[01-19-23] Join us tomorrow for “Hacking Automated Security”

CISO Series

Super Cyber Fridays!

Join us TOMORROW, Friday [01-20-23], for "Hacking Automated Security"

Hacking Automated Security

Join us tomorrow, Friday, January 20, 2023, for "Hacking Automated Security: An hour of critical thinking of how intelligent automation can achieve more without doing more."

It all begins at 1 PM ET/10 AM PT on Friday, January 20, 2023 with guests Brian Vecci, field CTO, Varonis and Ken Collins, sr. director, information security, Sunbelt Rentals, Inc. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Varonis

Defense in Depth

Securing Unmanaged Assets

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, producer of CISO Series, and Steve Zalewski. Our sponsored guest is Huxley Barbee, security evangelist, runZero. Here are some of the issues we discussed on the topic of unknown and therefore unmanaged assets. Please jump in with your thoughts on any and all.

The definition of an unknown and unmanaged asset has grown. We’re all in agreement with the “you can’t secure what you don’t know” philosophy of asset discovery. It’s right up there at the top of the CIS controls as to what you should do first. Problem is we’re discovering more and more in categories we didn’t previously consider. "I would estimate that about 20% of incidents in my experience go through the ‘who the hell owns this’ gauntlet," said Duane Gran of Converge Technology Solutions.

Finding everything doesn’t mean you have to protect everything. But you do have to start with discovery. There’s no way to conduct asset discovery of “just” the really important stuff. That’s a decision you make after you do your asset discovery. At that point you make your decisions. As Ezra Ortiz of Peraton said, "You can't defend everything, but you better defend 100% of what is critical." Malcolm Harkins of Epiphany Systems notes that it’s often not the assets themselves, but the relations they have with your other systems that may create an attack path that you want to avoid.

After discovery, be procedural about how you’re managing newly discovered assets. CISOs Yassir Abousselham of UiPath and Edward Contreras of Frost Bank are very mechanical about how they go about dealing with the issue of unmanaged assets. Their suggestions include assigning an owner to an asset, scanning for vulnerabilities, updating CMDB, and working with procurement to enforce policy rejecting cloud/SaaS expenses running through personal or corporate credit cards.

When you don’t know your assets, you can’t target your security controls. “Lack of asset understanding to me is the difference between being forced into a zone-based defensive model and being able to use more precision asset-to-asset defensive approaches," said Anthony M. of Air Products.

You can listen to this week’s episode over on our blog where you can read the full transcript. If you aren’t already subscribed to Defense in Depth on your favorite podcast app, please go ahead and do that right now.

Thanks to our podcast sponsor, runZero

Next Monday! CISO Series Meetup (for DC listeners and cyberpeeps!)

Hey DC/Virginia/Maryland cyberpeeps and fans of CISO Series, our founder David Spark is coming to the area next week and is hosting an in-person meetup on Monday night (1-23-23). Please circulate widely, and we hope to see you there. It's very close to the Metro.

More information here.

 Cyber Security Headlines - Week in Review 

Join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be George Finney, CISO, Southern Methodist University.

Thanks to this week's headlines sponsor, Cerby

Cyber chatter from around the web...

Jump in on these conversations  

"What's the best online cybersecurity course you've taken?"

"Anyone with an Internet connection can get into cybersecurity with nothing but a laptop"

Coming Up On Super Cyber Friday...

Coming up in the weeks ahead we have:

  • [01-20-23] Hacking Automated Security

  • [01-27-23] Hacking Cloud Forensics

  • [02-03-23] Hacking People and Process

  • [02-10-23] Hacking Your Security Program 

  • [02-17-23] NO SHOW

  • [02-24-23] Hacking Vulnerability Remediation

and register for them all now!

Thank you!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.