engine and this AI that we've patented, to be able to essentially turn your attackers into pen testers, or turn what we find in discovery early on in your development process and cycles into remediation tickets that the AI engine will actually scribe with information back to the development pipeline on how to fix the issues found. Now, from an architectural standpoint this is all done completely out of band, not inline, completely frictionless as far as application developers are concerned. So one of the big differentiators that Salt has in the space today is that we have done this for over four plus years at this point. We have over 50-some different data collectors that we have the ability, excuse me, that we do have the ability to collect data from, whether they be from API gateways, integrations into orchestration systems like Kubernetes or OpenShift, integration with traditional systems such as load balancers or firewalls or web servers, network taps, SPAN ports, and also emerging integrations with all the major cloud providers, for example AWS VPC mirroring, the ability to cast a wide net across your company's VPCs to see what APIs are running in there. Once this data is captured, what we do is we translate that data to API metadata, and this is an important piece here. The technology that we're using doesn't require the actual raw request/response data. What we're doing here at Salt is we're taking the mirror of the API traffic, the request/response data, and we're translating it into descriptors of the traffic: it's a POST, it has ten parameters, parameter one is something called xyz and it's always ten digits, okay. From there we're basically building all of the inventory, the data classification, building behavioral templates that we'll use for anomaly detection and
prevention. And one thing probably to mention here: in the center of the screen here you can actually see this idea of a hybrid server. This gives us the ability to actually do this metadata translation on an organization's premises, so that no raw request/response data ever hits the Salt cloud. Salt will only receive metadata, so from a compliance and data residency standpoint no sensitive data is ever sent to the Salt cloud. Now, once that data is captured and we have it, as I mentioned before, we'll be able to take action against it, and we're going to integrate with any ops management systems that are out there today. So we don't want to be another dashboard that at the end of the day you have to manage or monitor. We'll also provide you with remediation capability, so just because we're out of band, some of the secret sauce behind this technology is the fact that if we discover something, with the cloud-scale big data engine that we have, we're able to take action against it within seconds by integrating with everything that an organization already has today, whether it be a gateway, a WAF, a firewall, an identity provider, to thwart the attack or to stop the attacker or the bad actor so that they will not have access to the API or the application set any longer. Now I'm just going to do a quick walkthrough of what the system actually looks like, and I think a picture is worth a thousand words as we go through this, but it's worth mentioning that there's no shortcuts here. We have a four-year head start, we're the first to market with this particular technology, and the only technology out there that has a patent with this big data, ML and AI architecture that we have. The AI engine that we have running in the cloud has been, as I mentioned, running out there for four plus years, so again that's just something that you can't shortcut. As far as deployment, this
is something that you typically have up and running in 10 minutes, to be able to actually provide value, do the discovery, and build some behavioral templates and learning templates within hours. We have the most customers in this space, getting close to 100 customers at this point, and we are backed by some of the largest and most well-known VCs in the industry today, with some of the largest and most well-known customers across all sorts of different verticals. So we're really, really proud and excited about that.

So with that said, Scott, I just want to do a quick time check. How are we looking right now?

Yeah, we're doing great. I don't know if there was anything else you wanted to go through before Q&A.

Yeah, I actually did. I just wanted to bring up the console real quick and kind of show a little bit of the product. I just wanted to check how much time you had left on your end there.

Oh yeah, so we have about seven minutes.

About seven minutes, perfect. All right, so what I'll do here is show my desktop. Let's go. If you could just let me know if you can actually see this.

I do see it, thanks.

Okay, perfect. What we're looking at here is the Salt console. So on the console here, once we're capturing metadata, I'm able to quickly see, in my demo environment, all APIs that have been discovered, endpoints, parameters that are containing sensitive data. This is a great overview screen that kind of gives us widgets across the three different pillars of product function that I've talked about before, and we're able to see the system uncovered seven attackers, as we call them in the system, 11 APIs in our discovery here that have been either newly discovered or drastically changed, and our AI engine has come back with 49 remediation tickets, and basically has found 49 endpoints that require some type of developer intervention. I just want to, real quickly in a couple minutes here, kind of just show a
couple parts of the product here. First is on the discovery and the inventorying side of the product. Here you can actually see Salt's ability to actually inventory all of your APIs: RESTful JSON, XML, SOAP XML, GraphQL APIs. Today the inventory is done in a few different layers, so we can see all of your north-south, east-west, south-to-north or vendor APIs through here. We can quickly see from an endpoint standpoint, in the asset inventory, everything about the endpoints, from methods to whether or not they handle sensitive data, the endpoints themselves, how active and dormant they are. I'll get into sort of this third level of discovery here, where we can start to see some of the structural metadata that we capture across requests and responses and different response codes as well. So here I can quickly see this POST v1 charges charge ID API. I can see the structure of it; I can see from a payload perspective one JSON element called description, it's always letters only; another element called fraud details, I can see that's a JSON object with sub-elements, one's called amount, it's an integer, the second one, account, it's an IBAN account number, it's sensitive data. So now you can start to see Salt's ability to classify data for you, just like a data loss prevention solution or data classification solution, and we do this across hundreds of different categories of sensitive data, so that you as an organization now, from a compliance, audit and regulatory standpoint, can have the ability to quickly see how we are ingesting sensitive data in our organization, or through our APIs, and how we are possibly exposing it. So again, if I wanted to quickly see where we're ingesting, from a GDPR standpoint, email addresses, or where I'm possibly exposing social security numbers, I'd be able to quickly do that, hone in on that API down to a method and parameter, and see that. We'll also be able to provide you with security insights, again giving you insights into where you're not
adhering to industry best practices from a security standpoint. We have some great stuff from a scanning standpoint, to get earlier in the developer life cycle, that we're about to release here shortly, and the ability to provide you with analysis of your documentation and the ability to auto-generate documentation for anything that we discover. The last thing in the last two minutes here is really just to show you the attack detection and prevention capability of the product, and the ability to take the structural know-how of your APIs that we capture, as well as hundreds of behavioral attributes, so that we're able to find these bad actors that are hitting your APIs. We fingerprint them down to a common denominator, and in this particular case you're going to see us fingerprint an attacker down to a user ID. Here we can see everything the attacker's done, as far as what they've hit, response codes generated, attack types associated with them. A lot of these are OWASP API Top 10 things your inline security tools or gateways are not going to detect. And ultimately we're going to find attacks that look like this, and I'm going to leave you with just this one example here. This is an example of an attack Salt detected that would typically be allowed through your WAF or an inline gateway technology. This is BOLA. We typically see 40% of successful API attacks today are of the BOLA variety. Salt detected that two elements of header data didn't match in this customer's endpoint. If I take a look at it, I just want to really highlight this example real quickly to kind of illustrate what Salt does. From a request standpoint, on this customer's endpoint the attacker used an authorization token; 90%, over 95% of attacks are authorized users hitting APIs. We decode the whole JWT, look at everything: all of the payload, headers, content, cookie, parameter data. Here I can see response data and response headers coming back. From a WAF standpoint no signatures would fire, no flags
would be raised here. From a gateway standpoint the schema is perfectly fine. Salt detected something's wrong, however, and what it detected was that two elements of data that typically match each other in the headers didn't, and it detected that the response usually matches this user ID, and the response usually matches the authenticated user in the JWT, and it didn't. And so what the attacker figured out is that when I'm authenticated, if I just now use random or made-up user IDs, I'm not getting my data back, I'm getting someone else's data back. So now I stay low and slow and exfiltrate this data out of the organization. This is a really simple example. We typically capture hundreds of examples where we see tens to hundreds of parameters twisted and turned, and most of the time we'll capture attacks like this where the user really is just in reconnaissance mode. They're getting 401s, but we're detecting them early enough that we can take action against them. The last thing worth mentioning is we can do things such as block, as I mentioned before, at the WAF, at the API gateways, at your identity providers, to take action and remediate. But the AI engine will also scribe how to fix the issues back into your development cycle: Jira, GitHub Issues, Bitbucket, wherever your developers are convening, and we'll give that doctor's prescription on how to fix it: it's this endpoint in this API, you've got to make sure the user ID parameter matches the authenticated user in the JWT, or respond back with a 400. And we'll do this for even less severe incidents like parameter tampering, where application security folks just don't have time to do this, so the AI engine will do it and send this back into the dev cycle and help the organization fix the issue. So again, providing you with the ability to actually do discovery, to have the know-how of what APIs are out there, what sensitive data are
they handling, how are they structured, and giving you that security net of protecting you from application logic attacks with what you already have running in the wild today, and then providing remediation feedback to the developers on how to fix it. So, really quick demo, and I hope this was helpful for everyone to see. I don't know, Scott, if we had time for a couple of questions here, if anything's sort of popped up.

We do, yeah. Great presentation, and Venkat remarked that the demo was really interesting, which I have to agree with. I'm going to put the poll up here, for if anybody wants more information from Salt Security; you can just click on there what you'd like to see. And I'd also like to point out that in the handout section there's material from Salt. But yeah, we did have a question come in: what are some of the biggest factors that contribute to the unique challenges of protecting APIs?

Yeah, I think the biggest problem that folks are running into right now with protecting APIs is that organizations know when they go out the door with an API into production, they're only typically able to scan and test for up to 20 to 30 percent of different permutations of data. So what I mean by that is, what happens when I twist and I turn this, or if I move this parameter here, or use this type of data element in conjunction with another? That's the threat right now, and that's what attackers are going after. They're basically trying to find what you're not testing, or those holes in those application logics, because they know, just in the case of Facebook not too long ago, where there was that 18-month breach there for authorization tokens, that was a marriage of two APIs, the View As API and a video upload API, that together, when working in tandem, was actually responding back, there was a code flaw, that was giving back an
authorization token. So those are the things that they're looking for: how do I find and poke and prod to basically find areas of application logic that just aren't being tested today.

Really interesting. We probably have time for one more question. I wanted to ask: if API gateways and WAFs aren't effective to protect against most API attacks, does that mean those solutions are becoming obsolete?

No, they're still very key in your whole application security stack. From an API gateway perspective, that's a key part of your API life cycle and governance; you need that, and you need it also for abstracting a lot of code out of the application layer into the API gateway. From a WAF standpoint, you'll still need the WAF, because WAFs protect beyond APIs as well. They're going to protect your generic web applications and those interfaces running HTTPS, custom TCP applications as well. So you still need to use that as your first line of defense to thwart a lot of the signature or known attack types before they actually get to that next application level in your environment.

Gotcha. Well, Nick, thanks for a great presentation and all your insights here in the Q&A portion and in the demo. Really good stuff. Appreciate the update on Salt Security.

All right, great, thanks for having me, and thanks to everybody who's answered the poll. Appreciate it.

Now we're going to move ahead to our next presentation. So we have Nathanael Iversen, Chief Evangelist for Illumio. Nathanael, welcome to the call.

Hey, thanks so much. It's a pleasure to be here.

Happy to have you. So the floor is yours.

All right, fantastic. Well, it is a pleasure to be able to spend a little bit of time with everyone this morning, and as we approach the end of the year a lot of us are busy making our plans for next year and developing the wish list, if you will, for the things that we hope to
accomplish. And so what we wanted to do is just share a few of the things that we have heard and reflect on them as we look into this next year. You know, in security it's often easy to ask for things that are hard to get, and what we've discovered is that a lot of people are very interested in a couple of key themes as we leave 2021 and look into the future. And the first is that as cloud is increasingly out there, people are discovering the visibility gaps. In the previous session you heard a little bit about some of those visibility gaps from an API perspective from the Salt team. That's one aspect of it. Another aspect is just what is communicating to what, how do all of those cloud services actually tie together and function at the network level when you don't have access to the switches and the underlying infrastructure. We've had a lot of people interested in how to de-risk ransomware. It's out there, it's a thing, you educate your users, it's never quite enough. What do you do to remove the residual tail risk that you can't control? And how do people isolate and protect their high-value assets? Lots of noise in the marketplace about zero trust, which is a worthy destination, but what if you just want to control some of your most critical assets and put some rings and fences around the things that matter most? Well, these kinds of wishes are things that Santa can grant this year. And so what we want to do is talk a little bit about what can be done to remove cloud visibility gaps. An interesting thing is that IDC would say that about 80% of companies have had some kind of incident in the past 18 months in the cloud, and that's kind of a big number when you match that with Gartner's observation that 99% of those breaches basically were an accident: there was a root cause that was just some kind of a mistake or a misconfiguration by end users. Lots of complexity, lots of moving parts, lots of dynamic infrastructure that's actually changing under algorithmic control. So in that,
what do we actually need if we want to know what's happening inside the cloud? We don't want it to be a fog, after all. So we think we would start with a need for agentless visibility and control. Once you start talking about cloud, you're typically talking about a mix of cloud-native services that you don't own or control, as well as things that maybe you built there, in terms of infrastructure that you're renting, effectively, from the cloud provider. Most organizations that have one cloud have two. If you have Windows things that need to go to the cloud, odds are they're in Azure, and if you've got developers doing a bunch of brand-new development from a Linux perspective, they're probably in Amazon. And if you have things in one cloud and the other cloud, do they talk to each other? Do both of them talk to the data center? And how do things work across both of those environments? And so in that kind of complexity, how is it that we would go about managing and prioritizing the risk so that you could actually get control of the things that are in the different places, regardless of the infrastructure and regardless of the function? Well, to do that, the first thing is to get risk-based visibility. At some level all of the cloud providers will output flow information, in other words things like NetFlow, sFlow, J-Flow, the kind of thing that you're used to getting in your data center environment. But just like in the data center environment, how useful is that data? Does it actually prioritize and show you risk? Does it actually call out the places where vulnerabilities may be exploited? Probably not. And so that is where the move from just being able to perhaps draw some kind of dependency map to being able to overlay risk and vulnerabilities, and to begin to assess the potential damage of a particular flow or connection being exploited, that becomes an incredibly useful capability. The interesting thing is that if you can map not only the infrastructure that you might control, like virtual
machines or things in EC2 or something like that, but you can actually also map all of the flows between cloud-native services, the different software subscriptions that you use on the back end for different services, how would that change your perspective of what's involved in the application, its risk, so on and so forth? And that is the thing that really transforms understanding: when you can see across the cloud-native applications, in other words whether it's a VM, whether it's a serverless thing, a managed database, an ENI, if it's flows, application dependencies, what if you could just see all of that in a single pane of glass? And it wouldn't matter if some of those things were in Azure, if some of those things were in Amazon, if some of those things were in the data center. If all of that could be brought together and you could clearly see each component of the application, whether it's a rented service or something that you've built, that all of a sudden begins to form a more complete picture and understanding of the residual risk. And of course from the security perspective, once we know what's going on and we can actually understand it, our attention immediately shifts to a response activity, that is, how do we prioritize what we've seen? You know, it's the old thing: if you have one alert, that's good; if you have three alerts, that's manageable; if you have 300,000 alerts, that's not helpful. And so being able to assess, prioritize things, and then put in necessary protection as you go, that's the goal that I think everybody wants to get to. So if we can see everything that's going on in the cloud and we don't have blind spots, we have a real-time traffic flow and application map and we can see what's going on, how can we then assess and prioritize what's actually happening? Well, the ideal situation is where we can know exactly what did or didn't happen with reference to a policy. So if I say that these five services should collaborate together to form an application or a
service that's going to do something for my application, is that what's actually occurring? Are people or APIs or something trying to go around that policy? Are there other things happening? And can I actually then see the risk, in other words where are the vulnerabilities that might be discovered by my vulnerability scanners, can I actually see those things, and then optimize the rules so that the rules are kind of as tight as they can be but no tighter? In other words, we don't want to break things. And can all of that then be automated and brought under automation so that it can be kept continuously up to date? Well, that's certainly the goal: to move from understanding and from prioritization to an ability to program and orchestrate those policies so that they're API-driven. You could almost think of it as segmentation as a service. If you could call and ensure that an application got exactly what it needed, that all of the components were covered, whether they were cloud-native services, things that you built, or things in the data center, that would go a long way towards making zero trust work in what is perhaps the most complex application environment that you have. Ultimately, this goal of collecting object metadata and flow telemetry, that's the raw input, if you will. We take in flow data, we take in object lists from the cloud, and bring those together to build these application dependency maps, and ultimately then to recommend rules and optimizations that work at scale. So that's useful. That is a big help if we can do those things. I think that for many people the areas of cloud security are things that they're working actively on to keep pace with the change of development elsewhere in the organization. Almost everybody has done something in this past year to deal with ransomware. I hope for you it was not actually dealing with the outcome of a breach. For many it's being very aware of all of the methods, the things that are happening out there, and then combing
through our internal lists of connections and systems to see whether or not we would have been exploited by some particular attack, some particular vector, some particular piece of software. And so I think most of us understand that ransomware ends up being successful because somewhere detection fails. Everyone has scanners, everyone has a variety of find-the-needle-in-the-haystack infrastructure, but in the cases where ransomware has been effective, that detection has failed for whatever reason, and then some relatively small incursion establishes a footprint from which things spread over a period of days, weeks or months, and ultimately, after critical assets have been compromised and data removed, then a trap is sprung and the critical assets are actually held for ransom. And so typically that encryption step is the very last part of a rather lengthy process. And what we've had a lot of requests for is a way to contain that ransomware, to limit the breach exposure. In other words, I can't necessarily control if someone in my organization clicks on a bad link. We're going to educate them, but if they do, what else happens? Well, if you can limit the breach exposure by controlling where things can talk and over what ports and protocols they can talk, even if something's compromised it may not be able to get very far. If you have strong risk-based visibility where you understand how vulnerable ports and protocols are exposed in your environment, you may be able to either prioritize patching or put in place segmentation that limits the exposure of those vulnerable services and vulnerable ports, and in this way it becomes possible to contain ransomware, to give it less surface area, to control the paths that it might look to use to move out and about in the wide world. In this we understand, of course, that some ports are riskier than others. Some ports are by nature highly connected, things like core services; of course they talk to everything in the data center or
everything in the cloud. Peer-to-peer ports, some protocols are meant to communicate on an almost unlimited basis, and some ports are simply well known: they've been around a long time, and so by nature they just have more bugs and they have more known exploits. For those things, regardless of what category, being able to control them holds the key to containing and limiting the spread of ransomware. Some of the strategies that organizations are looking to take include being able to block those risky ports. I bet some of them you don't even use, so why not just shut them down and make it so that they can't be exploited? Some of the ports, like RDP, are quite necessary for administrative access, but how can they be limited so that only the people and only the pathways, maybe a jump host, are available for use with RDP, and there's not an ability to go from arbitrary server to arbitrary server inside the environment? How quickly could you put a ring or a fence around uninfected assets if you needed to, or know exactly where communications had occurred if somebody was in the environment? In the end, if you're able to have some of these types of control, it improves post-intrusion response. I mean, if, heaven forbid, ransomware got into any one of our environments, what's our first impulse? Well, our first impulse is basically to say, what can I lock down, how can I stop it from spreading any further? And so we've been having conversations with people around creating containment switches, a capability that you could trigger either through SOAR or an API or manual effort. It's basically the break-glass-in-case-of-emergency switch. It's the ability to say, whatever my current segmentation is, if something goes wrong, how quickly could I put in some new rings or new fences around the infrastructure that I consider most critical, whether that's an environment, certain servers, certain user endpoints? What's possible, and how quickly could that be put into place to bolster intrusion response?
On the proactive side, is it possible to stop ransomware spread at the source? In other words, typically the way that ransomware enters an environment is through the user machine, the endpoints, and so it follows that if the user endpoints have some controls on them, it may be possible to stop ransomware spread right at the source. For example, it may be that one user endpoint is an administrator, and they need to be able to use RDP to get into the data center or to get into a cloud environment. It may be that me, as a different user who doesn't have IT responsibilities at Illumio, I probably should not have RDP access to anything. And so it may be that whole swaths of the user population can have these protocols simply turned off and limited to only the people that need to have them. Many of the peer-to-peer protocols are designed to allow any machine to talk to any other machine. Are these protocols actually necessary? Do you expect to have users mounting SMB file shares from other users, or do they do that only to a small handful of servers inside the data center? By eliminating these pathways, even if something, heaven forbid, were to get onto a machine, when it goes to look for that well-known pathway and the way that it's used to moving around in the world, wouldn't it be wonderful if it simply found that door closed and barred and unable to be used for exploit? And if you could tie these policies to identity, then all of a sudden it would be possible to have a group of administrators have the access they need, while a group of other users inside the organization would simply not be able to access things that they shouldn't. Well, this is all good news, because what it does is it presents a full life cycle opportunity for ransomware mitigation. Prior to an attack, you can reduce the operational network by eliminating unnecessary paths. If the organization has a policy that FTP and Telnet shouldn't be used, well then let's get those turned off globally so that they just don't work. This
improves all threat hunting and detection by making the operational network smaller. Before an attack, you can create, test and stage one of these containment switches: the ability to have an emergency plan that you can activate quickly if you need to. And if your infrastructure and team find some kind of intrusion or incursion, then you can set in place that plan, trigger those plans, and you can activate those policies that would then isolate and protect critical systems, whether that is as tight as simply cutting them off from other things, which you might do for certain core databases or financial systems. You might not want to run that way for very long, but you might want to run that way long enough to get the problem resolved wherever it's happened in the environment.

