Defense in Depth

David Spark, Steve Zalewski, Geoff Belknap
Nov 21, 2019 • 26min

Cybersecurity Readiness as Hiring Criteria

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-readiness-as-hiring-criteria/)

What if every candidate interviewed was tested on their cybersecurity competency? How would that affect hiring, and how would that affect your company's security? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Greg van der Gaast, head of information security, University of Salford.

Thanks to this week's podcast sponsor, Enzoic. Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identify accounts at risk and mitigate unauthorized access. Learn more about Enzoic.

On this episode of Defense in Depth, you'll learn:
- For all candidates, whether in cybersecurity or not, gauge their current level of cybersecurity awareness.
- There was a time we put knowledge of Microsoft Word and Excel on our resumes. Now you never see it because it's common knowledge. Security knowledge is not common. At this stage it would be seen as a valuable bonus to have it on your resume.
- There are always small things that hiring managers look for to tip the scales in a candidate's favor. Cybersecurity skills should be one of them.
- For candidates who would have the most to gain from cybersecurity awareness, bring in the CISO to ask one or two questions during the hiring process.
- Different departments bounce candidates off each other even if they're not going to be working in a specific department. They want to know how well a person will or won't interface with your department.
- There's a strong fear that adding cybersecurity to the hiring criteria will greatly slow down the hiring process, which could damage business productivity.
- There was much debate around seemingly great candidates, such as an accountant with 20 years of experience, who fail miserably on cyber awareness. Would that raise a red flag?

Nov 14, 2019 • 30min

Cybersecurity and the Media

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cybersecurity-and-the-media/)

Cybersecurity and the media. It rides the line between providing valuable information and feeding the FUD cycle. What's the media's role? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Dave Bittner (@bittner), producer and host of The CyberWire Podcast, Hacking Humans podcast, and Recorded Future podcast.

Thanks to this week's podcast sponsor, Verodin. The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value.

On this episode of Defense in Depth, you'll learn:
- Stop laying blame on the media for negative cybersecurity perceptions. They're acting as a reflection of ourselves, both good and bad.
- When done right, the media can bring much-needed attention to issues, most often to enlighten those not in the know.
- A good indicator of the media's success in informing us is when our friends and family, who are not as cyber-savvy, start asking us our thoughts on big security issues.
- A disturbing trend is the media referring to an attack as "sophisticated" when it's often a poorly secured server that was just waiting to be breached.
- Given this trend, many are eager for the media to demystify these supposedly "advanced" attacks, demonstrating that the rest of us can protect ourselves even if we're not cyber-sophisticated.
- Social engineering demos are often done for the purpose of humor rather than showing how dangerous it can be when we let our guard down.
- Outside of someone like Bruce Schneier, the cybersecurity industry needs the equivalent of a high-profile expert who can speak to the lay person, à la Bill Nye, The Science Guy.

Nov 7, 2019 • 25min

The Cloud and Shared Security

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-the-cloud-and-shared-security/)

When your business enters the cloud, you are transferring risk, but also adding new risk. How do you deal with sharing your security obligations with cloud vendors? Check out this LinkedIn post for the basis of this show's conversation on shared responsibility for security during a digital transformation to the cloud. This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Paul Calatayud (@paulcatalayud), CSO for Americas, Palo Alto Networks.

Thanks to this week's podcast sponsor, Palo Alto Networks. Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you'll learn:
- You have to have a business reason to go to the cloud. Usually it's done as a business imperative in order to stay competitive.
- Security is rarely the primary reason businesses move to the cloud. It's often an adjunct reason.
- Moving to the cloud may transfer risk, but it also introduces new risk.
- Security professionals have long avoided the cloud because they feel they give up perceived control. If I can't see or touch it, how can I secure it?
- One issue security people need to grapple with during digital transformation and a move to the cloud is: what does it mean to manage risk when you don't own the program?
- Much of the online discussion was about getting your service level agreements (SLAs) in place. But if you're a small- to medium-sized business (SMB), you're going to have a hard, if not impossible, time negotiating.
- Don't lean on SLAs to be your entire risk profile. It's like using insurance as your only means of security.
- Cloud security requires setting up automation guard rails.
- For cloud evolution you'll need a change in talent, and it probably won't be your traditional network engineers.
- Because of performance, privacy, and data protection issues, you're probably going to find your business moving apps in and out of the cloud.
- The Cloud Controls Matrix (CCM), from the Cloud Security Alliance (CSA), is a controls framework designed to help you assess the risk of a cloud security provider.

