About the talk
Okay. Thank you very much for joining us today. We are going to talk about security analytics. I would like to start with a little bit of introductions first. My name is Martin Zugec. I'm working for the technical marketing team as a senior architect. I have a lot of experience with [inaudible], and lately I've started working more and more with security. With me today is [inaudible], who has years of experience in security, working for companies like Cisco, and who joined Citrix [inaudible]. He's responsible for Security Analytics as a product manager, and he has a little bit of knowledge about Citrix.

Now, I have one question that I would like to ask all of you: how many of you are security professionals? Yeah, I don't see many hands. So the way we decided to do this session today is pretty much to talk to you about security analytics, but it's probably going to be used by someone else in your organization. It's going to be used by the security team; it's probably not going to be used by the Citrix team. So what I always like to do in this kind of session is a short introduction to give you an idea of what the current state of cybersecurity is in 2019, why we are talking about security analytics, why it is important, what you can do and how you can do it.

I'm going to start by talking about what's currently happening. Usually when I do these sessions I like to talk about how professional the attackers are becoming, how organized they are, how we are starting to see a lot of the state-sponsored attacks and so on, but today I decided to do it differently. I'm going to talk about the numbers. The estimated annual revenue of cybercrime is 1.52 billion US dollars. This is the amount of money that is standing against you. Now the problem that I have here is that this number doesn't tell you anything, because these are the big numbers. We are used to seeing them, and after a while it's just a big number. So I wanted to visualize this for you somehow. So what are you looking at? This is a stack of $100 bills; together it's $10,000. You can have a little fun in Vegas. Now we are going to add a human element so you can see the dimensions. This is $1,000,000. For $1,000,000 you could buy a house in San Francisco. This is 1 billion dollars. And by the way, the dimensions and everything, this is the real thing, so we actually spent a lot of time calculating how this is going to look. You could shoot every single Marvel movie, every one including the Avengers; the combined budget of all of them was exactly 1 billion dollars. Now look at the guy on the left. Let's zoom out a little bit so you can still see him in the corner. So the annual revenue of cybercrime, these are the guys that are standing against you, this is 1.5 billion dollars. This is what they are making. I'm not going to talk about how professional they are, I'm not going to talk about what kind of tools they are using. I'm just going to tell you this is everything they can go and invest back against you.

Now, standing in the opposite corner is you, and you kind of have to defend against that. It's not that they don't want to break your security: this is their business, and if they don't, they are going out of business. And what we are seeing is that the assets that we have to protect are growing every single week. So if you are working for an old company, you know that you have old systems that you have to secure. If your company is focused on innovation, you are getting all the latest new applications, so your portfolio of the software that you have to secure is actually growing as well. The best example that I like to use, and I could do the whole session only about this, is IoT, the Internet of Things. As you can see, the estimate is that we are going to see about 30 billion devices. Now I had someone tell me, "we don't use IoT at my company."
But that means you don't know that you are using it. You have some business unit where someone will just go buy some internet-connected coffee maker or something and plug it in. It just means that you don't know that you have it, but I'm pretty certain that every large company has some IoT devices on the network. When you combine all of this together, the business is growing, the IoT devices are growing, and what it produces is this number: the estimate is that an average organization is generating around 200,000 security-relevant events every single day. That is it.

So now we've been talking about the attackers, the bad guys. We've been talking about the business which is standing between them and the ones who are there to protect them: our security teams. And the big problem that we have is that there is a shortage of cybersecurity professionals. I like to do this kind of introduction about the state of security every year. When I did this in 2016 this number was 1.2 million; in 2017, 1.5; in 2018, 1.8. The latest number, from about a month ago, is almost [inaudible] professionals that we are missing. And that's by far the biggest problem that we are facing in security today. We don't have the people, we don't have the skills, we cannot keep up with the demand. And what you can say is: okay, I can easily fix this; if I don't have security people I can just hire more, that's easy. The problem with that is that you are not the only one. So this is where we are when we know that 77% plus of companies are planning to expand their security teams this year. So we have a limited pool of talent and everyone wants to get them. And again you can say the solution is easy. The problem is that you cannot easily fix this just with money, because the average salary in security is already very high. Once you start looking for the most senior people, like the lead security people, the average salaries are in many cases higher than what you pay the CISO.

So this is pretty much the definition of the problem that we have. And what are the current trends that we see in security, what's happening? We know these are the people that we have; these are the people that we need. How can we fill this gap if we cannot hire more people? The first one is a heavy reliance on automation. I talked to large customers that are heavily invested in security and they told me: the mandatory requirement that we have for security positions is Python and PowerShell; security is optional. We can teach you security, but having the scripting skills, knowing how to do the automation, that is critical for us. The second thing that we are seeing, and this is again related to the limited resources that we have, is integration. So if you are a security expert, what you want is to have one tool where you see everything that is happening in security, at the same speed, in the same console. That's the one place they want to have. If you tell them we have all these applications, they are going to ask you: how can we get it into the SIEM? If you offer them a standalone tool and you tell them we have five more dashboards where you can find the bad guys, that's definitely not what they want, because they don't have the people and they don't have the time. Now the most important one is augmentation. So if I know that I need 15 people in my security team and I have five, are there any technologies that can make my security people more productive? Are there any technologies that can make them work as if they were 15 people? So how many of you went to Black Hat or RSA, one of the big security conferences?
I want some hands now. If you go to these big security conferences, and you go for example to the expo hall, every single vendor is going to talk about AI and machine learning. The reason why we do this is that we know we don't have people, so what if we replace them with something that can potentially replace humans? That's why you see all the talk about AI and everything today. It's mostly marketing. The total result of all of this is the following statement: 93% of security teams are overwhelmed and they are unable to triage many of the events. They just never investigate them; they just ignore them and hope that it's not going to result in a security breach. Now, what's the 3.9 million dollar question? If you are wondering what this number is, this is the average cost of a security breach in the US. So what are the questions that the security team is going to ask, aside from where do we hire more people from? How can we secure all the applications? If I have 2,000 applications, I don't want to invent the security controls for each one of them. I want to have something that I can apply easily to all of them: new applications, legacy applications, Windows applications, everything that I have. The second question is: how can I take all these events from all the applications and devices that I have, and how can I bring them into the single SIEM solution that I'm using? The third big question is, so I'll use the example of the company that I used to work for: what if I have 8,000 applications and I blindly feed all of them into the SIEM, and I have five security guys?
If I start generating 5 million events every single day, that's completely useless if I have one person looking for specific events out of 5 million. That definitely doesn't work. So the question that a security team is going to ask is: how can I reduce the number of incoming events? How can I analyze them? How can I focus only on the important stuff? So with that, I'm going to hand it over to the security expert in the room. The way I would summarize this opening is the following: you are experts on the data and the applications, security is a team sport, and what he is going to show you is how you, as an expert on data and applications, can provide the data for the security teams that you have inside your company, and how we can help them to make your whole company more secure.

Thank you, Martin. I'm sure Martin covered a lot of problems, right? And in security, when you talk about security, it's all about the problems. If I want to quickly summarize: the number of trailing zeros that you could read on the slide is basically clearly telling us that most of the enterprises in the world, either knowingly or unknowingly, are following the strategy of security through obscurity. And day by day we're seeing that security through obscurity is not going to work anymore. That's what the numbers say. The second point from Martin's part: it's not about whether you have the chance to grow your security investments. Even if you have the luxury of an unlimited security budget, you still have the challenge of hiring the right talent who can help you to fight against the constant flood of security threats orchestrated by the adversaries. That's not going to stop anymore. So what do you need? Again, to summarize what Martin said, he didn't talk about only the problem; he also talked about the solution: a set of security products with a solid set of automation capabilities. That's the way to go. From my own experience sitting in a security operations center for quite a long time, this is one of the constant questions I used to hear from the leadership team: what's our exposure to this cyber threat, let's say, for example, ransomware? As and when they hear about a new cyber threat from the media, or a trending, hot data breach conversation across the industry, or whenever they hear about a conversation in their own vertical. But if you think about this question, it's not a simple question to answer. It is a fully loaded question, and interestingly this question might come in the middle of the night, or when you're busy with your family members on a weekend. But the crux of it is, in a specific situation your boss is going to ask you: I need the answer right now, because my boss is asking me to answer this question. So what you need is a solid set of automation capabilities that can give you the answer in a timely manner, with full confidence. That's very important. If you ask any security operations center analyst, the first thing he will talk about is time. Time is the crucial thing for me; time is essential.
We all know that the value of time is very critical for any security operations guy in the world. Now let me slightly get into the SIEM space. When I talk about the security operations center, again from my own experience, it is very hard to see any security operations center without one or the other SIEM, either it's Splunk, or QRadar, or ArcSight. A lot of my friends used to say that the SIEM is kind of their second home. Another interesting thing my mentor used to say is that you cannot see any security conversation without the security integration; integration has been the story of a lot of security these days. Let's talk about SIEM, just to recap. SIEM is a platform which, as the name says, helps the security operations guy to get context across multiple data sources. When I'm talking about data here, it is raw events across the ecosystem, so that he should be able to follow the process across the typical incident detection and response. As the name says, it helps you to aggregate the data, from the typical system-generated signals like syslog and NetFlow to the level of business process data, directory data, SAP-like business data and information as well. So it's a platform which collectively aggregates all the information, so you should be able to see everything from a single place. Of course, one thing I want to point out: whenever we talk about SIEM and we talk about the security operations center, everyone talks about incident detection and response, but in all reality the security operations center is not only responsible for the well-known incident detection and response; it starts from compliance and reporting and insider threat, to the level of fraud detection. So so far we talked about the good things, right? If we go back to Martin's slides, one of the other scary things is that on average a security analyst is triaging 200,000 security events on a daily basis. And a typical security operations center is always in a hungry mood for more and more context, because that's the only way for you to respond to the security events in a better way. That's a good thing. But if you start dumping a lot of data, you end up like that; that's going to shoot up your cost.

So so far we talked about a lot of scary things. What's the good news? Let's think about this scenario: on top of all this, an already overloaded security operations center, Martin and I are going to tell you guys: go to your security operations team and ask them to accept another tens of thousands of events coming from the Citrix ecosystem. I'm sure... The good news now: we haven't come to talk to you about sending you another tens of thousands of events from the Citrix ecosystem. Rather, we have come to talk to you about a very specific set of security incidents, which are based on the risk and context, that your security operations team can act on immediately. Taking a step back to the security space: when we talk about integrating another system as part of your already complicated security landscape, you might have a question: okay, Martin and his colleague are going to talk about another hundred-page document which you need to go through to configure it; that's going to take another, you know, another few hours or weeks. I'm sure your IT team is not going to accept it. And we also learned enough, with our own understanding of the market space, that complexity is the biggest hurdle for adopting any utility in the world, not only in security. So we made it very simple. In a matter of a few seconds, you should be able to inject the risk insights, I mean actionable risk insights, from the Citrix ecosystem, which can easily be acted upon by your security operations team. Just to give you a bit of context before we see it in action: for any secure communication you need security credentials; the second thing you need is a mechanism for you to extend your data with the new platform, that's the plugin, that's how Splunk works. Then it can receive the risk insights on an ongoing basis. That's it. It's a one-time activity, and there is a way to see it in action. Now my colleague is going to demonstrate how simple it is to start the configuration.
If I may borrow my friend Martin's statement, it's kind of a [inaudible] solution; you should be able to go pretty fast. We start from, you know, the data sources page, and now we are in the configuration step. The username is predefined by Citrix, and being a security control, you need to follow all the password regulations. And now you're ready with the configuration. We'll also send it in an email, where you can keep it handy for the following steps. And now we are downloading the plugin from the Citrix ecosystem. I'm going to talk about the configuration: the typical authentication credentials, the password, will be here, and we talked about how you can subscribe to the topic in the Kafka messaging bus. There are two ways to install add-ons: one from Splunkbase, which we're still working on, but right now you're downloading it from the Citrix system so that you can install it as a local plugin. Now it's ready for you to configure. And once the installation is done, it's pretty straightforward: you set up the regular communication with Citrix so that you can start getting all the risk insights. The hosts are pre-populated from the Citrix perspective, and the topic is what takes care of sending any insights from Citrix to your Splunk install base. There are a couple of advanced settings that you may want to configure if you have a need for that. Otherwise, we are ready to start consuming the risk insights. It's about a couple of minutes. Right now we are validating whether the environment started getting risk insights from Citrix. Yes, you could see all the responses from Citrix; you're ready to go in a couple of minutes. That's good.

So far we've talked about all this integration, and the security guys' question is always: what's in it for me, right? You're dumping data, so what's the value for me? That's the question your security operations team is going to ask you. Put another way, let's see it in action: what wonders you can do by injecting the actionable risk insights from Citrix.
I'm sure that's a pretty common question. Following the concept of defense in depth, every company has multiple vendors; every company has layers of security products. And now we are going to start off by convincing your security operations team to integrate another system. Of course, I'm sure you're going to get the same question back: why should I integrate this system? What are these actionable risk insights? Let's see it in action. What's the value that you can demonstrate to your security operations team, and on the other side, the value your security operations team can demonstrate to your executives? So let's start with the fact: security is no longer a perimeter play today; everyone talks about that these days. It's not only about antivirus anymore; everyone talks about that right now. What's the critical asset in your IT landscape? That is you and me. So let's see how you can use the SIEM integration, with the power of Citrix risk insights, to understand the risk exposure of the most critical assets of the IT landscape: the users.

So here we are assuming that your SIEM platform already has data from Active Directory. We are demonstrating how you can see the view of your users' risk exposure across the different organizations or departments, and you can also see the top five risk exposures that your IT landscape is going through, and you can get the answer for the "so what". Now we are getting into understanding the kind of devices used by your sales team, for example, and the kind of risk exposure your sales organization is going through. And like I said before, security is all about answering the question of "so what", right? That's the reason we keep answering the question with a lot of context, as you can see as we speak now. We talked about the organization-wide view; then we need to drill down, basically double-click on a specific department. Now we're talking about that one organization, let's say sales, with respect to: what's the risk exposure my engineering organization is going through? Why do you need it? Because you need to plan for the response as well. This is not about just telling me there's a problem. I need to give you actionable insights: what you need to do for that. You should be able to relate to the others so that you can take the appropriate security response. It could be a way of educating your users on the security principles, or helping them to understand the kind of critical assets they have access to, or the comparison between the organizations. [inaudible]

Now let's look at the other use case. If you talk to your IT security or network security people, the most crucial thing in the entire attack surface from their perspective is the endpoint. It's easy to say, like, in my organization I have a hundred endpoints, but I'm not sure: 100 or 102, right? Endpoints where you don't have visibility: that's going to be a disaster for your entire security posture. So let's talk about how you can use the Citrix risk insights to understand the risk exposure of your IT assets. Here we're assuming that you have data from your asset DB or CMDB, and that your IT landscape is going through two different paradigms: one is the BYOD devices, and the other one is the corporate devices. Basically, you should be able to see the assets which have a risk, and you can understand the risk insights over the period of time, and we're also giving you enough context so that you can easily inject these risk exposures as part of your incident detection and response runbook, if you would. Okay, I'm sure you might have the same question now: okay, what's the uniqueness here? The uniqueness is around the purpose-built machine learning models that we built specifically for the use cases that we want to address for our customers. That's the uniqueness. And there is a session in the afternoon; one of my friends, Jim, is going to talk about the nuts and bolts of those models. So I don't want to break the surprise here. Let me skip to the next section.

A typical analytics lifecycle spans across sense, which is nothing but "I need to sense what's happening"; and then I need to analyze what I collected; and then I need to respond back. I always use the line: security is all about answering the question of "so what". It's not about just telling you there is a problem, right? It's a responsibility to help the audience understand the implication of the problems that you're talking about. When you talk about sensing: unlike most of the anomaly tools, which all rely on agents, or some of them do, we don't have any agent reliance; our Citrix products are instrumented for us to collect that data. When you talk about analysis, like I said before, we have purpose-built machine learning models that help us to differentiate, you know, the anomalies. And this is interesting: this is where you need Citrix. We are not just giving you, like, you know, another handful of dashboards available across the security landscape. This is not a dashboard.
This is a platform where you should be able to understand the security exposures that your attack surface is going through, and you should be able to act on it. A real-life example: it's not about just calling me and telling me there's smoke in your house. You should also tell me what the process is then, so there's a way for me to call someone to fix it, right? For us to help mitigate the problems or respond to the threat. Now let's see everything from an architectural standpoint. [inaudible] Let's see how it works. Like I said before, it's not a dashboard. It is a platform, a risk assessment platform, which will help you to do real-time risk assessment of the cyber threat before it hits your attack surface. Again, what's the uniqueness? I give you my own practical experience: the traditional security operations center has tons of monitoring tools, but they are all completely relying on the system-generated signals, like syslog, network packet inspection, and then lateral movement and things like that. I'm not denying that, but now there's a huge paradigm shift with the cybercrime marketplace. The threats are no more triggered by malware, which is what the traditional security incident detection and monitoring tools can detect; they can't detect the new ones, for the simple reason that there are no system data signals there. But even during these modern-day threats there are a lot of behavior-related signals that you should be able to detect, and then you should be able to protect your ecosystem from those threats. So what do you need? Just a behavioral analytics system. We keep talking about behavior. What do you mean by behavior? [inaudible] When we talk about the modern-day threat, I want to keep it very clear: don't forget, tomorrow's attack is not going to be the same as today's attack. What does it mean? It's not like you can build a set of rules with a hundred people, or buy a lot of security controls, and then sit back and relax. No, it's not going to work. Tomorrow's threat will be unique, and it's going to be completely different from the attacks that you know today. So what you need is to make sure that you have behavioral analytics as part of your security strategy. Today you cannot rely on traditional rule-based security controls; that's not going to work. The way we keep innovating, cybercrime also keeps innovating, so you need to make sure that you have one or the other behavioral analytics system as part of your security strategy. That's important. That's good.

What do you mean by behavior? I try to simplify security. I know you might laugh, because whenever we talk about simplifying security, a lot of people love to take the same position: it's complex. But I always try to make it simple. What do you mean by behavior? Take your typical attack surface. Right now I'm trying to simplify as much as possible. What are the typical elements in your attack surface? One is the subject: that's you and me, and, very importantly, the people who have privileged access. And then you and me are trying to access something on the attack surface, which is nothing but an object. That's it. That's the security picture; so far so good. But you and me, right, we have a relationship with objects. What kind of relationship? One could be an access relationship. That's good as long as it is an access relationship, but not every access relationship is going to be legitimate. And then there is the activity behavior: after access, you're trying to do something with it. It could be a first-time-seen activity, or it could be excessive, or doing something you aren't supposed to do; that is unusual behavior. So let's talk about some specific examples that you can understand from this typical attack surface perspective. Let's take an example with my friend Martin. Think about the situation where, as we speak now, I could see that his identity is being used to access a confidential file, but the login attempt is being made from India. That's one. Second, the same identity is trying to get at [inaudible], which is a very, very confidential document in my team, but Martin's identity is not supposed to get access. So there could be two scenarios. Now, going back to my earlier point: isn't that a typical example of identity compromise? Let's take another example: a lot of login failures being detected for the same identity. That's a classic example of a brute-force attack; it could be a password spray. There are multiple ways of detecting it; I'm just making it simple for you to understand what I'm talking about. Another scenario should be around the endpoint. So we talked about endpoints multiple times; the endpoint is the typical point of compromise that everyone worries about, always. So let's assume that there are a lot of failures being reported, and then the same incident shows that, you know, the access is being made from a rooted device: an example of endpoint compromise. Let's talk about activity behavior. Proper access: let's assume that it's a legitimate access, and I'm trying to [inaudible]. For example, I'm trying to access the source code files; that could be because of the privilege of the group, that I still have the access, and I continue to access those confidential files, and I'm trying to download a lot of files to my local disk. These are the classical indications that a person is trying to look for a job and then trying to exfiltrate as much as possible, right. Think of another scenario: my friend Martin's identity, dark web [inaudible]. So maybe he has a lot of interest in, for example, [inaudible], and his identity is found accessing a lot of risky websites, where we know the risk exposure of those websites is very high. Or a specific identity is found doing command-and-control communication with a remote site after a successful exploit of the particular perimeter. Last but not least, on this specific activity behavior, there are the remaining observations. It could be a classic example. I tried to make it simple so that you can understand what I'm talking about from a behavioral context. What differentiates normal and abnormal behavior? It's very easy to say, like, there's something abnormal. That's the context. We, from Citrix, understand the normal behavior of the Citrix ecosystem better than anyone, but we should be able to build a model that can differentiate the normal behavior from the abnormal behavior. This picture is kind of a summary across all the behavioral use cases that we cover.

And let's talk about another interesting value prop that you can talk about, right? Unlike a traditional cyber risk insight, ours has a uniqueness where you need to get a lot of data from a non-IT source, like HR. That's where we took two dimensional aspects of HR: one, job performance decline, and then the salary increase problems, right, factors that impact the motivational aspects of an employee. What we're trying to showcase is how it impacts someone to start doing it. [inaudible] And then we are giving you a granular view of the "so what": why are you saying Martin is a high-risk user? Because he's disappointed with not getting a raise, right? Okay, just so you know, Martin is trying to access a lot of sensitive files, and then he's downloading a lot of files as well, maybe. Right. Okay, maybe it's interesting. I'll request Martin to summarize before we wrap up.

Okay. So thank you, everyone, for staying with us. I would like to ask you one final question, all of you: how many of you want to be responsible for security? That's perfect, and pretty much everything that we've been talking about today is this: we are responsible for the systems, we are responsible for the applications, and the thing is we don't have time, because we are overloaded with the new Windows builds, the new applications, [inaudible], and the people and the phones that are using them. And the first demo that we showed you took about two and a half minutes. That's pretty much how long it takes to connect everything that you have with the existing security teams. So if your manager comes to you and tells you, "we see all these security breaches, what can we do about it?", you are going to do the two-factor authentication, you are going to make sure that the Windows images are most secure, but it's only the beginning. If you are being asked to do this, this is a really good time for you to actually talk to your security teams and tell them what you can do. Tell them: we have this solution where you can easily plug everything that we have inside Citrix into your security solution. And on the way, because we don't want to send all of it, as a service Citrix can filter out the data and highlight whatever is considered a potential risk from a security perspective. That being said, I would like to thank you very much for your attention. One final thing: if you don't have the stickers yet, we are going to stay here for a little bit, so definitely come up and take some of the stickers. Thank you very much, and thank you for your attention.
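The behavioral use cases the second speaker walks through (a login from a country never seen for that identity followed by confidential file access, a burst of login failures, a login from a rooted device, a day of downloads far above the user's own baseline, a visit to a known-risky site) boil down to a baseline-and-score pass over an event stream. The block below is an added worked example for this page, not part of the talk and not Citrix Analytics code; the event schema, the thresholds and weights, the risky-domain list and the sample events are all constructed for illustration, and the product's real models are not shown here.

```python
"""Toy behavioral risk scoring over a constructed event stream (added example;
not Citrix Analytics code). Event fields, thresholds and weights are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASELINE_END = datetime(2019, 5, 20)        # events before this train the baseline
BRUTE_FORCE_FAILURES = 5                    # this many failed logins ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)  # ... within this window => brute force
DOWNLOAD_MULTIPLIER = 5                     # flag a day above 5x the user's daily average
RISKY_DOMAINS = {"evil-paste.example"}      # constructed high-risk domain list

# Constructed sample events: (timestamp, user, kind, attributes).
EVENTS = [
    # baseline period: what "normal" looks like for each user
    ("2019-05-13T09:01:00", "martin", "login", {"result": "ok", "country": "CZ", "rooted": False}),
    ("2019-05-13T09:30:00", "martin", "download", {"files": 2}),
    ("2019-05-14T08:58:00", "martin", "login", {"result": "ok", "country": "CZ", "rooted": False}),
    ("2019-05-14T10:00:00", "martin", "download", {"files": 3}),
    ("2019-05-15T09:05:00", "martin", "login", {"result": "ok", "country": "CZ", "rooted": False}),
    ("2019-05-15T11:00:00", "martin", "download", {"files": 4}),
    ("2019-05-13T09:00:00", "alice", "login", {"result": "ok", "country": "US", "rooted": False}),
    ("2019-05-13T09:00:00", "bob", "login", {"result": "ok", "country": "US", "rooted": False}),
    ("2019-05-13T09:00:00", "carol", "login", {"result": "ok", "country": "US", "rooted": False}),
    # detection period
    # identity compromise: new country, then a confidential file
    ("2019-05-21T03:12:00", "martin", "login", {"result": "ok", "country": "IN", "rooted": False}),
    ("2019-05-21T03:15:00", "martin", "file_access", {"path": "/finance/q2.xlsx", "classification": "confidential"}),
    # excessive download: far above martin's ~3 files/day baseline
    ("2019-05-21T03:40:00", "martin", "download", {"files": 40}),
    # brute force: six failures against alice within six minutes
    *[(f"2019-05-21T10:0{i}:00", "alice", "login", {"result": "fail", "country": "US", "rooted": False})
      for i in range(6)],
    # endpoint compromise: bob authenticates from a rooted device
    ("2019-05-21T11:00:00", "bob", "login", {"result": "ok", "country": "US", "rooted": True}),
    # risky site: carol browses to a domain on the constructed high-risk list
    ("2019-05-21T12:00:00", "carol", "web", {"domain": "evil-paste.example"}),
]


def _parse(events):
    """Parse timestamps and order events by time (stable for ties)."""
    return sorted(((datetime.fromisoformat(ts), u, k, d) for ts, u, k, d in events),
                  key=lambda e: e[0])


def build_baseline(events):
    """Learn each user's usual login countries and average files downloaded per day."""
    countries, files, days = defaultdict(set), Counter(), defaultdict(set)
    for ts, user, kind, d in _parse(events):
        if ts >= BASELINE_END:
            break  # sorted, so everything after this is detection-period
        if kind == "login" and d["result"] == "ok":
            countries[user].add(d["country"])
        elif kind == "download":
            files[user] += d["files"]
            days[user].add(ts.date())
    avg_downloads = {u: files[u] / len(days[u]) for u in days}
    return countries, avg_downloads


def score(events):
    """Return {user: (risk_score, [reasons])} for the detection period."""
    countries, avg_downloads = build_baseline(events)
    findings = defaultdict(list)
    recent_failures = defaultdict(list)  # user -> failed-login times inside the window
    new_country_users = set()
    daily_downloads, flagged_days = Counter(), set()

    def flag(user, reason, weight):
        findings[user].append((reason, weight))

    for ts, user, kind, d in _parse(events):
        if ts < BASELINE_END:
            continue
        if kind == "login" and d["result"] == "fail":
            recent_failures[user] = [t for t in recent_failures[user]
                                     if ts - t <= BRUTE_FORCE_WINDOW] + [ts]
            if len(recent_failures[user]) == BRUTE_FORCE_FAILURES:  # fire once per burst
                flag(user, "brute_force", 30)
        elif kind == "login":
            if d["country"] not in countries[user]:
                new_country_users.add(user)
                flag(user, "new_country_login", 20)
            if d["rooted"]:
                flag(user, "rooted_device", 25)
        elif kind == "file_access":
            # a confidential read is only escalated when the session already looks odd
            if d["classification"] == "confidential" and user in new_country_users:
                flag(user, "confidential_after_new_country", 40)
        elif kind == "download":
            key = (user, ts.date())
            daily_downloads[key] += d["files"]
            threshold = DOWNLOAD_MULTIPLIER * avg_downloads.get(user, 0.0)
            if daily_downloads[key] > threshold and key not in flagged_days:
                flagged_days.add(key)
                flag(user, "excessive_download", 35)
        elif kind == "web" and d["domain"] in RISKY_DOMAINS:
            flag(user, "risky_site", 15)

    return {u: (sum(w for _, w in f), [r for r, _ in f]) for u, f in findings.items()}


def rank(events):
    """Users from highest to lowest risk, each with its reasons: the 'so what' view."""
    return sorted(((u, s, r) for u, (s, r) in score(events).items()), key=lambda x: -x[1])


if __name__ == "__main__":
    for user, total, reasons in rank(EVENTS):
        print(f"{user:8s} score={total:3d}  {', '.join(reasons)}")
```

Every finding carries a reason alongside its weight, which is what lets a SOC act on the score rather than on a bare number. In practice the baseline would be learned from weeks of data per user and per population, the thresholds tuned rather than hardcoded, and a user with no download history treated as a first-time-seen case rather than compared against a zero average as this toy does.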