[04-18-24]--Managing Data Leaks Outside Your Perimeter

Capture the CISO!
Capture the CISO! Season 2 Episode 1 Out Now!

Capture the CISO Season 2 is back! Listen to the first episode, available now, and see the contestants' videos!

Defense in Depth
Managing Data Leaks Outside Your Perimeter

It's one thing to protect your data within your four walls. But when data leaks increasingly come from third parties, what can you do to protect your organization?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is our sponsored guest, Mackenzie Jackson, developer advocate, GitGuardian.

Understanding the scope of the issue

Security teams can often feel at odds with developers, characterizing them as “not caring” about security. But this ignores systemic issues across the entire development process. "We need to make it really easy for software development teams to do the 'right' thing, and very hard to do the 'wrong' thing. That's on the Security community - not on developers. This is a human-centric issue and therefore a culture issue," said Dutch Schwartz of Amazon Web Services. Creating a native security culture within software development can lead to a virtuous cycle, with Ian Poynter of Kalahari Security noting, "When the software development culture in your organization becomes security aware, security will become second nature for all software teams."

A lack of oversight leads to leaks

Secret sprawl directly leads to data leaks. When an organization doesn't even have oversight of what secrets it holds, the cat is out of the bag. "One of the main reasons secrets are exposed is the lack of proper management and protection. R&D teams are the ones responsible for creating and storing secrets, but they are not the ones who are responsible for securing them," said Mark Fireman of Entro Security. This is compounded when you're dealing with credentials for third parties. Erik Bloch of Atlassian noted that he's seen far more compromises through third-party credentials, saying, "If you have a reasonable SSO/MFA platform set up, but yet let third parties access your SaaS or other applications without requiring them to use at least MFA, it's a prescription to get owned."

Tooling can complement process changes

Secrets exposed in published code remain an issue. Scanning tools provide an immediate bandage to quickly find and remove these instances, but they should be paired with a wider process shift. "The key is to improve better coding practices and processes to force regular secret rotation or expiration that would leave secrets useless even if found in code or repositories," said Mauricio Ortiz of Merck. Getting visibility into secrets sprawl requires organizations to have context on how secrets were created and where they are being used. Randall Hettinger of Permiso Security advised, "Companies should prioritize developing more visibility into how their secrets are being used. Who has provisioned them, who has access to them, and where are they being shared?"
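As an added illustration of the tooling-plus-process point (this is not code from the episode or from GitGuardian), the Python sketch below flags string literals that look like hardcoded secrets in a few constructed source lines and checks each one against a hypothetical secrets inventory keyed by hash, so a finding comes back as unknown (nobody provisioned it), expired (rotation overdue) or ok. All names, values and dates are made up.

```python
import hashlib
import math
import re
from datetime import date

# A string literal of 8+ chars assigned to a name; YAML-style "key: value" also matches.
ASSIGNMENT = re.compile(r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["\'](?P<value>[^"\']{8,})["\']')
SECRET_NAME = re.compile(r"secret|password|passwd|token|api_?key|access_?key", re.I)
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9+/=_\-]{32,}$")  # no spaces, so prose never qualifies

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, words and prose lower."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def fingerprint(value: str) -> str:
    """The inventory is keyed by hash, so it never holds a live secret itself."""
    return hashlib.sha256(value.encode()).hexdigest()

def find_candidates(lines):
    """Yield (line_no, name, value) for literals that look like hardcoded secrets."""
    for no, line in enumerate(lines, 1):
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if SECRET_NAME.search(name) or (TOKEN_LIKE.match(value) and shannon_entropy(value) > 4.0):
            yield no, name, value

def triage(lines, inventory, today):
    """Classify each candidate: unknown (no record, so no oversight), expired, or ok."""
    findings = []
    for no, name, value in find_candidates(lines):
        record = inventory.get(fingerprint(value))
        status = "unknown" if record is None else "expired" if record["expires"] < today else "ok"
        findings.append({"line": no, "name": name, "status": status,
                         "owner": record["owner"] if record else None})
    return findings
# Constructed sample source lines and inventory; every value below is made up.
SAMPLE_LINES = [
    'DB_PASSWORD = "hunter2hunter2"',
    'API_TOKEN = "tok_constructed_0123456789abcdef"',
    'blob = "Zq8xL2mVb7Kp3Ns9Tw4Yc6Rd1Fg5HjAeUoIiMk"',
    'greeting = "hello world, this is not a secret"',
]
INVENTORY = {
    fingerprint("hunter2hunter2"): {"owner": "db-team", "expires": date(2024, 1, 31)},
    fingerprint("tok_constructed_0123456789abcdef"): {"owner": "payments", "expires": date(2025, 1, 31)},
}
TODAY = date(2024, 4, 18)  # reference day for the expiry check
```

Running `triage(SAMPLE_LINES, INVENTORY, TODAY)` reports the password as expired, the API token as ok and the high-entropy blob as unknown, while the prose string is never flagged.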

The horse is out of the barn

Preventing leaked secrets remains a goal, but a security posture should assume they are already out the door. Amit Arora of Amazon Web Services recommended this approach and pointed to it as an industry opportunity, "Any activities happening in your environment, things that normally an attacker does, can be monitored to guess backwards if a secret is stolen. Signals around stolen secrets can go to a centralized bucket from where enterprises can subscribe and continuously monitor every activity. Instead of protecting the key, protect the kingdom."

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, GitGuardian

Live!
CISO Series Game Show LIVE in San Francisco (05-07-24)

All your favorite games from Super Cyber Friday, brought to the stage for one special afternoon during the week of RSA 2024 in San Francisco. CISO Series will be hosting this event, and David Spark will be the emcee. We'll have lunch (while it lasts), a bunch of really fun cyber games, and prizes.

EVENT: CISO Series' Super Cyber Game Show Friday (TUESDAY EDITION)

WHERE: W Hotel, 181 3rd St, San Francisco, CA 94103 (2nd Floor)

WHEN: Tuesday, May 7th, 2024 from 12:30pm-1:30pm PT (come early for lunch!)

HUGE thanks to our sponsor and host, Veracode

Super Cyber Fridays!
Join Us 04-26-24 for “Hacking Your Cybersecurity Career” – Super Cyber Friday

Hacking Your Cybersecurity Career

Please join us on Friday April 26, 2024 for Super Cyber Friday.

Our topic of discussion will be “Hacking Your Cybersecurity Career: an hour of critical thinking about how to level up your professional development.”

Joining David Spark, producer of CISO Series, for this discussion will be:

  • Jesse Whaley, CISO, Amtrak

  • Jerich Beason, CISO, WM

It all begins at 1 PM ET/10 AM PT on Friday April 26, 2024. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face to face.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Dan Walsh, CISO, Paxos.

Thanks to our Cyber Security Headlines sponsor, Conveyor

Cyber chatter from around the web...
Jump in on these conversations

"Question for the younger folks in the 'biz, about motivation" (More here)

"Hey recruiters, what are the answers you wish to hear when you’re interviewing for a junior role?" (More here)

"How can I learn to schmooze? I've been told my communication style is too direct, cold, and rough around the edges." (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [04-19-24] NO SHOW

  • [04-26-24] Hacking Your Cybersecurity Career

  • [05-03-24] Hacking the Value of GRC

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.