A Data-Driven Blueprint to Scaling Cloud Operations …...Security Intelligence 10 Analyze data to bubble up interesting tidbits of security relevant information Security insights

© 2019 Adobe. All Rights Reserved. Adobe Confidential.

A Data-Driven Blueprint to Scaling Cloud Operations SecurityMohit Kalra | Director, Cloud Operations Security, Adobe

© 2019 Adobe. All Rights Reserved.

$7.3BFY2017

Revenue

Adobe is one of the largest and most diversifiedsoftware companies in the world

.

+35Years of

revolutionizing industries

~4,300Patents*

76%Of employees work in

LEED certified workspaces

~20,000Employees in37 countries

* As of October 2018

$36.4MGiven to the

community in 2017

© 2019 Adobe. All Rights Reserved.Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.

Adobe’s Business Has Changed

…and so has the risk and technology landscape

2010

20001990

1980

2012

Post Script LanguageDigital Fonts

Shrink-WrapVolume Licensing

Post Scripte-Commerce Steps in Volume Licensing

e-CommerceShrink-Wrap

Post Script

SubscriptionE-commerceCC, MC & DC 2017

Cloud Security

Ransomware Attacks

Machine Learning/AI

SecurityAutomation

Physical security

Corporate Espionage

Natural Disasters

FinancialReporting

Piracy, Physical thefts

SOX

Data Security

LicenseCompliance

EmergingMarkets

APT

BYOD

Compliance to safeguardthe customer

Cyberattacks

Zero Days Data Breaches

Multi-Cloud

© 2019 Adobe. All Rights Reserved. Adobe Confidential. 4

Desired outcome of a security program

High return on investment Scalability Risk Prioritization


The Human Security SME Engagement

5

▪ High touch engagement with product teams by security SMEs.

▪ Perform security architecture / design reviews, threat models and technical deep dives.

▪ Create a curated contextual security roadmap.

▪ Very high return on investment.

▪ Scalability is proportional to the team size.

▪ Focuses on critical products.

▪ Hiring security talent is challenging.


The Security Stack (Tooling / automation)

6

▪ Set of tools to scale security across multiple clouds and hosts.

▪ Provides both monitoring and security solutions.

▪ Quick determination of potential security gaps in our environment.

▪ Scales very well across products.

▪ Quality is proportional to the tooling capabilities.

▪ Can be noisy if not tuned properly.

▪ Findings are product agnostic.


The third dimension to security?

7

▪ Can security scale further when driven by data?

▪ If you collect security data, you may have all the answers already.

▪ Data driven security is all about asking the right questions from the data you collected.

▪ Create views from the data that provoke action.


An adoption first view of data.

8

▪ Invisible potential risks cannot be mitigated against.

▪ Adoption first strategy = analyze data to remove security blind spots.

▪ Do we monitor all our asset ?

▪ Is the security stack adopted across services?

▪ Does collected data match the real world?


A risk first view of the data.

9

▪ Analyze data to drive down a particular category of risk.

▪ Address risk across both critical and longtail products.

▪ Keep refreshing definition of risk.

▪ Mitigate against EOL software.

▪ Review highest risk findings from a review.


Security Intelligence

10

▪ Analyze data to bubble up interesting tidbits of security relevant information

▪ Security insights can be used by security teams.

▪ Abstract a product environment in terms of security properties that help during a threat model.

▪ Use of roles that are overly permissive.

▪ Use of features that need additional security oversight.

▪ Measure footprint of a product’s infrastructure.


Better data = better decisions.

11

▪ Tools / process layered with data on top produce good results.

▪ Bad inputs, lack of data collection, lack of data sanity can lead to security blind spots.

▪ Unit test the data for integrity and monitor for anomalies.


Conclusion

12

▪ Security requires a fine balance between high touch engagements and automation.

▪ Don’t ignore the security data.

▪ A data driven approach is the catalyst to scaling security.


Resources

13

Trust Centerhttps://trust.adobe.com

Open Source CCF v2.0https://www.adobe.com/go/open-source-ccf

Security @ Adobe bloghttps://blogs.adobe.com/security/

Advisories and updateshttps://www.adobe.com/support/security

Twitter: @AdobeSecurity

https://trust.adobe.com/https://www.adobe.com/go/open-source-ccfhttps://blogs.adobe.com/security/http://www.adobe.com/support/security

A Data-Driven Blueprint to Scaling Cloud Operations …...Security Intelligence 10 Analyze data to bubble up interesting tidbits of security relevant information Security insights

Documents