CHAOS MONITORING
Svetlana “Mona“ Arkhipova
Lead Information Security expert, QIWI

PentestIT corporate labs guest speech about security monitoring in dynamically changing environment.
  1. CHAOS MONITORING
     Svetlana “Mona“ Arkhipova, Lead Information Security expert, QIWI
  2. #:WHOAMI
     ▸ a.k.a. Mona
     ▸ Lead infrastructure security expert at QIWI group
     ▸ Past: security consultant at fintech start-ups, security analyst at General Electric (GE Capital)
  3. TWO TOWERS
     ▸ Bank way: a great number of approvals, restrictions and controls
     ▸ IT way: fast and flexible, basically no technology limitations
     ▸ "There's no spoon"
  4. TYPICAL BANK WAY
     ▸ Limited number of systems and products
     ▸ Industry regulations
     ▸ Strict business processes
     ▸ Security as an initial part of all activities
     ▸ "Bloody Enterprise"
  5. TYPICAL SMALL/MID IT COMPANY: SECURITY...WHAT IS IT?
     ▸ Most companies start thinking about security only after validated incidents
     ▸ Security activities performed (or not) by the system administrator
     ▸ Wide stack of technologies
  6. BRAVE NEW WORLD. BETWEEN IT AND BANKING
     ▸ Strong regulatory requirements from one side
     ▸ Strong business needs from the other side
     ▸ Spicy mix of enterprise technologies and in-house development
     AND THE TYPICAL BANK WAY IS NOT WORKING IN FINTECH
  7. OTHER SIDE OF THE MOON
  8. ONLY THE STUPID NEED ORGANIZATION, THE GENIUS CONTROLS THE CHAOS! (Albert Einstein)
  9. COMMON CHALLENGES
     ▸ In-house development
     ▸ No strict business processes
     ▸ Security vs. usability/speed
     ▸ A bit of necromancy (Very Important Server)
  10. BRAND NEW TECHNOLOGY(C)
     ▸ Dynamically changing environment
     ▸ Who needs a technology stack, this brand new technology(tm) is our salvation!
     ▸ App security guide? DevOps do not need them.
  11. ASSETS AND PROCESSES
     ▸ Hardened perimeters
     ▸ Test labs: this is a test server, there's no need for OS hardening
     ▸ Abandoned servers/VDIs/whatever
     ▸ Network controls?
  12. SECURITY VS USABILITY
     ▸ Application and technology restrictions
     ▸ Performance issues
     ▸ Tons of logs
     ▸ A lot of additional work (especially on investigations)
  13. WHAT'S NEXT?
     ▸ Identify
     ▸ Examine
     ▸ Monitor
     ▸ Respond
  14. IDENTIFY
     ▸ Track all environment changes
     ▸ IT systems are a great source of raw data
     ▸ Periodic manual checks
  15. EXAMINE
     ▸ Common traffic profiling (OS specific, network specific)
     ▸ App-specific profiling
     ▸ Systems interconnection
  16. MONITOR
     ▸ Monitoring is a continuous process
     ▸ Track logins and network flows
     ▸ Periodic log source checks
     ▸ Set up emergency alerts on critical events
  17. RESPOND
     ▸ Action plans for typical incidents
     ▸ Core analysis
     ▸ Rules/profiling tuning
     ▸ False positives and false negatives
  18. FALSE (+|-)
     ▸ “Normal paranormal”
     ▸ Multiple events in a short time range
     ▸ Traffic controls
     ▸ Chained events
     ▸ Events with low rates (APT)
     ▸ Continuous (pen)tests
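As an added illustration of slides 16 and 18 (not the speaker's code): a sliding-window login monitor that raises a burst alert on multiple failures in a short time range, escalates the chained event of a successful login right after such a burst as an emergency alert, and suppresses a known continuous-pentest source so it does not drown real alerts. The log format, thresholds, addresses and the KNOWN_SCANNERS list are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the talk): "<ISO time> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2016-03-01T10:00:01 10.0.0.5 alice FAIL
2016-03-01T10:00:03 10.0.0.5 alice FAIL
2016-03-01T10:00:04 10.0.0.5 alice FAIL
2016-03-01T10:00:09 10.0.0.5 alice OK
2016-03-01T10:05:00 10.0.0.9 bob FAIL
2016-03-01T10:06:00 10.0.0.9 bob OK
2016-03-01T10:10:00 10.1.1.1 scan FAIL
2016-03-01T10:10:01 10.1.1.1 scan FAIL
2016-03-01T10:10:02 10.1.1.1 scan FAIL
"""
KNOWN_SCANNERS = {"10.1.1.1"}  # hypothetical continuous (pen)test source

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)  # lines from several log sources may arrive out of order

def detect(events, window=timedelta(seconds=60), threshold=3, scanners=KNOWN_SCANNERS):
    fails = defaultdict(deque)   # src ip -> timestamps of recent failed logins
    burst_at = {}                # src ip -> time its burst alert fired
    alerts = []
    for ts, ip, user, result in events:
        if ip in scanners:
            continue             # known noise: suppress instead of alerting on it
        if result == "FAIL":
            q = fails[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()      # drop failures that left the sliding window
            if len(q) >= threshold and ip not in burst_at:
                burst_at[ip] = ts
                alerts.append(("burst", ip, user, ts.isoformat()))
        elif result == "OK" and ip in burst_at and ts - burst_at[ip] <= window:
            # chained event: a success right after a brute-force burst is critical
            alerts.append(("critical_success_after_burst", ip, user, ts.isoformat()))
            del burst_at[ip]
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```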
  19. QUESTIONS?
     Svetlana Arkhipova, Lead Information Security expert, QIWI
     mona@qiwi.ru
     monaarkhipova @m0na_sax