

Defense in Depth
David Spark, Steve Zalewski, Geoff Belknap
Defense in Depth promises clear talk on cybersecurity's most controversial and confusing debates. Once a week we choose one controversial and popular cybersecurity debate and use the InfoSec community's insights to lead our discussion.
Episodes

Dec 12, 2019 • 27min
UX in Cybersecurity
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ux-in-cybersecurity/)

Security products and programs may be functional and work correctly, but are they usable, in the sense that they fit into the work patterns of our users? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Rakesh Patwari (@rakeshpatwari), UX lead, Salesforce and UX instructor at UC Berkeley Extension.

Thanks to this week's podcast sponsor, Enzoic. Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identify accounts at risk and mitigate unauthorized access. Learn more about Enzoic.

On this episode of Defense in Depth, you'll learn:
- There is the path to security you create and the path that your users take, or the desired path. As a security and UX professional you should plan to make those two the same path. If not, your users will take the simpler route and circumvent your security controls.
- Users will always choose the easier path, which is not necessarily the most secure path.
- Security is an "ask." You're requesting users do something, but it's hard to get them to keep doing that "ask" if you don't give them feedback as to the reason or value of the ask.
- Error messages historically provide little to no information to the user and thus no guidance to solve the problem. We often have to go outside of the environment (to a search engine) to find a solution.
- Security professionals need to take on the role of a UX designer, which requires defining work processes by interviewing users, not deciding what you want those processes to be.
- Creating a simple process is far more difficult than creating a complex process.
- Secure processes don't require users to constantly turn functions on and off or go through additional unnecessary steps to get their job done.
- View your users as customers you're trying to sell on your process, rather than dictating a process that will eventually be avoided.

Dec 5, 2019 • 26min
InfoSec Trends for 2020
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-infosec-trends-for-2020/)

We're coming to the end of the year, and that means it's time to make our predictions for 2020. Mark this episode and check back in one year to see how we did. Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest is Rob Potter, chief revenue officer for Verodin.

Thanks to this week's podcast sponsor, Verodin. The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value.

On this episode of Defense in Depth, you'll learn:
- More large-scale breaches is not a prediction. At this stage that's an inevitability.
- ML/AI/Blockchain will continue to be oversold and under-delivered.
- Most cloud breaches are configuration errors. They are not mastermind attacks. They can't be called a breach if they were never secured properly in the first place. Note that cyber insurance does not pay out unless proper protections were in place.
- "Better" cloud and Internet of Things (IoT) security is not possible given how far it's been mismanaged up to this point. There are so many insecure nodes out there that it appears an impossibility to create any type of patch protection. There was strong debate as to whether this was a true statement or not.
- The strongest prediction (and it's already in motion) is the convergence of privacy and security.
- Privacy will be driven by regulations, and as a result more organizations will be instituting chief privacy officers to avoid being in violation.

Nov 21, 2019 • 26min
Cybersecurity Readiness as Hiring Criteria
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-readiness-as-hiring-criteria/)

What if every candidate interviewed was tested on their cybersecurity competency? How would that affect hiring, and how would that affect your company's security? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Greg van der Gaast, head of information security, University of Salford.

Thanks to this week's podcast sponsor, Enzoic. Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identify accounts at risk and mitigate unauthorized access. Learn more about Enzoic.

On this episode of Defense in Depth, you'll learn:
- For all candidates, whether in cybersecurity or not, gauge their current level of cybersecurity awareness.
- There was a time we put knowledge of Microsoft Word and Excel on our resumes. Now you never see it because it's common knowledge. Security knowledge is not common. At this stage it would be seen as a valuable bonus to have it on your resume.
- There are always small things that hiring managers look for to tip the scales in a candidate's favor. Cybersecurity skills should be one of them.
- For candidates who would have the most to gain from cybersecurity awareness, bring in the CISO to ask one or two questions during the hiring process.
- Different departments bounce candidates off each other even if they're not going to be working in a specific department. They want to know how well a person will or won't interface with your department.
- There's a strong fear that adding cybersecurity into the hiring criteria will greatly slow down the hiring process, which could damage business productivity.
- There was much debate around seemingly great candidates, such as an accountant with 20 years of experience, who fail miserably on cyber awareness. Would that raise a red flag?

Nov 14, 2019 • 30min
Cybersecurity and the Media
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-and-the-media/)

Cybersecurity and the media. It rides the line between providing valuable information and feeding the FUD cycle. What's the media's role? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Dave Bittner (@bittner), producer and host of The CyberWire Podcast, Hacking Humans podcast, and Recorded Future podcast.

