H5. Evolving Pentesting to Create Measurable Defensive Improvements
Thursday, May 10, 2018
3:15 PM - 4:15 PM
For ages, the industry has tried time and time again to improve its ability to defend by battening down the hatches. We have relied on playing vulnerability “whack-a-mole” and realized that even the most secured and patched system can be used in a full-scale attack. As a response, we have attempted to create better sparring partners to attack the environments and bring to light ways to sink the ship. While that approach has had limited success, it still does not scale to the rapid deployment and expansion of today’s enterprise. Combined with the growing shortage of testing talent, this method will have to change in order to break through the barrier of testing debt. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable processes. It is extremely rare that a vulnerability by itself causes a direct risk to an environment; it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the aging strategies of Penetration Testing and the evolution of value. No more scan-based reports. No more waiting to finish the engagement before improvement begins. No more secrets. It is time we change the strategy to work as a team and end the engagement more secure than we started, EVERY TIME.
After the session, learners will understand:
- How to get Value from Testing Defensive Telemetry
Chris is a Certified Information Systems Security Professional (CISSP) whose main area of expertise is information security and social engineering, helping companies better defend and protect their critical data and key information systems. He has created a blended methodology to assess, implement, and manage information security realistically and effectively. At Lares, Chris leads a team of security consultants who conduct Security Risk Assessments, which can cover everything from penetration testing and vulnerability assessments to policy design, computer forensics, social engineering, Red Team testing and regulatory compliance.