KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
You've probably heard about Cyber Resilience, but what should be the differences between the two terms in the context of Cybersecurity? Cyber Resistance is the same or not?. During this presentation, we will be understanding the differences between Cyber Resistance and Cyber resilience, and how we can apply both concepts to our current technology landscape, besides understanding how we can identify the High-Value Target (HVT) in our organization
You've probably heard about Cyber Resilience, but what should be the differences between the two terms in the context of Cybersecurity? Cyber Resistance is the same or not?. During this presentation, we will be understanding the differences between Cyber Resistance and Cyber resilience, and how we can apply both concepts to our current technology landscape, besides understanding how we can identify the High-Value Target (HVT) in our organization
Thank you. Thank you so much. So first of all, we, we gonna talk about this. This is the topic of this, this talk. And I would like, I do like to say thank you again. And this is my contact to, at Phillip Pierce. Usually I talk online. I was talking, this is the third time that I'm talking in the events for computer. Cool. Once in 2019, it was in person and 2020, it was virtually 22 virtually again and 22 in person. It's very nice because I have an opportunity to talk with the people in person to meet and to exchange knowledge. That's the idea.
And when I prepare this, this presentations, I have heard a lot of information about the cyber resistance, cyber resilience. It's not exactly a big, a new topic, but usually the organizations and the security stuff like to create these kind of new buzzwords, right? So let's investing our money in this. So the idea behind of this talk is, is explain that. So just let me introduce myself, let me, okay. So this is my co contact at social media have here, my webpage and Twitter account, and some projects and researchers in my GitHub.
So if you like to share something with me, so I really appreciate, so I'm secure research at SAP support, by the way, that's the idea about my job in SAP support, because I'm responsible for creating a different attack modules in the, and for this product specifically. So I understand how the permissions the organization needs to have in, in the cloud environment.
And I understand those permissions and I see actually I need to think about how the attacker think, and I create attack modules theological, and I send those informations from the development team and the team create this intelligence, right? And I'm secured advocate of the S since it's global company responsible for providing a pan solutions, the privilege access management, and the idea is to spread the message about the cybersecurity and how important it is, the identities and how you can protect that, creating the idea or to understand about the zero trust concept.
And other thing like this advocate of the hack is not a crime. It's very nice project in us created in us, but the message behind of this project is the hacking needs really not a crime, because if you are a lawyer and you as a good, in bad things, you are a criminal, you're not a bad lawyer, right? So the idea is the hacking is how you can use in your creative mind to find possible vulnerabilities and informing the organizations and to suggesting the best, the other things to, to the company, right? If you are recruiting things for a bad actions, you are criminal.
And that's the point behind of this project. And I'm Nick ambassador from the open source version. Basically when you talk about the application security stuff like this, so how you can develop your product more safe. So I'm application security specialist. So how you can create your product more safely. That's the idea behind of this product? They have a specifically open source project to basically is a SaaS project.
Does statistical analysis scanning when you perform a specific scanning during your code in your cloud environment, and if you are working a cloud native, for example, you perform this scanning during development process, you can increase that. And I'm a lead of the Devcon groups is a community Sao Paulo, Brazil, by the way, and by the way, I'm Brazilian, but I'm living Portugal in this moment. And this community's idea is to express the message from the students and all those peoples about the cybersecurity.
And I'm structured writer and have heard those three magazines here in Europe, right? So that's the that's me. Okay. It's good presentation for my mother, by the way.
And okay, so first of all, what is a threat? So just a simple explanation about that. According to ISO is as simple or potential cause that happen in specifically systems or organization. It's important to understand that because we need to protect using this resistance and cyber resilience. Okay? So it's maybe a software attack, deaf intellectual property, maybe identity, death, or sabotage, or information distortion like a RESO attack, for example, is a kind of threat.
It's very important to understand something is suspicious in your environment, marking our, talked in the last talk about the complexity of the organizations. So you can imagine if you are, if you are watching now, or if you are here, for example, and you have, for example, more than 5,000 entities, you, our organization, or maybe if you have 100, no problem, but you need to manage all those assets or identities.
