AcoraCast

CISO New Year's Resolutions 2022

To help you be better prepared for the year ahead, Acora has collated a new year's resolutions list that that #cybersecurity professionals should consider adopting in 2022.  

Tune in as we explore planning a 12-18 month cyber security strategy, supply chain challenges, issues with poor cloud configurations, leveraging breach attack simulations, and why security controls are vital in today’s threat landscape. 

Interested in finding out more about Acora? Visit our website here.  

Acora is a progressive technology services provider that is leading the industry with its Experience-Led Approach™. Its mission is to unleash people's potential through outstanding IT experiences, striking the right balance between frictionless user experience and best-in-class security. Acora continually invests in the right people, processes, and platforms that enable businesses to excel and reach their full potential.

Discover all of our IT and Cyber Security services here: Our Services - Acora

Hello, and welcome to Secrutiny's 2022 new year's resolutions podcast. I am delighted to introduce our Secrutiny panellists, who will be sharing their CISO resolutions in the world of cyber security. Phil Davies, chief technology officer and John Winchester, director of product development and operations. So without further ado, please take it away Phil.

Thank you, Rachael. It's great to be here. I guess we were talking in the office about what it would mean for CISOs, who are having to consider what their new year's resolutions would be. And it'd be a good talking point to discuss what we might choose if we were in their shoes. 

I guess in the context of so many changes in the threat landscape now, it's increasingly difficult to work out what you would do. But you know, in the spirit of wanting to help people and to understand the challenges that people face, I kind of thought that there might be some predictions that we would consider in the context of these news resolutions.

So the first one I thought about was that increasingly we're seeing more mega-breaches happening with significant cloud organizations that we rely upon. The WhatsApps, the Facebooks, and the public cloud. We've seen more this year than ever before.

And I think that's going to continue and people need to have prepared for that and then consider that. I see that we're going to see more supply chain issues. So what I mean by that is that there are more breaches of pieces of software making use of connections that suppliers have into our organizations that there's potential for browser, password management leakages, again, that are an immediate problem should they occur. 

People put so much faith in them and it gives access to some significantly sensitive assets in our organizations sometimes. People who are in a rush to the cloud have still gotten these configured cloud tenants, cloud accounts, running that that more organizations are going to struggle with finding somebody else has joined and started using.

That cloud account without being authorized. So, on that basis, having worked with a number of organizations over the past, when I'm thinking about planning, budgets and strategy, there is always a challenge that this comes up almost without notice.

It seems to creep up on you in your annual planning site. The time to work out what you're going to be doing over the next 24 months can really creep up on you. And I think what we end up doing is as chief information security officer relies upon the tried and tested methods of selecting suppliers that feel like they have.

Some specific way of treating some significant gaps that we've got in our security control plane and to sort of take that on faith and to go through the procurement process subsequently implement the solution and then find that, it is significantly behind where we expected it to be in terms of its functional capability or its non-functional capable.

So, I guess what this means in my head is that we need to change this model. We need to change this approach. And instead of waiting for those decisions to have been made and for planning those decisions in, with the specific vendors in advance and then implementing the solution and then working it out.

I think we need to bring that forward. So, my new year's resolution would be that for everything that's on my current roadmap, I would want to see that there was some provable risk reduction for each of those solutions and that we integrate that into the decision-making capability.

And that's ultimately what determines what the budget needs to be. I think if we achieve that, we'll be able to have a testable provable security control environment where less money is wasted and less time is wasted on solutions that can't prove upfront, that they can do what they say they do on the tin.

Thanks, Phil, for your thoughts there. Hi everyone. I'm John Winchester, director of product development and operations at Secrutiny. And I'd like to talk about my new year's resolution for CISOs, which can help to aluminate the very security controls that Phil was just talking about, which may not be working or that are not configured properly in your organization.

My new year's resolution, therefore, is to leverage attack simulations, to highlight risks, particularly to identify impact lateral movement exposure and ransomware attack susceptibility. 

So, what is an attack simulation? Well, I'm glad you asked that Phil it might be better for us to start thinking of what a security control is. And by that, I'll explain that it's anything that limits the ability that a threat actor has to accomplish their goal or even for a legitimate user to do something that they shouldn't. And these controls can be devices or software such as firewalls or anti-malware solutions.

And indeed, they can also be policies and processes such as change management or acceptable use policies. And it's important to emphasize that both are critical to ensuring everything remains safe in an organization. And that has an important impact. And the fact is that these controls tend to be complex because you must be able to marry up both the technical security controls with your policies and processes. 

