Red Team Village - Anticipate threats with SOC automation
Formal metadata
License | CC Attribution 3.0 Unported: You may use, modify, reproduce, distribute and make publicly available the work or its content, in unchanged or changed form, for any legal purpose, provided that you credit the author/rights holder in the way they have specified.
Identifiers | 10.5446/49192 (DOI)
Transcript: English (automatically generated)
00:02
Hello everyone, so please take a seat, grab a coffee, close the door. Hey, do you hear me? Oh no, I'm sorry. It's a critical decision. So I can't argue at the moment; as you are listening to this recording I'll be on holiday in the south of France in my swimming costume.
00:23
So give me a question in the chat room, I'll be pleased to answer you at the same time. So hello everybody, I'm Nicolas. Just to present myself: I'm a penetration tester or security auditor. I've worked for decades in this cyber security industry.
00:43
Now I've built my own company and I work in the internal red team of a financial institution in France. So as you see and hear, I'm French, so sorry for my French. Thank you. We'll talk about
01:01
automating security operations, SecOps. What does SecOps mean to you and to me today? Everyone has his own definition. For me, security operations could be related to various activities; for now, please consider at least these activities.
01:21
I will talk about penetration testing, security control assessment, vulnerability management, CTI and DFIR operations, security compliance, and all about code review and web application security. We'll see why and how to add automation within these activities.
01:45
We'll talk about PatrOwl. PatrOwl is an open source framework for automating and orchestrating tasks within security operations. It provides a solution to get a continuous and full-stack overview of your cyber exposure.
02:04
The solution lets you define your assets, your scan policies and the scans you want to perform. The scans give you findings, and all these findings are then collected, analyzed and aggregated within a unique
02:25
database. We developed several engines that connect to existing security tools to assess risk on your security demands. The idea is to get a risk view from the IP level to the data level. The scans could be started one-shot, scheduled, or
02:44
started on a regular basis. The final goal is to get continuous monitoring of our assets and our security posture on all stacks. The findings could be a confirmed vulnerability, a suspicious change in our systems, or suspicious activity over the internet.
03:05
These findings are very contextualized and tracked over the scans. And that's all for PatrOwl for now. No, of course, it's not the full picture; I just want to tell you about
03:22
security operations and about automating SecOps. As I told you before, I've worked in this field for five years, and from my window there are two major factors in the current evolution of the IT landscape:
03:41
acceleration and diversification. This applies to our assets, the threats, and by the way the security incidents. We see an acceleration of digital programs and a diversification of assets. Thanks to the
04:00
digital transformation programs, with the explosion of IT projects, information systems are more and more open to the world, and then more and more open to hostilities. We have to deal with new technologies everywhere, every day: new products, new firmware, new libraries, and all these technologies are
04:23
updated every day. We also see changes in the software delivery processes. Remember a few years ago, when it was about a four to five month production cycle. Today, thanks to the hype around DevOps activities, we can see multiple go-lives in a day, and
04:47
a go-live means a new application, and by the way, if it is all new, you expose it to new things. The threats are growing: the number of CVEs is growing year after year. It's a metric.
05:05
I mean, I don't know if it's a good metric to talk about the number of CVEs, but it could be representative. About the attackers: they do a great job. There are more and more of them, and they are more and more organized and efficient.
05:24
From a defensive point of view, we have to cover a quickly changing IT landscape, and at the end of the day it's increasingly hard to get a realistic, comprehensive and sufficiently updated vision of our cyber risk exposure.
05:43
We also have to face another problem: the talent shortage problem. We don't have enough people to do the job. At the moment lots of tasks are repetitive, and this leads people to lose their motivation and leave the team.
06:01
We definitely believe it's time to adapt our cyber defense paradigm. We have to adapt the way we do our job and the way we monitor our cybersecurity posture to face these challenges.
06:22
In the team we try to manage security incidents with two goals. The first one is for the red team: it's about identifying vulnerabilities on our assets before attackers do. And for the blue team, it's to identify indicators of compromise, which could be past, current or future
06:46
potential security incidents. To do this we have to keep ourselves updated on many, many things. The first one is to keep ourselves updated on the continuous transformation of our assets,
07:05
which could be more or less considered as shadow IT in big companies. We have to keep ourselves updated on the infosec knowledge base: the new research publications, the talks about a new vulnerability or a new way to detect certain things,
07:24
how to exploit a vulnerability, and all the security news. The spectrum of threats is also changing every day; we have to manage lots of feeds of information every day. And finally, we found that scanning our assets is not efficient anymore.