Oct 31, 2019 • 26min

Is Product Security Improving?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-is-product-security-improving/)

We've been at this cybersecurity thing for a long time. Are products improving their security? A recent study says they aren't. Check out this tweet and the ensuing discussion for the information on the study and the concerns people have about the history of poor security in consumer-grade networking products. This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Michael L. Woodson (@mlwoodson), CISO, MBTA.

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you'll learn:
- We focus our conversation mostly on consumer products, most notably networking, which was the focus of the relevant study.
- Some basic measurements of security, such as stack guards and buffer overflow protection, showed no noticeable improvement.
- Margins are so slim on consumer products that manufacturers are put in a bind. They can't overcharge and stay competitive, so they have to underdeliver, and often security protections are cut as a result.
- People accept the failures of cybersecurity products by just accepting the end user license agreement (EULA). Be very careful with these agreements. Often a vendor will make outrageous claims, like saying they own the data.
- When we have security incidents, companies are not blamed or liable. What type of pressure would need to be put on manufacturers to get them to improve security? Will it have to be standards, regulations, or government regulations?

Oct 24, 2019 • 27min

Best Starting Security Framework

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-best-starting-security-framework/)

If you were building a security program from scratch, which many of our listeners have done, which framework would be your starting point? Check out this post initiated by Sean Walls, vp, CISO of Visionworks, who asked, "If you were building a security program from scratch, would you align with ISO 27001, NIST CSF, or another framework, and why?" That conversation sparked this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Omar Khawaja (@smallersecurity), CISO, Highmark Health.

Thanks to this week's podcast sponsor, Palo Alto Networks. Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you'll learn:
- When determining a starting security framework, always lead with the "Why?" What are you trying to accomplish and achieve? In some cases you're building a framework to build trust.
- Although most in security take a risk-based approach, that's not always necessary when picking a framework.
- Frameworks are often very regulatory driven. Framework decisions will be built on both internal and external pressures.
- If you don't have a specific security problem, a specific security solution makes no sense.
- The Secure Controls Framework is a free meta-framework that allows users to pick and choose elements from multiple frameworks.
- Check out Allan Alford's four-year mapping of NIST CSF, CIS CSC 20, and ISO 27001.
- While there are plenty of great frameworks out there, for someone who is truly starting from scratch, many security professionals pointed to the CIS top 20 because it maps to frameworks like NIST and ISO.

Oct 17, 2019 • 28min

Cyber Defense Matrix

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-cyber-defense-matrix/)

A simple way to visualize your entire security program and all the tools that support it. Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Sounil Yu (@sounilyu), creator of the Cyber Defense Matrix and former chief security scientist at Bank of America.

Thanks to this week's podcast sponsor, Verodin. The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value.

On this episode of Defense in Depth, you'll learn:
- First, just look at the darn thing and it'll start to make sense.
- The Cyber Defense Matrix's original purpose was to provide a visual way to see where the gaps are in your technology.
- Users have found lots more uses for the matrix, such as seeing those same gaps in people and processes, and trying to map out the vendor landscape.
- By visualizing, you can also see where you have too much, and you can actually get rid of technologies.
- The matrix provides structural awareness of your vulnerabilities.
- The matrix admittedly gets a little wonky when cloud technologies are introduced. They often bleed across categories, not neatly fitting into any specific buckets.

Oct 10, 2019 • 29min

User-Centric Security

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-user-centric-security/)

How can software and our security programs be better architected to get users involved? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Adrian Ludwig, CISO, Atlassian, a customer of our sponsor, Castle.

Thanks to this week's podcast sponsor, Castle. Castle is helping businesses keep customers' online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle's user-centric approach to account security allows organizations to fully automate threat response and account recovery in real time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:
- It's impossible to create a security system that removes the user from the equation. They are integral and they have to be part of your security program.
- Security is defined by the individual. The minimum expectation you can have of your users is that they'll operate in good faith.
- Avoid complexity, because as soon as it's introduced it drives problems everywhere. Instead, keep asking yourself: how can I make security more usable?
- Individuals are suffering from alert fatigue. If you're going to send an alert to a user, make it relevant and actionable. And always be aware that your security alerts are not the only alerts the user is seeing and deciding, or not deciding, to take action on. Think about all the alerts you completely ignore, like the confidentiality warning in a corporate email.
- One of the main problems with security is that the party who suffers is not the one who has to act. The user often does not have any stake in the goods he/she is protecting.

