“We’ve been looking at security the wrong way […] Fortress Mentality insists that building tall electronic walls is how to keep the bad guys out. That method hasn’t worked for 5000 years of warfare, so why should it work for computer security? It can’t and it doesn’t.” — Winn Schwartau.

As much as I love to put my red hat on, as I always explain to my SANS students, pentesting or even red teaming, can become ‘boring’ over time (sorry guys), especially when you are brought into environments where all the organization wants is to have a green check for yearly compliance purposes, or simply to have one more report to ignore. And trust me, that happens more often than not.

That is why I am so happy to see how many security professionals, experienced or not, are making the shift, joining the blue team ranks to learn how to defend their crown jewels in a highly increasingly complex world where technology advances so fast, data is ubiquitous, networks become more opaque and endpoint devices are less trusted than ever.

If this is your goal, and you are willing to get into an exciting, high paced but also highly rewarding field, where learning never stops… welcome aboard! Now, where do you start? There are a plethora of resources out there on how to get started into pentesting, but it seems that it is not so easy to find good resources on how to become an effective cyber defender.

There are many resources I can recommend, but since dropping here a list of 100 links won’t probably help you much, let me recommend you a very easy and light reading to start with: “Time Based Security”. Though it was written in 1999, TBS is still one of the most relevant, effective and terribly simple security models you can apply today. The principles enumerated in this book are absolutely essential for any blue teamer, regardless of whether you are a CISO, a SOC analyst, a security architect or an incident responder. TBS provides a reproducible method to understand how much ‘security’ a product or technology provides, by answering:

• How long are systems exposed?
• How long before we detect a compromise?
• How long before we respond?

While it is usually applied to auditing, TBS is a very practical model to assess and design security architectures too. The method proposed is very simple, but it provides you with the knowledge and the tools required to make systems more secure and resilient. Here’s the main idea:

“If it takes longer to detect and to respond to an intrusion than the amount of protection time afforded by the security measures, that is if P < D + R then effective security is impossible to achieve in this system. It should be becoming a little bit obvious that the choice of a good protection system is not the first thing you need to think about when designing a secure network environment. It’s the efficacy of the detection and reaction processes that really matters.”

If this wasn’t good enough, Winn allows you to download and read his book for free on his website, so please go and grab a free copy of “Time Based Security” now!

https://winnschwartau.com/wp-content/uploads/2019/06/TimeBasedSecurity.pdf

Want to learn more on #BlueTeam? If so, please let me know, and I will follow up this post with a series of articles on how to improve your cyber defense skills. In the meantime check out the series of webinars that Justin Henderson and I recorded here:

Defensible Security Architecture and Engineering – Part 1: How to become an All-Round Defender – the Secret Sauce

Defensible Security Architecture and Engineering – Part 2: Thinking Red, Acting Blue – Mindset & Actions

Defensible Security Architecture and Engineering – Part 3: Protect your Lunch Money – Keeping the Thieves at Bay

The post Do you want to learn how to ‘Blue Team’​? Start with “Time Based Security”​. first appeared on Passionate aboutsecurity.

Full recording of the presentation in English: https://www.youtube.com/watch?v=bUaVt3rjSwc&t=6991s (my talk starts at minute ’59).

Si hace 20 años, cuando trabajaba como desarrollador web para una pequeña ‘.com’ en Málaga, me hubiesen dicho que tendría la oportunidad de diseñar, construir y gestionar el programa de ciberseguridad de la red hospitalaria de la ciudad de Nueva York, el de un Banco en Dubai o el de una empresa de software con sede en Sydney, presentar mis proyectos en BlackHat, diseñar productos de seguridad para McAfee, liderar iniciativas de seguridad en Intel y formar a profesionales de Microsoft, Amazon, NASA o FBI, ¿qué crees que habría pensado? Obviamente… ¡que era imposible!

Pero, ¿no es en eso en lo que consiste la filosofía ‘hacker’? Hacer posible, lo imposible. Y todo empieza por ‘hackearte’ a ti mismo, crear tus oportunidades y sacar el máximo provecho de aquellas que se presentan. ¿Quieres saber cómo? En esta sesión compartiré recomendaciones y experiencias útiles, tanto para aquellos que quieren desarrollar su carrera en ciberseguridad, como aquellos que quieren impulsarla y desarrollar todo su potencial.