07:45
We have to monitor external resources to detect leaks and attack signals, and to understand how to improve our security posture. For day-to-day work, it
08:00
could be very hard to manage all of this information. In the cyber security industry it's a race against the clock. And the third aspect we have to tackle is the window of exposure problem. It's all about our reactivity.
08:22
Today we know that attackers will attack us not just because we are a bank, or a gas company, or something fancy; it's just because we are on the internet and new vulnerabilities are found everywhere. This just increases the likelihood of attack scenarios.
08:42
But the window of exposure is a real problem and should be handled with priority. We said that we have to detect and fix vulnerabilities and suspicious activities as soon as possible. So basically, for these challenges we
09:01
think about automation and orchestration. Just a quick reminder of my definitions: automation is setting up a single step, a single task, to run; and orchestration is about automating a lot of things at once. It's about the coordination and management of automated tasks.
09:25
Before we go on, let's share a personal experience. A few months ago I set up a Kubernetes cluster with the default configuration, exposed to the internet. It was unfiltered. Maybe you see what the next thing will be.
09:43
Only 24 hours after, I was hacked: a crypto miner was deployed on my cluster and my server started to mine some kind of cryptocurrency. After a quick forensic analysis,
10:00
this definitely shows I was not targeted because I was Nicolas; just because, probably, a scanner identified that a non-secure service was exposed on the public IP and the attacker automatically deployed his payload on my server. So
10:20
I don't blame it. I don't blame it; he is doing his job, he's doing a great job from this point of view. The fact we have to remember today is not that I'm a cheap DevOps. No, we have to accept that attackers do automation, and better than us, in their field.
10:41
Why automating SecOps? The first thing, from a defensive overview, is to do more checks: to cover a larger and more diversified scope, to cover a bigger perimeter of assets and make more controls on each stack. And the second thing is to do it more often; it could be
11:05
continuous checks. It could be very useful to reduce the window of exposure, to reduce the delay in discovering and fixing a security incident. The third
11:21
thing I would like to say is about efficiency. As I told you before, we have to face a big problem at the moment, the talent shortage problem. The idea is to reduce the time allocated to low-value-adding tasks, to focus on more complex security cases,
11:42
and for doing this we have to automate the simple tasks. It's also a way to reduce and manage costs and to start following KPIs. It could also be very useful
12:02
to help you in your compliance and benchmark activities: to define and execute the same control on a subset of assets, and do it continuously to see the trends and how far
12:22
you are compliant with your security standards. So at this point of the presentation you should all be convinced of automation. So there are several downsides we have to discuss now.
12:40
Of course, there are limits. It doesn't cover all of the risk in itself. If you automate your controls you will have an increasing number of alerts to manage, an increasing number of false positives, and we found also that it's very
13:05
useless and inefficient to find functional vulnerabilities. We also have to qualify and contextualize all the findings we have found. And about the TCO: yes, automating, but we don't
13:23
automate things by magic; we use tools that orchestrate all the tools, so we also have to manage and exploit the tools. At the end of the day a tool is a tool, and it's very useless without a cyber defense strategy. So if you don't have that strategy, don't try to automate things.
13:50
By the way, we decided to build a platform for automating and orchestrating SecOps because we wanted to improve our level of
14:01
maturity and to become more efficient, to adapt our work. The core concept is to efficiently move from a reactive to a predictive, or more or less predictive, security posture with the benefits from the power of
14:22
automation. We also decided not to develop our own tools but to use in priority the best of breed tools. Great tools exist, but they are not addressing all the stacks at the same level. Tools like Nessus or Qualys are very efficient to scan
14:44
for vulnerabilities or misconfigurations on infrastructure and your cloud services, but the web application scanners, the component security assessment and the anti-malware modules are not sufficient.
