
Making fact based decisions and 4 board decisions (Oct 2019)

  1. @DinisCruz: Making Fact Based Security Decisions and 4x board scenarios. Oct 2019, lightning talk (15m)
  2. This is a story about making Security scale and giving it a seat at the table
  3. It is about interconnecting all data sources and knowledge that we have access to
  4. It is about transforming spreadsheets from sources of pain into sources of massive power
  5. It is about using Data Science and visualisations to create feedback loops
  6. It is about using DevOps practices for Security Operations, Security Data, Security Risks and Security Decisions
  7. It is about Risk Dashboards that make sense to management stakeholders
  8. Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions. Sep 2019, lightning talk (15m)
  9. Serverless stack
  10. CLI (Command Line Interface) to your data
  11. REPL (Read Evaluate Print Loop)
  12. Incident workflow automation: real-world example
  13. Workflow (diagram): Person, Credentials, Application, access conditions, Alert; alert acknowledged in Slack; action updates the status of the alert
  14. Jira as (graph) database
  15. Slack as UI, Jira as database
  16. Create a schema that represents the business
  17. Map reality
  18. Linked Security Policies = fact based Security Decisions
  19. Hyperlinked policies in Jira: policy PDFs do not scale because it is not possible to link real-world data to the respective policy
  20. Convert the policy into a graph
  21. Policies link to Facts, which link to Vulns, which link to Risks
  22. Context-specific Jira projects (for example FACTs)
  23. Connecting Facts with Risks
  24. Connected risk data
  25. Graph projects to outcomes and threats
  26. Threat Models (in a scalable way)
  27. Data-science your data
  28. Risk workflows
  29. Scale using workflows: RISK workflow, VULN workflow
  30. Hyperlinked RISKs (from R1s to R4s, to V1s to V3s)
  31. Global dashboards that actually are FACT based
  32. Board dashboards (delta)
  33. Modern approach to managing security RISKs: https://www.soa.org/globalassets/assets/Files/Research/Projects/research-new-approach.pdf
  34. JIRA schema graphing the real world
  35. Workflow everything
  36. 4x board scenarios
  37. Not preventing incidents: preventing crisis
  38. Not making you secure: making you safe
  39. Creating connected risk dashboards
  40. Making the business case for investing in legacy applications: https://www.slideshare.net/DinisCruz/legacysecdevops-appsec-management-debrief
  41. In conclusion
  42. Thanks
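The Policies → Facts → Vulns → Risks chain from slides 18 to 31, as an added Python example that is not code from the talk or from OSBot: an in-memory model of the Jira issue graph with two queries, which risks have no fact behind them (so any decision about them is not fact based) and which risks a given policy rolls up to. Issue keys, summaries and the R/V ratings are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample Jira issues: key -> (issue type, summary). Issue types follow the
# slides' schema; keys, summaries and the R/V ratings are illustrative only.
ISSUES = {
    "POL-1": ("POLICY", "Credentials rotated every 90 days"),
    "POL-2": ("POLICY", "No direct database access from workstations"),
    "POL-3": ("POLICY", "Legacy applications have an owner"),  # not yet evidenced
    "FACT-1": ("FACT", "Credential inventory exported from IAM"),
    "FACT-2": ("FACT", "Flow logs show workstation-to-database traffic"),
    "VULN-1": ("VULN", "12 service credentials older than 90 days (V2)"),
    "VULN-2": ("VULN", "Workstations can reach the production database (V1)"),
    "RISK-1": ("RISK", "Stolen credential reuse (R2)"),
    "RISK-2": ("RISK", "Data exfiltration via direct database access (R1)"),
    "RISK-3": ("RISK", "Unassessed legacy application risk (R4)"),  # no evidence linked
}
# Constructed "links to" edges following the Policies -> Facts -> Vulns -> Risks chain
LINKS = [
    ("POL-1", "FACT-1"), ("FACT-1", "VULN-1"), ("VULN-1", "RISK-1"),
    ("POL-2", "FACT-2"), ("FACT-2", "VULN-2"), ("VULN-2", "RISK-2"),
]

def build_graph(links):
    """Adjacency maps in both directions, so the chain can be walked either way."""
    out, inc = defaultdict(set), defaultdict(set)
    for src, dst in links:
        out[src].add(dst)
        inc[dst].add(src)
    return out, inc

def reachable(key, adj):
    """Every issue reachable from key by repeatedly following adj links (DFS)."""
    seen, stack = set(), [key]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def risks_without_facts(issues, links):
    """Risks with no FACT anywhere upstream: decisions about them are not fact based."""
    _, inc = build_graph(links)
    return sorted(k for k, (t, _) in issues.items() if t == "RISK"
                  and not any(issues[p][0] == "FACT" for p in reachable(k, inc)))

def policy_risks(policy_key, issues, links):
    """Risks a policy ultimately controls, i.e. what a board-level dashboard rolls up."""
    out, _ = build_graph(links)
    return sorted(k for k in reachable(policy_key, out) if issues[k][0] == "RISK")
```

Running `risks_without_facts(ISSUES, LINKS)` flags RISK-3 as the one risk with no linked evidence, and `policy_risks("POL-3", ISSUES, LINKS)` is empty because that policy is not yet connected to any fact.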
