

Defense in Depth
David Spark, Steve Zalewski, Geoff Belknap
Defense in Depth promises clear talk on cybersecurity's most controversial and confusing debates. Once a week we choose one controversial and popular cybersecurity debate and use the InfoSec community's insights to lead our discussion.
Episodes

May 1, 2019 • 30min
Is the Cybersecurity Industry Solving Our Problems?
Find all links and images from this episode on CISO Series (https://cisoseries.com/defense-in-depth-is-the-cybersecurity-industry-solving-our-problems/).
Is the cybersecurity industry solving our problems? We've got lots of new entrants. Are they doing anything new, or just doing the same thing slightly better?
Check out this post and discussion for the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest this week is Taylor Lehmann (@BostonCyberGuy), CISO, Wellforce.
Thanks to this week's podcast sponsor, Remediant. Eighty-one percent of cyberattacks utilize stolen administrative credentials. Yet legacy enterprise password vaults solve only a fraction of the problem and are difficult to roll out. Remediant's SecureONE takes a new approach to privileged access management, offering agent-less, vault-less, continuous detection and just-in-time administration. Learn what Remediant can do in a half-day POC deployment.
On this episode of Defense in Depth, you'll learn:
The industry is just treating the symptoms of core issues. The cybersecurity industry is motivated by a marketplace that justifies investment.
As one might expect, many security solutions are just hyped rather than built on innovations.
While many of our listeners are rather savvy, we expect most purchases are reactive rather than proactive. And if this continues, profit-minded vendors will keep delivering reactive solutions.
We've got a radical increase in problems. We're just chasing the problems by spending more money.
Security people know that the solution is people, process, and technology, but far too often we're looking for a "box" to solve our problems. We don't look at the tougher challenge of people and processes.
So much of the security market is reactive in its purchase decisions. To improve your success rate in cybersecurity you need to be forward-thinking about building out your security program and your spend.
One area of opportunity that not enough companies are taking advantage of is offering dramatically cheaper solutions than the alternatives, even though they don't perform as well. There is a definite market for those types of solutions.
We always lean on security products to solve our problems rather than looking internally at our people and processes.
There is always a losing comparison between attackers and defenders. An attacker can come up with a new variant of an attack in minutes to hours. Defenders in enterprises often take months to implement patches for known vulnerabilities.

Apr 25, 2019 • 21min
Vulnerability Management
This is a special episode of Defense in Depth being shared on this feed. Find the full post with links and images on the CISO Series site here (https://cisoseries.com/defense-in-depth-vulnerability-management/).
So many breaches happen through ports of known vulnerabilities. What is the organizational vulnerability in vulnerability management?
Check out this post and discussion and this one for the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Justin Berman (@justinmberman), CISO for Zenefits.
Vulcan's vulnerability response automation platform allows enterprises to automate their TVM programs. Vulcan integrates with existing IT, DevOps and security tools to fuse enterprise data with proprietary intelligence, which allows it to accurately and subjectively prioritize and remediate vulnerabilities, either using a patch, a workaround or a compensating control.
On this episode of Defense in Depth, you'll learn:
As the CIS 20 concurs, vulnerability management is the first security measure you should take right after asset inventory.
Vulnerability management needs to be everyone's issue and managed by all departments.
There was lots of discussion around vulnerability management being driven by culture, which is a very hard concept to define. To get a "vulnerability management culture," look to a combination of awareness and risk management.
Vulnerabilities don't get patched and managed without someone taking on ownership. Without that, people are just talking and not doing.
Increased visibility across the life cycle of a vulnerability will allow all departments to see the associated risk.
Who are the risk owners? Once you can answer that question, you'll be able to assign accountability and responsibility.

Apr 17, 2019 • 25min
Privileged Access Management
If you can't see all the show notes (with images and links), head here: https://cisoseries.com/defense-in-depth-privileged-access-management-pam/
Where does privileged access management (PAM) fit in the order of operations?
Check out this post and discussion and this one for the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our sponsored guest for this episode is Tim Keeler, CEO and co-founder of Remediant.
Thanks to this week's podcast sponsor, Remediant. Eighty-one percent of cyberattacks utilize stolen administrative credentials. Yet legacy enterprise password vaults solve only a fraction of the problem and are difficult to roll out. Remediant's SecureONE takes a new approach to privileged access management, offering agent-less, vault-less, continuous detection and just-in-time administration. Learn what Remediant can do in a half-day POC deployment.
On this episode of Defense in Depth, you'll learn:
Privileged access management is designed to control lateral movement when an intruder gets legitimate access to your network.
You can't protect what you don't know. A privileged access management program is ineffective without complete asset inventory and classification.
Don't wait to begin instituting a PAM solution. It's unrealistic to believe you'd have a complete inventory right away with which you could begin PAM. You'll probably have to work with what you've got. It's a moving target for all. It may be an incomplete target as well... at the beginning.
Two-factor authentication (2FA) has a role. It can help with both initial intrusion and escalation. PAM's role is more refined, with its ability to prevent escalation.
One of the debated issues was how PAM negatively affects the user experience. Concerns about pushback and productivity issues have resulted in companies refusing to implement 2FA or PAM.

