Defense in Depth

David Spark, Steve Zalewski, Geoff Belknap
Aug 29, 2019 • 26min

Employee Hacking

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-employee-hacking/)

A cyber professional needs their staff, non-IT workers, and the board to take certain actions to achieve the goals of their security program. Should a CISO use the hacking mindset on their own people? Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Yael Nagler (@MavenYael), consultant.

Thanks to this week’s podcast sponsor, Anomali. Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:

- Employee hacking is an effort to get employees to do what you need them to do in order to pull off your security program.
- There's a grand debate as to whether you should be hacking employees (use the tools you've got) or working with them (don't trick them).
- Many listeners likened this motivation technique to sales persuasion methods. But those methods are focused on getting individuals to take a single action: to purchase. This is not the case for a CISO, who must change a wide-ranging set of behaviors that are often not connected to individual desires.
- To complicate matters even more, a CISO must sell a process and culture change, NOT a product.
- It's not easy to change human behavior. Manipulation is a tainted word. You need to respect differences and find common ground that motivates employees to care about, and stay with, a security program.
- One way to get people to care about security is to explain internally what big security news items have to do with your business and how a similar breach could or couldn't happen to your business.
- While you're trying to win someone over, it's not a selfish interest. It's in the interest of the individual and the company. The individual just has to understand why they're changing behavior and see value in making that change.
Aug 22, 2019 • 25min

100% Security

100% Security. A great idea that's impossible to achieve. Regardless, CEOs are still asking for it. How should security people respond? We'll also discuss the philosophical implications of 100% security. Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Rich Friedberg (@richf321), CISO, Blackbaud.

Thanks to this week’s podcast sponsor, Anomali. Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:

- Even though security people learned a long time ago that 100 percent security is not achievable if you want to run a business, CEOs are still asking their security departments to deliver it.
- The most common response to the 100 percent security request is to point out that nothing in business is 100 percent. Everything is a type of risk.
- Pointing out that everything is a risk doesn't necessarily endear a CISO to the security department. Instead, use empathy and try to understand what they are really asking when they make the 100 percent security request.
- It's often difficult for a CEO to initiate a discussion about risk. The question shouldn't be "how safe are we" but rather "how prepared are we." Should a breach happen, which seems inevitable these days, how quickly can the business respond and continue to function? A breach doesn't need to destroy a business.
- The best way to connect with the business on security risk is to correlate it to another risk decision that makes sense to them, for example, battling fraud. No business tries to eliminate 100 percent of fraud, because at some point the cost of eliminating the remaining fraud far exceeds the cost of the remaining fraud itself.
- As a theoretical exercise, most agreed that if you truly did try to achieve 100 percent security, the business would cease to function.
Aug 15, 2019 • 29min

Proactive Security

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-proactive-security/)

How proactive should we be about security? What's the value of threat intelligence vs. just having security programs in place with no knowledge of what attackers are trying to do? Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is AJ Nash, director of cyber intelligence strategy, Anomali.

Thanks to this week’s podcast sponsor, Anomali. Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:

- You can't start a threat intelligence program until you understand your internal threat landscape and business mission.
- Sadly, very few organizations have a good answer to "What and where are your crown jewels, your high-value assets?" But if you can answer that question, your threat intelligence will be far more effective.
- It's possible to understand the internal and external landscape in parallel. But you won't get great value from your intelligence until you understand your environment.
- How do we judge the value of intelligence? It's all about dealing with costs before the "boom" vs. afterwards, because afterwards is far more expensive.
- The reason to invest in threat intelligence is that once you know your assets, and you know what your adversaries are after, you can adjust your defenses accordingly. If your goal is to harden everything, you're going to be very busy. It's not economically or physically possible.
- Make sure you're staffing the threat intelligence and incident response teams properly. This is a common misstep that many shops make.
- If you don't have intelligence, you're doing reactive security, which nobody wants, yet that's what many often end up doing.
Aug 8, 2019 • 25min

ATT&CK Matrix

All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-attck-matrix/)

Is the ATT&CK Matrix the best model to build resiliency in your security team? What is the best way to take advantage of the ATT&CK framework, and how do you square conflicting data coming in from your tools? What can you trust and not trust? And is the disparity of results the fault of the tool, the user, or neither? Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Ian McShane (@ianmcshane), VP, product marketing, Endgame.

Thanks to this week’s podcast sponsor, Endgame. Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com.

