CISO Tradecraft®

G Mark Hardy & Ross Young
Feb 27, 2023 • 45min

#118 - Data Engineering (with Gal Shpantzer)

Our systems generate fantastic amounts of information, but do we have a complete understanding of how we collect, analyze, manage, store, and retrieve possibly petabytes a day? Gal Shpantzer has been doing InfoSec for over 20 years, has managed some huge data engineering projects, and offers a lot of actionable insights in this CISO Tradecraft episode.
Gal's LinkedIn Page - https://www.linkedin.com/in/riskmanagement/
Gal's Twitter Page - https://twitter.com/Shpantzer
Full Transcript - https://docs.google.com/document/d/14RXnsVttvKlRi6VL94BTrItCjOAjgGem/
Chapters
00:00 Introduction
02:00 How do you Architect Big Data Infrastructure
03:33 Are you taking a look at Ransomware?
06:11 Web Scale Technologies are used mostly in Marketing & Fraud Detection
08:11 Data Engineering - The Mindset Shift
10:51 The Iron Triangle of Data Engineering
13:55 Can I Outsource My Logging Pipeline to a Vendor
15:37 Kafka & Flink - Data Engineering in the Pipeline
18:12 Streaming Analytics & Kafka
22:08 How to Enable Data Science Analytics with Streaming Analytics
26:33 Streaming Analytics
30:25 Data Engineering - Is there a Security Log
32:30 Streaming Analytics is a Weird Thing
35:50 How to Get a Handle on a Big Data Pipeline
39:11 Data Engineering Hacks for Big Data Analytics
Feb 20, 2023 • 40min

#117 - Good Governance (with Sameer Sait)

Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues?  Today we are going to overcome that by talking about what good governance looks like.  We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO.  We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute.
Cyber Risk Institute - Cyber Security Profile: https://cyberriskinstitute.org/the-profile/
Full Transcripts: https://docs.google.com/document/d/1vBM6A0utvhRFMA04wzrZvR8ktNwYo-li
Chapters
00:00 Introduction
03:10 Good Governance is a Good Thing, Right?
05:08 Cyber Strategy & Framework
06:43 Is NIST the Same as ISO?
08:40 How to Convince the Executive Leadership Team to Buy In
11:19 The CEO's Challenge is Taking Measured Risk
20:05 Is there a Cybersecurity Policy
22:32 Culture eats Policy for Lunch
24:14 The Role of the CISO
27:52 How do you Convince the Leadership Team that you need extra resources
29:51 How do you Measure Cybersecurity?
32:22 How do we communicate Risk Findings to Senior Management
36:07 Are you Aligning with the Audit Committee
Feb 13, 2023 • 44min

#116 - A European view of CISO responsibilities (with Michael Krausz)

In the US we often focus on SOC 2, NIST Special Publications, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In the early stages of growing a security function, a CISO needs to be technically focused, but as a security department matures, the CISO must be organizationally focused. Also, to effectively grow your team, first determine what actions need to take place, how much effort each requires, and how often it needs to take place. Then, build an action sheet and collect data for three months. Finally, take that to your executives and document your requirements for more staff.
Michael Krausz LinkedIn Profile: https://www.linkedin.com/in/michael-krausz-b55862/
Michael Krausz Website: https://i-s-c.co.at/
Full Transcript: https://docs.google.com/document/d/13fghym7IWyPvuRANQXUvmv-ulkSj93xv
Chapters
00:00 Introduction
04:01 Is there a Gap Analysis in ISO 27001?
08:05 Is there a Requirement for ISO Standards?
10:57 What is ISO 27001?
13:11 Is there a Parallel Development between the US and EU?
16:57 Do you want to be a trooper?
21:17 What's the Oldest Operating System?
23:09 Is there a Legacy Operating System that you can't get away with?
24:11 The Most Important Class for a CISO
26:33 The Secrets of a Successful CISO
29:30 CISO - I need 6 people, period
33:40 What's the Primary Skill Needed in a CISO?
37:41 How to Maximize the Number of FTEs
Feb 6, 2023 • 42min

#115 - The Business Case for a Global Lead of Field Cybersecurity (with Joye Purser)

How can cyber best help the sales organization?  It's a great thought exercise, and we bring on Joye Purser to discuss it. Learn from her experience as we go over how cybersecurity is becoming an even closer business partner with the creation of a new, important role.
Full Transcript: https://docs.google.com/document/d/1Shd1Qldb8iKEHBgXJqFez81Iwfpl6JT-/
Chapters
00:00 Introduction
02:58 How did you marry those two cultures?
06:40 Building a Diverse Workforce
08:23 Is this a new role based on Pain Points?
10:27 Global Lead for Field Cyber Security
15:51 Is the Global Lead for Field Cybersecurity linked to sales numbers?
19:07 Is there a Global Lead for Field Cybersecurity?
24:46 Building Relationships in a Security Leadership Role
27:48 Do you have any lessons learned from your success at Global Management Consulting?
29:33 You need to schedule time to get things done
33:33 What about Due Diligence?
37:36 The Chief Technology Officer, CRO, & CTO
Jan 30, 2023 • 24min

#114 - One Vendor to Secure Them All

Did you ever wonder how much security you can implement with a single vendor?  We did and were surprised by how much you can do using the Australian Essential Eight as a template.  We'll bet you can improve your security by using these tips, tools, and techniques that you might not have even known were there. Special thanks to our sponsor Praetorian for supporting this episode. https://www.praetorian.com/
Full Transcripts: https://docs.google.com/document/d/12HsuOhY9an1QzIw9wOREPMX0pXe5hqkJ
Helpful Links
Essential 8: https://www.microsoft.com/en-au/business/topic/security/essential-eight
Blocking Macros: https://ite8.com.au/the-essential-8/office-macros-explained/
Windows Defender Application Control (WDAC), available on Windows 10 / Server 2016 and newer; earlier releases (Windows 7 / 8) relied on AppLocker:
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
Windows Group Policies:
https://techexpert.tips/windows/gpo-block-website-url-google-chrome/
https://chromeenterprise.google/policies/#SafeBrowsingAllowlistDomains
https://data.iana.org/TLD/tlds-alpha-by-domain.txt
Software Restriction Policies: http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/
Blocking website URLs: only allow the TLDs you need (.com, .org, .net, .edu, .gov, .mil, and the country-code TLDs you want) and block everything else.
Locking down Active Directory: https://attack.stealthbits.com/tag/active-directory
File Server Resource Manager (FSRM): http://woshub.com/using-fsrm-on-windows-file-server-to-prevent-ransomware/
Enable MFA for RDP:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-remote-vm-access
https://duo.com/docs/rdp
Enable MFA for SSH:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ssh
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux
Windows Controlled Folder Access: https://support.microsoft.com/en-
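The TLD allowlist from the Essential Eight episode above, as an added example that is not code from the show, from Microsoft, or from Google: it parses the IANA TLD list linked in the notes, validates the TLDs you intend to allow against that list (so a typo such as "edu." or "ed" fails closed instead of silently allowing nothing), and emits the Chrome URLBlocklist/URLAllowlist pair as a .reg fragment for the HKLM Chrome policy key that the GPO ADMX templates write to. The IANA excerpt is constructed; the choice of au and uk as "the countries you want" is an assumption; and the reading of Chrome's URL filter format that a host pattern without a leading dot also matches its subdomains (so "com" covers every .com host) is an assumption to confirm against the current policy documentation before deploying.

```python
"""Deny-by-default TLD allowlist for Chrome, rendered as Windows policy registry values."""
import json

# Constructed excerpt of https://data.iana.org/TLD/tlds-alpha-by-domain.txt.
# The real file lists every delegated TLD, one per line, upper-cased, after a
# '#' version comment. Embedded here so the example runs offline.
SAMPLE_IANA_TLDS = """# Version 2023022700, Last Updated Mon Feb 27 07:07:01 2023 UTC
AU
COM
EDU
GOV
MIL
NET
ORG
RU
TOP
UK
XN--P1AI
XYZ
"""

# The show's list plus the country-code TLDs you want (au and uk are assumptions).
ALLOWED_TLDS = ["com", "org", "net", "edu", "gov", "mil", "au", "uk"]

# Assumption: Chrome honours only a bounded number of entries per list policy
# (the policy documentation states 1000), so one blocklist entry per unwanted
# TLD (well over a thousand of them) is not a workable design.
CHROME_LIST_CAP = 1000


def parse_iana_tlds(text: str) -> list[str]:
    """Return delegated TLDs lower-cased, skipping the version comment and blank lines."""
    tlds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tlds.append(line.lower())
    return tlds


def build_policy(allowed: list[str], known_tlds: list[str]) -> dict:
    """Block everything ("*"), then allow only the chosen TLDs.

    Assumption on pattern semantics: a Chrome host pattern with no leading dot
    matches that host and all of its subdomains, so "com" admits every .com site.
    Every allowed TLD must exist in the IANA list; anything else is a typo.
    """
    normalized = sorted({t.strip().lower().lstrip(".") for t in allowed if t.strip()})
    known = set(known_tlds)
    unknown = [t for t in normalized if t not in known]
    if unknown:
        raise ValueError(f"not delegated by IANA (typo?): {unknown}")
    if len(normalized) > CHROME_LIST_CAP:
        raise ValueError("allowlist exceeds the entries Chrome will honour")
    return {"URLBlocklist": ["*"], "URLAllowlist": normalized}


def to_reg(policy: dict) -> str:
    """Render the policy as a .reg fragment.

    On Windows, Chrome reads list-valued policies from sub-keys of
    HKLM\\SOFTWARE\\Policies\\Google\\Chrome whose string values are named
    "1", "2", ... in order.
    """
    lines = ["Windows Registry Editor Version 5.00"]
    for name, entries in policy.items():
        lines.append("")
        lines.append(f"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Chrome\\{name}]")
        for i, entry in enumerate(entries, start=1):
            lines.append(f'"{i}"="{entry}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    known = parse_iana_tlds(SAMPLE_IANA_TLDS)
    policy = build_policy(ALLOWED_TLDS, known)
    print(json.dumps(policy, indent=2))
    print(to_reg(policy))
```

In production push the same two lists through the Chrome ADMX templates in Group Policy rather than importing a .reg by hand; the rendered fragment is useful for seeing exactly what the GPO writes and for diffing it against a client after gpupdate. A TLD allowlist is a coarse control: it says nothing about a malicious .com host, so it complements Safe Browsing and DNS filtering rather than replacing them, and it will break legitimate vendors on other TLDs until you add them.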
Jan 23, 2023 • 43min

#113 - SAST Security (with John Steven)

This episode provides a deep dive into Static Application Security Testing (SAST) tools.  Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways to apply them in your organization.  Special thanks to John Steven for coming on the show to share his expertise.  Special thanks to our sponsor Praetorian for supporting this episode. https://www.praetorian.com/
Full Transcripts - https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb
Chapters:
00:00 Introduction
02:51 Source Code Analyzers
04:22 The three bears of Static Analysis
06:01 Do Linters work Better?
08:00 The Value of Full Programming Analysis Tools over Linters
11:30 The Impact of a Developer's Analysis on a Developer Environment
13:05 SAST Testing
15:47 OWASP Benchmarking
19:13 The First Static Analysis Tools
20:53 Can you break up that worry about Automated Testing?
22:44 Using Static Analysis for Defect Discovery
24:18 Using Static Analysis to Improve Web Security
31:37 Using Static Analysis to Drive Cloud Security
33:15 The Second Thing to Look Out for When Choosing a Static Analysis Tool
34:55 Using Static Analysis to Build a Vulnerability Management Practice
37:35 Can you use Static Analysis to Find Insider Threat?
Jan 17, 2023 • 42min

#112 - Attack Surface Management (with Richard Ford)

How do you defend against automated attacks in an era of ChatGPT-formulated malware, coordinated nation-state actors, and a host of disgruntled laid-off security professionals? Want to find your vulnerabilities faster than the bad actors do? Come listen to Richard Ford to learn how to apply best practices in attack surface management and defend your crown jewels. Special thanks to our sponsor Praetorian for supporting this episode.
Full Transcripts - https://docs.google.com/document/d/18QyrN-7V91nxOyRQ0KsNeJU0-k-bTlqj
Chapters:
00:00 Introduction
04:22 The Impact of Continuous Attack Surface Mapping on Security Responses
07:48 What's the Difference between a CTO and a CIO?
10:24 What attracted you to the problem space?
12:53 Is the Attack Surface really exposed?
16:12 Shadow IT - The Unknown Unknowns that could Bite You
19:56 Is there a Shadow IT problem?
23:24 How to get management on board with Shadow IT?
26:38 Building an Attack Surface Management Program
29:57 You Get What You Measure, Right?
33:27 Do I Have Vulnerable Assets?
39:24 Attack Surface Management
Jan 9, 2023 • 45min

#111 - Leading with Style

Have you ever wanted to be like Neo in "The Matrix" and learn things like Kung Fu in just a few minutes?  Well on today's episode, we try to do just that by cramming powerful leadership concepts into your head in just 45 minutes.  So sit back, relax, and enjoy CISO Tradecraft.
Show Notes with Pictures & References: https://docs.google.com/document/d/1z5FwVwYlNiJlevQXP9IK48Z5kYqG-Ee_/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true
Full Transcript: https://docs.google.com/document/d/11iTdKRxtg1UYiQeUn-mdgM7zKqafTq34/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true
Jan 2, 2023 • 24min

#110 - CISO Predictions for 2023

Want to know CISO Tradecraft's Top 10 cyber security predictions for 2023?  Listen to the episode to learn more about:
1. Proactive Identity Management = Automated Provisioning of Access + Minimizing Digital Blast Radius
2. Convergence of Security Tools
3. Collaboration Technology
4. Evolution of the Endpoint (Chromebooks or Browser Isolation)
5. Chatbots
6. Vague and unclear cyber laws
7. CISO liability increases
8. Umbrella IT general controls mapping
9. Companies will be less truthful during 3rd party questionnaires
10. Cyber defense will become more difficult because of people
Be sure to also check out G Mark Hardy's annual ISACA talk at http://isaca-cmc.org/
Link to full transcripts of the podcast can be found here: https://docs.google.com/document/d/1RkrtkuunBn-qaU-Y9HvgHJzAKoIIszcW/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true
Dec 19, 2022 • 46min

#109 - The Right Stuff

Success leaves clues, but sometimes we limit ourselves by only looking close by for them.  This week, we pondered what business skills are essential for a successful CISO, and then extended the search to some non-traditional sources to find some very relevant advice.  Take the time to listen and do a self-examination (you don't have to submit it for a grade :) and see where you could boost your skills portfolio to increase your success as a security leader.  Some of the essential skills we discuss on this episode of CISO Tradecraft are:
- Be a leader
- Manage money and resources
- Differentiate yourself and your message
- Communicate with clarity and emphasis
- Delegate and hold subordinates accountable
- Build a personal network
- Mentor your team
- Be adaptable
- Be sensitive to cultural and political issues
- Watch the details and ensure your management makes informed risk-based decisions
- Know your limitations
We thank our sponsor Nucleus Security for supporting this episode.
Full Transcript: https://docs.google.com/document/d/1C357cX_4wKTRmhRUsGh_2d9vIMX5LspL/
Show links:
https://www.smallbusiness.wa.gov.au/starting-and-growing/essential-business-skills
https://cisotradecraft.podbean.com/e/108-budgeting-for-cisos-with-nick-vigier/
https://nativeintelligence.com/
https://github.com/cisotradecraft/Podcast#business-management--leadership
https://www.ef.com/wwen/blog/efacademyblog/skills-for-success/
https://www.criticalthinking.org/pages/defining-critical-thinking/766
https://your.yale.edu/learn-and-grow-what-adaptability-workplace
https://openai.com/blog/chatgpt/
https://openai.com/dall-e-2/