Defense in Depth

David Spark, Steve Zalewski, Geoff Belknap
Jul 23, 2020 • 28min

InfoSec Fatigue

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-infosec-fatigue/)

Have we reached peak InfoSec fatigue? Revolving CISOs and endless cyber recruitment, or the fact that we're spending more money to reduce ever greater risk. Is it all slipping out of our grasp?

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Helen Patton (@OSUCISOHelen), CISO, The Ohio State University.

Thanks to this week's podcast sponsor, Sonrai Security. Identity and data access complexity are exploding in your public cloud: 10,000+ pieces of compute, thousands of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data inside your public cloud.

On this episode of Defense in Depth, you'll learn:
- Are we sliding in our effort to get ahead of security issues? There's a sense that the tools and our abilities aren't keeping up with the onslaught.
- Are we able to prove risk reduction to show that our efforts are successful?
- The people who don't burn out are the ones who thrive on the technical and political challenges of cybersecurity.
- There is disagreement on how to lead a discussion. Should it be story-based or data-based?
- The classic complaint about cybersecurity is that success is measured by the absence of activity. Preventive security is not as easily quantifiable as reactive security.
- CISOs have to step up and show evidence of security's success in the most understandable and digestible format.
- Suggested measures and metrics: likelihood and impact, business impact analysis, security program maturity curve, framework compliance, pen test results, and threat modeling.
- FUD (fear, uncertainty, and doubt) may be effective in the short run, but it's exhausting. It never works in the long term.
- Approach cybersecurity altruistically. If it benefits you and those around you, then it's worth doing.
- Lean on security vendors to help you show the value of their product. The business impact will be on the CISO's shoulders, but the vendor should help build the case.
Jul 16, 2020 • 26min

Securing a Cloud Migration

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-securing-a-cloud-migration/)

You're migrating to the cloud. When did you develop your security plan? Before, during, or after? How aware are you and the board of the cloud's new security implications? Does your team even know how to apply security controls in the cloud?

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Sandy Bird, CTO and co-founder, Sonrai Security. Sandy was the co-founder and CTO of Q1 Labs, which was acquired by IBM in 2011. At IBM, Sandy became the CTO for the global security business and worked closely with research, development, marketing, and sales to develop new and innovative solutions that helped the IBM Security business grow to ~$2B in annual revenue.

Thanks to this week's podcast sponsor, Sonrai Security. Identity and data access complexity are exploding in your public cloud: 10,000+ pieces of compute, thousands of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data inside your public cloud.

On this episode of Defense in Depth, you'll learn:
- You can't just migrate to public cloud and secure things the way you secure your on-premises servers and applications. You have to think cloud-native in every security decision.
- Cloud migrations intensify the focus on the relationship between data and identity.
- "Security as an afterthought" is never a good plan. Those who succeed build security into the migration. Don't let IT broker a deal to migrate to the cloud and then bring in cyber after the fact.
- In the cloud, knowing where your data is is one step; securing the data is another. There are many variables: the API controls on the data, who has access through those APIs, whether the data is cloned or cached, and how permissions on that data are being adjusted. Start by knowing who and what should access your data and build your controls from there.
- The people side of securing a cloud migration is critical. If your staff is not properly trained, a single mistake can be extremely expensive.
- Speed in the cloud, especially with a DevOps and CI/CD approach, can make problems move at lightning speed. There's a need for automation and for continuously monitoring your controls and coverage. Get ahead of problems.
- DevOps learned the fail-fast technique, but also the ability to recover quickly. If security wants to play as well, it has to develop the same strategy and tools.
Jul 9, 2020 • 23min

API Security

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-api-security/)

APIs are gateways in and out of our kingdom, and thus they're also great access points for malicious hackers. How the heck do we secure them without overwhelming ourselves?

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Roey Eliyahu, CEO, Salt Security.

Salt Security protects the APIs at the core of SaaS, web, and mobile applications. Using patented behavioral protection, Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.

On this episode of Defense in Depth, you'll learn:
- The skill set needed to secure APIs is different from the one needed for web security.
- The move toward the cloud, DevOps, and the need for security tools to talk to each other has brought a lot more attention to API security.
- As in every area of security, just knowing what you've got is a struggle. The same is true of APIs. Knowing what APIs you have is not enough; you must know their functionality. Map your APIs to the systems they touch and the data they're transmitting.
- How aware are your developers of the pitfalls of API misuse?
- There is a myriad of security options, but start with strong authentication using hash-based message authentication codes (HMAC).
- Much of the advice we got was simply to shrink the API attack surface, either by limiting the functionality of an API or by removing unused APIs.
- The "review the code" advice we heard often is sadly not realistic. APIs are resistant to both automated and manual code review.
- API security seems like a 300- or 400-level security effort. Smaller companies that don't have a security operations center (SOC) may simply not be able to handle it and will need to outsource their API security and SOC needs to a third party or managed security service.
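The "strong authentication using HMAC" takeaway is easy to get subtly wrong, so here is an added, self-contained illustration of what a sound HMAC request-signing scheme looks like. It is example code written for these notes, not code from Salt Security or from the episode. The header names, the canonical string layout, the demo client id and the demo secret are all assumptions for the demo; the checks it shows (every tamperable field bound into the signed string, a replay window on the timestamp, a nonce cache, and a constant-time comparison) are the ones a practitioner should expect of any such scheme.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo client and secret. A real deployment issues one secret per
# API client and keeps it in a secrets manager, never in source control.
CLIENT_SECRETS = {"client-42": b"constructed-demo-secret-do-not-reuse"}

REPLAY_WINDOW_SECONDS = 300  # how far a request timestamp may drift from server time


def canonical_string(method, path, timestamp, nonce, body):
    """Bind every field an attacker could tamper with into one signed string.
    The body is hashed so large payloads are covered without being re-sent."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, nonce, body_hash]).encode()


def sign_request(key_id, method, path, body, timestamp=None, nonce=None):
    """Client side: compute the headers to send with the request.
    The X-* header names are assumptions for this demo."""
    timestamp = timestamp or str(int(time.time()))
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(CLIENT_SECRETS[key_id],
                   canonical_string(method, path, timestamp, nonce, body),
                   hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": timestamp,
            "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class Verifier:
    """Server side: checks the signature, rejects stale timestamps and replayed nonces."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the demo is deterministic
        self._seen_nonces = {}   # nonce -> time after which it can be forgotten

    def verify(self, headers, method, path, body):
        secret = CLIENT_SECRETS.get(headers.get("X-Key-Id"))
        if secret is None:
            return False, "unknown key id"
        ts_raw = headers.get("X-Timestamp", "")
        if not ts_raw.isdigit():
            return False, "bad timestamp"
        now = self._now()
        if abs(now - int(ts_raw)) > REPLAY_WINDOW_SECONDS:
            return False, "timestamp outside replay window"
        nonce = headers.get("X-Nonce", "")
        if not nonce:
            return False, "missing nonce"
        self._evict_expired(now)
        if nonce in self._seen_nonces:
            return False, "replayed nonce"
        # Recompute over the raw header values so the server signs exactly what the client signed.
        expected = hmac.new(secret, canonical_string(method, path, ts_raw, nonce, body),
                            hashlib.sha256).hexdigest()
        # compare_digest is constant-time, so a forger cannot learn the MAC byte by byte.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        # Only a request that passed every check consumes its nonce.
        self._seen_nonces[nonce] = now + REPLAY_WINDOW_SECONDS
        return True, "ok"

    def _evict_expired(self, now):
        for n in [n for n, exp in self._seen_nonces.items() if exp < now]:
            del self._seen_nonces[n]


if __name__ == "__main__":
    body = b'{"amount": 10}'
    headers = sign_request("client-42", "POST", "/v1/transfer", body)
    v = Verifier()
    print(v.verify(headers, "POST", "/v1/transfer", body))
    print(v.verify(headers, "POST", "/v1/transfer", body))   # same headers again: replay
```

Note what the scheme does not give you: HMAC proves the caller holds the shared secret, so every client that can sign can also forge on behalf of that key id. Per-client secrets, short replay windows and rotation are what keep a leaked secret's blast radius small.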
Jul 2, 2020 • 27min

Shared Threat Intelligence

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-shared-threat-intelligence/)

We all know that shared intelligence has value, yet we're reluctant to share our threat intelligence. What prevents us from doing it, and what more could we know if sharing threat intelligence was mandated?

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Joel Bork (@cincision), senior threat hunter, IronNet Cybersecurity.

Thanks to this week's podcast sponsor, IronNet Cybersecurity. To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations and improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.

On this episode of Defense in Depth, you'll learn:
- We all benefit from sharing threat intelligence, so why don't we do it?
- If threat data is public, is it useful? The argument is that if the good guys know about the threat intelligence, then all the bad guys know as well. But that's only if it's in a public forum. If threat intelligence were shared in a more rapid, comprehensive, and secure manner, it would have more utility.
- Sometimes the "intelligence" a company first gets is just a data feed.
- There has to be a fuller discussion of the risks of sharing compared to the upside. Often it's so easy to shut the doors and not share that the benefit never gets calculated into the equation.
- When an organization is in the middle of its security maturity curve, it holds all its data as close to its chest as possible. As it continues on its journey and learns lessons along the way, it begins to understand that collaboration will help the community as a whole, including itself.
- Threat data is really not what professionals need. What they need is intelligence. That requires a way to onboard the data and make sense of it on its own, in aggregate, and over time.
- Each of us is collecting different pieces of the threat landscape puzzle. If someone doesn't provide their piece, the puzzle is incomplete and there are holes in our knowledge and in our ability to protect ourselves.
- Threat intelligence does not hold the same weight for every user. What's valuable to someone may not be of value to another, and you may be holding onto data that you don't think is valuable but someone else does.
- You want threat intel to be actionable, which doesn't necessarily mean responding to it automatically.
- We spoke of threat intel using the analogy of animals traveling in herds for protection. The attackers often pick off the weak ones, but when everyone is working together, the stronger animals can actually protect the weak.
- Even with everything we know and value about shared threat intel, there is still a ton of paranoia around sharing. While there is lots of discussion about data not being identifiable, most choose to opt out of sharing threat intel.
Jun 25, 2020 • 26min

Drudgery of Cybercrime

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-drudgery-of-cybercrime/)

Why does the press persist in referring to all cyber breaches as sophisticated attacks? Is it to make the victim look less weak, or do they simply not know the tedium that's involved in cybercrime?

Check out this post by Brian Krebs for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Steve Zalewski, deputy CISO, Levi Strauss.

Thanks to this week's podcast sponsor, IronNet Cybersecurity. To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations and improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.

On this episode of Defense in Depth, you'll learn:
- There's a dichotomy between how the press glorifies cybercrime as "sophisticated" and the reality that much of cybercrime is drudgery.
- Most cybercrime operates under a pay-for-hire or web-based service model. Cybercriminals have to deal with many of the same business issues we all do, such as support, infrastructure, customer relations, and sales.
- Since cybercriminals are usually doing work for someone else, they have customers, and those customers will often complain if they are not getting the expected service.
- There was a question of whether cybercrime actually pays. It seemed that if you have some basic technical talent, legitimate InfoSec is a far more lucrative field, with benefits that cybercrime can't offer.
- The paper states that low-skilled administrators often don't know much about the systems they maintain. This would lead one to believe they're also far removed from the criminal activity.
- Many of these claims about the boredom of cybercrime can be made of the InfoSec community as well.
- Once you understand that cybercrime is a business with a need for ROI like any other business, the goal in protecting yourself is simply to make attacking you too costly to be financially attractive.
Jun 18, 2020 • 26min

Security Budgets

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-security-budgets/)

How do you calculate a security budget? Is it a percentage of the IT budget? Something else? And why does it grow so drastically after a breach?

Thanks to this week's podcast sponsor, IronNet Cybersecurity. To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations and improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.

On this episode of Defense in Depth, you'll learn:
- The general consensus in the community is that cybersecurity is a spend-it-now-or-spend-more-later decision.
- While everyone wants a metric to determine how much to spend on cybersecurity, there doesn't seem to be one that is useful.
- The CISO's job is to provide data about risks so the business can make the decision about cybersecurity spending.
- Most assume that after a breach there's more cybersecurity budget, but what you get first is cooperation.
- Look at security as a market differentiator. What if you could withstand a cyber attack but your competition couldn't? Or perhaps you could deliver a higher level of reliability to your customers. How would your business be perceived by the market?
- A business impact analysis calculator can help you understand your risk levels. Allan Alford has one on his site.
- Many felt the biggest cost to a company suffering a breach isn't the loss of data or the regulatory fines, but the damage to the company's brand.
- The cost of proactive protection always beats the cost of suffering a data breach.
- One listener recommended that MBA programs include a breach case study in their curriculum.
Jun 11, 2020 • 29min

Role of the BISO

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-role-of-the-biso/)

What is a business information security officer, or BISO? Do you need one? Is it just an extension of the CISO, or is it simply taking on the business aspect of the CISO role?

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Nicole Dove (@IssaUrbanGirl), BISO, ADP, and host of the Urban Girl Corporate World podcast.

Thanks to this week's podcast sponsor, Deep Instinct. Deep Instinct is changing cybersecurity by harnessing the power of deep learning to prevent threats in zero time. Deep Instinct's on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware, with unmatched accuracy and speed. Find out more about the solution's broad platform coverage.

On this episode of Defense in Depth, you'll learn:
- A BISO becomes very valuable when they can be mapped to a specific business unit (by locale or business line).
- The BISO role has become important because practically all companies are reliant on data and technology.
- The BISO must have the power to do their job. That requires autonomy and decision-making ability.
- Another way to describe a BISO is as a senior business analyst with a security focus.
- From CISO to project manager, roles change often for a BISO.
- Geo-aligned BISO positions have become extremely valuable in light of different and growing territorial regulations.
- BISO is a good role for a would-be CISO.
- Only large companies have room for a BISO.
- A BISO who can get close to a particular business unit's sales strategy is of enormous value.
- Make sure the BISO is actually bringing value and not just acting as a gatekeeper between security and the business.
Jun 4, 2020 • 26min

Shared Accounts

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-shared-accounts/)

As all security professionals know, shared accounts are bad, yet they're a fact of life in the business world. They linger, and from an operational standpoint they're hard to secure and hard to hold anyone accountable for. Why are they still around, and what can be done about them?

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Jake King (@jakeking), CEO, Cmd.

Thanks to this week's podcast sponsor, Cmd. Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

On this episode of Defense in Depth, you'll learn:
- As much as it makes security professionals cringe, shared accounts are a business reality that can't be avoided.
- Certain business processes force shared accounts to exist, but that doesn't mean you, as a security professional, shouldn't dig in to find out why the shared account exists and whether there's a way to remove that shared privilege.
- Get an inventory of your shared accounts. One way to build it is by mapping each credential to the location it is used from.
- Time pressures in a physical environment often force shared accounts.
- You need to shine a light on shared accounts even if they're not going to go away. It's part of your GRC (governance, risk, and compliance) program.
- There are compensating controls you can put around shared accounts, such as password rotation, monitoring usage, and alerts.
- Privileged access management (PAM) is the favorite solution for dealing with shared accounts. Often you don't need separate compensating controls if you have a dynamic PAM solution in place.
- The need for accountability is key here. If everyone doesn't share an understanding of its importance, the eventual issues are simply going to magnify.
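The "monitor usage and alert" compensating control and the "map credentials to location" inventory advice above are concrete enough to show running. The following is an added example written for these notes, not code from Cmd or from the episode. It parses constructed sshd "Accepted" lines (the sample log, the account names and the owner mapping are all made up for the demo), keeps a sliding window per account in a shared-account inventory, and raises an alert when an account is used from more distinct source addresses than its inventory allows; a second function lists shared accounts still reached with a static password, the ones a PAM or rotation control has not yet absorbed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines for this demo; not taken from any real system.
SAMPLE_LOG = """\
Jun  4 10:00:01 app01 sshd[4011]: Accepted password for svc_deploy from 10.1.20.14 port 50122 ssh2
Jun  4 10:02:17 app01 sshd[4020]: Accepted password for svc_deploy from 10.1.20.15 port 50130 ssh2
Jun  4 10:03:44 app01 sshd[4031]: Accepted password for svc_deploy from 192.168.77.9 port 41002 ssh2
Jun  4 10:05:10 app01 sshd[4044]: Accepted publickey for alice from 10.1.20.14 port 50140 ssh2
Jun  4 13:30:00 app01 sshd[5102]: Accepted password for svc_deploy from 10.1.20.14 port 50301 ssh2
"""

# The shared-account inventory the episode recommends: account -> accountable owner.
# Both entries are assumptions for the demo.
SHARED_ACCOUNTS = {"svc_deploy": "platform-team", "svc_backup": "storage-team"}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2020):
    """Turn one sshd 'Accepted' line into an event dict, or None if it is not a login.
    Syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "src": m["src"], "method": m["method"]}


def parse_log(text, year=2020):
    return [e for e in (parse_line(line, year) for line in text.splitlines()) if e]


def shared_account_fan_out(events, window=timedelta(minutes=10), max_sources=2):
    """Alert when a shared account is used from more distinct sources than expected
    inside a sliding window. This is the usage-monitoring compensating control,
    and the signal that where a credential is used is drifting from the inventory."""
    alerts = []
    recent = defaultdict(list)  # user -> events still inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["user"] not in SHARED_ACCOUNTS:
            continue
        hist = recent[e["user"]]
        hist.append(e)
        while e["ts"] - hist[0]["ts"] > window:   # expire events older than the window
            hist.pop(0)
        sources = sorted({h["src"] for h in hist})
        if len(sources) > max_sources:
            alerts.append({"user": e["user"], "at": e["ts"], "sources": sources,
                           "owner": SHARED_ACCOUNTS[e["user"]]})
    return alerts


def password_logins_to_shared_accounts(events):
    """Shared accounts still reached with a static password, with the sources using them.
    These are the candidates for PAM brokering or, at minimum, rotation."""
    return sorted({(e["user"], e["src"]) for e in events
                   if e["user"] in SHARED_ACCOUNTS and e["method"] == "password"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in shared_account_fan_out(evts):
        print(f"ALERT {a['user']} ({a['owner']}) from {a['sources']} by {a['at']}")
    for user, src in password_logins_to_shared_accounts(evts):
        print(f"password login to shared account {user} from {src}")
```

The threshold and window are policy, not detection logic: an account the inventory says is used from one jump host gets max_sources=1, while a floor-wide shared terminal login may legitimately fan out further. The point of the inventory is that the owner column tells you who has to answer the alert.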
May 28, 2020 • 30min

Bug Bounties

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-bug-bounties/)

What is the successful formula for a bug bounty program? Should it be run internally, by a third party, or should you open it up to the public? Or maybe a mixture of everything?

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Justin Berman (@justinmberman), head of security, Dropbox.

Thanks to this week's podcast sponsor, Cmd. Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

On this episode of Defense in Depth, you'll learn:
- Like red teaming, you need outside eyes looking at your environment and vulnerabilities.
- There was much debate between internal, private, and public bug bounty programs, but it was agreed that if you do them, you do them in that order.
- There was another concern regarding the cost of a bug bounty program. Whether you run one or not, you're still going to pay for coding errors and vulnerabilities one way or another, either upfront or later.
- Those new to bug bounty programs are not aware of the additional cost of managing the program and engaging with the researchers and white hat hackers. That is a critical part of the program.
- Before you begin, set up a system to manage the flow of reported problems. If you don't, you and your staff could very quickly be overwhelmed. Having a consistent and clear way of handling the findings is often more important than the findings themselves.
- Have you allocated budget to remediate the findings? Are you going to need to make a case as each weakness is found?
- Keep in mind that companies don't start bug bounty programs for the same reasons. Some do it for publicity or to form relationships with researchers.
- Communication between your engineers and the bug bounty researchers is critical. If your team is non-responsive, the program could backfire.
- Most people are wary of public bug bounty programs because of the low signal-to-noise ratio. With a rush for attention and money, the whole effort may implode.
May 21, 2020 • 25min

Data Classification

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-data-classification/)

The more data we hoard, the less useful any of it becomes, and the more risk we carry. If we got rid of data, we could reduce risk.

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Nina Wyatt, CISO, Sunflower Bank.

Thanks to this week's podcast sponsor, Cmd. Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

On this episode of Defense in Depth, you'll learn:
- Usable, user-friendly, viable-in-every-scenario data protection that is invisible, seamless, and always on does not exist, but it could exist and should exist.
- Classification tools that tout automation really aren't automated. There is still a good amount of manual intervention.
- Another way to solve the data protection problem is to get rid of data. The problem amplifies as we find ourselves protecting more data, but a lot of data simply doesn't need to be protected. It could be classified as not requiring protection, or just destroyed.
- Data is mostly unstructured, and it needs to be structured at least to the extent that you know how it flows, which is extremely difficult to do. We spend a lot of time on hardware and network diagrams, but what we should be doing is diagramming data flow.
- Mandate retention limits on data. People don't like it, but it will make you a lot safer. Just mandate the lifespan of data: if it's not needed or accessed within a certain period, archive it or possibly delete it.
- People think holding onto data is free, but the reality is that the longer you hold onto it, the more costly it becomes from a security perspective.
- Utility to you versus utility to the bad guys is relative. For example, a bank statement from five years ago has little utility to you now, but to a bad guy looking for information it has the same value as a bank statement from today.
- The questions you need to be asking: Is your data sensitive? Does it have open permissions? How long has it been since the data was accessed?
- Data with PII is both an asset and a liability.
- Classifying data also has a major problem with consistency. Often data can be put into multiple categories or classes.
- The security of the data itself is usually not the factor many consider; we are usually thinking about the security around the data instead.
