Duration 40:01
Cybersecurity Controls: It Isn't Just Technical Controls That Need Testing

Glauco Sampaio
Information Security at Cielo
RSAC 2021
May 20, 2021, Online, USA

About speaker

Glauco Sampaio
Information Security at Cielo

Glauco Sampaio has been a cybersecurity and risk management professional since 1999, in local media companies such as iG and Editora Abril, and in large financial institutions such as Santander Bank, Votorantim Bank, Original Bank, and Cielo. Sampaio has worked in leadership positions for the last 14 years, facing the challenges and the evolution of the cybersecurity market. Sampaio teaches cybersecurity disciplines in postgraduate and specialization courses in Brazil, is a member of the international board of advisors of EC-Council, and is also an active member of the Brazilian cybersecurity community.


About the talk

Glauco Sampaio, CISO, Cielo

This session will show how to use the continuous control monitoring approach to test not just the technical security controls of environments, but also the whole process that supports them, including response time, the effectiveness of the incident response team, the escalation process, and even the automatic responses.


Hi, I'm Glauco Sampaio. I'm Chief Information Security, Fraud Prevention and Privacy Officer at Cielo, in Brazil. It's good to be here with all of you at RSA Conference 2021 talking about cybersecurity, about something we as professionals do all the time, but I want to show something that I consider really important and that can bring good results for us as cybersecurity professionals. Are we secure? That's the question. We hear it a lot from our boss, from our executives, or even from our team, and it's really hard to answer. We cannot ensure that we are secure, but we work hard every day to be better and to improve the security of our company. But how can we guarantee this? What's the method? How can we, as cybersecurity professionals, ensure and elevate the level of security in our companies? That's part of our job.

Today we use a lot of types of tests. We have vulnerability scanning, we have application-level tests, static and dynamic, running through the applications and running manually; we can do tests on database security using vulnerability scanning solutions. We do manual tests like ethical hacking and pentesting, to try to penetrate the company by bypassing controls. We have a big number of tests; it's not just these that I'm presenting, we have more than this. But is this enough? All of them matter. They must be part of our strategy. They are good, they can find issues, and they can help us to correct what's wrong, what's not following the policies, the secure development policies, the patch management policies. They find this type of issue and we have to use them to improve; security must be part of our strategy. But the question is: is it enough? That's my main question, and it's something that I have been working hard on from the beginning. And it connects to the question, are we secure? I'm not too comfortable answering whether we are secure or not, because we have different things to learn all the time. The scenario changes, the environment changes, new technologies arrive all the time, and the tests that we are running today are not enough to ensure where we are and what we have to do to make sure.

So, is it a big problem? We have a big number of controls. If you take a look at your companies and make a quick map of what we have in place in the environment, we can find hundreds of controls, from the most basic, like patch management and firewall rules, to the most advanced, like data loss prevention controls, web application protections, and all of the controls that support our policies since the board set the objectives of the company. And it's part of our job to ensure that these controls are still working well. We have a big number of them, but we have to ensure they still work. We see a big number of security breaches and data leaks all the time; we see it in the media, we see it in our own companies, we are working on this all the time. And we have to keep in mind that we are in the middle of the company, to respond. And most of the time, when we look at the big announcements about a breach, or when we find it in the forensics, we see that controls that were supposed to be in place for a long time are not working anymore, and they cause incidents. We are also surprised by audit findings, not for new things but for old things, for issues that we solved before. We stopped these issues a long time ago, and then the auditor came in and found that the control is not working as we designed, and we receive a repeated audit finding. As a security executive, this is something that makes me really sad, and I talk to my team about it: we can and we must avoid the audit finding that shows a problem we already solved before. It's not good for us.

It's difficult to detect, I know. Most companies have a change management process to ensure that every change in the environment is analyzed and doesn't cause anything wrong or break anything that was in place, but we cannot be there all the time, and with a big number of controls we are not able to guarantee that one change in the environment is not pushing a control, a process or a security technology outside the designed process. One change in the network can cause a security bypass, or a change in the Windows policy can break something, can change a configuration and cause a security issue. So we cannot trust only in change management. Even if we have security people looking at the change, we cannot guarantee that the person who implemented something was completely focused and didn't do anything wrong, didn't disable or change something that causes a security flaw in the environment. They can disable a security control.

So what can we do about this? We are not able to see everything that's happening in our environment all the time, but we have to do something. We have to do our job and try to find these issues. We have to run more tests to find out whether the controls that are in place in the company are still working as we designed them. Let me give you examples of what I'm talking about.

The first one is focused on data loss prevention rules. We all know the importance of this, and we have a bunch of rules in our DLP solution. One example: the company's definition is that we cannot allow credit card information to be sent or received by email. So we create a rule that doesn't allow this; it must be blocked when sending internally or even externally. As designed, if this happens, if anyone tries to send credit card information by email, a ticket must be opened in the DLP solution and the email must be blocked. And this ticket must be treated by an analyst in 4 hours. As part of the process, the runbook, an email must be sent to notify the superior of the person who sent the email. That is one example of a process that supports a DLP rule. And what can we do? We can force this; we can simulate an email. We can generate a database of credit card information and try to send it to my personal email, or to someone in the company, to see if what we designed is still working. With this test, what can we get as a result? We can see if the DLP rule is still matching, is still blocking, and is raising the alert as the rule was designed. We can see if the ticket is automatically opened in the system to be treated by the analyst, if the analyst is following the runbook, doing the incident response as the runbook was designed, and running it within the SLA of 4 hours that we designed. So with one email we can test, we can see if the whole process is still working and supporting the designed security control.

Another example is focused on unauthorized account creation. It has happened to me in every company. We know that only the people who are in charge of account creation have authorization to do this, and we have to test whether someone else is doing it. So the rule is: no one outside the IDM team is allowed to create users in the Active Directory. So if this happens, what is the whole process designed to do? A ticket must be opened. The ticket must be treated in 8 hours, and we designed it to block the new account. And the creator of this account must be notified by mail that he did something that is not following the rules. How do we do this? We create a user in the directory using a credential that is not allowed, and as a result we can see different things. We can see if the log is still going to the SIEM. This is a problem that happens all the time: someone changed something, and the logs that were coming to the SIEM are not coming anymore. So we have to test this. In this situation we can force this scenario, see if the alert was generated as we designed it, check whether the automation worked, and whether the ticket was opened on the system and was treated during the defined SLA. We can force this and test all of this.

Another one is related to privilege escalation. We can't allow anyone to include users in the Domain Admins group, or even Global Admins or another administrator group. And if this happens, we have to automatically block the included user, and block the one who made this inclusion. It's a high-risk credential, high-risk groups, so we have to block this movement, block who made it, and create a ticket to be treated. Again, we force this: we include someone in the Domain Admins group. We see the same kind of result as before: if the log is generated by the server and is going to the SIEM, if the automation is working as designed, blocking the user and removing the privilege, creating the ticket to be treated by the analysts within the SLA. We can see if the whole behavior of this process is working as designed.

Another one is remote access control. This is focused on people who are connecting through the VPN. The corporate policy allows only corporate computers to be connected to the VPN. So if this happens, what did we design it to do? We designed a process to automatically block the IP address that is connecting through the non-corporate computer; if the connection was made with a valid user, if they have the username and password, block the user too, and create a ticket to be treated by the analyst. Again, we see if the log is still generated, if it's going to the SIEM, if the automation is still working as we designed, if the behavior of the process is still working as it has to in the company.

Another example is focused on endpoint security. No one can disable, or even try to disable, the security solutions that are running on the endpoints: the antivirus, the DLP agent, the EDR, or another one that you have on the endpoint. So if this happens, what must the SOAR do? The SOAR must isolate the computer, because something's wrong: either the user is doing something that is not allowed, or the computer may be compromised. So we have to quarantine this computer and open a ticket to be treated by an analyst. And we test this with almost the same results to check: the log is generated and going to the SIEM, the rule is working as we designed, the automation is there, the quarantine is made, and the analyst is running the playbook within the SLA. In the end, we are testing if the control is running from the beginning to the end. It's a type of test that is designed to test the whole process, not just the control. We test our team, because the security analyst is running the playbook, doing what must be done in an incident like this.

These are just five of them, and I'm sure that you are looking at your companies now and seeing a bunch of other controls that can be tested using this methodology. This approach is nothing new, nothing so different, but it's a different approach. We don't have this approach in mind all the time, and we suffer the consequences of that: we suffer incidents, we receive all these audit findings for something that was already there, or something that was in place for a long time. So we all know that this is important; we have hundreds of things to do, and we can do a big list with part of the time of our team and bring them to use this approach. And I'm sure that we will have good results. And to help you in this journey, I will show you the steps to put this in place in the next two weeks to start this process.

We must try this now. In the first week, we can focus on mapping the controls. I know that you have a big list in your mind, but you must focus on the controls around what are really the crown jewels. That's something most companies have in mind and must address with this approach, because we have a lot of controls and we are not able to test all of them the first time. So we have to focus on the most critical security controls, and the most critical are related to the crown jewels. As we are testing an approach, don't put effort on big scenarios, or on controls that are really hard to test. Focus on the crown jewels and on something that is quite easy to run as a test. Getting into this process, you can run tests on a high-level security control, but you can start with the smallest one. Talk to your team: your team already has a really good view of your environment and the knowledge to help you find these controls, and find where you can use this approach and run the tests. Use the previous audit findings; we have the audit reports, and we can use these reports to find security controls that are in place around the crown jewels or that failed in the past. We can use the reports to bring this knowledge and help us create this list. And, as I said at the beginning: think small at the beginning. Don't try to test a big number of controls, or try to test very hard, complex scenarios. Start small.

In the second week, you can choose three to five of the scenarios and use them to start. Define: we have to map, if we don't have it from the implementation of the control, what we expect to be the full process around this scenario. As I told you before in the examples, we have to test the process. So the control must do this, the analyst must do that; that's the expected response. We have to map this, because we want to follow the whole scenario and see if the response is correct from the beginning to the end. Create the test cases: use the red team expertise, show them what you want to do, and use them to create the tests. They know how to test, they know how to bypass the controls. So use your red team to create the tests. Then run the tests, and wait for the results. If the results are as designed, congratulations, you can be a happy security professional and go home. If not, you must understand what's happening, and now there's a correction. Understanding the scenario, we can see where the problems are and address the correction. With the results, you can find with the people who are in charge of the process what's happening, and apply the correction. Help the team to solve the issue, and after the corrections are applied, run the test again and wait for the results. If something is wrong again, it may be happening in the process, which can fail in one part or in another; another person from the team can run the test, you can test with different analysts, and you can be sure that the process is running from the beginning to the end.

After that, you must share the results. You must take the people who are part of the process and show them what you are doing and what's the result that you expect, because most of these tests are pointing fingers at the security people. Do this, share the results with them, and just after that, show the results to management. This is important for all the tests: you must show this to the team before showing it to management. Otherwise, we will have a big number of enemies in the company. Establish a formal process of tests after that. After showing it to your stakeholders, to your boss or to the other stakeholders, you must propose a formal process for this. I'm sure that no one in the company will see the results and not support you. We are creating something that brings value to the company, and business executives understand this.

Propose a formal process to do this. Define a routine to run these tests. Try to automate this, even if you use scripts for this; we don't have a big solution for this yet, but we can use scripts today. And you must define a list, a big list. You tried with three to five scenarios, but I'm sure that you have a big list of other controls. So define a prioritization list of the security controls. We are not able to run this for the whole bunch of controls that we have in the environment at the same time. So define a prioritization list, focus on the most critical controls, and create a routine for all the new security controls implemented in your environment to generate test cases to be part of this process. You can use the new information to create new test scenarios and feed them into your formal process. I talked a little bit about automation. It's quite important, but you can start without it. Today we have solutions for that, we have breach and attack simulation that can help us, but they won't solve the problem, because most of these solutions are focused on technical tests. You can implement a little bit of process testing through them, but they're not complete. They can help you get a larger scale on the controls, but they don't solve the problem. The same with RPA solutions: you can use RPA solutions to run the tests for you, and you are able to run a large number of tests. Using RPA solutions is important, but as I told you before, it's not mandatory. You can start doing this manually. I know companies that started this with just a few hours of a security analyst and got really good results with this.

To finish, I want to share what I learned from my own experience. I have been working in security for more than 20 years, and I have been working with this model for almost 10 years now, implementing it in three different companies, and I can share with you a little bit of my experience: what are the challenges, and what are the benefits of this approach? The main challenge, as for everything that we do in cybersecurity: we don't have resources, we don't have enough cybersecurity professionals in our team, and our team is not doing nothing; they are full of work. They are running tests, they are running the operation. But we can find a little part of the time of these analysts to implement this. If we get half an hour of the analysts, I'm sure they are able to run this, they are able to design the test scenarios. They can dedicate half an hour, one hour, to start the process. For sure, in the future, running a big number of tests, we will have a truly dedicated team for this. But in the beginning we can use our own team to start this process.

Don't create enemies: we already have enemies, because we love to create enemies in our companies. Be careful when presenting, when showing the results to the technical team, to your colleagues, because as I said before, during the testing we are testing the technical team, the IT team. So be careful when presenting this to the people who were in charge of the process; no one likes to receive a critical issue on what he's doing all the time. Be careful with this: use a partnership approach, show them the results, show that you are doing this to avoid issues, to avoid audit findings, which are really worse than an issue found by you. And don't start with a big number of tests. Focus on the most critical controls, the controls that are not so hard to test. And don't try to do a hundred different tests the first time. Grow this number over time: start small and add new scenarios, one scenario, two scenarios, three, four, five every month, every week. You can create this routine and grow the number of scenarios without starting with a big one. If you start with a big number, you will not be able to finish the tests and you cannot create the routine to run these tests, because this must be a routine. You must run the tests all the time, every month, every week, because the problem can appear now or can appear a month or a year after the implementation. That's the importance of running the tests.

And talking about the benefits: what can we generate for the company with these tests? We can reduce the uncertainty about the cybersecurity controls. The first question that I showed, are we secure: with this, I cannot guarantee that we are, but we reduce the uncertainty of the answer. We are not 100% secure, but with a new type of test we are bringing more security to the company. We reduce the audit findings over existing controls, which, as I told you before, is something not so good for us as security professionals; for a security executive, receiving a finding, an audit pointing out that an existing control is not working, is not so good. And we mitigate the risk of incidents. We run a bunch of controls and we have to guarantee that they're good, that these controls are there to mitigate the risks, and with this we can mitigate the risk of incidents. And finally, as professionals, as security executives, we can try to sleep a little bit better. Every time we pass a scenario, every time we test our controls and see that the control is working as designed, we can try to sleep a little bit better. So, I hope that everyone is good with this new approach. It's not a replacement for the other types of tests; as I told you before, we have to run those tests too, but this approach, a continuous control monitoring approach for the security controls, is something that I really believe brings value to the company and for us as security professionals. Thank you.
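
The DLP scenario the speaker walks through (force the trigger with fabricated card numbers, then check the block, the SIEM event, the ticket, the analyst's SLA and the manager notification) is the kind of end-to-end check that is easy to script. The block below is an added example written for this page; it is not code from the talk, from Cielo, or from ConferenceCast. It generates Luhn-valid synthetic PANs so the test never handles real cardholder data, uses a regex-plus-Luhn detector as a stand-in for the DLP rule, and evaluates constructed evidence records stage by stage. The field names (`siem_event_at`, `ticket_opened_at`, and so on), the 4-hour SLA wiring, the detector pattern and the two evidence records are all assumptions made for the example; the "logs stopped reaching the SIEM" record models the failure mode the speaker says happens all the time.

```python
"""Added example (not from the talk or Cielo): end-to-end test of a
credit-card DLP scenario, checking the whole process, not only the block.
Field names, SLA wiring, detector regex and evidence records are assumptions."""
import random
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit that makes `body` + digit a valid number."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    digits = re.sub(r"\D", "", pan)
    return 13 <= len(digits) <= 19 and luhn_check_digit(digits[:-1]) == digits[-1]


def make_test_pan(seed: int, prefix: str = "4", length: int = 16) -> str:
    """Synthetic, Luhn-valid PAN; deterministic per seed so runs are repeatable."""
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


# Detector standing in for the DLP rule: 13-19 digits with optional spaces or
# dashes, confirmed by Luhn so order numbers and similar do not match.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pans(text: str) -> List[str]:
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


@dataclass
class Evidence:
    """What the tester collects after firing the trigger (constructed records)."""
    sent_at: datetime
    delivered: bool                            # did the mail reach the recipient?
    siem_event_at: Optional[datetime] = None   # when the block event hit the SIEM
    ticket_opened_at: Optional[datetime] = None
    ticket_closed_at: Optional[datetime] = None
    manager_notified: bool = False


def evaluate_dlp_scenario(ev: Evidence, sla: timedelta = timedelta(hours=4)) -> Dict[str, bool]:
    """One pass/fail per stage of the designed process, from block to SLA."""
    closed_in_sla = (
        ev.ticket_opened_at is not None
        and ev.ticket_closed_at is not None
        and ev.ticket_closed_at - ev.ticket_opened_at <= sla
    )
    return {
        "email_blocked": not ev.delivered,
        "event_reached_siem": ev.siem_event_at is not None,
        "ticket_opened": ev.ticket_opened_at is not None,
        "analyst_closed_within_sla": closed_in_sla,
        "manager_notified": ev.manager_notified,
    }


def failed_stages(results: Dict[str, bool]) -> List[str]:
    return [stage for stage, ok in results.items() if not ok]


# Constructed evidence: a healthy run, and the failure the talk warns about
# (a change stopped logs reaching the SIEM, so nothing downstream fired even
# though the block itself still works).
T0 = datetime(2021, 5, 20, 9, 0)
HEALTHY = Evidence(T0, delivered=False, siem_event_at=T0 + timedelta(minutes=1),
                   ticket_opened_at=T0 + timedelta(minutes=2),
                   ticket_closed_at=T0 + timedelta(hours=3), manager_notified=True)
LOGS_STOPPED = Evidence(T0, delivered=False)


def run_test(seed: int = 7) -> Dict[str, object]:
    """Build the test email, confirm the rule would match it, evaluate both runs."""
    message = f"Hi, here is the card for the booking: {make_test_pan(seed)} - thanks"
    return {
        "trigger_matches_rule": bool(find_pans(message)),
        "healthy_failed": failed_stages(evaluate_dlp_scenario(HEALTHY)),
        "logs_stopped_failed": failed_stages(evaluate_dlp_scenario(LOGS_STOPPED)),
    }


if __name__ == "__main__":
    for name, value in run_test().items():
        print(f"{name}: {value}")
```

In a real run the `Evidence` record is filled from the mail gateway, the SIEM and the ticketing system after the test email is sent; the point of reporting per stage rather than one overall verdict is that "blocked but no ticket and no SIEM event" is exactly the silent breakage the speaker describes, and it looks fine if only the block is checked.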