

Defense in Depth
David Spark, Steve Zalewski, Geoff Belknap
Defense in Depth promises clear talk on cybersecurity’s most controversial and confusing debates. Once a week we choose one controversial and popular cybersecurity debate and use the InfoSec community’s insights to lead our discussion.
Episodes

Sep 3, 2020 • 25min
When Red Teams Break Down
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-when-red-teams-break-down/)

What happens when red team engagements go sideways? The idea of real-world testing of your defenses sounds great, but how do you close the loop, and what happens if it's not closed?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Dan DeCloss, founder and CEO, PlexTrac.

Thanks to this week's podcast sponsor, PlexTrac. PlexTrac is a revolutionary, yet simple, cybersecurity platform that centralizes all security assessments, penetration test reports, audit findings, and vulnerabilities into a single location. PlexTrac vastly improves the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize important analytics, and collaborate on remediation in real time.

On this episode of Defense in Depth, you'll learn:
- Don't make the mistake of red teaming too early. If you don't have your fundamental security program in place, you'll be testing non-existent defenses. If you're just starting to build up your security program, conduct a vulnerability scan and do some basic patch management.
- A red team exercise exists to discover risks you didn't even know about and couldn't have predicted in your threat modeling exercises.
- Have a plan for what you're going to do after the red team exercise. Discovering you've got problems with no plan to remediate them will not only be a waste of money, but will also breed discontent.
- Don't red team just to fill out an audit report. You can do a vulnerability scan for that.
- Consider moving the red team to purple to actually help the blue team remediate the findings. If you don't have a plan for remediation, you'll find yourself running the same red team and filling out the same report.
- Prioritize! The red (now purple) team can greatly help, along with those who've assessed business risks. First to remediate are the findings that are high impact and easy to exploit. The rest is determined by an analysis of likelihood and impact.

Aug 27, 2020 • 29min
What Cyber Pro Are You Trying to Hire?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-what-cyber-pro-are-you-trying-to-hire/)

Do companies hiring cybersecurity talent even know what they want? More and more we see management jobs asking for engineering skills, and even CISO jobs with coding requirements. What's breaking down?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Liam Connolly, CISO, Seek.

Thanks to this week's podcast sponsor, Salt Security. Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection, Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.

On this episode of Defense in Depth, you'll learn:
- The poor focus of cybersecurity job listings often exposes either the poor understanding or the lack of maturity of a company's information security program.
- We often see management cyber jobs asking for engineering skills and vice versa.
- Job listings can also portray the "last guy" syndrome. Those are the job listings that tack on the desired skills the last person did not have.
- When you see too many requirements, it comes off as a wish list. It's not what is required; it's more a question of how many boxes a candidate can check off.
- There can be serious harm to a company's ability to hire if it throws down too many requirements, or even too many optional items. People who are truly suited to the position you want may never apply because they'll be scared off by the other skills required or desired.
- CISOs are often hired by non-security people, and as a result those people don't have a full understanding of what type of CISO they want. That's why it's often hard to find two similar CISO job listings.
- While CISO technical competencies are desired, it's clear that once hired a CISO will not be showing off their technical expertise. As a result, there's a lot of debate about how much technical skill a CISO really needs. The job requires management, influencing, and communication.
- Many hiring teams have a hard time parsing out the types of security people they need to build out a security team. That's why you get a single job listing that appears to want to hire five different types of security people.
- If a CISO isn't given the budget and authority to hire a staff to fill all the necessary gaps in the company's security program, they will become fed up and leave. That starts the whole process again.
- Many argue that job titles in job listings are just there to massage the ego. But if compensation doesn't match the title, then candidates realize the title is just for show.

Aug 20, 2020 • 29min
Junior Cyber People
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-junior-cyber-people/)

There are so few jobs available for junior cybersecurity professionals. Are these cyber beginners not valued? Or are we as managers not creating the right roles for them to improve our own security?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Naomi Buckwalter (@ineedmorecyber), director of information security & privacy at Energage.

Thanks to this week's podcast sponsor, Salt Security. Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection, Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.