You, you need to apply specifically policies, specifically rules for the specific applications. That's the challenge here. And this is the complexities, how you can manage all those access here. That's the point here. And Martin show us about the many applications and many tools to use into protect organizations. And that's the big challenge here. So what is exactly cyber resistance? What the idea behind of this or behind of that? Okay. So it specifically is the resistance is the capacity to resist against attacks. It's pretty simple, but you need to resist it in different ways, right?
To reducing the attacks surface. Because in the past we heard a lot about the, the firewall we need to apply the firewall, antivirals, all those applications that you need to apply in your organization. It's pretty important to put that, to, to put in those things in your organization, to set different sensors and using different layers, creating this environment.
But the idea behind of this resistant is to improve and growing the security posture mainly when you not mailing, but if you are using on-prim environment is important, but if you are moving to the cloud or if you are, was born in the cloud, has a cloud in native is very important because that's the complexity. When you talk about the grow very fast in your organization, you start and a startup company and a startup organization, very small with 10 people, 20 people. But after two month you receive an investment and you have a 500 people, 700 developers. So how you can manage a that.
So that's the big challenge, how you can increase this cybersecurity resistance. So you need to develop and, and deployment the cyber controls that limit this extended and mitigate impacts of the attack. So because we have nowadays many developers, different developers, and let's suppose that you are using, for example, AWS environment, you can use an Azure or disappear Okta, Oracle cloud, or different cloud environment. And imagine that you have any specifically policy management to set the configurations and you have this, this specifically full bottom, like a policy management.
If you are an administrator of this cloud environment, you need to apply that. But behind of this specifically full bottom, we have more than one other policies like create policies, update policies, setting new policy, but usually the administration don't, doesn't look for this specifically, others checkbox. That's the point here. It's more easier to simple, like this enable full access management or policy management. That's the point here? So because of that, it's important to looking into have a good cyber controls, right? So this is the idea behind those cyber resistance.
And this is a kind of very interesting, not flow, but the idea about the resistance. So we need to continually secure design. And mainly when you was born in the cloud, it's very important because again, from the, in, from the developer perspective or from the new organization perspective, usually you are your, the concern of the, the board member is about what is about the product, the investment and, and, and how you can sell this specifically product, but, and how you can thinking about the secure designing and the security during the beginning is not.
And nowadays it's not, it's different because again, the board member are looking for a technical and, and the money. And when you talk about the resistance, it's very important to looking for the business perspective, but looking from the security posture, that's the point here. So we need to looking from the match controls environment, experimental learning, threat simulations, and hear about the learning. It's very interesting because Martin mentioned it about that.
The person it's very important about the security, the controls and tools, it's important, but how is the knowledgement that your organization are doing in your environment for your users? Because again, the users is, you know, are working every day using different tools, using email, using applications, internet. So they need to understand how important it is, those assets and those information it's based on specifically and the learning process, right? And group cyber resist, cyber risk decisions. And there is a cyber thready hunting here.
It's almost complex because depend depends of the, the maturity of the organization to creating this. And sometime, if is small, they don't have an investment to putting different teams or products to invest in that. And they need to technical agility and adaptation. That's the point to thinking about the cyber resistance to increase your secured defenses against the threat actors or the attacker? Okay.
So, and from the other hand, we have not, on other hand, actually, it's almost walking together, the cyber resilience. In this case, the cyber resilience refers to an identity ability to continuously deliver the identity, outcoming, the space, adversity, cyber events. In this case, we can, you know, summarize and two and to specifically concept basically an information security and business continuity here for me is the key. Because during our conversation today, we are talking about the information security.
So how you treat the security stuff, looking from the information, looking from the assets, but here we can see the other, a new word business continuity, because that's the point here when you thinking about the board member. So the board member are looking from the business continuity, and that's the point here when you need to think and understand about the resilience, right? Because this word is main basically how you can adapt in different situations, right? And we putting the cyber in front of the word basically. So how we can adopt update against the threat if you summarize that. Okay.
