WEBVTT

00:01.180 --> 00:03.009
This is module four, lesson

00:03.010 --> 00:05.379
three, researching organizational

00:05.380 --> 00:07.240
capabilities and constraints

00:07.600 --> 00:09.249
and determining tradeoffs.

00:13.060 --> 00:14.229
In this lesson, we have three

00:14.230 --> 00:15.553
objectives for you to learn

00:16.239 --> 00:17.954
how to identify your organizational

00:18.160 --> 00:19.870
capabilities and constraints,

00:20.560 --> 00:22.177
identify how to tailor trade offs

00:22.480 --> 00:24.399
for your enterprise, and

00:24.400 --> 00:26.017
understand how to make customized

00:26.110 --> 00:27.700
defensive recommendations.

00:32.430 --> 00:33.779
So this is step three of our

00:33.780 --> 00:35.240
process: researching

00:35.760 --> 00:37.279
organizational capabilities and

00:37.590 --> 00:38.590
constraints.

00:39.540 --> 00:41.639
Every organization is

00:41.640 --> 00:42.659
going to have

00:43.500 --> 00:45.019
different aspects that are easy

00:45.840 --> 00:47.261
or harder for them, depending

00:47.670 --> 00:48.944
on some of the things that

00:49.530 --> 00:50.869
they already have in place,

00:51.870 --> 00:53.729
things about their workforce and the

00:53.730 --> 00:55.070
organization itself.

00:56.750 --> 00:58.909
So these are going to be things like

00:59.420 --> 01:01.249
what data sources, defenses, or

01:01.250 --> 01:03.499
mitigations are already collected or

01:03.500 --> 01:04.500
in place.

01:05.360 --> 01:06.634
So if you're already doing

01:06.830 --> 01:08.359
something

01:08.360 --> 01:09.536
that's most able to take

01:10.400 --> 01:11.989
care of how an adversary is using a

01:11.990 --> 01:13.939
technique, it may be really

01:13.940 --> 01:15.310
inexpensive or simple.

01:15.890 --> 01:17.719
So maybe something like

01:17.720 --> 01:18.830
if you're already collecting the

01:19.020 --> 01:20.959
data sources, possibly some new

01:20.960 --> 01:23.180
analytics on your existing sources.

01:23.540 --> 01:24.889
So just adding something to your

01:24.890 --> 01:25.890
SIEM.

01:27.650 --> 01:29.120
So you can also take a look at

01:29.150 --> 01:30.326
tools, what products are

01:30.980 --> 01:32.539
already deployed that might have

01:32.540 --> 01:33.940
additional capabilities.

01:34.640 --> 01:36.469
So do you have products

01:36.470 --> 01:38.599
in your enterprise that are already

01:38.600 --> 01:40.459
able to take some of these defensive

01:40.460 --> 01:42.379
measures or match things that we've

01:42.380 --> 01:43.752
said are going to work for a

01:44.030 --> 01:45.647
particular technique, but maybe a

01:45.890 --> 01:47.556
feature isn't turned on or it just

01:47.900 --> 01:49.939
needs to be tuned to match

01:49.940 --> 01:50.940
the particular thing.

01:51.590 --> 01:53.540
So this could be something like

01:53.870 --> 01:56.390
it's able to gather new data sources

01:56.660 --> 01:58.519
or implement new mitigations

01:58.520 --> 02:00.409
if we add on the right

02:00.410 --> 02:02.076
feature or if we turn on the right

02:02.180 --> 02:03.290
capability for it.

02:04.820 --> 02:06.094
Are there things about the

02:06.110 --> 02:08.599
organization that may preclude

02:08.600 --> 02:09.923
responses? Are there things

02:10.460 --> 02:12.126
that are just not on the table for

02:12.470 --> 02:14.659
us because of the organization?

02:15.110 --> 02:16.580
Maybe rules we have on data we

02:17.060 --> 02:18.499
are not allowed to collect,

02:19.130 --> 02:20.869
maybe something about our users

02:20.870 --> 02:22.291
where their patterns may make

02:22.610 --> 02:24.740
something impossible or easy,

02:25.370 --> 02:26.987
and this could be stuff like user

02:26.990 --> 02:29.090
constraints and usage patterns.

