Defense in Depth

David Spark, Steve Zalewski, Geoff Belknap
Nov 7, 2019 • 25min

The Cloud and Shared Security

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-the-cloud-and-shared-security/)

When your business enters the cloud, you are transferring risk, but also adding new risk. How do you deal with sharing your security obligations with cloud vendors?

Check out this LinkedIn post for the basis of this show's conversation on shared responsibility for security during a digital transformation to the cloud.

This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Paul Calatayud (@paulcatalayud), CSO for Americas, Palo Alto Networks.

Thanks to this week’s podcast sponsor, Palo Alto Networks. Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you’ll learn:

- You have to have a business reason to go to the cloud. Usually it's done as a business imperative in order to stay competitive.
- Security is rarely the primary reason businesses move to the cloud. It's often an adjunct reason.
- Moving to the cloud may transfer risk, but it also introduces new risk.
- Security professionals have long avoided the cloud because they feel they give up perceived control. If I can't see or touch it, how can I secure it?
- One issue security people need to grapple with during digital transformation and a move to the cloud is what it means to manage risk when you don't own the program.
- Much of the online discussion was about getting your service level agreements (SLAs) in place. But if you're a small- to medium-sized business (SMB), you're going to have a hard, if not impossible, time negotiating.
- Don't lean on SLAs to be your entire risk profile. It's like using insurance as your only means of security.
- Cloud security requires setting up automation guard rails.
- For cloud evolution you'll need a change in talent, and it probably won't be your traditional network engineers.
- Because of performance, privacy, and data protection issues, you're probably going to find your business moving apps in and out of the cloud.
- The Cloud Controls Matrix (CCM), from the Cloud Security Alliance (CSA), is a controls framework designed to help you assess the risk of a cloud security provider.
Oct 31, 2019 • 26min

Is Product Security Improving?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-product-security-improving/)

We've been at this cybersecurity thing for a long time. Are products improving their security? A recent study says they aren't.

Check out this tweet and the ensuing discussion for the information on the study and the concerns people have about the history of poor security in consumer-grade networking products.

This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Michael L. Woodson (@mlwoodson), CISO, MBTA.

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you’ll learn:

- We focus our conversation mostly on consumer products, most notably networking, which was the focus of the relevant study.
- Some basic measurements of security, such as stack guards and buffer overflow protection, showed no noticeable improvement.
- Margins are so slim on consumer products that manufacturers are put in a bind. They can't overcharge and stay competitive, so they have to underdeliver, and often security protections are cut as a result.
- People accept the failures of cybersecurity products by just accepting the end user license agreement (EULA). Be very careful with these agreements. Often a vendor will make outrageous claims, like saying they own the data.
- When we have security incidents, companies are not blamed or liable.
- What type of pressure would need to be put on manufacturers to get them to improve security? Will it have to be standards, regulations, or government regulations?
Oct 24, 2019 • 27min

Best Starting Security Framework

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-best-starting-security-framework/)

If you were building a security program from scratch, which many of our listeners have done, which framework would be your starting point?

Check out this post initiated by Sean Walls, vp, CISO of Visionworks, who asked, "If you were building a security program from scratch, would you align with ISO 27001, NIST CSF, or another framework, and why?"

That conversation sparked this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Omar Khawaja (@smallersecurity), CISO, Highmark Health.

Thanks to this week’s podcast sponsor, Palo Alto Networks. Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you’ll learn:

- When determining a starting security framework, always lead with the "Why?" What are you trying to accomplish and achieve?
- In some cases you're building a framework to build trust.
- Although most in security take a risk-based approach, that's not always necessary when picking a framework.
- Frameworks are often very regulatory driven. Framework decisions will be built on both internal and external pressures.
- If you don't have a specific security problem, a specific security solution makes no sense.
- The Secure Controls Framework is a free meta-framework that allows users to pick and choose elements from multiple frameworks.
- Check out Allan Alford's four-year mapping of NIST CSF, CIS CSC 20, and ISO 27001.
- While there are plenty of great frameworks out there, for someone who is truly starting from scratch, many security professionals pointed to the CIS top 20 because it maps to frameworks like NIST and ISO.
Oct 17, 2019 • 28min

Cyber Defense Matrix

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cyber-defense-matrix/)

A simple way to visualize your entire security program and all the tools that support it.

Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Sounil Yu (@sounilyu), creator of the Cyber Defense Matrix and former chief security scientist at Bank of America.

Thanks to this week’s podcast sponsor, Verodin. The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value.

