Today, at the very end of 2019, I want to write about the event I attended in April. Sorry for the delay . This doesn't mean that CISO Forum 2019 was not Interesting or I had nothing to share. Not at all! In fact, it was the most inspiring event of the year, and I wanted to make a truly monumental report about it. And I began to write it, but, as it usually happens, more urgent tasks and topics appeared, so the work eventually stopped until now.
At CISO Forum 2019 I participated in two panel discussions. The first one was about Offensive Security and Red Teams in particular.
Honestly, Offensive Security is not my topic at all. I work on the Defensive side. But in fact, the discussion became very interesting. There were the colleagues who work on security within organizations:
And the guys from security consulting and system integration:
The discussion was moderated by Dmitry Gadar, CISO of Tinkoff.
We started our conversation with the question: does pentest make any practical sense? For the most part, we agreed that pentest makes sense if the organization already has some implemented security processes that should be verified (or it will be just a formality). Pentest can be used for begging money from the business. But this means that communication between security and business is broken. The business is also used to such fear selling, so such methods don't work well anymore.
Pentests/Red Teaming usually begin with a Vulnerability Scan, so I had the opportunity to share my opinion on how to do it right. I started by mentioning the presentation of colleagues from Informzaschita. They talked about "shades of Red Teaming" just before the discussion. Red Teaming can be hardcore and practical ("burgundy") or you can give the attackers more additional data about the infrastructure ("pink"). And here was my point: the VM process should provide all neccesery information for the Red Team.
Then I talked about my attitude towards the Breach and Attack simulation solutions. I'm still skeptical. If they really attack and get an access to the systems - that's great. If they only show a “theoretical” possibility of exploitation, it is not very interesting.
I believe that in the ideal case, when we can automatically fix any vulnerability in our infrastructure or say for sure that's it's not exploitable, we could live with Vulnerability Management only. To say the truth, all attempts to optimize the installation of security updates ("patch this, it's critical; don't patch this - it's not"), including the latest Predictive Prioritization concept, seem quite weak and awkward if you keep in mind how little we know about all existing vulnerabilities. I REALLY want to see the universal fully automated remediation and Patch Management as well, but I DON'T think we are close to that and what we have on the VM market has many compromises. So, until we have much better Vulnerability Prioritization and Vulnerability Remediation, additional verification work is required. It can be done inside Vulnerability Management team, but it would be much better to perform it as part of the Red / Pink Team activities.
And of course, do not forget about alternative measures when normal remediation is impossible. Another big topic: vulnerability remediation requires a lot of communication with IT and it that can be rough (here are some more links to my telegram channel):
The second Panel Discussion I participated in was about building InfoSec career abroad. I was the only one in this panel among 10 other people who didn't work abroad even a day of my life. I was there because of my interest in the topic and my vacancy monitoring project. And I certainly had some experience in job interviews, got some job offers, just didn't accept them.
I gave a short presentation about my view on this topic:
These additional benefits were discussed by colleagues in the hall and by teleconference. I will not mention all this, the moderator of the discussion Andrey Prozorov put it all together in his blog (in Russian): part1, part2. part3. part4.
It was an excellent conference. I really liked it and I am going to participate in 2020 as well.