Business Security Weekly Episode #220 – June 14, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Securing User Connections to Applications – 03:00 PM-03:30 PM

Sponsored By: Cisco Umbrella – Visit https://securityweekly.com/ciscoumbrella for more information!

Announcements

  • Security Weekly is ecstatic to announce that Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Call for presentations & early registration for Security Weekly listeners is open now! Visit securityweekly.com/unlocked to submit your presentation & register for the early registration price before it expires!

  • Join us June 24 at 11 AM ET to learn how web application firewalls can help mitigate exposure in a complex threat landscape. Then join us July 15 at 11 AM ET to learn how a thoughtful approach to SASE can improve security and enable scalability. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

Are Secure Web Gateways doing their job to keep businesses safe in 2021? Recent survey results from ESG reveal 1 in 10 are not happy with their secure web gateway (SWG) and/or web security. Yet by 2024, the SWG market is projected to grow to 10.9 billion.

As this year continues to twist and turn, complexity for an IT security professional continues to rise. Security professionals need to expect more from their security tools so they can stop running from one fire to another, and can simplify daily management.

Join us to learn what you can do to get more effective threat detection and reliable, fast secure access. We’ll look at ways you can cut complexity, reduce risk exposure, and improve performance with a cloud-delivered, secure internet gateway.

This segment is sponsored by Cisco Umbrella.

Visit https://securityweekly.com/ciscoumbrella to learn more about them!

Guest(s)

Jonny Noble – Technical Marketing Team Lead at Cisco Umbrella

Jonny Noble leads the Technical Marketing team for Cloud Security at Cisco, with expertise in Cisco Umbrella and surrounding SASE-related technologies. Jonny is focused on cyber-security and has over 20 years of vast experience in customer-facing disciplines in leading global hi-tech organizations. Jonny is a seasoned speaker at Cisco Live events and regularly represents Cisco at numerous other customer and partner events, trade shows, and exhibitions. Jonny holds degrees in Electronics, Sociology, a Business MBA, and is CISSP certified.

Hosts

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

Jason Albuquerque

@Jay_Albuquerque

CIO & CSO at Carousel Industries

Paul Asadoorian

@securityweekly

Founder at Security Weekly

2. Cliché Self-Help, RockYou2021, “Productive Procrastinators”, & Attracting Talent – 03:30 PM-04:00 PM

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our YouTube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

Description

This week, in the Leadership & Communications articles: Attracting Talent During a Worker Shortage, CISOs Say Application Security is Broken, Three Steps to Harden Your Active Directory in Light of Recent Attacks, Demystifying RockYou2021, & more!

Hosts

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

  1. 3 Ways CIOs Can Embed Resilience in Their Business – It’s an important topic, but I’m not sure this article hits the mark. 1 is “Secure IT and business alignment”, 2 is “Create data-driven architecture, and prioritise reskilling”, and 3 is “To innovate within budget, seek flexible licensing arrangements”.
  2. Self-Direction 2.0 – How to Successfully Scale a Flat Organization – As larger security teams become more common, I thought this would be an interesting topic to explore – especially considering how important it is for security teams to be agile and self-directed to an extent. This framework, in particular, was interesting: One such mechanism used at Futurice is a 3×2 framework that’s designed to support strategic decision-making throughout the organization and across tribes.

    The idea is simple: You’re free to make a decision as long as you feel confident that it will benefit your clients, colleagues, and numbers (the “3” component of the 3×2), and that it will do so both today and tomorrow (the “2”). The company collectively articulates objectives and key results but gives its tribes a high degree of freedom in figuring out how to achieve them. Formal rules and processes are out. Instead, to share learning and information across teams and functions, the company encourages active dialogue on Slack and in community gatherings — a minimal approach to coordination that several companies in our cluster refer to as “no nonsense” or “no bullshit.”

  3. Ransomware response: What CISOs really want from the federal government – CISOs want the government to do more! No, less! No, we want them to do something, we’re just not sure what! The quotes and responses from CISOs in this article are ALL OVER the place. Still, it’s good that we’re having the conversation, right?
  4. How to Get Your Team to Stop Asking You Every Little Question – Once you are established as a subject matter expert or just someone with a large amount of experience, it can be difficult to get staff and mentees to make decisions without checking in. While they absolutely can and should ask questions, it can be a nightmare with a larger staff, making it hard to get things done with all the interruptions. There are some important business culture lessons here – like managing expectations with asynchronous chat (no, I might NOT respond immediately) and giving employees the opportunities to safely make mistakes they can learn from.
Jason Albuquerque

@Jay_Albuquerque

CIO & CSO at Carousel Industries

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Three Steps to Harden Your Active Directory in Light of Recent Attacks – (1) “A service that uses machine learning algorithms and other advanced detections to detect and block phishing messages and suspicious attachments must be in place in today’s threat landscape.” (2) “First, the local administrator password on each endpoint must be different. Microsoft offers a free solution called the Local Administrator Password Solution (LAPS) to achieve this. Second, you cannot nest domain accounts in the local administrators group to enable easy IT support.” (3) “Two of the most common control sets we implement at Ravenswood Technology Group are the concepts of tiered security controls and privileged access workstations (PAWs). Tiered security controls prevent high-privilege credentials from being exposed to higher-risk assets such as client computers where the credentials might be stolen. PAWs isolate the tasks an administrator performs from their day-to-day workstation to a highly secured workstation.”
  2. Demystifying RockYou2021 – “When any breach list pops up, you should check to see if the password you used is a part of it.” – Better yet, this should be part of your Attack Surface Monitoring program, which will automatically discover credentials that are part of public breach disclosures, then operationalize it and feed it into your identity management program so that within 24 hours all affected users have passwords changed and established trusts/cached credentials reset.
  3. How To Drive Value with Security Data – Thoughts? “…discuss some of the challenges that we face today with managing all of our security data and expand on some of the trends in the security analytics space. In the third section, we focus on the future. What does tomorrow hold in the SIEM / XDR / security data space? What are some of the key features we will see and how does this matter to the user of these approaches.”
  4. CISOs Say Application Security is Broken – Security Boulevard – Oh boy: “In addition, nearly all (97%) of organizations surveyed do not have real-time visibility into runtime vulnerabilities in containerized production environments, and nearly two-thirds (63%) of CISOs surveyed said DevOps and Agile development have made it more difficult to detect and manage software vulnerabilities.” A suggestion: “While not security-related, supporting automated testing coverage will help the organization deploy changes in a safer manner and also make patching changes easier to deploy.” – I’d argue that this IS security-related.
  5. Ron Gula – Innovation and Emerging Trends in Cybersecurity – “Gula stresses the need for an engineering focus and looking for solutions that can fundamentally change the game rather than just reacting to the latest attack trend. We talk about newer cybersecurity technologies like browser isolation and deception, and some of the companies Gula Tech Adventures is supporting to bring the next generation of cybersecurity tools to market.” – What solutions fundamentally change the game for you?
  6. We’re Tired Of Reading Cliché Self-Help Articles – OMG, so much this: “They lure us in with the promise of being healthy, wealthy, or incredibly successful. Each article promises to “change your life” so you can “become a better person.” But more often than not, you’re left with a bitter taste in your mouth because the writer click-baited you just to get a few more views and dollars in their bank account.” And this: “Self Improvement is ruined. Like a chocolate cookie, it’s crumbling apart and often doesn’t put the best interests of the reader at heart. It’s become a pitch-fest of courses and digital products to “help you live your best life.””
  7. You Might Be a Secret “Productive Procrastinator” – I do this more often than I would like: “There are obvious forms of productive procrastination such as organizing your office before you start a project. You somehow convince yourself that the mess will distract you from your work.” So true: “It’s spending 1-hour researching fonts as you are trying to revamp your resume. Or working on a 20+ page deck and wasting time looking for just the right image on slide 2. You are working on a task related to the project (yay!), but you are spending too much time on a particular aspect of it that is not going to deliver the right return on your time investment (boo!).” Not bad advice, set aside 15 minutes to choose the style for your presentation (as an example): “Time blocking enables you to think through how much time you want to spend on a task.”
  8. How is Automation Helping in Security? – This is one aspect of automation that needs to be highlighted: “Human errors are playing a big role in security.” We often do not want to admit that we, as humans, make mistakes. To combat this, automation is important. Computers are AMAZING at following directions; in fact, one could argue they are the best innovation of all time at following directions. This is a good and a bad thing; however, when programmed correctly, computers can help us automate those tasks that are boring but require a high degree of accuracy. What we also need is people on the team who can understand the possibilities that software and automation can bring, and guide that change into the organization and its processes!
  9. Attracting Talent During a Worker Shortage – We really need to adjust this for cybersecurity…
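
The second hardening step quoted in item 1 above (unique local administrator passwords via LAPS, and no domain accounts nested in the local Administrators group) is something you can audit rather than take on faith. The script below is an added example written for these notes; it is not code from the Ravenswood article, from Microsoft LAPS, or from the show. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, the RSAT ActiveDirectory module, and a domain whose schema carries either the legacy LAPS attribute `ms-Mcs-AdmPwdExpirationTime` or the Windows LAPS attribute `msLAPS-PasswordExpirationTime`; the function names and the `$SearchBase` parameter are the example's own. The third step (tiering and PAWs) is an architectural control and is not checked here.

```powershell
# Added audit example for the two LAPS / local-admin checks quoted above.
# Assumptions: LocalAccounts module (Get-LocalGroupMember), RSAT ActiveDirectory
# module (Get-ADDomain, Get-ADComputer), and LAPS schema attributes present.

function Get-NestedDomainLocalAdmins {
    # Check 2b: list every Active Directory principal that is a member of the
    # local Administrators group on this machine. 'Domain Admins' is added by
    # default on domain join and is expected; any other domain user or group
    # (for example a helpdesk group added "to enable easy IT support") is the
    # nesting the article warns against and should be reviewed.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-LapsCoverage {
    param(
        # Hypothetical parameter: restrict the query to one OU; defaults to the domain root.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Check 2a: LAPS stamps the computer object with a password expiration
    # timestamp each time it rotates the local admin password. A computer with
    # no timestamp has never had its password managed; an expired timestamp
    # means the client has stopped rotating (agent missing, GPO not applied).
    $attrs = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime'
    $nowUtc = (Get-Date).ToUniversalTime()

    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $attrs |
        ForEach-Object {
            # Prefer the Windows LAPS attribute, fall back to legacy LAPS.
            $raw = $_.'msLAPS-PasswordExpirationTime'
            if (-not $raw) { $raw = $_.'ms-Mcs-AdmPwdExpirationTime' }

            $expires = $null
            $status  = 'NotManaged'
            if ($raw) {
                # Both attributes are stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
                $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
                $status  = if ($expires -lt $nowUtc) { 'Expired' } else { 'Managed' }
            }

            [pscustomobject]@{
                Computer   = $_.Name
                LapsStatus = $status
                ExpiresUtc = $expires
            }
        }
}

function Invoke-LocalAdminHardeningAudit {
    # Runs both checks and returns only the findings that need action.
    $nested   = Get-NestedDomainLocalAdmins | Where-Object { $_.Name -notlike '*\Domain Admins' }
    $coverage = Test-LapsCoverage | Where-Object { $_.LapsStatus -ne 'Managed' }

    [pscustomobject]@{
        UnexpectedDomainAdmins = $nested
        ComputersWithoutLaps   = $coverage
    }
}

# Usage (run from a domain-joined admin workstation with RSAT installed):
# $report = Invoke-LocalAdminHardeningAudit
# $report.UnexpectedDomainAdmins | Format-Table
# $report.ComputersWithoutLaps   | Format-Table
```

The LAPS check reads only the expiration timestamp, never the password attribute itself, so it needs no more than read access to the computer objects; the group check runs locally and reports what is nested, leaving the decision of what is legitimate to the reviewer.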