Posted on 23-May-2020

TRANSCRIPT

Improving Threat Intelligence, Detection, and Response for Cloud Workloads

Dan Constantino
Director, Security Operations
Cox Automotive


Here's the brutal truth:

Threat actors don't break in, they log in or exploit old vulnerabilities/misconfigurations. No exceptions.

Cloud environments can widen the scope of a company's risk.

FINANCIAL SOLUTIONS
INTERNATIONAL
INVENTORY SOLUTIONS
RETAIL SOLUTIONS
MOBILITY SOLUTIONS

IN THE CLOUD
Corporate Applications (SaaS)
Customer-Facing Systems (IaaS/SaaS/PaaS)

CLOUD RISKS

Overly Permissive Security Groups
Open S3 Buckets
Overly Permissive IAM Roles
Exposed API Keys
CI/CD Pipeline Misconfigurations (Jenkins)
Remote Code Execution Vulnerabilities

(Diagram labels: DBA, QA/Release Engineer, PII)
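Three of the risks on that slide (open S3 buckets, overly permissive IAM roles, exposed API keys) can be caught by static checks on the policy documents and on committed configuration before an attacker "logs in". The following is an added example, not Cox Automotive's tooling and not from the original deck: it runs three such checks over constructed AWS-style policy JSON and a constructed config snippet (the access key pair is the placeholder pair from the AWS documentation, not a live credential). The key regexes are the usual secret-scanning heuristics, assumed here rather than an authoritative key format.

```python
"""Added example (not Cox Automotive's tooling): static checks for three of the risks
listed above, open S3 buckets, overly permissive IAM roles and exposed API keys, run
over constructed AWS-style policy documents and a constructed config snippet."""
import json
import re

# Constructed bucket policy that grants anyone read/list access (an open S3 bucket).
OPEN_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

# Constructed role policy with full admin on everything (overly permissive IAM role).
ADMIN_ROLE_POLICY = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed, tightly scoped policy for comparison.
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _statements(policy):
    return _as_list(policy.get("Statement", []))

def is_public_principal(principal):
    """True when a statement's Principal allows anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def bucket_is_open(policy):
    """Open bucket: an unconditional Allow statement with a public principal."""
    return any(stmt.get("Effect") == "Allow"
               and is_public_principal(stmt.get("Principal"))
               and not stmt.get("Condition")
               for stmt in _statements(policy))

def overly_permissive_actions(policy):
    """Return wildcard actions ('*' or 'service:*') allowed on Resource '*'."""
    found = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        found += [a for a in _as_list(stmt.get("Action", []))
                  if a == "*" or a.endswith(":*")]
    return found

# Long-term AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics;
# secret keys are 40 characters. These are the usual secret-scanning heuristics (assumed).
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")

def find_exposed_keys(text):
    """Return (kind, value) pairs for anything that looks like a hard-coded AWS key."""
    hits = [("access_key_id", m) for m in ACCESS_KEY_RE.findall(text)]
    hits += [("secret_access_key", m) for m in SECRET_KEY_RE.findall(text)]
    return hits

# Constructed snippet in the shape of a committed .env file or Jenkins job parameter.
# The key pair is the placeholder pair from the AWS documentation, not a live credential.
LEAKED_CONFIG = """
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    print("open bucket:", bucket_is_open(OPEN_BUCKET_POLICY), bucket_is_open(SCOPED_POLICY))
    print("wildcard actions:", overly_permissive_actions(ADMIN_ROLE_POLICY))
    print("leaked keys:", find_exposed_keys(LEAKED_CONFIG))
```

The bucket check treats any unconditional public Allow as open; in practice a `Condition` block (for example restricting to a VPC endpoint) needs to be evaluated rather than simply trusted, so a finding with a condition should go to a reviewer instead of being auto-cleared.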

How We Built Our: Threat Intelligence, Detection, and Response for Cloud Workloads

Threat INTELLIGENCE
Threat DETECTION
Threat RESPONSE

1. THREAT INTELLIGENCE

Built a threat intel ecosystem to better understand our threats

• Create your own threat intel
• Integrate on-prem and cloud threat intelligence within a single platform
• Age out/expire threat intel
• Use your IR artifacts/findings
• Automate 2-way integration of threat intel
• Leverage your threat intel to prioritize vulnerability remediation

(Diagram label: TIPS)
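The bullets above describe properties of a threat intel ecosystem rather than a product, so the following added example (illustrative code, not Cox Automotive's platform and not from the deck) shows those properties in one small store: indicators created from an IR case, a single store for on-prem and cloud indicators, expiry by TTL after the last sighting, re-sightings merging sources (the two-way integration), matching against cloud events, and ranking vulnerability findings by whether their CVE appears in active intel. Every indicator, event, case number and CVE id is constructed; the CVE ids are placeholders, not real advisories.

```python
"""Added example (not Cox Automotive's platform): a small threat-intel store with the
properties listed above. Every indicator, event and CVE id below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Indicator:
    value: str                  # IP, domain, hash or CVE id
    kind: str                   # "ip", "domain", "sha256" or "cve"
    confidence: int             # 0-100
    first_seen: datetime
    last_seen: datetime
    ttl: timedelta              # how long after last_seen the indicator stays active
    sources: set = field(default_factory=set)   # e.g. {"ir-case-1042", "vendor-feed"}

    def is_active(self, now):
        return now <= self.last_seen + self.ttl

class IntelStore:
    """One platform for on-prem and cloud indicators, keyed by (kind, value)."""
    def __init__(self):
        self._items = {}

    def upsert(self, ind):
        """2-way integration: a re-sighting refreshes last_seen and merges sources."""
        key = (ind.kind, ind.value)
        existing = self._items.get(key)
        if existing is None:
            self._items[key] = ind
            return ind
        existing.last_seen = max(existing.last_seen, ind.last_seen)
        existing.confidence = max(existing.confidence, ind.confidence)
        existing.sources |= ind.sources
        return existing

    def expire(self, now):
        """Age out indicators whose TTL has lapsed; returns how many were removed."""
        stale = [k for k, v in self._items.items() if not v.is_active(now)]
        for k in stale:
            del self._items[k]
        return len(stale)

    def lookup(self, kind, value, now):
        ind = self._items.get((kind, value))
        return ind if ind is not None and ind.is_active(now) else None

def match_events(store, events, now):
    """Detection hook: events whose source IP matches an active indicator."""
    hits = []
    for ev in events:
        ind = store.lookup("ip", ev["sourceIPAddress"], now)
        if ind:
            hits.append((ev["eventName"], ev["sourceIPAddress"], ",".join(sorted(ind.sources))))
    return hits

def prioritize_vulns(store, vulns, now):
    """Remediation order: CVEs present in active intel first, then by CVSS."""
    def rank(v):
        return (1 if store.lookup("cve", v["cve"], now) else 0, v["cvss"])
    return [v["cve"] for v in sorted(vulns, key=rank, reverse=True)]

# Constructed CloudTrail-like events and vulnerability findings (placeholder CVE ids).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23"},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9"},
    {"eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.77"},
]
SAMPLE_VULNS = [{"cve": "CVE-0000-2222", "cvss": 9.8},
                {"cve": "CVE-0000-1111", "cvss": 7.5},
                {"cve": "CVE-0000-3333", "cvss": 5.0}]

def build_demo_store(now):
    store = IntelStore()
    # From our own IR case (constructed): seen directly, so high confidence and a long TTL.
    store.upsert(Indicator("198.51.100.23", "ip", 90, now - timedelta(days=3),
                           now - timedelta(days=3), timedelta(days=30), {"ir-case-1042"}))
    # Vendor feed indicator (constructed) not re-sighted for 60 days with a 14-day TTL: stale.
    store.upsert(Indicator("203.0.113.9", "ip", 40, now - timedelta(days=90),
                           now - timedelta(days=60), timedelta(days=14), {"vendor-feed"}))
    # CVE the IR case showed being exploited against us: outranks higher-CVSS findings.
    store.upsert(Indicator("CVE-0000-1111", "cve", 95, now, now, timedelta(days=180),
                           {"ir-case-1042"}))
    return store

def run_demo(now=datetime(2020, 5, 1)):
    """Expire stale intel, match the sample events, rank the sample findings."""
    store = build_demo_store(now)
    expired = store.expire(now)
    return expired, match_events(store, SAMPLE_EVENTS, now), prioritize_vulns(store, SAMPLE_VULNS, now)

if __name__ == "__main__":
    print(run_demo())
```

The TTL is deliberately per indicator: something we observed ourselves during an incident is kept far longer than a third-party feed entry, and expiry removes the stale vendor IP before it can generate a false positive on the `ListBuckets` event.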

2. THREAT DETECTION

Updated our detection capabilities to identify cloud threats and established a self-service model for low-level threat alerts

Anomalous Events & Activities
Excessive Privileges
Compromised Account or System
Resource Misuse

3. THREAT RESPONSE

Scaled threat response through automated alerts and actions

Example use case: Any/Any Security Group
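The any/any security group is the classic candidate for automated response: it is unambiguous to detect and safe to undo. The following added example (illustrative code, not Cox Automotive's automation and not from the deck) shows the detection and response pair for that use case: constructed CloudTrail-style `AuthorizeSecurityGroupIngress` events are checked for rules that open every port to the world, and a hit produces an alert naming the actor plus the exact `RevokeSecurityGroupIngress` parameters that remove only the offending rule. The event shape mirrors what CloudTrail records for this API call (assumed here), the group ids, account id and user are made up, and nothing is sent to AWS; the revoke parameters are returned for the automation to apply with `boto3`'s `ec2.revoke_security_group_ingress`.

```python
"""Added example (not Cox Automotive's automation): detection plus automated response for
the any/any security group use case. Events are constructed in CloudTrail's shape; the
revoke call is returned, not executed."""

WORLD = {"0.0.0.0/0", "::/0"}

def _items(block):
    """CloudTrail nests lists as {"items": [...]}; tolerate a missing block."""
    return (block or {}).get("items", [])

def permission_is_any_any(perm):
    """All protocols (-1) or the full port range, reachable from anywhere."""
    all_ports = perm.get("ipProtocol") == "-1" or (
        perm.get("fromPort") == 0 and perm.get("toPort") == 65535)
    cidrs = {r.get("cidrIp") for r in _items(perm.get("ipRanges"))}
    cidrs |= {r.get("cidrIpv6") for r in _items(perm.get("ipv6Ranges"))}
    return all_ports and bool(cidrs & WORLD)

def detect_any_any(event):
    """Return the offending ipPermissions entries of an AuthorizeSecurityGroupIngress event."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = event.get("requestParameters", {})
    return [p for p in _items(params.get("ipPermissions")) if permission_is_any_any(p)]

def build_revoke(event, perms):
    """Parameters for ec2.revoke_security_group_ingress removing only the world-open rules."""
    ip_permissions = []
    for p in perms:
        entry = {"IpProtocol": p.get("ipProtocol")}
        if p.get("ipProtocol") != "-1":
            entry["FromPort"], entry["ToPort"] = p.get("fromPort"), p.get("toPort")
        v4 = [{"CidrIp": r["cidrIp"]} for r in _items(p.get("ipRanges")) if r.get("cidrIp") in WORLD]
        v6 = [{"CidrIpv6": r["cidrIpv6"]} for r in _items(p.get("ipv6Ranges")) if r.get("cidrIpv6") in WORLD]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        ip_permissions.append(entry)
    return {"GroupId": event["requestParameters"]["groupId"], "IpPermissions": ip_permissions}

def respond(event):
    """Playbook step: who did what from where, plus the revoke call; None when nothing to do."""
    perms = detect_any_any(event)
    if not perms:
        return None
    group = event["requestParameters"]["groupId"]
    who = event.get("userIdentity", {}).get("arn", "unknown")
    return {"alert": f"any/any ingress added to {group} by {who} from {event.get('sourceIPAddress')}",
            "revoke": build_revoke(event, perms)}

def _event(group, perms, user="arn:aws:iam::123456789012:user/release-engineer"):
    # Constructed event in the shape CloudTrail records for AuthorizeSecurityGroupIngress.
    return {"eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "192.0.2.10",
            "userIdentity": {"arn": user},
            "requestParameters": {"groupId": group, "ipPermissions": {"items": perms}}}

def _rule(proto, cidr, from_port=None, to_port=None):
    rule = {"ipProtocol": proto, "ipRanges": {"items": [{"cidrIp": cidr}]}, "ipv6Ranges": {"items": []}}
    if from_port is not None:
        rule["fromPort"], rule["toPort"] = from_port, to_port
    return rule

# Constructed inputs: one any/any rule, one full-TCP-range-from-the-world rule next to a
# legitimate internal rule, and two narrower rules (HTTPS from the world, all TCP from an
# internal range) that the automation must leave alone.
EVENT_ANY_ANY = _event("sg-0a1b2c3d4e5f67890", [_rule("-1", "0.0.0.0/0")])
EVENT_ALL_TCP_WORLD = _event("sg-0a1b2c3d4e5f67891", [_rule("tcp", "0.0.0.0/0", 0, 65535),
                                                      _rule("tcp", "10.0.0.0/8", 22, 22)])
EVENT_HTTPS_ONLY = _event("sg-0a1b2c3d4e5f67892", [_rule("tcp", "0.0.0.0/0", 443, 443)])
EVENT_ALL_TCP_INTERNAL = _event("sg-0a1b2c3d4e5f67893", [_rule("tcp", "10.0.0.0/8", 0, 65535)])

if __name__ == "__main__":
    for ev in (EVENT_ANY_ANY, EVENT_ALL_TCP_WORLD, EVENT_HTTPS_ONLY, EVENT_ALL_TCP_INTERNAL):
        print(ev["requestParameters"]["groupId"], respond(ev))
```

Reverting only the world-open CIDR, rather than the whole rule or the whole group, is what makes this safe to run without a human in the loop: the internal SSH rule authorized in the same API call survives. The narrower world-open rule on 443 is left for the self-service, low-level alert path mentioned on the detection slide, since whether it is acceptable depends on the workload.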

(Chart: INCIDENTS BY MONTH; series: Phishing, Crypto mining, Acct Compromise)

OPERATIONALIZE

Create a playbook and runbook for use cases
Build IR investigation dashboards
Create logical process diagrams
Track metrics

KEY TAKEAWAYS

• Fully understand your cloud risks and threats

• Create your own threat intel ecosystem

• Set up accurate and actionable alerting

• Automate response for commodity-based threats

• Build a playbook with your use cases

THANK YOU

Dan Constantino Director, Security Operations

Vulnerability Management: Q&A Panel Discussion

Jason Cathey, CISO, Bank OZK
Dan Constantino, Director, Security Operations, Cox Automotive
Todd Therrien, Interim CISO, City of Phoenix
Moderator: Bob Bragdon, Publisher, CSO
