Trending in Security Operations

Cyber Security Operations Topics, Trends, and Articles

Where, oh where, does the CISO belong?

LinkedIn article, August 30, 2019

An evolving and emerging view that's finally gaining traction: The CISO doesn’t belong within IT. The CISO is more accurately an advisory and oversight function than it is an IT service delivery function. A strategic contributor — not a quarterly report maker and not trotted out on occasion to give a few prepared words at an executive meeting.

The CISO pedigree now requires less hyper-focus on tech and more focus on business acumen and financial risk. The CEO wants the CISO to be as cost-conscious and business savvy as the CFO. To use novel approaches and apply sensible and cost-conscious controls or changes.

Traditionally, the CISO may have come up through the tech ranks and possessed a deep tech background. This is changing. The CISO is still technically astute and can discern good advice from bad — fantasy from reality. But the modern-era CISO should be focused on big picture strategy and not only the day-to-day tactical. And to support this, an IT Security leader will have identified a trusted 2ic (second in command/deputy) and built strong, competent and empowered teams to support the entire function from the governance, defense, and operations standpoint.

What is the cost of a data breach?

CSO article, August 29, 2019

Data breach costs can be ongoing for years, a new study finds. Here's the breakdown of costs and advice on how to minimize them.

Data breaches and security incidents are becoming increasingly costly. Canadian lender Desjardins Group recently revealed it had spent C$70 million ($53 million) in the wake of a breach earlier in the year that exposed personal information of 2.9 million members. Manufacturer Norsk Hydro said the final bill for its crippling cyberattack could be as high as $75 million. British Airways and Marriott have had to add $100 million each onto the final cost of their incidents after falling foul of GDPR.

While these examples are the most high-profile and extreme ends of the scale, the financial impact of suffering a data breach continues to increase year over year for companies of all shapes and sizes. The average cost of a data breach has risen to $3.92 million, according to a new report from IBM and the Ponemon Institute.

Improving BGP routing security by minding your MANRS

CSO article, August 27, 2019

Finding out after the fact that a big chunk of your internet traffic has been incorrectly routed through a server in China due to Border Gateway Protocol (BGP) routing security issues is....not great. Want to stop that from happening? Tough one. It's an age-old — or rather, internet-old — problem, and no single enterprise can prevent this on its own.

How do you solve a collective action problem? By acting collectively.

That's the idea behind the Mutually Agreed Norms for Routing Security (MANRS) project. Developed by the Internet Society (ISOC), and listing 204 network operators (ISPs) and 35 internet exchange points (IXPs) as members so far, plus newcomers Google and Microsoft, this coalition of the willing seeks to prevent BGP security issues that affect interdomain routing among autonomous systems.

Voices On ransomware: How to stay safe in the cloud

AccountingToday article, August 26, 2019

The recent spate of ransomware attacks against cloud-based accounting platforms has left many firms on edge, wondering about the security of data within their own firms — and rightly so. When a cyberattack strikes a hosted accounting system, it impacts the firm’s data and, more importantly, can expose critical client data.

Ransomware, which is frequently delivered through spear-phishing emails (emails that use social engineering to trick the receiver into giving out private information), is a type of malicious software that blocks users from accessing critical systems and data until a ransom is paid. According to FBI statistics, in 2018 alone U.S. businesses paid more than $3.6 million to hackers in these kinds of attacks. And that number doesn’t even include lost business, time, wages, files, equipment or third-party remediation services.

CISOs in the Boardroom: Translating Tactical Cybersecurity into Business Objectives

CyberSaint blog post, August 25, 2019

This week, I had the opportunity to speak at the ISACA 2019 Governance Risk and Control Conference in Ft. Lauderdale, FL. Having spent a career as both a cybersecurity practitioner and leader, the most recent trend of Board- and CEO-level concern around cyber has emerged as a top-of-mind issue facing many information security leaders. The need to be able to communicate cybersecurity as a business function has always been prevalent. With the massive breaches occurring now, we see the bottom-line impact of fragmented and static cybersecurity practices.

Being able to communicate an organization’s cyber posture is no longer simply a matter of securing more budget. With events like the Marriott and, more recently, the Capital One breaches, information security is having as direct an impact on bottom lines and stock prices as any other business function within the organization. Information security leaders must prepare themselves to articulate their programs as effectively as, and be held to the same standards as, other members of the C-suite.

Lack of cybersecurity is the biggest economic threat to the world over the next decade, CEOs say

CIO article, August 21, 2019

As digital transformation continues apace, CEOs see cybersecurity as the number one threat to the global economy in the next decade.

In its 2019 CEO Imperative Study, Ernst & Young surveyed 200 global CEOs from the Forbes Global 2000 and Forbes Largest Private Companies across the Americas, Europe, the Middle East, Africa, and the Asia-Pacific region. Also interviewed were 100 senior investors from global firms that manage at least $100 billion in assets.

However, regardless of their location, CEOs, board directors and institutional investors cited national and corporate gaps in cybersecurity as the biggest threats to business growth and the global economy. Income inequality and job losses stemming from technological change came second and third in the list of threats, while ethics in artificial intelligence and climate change respectively rounded out the top five.

The cybersecurity finding has far-reaching and disruptive implications for the future of work, consumer trust and government regulation.

CISO Strategies for Overcoming the Security Resource Strain

Article by the CISO Collective, August 23, 2019

It is undeniable that the responsibilities of a CISO are quickly evolving and expanding (see “The CISO Ascends from Technologist to Strategic Business Enabler,” Understanding the Cybersecurity Skills Shortage: An Analysis of Employer and Jobseeker Skills and Occupational Demographics Report Series, Fortinet, August 15, 2018). Digital initiatives that expand the boundaries of the network edge, paired with the demands from the board of directors for protecting critical data, now require a CISO with both executive and technology expertise. However, the most simplified version of a CISO's biggest priority can be stated as such: secure the organization’s growing attack surface with limited budget and resources.

How does a CISO allocate limited resources to protect an evolving attack surface and meet the needs of the board? This is a question that Forbes Insights explores in a new report that was published in association with Fortinet: “Making Tough Choices: How CISOs Manage Escalating Threats And Limited Resources.” Specifically, the report takes a deep dive into the decision-making processes of leading CISOs to determine how they secure their networks from an array of advanced threats with resource constraints.

Exploring the Roots of Health Care Cybersecurity

IoT World Today article, August 23, 2019

If there is one lesson to draw from this year’s Boeing 737 Max debacle, it is that software glitches can have catastrophic consequences.

That isn’t exactly a new revelation. There are multiple examples in recent decades of software bugs leading to loss of life and other forms of destruction. The story of the Therac-25 computerized radiation therapy machine is one of the most evocative. Produced in the 1980s, the Therac-25 has become a classic example of the potential for software failures to cause injuries and deaths, according to Anura Fernando of UL. Between 1985 and 1987, at least six patients received massive overdoses of radiation. The manufacturer, Atomic Energy of Canada Ltd., designed the system “to take advantage of computer control from the outset,” as Nancy Leveson and Clark Turner wrote in the journal “Computer” in 1993. A single person programmed the machine, modifying code from older devices and apparently documenting little of the process. 

The Therac-25 case has been “well-studied academically,” said Fernando, who is UL’s chief innovation architect, medical systems interoperability and security. “A lot of the early medical device software quality requirements were formulated around that case study.”

The fallout from the software failure paved the way for modern software quality requirements. It also helped drive the recognition “that our society was becoming more and more dependent on software,” added Fernando.

Side-Channel Attacks: Cyber Warfare’s New Battleground

Security Boulevard article, August 22, 2019

The current state of cybersecurity is complex, fast-moving and a critical risk to all organizations. Understanding where U.S. businesses stack up in terms of their security knowledge and defense strategy is of utmost importance. It’s critical that leaders—from enterprise to small business and government—gain more awareness of one of the greatest challenges cybersecurity is currently facing.

We’ve entered an era of advanced and persistent layered attacks. To stay ahead of these and other never-before-seen attacks, businesses and security leaders across industries must recognize the dangers they pose. Luckily, by understanding the current landscape and solutions that exist, businesses can enhance and improve their security posture in an ever-evolving threat landscape.

Origin of the Side-Channel Attack

How To Get Your CEO And Managers On The Data Analytics Bandwagon

Forbes article, August 21, 2019

Data professionals face an endless challenge to get the buy-in of management and IT to provide the technology and resources needed to efficiently and effectively analyze their constantly growing enterprise data stores. As the CEO and co-founder of a company that offers a data warehouse, one of the primary difficulties I see CDOs and data teams face is the inability to measure business benefits that will result from the improvements they seek in their data pipeline.

  • Communicating Benefits
  • Overcoming Objections
  • Fostering Collaboration

A cyberattack could wreak destruction comparable to a nuclear weapon

PRI article, August 16, 2019

People around the world may be worried about nuclear tensions rising, but I think they’re missing the fact that a major cyberattack could be just as damaging — and hackers are already laying the groundwork.

With the US and Russia pulling out of a key nuclear weapons pact — and beginning to develop new nuclear weapons – plus Iran tensions and North Korea again test-launching missiles, the global threat to civilization is high. Some fear a new nuclear arms race.