Apr 10, 2019 • 32min
Machine Learning Failures
Full post for this episode (https://cisoseries.com/defense-in-depth-machine-learning-failures/).
Is garbage in, garbage out the reason for machine learning failures? Or is there more to the equation?
Check out this post and discussion for the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Davi Ottenheimer (@daviottenheimer), product security for MongoDB.
Thanks to this week's podcast sponsor, Remediant. 81% of cyberattacks utilize stolen administrative credentials. Yet legacy enterprise password vaults solve only a fraction of the problem and are difficult to roll out. Remediant's SecureONE takes a new approach to privileged access management, offering agent-less, vault-less, continuous detection and just-in-time administration. Learn what Remediant can do in a half-day POC deployment.
On this episode of Defense in Depth, you'll learn:
Don't fall victim to believing that the success and failure of machine learning is isolated to just garbage in/garbage out. It's far more nuanced than that. Some human actually has to determine what is considered garbage in and what is not.
It only takes a very small amount of data to completely corrupt and ruin machine learning data. Knowing that a small infection can spread and corrupt all of the data, actors with political and economic motivations may do just that.
We have failures in human intervention. Machine learning can just magnify that at rapid rates.
While there are many warning signs that machine learning can fail, and we have the examples to back it up, many argue that competitive environments don't allow us to ignore it. We're in a use-it-or-lose-it scenario. Even when you're aware of the pitfalls, you may have no choice but to utilize machine learning to accelerate development and/or innovation.

Apr 4, 2019 • 23min
Software Fixing Hardware Problems
The full post (if you're not seeing links and images) can be found here (https://cisoseries.com/defense-in-depth-software-fixing-hardware-problems/).
As we have seen with the Boeing 737 MAX crashes, when software tries to fix hardware flaws, it can turn deadly. What are the security implications?
Check out this post and discussion for the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Dan Glass (@djglass), former CISO for American Airlines.
Thanks to this week's podcast sponsor, Unbound Tech. Founded in 2014, Unbound Tech equips companies with the first pure-software solution to protect cryptographic keys, ensuring they never exist anywhere in complete form. By eliminating the burden of hardware solutions, keys can be distributed across any cloud, endpoint or server to offer a new paradigm for security, privacy and digital innovation.
On this episode of Defense in Depth, you'll learn:
The reason the Boeing 737 MAX airplane crashes are such a big story is that airplanes don't usually crash, because the airline industry is ingrained in a culture of safety. Even though safety culture is predominant in the airline industry, there were safety features (e.g., training for the pilots on this new software-correcting feature) that were optional for airlines to purchase.
Software is now in charge of everything. What company is not a digital company? We can't avoid the fact that we have software running our systems, even items that control our safety. The software industry does not operate in a safety culture like the airline industry.
Is this just a data integrity issue? Is that the root cause of problems? How do we increase the integrity of data?
Can we override software when we believe it's making a bad decision? Allan brought up one example of a friend who tried to swerve out of his lane to avoid something in the road. The self-driving car forced him back into his lane and he hit the thing he was trying to avoid. Fortunately, it was just a bag, but what if it was a child? The self-correcting software didn't let him take over and avoid the object in the road.

Mar 28, 2019 • 25min
Tools for Managing 3rd Party Risk
To see all the notes and links for this episode, go here (https://cisoseries.com/defense-in-depth-tools-for-managing-3rd-party-risk/).
Are there any good tools that really help to manage third-party risk? Can tools alone solve this problem? What else is required?
Check out this post and discussion for the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Eric Cowperthwaite, director of information security, Esterline. Got feedback? Join the conversation on LinkedIn.
Thanks to this week's podcast sponsor, Praetorian. As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts.
On this episode of Defense in Depth, you'll learn:
We question if there's some type of pseudo-protection racket going on, with auditors offering to increase vendors' security scores if they go into business with them.
The basic model is to help you identify issues and resolve them in order to reduce your risk and protect yourself from certain types of risk.
While our risk changes on a daily basis, we're not measuring the risk other 3rd parties may be introducing at the same iteration level. Often it's only annual, which doesn't coincide with how we measure our own risk. As a result, there's a desire for ongoing real-time assessment of third-party risk.
CISOs want the depth of an audit combined with real-time monitoring.
A best-of-breed approach often introduces new risk at the lines of integration.