IMG_5301

IMG_5302

IMG_5303

Slides:

Grabación completa del día Viernes, 30 de Noviembre. Mi presentación comienza en el minuto ’59:

Entrevista en el Diario Sur con motivo de la conferencia:

The post En Málaga o en Nueva York: Cómo ‘hackear’ tu carrera en ciberseguridad (Spanish) first appeared on Passionate aboutsecurity.

Slides:

The post Getting SecOps Foundations Right with Techniques, Tactics, and Procedures Zero (TTP0) first appeared on Passionate aboutsecurity.

“I thought all I had to do was show the data and people would understand. It doesn’t work. You have to tell a story” – Cliff Stoll.

Easier said than done, right? Being able to tell a compelling story that can answer key questions like: who is attacking us, what is their motivation, were they here before, how do they operate, what is the impact to our business, and will they come back, should be one of the ultimate goals of any effective blue team. However, being successful at embedding cyber threat intel in SecOps require something else: maintaining a solid understanding of the environment we are defending, as well as a systematic way to identify and prioritize applicable threats and assess impact, so we can respond appropriately to these attacks.

In this talk, Ismael Valenzuela, Certified SANS Instructor and GSE #132, will share lessons learned and practical tips on how blue teams can not only consume but also produce actionable and contextual threat intelligence using tools, processes, models and taxonomies that are available to the community.

Slides:

The post Intelligence Driven Defense: Successfully Embedding Cyber Threat Intel in Security Operations first appeared on Passionate aboutsecurity.

If you’re at BH USA this year, please stop by and say hi!

BlackHat USA 2018 – https://www.blackhat.com/us-18/presenters/Ismael-Valenzuela.html

BlackHat USA 2017 – https://www.blackhat.com/us-17/sponsored-sessions/Ismael-Valenzuela.html

BlackHat USA 2016 – https://www.blackhat.com/us-16/presenters/Ismael-Valenzuela.html

The post Speaking at BlackHat USA 2018 first appeared on Passionate aboutsecurity.

https://www.recordedfuture.com/cyber-threat-hunting/

Here’s an excerpt of this article:

As the saying goes, the best defense is a good offense. When it comes to cybersecurity, that means shifting from merely responding to intrusions and attacks to actively searching out threats and destroying them. Having the capacity and know-how to make this stance shift is a key element of a mature information security operations center (SOC), says Ismael Valenzuela, who recently gave a presentation on threat hunting at RFUN 2017.

Valenzuela has worked in cybersecurity for decades and has been a member of the Foundstone team at McAfee for six years, performing incident response in the United States, Europe, and the Middle East. He is also a SANS-certified instructor who has taught classes on continuous monitoring, forensics, and security operations for the past seven years.

During his presentation, Valenzuela talked extensively about the difference between incident response and threat hunting, focusing on the qualities that a SOC needs to effectively hunt threats and some of the challenges they face, as well as what he called the three big “knows” that every SOC should focus on: knowing your enemy, knowing your network, and knowing your tools. He concluded his talk with a look at how automation, artificial intelligence, and machine learning are impacting the field, arguing that they are ultimately just new tools that can supplement, but never replace, a team of experienced humans.

The post Disrupting the Disruptors: How to Threat Hunt Like a Pro first appeared on Passionate aboutsecurity.

https://wiki.securityweekly.com/ES_Episode70

The post Interview: Enterprise Security Weekly #70 first appeared on Passionate aboutsecurity.

https://www.tenable.com/whitepapers/cdm-from-the-frontlines

The post My contribution to the “CDM From The Frontlines” ebook first appeared on Passionate aboutsecurity.

The webinar is available here (registration required): https://www.sans.org/webcasts/105480 

Abstract: Each day, exponentially more data and computing power becomes available. We’re able to task machines to learn and understand more than ever before and, when combined with human analysis, this process can dramatically reduce laborious tasks. However, even with this surge in applicability, machine learning is still often considered a technology of the future.

Join this webcast to:

• Understand why machine learning is gaining prominence and how it will impact the future.
• Learn how you can take machine beyond simple automation and orchestration.
• Gain insight into how machines can analyze data to produce threat intelligence.
• Examine real-world use cases of how machine learning can drive practical applications in your organization.

The post Machine Learning: Practical Applications for Cyber Security first appeared on Passionate aboutsecurity.

The post On Cyber Security Interviews with Douglas Brush first appeared on Passionate aboutsecurity.