That threat is serious — but another could be as serious, and is less visible to the public. So far, most of the well-known hacking incidents, even those with foreign government backing, have done little more than steal data. Unfortunately, there are signs that hackers have placed malicious software inside US power and water systems, where it’s lying in wait, ready to be triggered. The US military has also reportedly penetrated the computers that control Russian electrical systems.

Developing personal OPSEC plans: 10 tips for protecting high-value targets

CSO article, August 13, 2019

Attackers are increasingly targeting executives and employees who have access to sensitive enterprise data. Here's how to protect those individuals with personal OPSEC plans.

Criminal hackers are targeting a wide range of employees, from administrative assistants to the C-suite executives they serve. As cybersecurity firm Proofpoint puts it, the hackers’ goals are to “trick your workers into opening an unsafe attachment or clicking on a dubious web link. They impersonate your CEO and order your finance department to wire money. And they con your customers into sharing login credentials with a website they think is yours.”

Most enterprise IT systems are well protected against, though not invulnerable to, cyberattacks. But the personal devices and online tools employees use after hours can be less secure, providing a potential bypass around enterprise security.

5 Cybersecurity Mistakes Boards Are Making

Diligent Insights, July 17, 2019

How confident are you that your board is covering all the right bases related to cybersecurity? A brief look at the statistics should urge board directors to start asking questions about where the oversight of cybersecurity is lacking. Here are some figures to get your board talking about cybersecurity:

  • The FBI lists 41 criminals on the cybercrime list.
  • Rise in viruses in smartphones and mobile devices: 54% increase in 2017.
  • 9% of mobile malware stems from third-party app stores.
  • Identity theft is up from 15 million in 2017 to 60 million in 2018.
  • Cybercriminals make the U.S. their #1 target.
  • The U.S. will account for half the data breaches by 2023.
  • The average cost of a data breach in the U.S. is $7.91 million.
  • It takes an average of 196 days to identify a data breach.
  • Cybercriminals see new opportunities as devices and systems become more interconnected.

Risk governance is the identification, assessment, management and communication of risks. Boards have a fiduciary responsibility to take a determined approach in overseeing all aspects of risk governance. The board’s responsibility extends to information security, including protecting the confidentiality of data, preserving the integrity of data and managing the authorized use of data.

Observations from a Free Agent CISO - Gary Hayslip

LinkedIn article, July 17, 2019

Over the last month as a free agent, I have worked with recruiters and reviewed many CISO job descriptions. With the exception of specific professional certifications, the disparity of how organizations view their CISO requirements has surprised me. My peers have expressed disappointment with the recruiting process in general because, to them, many CISO job descriptions are written for the unicorn 1%, not the other 99% of us who are hardworking CISOs.

Now I understand businesses have unique requirements for their security executives to meet, and I do believe many of those prerequisites are due to the organizations’ current level of maturity, size and business operations. The maturity of a company is just one factor that will influence the type of CISO profile needed, and understanding this context would be beneficial, not only for CISOs searching for their next role but to the business community in general.

CISO Metrics: Right sizing and right costing an information security program

LinkedIn article, July 16, 2019

How much should you spend on a cybersecurity program within your enterprise? How do you know if you are resource poor or resource heavy? Given a statement of fiduciary requirement, how do you stand behind it? Between all of these questions stands the view of a quizzical executive on what exactly am I paying for if I’m still getting breached. So, let's talk about the nexus between a cybersecurity team and risk.

It seems like anytime you put real numbers to a problem you have people coming out of the woodwork to poke holes in a generalized statement with anecdotal contrarian views. I’m going to say right up front some of these numbers are exemplar but not necessarily will they add up to zero on zero. I get it, and I understand this is the Internet. So this is a really poor way to start out a story of metrics, but I’m all about the different methodologies, and understanding there is a variety of maturity levels within organizations, let’s look at right sizing a security program. We’re engaging in a SWAG using guesstimates because nobody reading this can use the actual numbers, but can use the pattern to get to real numbers.

How CISOs Become Business Leaders

CSO article, July 11, 2019

What’s the difference between a company that has a CISO and one where the IT security manager is the highest ranked security professional? Some might say a CISO has a broader range of responsibilities, but the real answer is leadership.

A recent ESG study found that communication and leadership skills were the two most important qualities of a successful CISO. Technical acumen was far less important in the eyes of the respondents than the ability to get the right messages across.

If the CISO being a peer of the CIO is going to ever become the norm – just 12% of UK CIOs say that the CISO is their peer within their organization – security professionals need to learn skills beyond the security function and how to be business leaders.

Superforecasting: The Quest for Hyper Precision in Cyber Risk Assessment (Part II)

Article, July 9, 2019

In the first installment of this series, we peeled back the covers on the problem of imprecise cyber risk assessment, due largely to the reliance on ineffective and incomplete risk assessment tools and techniques. Things like heat maps and other forms of qualitative risk assessments no longer can adequately prepare organizations for the mounting wave of cyber threats—threats that pose increasingly larger peril to our organizations, employees, customers, partners, industries and communities.

Instead of continuing to rely on bad science in providing risk assessment advice to senior executives and board members, network defenders should consider more data-driven approaches to dramatically improve risk assessment accuracy and executive confidence. These include techniques such as Bayes probabilistic algorithms and Monte Carlo simulations in order to build latency curves.

12 tips for effectively presenting cybersecurity to the board

CSO article, March 19, 2019

42% of the nearly 500 leaders surveyed by the National Association of Corporate Directors listed cybersecurity risks as one of the five most pressing concerns they’re facing — just behind changes in the regulatory climate and an economic slowdown.

As a result, security executives are increasingly going before boards to brief them on the risks they face and strategies to mitigate them.

“More boards are saying, ‘Talk to us, tell us what we need to know,’” says Gary Hayslip, CISO of internet security company Webroot and a veteran board member.

Yet, many board members find that they’re not getting the information they need from their chief information security officers.

Good Governance: Do Boards Need Cyber Security Experts?

Forbes article, July 9, 2019

In today’s digital world, with near-instantaneous conveyance of information and data, cyber-events could (and routinely do) rapidly impact brand and shareholder value. While opinions differ on the need for cybersecurity experts on certain boards, there is a general consensus among management, boards, and investors alike that this need is growing.

Given this trend, I spent time with Bob Zukis. Bob is the founder and CEO of the Digital Directors Network, professor of Management and Organization at the USC Marshall School of Business, retired PwC Advisory Partner, and author and speaker on digital governance and the impact of disruptive technology on business strategy. We spoke about what companies can do to minimize cyber threats. 

Being A CISO At A Security Company

Forbes article, July 8, 2019

Chief Information Security Officers (CISOs) have been corporate fixtures for more than a decade, but there is still a bit of opacity about what ingredients CISOs add to the alphabet soup of C-level jobs.

Prior to 1994, the role didn’t even exist. Twenty-five years later, the position has gone from a good idea to a near necessity for enterprises with complex infrastructures and compliance standards. 

Whenever I talk about my job, whether it’s at a speaking engagement or in a one-on-one conversation, eventually someone asks me what it’s like being a CISO for a cyber security company. The short answer is that it’s always interesting. The longer, more accurate response is that it requires the ability to see things from different perspectives. 

Cybersecurity Forecast: Big Picture Challenges & Smart Solutions

Forbes article, July 8, 2019

The high-speed, always-on digital ecosystem is evolving. As you build your next-generation enterprise on platforms that offer unprecedented power, convenience and economy, keep in mind that cybercriminals are evolving, too.

Today, significant cybersecurity breaches have become so commonplace that it’s easy to gloss over headlines and move on. But the attacks that quickly fade from the news cycle still leave a significant mark. McKinsey reports that 47 percent of c-suite executives claim their company experienced a cyberattack. Of those affected, over a quarter rated the damage as “high” or “severe.” Only 11 percent said the impact had “little or no effect.” 

To grasp today’s cybersecurity landscape, keep a close eye on emerging and persistent risks.

Cyber Warfare Threat Rises As Iran And China Agree 'United Front' Against U.S.

Forbes article, July 6, 2019

"The Islamic Republic of Iran and China are standing in a united front," claimed Iran’s ICT Minister Mohammad Javad Azari Jahromi last week, "to confront U.S. unilateralism and hegemony in the field of IT." For confront read "offensive actions," and for IT read "cyber."

Jahromi followed this with similar comments in Beijing a few days later, when he met his opposite number Miao Wei. The ministers discussed "common challenges" in the face of "U.S. unilateralism," of which Jahromi said, “we are facing similar challenges, so we need to find common solutions." The Iranian minister accused the U.S. of "spreading its hegemony on new strategic technologies such as artificial intelligence," and criticized Washington's actions against Huawei and ZTE.

What is the dark web? How to access it and what you'll find

CSO article, July 4, 2019

The dark web is part of the internet that isn't visible to search engines and requires the use of an anonymizing browser called Tor to be accessed.

The dark web is a part of the internet that isn't indexed by search engines. You've no doubt heard talk of the “dark web” as a hotbed of criminal activity — and it is. Researchers Daniel Moore and Thomas Rid of King's College in London classified the contents of 2,723 live dark web sites over a five-week period in 2015 and found that 57% host illicit material. 

A 2019 study, Into the Web of Profit, conducted by Dr. Michael McGuire at the University of Surrey, shows that things have become worse. The number of dark web listings that could harm an enterprise has risen by 20% since 2016. Of all listings (excluding those selling drugs), 60% could potentially harm enterprises.

