CyberThursday: Asset Inventory, IT-transformation in Cisco, Pentest vs. RedTeam

Two weeks ago I was speaking at a very interesting information security event, CyberThursday. This is a meeting of a closed group of Information Security practitioners. The group is about 70 people, mainly from financial organizations, telecoms and security vendors.

CyberThursday 2018 Asset Inventory

These meetings have a rather unique atmosphere. Almost everyone knows each other. The event has no permanent place; it constantly moves between the offices of large Russian companies. The host, usually a CISO, can bring his IT and InfoSec colleagues. For others, only a “bring a friend” format is available. This helps keep the event focused and very informal. Participants propose and approve the topics by voting in the chat group. There is no place for marketing; all topics are practical and relevant.

I was talking about “Asset Inventory for Internal Network and Perimeter”.

You can see all the content in these posts:

  1. What I expect from IT Asset Inventory
  2. Asset Inventory for Network Perimeter: from Declarations to Active Scanning
  3. Asset Inventory for Internal Network: problems with Active Scanning and advantages of Splunk

And here are the conclusions:

  1. It would be great to have an advanced Asset Inventory system that will magically show us all active hosts.
  2. It’s not clear whether it’s possible to buy such a system from some vendor or whether the only way is to create it yourself.
  3. It’s not clear who should make it: the IT or the Information Security team, or somehow both of them.
  4. We can deal with perimeter hosts by parsing Wiki pages and the data from the DNS server, plus by performing Active Scanning.
  5. For inventorying the hosts in the Internal Network we can make our own connectors for Splunk. It is a great tool for analysis, and it is theoretically possible to use the free version with its 500 MB a day limit.
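Conclusion 4 describes reconciling declared perimeter hosts (DNS data) against what active scanning actually finds. The following script is an added example written for this post, not code from the original posts or from any tool mentioned there. It parses a constructed BIND-style zone fragment for the hypothetical domain `example.test`, parses constructed scanner output in a simplified `ip,port,state` format (an assumption; real scanners emit their own formats), and splits the hosts into three buckets: confirmed, declared but silent (stale DNS or filtered), and undeclared (found by scanning only).

```python
"""Reconcile declared DNS perimeter hosts against active-scan results.

Added example, not from the original post. All input data below is
constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: BIND-style zone fragment for a hypothetical domain.
ZONE_TEXT = """\
$ORIGIN example.test.
www      IN A     203.0.113.10
mail     IN A     203.0.113.20
old-vpn  IN A     203.0.113.30
www2     IN CNAME www
"""

# Constructed sample: scanner output in a hypothetical "ip,port,state" format.
SCAN_TEXT = """\
203.0.113.10,443,open
203.0.113.10,80,open
203.0.113.20,25,open
203.0.113.40,22,open
"""

# Matches "<name> [TTL] IN A <ip>"; CNAME/MX/etc. lines deliberately do not match.
A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+A\s+(?P<ip>\S+)\s*$")


def parse_zone(text):
    """Return {ip: [fqdn, ...]} built from A records, qualifying names with $ORIGIN."""
    origin = ""
    declared = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = A_RECORD.match(line)
        if not m:
            continue  # CNAME and other record types carry no address of their own
        name = m.group("name")
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name[:-1]  # already fully qualified
        else:
            fqdn = f"{name}.{origin}"
        ip = ipaddress.ip_address(m.group("ip"))  # rejects malformed addresses early
        declared[str(ip)].append(fqdn)
    return dict(declared)


def parse_scan(text):
    """Return {ip: {open_port, ...}} for every host with at least one open port."""
    seen = defaultdict(set)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ip, port, state = raw.strip().split(",")
        if state == "open":
            seen[str(ipaddress.ip_address(ip))].add(int(port))
    return dict(seen)


def reconcile(declared, seen):
    """Split hosts into the three inventory buckets a perimeter review cares about."""
    declared_ips, seen_ips = set(declared), set(seen)
    by_ip = ipaddress.ip_address  # numeric ordering instead of string ordering
    return {
        "confirmed": sorted(declared_ips & seen_ips, key=by_ip),
        # In DNS but nothing answered: stale record, decommissioned box, or filtering.
        "declared_but_silent": sorted(declared_ips - seen_ips, key=by_ip),
        # Answering on the perimeter with no DNS declaration: shadow IT candidates.
        "undeclared": sorted(seen_ips - declared_ips, key=by_ip),
    }


if __name__ == "__main__":
    report = reconcile(parse_zone(ZONE_TEXT), parse_scan(SCAN_TEXT))
    for bucket, ips in report.items():
        print(f"{bucket}: {ips}")
```

The two parsers are the parts you would swap for real inputs (a zone transfer or a DNS export, and your scanner's native output); `reconcile` stays the same. The "undeclared" bucket is the one worth alerting on, because it is exactly the set of hosts the declared inventory does not know about.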

Continuing the Asset Inventory topic, Ruslan Ivanov from Cisco Systems told us how they were limiting the types of assets used in the company. It all started with organizational methods and policies, and, most importantly, with the political will to implement them. 😉 From the technical perspective, it was especially interesting to learn about the processes related to the Asset Cards: how they keep them up to date. Ruslan also told us about anomaly detection in NetFlow and IP inspection.

Then Andrey Popov was talking about PenTest vs. RedTeam. It was a great presentation; I liked it a lot. The main idea was that “PenTest is not better than RedTeaming and vice versa”. These are different tools for different goals. And, most importantly, it makes sense to implement them in organizations with a high maturity level of the security process and significant budgets. This is not what you should start with. For a start, implement a Vulnerability Management process and then try to order a commercial PenTest.

The networking part of the event was also pretty intense 😉

CyberThursday 2018 Informal Part

So, I think the event was quite positive and was useful for all attendees. And I hope to see you soon 🙂
