It was our third CISO roundtable, hosted at a local vineyard, and the conversation was as lively as ever. I’m not sure if it was the wine tasting, the food or the experience of the CISOs in attendance, but this event was a lively discussion focused on “Building a Defendable Enterprise with Continuous Monitoring”. The excitement and passion coming back from our attendees was nothing short of encouraging, and it showed how seriously these leaders in our field take their role in defending their organizations. It was once again a privilege to be in the midst of these leaders, learning from their wisdom and experience in the field. This blog is written as a recap of a few of the highlighted discussion points from the evening.
The question of where to start when creating a layered defense was raised to the group, and there were mixed responses. We all know that a layered defense is needed; there’s nothing new about that, but where to begin was the real debate. The consensus of the group was to first understand the organization’s risks, its critical data and whether any regulations had to be met. When asked how to balance policy and procedure with technical enforcement, the conversation pivoted towards getting better buy-in from the board and building risk registers to develop roadmaps for risk reduction. There was general agreement that risk needs to be proactively tracked and assigned an owner to bring maturity to a security program. This doesn’t mean every risk has to be remediated, but it does have to be identified and classified to start the process of either acceptance or remediation.
In discussing ways to reduce white noise and alert fatigue from security tools, I asked the question, “Is SIEM still needed today, or is it dead?” It was interesting to see how the responses varied by industry and how each attendee prioritized the question. Depending on budget, we’ve seen that organizations are making more use of behavioral technology and growing into SIEMs as maturity or compliance dictates. Some of the large organizations in attendance were adamant that there is still a use for SIEM, but that tuning and white noise in the organization remain a concern. The conversation then moved to ways of reducing alert fatigue, and automation and orchestration tools were areas they were looking into, if not already using, to create quicker response and reduce white noise for their operations teams.
It was also interesting to hear how these leaders were dealing with 3rd and 4th party vendors being added to their organizations. The risk from 3rd party vendors is still one of the largest risks to any data and security program, but it now goes even deeper. The focus has shifted heavily to 4th party vendors, meaning the vendors your 3rd parties are themselves using. Tools that rely solely on OSINT for these reviews were seen as heavily subjective, and many of the attendees didn’t trust them for an accurate assessment. A more dedicated review of each vendor being brought into the organization was recommended, although the extra work also caused implementation delays. Working through the vendor supply chain was an area under constant review.
We ended the night with a poll of how many people were in favor of “Active Defense” techniques that lean toward an offensive capability. This is a polarizing topic that began with the Active Cyber Defense Bill, commonly called “Hacking Back”. It is an area that needs extreme refinement, and the opinions ranged from “it will never happen” to “it needs better clarity before we’d even consider looking at it seriously”, which was the most common response. We like to end the night on a thought-provoking topic, and we did so by suggesting frameworks, legal guidelines and beaconing technology to assist with attribution, not hacking back. This is new ground for the infosec community, and we left the night with some fresh ideas and opinions.
With another successful CISO roundtable under our belts, we’re extremely excited to prep for the next one. Each time we hold these roundtables we learn so much from each other about how the industry is moving towards deterring attacks and reducing risk. We look forward to continually learning and sharing our experiences with the community.
Ransomware Protection Checklist
Ransomware attacks are increasing, but they’re not unstoppable. There is no single layer or control that can be implemented to protect you completely. A layered approach and a return to basics is the best method for defending against an attack. Download this checklist as a starting point for protecting your organization from the preventable threat of ransomware.
Author Bio: Matthew Pascucci is a Security Architect, Privacy Advocate and Security Blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cyber security for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email firstname.lastname@example.org