- 09-03-20 - We're Ready to Red Team Our House of Straw
We're Ready to Red Team Our House of Straw
This week's episode of Defense in Depth, "When Red Teams Breakdown", is hosted by me, David Spark, producer of CISO Series, and Allan Alford. Our sponsored guest is Dan DeCloss, founder and CEO, PlexTrac. All three of us discussed:
Don't make the mistake of red teaming too early. If you don't have your fundamental security program in place, you'll be testing non-existent defenses.
If you're just starting to build up your security program, conduct a vulnerability scan and do some basic patch management.
A red team exercise exists to discover risks you didn't even know about and couldn't have predicted in your threat model exercises.
Have a plan of what you're going to do after the red team exercise. Just discovering you've got problems with no plan to remediate them will not only be a waste of money, but will also breed discontent.
Don't red team just to fill out an audit report. You can do a vulnerability scan for that.
Consider moving the red team to purple to actually help the blue team remediate the findings.
If you don't have a plan for remediation, you'll find yourself running the same red team and filling out the same report.
Prioritize! The red (now purple) team can greatly help along with those who've assessed business risks.
First to remediate are the ones that are high impact and easy to execute. The rest is determined by an analysis of likelihood and impact.
Special thanks to this week's podcast sponsor, PlexTrac.
PlexTrac is a revolutionary, yet simple, cybersecurity platform that centralizes all security assessments, penetration test reports, audit findings, and vulnerabilities into a single location. PlexTrac vastly improves the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize important analytics, and collaborate on remediation in real-time.
Cyber Security Headlines
This week's sponsor of Cyber Security Headlines is Trusona.
Next Friday [9-11-20] We're Hacking the Human
We're taking this upcoming Friday off for the Labor Day weekend, but we're back the following Friday, September 11th, 2020 at 10 AM Pacific/1 PM Eastern for “Hacking the Human: An hour of critical thinking on the additional benefits of securing people”.
I'll be leading this discussion with Robert O’Brien, CEO, MetaCompliance and Shawn Bowen, CISO, Restaurant Brands International.
Plus, immediately after the video chat (11:00 AM PT/2:00 PM ET) we'll roll over to the CISO Series Friday Meetup. Each participant will be randomly matched up in impromptu 1-on-1 five-minute conversations with fellow cybersecurity professionals. The link to do that will be made available during the video chat.
Thanks to our sponsor MetaCompliance.
CISO Series Video Chat Highlights
Best Moments from Hacking Cyber Diversity
Here are seven minutes of the best moments from “Hacking Cyber Diversity: An hour of critical thinking on hiring diverse staff and using that to improve security and your competitive advantage”.
Joining me in this discussion were:
Jules Okafor, CEO and founder, RevolutionCyber
Christina Morillo, security engineering, Microsoft and chapter lead for Women in Security and Privacy (WISP)