Well, let's move on and talk a little bit more about that area of isolating critical assets. I mean, if you could in 2022 take care of seeing into your cloud, if you could mitigate and contain the possibility of ransomware having effect in the environment, and you could also do a better job on critical assets, I bet somebody would be pretty happy with the outcome of 2022. So with respect to critical assets, a simple goal is just to eliminate unnecessary communication between applications. That is, if my application doesn't need to talk to yours, it simply shouldn't be able to, even if they're in the same subnet, even if they're in the same VLAN, even if they're in the same infrastructure in the cloud; they just shouldn't be able to talk. That way, if my application is compromised, it can't get to yours. So this fundamental idea of least privilege, or zero trust if you will, automatically reduces risk everywhere. There are lots of things you can do to manage risk, but if you actually control the ability of systems to communicate with each other, you reduce risk with every policy that you put in place, and by eliminating these east-west paths you can basically make it all but impossible for an attack to spread and to remain undetected as it
tries to do so. The way that it would work is simple. Most people have controls at the environment level; that is, they can keep dev and prod and staging separate, they can segment off their PCI environment from the rest of the things that are in the infrastructure. But if somebody wanted to put a ring or a fence around something as small as a single application, how easy or how hard would that be? In other words, could I separate one application from another in the same subnet, VLAN or zone? If you could, what would happen is, if something did get in and compromise one application, it would be the compromise of one application or one system; all of the other systems would still have their rings or their fences in place and remain unaffected by the breach. And so, by being able to take at first, I mean, it might be a noble goal to get every system done, but what if you took your most important systems, your most critical databases, the places where you have PII, the places where you have intellectual property, health care data, the critical things that run your business? What if those systems were simply carved out from the rest of the things in the data center? It would be a meaningful and valuable risk reduction, I suspect. I think the things you'd want to look for as you look to do this is to find situations where you can get help with automatic policy creation, where you can have a system that simply says, how do you want to separate this? Do you just want to put a ring or a fence around the whole application? Do you want to separate it out tier by tier? Do you want to do it system by system? How would you like to do it? And then have some intelligence actually run that down for you, so that no one's stuck typing a bunch of ACLs and firewall-type rules. And the key to doing this is to be able to enforce everywhere, to leverage firewalls that you already have in place. Like, sure, we've talked about the things that may be separating dev and prod, but what about the firewalls built into the
operating system, iptables and the Windows Filtering Platform? What about being able to use them completely independent from the network? What about being able to leverage your load balancers, being able to leverage firewalls that are kind of found across the infrastructure, so that whatever your policy is, it can be enforced, no matter whether it's highly granular or maybe it's a little bit less granular? In summary, if you can minimize the ways that application services connect, you can minimize the impact of breaches, whether they're ransomware or otherwise, simply by removing the paths that things spread. Think about it: ultimately, hackers, malicious actors, these are all people that are going to try to use well-known paths and well-known things. They need to use things that are common; they don't know the finer points of your custom-built application, and if those pathways are controlled and you can only go in the ways that are intended, all of a sudden it reduces the risk across every single attack vector that you could imagine, and it protects the things that matter most to all of us.

So as we think about how to have a great 2022, I would suggest to you that a good way to do this is to first get better visibility into the total environment, whether it's things in the cloud, the data center, colo facilities, endpoints, data centers, VMs, ENIs, whatever the collection of things are that make up your world. Let's get all of that mapped and risk-analyzed so that you can see clearly exactly what's communicating to what and how that reflects the various vulnerabilities that exist in the environment. It's great practice to close and control the common and risky ports that are usually exploited by ransomware, and it can fundamentally make a huge difference. We know of one organization that did this: they had some ransomware get in their environment, it was able to get on four systems, they immediately detected it, they removed it, and what had been a catastrophic attack at one of their competitors just
months before was literally snuffed out within 40 minutes with no adverse effect to the organization beyond minor inconvenience. It really matters if you can control ransomware and not end up in the news. And if you could then move your security posture forward, you might not want or need to get to a full zero trust implementation in 2022, but what if you isolated your crown jewels and your most important traffic and got that all tightened up and under control? Well, we think that would actually be a pretty good thing, and we've got a case study that you can get, I believe, by clicking on the appropriate things here in the interface. You can actually download this customer story; it's real world, about exactly how somebody secured their move to the cloud. So I will leave that as reading for you, but it's well worthwhile to see exactly how some of these benefits can be taken out. So with that, I want to thank you for taking the time to be with us today and to consider some of the great things that would be possible for you in 2022, and I'd be happy to take some questions if there are any.

Okay, great, thanks, Nathaniel. I'm going to go ahead and put the poll up here for you if you'd like any additional information about the Illumio solution, and just to confirm what Nathaniel was saying about that presentation, or, I'm sorry, the PDF, that is available in your handout section. So you just click on handouts, and it's number eight, Illumio, there, and you can get that case study. But Nathaniel, we do have a few minutes for a couple of questions, and the first one I want to ask you is: what's the mix of native versus agent-based controls that's necessary to achieve these outcomes, and how do you know where to use each of them?

Yeah, that's a really good point, because I think that what happens is that most people don't realize it at first, but as soon as you think about it, you realize that almost
everything in the data center or in the public cloud has the ability to take ACLs, has the ability to take firewall rules. I mean, you think about the kind of virtual infrastructure that's in the cloud, the virtual infrastructure to the hypervisor, the inbuilt firewalls that are part of the operating system, the hardware firewalls, load balancers, VPN gateways, core routers and switches, and all of a sudden you realize, oh my goodness, literally everything in the world that has a network stack almost has some kind of filtering capability. But it's really hard to use because they're all different, they configure differently, and there are scalability issues. But it starts to raise an interesting question: I know how to configure the firewalls that are at my perimeter; the firewalls that might be in the cloud configure similarly, and they're very manual and hard to do. But are there places that I need more granularity? Well, I think that's one of the first dividing lines. If you need more granularity, that is, I need something that's more granular than dev and prod, I need something that's more granular than a VLAN, I need something that's more granular than a subnet or a zone, well, those are all places where looking for inbuilt or native controls is going to be very important, because, frankly, the physical firewall just doesn't have the granularity to do the job without backhauling the traffic. Inside the cloud, using the cloud native controls is important almost from the get-go. If your whole world lives in Amazon EC2, well, you may be able to use firewalls that are built into the operating systems that you deploy in Amazon, but most people that are in Amazon are using a whole mix of cloud native services from Amazon, from other third parties, development and code libraries; they're tying it back to EC2, they're exchanging data back into the data center, and in these cases the only infrastructure that's capable of addressing all of those places is the cloud
native infrastructure. And so I think what we see is that it's a mix: people use their physical infrastructure for some things, they use their cloud native infrastructure for some things, they use the host native infrastructure for some things, and the important thing is, if you can tie that all together with a uniform set of policy and visibility, great.

Hey, we had a question here also from Bradford: does the Illumio product define, and he describes it as, unnecessary communication, or is that the role of my net ops humans?

It's a combination of things. There are certainly systems for which having human input is helpful, to say, hey, this is the way this application works and this is what we want to have done with it. We also take in a lot of data from vulnerability scanners and other sources to establish what's a traffic baseline, number one, are things deviating from that, and then number two, are there vulnerabilities that are sitting at the end of some of those pathways that need extra attention? So, as you might expect, it's a combination of human desire, things I want to be true, as well as things that are observable about the environment itself.

Okay, gotcha. Well, Nathaniel, I think that's unfortunately all the time that we have. There are some other questions in there in the console that you might be able to address electronically, but thanks so much for coming on and for bringing us up to speed on Illumio. Really appreciate it.

It's been my pleasure. Thanks so much.

Okay, now we're going to move on to our next prize winner of an Amazon gift card. These are the 500 Amazon gift cards, and card number four goes to Shen Oo Yang Shan from Tennessee. So Shen, we will be reaching out to you about how to get your card. So congratulations to Shen, and with that I'm going to bring down this poll. Thanks to everyone who's answered it, appreciate it, and we're going to move on to our next presentation,
and I'm happy to welcome back Aubrey Turner from Ping Identity. I'm going to turn things over to Aubrey. Welcome.

There's more 2021 behind us than in front of us, and with 2022 upon us, before we know it we will be singing Auld Lang Syne. My name is Aubrey Turner, I am an executive advisor at Ping Identity, and for the next 20 minutes or so I would like to share some thoughts with you on developing your 2022 security plan. Now, you've probably already started down that road, so hopefully this session, this presentation, will validate some of the things that you have in your 2022 security plan, but also hopefully there are some fresh and new insights that can help you continue to shape that plan for 2022 and beyond. So with that, let's dive right in. I'd like to talk a little bit about Ping Identity's mission to kick this off. Historically, experience and security were opposing requirements, but identity has now recently brought the two closer than ever together, and really experience and security, ignited by identity, again, into a better partnership. It's almost as if identity had to mediate and vouch for each other so experience and security could find common ground. I'm hopeful that there isn't as much debate about this one as pineapple on pizza, or basically anything with pickle juice; I really don't think identity can improve the pickleback. But let's talk about what identity can do. The common ground, the common goal, of frictionless security and user experience can be achieved in partnership with identity, and that's our mission at Ping: find the intersection of frictionless security and the mission, which can only be achieved through identity. And this is a theme that will continue to play out through the rest of this presentation. At Ping Identity we serve enterprise; we serve some of the largest banks, health plans, biopharma and retailers, 'tis the season. So roughly 60 of the Fortune 100 are our partners and
customers, and over 2 billion identities secured. So hopefully that helps give you an idea about Ping Identity, our mission and who we serve. Let's talk a little bit about why identity matters. You likely have some of your own ideas, but let's kind of get on the same page and talk about why identity matters. Identity has been slowly making inroads and coming to the forefront with its cyber security peers and other domains in cyber security. It's almost as if identity has gone from a D or C list to A-list, red carpet cyber security celebrity in the last few years. But I'll point to some incidents and some breaches that happened in 2021 to kind of illustrate why identity matters, and of course 2021 continued the trend of breaches, albeit with a slight twist that I'll get to here in a moment. What you're looking at is a snapshot of a tweet from a researcher and/or analyst or reporter who went a little bit more in depth and covered one of the breaches that happened in 2021. To kind of boil this down, stolen credentials were being used to register a device for multi-factor authentication so the attackers could gain further access, and as is often the case, it's a business partner who discovers that something is amiss before even the target organization. But here again, illustrating that identity matters as part of how this breach was discovered. We know about personally identifiable information and the theft of that type of data, and that can be a slow burn; oftentimes the data is stolen and may sit unused for a period of time and then sort of rears its head much later. And there are 15 billion credentials on the dark web, by the way. In this situation, VPN, a not often used VPN, the credentials for it were compromised, leading to a breach, and what I mean by sort of the more immediate effect was citizens were impacted as a result of gasoline shortages. It
created a lot of anxiety, fear and even some bad human behavior among citizens. So imagine this on a larger scale with other utilities and critical infrastructure, and you can see why identity matters. By the way, just a quick note here: I'm predicting maybe we'll see some more tort and class action lawsuits going forward as a result of breaches and incidents, not necessarily a good thing, but just something for us all to keep our eye on. So identity matters so much, a presidential executive order on improving the nation's cyber security. And, not to pile on, but add the most inflation that we've seen in years, economic volatility, supply chain issues, and conditions are ripe for attackers. So identity matters more than ever, earning that A-list red carpet celebrity status, if you will.

