Talking Cyber Security
How CxOs (CISOs) can better communicate to the Board of Directors about Cyber Security
2 years ago
#CXOchatThe Customer Journey Understand the customer journey to deliver better experiences and boost your bottom line
Dave Vellante
Q1. Is this Premise correct? Chances are we've already been penetrated. CIOs (CISOs) need to adjust management’s cybersecurity stance from “thwart penetration” to “rapidly respond to penetration & thwart damage"

Dave Vellante Please answer inside the question in the thread
Muddu Sudhakar Agree with @dvellante; Every enterprise need to assume they are already compromised and attackers in their environment hiding their tracks
AndrewGilman Correct. Today, it takes customers too long to finding vulnerabilities because threat scanning is a manual operation that isn't automated/orchestrated. If we were to look for issues all the time, we'd impact production envionrments.
Will Lassalle Yes chances are the business has been penetrated. Its also not a question of if but when. When you talk about cybersecurity/infosec its Confidentiality, Integrity & Availability that are compromised more often internally.
Grogs Axle Automated processes including measurement of time of detection (of vulnerability and exploitation) to remediation (DtR) is valuable
Muddu Sudhakar CIO and CISO need to move Threat detection assuming attacker is already inside and then prevent Threats
Muddu Sudhakar Priorities on cyber security should be better detection vs spending $$ on automation of remediation
Grogs Axle With the detection needs to come better network architectures including zero trust and risk based authorization.
Muddu Sudhakar @GrogsAxle Also SDNs need to shift focus to Cyber security and software defined firewalls @dvellante
Knebel Achim @smuddu I agree with Muddu that priority should be set on detection. Doing this we should be clear that this is an analytical problem to be addressed with deep learning/machine learning technologies rather than with classical SIEM.
Mark Terenzoni I agree that every large corporation should work under the premise that they have been compromised. Prevention is not enough rapid detection and response needs to move up the priority list.
Dave Vellante Would be great to have some of your folks join the chat tomorrow Mark...
Mark Terenzoni Happy to have some of our team join- looking forward to it.
Dan Stolts In addition to assuming breach, we need to isolate systems so the breach has limited reach. Cloud can help!
Dave Vellante Lots of talk these days about finding stealthy intruders once they get in
Michael Schiebel Yes, depending on how you define "penetrated" industry statistics show the over 90% of companies were penetrated at least once in 2015.  I define penetrated as the company CIA was compromised requiring remediation.
Dave Vellante @mgschiebel so by any definition the # is high in your view, yes?
Michael Schiebel The frequency can be considered high; depending on definition frequency can be daily. Understanding the likelihood X impact is where it matters e.g. what is the risk.
Dave Vellante Probability of a breach and the severity (impact) is the formula?
Dan Stolts most breaches are at least supported by internal trusted resources. Just in time access can help with breach and recovery
Dave Vellante @ITProGuru you mean "inside jobs?" or just bad security practices/behavior?
Dan Stolts Getting executive support is easier with evidence. More than 40 breaches in CA alone this year.
Phil Dunn @ITProGuru Can you clarify how Cloud can help? "In addition to assuming breach, we need to isolate systems so the breach has limited reach. Cloud can help"
Dave Vellante @Phil_Dunn1 @ITProGuru - good ? Phil - is that because you can apply fixes faster or some other dynamic
Dan Stolts @Phil_Dunn1 Cloud can help because there are many natural boundaries built into the platform (eg. Azure) where different systems can be put on different networks.
Dan Stolts @Phil_Dunn1 it is really hard to do network isolation onprem, super easy in the cloud
Phil Dunn @ITProGuru Why not just keep data in an encrypted format, whether at rest or in flight, and control who gets the keys to see the data?
Dan Stolts You can apply fixes faster, Plus your cloud provider is doing much of the security on your behalf, + ACL, NAC, list goes on and on
Dave Vellante @ITProGuru Ok...part of your argument is cloud security is better than my security...that I buy for most organizations
Dave Vellante @Phil_Dunn1 In part this is why block chain is so hot right now in the CxO discussion - no "trusted" third party...
