anton-karpov
Obligatory Introduction
I am CISO at Yandex
I have worked in the security industry since the beginning of the century
I started my career working for vendors
(Deliberately) False Assumptions Vendors Make
Your infrastructure consists entirely of new hardware and software
You do not have existing processes in place
Their product is the only solution you will be using
Every Product Brings to You…
Yet another review board
Yet another task tracker and reporting system
Yet another management panel
What I Need is…
Rich API
Easy integration with my current tools
Transparent deployment without modification of my current workflows
Speed and Flexibility
“Yes we plan to address issues you reported. In Q4 2017”
— Former vendor at Yandex
“So you want custom integration with your task tracker? Sure thing. 6 months of work, $300k of money”
— Abortive vendor at Yandex
Your machines are already compromised
Do not play these "hide-and-seek" games on a host
Invest in network traffic monitoring and profiling
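One concrete form of the traffic profiling the slides argue for, as an added example that is not part of the original deck: group outbound connections by (source, destination, port) and flag pairs whose inter-connection intervals are nearly constant, the timing signature of a periodic callback that a compromised host may hide from local tooling. The record layout, thresholds and sample flows are assumptions; the flows are constructed, not captured traffic.

```python
"""Beacon detector over connection records (added example, not from the slides).

Profile outbound connections per (src, dst, port) and report pairs whose
inter-connection gaps are almost identical. Field layout, thresholds and the
sample flows below are assumptions made for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
# 10.0.0.5 calls 203.0.113.7:443 about every 60 s with small jitter (beacon).
# 10.0.0.8 talks to 198.51.100.3:443 at irregular times (ordinary use).
# 10.0.0.9 is regular but has too few flows to judge.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 443, 512),
    (61, "10.0.0.5", "203.0.113.7", 443, 512),
    (119, "10.0.0.5", "203.0.113.7", 443, 520),
    (180, "10.0.0.5", "203.0.113.7", 443, 512),
    (241, "10.0.0.5", "203.0.113.7", 443, 512),
    (299, "10.0.0.5", "203.0.113.7", 443, 518),
    (360, "10.0.0.5", "203.0.113.7", 443, 512),
    (420, "10.0.0.5", "203.0.113.7", 443, 512),
    (5, "10.0.0.8", "198.51.100.3", 443, 1400),
    (9, "10.0.0.8", "198.51.100.3", 443, 22000),
    (40, "10.0.0.8", "198.51.100.3", 443, 800),
    (200, "10.0.0.8", "198.51.100.3", 443, 3100),
    (210, "10.0.0.8", "198.51.100.3", 443, 950),
    (900, "10.0.0.8", "198.51.100.3", 443, 41000),
    (1300, "10.0.0.8", "198.51.100.3", 443, 600),
    (0, "10.0.0.9", "192.0.2.4", 80, 300),
    (60, "10.0.0.9", "192.0.2.4", 80, 300),
    (120, "10.0.0.9", "192.0.2.4", 80, 300),
]


def group_flows(flows):
    """Bucket flows by (src, dst, port); each bucket holds (timestamp, bytes)."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((ts, nbytes))
    return groups


def interval_profile(timestamps):
    """Return (mean gap, coefficient of variation) of the inter-connection gaps.

    A CV near 0 means the gaps are almost identical, i.e. a fixed schedule;
    human-driven traffic usually shows a CV well above 1.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, float("inf")
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m > 0 else float("inf"))


def find_beacons(flows, min_flows=6, max_cv=0.15):
    """Return summaries of pairs whose timing regularity is at or below max_cv."""
    hits = []
    for (src, dst, port), recs in group_flows(flows).items():
        if len(recs) < min_flows:  # too few samples to call anything regular
            continue
        period, cv = interval_profile([t for t, _ in recs])
        sizes = [n for _, n in recs]
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "port": port,
                "flows": len(recs),
                "period_s": round(period, 2),
                "cv": round(cv, 3),
                # payload size stability is a useful secondary signal
                "bytes_mean": round(mean(sizes), 1),
                "bytes_stdev": round(pstdev(sizes), 1),
            })
    hits.sort(key=lambda h: h["cv"])
    return hits


if __name__ == "__main__":
    for h in find_beacons(FLOWS):
        print(f"{h['src']} -> {h['dst']}:{h['port']} every ~{h['period_s']}s "
              f"(cv={h['cv']}, {h['flows']} flows, ~{h['bytes_mean']} bytes)")
```

The thresholds are starting points, not tuned values: fixed-interval jobs such as NTP, package mirrors and monitoring agents are also perfectly regular, so a real deployment pairs this with an allow-list of known schedulers and with destination reputation before raising an alert.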
Scanning for vulnerabilities is cheap or even free. Vendors make their money by selling appliances and smart control centers
Get yourself a very basic VA scanner
Prioritize vulnerabilities
Build remediation processes
… Then look further
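What "get a basic scanner, prioritize, build remediation processes" and "easy integration with my current tools" look like in code, as an added example that is not part of the original deck: take findings in the shape a simple VA scanner exports, rank them with an exposure-aware score, and turn them into task-tracker payloads with an SLA. The finding fields, asset tiers, weights, thresholds and tracker schema are assumptions; the findings are constructed, not real scan results.

```python
"""Scan -> prioritize -> ticket pipeline (added example, not from the slides).

Findings, asset tiers, weights and the tracker payload layout are assumptions
made for illustration; the sample findings are constructed, not real results.
"""
from collections import defaultdict

# Constructed scanner findings. A second scan re-reports build-3/finding-2.
FINDINGS = [
    {"host": "web-1", "id": "finding-1", "title": "Outdated TLS library",
     "cvss": 9.8, "internet_facing": True, "exploited_in_wild": True, "owner": "web-team"},
    {"host": "web-2", "id": "finding-1", "title": "Outdated TLS library",
     "cvss": 9.8, "internet_facing": True, "exploited_in_wild": True, "owner": "web-team"},
    {"host": "build-3", "id": "finding-2", "title": "Weak SSH ciphers enabled",
     "cvss": 5.3, "internet_facing": False, "exploited_in_wild": False, "owner": "infra"},
    {"host": "lab-9", "id": "finding-3", "title": "Default admin credentials",
     "cvss": 9.8, "internet_facing": False, "exploited_in_wild": False, "owner": "lab"},
    {"host": "build-3", "id": "finding-2", "title": "Weak SSH ciphers enabled",
     "cvss": 5.3, "internet_facing": False, "exploited_in_wild": False, "owner": "infra"},
]

# Assumed asset inventory: how much a given host matters to the business.
ASSET_TIER = {"web-1": "crown-jewel", "build-3": "standard", "lab-9": "lab"}
TIER_WEIGHT = {"crown-jewel": 1.0, "standard": 0.7, "lab": 0.3}
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def score(f):
    """Exposure-aware score: CVSS scaled by reachability, exploitation and asset tier."""
    s = f["cvss"] / 10.0
    if f.get("internet_facing"):
        s *= 1.5
    if f.get("exploited_in_wild"):
        s *= 2.0
    s *= TIER_WEIGHT[ASSET_TIER.get(f["host"], "standard")]
    return round(s, 2)


def priority_for(s):
    return "P1" if s >= 2.0 else "P2" if s >= 1.0 else "P3"


def prioritize(findings):
    """Deduplicate repeated (host, finding) pairs across scans, then rank by score."""
    merged = {}
    for f in findings:
        key = (f["host"], f["id"])
        if key not in merged or f["cvss"] > merged[key]["cvss"]:
            merged[key] = f
    ranked = [{**f, "score": score(f), "priority": priority_for(score(f))}
              for f in merged.values()]
    ranked.sort(key=lambda f: f["score"], reverse=True)
    return ranked


def build_tickets(ranked):
    """One ticket per (owner, finding) listing every affected host, with an SLA."""
    groups = defaultdict(list)
    for f in ranked:
        groups[(f["owner"], f["id"])].append(f)
    tickets = []
    for (owner, fid), items in groups.items():
        top = max(items, key=lambda f: f["score"])
        tickets.append({
            "queue": owner,                      # assumed tracker field names
            "summary": f"[{top['priority']}] {top['title']} on {len(items)} host(s)",
            "priority": top["priority"],
            "sla_days": SLA_DAYS[top["priority"]],
            "hosts": sorted(f["host"] for f in items),
            "finding_id": fid,
        })
    tickets.sort(key=lambda t: t["priority"])
    return tickets


if __name__ == "__main__":
    for t in build_tickets(prioritize(FINDINGS)):
        print(t["queue"], t["summary"], f"SLA {t['sla_days']}d", t["hosts"])
```

The point of the asset-tier weight is the one the slides make about remediation processes: a critical-severity finding on a lab box lands in the P3 queue while a lower-severity one on an internet-facing crown jewel does not, so the team fixes what matters first instead of working the scanner's report top to bottom. Posting the payloads to a real tracker is one HTTP call per ticket; that call, and the closing of tickets on the next clean scan, is the "rich API" the deck asks vendors for.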
We want to know what vulnerabilities our product has? Let's pentest!
We want to check how secure our network is? Let's pentest it!
We have acquired a new company? Let's pentest it!
We want to place some controls in our policies? Let it be a pentest!
A penetration tester at a vendor might not be motivated: they are on a payroll
Bounty hunters are motivated: more bugs means more money for them
Bug bounty implies extra operational work, but there are vendors who can help with this
As a security industry, we have already failed to protect our users
Bad guys will eventually win
Do not give up!