Welcome - New Orleans | October 22-25 | #TC18… · Get Creative with Connecting to Data • Some...
Welcome
Data-Driven Solutions to Security Challenges
#TC18
Greg Alice
Information Security Engineer
Tableau Operations
Heather Kraus
Information Security Engineer
Tableau Operations
Discussion Points
Data, Measurement, Metrics, and Security
Identifying and Tracking Key Data and Assets
“Big Picture” Access Control
The Art of Managing Phishing
Visualizing Risk
Disclaimer: All data presented here is either example or anonymized data.

Data, Measurement, Metrics, and Security

Choosing Good Metrics
• Look to SLAs
  • Measure expectations of systems and/or service
• Key Indicators
  • Risk
  • Goal
  • Performance
• Start with the basics, then refine and expand
  • Iterate based on needs and new information
• Don’t stop collecting technical measurements!
  • Deepen your understanding of technical tool functionality

Choosing Good Metrics
• Compliance
• Awareness
• Productivity
• Technical Security Architecture
• Security Operational Performance
• Security Cost Efficiency

Get Creative with Connecting to Data
• Some data sources can be uncooperative
  • Limited capability to provide access to the data
  • No export functions
  • Reports only available as formatted content (Word, Excel, etc.) that is not easily parsed
  • No API
  • Inability to add fields needed to facilitate meaningful analysis
• Lots of data exists – challenge is connecting to the data in a meaningful way
• One solution is to create a taxonomy for an existing field
  • Also create queries to see if your taxonomy is working
• Use calculations to parse out meaningful data
Information Security User Tickets
Security Questionnaire Dashboard
Security Questions
What are our top risks?
How many phishing emails are reported each day? How often do people click through?
How often are our users logging in? From where?
Has access been deactivated for all terminated users?

What is My Risk of Data Loss?
<erno> hm. I’ve lost a machine.. literally _lost_, it responds to ping, it works completely, I just can’t figure out where in my apartment it is.
I have an urgent request for gift cards. please reply back soonest.
Superstore CEO

Employee Acknowledgement

Identifying and Tracking Key Data and Assets

Finding Data and Assigning Value
• The power of robots and people
• How much is any one asset worth to you?
  • Remember tangible and intangible assets
  • Total cost of replacement
  • Impact of 100% loss

Visualizing Data Locations
Scoping
Reporting

“Big Picture” Access Control
Proper Access Control is Hard
• Core concepts: Separation of Duties and Least Privilege
• May not have enough people to effectively perform separation of duties
• It’s often easier to give more access than is required

Role-Based Access
• As much a business process as a technical one:
  • Defining job description in terms of required access
  • Verifying personnel during hiring
  • Manager verification of required access change after hiring
• How does one define a role?
  • Job Duty or Title
  • Manager’s Reports
  • Company Internal
  • Home Department
  • Building
  • Location

Pre-Defined Access Control Lists
Group/Application
Group 1 | No Access | Read Only | No Access | Read/Write
Group 2 | No Access | Read/Write | Read Only | Read/Write
Group 3 | No Access | Read/Write | Read Only | Read/Write
Group 4 | Read/Write | Read/Write | Read Only | Read/Write
Group 5 | Read Only | Audit | Audit | Read/Write
Group 6 | Audit | Read/Write | Read/Write | Read/Write

Calculated Baseline Field
Spotting Abnormalities
Create a Security Baseline with Tableau
1. Take a snapshot of expected values and place into a text file
2. Join live data to snapshot
3. Create a True/False calculated field for each value (field) you wish to monitor
4. Aggregate checks together in another calculated field to watch more than one value
5. Add calculated match field or aggregated calculation into criteria
If [Field1 Current Value] = [Field1 Baseline Value] Then True
Else False
End

If Field1Match AND Field2Match Then…
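
The five steps above, applied to the pre-defined access control list, sketched outside Tableau as an added Python example (not code from the talk). The column names app_a to app_d and all account rows are constructed assumptions; the group rows reuse values from the ACL slide. It keeps live rows that have no baseline entry and flags them, which an inner join would drop.

```python
import csv
import io

# Constructed snapshot (step 1): expected access per group, using rows from the
# slide's ACL table. The column names app_a..app_d are placeholders; the slide
# does not name the applications.
BASELINE_TXT = """group,app_a,app_b,app_c,app_d
Group 1,No Access,Read Only,No Access,Read/Write
Group 4,Read/Write,Read/Write,Read Only,Read/Write
Group 5,Read Only,Audit,Audit,Read/Write
"""

# Constructed "live" export: what each account can actually do today.
LIVE_TXT = """user,group,app_a,app_b,app_c,app_d
alice,Group 1,No Access,Read Only,No Access,Read/Write
bob,Group 1,Read/Write,Read Only,No Access,Read/Write
carol,Group 5,Read Only,Audit,Read/Write,Read/Write
dave,Group 9,Read Only,Read Only,Read Only,Read Only
"""

MONITORED = ["app_a", "app_b", "app_c", "app_d"]


def load(text):
    """Parse CSV text into a list of dicts, trimming stray whitespace."""
    return [{k.strip(): v.strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def check_against_baseline(live_rows, baseline_rows, fields=MONITORED):
    """Left-join live rows to the snapshot on group (step 2) and compare.

    Each result carries:
      matches   - {field: True/False}, the per-field check (step 3)
      all_match - AND of every per-field check (step 4)
      drift     - {field: (current, baseline)} for fields that differ
    A live row with no baseline entry is kept and reported as failing.
    """
    baseline = {row["group"]: row for row in baseline_rows}
    results = []
    for row in live_rows:
        expected = baseline.get(row["group"])
        if expected is None:
            results.append({"user": row["user"], "group": row["group"],
                            "in_baseline": False, "matches": {},
                            "all_match": False, "drift": {}})
            continue
        matches = {f: row[f] == expected[f] for f in fields}
        drift = {f: (row[f], expected[f]) for f in fields if not matches[f]}
        results.append({"user": row["user"], "group": row["group"],
                        "in_baseline": True, "matches": matches,
                        "all_match": all(matches.values()), "drift": drift})
    return results


def exceptions(results):
    """Step 5: keep only the rows a reviewer needs to look at."""
    return [r for r in results if not r["all_match"]]


if __name__ == "__main__":
    checked = check_against_baseline(load(LIVE_TXT), load(BASELINE_TXT))
    for r in exceptions(checked):
        reason = r["drift"] if r["in_baseline"] else "no baseline for group"
        print(f'{r["user"]:6} {r["group"]:8} {reason}')
```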

Calculated Baseline Field
Physical and Logical Access

The Art of Managing Phishing

Phishing Risk
• Phishing is still 98% of all social engineering incidents, with email being the most common vector at 96%
• Only 22% of people clicked on a phish!
• 4% of people will click on any given phishing campaign
• Only 17% of campaigns were reported
• Phishing is still used as an opening attack volley
  • Malware installation and ultimately data exfiltration follow a successful phish
• Timing is everything
  • Time until first click: 16 minutes
  • Most clicks: within 90 minutes
  • First report: 28 minutes
  • Half of reports: 33 minutes
Source: Verizon DBIR 2018

Phishing Campaigns and Actors
• Actors can launch multiple campaigns over time
• Campaigns aren’t limited to a single organization
• Threat intelligence is critical
  • Open Source Intelligence is a powerful tool
  • What campaigns and actors are affecting similar organizations?
  • What campaigns and actors have affected YOU in the past?

Finding Phish Patterns
• Sender and Subject
• Email headers
• Body of message

Tracking Actors and Methods
C-Suite Fraud

Your Targets?
• Common types of targets:
  • 4% that will click anything
  • Addresses that scammers think are part of that 4%
  • Well-known group email lists or mailboxes
  • Public email addresses
• Awareness: Train users to report!
  • Goal: Increase reporting percentage and decrease click percentage
  • Constant reinforcement is key
• Testing: Conduct phishing tests to identify your organizational 4%
  • Once identified, specialized awareness material can be crafted …
  • … Or at least additional monitoring
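
An added Python example (not from the presentation) of the measurements the awareness and testing bullets call for: per-campaign click and report percentages, minutes to first click and first report, and accounts that click in more than one test. Campaign names, users and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed phishing-test data: launch time and recipient list per campaign.
CAMPAIGNS = {
    "test-01": {"launched": "2018-02-01 09:00",
                "recipients": ["alice", "bob", "carol", "dave", "erin"]},
    "test-02": {"launched": "2018-05-01 13:00",
                "recipients": ["alice", "bob", "carol", "dave", "erin"]},
}
# Constructed events: (campaign, user, action, timestamp).
EVENTS = [
    ("test-01", "bob",   "click",  "2018-02-01 09:16"),
    ("test-01", "bob",   "click",  "2018-02-01 09:20"),  # second click, same user
    ("test-01", "carol", "report", "2018-02-01 09:28"),
    ("test-01", "dave",  "click",  "2018-02-01 09:40"),
    ("test-02", "bob",   "click",  "2018-05-01 13:05"),
    ("test-02", "alice", "report", "2018-05-01 13:10"),
    ("test-02", "carol", "report", "2018-05-01 13:12"),
    ("test-02", "erin",  "report", "2018-05-01 13:30"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def campaign_metrics(campaigns, events):
    """Per campaign: click %, report %, minutes to first click / first report.

    Users are counted once per action however often they repeat it, and events
    from addresses outside the recipient list are ignored.
    """
    out = {}
    for name, info in campaigns.items():
        launched, recipients = _ts(info["launched"]), set(info["recipients"])
        first = {"click": {}, "report": {}}  # action -> user -> earliest time
        for camp, user, action, when in events:
            if camp == name and user in recipients and action in first:
                t = _ts(when)
                first[action][user] = min(t, first[action].get(user, t))
        row = {}
        for action in first:
            times = list(first[action].values())
            row[action + "_pct"] = (round(100 * len(times) / len(recipients), 1)
                                    if recipients else 0.0)
            row["min_to_first_" + action] = (
                int((min(times) - launched).total_seconds() // 60)
                if times else None)
        out[name] = row
    return out


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` different campaigns."""
    clicked = defaultdict(set)
    for camp, user, action, _ in events:
        if action == "click":
            clicked[user].add(camp)
    return {u: sorted(c) for u, c in clicked.items() if len(c) >= min_campaigns}


if __name__ == "__main__":
    for name, row in campaign_metrics(CAMPAIGNS, EVENTS).items():
        print(name, row)
    print("repeat clickers:", repeat_clickers(EVENTS))
```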

Finding the Repeat Offenders

Visualizing Risk

What is Risk?
• Simply: Risk = Probability of a bad event occurring × Amount of loss incurred from the event
• Important to document inputs and reasoning behind how those values are decided
• Balance result with organization risk tolerance

Managing Risk
• Identify
• Assess
• Monitoring
• Mitigation
• Reporting

Rank, Rack & Stack, Prioritize Risk
Risk Visualization
Visualizing Risk
What’s My Risk of Data Loss?
• What kind of data do I have?
• Do I know where my data is?
• Have I labeled my data?
• Are employees aware of how to handle data?
• Who has access to the data?
• Are employees who have access to that data likely to be phished?

RELATED SESSIONS
Security Meetup
Wed | 1:45 – 2:45 | MCCNO – L1 – Hall B2-1
Tableau Server Security in Depth
Thurs | 2:15 – 3:15 | MCCNO – L3 – 351

SESSION REPEATS
IT @ Tableau | Data-Driven Solutions to Security Challenges
Tues | 10:45 – 11:45 | MCCNO – L2 - 263
IT @ Tableau | Data-Driven Solutions to Security Challenges
Wed | 10:45 – 11:45 | MCCNO – L2 - 263