On this episode of Defense in Depth, you'll learn:

- The ATT&CK Matrix should be used both strategically and tactically. Use it strategically to understand gaps in your security program. As for tactics, it's great for blue team exercises. When you're being attacked, it helps you understand what's going to happen next.
- You can use the ATT&CK framework even on 0-day viruses. It allows you to focus on the techniques in an attack rather than the specifics of an attack.
- When you're being attacked, be wary of getting conflicting information from your tools. If you have a tool that's constantly producing noise, you have two options: either fix it or dump it.
- The reason two seemingly similar tools are producing different results is that they're taking different paths. Once you understand the paths, you'll understand the variances.
- The goal would be industry standardization, or maybe even a third party to come in and act as middleware to offer standardization. Is that even possible?
Aug 1, 2019 • 25min

Hacker Culture

All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-hacker-culture/)

The hacker community needs a new PR campaign. Far too many people equate hacker with criminal. But hacker is a mindset of how one approaches security. What is that approach, and why are CISOs so attracted to hiring hackers? Check out this post for the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Joseph Menn (@josephmenn), journalist, Reuters, and author of "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World".

Thanks to this week’s podcast sponsor, Trend Micro.

On this episode of Defense in Depth, you'll learn:

- Hacking's definitions are varied, but the one that speaks to all theories is that hacking is critical thinking.
- Hackers don't follow a manual. They look at systems with an open mind.
- Hackers nurture the sense of the inner rebel. They want to truly understand the inner workings of a system.
- Hackers aren't creating havoc; they're exposing problems that are already there. And they do it because it's the only way to get attention to the problem.
- Security professionals understand the value of finding existing problems; that's why they instituted and support bug bounty programs that provide a financial incentive to hack.
- Hackers are not afraid to be challenged.
- If cybersecurity students jump straight from schooling to the corporate world, and they don't have time to explore their desire to hack, they won't have the opportunity to create their own moral code when it comes to hacking.
- It's important for a hacker to discover their moral compass, because there are going to be situations where a hacker will have the opportunity to do bad things without getting caught. How will they handle it?
Jul 25, 2019 • 24min

Bad Best Practices

All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-bad-best-practices/)

All professionals like to glom onto "best practices." But in security, "best" practices may be bad out of the gate, become useless over time, or simply not be appropriate for all situations. Stay tuned, we're about to expose some of the worst "best" practices. Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Yaron Levi (@0xL3v1), CISO, Blue Cross/Blue Shield of Kansas City.

Thanks to this week’s podcast sponsor, Endgame. Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com.

On this episode of Defense in Depth, you'll learn:

- The response "This is how we've always done it" is not a reason to continue a "best" practice.
- One of the most universally bad "best" practices is counting the number of people who fall for a phishing test. Both Allan and Yaron told stories of phishing test reports that could swing wildly based on the type of email sent. CISOs argue that a better metric to track is the number of people who report the phishing email.
- Let employees know that you're going to test them. If you don't, it can be seen as a means to discipline them, which it is not.
- Cybersecurity best practices don't stand the test of time. If a best practice seems off, challenge it by simply asking, "Why?"
- Awareness training should be measured by testing afterwards, not by the number of people who actually took it.
Jul 18, 2019 • 24min

Cyber Harassment

All images and links are available on CISO Series (https://cisoseries.com/defense-in-depth-cyber-harassment/)

Whether it's a jilted lover or someone trying to wield their power over another, cyber harassment takes many forms, and it doesn't stay in the digital world. It comes into our real world and gets very dangerous. What is it and how can it be thwarted? Check out this post and discussion for the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Parry Aftab (@parryaftab), founder of StopCyberbullying Global.

Thanks to this week’s podcast sponsor, Endgame. Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com.

On this episode of Defense in Depth, you'll learn:

- You can be public or anonymous in your effort to stop cyber harassment. If you are public about your efforts, you are putting yourself out there to be a target for harassment yourself. Our guest has received death threats and has also been SWATted.
- Cyber harassment can be devastating to the one who is being attacked. The fear of it can stay with you for years, even after it's been "resolved."
- The traditional response to cyber harassment is to stop, block, and tell. Ignoring is one technique, but it doesn't always work if they're trying to blackmail you.
- Cyber harassers can often just be bored. They're looking for something to do, and sending death threats can be "fun."
- Cyber harassers are looking for attention. It could be a situation of an employee feeling they weren't given the promotion they wanted, or a jilted lover who's looking for revenge.
- One of the best techniques for prevention is early detection. Do regular Google searches of your name and all your online handles to see if someone is starting to mess with your online reputation.
Jun 25, 2019 • 28min

CISO Series One Year Review

Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ciso-series-one-year-review/)

The CISO/Security Vendor Relationship Podcast is now more than a year old. On this episode, the hosts of both podcasts reflect on the series and respond to listeners' critiques, raves, and opinions. Check out this post and this post for the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is the co-host of the CISO/Security Vendor Relationship Podcast, Mike Johnson.

