
The Cyber Ranch Podcast

Latest episodes

Dec 20, 2023 • 37min

The SaaS Attacks Matrix with Luke Jennings

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Luke Jennings, VP of Research & Development at Push Security, former Chief Researcher at Countercept, Principal Security Consultant at MWR…  He’s been around the industry.  Luke is passionate about tracking the evolution of attacks – how are the bad guys morphing and changing their game in response to our new defenses, and more importantly, to the new technologies that we use in the first place.  Luke, thank you so much for coming on down to the ‘Ranch!

Questions Allan asks Luke:
What is the difference between traditional attacks and the new SaaS cyber kill chain?
Where is the new perimeter in a fully SaaS/remote company? Is it cloud identities?
What is it we’re actually protecting in a fully SaaS/remote company? The data landscape is very distributed now…
You’ve mentioned that certain protective technologies are so good that they have inspired new methods of attack. This is the classic arms race metaphor.  What drove the bad guys into attacking SaaS-native companies?
Walk me through the modern kill chain in a SaaS-native company. I’m thinking in terms of recon, access, lateral, escalation – the old model has changed, has it not?
Let's pick specific attacks from the matrix and review them.

Sponsored by our good friends at Push Security. Check them out at: https://pushsecurity.com/ranch
Dec 13, 2023 • 32min

Identity as the Perimeter with Adam Bateman

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Adam Bateman, CEO and Co-Founder at Push Security, based in the UK.  Another of our cyber friends from across the pond!  He is a former director at the security consultancy MWR, who were renowned in the industry for their specialist research and red team capability. Adam started off as a red teamer himself, and then went on to build and lead the detection and response division of MWR, where they specialized in defending organizations against state-sponsored attacks.   Adam came up in the world of offensive security, and it shows in his thinking.  He co-founded Push to protect SaaS-native companies, whose data resides in a bazillion places, protected by a bazillion identities.  Or maybe just by SSO.  But probably a mix.  ½ a bazillion known SaaS apps using SSO and another ½ a bazillion using who knows what identity methods?

After our first chat with Adam, Allan really got to thinking about this idea we bandy about that “identity is the new perimeter!”  Is that the right model? Is it a complete model?  Are there better models to describe our SaaS sprawl security problem?  Allan posted his ideas on LinkedIn and LinkedIn got very vigorously into the conversation.  We thought Adam and Allan could record a show and hash some of these concepts out, and Adam agreed, so here we are!

In one sense, vulnerable Internet-facing credentials have ALWAYS been a problem.  In other words, Identity is not the new perimeter, but is a rather old one.  What are your thoughts?
What is happening in the wild?  What do the attacks actually look like?
Allan Alford Consulting subscribes to over twenty SaaS applications, and Allan is literally a one-man company.  How many SaaS apps are used by the average enterprise?  What percentage of those are in the SSO fold?  This is truly scary.
How do we get everything behind SSO?  How do we get SSO locked down and secure?
What’s our best possible world?  Everything behind SSO with a Yubikey?  Next best is everything behind SSO with a smartphone MFA app?
Back to this perimeter thing:  J. David Christensen agrees with the idea that identity is not a new perimeter.  He says it has always been THE perimeter!  Jamir Fisher agreed.  Robert Mitchell points out that if an identity provider can be compromised, then identity is the M&M defense after all (hard shell, soft center).  Our friend Abhishek Singh says authZ and authN combine to form Zero Trust.  Once you have zero trust, he says, like it or lump it, identity becomes the attack surface.  What are your thoughts on that formula?  We found it to be a rather tidy summation, as did our other friend Dan Holden.  Thoughts?
Lastly, when we talk identity, we always feel the need to point out that humans are just some of the identities crawling our digital world.  Are the solutions we’re crafting for humans using SaaS also good for machine accounts?  Application accounts?  API-to-API connections?

Sponsored by our good friends at Push Security. Check them out at: https://pushsecurity.com/ranch
Dec 6, 2023 • 37min

CSF 1.1 and 2.0 with Geoff Hancock

Geoff Hancock, Deputy CEO and CISO for Access Point Consulting, discusses the NIST CSF versions 1.1 and 2.0. Highlights of the conversation include the role of frameworks in cybersecurity, the changes in CSF 2.0, the addition of the GV function, overdue implementation examples, and the focus on supply chain. The chapter also explores starting small with a lightweight framework, the difference between compliance and security, and the importance of supply chain risk management.
Dec 4, 2023 • 13min

SPECIAL EDITION! Charity, Community, Collaboration @ CISO XC w/ 3 CISOs

In this SPECIAL EDITION! Allan interviews the 3 CISOs who created the CISO XC series of conferences:
Cecil Pineda
Jaimin Shah
Randy Potts

CISO XC is the only conference for CISOs (and their reports) that is put on by a team of 3 CISOs and an awesome all-CISO advisory board. And the amount of money CISO XC gives to charity is MIND BOGGLING.  Hint:  This year's goal is greater than some CISOs' salaries!!!

