1000 Vendors and 1 CISO

Anton Karpov

Obligatory Introduction

I am CISO at Yandex

I have worked in the security industry since the beginning of the century

I started my career working for vendors

Every Big Company is Attractive to Vendors

At a Glance

(Deliberately) False Assumptions vendors make about you

Your infrastructure consists entirely of new hardware and software

You do not have existing processes in place

Their product is the only solution you will be using

3 Stages of InfoSec Maturity

Stage 1. Fire fighting


Stage 2. The “Let’s Buy a Tool” Solution

Stage 3. Defined Repeatable Processes

Most Companies Stay on Stage 2

(Deliberately) False Assumptions vendors make about you, again

Your infrastructure consists entirely of new hardware and software

You do not have existing processes in place

Their product is the only solution you will be using

Every Product Brings to You…

Yet another review board

Yet another task tracker and reporting system

Yet another management panel

You Do Not Need 80% of Features

What I Need is…

Rich API

Easy integration with my current tools

Transparent deployment without modification of my current workflows

Speed and Flexibility

“Yes we plan to address issues you reported. In Q4 2017”

— Former vendor at Yandex

“So you want custom integration with your task tracker? Sure thing. 6 months of work, $300k of money”

— Abortive vendor at Yandex

Antivirus and Anti-APT

“This is our new advanced anti-APT application firewall”

Assume your machines are already compromised

Do not play these “hide-and-seek” games with the attacker on the host

Invest in network traffic monitoring and profiling instead: a host-level agent can be blinded by the intruder, the network cannot
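The kind of network profiling the slide recommends, as an added example that is not part of the deck: build a per-host baseline of destinations from one window of flow records, then flag two things in a later window, destinations a host has never talked to before, and connections whose inter-arrival times are too regular to be a human, the classic C2 beacon shape. The flow records are constructed inline (RFC 5737 documentation addresses, not captured traffic), and the thresholds are assumptions to tune per environment.

```python
"""Network traffic profiling over flow records: new destinations and beaconing.

Works on any flow source (NetFlow/IPFIX export, Zeek conn.log, firewall logs)
once the records are reduced to (timestamp, src, dst, dport, bytes).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (not captured traffic): (epoch seconds, src, dst, dport, bytes).
# Baseline window: 10.0.0.5 and 10.0.0.6 talk to an HTTPS proxy and an internal DNS server.
BASELINE_FLOWS = [
    (100, "10.0.0.5", "192.0.2.10", 443, 3000),
    (131, "10.0.0.5", "10.0.0.53", 53, 80),
    (190, "10.0.0.5", "192.0.2.10", 443, 5000),
    (400, "10.0.0.6", "192.0.2.10", 443, 1200),
    (402, "10.0.0.6", "10.0.0.53", 53, 80),
]

# Later window: normal browsing and DNS from 10.0.0.5, plus a strict 60-second
# beacon from 10.0.0.5 to an unknown host and a one-off SSH session from 10.0.0.6.
_browsing = [(t, "10.0.0.5", "192.0.2.10", 443, 4096) for t in (1003, 1010, 1043, 1058, 1133, 1134)]
_dns = [(t, "10.0.0.5", "10.0.0.53", 53, 80) for t in (1001, 1009, 1042)]
_beacon = [(1000 + 60 * i, "10.0.0.5", "203.0.113.7", 443, 512) for i in range(6)]
_ssh = [(1200, "10.0.0.6", "198.51.100.9", 22, 2048)]
NEW_FLOWS = sorted(_browsing + _dns + _beacon + _ssh)


def build_profile(flows):
    """Map each source host to the set of (dst, dport) pairs it was seen talking to."""
    profile = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        profile[src].add((dst, dport))
    return profile


def find_new_destinations(profile, flows):
    """Return (src, dst, dport) triples not present in the baseline, first sighting only."""
    reported = set()
    out = []
    for _, src, dst, dport, _ in flows:
        key = (src, dst, dport)
        if (dst, dport) not in profile.get(src, set()) and key not in reported:
            reported.add(key)
            out.append(key)
    return out


def find_beacons(flows, min_count=5, max_cv=0.1):
    """Flag (src, dst, dport) flows whose inter-arrival times are nearly constant.

    Regularity is measured as the coefficient of variation (stddev / mean) of the
    gaps between consecutive connections; humans produce bursty traffic with a CV
    well above 1, a sleep(60) implant produces a CV near 0. min_count and max_cv
    are assumed starting points, not tuned values.
    """
    by_key = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_key[(src, dst, dport)].append(ts)

    beacons = []
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = float(mean(gaps))
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons.append((key, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    profile = build_profile(BASELINE_FLOWS)
    for src, dst, dport in find_new_destinations(profile, NEW_FLOWS):
        print(f"NEW DESTINATION  {src} -> {dst}:{dport}")
    for (src, dst, dport), period in find_beacons(NEW_FLOWS):
        print(f"BEACON           {src} -> {dst}:{dport} every {period}s")
```

The beacon to 203.0.113.7 trips both checks, which is the point: the first-contact rule catches it on the first connection, the periodicity rule keeps catching it even after the destination has been in the baseline long enough to look "known". Jittered implants raise the CV, so in practice you lower max_cv only after measuring what your legitimate periodic traffic (NTP, update checks, monitoring agents) looks like and whitelisting it explicitly.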

SIEM

“Let’s collect everything into one big backend database storage and try to deal with it”

Standardize first, then collect only relevant and reduced data: normalize every source into one schema before it reaches the backend, and aggregate or drop what no detection will ever read
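What "standardize, then reduce" looks like in code, as an added example that is not from the deck: two unrelated sources (sshd syslog lines and key=value renderings of Windows logon events 4624/4625) are parsed into one authentication schema, lines with no detection value are dropped at the edge, and repeated identical events are collapsed into a single record with a count before anything is stored. The log lines are constructed for the example; the schema and the drop rules are assumptions, not a standard.

```python
"""Normalize heterogeneous auth logs into one schema, then reduce before storage."""
import re
from collections import OrderedDict

# Constructed sample lines (not real logs): sshd syslog from a Linux bastion and
# key=value renderings of Windows logon events from a domain controller.
RAW_LOGS = [
    "Mar  3 10:00:01 bastion sshd[1021]: Failed password for invalid user admin from 198.51.100.23 port 4422 ssh2",
    "Mar  3 10:00:02 bastion sshd[1021]: Failed password for invalid user admin from 198.51.100.23 port 4423 ssh2",
    "Mar  3 10:00:02 bastion CRON[1100]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar  3 10:00:03 bastion sshd[1021]: Failed password for invalid user admin from 198.51.100.23 port 4424 ssh2",
    "Mar  3 10:00:09 bastion sshd[1030]: Accepted publickey for deploy from 10.0.0.9 port 51000 ssh2",
    "2017-03-03T10:00:05Z dc01 EventID=4625 TargetUserName=admin IpAddress=198.51.100.23 LogonType=3",
    "2017-03-03T10:00:06Z dc01 EventID=4624 TargetUserName=svc_backup IpAddress=10.0.0.20 LogonType=3",
    "2017-03-03T10:00:07Z dc01 EventID=4625 TargetUserName=admin IpAddress=198.51.100.23 LogonType=3",
]

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+)"
)


def normalize(line):
    """Map one raw line onto the common auth schema, or return None to drop it.

    Windows 4624 is a successful logon and 4625 a failed one; every other event
    ID and every non-auth syslog line (cron sessions here) is discarded at the edge.
    """
    m = SSHD_RE.match(line)
    if m:
        outcome = "failure" if m["result"].startswith("Failed") else "success"
        return {"source": "sshd", "host": m["host"], "user": m["user"],
                "src_ip": m["ip"], "outcome": outcome}
    m = WIN_RE.match(line)
    if m and m["eid"] in ("4624", "4625"):
        outcome = "failure" if m["eid"] == "4625" else "success"
        return {"source": "windows", "host": m["host"], "user": m["user"],
                "src_ip": m["ip"], "outcome": outcome}
    return None


def reduce_events(events):
    """Collapse identical (host, user, src_ip, outcome) events into one record with a count.

    Order of first appearance is preserved so the reduced stream still reads as a timeline.
    """
    buckets = OrderedDict()
    for e in events:
        key = (e["host"], e["user"], e["src_ip"], e["outcome"])
        if key not in buckets:
            buckets[key] = dict(e, count=0)
        buckets[key]["count"] += 1
    return list(buckets.values())


def pipeline(lines):
    """Standardize, drop, then reduce: what should run before data reaches the SIEM backend."""
    return reduce_events(e for e in map(normalize, lines) if e is not None)


def failures_by_source_ip(reduced):
    """Cross-source view the schema buys you: failed logons per attacking IP, any platform."""
    totals = {}
    for r in reduced:
        if r["outcome"] == "failure":
            totals[r["src_ip"]] = totals.get(r["src_ip"], 0) + r["count"]
    return totals


if __name__ == "__main__":
    reduced = pipeline(RAW_LOGS)
    print(f"{len(RAW_LOGS)} raw lines -> {len(reduced)} stored records")
    print("failures by source:", failures_by_source_ip(reduced))
```

Eight raw lines become four stored records, and the one question worth asking (which source is failing logons across both the bastion and the domain controller) is a dictionary lookup instead of a join across two vendor-specific field names. The count field is what keeps the reduction honest: volume is preserved as a number even though the duplicate rows are gone.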

Vulnerability Assessment

Scanning for vulnerabilities is cheap or even free. Vendors make their money by selling appliances and “smart” control centers on top of the scan

You Do Not Need 80% of Features

Get yourself a very basic VA scanner

Prioritize vulnerabilities by what actually matters to you (exposure, exploitability, asset criticality), not by raw scanner severity

Build remediation processes with owners and deadlines

… Then, and only then, look at what else the vendor is selling
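The "prioritize, then build a remediation process" step, as an added example that is not part of the deck: raw scanner findings are re-scored with the context only you have (public exploit, Internet exposure, asset criticality), bucketed into priorities, and turned into a queue with a due date per finding so that "remediation process" means something you can measure. The findings, the weights, the priority cut-offs and the SLA table are constructed assumptions for the example; replace them with your own.

```python
"""Turn basic scanner output into a prioritized remediation queue with SLAs."""
from datetime import date, timedelta

# Constructed findings (hypothetical ids, no real CVEs): what a basic scanner
# gives you (cvss) plus the context it cannot know (exploit, exposure, asset).
FINDINGS = [
    {"id": "F-1", "host": "web01", "cvss": 9.8, "exploit_public": True,  "internet_exposed": True,  "asset_criticality": "high", "first_seen": "2017-02-01"},
    {"id": "F-2", "host": "db01",  "cvss": 7.5, "exploit_public": True,  "internet_exposed": True,  "asset_criticality": "high", "first_seen": "2017-02-20"},
    {"id": "F-3", "host": "dev03", "cvss": 9.8, "exploit_public": False, "internet_exposed": False, "asset_criticality": "low",  "first_seen": "2017-02-25"},
    {"id": "F-4", "host": "print01", "cvss": 5.3, "exploit_public": False, "internet_exposed": False, "asset_criticality": "low", "first_seen": "2017-02-10"},
]

# Assumed remediation SLAs in days per priority bucket.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}
CRITICALITY_BONUS = {"high": 1.5, "medium": 0.5, "low": 0.0}
TODAY = "2017-03-01"  # fixed "today" so the example is reproducible


def risk_score(f):
    """Scanner CVSS plus assumed context weights: exploit +2, exposure +2, asset up to +1.5."""
    score = f["cvss"]
    if f["exploit_public"]:
        score += 2.0
    if f["internet_exposed"]:
        score += 2.0
    return score + CRITICALITY_BONUS[f["asset_criticality"]]


def priority(f):
    """Bucket a finding into P1..P4 from its contextual risk score (cut-offs are assumptions)."""
    score = risk_score(f)
    if score >= 11.0:
        return "P1"
    if score >= 8.5:
        return "P2"
    if score >= 6.0:
        return "P3"
    return "P4"


def build_queue(findings, today):
    """Return findings ordered by priority then due date, each with its SLA deadline and overdue flag."""
    today_d = date.fromisoformat(today)
    queue = []
    for f in findings:
        p = priority(f)
        due = date.fromisoformat(f["first_seen"]) + timedelta(days=SLA_DAYS[p])
        queue.append(dict(f, priority=p, due=due.isoformat(), overdue=due < today_d))
    queue.sort(key=lambda r: (r["priority"], r["due"]))
    return queue


def cvss_only_order(findings):
    """What the scanner's own severity column would tell you to fix first."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["cvss"])]


if __name__ == "__main__":
    print("scanner order:", cvss_only_order(FINDINGS))
    for r in build_queue(FINDINGS, TODAY):
        flag = "OVERDUE" if r["overdue"] else ""
        print(f'{r["priority"]} {r["id"]} {r["host"]:8} cvss={r["cvss"]} due={r["due"]} {flag}')
```

The CVSS-only column ranks F-3 (a 9.8 on an isolated dev box with no public exploit) ahead of F-2 (a 7.5 on an exposed, exploitable production database). The contextual queue reverses that, and attaching a due date to each bucket gives the remediation process an "overdue" list, which is the one report management actually needs from a vulnerability program.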

Penetration Tests

We want to know what vulnerabilities our product has? Let’s pentest!

We want to check how secure our network is? Let’s pentest it!

We have acquired a new company? Let’s pentest it!

We want to put some controls into our policies? Let it be a pentest!

90% of Pentests Are a Waste of Money

Plan → Do → Check → Act (the PDCA cycle)

A pentest belongs at one point of this cycle only: the Check step, after controls have been planned and implemented and there is something to verify

Desperately want a penetration test? Run a Bug Bounty then

A penetration tester at a vendor may not be motivated: they are on a payroll whether or not they find anything

Bounty hunters are motivated: more bugs mean more money for them

Bug Bounty implies extra operational work, but there are vendors who can help with this

Summary

As a security industry, we have already failed to protect our users

Bad guys will eventually win

Do not give up!

Thank you!