Category Archives: CISO

Cooking up secure code: A foolproof recipe for open source

The use of open source code in modern software has become nearly ubiquitous. It makes perfect sense: facing ever-increasing pressures to accelerate the rate at which new applications are delivered, developers value the ready-made aspect of open source components which they can plug in where needed, rather than building a feature from the ground up. Indeed, this practice has become so common that today the average application is composed mostly of open source libraries, with … More

The post Cooking up secure code: A foolproof recipe for open source appeared first on Help Net Security.

Cybercriminals exposed 5 billion records in 2019, costing U.S. organizations over $1.2 trillion

Cybercriminals exposed over 5 billion records in 2019, costing over $1.2 trillion to U.S. organizations, according to ForgeRock. Coupled with breaches in 2018 costing over $654 billion, breaches over the last two years have cost U.S. organizations over $1.8 trillion. Healthcare: The most targeted industry Healthcare emerged as the most targeted industry in 2019, accounting for 382 breaches and costing over $2.45B, an increase from 164 incidents costing over $633 million in 2018. Despite healthcare … More

The post Cybercriminals exposed 5 billion records in 2019, costing U.S. organizations over $1.2 trillion appeared first on Help Net Security.

Lean into zero trust to ensure security in times of agility

Bad actors are rapidly mounting phishing campaigns, setting up malicious websites and sending malicious attachments to take full advantage of the pandemic and users’ need for information, their fears and other emotions. More often than not, the goal is the compromise of login credentials. Many organizations grant more trust to users on the intranet versus users on the internet. Employees working from home – while unknowingly browsing potentially malicious websites and clicking on doctored COVID-19 … More

The post Lean into zero trust to ensure security in times of agility appeared first on Help Net Security.

How to successfully operationalize your micro-segmentation solution

Introducing a new security model into your existing infrastructure can be challenging. The task becomes even more daunting when starting with a new host-based or micro-segmentation solution. If you’ve decided on a host-based approach to segmentation, I’d like to share, based on personal experience, some advice and best practices on using this type of solution in your organization. Discovery The business case that drove your organization to adopt a host-based segmentation solution will serve as … More

The post How to successfully operationalize your micro-segmentation solution appeared first on Help Net Security.

When SOCs never stop: How to fill the intelligence gaps in security

Demand for security analysts and security operations centre experts is high – so high that Frost and Sullivan found only two percent unemployment in the sector and that demand continues outstrip the supply of newly skilled professionals. (ISC)² suggests that the number of skilled professionals will have to grow from 2.8 million worldwide to 4.07 million to close the skills gap. All these roles will require the right skills and the right data. Alongside filling … More

The post When SOCs never stop: How to fill the intelligence gaps in security appeared first on Help Net Security.

The challenge of updating locally cached credentials

As organizations work to ensure remote workforce productivity, the issue of cached credentials will inevitably appear, causing a problem for the impacted user, and the IT service desk. It’s no secret that some material portion of nearly every workforce is functioning remotely. You’ve spent the last few months scurrying to establish remote connectivity, cloud-based productivity, and some form of encompassing security – all to allow your remote employees to get their job done while meeting … More

The post The challenge of updating locally cached credentials appeared first on Help Net Security.

People Are The Strongest Link

Here’s a little preview of what you’ll find in Episode 6 of the Security Stories podcast.

If you’re looking for behind the scenes tales from some of the leading figures in cybersecurity, then you’re in the right place. If you’re looking for anecdotes from significant security events in the past, then you’re also in the right place. 

If you’re looking for advice on how to create the perfect TicToc video, well, you’re in the wrong place, but do stick around and see if you find anything interesting.

Brian HonanOn today’s show we have a great interview with an altruistic Irishman who wears cool glasses and has a nice variety of white hats.

Nope, it’s not Bono, but we are lucky enough to have Brian Honan as our guest on this episode.

Brian is an internationally recognised expert on cybersecurity and data protection, but if you were to ask his young son what he did, the answer would be, ‘Dad catches hackers”.

In 2008 Brian founded Ireland’s first Computer Emergency Response Team. He’s also an adviser for Europol’s European Cybercrime Centre, and he runs his own independent security consultancy, BH Consulting, with a team based across the globe.

We cover a wide variety of topics during the interview, including the genesis of the Irish Emergency Response Team, running a company and managing a team, and why the cybersecurity industry needs more accountability.

A key part of our discussion is about people.  For many years, people have been deemed “the weakest link” when it comes to security.  Brian has an interesting take on why this isn’t the case. It’s really worth a listen.