In this brief SPECIAL EDITION! you can hear more about CISO XC and its take on its 3 priorities: Charity, Community and Collaboration. AND you can learn how to sign up for the biggest event yet in March, 2024.  That's right!  CISO XC is going nationwide!
https://registration.socio.events/e/cisoxcspring2024

This spring you can meet Randy, Jaimin and Cecil as well as Allan and a host of other Dallas-Fort Worth security folks.  Practitioners attend free, and the conference will be a blast! Allan will also be giving out a limited number of cowboy hats to those who can answer trivia questions about CISO XC (hints will be provided).

Y'all be good now!
Nov 29, 2023 • 36min

12 Questions for 12 Guests LIVE! at CISO XC

Allan takes the show on the road again, this time at his all-time favorite conference: CISO XC! He asks a unique question of each guest; together they represent a great deal of breadth in our industry:

Dave Belanger – CISO at Bestow Insurance – What is the most effective way to demonstrate and communicate security program progress to the board?
Tera Davis – CEO at CyberOne Security – How does a vendor forge relationships with a customer to be a strategic advisor and not just another vendor?
Andrew Woolen – Account Executive at Semperis – What do you wish CISOs knew about the vendor side of the fence?
Fred Clayton – Vice President Information Security at GI Alliance – What are you doing to develop talent in your teams?
Mickey Disabato – vCISO at Booz Allen Hamilton – What are the big differences between vCISO and CISO?
Alain Espinosa – Global Director Security Operations at Upbound Group – What is the one thing you would change in cybersecurity today?
Josh Kleen – Enterprise Solutions Architect at Rubrik – As a vendor, how do you see your role in this whole “We’re here to fight the bad guys” thing?
Pat Benoit – Global CISO at Brinks – Why are you sleeping well?
Russell Swinney – CIO & CISO at Infrastructure, Inc. – What is your secret for good staff retention?
Richard Weiss – CISO at AccentCare, Inc. – What are the most unusual, nontraditional cyber skills you have on your team?
Sam Baxter – Global CISO and Data Privacy Officer at AppSpace – What are your favorite sources for staying up to date in this industry?
Michael Anderson – CISO and Deputy CTO at Dallas Independent School District – Outside of the security space, there are inspirations to be had everywhere.  What is the one that has most inspired you in cybersecurity?

Y'all be good now!
Nov 22, 2023 • 21sec

American Thanksgiving Holiday

Howdy, y'all!  Allan is taking this week off to spend time with family and to give thanks for all the wonderful things in his life - including y'all!

For those who don't track it, there is no Cyber Ranch Podcast four times a year:
American Thanksgiving week
Christmas week
Black Hat week
RSA week

That gives Allan enough breaks throughout the year to preserve his sanity. Y'all be good now!
Nov 15, 2023 • 23min

Cybersecurity Awareness Month CALL TO ACTION - The Conclusion!

Warning, there might be some naughty language in this one!

The challenge was issued!!!! Allan teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who won??? "Won"? That's right!  Allan, along with George K and George A from Bare Knuckles & Brass Tacks, joined forces with Aaron Pritz and Cody Rivers of Simply Solving Cyber! Together, this trifecta of podcasters weighed in on the October bonanza that is Cybersecurity Awareness Month. While the month started humbly to raise awareness for the general public, it has now become an excuse for vendors to inundate infosec professionals' inboxes with inane messaging.

Introducing: The Cyber Community Month challenge!
Vendors: we challenged you to come up with campaigns that give back to the customer community rather than sending awareness spam.
Client-side practitioners: We asked you to show us how you engage local communities, volunteer at schools, help nonprofits, etc. to spread cyber knowledge!

