Defense in Depth

David Spark, Steve Zalewski, Geoff Belknap
May 14, 2020 • 27min

Prevention vs. Detection and Containment

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-prevention-vs-detection-and-containment/)

We agree that preventing a cyber attack is better than detection and containment. Then why are the overwhelming majority of us doing detection and containment? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Steve Salinas (@so_cal_aggie), head of product marketing, Deep Instinct.

Thanks to this week's podcast sponsor, Deep Instinct. Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct's on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware, with unmatched accuracy and speed. Find out more about the solution's wide-covering platform play.

On this episode of Defense in Depth, you'll learn:

- A recent Ponemon study notes that most security professionals agree that prevention is a better security strategy than detection and containment.
- Even with the acceptance that prevention is a better security posture, most security spending goes into detection and containment.
- By implementing firewalls, patching, and security training, many of us are already doing prevention, but may not classify it as such.
- Prevention is not nearly as expensive as building a detect-and-respond security program.
- The two halves work in concert. No prevention program can be perfect, and that's why you always need a detect-and-contain program as well.
- The reason you don't go with detect and respond alone, without prevention, is that the flood of information would be too much for a security program to handle.
- There was a strong argument for detect and respond because it shows that the products you spent money on are actually working. This is not just to humor the security professional, but also to give some "evidence" to the senior executives.
- A lot of prevention comes down to the individual. But since it's so tough to get people to change behavior, there's less friction in just purchasing another prevention tool to protect people from their own behavior.
- Prevention tools won't stop attackers who sit dormant on a network waiting to strike. Their behavior has to be spotted through detection and containment.
May 7, 2020 • 28min

Asset Valuation

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-asset-valuation/)

What's the value of your assets? Do you even understand what they are to you, or to a criminal looking to steal them? Do those assets become more valuable once you understand the damage they can cause? Check out this post for the basis for our conversation on this week's episode, which features me and Allan Alford. Our guest is Bobby Ford, global CISO, Unilever.

Thanks to this week's podcast sponsor, CyberArk. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

On this episode of Defense in Depth, you'll learn:

- Allan revised the well-known formula for risk (Risk = Likelihood x Impact) to reflect an asset's importance. Instead: Risk = Threat plus Vulnerability, as aimed at an Asset.
- It's hard to get a stakeholder to tell you the value of their assets. Instead, ask them the reverse: describe the absolute worst breach scenario. What's the second worst? Continue on down until you have an understanding of the hierarchy of the assets.
- A business impact analysis (BIA) will also help uncover asset valuation. Allan Alford has a BIA calculator on his site.
- The simple question of "What are you defending?" is one that most business leaders struggle to answer. They need to be able to answer that question, and answer it often.
- Once you know what to defend, the next question is how much to defend, and after that, whether there is anything that doesn't need to be defended.
- You may not be able to start this process at all if you don't know what your asset inventory is. Inventory should be managed with a discovery tool and multiple iterations of discovery.
- While you're valuing your own assets, try to make sense of what those assets mean to an attacker. That will help you answer the question of "how much to defend."
Apr 30, 2020 • 27min

DevSecOps

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-devsecops/)

We know that security plays a role in DevOps, but we've been having a hard time inserting ourselves into the conversation and into the process. How can we get the two sides, developers and security, to better understand and appreciate each other? Check out this post and this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Sumedh Thakar (@sumedhthakar), president and chief product officer, Qualys.

Thanks to this week's podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

On this episode of Defense in Depth, you'll learn:

- It's debatable whether "DevSecOps" should even exist as a term. The argument for it is to make sure that security is part of the discussion, but security people feel that's redundant. Security is not an additional process. It should be baked in. It's an essential ingredient.
- But should it really be seen as "embedding," or rather as a partnership? Developers and operations work as partners. Instead of dumping security tools on developers and just demanding "implement this," security needs to go through the same transition development had to go through to become part of "Ops."
- As DevOps looks forward to what's next, how can security do the same? Security is unfortunately seen as an afterthought, and that's antithetical to the DevOps philosophy. Security is an innate property that imbues quality in the entire DevOps effort.
- Security will slow down DevOps. It's unavoidable. Not everything can be automated. But if you deliver security in bite-sized chunks, you can get to an acceptable level of speed.
- The business needs to specify the security requirements, since it was the business that specified the speed requirements. That's how we got to DevOps in the first place.
Apr 23, 2020 • 28min

Fix Security Problems with What You've Got

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-fix-security-problems-with-what-youve-got/)

Stop buying security products. You probably have enough. You're just not using them to their full potential. Dig into what you've got and build your security program. Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Brent Williams (@brentawilliams), CISO, SurveyMonkey.