On this episode of Defense in Depth, you'll learn:
- There are tons of newbies eager to work in cybersecurity. The shortcoming is not the available pipeline, but a lack of headcount and of managers' willingness to train and find appropriate assignments.
- Because headcount is often the limitation on hiring, leaders will opt to hire the most senior person they can get. The common feeling is to hire one experienced person and stress them out rather than hire three junior people and train them. The problem with the former is that if you stress that experienced person, they will leave and tell others not to work there.
- There is plenty of good junior-level cybersecurity work, such as asset management cleanup, PII discovery, procedure documentation, filling out security questionnaires, scrubbing and tuning out false positives from alerting systems, reviewing vendor contracts, patch verification, following up on vulnerability management with other teams, launching and managing vulnerability scans, interviewing for shadow IT installations, working with the help desk on user account remediation, and scanning logs for anomalies.

Aug 13, 2020 • 28min
Trusting Security Vendor Claims
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-trusting-security-vendor-claims/)

Do security vendors deliver on their claims and, heck, are they even explaining what they do clearly enough that CISOs actually know what they're buying?

Check out this post and the Valimail survey for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Lee Parrish (@LeeParrish), CISO, Hertz.

Thanks to this week's podcast sponsor, AttackIQ. AttackIQ, the leading independent vendor of breach and attack simulation solutions, built the industry's first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to plan security improvements and verify that cyberdefenses work as expected, aligned with the MITRE ATT&CK framework.

On this episode of Defense in Depth, you'll learn:
- Of those surveyed by Valimail, a third to a half didn't believe that vendors did a good job explaining what their product does, or that the product actually performed, or that there was any way to actually measure that performance.
- Many questioned those numbers because they feel many security buyers still fall for security vendors' boastful claims. Both can actually be true. Stunned behavior at a trade show is not an indicator of knowledge or of susceptibility to vendor pitches.
- When you're under the gun as a security professional to produce results, you often become a victim of security vendor claims because you want to deliver on demands from the business.
- By nature, CISOs should be skeptical about vendor claims and about information within their own environment.
- There's a battle between those vendors truly trying to deliver value and those who are using their marketing savvy to sway industry thinking.
- Don't place all the blame on the vendors. CISOs still have trouble understanding their requirements, risk, and priorities. Many are guilty of engaging in "random acts of security".
- Claims can often be more trustworthy if the vendor is willing to explain what they can't do.

Aug 6, 2020 • 30min
How Vendors Should Approach CISOs
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-how-vendors-should-approach-cisos/)

"How do I approach a CISO?" It's the most common question I get from security vendors. In fact, I have another podcast dedicated to this very question. But now we're going to tackle it on this show.

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Ian Amit (@iiamit), CSO, Cimpress. Here also is my original article with Allan Alford from when he first launched this "engage with vendors" campaign.

Thanks to this week's podcast sponsor, Sonrai Security. Identity and data access complexity are exploding in your public cloud: 10,000+ pieces of compute, thousands of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.

On this episode of Defense in Depth, you'll learn:
- All CISOs are different, so any advice we provide will vary from CISO to CISO. Plus, we have an entire other show, CISO/Security Vendor Relationship Podcast, dedicated to this very topic.
- We acknowledge that this is tough, because to be really on target you need to know what the CISO has, what their mix of products is, and how your product could work in their current security maturity and mix of security products and processes. It's all a very tall order for a security vendor.
- Vendors must stop thinking of themselves as point solutions and think instead about how they fit into the overall makeup of a security program. You're not coming in with a blank slate. How do you interoperate with what's existing?
- There's unfortunately a trend of people who make the contact, then initiate a meeting, and then hand off to someone else. CISOs do not welcome that kind of engagement, although it may be very cost-effective for security vendors to hire junior people to make those contacts and handoffs.
- Lots of argument about the efficacy and acceptance of cold calling. Those who claim they don't like it are often working at organizations that do it repeatedly to great success. The pushy salesperson who eventually gets through after repeated attempts, even when they're told no, may show success, but they don't count all the people they've angered and the word-of-mouth negativity that has resulted from that behavior. If you push beyond a request to stop, the worst that can happen is that your reputation will be destroyed.
- CISOs are more receptive to market pull into your organization. That can happen through traditional marketing, content marketing, podcasts, analyst reviews, and word of mouth. The problem is that these techniques don't leave any room for salespeople to operate.