Thanks to this week's podcast sponsor, Verodin. The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value.

On this episode of Defense in Depth, you'll learn:
- Stop laying blame on the media for negative cybersecurity perceptions. They're acting as a reflection of ourselves, both good and bad.
- When done right, the media can bring much needed attention to issues, most often to enlighten those not in the know.
- A good indicator of the media's success in informing us is when our friends and family, who are not as cyber-savvy, start asking us our thoughts on big security issues.
- A disturbing trend is the media referring to an attack as "sophisticated" when it's often a poorly secured server that was just waiting to be breached. Given this trend, many are eager for the media to demystify these supposedly "advanced" attacks, demonstrating that the rest of us can protect ourselves even if we're not cyber-sophisticated.
- Social engineering demos are often done for the purpose of humor rather than showing how dangerous it can be when we let our guard down.
- Outside of someone like Bruce Schneier, the cybersecurity industry needs the equivalent of a high-profile expert who can speak to the lay person, à la Bill Nye, The Science Guy.

Nov 7, 2019 • 25min
The Cloud and Shared Security
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-the-cloud-and-shared-security/)

When your business enters the cloud, you are transferring risk, but also adding new risk. How do you deal with sharing your security obligations with cloud vendors? Check out this LinkedIn post for the basis of this show's conversation on shared responsibility for security in a digital transformation to the cloud. This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Paul Calatayud (@paulcatalayud), CSO for Americas, Palo Alto Networks.

Thanks to this week's podcast sponsor, Palo Alto Networks. Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you'll learn:
- You have to have a business reason to go to the cloud. Usually it's done as a business imperative in order to stay competitive. Security is rarely the primary reason businesses move to the cloud. It's often an adjunct reason.
- Moving to the cloud may transfer risk, but it also introduces new risk.
- Security professionals have long avoided the cloud because they feel they give up perceived control. If I can't see or touch it, how can I secure it?
- One issue security people need to grapple with during digital transformation and a move to the cloud is what it means to manage risk when you don't own the program.
- Much of the online discussion was about getting your service level agreements (SLAs) in place. But if you're a small- to medium-sized business (SMB), you're going to have a hard, if not impossible, time negotiating.
- Don't lean on SLAs to be your entire risk profile. It's like using insurance as your only means of security.
- Cloud security requires setting up automation guard rails.
- For cloud evolution you'll need a change in talent, and it probably won't be your traditional network engineers.
- Because of performance, privacy, and data protection issues, you're probably going to find your business moving apps in and out of the cloud.
- The Cloud Controls Matrix (CCM), from the Cloud Security Alliance (CSA), is a controls framework designed to help you assess the risk of a cloud security provider.

Oct 31, 2019 • 26min
Is Product Security Improving?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-product-security-improving/)

We've been at this cybersecurity thing for a long time. Are products improving their security? A recent study says they aren't. Check out this tweet and the ensuing discussion for the information on the study and the concerns people have about the history of poor security in consumer-grade networking products. This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Michael L. Woodson (@mlwoodson), CISO, MBTA.

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you'll learn:
- We focus our conversation mostly on consumer products, most notably networking, which was the focus of the relevant study.
- Some basic measurements of security, such as stack guards and buffer overflow protection, showed no noticeable improvement.
- Margins are so slim on consumer products that manufacturers are put in a bind. They can't overcharge and stay competitive, so they have to underdeliver, and often security protections are cut as a result.
- People accept the failures of cybersecurity products by just accepting the end user license agreement (EULA). Be very careful with these agreements. Often a vendor will make outrageous claims, like saying they own the data.
- When we have security incidents, companies are not blamed or liable. What type of pressure would need to be put on manufacturers to get them to improve security? Will it have to be standards, regulations, or government regulations?

Oct 24, 2019 • 27min
Best Starting Security Framework
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-best-starting-security-framework/)

If you were building a security program from scratch, which many of our listeners have done, which framework would be your starting point? Check out this post initiated by Sean Walls, vp, CISO of Visionworks, who asked, "If you were building a security program from scratch, would you align with ISO 27001, NIST CSF, or another framework, and why?" That conversation sparked this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Omar Khawaja (@smallersecurity), CISO, Highmark Health.