Phil Dunn @ITProGuru I think you're just shifting the security issue/challenges to the cloud provider-whose to say they are better than you are?
Dan Stolts @Phil_Dunn1 keeping data encrypted at rest and in flight is a best practice. But, if people (or bots) gain access (breach with creds), that is not helpful.
Dan Stolts @Phil_Dunn1 people are often the problem. Cloud providers automate everything. Can't social engineer code, etc. Plus, they spend a fortune on protection, go through certs, etc.
Phil Dunn @ITProGuru Cloud providers don't have people? if everyone moved to the "Cloud", don't you think the hackers/breachers will too?
Dan Stolts most companies simply do not have the processes or money to do as much as cloud providers. Some companies may be doing more, I have not met many.
Dan Stolts @Phil_Dunn1 Sure cloud providers have people. those people do not have access to individual systems or even a way to find an particular system without a valid work authorization. Access is only granted when needed, separation of duties
Phil Dunn @ITProGuru Sure sounds like you could implement the same practices/access on-premise?
Dan Stolts @Phil_Dunn1 Absolutely you can do it on premises. It is just so much work that most do not. I have seen many of these practices by defense contractors
Phil Dunn @ITProGuru From what I hear, majority of attacks/breaches are user, system, or database vulnerabilities. If you encrypt the entire information lifecycle, and apply strict credential polices for de-crypting, clearly should stop majority-no?
Phil Dunn @ITProGuru But didn't the Venom & heartbleed attacks affect Cloud providers as well?
Dan Stolts @Phil_Dunn1 Venom and heartbleed were Linux stack vulnerabilities, VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected. the big boys AWS, Azure not impacted
Phil Dunn @ITProGuru And what about when data is transferred to the Cloud provider? Sounds like a big security threat right there?
Dan Stolts @Phil_Dunn1 not to say cloud will protect against everything, just that it is easier to isolate. there is not magic bullet. I just look at all options, and figure out what technologies can be deployed to help the business cost effectively
Dan Stolts @Phil_Dunn1 most cloud transfers are done via certificate security authentication and encryption. Depends again on what tech you deploy. uploading to a storage account through unencrypted public channel not a great idea
Phil Dunn @ITProGuru I just discovered this article mentioning AWS was impacted by Heartbleed bug although "mitigated" http://www.theregist... so Cloud isn't perfect either
Dan Stolts @Phil_Dunn1 interesting. I was not aware AWS was impacted. No, cloud definitely does not solve all issues. Azure was not impacted because they run on Hyper-v
Dan Stolts @Phil_Dunn1 If a vulnerability came out for hyper-v then Azure would be at risk. The highly automated nature of cloud lends well to them thwarting the risk quickly
Dan Stolts "inside jobs" are not always bad people. Social engineer, easy passwords, bad security practices (similar password, writing down passwords, etc) all fall under the category of inside jobs
Phil Dunn @ITProGuru Besides automation, I think standardization of infrastructure stack & removing/reducing the complexity of 100's of vendors products & the inherent challenge of tracking security across the stack will reduce security management issues & risk
Dan Stolts @Phil_Dunn1 encrypting actually does not stop most. That is because the way most breaches happen is through the use of valid credentials. the creds can unlock the data
Dan Stolts @Phil_Dunn1 Phil, spot on. Standardization, limiting exposure externally and automation all play a key role in minimizing risk
Phil Dunn @ITProGuru I hear that many of last years attacks used old vulnerabilities & although fixes were published many years prior, the fixes were not deployed due to patching difficulties so improving patching cycles will help solve this via removing complexity.
Phil Dunn @ITProGuru Well, encryption only works when there's strong key, access privilege management and accountability policies in place.
Muddu Sudhakar I think all organizations should operate assuming they are breached or compromised. Need to deploy continuous threat detection and monitoring products
Vi Bergquist I agree that we should assume we have been breached. It gets IT staff in the proper security mindset and will help staff maintain a higher security posture. We must find ways to keep security top-of-mind.