Shawn Anderson's Cyber Blog

Cloud, Assurance, Forensics, Engineering

ZTA, Secure by Design, Platform, Best of Suite, what does all this mean???

Boom… A little over a month ago, I published a blog around best of breed vs. best integrated vs. best of luck. Other related topics that CISOs, CTOs, and other C-Suite executives often discuss include Zero Trust Architecture (ZTA), Secure by Design, Best of Suite, and platform. Many CISOs and CIOs have strong opinions on these topics. Some feel ZTA is a bogus strategy and impossible to achieve, while others are committed to achieving it. Secure by Design is a dream many of us in the industry have had for decades. This blog will dive deeper into each of these topics, highlight companies in each area, and provide some talking points/benefits for each.

Defining Zero Trust Architecture (ZTA)

On the surface, Zero Trust Architecture is exactly what it sounds like: trust nothing without verification. This means verifying explicitly and using the principle of least privilege, where entities only have access when needed. Another key aspect is the “assume breach” mentality. While I understand the rationale, I prefer explicit verification over assuming a breach. For example, I know my house is secure because the doors are locked, and my dogs would alert me to any intruders. Similarly, a well-architected and monitored network should achieve the same level of security. Zero Trust is a continuous journey rather than a final destination.

Understanding Secure by Design

Secure by Design emphasizes integrating security into every layer of a system from the outset. As a CTO or CISO, fostering a culture of security by design is crucial. This approach includes principles like least privilege, assume breach, and defense in depth. Think of it like a car equipped with safety features such as airbags, seatbelts, and sensors. Similarly, your network should be designed with multiple layers of security. Achieving Secure by Design involves threat modeling, secure coding practices, and regular security training. Companies helping organizations with this are Microsoft, Google, AWS, Cisco, IBM, Palo Alto Networks, and CrowdStrike. CrowdStrike has an interesting take on this as they push for “resilient by design,” which I prefer as a practitioner. Security is always evolving and adversaries have even more resources to use against us. It’s critical to be resilient to achieve any level of success. Secure by Design is good as well, so consider both options when researching this for your own organizations.

Best Integrated vs. Best of Platform

In a previous post, I discussed “best integrated,” which aligns with the concept of “best of platform.” This approach involves selecting a broad set of tools within an extensible framework that supports your goals and security needs. Always choose tools with built-in integration capabilities to ensure seamless operation. Some of the same companies as above are considered highly focused on “best integrated” and walk the line into platform if customers wish to do so. Technology companies that focus on “platform” are Trend Micro, Qualys, Zscaler, Lacework, and Tenable. These companies focus on cloud-native solutions, compliance, advanced threat protection, insurance, and management solutions, which all taken together help customers build a “best platform”.

Best of Suite

The best of suite approach involves selecting a comprehensive suite of security tools from a single vendor. Having worked at an investment bank for the past three years, I’ve seen a trend towards security consolidation. The managed services space is also growing as more companies outsource their security needs. While the initial cost can be higher, this approach requires careful planning and architecture. It is important to understand there are small differences in each of these. While Microsoft is on many of these lists it is due to the fact you can choose some or all of their capabilities. Google is very similar where you can look at Gartner, 451, or Forrester[1] and they will have both companies highly rated. This is important for “Best of Suite”. Other companies to consider would be Salesforce, Oracle, SAP, Adobe, Workday, and ServiceNow. They have “platforms” around Enterprise resource planning, customer relationship management, IT Service Management, and Operations Management. They can integrate tools across marketing, sales, service, and commerce.

Conclusion

Over the past two blogs, we’ve explored best of breed, best integrated, best of suite, platform, and Secure by Design. Each approach has its complexities, costs, and challenges. It’s essential to consider the data and remember that “culture eats strategy” every day of the week. As a new CIO, CTO, or CISO, gaining buy-in from key stakeholders is crucial. My recommendation is to choose a framework, build your architecture based on existing capabilities, and develop a roadmap for gradual improvement. Change requires time and endurance, but with a strategic approach, you can shift the culture one tool at a time.

In conclusion, take a strategic approach rather than a tactical one to avoid constantly playing “whack-a-mole.” A well-developed architecture will align the C-Suite and help you create a robust security plan. Avoid making decisions based on personal preferences alone, and focus on building a cohesive and secure environment.

If I missed speaking with you at Blackhat, I along with the team at Boston Meridian Partners would be happy to jump on a call to chat about the state of the markets or help you navigate the M&A process. Please reach out to us via our webpage and LinkedIn below.

www.bostonmeridian.com

Boston Meridian LinkedIn Page <- Follow this company!

About the author

Shawn Anderson[2] has an extensive background in cybersecurity, beginning his career while serving in the US Marine Corps. He played a significant role as one of the original agents in the cybercrime unit of the Naval Criminal Investigative Service.

Throughout his career, Mr. Anderson has held various positions, including Security Analyst, Systems Engineer, Director of Security, Security Advisor, and twice as a Chief Information Security Officer (CISO). His CISO roles involved leading security initiatives for a large defense contractor’s intelligence business and an energy company specializing in transporting environmentally friendly materials.

Beyond his professional achievements, he is also recognized for his expertise in the field of cybersecurity. He is a sought-after speaker, writer, and industry expert, providing valuable insights to both C-Suite executives and boards of directors.

Currently, Mr. Anderson serves as the Chief Technology Officer (CTO) for Boston Meridian Partners. In this role, he evaluates emerging technologies, collaborates with major security providers to devise cybersecurity strategies, and delivers technology insights to the private equity and venture capital community.

Overall, Shawn Anderson’s career journey showcases a wealth of experience in cybersecurity and leadership roles, making him a respected and influential figure in the industry.

  1. Gartner, 451 Research, Forrester ↩︎
  2. http://www.linkedin.com/in/shawnanderson ↩︎


Best of Breed, Best integrated, or Best of Luck?

When it comes to implementing technology solutions, C-level executives often face a critical decision: should they opt for a Best of Breed or a Best Integrated Solution? As top decision-makers, their focus is on keeping the company running smoothly, growing the business, and ensuring customer satisfaction. However, they often rely on technical experts to guide them in choosing the right technology, as they don’t always have the time to dive deep into the details.

Why Executives Prefer Strategic Decisions Over Tactical Ones

Executives are naturally risk-averse and prefer to make informed, data-driven decisions quickly. Their time is limited, and they need to keep their focus on high-level strategies. It’s imperative that leadership remains focused on the company’s broader goals, rather than getting bogged down in the minutiae of tactical decisions. As a result, many executives turn to third-party analysis from companies like Gartner, Forrester, or 451 Research to guide their choices. These firms offer insights that can help companies decide whether to go with a Best of Breed approach or a Best Integrated Solution.[1]

What Is the “Best of Breed” Approach?

The Best of Breed approach involves selecting the best individual technology or software for each function, regardless of the vendor. The idea is to optimize performance in each specific area by using specialized tools.

Advantages of Best of Breed:

  • Specialized Functionality: Each solution is tailored to the unique needs of a specific business function, providing superior performance in that area.
  • Flexibility and Customization: Since each solution is chosen for its particular functionality, businesses have the flexibility to tailor and customize tools to their exact requirements.
  • Innovation and Agility: Specialized vendors tend to focus on innovation in their niche, which means businesses often benefit from faster adoption of cutting-edge features.

Disadvantages of Best of Breed:

  • Integration Complexity: Integrating multiple systems from different vendors can be complex, time-consuming, and expensive. It often requires expertise to ensure seamless data flow between systems.
  • Vendor Management: Dealing with multiple vendors increases complexity in terms of licensing, support, and maintenance.
  • Higher Total Cost: While the upfront costs may be attractive, managing multiple solutions can increase the total cost of ownership over time due to maintenance and integration efforts.

What Is the “Best Integrated Solution” Approach?

A Best Integrated Solution involves choosing a single platform or suite of applications from one vendor that covers a wide range of business functions. This approach simplifies the IT environment by minimizing the need for integration between different tools.

Advantages of Best Integrated Solution:

  • Seamless Integration: Since all components are designed to work together, there are fewer compatibility issues, making it easier to manage and implement across the organization.
  • Simplified Vendor Management: With just one vendor, managing licensing, support, and maintenance becomes simpler and more streamlined.
  • Lower Risk of Implementation Failures: With pre-tested compatibility, the risk of technical failures during implementation is reduced.
  • Unified Data Flow: A single platform allows data to flow seamlessly across different business functions, improving data accuracy and reducing silos.

Disadvantages of Best Integrated Solution:

  • Limited Flexibility: While the system may work well overall, it might not be the best fit for every individual business function, leading to compromises in some areas.
  • Vendor Lock-in: Relying on one vendor can lead to dependency, making future changes more difficult and potentially costly.
  • Slower Innovation: Large, integrated systems may evolve more slowly compared to specialized vendors, meaning businesses might miss out on cutting-edge features.
  • High Upfront Costs: The initial investment in an enterprise-wide system can be substantial, both in terms of licensing and the resources needed for implementation.

Which Approach Is Right for Your Business?

Both approaches have clear advantages and disadvantages, and the right choice depends on your organization’s specific needs, resources, and long-term goals. The Best of Breed approach offers flexibility, innovation, and specialized functionality but requires more effort to integrate and manage. On the other hand, a Best Integrated Solution offers simplicity, streamlined processes, and a unified data flow but may sacrifice some level of customization and agility.

Regardless of the path you choose, success lies in careful planning, budgeting, and architectural design. A “spray and pray” approach—where you simply hope things work out without a solid strategy—will almost certainly fail. If you’re unsure about which direction to take, consulting with a systems integrator can help you navigate the complexities and make the best choice for your organization.

In the end, whether you choose Best of Breed or Best Integrated Solution, the key is to align your technology choices with your broader business strategy. After all, the goal is to keep growing the business and keeping customers happy.


  1. www.gartner.com, www.forrester.com, www.451research.com ↩︎

Observations from RSAC2024 – A Security Roadmap for AI

Most of us have fully recovered from our very busy week at this year’s RSA Conference, the massive cybersecurity event that takes place in San Francisco with over 60k of my closest cybersecurity friends. As most of us had already figured would be the topic du jour, there were very few, if any, in attendance who were not talking about GenAI, specifically the impact it is having and will have on our industry and the rest of the world as we know it.

I have written about Artificial Intelligence (AI) in the past and how it’s going to be the integration of GenAI with other solutions that will truly cause significant disruption: GenAI in combination with other technologies such as robotics, medical, oil and gas exploration, retail delivery, the fast food experience, and even tier 1 and 2 security operations center functions. This all sounds really cool and fascinates me with the massive potential GenAI has to impact the world.

Boston Meridian Partners, the company I work at, hosts a reception on Sunday evening each year prior to the conference. We host this meeting for numerous startups and friends from the private equity and venture capital world as well as many C suite executives with interest in cyber security. Our goal the past few years has been to get some top-notch speakers to share their wisdom with the crowd and this year’s speakers did not disappoint.

We had Chris Krebs from SentinelOne, Brian Finch from Pillsbury Winthrop Shaw Pittman LLP, and Kate Kuehn from WTI, who shared key points on regulatory issues (Note: Thankfully we have the EU, who have established many key requirements for the world to follow, as our own US government has been slow to pass any legislation with real teeth). They also spent time talking about risk and the importance of collaboration and coordination. While we discussed many key investor topics around GenAI, it couldn’t have been a better way to set the stage for the RSA Conference and our very full week of over 150 meetings from across the community.[1]

I took away quite a few pointers as I met with startups, CEOs, speakers at numerous events, and in general discussion around a good craft beer or cocktail in the evenings. Here are some takeaways and things to ponder as we push GenAI initiatives in our companies and the industries we support.

  1. As mentioned above, collaboration and coordination are key to success. It might seem like a no-brainer, but many of us are hardheaded and like to “go it alone,” which can be a big mistake. It’s imperative we work closely with industry partners, government agencies, and relevant councils to manage AI-related risks and incidents. Fostering this collaboration will enhance GenAI security across the collective.
  2. Risk – I have spoken on this, written about it, and will shout it from the highest mountain as long as I have air in my lungs: “It’s about the data”. It’s super critical to conduct thorough risk assessments specific to GenAI deployments and focus on the data risk. It’s being sucked like a vacuum into these Large Language Models (LLMs) with little to no understanding of where the data is going or how it is being used. It is critical for CIOs and CISOs to identify potential vulnerabilities, threats, and attack vectors related to AI technologies.
  3. Zero Trust and/or Secure by Design – We use the term “it’s easier to bake it in than spread it on like peanut butter” but often we find companies doing this very thing. Prioritize security from the outset. Ensure those GenAI systems are designed with zero trust (we trust nothing and no one without verification) and with security in mind, incorporating Multi-Factor Authentication, encryption, and access controls.
  4. Supply Chain and 3rd party security – Extending security considerations throughout the entire GenAI supply chain is now a must do these days. One cannot assume the suppliers are doing the right thing or have you in their best interest. They should, but it’s up to you to verify and set up the appropriate controls and service level agreements. This goes back to the “collaborate” discussion above and ensuring safe and responsible use of GenAI.
  5. Finally, we have the geek moment and have to allow technology and/or the “hunters” to red team. This should be performed regularly as GenAI exercises and tabletops with the executive team’s involvement. By simulating attacks, organizations can identify weaknesses and improve defenses. Since it’s often illegal to go on the offensive against adversaries, we must have strong defenses in place.

Overall, it was another amazing week in San Francisco, and I enjoyed meeting so many innovative companies on the show floor. While GenAI is still in its infancy, it has quickly become a show of force from all things cybersecurity. GenAI will speed up our ability to do our jobs (but also the adversaries’), but we have to be strategic and work faster through the traditional “blocking and tackling” abyss we so often fall into. Teamwork makes the dreamwork!

If you missed us at RSA, I along with the team at Boston Meridian Partners will be at Blackhat, Las Vegas this coming August so please reach out to us via our webpage and LinkedIn below.

www.bostonmeridian.com

Boston Meridian LinkedIn Page <- Follow this company!

Learn More: CISA Roadmap FAQs, CISA AI Roadmap, Cam Sivesind article on “cisa-roadmap-for-ai”, Grayson Milbourne – Forbes Article on “Small Business Roadmap for AI”

  1. https://www.linkedin.com/in/christopherckrebs/, https://www.linkedin.com/in/brianfinch-cybersecurity/, https://www.linkedin.com/in/katekuehn/ ↩︎

Be vewwwy quiet….The AI Robots are hunting us….

Well, at least they might if we don’t plan appropriately. This blog will explore the world of cybersecurity in AI and the potential of this technology as it advances.

In our ever-connected world, we entrust AI with a plethora of information about our lives, from our daily routines to our most personal records. While this technology offers incredible benefits, it also raises important questions about privacy, security, and control. In this blog post, we’ll explore the impact of AI on our lives, drawing inspiration from a recent miniseries and delving into the crucial role of AI and Machine Learning (ML) in the realm of cybersecurity.

AI in “Class of 09”:

Recently, I watched a fascinating miniseries on Hulu called “Class of 09,” which revolves around an FBI class of 2009. This series delves into AI, taking us through the past, present, and future, offering a unique perspective on technology’s evolution and its effects on society. The central story arc is centered around an AI system that starts as a tool to assist agents but eventually turns into a formidable weapon to identify and confront wrongdoers. As the AI becomes increasingly sentient, it begins to view humans as threats, much like the dystopian scenario depicted in “iRobot.”

The massive amount of data is an ongoing issue

Back in the ’90s, the technology world was grappling with the idea of a 1-gigabyte hard drive as a significant storage solution (if we only knew!). Fast forward to today, and we find ourselves in the era of “zetta and yottabyte” (10²¹ – 10²⁴) data storage, where the scale of information is staggering. To put it in perspective, envision a stack of 8 1/2 by 11-inch papers stacked as high as the Washington Monument – that’s roughly the equivalent of 1 gigabyte of data. Now, multiply that by millions to billions, and you’ll grasp the immense volume of data in the cloud.

Not only is the amount of data and the proliferation of AI an issue, but we also have cyber adversaries operating with ruthless determination, driven by motives that often disregard feelings, morals, and laws. They seek data, money, fame, or other objectives, and they stop at nothing to achieve their goals. In this high-stakes game, we, as defenders of cybersecurity, must act proactively and swiftly.

The Ethics of AI:

This storyline raises an important question: how do we ensure that AI systems are used responsibly and ethically, rather than targeting individuals based on mere suspicion? As AI advances rapidly, we need to implement checks and balances to ensure fairness and control. The line between progress and potential chaos is thin, and we must tread carefully.

Rigorous Security Practices:

To effectively combat threats, rigorous identity practices are essential. Verifying the identity of users and devices is a fundamental step in safeguarding data and systems. Implementing strong identity practices can help prevent unauthorized access and potential breaches.

Security frameworks work for cybersecurity, and as I’ve stated in past blogs, “just pick a framework”. You don’t have to be picky, but you should consider one for your particular set of requirements. For some the CIS Benchmark (formerly SANS Top 20) might work, for others NIST, COBIT, or something from ISO. AI should not be any different, and you should find a framework for it and for the Large Language Models (LLMs) you will be working with.

As AI and ML continue to evolve, it’s vital to establish a security framework for large language models. These deep learning algorithms are becoming integral in various applications, but their potential misuse can pose significant risks. A structured framework can ensure responsible use and mitigate potential security concerns.

There is a very promising future for AI, if only we use it as a tool in the toolbox. A really fast, smart, and innovative tool, but one nonetheless. The thing about tools is they have to have a purpose, and some are complex enough that you should learn how to use them properly so you don’t hurt yourself or others. Despite the massive data challenges, AI holds immense potential for enhancing our lives.

Exciting developments are underway in fields like autonomous vehicles, aerial imaging using drones, robotic surgical systems, exoskeletons, collaborative robots, automated farming, smart home devices, virtual assistants, virtual reality, and space exploration. The future of AI and robotics is indeed bright, limited only by our imagination.

Conclusion:

While AI has the power to transform our lives for the better, it also demands our vigilance and ethical considerations. As we navigate this AI-powered world, it’s crucial to strike a balance between innovation and responsibility. The cybersecurity landscape is evolving, and AI is at the forefront, empowering professionals to safeguard our digital realm. What are your thoughts on this? Follow my page for more insights into the exciting world of AI and technology.

Top 10 AI books you might be interested in


It’s all about the Data!

The title might be the biggest “duh” statement ever but I continue to be surprised at how many technology/cyber professionals miss this. They feel it’s all about the “network” and the “infrastructure”. We can’t really blame them, as there is a huge chance these professionals started their careers “on premises” and kept with the same understanding and knowledge when they shifted to the cloud.

We cannot use the same thinking in the cloud that we used on prem because data doesn’t reside within any one domain of control. It spans numerous boundaries, in that it could be residing locally on an endpoint, on a server in the local data center, or in a SaaS solution in the cloud. This means the data is sitting on a cloud provider’s network somewhere in the world. Unless you build the location into your architecture or specifically state your data residency requirements in the service level agreement, it could be anywhere. It’s still out of your purview of protection using SaaS, but you have a responsibility to protect it wherever it resides.

Cloud providers are quick to tell you they are responsible for the protection of the cloud and you, as users, are responsible for the protection in the cloud. This statement kills me because the “devil is in the details”. Companies are terrible at patching their own on premises systems, let alone keeping track of the 100s of VMs they might have in any one cloud provider. In a future blog I will discuss my frustration when technology companies make you “turn the security feature on” rather than “we turned it on and here are the risks to your data if you turn it off”.

When we focus on designing our topology using a network mentality, we implement solutions originally built to keep people out of the network (or in) and not focused on who might be accessing data in either domain. We need to focus first on data identification so we can figure out how/when to protect it.

In the cloud there must be a renewed focus on data protection and the security of the applications accessing, moving, managing, or touching said data. In order to do this we have to rewire our brains a bit. On prem, we didn’t care about the data as long as it was sitting in the perimeter of our control. Anyone on the inside was trusted and anyone outside was not. Easy as pie!

It’s not so easy in the cloud age. We need to have an “assume compromise” and “zero trust” mentality 100% of the time. In my past blogs I have mentioned the importance of due care and due diligence, the importance of implementing multi factor authentication (MFA), and picking a security framework. These are the basics and once you have these in place you can focus on a more holistic ($2 word) data protection architecture. Here are some items to consider in your data protection journey:

  1. First step is understanding your data journey is going to be just that, a journey. With the advent of cloud computing, processing capability, and data creation you should be prepared for upwards of multiple petabytes of data or even exabytes. Think “data ocean” vs “data lake”[1] and eat the elephant one byte at a time.
  2. Organize a company-wide data risk and threat management team who can work across the organization identifying the most critical data and make recommendations/decisions on how best to protect this data. This should be a cross-company team with representatives from every department.
  3. Pick a tool to give you visibility across your whole network environment. Consider cloud-based tools with connectors to on premises tools so you can get a full view of everything you have. Consider all areas, whether they be on prem, cloud, or hybrid multi-cloud. This can be a managed service, or one of the newer cloud SaaS companies providing these services.
  4. Run a report and then sit down with the management team described above to discuss the output of this report. Develop discussion points to help the executive team understand why protecting this data is important and what the analytics stated was important. They might be similar, but oftentimes very different. The most used system vs the most important system could be very different. This is where the organization should have a good handle on where their data is traveling/sitting and what applications are being used to work with the data.
  5. Take the data and the input from management, and build out the organization’s risk tolerance dashboard showing these systems and accompanying data. This should include how critical these applications/systems are to the ongoing business. If one critical system goes down or data is lost, how long would it take to recover? How long would it take to rebuild?
  6. Run a worst-case scenario exercise with your IT department and security team. Once they have a good handle on the main issues invite the leadership and/or business leaders in to conduct a tabletop exercise. This is where you really have the ability to see how decisions would be made and identify the response gaps you might have because of those decisions.
  7. Rinse and repeat as often as you can, continuously fine tuning and working off known issues.

Bottom line, companies need to identify a framework, take inventory of their data (both critical and non-critical), and implement a system to monitor across the whole of the company’s environment. This should include on prem, cloud, and in many cases multi-cloud environments. Run analytics and build out your risk management strategy and reporting structure. Bring in the leadership early and often to review as you go, making sure everyone knows their role in the process. Finally, don’t be afraid of what the process shows. It’s going to be ugly at times, but this is how we get better. Identify the issues and work a plan to get better.

About the author

Shawn Anderson has an extensive background in cybersecurity, beginning his career while serving in the US Marine Corps. He played a significant role as one of the original agents in the cybercrime unit of the Naval Criminal Investigative Service.

Throughout his career, Anderson has held various positions, including Security Analyst, Systems Engineer, Director of Security, Security Advisor, and twice as a Chief Information Security Officer (CISO). His CISO roles involved leading security initiatives for a large defense contractor’s intelligence business and an energy company specializing in transporting “environmentally friendly materials”.

Beyond his professional achievements, Anderson is recognized for his expertise in the field of cybersecurity. He is a sought-after speaker, writer, and industry expert, providing valuable insights to both C-Suite executives and boards of directors.

Currently, Anderson serves as the Chief Technology Officer (CTO) for Boston Meridian Partners. In this role, he evaluates emerging technologies, collaborates with major security providers to devise cybersecurity strategies, and delivers technology insights to the private equity and venture capital community.

Overall, Shawn Anderson’s career journey showcases a wealth of experience in cybersecurity and leadership roles, making him a respected and influential figure in the industry.


[1] Data Lakes Revisited | James Dixon’s Blog (wordpress.com)


Due Care….Due Diligence…did you know and what did you do?

I’ve been in this industry for more than a few decades and many times have come across cyber professionals and organizations who do not have a clear answer to this basic question: Why do we approach security the way we do? People have varying answers from “it’s my passion”, “bad guys are bad”, “the money”, “I love technology”, and many more. Rarely do I get the answer of “Because protecting our “fill in the blank” is the right thing to do.”

Many professionals I work with are in this because they see bad actors for what they truly are. Bad, not good, very low down, and sometimes outright evil actors. The adversary wants to own you, manipulate you, control you, or in the case of many nation states eventually break you. “Due Care” and “Due Diligence” are legal terms every cyber security professional should know on day one. These terms are drivers for everything we do. If we know we have an issue, then it’s important to protect and do something about it.

Most cyber security professionals do not have a legal background, so it is a good idea to brush up on these key terms so one can navigate the profession a little bit easier. These are as critical to me as confidentiality, availability, integrity, and non-repudiation, topics I will discuss in a future blog because people need to be reminded from time to time.

Cybersecurity is a critical concern for organizations across all industries, with data breaches and cyber-attacks becoming increasingly common. Let’s face facts: the bad actors are bad, and they want to take companies down for reasons ranging from fame, to being mean, to, worst case, representing a nation state that is in a digital war with another country. In this context, due care and due diligence are two concepts often discussed in relation to cybersecurity. While both are important, they are distinct and serve different purposes.

Due care refers to the level of care that a reasonable person would take to protect their own personal information and that of others. It is a legal concept that obligates organizations to take reasonable steps to protect the personal information of their customers and employees from unauthorized access, use, and disclosure. Due care involves establishing and implementing reasonable security measures to protect data, such as using firewalls, encryption, and access controls. Due care is a proactive approach that emphasizes the prevention of security breaches and data loss.

Due diligence, on the other hand, is a process of conducting a thorough investigation into a company’s security practices and assessing the risks associated with a particular transaction or activity. Due diligence involves evaluating the security posture of a company and identifying any vulnerabilities or gaps that may exist in its security infrastructure. Due diligence is often conducted before entering a business relationship with another organization or acquiring a new company.

In the context of cybersecurity, due diligence involves reviewing the security policies and procedures of a company, as well as conducting vulnerability assessments and penetration testing to identify any weaknesses in the security infrastructure. Due diligence also involves reviewing the security training and awareness programs in place for employees and evaluating the incident response and disaster recovery plans of the organization.

While due care and due diligence are distinct concepts, they are both important for maintaining effective cybersecurity practices. Due care is essential for establishing a baseline level of security and implementing best practices to prevent security breaches. Due diligence, on the other hand, is critical for identifying potential risks and vulnerabilities and developing strategies to address them. Together, these two concepts help organizations to maintain a strong security posture and minimize the risk of cyber-attacks and data breaches.

In conclusion, due care and due diligence are two critical concepts in cybersecurity that serve different purposes. Due care is a proactive approach that emphasizes the prevention of security breaches and data loss, while due diligence involves conducting a thorough investigation into a company’s security practices and assessing the risks associated with a particular transaction or activity.

Both concepts are important for maintaining effective cybersecurity practices and minimizing the risk of cyber-attacks and data breaches. Down the road I will address how these two very critical terms and corresponding activities can help leaders build out their risk posture and program.


Attack Lifecycle and Building a Security Strategy

The attack lifecycle, also known as the cyber-attack lifecycle or the cyber kill chain, is the set of steps used to describe the various stages of a typical cyber-attack. It was documented by Lockheed Martin some years ago[1] as an overview of the process. Understanding the attack lifecycle can help organizations develop more effective cybersecurity strategies by identifying vulnerabilities and implementing controls to prevent or mitigate attacks at each stage of the lifecycle.

In order to mitigate the threats, think of your organization as a blueprint where you have to overlay the electrical, the plumbing, the HVAC, and the network cables so you see each system individually or all at once. In this case we want to look at the data in your organization as it sits, traverses, and moves in and out of your purview of control. This is what I call a data view: the data and all the systems/devices working to handle it.

You have numerous pieces of software working side by side to help with collaboration, data storage, identity management, endpoint, servers for processing, and a whole lot more. There is telemetry coming from all of this, and the adversaries as well as your own internal teams can use this data for both good and bad. It is up to you, as security professionals, to know the attack lifecycle and the cyber kill chain so you can implement solutions to protect your home, office, or organization from exposure and exploitation.

The exact stages of the attack lifecycle may vary depending on the specific model used, but generally include the following:

Reconnaissance: In this stage, the attacker gathers information about the target system or network, such as IP addresses, domain names, email addresses, and employee names. To use simpler terms this is where the adversary sits outside your house to monitor ways in, your routines, who has access, etc.

Weaponization: Here, the attacker selects the tools and techniques they will use to exploit vulnerabilities in the target system or network. This may involve creating or modifying malware or other malicious software.

Delivery: The attacker delivers the weaponized malware to the target system or network. This may be done through email phishing, social engineering, or exploiting vulnerabilities in software.

Exploitation: In this stage, the attacker uses the weaponized malware to gain access to the target system or network. This may involve exploiting known or unknown vulnerabilities in software or hardware.

Installation: Once the attacker has gained access to the target system or network, they install malware or other malicious software, which allows them to maintain persistence and control over the system.

Command and Control: The attacker establishes a command and control (C2) channel, which allows them to communicate with the malware or other malicious software installed on the target system or network.

Actions on Objectives: The final stage of the attack lifecycle involves the attacker taking actions to achieve their objectives. This may involve stealing data, altering, or destroying data, or disrupting the target system or network in some other way.

Once you understand the attack lifecycle it is my recommendation that you use some form of data analysis to track where your data is at all times. Place all the security tools your organization has on top of the cyber kill chain. Examples would be Crowdstrike or Microsoft Defender on the endpoint or using Okta, Ping, or AAD for identity. By doing this you will start to see where you have gaps or overlap.

Architecting in the cloud requires a renewed focus on data and the protection of the data. On premises, by contrast, security can be accomplished by putting all your data on a standalone computer and locking it in a closet. Not very productive but somewhat secure. In the cloud your attack lifecycle can be stretched because your data can be anywhere. You must build a secure architecture to account for this.

So, you have an assignment: review the steps an adversary would use as outlined above, then take your current security tools/capabilities and overlay them on the “attack lifecycle”. Do not try and boil the ocean, as this is an initial exercise to gain a better understanding of your company’s security posture. For more detailed analysis and effort I would recommend you look at the Mitre Att&ck Framework[2]. The Mitre Att&ck Framework is not the same thing as the LMCO Attack Lifecycle. One is higher level, whereas the Mitre framework will allow you to go into the techniques and sub-techniques one should protect against. There are other frameworks out there, such as the Center for Internet Security Benchmark[3] (CIS Benchmark; formerly the SANS top 20), and you can overlay your security capabilities over the top of those as well. It’s not an end all be all answer, but it will start to show you overlap and gaps, and provide a good start to develop a plan to improve.
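One way to run the overlay exercise described above, as an added example that is not part of the original post. The inventory is constructed: its capability names and stage placements are assumptions to be replaced with what your own tools actually do, and `overlay` and `assess` are hypothetical helper names.

```python
# The seven stages as listed in the post.
STAGES = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
)
FUNCTIONS = ("detect", "prevent")

# Constructed sample inventory (assumption): capability -> stage -> functions.
SAMPLE_INVENTORY = {
    "endpoint protection": {
        "Exploitation": {"detect", "prevent"},
        "Installation": {"detect", "prevent"},
        "Command and Control": {"detect"},
    },
    "email gateway": {"Delivery": {"detect", "prevent"}},
    "identity provider with MFA": {
        "Exploitation": {"prevent"},
        "Actions on Objectives": {"prevent"},
    },
    "network proxy": {
        "Delivery": {"prevent"},
        "Command and Control": {"detect"},
    },
}


def overlay(inventory):
    """Return {stage: {function: [tools]}} for every stage, covered or not."""
    matrix = {s: {f: [] for f in FUNCTIONS} for s in STAGES}
    for tool, coverage in inventory.items():
        for stage, functions in coverage.items():
            if stage not in matrix:
                # A misspelled stage would otherwise hide a real gap.
                raise ValueError(f"{tool}: unknown stage {stage!r}")
            for function in functions:
                if function not in FUNCTIONS:
                    raise ValueError(f"{tool}: unknown function {function!r}")
                matrix[stage][function].append(tool)
    for cell in matrix.values():
        for tools in cell.values():
            tools.sort()
    return matrix


def assess(matrix):
    """Classify each stage and list the functions where tools overlap."""
    report = {}
    for stage in STAGES:
        cell = matrix[stage]
        if not cell["detect"] and not cell["prevent"]:
            status = "gap"
        elif not cell["prevent"]:
            status = "detect-only"
        elif not cell["detect"]:
            status = "prevent-only"
        else:
            status = "covered"
        overlap = {f: t for f, t in cell.items() if len(t) > 1}
        report[stage] = {"status": status, "overlap": overlap}
    return report


if __name__ == "__main__":
    for stage, row in assess(overlay(SAMPLE_INVENTORY)).items():
        extra = f"  overlap: {row['overlap']}" if row["overlap"] else ""
        print(f"{stage:<22} {row['status']:<13}{extra}")
```

Stages reported as `gap` or `detect-only` are the starting points for the improvement plan; an `overlap` entry is not automatically waste, since it may be deliberate defense in depth.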

Take the time to study what the adversaries are doing, understand and document your organization’s network, understand where the important data is, PICK A FRAMEWORK (cannot stress this enough), and start working to put security capabilities in place to mitigate risk at every stage of the framework your organization has chosen. You will still have to assume compromise, but you will be in a much better position knowing where your gaps/risks are regarding access and protecting your data.


[1] https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

[2] https://attack.mitre.org/

[3] https://www.cisecurity.org/controls/v8_pre


Cybersecurity Trends from a CTO/CISO perspective

It’s been a fast 15 months since I started on this journey working as the CTO for an investment bank. I’ve traveled all over the United States and held conversations with hundreds of Venture Capital and Private Equity firms and exciting newer security startups. There have been a few trends which keep bubbling to the top that I wanted to share with all of you. As we all know, cybersecurity isn’t anything new, but it is something all companies, large and small, need to be doing. Cybersecurity has become an increasingly important area of focus for businesses and governments, with the rising frequency and severity of cyber-attacks as well as the renewed governance focus at the board level.

As a result, there has been a growing interest in investing in cybersecurity companies and technologies. Here are some of the investment trends in cybersecurity:

Cloud Security: With more businesses moving their operations to the cloud, cloud security has become a top priority. Investors are looking for companies that provide cloud security solutions, such as cloud access security brokers (CASBs), cloud security posture management (CSPM) tools, and cloud workload protection platforms (CWPPs). Using rough numbers from the quarterly earnings of the top 3 cloud providers (GCP, AWS, and Microsoft), they bring in roughly $350b in annual revenue, which is a small percentage of the overall global IT spend of $4.2T. This area will continue to grow.

Identity and Access Management (IAM): IAM solutions have become essential for managing access to corporate networks, applications, and data. Investors are looking for companies that provide IAM solutions such as identity governance and administration (IGA), multi-factor authentication (MFA), privileged access management (PAM), and user access management.

Artificial Intelligence (AI) and Machine Learning (ML): AI and ML are being used to enhance cybersecurity by enabling faster threat detection and response. Investors are looking for companies that provide AI and ML-powered solutions such as security analytics, threat detection and response, and fraud prevention. This area spooks me a bit as it’s moving so quickly and, from what I’ve seen, without any guardrails to keep it 100% safe, ethical, and working in the best interests of its creators.

Internet of Things (IoT) Security: As more devices become connected to the internet, IoT security has become a critical concern. Investors are looking for companies that provide IoT security solutions such as device management, data encryption, and firmware security. Other areas are Operational Technology (OT) which is a term defining a specific category of hardware and software whose purpose is to monitor and control the performance of physical devices. The other is Industrial Internet of Things (IIoT) designed to incorporate technologies such as machine learning, machine-to-machine (M2M) communication, sensor data, Big Data, etc.

Cyber Insurance: Cyber insurance has become increasingly popular as a way for businesses to mitigate the financial risks associated with cyber-attacks. Investors are looking for companies that provide cyber insurance policies and risk assessment services. This is a growing area with a lot of unknown variables. Unlike traditional insurance such as life and auto, the data available on cyber is limited to the past 40 years and is always advancing. This area will continue to mature and be extremely important as companies try to defer and manage their risk.

Cybersecurity Consulting and Integration: With cybersecurity becoming more complex, businesses are seeking the expertise of cybersecurity consultants to help them develop and implement effective cybersecurity strategies. Investors are looking for companies that provide cybersecurity consulting services. An offshoot of this is Cloud System Integration or Cloud SI: companies who can help other companies deploy the cloud solutions they have acquired in the quickest way possible. These companies who are “born in the cloud” have an advantage today because they have the ability to move at “cloud speed”. The issue is training the talent to do the work.

Overall, the cybersecurity industry is expected to continue to grow, and investors are expected to continue to invest in companies that provide innovative and effective cybersecurity solutions.