And that's very interesting key here. So in this case, cyber resilience helps business to recognize the attacks, have the advantage. And that's the point here. Many times the attacker has this advantage because they usually, they are one step in front of us because they are looking from the market. They are seeing what happened in the market. And because of that, they usually, they are one step in front of us and they are looking from innovation tools. And by the way, the attackers are looking from the open source tools, that other point interesting here.
And usually they, the attackers like is to looking more deeply about the open source and how they can increase this open source, how they can manage this code inside of specifically putting the malicious stuff inside of this code. And that's the one of those advantage of the attackers other point, it's a element of surprise.
And, and the other thing, when I talk about the element surprise, it's very interesting because if you're looking about the OAS top 10, the 10 vulnerabilities based on O one of the main vulnerabilities, a misconfiguration is not a zero day. It's not a big hacking, a big leak that happened. It's based on misconfiguration that someone apply the policy. And that's the point here, right? And basically this is the element surprise because the organization know that they need to do, and in terms of the configuration, but they putting, they don't use the, the best practice from the cloud providers.
For example, if you're looking from Azure, if you're looking for an AWS, they have more than one best practice to apply they cloud environment. So why we doesn't using this, why we don't use this specifically best practice, right?
So, and that's the, the vantage of the, the, the attackers. And another thing is the concept of the cyber resilience helps to business.
Again, remember we talk about the cyber cyber resilience, and now the business, okay. Information, security and business in this case helps the business to prepare, prevent, and respond against the same attack, successfully recovery. That's at the other point here about the resilience. Okay. So from the security perspective, we need to understand about how my organizations will executing specifically action. If our organization was attacked, attacked, that's the point here?
So how I using my team to respond against this possible incident, remembering the first slide that I show you about the thread. So is a potential cause. So what will be the response from my team if I have a specifically thread or possible thread inside of my environment and how is, could be impacted in my business, right? So that is the, the information about the resilience. So here we can compare both of them, cyber resistant and cyber resilience. We have very interesting flow here because here, as you can see, is more the idea how you can create in those protections in your organization.
But here you can see other difference, like a, a security initiative and problem solving piece of making a decision, making diversity of the cyber capacity, organizational readiness and business problem solving. If you see here is more concept is more looking from the business. It's not too related to any specifically tools, but of course, remember the, the resilience bring us two in two points, important information, security and business continuity. That's the, the point here.
And if you see here, take a look that here, it's more concept looking from the business and here you can see something is more related to how you can use in your tools to protect your environment. So, because of that, it's very interesting you using both of them and using the technical agility and adaptation, because that's a good point that threads are changing all the time. So during our event, on this event, probably someone are creating a new attack or using the identities, the permission that you didn't apply to explore the organizations.
And if you see here specialists in cyber practice, developing ahead of standard is based on this cyber resistance in organizational capabilities cannot be driving from our security. It's more about the business continuity, so you can see both of them, right?
So, okay. So, and now, what can we do this point here? Let's think about that. We have an insider threads. So who is possible this insider thread in our organization. We have a privileged access at demean. Its we need a management, this in our organizations, we have a C lab on access because you know, if you are in startup, for example, probably you are a co you have a 2 0 1 CTOs, you have a, probably two or three developers, one data science and two or three guys for financial. So we have five people. So probably this five people's three or four has full access. Right?
And they are as a level member it's that's correct. It's not wrong. It's correctly. They start up. Okay. But the point is they start up growing, receiving investment, very nice successfully. They have 30 people, but the sea level continue have a full access in all environment. Right? And obviously the sea level board member are the focus of the attackers, right? Other challenge working from home. So remote OK. Workers. So we need to give the access from this guy to works other things, cloud assets.
As I mentioned, mood cloud environments that we have in the organizations and what would be the risk impact of if someone of these guys or ladies have, have a privileged access and not only that, but if they will look at credentials, how is impact if the sum attacker gain the access, what is the risk impact from the York startup, from your business, your organization, right? Other point is developer teams. So if your company is more, is more bigger than, than the startup, for example, and you have 100 peop employees, you have 500 employees.