Thanks to this week's podcast sponsor, Deep Instinct. Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct's on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware, with unmatched accuracy and speed. Find out more about the solution's wide-covering platform play.

On this episode of Defense in Depth, you'll learn:

- It's very possible you're not using the tools you've purchased to their full potential. What would happen if you completely stopped buying security products and tried to fix your problems with the tools you already have?
- The reason this is such a popular discussion is that, as an industry, we're still struggling to manage the fundamentals of security.
- Shelfware happens because we buy before we're ready. Purchase decisions should be made in conjunction with knowing whether you have the staff, and understanding the integration points, to implement the solution.
- Tooling for the foundational layers must be dealt with first. You don't need a solution selling a higher layer of security if you don't have the foundation built.
- Much of this argument is based on the messaging we hear from vendors. They're understandably in the business of selling product. Be cognizant of how you're absorbing information.
- We also need to focus on the people, who unfortunately are fallible and can make non-malicious but poor decisions. If there was going to be any additional spending, the argument was to invest in your people, from awareness for the entire staff to specific training for your security staff.
Apr 16, 2020 • 25min

Should Risk Lead GRC?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-should-risk-lead-grc/)

Defining risk for the business: is that where a governance, risk, and compliance effort should begin? How does risk inform the other two, or does calculating risk take so long that you can't start with it? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Marnie Wilking (@mhwilking), global head of security & technology risk management, Wayfair.

Thanks to this week's podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

On this episode of Defense in Depth, you'll learn:

- The model of risk = likelihood x impact doesn't take into account the value of assets. Assets have to be valued first, before you calculate risk.
- Is the reason risk isn't used to lead governance, risk, and compliance (GRC) because it's so darn hard to calculate? Many CISOs say their toughest job starting out is trying to understand what the crown jewels are and what the board's risk tolerance is.
- Risk management allows the board to know when you have enough security. Some assets may require eight layers where others may only require one or two.
- Determining the likelihood of an attack involves a good amount of guesswork. We've discussed on a previous episode of CISO/Security Vendor Relationship Podcast that we don't go back to see how good our risk predictions were. If you want to get better at it, you should. Otherwise, it will always be guesswork.
- Even if you can get one person to agree on what their risk tolerance is, or which asset is important, getting agreement among a group can be a blocker. Keep in mind that each person is going to have a different viewpoint and different concerns.
- Knowing risk appetite is critical. You can apply security controls without knowing it, but that means applying a uniform security layer across all data, people, and applications, even though they are not all equal when it comes to asset valuation.
Apr 9, 2020 • 25min

Responsible Disclosure

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-responsible-disclosure/)

Security researchers and hackers find vulnerabilities. What's their responsibility in disclosure? What about the vendors when they hear about the vulnerabilities? And do journalists have to adhere to the same timelines? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Tom Merritt (@acedtect), host, Daily Tech News Show.

Thanks to this week's podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

On this episode of Defense in Depth, you'll learn:

- Manufacturers, software companies, researchers, hackers, and journalists all play a role in responsible disclosure. Vulnerabilities will exist and they will be found; how companies want to be alerted about those issues and how they inform their public are key elements of the responsible disclosure process.
- While there are CERT guidelines for responsible disclosure, there are no real hard-and-fast rules. There will always be judgement calls involved. But like a doctor's Hippocratic Oath, the goal is to minimize harm.
- You can't announce a vulnerability without offering a fix. Doing so opens the door for the bad guys to come in and cause havoc.
- There is a long history of how vulnerabilities have been disclosed. It was often a surprise, and often malicious. The trend toward responsible disclosure and bug bounties has given legitimacy to white hat hackers and to the process of exposing vulnerabilities.
- One listener argued that the term "responsible disclosure" implies a moral judgement. He argued that it should be referred to as "coordinated disclosure."
- There is still frustration on multiple sides with how responsible disclosure should be handled. Researchers sometimes argue they're not getting recognized or paid. Companies often feel extorted by researchers who want answers on the researchers' timelines. And journalists have to weigh the importance and criticality of a vulnerability: should they let people know about it even if there really isn't a good fix yet?
Apr 2, 2020 • 29min

Internet of Things

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth:-internet-of-things/)

When Internet of Things, or IoT, devices first came onto the market, security wasn't even a thought, let alone an afterthought. Now we're flooded with devices with no security, and their openness and connectivity are being used to launch malicious attacks. What are the methods to secure environments today, and how should these IoT devices be secured in the future? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Josh Corman (@joshcorman), founder of I Am The Cavalry.