So, in the spirit of the holidays, which are upon us, you've probably got a wish list of things that you're looking for, and besides the G.I. Joe with the kung fu grip, your priorities and the things that you want from a cyber security perspective include cloud, a zero trust stocking stuffer, and passwordless, the greatest gift of all. But, again, I don't know what our audience's backgrounds are, but I'll just call it out: these three priorities all have one thing in common, and that's they are all identity related; identity is related to all three. So let's break down these presents, right, and share a little bit more about each of these three going forward. So allow me to present and unwrap a few of our capability maturity models, the first one being journey to cloud. Really, what these illustrate is we have a vision and we are a strategic partner and we have a story from an identity perspective, and that's the backdrop of these journeys. So in the journey to cloud, we start with unified cloud admin, because we want to unify deployment, we want to unify
administration, automating routine tasks. Move on to a cloud authentication authority; we can think of this as an identity control plane, with APIs, public APIs, applications running everywhere, data residing everywhere, and the need to move fast. And let's face it, most of the digital transformation has occurred outside the four walls. We need a cloud authentication authority that can centralize and manage all of the identities and access associated with these varying factors and the evolving nature of how we build and run our businesses. So identity needs to be part of this journey, and it's like our passport, and a passport allows us, on a journey, to visit multiple countries; identity is akin to that as far as the journey to cloud, as well as the upcoming journeys that I'll share with you. So we move on to verification. We've got to know who we are, who we're doing business with, and who's asking and requesting access. We need to be intelligent about that, so we layer in risk that has machine learning and artificial intelligence built into it, and certainly multi-factor authentication, and so that becomes part of the journey. And then we can also move to retiring legacy access management systems and technology. So this journey will allow us to save money, time, maximize our effort and minimize complexity.

Moving on to the journey to zero trust: we've moved from implicit trust to zero trust, never trust, always verify, and, similar to the previous journey, we're establishing an identity foundation. Some of the first steps from a zero trust perspective: knowing your users, knowing your identities and knowing your devices; SSO everything, MFA everywhere. Those are the concepts. By the way, this is an identity-centric zero trust model that I'm speaking to: any user on any device connecting to any application or service, but all of that is again treated as if it was
originated on the public internet; take an assume-you've-been-breached approach. So those are all the concepts. So once we've established that foundation, we optimize the new perimeter, which is really identity. We add intelligence and risk, and that is, vis-a-vis, again, knowing, being able to proof and validate the level, or determine the right level of assurance for the identity based on what they are trying to access. We do that smartly and intelligently through, again, risk and risk signals, and this can be from multiple sources. And that takes us to reducing friction, and reducing friction, or frictionless security, is all about speed, convenience and intelligence. And so again, following this journey to zero trust will help take us there. Then this is really about helping the business take advantage of cloud and the promise of cloud for agility and flexibility. This model, this identity-centric model, will allow us to do that: enable the right people to have the right access at the right time in a secure and frictionless manner. So that's the journey to zero trust.

And journey to passwordless: did I mention we're coming for your passwords? And here's how we'll do that. Again, centralized authentication, you see a theme here; phase out passwords via single sign-on and multi-factor authentication; use passwords less, and certainly having risk, again intelligent risk, could be part of that; leaning into FIDO, which is a standard for passwordless authentication; and then ultimately taking us to zero login, where the user may never actually know the password, and/or a password is actually never created, because we have trust from the start of the registration process. We know who the user is because we've verified them, we have a level of assurance that that user is who they say they are, so we can use other forms of authentication and actually never even establish a password. Think of that as zero login, or recognition. We still may have a username
or we may not; there are, again, various methods, but the idea here is certainly using less, reducing the number of passwords, and eventually taking us to a state where there are no passwords. All of these journeys, by the way, accelerated by identity, again, identity being that fulcrum between convenience and security, bridging that gap, helping us achieve that common ground, that mission of frictionless security. That's just kind of part of the story; there's more, and this is actually the really exciting part, and that was somewhat of a warm-up. So we have these journeys; how do we maximize this? If we're being honest with ourselves, identity hasn't always been, let's say, easy to, again, maximize the capabilities and lead us to the cyber security outcomes that we're looking for, and may in some cases have held back efforts due to some of the integration that was required. We need to go faster, we need to keep up, we need to help the business accelerate, and the answer to that is orchestration. So if we're on these various journeys, how do we tie them together, how do we make these things work, how do we go faster, how do we, time is money, how do we add speed to this? That is orchestration, which I'm going to talk to you a little bit more about now, and it's really the central theme of this, and what we hope is part of, and what we think should be part of, your security plans for 2022.
Your users are on a journey with you. Start by verifying them, knowing who they are, creating a profile that you manage; certainly authenticating them, making sure that that authentication process is secure but frictionless; certainly authorizing them, is this the right person, should they have access to this service and/or data; and then safeguarding the user as part of their journey with you. From a customer's perspective, the user experience is key here, personalizing that, making sure our users trust us and trust that we are maintaining their privacy. Customers spend more with brands that they trust, but we need to be able to integrate sort of marketing solutions, be able to support our customers, and again build loyalty solutions, and so that's very, very important. Customers are requiring more, as well as employees, and this is really from a productivity perspective: productivity for employees regardless of where they are, whether they are still in your offices, in hybrid remote models, or business partners that are all over the world; again, making sure that they are productive. And certainly use cases and identities of all types, including those that are industry-based; healthcare and retail come to mind, again, 'tis the season. Creating great end user experiences that are secure hasn't been an easy task, not an easy task necessarily, but what if I told you you could tie all these pieces together in one place? You'd be interested in hearing about that, right? And of course I'm going to tell you about that. So Ping Identity's identity orchestration service solution, currently known as Singular Key, is the one place, the one beautiful place I should say, to manage it all in one. So across all the identities that you have, all of the use cases, all of the flows, even those that are industry based, tying all that together, Singular Key
essentially collapses thousands of lines into a single API. The tagline: if you can whiteboard it, you can build it, you can configure it and you can deploy it. So, creating great end user experiences that are secure: this orchestration, the Ping Identity orchestration service, transforms how companies onboard customers, perform identity proofing, identity verification, know your customer, even in financial services such things as are required for anti-money laundering; authenticate, the MFA enrollment, passwordless, fraud detection and mitigation, stitching all of these things together, so any user connecting to any asset, service, data, for example. This cross-channel platform integrates and orchestrates over a hundred vendors across these capabilities, again collapsing hundreds of lines of code into an API, and by the way, this is certainly within the Ping stack but also disparate, heterogeneous vendors. That, again, is one of Ping's mantras: we partner with your partners, and you have these capabilities that may exist within various tools, and again the idea is we can orchestrate that for you, connect any user to any asset, tie that together across the user journey. Another way to think about this is, in a symphony, one person playing may sound good, sort of a violinist or cellos or whatever; one person playing may sound great, but when the conductor brings the entire orchestra together, they amplify each other and yield a beautiful result in composition. And that's the idea here of orchestration: tying various types of instruments together to yield a beautiful result and outcome. I'm not much into identity cyber security hyperbole, but this is a game changer, like the iPhone, or the Tesla Model S for battery electric vehicles; this is a game changer for the identity industry. So of course I'm really excited about what this holds for securing identities and
securing business going forward. So what are your priorities? I'm not much into New Year's resolutions, but what are your goals for 2022? Will you be ready for even 2023? Ping can help you get there and make the most of your investments. We can support all journeys through identity orchestration; we would love to show you how. So please, and as always I encourage questions and feedback, please reach out. In the meantime, have a great rest of the year, and I hope your cyber security plans are fulfilled and essentially come through for 2022. With that, thank you, and stay well, take care.

Okay, great, thanks, Aubrey, appreciate that presentation, and I do want to put up the poll for anybody who wants some more information about Ping Identity. If you could just enter what you're interested in there, we will be sure to get those out to you. And Aubrey, are you ready for some questions?

I sure am, let's go.

Excellent. All right, well, that was a really nice presentation. I especially liked the road maps for journeys to MFA, zero trust and passwordless, and orchestration as a security priority for 2022 makes a lot of sense. We have some questions in here, so: what are the main obstacles to passwordless adoption?

Yeah, there's a handful of them, and in all the conversations that I've had, let's just say even from the start of 2020, 2021 to now, I can kind of summarize all of the challenges into sort of three basic things. One, technical debt and compatibility issues, real or perceived, and that has to deal with the tech not catching up, well, the tech finally catching up with the hype of "kill the password," right? So in the last 18 months to two years, that's happened, so we've made steady progress around addressing some of the compatibility challenges and tech debt issues. That's not to say that they are eliminated; they still exist. The second thing that I've seen
that I can share is sort of all the use cases. There are various scenarios. You take a given industry, such as healthcare or manufacturing or others, that you can think of, and their various user scenarios. So the passwordless sort of method that you may need for somebody who is a corporate administrator at a hospital, versus somebody who's actually on the hospital floor, a clinician who's actually on the floor doing healthcare things: the methods that you may need differ, and you need to be able to adopt and offer different methods. And this applies even on the consumer side as well, right? You kind of need to meet the customer where they're comfortable engaging with you. So that's the sort of second kind of summary bucket. And then the third, and oftentimes this is the biggest challenge, is fear, human behavior, right, and just kind of changing human behavior, and I see it on two ends, right? Sometimes organizations are hesitant to put in these changes and passwordless for customers, also fearing that they might get pushback from employees and business partners. And then we're really comfortable with passwords, despite all of the bad things that have happened, despite the 15 billion credentials available on the dark web, besides the poor user experience, besides having to use a password manager to maintain hundreds of passwords; we're still comfortable with them. So it's that fear of change and leading people through change, both as, again, those that would be putting in passwordless and those that would be on the user side of it. So there's a lot to work through and overcome there, but we're seeing organizations make inroads against those things. Like I said, the technology has caught up, we can focus on piloting specific use cases, and there are
techniques from a change management perspective that we can help people with, to overcome their apprehension. And then the last thing, really: passwordless may not even be the best term, right, because really, at the start of it, as we all saw in that journey that I walked through, it's about fewer, it's about less and fewer authentications, not necessarily eliminating the password right off the bat; you're not going to be able to do that, per se. So fewer authentications paired with risk intelligence, that's the roadmap, and that's what we're seeing work and be successful.

A lot of great points there. Sticking with passwordless, we had a question from Dave asking basically if COVID and all the remote workers changed passwordless, or made it more difficult to implement, or makes it more difficult to implement with a lot of employees in the office likely using their own devices. What have you seen there?

Yeah, and this is where we can do a couple of things. One, identity proofing is an option there, to confirm who the user is claiming to be against a trusted source. So, to kind of pick an example, a very obvious one is a driver's license, right? There are other options, passports and other types of identification, and we can, through kind of like a live selfie and other attributes about the user, compare that selfie to trusted sources and verify that person is who they say they are, as part of registration, as part of authentication, or even account recovery, like let's just say somebody forgets. And then there are some things from the device management perspective that we can do. Obviously, here again, there are various things that we would need to work through: is it a corporate device, is it a personal device, which I think Dave is talking about here. We can actually query the device to see if it hasn't been jailbroken, is it current, up to date,
those are some things those are some signals that we can we can take in and process uh along with the identity verification and all of this depends on the level of assurance right that you're looking for uh risk is a is a key element but we can take and process risk signals look at other forms of authentication by metrics but the type of method i should say and look at all of that and and make a decision about whether um somebody should be authenticated or whether we need to step them up again in that passwordless journey we're talking about fewer authentication so we've got to be intelligent we've got to leverage signals and leverage risk as part of that those are some things that i've seen again help us in this day and age where people are remote and may not come into the office it does become about alternative means of of establishing trust and again understanding the level of assurance that you need uh candidly uh you know authentication is not as binary as it used to be it kind of used to be like a yes no kind of thing because we were in trusted environments we had implicit trust we're on a network we're on a corporate device et cetera et cetera obviously those days are gone so we've got to look at other methods to establish that i trust um vis-a-vis some of the things that that i shared with that if that makes sense so that helped yeah absolutely and aubry unfortunately uh we're running out of time so i think we're going to have to leave it there uh i will say there's been a lot of questions coming over the transom here so you know if you have a few minutes and you can answer some of those electronically i'm sure everyone would appreciate it yeah i'll say one one thing um that to dave's point and this is where orchestration comes in being able to stitch all these different user journeys together to yield a better outcome and if you can sort of imagine it and we're really only limited from a use case perspective by what you can imagine and certainly not every 
technology is is integrated yet but again rapidly adding all the connectors into the orchestration service this is exactly where orchestration could come into play build this user journey um and then you can test various iterations of it so kind of do a and b testing today's point and figure out which is the best journey to take that user on who may be working from home who hasn't been into the office so i just i'll i'll leave it there and go ahead and answer some of the questions in the chat but hopefully people found this helpful and uh like i said i encourage feedback and additional questions uh don't hesitate to reach out and thanks thank you yeah no i know i found it helpful or informative um so aubry thank you and and thanks for uh for the update on ping identity really appreciate your participation today yeah my pleasure thank you very much and with that i'm going to turn things over to my colleague dave davis david thanks scott i'm excited now to come back in so i can announce the winner of our next amazon 500 gift card this is going to ryan hopkins from california congratulations we'll reach out to you to deliver that prize all right so with that it's now time for our next presentation on today's security eco cast i'm excited now to introduce paul caspian principal product marketing manager at palo alto networks paul it's great to have you on thanks for having me great to be here excellent well take it away all right uh well hey great segue to our next topic i can't believe we're already talking about security in 2022 but i mean our technology partner ping identity who just presented talked a little bit in the end on the q a about implicit trust and that's exactly the topic i want to be talking about today around delivering the zero trust enterprise so as you're thinking ahead to 2022 i'm sure this is on your list of topics whether you've kind of started your zero trust journey you have some zero trust initiatives in play or you're just sort of thinking 
about mapping that out. I think this will be helpful in terms of that process for getting ready for next year. So to dive in, I'll talk a little bit about the state of zero trust going forward in 2022, some of the strategic opportunities that it presents, and really, maybe more importantly, I'm sure many of you out there, as you start reading about zero trust and some of the great stuff published by organizations like NIST that talk about how to implement it, you're probably wondering, how do I go do this, right? So we're going to focus on how to make it actionable, and a little bit about how Palo Alto Networks can help you do that.

So to jump in, I'm sure many of you back in May saw the executive order around zero trust. It was really pretty interesting, right, because, not to my knowledge, I've never seen something like this where the federal government actually has an executive order that addresses cybersecurity in such an explicit way. And I think this kind of activity really speaks to the criticality of the different attacks that have been happening: the more sophisticated targeted attacks, some of the things we've seen on the supply chain side, but also just in terms of the sophistication of a lot of the different threat actors out there that I'm sure you heard a lot about today from some of the other presentations. And so this is really a huge move, and we've really seen a big uptick ever since this directive came out in May, and a lot of interest in zero trust architectures in general, and just really, again, going back to, how do I do this, given my infrastructure, this mixture of legacy stuff, newer stuff, how do I do it, where do I start, things like that.

So I mentioned NIST, and organizations like NIST have developed some excellent guidance around zero trust. It's very explicit, it's very prescriptive. If you take a look at 800-207, it gives you a very good idea of the spectrum of different considerations when it comes to zero trust: things like identity, and the folks out there that do a really good job at stuff like MFA and strong authentication, things like that, all the way to how do you create a policy around zero trust, how do you implement least access, things like that. Unfortunately, there's still a lot of confusion out there about how do I go do this given my current security tool set, things like that. And so there is the NCCoE, the National Cybersecurity Center of Excellence, which is part of NIST. Palo Alto Networks is one of 20 vendors that have been selected to help flesh this out, right, and figure out, okay, what are reference architectures that help go do some of this stuff, what types of tools should I use in doing it, and also, given the tools that I have today, if you have things like our next-gen firewall or other types of security tools, how do you go out and use those tools to put those zero trust controls in place. And so that's something that, in terms of zero trust and evolving the standard and how we do it, we're really focused on at Palo Alto Networks, really working closely with NIST as part of their NCCoE to take it to the next level in regards to how you go and do this.