On this episode of Defense in Depth, you’ll learn:

- First, just look at the darn thing and it'll start to make sense.
- The Cyber Defense Matrix's original purpose was to provide a visual way to see where your gaps are in your technology.
- Users have found lots more uses for the matrix, such as seeing those same gaps in people and processes, and trying to map out the vendor landscape.
- By visualizing, you can also see where you have too much, and you can actually get rid of technologies.
- The matrix provides structural awareness of your vulnerabilities.
- The matrix admittedly gets a little wonky when cloud technologies are introduced. They often bleed across categories, not neatly fitting into any specific buckets.
Oct 10, 2019 • 29min

User-Centric Security

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-user-centric-security/)

How can software and our security programs be better architected to get users involved?

Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Adrian Ludwig, CISO, Atlassian, a customer of our sponsor, Castle.

Thanks to this week’s podcast sponsor, Castle. Castle is helping businesses keep customers’ online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle’s user-centric approach to account security allows organizations to fully automate threat response and account recovery in real-time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:

- It's impossible to create a security system that removes the user from the equation. They are integral and they have to be part of your security program.
- Security is defined by the individual. The minimum expectation you can have of your users is that they'll operate in good faith.
- Avoid complexity, because as soon as it's introduced it drives problems everywhere. Instead, keep asking yourself: how can I make security more usable?
- Individuals are suffering from alert fatigue. If you're going to send an alert to a user, make it relevant and actionable. And always be aware that your security alerts are not the only alerts the user is seeing and deciding, or not deciding, to take action on. Think about all the alerts you completely ignore, like the confidentiality warning in a corporate email.
- One of the main problems with security is that the party who suffers is not the one who has to act. The user often does not have any stake in the goods he/she is protecting.
Oct 3, 2019 • 32min

Securing the New Internet

All links and images from this episode can be found at CISO Series (https://cisoseries.com/defense-in-depth-securing-the-new-internet/)

If you could re-invent the entire Internet, starting all over again with security in mind, what would you do?

Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Davi Ottenheimer (@daviottenheimer), who happens to be working on this project with Tim Berners-Lee at Inrupt to create a new Internet and secure it.

Thanks to this week’s podcast sponsor, Castle. Castle is helping businesses keep customers’ online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle’s user-centric approach to account security allows organizations to fully automate threat response and account recovery in real-time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:

- Much of the advice on how to secure the Internet focused on just improving known protocols such as SMTP, IPv6, and TCP/IP. Is that limited thinking or not?
- Creating a new Internet has a lot of political and socioeconomic issues connected to it, so you have to consider both relative updates (changing existing protocols) and absolute updates (reinventing and trashing existing protocols).
- One suggestion was dynamic port assignments, which was an interesting tip, but it runs into the issue that at some point someone needs to know where you're communicating.
- The future of identity is that it's not controlled by one entity. But the solution is not blockchain. That's essentially a spreadsheet of information, and banking on a spreadsheet or blockchain would not be wise.
- Another suggestion would be to create a data-centric approach to the Internet, but this would put a massive load on the endpoints.
- One core philosophy of securing the new Internet is creating a system where each individual can own their own data and grant rights to others to use it, rather than being beholden to the rights others give us to manage our own data.
- Our favorite suggestion was about looking to biomimicry and our millions of years of evolution to help us build an Internet that could learn to evolve on its own. The issue is that history has given us tectonic shifts that come all at once and don't necessarily evolve gradually. Could a security system be built to adapt in that manner?

Creative Commons photo attribution to Joybot.
Sep 26, 2019 • 26min

Resiliency

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-resiliency/)

How fortified is the business to withstand cyberattacks? Can it absorb the impact of the inevitable hits? Would understanding the business' level of resilience provide the appropriate guidance for our security program?

Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Anne Marie Zettlemoyer, vp, security engineering and divisional security officer, MasterCard.

Thanks to this week’s podcast sponsor, Castle. Castle is helping businesses keep customers’ online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle’s user-centric approach to account security allows organizations to fully automate threat response and account recovery in real-time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:

- Resiliency allows the business to perform in conjunction with risk.
- A conversation about resilience forces security to think about business processes and the criticality of each one to the business' ability to sustain itself.
- We're forcing ourselves to think proactively when we have no choice but to react, hopefully automatically. Disaster recovery (DR) and business continuity planning (BCP) come into play here.
- There's a concern that, of the CIA (confidentiality, integrity, and availability) triad, "integrity" doesn't have enough outside forces to ensure its credibility.
- While security teams may just be coming up to speed, or are just thinking of resiliency, the business has been thinking about it since day one of becoming a business. If security begins thinking this way, they will be more in alignment with the business.

