Defense in Depth

Links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-camry-security/) The Camry is not the fastest car, nor is it the sexiest. But, it is one of the most popular cars because it delivers the best value. When CISOs are looking for security products, are they also shopping for Camry's instead of "best of breed" Cadillacs? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Lee Vorthman (@leevorthman), sr. director, global security engineering and architecture, Pearson. Thanks to this week’s podcast sponsor, SpyCloud. Learn more about how you can protect employees and customers from account takeover with SpyCloud. On this episode of Defense in Depth, you'll learn: CISOs have budgets and they simply can't purchase the most expensive and best option for every InfoSec need. Good enough is often exactly what they want. It's often not possible to take advantage of all the features on a Cadillac-type security product. So you end up paying for shelfware, or tools that never end up being used. The tool's complexity factors into the cost. This is often an argument against open source software which has been branded, most often by the proprietary software community, as "tough to use." Each tool creates a new demand on your staff in terms of time and complexity. What new costs are you introducing by acquiring and deploying a new tool? "Best of breed" everything can also turn into an integration nightmare. If you don't need everything a company is trying to offer, try to de-scope the requirements. Some companies are so big that they have no choice but to purchase the Cadillac for everything since so many departments will need access to the tool. It's far too complicated to create an RFP that takes into account everyone's needs. To speed access to the tool these large companies just get the product that "does everything" and then let all the departments "have at it" once it's available for use.  

All links and images can be found on CISO Series (https://cisoseries.com/defense-in-depth-amplifying-your-security-posture/) In security, you never have enough of anything. But the scarecest resource are dedicated security people. When you're running lean, what are some creative ways and techniques to improve overall security? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Matt Southworth (@bronx), CISO of Priceline. Thanks to this week’s podcast sponsor, SecurityBridge Advanced cybersecurity for SAP, from codebase to production. Powered by anomaly detection, detect threats in real-time so that they can be remediated before any harm is done. Eliminate false-positives and focus on actionable intelligence. Ensure compliance with direction to actual vulnerabilities, with amazing intelligence dashboards guiding remediation. On this episode of Defense in Depth, you'll learn: When you manage too many people you get to a point of saturation. Are you doing security or are you managing people? Core success comes from looking outside your immediate staff for security help. Most common programs are Security Champions and Security Prime. The first are just people outside of the InfoSec team who really want to learn about security, and the Prime players are actually implementing it. Look for ways to reduce overheard in terms of paperwork, meetings, and unnecessary programs. If what you're doing is not helping, stop doing it. Empower individuals to make their own decisions about security without the chain of command of approvals. Avoid giving orders, because once you do you'll always be called into a meeting on that topic. Use artificial intelligence (AI) to take work off of the security operations center (SOC) and incident response team. The "lazy" sysadmin who automates all his tasks is a highly productive member. Communicate to everyone that security requires the entire company's support, not just the security staff. And here's Jan Schaumann's presentation at BsidesNYC 2016 entitled "Defense at Scale". Matt mentioned it on the show.  

All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-erp-security/) For most organizations, their ERP solution holds its crown jewels. Should custom and complex applications that trade such vital customer and corporate data be secured any differently? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Branden Newman, CISO, adidas, brought to us by our sponsor, SecurityBridge. Thanks to this week’s podcast sponsor, SecurityBridge Advanced cybersecurity for SAP, from codebase to production. Powered by anomaly detection, detect threats in real-time so that they can be remediated before any harm is done. Eliminate false-positives and focus on actionable intelligence. Ensure compliance with direction to actual vulnerabilities, with amazing intelligence dashboards guiding remediation. On this episode of Defense in Depth, you'll learn: The volume of log files are so overwhelming from an ERP system that most security groups just turn them off. The reason you want an ERP-specific security solution is that they handle a lot of the log management and customization for you. You'll still need to do plenty of customization on your part, but these tools take away a lot of the heavy lifting. Make sure you're on a first-name basis with all the key people whose departments are in the ERP system. You're going to need their support and knowledge to build out the effective ERP solution matrix. If you have ERP or SAP installed, move an ERP-specific security solution to the front of your security maturity program.  