If we step back and look at zero trust from a very high level, there's a lot of debate about what it is and what it is not, things like that. It's really a strategic approach. It's definitely not a single product. And it's really focused on, and I kind of opened up with this and it was mentioned in the last session, eliminating implicit trust, and you do that by continuously validating each stage throughout a transaction or a digital interaction. And that's really become important from the standpoint that our environments have dramatically changed. We've seen that with the exodus from the office that we had during the start of the pandemic and everyone working remote. The world has really changed in terms of our infrastructure and this digital transformation. I think the problem really is, and I know many of you can relate to this, that we have this tendency in the security industry to play this whack-a-mole game, where a new security risk comes out or a new threat comes out and we go off and find a new tool to whack that particular mole and try to solve that problem. And we've created this scenario where, I think I saw a number that most enterprises now have over 100 different security tools that they're using, right? And so we've created this enormous amount of complexity in terms of trying to keep ratcheting up security and dealing with the next problem. And I think that really speaks to the need for something like zero trust, which is a much more broad, holistic, strategic approach to security versus a point-by-point approach.

So if we look at it from a business opportunity or enabling opportunity, zero trust really gives us an ability to take these initiatives we have today, things like network transformation, data center, moving our applications to the cloud, transforming our security operations, and it gives us an opportunity to go back and really rebuild and retool some of the ways that we do security in general, right? And I talk to a lot of customers that say, well, I don't really know if I have the budget for this, I don't know if I have the expertise for this, it's going to make things more complicated. But in essence, if you really do zero trust the right way, not only should you have better security, but you should actually simplify your security operations to a great deal and really reduce complexity overall, because you're not treating particular users differently based on where they're connecting from, you're not treating one scenario in a certain way and another scenario in a different way. You're really enforcing the highest possible level of security, and you're doing that regardless of physical location, things like that.

So if we talk about how we deliver on this, how do we create the zero trust enterprise and how do you start thinking about this in 2022? Our orientation at Palo Alto Networks, our point of view, is that we look at it from three different ways: one is users, another is applications, and the third is really around infrastructure. Users is where many of you probably think when you're thinking zero trust, things like zero trust network access as an example, ZTNA, which is a subset of zero trust, or maybe you start thinking about identity, right, which is a really important component of applying zero trust to users. But if we look at it across the board, zero trust is really something that needs to be thought about in the context of not just users and not just connectivity, but also more broadly across the infrastructure: your cloud applications, your hybrid cloud, your infrastructure, your supply chain, things like IoT. Those all need to be part of the equation when you're thinking about zero trust.

So if we look at users, this is the way you can progress through the stages or the use cases around users. It starts with strong identity, strong authentication, doing things like MFA, doing challenges for identity, constantly validating that identity, going back to that definition of zero trust. But you also have to look at things like device integrity. You need to look at enforcing things like least access. So if you read through things like NIST 800-207, it talks about least access, segmentation, really locking down those users and those devices, things like that. And then also constantly inspecting all those transactions, looking for malicious content either coming from the user, coming from the device, or obviously inbound from the internet, coming to the user or to the device. Those are really the important aspects of those four areas when we're talking about traditional things like looking at users.

Now, I mentioned users is just part of the equation, and so you can apply this same methodology as you evaluate your own security posture and your own zero trust posture, and you can apply it to applications, right? Am I validating developers, DevOps, administrators in terms of these applications? In this case, am I verifying the integrity of the workload in the cloud? Am I enforcing least access for those applications, those workloads? And the exact same kind of thing can be applied to things like infrastructure. And so if you take something like IoT, which is highly interesting to me and many in the industry from a security standpoint, IoT presents a really big security challenge in the sense that it's really growing the attack surface. Devices are highly vulnerable, and being able to see those devices, have visibility, and then also apply those same zero trust best practices like least access and least privilege, is really key to locking those devices down, making sure they're not doing something malicious, they're not enabling things like lateral movement, things like that. So I think you can see a common theme emerging here across these three pillars: looking at the identity, the device or workload, the access, and then also the ongoing transactions and the continuous monitoring of that.

And so if you boil that down to the different use cases, this is a good way of looking at it across those three pillars, users, applications, and infrastructure, and this makes it really clear too in terms of those four stages or steps that you might look at as you're evaluating zero trust across those three domains. From our standpoint at Palo Alto Networks, we have a really broad set of capabilities, a broad security platform, and we can actually help you with a great deal of those different use cases. We don't focus on things like enterprise IAM; we have some great technology partners that do a very good job of providing a very modern approach to identity that fits nicely into a zero trust approach. But in many other areas, around things like device integrity for users, we have things like Cortex XDR, which does a great job of protecting those endpoints. Our network security platform with our next-gen firewall does a great job of enabling you to create policies that actually enforce least access for users, whether they're looking at older on-prem applications or SaaS applications. If you really want to lock down the things that each user can do or the things that each IoT device can do, things like that, we give you a very easy way to do that within our network security platform. And then finally, on the application side, as I alluded to, we have things like Prisma Cloud, which does a great job of looking at the identity for cloud infrastructure, looking at the workloads, and really being able to, again, apply those same zero trust best practices and security guidelines to your cloud infrastructure. And so this is a good representation of our capabilities across those three pillars, and we have really good, tight integrations with our identity partners to ensure that identity is a seamless piece to enable this policy creation and the ongoing enforcement of the
controls as well.

So I want to give you a couple of examples of this. I gave you broad strokes in terms of what a zero trust approach looks like, what it looks like across users, applications, and infrastructure, and a few of those use cases. I'm sure many of you actually have implemented a lot of these. A lot of customers I talk to are kind of surprised to find out that a lot of the things they're doing today are very zero trust: they already have a really good identity strategy, they already have a ZTNA approach for remote access where they're enforcing least access for users that are coming in. A lot of you are probably already doing a lot of the zero trust best practices. So part of it is really just looking at what you're doing today, looking at where there might be gaps in your zero trust posture, and then identifying those gaps and prioritizing.

And so I want to give you a couple of examples of what some of those use cases might look like. In regards to users, again, once you have the identity portion figured out and you've started implementing strong authentication, MFA, and even context-aware identity, where maybe identity is being stepped up based on the particular context or some of the behavioral telemetry that it sees, so maybe doing things like push challenges based on context, that's a great place to start. Then it's a matter of really locking down your endpoints with really modern endpoint protection, things like Cortex XDR. And then if we move through the access and the transaction part of this, things that are a core part of our next-gen firewall platform, user awareness, application awareness, device awareness, that's the gateway to creating some of those zero trust policies where you can really control, in a very granular way, what users are able to access on which devices, and also do that not only on traditional kinds of applications but also SaaS applications and things like that. And then constantly look for those different types of threats, right? So it could be phishing attacks or ransomware or command and control; there's a whole myriad of different types of things that you're going to want to inspect when it comes to users. And this is really the way that you do end-to-end zero trust: really starting at identity, creating a policy that puts controls in place, and then continuously monitoring beyond that.

Another one I talked about a little bit was IoT, and again this is something near and dear to me because I think it's a big problem in security; I don't think we've really totally solved it yet. And so this is a good example as well, like discovering and profiling all those different devices. And IoT makes it a little easier for you compared to users; it's a lot more static, right? So security cameras should only be communicating with a security storage server or security camera head end, right? They shouldn't be talking to other things on the network, they shouldn't be communicating to China, they shouldn't be doing anything besides getting firmware updates and transmitting video, right? And same thing with things like medical devices; they're very purpose-built, they really do one thing, and so it's very easy to lock those devices down using some of the zero trust best practices. It's a lot easier to do that with IoT than it is with users, because users are just unpredictable, they're much more dynamic, they access a lot wider range of things; it's much harder to solve that problem. But IoT is much easier. We have a module called IoT Security that essentially does this as part of our next-gen firewall platform. It finds IoT devices, it gives you risk scoring, and it also does policy recommendations to try to actually implement those zero trust, least-privilege controls as well.

So one thing I didn't mention, and you might have been wondering as we're talking about this, is, where does the SOC fit in, as an example, right? That's one thing that's really important. If you look at most guidance on zero trust, it talks about continuous monitoring, but it isn't maybe as explicit about this. The way that we look at the SOC is that, and you saw me step through this, there's the discovery phase of things, making sure you have visibility, maybe doing asset discovery, knowing where your critical data is; there's the policy portion where you're putting those zero trust controls in place, right, the least access, the least privilege. But the other question is, how do you tune that, right, and how do you know that those controls you put in place are the right ones, as an example? And so things like behavioral analytics in some of the modern tool sets we have that the SOC is using are really helpful from a zero trust standpoint as well, because the controls are really only one piece of it. You need to be able to monitor, do the continuous monitoring on an ongoing basis, to determine whether those are the right controls, whether they're stringent enough, whether you've basically accounted for different types of risks. And that's really where the SOC meets zero trust: it's really an audit point for those zero trust decisions, and it's a really important component when you're looking at the bigger picture around zero trust. Some of the ways that we do that: we talk about Cortex XDR as an example for doing endpoint protection, but it's a lot broader than that. We really use the Cortex portfolio as a platform across detection, response, and automation, and this is really part of the way that we help automate security operations. This is the way that we tie everything together. We ingest a ton of telemetry from lots of different types of security solutions and data, and that's one of the ways that we do that audit point on zero trust and look at the zero trust posture and make sure that the right controls are in place.

So one thing I wanted to close with is that one of the parts that we don't talk about a lot with zero trust is really around the expertise, right? And even though you hear a lot in the market about, if you buy X product you get zero trust, we know that isn't the case. And we even know if you implement 20 different tools or 10 different tools and you really cover it from a broad perspective, they're only really as good as the policies behind the tools, right, and the strategy behind the tools. So I would encourage you, if you haven't really delved much into zero trust or you're at the starting point of your journey, definitely engage a partner that has that expertise. At Palo Alto Networks we do work with a lot of customers around this, to basically help them start out with the basics of doing asset discovery, where is their critical data, how should we design their network, and then also how do you actually go and implement it, right, how do you actually go do it. So that's a really important part of the zero trust puzzle as well, and as you're thinking forward to 2022, regardless of where you're at in this journey, we would love an opportunity to help you move that forward in terms of zero trust.

I want to close with just a couple of takeaways here. One is that, as I mentioned earlier, zero trust is really a strategic initiative. Ideally it should be top-down, where you start at the top and figure out what the approach is, versus doing it tactically or project by project. You really want to try to implement those in different stages, and hopefully I've given you some ideas of what those look like, from identity to device to access to transactions. And Palo Alto Networks can really help you take some of the great guidance from folks like NIST and some of the best practices and really make them actionable within your particular organization or your environment. If you haven't had a chance, definitely go and check out NIST 800-207 as a good reference point. There is the Cybersecurity Center of Excellence project which I mentioned; we're one of the 20 vendors that participate in that. Also some very good prescriptive information, and also there'll be some reference architectures coming out around zero trust. And so I'd really encourage you to take a look at some of those resources if you hadn't had a chance to do so. And with that, I'll turn it back and we can jump into the Q&A.

Great presentation, Paul. We do have some questions for you. While we do that, I'm just going to bring up this poll for everyone out there in the audience that says, what additional information would you like about the Palo Alto Networks solution? And we appreciate your feedback there on the poll. So let's see, lots of good questions coming in here from the audience. The first one I'll ask you here, I like this: Raul is wanting to know, is it possible to implement zero trust both in the cloud as well as on-prem at the same time?

Yeah, absolutely, that's a great question. That's exactly right, Raul. There are certain zero trust controls that you'd want to implement on-prem, right? You have on-prem applications, things like that. And then in terms of the cloud, you obviously could have on-prem cloud or you could have public cloud or hybrid cloud, but the best way to think about it is that, yeah, there are absolutely certain types of controls that would be implemented in an on-prem type of fashion, and then, as you're moving applications maybe from on-prem into the public cloud or hybrid cloud, that's where you also want to look at zero trust as well. It should sort of span those domains, and hopefully I gave you some ideas in the presentation on how to think about that. But as you look at that cloud migration, you're going to want to start thinking about things like workloads, micro-segmentation, identity and access to those applications, and things like that.

Got it, okay. John is asking, how does Prisma Cloud and zero trust kind of work together, how would those fit together?

Yeah, so very similar, honestly, to the last question. So when you're looking at things like users, right, and you talk about stuff like segmentation, you're typically talking about segmenting certain types of users from other users on the network, as an example, or things like that. When you're talking about it in the context of cloud and you're looking at some of the capabilities of things like Prisma Cloud, now you're talking about the same kinds of ideas, right? You're talking about segmentation and micro-segmentation, but now you're looking at, how do I actually do segmentation within, say, a Kubernetes environment, as an example? How do I make sure that I can ensure workload integrity, the right workloads are running, things like that? So in essence it's the same ideas, it's the same concepts within security, but it's just a different domain that you're considering. So I would just summarize by saying Prisma Cloud gives you a really great way to implement zero trust best practices when it comes to cloud applications.

Got it, okay. And then what about when it comes to zero trust, how does zero trust address the biggest threats we're facing today, really around ransomware?

Yeah, so if you look at some of the high-profile ransomware attacks, and you also look at some of the deceptible and related supply chain attacks, there are some very common things that happen in those attacks, right? Very simple stuff like lateral movement, right? So one machine was compromised, and that was able to propagate throughout the network across multiple machines, or thousands of machines in the case of ransomware, encrypting that data and things like that. In non-ransomware types of attacks it's just data theft or things like that, same kinds of problems. Even like an IoT device is compromised, that IoT device is used to laterally move within the network, and they move on to a higher-value target from that, right? And so zero trust as a methodology is really good for stopping that lateral movement, as you start to segment those different pieces, as you're continuously monitoring the activity and things like that, and you're assuming that there has been compromise and that that part of the infrastructure is unsafe or even hostile. It really does help you mitigate a lot of the risk related to some of the activities related to ransomware, related to supply chain attacks, and things like that.

Excellent, yeah, it sounds like this could really help a lot of companies out there. I mean, ransomware is just plaguing companies of all sizes, so this looks like a great solution that could really help. Paul, I'm afraid we're running out of time here in our live Q&A session, but there are a number of really great questions in the queue for you still electronically. Maybe you can get back to those folks in the electronic queue, but we're really thankful to have you on the EcoCast today. Great presentation.

Thanks for having me.

And thank you to Palo Alto Networks for supporting the event. Check out the link there in your handouts tab; that'll take you to a PDF resource on architecting the zero trust enterprise from Palo Alto Networks. All right, I'll leave up the poll for everyone to answer while I announce our next Amazon $500
gift card. This is going to Jonathan Miller from Massachusetts. Congratulations. And now I'm excited to introduce you to our next presenter on today's EcoCast event. Welcome Ganesh Umapathy, Product Marketing Manager at Duo. Ganesh, are you there?

Hello, thank you for having me.

Thank you so much for being on. Take it away.

Good morning, good afternoon everyone. Thank you for taking the time to join this session. I'm Ganesh Umapathy, Product Marketing Manager at Duo, and over the next 15 to 20 minutes I would like to talk to you about secure access, what we do today and what's in store for tomorrow. At a high level, we'll talk about how most organizations implement secure access today, and then we'll give a sneak peek into what we think is coming in the near future and how secure access will evolve, and we'll talk about best practices you can implement today, and then we'll have some time for Q&A. So without further ado, let's get started.

So today, when organizations deploy or implement secure access, there's this concept of zero trust. I'm sure you'll be hearing that multiple times today across sessions. It's become really popular, and at the core of it, it's this philosophy of never trusting and always verifying users and devices before granting access. So today, if we just define the two stages of access, which is pre-login and post-login: before users log into an application, they typically enter their passwords, and then there's a form of additional verification, such as multi-factor authentication or device posture assessments, that really verifies the user's identity and the devices, and then they get access to their applications. So that's typically how most organizations implement secure access today. But there are threats that compromise passwords, and there are multi-factor authentication options that are not as secure as others; not all our MFA options are as secure as others, there are varying assurance levels for authentication options. We'll touch upon that later in the presentation. But attackers are getting more savvy; they try to navigate through the security controls we have in place. So organizations have implemented some sort of risk-based authentication. There's the device posture assessment that goes into the risk analysis, but there's also some other information, such as location information, where the user is logging in from. This typically relies on the IP addresses. And then, again, as you see, there's nothing that we really do in post-login. Once this user gets access and the session is established, there's nothing that really re-evaluates the trust once the user gains access. So in post-login there's nothing that happens.

