Two weeks ago I was speaking at a very interesting information security event – CyberThursday. This is a meeting of a closed group of Information Security practitioners. The group is about 70 people, mainly from financial organizations, telecoms and security vendors.
These meetings have a rather unique atmosphere. Almost everyone knows each other. The event has no permanent place; it constantly moves between the offices of large Russian companies. The host, usually a CISO, can bring his IT and InfoSec colleagues. For others, only the “bring a friend” format is available. This helps keep the event focused and very informal. Participants propose and approve the topics by voting in the chat group. There is no place for marketing: all topics are practical and relevant.
I was talking about “Asset Inventory for Internal Network and Perimeter”.
You can see all the content in these posts:
- What I expect from IT Asset Inventory
- Asset Inventory for Network Perimeter: from Declarations to Active Scanning
- Asset Inventory for Internal Network: problems with Active Scanning and advantages of Splunk
And here are the conclusions:
- It would be great to have an advanced Asset Inventory system that would magically show us all active hosts.
- It’s not clear whether it’s possible to buy such a system from some vendor or whether the only way is to create it yourself.
- It’s not clear who should make it: the IT or the Information Security team, or somehow both of them.
- We can deal with perimeter hosts by parsing Wiki pages and the data from the DNS server, plus performing Active Scanning.
- For inventorying the hosts in the Internal Network we can make our own connectors for Splunk. It is a great tool for analysis, and it is theoretically possible to use the free version with its 500 MB a day limit.
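The perimeter conclusion above amounts to reconciling three sources: hosts declared on the Wiki, names published in DNS, and addresses that actually answer a scan. This is an added example, not code from the post or the talk; the Wiki table, zone export and scan list are constructed samples, and the example generalizes the single case to four discrepancy buckets.

```python
"""Perimeter asset reconciliation: declared hosts vs DNS vs active scan.
Added example, not code from the post; the three inputs are constructed
samples standing in for a Wiki page, a DNS export and scan results."""
import ipaddress
import re

# Constructed: Wiki table of declared perimeter hosts (owner | host | IP).
WIKI_PAGE = """
| Owner    | Host            | IP           |
| web team | www.example.com | 203.0.113.10 |
| mail     | mx1.example.com | 203.0.113.25 |
| vpn      | vpn.example.com | 203.0.113.40 |
"""
# Constructed: A records exported from the authoritative DNS server.
DNS_ZONE = """
www.example.com.      300 IN A 203.0.113.10
mx1.example.com.      300 IN A 203.0.113.25
old-test.example.com. 300 IN A 203.0.113.77
"""
# Constructed: addresses that answered during an active scan of the range.
SCAN_ALIVE = ["203.0.113.10", "203.0.113.25", "203.0.113.77", "203.0.113.99"]

WIKI_ROW = re.compile(r"\|\s*(?P<owner>[^|]+?)\s*\|\s*(?P<host>[^|]+?)\s*\|\s*(?P<ip>\S+)\s*\|")
DNS_A = re.compile(r"^(?P<host>\S+?)\.?\s+\d+\s+IN\s+A\s+(?P<ip>\S+)\s*$", re.M)

def _valid_ip(text):
    """Accept only syntactically valid addresses; header cells like 'IP' are dropped."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None

def parse_wiki(page):
    """Map declared IP -> (host, owner); rows without a valid IP are ignored."""
    return {ip: (m["host"], m["owner"]) for m in WIKI_ROW.finditer(page)
            if (ip := _valid_ip(m["ip"]))}

def parse_dns(zone):
    """Map IP -> hostname from the A records in a zone export."""
    return {ip: m["host"] for m in DNS_A.finditer(zone) if (ip := _valid_ip(m["ip"]))}

def reconcile(declared, dns, alive):
    """Cross-check the three sources; each bucket is a sorted list of IPs."""
    d, n, a = set(declared), set(dns), set(alive)
    return {
        "in_dns_not_declared": sorted(n - d),  # a name was published without an asset card
        "declared_not_in_dns": sorted(d - n),  # stale declaration or decommissioned host
        "alive_unknown": sorted(a - d - n),    # answers on the wire, known to nobody
        "declared_not_alive": sorted(d - a),   # declared but not responding to the scan
    }
```

Calling `reconcile(parse_wiki(WIKI_PAGE), parse_dns(DNS_ZONE), SCAN_ALIVE)` on the samples flags 203.0.113.77 as published in DNS without a card and 203.0.113.99 as alive but unknown to both sources.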
Continuing the Asset Inventory topic, Ruslan Ivanov from Cisco Systems told us how they were limiting the types of assets used in the company. It all started with organizational methods and policies and, most importantly, with the political will to implement them. 😉 From the technical perspective, it was especially interesting to learn about the processes related to the Asset Cards: how they keep them up to date. Ruslan also told us about anomaly detection in NetFlow and IP inspection.
Then Andrey Popov was talking about PenTest vs RedTeam. It was a great presentation, I liked it a lot. The main idea was that “PenTest is not better than RedTeam-ing and vice versa”. These are different tools for different goals. And, most importantly, it makes sense to implement them in organizations with a high maturity level of the security process and significant budgets. This is not what you should start with. To start, implement a Vulnerability Management process and then try to order a commercial PenTest.
Networking part of the event was also pretty intense 😉
So, I think the event was quite positive and was useful for all attendees. And I hope to see you soon 🙂
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; these days I post there first.