02:31.890 --> 02:33.409
So we've gone through with this

02:33.750 --> 02:35.610
user execution example,

02:36.300 --> 02:37.966
so I'm going to give some notional

02:38.070 --> 02:39.990
capabilities and constraints

02:40.380 --> 02:42.060
for our fake organization

02:42.420 --> 02:44.189
so that we can work through

02:44.640 --> 02:45.640
this process.

02:46.680 --> 02:48.240
So notional capabilities,

02:49.380 --> 02:51.839
let's say that our organization

02:51.870 --> 02:53.789
already has Windows events.

02:53.790 --> 02:55.409
So Windows event logs

02:55.830 --> 02:57.300
already collected to a SIEM but

02:57.780 --> 02:59.279
not process info.

02:59.740 --> 03:01.504
So we've got sort of the right types

03:01.830 --> 03:03.779
of data sources, but not necessarily

03:03.780 --> 03:04.860
what we actually need.

03:05.820 --> 03:07.289
The organization is currently

03:07.290 --> 03:08.969
looking at application control

03:08.970 --> 03:09.970
tools.

03:10.140 --> 03:12.479
It's a highly technical workforce.

03:12.490 --> 03:14.219
So ones that already understand

03:14.220 --> 03:15.930
maybe some of the threats.

03:16.560 --> 03:17.879
There's already an email file

03:17.890 --> 03:19.720
detonation appliance in place.

03:19.740 --> 03:21.029
So this has already been bought,

03:21.030 --> 03:22.199
already been installed.

03:22.870 --> 03:24.659
Like most organizations, we're

03:24.690 --> 03:26.429
going to assume that we already have

03:26.430 --> 03:28.139
antivirus on all endpoints.

03:29.160 --> 03:30.869
OK, so these are the things that we

03:30.870 --> 03:33.089
have in hand that

03:33.090 --> 03:34.889
are going to enable

03:35.400 --> 03:36.429
certain responses and

03:37.260 --> 03:38.879
make certain responses easier

03:38.880 --> 03:39.880
than others.

03:40.560 --> 03:42.449
So some notional constraints for our

03:42.450 --> 03:43.680
fake organization.

03:44.250 --> 03:46.229
Let's say that our SIEM

03:46.230 --> 03:47.819
is close to our license limit,

03:48.210 --> 03:50.039
so that in order to get a

03:50.040 --> 03:51.608
lot more events coming in, to add

03:51.930 --> 03:53.008
new Windows event log

03:54.000 --> 03:55.372
types might be prohibitively

03:56.070 --> 03:57.589
expensive to get up to the next

03:57.750 --> 03:58.750
level of license.

03:59.670 --> 04:00.748
A large portion of our

04:01.560 --> 04:03.419
organization, let's say, are

04:03.420 --> 04:04.420
developers.

04:04.530 --> 04:06.959
So people who run arbitrary binaries,

04:07.980 --> 04:10.319
and that files in transit

04:10.560 --> 04:12.330
are usually encrypted

04:12.600 --> 04:14.429
at the point that they go past

04:14.430 --> 04:16.379
a new network intrusion prevention

04:16.380 --> 04:17.380
system.

04:18.300 --> 04:19.509
These are all notional.

04:19.529 --> 04:21.179
These are just getting so that we

04:21.180 --> 04:22.503
can actually take a look at

04:23.100 --> 04:24.668
how some of these would fit into

04:24.720 --> 04:25.930
specific trade offs.

04:27.090 --> 04:28.658
Your organization is going to be

04:28.680 --> 04:29.680
different.

04:32.100 --> 04:34.079
So how do we take those? So

04:34.110 --> 04:35.999
how do each of the options

04:36.000 --> 04:37.979
we identified in earlier steps

04:38.160 --> 04:40.379
now fit into our organization?

04:41.340 --> 04:43.649
So we can look at example

04:43.650 --> 04:46.019
positives and negatives for

04:46.020 --> 04:48.360
how each of these options

04:48.390 --> 04:49.999
will work with our organization.

04:50.700 --> 04:51.700
So things like maybe

04:52.740 --> 04:54.540
the options we came up with

04:54.750 --> 04:56.171
are able to leverage existing

04:56.370 --> 04:58.379
strengths, tools and data sources.

04:58.800 --> 05:00.299
So some of that information that we

05:00.300 --> 05:01.829
were just thinking about, about our

05:01.830 --> 05:03.779
organization, it

05:03.780 --> 05:05.299
also could very well fit with a

05:05.550 --> 05:06.550
specific threat.

