CxOChat

Please answer inside the question in the thread

Agree with @dvellante; Every enterprise need to assume they are already compromised and attackers in their environment hiding their tracks

Correct. Today, it takes customers too long to finding vulnerabilities because threat scanning is a manual operation that isn't automated/orchestrated. If we were to look for issues all the time, we'd impact production envionrments.

Yes chances are the business has been penetrated. Its also not a question of if but when. When you talk about cybersecurity/infosec its Confidentiality, Integrity & Availability that are compromised more often internally.

Automated processes including measurement of time of detection (of vulnerability and exploitation) to remediation (DtR) is valuable

CIO and CISO need to move Threat detection assuming attacker is already inside and then prevent Threats

Priorities on cyber security should be better detection vs spending $$ on automation of remediation

With the detection needs to come better network architectures including zero trust and risk based authorization.

@GrogsAxle Also SDNs need to shift focus to Cyber security and software defined firewalls @dvellante

@smuddu I agree with Muddu that priority should be set on detection. Doing this we should be clear that this is an analytical problem to be addressed with deep learning/machine learning technologies rather than with classical SIEM.

I agree that every large corporation should work under the premise that they have been compromised. Prevention is not enough rapid detection and response needs to move up the priority list.

Would be great to have some of your folks join the chat tomorrow Mark...

Happy to have some of our team join- looking forward to it.

In addition to assuming breach, we need to isolate systems so the breach has limited reach. Cloud can help!

Lots of talk these days about finding stealthy intruders once they get in

Yes, depending on how you define "penetrated" industry statistics show the over 90% of companies were penetrated at least once in 2015.  I define penetrated as the company CIA was compromised requiring remediation.

@mgschiebel so by any definition the # is high in your view, yes?

The frequency can be considered high; depending on definition frequency can be daily. Understanding the likelihood X impact is where it matters e.g. what is the risk.

Probability of a breach and the severity (impact) is the formula?

most breaches are at least supported by internal trusted resources. Just in time access can help with breach and recovery

@ITProGuru you mean "inside jobs?" or just bad security practices/behavior?

Getting executive support is easier with evidence. More than 40 breaches in CA alone this year. https://oag.ca.gov/e...

@ITProGuru Can you clarify how Cloud can help? "In addition to assuming breach, we need to isolate systems so the breach has limited reach. Cloud can help"

@Phil_Dunn1 @ITProGuru - good ? Phil - is that because you can apply fixes faster or some other dynamic

@Phil_Dunn1 Cloud can help because there are many natural boundaries built into the platform (eg. Azure) where different systems can be put on different networks.

@Phil_Dunn1 it is really hard to do network isolation onprem, super easy in the cloud

@ITProGuru Why not just keep data in an encrypted format, whether at rest or in flight, and control who gets the keys to see the data?

You can apply fixes faster, Plus your cloud provider is doing much of the security on your behalf, + ACL, NAC, list goes on and on

@ITProGuru Ok...part of your argument is cloud security is better than my security...that I buy for most organizations

@Phil_Dunn1 In part this is why block chain is so hot right now in the CxO discussion - no "trusted" third party...

@ITProGuru I think you're just shifting the security issue/challenges to the cloud provider-whose to say they are better than you are?

@Phil_Dunn1 keeping data encrypted at rest and in flight is a best practice. But, if people (or bots) gain access (breach with creds), that is not helpful.

@Phil_Dunn1 people are often the problem. Cloud providers automate everything. Can't social engineer code, etc. Plus, they spend a fortune on protection, go through certs, etc.

@ITProGuru Cloud providers don't have people? if everyone moved to the "Cloud", don't you think the hackers/breachers will too?

most companies simply do not have the processes or money to do as much as cloud providers. Some companies may be doing more, I have not met many.

@ITProGuru True dat

@Phil_Dunn1 Sure cloud providers have people. those people do not have access to individual systems or even a way to find an particular system without a valid work authorization. Access is only granted when needed, separation of duties

@ITProGuru Sure sounds like you could implement the same practices/access on-premise?

@Phil_Dunn1 Absolutely you can do it on premises. It is just so much work that most do not. I have seen many of these practices by defense contractors

@ITProGuru From what I hear, majority of attacks/breaches are user, system, or database vulnerabilities. If you encrypt the entire information lifecycle, and apply strict credential polices for de-crypting, clearly should stop majority-no?

@ITProGuru But didn't the Venom & heartbleed attacks affect Cloud providers as well?

@Phil_Dunn1 Venom and heartbleed were Linux stack vulnerabilities, VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected. the big boys AWS, Azure not impacted

@ITProGuru And what about when data is transferred to the Cloud provider? Sounds like a big security threat right there?

@Phil_Dunn1 not to say cloud will protect against everything, just that it is easier to isolate. there is not magic bullet. I just look at all options, and figure out what technologies can be deployed to help the business cost effectively

@Phil_Dunn1 most cloud transfers are done via certificate security authentication and encryption. Depends again on what tech you deploy. uploading to a storage account through unencrypted public channel not a great idea

@ITProGuru I just discovered this article mentioning AWS was impacted by Heartbleed bug although "mitigated" http://www.theregist... so Cloud isn't perfect either

@Phil_Dunn1 interesting. I was not aware AWS was impacted. No, cloud definitely does not solve all issues. Azure was not impacted because they run on Hyper-v

@Phil_Dunn1 If a vulnerability came out for hyper-v then Azure would be at risk. The highly automated nature of cloud lends well to them thwarting the risk quickly

"inside jobs" are not always bad people. Social engineer, easy passwords, bad security practices (similar password, writing down passwords, etc) all fall under the category of inside jobs

@ITProGuru Besides automation, I think standardization of infrastructure stack & removing/reducing the complexity of 100's of vendors products & the inherent challenge of tracking security across the stack will reduce security management issues & risk

@Phil_Dunn1 encrypting actually does not stop most. That is because the way most breaches happen is through the use of valid credentials. the creds can unlock the data

@Phil_Dunn1 Phil, spot on. Standardization, limiting exposure externally and automation all play a key role in minimizing risk

@ITProGuru I hear that many of last years attacks used old vulnerabilities & although fixes were published many years prior, the fixes were not deployed due to patching difficulties so improving patching cycles will help solve this via removing complexity.

@ITProGuru Well, encryption only works when there's strong key, access privilege management and accountability policies in place.

I think all organizations should operate assuming they are breached or compromised. Need to deploy continuous threat detection and monitoring products

I agree that we should assume we have been breached. It gets IT staff in the proper security mindset and will help staff maintain a higher security posture. We must find ways to keep security top-of-mind.