All links and images from this episode can be found at CISO Series (https://cisoseries.com/defense-in-depth-managing-obsolete-yet-business-critical-systems/) Obsolete systems that are critical to your business. They're abandoned, unpatchable and unmanaged. We've all got them, and often upgrading is not an option. What do you do? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Mitch Parker (@mitchparkerCISO), Exec. Director, InfoSec and Compliance, Indiana University Health. Thanks to this week’s podcast sponsor, SecurityBridge Advanced cybersecurity for SAP, from codebase to production. Powered by anomaly detection, detect threats in real-time so that they can be remediated before any harm is done. Eliminate false-positives and focus on actionable intelligence. Ensure compliance with direction to actual vulnerabilities, with amazing intelligence dashboards guiding remediation. On this episode of Defense in Depth, you'll learn: This issue appears to affect every security and IT person. At one time they've all had to deal with it. Obsolete technology should not be treated like any new technology. It needs to be isolated. Lots of great advice from the community regarding containing the outdated technology through firewalls, air gapping, segmenting, virtual machines, and a jump box. Constantly measure the risk of not just intrusion of the outdated technology, but the cost of keeping the thing running as you can't rely on outside support or updates. As you're reporting the risk, constantly push for solutions to end reliance on this outdated technology. The obsolete technology is often an expensive and critical piece of hardware that's difficult if not impossible to replace. The UK National Cyber Security Center has some great guidance on what to do with obsolete platforms.  

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-hiring/) Everyone needs more security talent, but what kind of talent, how specialized, and what kind of pressure is hiring requirements putting on security professionals? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is one our favorite InfoSec gadflies, Greg van der Gaast. Thanks to this week’s podcast sponsor, Morphisec Detection-based security technologies are by definition reactive, responding to threats after they’ve hit. Morphisec takes an offensive strategy to advanced attacks, dismantling the attack pathways to prevent an attack from ever landing. No detection, no hunting, no clean-up. Watch the on-demand webinar to see how it works. More at www.morphisec.com. On this episode of Defense in Depth, you'll learn: Specialization also veers towards simplifying as Greg said, "A lot of middle of the road positions are being narrowed and dumbed down in a push towards commoditization." Is the collection of so many tools pushing us to more specialization? Have we created our own hiring problem? There are needs for specialists and generalists in cybersecurity. The issue is where do you find the balance from the creation of your toolset to your hiring? Too many open positions for security analysts which isn't a defined role. Sometimes there's an inherent laziness in hiring managers just wanting "a security person" and not understanding their environment as to what they really need. Greg notes that "you can often tell how broken an infosec organisation is just by looking at the job roles they're looking to fill and the job descriptions." If you're developing a tech stack and then looking for people to manage it, that is the reverse way you should be building a security program. Students are eager to learn, but degrees are useless when companies are hiring for specific tools.

Find images and links for this episode on CISO Series (https://cisoseries.com/defense-in-depth-how-cisos-discover-new-solutions/) Are security professionals so burned out by aggressive cybersecurity marketing that they're giving up on discovering new and innovative solutions? What are the best ways for cyber professionals to discover new solutions? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel.  Our guest for this episode is Yaron Levi (@0xl3v1), CISO, Blue Cross and Blue Shield of Kansas City. Thanks to this week’s podcast sponsor, ComplianceForge ComplianceForge is a business accelerator. ComplianceForge offers a full-stack of cybersecurity documentation that ranges from policies and standards, to controls, metrics, procedures and program-level documentation to provide evidence of due diligence in managing risk, vulnerabilities, secure design and other pertinent areas that requires clear and concise documentation. On this episode of Defense in Depth, you'll learn: The two tactics of carpet bombing with marketing emails and cold calls are universally hated, but they must produce results and that's why they continue. If a CISO wants to discover new solutions, they must expose themselves somehow to what's out there. New solutions aren't magically going to land in your lap. Many CISOs rely on their networks of CISOs but that can limit your thinking if none of the CISOs are willing to venture outside of the group. Don't rely on your own discovery. Task your staff members to do it as well. Encourage and reward the showing of new ideas to the group which can and will foster disruption and innovation. You need a trusted partner, a reseller, or a vendor who can be your eyes and ears. Finding that trusted partner doesn't come easily, but when you find it, hold onto it because you're going to need them. Your trusted partner should be proactive about giving you quarterly updates. Large conferences and vendor emails act as touch points, but they don't act as a valuable source of information. Engage in smaller local conferences where you can meet and build trust with your local experts. If you do go to a large conference, and you walk the trade show floor, aim for the edges where you find the smaller companies. Best advice for CISOs was to create a form for vendors to fill out if they want the chance to meet with you. Yelp-like review sites have questionable credibility, but they are a touch point in tool discovery. Lean on podcasts and discussion groups, such as Slack.

