

Defense in Depth
David Spark, Steve Zalewski, Geoff Belknap
Defense in Depth promises clear talk on cybersecurity's most controversial and confusing debates. Once a week we choose one controversial and popular cybersecurity debate and use the InfoSec community's insights to lead our discussion.
Episodes

Sep 26, 2019 • 26min
Resiliency
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-resiliency/)

How fortified is the business to withstand cyberattacks? Can it absorb the impact of the inevitable hits? Would understanding the business' level of resilience provide the appropriate guidance for our security program?

Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Anne Marie Zettlemoyer, VP, security engineering and divisional security officer, MasterCard.

Thanks to this week's podcast sponsor, Castle. Castle is helping businesses keep customers' online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle's user-centric approach to account security allows organizations to fully automate threat response and account recovery in real time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:
- Resiliency allows the business to perform in conjunction with risk.
- A conversation about resilience forces security to think about business processes and the criticality of each one to the business' ability to sustain itself.
- We're forcing ourselves to think proactively when we have no choice but to react, hopefully automatically. Disaster recovery (DR) and business continuity planning (BCP) come into play here.
- There's a concern that of the CIA (confidentiality, integrity, and availability) triad, "integrity" doesn't have enough outside forces to ensure its credibility.
- While security teams may just be coming up to speed, or are just starting to think about resiliency, the business has been thinking about it since day one of becoming a business. If security begins thinking this way, they will be more in alignment with the business.

And here are some items Anne Marie mentioned at the end of the show: Cybersecurity Talent Initiative, GCA Cybersecurity Toolkit.

Sep 19, 2019 • 26min
Ransomware
All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ransomware/)

Why is ransomware so prevalent? Why are so many getting caught in its net? And what are some of the best tactics to stop its scourge?

Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Brian Vecci (@BrianTheVecci), field CTO, Varonis.

Thanks to this week's podcast sponsor, Varonis. The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab.

On this episode of Defense in Depth, you'll learn:
- The ability to exploit stolen data takes work. Ransomware requires no such knowledge.
- Ransomware targets the lowest common denominator, just data in general. The attackers often don't need to know much about the data.
- Ransomware is extremely dangerous when it goes after shared data, which probably isn't being monitored.
- The more savvy ransomware criminals can lie dormant in a system, learn where the most valuable data is, and work out how much a company can pay.
- The solution to fighting back requires one to understand that ransomware targets people and files. It's the combination of the two that makes ransomware particularly dangerous.
- Your best bet to mitigate ransomware's damage is to limit users' file access. Not all users need to be able to access everything at all times.
- Many security professionals believe the solution to ransomware is just good security hygiene and patching. While patching does narrow your attack surface, it doesn't make you immune to ransomware.
- Unlike most cybercrime, ransomware is noisy. The attackers want you to know that they're there so you'll pay up.

Sep 12, 2019 • 28min
Top CISO Communication Issues
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-top-ciso-communication-issues/)

Understanding risk. Communicating with the board. Getting others to understand and care about security. What is the most vexing cybersecurity issue for a CISO?

Check out this post by Kate Fazzini, cybersecurity reporter for CNBC, for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Mark Eggleston (@meggleston), CISO, Health Partners Plans.

Thanks to this week's podcast sponsor, Varonis. The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab.

On this episode of Defense in Depth, you'll learn:
- Communication starts with engaging people where they work.
- CISOs can't have any long-term success selling fear, uncertainty, and doubt (AKA "FUD").
- CISOs need to focus on people skills. If a CISO is going to be rolling out a solution, it's going to be in his/her hands to get others to adopt it.
- Successful CISOs integrate the community into their thinking.
- While CISOs want to be proactive, you can't be purely proactive or reactive. It's always a blend.
- The best start for a CISO is to get the C-suite and board to listen and understand.
- Not only do CISOs need to have conversations about risk, they need to document it and revisit it.
- Look at where the company is making money by examining the 10-Q report. See where you can apply risk analysis to all of those revenue streams.
- Whenever a FUD-like headline appears, the C-suite and board will see it. Don't let them fall into the trap of absorbing the hype. CISOs need to show how they're handling such situations and how they would respond if something similar happened to them.
- Top issues for CISOs include having a clear understanding of who owns what risk. And more importantly, individual contributors should acknowledge their specific role in the overall security program.

