

CISO Tradecraft®
Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership.
© Copyright 2025, National Security Corporation. All Rights Reserved
Episodes

Jan 23, 2023 • 43min
#113 - SAST Security (with John Steven)
This episode provides a deep dive into Static Application Security Testing (SAST) tools. Learn how they work, why they don't work as well as you expect in certain use cases, and find some novel ways to apply them in your organization. Special thanks to John Steven for coming on the show to share his expertise.
Special thanks to our sponsor Praetorian for supporting this episode.
https://www.praetorian.com/
Full Transcripts - https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb
Chapters:
00:00 Introduction
02:51 Source Code Analyzers
04:22 The three bears of Static Analysis
06:01 Do Linters work Better?
08:00 The Value of Full Programming Analysis Tools over Linters
11:30 The Impact of a Developer's Analysis on a Developer Environment
13:05 SAST Testing
15:47 OWASP Benchmarking
19:13 The First Static Analysis Tools
20:53 Can you break up that worry about Automated Testing?
22:44 Using Static Analysis for Defect Discovery
24:18 Using Static Analysis to Improve Web Security
31:37 Using Static Analysis to Drive Cloud Security
33:15 The Second Thing to Look Out for When Choosing a Static Analysis Tool
34:55 Using Static Analysis to Build a Vulnerability Management Practice
37:35 Can you use Static Analysis to Find Insider Threat?

Jan 17, 2023 • 42min
#112 - Attack Surface Management (with Richard Ford)
How do you defend against automated attacks in an era of ChatGPT-formulated malware, coordinated nation-state actors, and a host of disgruntled laid-off security professionals? Want to find your vulnerabilities faster than the bad actors do? Come listen to Richard Ford to learn how to apply best practices in attack surface management and defend your crown jewels.
Special thanks to our sponsor Praetorian for supporting this episode.
Full Transcripts - https://docs.google.com/document/d/18QyrN-7V91nxOyRQ0KsNeJU0-k-bTlqj
Chapters:
00:00 Introduction
04:22 The Impact of Continuous Attack Surface Mapping on Security Responses
07:48 What's the Difference between a CTO and a CIO?
10:24 What attracted you to the problem space?
12:53 Is the Attack Surface really exposed?
16:12 Shadow IT - The Unknown Unknowns that could Bite You
19:56 Is there a Shadow IT problem?
23:24 How to get management on board with Shadow IT?
26:38 Building an Attack Surface Management Program
29:57 You Get What You Measure, Right?
33:27 Do I Have Vulnerable Assets?
39:24 Attack Surface Management

Jan 9, 2023 • 45min
#111 - Leading with Style
Have you ever wanted to be like Neo in "The Matrix" and learn things like Kung Fu in just a few minutes? Well on today's episode, we try to do just that by cramming powerful leadership concepts into your head in just 45 minutes. So sit back, relax, and enjoy CISO Tradecraft.
Show Notes with Pictures & References:
https://docs.google.com/document/d/1z5FwVwYlNiJlevQXP9IK48Z5kYqG-Ee_/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true
Full Transcript:
https://docs.google.com/document/d/11iTdKRxtg1UYiQeUn-mdgM7zKqafTq34/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

Jan 2, 2023 • 24min
#110 - CISO Predictions for 2023
Want to know CISO Tradecraft's Top 10 cyber security predictions for 2023? Listen to the episode to learn more about:
Proactive Identity Management = Automated Provisioning of Access + Minimizing Digital Blast Radius
Convergence of Security Tools
Collaboration Technology
Evolution of the Endpoint (Chromebooks or Browser Isolation)
Chatbots
Vague and unclear cyber laws
CISO liability increases
Umbrella IT general controls mapping
Companies will be less truthful during 3rd party questionnaires
Cyber defense will become more difficult because of people
Be sure to also check out G Mark Hardy's annual ISACA talk at
http://isaca-cmc.org/
Link to full transcripts of the podcast can be found here:
https://docs.google.com/document/d/1RkrtkuunBn-qaU-Y9HvgHJzAKoIIszcW/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

Dec 19, 2022 • 46min
#109 - The Right Stuff
Success leaves clues, but sometimes we limit ourselves by only looking close by for them. This week, we pondered what business skills are essential for a successful CISO, and then extended the search to some non-traditional sources to find some very relevant advice. Take the time to listen and do a self-examination (you don't have to submit for a grade :) and see where you could boost your skills portfolio to increase your success as a security leader. Some of the essential skills we discuss on this episode of CISO Tradecraft are:
Be a leader
Manage money and resources
Differentiate yourself and your message
Communicate with clarity and emphasis
Delegate and hold subordinates accountable
Build a personal network
Mentor your team
Be adaptable
Be sensitive to cultural and political issues
Watch the details and ensure your management makes informed risk-based decisions, and
Know your limitations
We thank our sponsor Nucleus Security for supporting this episode
Full Transcript: https://docs.google.com/document/d/1C357cX_4wKTRmhRUsGh_2d9vIMX5LspL/
Show links:
https://www.smallbusiness.wa.gov.au/starting-and-growing/essential-business-skills
https://cisotradecraft.podbean.com/e/108-budgeting-for-cisos-with-nick-vigier/
https://nativeintelligence.com/
https://github.com/cisotradecraft/Podcast#business-management--leadership
https://www.ef.com/wwen/blog/efacademyblog/skills-for-success/
https://www.criticalthinking.org/pages/defining-critical-thinking/766
https://your.yale.edu/learn-and-grow-what-adaptability-workplace
https://openai.com/blog/chatgpt/
https://openai.com/dall-e-2/

Dec 12, 2022 • 43min
#108 - Show Me The Money (with Nick Vigier)
There are a lot of things you need to know as a CISO, but one of the least taught is budgeting best practices. On today's episode, CISO Nick Vigier stops by to share his lessons learned on the topic. His conversation focuses on spends vs. investments. Remember: spends = overhead, whereas investments = growth. Here's a great point:
[10:00] There are opportunities that we have to frame some of these things as investments versus framing them as risk mitigations. And so one of the mantras or things that I like to think about is the business has a limited appetite for risk management, but they have infinite appetite for profits and making money.
So if you're able to frame them as how they're actually going to help accelerate the business or improve the business that brings the CEO and the CFO along on the journey, that you're not just there to lock the doors, you might actually be there to help put another floor on the building and that's a very different conversation.
We also thank our sponsor Nucleus Security for supporting this episode.
Full Transcript: https://docs.google.com/document/d/1nURiml3BJFnszFRA8qov1CgO_VkDFaCY

Dec 5, 2022 • 43min
#107 - Consolidating Vulnerability Management (with Jeff Gouge)
Special thanks to Jeff Gouge for sharing his thoughts on consolidating vulnerability management. We also thank our sponsor Nucleus Security for supporting this episode.
Consistently tracking and prioritizing vulnerabilities is a difficult problem. This episode talks about it in detail and helps you increase your understanding in:
Various application security scanning tools (SAST, DAST, SCA, Container, IoT, Secret Scanners, Cloud Security Scans, ...) and why companies need so many
How CVSS base scores are actually calculated, so you can understand their strengths and weaknesses
How Threat Intelligence Data improves CVSS scoring
Knowing which vulnerabilities are being actively exploited by bad actors through the CISA Known Exploited Vulnerabilities Catalog
Knowing which vulnerabilities are being exploited in your industry or organization
Knowing how the Exploit Prediction Scoring System (EPSS) can predict which vulnerabilities will be exploited soon
Learning about the Stakeholder-Specific Vulnerability Categorization Guide (SSVC)
Note a Full Transcript of this podcast can be found here:
https://docs.google.com/document/d/1dWDS8rd-iscZuZ28U27IBuPPfrlFAV69/

Nov 28, 2022 • 30min
#106 - How to Win Your First CISO Role
Are you ready to win your first CISO role? Apply these techniques to your resume and interview process so both recruiters and hiring managers will offer you the job. This show focuses on:
Highlighting the Different Types of CISO Roles
Showing how to progress from a Senior Director Role into a Fortune 100 CISO
Resume Tricks and Tips that get you noticed by recruiters
How to have a great interview with a recruiter
What Hiring Managers want to see from CISOs during their interviews
Please note the full show transcript can be found here
https://docs.google.com/document/d/18Feg4eXbezHVPiNQ9qO6Pdht3P0eQ5nn

Nov 21, 2022 • 49min
#105 - Start Me Up (with Bob Cousins)
Would you like to hear a master class on what Technology professionals need to know about startups? On this episode Bob Cousins stops by to share his knowledge and experience on working in technology companies, dealing with founders, and partnering with venture capitalists. Listen and learn more about:
What should a technology professional know about venture capital and dealing with venture capitalists?
What is the role of marketing?
What do engineers get wrong with helping businesses create profitable growth?
What is the value of a product?
Subscribe to the CISO Tradecraft LinkedIn Page

Nov 14, 2022 • 45min
#104 - Breach and Attack Simulation (with Dave Klein)
Special Thanks to our podcast sponsor, Cymulate.
On this episode, Dave Klein stops by to discuss the 3 Digital Challenges that organizations face:
Cyber threats evolve on a daily basis and this constant threat to our environment appears to be only accelerating
The level of vulnerabilities today is 30x what it was 10 years ago. We have more IT infrastructure, complexity, and developers in our current environment.
In the pursuit of digital innovation, we are changing our IT infrastructure by the hour. For example, Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster and create more opportunities for misconfiguration at scale.
Breach and Attack Simulation tooling addresses these 3 digital challenges by focusing on breach and attack simulation, vulnerability prioritization, and threat exposure management. This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized. Key benefits of adopting Breach and Attack Simulation software include:
Managing organizational cyber-risk end to end
Rationalizing security spend
Prioritizing mitigations based on validated risks
Protecting against the latest threats in near real-time
Preventing environmental drift
Welcome back listeners and thank you for continuing your education in CISO Tradecraft. Today we are excited to share with you a great episode focused on Breach and Attack Simulation software. To begin we will provide a solid background on Breach and Attack Simulation then we are going to bring on our special guest Dave Klein who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation Software.
Starting from the beginning: what is Breach and Attack Simulation software and why is it needed? At the end of the day most companies are not on an island. They need to connect to clients, partners, and vendors. They need the ability for employees to visit websites. They need to host public facing websites to sell products and services. Each of these activities results in organizational assets such as IT equipment with internet connectivity. Now internet connectivity isn't a bad thing. Remember internet connectivity allows companies to generate income, which allows the organization to exist. This income goes to funding expenses like the cyber organization, so that is a good thing.
If bad actors with the intent and capability to cause your company harm can find your company's internet connected assets which have vulnerabilities, then you have a risk to your organization. So enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk. Now sometimes you will hear the term Cyber Asset Attack Surface Management (CAASM); the related term Continuous Threat Exposure Management (CTEM) is also commonly used. Essentially these categories of tools are the latest evolution of vulnerability management tooling, with the additional benefit of ingesting data from multiple sources. They are designed to address key questions such as:
How do we get an inventory of what we have?
How do we know our vulnerabilities? and
How do we know which vulnerabilities might be exploited by threat actors?
Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software. Note Breach and Attack Simulation software overlaps with many of the CAASM capabilities, but it does something unique. Breach and Attack Simulation software allows you to pose as bad actors on your network and perform red team exercises. Essentially you learn how bad actors can bypass your cyber tooling and safeguards. This means you go from knowing where you are vulnerable to actually seeing how well your incident response activities perform. For example, if I can take a normal user's laptop, spawn a PowerShell script, or run a tool like Mimikatz to gain Domain Admin level privileges, then I want to know whether the Cyber Security Incident Response team was alerted to that activity. I also want to know whether the Incident Response team blocked or disabled the account in a timely manner. According to the 2022 Microsoft Digital Defense Report, the median time it takes for an attacker to access your private data if you fall victim to a phishing email is 1 hour 12 minutes. The report also stated that the median time for an attacker to begin moving laterally within your corporate network once a device is compromised is 1 hour 42 minutes. Remember, responding to these attacks in minutes rather than hours can be the difference in how many files get encrypted when ransomware actors get into your environment.
Another thing that CISOs need to ensure is that vulnerabilities get fixed. How do you test that? You have to replay the attack.
You can think of fire drills as the comparison. If an organization only did one fire drill every 24 months, then chances are the company’s time to exit the building isn’t going to decrease all that much. It’s likely to stay the same. Now if an organization does 8-12 fire drills over the course of 24 months, then you would generally see a good decrease in departure times as people become familiar with how to leave the building in a timely fashion. The good thing about Breach and Attack Simulation tools is that they can replay numerous attacks with the click of a button. This can save your penetration testing team hours of manual exploitation activity which would otherwise have to be repeated to confirm that patches and mitigations worked.
If we look at Breach and Attack Simulation software, the tools have typically come in two flavors. One is an agent based approach. Example: a company might install an attack agent on a laptop inside the corporate environment that runs Data Loss Prevention (DLP) software. The attack agent might look at how much data it can exfiltrate without being stopped by the DLP tool. The attack agent could also run similar tests to see how much malware the antivirus detects, or how much sensitive email it can send outside the company despite there being an email protection solution. These attack agents can also be placed on servers to determine how effective web application firewalls are at stopping attacks.
Essentially having an attack agent on the internal side of a trusted network and one on the outside allows an organization to evaluate the effectiveness of various cyber tools. Now there are a few concerns with this type of approach. One, companies don't want to add more agents across their network because they consume system resources and make things slower. Two, the time it takes to install and test agents delays the value you can get out of these tools, because cyber needs approvals from the desktop team, the network team, the firewall team, etc. before these solutions can be deployed. Three, an agent does not always truly simulate what an attacker would do, since it does not have to live off the land or earn the permissions an attacker would. Your agent may not be known to antivirus or EDR tools, whereas an attacker abusing Windows libraries to gain access is exactly the behavior those tools are built to catch.
Now let’s compare this with an agentless approach. This approach is quite popular, since the labs where agents are run don’t always look like a production environment. For example, they lack the same amount of traffic, don’t possess the same amount of production data, or run last month’s versions of software.
Here the attack software may start with the premise: what happens if someone from the Accounting Team opens an Excel document containing a malicious macro? Let’s see how we can automate an attack after that initial compromise step occurs. Then let’s walk through every technique identified in the MITRE ATT&CK framework and see what gets caught and what doesn’t. The tooling can then look at the technical safeguards in the organization that should have been applied and provide recommendations on how to increase their effectiveness. This might be something simple like adding a Windows Group Policy to stop an attack. Breach and attack simulation tools can also provide alerting recommendations for the SIEM that help identify when an endpoint attack occurred. Example: instead of only knowing that bad actors can run an attack, the Breach and Attack Simulation software actually gives you the Splunk signature (detection search) that your SOC team can leverage. That’s a great way to minimize the time it takes to improve your alerting capabilities.
Now when the breach and attack simulation software replays attacks each month, cyber leadership can look at how fast the Incident Response team detected and remediated the attack. It might be as simple as "we stopped this attack before it could happen by applying the new Windows Group Policy" or "it took the team 4 hours to determine XYZ account had been taken over." These metrics let you know how well your response plans work. So you get the value of a penetration test with the automation and scaling of vulnerability management tools.
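As an added example (not the podcast's or any BAS vendor's code), the script below shows the scoring loop the last two paragraphs describe: a replayed kill chain starting from the macro-in-Excel premise, detection rules of the "here is the signature for your SOC" kind run over process-creation telemetry, and per-technique metrics for whether the step was detected, how long it took, whether that met an SLA, and which detections regressed since the previous replay (the drift the benefits list mentions). The telemetry, host and user names, ATT&CK step list, ingest latency, 15-minute SLA and the two regex rules are all constructed assumptions for the example; real SIEM content would be far richer.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    host: str
    user: str
    command_line: str   # process-creation command line (Windows 4688 / Sysmon EID 1 style)


@dataclass(frozen=True)
class AttackStep:
    technique: str      # MITRE ATT&CK technique ID the simulator replayed
    description: str
    started: datetime   # when the simulator executed the step


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    host: str
    fired: datetime


T0 = datetime(2022, 11, 1, 9, 0, 0)

# Constructed telemetry standing in for what the SIEM ingested during one replay (assumption).
TELEMETRY = [
    Event(T0 + timedelta(seconds=5), "acct-lt-07", "jsmith", '"EXCEL.EXE" Q3_invoices.xlsm'),
    Event(T0 + timedelta(seconds=8), "acct-lt-07", "jsmith",
          "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event(T0 + timedelta(minutes=12), "acct-lt-07", "jsmith",
          'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    Event(T0 + timedelta(minutes=20), "acct-lt-07", "jsmith", 'net group "Domain Admins" /domain'),
    Event(T0 + timedelta(minutes=35), "acct-lt-07", "SYSTEM", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

# Detection content of the kind a BAS tool hands to the SOC: rule name -> (technique, pattern).
RULES = {
    "PS-EncodedCommand": ("T1059.001", re.compile(r"powershell(\.exe)?\s.*-(enc|encodedcommand)\b", re.I)),
    "Mimikatz-LSASS": ("T1003.001", re.compile(r"mimikatz|sekurlsa::", re.I)),
}

# The replayed kill chain as the simulator recorded it (constructed).
STEPS = [
    AttackStep("T1204.002", "user opens macro-enabled workbook", T0 + timedelta(seconds=5)),
    AttackStep("T1059.001", "macro spawns encoded PowerShell stager", T0 + timedelta(seconds=8)),
    AttackStep("T1003.001", "credential dump from LSASS memory", T0 + timedelta(minutes=12)),
    AttackStep("T1069.002", "domain group enumeration", T0 + timedelta(minutes=20)),
]


def run_rules(events, rules=RULES, ingest_latency=timedelta(minutes=3)):
    """Apply each rule to each event; an alert fires once the SIEM has ingested the event."""
    alerts = []
    for ev in events:
        for rule_name, (technique, pattern) in rules.items():
            if pattern.search(ev.command_line):
                alerts.append(Alert(rule_name, technique, ev.host, ev.timestamp + ingest_latency))
    return alerts


def score_replay(steps, alerts, sla=timedelta(minutes=15)):
    """Per replayed step: detected?, by which rule, time to detect, and whether that met the SLA."""
    results = {}
    for step in steps:
        hits = [a for a in alerts if a.technique == step.technique and a.fired >= step.started]
        first = min(hits, key=lambda a: a.fired) if hits else None
        ttd = (first.fired - step.started) if first else None
        results[step.technique] = {
            "detected": first is not None,
            "rule": first.rule if first else None,
            "time_to_detect_s": int(ttd.total_seconds()) if ttd is not None else None,
            "within_sla": ttd is not None and ttd <= sla,
        }
    return results


def coverage_pct(results):
    """Share of replayed techniques that produced at least one alert."""
    if not results:
        return 0.0
    return round(100.0 * sum(r["detected"] for r in results.values()) / len(results), 1)


def regressions(previous, current):
    """Techniques detected in the previous replay but missed now: environmental drift to chase."""
    return sorted(t for t, r in previous.items()
                  if r["detected"] and not current.get(t, {}).get("detected", False))


if __name__ == "__main__":
    results = score_replay(STEPS, run_rules(TELEMETRY))
    for technique, r in results.items():
        print(technique, r)
    print("coverage:", coverage_pct(results), "%")
```

On the constructed data only the PowerShell and Mimikatz steps alert (50% coverage, each detected three minutes after execution, inside the SLA); the macro launch and the group enumeration are silent, which is exactly the list a BAS tool would turn into Group Policy or new-detection recommendations. Running the same replay next month and diffing with `regressions` is the drift check.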
What’s even more impressive is how these tools are evolving to meet the larger mission of cyber organizations.
Example: most financial and health care organizations have to demonstrate evidence that IT controls are working effectively. Generally this is a manual process done by the Governance, Risk and Compliance (GRC) team within a cyber organization. GRC teams have to ask developers to provide evidence for various IT controls, such as whether privileged activity is monitored and alerted on. Now imagine if you had an automated tool that showed evidence that monitoring tools are installed on 99% of endpoints and that these tools actually stopped various MITRE ATT&CK techniques immediately. That evidence would minimize the data call, which takes time away from the developer teams.