Global Telecom Carriers Attacked by Suspected Chinese Hackers

Article in Wall Street Journal, June 24, 2019

Hackers believed to be backed by China’s government have infiltrated the cellular networks of at least 10 global carriers, swiping users’ whereabouts, text-messaging records and call logs, according to a new report, amid growing scrutiny of Beijing’s cyberoffensives.

The New Digital Identity And Privacy Mandate

Forbes article, May 30, 2019

Research and Markets' latest 2019 report on identity said that identity verification is expected to grow from $6B in 2019 to $12.8B by 2024. The report highlights the rising number of identity-related frauds and data breaches as well as the need for compliance to drive the adoption of identity verification solutions.

On May 30, 2019, the Maine Legislature voted 35 - 0 to pass a strict internet service provider (ISP) privacy bill considered to be one of the strongest ISP privacy protections in the country. The bill, LD946, requires consumer consent before ISPs can sell their private data to third parties.

DevSecOps: One CISO's Journey

Forbes article, May 16, 2019

DevSecOps means integrating security practices within DevOps. It creates a "security as code" or “security by design” culture with ongoing, flexible collaboration among software development, quality assurance, IT operations and security teams. For many CISOs, DevOps is something that is done elsewhere, but not here — agile is for other people.

Many of us CISOs are not involved with software development, except on bad days that involve a security incident. However, I believe that is changing as numerous CISO roles demand comfort with DevOps. This new business requirement involves education and acceptance that cybersecurity and its controls are ubiquitous, and it takes communication to manage these changing and unique business risks.

Third-Party Cyber-Risk by the Numbers

DarkReading article, April 19, 2019

Make no mistake: Even the most technologically mature organizations are struggling to keep in check the rising force of third-party cyber-risk. Recent high-profile security incidents, such as the Facebook data leak and the ASUS Shadowhammer attack, bring home the fact that third parties can introduce tremendous risk to business operations, data security, and even the technical integrity of products and services.

Data shows that enterprises of all types are still way behind on instituting the governance and technology to wrap their arms around third-party risks, be they in the software supply chain, access governance, or data handling. And, unfortunately, some experts say the industry isn't moving the needle on third-party risk.

Ten Must-Have CISO Skills

Heller Search Associates blog, April 17, 2019

The role of the Chief Information Security Officer is highly dynamic and presents great challenges for those that serve in the position. There was a time when the information security leader was a purely technical role, focused on firewall configurations and password policies. While these aspects of information security remain important, the role has matured to encompass business leadership responsibilities. 

Today, the CISO is recognized as a crucial member of the executive team, no longer confined to the technical side of information security. 

In this new context for the role, these are the ten skills that every CISO must have to be successful, in any and all organizations and industries, today and in the foreseeable future.

No Shirt. No Security. No Merger.

CISO Relationship Series, April 16, 2019

Sure, we’d like to merge with your company but geez, have you looked at your security posture lately? Uggh. I don’t know if I could be seen in public with your kind let alone acquire your type.

We’re wary as to who wants to enter our digital home on this week’s episode of CISO/Security Vendor Relationship Podcast.

This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Mark Eggleston (@meggleston), vp, chief information security and privacy officer, Health Partners Plans.

5 ways for CISOs to show executives real results

TechRepublic article, April 9, 2019

CISOs need to gain a seat at the table to discuss strategy and building cybersecurity into product development. Here's how.

Once buried in the IT department, cybersecurity is increasingly becoming a major priority for all businesses, in the wake of near-constant high-profile breaches that have tarnished brand reputations and even put some companies out of business.

"Security has been buried in a CIO organization," said Aisling MacRunnels, CMO and a founding member of security firm Synack. "It's been an after-product cost center, and the only time a CISO or anyone on the security team really ever hears from anyone else in the company is because something went wrong. It's always a negative."

Want to Stress Out Your CISO? Here’s How.

Accellion blog, April 16, 2019

Lots of C-level executives deal with stress. CISO stress however may be unlike most others. Poorly defined expectations, a lack of training for the role, and exclusion from broader strategic discussions can lead a CISO to drink.

In fact, a recent survey revealed a disturbing number of CISOs deal with work-related stress by consuming alcohol or other forms of self-medication.

The problem requires senior managers to change their views on the CISO role, according to Larry Whiteside, Chief Information Security Officer for Greenway Health. Whiteside is an inaugural member of Accellion’s CISO Advisory Board. He provides valuable insight into the challenges and opportunities inherent with the CISO role in general and the healthcare industry in particular. This blog post is the first in a series.

The Weaponization Of The Electromagnetic Spectrum

Forbes article, April 12, 2019

The information age is evolving the very nature of warfare. Today, each nation increasingly depends on closely integrated, high-speed electronic systems across cyberspace, geospace, and space (CGS). But, it’s a cause of great concern if an enemy can easily use a weapon like a small, inexpensive EMP device. An EMP weapon can deny any individual or entity across a nation the ability to use electromagnetic waves for their digital infrastructure and digital connectivity, e.g. radio, infrared, and radar. Moreover, a nuclear blast can also trigger an EMP effect, as can a solar storm. Individually and collectively, this emerging reality understandably changes the nature of warfare, the focus of the war, and the target of warfare, shaking up the very foundation of security.

Electronic warfare is on our doorstep, and no nation seems to be fully prepared. Since electronic warfare appears to already be on our doorstep, in order to meet the complex EMP warfare challenges that are seriously threatening the very progress and advances nations have made in CGS, it is essential to evaluate how prepared each nation is today in their defensive as well as offensive capabilities. How are nations addressing the security challenges to their CGS?

Cybercrime groups raise the bar for security teams by borrowing APT techniques

CSO article, April 10, 2019

Cyber criminals now have access to more nation-state technology to launch more sophisticated advanced persistent threat attacks. That's bad news for defenders.

For the past several years, an increasing number of cybercrime groups have adopted techniques and procedures traditionally used by state-sponsored actors. This trend has caught many organizations unprepared, especially small and medium-sized businesses whose defenses are generally focused on regular malware.

NATO launches cyber-defense drill simulating elections under attack

FifthDomain article, April 8, 2019

NATO’s cybersecurity arm is set to launch a four-day exercise April 9 that simulates the response to hackers sowing chaos in a fictitious country conducting national elections.

The scenario places the country of Berylia in a “deteriorating security situation” as people go to the polls, according to a NATO statement. Hostile actors launch coordinated attacks against the country’s civilian communications infrastructure, causing disruptions in water purification systems, the power grid, 4G public safety networks and other essential services. Civil unrest spreads as the attacks twist the public perception of election results.

The drill, dubbed Locked Shields 2019, is billed as a “live-fire” event, which means all actions by six teams of competing network defenders will have immediate effects in the game-like environment.

The 6 biggest ransomware attacks of the last 5 years

CSO article, April 5, 2019

Malware that holds data for ransom has been around for years. In 1991, a biologist spread PC Cyborg, the first ever ransomware, by sending floppy disks via surface mail to other AIDS researchers, for instance. In the mid '00s Archiveus was the first ransomware to use encryption, though it's long ago been defeated and you can find its password on its Wikipedia page. In the early '10s, a series of "police" ransomware packages appeared, so called because they purported to be warnings from law enforcement about the victims' illicit activities and demanded payment of "fines"; they began to exploit the new generation of anonymous payment services to better harvest payments without getting caught.

25 Tips to Reduce the Frustration of Vulnerability Management

CISO Relationship Series, April 3, 2019

Vulnerability management (VM) has become synonymous with frustration. Breaches often result from exploited vulnerabilities that are known, yet not patched. The compromise was avoidable. Why couldn’t we stop it?

The problem stems from security “trying to manage a mountain of work they usually have little to no control over by pushing other overtaxed teams, such as IT and engineering, to remediate during non-ideal times,” said Yaron Levi (@0xL3v1), CISO, Blue Cross and Blue Shield of Kansas City.

AI And ML: Greatest Hype Or Hope?

Forbes article, April 2, 2019

The Dunning-Kruger effect is a remarkable bias: it simultaneously predicts amateurs underestimating complexity and being overconfident and veterans underestimating complexity, with often less confidence than the amateurs! This is well shown in the famous Mount Stupid diagram. Today, we see the rise of hype in technologies like the Internet, blockchain and cloud, three of the big tech flashes in recent history. Some of these soar in hype and deliver, and some crash in delivery, proving a false hope. So where do Artificial Intelligence (AI) and Machine Learning (ML) fall with respect to cybersecurity? While AI and ML persist in security vendor marketing and are starting to wane in a hype-cycle sense, it begs the question of how much weight they should be given by cybersecurity practitioners.

In the future AIs will go to war with one another and many security jobs will be run by them, but not today. Technology has a way of defying predictions, coming either much earlier or later than expected. In its early days AI was expected to be “solved soon” and that was 50 years ago.

6 secrets to CISO job longevity

CSO article, March 25, 2019

Chief information security officers and other enterprise security leaders often don't remain long enough with the same organization to be able to make a strategic difference. Those that do say business focus, the ability to communicate with key stakeholders and knowing how to manage expectations are key to longevity in the CISO role.

Take Andy Ellis. As Akamai's chief security officer for the past eight years, Ellis has played a central role in implementing a zero-trust data access model that has fundamentally transformed the company's security posture. Over a total of 16 years in various security roles at Akamai he has helped define and evolve the organization's core security strategy.

