James Nelson, VP of Infosec, Illumio
How has COVID-19 changed cybersecurity? Why is cyber resilience especially important now? What are the most important steps to ensure cyber-resiliency? How do you talk to business leaders about investing in cybersecurity to boost resiliency?
The best way for organizations to keep their ‘crown jewels’ secure is adopting a Zero Trust mindset. Organizations need to take advantage of adaptive security infrastructure that can scale to meet current and future organizational needs, and take steps to ensure even third-party hosted data is policy compliant.
Most CISOs don’t talk to the board all the time so they don’t understand that’s the conversation they want to have. By making sure that the security team’s spokesperson has an intelligent plan that shows how wrong things could go. Showing how money is directly connected to mitigating the risks is vital to getting the funding needed, and showing why an increase in spend coordinates with decrease of risk.
Cyber-Resilence-
https://en.wikipedia.org/wiki/Cyber_resilience
https://en.wikipedia.org/wiki/Business_continuity_planning#Resilience
https://www.darkreading.com/cloud/cyber-resiliency-cloud-and-the-evolving-role-of-the-firewall/a/d-id/1337206
Doug Barth and Evan Gilman - https://brakeingsecurity.com/2017-017-zero_trust_networking_with_doug_barth
part1 with Masha Sedova: https://traffic.libsyn.com/secure/brakeingsecurity/Masha_sedova-elevate_security-profiled-education-phishing-part1.mp3
Part2: https://traffic.libsyn.com/secure/brakeingsecurity/2020-019-masha_sedova-privacy-human_behavior-phishing-customized_training.mp3
https://www.helpnetsecurity.com/2017/08/24/assume-breach-world/
Key concepts:
Visibility into your environment
Controls necessary to repel attackers
Architecture of the network to create chokepoints (east/west, north/south isolation)
Threat modeling and regular threat assessment
Mechanisms to allow for rapid response
How long will current security controls hold a determined attacker at bay?
Business-wide Risk Management response can often determine resiliency in a Crisis/Breach situation.
Cyber-Resilence Framework (per NIST https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final)
What does “cyber resiliency” mean in the to the organization? To the department? To the individual? and what of the mission or business process the system is intended to support?
Which cyber resiliency objectives are most important to a given stakeholder?
To what degree can each cyber resiliency objective be achieved?
How quickly and cost-effectively can each cyber resiliency objective be achieved?
With what degree of confidence or trust can each cyber resiliency objective be achieved?
(What do we as security people do to ensure that all of these are properly answered? --brbr)
Architecture of systems:
Depending on the age of our information systems and technology stacks, cruft builds up or one-off systems are setup and forgotten.
We (infosec industry) talk about shifting security left in a DevOps environment to ensure security gets put in, but should we do as an organization when we think about adding systems in terms of cyber-resilience? (It would seem that resilience may also be tied to the security or functionality in a piece of hardware and software. Proper understanding of all the systems capabilities/settings/options would be essential for drafting responses --brbr)
Some related and tangential suggestions for ideas/comments/themes/topics in case you feel like any fit into the conversation:
- Comparison of security to the human immune system.
- Does resilience (i.e., assume breach) imply there are failures you can recover from, yet other, existential risks you need to avoid? And what does that mean in practice?
- How do you define “most valuable assets”? Value vs. obligations vs. ...?
- Does a compliance mindset help or hinder resilience, and vice versa?
- Referring back to a prior show, how does the human element contribute to resilience?
- NIST doc makes a point that resilience only has meaning when it works across a system, how does this idea impact the cost of entry? And is there a tipping point for resilience?
- Another point made is that speed should be viewed as an advantage. Is there an application of the OODA loop concept to resilience, then?
- Cyber resilience resonates in other areas: Pandemics, natural disasters, and geo-political stressors. Could impact supply chain workforce effectiveness, other areas. Ransomware (which is cyber, but has other, knock-on effects).
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!:https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Download here!