Thanks to this week's podcast sponsor, Pulse Secure. Pulse Secure offers easy, comprehensive solutions that provide visibility and seamless, protected connectivity for hybrid IT in a Zero Trust world. Over 20,000 enterprises entrust Pulse Secure to empower their mobile workforce to securely access applications and information in the data center and cloud while ensuring business compliance.

On this episode of Defense in Depth, you'll learn:

- For years, manufacturers didn't consider device security. As a result, attackers have used insecure devices like connected webcams to gain entry into corporate networks. If you're manufacturing devices, make security and patches a top concern, even after end-of-life support.
- There is a big gap between public trust and reality. Almost all people trust manufacturers to secure their devices. The reality is that most manufacturers aren't securing their devices.
- While we've seen webcams used to launch distributed denial of service (DDoS) attacks, the greatest concern is a similar style of attack being launched against industrial IoT.
- The discussion of IoT security goes beyond the security of the devices themselves. We know there are devices with zero security connected to our networks. This is where a larger discussion of zero trust and defense-in-depth style security programs comes into play.
- We have a growing number of unmanaged devices: devices that are always on and connected to the Internet, providing simple functions like reading their environment.
- How much responsibility do manufacturers have for the security of their devices after they've been purchased and shipped? They can create updates and patches, but they can't enforce them.
Mar 26, 2020 • 27min

Is Governance the Most Important Part of GRC?

Mustapha Kebbeh, CISO at Brinks, shares his deep insights on the intersection of governance, risk management, and compliance (GRC). He emphasizes that strong governance practices are essential for meaningful GRC programs. Without effective leadership, achieving compliance becomes challenging. The discussion covers how actionable and accountable policies drive successful outcomes and the significance of integrating stakeholder perspectives for cohesive risk management. Discover how prioritizing governance can help organizations navigate the complexities of cybersecurity.
Mar 19, 2020 • 25min

Who Should the CISO Report To?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-who-should-the-ciso-report-to/)

Who should the CISO report to? What factors determine that decision? And why is that single decision so critical to a company's overall security? Check out this post for the basis for our conversation on this week's episode, which features me and special guest co-host Yaron Levi (@0xL3v1), CISO, Blue Cross Blue Shield of Kansas City. Our guest is Gary Harbison, vp, global CISO, Bayer.

Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents.

On this episode of Defense in Depth, you'll learn:

- We're having this discussion because, as Allison Berey, M:CALIBRATE, explained, "Wrong reporting lines can mean poor decision-making."
- There is no definitive answer as to what the reporting line should be. The final answer in this discussion was "it depends."
- A CISO's placement within an organization should depend on where the company derives its value.
- All companies say security is important. How they place the CISO within the reporting structure, and the influence the CISO has on the organization, is very telling as to whether the company truly values security.
- There was a lot of concern about reporting to C-level executives other than the CEO, since the CISO's concerns could play second fiddle to a CFO's, CIO's, or CRO's primary desires. Many felt the most desirable reporting line was CISO-to-CEO.
- But, assuming every department is dealing with some sort of business risk, don't they all have the right to report to the CISO? Where do you draw the line?
Mar 12, 2020 • 28min

Hybrid Cloud

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-hybrid-cloud/)

The consistency of your security program becomes a challenge once you introduce the cloud. Controls and visibility are not necessarily transferable. How do you maintain the control you want in a hybrid environment? Check out this post for the basis for our conversation on this week's episode, which features me, special guest co-host Taylor Lehmann (@BostonCyberGuy), vp, CISO, athenahealth, and our sponsored guest, Chris Meenan (@chris_meenan), director, offering management and strategy, IBM Security.

Thanks to this week's podcast sponsor, IBM Security. IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents.

On this episode of Defense in Depth, you'll learn:

- Moving to the cloud, like any other technology initiative, is a business decision.
- What controls are you ceding to the cloud provider? What service level agreements (SLAs) and performance measurements do you have for the provider?
- Be realistic about what's going to be done if a service provider violates the SLA. You're not going to dump the provider all of a sudden. You're going to put some type of corrections in place. Make sure you know what those are and how they can realistically be handled.
- Understand your shared responsibility in the cloud. According to a report by FireMon on hybrid cloud use and adoption, about one-third of respondents do not fully understand the cloud shared responsibility model.
- Start slow. While you may need to go with multiple cloud providers to meet distribution and other requirements, begin with one and learn from that experience.
- Use cloud adoption as an excuse to join forces with your privacy team to understand where data is being placed and what control you have over it.
- Cloud providers are not interchangeable like a utility. Cloud providers are chosen based on the services they offer.