So the threat in the pre-login stage: the traditional way we do risk-based authentication, which mainly relies on IP addresses, is not very foolproof, because you can easily obscure an IP address using a VPN, and there's the need for a stronger, more reliable risk signal there. And the new attack surface that we see is that once a session is established, the trust indicators might vary. So once a user logs into an application on this device from his home network, he might go to a coffee shop and open his laptop. You might decide to go to work from a coffee shop in the afternoon, Starbucks, and then join the Starbucks network, and then you're on a public Wi-Fi, but the session might still be established. So the session might have changed, or the user might have changed the security settings of the device, like turning off the firewall on the device or turning off the antivirus agent. So there are some trust indicators that can change over time once a session is established, and we want to make sure that, to get true zero trust value, we continuously re-evaluate trust even after the user has been authenticated. So that's what we're looking at tomorrow. So today, because of technology, we are limited in what we can do, but in the near future we're really excited to see some of these new frameworks and technologies coming in to help continuously evaluate trust and give us that real, true zero trust access philosophy of never assume trust and always verify, even after the user logs in.

So in our world, from the purest perspective, we want the access experience to look like this: the user would log into a single sign-on solution in a passwordless manner, so we are not forcing users to remember their anniversary dates, and then once they're logging in, you analyze risk signals. So here we are very excited to share that we are working on a novel way to identify the location of the user's device, where I've highlighted the Wi-Fi footprint. So this is a better way, a more reliable way, to identify where the access device actually is, rather than relying on IP addresses alone. So we can look at what Wi-Fi networks the access device is seeing, and that can help us identify the location. So we are very excited to bring that to market. We're currently in beta for that feature, and we'll be bringing it to public preview early next year. So that will go into analyzing the risk pre-login. And then post-login, we want to make sure that we continuously verify the trust of the user and the device, and here we are excited to partner with the OpenID Foundation. They're a non-profit, internet-based organization for standardization, and we're working with internet behemoths like Google and Microsoft to develop standards and frameworks to share signals and risk events that can help continuously verify and reauthorize access. And the framework is called Shared Signals and Events. We've recently published a guide; if you want to know more information about this framework, it's called sharedsignals.guide, and please visit that website if you're interested, and you can see how you want to contribute to the framework. There's an active working group by OpenID, and we're very
excited to partner with that working group and bring some of that Shared Signals and Events technology into the market, again, next year. So that way you are both analyzing risk pre-login and continuously verifying trust post-login to get that zero trust access for applications. So that's what's coming in the near future.

So let's talk about what we can start doing today. I wanted to share some learnings that we've learned from our own journey here at Duo internally and also what we see in how our customers are implementing too. So one of the main things that we see, both within Duo and from our customers, is that most security professionals today are understanding the need for usability. Security should not create friction for end users, otherwise they'll find workarounds, which creates security gaps on its own. So they want to find a perfect balance between usability and security, and there are things that you can do on both these sides. On the usability side, security professionals want to provide delightful experiences for users by getting out of their way and only introducing friction when needed: so minimizing user friction by using technologies like single sign-on or passwordless authentication when applicable, and meeting users where they are. So some, not all, applications will enable passwordless for all authentication scenarios; with personal devices you might want to increase that friction to validate the trust. So we want to provide flexible authentication options for users to meet them where they are, and also empower them with self-service, so managing what devices they want to access from, what devices they want to register for their multi-factor authentication, so that they're not bottlenecked by having to reach out to IT all the time. And last but not least, and this is very important, is fostering a security culture and including your workforce as that final layer of human firewall, so that they understand the need for security and why they have
to authenticate with the multi-factor authentication solution, because it's one additional step they need to do. So all these things help in users understanding the importance of security and also help them access their applications and do their job without introducing much friction.

On the security side, there are a few things we can do. I talked about the assurance levels earlier: not all authentication options are equal. So when you look at the multi-factor authentication options, voice or telephony calls or SMS OTPs typically provide the least level of assurance, because they're very easily susceptible to man-in-the-middle attacks. So for critical applications that have sensitive data, we want to make sure that they multi-factor authenticate with a higher level of assurance. So ideally it would be a FIDO2 security key that uses WebAuthn that will provide the highest level of assurance, but the push notification also provides good enough assurance for most applications. Introducing passwordless authentication where applicable: so again, this is FIDO2-based authentication, it uses WebAuthn inherently, and it eliminates the need for passwords. We talked about not forcing users to remember anything, and it's inherently multi-factor, meaning in one seamless workflow the user is verifying who he is with a biometric verification like Touch ID or Face ID, and he's also proving something that he has, which is his access device or a mobile device. So in one seamless action of authenticating with Touch ID or Windows Hello, he's multi-factor authenticating into the application. And this experience is not only the best for users, but it's also resistant and efficient, because it's not susceptible to man-in-the-middle attacks, because there's nothing that the user needs to remember to gain access, and it also prevents attackers from using phishing websites, because there's a secure exchange between the authenticator, which is your
Touch ID, and the application that the user is accessing. So there's no way an attacker can introduce a fake phishing website. That's really cool.

And the next thing that we can do on the security side is increasing the level of device trust. Again, personal devices, devices that are not known to IT, create a risk for IT organizations, because they don't know what they can't see. So having some level of control, some level of compliance, increases the level of trust in devices a lot. This could be like making sure they're running the latest version of the operating system patches. Windows, as well, has a Patch Tuesday, which is the second Tuesday of every month, and most of these patches have had a lot of critical security updates of late, and same with macOS. So how do you ensure that those devices are up to date and compliant with your security requirements? And other compliance requirements could be like making sure the password is enabled, the screen lock is enabled, the disk encryption is enabled in certain scenarios. So all those provide a good level of compliance requirements without requiring a corporate-managed device. And obviously the highest level of assurance will be through a corporate-issued device, where IT has full control of what's being installed on the devices and what should go, and they can go ahead and configure the security options themselves. So including the device trust also helps in taking the security to the next level.

So how can Duo help? So with Duo, obviously, customers can implement secure access that's very easy for the end users and also for the IT administrators, because Duo is a completely cloud-based solution, so we are easy to deploy and manage, and we can cater to any application, whether it's a SaaS application, custom applications that are hosted in the custom cloud, private cloud or public cloud like AWS or Azure, or even traditional legacy on-prem applications. You can come and provide a single sign-on experience for
all these types of applications, and administrators can centralize and apply per-application policies for each of these applications, which really enforces that least-privilege zero trust model for each application. And with Duo you get those adaptive policies and some of those risk-signal-based policies that we're launching really soon, and the continuous verification for access, so you're able to set comprehensive, context-aware policies for each application.

I wanted to share some of the reasons why customers choose Duo. Once we talked about this ease of use: we have a healthcare customer, UCHealth, and when they trialed Duo they found out that the clinicians, who have a very low threshold for friction, love the experience with Duo for multi-factor authentication, which is required for compliance for electronic prescriptions. So they just love the experience and the simplicity that Duo could provide, and that's why they chose Duo. Another customer chose Duo because it was lowering the total cost of ownership, because Duo helps organizations reduce their IT tickets, whether it's multi-factor-authentication-related tickets or deployment-related tickets; you can really simplify those things. And we can provide the broadest coverage, not only in terms of what applications we can protect but also what users we can protect and what devices the users can access from. So that's why we are very popular in the higher education space, where the user population is very diverse. Last but not least, speed to security. This has been especially important in the last year or one and a half years, because overnight most organizations transformed to a remote work model, and now they're transforming to a hybrid work model, so they wanted to have a solution that provided users secure access, and with Duo they were able to do it over a weekend without compromising on their security requirements. So that was really cool.

So I wanted to
leave you with a few key takeaways. One is emphasize user experience and security culture; those two are really critical to make security work and zero trust work. And for authentication options and secure access, evaluate the assurance levels by understanding what kind of data an application might house and what kind of assurance levels you want the users to authenticate with. Last but not least, when you're planning your secure access tools and how you want to implement secure access going forward, explore options about how you can continuously verify trust even after the user has authenticated. So that's really something that's coming up very soon, and we're excited to see where that technology goes forward. So with that, I wanted to move to Q&A.

Absolutely, Ganesh. We have a lot of questions coming in for you. While we take those questions, I'm just going to bring up a poll here for everyone out there that says: what additional information would you like about Duo Security? And of course we appreciate your feedback on the poll question as well. So let's see, first question, I'll go ahead and just start with this one. They're asking: how do personal devices affect anti-phishing strategy?

So again, one of the recent breaches that we saw, or that was very popular a year ago, I think the user or the cyber attacker actually worked around to do a push phishing kind of scenario, where the user logs into a fake website and then he gets a push notification, and simultaneously the cyber attacker takes the password from the fake website and logs into the real website, and the user, thinking that the push notification or the multi-factor authentication request came in because he was logging in, approved that request, and then the attacker was able to get in. So this was a scenario that's becoming more and more common, where attackers are getting more savvy. They're doing a lot of social engineering on who to target and how to target,
understanding what infrastructure the organizations have. So for these kinds of social-engineered phishing attacks to get that initial access, device trust can really help, because when the attacker logs in to an application, they're doing it from a device that IT does not know or have access to. So it's an unknown device; it could be a personal device, it could be a compromised device. So having a level of visibility into what device is being used to access your corporate applications can significantly improve this barrier for threat actors.

Okay, okay, that's good to know. Thank you for explaining that. Another question here: how can a user know that a push request is authentic, or if it's been sent by an attacker?

Sure. So one of the cool things about Duo's push notification is we provide a lot of contextual information in the app itself. When you get the notification, it shows where the access is being requested from and which application is being accessed. So this is good enough context for users to see and decide whether it is really he who initiated that request or it's a fraudulent request, and if it's a fraudulent request, the user can go ahead and mark that in the app itself, that this was a fraud or a mistake. So the user has an option, but we do see that a lot of users typically just blindly approve, because they use this multi-factor authentication multiple times a day. So in those scenarios we are introducing a capability that we call More Secure Push, so to enhance that friction just to verify the trust a little more. So a more secure push might include something like adding a passcode in addition to the push notification to really make sure the user engages with multi-factor authentication and make sure that it's not a fake push. So there are things that you can do to make the push more secure, and additionally you could also use the FIDO2
WebAuthn-based authentication, which provides a much higher level of assurance and mitigates any kind of phishing threats.

Okay, okay, that makes sense. Thank you. And then, what about phishing education? How do you handle users that fail the exercises?

Yeah, that's a good question. So we internally have a full-time security team that creates all the training programs, and it's about re-education. So when the users fail, it's educating them on why they failed, or educating them on what they might have missed that made them choose the wrong answer. So it's all about re-education: making them understand what could go wrong and how it could go wrong, so that next time they're able to identify those red flags and mark them as fraud or phishing, and then help, in the end, make the organization more secure.

Okay, okay, absolutely. Yeah, that phishing education is just, I know, so important out there; we've got to keep educating our users all the time. Another question here. They're asking, Our Vend, I believe is how you say their name, they say: as we talk about personal devices, any risk with the corporate mobile devices for phishing or security lapses? I mean, do we have the same risk with corporate devices that we have with personal devices?

It really depends on how the security tools are implemented. You could have an MDM but may not have it implemented properly. So it just depends on how you're implementing it and what's the level of assurance you need for the device. So typically it's kind of assumed that corporate-managed devices provide a higher level of assurance or trust, because the IT administrator has complete control over the device, so they can go in and check what's installed, what the OS version is, and things like that. So typically corporate-managed devices are assumed to have a higher level of trust. Personal
devices can have a good enough level of trust by having those device assessments, and that's where Duo really excels. We have a lightweight application, both on the mobile device and on the desktops and laptops, where the application can assess what the OS version is; it just provides visibility into what the security configurations for the device are and makes sure it's compliant with the requirements that the organization has, and if not, enables the users to self-remediate where applicable. For example, if the browser is out of date, the application educates the user on how to update so that he can gain access. So things like that you can do on personal devices as well to improve the level of trust.

Excellent, excellent. Yeah, because I know every company is going to have a different mix, perhaps, of devices, so it's good to know that we can protect both types. So if folks want to get started with Duo, what do you recommend?

So we have a free trial; the link should be on this portal. So it's signup.duo.com. If you go and sign up, you get a free 30-day trial, and we have three different subscription plans to choose from. We start with the basic MFA edition, where you get the basic MFA and single sign-on features, and the next level is the Access edition, where you get some of those adaptive access policies and device trust features, and the final edition is what we call the Beyond edition, which helps organizations implement that zero trust model for both SaaS and private applications. So really, with this trial, when you sign up, I believe you get the Access edition for 30 days, and if you're interested in testing out Beyond as well, if you reach out to your Duo representative, usually you can make that possible too. So if you want to get some hands-on experience with Duo, I encourage you to go and sign up for the free trial.

Excellent. Yeah, I see it right here in the handouts tab,
signup.duo.com. I encourage everyone to check that out. Sign up for the free 30-day trial of the Duo Security solution. Ganesh, it's been great having you on the EcoCast today. Thank you so much.

Well, thank you so much, everyone, for tuning in.

We've got a number of more technical questions there for Ganesh in the queue, and he'll do his best to get back to you. Thank you, everyone, for your excellent questions. We didn't have time to get to all of them in our live Q&A, but we do appreciate them. I'll leave the poll question up for everyone to respond to while I announce our next prize winner. This Amazon $500 gift card is going to Cat Kindy from Virginia. Congratulations! All right, and with that I'm excited now to bring in our next presenter on today's security EcoCast. Welcome Sean Walsh, vice president for global marketing at SimSpace. Hey Sean, it's great to have you on.

Thank you. How are you doing today?

Doing great. Excited to have SimSpace on the EcoCast today, so take it away.

Thank you, I appreciate that. So one of the things that, when I was thinking about this webcast and I looked at the overall agenda, you know, because I'm a marketing guy talking about a technical subject, I always try and, you know, be a bit more serious as I look at this. So I'm going to do my best not to be as salesy as I can, and hopefully what we're talking about follows the script that we put out. So I put the agenda in directly from the web page: looking at what we see are the big takeaways from last year, what we see changing in the landscape, how we think we can help, and some thoughts on what you should be looking at as you look at your strategies for next year.

And as we look at the last year, I think the biggest difference when you look at '20 over '21, beyond the pandemic, beyond all the other things that are there, is the fact that the gap in human beings that are skilled for this role continues to grow. This particular data point comes from (ISC)². I've seen others, and the number ranges
between two and a half and four million people, and I think that what we're seeing is we're throwing more money at the problem, but it isn't going to be fixed until we get the human problem addressed. And the result of spending more money on security is that we have more complex environments. If there's one thing we don't have in this industry, it's a shortage of security tools. According to our friends at Gartner, about 83 percent of folks have over 20 tools, and that makes for a pretty complex stack, and then when you have a zero-day hit, you've got to do patches across those. How do you make sure it all works? The translation on this slide, it should be 15.6, but what we've seen is that those companies that have to publicly announce breaches have seen a three-year decline in their stock value versus their S&P counterparts. So the impact of this human gap in cyber security is very, very real. One of the data points that I found that really surprised me was this bottom one, on sixty percent of breaches caused by lack of patching. The article's linked here from Dark Reading, and the data point comes from our friends at Automox, but the thing that struck me as I was reading this is the fact that people are saying, look, we just don't have the resources to put every single patch out that is out there. And again, this goes back to the human challenge. And then the other things that are on here, in terms of growth of ransomware, in terms of growth of attack surface: those, I think, are two of the things that really transpired over the last year that will change how we look at what we need to do for security in 2022. So I want to share with you what we see as the top eight security landscape challenges for '22.