Ellis believes that being at the same company for so long has been critical to his ability to affect change. "I've gotten to mold this position," Ellis says. "As I've gone along, it's been like wearing a comfortable glove. I understand how the organization works; therefore, I can get more done."

Risk As Lingua Franca

Forbes article, March 22, 2019

We in Cybersecurity see ourselves as risk mitigators. It’s our job to stand against a persistent, motivated, intelligent enemy and prevent bad things from happening. It’s self-evident in many ways, and it calls to us. We self-identify as Defenders. When the business asks us “why we exist,” we often answer in our best business voices “to reduce risk.” The problem with this answer is that there is already a language of risk in the business, and by-and-large we don’t know it.

Business exists to take acceptable risk for acceptable return. I can tell you how to face no risks right now: turn everything off. But as soon as you build something, turn something on or scale something, risk creeps in. This is true everywhere within the business, not just in security, from the board room, C-suite and the smallest corporate branch and partnership. Enterprise risk comes in many forms: legal, operational, financial and even non-security IT risk. In Flavors of Risk, I talked about IT Security as opposed to Cybersecurity risk. Let’s instead dive into the divide between those unique security risks and the rest of the risk mitigation processes and behavior of a typical company.

Defense in Depth: CISO Burnout

CISO Series article, March 21, 2019

Are CISOs the most stressed individuals on a security team, or do mental health issues affect everyone in security?

Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Gary Hayslip (@ghayslip), CISO, Webroot.

Cyber risk management challenges are impacting the business

CSO article, March 19, 2019

There was quite a bit of banter about boardroom cybersecurity actions at this year’s RSA Security Conference. No surprise here; business executives understand what’s at stake and are asking CISOs to provide more cyber risk data and metrics, so they can work with them on intelligent risk mitigation strategies.

This is a positive development for the long term, but it also exposes an underappreciated issue – many organizations aren’t very good at monitoring, measuring, or mitigating cyber risk in a timely manner.

5 cybersecurity threats your DNS logs already reveal

TechRadar article, from March 14, 2018

Cybersecurity can be an exhausting job. Between the onslaught of ‘silver bullet’ tools that supposedly protect organizations, and the additional layer of tools needed just to make sense of the first group, even the smartest teams are finding themselves stretched thin. There are signals and control points on the network today that are underutilized from the cyber perspective — instead of adding net new, leverage what you have today.

Adversaries take advantage of blind spots, by focusing on the exact places security teams haven’t gotten around to monitoring. One of those places is DNS.

Until recently, the protocol was relegated to the IT infrastructure team, and dismissed as mere network plumbing. Now, understanding of DNS as a threat vector is palpable. It’s the topic of concern for the DHS, government organizations, telecommunications companies, and much more.

Security Teams are Treated Like Policemen: CISOs Need a Better Approach

Computer Business Review article, March 15, 2019

IT security professionals play a vital role in keeping businesses safe from serious security incidents. Whether they’re actively defending against targeted cyberattacks or implementing technology and policies to mitigate costly mistakes, the work of the security team can often be all that stands in the way of a major breach with a multi-million-pound price tag, writes Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic.

Despite the fact that strong cybersecurity is now increasingly essential for business success, many security professionals themselves all too often feel underappreciated and overlooked, with security efforts being seen as a frustrating barrier by both colleagues and the board. Aside from the obvious impact on morale and working relationships, this image problem can also reduce the team’s effectiveness and increase the chances of a security incident.

Security Is Chaotic... And That’s Okay

Splunk blog post, March 13, 2019

If you stopped by the Splunk booth at RSA Conference this year, you probably heard us talking about “chaos.” And what better place to discuss chaos than the largest, busiest and loudest global security event of the year?

Yes, cybersecurity professionals around the world are living in chaotic times. Just look at the news coming out of RSA this year—nation-state hacks continue to rise, concerns around data privacy are mounting and several cybersecurity executives went before Congress to discuss their latest challenges with emerging threats. At the center of it all? Data. As data continues to anchor every Security Operations Center (SOC), it’s important to embrace the chaos.

Here are three things to remember to help your SOC thrive.

The buzz at RSA 2019: Cloud security, network security, managed services and more

CSO article by Jon Oltsik, March 11, 2019

Like many other cybersecurity professionals, I spent last week at the RSA security conference in rainy San Francisco. Here are a few of my impressions: 

  1. Cybersecurity and business leaders are coming together – awkwardly.
  2. Every layer of the security technology stack is in play.
  3. The market is absolutely moving toward consolidation, integration, and platforms.
  4. Cybersecurity analytics meets cloud-scale.
  5. Professional and managed services everywhere – by necessity.
  6. Cloud security immaturity continues.
  7. The network still doesn’t lie.

Challenges That Cause CISOs to Fail

LinkedIn article by Gary Hayslip, March 8, 2019

Original abbreviated article was published March 8th 2019 on Forbes Magazine's Technology Council Community Voice.

This version of the article is the complete version with eleven challenges I find many of my peers face daily as they work to serve their teams and their organizations.

Having spent the last 12 years as a CISO in multiple roles, I sometimes think I have seen everything that could stop my security program from being successful. Then along comes yet another squirrel to prove me wrong. I could use a more colorful adjective, but I think we all can grasp the picture of a squirrel that is annoying and distracts you with its constant chatter and antics. Cybersecurity as a profession is unique because when you think about it, the CISO and their team are protecting a business from itself. Of course, you also have the fact that companies don’t like to admit they need protection.

With this in mind, I want to talk about challenges CISOs face that make the job stressful and demanding. Let’s face it: Those of us who serve in the CISO role and deal with its challenges are here because we believe what we do in our job matters and we love helping people. However, at times the job does suck. Now that I have everyone in a positive mood, let’s discuss some problems that CISOs face and how they can overcome them. Please keep in mind this isn’t a complete list.

RSA 2019: Understanding the Value of a CISO

BizTech article (video), March 8, 2019

One of the biggest forces of change in an organization can be the establishment of impactful leadership. While chief information security officers are not new, they are growing in number and being challenged with a complex, evolving cyberthreat landscape. We spoke with a number of CISOs while at the RSA Conference about the perspective they bring to their organizations, their challenges and their priorities as cybersecurity leaders.

View more of our coverage from the 2019 RSA Conference and gain insight into how the conversation on cybersecurity is growing and evolving.

Enterprises need to embrace top-down cybersecurity management

CSO article by Jon Oltsik, from February 19, 2019

CISOs must manage cybersecurity based upon their organization’s mission, goals, and business processes, not the technology underpinnings.

When I first entered the cybersecurity market in 2003, I’d already been working in the IT industry for about 16 years in storage, networking, and telecommunications previously. By the early 2000s, all three sectors had moved on from bits and bytes to focusing on how each technology could help organizations meet their business goals. Oh sure, we still talked speeds and feeds, but we led with things like business agility, productivity, and cost cutting. The technology was a means to an end rather than an end in itself.

When I got to the cybersecurity industry, I was surprised by what I saw. Unlike other areas of IT, cybersecurity was still deep in the weeds, focused on things such as IP packets, application protocols, and malicious code. In other words, cybersecurity remained a “bottom-up” discipline as the cybersecurity team viewed the world from networks and devices “up the stack” to applications and the business.

90% of CISOs Struggling with SaaS Security Playbooks

LinkedIn article, February 22, 2019

For the second straight year, Oracle and KPMG have partnered to bring you the insights into what 450 global organizations are experiencing as they lift and shift their workloads to the cloud. Some are experiencing tremendous successes with effective planning, while some are realizing the difficulties because of misunderstanding cloud security principles.

This year’s report touches on a wide range of challenges that have been reported, and a leading practices approach to help reduce the impact from threats and implement proper risk reduction measures across the business. We also look at the education of cyber teams, users, and helping to elevate the CISO and the role the entire org plays in collaborating with the CISO to ensure data privacy is a company wide concern. 

Global Cyber Alliance and Mastercard Launch Cybersecurity Toolkit

Homeland Security article, February 19, 2019

The Global Cyber Alliance (GCA) and Mastercard today released a new Cybersecurity Toolkit specifically designed for small and medium businesses. This free online resource is available worldwide and offers actionable guidance and tools with clear directions to combat the increasing volume of cyberattacks. 

The GCA Cybersecurity Toolkit arms small business owners with basic security controls and guidance, including:

  • Operational tools that help them take inventory of their cyber-related assets, create and maintain strong passwords, use multi-factor authentication, perform backups of critical data, prevent phishing and viruses, and more
  • How-to materials, such as template policies and forms, training videos, and other foundational documents they can customize for their organizations
  • Recognized best practices from leading organizations in the industry including the Center for Internet Security Controls, the UK’s National Cyber Security Centre Cyber Essentials, the Australian Cyber Security Centre’s Essential Eight, and Mastercard

10 Skills of Highly Successful Chief Information Security Officers

Homeland Security Today article, from February 24, 2019

Critical skills are necessary to make a successful Chief Information Security Officer (CISO). It is critically important that the CISO is tightly integrated with the organization’s mission. Focusing on skills in this way helps the CISO to be part of the organization’s strategic planning process, which leads to a much more resilient organization. In this article, Darren Death explores 10 critical success factors that an organization’s CISO must exhibit in order to be successful in the role. 