Mar 21, 2019 • 27min
CISO Burnout
Are CISOs the most stressed individuals on a security team, or do mental health issues affect everyone in security?
Check out this post and discussion for the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Gary Hayslip (@ghayslip), CISO, Webroot.
Thanks to this week's podcast sponsor, Praetorian. As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts.
On this episode of Defense in Depth, you'll learn:
You have to come to an acceptance that a security program that's at 90 percent is good enough. Accept that you will never reach the end of the tunnel. You'll never have a perfect defense.
The CISO's role is that of a change agent, and depending on the depth of your relationships, you may get pushback. Don't underestimate the impact you're trying to make on the business culture. Organizations can only change in increments. Stressing over that will generate stress in you, the security professional.
Since security touches every department and you need to engage with every department, you will deal with a lot of personalities. In addition to dealing with all the departments, you won't have authority over them, but you will be perceived as accountable for their security issues. The business needs to own security and its relevant risk.
Don't fall into impostor syndrome, where you chronically feel you're doing a bad job. Accept small wins. Break up huge projects into smaller chunks and celebrate those wins.

Mar 14, 2019 • 30min
RSA 2019: Success or Failure?
Is the RSA Conference a must-attend for security professionals? Or is it enough to "just be in San Francisco that week"?
Check out this post and discussion for the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Tyson Martin, CISO for Lumber Liquidators.
Thanks to this week's sponsor, Praetorian. As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts.
On this episode of Defense in Depth, you'll learn:
Is RSAC for education or connecting? Does the value happen in the conference center or outside? This was the initial part of our debate, and one argument is that you need to graduate from RSAC to make it more of a "connecting outside of the event" type of event.
The show floor is overwhelming. As David Gorton of OverwatchID noted, "The circus hides the seriousness of what we're trying to do."
There were a lot of comments about people not having fear of missing out (FOMO), but you can't argue that RSAC has a gravitational force that brings tons of security-minded people to San Francisco for one week every year. There is enormous value in that.
The marketing model for vendors during and after the show is starting to grate on practitioners. They're not enjoying the endless cold calls the following week.
The expo hall is focused on leads, and given that so many of these products are high-ticket items, if just a few sales come through, the event pays for itself.
It's impossible for small booths to compete for visibility with huge booths at the conference.

Mar 7, 2019 • 26min
Security IS the Business
If a company's brand and value are built on trust, then your security department is critical to building the value of the company.
Check out this post and discussion for the basis of our conversation on this week's episode, which is co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Scott McCool (@McCoolScott), former CIO of Polycom.
Thanks to this week's podcast sponsor, SpyCloud. Learn more about how you can protect employees and customers from account takeover with SpyCloud.
On this episode of Defense in Depth, you'll learn:
When a business becomes an idea, the only thing that matters is the perceived value by the owners.
If you deem that security is the business, then it no longer can take a consultative role. It must take the role of brand and value building.
Explicit value is generating or saving money. Implicit value is what drives those two opposite ends of the spectrum.
A security department shouldn't be focused on trying to get more budget for itself. It should see where it is in the value chain, and at any given point in time it must fully understand the business and see which department could generate the most business value.
If you only lobby for the security department in terms of its importance for getting budget, and not for the overall business, then you will lose credibility with your partners within the business.

Feb 27, 2019 • 21min
Threat Intelligence
Do companies that deliver "threat intelligence" deliver on that promise, or is there more the customer needs to bring to the table to be able to take action?
Check out this post and discussion for the basis of our conversation on this week's episode, which is co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our sponsored guest for this episode is Eric Murphy (@_EricMurphy), VP, security research, SpyCloud.
Thanks to this week's podcast sponsor, SpyCloud. Learn more about how you can protect employees and customers from account takeover with SpyCloud.
On this episode of Defense in Depth, you'll learn:
Threat intelligence is about telling a story. And that story is broken up into three parts: strategic, operational, and tactical intelligence.
Threat intelligence today really isn't about creating that story. Most of the cases are about correlating data points.
Threat intelligence becomes stale when you are reactionary vs. being proactive.
Threat intelligence fails when you don't mix multiple intelligence points to form a more complete story of your adversaries.
Feeds are not valuable by themselves. When you combine them with your internal data, that's when you could actually come up with something actionable.
If you're not ingesting and onboarding your data appropriately into your internal threat intelligence team, why do you even have it?
Find more at CISOSeries.com