So those things need to be very well aligned. And anyone can tell you that they stared at a 500-rule firewall policy, but that complexity in these things is, you know, it's rife. It's very, very difficult. And that means that mistakes can happen. We are after all only human. 

Breach attack simulation can help provide an assurance that you know the controls you've put in place are effective and working properly. So effectively it's marking your homework. And so breach attack simulation is a set of safe tooling that measures your control efficacy.

And it doesn't concern itself with what controls are in place or how they are configured. There's no need to pre-populate an attack simulation tool with that data. But and it only really cares about what it can achieve once it's landed within your environment.

And it uses the very techniques tactics and procedures that attackers use. Typically, what we do is install an agent onto a standard build. It's important that it's aligned with the corporate build because that is after all that's in place within the organization.

And that's likely to be what gets attacked or subjected to attack. And the agent talks back to a software-based management system in the cloud that defines the types of attacks to simulate. So you could simulate email attacks, phishing attacks, ransomware attacks lateral movements, tax, and that sort of thing.

And so there's this quite extensive library of simulations that can be put together and run within an organization. And the important thing here is that it uses those techniques that an attacker would likely use, and then attack again. It, it's also important to point out that it doesn't run any malicious code.

So, it won't land malware in your environment. It won't change permissions on files. It won't do anything it shouldn't do so it's just running the techniques and exploring which techniques can be successfully leveraged versus those that can't. And, what you get at the end of it is a report that says what was achieved.

The report can be aligned with MITRE attack TTP, tactics, techniques, and procedures. And that's a fairly standard approach to providing an organization with feedback. But it will highlight where controls are not working properly or where an organization has a gap in its defences.

And, and importantly, you know it's very good at showing where organizations have left the basic principles of cybersecurity, perhaps. An unexplored preference for trying to adopt you know, expensive technology solutions that, you know, ultimately are only as good as the foundation that they're built on.

So, I guess the clever part about that if I'm thinking that through then is if the security landscape changes and you can continue to update. The techniques that you're using to take account of that and all your IT environment changes because everyone's environment seems to change or people's business priorities seem to change.

It can still give you a useful measure than can it? 

Absolutely, yes. 

The techniques are, as you rightly point out, constantly evolving and changing. And you know, the library that I referred to earlier is consistently updated with the latest trends, samples and techniques that are used by these attackers. You can at least stay with the curve. 

You're probably never going to get ahead of a cybersecurity curve, but you can at least stay with it and keep up with, keep up with those changes as and when they happen. So in stimulation, that's to say, is there some advantage in not just testing the technology controls, but also how your people respond to it.

I think all simulations should include an element of assessing and measuring the effectiveness of your response to an attack and all organizations if they're not using a tool to perform the attack simulation should be encouraged to perform desktop simulations where they perform a walkthrough.

So, something's just happened. What are we going to do? What's the right next steps? Who do we inform? Have we done our impact assessment to assess the scope of the breach of the attack? And have we informed all the relevant stakeholders? If there's a breach, do we need to inform the ICO?

And that's the thing, there's a huge amount of value in organizations performing those desktop exercises. I think that's handy because what I've found without going into too much detail is that organizations, in any sort of business vertical, don't often spend a lot of time.

Getting all the way through to the recovery section of an incident and decision-making that they would need to effectively determine when the right time was to recover and housing. That should go about it, I guess, increasingly when people are uncovering the stones for the first time, often in a real event, they're discovering things that You know that they might have better found out through one of these tests.

So perhaps not everything that they are expecting to get backed up did successfully get backed up, and that they haven't tested some of the recoveries. Well, all how they would decide of whether that attack is now out of the network, confidently because there's very little point in trying to stall the recovery if the attacker is still present on the network. 

I think all of those things point to if you're starting to consider adopting those steps, those things are all point to a level of cyber maturity. And as you progress along the cyber maturity journey, you know more and more of those things will become second nature to your organization.

We talk a lot about muscle memory and this sort of rehearsal of these often quite harrowing incidents. If you can get to the point where that has become more or less a business as the usual set of decisions. It's going to be less frightening, not to say that there'll be no worry or no stress in such an incident.

But because you've practised some of the tasks, it's going to feel slightly less frightening than it would have done. And that muscle memory that you've built up, by repeating those steps should mean that you're making those decisions more quickly and executing those decisions more quickly.

In a clearly with ransomware. The speed with which you execute. Those decisions are critical in terms of what that final impact is likely to account for. 

Well, it’s been great to hear from each of you. I think we can all agree. Some very interesting points have been raised. So, thank you both for providing your input and on behalf of everyone at security, we hope you have a great end to the year and carry some of these resolutions with you into 2022.