Also in this episode is our regular “On This Day” feature. This is when my co-host Ben and I jump into the DeLorean and visit a significant cybersecurity event in the past.

This time we’re travelling back to the year 2000 which is when the “ILOVEYOU” worm or the “Love Bug”, or indeed the “Love letter for you” cyber attack ended up infecting over 10 million personal Windows computers.   Discover the unique story behind this attack, and the additional part of the story, which happened only a few days ago.

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

Listen to previous episodes of the Security Stories podcast right here

The post People Are The Strongest Link appeared first on Cisco Blogs.

Why is SDP the most effective architecture for zero trust strategy adoption?

Software Defined Perimeter (SDP) is the most effective architecture for adopting a zero trust strategy, an approach that is being heralded as the breakthrough technology for preventing large-scale breaches, according to the Cloud Security Alliance. “Most of the existing zero trust security measures are applied as authentication and sometimes authorization, based on policy after the termination of Transport Layer Security (TLS) certificates,” said Nya Alison Murray, senior ICT architect and co-lead author of the report. … More

The post Why is SDP the most effective architecture for zero trust strategy adoption? appeared first on Help Net Security.

Employees abandoning security when working remotely

48% of employees are less likely to follow safe data practices when working from home, a report from Tessian reveals. The global shift to remote working poses new security challenges for businesses and traditional security solutions are failing to curb the problem of the insider threat and accidental data loss. Remote work compounds insider threats While 91% of IT leaders trust their staff to follow best security practices when working remotely, 52% of employees believe … More

The post Employees abandoning security when working remotely appeared first on Help Net Security.

Creating an emergency ready cybersecurity program

A large part of the world’s workforce has transitioned to working remotely, but as plans are being drawn up to reopen economies, the security industry is being challenged to develop stronger screening practices, emergency operations planning, and to deploy tools to detect and minimize the impact that future pandemics, natural disasters and cyberattacks can have on a company. Things like global security operation centers (SOCs), managed security services, thermal imaging and temperature screening for on-site … More

The post Creating an emergency ready cybersecurity program appeared first on Help Net Security.

Zero Trust Deployment Guide for devices

The modern enterprise has an incredible diversity of endpoints accessing their data. This creates a massive attack surface, and as a result, endpoints can easily become the weakest link in your Zero Trust security strategy.

Whether a device is a personally owned BYOD device or a corporate-owned and fully managed device, we want to have visibility into the endpoints accessing our network, and ensure we’re only allowing healthy and compliant devices to access corporate resources. Likewise, we are concerned about the health and trustworthiness of mobile and desktop apps that run on those endpoints. We want to ensure those apps are also healthy and compliant and that they prevent corporate data from leaking to consumer apps or services through malicious intent or accidental means.

Get visibility into device health and compliance

Gaining visibility into the endpoints accessing your corporate resources is the first step in your Zero Trust device strategy. Typically, companies are proactive in protecting PCs from vulnerabilities and attacks, while mobile devices often go unmonitored and without protections. To help limit risk exposure, we need to monitor every endpoint to ensure it has a trusted identity, has security policies applied, and the risk level for things like malware or data exfiltration has been measured, remediated, or deemed acceptable. For example, if a personal device is jailbroken, we can block access to ensure that enterprise applications are not exposed to known vulnerabilities.

  1. To ensure you have a trusted identity for an endpoint, register your devices with Azure Active Directory (Azure AD). Devices registered in Azure AD can be managed using tools like Microsoft Endpoint Manager, Microsoft Intune, System Center Configuration Manager, Group Policy (hybrid Azure AD join), or other supported third-party tools (using the Intune Compliance API + Intune license). Once you’ve configured your policy, share the following guidance to help users get their devices registered—new Windows 10 devices, existing Windows 10 devices, and personal devices.
  2. Once we have identities for all the devices accessing corporate resources, we want to ensure that they meet the minimum security requirements set by your organization before access is granted. With Microsoft Intune, we can set compliance rules for devices before granting access to corporate resources. We also recommend setting remediation actions for noncompliant devices, such as blocking a noncompliant device or offering the user a grace period to get compliant.

Restricting access from vulnerable and compromised devices

Once we know the health and compliance status of an endpoint through Intune enrollment, we can use Azure AD Conditional Access to enforce more granular, risk-based access policies. For example, we can ensure that no vulnerable devices (like devices with malware) are allowed access until remediated, or ensure logins from unmanaged devices only receive limited access to corporate resources, and so on.