15:02
We found that we cannot have only one tool to cover all the security controls we need to assess. We
15:20
found that we have to support scan policies which are realistic from the attacker's point of view, and the idea was to take the benefit from the best parts of several security tools, making it easier to define a scan policy
15:41
and to play it. Now I will talk about PatrOwl for a little bit. It's composed of two independent types of application. The first one, at the left, is the manager, the front-end application, where you have your dashboard, you manage your assets, you define your scans, you have your findings, and
16:06
you manage the engines, which are the micro-applications that perform the scans. All the application is open source and developed in Python, with all features
16:22
reachable through the web UI or the REST APIs. The PatrOwl engines are the probes; they are the micro-applications that perform the scans, then parse, analyze and format the findings into a unique and pivoting format.
16:42
I mean, these could be deployed on separate servers; we can scale that way. For example, you can deploy probes on your internal network, and probes on your
17:05
DMZ with all your restricted networks, and it could easily be linked to your endpoints. These PatrOwl engines
17:21
(sorry) scan the assets. For example, we developed an engine for Nmap. We didn't redevelop Nmap, but we made a connector to Nmap, and that's where we can perform, on the same asset, security scans
17:42
using Nessus, Nmap, OpenVAS, Qualys, and also SaaS security tools, from the same cockpit, and all the findings have the same look, and we can compare and track all the findings on these assets
18:04
issued by the several engines we use. A bit deeper: PatrOwl Manager, as I told you, is the front-end application. Here you define your assets and groups of assets.
18:23
You can also define the scan policies, you can schedule scans and manage the scan results. PatrOwl Engines is the second component. The PatrOwl engines are the collectors, with the data scanners, which could scan
18:44
the assets, which could be on the internet or on your internal data network. The PatrOwl engines could also be linked to an external scanning service
19:02
or to your CTI provider. You can also create tickets, or inject or raise alerts in your other systems; you can also inject the data into your SIEM or into your ELK if you want
19:25
to analyze, or to make the alerts in a different way. As of today we have developed a large range of engines in various domains.
19:40
For each engine we create a Docker image including the tool needed and the REST API to deal with it, so you don't have to install tool dependencies or manage the system requirements. It's just as simple as a docker pull.
20:01
Oh, it's true, except for several engines like Nessus, OpenVAS or Nmap, where the Docker image does not embed the scanner, but it could be linked to your instance.
20:27
On this slide we see a lot of engines, a lot of various engines. The idea of PatrOwl is that it's a framework: you can build your tool to
20:45
do the detection or the control you have to perform. I don't see many companies that would use all of these engines; it's more or less separated between vulnerability assessment, or
21:06
threat intelligence, or static code analysis or dynamic code analysis. So
21:21
we also have a lot of ideas for the next engines regarding vulnerability management, CTI, web application scanners, containers, data leaks, and so on. The difference is that the engines are also open source, and we accept and welcome contributions.
21:45
Any contribution to create an engine, or to give us ideas to develop any engine, please do. Maybe we'll start to talk about use cases. The first one is
22:01
recon. I come from the red team, I come from a penetration tester background, and the assessments are always the same. The first step of the pen test is to perform the recon activities.
22:23
So we search for subdomains, we resolve IPs, we try to discover the open ports, we fingerprint the services, we search for vulnerabilities, and so on. For this we use several tools with
22:47
more or less the same settings on your assets. So with that one, we use PatrOwl in our security assessments
23:02
to do this as quickly as possible and to do this continuously. The second use case is to examine the source code and the running web applications for security defects.
23:21
It's to be involved in the CI/CD pipeline, and so on each commit we take on the repository we are able to clone the project and start a static code analysis using dependency checks or Retire.js for the JS dependencies,
23:44
and the code is statically analyzed, and so on. Once the web application is deployed in our staging environment or in production, we can also orchestrate a dynamic scan using, for example, Arachni, and
24:06
that is all available through the REST API. We also developed Patrowl4py, which is a Python client library, so it's very easy to integrate with all your security tools.
