
Threat Intelligence Usage in API Security and DevSecOps with Snap Finance Chief Security Officer Upendra Mardikar

the CYBER5

Release Date: 05/24/2022


In episode 73 of The Cyber5, we are joined by Snap Finance Chief Security Officer Upendra Mardikar.

We discuss how threat intelligence is used in application programming interface (API) security and development security operations (DevSecOps). Any organization building an application has data or user-generated content as its primary product. Once that application is connected to customers, consumers, clients, or partners, a new set of security considerations arises.

The API serves as the software intermediary that allows two applications to talk to one another. It's bad enough if an attacker exfiltrates sensitive data, but imagine if they are able to gain visibility into who is querying the data held in the application. Imagine if Russia can see who is querying certain individuals in a credit bureau data set. That's a whole other set of problems organizations face.

As we've talked about in previous podcasts, DevSecOps is the practice of securing the software development lifecycle (SDLC). We talk about why API security should be added to the wider MITRE ATT&CK framework and further discuss how organizational immaturity affects efforts to tackle API and DevOps security.

Five Key Takeaways:

1) APIs are at the Forefront of Digital Transformation and Must be Protected

APIs go north/south between the company and its customers, and east/west to establish interconnectivity between different applications within the enterprise. There is a pressing need to go “outside the firewall” to observe threats that are attacking APIs, because APIs are fundamental to many enterprise functions, regardless of industry.

2) API Security is Very Immature in Enterprise

Many security practitioners focus on north/south protections of APIs and implement firewalls and DDoS protections to keep intruders out of the environment. However, this is a myopic strategy because it does not protect against lateral movement and privilege escalation once an attacker has compromised perimeter security. When perimeter security is compromised, protecting east/west APIs becomes critical. We are seeing trends around Zero Trust.

Zero Trust is based on the premise that location isn’t relevant and users and devices can’t be trusted until they are authenticated and authorized. To gain security from a zero trust security model, we must therefore apply these principles to our APIs. This aligns well since modern API-driven software and apps aren’t contained in a fixed network — they’re in the cloud — and threats exist throughout the application and infrastructure stack.

An API-driven application can have thousands of microservices, making it difficult for security and engineering teams to track all development and their security impact. Adopting zero trust principles ensures that each microservice communicates with the least privilege, preventing the use of open ports and enabling authentication and authorization across each API. The end goal is to make sure that one insecure API doesn’t become the weakest link, compromising the entire application and data.

3) Integrating API Security into the MITRE ATT&CK Framework

API Security is different from traditional application security (OWASP), which is integrated into the MITRE ATT&CK Framework along with attacks on servers, endpoints, TLS, etc. API security focuses more on potential attacks against exposed, internet-facing microservices, in addition to the business logic behind them. API security primarily focuses on:

  • Users: The most common API vulnerabilities tend to be authorization issues that enable access to resources within an API-driven application.
  • Transactions: Enforcing transport layer security (TLS) encryption for all transactions between the client and the application adds an extra layer of safety. Since modern applications are built on microservices, software developers should also enforce encryption between all microservices.
  • Data: It is increasingly important to ensure sensitive data is protected both at rest and in motion, and that the data can be traced end-to-end.
  • Monitoring: This means collecting telemetry or metadata that gives you a panoramic view of an application, how it behaves, and how its business logic is structured.
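The "Users" point above (authorization as the most common API weakness) and the zero-trust principle from takeaway 2 (identity verified per call, network location irrelevant) can be shown side by side in a handler. The following is an added example, not code from the Cyber5 episode, Snap Finance or Nisos; the bearer-token scheme, the record store and the request shape are all constructed for illustration. The first handler trusts a caller-supplied user name and waives the check for "internal" traffic; the second derives identity only from a verified token and checks object ownership on every request.

```python
"""Added example: a minimal API record handler with the authorization defect
the episode calls the most common API vulnerability, beside a zero-trust
style fix. Token scheme, record store and request shape are constructed."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed signing key for the demo bearer-token scheme (hypothetical).
_DEMO_KEY = b"demo-key-not-for-production"

# Constructed record store: record id -> (owner user id, payload).
RECORDS: Dict[str, Tuple[str, str]] = {
    "rec-100": ("alice", "alice's credit application"),
    "rec-200": ("bob", "bob's credit application"),
}


def issue_token(user_id: str) -> str:
    """Mint a demo bearer token of the form '<user_id>.<hmac>'."""
    mac = hmac.new(_DEMO_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def authenticate(token: Optional[str]) -> Optional[str]:
    """Return the verified user id, or None if the token is missing or forged."""
    if not token or "." not in token:
        return None
    user_id, mac = token.rsplit(".", 1)
    expected = hmac.new(_DEMO_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(mac, expected) else None


def get_record_vulnerable(request: dict) -> Tuple[int, str]:
    """Perimeter-trust handler with the authorization defect.

    It believes the caller-supplied 'user' field and skips the ownership check
    entirely for requests flagged as 'internal', so any caller behind the
    firewall, or anyone who can name the owner, reads another user's record."""
    record = RECORDS.get(request["record_id"])
    if record is None:
        return (404, "not found")
    owner, payload = record
    if request.get("internal") or request.get("user") == owner:
        return (200, payload)
    return (403, "forbidden")


def get_record_secure(request: dict) -> Tuple[int, str]:
    """Zero-trust handler: network location is ignored, identity comes only
    from a verified token, and ownership is checked per object on every call."""
    user_id = authenticate(request.get("authorization"))
    if user_id is None:
        return (401, "unauthenticated")
    record = RECORDS.get(request["record_id"])
    # Missing and foreign records get the same answer, so the response does
    # not reveal which record ids exist.
    if record is None or record[0] != user_id:
        return (404, "not found")
    return (200, record[1])


if __name__ == "__main__":
    alice = issue_token("alice")
    print(get_record_secure({"record_id": "rec-100", "authorization": alice}))
    print(get_record_secure({"record_id": "rec-200", "authorization": alice}))
```

In a real service the token would be a JWT or an opaque session checked against the identity provider, and mutual TLS between microservices (the "Transactions" point) takes the place of any "internal" flag; the structural point is that the secure handler has no code path that grants access based on where the request came from.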

4) Improvements for Threat Intelligence Against APIs of Applications

Threat intelligence providers need to go beyond feature-level user stories and be able to alert and automate when malicious actors are targeting the microservices behind APIs, because the business logic of these APIs is increasingly central to business operations.

5) Threat Intelligence Should Try to Integrate with Threat Hunting to Conduct Proper Malicious Pattern Matching, Reducing False Positives

Pattern matching to detect malicious behavior over legitimate user traffic has evolved over time:

  • Netflow: track network traffic flowing from the routers to the endpoints
  • Applications: track application traffic to detect authentication anomalies
  • Data: track data flows in motion and at rest in the data lakes
  • Devices: map devices to maintain an accurate asset inventory
  • Users: track user behavior, such as off-hours queries to sensitive databases

The industry still needs solutions that detect and correlate these behaviors at scale, because so far this capability has been extremely fragmented.
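The "Users" pattern in the list above, off-hours queries to sensitive databases, is a good place to see why correlation matters for false positives: a nightly batch job and a person who habitually works late both look like "off-hours access" until a baseline is applied. The following is an added example, not code from the Cyber5 episode or Nisos; the audit log lines, table names, user names and the business-hours window are all constructed. It builds a per-user baseline of active hours from the first day of the log, scores later days against it, and folds each user's hits for a day into one alert.

```python
"""Added example: off-hours sensitive-table query detection with a per-user
baseline and per-user/day correlation. All inputs are constructed."""
from collections import defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed audit log, one query per line:
# "<ISO timestamp> user=<id> db=<name> table=<name> rows=<count>"
AUDIT_LOG = """\
2022-05-20T09:15:00 user=alice db=credit table=applicants rows=12
2022-05-20T14:40:00 user=bob db=credit table=applicants rows=3
2022-05-20T23:05:00 user=etl_batch db=credit table=applicants rows=50000
2022-05-21T02:30:00 user=carol db=credit table=applicants rows=8
2022-05-21T02:31:00 user=carol db=credit table=ssn_vault rows=800
2022-05-21T23:10:00 user=etl_batch db=credit table=applicants rows=51000
2022-05-21T23:30:00 user=alice db=analytics table=marketing rows=200
"""

SENSITIVE_TABLES = {"applicants", "ssn_vault"}  # constructed data classification
BUSINESS_HOURS = range(8, 19)                   # 08:00-18:59, constructed policy


def parse_line(line: str) -> dict:
    """Parse one audit line into a dict with a datetime 'ts' and int 'rows'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["rows"] = int(rec["rows"])
    return rec


def is_off_hours(ts: datetime) -> bool:
    return ts.hour not in BUSINESS_HOURS


def build_baseline(records: List[dict], baseline_days: int) -> Tuple[Dict[str, Set[int]], date]:
    """Hours of the day at which each user was seen during the first
    `baseline_days` calendar days of the log. Assumption: that window is
    trusted history; in practice it would come from a longer, separate lookback."""
    first_day = min(r["ts"].date() for r in records)
    cutoff = first_day + timedelta(days=baseline_days)
    hours: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r["ts"].date() < cutoff:
            hours[r["user"]].add(r["ts"].hour)
    return hours, cutoff


def detect(log_text: str, baseline_days: int = 1) -> List[dict]:
    """Flag off-hours queries against sensitive tables that do not match the
    user's baseline, then fold all of a user's hits on one day into a single
    alert so the analyst sees one correlated event rather than a row per query."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    baseline, cutoff = build_baseline(records, baseline_days)
    grouped = defaultdict(lambda: {"tables": set(), "rows": 0})
    for r in records:
        if r["ts"].date() < cutoff:           # baseline window is not scored
            continue
        if r["table"] not in SENSITIVE_TABLES or not is_off_hours(r["ts"]):
            continue
        if r["ts"].hour in baseline.get(r["user"], set()):
            continue                          # matches this user's normal pattern
        key = (r["user"], r["ts"].date().isoformat())
        grouped[key]["tables"].add(r["table"])
        grouped[key]["rows"] += r["rows"]
    return [
        {"user": u, "date": d, "tables": sorted(g["tables"]), "rows": g["rows"]}
        for (u, d), g in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

On the constructed log, the nightly `etl_batch` run and alice's late query to a non-sensitive marketing table are suppressed, and carol's two early-morning reads of sensitive tables surface as one alert with both tables and the combined row count. The same shape (parse, baseline, score, correlate) is what has to run across netflow, application, data and device telemetry together for the industry-scale solution the episode says is still missing.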