Find all links and images from this episode on CISO Series (https://cisoseries.com/defense-in-depth-is-the-cybersecurity-industry-solving-our-problems/) Is the cybersecurity industry solving our problems? We've got lots of new entrants. Are they doing anything new, or just doing the same thing slightly better? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel.  Our guest this week is Taylor Lehmann (@BostonCyberGuy), CISO, Wellforce. Thanks to this week’s podcast sponsor, Remediant Eighty one percent of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant's SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment. On this episode of Defense in Depth, you'll learn: Industry is just growing symptoms to core issues. The cybersecurity industry is motivated by marketplace which justifies investment. As one might expect many security solutions are just hyped rather than built on innovations. While many of our listeners are rather savvy, we expect most purchases are reactive rather proactive. And if this continues, then the profit-minded vendors will still deliver reactive-based solutions. We've got a radical increase in problems. We're just chasing the problems by spending more money. Security people know that the solution is people, process, and technology, but far too often we're looking for a 'box' to solve our problems. We don't look at the tougher challenge of people and processes. So much of the security market is reactive in its purchase decision. To improve your success rate in cybersecurity you need to be forward-thinking about building out your security program and your spend. One area of opportunity that not enough companies are taking advantage of is offering dramatically cheaper solutions than alternatives even though they don't perform as well. There is a definite market for those types of solutions. We always lean on security products to solve our problems rather looking internally at our people and processes. There is always a losing comparison between attackers and defenders. An attacker can come up with a new variant of attack in minutes to hours. Defenders in enterprises often take months to implement patches for known vulnerabilities.

This is a special episode of Defense in Depth being shared on this feed. Find the full post with links and images on the CISO Series site here (https://cisoseries.com/defense-in-depth-vulnerability-management/) So many breaches happen through ports of known vulnerabilities. What is the organizational vulnerability in vulnerability management? Check out this post and discussion and this one for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Justin Berman (@justinmberman), CISO for Zenefits. Vulcan’s vulnerability response automation platform allows enterprises to automate their TVM programs. Vulcan integrates to existing IT DevOps and security tools to fuse enterprise data with propriety intelligence which allows to accurately and subjectively priorities and remediate vulnerabilities - either using a patch workaround or compensating control. On this episode of Defense in Depth, you'll learn: As the CIS 20 concurs, vulnerability management is the first security measure you should take right after asset inventory. Vulnerability management needs to be everyone's issue and managed by all departments. Lots of discussion around vulnerability management being driven by culture which is a very hard concept to define. To get a "vulnerability management culture" look to a combination of awareness and risk management. Vulnerabilities don't get patched and managed without someone taking on ownership. Without that, people are just talking and not doing. Increased visibility across the life cycle of a vulnerability will allow all departments to see the associated risk. Who are the risk owners? Once you can answer that questions you'll be able to assign accountability and responsibility.

If you can't see all the show notes (with images and links) head here: https://cisoseries.com/defense-in-depth-privileged-access-management-pam/ Where does privileged access management (PAM) fit in the order of operations? Check out this post and discussion and this one for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our sponsored guest for this episode is Tim Keeler, CEO and co-founder of Remediant. Thanks to this week’s podcast sponsor, Remediant Eighty one percent of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant's SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment. On this episode of Defense in Depth, you'll learn: Privileged access management is designed to control lateral movement when an intruder gets legitimate access to your network. You can't protect what you don't know. A privileged access management program is ineffective without complete asset inventory and classification. Don't wait to begin instituting a PAM solution. It's unrealistic to believe you'd have a complete inventory right away that you could begin PAM. You'll probably have to work with what you've got. It's a moving target for all. It may be an incomplete target as well... at the beginning. Two-factor authentication (2FA) has a role. It can help with both initial intrusion and escalation. PAM's role is more refined with its ability to prevent escalation. One of the debated issues was how does PAM negatively affect the user experience. Concerns of pushback and productivity issues resulted in companies refusing to implement 2FA or PAM.

Full post for this episode (https://cisoseries.com/defense-in-depth-machine-learning-failures/) Is garbage in, garbage out the reason for machine learning failures? Or is there more to the equation? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Davi Ottenheimer (@daviottenheimer), product security for MongoDB. Thanks to this week’s podcast sponsor, Remediant 81% of cyberattacks utilize stolen administrative credentials. Yet, legacy enterprise password vaults solve only a fraction of the problem and are difficult to rollout. Remediant's SecureONE takes a new approach to privileged access management: offering agent-less, vault-less, continuous detection and just-in-time-administration. Learn what Remediant can do in a half-day POC deployment. On this episode of Defense in Depth, you'll learn: Don't fall victim to believing that success and failure of machine learning is isolated to just garbage in/garbage out. It's far more nuanced than that. Some human actually has to determine what is considered garbage in and what is not. It only takes a very small amount of data to completely corrupt and ruin machine learning data. This knowledge of small infection can spread and corrupt all of the data and can have political and economic motivations to do just that. We have failures in human intervention. Machine learning can just magnify that at rapid rates. While there are many warning signs that machine learning can fail, and we have the examples to back it up, many argue that competitive environments don't allow us to ignore it. We're in a use it or lose it scenario. Even when you're aware of the pitfalls, you may have no choice but to utilize machine learning to accelerate development and/or innovation.