Jul 30, 2020 • 23min
Secure Access
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-secure-access/)

What is the Holy Grail of secure access? There are many options, all of which are being strained by our new work-from-home model. Are we currently at the max?

Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Rohini Kasturi, chief product officer, Pulse Secure.

Thanks to this week's podcast sponsor, Pulse Secure. Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 24,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance.

On this episode of Defense in Depth, you'll learn:
- Multiple technologies, such as VPN, split-tunnel VPN, VDI, SASE, EDR, and secure management, are used in attempts to ensure secure access. But given that secure access isn't just about managing endpoints, but users as well, you also have to look at IAM.
- We look to conditional access to provide more support than just full VPN access.
- The argument is that we are moving away from endpoints to identity, as that's the new perimeter.
- A SASE solution blocks by default, instead of allowing by default, and requires permission for access. The user is secured dynamically based on a combination of identity and device.
- It would be great if secure access solutions were universal, but they vary country by country based on costs, availability, and regulations.
- Secure access models must be user-experience first. One possible play that works in this way is IAM + SASE + EDR + secure management.
- Another factor that prevents a one-size-fits-all model for secure access is the complexity of stacks.

Jul 23, 2020 • 28min
InfoSec Fatigue
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-infosec-fatigue/)

Have we reached peak InfoSec fatigue? Revolving CISOs and endless cyber recruitment, or the fact that we're spending more money to reduce even greater risk: is it all leaving our grasp?

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Helen Patton (@OSUCISOHelen), CISO, The Ohio State University.

Thanks to this week's podcast sponsor, Sonrai Security. Identity and data access complexity are exploding in your public cloud: 10,000+ pieces of compute, thousands of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.

On this episode of Defense in Depth, you'll learn:
- Are we sliding in our effort to get ahead of security issues? There's a sense that the tools and our abilities aren't keeping up with the onslaught. Are we able to prove risk reduction to show that our efforts are successful?
- The people who don't burn out are the ones who thrive on the technical and political challenges of cybersecurity.
- Disagreement on how you lead a discussion: should it be story-based or data-based?
- The classic complaint about cybersecurity is that success is measured by the absence of activity. Preventative security is not as easily quantifiable as reactive security.
- CISOs have to step up and show evidence of security's success in the most understandable and digestible format. Suggested measures and metrics: likelihood and impact, business impact analysis, security program maturity curve, framework compliance, pen test results, and threat modeling.
- FUD (fear, uncertainty, and doubt) may be effective in the short run, but it's exhausting. It never works in the long term.
- Approach cybersecurity altruistically. If it benefits you and those around you, then it's worth doing.
- Lean on security vendors to help you show the value of their product. The business impact will be on the CISO's shoulders, but the vendor should help build the case.

Jul 16, 2020 • 26min
Securing a Cloud Migration
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-securing-a-cloud-migration/)

You're migrating to the cloud. When did you develop your security plan? Before, during, or after? How aware are you and the board of the cloud's new security implications? Does your team even know how to apply security controls to the cloud?

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Sandy Bird, CTO and co-founder, Sonrai Security. Sandy was the co-founder and CTO of Q1 Labs, which was acquired by IBM in 2011. At IBM, Sandy became the CTO for the global security business and worked closely with research, development, marketing, and sales to develop new and innovative solutions to help the IBM Security business grow to ~$2B in annual revenue.

Thanks to this week's podcast sponsor, Sonrai Security. Identity and data access complexity are exploding in your public cloud: 10,000+ pieces of compute, thousands of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.