So again, coming back to this theme: people, people, people. And this is people who are deploying technology, people who are monitoring the technology and doing the threat hunting, and the people who use our technology inside our organizations. But one of the data points, this one came from Enterprise Strategy Group via their ISSA survey, is that there's a 58% higher retention rate when companies invest in their people via training. And keeping people current, keeping people feeling like what they do is important to the organization, I think is the biggest takeaway from all of this, and I think what we will discover in 2022 is that the ROI on investing in people is much higher than investing in tools. The never-ending attack surface expansion doubles. I think that's a conservative number, but again, that's coming from our friends at Gartner. But if you look at our continued march towards SaaS platforms, remote work hasn't gone away and is growing as we hire new people, and you look at the drop in the unemployment rate, at least domestically, and then you throw in mobile, IoT, and now the concerns around operational technology. I don't think that any of us are surprised that operational technology has moved up the stack, but things like the Colonial Pipeline attack really showed how they can have a significant impact on our society. I also think that ransomware as a covered part of a cyber insurance policy is facing an extinction event this year. We've seen AXA already suspend ransomware payments in France, we've seen Lloyd's make changes in the UK, and I just think that the risk of this, because of how well coordinated the threat actors are here, this is going to be another burden that shifts onto IT. So we're going to see lower coverage and higher bills, and they're going to redefine what insurance for ransomware means and incrementally phase it out. According to Gartner, we're seeing a significant effort to reduce complexity in the security stack so we
can improve the ROI. I said this a bit in the first slide, that money alone won't fix it. The investment has to be in the people and the process to go with the technology. We've all seen bloat in features in all the platforms that we use for a variety of things, and that is becoming exponentially more difficult as we look at '22. The other thing we have to do is move beyond the zero-day patch-and-pray. We have to know before we go live, and we're seeing a number of customers, and I'll talk about one of those case studies here, invest in a security development platform so that when they move things into operations, it's ready to go. Security is a sales tool. I think this might have come up in one of the earlier broadcasts, but right now the safety of your network, the reliability of your company as a partner, some of the new government mandates, actually make security a product and company vendor differentiator, and it's one of the things that, if the sales team isn't using it in your organization, they should definitely do it. And then the last is that, again, we talked about the impact to stocks; that's going to be even worse this year. Breaches are going to be very, very aggressive. The threat actors have turned this into a very profitable model, and boards want to know what the answer is to it, and we are going to continue to see increased advocacy from the executive and the board level, and we're going to see that also drive increased focus on compliance and regulatory. And one of the interesting things that we've been spending a lot of time talking to customers about is the difference between cyber security and compliance and regulatory. Sometimes those things get muddled together, and they are very distinct disciplines.

So with that, let me talk a little bit about what we're seeing in terms of some of the consolidation reports. This data point comes from Gartner, and basically what it's saying is that people have on average between 16 and 46 different tools. They're spending a lot of
money, they're not being used effectively, the teams don't know how to use them completely, and optimizing that stack is a way to make sure that you improve the operations in your security op center. And that's one of the areas where, when we look at the model that we're going to show you in terms of how we see the cyber model evolving in 2022, having a dedicated development and staging environment for security is going to be critical. And then the next point here is talking about business expectations. So this survey was done with members of boards of directors, and look at those top three: regulatory risk, cyber security, and then supply chain, which really ties back in many cases to the security and the regulatory compliance risk. It is at the top of the priority chain. I'm probably saying something you already know, but I think it's something that, as you think about preparing and talking about the funding that you need, this is an important data point that can help justify some of that spend for you.

Now, one of the things that, because we do deploy cyber ranges, a lot of people immediately say, oh, you're a breach and attack simulation company, and we think this is one of the things that, when you look at your '22 plan, you need to separate in your mind and look at strategically. Because when you look at breach and attack, they tend to be production tools. They're protecting your current availability of your security stack and your production systems. They're doing continuous attacks driven by threat intel versus changes in security or compliance. They're giving you monitoring tools. Whereas when you look at a development range, the goal here is to be able to push the envelope, to do as aggressive and complete attacks as possible, to take a zero trust architecture, deploy the virtual environment and then run 15 different scenarios against it to see which one gives you the best results. So it's about taking a strategic approach, building something that then goes into production, and then having that
monitored via bass and other tools that are out there so we think this is a fundamental change in how you should consider deploying your resources in 22. and i deliver i guess deliberately but i blatantly ripped this off from the cicd devops world and we've all seen these types of graphs but i think it's very apropos as we're talking about how to segregate the workload and get security operations so i'm going to start here with the security strategy in the bottom part here that flows into your security engineering so whether it's deploying zero trust architecture looking at cmmc or whatever it is that you feel you need to engineer to make sure your stack is right then you can let your team hack away at it change it blow it up do anything you need until you find the right set of skills on the team to go with the stack optimization that'll tell you what you need to do in terms of your process improvements especially with global around the clock handoffs and making sure that the degree in which each team understands the problem and knows what's being handed from sock to sock and shift to shift is available make sure you're ready to optimize your cyber insurance compliance posture to lower those costs and now you establish a new security baseline you can take that baseline move that into production optimization plan deploy update your policies do your threat hunting and if this is done correctly it will reduce the number of tickets it will reduce the number of incidents and we've seen a lot of this work work done very well with palo alto and sentinel one and a number of our other partners then you can continue to monitor that with bass take your analytics and analysis and then do the next turn on the cyber security evolution and we think that this model and formula deployed in 2022 will have a significant benefit both in terms of your team retention the effectiveness of your security plan and reducing cost and meeting compliance so what i want to share with you next is 
a case study from a global bank as almost everyone knows in the security world no one wants to confess what they're using but uh we'll tell you the story behind what they're using so in this case they had four global socks about 40 analysts about a dozen threat hunters they had five degrees of expertise across their team from entry level to threat hunters at the top and what they discovered was they couldn't address all the cases with the staff they had they had inconsistency in terms of reporting in tools and almost none of these people had ever really worked together they were in different places they never worked on the same scenarios and the biggest difference that they got out of using this cyber range was all operating together on the same platform dealing with the same issues and again you heard me talk about people and you'll hear that over and over again because it's not just the technology it's how the people are trained to use it so what they said was you know what we're going to let the threat hunters tell us what we need to use for training and that's where they leveraged sands and a number of other folks to put that training and skills analysis together that allowed them to then put together a strong remediation program because they understood the skill sets of each of the people and each of the technologies better having run them through these simulations and then those simulations gave them the ability to work together pre-test production changes before they put it in and i thought this one quote was very apropos uh i'm going to use the american term soccer versus uh international football but they said it was sometimes like watching a bunch of kids in when they first started playing soccer they all swarm around the ball and sort of playing their position well the problem is they didn't know what their position was and this process gave them the ability to understand what position to play how to work together and ultimately how to optimize their 
environment what they experienced was about a 40 year-over-year improvement in loss avoidance and breaches and they said a lot of this was due not just to using the technology better but for the people working together better so how how does all this play out in terms of the platform today well we have this readiness platform as we call it and it's what most of you would call a cyber range and there's three elements to it how you configure the range simulating your security stack and then creating the right competency framework for your team we don't just mean training we don't just mean working together as a as a group we need making sure that they are competent from end to end on all of the pieces that go into that then we can also work with you in terms of putting together the right services to support it risk assessments and then if there's any custom integration because almost every time we work with a with a client they have incremental pieces in their stack that we need to add and it's a very simple process we're able to scale these very very large the foundation of the company comes out of a legacy of being the range for the u.s cyber defense command and we have built these out to tens of thousands of nodes and this is an example of one of our more modest maps with about a thousand uh virtual environments but what we want you to take away from this is no matter how big your organization is you're able to put those together create a very realistic simulation and be able to make all of that be graded get at the raw data and take that as analytics and use it to improve your configuration uh this is just a small sampling of some of the different products that we put together and there are thousands more behind this as we go forward and when you think about what the ultimate piece to this is it's about the outcomes and improvement so what we've seen from our customers is a 45 improvement in their attack defense their time to resolve and identify those taxes 
improved by almost 50 percent, and the reduction in configuration-related breaches has dropped by 40 percent. And this is the result of teams working together, having hyper-realistic views of what they have in their production environments in the range environment, and being able to work on that together as a team. So just a couple of closing thoughts as we go forward. When we think about cyber ranges, they are going to help you manage your stack complexity and help you protect your production environment. They will not necessarily close the skills gap, but they'll help you keep the team you have and up-level the skills of the team you have. Through SimSpace, we know this is used by five of the top global banks and the U.S. Cyber Command to help them build their readiness. Gartner published one of their top trends for 2021 and 2022, which included cyber ranges for building maturity and readiness, and it's probably the most viable tool you have to train and prepare against threat actors, because you can do destructive tests inside the range without hurting your production environment, and then you can take the learnings from that destructive test and properly apply that to your production cyber ops, security operations. So with that, I will move on to questions.

Great presentation, this is really cool stuff. I love learning about what you all are doing here at SimSpace. Sean, we do have some questions for you from the audience, and I'm just going to bring up a poll question for everyone out there while we answer some of these great questions that have come in. First one for you, Sean: they want to know, exactly how do you go about building a range?

So basically it's kind of like, in a lot of ways, going to AWS. You go in and you pick your environment, you pick your operating systems, you pick the tools that are in your stack. We'll build those out into the virtual environment, and then you can pick the type of training you want to run, the type of scenarios, red team, blue team, purple team, and
it's all built from a front-end console, and again, it's very much like configuring resources through AWS or any other resource platform that you use.

Nice, nice. Yeah, it doesn't sound hard at all. What about, can you simulate cloud environments?

Absolutely. We live in the hybrid world or the cloud-only world for many of our customers, and you're able to do that quite easily. As a matter of fact, a number of universities, the University of Texas uses our range, and the undergrad and grad students use it, so we know that it's pretty easy to deploy.

Good, good, and it's cool that it can simulate clouds as well. So what about compliance? I know that's a hot topic. Can this help companies to prove that they're compliant?

It can, and again, talking about that split between cyber security and compliance and risk. So the first thing we can do is help you apply the right rules or the right framework, so whether you're marching towards a NIST or a MITRE or something like that, we can score the test versus those frameworks. And then we can also apply a specific set of tests and scoring based on the compliance tool that you pick, so whether you need to support HITRUST or PCI DSS or other types of vertical things within your industry, we can apply tests that specifically validate the requirements they have. So for GDPR, making sure you don't have data exfiltration, you don't have credential compromise that lets people, that gets personal data out there, and it also helps you track where personal data resides within the greater security environment, to make sure that if someone requests that their personal data gets deleted, you know all the places that are there, and you know that it has been secured the whole time because you have an audit trail behind it.

Nice, nice. And I have to ask this question, because this is one of my favorite games of all time: is this just like SimCity?

It is just like SimCity. You build it out, it grows, you test it, you learn, you make adjustments, and it's very much
like playing SimCity, but with a very, very strategic outcome.

Nice, nice. And I mean, the strategic outcome is you're better, you've got better security in your environment, you're more compliant, you're better protected, so awesome. Well, let's see, there's some more technical questions for you there, Sean, in the queue. I'm afraid we don't have time for you in our live Q&A time slot here, but really cutting-edge stuff that you all are doing there at SimSpace. Thank you so much for joining us on the security EcoCast today.

My pleasure, thanks for the invite.

And for more information on SimSpace, check out their resource, it's available for download there in your audience console. It talks about SimSpace cyber range, and of course visit their website for additional information. And we appreciate your feedback on the poll as well. I will leave that up while I announce our next prize winner. We have another Amazon five hundred dollar gift card, this one going to Luke Erkenbrock from Utah, Luke Erkenbrock from Utah. All right, thank you to everyone who responded there to the poll. It's now time to move on to our next presentation on today's EcoCast. I'm excited now to bring in Ben Opel, Senior Director for Customer Solutions Engineering at AttackIQ. Hey Ben, are you there?

Yeah, how's it going?

Going great. It's good to have you on the EcoCast, Ben. I'm excited to learn about AttackIQ. Take it away.

