TRANSCRIPT
Improving Threat Intelligence, Detection, and Response for Cloud Workloads
Dan Constantino
Director, Security Operations
Cox Automotive
Here's the brutal truth:
Threat actors don't break in, they log in or exploit old vulnerabilities/misconfigurations. No exceptions.
Cloud environments can widen the scope of a company's risk.
Business units: FINANCIAL SOLUTIONS, INTERNATIONAL, INVENTORY SOLUTIONS, RETAIL SOLUTIONS, MOBILITY SOLUTIONS
IN THE CLOUD: Corporate Applications (SaaS); Customer-Facing Systems (IaaS/SaaS/PaaS)
CLOUD RISKS
• Overly Permissive Security Groups
• Open S3 Buckets
• Overly Permissive IAM Roles
• Exposed API Keys
• CI/CD Pipeline Misconfigurations (Jenkins)
• Remote Code Execution Vulnerabilities
(Diagram labels: DBA, QA/Release Engineer, PII)
How We Built Our: Threat Intelligence, Detection, and Response for Cloud Workloads
Threat INTELLIGENCE / Threat DETECTION / Threat RESPONSE
1. THREAT INTELLIGENCE: Built a threat intel ecosystem to better understand our threats
• Create your own threat intel
• Integrate on-prem and cloud threat intelligence within a single platform
• Age out/expire threat intel
• Use your IR artifacts/findings
• Automate 2-way integration of threat intel
• Leverage your threat intel to prioritize vulnerability remediation
(Diagram label: TIPs)
2. THREAT DETECTION: Updated our detection capabilities to identify cloud threats and established a self-service model for low-level threat alerts
• Anomalous Events & Activities
• Excessive Privileges
• Compromised Account or System
• Resource Misuse
3. THREAT RESPONSE: Scaled threat response through automated alerts and actions
• Any/Any Security Group
INCIDENTS BY MONTH: Phishing, Crypto mining, Acct Compromise
OPERATIONALIZE
• Create a playbook and runbook for use cases
• Build IR investigation dashboards
• Create logical process diagrams
• Track metrics
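The "Any/Any Security Group" response use case above, as an added example that is not part of Dan Constantino's talk: a check over data shaped like the AWS EC2 DescribeSecurityGroups response (the sample groups and their IDs below are constructed) that flags ingress rules open to every source on every port, the condition an automated alert or action would key on.

```python
"""Flag "any/any" security group ingress rules from DescribeSecurityGroups-shaped data.

Added example, not code from the talk. SAMPLE_GROUPS below is constructed data
with placeholder group IDs, shaped like the AWS EC2 DescribeSecurityGroups response.
"""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def is_any_source(perm):
    """True if the rule's source includes the whole internet (IPv4 or IPv6)."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def is_any_port(perm):
    """True if the rule covers every protocol, or the full TCP/UDP port range."""
    if perm.get("IpProtocol") == "-1":  # "-1" is the EC2 API value for all protocols
        return True
    return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535


def find_any_any(groups):
    """Return (GroupId, IpProtocol) for each ingress rule open to the world on all ports."""
    return [
        (g["GroupId"], perm.get("IpProtocol"))
        for g in groups
        for perm in g.get("IpPermissions", [])
        if is_any_source(perm) and is_any_port(perm)
    ]


# Constructed sample: two groups should be flagged, two should not.
SAMPLE_GROUPS = [
    {"GroupId": "sg-placeholder1", "IpPermissions": [  # all protocols from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-placeholder2", "IpPermissions": [  # HTTPS from anywhere: one port, not any/any
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-placeholder3", "IpPermissions": [  # all TCP ports, but only from internal space
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-placeholder4", "IpPermissions": [  # all TCP ports from any IPv6 source
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for group_id, proto in find_any_any(SAMPLE_GROUPS):
        print(f"ALERT any/any ingress: {group_id} protocol={proto}")
```

Only the first and fourth sample groups are reported; a world-open single port or a full port range limited to internal address space is not an any/any finding and would belong to a different alert.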
KEY TAKEAWAYS
• Fully understand your cloud risks and threats
• Create your own threat intel ecosystem
• Set up accurate and actionable alerting
• Automate response for commodity-based threats
• Build a playbook with your use cases
THANK YOU
Dan Constantino Director, Security Operations
Vulnerability Management: Q&A Panel Discussion
Jason Cathey, CISO, Bank OZK
Dan Constantino, Director, Security Operations, Cox Automotive
Todd Therrien, Interim CISO, City of Phoenix
Moderator: Bob Bragdon, Publisher, CSO