This is the conclusion and awards ceremony! Shout-outs to our winners, all of whom did something special for the community:
Carlos Guerrero (deserves special note as a truly committed community builder!)
Gerson Rodriguez
Guidepoint Security
Bugcrowd

Enjoy the show, and y'all be good now!
Nov 8, 2023 • 37min

SEC/SolarWinds Legal Analysis w/ Evan Wolff

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Evan Wolff, partner at Crowell & Moring, and Allan's favorite cyber attorney.  Evan has led and managed 100s of investigations including cybersecurity, data breach, insider threats, security incidents and suspected terrorist incidents. Evan also teaches a class at Columbia University in New York City on “Great Hacks in Cybersecurity”.  Evan and Allan are good friends and Evan is friends with many other CISOs as well.  Evan has never lost sight of his cybersecurity roots, and is still worthy of the title “hacker”.  Evan is our go-to whenever the intersection of law and cybersecurity arises.  As such, he was the first one we thought of to chat about the latest SEC/SolarWinds situation.  Evan, thank you so much for coming on down to the ‘Ranch!

What kind of lawyer is Evan and why can he speak on this topic?
What does disclosure mean, and how does this change disclosure?
What is the role of the CISO in all this?
Key takeaways?
What countries do not have extradition treaties with the USA?  (Obviously a tongue in cheek question!)
Nov 1, 2023 • 36min

Defining Budgets with Tim Rohrbaugh

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Tim Rohrbaugh, Founder/Principal at DefaultDenySec, former CISO for JetBlue Airways, advisor, investor: yup!  Another Cyber Ranch guest with an awesome history!  Tim and Allan were chatting a while back about budgeting cybersecurity programs, and they found out that they disagreed on a rather key point.  In true Cyber Ranch fashion, Allan immediately asked Tim to come back to the show and to dig into the issue with him.  They are starting with disagreement, which always makes for a better show...

Allan maintains that the cybersecurity budget should be tied to specific risks identified vs. specific business processes and/or assets as determined by Business Impact Analysis. In other words, we identify WHAT we care about, use BIA to tell ourselves HOW MUCH we care, and then we chart the risks to those processes and assets.  We then stack rank the risks based on impact but also plausibility (see prior show with Andy Ellis and Chris Roberts as to why Allan uses plausibility and not probability).  We then can sit down with the business and say:
For $x we can address these top 5 risks
For $y we can address these top 7 risks
Etc, etc.
Budgets are tight? Lower the number of risks addressed.  It’s that simple!

NOTE: Allan is cheating here with this simplification.  Run rate matters.  Our existing tech stack is already in play before we address specific risks.  So there is accretion there that must be acknowledged.  And the question is also begged:  How much does the already established run rate actually tackle specific risks vs. broad strokes?  EDR, for example, should already be present.  Do we say that EDR addresses the ransomware risk or the data leakage risk of HR data or the data theft risk of customer data, and/or…  You get the point.  Allan's model is not perfect.  But what Allan has ALWAYS stood against is the idea that the cyber budget should simply be expressed as a percentage of revenue or a percentage of IT budget or a percentage of anything external to cybersecurity, really.

Tim disagrees and finds flaws in Allan's model:
Should we be tied to IT budget at all?  Tim says YES!
Should we only be a percentage of revenue or overall organizational budget?  Tim says YES!
What is the value in capping budget via external measures like %age of IT spend or %age of revenue?
How do we tackle run rate vs. specific projects in your model?
How does one choose what remains and what gets cut from the to-do list when budget tightening occurs?
What other benefits exist to Tim's model?
Is there a way to reconcile the two models? Is that reconciliation even necessary?
Oct 25, 2023 • 43min

The New SEC Regulations with Jack Powell

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  We're joined today by Jacqueline (AKA “Jack”) Powell, CISO at Allianz Life and former Deputy CISO at Hanes.  She has also consulted, and has worked at Chevron, General Dynamics, and SACI.  Jack has an illustrious career!  Jack is here today talking with Allan about the new SEC regulations about cybersecurity.  For our listeners, the final version of the SEC ruling came out in late July, and publicly traded companies in America have 5 months to comply.  Mid-December is when the switch gets thrown…

Topics covered in this show:
The new ruling and its highlights: Disclosure, Risk Management, Board expertise
What are the implications of the disclosure rules?  What are the challenges businesses face?  What tools can be leveraged?
It seems that “materiality” is the key term upon which all of this pivots. That term has definition and precedence in financial circles, but how is a cybersecurity professional to interpret it?
What are the implications of the Risk Management rule? If you work with a cybersecurity framework like NIST CSF, for example, you’ve already got at least the basics in place?
And now we get to Board Expertise… CISOs are all anticipating getting board roles overnight, but it’s not that easy. NACD in conjunction with CISA put some material together. How should CISOs prepare themselves to be ready for a possible board role?