  1. To get started, we recommend only allowing access to your cloud apps from Intune-managed, domain-joined, and/or compliant devices. These are baseline security requirements that every device will have to meet before access is granted.
  2. Next, we can configure device-based Conditional Access policies in Intune to enforce restrictions based on device health and compliance. This will allow us to enforce more granular access decisions and fine-tune the Conditional Access policies based on your organization’s risk appetite. For example, we might want to exclude certain device platforms from accessing specific apps.
  3. Finally, we want to ensure that your endpoints and apps are protected from malicious threats. This will help ensure your data is better-protected and users are at less risk of getting denied access due to device health and/or compliance issues. We can integrate data from Microsoft Defender Advanced Threat Protection (ATP), or other Mobile Threat Defense (MTD) vendors, as an information source for device compliance policies and device Conditional Access rules. Options below:

Enforcing security policies on mobile devices and apps

We have two options for enforcing security policies on mobile devices: Intune Mobile Device Management (MDM) and Intune Mobile Application Management (MAM). In both cases, once data access is granted, we want to control what the user does with the data. For example, if a user accesses a document with a corporate identity, we want to prevent that document from being saved in an unprotected consumer storage location or from being shared with a consumer communication or chat app. With Intune MAM policies in place, they can only transfer or copy data within trusted apps such as Office 365 or Adobe Acrobat Reader, and only save it to trusted locations such as OneDrive or SharePoint.

Intune ensures that the device configuration aspects of the endpoint are centrally managed and controlled. Device management through Intune enables endpoint provisioning, configuration, automatic updates, device wipe, or other remote actions. Device management requires the endpoint to be enrolled with an organizational account and allows for greater control over things like disk encryption, camera usage, network connectivity, certificate deployment, and so on.

Mobile Device Management (MDM)

  1. First, using Intune, let’s apply Microsoft’s recommended security settings to Windows 10 devices to protect corporate data (Windows 10 1809 or later required).
  2. Ensure your devices are patched and up to date using Intune—check out our guidance for Windows 10 and iOS.
  3. Finally, we recommend ensuring your devices are encrypted to protect data at rest. Intune can manage a device’s built-in disk encryption across both macOS and Windows 10.

Meanwhile, Intune MAM is concerned with management of the mobile and desktop apps that run on endpoints. Where user privacy is a higher priority, or the device is not owned by the company, app management makes it possible to apply security controls (such as Intune app protection policies) at the app level on non-enrolled devices. The organization can ensure that only apps that comply with their security controls, and running on approved devices, can be used to access emails or files or browse the web.

With Intune, MAM is possible for both managed and unmanaged devices. For example, a user’s personal phone (which is not MDM-enrolled) may have apps that receive Intune app protection policies to contain and protect corporate data after it has been accessed. Those same app protection policies can be applied to apps on a corporate-owned and enrolled tablet. In that case, the app-level protections complement the device-level protections. If the device is also managed and enrolled with Intune MDM, you can choose not to require a separate app-level PIN if a device-level PIN is set, as part of the Intune MAM policy configuration.

Mobile Application Management (MAM)

  1. To protect your corporate data at the application level, configure Intune MAM policies for corporate apps. MAM policies offer several ways to control access to your organizational data from within apps:
    • Configure data relocation policies like save-as restrictions for saving organization data or restrict actions like cut, copy, and paste outside of organizational apps.
    • Configure access policy settings like requiring simple PIN for access or blocking managed apps from running on jailbroken or rooted devices.
    • Configure automatic selective wipe of corporate data for noncompliant devices using MAM conditional launch actions.
    • If needed, create exceptions to the MAM data transfer policy to and from approved third-party apps.
  2. Next, we want to set up app-based Conditional Access policies to ensure only approved corporate apps access corporate data.
  3. Finally, using app configuration (appconfig) policies, Intune can help eliminate app setup complexity or issues, make it easier for end users to get going, and ensure better consistency in your security policies. Check out our guidance on assigning configuration settings.

Conclusion

We hope the above helps you deploy and successfully incorporate devices into your Zero Trust strategy. Make sure to check out the other deployment guides in the series by following the Microsoft Security blog. For more information on Microsoft Security Solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust Deployment Guide for devices appeared first on Microsoft Security.

IoT security: In 2020, action needs to match awareness

As the power of IoT devices increases, security has failed to follow suit. This is a direct result of the drive to the bottom for price of network enabling all devices. But small steps can greatly increase the overall security of IoT. A better IoT security story has to be one of the most urgent priorities in all of technology. That’s because IoT is one of the industry’s most compelling opportunities and squandering it due … More

The post IoT security: In 2020, action needs to match awareness appeared first on Help Net Security.

How do I select a backup solution for my business?