On this episode of Defense in Depth, you'll learn:
- You can't just migrate to the public cloud and secure things the way you secure your on-premises servers and applications. You have to think cloud-native in all security decisions.
- Cloud migrations intensify the focus on the relationship between data and identity.
- "Security as an afterthought" is never a good plan. Those who succeed build security into the migration. Don't let IT broker a deal to migrate to the cloud and then bring in cyber after the fact.
- In the cloud, knowing where your data is is one step; securing the data is another. There's a multitude of variances with data: the API controls on the data, who has access through those APIs, whether the data is cloned or cached, and how permissions on that data are being adjusted. Start by knowing who and what should access your data and build your controls from there.
- The people side of securing a cloud migration is critical. If your staff is not properly trained, a single mistake can be extremely expensive.
- Speeds in the cloud, especially if you've got a DevOps and CI/CD approach, can make problems move at lightning speed. There's a need for automation and for continuous monitoring of your controls and coverage. Get ahead of problems.
- DevOps learned the fail-fast technique, but also the ability to recover quickly. If security wants to play as well, it has to develop the same strategy and tools.

Jul 9, 2020 • 23min
API Security
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-api-security/)

APIs are gateways in and out of our kingdom, and thus they're also great access points for malicious hackers. How the heck do we secure them without overwhelming ourselves?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Roey Eliyahu, CEO, Salt Security.

Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection, Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.

On this episode of Defense in Depth, you'll learn:
- The skill set needed to secure APIs is different from that for web security. The move towards the cloud, DevOps, and the need to have security tools talk to each other have brought a lot more attention to the need for API security.
- As in all areas of security, just knowing what you've got is a struggle. The same is true of APIs. Just knowing what APIs you have is not enough. You must know their functionality. Map your APIs to the systems and the data they're transmitting.
- How aware are your developers of the pitfalls of API misuse?
- There's a myriad of security options, but start with strong authentication using hash-based message authentication codes (HMAC).
- Much of the advice we got was simply to shrink the API attack surface. This can be done by either limiting the functionality of the API or removing unused APIs.
- The "review the code" advice that we heard often is sadly not realistic. APIs are resistant to both automated and manual code review.
- API security seems like a 300- or 400-level security effort. Smaller companies that don't have a security operations center (SOC) may simply not be able to handle it and will need to outsource their API security and SOC needs to a third party or managed security service.

Jul 2, 2020 • 27min
Shared Threat Intelligence
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-shared-threat-intelligence/)

We all know that shared intelligence has value, yet we're reticent to share our threat intelligence. What prevents us from doing it, and what more could we know if shared threat intelligence were mandated?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Joel Bork (@cincision), senior threat hunter, IronNet Cybersecurity.

Thanks to this week's podcast sponsor, IronNet Cybersecurity. To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations and improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.

On this episode of Defense in Depth, you'll learn:
- We all benefit from sharing threat intelligence, so why don't we do it?
- If threat data is public, is it useful? The argument is that if the good guys know about the threat intelligence, then all the bad guys know as well. But that's only if it's in a public forum. If threat intelligence were shared in a more rapid, comprehensive, and secure manner, it would have more utility.
- Sometimes the "intelligence" a company first gets is just a data feed.
- There has to be a greater discussion of the risks of sharing as compared to the upside. Often it's so easy to shut the doors and not share, with the benefit never factored into the equation.
- When an organization is in the middle of its security maturity curve, it holds all its data as close to its chest as possible. As it continues on its journey and continues to learn lessons along the way, it begins to understand that collaboration will help the community as a whole, including itself.
- Threat data is really not what professionals need. What they need is intelligence. And this requires a way to onboard and make sense of the data on its own, in aggregate, and over time.
- Each of us is collecting different pieces of the threat landscape puzzle. If someone doesn't provide their piece, then we have an incomplete puzzle and there are now holes in our knowledge and ability to protect ourselves.
- Threat intelligence does not hold the same weight for every user. What's valuable to someone may not be of value to another. And you may be holding onto data that you don't necessarily think is valuable.
- You want threat intel to be actionable, not necessarily responding automatically.
- We spoke of threat intel with the analogy of animals traveling in herds for protection. The attackers often pick off the weak ones, but when everyone is working together, the stronger animals can actually protect the weak.
- Even with everything we know and value about shared threat intel, there is still a ton of paranoia around sharing. While there is lots of discussion about data not being identifiable, most choose to opt out of sharing threat intel.