Must-Have Skills for CISOs: A CISOs Connect Report

Security Current article, February 18, 2019

While cybersecurity is dynamic, there are things that are constant. These are the skills that every CISO must have to be successful, whatever the organization and industry, today and in the foreseeable future.

In this latest Security Current/ CISOs Connect report, ASRC Federal’s CISO Darren Death combines previous research and his own findings to provide practical advice on how CISOs can use ten must-have skills in daily corporate settings to do their jobs better and secure their environments.

The skills range from communication and presentation, policy development and administration, political skills, knowledge and understanding of the business and its mission, collaboration and conflict management, planning and strategic management, supervisory skills, incident management, knowledge of regulation and compliance with standards, to risk assessment and management.

Role of the CISO: Top 3 Questions

LinkedIn article, February 15, 2019

The role of Chief Information Security Officers (CISO) is evolving and requires a complex skill set. Long perceived as a cost center that constrains the business in order to reduce losses from cyberattacks and to meet regulatory compliance, cybersecurity is now transforming into a critical function that must contribute to overall competitiveness.

It is a mindset change. CISOs will continue to manage the risks through establishing and enforcing policies, but now must also help the organization seize opportunities and be successful. The next generation of CISOs will position themselves as an enabler for the business to move faster, build trust, and remain effective in the eyes of shareholders and customers.

Using "Digital Twins" to inform Cyber Security Operations

LinkedIn article by Scott Foote, September 3, 2018

The idea of a “Digital Twin” is not new. Engineers and other professionals have been using digital simulation models for many decades to provide the contextual awareness that informs their decision making. These digital simulations are simply formal, detailed versions of the anecdotally-collected mental models that most of us carry around in our heads. With the added benefit of course that digital models can be shared for continuous evolution, verification & validation; and persisted to survive the turnover of personalities and staff.

What is new… is the application of these digital models to the high-tempo, high-risk decision making of Cyber Security Operations.

The surge toward digital transformation continues to compound the complexities of contemporary business models as well as the underlying information technology that supports them. This exponential growth in inter-dependencies and rapid adoption of leading-edge technologies creates RISK, a direct result of the ever-growing attack surface that adversaries are increasingly better prepared to exploit, while Cyber Defenders are hard pressed to keep pace, struggling to maintain effective comprehension of their “enterprise architecture” as it continuously morphs in pursuit of greater business value.

Digital Or Die: Why Digital Transformation Must Come From The C-Suite

Forbes article, February 15, 2019

“What use could this company make of an electrical toy?” asked Western Union president William Orton, brusquely turning down the chance to buy the patent for Alexander Graham Bell’s telephone in 1877. Over 100 years later, Nokia squandered its position as the global leader in mobile phones by refusing to recognize that data — not voice — was the future of communication. Though a century apart, both of these companies failed to heed the headwinds of new technology, to their detriment.

In hindsight, it’s easy to laugh at this sort of hubris, yet today, many CEOs and their executives are at risk of taking precisely the same approach with digital technology, and it’s putting their companies at risk. Emerging technologies such as artificial intelligence, big data analytics and virtual assistants are transforming business operations, product manufacturing and service delivery, while many new entrants and tech giants are capitalizing on their scale and (analytical) prowess to disrupt new industries. In today’s environment, embracing digital is no longer merely advised -- it’s a mandate for survival. In fact, a 2017 survey found that 56% of CEOs who adopted digital initiatives reported an increase in profits as a result of their efforts.

Burnout warning: High stress levels impacting CISOs' physical, mental health

TechRepublic article, February 14, 2019

CISOs experience mounting external and internal stressors in their jobs, according to a report from Nominet released on Thursday. The majority (91%) of these professionals said they face moderate to high stress in their leadership positions, with 60% admitting they rarely disconnect from work, the report found.

The report surveyed 408 CISOs in the US and UK, who all oversee their business' cybersecurity efforts. With immense social, digital, and security pressures, the modern CISO has trouble staying afloat, the report found.

Cybersecurity Predictions and a Wish List for 2019

Peerlyst article, January 3, 2019

As in recent times, the cyber threats will continue to get worse before they get better. Those that think “good enough” security or risk management will be sorely disappointed in the large gaps they will leave open for the cybercriminals and nation-state actors to easily breach and compromise their enterprise. 

2019 and beyond will no doubt be interesting for all of us, stretching those that will be attempting to adapt to this increasingly dynamic threat environment and may be harsh for those that are settling for “good enough” security. 

Proactive Cyber Defense - Modern CyberSOC - Strategy on building a Collaborative Cyber Security

Peerlyst article, January 7, 2019

In earlier years, everyone depended on the SOC (including firewalls, WAF, SIEM, etc.), and the priority in building the SOC was to provide security so that the CIA of the data was maintained. However, as attacks emerged and threat actors became more challenging, the existing SOC was no longer able to provide better security over the CIA. There are many reasons for the failure of the existing SOC, where it depends only on the SIEM. Many organizations believed that integrating all the security devices like firewalls, routers, AV and DB solutions into the SIEM and correlating the use cases would provide them 100% security over the CIA of the data. However, it all fails once the APT emerges.

Don't Buy A Breach: Ten Cybersecurity Red Flags To Look For During M&A Due Diligence

Forbes article, February 12, 2019

We’ve heard the pundits’ criticism: Marriott should have known better. The hospitality company’s recent and well-publicized security breach occurred when hackers exploited network-security vulnerabilities in its Starwood division, a subsidiary that Marriott purchased only three years ago. And actually, it’s the news of the breach that’s recent. The breaching itself began in 2014.

With the benefit of 20/20 hindsight, it’s easy to cast the first stones: In 2016, Marriott purchased a company with compromised infrastructure, and then unknowingly integrated that compromised network into its own infrastructure. The Marriott story doesn’t paint a pretty picture of traditional castle-and-moat security. (“Ignore that extra drawbridge.”)

Instead of piling on further, let’s instead learn from Marriott’s experience. (We in the cybersecurity industry should never let a breach go to waste.) This is a mergers and acquisitions (M&A) object lesson and highlights the crucial role cybersecurity validation and audits must play during the due-diligence phase.

From Survive To Thrive In Cybersecurity

Forbes article, February 13, 2019

(a must-read article)

Most CISOs last 13 months in their job, or so I was told a decade ago. I’ve since seen as high as 18 months and as low as 11 months, but regardless of the actual length of time, I think we can all agree that any career with a short lifespan on achieving the leadership position of an entire department is extremely wasteful! The reason is simple: we aren’t aligned with the business. What it takes to get to the CISO seat is not what’s needed when sitting in it. 

How CISOs view their jobs

LinkedIn article, February 12, 2019

Gary Hayslip has previously written about the roles of the modern CISO whose security program is aligned with the business operations of their organization. That article discussed the changing roles CISOs are now assuming as organizations mature and employ CISOs for numerous security/risk initiatives that support strategic business goals. In retrospect, that article was written more about the job, and less about what personal strengths and weaknesses CISOs view as required to be the senior security executive for an organization. So keeping this in mind, let’s look at the lenses through which CISOs view their job, what barriers they feel prevent them from being successful, and what they feel is their responsibility as a business partner.

This article will focus on six domains that impact CISOs personally and professionally in their dynamic roles. These domains are barriers to success, obligations, authority, technology, risk management, and finally the pros/cons of reporting structure.

A Road Map for CISOs

SecurityCurrent article, February 11, 2019

The role of the CISO has evolved greatly over the years. Over the past 20 years leading security practices across multiple industry verticals for large Fortune 500 organizations, I have observed first hand its various shifts. The natural next question is what the next phase would look like. More importantly, will the CISOs of today be able to keep up with these challenges in the future?

Foremost we have to always be aware that we are not dealing with amateur attackers. We are dealing with well-funded organized crime. Well-funded nation states. Groups that have political agendas. They will be able to use information to influence political designs.

There will be a lot of investments in security analytics and emerging technologies. Just as tech can be used for good, those well-funded groups can also use them for criminal activities.

Dragos 2018 Year in Review

Dragos blog, February 12, 2019

Dragos’ Year in Review reports provide insights and lessons learned from our team’s first-hand experience hunting and responding to industrial control systems (ICS) adversaries throughout the year, so we can offer recommendations for stronger defenses for industrial organizations and help drive change in the ICS cybersecurity community. 

Five emerging cyber-threats to worry about in 2019

MIT Technology Review article, January 4, 2019

Last year was full of cybersecurity disasters, from the revelation of security flaws in billions of microchips to massive data breaches and attacks using malicious software that locks down computer systems until a ransom is paid, usually in the form of an untraceable digital currency.

We’re going to see more mega-breaches and ransomware attacks in 2019. Planning to deal with these and other established risks, like threats to web-connected consumer devices and critical infrastructure such as electrical grids and transport systems, will be a top priority for security teams. But cyber-defenders should be paying attention to new threats, too. Here are some that should be on watch lists...

6 Steps Every New CISO Should Take to Set Their Organization Up for Success

SecurityIntelligence article, February 7, 2019

With some figures putting the typical CISO tenure at just around two years, it’s clear turnover in this role is high. According to a Ponemon Institute study sponsored by Opus, 44 percent of CISOs surveyed said they plan to make a lateral move in their organization outside of IT security, and 40 percent said they expect to change careers. All of this considered, the window of time to make a mark as an effective security leader is short — and, in turn, stressful.