42% of companies experienced a data loss event that resulted in downtime last year. That high number is likely caused by the fact that while nearly 90% are backing up the IT components they’re responsible for protecting, only 41% back up daily – leaving many businesses with gaps in the valuable data available for recovery. In order to select an appropriate backup solution for your business, you need to think about a variety of factors. … More

The post How do I select a backup solution for my business? appeared first on Help Net Security.

Create a safe haven for your customers to build loyalty

“The customer comes first” started out as the secret to success in business. Now it’s the secret to 21st century cybersecurity and fraud prevention, too. The phrase always seemed more like an empty platitude, but a growing number of banks and other financial institutions now understand that optimizing convenient consumer experience with risk and safety across all their channels is a strategic differentiator. Dealing with fraudulent transactions Financial institutions have been on the lookout for … More

The post Create a safe haven for your customers to build loyalty appeared first on Help Net Security.

Integrating a SIEM solution in a large enterprise with disparate global centers

Security Information and Event Management (SIEM) systems combine two critical infosec abilities – information management and event management – to identify outliers and respond with appropriate measures. While information management deals with the collection of security data from across silos in the enterprise (firewalls, antivirus tools, intrusion detection, etc.), event management focuses on incidents that can pose a threat to the system – from benign human errors to malicious code trying to break in. Having … More

The post Integrating a SIEM solution in a large enterprise with disparate global centers appeared first on Help Net Security.

What do IGA solutions have in common with listening to music anywhere?

Fifteen years ago, there was a revolution in personal music players. The market had slowly evolved from the Walkman to the Discman, when a bolt of innovation brought the MP3 player. Finally, the solution to having all of one’s music anywhere was solved with a single device, not a device plus a bag full of whatever physical media was popular at that time. History clearly shows that the iPod and a few of its competitors … More

The post What do IGA solutions have in common with listening to music anywhere? appeared first on Help Net Security.

CEOs and CISOs disagree on cyber strategies

There are growing disparities in how CEOs and CISOs view the most effective cybersecurity path forward, according to Forcepoint. The global survey of 200 CEOs and CISOs from across industries including healthcare, finance and retail, among others, uncovered prominent cybersecurity stressors and areas of disconnect for business and security leaders, including the lack of an ongoing cybersecurity strategy for less than half of all CEO respondents. The research also identified disparities between geographic regions on … More

The post CEOs and CISOs disagree on cyber strategies appeared first on Help Net Security.

CISOs are critical to thriving companies: Here’s how to support their efforts

Even before COVID-19 initiated an onslaught of additional cybersecurity risks, many chief information security officers (CISOs) were struggling. According to a 2019 survey of cybersecurity professionals, these critical data defenders were burned out. At the time, 64% were considering quitting their jobs, and nearly as many, 63%, were looking to leave the industry altogether. Of course, COVID-19 and the ensuing remote work requirements have made the problem worse. It’s clear that companies could be facing … More

The post CISOs are critical to thriving companies: Here’s how to support their efforts appeared first on Help Net Security.

How a good user experience brings the pieces of the enterprise IT jigsaw together

Have you ever done a jigsaw puzzle with pieces missing? Or tried to do a complicated one with only part of the picture showing on the box lid? If so, you will know how it feels to be the folks working to create secure, robust, and seamless enterprise IT systems. Enterprise IT has morphed into something that can feel complex and messy at best and out of control at worst. Each deployment can be convoluted, … More

The post How a good user experience brings the pieces of the enterprise IT jigsaw together appeared first on Help Net Security.

Operational resilience in a remote work world

Microsoft CEO Satya Nadella recently said, “We have seen two years’ worth of digital transformation in two months.” This is a result of many organizations having to adapt to the new world of document sharing and video conferencing as they become distributed organizations overnight.

At Microsoft, we understand that while the current health crisis we face together has served as this forcing function, some organizations might not have been ready for this new world of remote work, financially or organizationally. Just last summer, a simple lightning strike caused the U.K.’s National Grid to suffer the biggest blackout in decades. It affected homes across the country, shut down traffic signals, and closed some of the busiest train stations in the middle of the Friday evening rush hour. Trains needed to be manually rebooted causing delays and disruptions. And, when malware shut down the cranes and security gates at Maersk shipping terminals, as well as most of the company’s IT network—from the booking site to systems handling cargo manifests, it took two months to rebuild all the software systems, and three months before all cargo in transit was tracked down—with recovery dependent on a single server having been accidentally offline during the attack due to the power being cut off.

