A Modern Approach to Corporate Security
Embracing Offensive Security as Internal Process
Bio
Francesco Soncina `phra`
- Computer Science @ Alma Mater Studiorum - Università di Bologna
- Offensive Security Certified Professional (OSCP)
- Penetration Tester & Red Team Operator @ ABN AMRO
- CTF Player w/ Donkeys Team @ HackTheBox
- Security Research and Bug Hunting
Agenda
1. The Origins
2. The Middle Ages of Corporate Security
3. The Present
4. Modern Warfare Domains
5. Challenges of the Present and the Future
6. Modern Corporate Security
7. Effective Security Operations
8. Red Team & Adversary Simulation
9. Applying Adversarial Thinking to Internal Processes
10. Q/A
The Origins
The Middle Ages of Corporate Security
Aleksander Karcz - Early Medieval Battle
External Perimeter...
Butrón castle - Spain
...is everything!
Hohenzollern Castle - Germany
Elitarian Knowledge
Philosophy Lesson - Grandes chroniques de France - Anonym
Witch Hunting
Jan Luyken - Execution of Anneken Hendriks in Amsterdam, 1571
Post-Breach Response
Security by Obscurity
Legal is the Primary Defense
The Present
Michelangelo Buonarroti - David
Security by Design
Security in Depth
Security Awareness
Knowledge Sharing
Open Source Tools
Security Research is Encouraged
Ethical Hacking
&
Bug Bounty Programs
Modern Warfare Domains
Data Breach
Ransomware
Industrial Espionage
Black Hat Hackers
Hacktivism
Advanced Persistent Threats
Nation State Groups
Challenges of the Present and the Future
Laws
&
Regulations
Reputation
&
Trust
Business Continuity
Modern Corporate Security
CIA Triad
The Idea
Shift of Assumptions
Assume-Breach Mentality
Target Maturity
Effective Security Operations
Policies
&
Compliance
Access Control
Visibility
Caspar David Friedrich - Wanderer Above The Sea of Fog
Logging
Monitoring
Alerting
Incident Response
Disaster Recovery
Review Analyze Evaluate Assess
Threat Hunting
Red Team
&
Adversary Simulation
Scope
OSINT
&