What are some best practices for getting started on the path to success in a new security management position? What do you need to do, who do you need to talk to, and what are the first actions you need to take to make an immediate impact and set yourself up for future wins?


Akamai blog, February 7, 2019

Everyone and everything on the Internet depends on the Domain Name System (DNS) being functional. The DNS has been a common vector for attacks in recent years, and 2019 seems to be no different. Many of these attacks have goals far more sinister than simply taking a company offline or defacing a website; reported attacks include redirecting some or all of an organization's domain to gain access to protected resources, intercept traffic, and even obtain TLS certificates for that domain. Organizations should perform regular DNS reviews and audits. The following guidelines provide a starting point for your review.

The DNS is critical to any organization with an online presence. Attacking domain names is a notable method to DoS (Denial of Service), deface, abuse or otherwise damage any Internet-connected organization. Domain names represent not only your brand but the way your customers interact with your business. In today's world, domain names are critical for web, voice, video, chat, APIs, and all the other services your company may offer or consume. In short, control of your domain names is essential to your business.

One of the most overlooked threats to your DNS presence is neglect. Many organizations take their DNS setup for granted, configuring it once and leaving it for all time. Adversaries leverage this neglect and the resulting weaknesses. Performing regular DNS reviews and audits is an essential preventative measure.

Security Professionals Win When They Can Master Risk Communications

SecurityWeek article, February 7, 2019

A lot of people are talking about security risk right now. A quick Google search reveals articles on risks associated with the Slack collaboration tool, out of date Windows software, 5G network equipment from Huawei, iPhone apps that have been communicating with a malicious server and organizations’ employees. And that’s just the first page! Of course, when these topics make the headlines, security teams inevitably get calls from management, but the nature of these calls is evolving.

Recent analysis by Forrester finds that Boards are maturing in their understanding of cybersecurity and are asking more detailed questions. They don’t just want to know if the latest threat matters to the organization, but how you know that. For Chief Information Security Officers (CISOs) and other security leaders, this means that your ability to communicate effectively about cybersecurity is just as important as your work doing cybersecurity, if not more important. Communication has become a critical component of security operations. 

Modern Cybercrime: It Takes a Village

ThreatPost article, February 6, 2019

Today’s financial cyber-rings have corporate insider and management roles — cybercrime is not just for hackers and coders anymore.

Contrary to the pop-culture image of the hoodie-clad lone hacker with mad keyboard “skillz” siphoning off funds and making people’s lives miserable with a few lines of brilliant code, increasingly cybercrime “takes a village”. The true face of cybercrime today is a more democratic one. 

Modern financial crime rings are made up of a wide range of people with complementary toolsets—from coders to willing corporate insiders wanting to be paid for installing malware on a network and more. 

CISOs: Change your mindset or lose your job

HelpNetSecurity article, February 4, 2019

Capgemini commissioned IDC to produce a new piece of research, which reveals the increasing pressure on the Chief Information Security Officer to drive forward digital transformation – or risk losing their seat at the table when it comes to key business decisions. 

Whilst CISOs are now involved in 90% of significant business decisions, the research found that just 25% of business executives perceive CISOs as proactively enabling digital transformation – which is a key goal for 89% of organizations. 

SQL Slammer 16 years later: Four modern-day scenarios that could be worse

CSO article, January 31, 2019

It’s been 16 years since the SQL Slammer worm struck on January 25, 2003. It was the fastest spreading computer worm in history, and surprisingly nothing has beaten it since. Will that record stand much longer?

The saving grace of Slammer was that it didn’t do any intentional harm beyond crashing the SQL server and killing network bandwidth. It didn’t infect files, delete data, collect passwords, or do any of the devious things that nearly all malware does by default today. To recover from it, you applied the patch and rebooted the server. It was that easy. 

Since then we’ve all wondered if a more devious malware program might beat Slammer’s record. Malware writers are far more sophisticated today, but it’s been 16 years and nothing has beaten Slammer’s record. Is it possible that Slammer will go down in history as the fastest spreading malware program? 

Law enforcement shuts down xDedic marketplace for hacked servers

CSO article, January 28, 2019

The FBI and law enforcement agencies from several European countries have shut down an underground marketplace that specialized in selling access to hacked computers and servers. Called xDedic, the site had been around for years, first on the open internet and then also on the Tor network. According to a 2016 report from Kaspersky Lab, the online shop was run by a group of Russian-speaking hackers. 

The takedown happened Thursday but was only announced January 28 by Europol and Eurojust, who coordinated the investigation among authorities in Belgium, the U.S. and Ukraine. Law enforcement in Germany helped confiscate the site's IT infrastructure, and the domain names were seized through an order issued by a U.S. judge.


Malwarebytes “State of Malware” Report - Malware Detections Targeting Businesses Up ~80 percent

LinkedIn article, January 25, 2019

Earlier this week, Malwarebytes released its annual State of Malware Report, which analyzes top malware threats from January through November 2018 and compares them with the same period in 2017. The report identifies a sharp increase in business-based malware detections, including a more than 100 percent increase in Trojan, riskware tool, backdoor and spyware activity. Overall, the research shows that cyber criminals are finding businesses as the best target with the highest returns. 

10 Data and Analytics Trends to Watch in 2019

Business2Community article, January 24, 2019

"To stay alive and thrive in an era of accelerating digital disruption, organizations are realizing that simply being “data-driven” won’t guarantee future success. In 2019, leaders are now being challenged to change their siloed, departmental analytics approach to data, put away all their “interesting” dashboards, and get down to defined business outcomes.

Forrester notes that it’s not “data-driven,” but rather “insights-driven,” businesses that are growing at an average of more than 30% each year, and by 2021 are predicted to take $1.8 trillion annually from their less-informed peers. Organizations that are intent on lasting into the next decade and beyond must stop doing analytics for analytics’ sake, notes Forrester and other top thought leaders who have shared these 10 Enterprise Analytics Trends to Watch in 2019..."

Secret CSO: Gary Hayslip, Webroot

IDG Connect article, January 24, 2019

Gary Hayslip is an enterprise cybersecurity expert with 17 years of experience. Currently CISO for Webroot, a provider of threat intelligence and endpoint security, he previously held multiple CISO, IT Director and Senior Network Architect roles for the City of San Diego, the U.S. Navy and the U.S. Government. 

And he's a personal favorite of ours here at Phenomenati.

Cloud Customers Faced 681M Cyberattacks in 2018

Dark Reading article, January 24, 2019

Cloud customers were hit with 681 million cyberattacks last year, according to analysts at cloud security provider Armor, which recently analyzed cloud attacks detected in 2018.

The most common cloud-focused threats leveraged known software vulnerabilities, involved brute-force and/or stolen credentials, targeted the Internet of Things (IoT), or aimed for Web applications with SQL injection, cross-site scripting, cross-site request forgery attacks, or remote file inclusion. Researchers based the list on volume; these are not the most advanced or lethal cloud attacks.

Yet they continue to work, are easy to access, and are fairly simple to use, they explained in a blog post on their findings. Any cybercriminal can rent an exploit kit containing attack tools for a reasonable amount of cash. For example, they said, the older and established Disdain Exploit Kit was charging rental fees starting at $80 per day, $500 per week, and $1,400 per month. Kits are designed to be accessible to cybercriminals at all levels and are constantly updated with new exploits.

Shadow IT, IaaS & the Security Imperative

Dark Reading article, January 21, 2019

Shadow IT, the use of technology outside the IT purview, is becoming a tacitly approved aspect of most modern enterprises. Yet, with the vast adoption of software-as-a-service and infrastructure-as-a-service (IaaS) approaches, shadow IT presents increased security challenges that can create major risk. To further complicate things, because organizations aren't centrally controlling these solutions and tools, their vulnerabilities often go undetected for far too long. If individuals and internal teams continue to introduce outside tools and solutions into their environments, enterprises will have to adopt a smart path to ensure they operate securely.

The evolution of shadow IT is a result of technology becoming simpler and the cloud offering easy connectivity to applications and storage. As this happened, people began to cherry-pick those things that would help them get things done easily. Internal groups began using Google Drive for team collaboration and storage; employees used their personal phones to access secured enterprise resources; development teams grabbed code from shared repositories. All of these use cases, and many more, are examples of finding and adopting usable, efficient, and cheap strategies to get things done.

Why CISOs and Boards Should Work Together to Improve Cybersecurity Disclosure

SecurityIntelligence article, January 21, 2019

"Just how well are organizations informing stakeholders about cyber risks? As 2018 drew to a close, that was the question that EY sought to answer in its “Cybersecurity Disclosure Benchmarking” report. EY looked at how Fortune 100 organizations are sharing information related to cybersecurity in their proxy statements and 10-K filings, specifically analyzing these documents for the following:

  • Information related to how the organization manages cybersecurity and security awareness and training — and whether those are part of a wider enterprise risk management (ERM) program.
  • Whether or not public filings contained statements about the importance of cybersecurity risks as strategic risks, or their potential impact on business objectives.
  • How the board is discharging its responsibility to oversee risks, focusing specifically on cybersecurity risks, including board member qualifications regarding cybersecurity as well as the structure and frequency of cyber reports from management.

Before we look at what EY’s analysis revealed, let’s take a step back and look at the environment that got us here."

