Cloud-powered security with Amazon Security Lake & PwC’s fusion center

Without further ado, my name is Alex Sharon. I work for PwC and I lead our Fusion Center practice in our Cyber Security division. Today, I'd like to talk to you a little bit about PwC's Fusion Center powered by AWS Security Lake.

So before I jump in, I'll give a quick history of how this came to be. About a year and a half ago, AWS and PwC came together and said, hey, we've got a fantastic relationship here; how do we make this even better and put a security-centered lens on it? So over the course of several days of brainstorming sessions, we were able to provide some feedback across the table and say, hey, as AWS, you sit on a treasure trove of information, and a corresponding opportunity to make a unique impact in the security landscape.

Fast forward: one of the big problems that we were trying to solve with them, and that they thought they were uniquely positioned to solve, was the normalization of log types. For all of us in security, any time we want to create some insights into a particular set of data, one of the big heavy lifts historically has been the normalization of that data set.

Fast forward. We landed on OCSF, or Open Cybersecurity Schema Framework, as the groundwork and basis for that. That was then called MOOSE in preview, and beyond that it went GA in June of this year, announced at re:Inforce, and became Amazon Security Lake.

So why do we do this? Well, understanding what's been happening over the years with our threat landscape, it's forced all of us to evolve how we're monitoring, detecting and reacting to threats. The advent of APTs and the application of net-new zero-days at an advanced pace has created an opportunity for attackers to take advantage of some of our vulnerabilities. And I say that not only in the sense of application or system vulnerability but also from an operational perspective.

So we all know the olden days of the NOC, securing the perimeter, and how that evolved with the advent of the SIEM and the application of rules-based and threshold alerting, all the way through the application of threat detection and making sure that it evolved into an integrated SOC that provides the opportunity to do orchestrated managed detection and response. What we're seeing now is another opportunity and an inflection point, which we're trying to visualize on the screen here: the advent of the fusion center.

So the fusion center, specifically in financial services, has been a term that's been around for a while now. But as we see it, at its core, it's the opportunity to knock down disparate data silos and operational silos and bring those together. One of the things I liken this to is the post-9/11 era, when our government agencies and intelligence agencies had a hard time communicating with one another. In the aftermath, a whole new organization and government entity was created intentionally to help facilitate communication across disparate organizations and conversational silos.

So what this means through a fusion lens today is taking those disparate data sets and merging them together, creating comprehensive and holistic visibility into our security posture. Second, there are operational inefficiencies that have plagued our industry for a long time; disparate operational silos and organizations have created opportunities for attackers to exploit and take advantage of us. So moving forward to a situation where you bring all of those operational technologies, not just the IT and security technologies, under one roof allows us to move to rapid response and recovery.

And finally, we've seen this happen over the course of the last 20-plus years: the acceleration in the volumes of data that we're seeing come across, not only at the application level but at the level of the entire environment as a whole. So the application of advanced technologies is imperative; we need to be able to apply these net-new features and functionalities like Amazon Security Lake in a very smart way to take advantage of these opportunities and stay future-facing.

So when we talk about the fusion center becoming a reality, we wanted to focus on three very large areas. One: analytics. So having the opportunity to have analytics across not just one data set but across the entire digital estate. The second one is that visibility piece, not just in your SOC, not just in your fraud ops teams, but across the entire digital estate.

And I'll paint a quick picture to help visualize this: think about physical security badge readers. A lot of the time those persist on their own in their own application environment, and they're monitored that way. Very seldom is there an opportunity to bring that physical data together with cyber security data and correlate the two. The same is also true from an operational technology lens, making sure that we're able to ingest operational technology data sets and pull them into the same environment.

And then third and finally, we talked a little bit about it on the previous slide, which is operational excellence. So we all face this challenge, and it's too true for us: we live and breathe in a negative-unemployment industry. Today, there are literally not enough people to push the buttons and watch the screens to do the job in an effective manner. Not to mention that it takes a pretty decent amount of time when you get into this industry to become effective and knowledgeable about what exactly you're doing when it comes to your 9 to 5. So applying some of the technologies afforded to us in AWS has been imperative.

So what does it all look like? Well, as you can see here, Security Lake is the foundation of that. So as we went to market together with AWS on Security Lake, PwC was the number one partner that launched with them. What does that mean? Well, over the course of that preview period, we took a look at that ecosystem of 70-plus source partners that's built around Security Lake, who have raised their hands and said, hey, I will participate in this and I will make sure my data is going into Security Lake already formatted in OCSF, thereby elevating everybody and not requiring the normalization effort on the part of the companies and their teams. That's a big lift.

But what we found was that a lot of the time, the field mapping associated with OCSF was not actually there. A lot of the time we saw objects just jammed in, and the partners were raising their hands and saying, I'm all done, I'm OCSF compliant now, I'm ready to rock and roll. Unfortunately, that wasn't the case. So when it came out, we were able to take a look at what's going on, not only with the marketplace community surrounding Security Lake but also more broadly than that.

Most people are thinking right now, well, heck, all of my enterprise applications are not just in AWS but tend to be multi-cloud and/or hybrid in nature. And so from a hybrid perspective, how do I ingest my logs this way? From a multi-cloud perspective, how do I make sure that I'm not only ingesting but also normalizing these data sets in OCSF so I can action them in our fusion center?

So we have a custom landing zone that will ingest not only on-prem-based logs but also multi-cloud logs, to do this in a comprehensive sense with visibility across the entire digital estate. This is done in a modular fashion. Everybody has a lot of systems in place today that they spent an inordinate amount of time and money tweaking, tuning and getting to operate exactly how they want. The last thing anybody wants to hear in this day and age is a rip-and-replace value proposition. Everyone's eyes roll back in their head and they don't even want to think about that. And it's a heavy lift.

So our approach in this space was not to provide just a SaaS service and license out the technology, and we didn't want to have a value prop behind rip and replace. So we said we will integrate with whatever existing tech stack you have in your environment, thinking about this in an entirely agnostic way and having the capability to be extensible and expose our functionality both ways to an existing set of systems.

I'll give you one example that comes up a lot: workflow management. There are some 800-pound gorillas in this space that I'm sure a lot of you use today, and you've spent, again, a lot of time and money to make sure they operate exactly how you want. Instead of us saying you have to adopt our native workflow management feature, let's have the ability to kick what we're seeing, the alerts and the cases, into the client environment, so they don't have to swivel-chair back and forth. After all, one of the value props is having everything in one consolidated place.

The other big piece behind this is that Security Lake by itself is a giant data repository with normalized data sets. Clients are saying to us, hey, I want an easy and effective way to use Security Lake without having to build my data pipelines, my visualization layer and my analytics layer behind all of this. And so what we did is we said, hey, we'll do all this on behalf of our clients and deploy the entire platform as infrastructure as code in the client environment.

So we're not going to host it. Your data is yours; your visibility stays with you. And this is a professional services engagement from a PwC perspective. So the idea behind that is everybody gets comfortable having it in their environment and having it stood up in a matter of moments, quite literally having the infrastructure built up in just a few moments as IaC using CDK. Specifically, a big struggling point over the years has also been that a lot of tools have been exclusively built for one persona, whether that's the SOC analyst or the CXO; very seldom do we see platforms or tools have the flexibility to think about the entire user base behind this.

So on our journey, we took a persona-based approach in building this out; we had over 100 different personas that we interviewed. We boiled 100-plus down to 14 discrete personas, going from the SOC analyst all the way up to the CXO and every position in between. So the idea is you have a customizable view that is created specifically for your position within your organization.

What we found in the feedback behind this is, hey, this requires far fewer clicks for me to get to the results that I want to see or the results that I need to action to do my job effectively. We found in our studies that it was 17 clicks on average to get to a set of data that a SOC analyst would want to use. It's wild. We reduced that down to fewer than five, and we think that's a pretty darn good job. As a result of that, from a visualization perspective, this is actually a screenshot of the front end of the platform here.

So the idea behind this is having an entirely customizable view for a CXO or C-level executive that is a moment-in-time view across the entire digital estate. Think about this from a compliance perspective, from a regulatory perspective, or from a "how is my team performing right now?" perspective, just from an operational lens. The idea is having this entirely customizable: you can throw it against frameworks, you can throw it against regulation, and have it all visualized in a way that is smart and insightful right in front of you.

So you don't have to go search for this. The other key piece that we're seeing here, especially nowadays, is boards of directors being held liable for what's going on in a lot of companies, specifically with regard to their security posture. So instead of the exercises that historically have taken months and months to prepare for board meetings, where just as they have one the game clock resets and the whole process starts again, this is a tool they use so they can walk into these meetings fully informed and ready to educate the board of directors on exactly what's going on.

So I talked at you there for a while. I wanted to keep this conversational. We do have a microphone now, instead of just going through the presentation, so I wanted to open it up for both comments and questions.
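To make the field-mapping point from the talk concrete, here is an added example that is not PwC's or AWS's code. It performs a per-field translation of a constructed vendor login record into an OCSF Authentication event, places it beside the "stamp a class_uid on the raw object" shortcut the speaker describes, and runs a validator that tells the two apart. The OCSF class, category, activity and status identifiers are the published ones; the schema version string, the required-field list, the vendor record format and the product name are assumptions of the example.

```python
"""Added example: map a vendor login log into an OCSF Authentication event and
check that required fields are really populated, rather than the raw record
being stamped with a class_uid."""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any

# OCSF Authentication class identifiers (category 3, Identity & Access Management).
OCSF_VERSION = "1.1.0"          # assumption: schema version targeted by this example
CLASS_AUTHENTICATION = 3002
CATEGORY_IAM = 3
ACTIVITY_LOGON, ACTIVITY_LOGOFF = 1, 2
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEVERITY_INFO, SEVERITY_LOW = 1, 2

# Attributes the Authentication class marks as required (base event plus user).
# Assumption: taken from a reading of OCSF 1.1; re-check against the schema version you deploy.
REQUIRED = ("activity_id", "category_uid", "class_uid", "metadata",
            "severity_id", "time", "type_uid", "user")

# Constructed sample records in a hypothetical VPN vendor format (not real data).
RAW_EVENTS = [
    {"ts": "2023-11-28T14:05:09Z", "action": "login", "result": "ok",
     "user": "j.doe", "src": "10.1.2.3", "host": "vpn-gw-01"},
    {"ts": "2023-11-28T14:05:41Z", "action": "login", "result": "fail",
     "user": "svc-backup", "src": "198.51.100.7", "host": "vpn-gw-01"},
    {"ts": "2023-11-28T14:09:00Z", "action": "logout", "result": "ok",
     "user": "j.doe", "src": "10.1.2.3", "host": "vpn-gw-01"},
]


def to_ocsf_authentication(raw: dict[str, Any]) -> dict[str, Any]:
    """Field-level mapping of one vendor record into an OCSF Authentication event."""
    activity = ACTIVITY_LOGON if raw["action"] == "login" else ACTIVITY_LOGOFF
    status = STATUS_SUCCESS if raw["result"] == "ok" else STATUS_FAILURE
    ts = datetime.fromisoformat(raw["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {
        "class_uid": CLASS_AUTHENTICATION,
        "category_uid": CATEGORY_IAM,
        "activity_id": activity,
        "type_uid": CLASS_AUTHENTICATION * 100 + activity,   # OCSF rule: class_uid*100 + activity_id
        "time": int(ts.timestamp()) * 1000,                  # timestamp_t is epoch milliseconds
        "severity_id": SEVERITY_LOW if status == STATUS_FAILURE else SEVERITY_INFO,
        "status_id": status,
        "user": {"name": raw["user"]},
        "src_endpoint": {"ip": raw["src"]},
        "dst_endpoint": {"hostname": raw["host"]},
        "metadata": {
            "version": OCSF_VERSION,
            "product": {"name": "ExampleVPN", "vendor_name": "ExampleVendor"},  # constructed
        },
    }


def wrap_raw(raw: dict[str, Any]) -> dict[str, Any]:
    """The shortcut described in the talk: declare the class and jam the raw object in."""
    return {"class_uid": CLASS_AUTHENTICATION, "raw": raw}


def validate(event: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the event passes these checks."""
    problems = [f"missing {field}" for field in REQUIRED if field not in event]
    if all(k in event for k in ("type_uid", "class_uid", "activity_id")):
        if event["type_uid"] != event["class_uid"] * 100 + event["activity_id"]:
            problems.append("type_uid is not class_uid*100 + activity_id")
    if "time" in event and not isinstance(event["time"], int):
        problems.append("time is not an epoch-millisecond integer")
    if "metadata" in event and "product" not in event["metadata"]:
        problems.append("metadata.product is missing")
    if "raw" in event:
        problems.append("raw source object embedded instead of mapped fields")
    return problems


def normalize_all(raws: list[dict[str, Any]] = RAW_EVENTS) -> list[dict[str, Any]]:
    """Map every record and refuse to emit a batch containing events that fail validation."""
    events = [to_ocsf_authentication(r) for r in raws]
    bad = [(i, validate(e)) for i, e in enumerate(events) if validate(e)]
    if bad:
        raise ValueError(f"unmapped or malformed events: {bad}")
    return events


if __name__ == "__main__":
    for ev in normalize_all():
        print(ev["type_uid"], ev["status_id"], ev["user"]["name"], ev["time"])
    print("jammed-in record problems:", validate(wrap_raw(RAW_EVENTS[0])))
```

The validator is the part worth keeping at an ingestion boundary: a source that only ships a raw object under a declared class will fail on every required attribute, while a properly mapped event passes and carries a `type_uid` and millisecond `time` that downstream analytics can rely on.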
