Johnathan Wilkes, Palo Alto Networks

Internet exposures are often created unintentionally, and they leave organizations vulnerable to a variety of cyberattacks. In recent years, there has been an unprecedented increase in the use of automation by adversaries for reconnaissance and exploitation. While sophisticated attackers continue using automation to scan the internet for vulnerabilities in order to actively exploit them, how about using it to not only monitor your organization’s attack surface, but actively remediating publicly exposed assets and cloud misconfigurations? One of the biggest offenders (increasing with the demands for telework and cloud computing) is the Remote Desktop Protocol (RDP), which has been determined to be the most utilized initial attack vector for ransomware gangs. With the average cost of a successful ransomware attack totaling over $300k, even a small misconfiguration can become something that all enterprises want to avoid and mitigate as soon as possible. Defensive automation combined with active remediation can be a first necessary step for organizations to prevent such inevitable configuration slips becoming hundreds of thousands of dollars of damage and headline news.

Talk outline
External Attack Surface Management (EASM) is the process of continuously identifying, monitoring and managing all internet-connected assets for potential attack vectors, exposures and risks. However, an ASM solution and attack surface management plan are only parts of the whole equation, because after the exposures have been determined, remediation needs to be prompt and swift. Remember that every second a critical exposure, like RDP open to the internet, is out there, is another opportunity for it to be used as a ransomware attack vector that can cost your organization hundreds of thousands of dollars. Therefore, automation that can collect more information on a vulnerability, notify the right asset owners, and implement remediation as fast as possible should be available to a SOC for easy deployment.

Automated incident response is complicated to create, implement, and execute. It requires several tasks including collection of information about an asset, determining the potential service owner, sending a notification to the service owner, and creating a run book. It is challenging to build such automation as the APIs for product change, credentials need to be securely stored and shared, and true alert triggers should be generated with minimal latency. In this talk, I will present an automation solution that overcomes these challenges and helps an organization remediate the unexpected exposure of assets (e.g., RDP) to the internet.

Speaker's Biography

  • Johnathan Wilkes is a Security Architect with Palo Alto Networks
  • He has worked at Palo Alto Networks for over 2 years
  • Before automating Attack Surface Management remediation, he assisted a state government automate their security operations center
  • He has been helping enterprise and government customers with security and network automation for over 8 years

View More Papers

He-HTLC: Revisiting Incentives in HTLC

Sarisht Wadhwa (Duke University), Jannis Stoeter (Duke University), Fan Zhang (Duke University, Yale University), Kartik Nayak (Duke University)

Read More

An Exploratory study of Malicious Link Posting on Social...

Muhammad Hassan, Mahnoor Jameel, Masooda Bashir (University of Illinois at Urbana Champaign)

Read More

Kids, Cats, and Control: Designing Privacy and Security Dashboard...

Jacob Abbott (Indiana University), Jayati Dev (Indiana University), DongInn Kim (Indiana University), Shakthidhar Reddy Gopavaram (Indiana University), Meera Iyer (Indiana University), Shivani Sadam (Indiana University) , Shirang Mare (Western Washington University), Tatiana Ringenberg (Purdue University), Vafa Andalibi (Indiana University), and L. Jean Camp(Indiana University)

Read More