Why Compliance Does Not Equal Security

Forbes article, January 7, 2019

A company can be 100% compliant and yet 100% owned by cyber criminals. Many companies document every cybersecurity measure and check all appropriate compliance boxes. Even after all that, they still hit the headlines and lose customer data. Compliance doesn’t mean security.

Take Target as an example. Most of us remember the retail giant’s massive 2013 data breach after a cyber criminal got to its point-of-sale system. What most don’t know is that Target had earned its certification against the payment card industry (PCI) cybersecurity standard that year. And the same likely holds true for Marriott, although data breach investigations by Europe’s General Data Protection Regulation and the state of New York will prove this out.

To understand this gap between compliance and security, we must follow cybersecurity regulation back to its roots: banking regulation. Financial regulation emerged to discourage unwanted behavior such as insider trading. In this world, compliance means documenting transgressions for investigation after the fact. If inappropriate behavior occurs, a bank can punish wrongdoers and make things right afterward. In short, banking compliance is a form of deterrence. 


Morphisec blog post, January 17, 2019

By now you’ve heard all the 2019 predictions from cybersecurity vendors and practitioners. As every year, many are insightful and thought-provoking, some meant to invoke self-serving fear and doubt about the next big threat, others just repeats from the year prior.

However, what very few mention, because it’s hard to quantify and doesn’t make good headlines, is the escalating trend of technology confusion and overload. This didn’t happen overnight. More investment has poured into the cybersecurity market than any other B2B software market. In 2017, $4.9 billion was invested in cybersecurity start-ups. And while there are some truly innovative technologies solving real problems, far too many providers just do more of the same thing in different packaging, or simply throw food at a wall to see if it will stick. 

So how can organizations make sure that the solutions they choose provide the best defense possible?

Enterprises betting on SOAR tools to fill security gaps

TechTarget article, January 16, 2019

Security professionals are struggling to keep up with today's dynamic threat landscape as they continue to deal with security alert overload and cybersecurity skills shortage, but several security experts believe deploying security orchestration, automation and response tools can aid security teams with streamlining and improving everyday processes.

Gartner defines SOAR as "technologies that enable organizations to collect security threats data and alerts from different sources, where incident analysis and triage can be performed using a combination of human and machine power to help define, prioritize and drive standardized incident response activities according to a standard workflow." For companies with five or more security professionals, the research outfit forecasts SOAR adoption rate to rise from 1% to 15% by 2020.

Research from Enterprise Strategy Group (ESG) found even higher adoption rates for SOAR tools. In a survey conducted last year, ESG found that 19% of responding enterprises said they had deployed operations automation and orchestration technology "extensively," while 39% of respondents said they are deploying the technology on a "limited basis."

With most enterprises receiving more than 10,000 alerts per day -- according to data from a 2018 RSA survey -- it is impossible for security teams to review all of those alerts. This high volume of alerts and the need to perform detection in multiple stages would be enough of a driver for SOAR tools, but there's something else, Gartner analyst Augusto Barros said in an email interview.

How Do We Define “Big Data” And Just What Counts As A “Big Data” Analysis?

TweetChat article, January 9, 2019

"... when I noted that what I had done was run a bunch of Google searches and that every day people all over the world were running billions of identical analyses over Google’s 100 petabyte index, suddenly the audience usually changed its mind and argued this was clearly not a “big data” analysis, it was merely “search.” 

Indeed, it seems hardly satisfying to argue that a 10-year-old running a Google search should count as a bleeding edge “big data” analyst. 

As with Google searches, does merely keyword searching a trillion tweets really count as performing a trillion-tweet “big data” analysis? 

Does a keyword search of a trillion tweets that yields a set of 100,000 results of which just 1,000 randomly selected tweets are finally analyzed, really count as a “big data” analysis? 

CISO Liz Joyce: Cybersecurity leadership requires more than technical chops

HPE blog post, January 7, 2019

Cybersecurity professionals grapple with increasingly sophisticated technical challenges. But for risk management and strategic planning, they need a seat at the table. 

Liz Joyce has been fascinated by cybersecurity since her student days. She has had a ringside view of the evolving threat landscape as individual hackers and script kiddies have been replaced by hacktivists, state actors, organized cybercrime rings, and other cunning adversaries. As Hewlett Packard Enterprise’s chief information security officer, she not only has to consider these threats, but her team also has to deal with formidable management challenges, from workforce development to infusing a cybersecurity perspective across HPE. In an interview with enterprise.nxt, Joyce shares insights and advice from decades of experience in the field. 

I can get and crack your password hashes from email

CSO article, January 17, 2019

A few months ago, I participated in a public debate on password policy with my co-worker and friend, Kevin Mitnick. It was a heated back and forth discussion, with Kevin arguing for far longer passwords than most expert sources, including me, recommend. I just wasn’t buying his arguments. 

Then he sent me an email that, when I opened it, sent Kevin my Microsoft Windows password hash, which he then cracked. It was a knock-out punch. I didn’t know it was possible. 

Why AI-based threat detection hasn’t taken over the market … yet

CSO article, January 16, 2019

According to Nicole Eagan, CEO of software company Darktrace, only two out of every ten cybersecurity experts typically embrace artificial intelligence (AI) as a key component of threat detection. The others, she explains, tend to be "totally resistant" or agree to "give [AI] a try" but don’t put in the effort required to make the most of the tech post-purchase. 

Granted, information security professionals are known to be risk-averse, which has the flip side of sometimes making them resistant to trying out new tech — and for good reason: Protecting the company against risk is the number one job. Yet, theoretically, AI has the potential to more quickly identify a larger number of problems. So why doesn’t every security team use it? 

How to build a better CISO

HelpNetSecurity article, January 15, 2019

The CISO, a title skyrocketing in popularity, is now an essential part of every organization. Companies that aren’t employing a CISO need to embrace this position (and in some states quickly if they don’t want to be fined). As threats become exponentially more elaborate and the world becomes more connected, the need for CISOs is undeniable.

Even if a company is based in a state where it is not mandatory, not having a CISO could be a clear indicator to a prospect or customer that security is not being taken as a priority. But with the increase in security threats and the business implications they raise, one question remains unanswered: what does it take to be an effective CISO?

Kudos to the Unsung Rock Stars of Security

Dark Reading article, January 11, 2019

The general public, and even the security industry, seems to idolize the "hackers" and people who can compromise security of organizations with ease. They are frequently referred to as the "Rock Stars of Security." Some of these people have incredible skills at what they do. However, the "Rock Stars" we should be revering are those working on internal security teams, who know all too well that real security involves infinitely more than telling people "don't give away your passwords" or "patch your systems." They frequently experience failures of one form or another but somehow manage to effectively mitigate losses and keep major organizations up and running.

It is great to have heroes, but the world needs to realize that the real heroes of security are those with the really hard jobs, which means those who are constantly trying to keep the bad guys out while fighting their own organizations more than the hackers. Unfortunately, we rarely know their names, how hard they're working, or acknowledge them for the heroes that they are.

From global risks to global visibility: A new paradigm for cyber in a connected world

CSO article, January 9, 2019

“The complexity of managing internet visibility is a challenge for every organization today,” Ann Barron-DiCamillo, the former director of the United States Computer Emergency Readiness Team, said at a recent private event at the National Press Club in Washington, D.C. “Traditional security stacks do not address these internet visibility challenges; we need to think about the problem differently.”

So how do agencies even begin to address these vulnerabilities? The key is a paradigm shift in how cyber professionals engage with the public internet -- not just as a risky environment, but as the great technology equalizer. This shift in thinking offers a strategic advantage for anyone willing to embrace it. It will not only futureproof where the agency is going, but also directly address the current visibility challenges the internet poses. 

What Cyber Security Skills Are Most In Demand

Cyber Security Hub article, January 1, 2019

“What's in short supply is the security analyst type of individual as well as someone that's very knowledgeable about software security assurance … and application security. I'm seeing those two areas being the most difficult to locate.” McCarthy said a threat hunter is a newer role that is also in demand in the security operations center. A threat hunter “is really able to cross and correlate the different threat feeds and all the different data and build conclusions on what's happening from inside and the dark web and across that horizon.”

She said that as security threats become a lot more complex, “you really need some very smart and savvy young folks that have a real appetite for correlating that data … like the James Bond of IT” who is interested in threat hunting, pulling data together and problem solving.

2019 will be the year of cloud-based cybersecurity analytics/operations

CSO article, January 4, 2019

Security information and event management (SIEM) systems first appeared around 2000 from vendors such as Intellitactics, NetForensics, and eSecurity. The original functionality centered around event correlation from perimeter security devices such as IDS/IPS and firewalls.

The SIEM market evolved over the past 19 years, with different vendors, functionality, and use cases. SIEM has also grown into a $2.5 billion market, dominated by vendors such as Splunk, IBM, LogRhythm, and AT&T (AlienVault).

Despite the SIEM evolution, today’s products can be seen as super-sized versions of those of yesteryear. In fact, the original design of SIEM seemed like a knockoff of network and systems management tools CA Unicenter, HP OpenView, and IBM Tivoli. SIEM products were based upon a tiered architecture of distributed data collectors/indexers/processors and a central database used for data analytics, visualization, and reporting.