Absolutely. So how's it going, everybody? As introduced, my name is Ben, and also as introduced, I work at AttackIQ. We're a breach and attack simulation company. I'll talk to you more about that later, but not at length. I wanted to call something out here because I had the chance to listen to the previous speaker, the last 10 minutes or so of his talk, which by the way was great, and he made reference to ransomware no longer being something covered by cyber insurance in the future, and I think that's a fantastic move on the part of the insurers, for various reasons. I'll kind of get into that
as I talk. It's apropos of what I'm getting into today, because what I want to talk about is, as you see on the title slide, seeing the forest for the shiny new threat trees. And that's because the thing that folks should consider going into 2022, I'm not a New Year's resolution guy, but you know, it's a good chance to really take stock of what's going on in your life and/or your security program, is to stop putting so much stake in single threats, in timely or, dare I say, shiny new things that come down the threat intel pipeline, or God forbid, from the news. So without further ado, let's be about it. What I'm going to talk about today: what do we do in security, what's our thing, why do we do what we do? Now we're going to talk about, somewhat strangely compared to what I just said, we're going to talk about designing an emulation plan, okay, and we're around a Maze ransomware capability. I'm sure many of you are familiar with Maze ransomware. Then I'll talk about some additional resources and training, and I'm going to make a point at some point throughout these slides, so just, you know, don't worry too much. So the goal in our line of work is to get good. All right, we are here to protect something. We are here to secure company assets, we're here to secure a mission, and we cannot afford to be scatterbrained while we do this. We have to be very focused, we have to understand very clearly what it is we are defending against and what we are defending. So why test? Well, because if you test, you understand where you stand. If you don't test, you are flying blind, all right? Now you test so that you can answer that question that every security professional the world over, since time immemorial, has been unable to answer. We can only answer with kind of a shrug of our shoulders. We know when they say, well, are we secure, or are we secure against this, we're like, well, yeah, well, mostly, kinda, but we think so, we can't tell you for certain, because we haven't
tested it. Now I know you're saying, well, Ben, you're dumb, pen tests are a thing, and you're absolutely right, pen tests are a thing. But you know, I would ask for a show of hands, but we're not in an auditorium: who has an in-house pen testing team? You know, unless you work for a major corporation, you probably don't, and very likely it is that you don't pen test more than a few times a year. Okay, got it, and that's fine, you are testing, but again, we're kind of defeating the purpose of testing if we don't test often. So if we know why we test, we have to figure out how to test, so that's the thing I'm going to go through here for a minute. I'm going to do some intros, a little bit of introduction, some concepts and some terms that I'll use throughout this relatively short talk, but we're gonna get into this and talk about what it means to actually understand how you would stand up to an attack, and how to define the questions to ask to know how you would stand up to it. So the point of testing is, yes, to understand what works and what doesn't in your security stack, but if you just test willy-nilly, you can do anything willy-nilly, you're not really going to make a ton of progress. Maybe you might get lucky, but we don't want to count on that, not with what we do. So we do what's called, what we should be doing, by the way, is called threat-informed defense, okay, and it has three key aspects to it, what you see here, and this is defined by the MITRE Center for Threat-Informed Defense. By the way, they do a lot of open source research, very cool stuff, and I highly recommend you check them out, that's MITRE CTID. So we start off with intelligence analysis, moving to defensive engagement of the threat, and then, you know, when we've gained a lot of good information about the threat and our response to it, we do a lot of sharing and collaboration so that the entire organization can benefit from it. This is the top level, this is 50,000 feet, so let's
dive in, let's go down a little bit. Intelligence analysis: so we're talking about looking at malware hashes, we're talking about understanding malicious domains, but most importantly, we are talking about understanding adversary TTPs. Again, malware hashes and malicious domains, if you want to play the high-limit table, you've got to put up the ante, and that's what this is. We are all at the high-limit table, folks, and if you can't pay the ante, you're out of the game. So by all means, do your malware hashes and malevolent domains, do your signature-based checking, and that's good, and have that intelligence coming in, but if you are not receiving good intelligence and processing and using that stuff having to do with TTPs and adversary habits of action, you're not playing with the big kids, so to speak, because the adversaries, they are big kids, and they are playing for keeps. So intelligence analysis, it's what it sounds like: it's using the right intelligence to ask the right questions, and one way you can go about this is by using the MITRE crips framework, which you see here: attack artifacts, life cycles, malware reverse engineering, environmental influences. And that's a whole other talk on its own, but they're there, and then kind of connecting everything together and understanding what this means in terms of defining what an adversary has done and is likely to do to you. Now that second piece, from those top three that I showed you at 50,000 feet, defensive engagement of the threat: we take intelligence analysis, we get all that good stuff out of it, and we put it into some kind of testing framework. Now I'm not going to lie to you, I work for a breach and attack simulation company, we make a fantastic product. I'm not going to lie to you, fact is, you can execute your test in a variety of ways. You can use an automated testing capability, you can use a red team, you can do it a variety of ways, but the whole point of doing the intelligence
analysis is applying it from an adversarial perspective and an adversarial footing against yourself, and understanding the worst-case scenarios of all the scenarios you can imagine in terms of your defensive capabilities. This is engaging the threat, in a safe way, obviously. And then we go to focused sharing and collaboration. Now what you're seeing here on this slide are a series of organizations and centers that do this kind of collaboration because it's what they do, it's their job, but you also have to look at this as collaboration inside your organization. It is making sure the right people know that you've done the intelligence analysis, that you have engaged the threat with your defenses, and that you understand at least something about how you'll perform against them, because that's how you're going to get fixes done, that's how you're going to get investments made, and that's how you're actually going to gain benefit from being threat-informed. And as I talked about before, MITRE Center for Threat-Informed Defense, free open source research, they've got a GitHub, tons of great stuff, a lot of cool projects that they're doing. We're obviously part of it, we think it's a good thing to be, we think it's a good thing they're doing, and things like these emulation plan projects, which you'll see there if you go up on their Git, are very similar in nature to what I'm going to talk about today. It is a mapping of how an adversary does business and how to emulate what they do yourself. So we have this notion of being threat-informed down, and so now we're going to talk about, kind of at the basic level, how to do that. How do I do something, how do I be threat-informed, right? Because you are informed somewhat if you do intelligence analysis, but you're not really there until you start coming up with test cases and applying them. So how do you build this emulation plan? Those are the test cases. So I might
slip into my company vernacular. If I do, I'm not going to apologize, because I'm giving you the answer key. Scenario: that's a unit test, that is an adversary behavior emulated by any means you choose. Asset: it's a host on which you are executing the technique, that's it. If I say assessment, I mean an entire, not so much a campaign, but a chain of techniques. And this is the part of my ransomware talk where I put a picture of a maze, because I'm talking about Maze ransomware, but you know, if you didn't gather from the beginning, that's not what I'm here to do. I'm not here to talk about ransomware. As important as it is to understand what ransomware is, it's more important to understand that ransomware is just malware with an encryption module. You're welcome. So let's step on and do something useful. So Maze happens to use, as one of its behaviors, BloodHound. Now if you're not familiar with BloodHound, it is an Active Directory reconnaissance tool. It is super cool, I think it's awesome. You know, the red team side of my brain says that this is fun to use, and the blue team side of my brain says, well, this is tricky to detect, because it uses everything that's native, it uses native stuff in the OS, and it uses normal global catalog enumeration to find out what's going on in your AD environment and map out your environment. So okay, this sounds like something that we should think hard about, because if you go that far and you're thinking to understand that this is a native tool, you need to put some more analysis into it, understand how you're going to detect it. So what I'm doing right now is describing a single technique, because this is how we break things down in emulation planning and understanding how it works, because you can't emulate something if you don't know how it works. So in this case, BloodHound does a global catalog enumeration, and there are multiple ways to detect that. Now you'll need to apply this
kind of a detection in a careful way, because again, your hosts are generally looking in the global catalog fairly often, but if you look here on the left, there's a Sigma rule for it. There's a bunch of them, actually, there's a bunch of different ones you can use to detect this, and it's going to be looking for very specific traffic in a very specific time frame from specific IPs. That's going to say this is suspicious, somebody might be enumerating your network. Okay, so we understand right now what BloodHound does, that it is a piece of the Maze ransomware, or it can be, it's been used by them before, and there is a way to detect it. Okay, this is where we start. This is from our intelligence digest, right? We did our intelligence analysis, we understand this piece about our adversary, awesome. Now we have to plan our test. So we call this assessment design theory, so don't worry about that, that's just what we call it. So there are a couple things to go through here before we can really call our emulation plan, or at least our test case, complete. So there are some questions to be answered: we have to know which assets we're going to test, we have to know which scenarios, which behavior specifically, we're going to run, in this case BloodHound, and then we have to kind of schedule this thing so that we're getting good data, so we're not irritating people along the way. So test planning: this is when you come up with what we call a problem statement, because as you know, in IT and infosec at large we have nothing but problems, but you know, a predominance of problems, and we're just struggling to find solutions through them. So problem statement: what is wrong that we are trying to get after, what is the threat, what is the risk that we are kind of trying to understand and come to grips with? Well, in this case, we can just make a general statement: you know, we haven't seen detections from our AV, we haven't seen
specific rules pop for certain types of traffic, but we do think things are working as they should be, right? That's a problem statement that's very broad, but it's something you use to frame out your planning. And so from this we're going to step into, since we have this context of this problem statement and our intelligence analysis, we're going to make a semi-authoritative statement about specifically what the adversary is able to do and what our defenses are able to do in response. So we ask the question, can BloodHound scan my environment without me knowing? Well, since we do our level best to make things work right and make a defensible architecture and configure things the right way, I hypothesize, I believe, that abnormal LDAP traffic generated by global catalog enumeration, which is BloodHound doing its thing, would flag in my security tools. Okay, cool, let's test that hypothesis. So if we have a hypothesis to test, we are going to decide where we're going to test it, all right? So the thing is, since we know, or we assume, that high volumes of queries from normal domain users will produce an alert on my SIEM, I'm going to test across my domain, because the environment doesn't really have much of an impact on my detection capability, because LDAP is going across your network all the time, so we can put it anywhere, so we want to test it as broadly as we can. So I'm going to pick two workstations from each business unit, and they're going to be tested in the context of a domain user, because domain users have access to, you know, they make those calls all the time. Okay, good, pick those up. We're going to decide which behaviors or scenarios we're going to run, so I'm going to run a BloodHound ingestor, right there, bottom right there in scenarios, pretty simple, we talked about it. Then I come up with a schedule, and because you don't want to just let these things sit after you do them once, configuration drift is a thing. I
heard my predecessor in these talks talk about something similar, so let's put it on there for twice a month, no closer than 10 days apart, just because we want to make sure that things have a chance to change before we test again. Otherwise we're getting what you might call a high-level false negative, and we don't want that. So now that we have, and by the way, the most important thing about scheduling is that people know when you're going to do this kind of stuff. Obviously we schedule out in excruciating detail how we'll use our red teams, our BAS tools, whatever they are, because again, people can become alarmed when you start flagging tons of alerts on your security tools, and it's good that they're alerting, but people want to know that it's not an actual emergency, so schedule it. So if you didn't notice, that took about eight minutes to describe how to design a test case, and it is a broadly applicable thing, which I'll get into here in a second. So we described the theory and application of threat-informed defense. I talked to you about how you can immediately start being threat-informed. It's a fairly simple concept, it takes some time, it takes a specialist or two, but again, you don't need an entire cadre of cyber ninjas to do this, not at all. Then we broke down that Maze ransomware recon technique, and we designed a test to check the defenses against it. It was all very simple, and this is something that should be fundamental to any security program, the ability to break down a threat this way and describe the means by which you can understand if it is an actual threat to you. So testing ransomware is good, understanding ransomware is good, caring about ransomware is good, but being broadly threat-informed is better, and if you want to be seriously, broadly threat-informed and have your defenses aligned that way against the things that are relevant to your mission as an organization, you have to
be able to test, and to be able to test, you have to be able to analyze a threat, understand what's important to your organization, and actually do something relevant. Okay, this methodology is applicable to every actor and every technique. Ransomware is just malware, which falls under that any actor, any technique thing, and I want to remind everybody that there's a time to focus on specific threats, but what's important is not necessarily what's timely, and that's something that took me, you know, a good chunk of my 10 years in the field to figure out, because the actors are going to use whatever they can to get in, and you're going to leave stuff open. I don't care how good you are, you could be the Mossad, you could be the NSA, I don't really care, you're going to leave things open. That's why we test it, and if something is open, it's important, not just because it's something that came across the boss's desk, or he saw it in his Twitter feed, or she saw it on TV. That said, I encourage you all to be better in 2022, just like the gentleman is saying in the lovely meme. We can do better than focus on shiny new threats and spend all our time talking about what this latest ransomware family is doing. You know, we could spend our time analyzing that ransomware family, understanding what the new techniques are that make them different from the things we've been dealing with already, devise tests for those, that family, and actually be defended against it. All right, I'm off my soapbox. I'm going to recommend a couple of resources. I'm not lying, I can't go anywhere without saying this: AttackIQ Academy. It's free, totally free, tons of training on there. I might have written some of it, so watch out for the stuff that has my face on it if you didn't like what I had to say today; if you did, then also look out for the stuff that has my face on it. Give it a look, we've got over 25,000 students, great reviews on this stuff, we are always coming up with new material, and
we want to know from you that what we are putting out there for the community at large for free is useful. That's all we want to do with this. So it's academy.attackiq.com, and like I said, 100 percent free. And with that, I'm going to stop talking, at least for a minute or two.

Great presentation, Ben, really cool stuff. AttackIQ Academy, I've got to check that out myself, and I encourage everyone to do that as well. Great information here. We're going to bring up a poll while we take questions from the audience. The question on the screen for everyone out there is, what additional information would you like about AttackIQ? And first question I see here that came in, Ben, they're asking, or they're saying, decomposing attacks the way you describe is a big lift. How could a smaller team benefit from this?

So any team is able to test. So like I said in the beginning, testing isn't just siccing your totally BAMF red team on something. Testing could be as simple as running a script that replicates an artifact or a behavior that the adversary does, and if you've got somebody, some sharp person in IT who is good at PowerShell, man, you can run a lot of tests, I tell you what, as long as management says it's okay. And smaller teams can always benefit from automation. Don't get me wrong, there's a lot of ways to automate testing, and I'd be remiss if I didn't say that we're one of them, and one of the better ones, obviously. That said, you don't have to put an entire team on this. If you're a small organization, you've got one or two folks who you can commit half of their day to doing this a couple times a week, you can get this done, and you do that by taking small bites. And what I just described today was a small bite. You can look at a technique or a couple of techniques that are of particular import because of the way your architecture is configured, because of the things that your organization does, and test those, and you know, come to a better understanding of what your specific
tools are doing for you right now, and you can do this, and there's a ton of open source stuff out there for doing that.

Yeah, absolutely. Another one here, they say, you know, you talk about a lot of different things as though they're common knowledge, but they aren't necessarily, so at least when it comes to implementing an effective logging, backup, and testing plan, where do we get that kind of information? Any kind of recommendations for resources?

Yeah, so I think I've got a bit of, like, there's a specific term in psychology for the kind of bias I have about this, and sometimes I speak to it, so sorry about that. This stuff should be common. Everyone should be looking at their architectures from an adversarial lens more than half the time. Now, resources for doing this are, accordingly, kind of scarce. Not terribly, I mean, there's stuff out there, people care about this, but it's somewhat niche when you start thinking about things in terms of these emulation plans. So the first thing I'll say is AttackIQ Academy. We have entire classes specifically on this, and again, like I said, they're free and they're pretty darn good. If you haven't seen the Blue Team or Red Team, or actually there's a Purple Team Field Manual out now, those are great practical application guides for actually doing these things on a keyboard. But again, the best practices you'll find in the major things like CIS Controls, even in things like NIST, yes, even there, you can get good ideas about how to set up an overall architecture and configure it so that you can make assumptions about what it can do, and therefore you can test those assumptions. So the body of knowledge is out there, it's just not formalized outside of a few places, AttackIQ being one of them.

Okay, and then this is a good question: do you think folks should focus on ransomware, or should they focus more on just security in general that, you know, will protect them from ransomware as well as other threats?

I'll say this much: if you don't have a good log aggregation and correlation game and somebody in your shop says it's time to go zero trust, you should have a very frank conversation with them, probably behind closed doors. And when I say that, I mean fundamentals are very important. If you don't have the wherewithal, the technical wherewithal, to approach basic threats, or, you know, simple antivirus log collection and alerting, you shouldn't be talking about specific ransomware threats, if you catch my drift. It's not like they don't matter, they absolutely matter, but if you get the fundamentals down and you can break down a threat into how it actually works, the things it does that are detectable by your tools, you're on the right path if you can do that, and ransomware simply becomes another piece of intelligence that informs your analysis. The only notable malware is the malware that has a unique or novel means of execution, and within that frame of mind, everything falls, and if you can break down one technique, you can find ways to break down the others. So yeah, I mean, yes, you should worry about ransomware, should you worry about it? No. Should you be aware of it? Yes. Should you worry about it? Well, no, it's like any other attack. You're going to get breached, so how far is it going to get before the tools that you've properly tested stop it?

Wise advice, I like that. All right, well, I'm afraid we're running out of time here in our live Q&A session, but there's some really excellent questions still there for you in the electronic queue, Ben. Thank you so much for your excellent presentation today on the EcoCast.

Absolutely, thanks for your time, everybody.

And for more information on AttackIQ, check out the handouts tab as well. There's a cool document here called Threat-Informed Defense 101, looks like the
college-ruled notebooks, and well done asset. Make sure you check that out, download it before you go, and also respond to the poll question there while I have it on the screen. We do want your feedback on that. I'll leave it up here for just a few more seconds while I announce our next Amazon $500 gift card winner. This is going to Ben French from Texas, congratulations Ben Fretsch from Texas. And with that, I'm now excited to introduce you to our next presenter on today's security EcoCast event. Welcome now Andy Thompson, Research Evangelist at CyberArk. Hey Raymond, Andy, are you there?

Yes, I am. Can you hear me okay?

Yes sir, you sound great. Thanks for being on.