Sep 5, 2019 • 25min
Cybersecurity Excuses
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-excuses/)

"I've got all the security I need." "I'm not a target for hackers." These are just a few of the many rationalizations companies make when they're in denial of cyberthreats. Why are these excuses still prevalent, and how should a cyber professional respond?

Check out this post by Ian Murphy, co-founder of LMNTRIX, for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers.

Thanks to this week's podcast sponsor, Varonis. The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab.

On this episode of Defense in Depth, you'll learn:
- Security professionals must endure an endless string of excuses for not improving a security program. On this episode, the ones we saw fall into four categories: "What I've got is good enough", "Denial", "False safety net", and "Costs too much time/money".
- Never rest on what you've got today. Today's configuration is tomorrow's vulnerability.
- Security is a process, not an end state. There are always issues because humans are involved.
- Small companies may not have a huge payout, but their defenses are usually weaker, making them an easy score. A bunch of small companies add up to a big one.
- If you have not invested well in a good security program, you are already breached and don't know it.
- As this show's title explains, you can't rely on a single layer of defense (e.g., a firewall) to protect you.
- No CISO is complaining that they're spending too much on security.
- A great security partner is awesome, but you don't hand off your security to someone else. It's a shared responsibility.
- Don't rely on cyber insurance, in the same way you don't leave your front door unlocked even though you've got home insurance.

Aug 29, 2019 • 26min
Employee Hacking
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-employee-hacking/)

A cyber professional needs their staff, non-IT workers, and the board to take certain actions to achieve the goals of their security program. Should a CISO use the hacking mindset on their own people?

Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Yael Nagler (@MavenYael), consultant.

Thanks to this week's podcast sponsor, Anomali. Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:
- Employee hacking is an effort to get employees to do what you need them to do in order to pull off your security program.
- There's a grand debate as to whether you should be hacking employees (use the tools you've got) or working with them (don't trick).
- Many listeners likened this motivation technique to sales persuasion methods. But those methods are focused on getting individuals to take a single action: to purchase. This is not the case for a CISO, who must change a wide-ranging set of behaviors that are often not connected to individual desires.
- To complicate matters even more, a CISO must sell a process and culture change, NOT a product.
- It's not easy to change human behavior. Manipulation is a tainted word. You need to respect differences and find common ground to motivate employees to care enough to stay with a security program.
- One way to get people to care about security is to explain internally what big security news items have to do with your business, and how a similar breach could or couldn't happen to your business.
- While you're trying to win someone over, it's not a selfish interest. It's of interest to the individual and the company. It's just that the individual has to understand why they're changing behavior and see value in making that change.

Aug 22, 2019 • 25min
100% Security
100% Security. A great idea that's impossible to achieve. Regardless, CEOs are still asking for it. How should security people respond? We'll also discuss the philosophical implications of 100% security.

Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Rich Friedberg (@richf321), CISO, Blackbaud.

Thanks to this week's podcast sponsor, Anomali. Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:
- Even though security people learned a long time ago that 100 percent security is not achievable if you still want to run a business, CEOs are still asking their security departments to deliver it.
- The most common response to the 100 percent security request is to point out that nothing in business is 100 percent. Everything is a type of risk.
- Pointing out that everything is a risk doesn't necessarily endear a CISO to the security department. Instead, use empathy and try to understand what they are really asking when they make the 100 percent security request.
- It's often difficult for a CEO to initiate a discussion about risk.
- The question shouldn't be "how safe are we?" but rather "how prepared are we?" Should a breach happen, which seems inevitable these days, how quickly can the business respond and continue to function? A breach doesn't need to destroy a business.
- The best way to connect with the business on security risk is to correlate it to another risk decision that makes sense to them. For example, battling fraud. No business tries to eliminate 100 percent of fraud, because at some point the cost to eliminate the remaining fraud far exceeds the cost of the remaining fraud.
- As a theoretical exercise, most agreed that if you truly did try to achieve 100 percent security, the business would cease to function.

Aug 15, 2019 • 29min
Proactive Security
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-proactive-security/)

How proactive should we be about security? What's the value of threat intelligence vs. just having security programs in place with no knowledge of what attackers are trying to do?

Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is AJ Nash, director of cyber intelligence strategy, Anomali.

