This presentation was given at CampIT. It motivated the need for a high level of maturity of the enterprise security program, by striving for cyber resiliency.
This presentation gives a high-level overview of cyber resilience: its key concepts, the difference between cybersecurity and cyber resilience, and the frameworks aimed at achieving or assessing an organization's cyber resilience.
HD version: http://1drv.ms/1eR5OQf
This is my publication on how the integration of the TOGAF Enterprise Architecture framework, the SABSA Enterprise Security Architecture framework, and Information Governance discipline add up to a robust and successful Information Security Management Program.
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for cybersecurity attacks sits with executives and board members, who may not have the right level of technical security knowledge. This session will outline the practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with the organization's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
A talk on the Next-Gen Security Operations Center, given at IDNIC+APJII as a representative of IDSECCONF. A people-centric SOC requires a large investment in people, in terms of both quantity and quality; unfortunately, (good) IT security people are getting rare these days. Organisations need to put more of their investment into technology: as in Industry 4.0, machines are getting more advanced at supporting humans with continuous and repetitive tasks.
Moving from a "traditional" to a next-gen SOC requires a proper plan; that is what this talk was about.
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how organizations use a cybersecurity framework to identify, protect against and recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Introduction to Risk Management via the NIST Cyber Security Framework (PECB)
The cyber security profession has established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber security is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities for expanded application to cyber, physical, and personnel security risks. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, security systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the FBI's InfraGard program. David holds the Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Specialized in Homeland Security, Andrea leverages her experience managing projects in support of various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel at the tactical, operational and strategic levels. Overall, Andrea applies analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Cyber risk isn't new, but the stakes grow higher every day. An incident is no longer likely to be an isolated event, but a sustained and persistent campaign. There is no single solution that will offer protection from an attack, but a Cyber Resilience strategy can provide a multi-layered approach that encompasses people, processes and technology. Pete's presentation talks about eliminating the gap between IT and the business to present a united front against threats. This is a paradigm shift that uses security intelligence to guide decisions and support agility.
The Future of Security Architecture Certification (danb02)
Would you drive over a Bay Bridge built from an amateur building architect's blueprints? What if the architect passed a multiple-choice test first: is that good enough?
Society's answer to these questions is obviously NO. But unlike building architects, security architects are not always required to have Certificates or Degrees and standards for such are lacking.
As information gains value, and we move from "information security" to also securing the Internet of Things, security architecture becomes increasingly consequence-laden and the question of required training and accreditation more pressing.
The slides are from a webinar in which LinkedIn Security Architecture group participants collaboratively explored the future of security architecture certification.
Understanding Zero Trust Security for IBM i (Precisely)
As security threats continue to evolve and increase, companies need to adapt their approach to IT security. One important concept that is gaining in popularity and adoption is zero trust security. The main principle behind the zero trust security model is "never trust, always verify", which means that devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified.
Zero trust means moving beyond a perimeter security strategy. As companies offer customers and business partners new digital experiences and processes, networks can be local, in the cloud, or a hybrid combination, with resources and workers in any location. This dynamic is affecting IBM i customers, and zero trust security is an important element of a modern security strategy.
Join us for this webcast to hear about:
• Understanding zero trust security concepts
• Zero trust security in the real world
• Zero trust security for IBM i environments
SOC Architecture - Building the NextGen SOC (Priyanka Aash)
Why are APTs difficult to detect?
Revisit the cyber kill chain
Process-oriented detection
NextGen SOC process
Building your threat mind map
Implement and measure your SOC
Designated IT security experts in Europe and Asia were interviewed by RadarServices, the European market leader for managed security services, about future IT security trends and challenges. They shared their views on the development of cyber attacks and security technologies up to 2025.
Cybersecurity roadmap: Global healthcare security architecture (Priyanka Aash)
Using the NIST Cybersecurity Framework, one of the largest healthcare IT firms in the US developed a global security architecture and roadmap that addresses security gaps by architecture domain and common security capability. This session will discuss the architecture framework, the capability matrix, the architecture development methodology and the key deliverables.
(Source: RSA Conference USA 2017)
Threat Hunting - Moving from the ad hoc to the formal (Priyanka Aash)
In order to effectively defend your organization, you must think about the offensive strategy as well. But before we get ahead of ourselves, let's talk briefly about the building blocks of a good offense. First is an architecture built around a security policy that is aligned with the business risk. Risk must be understood, and a cookie-cutter approach must be avoided here, because every organization is different and so are its risks.
Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operations Center requirements
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operations center" is often used synonymously with SOC.
A network operations center (NOC) is not a SOC: a NOC focuses on network device management rather than on detecting and responding to cybersecurity incidents. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same whether delivered from a SOC or not. The SOC is a meta-topic, involving many security domains and disciplines, depending on the services and functions it delivers.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC:
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
Security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)
Security Operations Center (in Persian: مرکز عملیات امنیت)
AlienVault MSSP Overview - A Different Approach to Security for MSSPs (AlienVault)
- Overview of the AlienVault USM Platform
- Differentiation through Delivery "Threat Detection That Works"
- Ways to Engage via Managed Services, Security Device Management and Professional Services
- AlienVault MSSP Program Details
SOC presentation - Building a Security Operations Center (Michael Nickle)
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience in using it with real-world clients.
Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and to confirm that what you are already doing is correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use it, and, most importantly, how the use of a framework can and will benefit their organization.
Integrated Security for Software Development and Advanced Penetration Testing... (Symptai Consulting Limited)
Security by design is an approach to software development that seeks to make systems as free of vulnerabilities and attacks as possible through such measures as continuous testing, authentication safeguards and adherence to best programming practices.
Learn all about the latest CompTIA Security+ SY0-701 exam in 2 minutes! Swipe through the slides to discover the new updates in this latest version, its course content, target audience, exam details, career scope, and more.
Start your learning journey now: https://www.infosectrain.com/courses/comptia-security/
In the ever-evolving cybersecurity landscape, the latest version of the CompTIA Security+ (SY0-701) training course from InfosecTrain is your gateway to mastering the core skills necessary to secure data and information systems in the digital age.
The CompTIA Security+ SY0-701 course from InfosecTrain provides a comprehensive, expert-led training experience covering five key domains that are essential for understanding and excelling in the field of information security. Participants will delve into general security concepts, threats, vulnerabilities, mitigations, security architecture, security operations, and security program management. The course features practical exercises and hands-on labs to develop participants' skills, ensuring that they are well prepared for the SY0-701 certification exam.
Unlock essential cybersecurity skills with InfosecTrain's latest CompTIA Security+ (SY0-701) course. Master core competencies in data and information system security, covering the latest threats, automation, zero trust principles, IoT security, and risk management. Be exam-ready and secure success on your first attempt.
Learn all about the latest CompTIA Security+ SY0-701 exam in 2 minutes!
Swipe through the slides to discover the new updates in this latest version, its course content, target audience, exam details, career scope and more.
CISSO Certification | CISSO Training | CISSO (SagarNegi10)
Our CISSO Certification course is designed for forward-thinking security professionals who want the advanced skill set necessary to manage, and consult businesses on, information security.
Building an effective Information Security Roadmap (Elliott Franklin)
As company information security functions continue to grow each year with increasing attacks and regulations, how are you handling the pressure? Are you constantly battling to run the business projects and reacting to customer requests? Have you blocked off a few hours each week on your calendar to close your email, turn off your phone and try to build, assess and maintain an effective vision for your security team? This presentation will discuss a cascading approach to creating such a roadmap that is easily understood by executives and has helped gain quick buy-in for multiple enterprise-wide security projects.
CISSO Certification | CISSO Training | CISSO (SagarNegi10)
You will gain practical knowledge regarding a range of aspects in the INFOSEC community as part of the CISSO Certification program. It will teach you how to secure assets, monitor them, and comply with data security policies.
put the finishing touches on this book, Twitter is busy recovering from the latest very public and newsworthy cybersecurity incident widely reported in the media. For every one of these highly publicized breaches there are hundreds of other damaging cyberattacks experienced by businesses and government entities. To help organizations protect themselves against and respond to information security incidents, many of them turn to the chief information security officer (CISO) for leadership. The CISO is becoming the guardian of the modern business, charged with protecting the organization against security threats in the digital world.
A security hole in an application can cause not only major financial loss but also loss of customer confidence, trust and reputation, severely impacting the business. This webinar looks at well-established industry practices to identify and secure applications against breaches while adhering to regulatory compliance requirements.
With more than 50,000 new malware samples created every day, organisations can no longer afford to risk the financial and reputational impacts of a security or data breach, which can be too much for a business to recover from. Because of this, IT managers face increasing scrutiny and pressure from CEOs, managing directors and boards to prove that they are keeping the organisation secure.
The changing threat landscape means organisations need to be vigilant and smarter about security. While businesses still face threats from infected devices and malware, attackers have also moved beyond that. For example, there is an increasing number of targeted email attacks with cyber criminals spending time to monitor communications so they can imitate emails that are so sophisticated that even relatively savvy users will open them.
This webinar will explore the building blocks required to ensure you have the roadmap needed for the best protection against cyber attacks. We will provide you with a high-level view of the following topics:
· Audit and discovery – What are your weaknesses and are you compliant?
· Education – Do your employees know when not to open that attachment?
· Policy – Do you have the right policies for your industry?
· Technology – Where to start and what has changed?
Does Anyone Remember Enterprise Security Architecture? (rbrockway)
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicates that most organizations continue to approach security on a project by project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
Cyber Security Management in a Highly Innovative World (SafeNet)
Cyber attacks are reaching pandemic levels. State-sponsored groups and organized crime are successfully stealing valuable intellectual property—including critical infrastructure and operational readiness information, businesses’ and consumers’ financial data—often without anyone realizing the attack has occurred!
But preparedness cannot be delegated solely to the IT department. The involvement of the entire enterprise, armed with an understanding of the highly dynamic landscape, is vital for warding off potential threats.
Author: David Etue, VP of CorpDev Strategy, SafeNet
Watch the webcast on demand: https://www.brighttalk.com/webcast/6319/75109
2. John D. Johnson, Ph.D., CISSP, CRISC
www.johndjohnson.com
@johndjohnson
3. The journey begins…
• Where are we and how did we get here?
• Where are we going?
• Why are we going there?
• What will it take to get there?
• Are we there yet?
• Why aren’t we stopping?
“I’m going on an adventure!”
5. Cyber Resilience
(Diagram) Cyber Resilience rests on Capability Maturity, Enterprise Risk Mgmt and Corporate Culture. *As I view it…
• Basic Hygiene
• Compliance and Audit Process
• Risk Based Security Management
• Anchor to Standards Frameworks
• Threat Assessment & Modeling
• Threat Intelligence
• Information Sharing
• Use Layered Security to Address Gaps – People/Process/Tools
• Assess Effectiveness/Efficacy of Controls with Meaningful Metrics
• Integrate with Enterprise Risk Council
• Utilize Consistent Methodology and Taxonomy
• Communicate Risk Effectively to Stakeholders
• Develop Cyber Response & Recovery Playbooks
• Build Security Aware Culture
• Security Seen as Change Agent
• Security Enables Business Value at Risk (VaR)
Goal: Prevent or respond quickly to reduce the impact and duration of threat events to your organization, and through preparation, restore normal business operations sooner.
12. The Castle Model of Defense
• What is the advantage of a castle?
  • The castle is built on high ground
  • The castle has visibility to see enemies approaching far away
  • The castle has thick, impervious walls
  • Guards watch everyone coming and going
  • It is very difficult and expensive for enemies to breach a castle
• Why is our enterprise not a castle?
  • The Internet has no high ground
  • We don’t have good visibility to threats
  • We have lots of holes in our walls
  • We don’t inspect all the traffic coming and going
  • A castle is not resilient. It takes a long time to rebuild a wall after it gets hit by a catapult.
• The Asymmetric Problem: It is expensive to defend, but the adversary only needs to find one hole to breach the enterprise
13.
14. Different Stakeholders Want to Use Technology Differently
• Different Employee Segments
• Business Partners
• Customers
• Dealers / Resellers
• Business Leaders
36. Top Global Risks for 2017
| Risk | 2017 Rating | 2016 Rating |
| --- | --- | --- |
| Economic Conditions | 6.61 | 5.83 |
| Regulatory Changes and Scrutiny | 6.51 | 6.06 |
| Cyberthreats | 5.91 | 5.80 |
| Speed of Disruptive Innovation | 5.88 | 5.48 |
| Privacy or Identity Management & Information Security | 5.87 | 5.55 |
| Succession Challenges, Ability to Attract and Retain Talent | 5.76 | 5.63 |
| Global Market and Currency Volatility | 5.67 | 5.33 |
| Organizational Culture Hindering Escalation of Risk Issues | 5.66 | 5.30 |
| Resistance to Change Operations | 5.63 | 5.40 |
| Sustaining Customer Loyalty and Retention | 5.62 | 5.28 |
Source: http://www.journalofaccountancy.com/news/2016/dec/top-business-risks-for-2017-201615723.html
37. The Situation Today
We cannot enable business transformation if we are still trying to defend a castle. We need to mature our capabilities and strive for cyber resiliency.
• The Perimeter is Evolving
• The Volume and Sophistication of Attacks is Rapidly Increasing
• Global Regulatory Changes
• Variety and Use of Technology
40. Capability Maturity
As the security program matures, more fundamental pieces will be in place to support advanced toolsets and capabilities necessary to protect against more advanced threats, respond faster to attacks and recover. The pace of threats, regulatory change and advancing technology require maturity and resiliency.
Maturity levels: 1 Informal → 2 Planned & Tracked → 3 Well Defined → 4 Quantitatively Controlled → 5 Continuously Improving
Improved ability to anticipate, execute & respond quickly/effectively
N.B. – Ponemon Self-Assessment ranges from -2 to +2
(Diagram axis labels: Basic Hygiene → Resilient; Siloed → Top-Down → Pervasive)
48. Basic Hygiene
We start with “Basic Hygiene”, such as CIS Top 20 Critical Security Controls.
Source: https://learn.cisecurity.org/20-controls-download
49. Baseline Configurations
CIS also has baseline security configurations for systems and software. This allows you to set a security baseline (with documented variances) which maps back to a framework (NIST CSF) – good security based on industry standards which you can audit against using automation.
• OS Platforms: Linux, Novell, Unix, MS Windows, Apple Mac OS
• Amazon AWS (Hardened virtual images in EC2)
• Browsers: Chrome, Firefox, MS IE, Opera, Safari
• Microsoft Office, SharePoint, MS Exchange, Apache, IIS
• Mobile Device Platform OS: Apple iOS, Android
• Network Devices: Cisco Devices, Juniper, Palo Alto, CheckPoint, Wireless Network Devices
• Multifunction Printers
• Databases: IBM DB2, MS SQL, Oracle MySQL, Oracle DB, Sybase
• Virtualization: Docker, VMware, Citrix Xen
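As an added illustration (not from the slides, CIS or NIST) of auditing a baseline with documented variances, the Python below checks a constructed sshd_config against a small constructed baseline. The NIST CSF subcategory tags and the variance records are assumptions; each miss is reported as a FAIL, an accepted VARIANCE, or an EXPIRED_VARIANCE so that lapsed exceptions surface in the audit.

```python
"""Audit a host's sshd configuration against a documented security baseline.

Added example (not from the deck, CIS or NIST). Baseline values, the sample
config and the variance records are constructed; the NIST CSF subcategory
tags are assumed mappings, not an official crosswalk.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed baseline: keyword -> (required value, assumed NIST CSF reference).
BASELINE: Dict[str, Tuple[str, str]] = {
    "PermitRootLogin": ("no", "PR.AC-4 (least privilege)"),
    "PasswordAuthentication": ("no", "PR.AC-1 (credential management)"),
    "X11Forwarding": ("no", "PR.PT-3 (least functionality)"),
    "MaxAuthTries": ("4", "PR.AC-7 (authentication)"),
    "LogLevel": ("VERBOSE", "DE.AE-3 (event logging)"),
}


@dataclass
class Variance:
    """A documented exception: which host, which setting, why, and when it lapses."""
    host: str
    setting: str
    allowed_value: str
    justification: str
    expires: date


@dataclass
class Finding:
    setting: str
    expected: str
    actual: Optional[str]
    status: str  # PASS | FAIL | VARIANCE | EXPIRED_VARIANCE
    reference: str


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> value. Like sshd, the first occurrence of a keyword wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings


def audit(host: str, settings: Dict[str, str], baseline: Dict[str, Tuple[str, str]],
          variances: List[Variance], today: date) -> List[Finding]:
    """Compare settings to the baseline; only a current, matching variance excuses a miss.
    An unset keyword is a FAIL: sshd defaults differ by version, so the baseline
    requires every controlled value to be set explicitly."""
    by_key = {(v.host, v.setting): v for v in variances}
    findings = []
    for setting, (expected, ref) in baseline.items():
        actual = settings.get(setting)
        if actual is not None and actual.lower() == expected.lower():
            status = "PASS"
        else:
            var = by_key.get((host, setting))
            if var and actual is not None and actual.lower() == var.allowed_value.lower():
                status = "VARIANCE" if var.expires >= today else "EXPIRED_VARIANCE"
            else:
                status = "FAIL"
        findings.append(Finding(setting, expected, actual, status, ref))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"PASS": 0, "FAIL": 0, "VARIANCE": 0, "EXPIRED_VARIANCE": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample input: a config for host "build-01" with one duplicated keyword.
SAMPLE_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
LogLevel INFO
PermitRootLogin no   # ignored by sshd: first occurrence wins
"""
VARIANCES = [  # constructed; the ticket reference is a placeholder
    Variance("build-01", "MaxAuthTries", "6", "legacy CI runner, change ticket <placeholder>", date(2030, 1, 1)),
    Variance("build-01", "LogLevel", "INFO", "disk pressure on old runner", date(2020, 1, 1)),
]


def run_sample(today: date = date(2024, 6, 1)) -> List[Finding]:
    return audit("build-01", parse_sshd_config(SAMPLE_CONFIG), BASELINE, VARIANCES, today)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.status:17} {f.setting:24} expected={f.expected!r} actual={f.actual!r}  {f.reference}")
    print(summarize(results))
```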
50. Risk Based Security Management Roadmap
• Understand Current State
  • Environment (assets (value/inventory/vulns/compliance…), networks, data, applications)
  • Business knowledge (requirements, processes…)
  • Regulatory environment
  • Threats (std process for threat modeling/assessment)
  • Capability maturity
• Determine Risk
• Prioritize Security Portfolio
• Business Alignment and Enablement
• Reduce Risk (Business will choose to Accept, Transfer or Mitigate)
• Build capabilities (maturity)
• Develop Metrics (operational, tactical, strategic)
  • Measure effectiveness of controls at risk reduction
  • Measure efficiency (are resources going where they add the most value?)
• Communicate Business Value
If everything is protected equally, nothing is protected adequately.
51. A Cyber Risk Framework Improves Resiliency
Source: http://www3.weforum.org/docs/WEF_IT_PathwaysToGlobalCyberResilience_Report_2012.pdf
52. IT Risk Management Life Cycle
IT Risk Identification → IT Risk Assessment → Risk Response & Mitigation → Risk & Control Monitoring & Reporting
Source: COBIT
60. Information Security Risk Management Process
Establish Context → Identify Risk → Risk Analysis → Risk Evaluation → Risk Treatment
Running alongside every step: Communication and Consultation; Monitoring and Review
Source: COBIT
61.
62. Situational Awareness – Understanding the Current State
• Can’t assess risk without knowledge; turn uncertainty into a risk measurement (risk-based security management)
• Know the Enterprise: Assets, Data, Applications, Network, Identities…
• Know the Business: What is important, learn business processes
• Know the Enemy: A case for actionable Threat Intelligence
• Root Cause Analysis and Attribution can tell you where to focus (access to historical and forensic data)
63. If you’ve ever travelled you are well aware that most people have no situational awareness!
64. Asset Vulnerabilities and Value
• Knowledge of posture gives vulnerability, and along with understanding threats and value of resources, risk can be calculated
• Look for solutions that help you aggregate information from disparate sources about assets (much different from SIEM):
  • System configuration, patch levels and OS details
  • Details about desktops, servers, cloud-hosted, BYOD, non-compliant systems, OT systems and ICS
  • Inventory of software and versions installed
• This is not the same as vulnerability scanning
• Centralizing this information is key – avoid delays from running to various IT teams whenever you need to gather compliance/IR details
65. Cyber Risk Analysis: Threat Modeling
Target
• Data (DAR, DIM, DIU)
• Code/Software
• Services
• Databases
• Operating Systems
• Networks/Infrastructure
• Platforms/Hardware/Firmware
Threat Vector
• Copy, Exfiltrate
• Modify, Corrupt
• Destroy, Denial of Service
Threat Source
• Insider
• Hacktivists
• Motivated Hobbyist
• Corporate Espionage
• Cybercriminals
• Nation State
Requirements
• Level of knowledge required
• Ability, Expertise
• Proximity required
• Access required
• Resources required
• Time required
Motivations
• Money
• Ideology
• Coercion
• Ego
Risk can be mitigated; the threat landscape remains unchanged.
Threat Intel
• Industry Peer Groups; ISACs
• Threat Intel Feeds
• Private/Public Partnerships
68. Black Swan Events
• Can’t predict well – statistical methods, extrapolating from trend data fails
• If you know:
  • your organization – strengths and weaknesses
  • which adversaries might want to attack you
  • what those adversaries might want to accomplish (money, ideology, disruption)
  • what they would target
  • their capabilities
• Then you can focus resources to make it costly for the adversaries
• And you can focus your resources at protecting what is at greatest risk
• This applies to adversaries as well as natural disasters
Reference: US Cyberconsequences Unit, http://www.usccu.us
69.
70. So why do we want security metrics?
• Are we being effective?
• Performance
• Controls/Processes
• Risk Management
• Are we efficient?
• Are we strategically aligned?
• Are we maturing our capabilities?
• Are we doing well compared to others?
72. Filling the Gaps with Layered Security
Once we have assessed our security risk and measured where we are effective/efficient, we identify additional security layers to improve and mature our security program. This involves People, Processes and Technology.
Risk can never be eliminated, but it can be mitigated. Layered security is the most effective way to do this.
73.
74. Additional Risk Mitigation
Areas that need more focus in the future and emerging security technologies to consider to provide cyber resiliency:
• Keys and Certificate Management
• Cloud Security Access Brokers & Cloud Proxies
• Solutions to help give you situational awareness, such as Endpoint Inventory, Compliance, Vulnerability Management
• Improved Threat Intelligence (timely, detailed)
• Continuous Risk Profiling (if you have Posture, Value and Threat Info = RISK)
• I suggest as technology improves and converges that you can have near real-time view to quantitative and actionable enterprise risk
• There are vendors today that will give you an overall risk score that you can compare to peers in your industry – not perfect but proven beneficial
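The Posture + Value + Threat = RISK idea from this slide and slide 64, as an added example that is not part of the deck: three constructed asset feeds (CMDB, patch tool, vulnerability scanner) are merged into one record per asset and ranked. The scoring weights, the patch SLA constant and the per-class threat likelihoods are assumptions; an asset missing from the patch feed is scored as fully exposed and flagged, since a blind spot is not a pass.

```python
"""Centralize asset data from disparate sources and rank assets by risk.

Added example for slides 64 and 74 (not from the deck). All feeds are
constructed; scoring weights and per-class threat likelihoods are assumed.
"""
from typing import Dict, List

# Constructed feeds. Hostnames are the join key and are normalized to lowercase.
CMDB = [  # business value (criticality 1..5) and asset class
    {"host": "erp-db-01", "owner": "finance", "criticality": 5, "klass": "server"},
    {"host": "hr-web-02", "owner": "hr", "criticality": 3, "klass": "server"},
    {"host": "plc-line3", "owner": "plant", "criticality": 5, "klass": "ics"},
    {"host": "lt-jdoe", "owner": "sales", "criticality": 1, "klass": "byod"},
]
PATCHING = [  # days since last successful patch cycle; plc-line3 is not managed here
    {"host": "ERP-DB-01", "days_since_patch": 12},
    {"host": "hr-web-02", "days_since_patch": 95},
    {"host": "lt-jdoe", "days_since_patch": 400},
]
VULN_SCAN = [  # open findings: CVSS base score and whether a public exploit exists
    {"host": "hr-web-02", "cvss": 9.8, "exploit_public": True},
    {"host": "hr-web-02", "cvss": 5.3, "exploit_public": False},
    {"host": "erp-db-01", "cvss": 7.5, "exploit_public": False},
]
# Assumed threat likelihood per asset class (in practice fed by threat intel, slide 62).
THREAT = {"server": 0.6, "ics": 0.8, "byod": 0.5}

PATCH_SLA_DAYS = 180  # assumed: beyond this, patch exposure is treated as maximal


def merge_inventory(cmdb, patching, vuln_scan) -> Dict[str, dict]:
    """Build one record per asset; a source that lacks the asset leaves an explicit gap."""
    assets = {r["host"].lower(): {**r, "host": r["host"].lower(),
                                  "days_since_patch": None, "findings": []}
              for r in cmdb}
    for r in patching:
        h = r["host"].lower()
        if h in assets:
            assets[h]["days_since_patch"] = r["days_since_patch"]
    for r in vuln_scan:
        h = r["host"].lower()
        if h in assets:
            assets[h]["findings"].append(r)
    return assets


def posture_exposure(asset: dict) -> float:
    """0..1. Unknown patch state counts as fully exposed: a blind spot is not a pass."""
    days = asset["days_since_patch"]
    patch = 1.0 if days is None else min(days / PATCH_SLA_DAYS, 1.0)
    vuln = 0.0
    for f in asset["findings"]:
        weight = 1.5 if f["exploit_public"] else 1.0  # assumed uplift for public exploits
        vuln = max(vuln, min(f["cvss"] / 10.0 * weight, 1.0))
    return max(patch, vuln)  # weakest link, not an average


def risk_profile(assets: Dict[str, dict], threat: Dict[str, float]) -> List[dict]:
    """Risk = value x posture x threat, ranked so scarce effort goes where it matters most."""
    rows = []
    for a in assets.values():
        value = a["criticality"] / 5.0
        posture = posture_exposure(a)
        rows.append({
            "host": a["host"], "owner": a["owner"],
            "risk": round(value * posture * threat.get(a["klass"], 1.0), 3),
            "gaps": [] if a["days_since_patch"] is not None else ["patch state unknown"],
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def run_sample() -> List[dict]:
    return risk_profile(merge_inventory(CMDB, PATCHING, VULN_SCAN), THREAT)


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['risk']:.3f}  {row['host']:10} {row['owner']:8} {', '.join(row['gaps'])}")
```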
75. Fog of War – Deception Technology
• Raise the bar for the adversary – Reduce adversary’s operating surface and increase their economic cost
• Assume applications know what transactions are legitimate. By adding lots of noise for adversaries it becomes hard to avoid false leads. No false positives for incident response team.
76. AI and Machine Learning
• With the volume, velocity, variety and sophistication of attacks, it can be very difficult for humans to sort through and triage events and incidents
• SIEM is a partial solution that requires a lot of up front work, as you are typically looking for what you expect
• Tier I in the future will need to be AI, identifying patterns that are too fast or too slow or fly under the radar for humans with eyes that are tired of staring at a pane of glass
• Humans have an important role, but emerging technologies can help your IR staff detect and respond to incidents quicker and better
77. Cyber Insurance
• Cyber insurance is one way to transfer risk
• Cyber insurance won’t absorb all the cost, but helps to reduce the impact of a breach or incident
• Today, no two cyber insurers are the same
• Cyber insurers are motivated to help you become cyber resilient (they don’t LIKE to pay out)
• Cyber insurance is a necessity these days, but don’t think it lets you off the hook for not doing your due diligence
78. Training Security Staff
• Your security staff, and others in your organization (as you embed security across the organization) will need appropriate training.
• Example: Can your IT staff really apply IP network security techniques to secure OT or product?
• Training, mentoring and providing a career path is also key for attracting and retaining the best
• Smaller organizations may not be able to support the number of experts (or attract and retain) and should consider MSSP
80. Key Aspects of a Successful Awareness Program
Security awareness should have:
• Executive sponsorship – walk the walk
• Targeted content and delivery methods depending on the audience
  • Classroom, CBT, Teachable Moments, Easy to find Policies & Procedures
• Clearly articulated goals
• Metrics to measure program efficacy and success
  • Metrics and surveys to ensure program improvements
• Content that emphasizes in a meaningful way, why security is an important part of every employee’s job
  • Understand the impact to the company and consequences of not following the rules
• Security solutions should be designed with the user experience in mind
  • If the secure way is the easiest way, people are less likely to choose Shadow IT
81. Cyber Value at Risk (VaR)
• Classifying risks in broad terms such as “high,” “medium,” or “low” does not truly support effective risk management decisions and resource allocation. The cyber value-at-risk (VaR) concept offers firms a game-changing new approach.
• VaR both quantifies risk and expresses it in economic terms that can be understood by boards and throughout the executive suite.
• VaR aggregates cyber risk with other operational risks in the enterprise risk management framework.
• The VaR approach will put CISOs in a much better position to offer objective answers to fundamental questions from executives and the board, such as:
  • What are our top cyber risks in terms of probability and severity?
  • What impact will risk mitigation/transfer plans have on these risks?
  • How large are our cyber risks compared to other enterprise risks?
  • How might our business expansion plans increase our cyber risks?
  • What are our most cost-effective risk management strategies?
Source: https://www.afponline.org/trends-topics/topics/articles/Details/cybersecurity-quantifying-value-at-risk/
Source: http://www.fairinstitute.org/blog/what-is-a-cyber-value-at-risk-model
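An added example (not from the deck or the two cited articles) of the VaR idea on this slide and the risk transfer on slide 77: a simplified FAIR-style Monte Carlo computes a 95% annual cyber VaR, then the VaR after a mitigation and after an insurance policy, which is one way to answer "what impact will mitigation/transfer plans have?". All scenario frequencies, loss ranges and policy terms are constructed assumptions.

```python
"""Cyber value-at-risk (VaR) by Monte Carlo simulation.

Added example (not from the deck, the AFP article or the FAIR Institute):
annual loss = sum over Poisson-arriving events of a lognormal loss per event.
Every frequency, loss range and policy term below is a constructed assumption.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Scenario:
    name: str
    events_per_year: float  # mean threat-event frequency (Poisson)
    loss_median: float      # median loss per event, USD (lognormal)
    loss_p90: float         # 90th-percentile loss per event, USD


@dataclass
class Insurance:
    deductible: float
    aggregate_limit: float  # maximum paid out per year
    premium: float          # paid every year, claim or not


def lognormal_params(median: float, p90: float):
    """(median, p90) -> (mu, sigma) of ln(loss); z for the 90th percentile is 1.2816."""
    mu = math.log(median)
    return mu, (math.log(p90) - mu) / 1.2816


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios: List[Scenario], years: int = 20000, seed: int = 7) -> List[float]:
    """One total loss per simulated year, summed over all scenarios."""
    rng = random.Random(seed)
    params = [(s.events_per_year, *lognormal_params(s.loss_median, s.loss_p90)) for s in scenarios]
    totals = []
    for _ in range(years):
        total = 0.0
        for rate, mu, sigma in params:
            for _ in range(poisson(rng, rate)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def percentile(values: List[float], q: float) -> float:
    """Nearest-rank percentile for 0 < q <= 1."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)]


def value_at_risk(losses: List[float], confidence: float = 0.95) -> float:
    """Loss not exceeded in `confidence` of simulated years (a 1-in-20-years loss at 0.95)."""
    return percentile(losses, confidence)


def retained_after_insurance(losses: List[float], policy: Insurance) -> List[float]:
    """What the firm still pays each year: loss minus insurer payout, plus premium."""
    out = []
    for loss in losses:
        payout = min(max(loss - policy.deductible, 0.0), policy.aggregate_limit)
        out.append(loss - payout + policy.premium)
    return out


def compare(base: List[Scenario], mitigated: List[Scenario], policy: Insurance,
            confidence: float = 0.95) -> Dict[str, float]:
    """How big is the risk, and what do mitigation and transfer do to it?"""
    base_losses = simulate_annual_losses(base)
    return {
        "expected_annual_loss": sum(base_losses) / len(base_losses),
        "var": value_at_risk(base_losses, confidence),
        "var_after_mitigation": value_at_risk(simulate_annual_losses(mitigated), confidence),
        "var_after_insurance": value_at_risk(retained_after_insurance(base_losses, policy), confidence),
    }


# Constructed scenarios; the mitigation (offline backups, segmentation) is assumed to
# cut the loss per ransomware event, not how often one occurs.
SCENARIOS = [
    Scenario("ransomware on ERP", 0.3, 800_000, 4_000_000),
    Scenario("phishing-led payment fraud", 2.0, 40_000, 250_000),
]
MITIGATED = [
    Scenario("ransomware on ERP (with backups)", 0.3, 300_000, 1_500_000),
    SCENARIOS[1],
]
POLICY = Insurance(deductible=250_000, aggregate_limit=5_000_000, premium=120_000)


def run_sample() -> Dict[str, float]:
    return compare(SCENARIOS, MITIGATED, POLICY)


if __name__ == "__main__":
    for key, usd in run_sample().items():
        print(f"{key:22} ${usd:,.0f}")
```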
82. Risk Communication Components
Effective IT Risk Communication draws on three components:
• Expectation: Strategies, Policies, Procedures, Awareness, Training, etc.
• Capability: Risk Management Process Maturity
• Status: Risk Profile, Key Risk Indicators, Loss Data, etc.
Source: COBIT
83. Security Metrics for Management
• Find a way to add business value
  • Meeting regulatory requirements
  • Consolidation of tools, reduction of resources
  • Demonstrate reduced costs by reduction in help desk cases
  • Business leaders take the loss of IP seriously
  • Have security seen as a business enabler. New technologies come with risks, but they may also lead to new innovations and competitive advantage.
• Explain it in language business leaders understand
  • Make presentations clear & concise
  • Avoid IT jargon
  • Provide the information executives need to make informed decisions
84. Where does the CISO report?
• The ability to communicate and be effective as a CISO can be hindered by an inefficient organizational structure.
• Where does your CISO report? Most continue to report to the CIO, although some organizations have a deeper hierarchy or dotted line reporting.
• The key is for the CISO to have access across the business and up to the executive level. This is important for breaking down siloes and improving the cross-team effectiveness necessary.
• The CISO should have authority and a budget which will not be at the mercy of IT budget planning and cuts. Because the value of security measures may still be difficult to sell to IT management, less mature organizations will see their security budgets cut, which may prevent them from building the capabilities they need to be cyber resilient.
85. Security Leadership
• A more mature organization runs security “like a business” in a very strategic and measured way, aligning with business objectives
• Metrics demonstrate that resources are going where there is greatest risk/need
• Security leaders should lead by example
• Leadership is key to successfully achieving cyber resilience
• Learn to communicate well to various audiences/stakeholders
• The role of security is to express risk in the context of the business to business leaders so they can make informed decisions
87. Key takeaways from a Forbes survey of 300 CIOs and CISOs: Investing in Cyber Resilience
Source: http://media.cms.bmc.com/documents/Forbes_Insights_SecOps_Survey.pdf
88. With data breaches averaging $4 million, what are exec priorities?
Source: http://media.cms.bmc.com/documents/Forbes_Insights_SecOps_Survey.pdf
89. What technologies do execs feel have biggest security implications?
Source: http://media.cms.bmc.com/documents/Forbes_Insights_SecOps_Survey.pdf
90. Cyber Resilience Levers
McKinsey outlines 7 levers for achieving cyber resilience that help integrate security into the overall business:
1. Prioritize information assets based on business risks
2. Provide differentiated protection for the most important assets
3. Integrate cybersecurity into enterprise-wide risk management and governance processes
4. Enlist frontline personnel to protect the information assets they use
5. Integrate cybersecurity into the technology environment
6. Deploy active defenses to engage attackers
7. Test continuously to improve incident response across business functions
Source: https://www.upguard.com/hubfs/UpGuard/ebooks/pdfs/eBook_itil-guide-cyber-resilience-UpGuard.pdf
91. Cyber Resilience Review (DHS)
• The Cyber Resilience Review (CRR)[1] is an assessment method developed by the United States Department of Homeland Security (DHS).
• It is a voluntary examination of operational resilience and cyber security practices offered at no cost by DHS to the operators of critical infrastructure and state, local, tribal, and territorial governments.
• The CRR comprises 42 goals and 141 specific practices extracted from the CERT-RMM (Resilience Management Model) and organized in 10 domains:
  • Asset Management
  • Controls Management
  • Configuration and Change Management
  • Vulnerability Management
  • Incident Management
  • Service Continuity Management
  • Risk Management
  • External Dependency Management
  • Training and Awareness
  • Situational Awareness
[1] "Cyber Resilience Review Fact Sheet" (PDF). Retrieved 27 February 2015.
93. Barriers to Cyber Resilience
• Lack of enterprise awareness
• Poor communication
• Lack of leadership
• Too much focus on compliance and not enterprise risk
• Silo mentality
• Not having a balance of operational, tactical and strategic; cyber
resilience demands a “whole system” approach
• Lack of new thinking for new problems
• Cyber resilience needs to be ingrained in your organizational culture
94. Summary
1. Anchor to standard frameworks
2. Perform basic hygiene
3. Implement risk-based security to prioritize your risk response
• Focus on high value/mission critical assets
4. Gain situational awareness (assets, data, access, identity…)
5. Model potential threats and risk scenarios (and Black Swans)
• Develop incident response plans involving preparedness, detection and recovery
• Consider the use of new security technology to mitigate risk from use of disruptive technologies
6. Make use of and understand limitations of Cyber Insurance
7. Invest in training and awareness to build culture of security (resilience)
8. Develop SMART and meaningful metrics
9. Develop CISO leadership and communication skills and consider new reporting
structures
10. Exchange information on threats and best practices with peers, vendors, business
partners & government
We often talk about the Fortune 500, but there are 9.6 million small- to medium-sized businesses in the U.S.
DHS has provided:
CIKR facility risk assessments
Data center risk assessments
These guidelines exist to connect physical and cyber security
Even PCI DSS and ISO/IEC 27001:2005 have physical security control requirements
This article was in the paper the week before researchers were set to disclose information at Black Hat. Let me quote from the article:
"The world’s most important facilities—think massive hydroelectric dams and nuclear power plants—are vulnerable to devastating cyberattacks. And it may be just a matter of time before someone gets hurt.
The trouble centers around vulnerabilities in so-called Industrial Ethernet Switches (IES), the devices that create the internal networks that are vital for the function of modern factories, refineries, ports, and countless other industrial environments today. The critical vulnerabilities in IES allow attackers to gain access to the network, take full control, and cause potentially fatal damage, the researchers say.
“There is a massive lack of security awareness in the industrial control systems community.”
Industrial switches are ubiquitous in today's networked industry but rarely appear in homes, making them unfamiliar for most people. But the instrumental role they play in countless facilities means any single vulnerability has far-reaching consequences.
The vulnerabilities can lead to events reminiscent of the 2010 Stuxnet attack on Iranian nuclear facilities or the 2014 cyberattack on a German steel mill. These attacks were the first time purely digital weapons caused physical damage to their targets. Stuxnet shut down a wide swath of Iran's nuclear facilities, while the 2014 attack caused “massive” damage in the German facilities when the factory owners were unable to shut down a blast furnace."
---
Today it can take years to replace vulnerable industrial control systems. ICS has traditionally been run by operations rather than managed by the IT department, so the process of patching or replacing these switches can take several years and considerable money, leaving many plants vulnerable to network attacks in the meantime.
Industrial control systems often use default passwords and hard-coded encryption keys, and lack proper authentication of firmware updates. These three fundamental security failures combine to make it easier for attackers to gain access to industrial devices and cross from the digital world into the physical one.
Another threat that has been in the news lately is the hacking of vehicles.
Cyber attacks against entertainment systems, radios, vehicle networks, can cause real and potentially widespread kinetic damage.
Tesla has a good story about degrading functionality gracefully if one of their vehicles is hacked while traveling down the highway: rather than immediately cutting power to the motor, the car disables acceleration and lets the driver steer, brake and get off the highway safely. This is the kind of fail-safe behavior that needs to be designed into networked vehicles in the future.
Now fast forward a few years to autonomous vehicles… self-driving cars and semi-trucks.
Now, extend this problem to pacemakers and insulin pumps. Consider the wearable personal health technology. Consider home security systems. Consider the recent hack against baby monitors.
It’s clear that the threat landscape is significantly greater than it was just a few years ago, and it is growing exponentially.
No longer are we dealing with script kiddies in Mom and Dad’s basement.
Cybercrime is big business.
Hacktivism can be destructive and unpredictable. Is anyone familiar with something called Wikileaks? They haven’t caused any trouble lately have they?
And, of course nation state actors are sophisticated, patient and well-funded. None of us want to be a victim of nation states.
What are the take-aways from the latest Verizon Report?
Attackers tend to come from the outside, but insider threats are on the rise. We have nation states and organized crime. But, we also have business partners.
Our supply chain can be a weak point in our security.
Hacking and malware are the two primary methods of stealing data, and compromised passwords are still the main way that hackers are gaining unauthorized access.
Just a few years ago, only Nation States had the sophistication to create attack tools that could get past our defenses.
NOW, the threat curve has radically changed, and sophisticated attack tools are accessible even to hacktivists with less knowledge and fewer means.
Traditional signature-based solutions like antivirus will not prevent these new sophisticated attacks. We need to develop adaptive response capabilities and,
BETTER DEFEND - MORE QUICKLY DETECT -And IMPROVE OUR RESPONSE when we detect an indicator of compromise
There are several things I will suggest to accomplish this later, as a part of risk based security management.
Again, the chart on the left comes from the Verizon report showing that the sophistication and volume of attacks are on the rise, year after year.
In a survey by Commvault, 87% of CIOs surveyed believe their current policies and procedures leave them exposed to risk under GDPR.
58% believe their companies will be fined under GDPR.
The perimeter remains important, but with an increase in remote access by our suppliers and contractors, and moving data to the cloud where services may lack some of the enterprise security controls, the perimeter is definitely changing.
Firewalls alone are not the solution, and neither is castle-and-moat defense. Rather than trying to protect everything equally, the new perimeter needs to “follow the data” and provide a consistent way of assuring that data is managed and shared appropriately: by the right users, under the right conditions, on the right devices. That becomes harder as we rapidly adapt our business processes and adopt new technologies.
Many of us are in the middle of the pack, but in order to support the demands of the business, our business partners, employees and customers, in order to seize opportunities in the face of increased threats and uncertainty, we need to strive to become cyber resilient.
Security not seen as important to the business.
Very fragmented and siloed.
There is understanding of a need for security from the top-down, but security is not integrated into business processes.
Security has broken out of its siloes and security is pervasive at the organization.
The organization is highly connected to partners and peers, sharing information. Employees have a high degree of awareness.
Everyone should recognize the NIST Cybersecurity Framework and its 5 core functions (Identify, Protect, Detect, Respond, Recover)…
Here is another look at cybersecurity domains.
You have identity and access management. Network security. Data Protection. Secure Development. Architecture.
Frameworks, standards and policies. Endpoint security. Mobile security. Risk management.
Incident response and threat management. Security operations. eDiscovery and forensics.
Training and awareness. Vulnerability management.
We all have our own way of organizing these areas into domains in our organizations. And, we realize that the people, processes and tools we use as well as our methods of risk management overlap.
Let’s say we are assessing our endpoint security program. We can map our endpoint controls back to NIST CSF.
This is a high level diagram, where I also indicate other data sources and integration points.
The point being that in order to ensure a robust, layered security program, you should make use of standard frameworks.
I will expand on the reference architecture for endpoints, related to the IDENTIFY section of NIST CSF.
Read off the top 5… #1 is the most important, and so on…
You can see that there are basic things you can be doing, whether it is endpoints, network, data, cloud, mobile, and so on.
The CIS critical security controls are also mapped back to the NIST CSF.
A little more about secure configurations…
So far, we’ve discussed the importance of:
Using standard frameworks,
basic hygiene
and utilizing standard baseline security configurations.
These are all interrelated and whether you are using COBIT or NIST CSF, or other standard frameworks, they provide a foundation on which you can manage risk at your organization.
World Economic Forum did a study and determined that a cyber risk framework is the best method of becoming cyber resilient.
We often do a poor job of communicating risk in terms that are meaningful to business leaders, and which are comparable.
IT related risk hits all areas of enterprise risk, so it is important that our approach to calculating risk be in line with what the rest of the enterprise is doing.
Scoring risk as red, yellow or green is probably not sufficient. I suggest you work closely with your enterprise risk council if you have one.
Risk scoring then leads to prioritization of mitigation strategies.
If we have a consistent process for assessing and expressing risk, we can compare risks and look at how they are trending and the impact they have and better utilize our limited resources to reduce those risks that are greatest.
We may show red, yellow and green here, but that’s ok if you are accounting for the enterprise risk appetite and expressing risk in terms that are consistent for the enterprise.
These COBIT slides are just reinforcing the process of analyzing risk and selecting appropriate and prioritized risk response options.
And, of course, security does not exist in a vacuum. It is important to work with other teams and communicate effectively throughout the process.
When you apply your risk treatment, you continue the cycle through the use of metrics and other feedback. So this is a continuous process.
One thing that can interfere with the accuracy and precision of a risk calculation is a lack of information or poor quality or stale data.
Perhaps I have put the cart before the horse in addressing the process of risk management before discussing the importance of what I’ll refer to as situational awareness.
We can't protect everything. As the saying goes, If everything is protected equally, nothing is protected adequately.
Imagine you have people coming up to you asking questions:
Is AV running on all our endpoints? Do any endpoints have OS or software vulnerabilities that can be exploited? Are endpoints configured properly? What exposure do we have to the latest zero day? What was accessed from that compromised laptop? What assets are the most important? What is our risk?
You don’t have a complete inventory of all systems and software (rogue devices, multiple asset DBs, what about IoT?). You might have disparate data on everything from spreadsheets to specialized application databases.
When it isn’t all centralized and automated, you have to ask the other IT teams who own these data sources and tools to run scans and provide reports and then you must manipulate them in Excel to try and find an answer. You are faced with a slow and time consuming chore and the next time someone asks that same question, you have to go through the entire process again. It is painful!
Really, without having up-to-date, centralized, reliable data on your assets, their posture and their value, you have a hard time calculating risk. You are guessing. You won’t immediately know what assets are affected by the latest exploit. Vulnerability scanning won’t solve this problem, neither will SIEM.
I tried but was never able to home-grow a solution to this problem, because other teams didn’t feel it was a priority. I think gaining situational awareness (and it extends to identity and privileged access, data management and network…) is a journey of its own, and you don’t need to wait to have the perfect data sources. I think if you start to centrally aggregate data, automate this and keep it current, you can have a very powerful tool for assessing compliance and risk in your environment. It is just a matter of deciding what questions you need to answer and starting to build that extensible platform.
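As an added example (not part of the original talk), here is a small Python script that does what the situational-awareness and risk-scoring slides above describe: it merges three constructed exports (a CMDB, an AV console and a vulnerability scanner) into one inventory keyed by hostname, keeps and flags devices the tools see but the CMDB does not, answers the "is AV running everywhere / what is exposed to this vuln" questions directly from the merged data, and scores each asset with one consistent likelihood-times-impact formula against a single appetite threshold so the results are comparable across the estate. The hostnames, the EXAMPLE-VULN identifiers, the 1..3 scales and the appetite threshold are all placeholders; substitute your enterprise risk council's scales.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample exports standing in for a CMDB, an AV console and a
# vulnerability scanner. Hostnames and vuln IDs are placeholders, not real.
CMDB_CSV = """hostname,owner,criticality
fin-db-01,finance,high
hr-web-02,hr,medium
eng-lt-17,engineering,low
"""
AV_CSV = """hostname,agent_state,last_checkin_days
fin-db-01,running,0
hr-web-02,stopped,9
"""
VULN_CSV = """hostname,vuln_id,cvss
fin-db-01,EXAMPLE-VULN-1,8.1
eng-lt-17,EXAMPLE-VULN-1,8.1
eng-lt-17,EXAMPLE-VULN-2,4.3
iot-cam-03,EXAMPLE-VULN-3,9.8
"""

# Assumed enterprise scales: impact from asset criticality, likelihood from
# posture facts, one appetite threshold. Replace with your risk council's.
IMPACT = {"high": 3, "medium": 2, "low": 1, "unknown": 3}  # unclassified: treat as high until triaged
HIGH_SEVERITY_CVSS = 7.0
RISK_APPETITE = 6  # a score at or above this needs a risk response


@dataclass
class Asset:
    hostname: str
    in_cmdb: bool = False         # False = a tool saw it but the CMDB did not (rogue)
    criticality: str = "unknown"
    agent_state: str = "missing"  # no row in the AV export = no agent installed
    vulns: list = field(default_factory=list)  # (vuln_id, cvss) pairs

    @property
    def av_running(self):
        return self.agent_state == "running"

    def likelihood(self):
        """1..3: base 1, +1 for any high-severity vuln, +1 for no working AV."""
        score = 1
        if any(cvss >= HIGH_SEVERITY_CVSS for _, cvss in self.vulns):
            score += 1
        if not self.av_running:
            score += 1
        return score

    def risk_score(self):
        """Likelihood x impact, 1..9, comparable across every asset."""
        return self.likelihood() * IMPACT[self.criticality]


def rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_inventory(cmdb_csv, av_csv, vuln_csv):
    """Merge the exports by hostname; unknown hosts are kept and flagged, not dropped."""
    inv = {}

    def asset(hostname):
        return inv.setdefault(hostname, Asset(hostname))

    for r in rows(cmdb_csv):
        a = asset(r["hostname"])
        a.in_cmdb, a.criticality = True, r["criticality"]
    for r in rows(av_csv):
        asset(r["hostname"]).agent_state = r["agent_state"]
    for r in rows(vuln_csv):
        asset(r["hostname"]).vulns.append((r["vuln_id"], float(r["cvss"])))
    return inv


# The questions from the slide, answered from the merged inventory.
def endpoints_without_av(inv):
    return sorted(h for h, a in inv.items() if not a.av_running)


def exposure(inv, vuln_id):
    """Which hosts carry a given vuln (e.g. the latest zero day)?"""
    return sorted(h for h, a in inv.items() if any(v == vuln_id for v, _ in a.vulns))


def rogue_devices(inv):
    return sorted(h for h, a in inv.items() if not a.in_cmdb)


def rank_risks(inv):
    """(hostname, score) from highest to lowest risk; ties broken by name."""
    return sorted(((h, a.risk_score()) for h, a in inv.items()), key=lambda x: (-x[1], x[0]))


def above_appetite(inv):
    return [h for h, s in rank_risks(inv) if s >= RISK_APPETITE]


def demo_inventory():
    return build_inventory(CMDB_CSV, AV_CSV, VULN_CSV)


if __name__ == "__main__":
    inv = demo_inventory()
    print("No working AV:", endpoints_without_av(inv))
    print("Exposed to EXAMPLE-VULN-1:", exposure(inv, "EXAMPLE-VULN-1"))
    print("Rogue devices:", rogue_devices(inv), "Ranking:", rank_risks(inv))
```

Two design choices carry the slide's point. First, the merge never discards a host just because the CMDB lacks it: the camera that only the scanner knows about is exactly the device a spreadsheet-driven process loses, and here it surfaces as the top risk. Second, an unclassified asset is scored as high impact rather than zero, so a gap in the asset database raises a flag instead of silently lowering the risk picture.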
We want to identify the risk, and one way to do that is with threat modeling.
When you are modeling threats, you want to determine who wants what and how they are likely to go about getting it. I think there are some really smart people and service providers in this space who can help you understand the risk your industry, and your company specifically, may be facing.
Threat modeling can then be mapped to the attack chain, to determine where you can best prevent or detect and respond to likely threats.
Risk scenarios can go beyond just the attack chain, so you may formalize a process for developing and walking through generic or business-specific risk scenarios.
If you know these things, you can walk through specialized risk scenarios to identify potential black swan events.
I bet you didn’t see this coming!
Now that we have matured our capabilities by:
Anchoring to standard frameworks,
performing basic hygiene,
implementing risk-based security to prioritize your risk response,
gaining situational awareness,
and identifying potential threats and risk scenarios,
you need to gather metrics to determine whether your risk response is effective…
I just want to emphasize that your controls are never perfect.
What we are developing here is a high level strategy for maturing your capabilities, with cyber resiliency being the goal.
So far, this is all positioning you to have a solid foundation for your security program so you can better identify and reduce risk in your environment.
In the next couple slides I will suggest some technical solutions that may help address the evolving threat landscape and changing regulations and business transformation involving new technologies and the cloud.
These are areas that companies are often weak in.
I am seeing new and innovative solutions that should be considered.
Now we shift gears and look at the human element, often our weakest link.
We will discuss different types of training, exercises and awareness that will help build skills, preparedness and a culture of security awareness in your organization.
I wanted to come back to this concept because it really relates to not only assessing risk, but doing it in a way that is meaningful to executives and boards.
Another COBIT slide expressing the aspects of effective IT risk communication.
Some additional advice for the CISO who needs to report to the board.
SMART and meaningful metrics can be a strong indication of the effectiveness and efficiency of the security program.
Make it personal. Make it relevant.
Let’s take a look at what matters to senior executives.
Whether it is a review by DHS or benchmarking and sharing of best practices and threat intelligence, a highly resilient organization is proactive and involved in information sharing beyond their four walls.