1. Security OPS for large and small companies
#PAYMENTSECURITY, Saint-Petersburg, Russia, 2017
2. #whoami
Mona Arkhipova
◎ Unit Manager of information security architecture and monitoring at a software vendor and cloud services provider
◎ Co-owner of an internet acquiring software custom development company
◎ Independent security consultant
Past
• Head of SOC and OPS monitoring, Lead information security expert at QIWI group;
• Security analyst at General Electric (GE Capital);
• Independent security consultant at fintech start-ups;
• *nix systems and network administrator
8. "Working not as expected"
◎ Gather references, mostly from hands-on specialists
◎ Try to pilot on a large amount of varied data
◎ Performance testing under overload
◎ There's no silver bullet
9. What about free solutions?
Small/Mid
◎ Good point to start
◎ …if your production would stay the same size
◎ May be supported by IT
◎ (Most) processes may be easily changed
Mid/Large
◎ Also a good point to start
◎ …if you don't have compliance requirements on retention
◎ And if you have enough resources for internal development
◎ Calculate solution cost at different lifecycle stages
10. Enterprise solutions
◎ Support response speed
◎ Patching speed
◎ Number of experts on the solution
◎ Professional services costs
Is the solution needed for, or usable by, security only?
11. If the solution fails
◎ Look for enhancements
◎ Recheck the covered scopes
◎ Solution criticality
◎ Calculate TCO
◎ Plan changes
15. Typical incidents
◎ Prepare detailed response plans
◎ Create a KB of known issues
◎ Alerts may be pushed outside
◎ May be partially handled by the duty/IT monitoring team
◎ Keep it simple
16. Automate all the things
◎ Access workflows
◎ CMDB/simple inventory
◎ Hardening controls/self-healing
◎ Patch management
◎ Agents review
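To make the "hardening controls/self-healing", "simple inventory" and "agents review" items concrete, here is an added example (not code from the talk or its author): a single control pass that parses a host's configuration, reports drift from a baseline, rewrites the drifted keys in place, and checks the inventory record for missing agents. The baseline keys, the sample config, the host record and the agent names are all constructed for illustration, not a real standard.

```python
# Added example, not from the slides: a small self-healing hardening control
# plus an agents review, the kind of automation slide 16 lists. Baseline
# values, the sample config and the inventory record are constructed.

# Constructed baseline: setting names are assumptions, not a real standard.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Agents the inventory says every host must run (constructed list).
REQUIRED_AGENTS = {"edr-agent", "log-forwarder"}

# Constructed sample of a drifted sshd_config-style file.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
"""

# Constructed inventory record, as a simple CMDB might hold it.
SAMPLE_HOST = {"host": "app-01.example.internal", "agents": ["log-forwarder"]}


def parse_config(text):
    """Parse 'Key value' lines; blank lines and comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def find_drift(cfg, baseline=BASELINE):
    """Return {key: (current, expected)} for every baseline key that deviates.
    A missing key counts as drift (current is None)."""
    return {k: (cfg.get(k), v) for k, v in baseline.items() if cfg.get(k) != v}


def remediate(text, baseline=BASELINE):
    """Self-heal: rewrite drifted keys in place, append missing ones, and leave
    everything else (comments, unrelated settings) untouched."""
    out, seen = [], set()
    for line in text.splitlines():
        stripped = line.strip()
        key = None
        if stripped and not stripped.startswith("#"):
            key = stripped.partition(" ")[0]
        if key in baseline:
            out.append(f"{key} {baseline[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in baseline.items():
        if key not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def review_agents(host, required=REQUIRED_AGENTS):
    """Agents review: which required agents are absent from this host's inventory record."""
    return sorted(required - set(host["agents"]))


def run_control(text, host):
    """One pass of the control: drift report, missing agents, and the healed config."""
    drift = find_drift(parse_config(text))
    missing = review_agents(host)
    healed = remediate(text)
    return {"host": host["host"], "drift": drift, "missing_agents": missing, "healed": healed}


if __name__ == "__main__":
    result = run_control(SAMPLE_CONFIG, SAMPLE_HOST)
    for key, (current, expected) in result["drift"].items():
        print(f"{result['host']}: drift {key}={current!r}, expected {expected!r}")
    print("missing agents:", result["missing_agents"])
    print(result["healed"])
```

The drift report is what you would push to the duty/IT monitoring team or feed into a ticket, while the healed text is what a configuration management run would write back; keeping the two separate lets the control run in report-only mode first and in self-healing mode once the baseline is trusted.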
19. Common way
◎ Limited scope and vectors
◎ Single team/vendor
◎ Well-known scenarios
◎ Approved testing windows
◎ Whitelisting as a requirement
20. Common way cons
◎ Lack of coverage
◎ Toolbox
◎ Too many approvals
◎ "This is for compliance only"
21. Red team vs Blue team
◎ Good for large systems
◎ Full coverage of internals
◎ Scope covers all security and awareness processes (not only IT systems)
◎ Greatest way to test your team and tools
◎ Safe way to get a 'real' incident and apply appropriate mitigations
22. Red team cons
◎ Price
◎ DoS and urgent changes
◎ Urgent reinstall
◎ All employees are the target too
◎ IT security team overload
◎ 24x7 attacks