If you have, I dunno, 6,000 employees have a developer team and not different squads, different trips, whatever name you prefer. No, no, no, no. It's not a problem here, but what, how you can manage this access from the developer. Okay. And develop team because you need to automatize the process. It's pretty important. You automatize this. So they need to access many systems because they will automatize the code using code, into creating the CI CT pipeline, implementing dev, maybe implementing dev sec pop future to putting the security inside of the DevOps process.
But again, here we have people, we have a users and you have an access and we have database teams, the team responsible for providers, database, these informations, the important informations cloud team, other important informations and team leader of the business units. The many times when you creating these access on AWS on Asia, again, you need to give the access. You need to enable the checkbox and the people has the access. Okay. So how we deliver that? Okay. The very nice phrase that I heard is attacker love complexity. They like this.
And not only that, but the attack, the adversaries leverage the attack, surface complexity to their advantage because if you, our environment or if organization is totally, complicative, it's more easier from the attacker perspective. So they look, they, the attacker looking from the shortest path to achiever day goals. That's the point here and I am working a lot. And this is specifically top I'm research, how the attacker think and how you can creating possible protections. Because again, from the attacker perspective, the attacker will try find the shorted attack path to achieve the goal.
Remember that if you go for this, if you go your home after the event, and if you learn about this phrase or this word, shortest attack path, for me, I'm happy because that's the idea from the attacker perspective. And let's think about that. So this is a simple open source to that. I'm reer making some research and I have here specifically for users, as you can see here, the CEO, the support guy, the tour is a other user important user and the manager. And we have a four users here. And if you see I'm using here in a graph way is basically on no JS basically.
And you have here a good picture. And if you see here, it's only four users, okay.
It's, I'm a start here. Let's suppose that start my, my startup here, the th or take a look at. So I have an SEO and support guy and the audio user called tour and manager. And if you see here, I'm sitting here specifically cipher query based on no JS, you can use in the open source version as well. Okay.
And, and basically these tools open source works with a, they using specifically AWS principal. I'm using here collecting information from AWS basically, but you can use in here in Azure, you can use in GCP, you can thinking about the other cloud environments.
No, no words about that, but pay attention of this important thing is how you can increase the resistance. Because remember the attacker will try find the shortest path to achieve goal. So this is the goal, the co access. Okay.
So, but here I set. If you see here, I will try to find specifically identity access management. It's a policy, okay.
And AWS, and set the full policy version. It's a simple configuration that you can find inside AWS. It's not a, a vulnerability from the, from the AWS, not it's a configuration that you can set, enable simple checkbox, this a part of the policy management inside of the AEM policies of the AWS.
I mean, what that means in this case. So when you need to apply specifically policy, you can chose policy management enable all things, or you can set a specifically policies. And one of these policies is set default policy version, and this case, all those users has this policy. That's the query that I'm using here. So are you looking from this specifically policy?
Okay, Phillip, I understand that you're putting this, but what's, that means in this case. So if you see here, I have the support guy, they have this specifically ver policy applied. Thor has this apply it, this policy applied, the manager has this policy applied and CEO as well. So my question is why the CEO needs to have this permission set the full policy version. It's a CEO is a board member. Don't need to have this policy. On the other hand, the manager, why the manager ha needs to have this policy don't need to have the tour.
So we don't know what this guy doing are doing this company, but he has support, but maybe support needs to have. So in this case, that's the point here we have here, two user that don't need to have these policies, apply it. On the other hand, the thought it's a full administration guy. He is here. So if you see here, I have a support guy that have, and the full resource th has the full resource and the co have an access and the full resources in AWS. So if you're an attacker, I can collect those access from this guy I can use in this permission to set a new permission.
If this guy have another permission, like a full access, I can change. And I can choose from the, the full policy version. Let's suppose that this user has three policies. One is administrator or a support guy, limited, limited access, but they have another, policy's a full access. So if is executing this in AWS CLI console, I can change the policy and I can gain this new access and I can through from this network. So that's the point here. I can walk from this complexity. I'm talking just for users, that the point here. Okay guys.
So this, some books about this talks that I can recommend you if you want. And I finish here, my presentation. I really appreciate again from the time. And if you have any question, please let me know. Thank you again.
