2. Monotype.
Agenda
1. Intro, Mission, Past Metrics
2. Tool: Current Metrics & Issues
3. Risks
4. Improvements, Suggestions
5. Next Steps
3. Monotype.
• In the past 6 years, we have had 11 incidents escalated to senior management.
• In the past 3 years, we have had 4 incidents escalated to senior management.
• In the past 2 years, we have had 0 incidents escalated to senior management.
• In the past 6 years, we have had 0 incidents that would have required us to disclose a data breach.
• In the past 5 years, we have had 0 incidents of active malware on a properly configured system.
We had the AWS incident just a week ago.
What have we learnt from it?
Are we waiting for a bigger incident?
Are we identifying gaps regularly?
Are our controls working?
4. Monotype.
BitSight Status
Target – 800
Areas of Concern:
a) Web Application Security – Grade C – 186 open findings (10% Bad/Warn)
b) DKIM Records – Grade C – 23 findings in Bad/Warn
5. Monotype.
Black Kite Status
Target – A+
Areas of Concern:
a) Web Application Security – Grade D
b) Patch Management – Grade F
c) Customer Facing – impacts our standing
6. Monotype.
Security Scorecard
The most important area needing attention is Application Security – 6273.
We must also keep a close watch on our vendors: attacks may come through unpatched vulnerabilities in a vendor's software.
9. Monotype.
Step by Step Approach
Numbers do not tell the complete story.
It is difficult to mitigate all risks in one go.
Breaking the work down and focusing on specific aspects can improve the security posture and mitigate the critical risks first.
• Only 7 vulnerabilities with a VPR score greater than 9 (achievable, quick closure).
• 67 misconfigurations are highly critical, 41 of which relate to IAM, infrastructure security and configuration. Closing these high-level gaps can improve the security posture by 50%.
• 17K vulnerabilities in total, 1.5K with a VPR score above 9. Analyzing this data lets the work be divided between IT, SRE, DevOps etc. and broken down to achieve a 20% improvement QoQ. Within that, critical and internet-facing assets should be patched first.
• Cause for concern: 3200+ vulnerabilities unpatched for more than 90 days. This raises compliance issues and external audit concerns.
• The Security Operations team must track vulnerabilities closely. Patching activity must be owned by IT and Prod Engg.
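Worked example added here (not from the deck, and not Tenable's code): a small Python triage of a scan export that does what the bullets above describe. It pulls out the VPR > 9 findings, flags anything open for more than 90 days, splits the backlog by owning team, orders the work so internet-facing critical assets come first, and computes the backlog ceiling implied by a 20% QoQ reduction. The Finding record layout, the threshold constants, the team names and the sample rows are all constructed for illustration; a real Tenable export has different columns.

```python
"""Triage of a vulnerability-scan export along the lines the slide proposes:
isolate VPR > 9 findings, flag anything open for more than 90 days, split the
backlog by owning team, and order the work so internet-facing critical assets
are patched first.

Added example, not code from the deck or from Tenable. The Finding fields,
thresholds and sample rows are constructed for illustration; VPR is Tenable's
Vulnerability Priority Rating (0-10), but a real export has different columns.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    plugin: str          # constructed label; a real export carries a plugin/CVE id
    vpr: float
    first_seen: date
    internet_facing: bool
    owner: str           # team that owns patching for this asset


VPR_CRITICAL = 9.0   # the slide's "VPR score greater than 9"
STALE_DAYS = 90      # the slide's "not patched for more than 90 days"


def age_days(f: Finding, today: date) -> int:
    """Days the finding has been open."""
    return (today - f.first_seen).days


def is_critical(f: Finding) -> bool:
    return f.vpr > VPR_CRITICAL


def is_stale(f: Finding, today: date) -> bool:
    return age_days(f, today) > STALE_DAYS


def priority_key(f: Finding, today: date):
    """Sort key (used descending): internet-facing criticals first, then by
    VPR, then by how long the finding has been open."""
    return (f.internet_facing and is_critical(f), f.vpr, age_days(f, today))


def triage(findings, today: date) -> dict:
    """Summarise the backlog into the buckets the slide talks about and return
    the patch order as (asset, plugin) pairs."""
    critical = [f for f in findings if is_critical(f)]
    stale = [f for f in findings if is_stale(f, today)]
    ordered = sorted(findings, key=lambda f: priority_key(f, today), reverse=True)
    return {
        "total": len(findings),
        "critical": len(critical),
        "stale_90d": len(stale),
        "stale_critical": sum(1 for f in critical if is_stale(f, today)),
        "by_owner": dict(Counter(f.owner for f in findings)),
        "critical_by_owner": dict(Counter(f.owner for f in critical)),
        "order": [(f.asset, f.plugin) for f in ordered],
    }


def quarterly_target(open_count: int, reduction: float = 0.20) -> int:
    """Backlog ceiling for next quarter under a 20% QoQ reduction goal."""
    return int(round(open_count * (1 - reduction)))


# Constructed sample rows (not real scan data).
TODAY = date(2023, 6, 1)
SAMPLE = [
    Finding("web-01", "web server RCE", 9.6, date(2023, 1, 15), True, "SRE"),
    Finding("web-02", "proxy header bug", 7.1, date(2023, 5, 20), True, "SRE"),
    Finding("db-01", "database auth bypass", 9.2, date(2023, 5, 25), False, "IT"),
    Finding("build-01", "CI plugin deserialisation", 9.4, date(2022, 11, 1), False, "DevOps"),
    Finding("laptop-17", "browser update", 6.0, date(2023, 1, 1), False, "IT"),
]

if __name__ == "__main__":
    report = triage(SAMPLE, TODAY)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("next-quarter ceiling for 3200 stale findings:", quarterly_target(3200))
```

The per-owner counts are what turn "divide between IT, SRE and DevOps" into a concrete list each team can be held to, and the sort key is deliberately simple: exposure first, then severity, then age, so that a long-open internal finding does not jump ahead of a fresh critical on an internet-facing host.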
14. Monotype.
Are we evaluating the tools properly?
We will face the same issues if we do not do a proper evaluation – the team has logged in to the tool only once or twice.
15. Monotype.
It is impossible for one person to know everything about:
Okta (Authorization)
DUO (Authentication)
Azure (Multi Purpose)
AWS (Multi Purpose)
Cloudflare (WAF)
Area1 (Email Security)
Umbrella (DNS Security)
Black Kite (Vulnerability Mgt & Third Party Mgt)
Security ScoreCard (Vulnerability Mgt)
Bitsight (Vulnerability Mgt)
Auth0 (Authentication)
What else are we not using / not fully using?
Tenable (Vulnerability/Asset/Configuration/Event)
SIEMonster (Incident Management)
Meraki (Firewall/IPS)
Recorded Future (Threat Intelligence)
SentinelOne (MDR/XDR)
Honeypots (Deceptive)
Checkmarx (SAST/SCA)
Burpsuite (DAST)
ISO 27001/27002/27004/27005
CSA CCM
NIST CSF
CIS CSC
16. Monotype.
We need to do better
• We need a maintenance schedule for all systems we depend upon to ensure they're fully deployed at current versions.
  • SentinelOne
  • Wazuh
  • Tenable
  • Umbrella
• We need to leverage the full capacity of all of the software we have.
• We need to consistently capture data regarding what we're doing so that it can be used to improve our processes.
  • Our incident response process
  • Our penetration tests/security assessments
• We need to automate, which depends upon known standard operating procedures in both SE and SO.
• We need to give IT and PE the resources to intelligently manage our vulnerabilities.
• We need to innovate, but first we need to get the basics right.
17. Monotype.
Why?
Three reasons:
• If we don't, there will be an impactful incident.
• Some customers are asking for a SOC 2 Type II audit; if we were audited today we would fail badly.
• We'll all be more relaxed.
18. Monotype.
Suggestions/Improvements to Operations
Shift to a measurable, quantifiable approach: identify and track metrics and report on them fortnightly/monthly.
• Set targets at the beginning of the quarter for the tools each SME manages.
• Work towards each target as an initiative.
• Report metrics fortnightly after every sprint to show the improvement and the incremental change towards the final target.
• Better planning: a quarterly plan to prioritize the upcoming sprints well in advance.
  • An advantage when there is a dependency on other teams.
  • Better planning brings clarity.
• Ownership of security. Having to be followed up shows an "I don't care" attitude; this must change to an "I'm already working on it" attitude. Work together.
• Initiatives are important to learn, upskill and show a difference: research and suggest what is coming up in the industry.