Oct 3, 2019 • 32min

Securing the New Internet

All links and images from this episode can be found at CISO Series (https://cisoseries.com/defense-in-depth-securing-the-new-internet/)

If you could re-invent the entire Internet, starting all over again with security in mind, what would you do? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Davi Ottenheimer (@daviottenheimer), who happens to be working on this project with Tim Berners-Lee at Inrupt to create a new Internet and secure it.

Thanks to this week's podcast sponsor, Castle. Castle is helping businesses keep customers' online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle's user-centric approach to account security allows organizations to fully automate threat response and account recovery in real time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:
- Much of the advice on how to secure the Internet focused on just improving known protocols such as SMTP, IPv6, and TCP/IP. Is that limited thinking or not?
- Creating a new Internet has a lot of political and socioeconomic issues connected to it, so you have to consider either relative updates (changing existing protocols) or absolute updates (reinventing and trashing existing protocols).
- One suggestion was dynamic port assignments, which was an interesting tip, but it runs into the issue that at some point someone needs to know where you're communicating.
- The future of identity is that it's not controlled by one entity. But the solution is not blockchain. That's essentially a spreadsheet of information, and banking on a spreadsheet or blockchain would not be wise.
- Another suggestion would be to create a data-centric approach to the Internet, but this would put a massive load on the endpoints.
- One core philosophy of securing the new Internet is creating a system where each individual can own their own data and grant rights on it to others to use it, rather than being beholden to the rights others give us to manage our own data.
- Our favorite suggestion was about looking to biomimicry and our millions of years of evolution to help us build an Internet that could learn to evolve on its own. The issue is that history has given us tectonic shifts that come all at once and don't necessarily evolve gradually. Could a security system be built to adapt in that manner?

Creative Commons photo attribution to Joybot.

Sep 26, 2019 • 26min

Resiliency

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-resiliency/)

How fortified is the business to withstand cyberattacks? Can it absorb the impact of the inevitable hits? Would understanding the business' level of resilience provide the appropriate guidance for our security program? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Anne Marie Zettlemoyer, vp, security engineering and divisional security officer, MasterCard.

Thanks to this week's podcast sponsor, Castle. Castle is helping businesses keep customers' online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle's user-centric approach to account security allows organizations to fully automate threat response and account recovery in real time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you'll learn:
- Resiliency allows the business to perform in conjunction with risk.
- A conversation about resilience forces security to think about business processes and the criticality of each one to the business' ability to sustain itself.
- We're forcing ourselves to think proactively when we have no choice but to react, hopefully automatically. Disaster recovery (DR) and business continuity planning (BCP) come into play here.
- There's a concern that of the CIA (confidentiality, integrity, and availability) triad, "integrity" doesn't have enough outside forces to ensure its credibility.
- While security teams may just be coming up to speed, or are just thinking of resiliency, the business has been thinking about it since day one of becoming a business. If security begins thinking this way, they will be more in alignment with the business.

And here are some items Anne Marie mentioned at the end of the show:
- Cybersecurity Talent Initiative
- GCA Cybersecurity Toolkit

Sep 19, 2019 • 26min

Ransomware

All images and links for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-ransomware/)

Why is ransomware so prevalent? Why are so many getting caught in its net? And what are some of the best tactics to stop its scourge? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Brian Vecci (@BrianTheVecci), field CTO, Varonis.

Thanks to this week's podcast sponsor, Varonis. The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a live cyberattack simulation lab.

On this episode of Defense in Depth, you'll learn:
- The ability to exploit stolen data takes work. Ransomware requires no such knowledge. Ransomware targets the lowest common denominator, just data in general. The attackers often don't need to know much about the data.
- Ransomware is extremely dangerous when it goes after shared data, which probably isn't being monitored.
- The more savvy ransomware criminals can lie dormant in a system, learn where the most valuable data is, and work out how much a company can pay.
- The solution to fighting back requires one to understand that ransomware targets people and files. It's the combination of the two that makes ransomware particularly dangerous.
- Your best bet to mitigate ransomware's damage is to limit users' file access. Not all users need to be able to access everything at all times.
- Many security professionals believe the solution to ransomware is just good security hygiene and patching. While patching does narrow your attack surface, it doesn't make you immune to ransomware.
- Unlike most cybercrime, ransomware is noisy. The attackers want you to know that they're there so you'll pay up.