05:06.930 --> 05:08.490
If we've got an option

05:08.790 --> 05:10.769
that exactly matches up

05:10.770 --> 05:12.436
with one an adversary is trying to

05:12.480 --> 05:14.195
do to us, well, maybe that wants to

05:14.520 --> 05:16.199
rise to the top of our

05:16.530 --> 05:17.530
priorities.

05:18.730 --> 05:19.839
There are also some negatives that

05:19.840 --> 05:21.114
can come up as we're going

05:21.730 --> 05:23.709
through each of these options, so

05:24.190 --> 05:25.929
maybe it's something that's going to

05:25.930 --> 05:27.700
be really expensive for us but

05:27.710 --> 05:29.619
doesn't really mitigate much

05:29.620 --> 05:31.237
risk. You know, it's not actually

05:31.420 --> 05:32.589
helping us all that much.

05:33.190 --> 05:34.954
It could also be a poor cultural fit

05:35.110 --> 05:36.039
with our organization.

05:36.040 --> 05:37.461
It could be something that is

05:38.350 --> 05:39.729
going to make it so that our users

05:39.730 --> 05:41.889
can't get their job done or is

05:42.220 --> 05:43.220
extra bad in our

05:44.290 --> 05:45.489
particular industry.

05:46.570 --> 05:47.844
Each option is going to be

05:48.490 --> 05:50.559
highly dependent on your specific

05:50.560 --> 05:51.560
organization.

05:53.580 --> 05:55.559
So continuing to work through

05:55.560 --> 05:57.180
the example we have

05:57.540 --> 05:59.059
and the defensive options we've

05:59.070 --> 06:00.834
gathered and some of the constraints

06:01.290 --> 06:03.509
that we've put together for our

06:03.570 --> 06:05.160
notional organization.

06:06.120 --> 06:07.688
So one defensive option that we came

06:08.130 --> 06:10.019
up with is increased

06:10.020 --> 06:11.759
user training around clicking on

06:11.760 --> 06:12.760
attachments.

06:13.100 --> 06:15.269
OK, so this covers

06:15.270 --> 06:16.259
the most common use case.

06:16.260 --> 06:18.209
It covers spearphishing, where

06:18.420 --> 06:19.859
we're trying to keep people from

06:19.860 --> 06:21.180
clicking on attachments.

06:21.660 --> 06:23.228
We said that we have a technical

06:23.250 --> 06:25.379
workforce, so they

06:25.590 --> 06:27.158
may be very likely to understand

06:27.690 --> 06:29.579
this and may make good sensors

06:29.910 --> 06:31.139
for incoming malware.

06:33.000 --> 06:34.440
As a con, though,

06:35.250 --> 06:37.619
it's, you know, our workforce.

06:37.620 --> 06:39.120
We're putting through more training.

06:39.510 --> 06:40.829
People are sick of security

06:40.830 --> 06:42.510
training. They don't want one more.

06:42.810 --> 06:43.889
You know, we've already given them

06:43.890 --> 06:45.311
some training on spearphishing

06:45.720 --> 06:46.720
in the past.

06:47.130 --> 06:48.809
And so, you know, it may or may

06:48.810 --> 06:50.069
not work as a trade off.

06:51.580 --> 06:53.319
We said we can do enforcement of

06:53.330 --> 06:55.319
application control now.

06:55.450 --> 06:57.269
Sounds great on paper,

06:57.280 --> 06:58.779
you know, we're already looking at a

06:58.780 --> 07:00.040
solution for this.

07:00.710 --> 07:01.989
We said in our notional example that

07:02.860 --> 07:04.599
most of the binaries of concern that

07:04.600 --> 07:06.399
are coming in from malicious actors

07:06.400 --> 07:07.959
are not familiar binaries.

07:08.200 --> 07:09.425
They're new hashes, they're

07:10.240 --> 07:11.490
brand new things.

07:11.500 --> 07:13.264
And so application control is likely

07:13.660 --> 07:14.660
going to stop them.

07:15.460 --> 07:16.734
Well, we mentioned that we

07:17.380 --> 07:19.120
have a lot of developers.

07:19.630 --> 07:21.009
Developers are creating a lot of

07:21.010 --> 07:22.089
their own binaries.