Prove Cybersecurity’s Value to Build a Culture of Cybersecurity

Security Magazine article, January 3, 2019

If you want senior executives to buy into cybersecurity, you need to prove the value cybersecurity brings to the core business. Read your organization’s annual reports, corporate governance documents, shareholder statements and the like. These documents will give you a better sense for what drives your organization and, in turn, what your executives are thinking about.

You’ll likely find that cybersecurity shows up in these documents but not around specific attacks, zero-days and APTs. You’ll see verbiage about material harm. You may see risk statements around maintaining effective cybersecurity controls, protecting confidentiality and privacy, and the need to safeguard sensitive data.

New ISACA and CMMI Institute research on cybersecurity culture is full of attention-grabbing perspectives and stats regarding the value of a strong cybersecurity culture, such as reduced cyber incidents, stronger customer trust and better brand reputation. This study made me think about how a cybersecurity culture is really created and what a cybersecurity team needs to be able to prove within its organization to earn the support and resources required for a cybersecurity culture.

A Pessimist's Guide to 2019 Cyber Security Predictions

LinkedIn article, January 2, 2019


With the introduction of a new year, we are seeing the influx of regular cybersecurity predictions and by most counts, this one is no different. Except, I do not have a product to sell, a book to advertise, or a political position to encourage. These are just the predictions that I see beginning to emerge now and will have some amount of maturity during 2019 and 2020. 

7 Tips for New Cybersecurity Leaders in Their First 100 Days

GovTech article, January 2, 2019

The beginning of a new security chief's tenure is critical. From opening lines of communication to creating a strategic plan, here are seven dos — and three don’ts — for successfully navigating a new position.


Let’s say you were just appointed to lead the cybersecurity program within a new government administration — congratulations! You’re likely excited to be a part of a new tech team with a fresh mandate from voters and a group of like-minded professionals. Or maybe you just landed a top job as a chief information security officer (CISO), director of IT security or cybermanager within a new organization.  

Regardless of how you arrived at your new role, it’s an exciting opportunity. After reading a ton of material on security leadership, your ideas are set. You’re determined to be successful and fix everything you’ve been told is wrong with the current cyber team and security culture. 

First-Ever UEFI Rootkit Tied to Sednit APT

ThreatPost article, December 28, 2018

Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks.

The discussion of Sednit was part of the 35C3 conference, and a session given by Frédéric Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall (PDF). During his session, Vachon said that finding a rootkit targeting a system’s UEFI is significant, given that rootkit malware programs can survive on the motherboard’s flash memory, giving it both persistence and stealth.

“UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level,” he said.


ISACA report, December 2018

The importance of strong cybersecurity is no longer in question in today's harrowing threat landscape, but less clear is how organizations put a strong culture of cybersecurity in place, beginning with leadership from the board of directors and inclusive of all employees. The 2018 Cybersecurity Culture Report from ISACA and CMMI Institute shows there is much progress to be made, as 95 percent of global survey respondents identify a gap between their current and desired organizational culture of cybersecurity.

The research shows that prioritizing investment in training can be a meaningful driver of strong cybersecurity culture, while annually measuring and assessing employee views on cybersecurity is among the other steps that can lead to heightened awareness and improved culture.

Securing the Industrial Internet of Things in OT Networks

CSO article, December 18, 2018

In many organizations, traditional IT and critical Operational Technology (OT) networks are being merged to take advantage of the speed and efficiency of today’s digital marketplace. Typical OT networks are comprised of switches, monitors, sensors, valves, and manufacturing devices managed by an ICS system through remote terminal units (RTUs) and programmable logic controllers (PLCs) over a serial or IP connection. Since these systems manage sensitive and sometimes dangerous environments, they demand safe and continuous operation. To achieve that, they have traditionally tended to be air-gapped from the IT network to avoid the sorts of intermittent network or device crashes that IT systems can tolerate.

These systems are built upon high-value OT assets that can range into the billions of dollars. A system crash on a manufacturing floor can stall production for hours and potentially ruin millions of dollars in materials. Even worse, having to reset an open furnace or a 10,000-gallon boiler processing caustic chemicals can have far more devastating consequences than temporarily losing access to an online printer.

Why Cyber Range Training and Simulation is Key for Effective Security Operations

LinkedIn article, October 19, 2018

The cybersecurity scene has never been so dynamic and complex. The number of attacks and their complexity have grown drastically, and the number of security solutions collecting endless amounts of alerts and events has risen drastically. A recent Ovum survey sponsored by McAfee found that 37 percent of respondents in the financial sector had to deal with over 200,000 daily security alerts, and many institutions deploy between 100 and 200 disparate security solutions. New threats and attack vectors emerge, spanning a converged attack surface of IT and OT networks, as well as IoT devices. Attacks have become time-sensitive, requiring SOCs to detect and respond within seconds to minutes, and challenging the SOC’s ability to perform effectively. We have seen this new reality once again in the recent attack on the Cosmos Bank in India last month, where over $15M were stolen via ATM hacking. Topping this, new regulatory guidelines are being introduced, requiring strict procedures and comprehensive reporting processes. In parallel, our overall ability to recruit, train and retain our cybersecurity experts has been dropping continuously over the last years. These trends will remain with us and in many cases increase in the foreseeable future, making the jobs of our CISOs ever more challenging. 

Cybersecurity Predictions and a Wish List for 2019

LinkedIn article, December 28, 2018


As in recent times, the cyber threats will continue to get worse before they get better. Those that think “good enough” security or risk management will suffice will be sorely disappointed in the large gaps they will leave open for the cybercriminals and nation-state actors to easily breach and compromise their enterprise. 

The most interesting and important hacks of 2018

CSO article, December 27, 2018

The hacks, exploits and data breaches security researchers most need to pay attention to are those that do something new or suddenly increase in volume.

Each year a few hackers do something new that begs further examination. The general public and Hollywood paint most hackers as uber-smart people who can take control of an entire city’s infrastructure and crack any password in seconds. The reality is that most hackers are fairly average people with average intelligence. Most don’t do anything new. They just repeat the same things that have worked for years, if not decades, using someone else’s tool based on someone else’s hack from many years ago.

The stuff that we need to pay more attention to is the new, evolutionary or revolutionary hacking methods that gave hackers access to something they didn’t have before. Maybe it isn’t exactly new, but it’s being used more or in more innovative ways than in the past (like ransomware did a few years ago). With that said, here are my choices for most interesting hacks of 2018.

How to boost collaboration between network and security teams

NetworkWorld article, December 21, 2018

When Tim Callahan came to Aflac four years ago to take on the role of CISO, enterprise security at the insurance giant was embedded deep in the infrastructure team.

One of his first requests of the CIO: Let me extract security out into its own group. Callahan readily admits the culture shift was not easy but believes that the demarcation has actually led to better collaboration.

Arguing for a walled-off security team is not easy for security leaders amid a shrinking talent pool of qualified security professionals. Analyst firm ESG found that from 2014 to 2018, the percentage of respondents to a global survey on the state of IT claiming a problematic shortage in cybersecurity skills at their organization more than doubled from 23% to 51%. 

Cybersecurity 101 For The C-Suite And Board Members

Forbes article, December 17, 2018

Today, most C-Suite and boardroom discussions on cybersecurity are based on gut feelings and incomplete data. We are wasting a lot of money because we don’t know how to deal with cybersecurity effectively.

If you have a mature cybersecurity program, your chief information security officer (CISO) probably provides periodic updates with qualitative (or quasi-quantitative) estimates of cyber-risk organized around categories such as risk to intellectual property, risk of operational disruption from a cyberattack, risk of customer data disclosure, etc. The presenting executive might review status of key cybersecurity projects, and perhaps ask for additional budget to pursue “necessary” initiatives to keep up with the evolving threat landscape. Sometimes these sessions become deeply technical and hard to follow. Come next year (or next quarter), a similar meeting occurs. With the steady stream of cyber breaches in the news, you hope your company is doing the right things to stay out of trouble.

Why the CISO’s Voice Must be Heard Beyond the IT Department

InfoSecurity Magazine article, December 10, 2018

In a recent company board strategy meeting the CFO presented the financial forecast and outcome and made some interesting comments about fiscal risks and opportunities on the horizon. The COO discussed efficiency in operations, explained how the company may need to adjust the hiring procedures to avoid the risk of high turnover and to speed up the candidate selection. She also argued in favor of some new IT initiatives to automate and modernize some processes – including the hiring process. With these in mind, the CEO made some strategic decisions on projects and operations, and the meeting was concluded.

Three months later the company name was in the headlines. A temp employee of the vendor that was selected to implement the new IT system had his laptop stolen; credentials were cached in the browser. The personal details of all applicants in the new system, including previous salary details and diversity data (such as race, religion and sexual orientation), were posted on a public website.

Storytelling Is A Critical Skill Set For CISOs

Forbes article, December 6, 2018

As a recovering CIO and current CISO, I discovered one of the fundamental skill sets useful for technical leaders to drive informed decision making by nontechnical audiences is the art of storytelling. CISOs typically communicate in numerous formats, and I have known many of my peers to be masters at documenting and describing security architectures and emerging threats. However, to be truly effective in evangelizing the worth of a security program to the business, a CISO must describe their vision of cybersecurity, risk management and its business value to company employees and leadership stakeholders. This shift of taking highly technical information and transforming it into a presentation that non-technical people can understand and relate to is not easy. In fact, it is a skill that CISOs today must regularly practice as their role continues to evolve into one that supports business operations.