24:25
The third one is about phishing preparation scenarios. We use it to search for early signs of malicious domains and websites. The idea is to search for
24:40
suspicious domains, of the typosquatted domain type, and once we identify them we can monitor them to look for changes: are they still parked, do they have a certificate, what does the web application look like,
25:03
are there new exposed services, and so on. If we have any suspicious change on the attacker's assets, we raise alerts and we manage them. The third use case is code leaks on
25:23
GitHub. Many, many times, DevOps or IT people are leaking something on GitHub because, I don't know, it's easy, they don't really know how to use it, and they don't really know that
25:44
their public repo is public. So we want to search for leaked internal resources: source code, API keys, passwords, scripts. We developed just a
26:00
simple scraper on GitHub to monitor our keywords and our patterns, just to detect that we haven't leaked any system script or internal application
26:24
or any sensitive domain address. We talked about the use cases, but we found that when we automate all these security tools we can address a lot of use cases.
26:49
So I want to step back a bit. If you orchestrate
27:02
the security tools, you will perform more controls and do it more often. It will result in more findings, and it will result in more alerts, and the security dashboard will look like a Christmas tree
27:23
very, very soon. So, well, all these events are relevant, but we have to prioritize things, and it's
27:41
the key challenge today, because we have the capacity to detect things, to find out the false positives; we have the technology and the experience, but we don't have the time to manage every alert. So we have to prioritize.
28:05
And if you permit, I will share my morning routine with the team where I'm working. When a new vulnerability is discovered, every morning we talk about this and we
28:22
share questions. The first thing, when a new vulnerability is discovered, is that we talk about the CVSS base score. We talk about whether we are vulnerable or not. Are we exposed on the internet with this vulnerability? Has this vulnerability been identified on a critical asset?
28:46
Are we aware of any functional exploit for this vulnerability? Is any patch or compensating measure available? Are there any likelihood catalysts:
29:02
has this vulnerability been exploited in the wild, what is the media hype level, has the vulnerability been exploited by relevant threat actors? We ask the CTI team. We also have the question:
29:21
have we already been compromised? And the DFIR team is in charge of investigating and reassuring us if they can. And the next question is: are we really able to detect exploitation of this? And
29:41
at the end of the day, at the end of my morning routine, the manager says: OK, do we have enough data to initiate a crisis and to handle this as a priority?
30:00
It's definitely teamwork; it's not just done within the SOC, the DFIR or the CTI team. It's really teamwork: all the IT and business service lines are involved. And the second thing is that vulnerability metadata are not static; they are continuously evolving over time.
30:28
Everything changes when a new patch is available, when a new exploit is published, and when a new security or software blog post is available.
30:40
One event could change the way we manage a security incident. And as you remember, we started using the CVSS base score, and we want to know today if the CVSS base score is sufficient to be a primary factor of discrimination.
31:05
Just a quick reminder of the CVSS scoring. There are three vectors: the base score, which represents the intrinsic and fundamental characteristics of the vulnerability; there is also a temporal vector,
31:23
which represents the characteristics of the vulnerability that change over time; and we have another component, the environmental, which represents the characteristics of the vulnerability within the client context. CVSS is the norm, the standard everybody adopts.
31:42
But the CVSS base score is usually provided, while the temporal and environmental scores are on our behalf. We have clues,
32:01
we have information from many parties, which are not always on the same page, and it's just a score, a base score. For example, we have
32:23
a fun fact: Heartbleed was scored at five and Spectre was scored at minus five. So if we just have the CVSS base score as the primary
32:42
discriminator, we're hoping to see if it's sufficient to do our jobs. So, going deeper with it, we found that we have to
33:01
manage multiple criteria for prioritization. We have to manage the CVSS base score, the patch availability, the age of the vulnerability; we have to manage the discoveries and the detections. All of this data is available from
33:23
various sites or feeds of information, but all of it is public and of quite good quality. All the criteria for prioritization are about the threat and the temporal metrics:
33:43
it's about the exploit, the vulnerability exploit maturity and the ease of exploitation. Also, the threat intensity is very useful to know, because it's a sign of the maturity and
34:04
the likelihood of occurrence of the risk. We thought about it also with MITRE ATT&CK and the CTI feeds. The information could be useful to
34:22
know about the threat relevancy (sorry, it's very hard to say, I'm French, remember) and whether it's exploited by monitored actors or not. And the third pillar is about the assets themselves, the vulnerable assets:
34:45
is the asset critical or not? What is the exposure of the asset: is it exposed on the internet or on a restricted network? And what about the distribution of the vulnerability?
