[01-18-24]--Join us tomorrow for “Hacking Security Audits”

Super Cyber Fridays!

Hacking Security Audits

Join us Friday, January 19, 2024, for “Hacking Security Audits: An hour of critical thinking on how to improve this vital process.”

It all begins at 1 PM ET/10 AM PT on Friday, January 19, 2024, with guests Leith Khanafseh, managing director, assurance & compliance products, Thoropass, and Rose Songer, director, IT and compliance, Spring Health. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Thoropass


Defense in Depth
Use Red Teaming To Build, Not Validate, Your Security Program


When did we all agree that red teaming was about validating security? Increasingly, red teaming seems to be a catch-all term for a lot of testing that isn't clearly defined, and as a result it's hard to see its value. Or it's done purely for compliance reasons, with no intention of improving defenses. In this episode we examine the value of moving red teaming upstream: testing your infrastructure as-is rather than building out your program first to validate that it's "ready." If you test earlier, you'll know earlier what you need to build out in your security program.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Richard Ford, CTO, Praetorian. Here’s what we discussed:

Red teaming isn’t about being ready

Doing red team testing against fixed defenses can give a sense of finality and assurance, but provides much less flexibility than doing it early and often. "There should be security assurance exercises through the project lifecycle. Red teaming should be very open scope, goal driven and conducted periodically, not just when you feel ready for it," said Luke Jennings of Push Security. For Jonathan Waldrop, CISO at the Weather Company, this is less about calling it red teaming, and more about a desired outcome, saying, "A threat-modeling approach allows teams to look at a variety of potential problems, and helps you consider all of the ways vulnerabilities can be exploited."

Structural issues can prevent effective red teaming

If your organization only wants to see passing grades on its red team testing, that can be an impediment to actually improving your security posture. "Only when the organizational culture becomes one of learning, rather than punishment, will we have the buy-in necessary to be iterative with our red-teaming," said Dave Kelly of SensCy. While effective red teaming can help individual projects or infrastructure, its biggest benefit might be to how your organization views cybersecurity. "The biggest benefit from legitimately good red teams is what it adds to the security culture of the company," said Kane N. of Canva.

Red teaming still needs context

While early red teaming shows clear benefits, organizations should realize that they still need the context of real infrastructure to fully realize them. "You can't red team infrastructure that isn't yet built. If you're not deployed, it's just validation of the build stage, which folks can and should be doing today," said Merritt Baer, field CISO at Lacework. But much of this doesn't matter if we can't agree on what we're talking about. "We need more alignment on how the industry defines red teaming, whether as threat emulation, penetration testing, or a combination thereof. Then we can have a better conversation on where it makes sense to shift those resources," said Ryan Franklin of Amazon.

A balancing act

As with everything in cybersecurity, red teaming needs to be one part of your solution, balanced against the other tools and resources available. "As with any testing, moving 'left' is something to be considered. But it has to be balanced with resources and stability. Most organizations don't have enough red team resources that can be dedicated to early testing," cautioned Tim Chase, global field CISO at Lacework. Red teaming shouldn't live in a bubble outside of your other tooling. "You need a combination of breach and attack simulation tools that can run automated tests for widely used TTPs and a red team for complex attacks requiring a human brain," said Ramki Balakrishnan of BNY Mellon.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, Praetorian


LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short, 20-minute discussion of the week's cyber news. Our guest will be Jerich Beason, CISO, WM.

Thanks to our Cyber Security Headlines sponsor, Savvy Security


Protecting Health Information From Nation-State Actors


Collective defense within industries has become increasingly common. Part of it relies on sharing threat information with other organizations. But Adam Zoller, CISO, Providence Health, makes the case that organizations need more help from the federal government, while at the same time prioritizing the protection of private health data. This could be done by improving the clarity of regulatory requirements and bringing them up to par with the protections around financial data.

Thanks to our sponsor, Claroty


Cyber chatter from around the web...
Jump in on these conversations

"Any other cybersec people refuse 'smart tech' because of the constant breaches?"

"Risk Compliance and Controls in IT"

"1.5yr after graduating college and can't land a job in the IT field"

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [01-19-24] Hacking Security Audits

  • [01-25-24] Super Cyber Game Show Friday

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, "What's Worse?!" scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.