Cybersecurity provides the underpinning to operationally resiliency as more organizations adapt to enabling secure remote work options, whether in the short or long term. And, whether natural or manmade, the difference between success or struggle to any type of disruption requires a strategic combination of planning, response, and recovery. To maintain cyber resilience, one should be regularly evaluating their risk threshold and an organization’s ability to operationally execute the processes through a combination of human efforts and technology products and services.

While my advice is often a three-pronged approach of turning on multi-factor authentication (MFA)—100 percent of your employees, 100 percent of the time—using Secure Score to increase an organization’s security posture and having a mature patching program that includes containment and isolation of devices that cannot be patched, we must also understand that not every organization’s cybersecurity team may be as mature as another.

Organizations must now be able to provide their people with the right resources so they are able to securely access data, from anywhere, 100 percent of the time. Every person with corporate network access, including full-time employees, consultants, and contractors, should be regularly trained to develop a cyber-resilient mindset. They shouldn’t just adhere to a set of IT security policies around identity-based access control, but they should also be alerting IT to suspicious events and infections as soon as possible to help minimize time to remediation.

Our new normal means that risks are no longer limited to commonly recognized sources such as cybercriminals, malware, or even targeted attacks. Moving to secure remote work environment, without a resilience plan in place that does not include cyber resilience increases an organization’s risk.

Before COVID, we knew that while a majority of firms have a disaster recovery plan on paper, nearly a quarter never test that, and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

Operational resilience cannot be achieved without a true commitment to, and investment in, cyber resilience. We want to help empower every organization on the planet by continuing to share our learnings to help you reach the state where core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, or even cyber events.

Learn more about our guidance related to COVID-19 here, and bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Operational resilience in a remote work world appeared first on Microsoft Security.

Redefining business for a digital world with smart security decisions

Kurt John is Chief Cybersecurity Officer of Siemens USA, where he is responsible for the information security strategy, governance and implementation for the company’s largest market with ~$23B in annual revenues. In this interview with Help Net Security, he explores a variety of smart security decisions. Kurt discusses the challenges modern CISO have to deal with, the importance of IT security certification, he provides his opinion on what an ideal cybersecurity candidate looks like, and … More

The post Redefining business for a digital world with smart security decisions appeared first on Help Net Security.

Shifting responsibility is causing uncertainty and more security breaches

Data security is creating fear and trust issues for IT professionals, according to a new Oracle and KPMG report. The study of 750 cybersecurity and IT professionals across the globe found that a patchwork approach to data security, misconfigured services and confusion around new cloud security models has created a crisis of confidence that will only be fixed by organizations making security part of the culture of their business. Data security is keeping IT professionals … More

The post Shifting responsibility is causing uncertainty and more security breaches appeared first on Help Net Security.

CISO stress-busters: post #1 overcoming obstacles

As part of the launch of the U.S. space program’s moon shot, President Kennedy famously said we do these things “not because they are easy, but because they are hard.” The same can be said for the people responsible for security at their organizations; it is not a job one takes because it is easy. But it is critically important to keep our digital lives and work safe. And for the CISOs and leaders of the world, it is a job that is more than worth the hardships.

Recent research from Nominet paints a concerning picture of a few of those hardships. Forty-eight percent of CISO respondents indicated work stress had negatively impacted their mental health, this is almost double the number from last year’s survey. Thirty-one percent reported job stress had negatively impacted their physical health and 40 percent have seen their job stress impacting their personal lives. Add a fairly rapid churn rate (26 months on average) to all that stress and it’s clear CISOs are managing a tremendous amount of stress every day. And when crises hit, from incident response after a breach to a suddenly remote workforce after COVID-19, that stress only shoots higher.

Which is why we’re starting this new blog series called “CISO stress-busters.” In the words of CISOs from around the globe, we’ll be sharing insights, guidance, and support from peers on the front lines of the cyber workforce. Kicking us off—the main challenges that CISOs face and how they turn those obstacles into opportunity. The goal of the series is to be a bit of chicken (or chik’n for those vegans out there) soup for the CISO’s soul.

Today’s post features wisdom from three CISOs/Security Leaders:

  • TM Ching, Security CTO at DXC Technology
  • Jim Eckart, (former) CISO at Coca-Cola
  • Jason Golden, CISO at Mainstay Technologies

Clarifying contribution

Ask five different CEOs what their CISOs do and after the high level “manage security” answer you’ll probably get five very different explanations. This is partly because CISO responsibility can vary widely from company to company. So, it’s no surprise that many of the CISOs we interviewed touched on this point.