Thanks to this week’s podcast sponsor, Trend Micro.

On this episode of Defense in Depth, you'll learn:

- We provide the definitive story of how the CISO/Security Vendor Relationship Podcast started and how David, Allan, and Mike all connected.
- We've been challenging many of the sales techniques that have essentially irked CISOs. The podcast has become a validation tool for sales people to show to their management and say, "We need to change direction."
- One of the critiques we've heard is the desire to understand more of the sales process. We are actually very much in the dark as to what the different levels of incentives are for sales staff. A security sale is often a long and involved process, and we know the incentives are more involved than just a sales commission. We've actually done webinars that take a look behind the scenes of sales, and we plan to do more.
- Those who feel isolated within their company enjoy hearing the different viewpoints.
- There is actually a real return on investment to listening to our show. Sales people say that they've changed their strategy based on advice on the show, and it has proved to be fruitful.
Jun 25, 2019 • 28min

Economics of Data

All images and links for this episode are available at CISO Series (https://cisoseries.com/defense-in-depth-economics-of-data/)

Do we understand the value of our data? Do our adversaries? And is the way we're protecting it making it too expensive for them to steal? Check out this post and discussion for the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Chip Witt (@rt_clik), head of product strategy for SpyCloud.

Thanks to this week’s podcast sponsor, SpyCloud. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

On this episode of Defense in Depth, you'll learn:

- Understand what your crown jewels are and what is the most important data to protect. Many companies have a hard time answering that question, and they end up trying to protect everything, which can get very costly.
- Be strategic about understanding what it costs to go after your data. Look for ways to automatically protect your assets.
- Most people do not spend a lot of time understanding the underground economy.
- On average, your employees have 207 online accounts. Those seemingly innocuous sites (e.g., fantasy football) can often be used as opportunities to break into your network, and as we know, most people use the same password on multiple accounts.
- Criminal enterprises operate like any other business. They're looking to generate ROI. Make it so there is no ROI, or so it's too difficult to achieve.
- Focus on credential theft. Check your set of users for exposed credentials, because people use weak credentials to access valuable credentials. As a business, you also want to protect your employees' personal accounts from account takeover.
Jun 19, 2019 • 24min

Tool Consolidation

All links and images can be found on CISO Series (https://cisoseries.com/defense-in-depth-tool-consolidation/)

While cybersecurity professionals always want more tools, more often than not they're dealing with too many tools delivering identical services. The redundancy is causing confusion and, more importantly, cost. Why should you pay for it? How does it happen, and how do InfoSec leaders consolidate tools? Check out this post and discussion for the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Adam Glick, vp, cybersecurity, Brown Brothers Harriman.

Thanks to this week’s podcast sponsor, SpyCloud. Learn more about how you can protect employees and customers from account takeover with SpyCloud.

On this episode of Defense in Depth, you'll learn:

- The tools bloat problem does not happen overnight. Often you have no choice with tools bloat. It's a function of the industry: companies add new capabilities and acquire other companies, so you start to get redundancy even if you didn't plan on it.
- You can run into the trap of having excellent independent tools that overlap, and because they're independent and not integrated, you eventually fall on the side of going with the lesser tool because it integrates with other capabilities.
- Best of breed doesn't sit still. It starts to morph and doesn't necessarily remain the best.
- Even if you did a great job consolidating, you can't set it and forget it. Given the industry's behavioral shifts and your growing needs, you'll need to revisit the issue at least once or twice a year.
- You need to do a tools audit. A lot of political issues will come into play, as people will defend the tools they love, built upon, and use. If you can't figure out a way to mediate, you'll need to hire a third party to do the audit and make the assessment.
- Integration is critical. If there aren't APIs or other ways for the tools to communicate, it doesn't matter how awesome the tool is; it will need to be dumped.