Thanks to this week's podcast sponsor, Palo Alto Networks. Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you'll learn:
- When determining a starting security framework, always lead with the "Why?" What are you trying to accomplish and achieve? In some cases you're building a framework to build trust.
- Although most in security take a risk-based approach, that's not always necessary when picking a framework. Frameworks are often very regulatory driven.
- Framework decisions will be built on both internal and external pressures. If you don't have a specific security problem, a specific security solution makes no sense.
- The Secure Controls Framework is a free meta-framework that allows users to pick and choose elements from multiple frameworks.
- Check out Allan Alford's four-year mapping of NIST CSF, CIS CSC 20, and ISO 27001.
- While there are plenty of great frameworks out there, for someone who is truly starting from scratch, many security professionals pointed to the CIS top 20 because it maps to frameworks like NIST and ISO.

Oct 17, 2019 • 28min
Cyber Defense Matrix
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cyber-defense-matrix/)

A simple way to visualize your entire security program and all the tools that support it. Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Sounil Yu (@sounilyu), creator of the Cyber Defense Matrix and former chief security scientist at Bank of America.

Thanks to this week's podcast sponsor, Verodin. The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value.

On this episode of Defense in Depth, you'll learn:
- First, just look at the darn thing and it'll start to make sense.
- The Cyber Defense Matrix's original purpose was to provide a visual way to see where the gaps are in your technology. Users have found many more uses for the matrix, such as seeing those same gaps in people and processes, and trying to map out the vendor landscape.
- By visualizing, you can also see where you have too much, and you can actually get rid of technologies.
- The matrix provides structural awareness of your vulnerabilities.
- The matrix admittedly gets a little wonky when cloud technologies are introduced. They often bleed across categories, not neatly fitting into any specific buckets.

Oct 10, 2019 • 29min
User-Centric Security
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-user-centric-security/)

How can software and our security programs be better architected to get users involved? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Adrian Ludwig, CISO, Atlassian, a customer of our sponsor, Castle.

Thanks to this week's podcast sponsor, Castle. Castle is helping businesses keep customers' online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle's user-centric approach to account security allows organizations to fully automate threat response and account recovery in real time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:
- It's impossible to create a security system that removes the user from the equation. They are integral, and they have to be part of your security program.
- Security is defined by the individual. The minimum expectation you can have of your users is that they'll operate in good faith.
- Avoid complexity, because as soon as it's introduced it drives problems everywhere. Instead, keep asking yourself, how can I make security more usable?
- Individuals are suffering from alert fatigue. If you're going to send an alert to a user, make it relevant and actionable. And always be aware that your security alerts are not the only alerts the user is seeing and deciding whether or not to act on. Think about all the alerts you completely ignore, like the confidentiality warning in a corporate email.
- One of the main problems with security is that the party who suffers is not the one who has to act. The user often does not have any stake in the goods he/she is protecting.

Oct 3, 2019 • 32min
Securing the New Internet
All links and images from this episode can be found at CISO Series (https://cisoseries.com/defense-in-depth-securing-the-new-internet/)

If you could re-invent the entire Internet, starting all over again with security in mind, what would you do? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Davi Ottenheimer (@daviottenheimer), who happens to be working on this project with Tim Berners-Lee at Inrupt to create a new Internet and secure it.

Thanks to this week's podcast sponsor, Castle. Castle is helping businesses keep customers' online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle's user-centric approach to account security allows organizations to fully automate threat response and account recovery in real time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:
- Much of the advice on how to secure the Internet focused on just improving known protocols such as SMTP, IPv6, and TCP/IP. Is that limited thinking or not?
- Creating a new Internet has a lot of political and socioeconomic issues connected to it, so you have to consider either relative updates (changing existing protocols) or absolute updates (reinventing and trashing existing protocols).
- One suggestion was dynamic port assignments, which was an interesting tip, but it runs into the issue that at some point someone needs to know where you're communicating.
- The future of identity is that it's not controlled by one entity. But the solution is not blockchain. That's essentially a spreadsheet of information, and banking on a spreadsheet or blockchain would not be wise.
- Another suggestion was to create a data-centric approach to the Internet, but this would put a massive load on the endpoints.
- One core philosophy of securing the new Internet is creating a system where each individual can own their own data and grant rights to others to use it, rather than being beholden to the rights others give us to manage our own data.
- Our favorite suggestion was about looking to biomimicry and our millions of years of evolution to help us build an Internet that could learn to evolve on its own. The issue is that history has given us tectonic shifts that come all at once and don't necessarily evolve gradually. Could a security system be built to adapt in that manner?

Creative Commons photo attribution to Joybot.