TM Ching summed it up this way, “Demonstrating my role to the organization can be a challenge—a role like mine may be perceived as symbolic” or that security is just here to “slow things down.” For Jason, “making sure that business leaders understand the difference between IT Operations, Cybersecurity, and InfoSec” can be difficult because execs “often think all of those disciplines are the same thing” and that since IT Ops has the products and solutions, they own security. Jim also bumped up against confusion about the security role with multiple stakeholders pushing and pulling in different directions like “a CIO who says ‘here is your budget,’ a CFO who says ‘why are you so expensive?’ and a general counsel who says ‘we could be leaking information everywhere.'”

What works:

  • Educate Execs—about the role of a CISO. Helping them “understand that it takes a program, that it’s a discipline.” One inflection point is after a breach, “you may be sitting there with an executive, the insurance company, their attorneys, maybe a forensics company and it always looks the same. The executive is looking down the table at the wide-eyed IT person saying ‘What happened?’” It’s a opportunity to educate, to help “make sure the execs understand the purpose of risk management.”—Jason Golden.   To see how to do this watch Microsoft CISO Series Episode 2 Part 1:  Security is everyone’s Business
  • Show Don’t Tell—“It is important to constantly demonstrate that I am here to help them succeed, and not to impose onerous compliance requirements that stall their projects.”—TM Ching
  • Accountability Awareness—CISOs do a lot, but one thing they shouldn’t do is to make risk decisions for the business in a vacuum. That’s why it’s critical to align “all stakeholders (IT, privacy, legal, financial, security, etc.) around the fact that cybersecurity and compliance are business risk issues and not IT issues. IT motions are (and should be) purely in response to the business’ decision around risk tolerance.”—Jim Eckart

Exerting influence

Fans of Boehm’s curve know that the earlier security can be introduced into a process, the less expensive it is to fix defects and flaws. But it’s not always easy for CISOs to get security a seat at the table whether it’s early in the ideation process for a new customer facing application or during financial negotiations to move critical workloads to the cloud. As TM put it, “Exerting influence to ensure that projects are secured at Day 0. This is possibly the hardest thing to do.” And because “some business owners do not take negative news very well” telling them their new app baby is “security ugly” the day before launch can be a gruesome task. And as Jason pointed out, “it’s one thing to talk hypothetically about things like configuration management and change management and here are the things that you need to do to meet those controls so you can keep your contract. It’s a different thing to get that embedded in operations so that IT and HR all the way through finance are following the rules for change management and configuration management.”

What Works:

  • Negotiate engagement—To avoid the last minute “gotchas” or bolting on security after a project has deployed, get into the conversation as early as possible. This isn’t easy, but as TM explains, it can be done. “It takes a lot of negotiations to convince stakeholders why it will be beneficial for them in the long run to take a pause and put the security controls in place, before continuing with their projects.”
  • Follow frameworks—Well-known frameworks like the NIST Cybersecurity Framework, NIST SP800-53, and SP800-37 can help CISOs “take things from strategy to operations” by providing baselines and best practices for building security into the entire organization and systems lifecycle. And that will pay off in the long run; “when the auditors come calling, they’re looking for evidence that you’re following your security model and embedding that throughout the organization.” —Jason

Cultivating culture

Wouldn’t it be wonderful if every company had a security mindset and understood the benefits of having a mature, well-funded security and risk management program? If every employee understood what a phish looks like and why they should report it? Unfortunately, most companies aren’t laser focused on security, leaving that education work up to the CISO and their team. And having those conversations with stakeholders that sometimes have conflicting agendas requires technical depth and robust communication skills. That’s not easy. As Jim points out, “it’s a daunting scope of topics to be proficient in at all levels.

What works:

  • Human firewalls—All the tech controls in the world won’t stop 100 percent of attacks, people need to be part of the solution too. “We can address administrative controls, technical controls, physical controls, but you also need to address the culture and human behavior, or the human firewalls. You know you’re only going to be marginally successful if you don’t engage employees too.” —Jason
  • Know your audience—CISOs need to cultivate “depth and breadth. On any given day, I needed to move from board-level conversations (where participants barely understand security) all the way to the depths of zero day vulnerabilities, patching, security architecture.” —Jim

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to me on LinkedIn and let me know what you thought of this article and if you’re interested in being interviewed for one of our upcoming posts.

The post CISO stress-busters: post #1 overcoming obstacles appeared first on Microsoft Security.

12 days of Christmas Security Predictions: What lies ahead in 2020

Marked by a shortage of cyber security talent and attackers willing to exploit any vulnerability to achieve their aims, this year emphasised the need for organisations to invest in security and understand their risk posture. With the number of vendors in the cyber security market rapidly growing, rising standard for managing identities and access, and organisations investing more in security tools, 2020 will be a transformational year for the sector.