Thanks to this week's podcast sponsor, Anomali. Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:
- You can't start a threat intelligence program until you understand your internal threat landscape and business mission.
- Sadly, very few organizations have a good answer to "What and where are your crown jewels, your high-value assets?" But if you can answer that question, your threat intelligence will be far more effective.
- It's possible to understand the internal and external landscape in parallel. But you won't get great value from your intelligence until you understand your environment.
- How do we judge the value of intelligence? It's all about dealing with costs before the "boom" vs. afterwards, because afterwards is far more expensive.
- The reason to invest in threat intelligence is that once you know your assets, and you know what your adversaries are after, you can adjust your defenses accordingly.
- If your goal is to harden everything, you're going to be very busy. It's not economically or physically possible.
- Make sure you're staffing the threat intelligence and incident response teams properly. This is a common misstep that many shops make.
- If you don't have intelligence, you're doing reactive security, which nobody wants, yet that's what many often end up doing.

Aug 8, 2019 • 25min
ATT&CK Matrix
All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-attck-matrix/)

Is the ATT&CK Matrix the best model to build resiliency in your security team? What is the best way to take advantage of the ATT&CK framework, and how do you square away conflicting data coming in from your tools? What can you trust and not trust? And is the disparity of results the fault of the tool, the user, or neither?

Check out this post and this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Ian McShane (@ianmcshane), VP, product marketing, Endgame.

Thanks to this week's podcast sponsor, Endgame. Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com.

On this episode of Defense in Depth, you'll learn:
- The ATT&CK Matrix should be used both strategically and tactically. Use it strategically to understand gaps in your security program. As for tactics, it's great for blue team exercises. When you're being attacked, it helps you understand what's going to happen next.
- You can use the ATT&CK framework even on zero-day malware. It allows you to focus on the techniques in an attack rather than the specifics of an attack.
- When you're being attacked, be wary of getting conflicting information from your tools. If you have a tool that's constantly producing noise, you have two options: either fix it or dump it.
- The reason two seemingly similar tools are producing different results is that they're taking different paths. Once you understand the paths, you'll understand the variances.
- The goal would be industry standardization, or maybe even a third party coming in to act as middleware and offer standardization. Is that even possible?

Aug 1, 2019 • 25min
Hacker Culture
All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-hacker-culture/)

The hacker community needs a new PR campaign. Far too many people equate hacker with criminal. But hacker is a mindset, a way of approaching security. What is that approach, and why are CISOs so attracted to hiring hackers?

Check out this post for the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Joseph Menn (@josephmenn), journalist, Reuters, and author of "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World".

Thanks to this week's podcast sponsor, Trend Micro.

On this episode of Defense in Depth, you'll learn:
- Hacking's definitions are varied, but the one that speaks to all theories is that hacking is critical thinking.
- Hackers don't follow a manual. They look at systems with an open mind.
- Hackers nurture the sense of the inner rebel. They want to truly understand the inner workings of a system.
- Hackers aren't creating havoc, they're exposing problems that are already there. And they do it because it's the only way to get attention to the problem.
- Security professionals understand the value of finding existing problems; that's why they instituted and support bug bounty programs that provide a financial incentive to hack.
- Hackers are not afraid to be challenged.
- If cybersecurity students jump straight from schooling to the corporate world, and they don't have time to explore their desire to hack, they won't have the opportunity to create their own moral code when it comes to hacking.
- It's important for a hacker to discover their moral compass, because there are going to be situations where a hacker will have the opportunity to do bad things without getting caught. How will they handle it?

Jul 25, 2019 • 24min
Bad Best Practices
All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-bad-best-practices/)

All professionals like to glom onto "best practices." But in security, "best" practices may be bad out of the gate, become useless over time, or not be appropriate for all situations. Stay tuned, we're about to expose some of the worst "best" practices.

Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Yaron Levi (@0xL3v1), CISO, Blue Cross/Blue Shield of Kansas City.

Thanks to this week's podcast sponsor, Endgame. Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com.

On this episode of Defense in Depth, you'll learn:
- The response "This is how we've always done it" is not a reason to continue a "best" practice.
- One of the most universally bad "best" practices is counting the number of people who fall for a phishing test. Both Allan and Yaron told stories of phishing test reports that could swing wildly based on the type of email sent.
- CISOs argue that a better metric to track is the number of people who report the phishing email.
- Let employees know that you're going to test them. If you don't, it can be seen as a means to discipline them, which it's not.
- Cybersecurity best practices don't stand the test of time. If a best practice seems off, challenge it by simply asking, "Why?"
- Awareness training should be measured by testing afterwards, not by the number of people who actually took it.


