2. #:WHOAMI
▸ a.k.a. Mona
▸ Lead infrastructure security expert at QIWI group
▸ Past: security consultant at fintech start-ups, security
analyst at General Electric (GE Capital).
3. TWO TOWERS
▸ Bank way: a great number of approvals, restrictions and
controls
▸ IT way: fast and flexible, basically no technology
limitations
▸ "There's no spoon"
4. TYPICAL BANK WAY
▸ Limited number of systems and products
▸ Industry regulations
▸ Strict business processes
▸ Security as a part of all activities from the start
▸ "Bloody Enterprise"
5. TYPICAL SMALL/MID IT COMPANY: SECURITY...WHAT IS IT?
▸ Most companies start thinking about security only
after validated incidents
▸ Security activities performed (or not) by the system
administrator
▸ Wide stack of technologies
6. BRAVE NEW WORLD. BETWEEN IT AND BANKING
▸ Strong regulatory requirements from one side
▸ Strong business needs from the other side
▸ Spicy mix of enterprise technologies and in-house
development
AND THE TYPICAL BANK WAY DOES NOT WORK IN FINTECH
8. ONLY THE STUPID NEED
ORGANIZATION, THE GENIUS
CONTROLS THE CHAOS!
Albert Einstein
9. COMMON CHALLENGES
▸ In-house development
▸ No strict business processes
▸ Security vs. usability/speed
▸ A bit of necromancy (Very Important Server)
10. BRAND NEW TECHNOLOGY (C)
▸ Dynamically changing environment
▸ Who needs a technology stack, this brand new
technology (TM) is our salvation!
▸ App security guides? DevOps don't need them.
11. ASSETS AND PROCESSES
▸ Hardened perimeters
▸ Test labs: "this is a test server, there's no need for OS
hardening"
▸ Abandoned servers/VDIs/whatever
▸ Network controls?
12. SECURITY VS USABILITY
▸ Application and technology restrictions
▸ Performance issues
▸ Tons of logs
▸ A lot of additional work (especially on investigations)
14. IDENTIFY
▸ Track all env changes
▸ IT systems are a great source of raw data
▸ Periodic manual checks
15. EXAMINE
▸ Common traffic profiling (OS specific, network specific)
▸ App-specific profiling
▸ Systems interconnection
16. MONITOR
▸ Monitoring is a continuous process
▸ Track logins and network flows
▸ Periodic checks of log sources
▸ Set up emergency alerts on critical events
17. RESPOND
▸ Action plans for typical incidents
▸ Core analysis
▸ Rules/profiling tuning
▸ False positives and false negatives
18. FALSE (+|-)
▸ “Normal paranormal”
▸ Multiple events in short time range
▸ Traffic controls
▸ Chained events
▸ Events with low rates (APT)
▸ Continuous (pen)tests
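As an added example (not from the talk), the login tracking described under MONITOR and the false-positive/false-negative trade-off from the FALSE (+|-) slide, run over constructed sample login events: a fast rule catches a burst of failures in a short time range, while a slow, low-threshold rule is needed to catch low-rate activity that the fast rule misses. The log format, user and source values are assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample login events (not real data): time, user, source, result.
SAMPLE_LOG = """\
2019-03-01T09:00:01 user=anna src=10.0.5.21 result=fail
2019-03-01T09:00:09 user=anna src=10.0.5.21 result=fail
2019-03-01T09:00:15 user=anna src=10.0.5.21 result=ok
2019-03-01T09:10:00 user=svc src=198.51.100.7 result=fail
2019-03-01T09:10:02 user=svc src=198.51.100.7 result=fail
2019-03-01T09:10:04 user=svc src=198.51.100.7 result=fail
2019-03-01T09:10:05 user=svc src=198.51.100.7 result=fail
2019-03-01T09:10:07 user=svc src=198.51.100.7 result=fail
2019-03-01T11:00:00 user=root src=203.0.113.9 result=fail
2019-03-01T15:00:00 user=root src=203.0.113.9 result=fail
2019-03-01T19:00:00 user=root src=203.0.113.9 result=fail
"""

def parse(log):
    """Turn 'key=value' log lines into (timestamp, user, src, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(ts), f["user"], f["src"], f["result"]))
    return events

def failed_login_sources(events, threshold, window):
    """Return sources with >= threshold failed logins inside any sliding window."""
    by_src = {}
    for ts, _user, src, result in events:
        if result == "fail":
            by_src.setdefault(src, []).append(ts)
    alerted = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                alerted.add(src)
                break
    return sorted(alerted)

def run_rules(log):
    # Fast rule: burst of failures within a minute. Slow rule: low-rate failures over a day.
    events = parse(log)
    return {
        "fast": failed_login_sources(events, 5, timedelta(seconds=60)),
        "slow": failed_login_sources(events, 3, timedelta(hours=24)),
    }
```

With the fast rule alone, 203.0.113.9 is a false negative; lowering the fast threshold to 2 instead flags 10.0.5.21 (a user mistyping a password twice) as a false positive.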