According to Rob Norris, VP Head of Enterprise & Cyber Security EMEIA at Fujitsu: “We anticipate that 2020 will be a positive year for security, and encourage public and private sector to work together to bring more talent to the sector and raise the industry standards. As the threat landscape continues to expand with phishing and ransomware still popular, so will the security tools, leaving organisations with a variety of solutions. Next year will also be marked by a rush to create an Artificial Intelligence silver-bullet for cyber security and a move from old-fashioned password management practices to password-less technologies.”

“As cyber criminals continue to find new ways to strike, we’ll be working hard to help our customers across the world to prepare their people, processes and technology to deal with these threats. One thing to always keep in mind is that technology alone cannot stop a breach - this requires a cultural shift to educate employees across organisations about data and security governance. After all, people are always at the front line of a cyber-attack.”

What will 2020 bring with Cybersecurity?

In light of this, Rob Norris shares his “12 Days of Christmas” security predictions for the coming year.

1. A United front for Cyber Security Talent Development
The shortage of cyber security talent will only get worse in 2020 - if we allow it to.

The scarce talent pool of cyber security specialists has become a real problem with various reports estimating a global shortage of 3.5 million unfulfilled positions by 2021. New approaches to talent creation need to be considered.

The government, academia, law enforcement and businesses all have a part to play in talent identification and development and will need to work collaboratively to provide different pathways for students who may not ordinarily be suited to the traditional education route. Institutions offering new cyber security courses for technically gifted individuals are a great starting point, but more will need to be done in 2020 if the shortage is to be reduced.

2. Cloud Adoption Expands the Unknown Threat Landscape 
It will take time for organisations to understand their risk posture as the adoption of cloud services grows.

While the transition to cloud-based services will provide many operational, business and commercial benefits to organisations, there will be many CISO’s working to understand the risks to their business with new data flows, data storage and new services. Traditional networks, in particular, boundaries and control of services are typically very well understood while the velocity and momentum of cloud adoption services leaves CISO’s with unanswered questions. Valid concerns remain around container security, cloud storage, cloud sharing applications, identity theft and vulnerabilities yet to be understood, or exposed.

3. The Brexit Effect 
Brexit will have far-reaching cyber security implications for many organisations, in many countries.

The UK and European markets are suffering from uncertainty around the UK’s departure from the European Union, which will affect the adoption of cyber security services, as organisations will be reticent to spend until the impact of Brexit is fully understood.

The implications of data residency legislation, hosting, corporation tax, EU-UK security collaboration and information sharing are all questions that will need to be answered in 2020 post-Brexit. There is a long-standing collaborative relationship between the UK and its EU counterparts including European Certs and Europol and whilst the dynamics of those working relationships should continue, CISO’s and senior security personnel will be watching closely to observe the real impact.

4. SOAR Revolution 
Security Orchestration, Automation and Response (SOAR) is a real game-changer for cyber security and early adopters will see the benefits in 2020 as the threat landscape continues to expand.

Threat intelligence is a domain that has taken a while for organisations to understand in terms of terminology and real business benefits. SOAR is another domain that will take time to be understood and adopted, but the business benefits are also tangible. At a granular level, the correct adoption of SOAR will help organisations map, understand and improve their business processes. By making correct use of their technology stack and associated API’s early adopters will get faster and enhanced reporting and will improve their security posture through the reduction of the Mean Time To Respond (MTTR) to threats that could impact their reputation, operations and bottom-line.

5. Further Market Fragmentation will Frustrate CISOs 
The number of vendors in the cyber security market has been rapidly growing and that will continue in 2020, but this is leading to confusion for organisations.

The cyber security market is an increasingly saturated one, often at the frustration of CISO’s who are frequently asked to evaluate new products. Providers that can offer a combined set of cyber security services that deliver clear business outcomes will gain traction as they can offer benefits over the use of disparate security technologies such as a reduction in contract management, discount provisioned across services, single point of contacts and reduction in services and technologies to manage.

Providers that continue to acquire security technologies to enhance their stack such as Endpoint Detection and Response (EDR) or technology analytics, will be best positioned to provide the full Managed Detection and Response (MDR) services that organisations need.

6. Artificial Intelligence (AI) will need Real Security 
2020 will see a rise in the use of adversarial attacks to exploit vulnerabilities in AI systems.

There is a rush to create an AI silver-bullet for cyber security however, there is currently a lack of focus on security for AI. It is likely we will see a shift towards this research area as “adversarial” approaches to neural networks could potentially divulge partial or complete data points that the model was trained on. It is also possible to extract parts of a model leading to intellectual property theft as well as the ability to craft “adversarial” AI which can manipulate the intended model. Currently, it is hard to detect and remediate these attacks.