Excellent, thank you for having me, and Ben, congratulations, I'm a fellow Texan here. So I just wanted to introduce myself and say hello. Quick introduction about who I am. We're going to be talking about Endpoint Privilege Manager and CyberArk, really the fundamentals, like our previous speaker was talking about, relative to least privilege and application control. But before we get into that, again, a little bit about myself. I have a very cool job at CyberArk, as I'm a researcher and technical evangelist for our CyberArk Labs division. This is the division of CyberArk that invests in offensive security research, vulnerability reverse engineering, that sort of research. It's really fascinating, bleeding-edge stuff, and I get to talk all about it. I'm also very active in the Dallas hacking community, where I'm one of the organizers of the Dallas Hackers Association, and I'm known as a travel hacker. My wife and I, we travel all over the world on a shoestring budget. But anyway, we're here to talk about the endpoint, really, and how it is the initial attack vector for many different types of cyber attacks. Quite often what's going to happen is that they will go in with a limited amount of privilege, elevate to a local admin or higher level privilege, and then execute their end game. That's really kind of the
tried and true path that we've seen for so many different types of attack, and I kind of mentioned this earlier, just now, that, you know, we assume that they're going to get in with the low privilege, but that's often not the case, because once they get in with a privileged level of local admin, for example, it's very easy to go in and shut down your existing complementary suite of security solutions such as EDR, AV, any sort of group policy configuration. Changes can be really shut down once local admin rights have been granted. Also, regarding vulnerabilities and the reporting thereof, usually the vulns that require privileged access to facilitate their attack are deemed a lesser score, so often we find that those are often the vulnerabilities that are not patched or are prioritized less in a patching regimen, just simply because they only have enough time to address the higher severity CVSS scores. So that's why you want to be aware that privileged access is a risk coming into your organization, and you can see here, I'm not going to read it for you, but basically 87 percent of organizations are basically giving their end users free rein with local admin rights into their endpoints. And now this isn't something that CyberArk is telling you to do, well, it kind of is, but don't just take our word for it. Gartner, the SANS Top 18, now I believe it's the CIS Top 18, they're telling us to really focus on the standard blocking and tackling, the fundamentals and basics, and CyberArk, we're not perfect, we can't do it all, but we can do certain things in those recommendations really, really well, one of which is extending least privilege and application control into not just the endpoint but the server infrastructure as well. If we have time, we'll cover that in a moment. The other piece is the ability to really restrict user controls, restrict the ability to not only execute certain applications but what they can do within those applications. The other piece of
this is really kind of proper and aggressive application control through data handling controls, and again I'll dive into what exactly I'm talking about relative to data handling controls shortly as the presentation progresses. But needless to say, it's as simple as this: Microsoft Office is only allowed to open Microsoft Office files. Any rogue process, script, binary, or thread that's trying to access these files, if it's not authorized, doesn't get access to said files. That makes it a lot easier. All right, so along with those fundamentals, this is kind of fundamentals 101 here, where we talk about the additional capacity that CyberArk and our Endpoint Privilege Manager can provide, through least privilege, really restricting the user to the minimum amount of rights to do their job, followed by application control. Now, I thought this was kind of an interesting comment here: computationally the cheapest and most effective security technology. What does that mean? Well, I had to think about it for a while, but then it actually clicked, it made sense. If we're actually restricting the processes from even executing, then the attack stops there. There's no additional after-effect; it's essentially computationally fairly cheap. So it stops the attack from even happening, through aggressive application control. Now, additional functionality that we'll cover in a second is the privilege defense aspect of this security fundamental. We'll talk about credential theft protection: there we found that certain processes, certain registry keys, certain database stores are ripe for credentials to be attacked. I know exactly where to go if I'm attacking PuTTY or WinSCP, for example, and so we actually go ahead and protect those data stores on behalf of these other applications. It's really powerful stuff. And then on top of all of that, we have certain policies and rules, specifically out of the box, that are configured to address
the ransomware threat. So again, we'll talk about this in a second, I hope, but the point is, this really is a great complement to your existing EDR. It's not meant to be a replacement; it really goes well into that defense-in-depth strategy that we often hear about so much in the IT security realm. Now, it seems easy, right? It's like socialism: it's great on paper. The problem with it is it's so much more difficult to actually execute, because where we're at today is basically the far left here. It's like the Wild Wild West, folks. We've given all our users local admin rights, we've deputized them to go around doing whatever they want. The risk is out there because not only do we not know what software is out there, but we don't know what versions they're running, right? We're completely exposed to any sorts of malware, including ransomware, and the fact is, by having so much local privilege given, our security tools aren't as strong as they could be. And where we want to be is, again, going back to those fundamentals that I talked about: least privilege, role-based access control, making sure that we have an updated, accurate inventory of our assets. I mean, that's what we want to get to, but this is the problem, folks. This is the catch-22 of local administrator rights and least privilege. If we give that access away, we lose all secure oversight. We have happy, productive users, but we really have a whole bunch of security incidents because we have no security controls; users are able to install malware at will, right? But what happens if we flip the switch and we actually implement security properly? We implement least privilege in its rawest form. We have a problem, because yeah, we're secure, but operationally we've ground things to a halt. There's a huge burden on our end users, and a just as big burden on our help desk. So it's that catch-22 that I was talking about, and that really inhibits us from jumping
over and building that bridge that we saw, and that's really what CyberArk's Endpoint Privilege Manager does: it helps bridge that gap and makes that implementation that much easier. And not only is it making it easier, but more importantly, it's making it secure. Hear me out on this. So with day one, we don't necessarily start with just going in and discovering all the software and then elevating it. There are certain things that we just have to do out of the gate that shut things down; it requires certain processes that we already know are basically block-listed, right? It's this process here that we call our quick start config, where we really mitigate the most amount of risk as quickly as possible from a least privilege and application control perspective. If you want to learn more about this, we have a great team of strategists that work with our clients to help define what the right roadmap is for them, so if you want to learn more about exactly what that risk mitigation strategy looks like, let us know; we're always down to have that conversation. But back to that original thing I was talking about: when we first roll out, why do we not start off with just monitoring? Well, there's no benefit to it out of the gate. Everybody's still local admins if we're just scanning for software, right? We're just scanning for privilege. We have that delta period between when we're discovering data and when we're actually implementing some change, so even then there's no benefit. The captured data has to be interpreted only after the fact, so all these events have to go down, whether they're legitimate, they're false positives, you name it, before we can actually interpret that data. There's a lot of other reasons that we want to move forward with risk mitigation over just kicking off these policies. The point here is that the landscape is evolving, and the policies are going to have to too, and so that's why we started off with our rules, those initial policies. And again,
it starts off with least privilege. This combination really is what we see in mature organizations: not just the instantiation of least privilege, not just application control, but using those two to actually create real just-in-time elevation. I don't believe that you can have just-in-time without least privilege; these concepts go hand in hand. The other piece of the Endpoint Privilege Manager, in its ability to provide value, is its impact in, again, protecting other applications beyond the capacity of themselves. Like I said, FileZilla, WinSCP, your local LSASS: we can apply another layer of credential-harvesting protection for them. I'm actually going to show you a demo of this shortly. The out-of-the-box ransomware protection policies are amazing, because they address that data handler issue that I was talking about. In fact, let's go to that slide, and I'll cover it next to the privileged deception piece. The ransomware protection really defines how approved content handlers are the only applications that are allowed to interact with the files that you designate, so you specify why a certain process should be allowed to access the PDF files, or only Microsoft Office and Teams can access your Office files, you know, Word and Excel and whatnot. This prevents rogue scripts, rogue processes that may have malicious code in memory. Excuse me, a little nervous here. My point here is, if I as an attacker have a reverse shell running in a process, I can't access the Word files or the crown jewels that I'm seeking, for only the approved content handlers have access to that folder or that data. This is actually a quick demo; I'm hoping this will play, to show you some of the trusted processes and whatnot. This is a USB Bash Bunny that, when plugged in, emulates a keyboard, so it bypasses any sort of signature-based AV and immediately types out a PowerShell script. It bypasses UAC, automatically runs the script, and
it initially establishes a reverse shell back to my command and control system. So once we have the green line here that shows that the agent has connected to the command and control, now we're going to interact with that compromised computer, and at this point we've got command-line access to the machine. What we're going to do is we're going to dump the memory of this victim's machine in order to harvest some credentials. So PowerShell Empire makes this super easy: there is a function called powerdump which dumps the memory from the LSASS process, if I'm not mistaken, and you will see that shortly here. We run the function, and it should spit out all our admin usernames and their NTLM hashes, which then I would just take to hashcat and brute-force, which, funny enough, I'm actually doing on my machine over here; it's a totally different project, but still nonetheless fun. Let me show you what it looks like from the defensive perspective, though. One of the ways that we could skin the cat here would be to block unsigned PowerShell functions from executing, so not only do we have the built-in policies, but we also have some additional advanced policies, one of which is blocking any unsigned PowerShell from executing. So let's go ahead and implement that policy, and we'll go ahead and re-run the attack again. You'll see that the code is able to be typed, but because it's unsigned PowerShell, PowerShell is not being launched. So that's one of the many methods. The other way that we could have prevented the credential theft from happening is to implement the credential theft protection policy. There are several different ones that we're going to actually implement here. The first is blocking the SAM dump from the registry, the next one is going in and blocking, I believe it's the LSASS, here we go, SAM harvesting here, and then the LSASS credential harvesting. There's a couple of these policies that we're instantiating here, but again, it's just a matter of taking these existing
policies, going in, changing them from block to enable or detect, however you want to set it, and away you go; the policies are instantiated. All right, so we've gone ahead and we have enabled blocking on a bunch here. All right, one more, there we go. Now we'll go back to the command and control function here. We're going to run the powerdump again, but take a look at what happens now. The process is going to try to reach out to the LSASS process, and, well, let's take a look. Nothing happens. Nothing happens, folks. That's not what an attacker wants to see, but that's everything we as a defender want to see. Unfortunately, the powerdump, well, fortunately, I guess, for us, the powerdump failed, and so we didn't get the credential harvesting that the attacker was attempting to do. So that's kind of anticlimactic, but there you go, folks, that's EPM in action. Not only do we block the attack, but we can also see from a metrics perspective what process was trying to dump LSASS, what machine it was coming from, very detailed information. All right, so I mentioned this earlier, about how the endpoint is the point of attack for many different cyber attacks, and that is the case, but we also have to realize that there are other processes, there are other attack vectors in our enterprise organizations. It's not just the PC. We also have Windows servers that have Active Directory, obviously, integrated with them as well. So we've got server infrastructures: your Linux, your Unix, your BSD, your AIX, those are all systems, including Mac, that need to be protected with least privilege and application control. We also talk about your processes regarding RPA and your CI/CD pipelines; these things are peppered with privilege all throughout them and need to be approached the same way that we approach our endpoints, from a least privilege and application control perspective. So these are just things that you need to be aware of; this isn't just a concept that's restricted
to our endpoints. We have that many and more systems running in the cloud that do need to have some level of least privilege and application control applied to them. So let's see. So basically, server managing practices amplify the risk: servers are accessed and managed by privileged users. This is really where we start talking about how it's not just about locking down the machines, but also the users as well; this is about privileged identity as well. The other thing is, from my personal experience, for the sake of operational efficiency, many times our servers are installed with bare-bones and minimal security tools, and because of the fact that, like I mentioned earlier, people assume that the endpoints are what's being attacked. Yes, they are, but as attackers, as pen testers, as red teamers, as APTs, what they'll do is they'll pivot in, because they're not just going to sit on the endpoint. Attackers are more interested in pivoting and weaseling into your tier 1, tier 2 infrastructure and getting those crown jewels. Let's see: highly targeted because they house and access, yeah, exactly. My point here in this slide is that yes, the endpoint is at a super high risk, but that's because it's the largest attack vector. They're going to target and zone in on your tier 1 and tier 2 assets, really anything that correlates to your business continuity program; that really kind of correlates to what the attackers are going to be focusing on relative to a privileged attack. Let's see here. And now this kind of solidifies what our entire vision of identity-driven security is. Again, it starts with the endpoint, right at the center, and it's a matter of, again, understanding that least privilege, application control, that continuous risk awareness that's constantly being updated in your portfolio, really provides that sound security vision. I didn't really touch on this very much, because there's just so much to talk about relative to the Endpoint Privilege
Manager solution, but the ability to not only elevate on demand but actually challenge the user with adaptive multi-factor authentication: it's really cool stuff, and I highly, highly encourage you to take a look at one of our demos of the product. It is amazing. But I digress here. My point is that you see our vision of security on the endpoint, and it does feed in from admin privileges, from DevOps processes, RPA robots, even third-party vendors; some level of access into the endpoint is something that we have to consider. I can't spend all day talking about just vendor access, but needless to say, this is just a small spoke in the real overarching image of privileged identity, and so you can see where Endpoint Privilege Manager fits into that. This is more of our entire suite of solutions, but you can see where we prioritize access, privilege, and DevOps as some of our core foundational components. So that really concludes most of my talk today. If you want to learn more about the Endpoint Privilege Manager, I highly recommend you check out our three-part series that's actually talking about strengthening endpoints. If you like my talk today, you're really going to like the follow-up series that we have in store for you. Also, we have a 30-day free trial of the product, so if you want just to kick the tires and light the fires, feel free to check out the 30-day free trial. So that concludes my presentation. I think we've got some Q&A here.

Absolutely, yeah, we do have some questions for you, Andy. A great presentation, really cool demos; I love seeing those, thank you for sharing those. I want to encourage everyone to check out the 30-day free trial. Before we move on, you can click on that link right there that says "Register today"; actually, that's a hyperlink, and if you click on that, that'll open a new web browser tab or window in your web browser. So with that, let's go ahead and move on to our poll while we take
your questions. The poll on the screen says: what additional information would you like about CyberArk? All right, so let's see. Andy, first question I want to ask you here: they're wanting to know, can CyberArk really protect our endpoints from becoming infected with ransomware?

Yes, so this is where I get to talk about the cool stuff that's coming from the Labs division. We actually have a ransomware lab where we are throwing hundreds of thousands of samples at this daily and weekly, and we're confident that the combination of least privilege and application control, in conjunction with each other, really stops ransomware from happening. It's really the execution of any malware, like the previous speaker was saying. We're certain that we've done 3.6 million samples and we've yet to have a ransomware infection. I mean, that's a big number to quote, but that's how confident we are in it. I hope that answers your question.

Yeah, absolutely. Here's a good one from Dave. He says, with COVID-19 they've got so many employees accessing the network remotely, with, I'm sure, bring-your-own-desktop type devices. He's asking, how can we turn on and off local admin, essentially allowing these users to do what they need to do but without having too much privilege?

All right, so in a BYOD world, that is a unique challenge, and it's really hard about flipping the switches on somebody else's machine, so what we often find is VDI access for these remote users tends to be well done. Also, if we have corporate assets, then there's a huge challenge of managing the local admin account remotely, especially if we have organizations that aren't connected via VPN on occasion. So how do we manage the local admin? It's a manner of using a solution like CyberArk's Enterprise Password Vault solution in conjunction with EPM, actually, to rotate those passwords off the network. But how do we facilitate remote access? This is kind of like a part two to his
question. This is really where another product, the Remote Identity, is really powerful: VPN-less, remote, agent... I'm sorry, agentless, VPN-less remote access from the web browser that allows for zero trust access, as a vendor, as a remote user, into the enterprise. So that's what we would recommend for remote access: they just need a web browser. As far as managing the local admin privilege of the client machine, that is where the EPM product and the agent really shine as far as feature functionality. I hope that answers your question.

Yeah, excellent. And then so, if folks want to get started with this in their company, which department is it that typically starts rolling out a least privilege solution like this?

Oh, that's a great question. It's funny, because depending on who you roll out your program to, it can make or break it. You really have to get the most bang for your buck but also not break the product, I mean, not break the product, but break your productivity. So what we recommend is, focus on, if you've got a frog to swallow, swallow the biggest one first, I think is what Mark Twain said. And so what we recommend is focusing on your IT department first, usually the systems administrators, because they have the most difficult policies out of the box, but once you address those, rolling it out to the remainder of the infrastructure is a piece of cake, and so that really facilitates more adoption over time. Yeah, it's a little bit of a hurdle at first, but then everything else is just easy peasy.

Great advice. I like that, good Mark Twain quote there. And then so this person's asking, their antivirus has some exploit prevention built into it; how does this compare to that?

Another great question, and this is something that I'm glad that you asked, because I accidentally... I'm not as prepared as I normally am for these sorts of things, but one of the things I
wanted to talk about was how EDR and AV do complement but don't yet replace something like least privilege and application control. Here's the deal: these sorts of solutions require something to have happened first, whether it's existing infections generating a signature for an AV, or malicious actions of some degree that can be detected and then immediately responded upon. So at least in a ransomware event, there might be one to two files, perhaps, that may be encrypted in the process before your EDR can immediately snap into action. These are the things that we want to prevent, and they are completely prevented if the application isn't even allowed to execute in the first place. So that's kind of how we provide some additional value, in the fact that by stopping the initial attack, we also make more secure those third-party complementary solutions. We saw with the SolarWinds attack, for example, the attackers waited 30 days before they would shut down AV solutions. Endpoint Privilege Manager was actually listed in their list of applications that wouldn't work, so it actually would stall the installation of the malware just because EPM was installed on it. So look at this as not, what is it, and/or, but with both; they're supposed to complement, not contrast, each other. I think that made sense.

Yeah, good point. I mean, this is going to prevent the attack before it ever happens; I like that. So I'm afraid we're running out of time here in our live Q&A. If folks want to get started with this, you said that there's a free 30-day trial, is that right?

That is correct. There's a 30-day trial, it's a SaaS-based service, it works great. You can implement it now, download it, and you can be protected from ransomware by the end of the afternoon.

Awesome. CyberArk Endpoint Privilege Manager. All right, well, Andy, it's been great having you on the event today. Thank you so much for being here. Say hi to Texas for me, and we'll see you next time.

Thank
you again for having me. Really appreciate it. Take care.

All right, and thank you to CyberArk. Check out the handout; it's there in your audience console: CyberArk Endpoint Privilege Manager. There's a solution brief there, and then of course you can go to their website and download the free 30-day trial and, like Andy said, be protected from ransomware by the end of the day. Cool stuff; seems like it would fit in very well with your 2022 security plan. All right, with that, it's now time for our final Amazon $500 gift card announcement. I'll leave up the poll and let you respond to that while I announce the final gift card winner. This is going to Aaron Weyrich from Wisconsin, Aaron Weyrich from Wisconsin. I will post all the prize winners' names there in the questions box. All right, that is done, and thank you to everyone who responded to the poll. Before you go, of course, don't forget to subscribe to the 10 on Tech podcast over in the iTunes Store. If you are a potential sponsor of an upcoming MegaCast or EcoCast, reach out to us at connect@actualtechmedia.com. Don't forget about the Gorilla Guide Book Club; it's there at gorilla.guide or in your handouts tab; download free educational IT books. And at the end of the event here, in just a moment, you'll be automatically redirected to our "refer an IT friend or co-worker" page, where both you and your IT friend could win an Amazon $300 gift card. Thank you so much for joining us on today's EcoCast, Developing Your 2022 Security Plan. I hope that you learned a lot, I hope that you had a lot of fun, and I hope that you'll stay safe and prepare your plan for 2022 to be better protected. Have a good evening. Take care. Bye.
Info
Channel: ActualTech Media -
Views: 43
Id: nInoSCqx4Y0
Length: 391min 50sec (23510 seconds)
Published: Tue Dec 07 2021