35:06
If we have a vulnerability with a high CVSS, without a public exploit, on a restricted network,
35:22
the real priority is not very high. But a similar vulnerability with a medium CVSS base score, exposed on the internet, with an exploit available and a large distribution, is the top priority.
35:48
So we take all these criteria for prioritization, and we have to make decisions, to check whether we have to manage this as quickly as possible or not.
36:02
The first case is: okay, it's very recent, we have to ask for an immediate correction and we start the crisis, we open the crisis room. The second is:
36:20
okay, it's urgent, we ask for an immediate correction and we assess that the correction is efficient. The third action is: okay, it's a vulnerability, we know about this, apply the fix in the next patch campaign,
36:42
but no more. And finally, if the vulnerability matches no top criteria: okay, apply the fix if possible, but we don't pay any attention to this; we have to choose our battles.
37:04
But the type of vulnerability, we don't manage this. So for that, we are working on a new tool,
37:22
which is PatrowlHears. The open-sourcing, the releasing as open source of this application, is in progress; I hope it will be the case. The idea of PatrowlHears is to manage all these criteria, all these metrics,
37:45
and we massively use cve-search and VIA4CVE, which are open source tools released by CIRCL, and the idea is to grab some data,
38:02
to collect and clean data like CVE, CPE, cross-references, to create and update vulnerability metadata from the NVD, Exploit-DB, PacketStorm, Metasploit, Talos
38:21
and so on, and to compute the vulnerability prioritization, the rating, using the vulnerability metadata and the asset criticality and exposure. This data is known by PatrowlManager, sorry,
38:44
because in PatrowlManager, we know that we found a vulnerability on an asset exposed on the internet or on the internal network, and we know about the distribution too.
39:01
And the idea is to provide PatrowlManager a rating on the vulnerabilities found using any scanner as well. We can also use PatrowlHears to track changes on vulnerabilities, like CVSS, exploit known and so on, and to perform alerting,
39:27
like if we found a vulnerability on a monitored project or our product versions: okay, we automatically send an email, we send a
39:41
TheHive event, we send a Slack message, we open a Jira ticket and so on. And finally, the idea is also to share feeds using Patrowl and CTI. So we will talk about this
40:01
later. I reached the end of the presentation. So if we can just step back and think about automating, let's say, your cycles: it's quite possible. The idea is to have cost-effective
40:23
activities. We aim to rationalize the tooling, the product licenses and all the skills needed to deploy and use the various security scanners
40:40
we have to. And the second one is to provide turnkey solutions: every component is available as Docker images, it's very easy to use and deploy, we provide templates for scan policies and so on. The third one is that all of the
41:01
tool galaxy is open source and easily customizable to your specific needs, and we have documentation. We also have to improve this documentation, but everything is available.
41:21
Globally, it's a full stack and a continuous assessment. The idea is to have a 360-degree overview of your assets, to perform a real-time assessment with relevant data, to keep you updated from every source we can.
41:42
Finally, it's made with love by Patrowl, sorry, by us and all the community, the Patrowl community, which is composed of security experts.
42:02
And finally, if we can summarize with two things: for big companies, it's quite an opportunity to aggregate findings from the different existing tools you already have in place. And for newcomers and small organizations,
42:20
it can bring you capacities to quickly improve your security. So what's next? We have a roadmap, of course; we are working hard to improve our integration with
42:42
all the tools, and especially two tools: TheHive, which is a security incident response platform, and Rudder, which is an IT automation and security compliance tool. All of them are open source projects, very mature projects, and we definitely want to have more integration with them.
43:09
We also try to improve patrowl4py, sorry, it's the Python API kit. We are currently redesigning the front end,
43:22
the front end of PatrowlManager. We are also endlessly testing new use cases and debugging, providing quality and global security of the platform. And we are also building an enterprise solution. So,
43:42
but it's an open source subject and project, and it will always be the case. So contribution is really needed. So if you have the ability to test it and give feedback, we would be very grateful.
44:03
And if you want to contribute, and also just to push new issues, we will be very happy to have this. So
44:21
we are at the end of the presentation. So if you have any question, please ask it in the chat room. And finally, I know it's a bit late to say that, but I really want to thank the DEF CON organization.
44:44
Thank you for having accepted my talk, and thank you to you guys and girls for having attended this session. Thank you very much, and let's go for questions. Thank you.