There will need to be more focus on explainable AI, which would allow for response and remediation on what are currently black-box models.

7. Organisations will need to Understand how to make better use of Security Tools and Controls at their Disposal 
Customers will need to take better advantage of the security measures that they already have available. 

The well-established cloud platforms already contain many integrated security features but organisations are failing to take advantage of these features, partly because they do not know about them. A greater understanding of these features will allow organisations to make smarter investment decisions and we expect to see a growing demand for advice and services that allow organisations to optimally configure and monitor those technologies to ensure they have minimal risk and exposure to threats.

Fujitsu predicted last year that securing multi-cloud environments will be key going forward and organisations continue to need to find a balance of native and third-party tools to drive the right solution for their objectives.

8. Do you WannaCry again? 
The end of support for Windows Server 2008 and Windows 7 will open the door for well-prepared attackers.

January 2020 sees the official end of support life for all variants of Windows Server 2008 and Windows 7, which share elements of the same code base. This means that both end-user devices and data center servers will be equally vulnerable to the same exploits and opens the possibility that organisations could be susceptible to attacks that cause large outages.

In 2017, Wannacry surfaced and caused some well-publicised outages including well-known organisations from across the healthcare, manufacturing, logistics and aerospace industries. Microsoft had released patches two months before and recommended using a later version of the impacted components. We also learned in 2017, via Edward Snowden, that nation-states have built up an armoury of previously undisclosed exploits. These exploits are documented to target the majority of publicly available Operating Systems and so it stands to reason that cyber criminals could have also built a war chest of tools which will surface once the end of vendor support has passed for these Operating systems.

9. Rising the Standard for Managing Identities and Access
Federated Authentication, Single Sign-On and Adaptive Multi-Factor will become standard, if not required, practices in 2020.

2020 will see organisations continuing their adoption of hybrid and multi-cloud infrastructures and a ‘cloud-first’ attitude for applications. This creates the challenge of managing the expanding bundle of associated identities and credentials across the organisation.

Identities and associated credentials are the key attack vector in a data breach - they are ‘keys to the kingdom’. Without sufficient controls, especially for those with privileged rights, it is becoming increasingly difficult for organisations to securely manage identities and mitigate the risk of a data breach. Capabilities such as Federation Authentication, Single Sign-On and Adaptive Multi-Factor address the challenge of balance between security and usability, and we see this becoming standard, if not required, practice in 2020.

10. Extortion Phishing on the Rise 
Taboo lures enhanced phishing and social engineering techniques will prey on user privacy.

We are seeing an increase in a form of phishing that would have a recipient believe their potentially embarrassing web browsing and private activity has been observed with spyware and will be made public unless a large ransom is paid.

Since their widespread emergence last year, the techniques used by these extortionists to evade filters continue to develop. Simple text-only emails from single addresses now come from ‘burnable’ single-use domains. Glyphs from the Cyrillic, Greek, Armenian and extended Latin alphabets are being used to substitute letters in the email to bypass keyword filters and Bitcoin wallets are rotated often and used to associate a recipient with a payment.

The psychological tricks used in the wording of these emails will develop and likely aid their continued success.

11. Passwords become a Thing of the Past 
We will see increasing adoption of end-to-end password-less access, especially in scenarios where Privileged Access Management (PAM) is required.

Next year we will see a move from old-fashioned password management practices to password-less technologies. The increasing number of cases where privileged credentials and passwords are required, but are painful to manage in secure and cost effective, way will drive this shift. Passwords are easy to forget and the increasing complexity requirements placed upon users increases the chances of passwords having to be written down – which is self-defeating. Biometric technologies and ephemeral certificates will provide a more secure and user-friendly way to manage credentials and ensure assets and data are kept secure.

12. Ransomware not so Random
As more organisations employ negotiators to work with threat actors, ransomware is likely to decrease next year.

In 2019, we observed a shift in the way certain ransomware ransom notes were constructed. Traditionally, ransomware notes are generic template text informing the victim that their files are encrypted and that they must pay a set amount of Bitcoin in order to have their files unencrypted.

When threat actors successfully deploy ransomware network-wide and achieve other deployment objectives, they inform their victims their files are encrypted. Crucially, however, they do not reveal the price they demand for their decryption. Instead, threat actors seek to open a dialogue with the victim to discuss a price. This change has seen organisations employ negotiators to work with threat actors on managing and, hopefully, reducing the demand and we expect this to continue in 2020.