07:22.090 --> 07:23.560
And so we might heavily impact

07:24.040 --> 07:25.899
our population if

07:25.900 --> 07:27.125
we prevent our population

07:28.090 --> 07:30.129
from running arbitrary binaries

07:30.490 --> 07:32.289
and we may have a high support cost

07:32.620 --> 07:34.299
in order to add these developers'

07:34.300 --> 07:35.721
binaries into our application

07:36.550 --> 07:37.550
control solution.

07:39.900 --> 07:41.369
We gave as an option monitoring

07:41.370 --> 07:43.259
command line arguments to create

07:43.260 --> 07:44.534
an analytic looking at the

07:44.610 --> 07:45.610
information coming in,

07:46.740 --> 07:48.329
what we said, we are collecting

07:48.330 --> 07:49.339
Windows events already.

07:49.860 --> 07:51.839
So we know where those

07:52.230 --> 07:53.651
are going to fit into already

07:53.760 --> 07:54.810
feeding into a SIEM.

07:55.440 --> 07:58.170
But we also said in our constraints

07:58.320 --> 08:00.029
earlier that

08:00.270 --> 08:01.593
we really couldn't add more

08:02.220 --> 08:04.259
logs to our existing license.

08:04.260 --> 08:05.399
It probably was going to be an

08:05.400 --> 08:06.720
unacceptable cost.

08:08.040 --> 08:09.059
Antivirus.

08:09.090 --> 08:10.413
Well, we've already got it.

08:10.740 --> 08:12.259
So, you know, there's no reason

08:12.690 --> 08:13.690
to get rid of it.

08:14.280 --> 08:16.440
But, you know, the downside is

08:16.680 --> 08:18.209
we already have it in place and it

08:18.630 --> 08:19.630
wasn't working out.

08:19.810 --> 08:21.299
So, you know, limited

08:21.300 --> 08:22.300
coverage.

08:23.130 --> 08:24.629
We suggest as a possibility

08:24.630 --> 08:26.079
installing an endpoint detection and

08:26.100 --> 08:27.149
response product.

08:27.810 --> 08:29.999
So it could give us an excellent

08:30.000 --> 08:31.859
endpoint visibility without greatly

08:31.860 --> 08:33.330
increasing log volumes.

08:33.929 --> 08:35.729
But we don't already have this; it is

08:35.730 --> 08:37.230
going to be a big procurement

08:37.620 --> 08:38.894
and it's possibly going to

08:39.450 --> 08:40.859
be a really expensive one.

08:40.980 --> 08:42.209
You know, if we want to go there.

08:43.710 --> 08:45.376
We said we have an email detonation

08:45.960 --> 08:46.960
appliance.

08:46.980 --> 08:49.049
So as a pro, it's already

08:49.050 --> 08:50.050
in place.

08:50.610 --> 08:52.559
But as a con, we also

08:52.560 --> 08:54.539
said that data is encrypted in

08:54.540 --> 08:55.859
places where it's going past our

08:55.860 --> 08:56.819
appliances.

08:56.820 --> 08:58.584
So we might not have full visibility

08:58.890 --> 09:00.389
into our inbound email.

09:03.800 --> 09:05.419
So we've now built up

09:06.260 --> 09:07.909
most of the information we need to

09:07.910 --> 09:09.049
get to the finish line. We've

09:09.890 --> 09:11.239
learned how to identify

09:11.240 --> 09:13.004
organizationally unique capabilities

09:13.280 --> 09:14.659
and constraints, the sorts of

09:14.660 --> 09:16.609
information that are going to

09:16.610 --> 09:17.835
impact how we can respond

09:18.830 --> 09:20.349
and detect different techniques

09:20.840 --> 09:21.840
and sub techniques.

09:22.660 --> 09:24.049
We've talked a bit about how to

09:24.050 --> 09:25.249
tailor trade offs for your

09:25.250 --> 09:26.929
enterprise. What sorts of things to

09:26.930 --> 09:28.789
look for that are

09:28.790 --> 09:30.505
going to impact what's easy, what's

09:30.710 --> 09:32.376
hard, what's doable and what's not

09:32.630 --> 09:34.070
doable for your organization.

09:34.850 --> 09:36.679
And gotten a bit into

09:36.710 --> 09:38.449
how we can pull those together

09:38.840 --> 09:40.163
into how they work with our

09:40.700 --> 09:42.169
different defensive options and

09:42.170 --> 09:43.999
looking at the pros and cons for

09:44.000 --> 09:44.539
each one.