And here are some items Anne Marie mentioned at the end of the show:

- Cybersecurity Talent Initiative
- GCA Cybersecurity Toolkit
Sep 19, 2019 • 26min

Ransomware

All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ransomware/)

Why is ransomware so prevalent? Why are so many getting caught in its net? And what are some of the best tactics to stop its scourge?

Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Brian Vecci (@BrianTheVecci), field CTO, Varonis.

Thanks to this week’s podcast sponsor, Varonis. The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab.

On this episode of Defense in Depth, you'll learn:

- Exploiting stolen data takes work. Ransomware requires no knowledge.
- Ransomware targets the lowest common denominator, just data in general. The attackers often don't need to know much about the data.
- Ransomware is extremely dangerous when it goes after shared data, which probably isn't being monitored.
- The more savvy ransomware criminals can live dormant in a system, learn where the most valuable data is, and be able to know how much a company can pay.
- The solution to fighting back requires one to understand that ransomware targets people and files. It's the combination of the two that makes ransomware particularly dangerous.
- Your best bet to mitigate ransomware's damage is to limit users' file access. Not all users need to be able to access everything at all times.
- Many security professionals believe the solution to ransomware is just good security hygiene and patching. While patching does narrow your attack surface, it doesn't make you immune to ransomware.
- Unlike most cybercrime, ransomware is noisy. The attackers want you to know that they're there so you'll pay up.
Sep 12, 2019 • 28min

Top CISO Communication Issues

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-top-ciso-communication-issues/)

Understanding risk. Communicating with the board. Getting others to understand and care about security. What is the most vexing cybersecurity issue for a CISO?

Check out this post by Kate Fazzini, cybersecurity reporter for CNBC, for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Mark Eggleston (@meggleston), CISO, Health Partners Plans.

Thanks to this week’s podcast sponsor, Varonis. The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab.

On this episode of Defense in Depth, you'll learn:

- Communication starts with engaging people where they work.
- CISOs can't have any long-term success selling fear, uncertainty, and doubt (AKA "FUD").
- CISOs need to focus on people skills. If a CISO is going to be rolling out a solution, it's going to be in his/her hands to get others to adopt it.
- Successful CISOs integrate the community into their thinking.
- While CISOs want to be proactive, you can't be purely proactive or reactive. It's always a blend.
- The best start for a CISO is to get the C-suite and board to listen and understand.
- Not only do CISOs need to have conversations about risk, they need to document it and revisit it.
- Look at where the company is making money by examining the 10-Q report. See where you can apply risk analysis to all of those revenue streams.
- Whenever a FUD-like headline appears, the C-suite and board will see it. Don't let them fall into the trap of absorbing the hype. CISOs need to show how they're handling such situations and how they would if something similar happened to them.
- Top issues for CISOs include having a clear understanding of who owns what risk. And more importantly, individual contributors should acknowledge their specific role in the overall security program.
Sep 5, 2019 • 25min

Cybersecurity Excuses

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-excuses/)

"I've got all the security I need." "I'm not a target for hackers." These are just a few of the many rationalizations companies make when they're in denial of cyberthreats. Why are these excuses still prevalent, and how should a cyberprofessional respond?

Check out this post by Ian Murphy, co-founder of LMNTRIX, for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers.

Thanks to this week’s podcast sponsor, Varonis. The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab.

On this episode of Defense in Depth, you'll learn:

- Security professionals must endure an endless string of excuses not to improve a security program. On this episode, the ones we saw fall into four categories: "What I've got is good enough", "Denial", "False safety net", and "Costs too much time/money".
- Never rest on what you've got today. Today's configuration is tomorrow's vulnerability.
- Security is a process, not an end state. There are always issues because humans are involved.
- Small companies may not have a huge payout, but their defenses are usually weaker, making them an easy score. A bunch of small companies add up to a big one.
- If you have not invested well in a good security program, you are already breached and don't know it.
- As this show's title explains, you can't rely on a single layer of defense (e.g., a firewall) to protect you.
- No CISO is complaining they're spending too much on security.
- A great security partner is awesome, but you don't hand off your security to someone else. It's a shared responsibility.
- Don't rely on cyber insurance, in the same way you don't leave your front door unlocked even though you've got home insurance.