Category: Cybersecurity & Infosec

This is a very good overview of what many would call ‘basic hygiene‘ or the ‘bare minimum‘ for corporate cybersecurity defense. There are some additional vendors with new solutions, which I might add to the list, such as: Conventus NorthStar (get a view to your total security posture and enterprise risk using data you already have), BitGlass (inline CASB that goes beyond app discovery),  Venafi (machine identity protection), SafeBreach (continuous automated red team testing). As I start to regularly review new and innovative vendor solutions, I will start a series of posts with my findings.

Why are we paying attention to our online privacy now? In March 2018, it was discovered that Cambridge Analytica had been harvesting Facebook user information, and using it to build voter profiles which they then sold off to groups who wanted to influence the 2016 Presidential Election.

The issues we are facing today aren’t new. The Internet puts your personal information at risk: on your computer and mobile devices, in email and social media. It just becomes harder to protect your privacy and personal information, as the Internet and social media become more complex. Read More

If you don’t have a reliable and authoritative repository of the devices connected to your network, their posture and the use of privileged accounts, it is difficult to believe that you really have any hope of managing them well to protect your organization’s sensitive information. If you are not managing IT security risk well, it will have an effect on all aspects of enterprise risk. This is why situational awareness needs to be a top enterprise focus.

The first category in the NIST Cybersecurity Framework is “Identify”. The first 5 CIS controls related to discovery, inventory and posture of endpoints, software and privileges. Read More

The NIST Cybersecurity Framework has five categories for enterprise security: Identify, Protect, Detect, Respond, Recover. There is a lot of focus on Detect and Respond as the new shiny. Let’s be honest, every company should be doing their due diligence in all five of these categories. While traditional  protection controls are less effective, we still need to be doing what we can to identify and protect (let’s face it, we used to rely on static antivirus and today it is laughable to suggest static AV is anywhere adequate protection for endpoints).

I’ve heard people say that we don’t need defense in depth, we need to detect in depth. I’m not sure what that means. I agree we need to do a better job of detecting faster and responding better, but we only have two options here, DEFENSE and OFFENSE. I really don’t hear enterprise CISOs suggesting we attack back. Not sure the general counsel would agree on that either. Read More

QC Cybersecurity Alliance worked with the Quad Cities Chamber of Commerce and others in the Quad Cities to develop best practices and guidance for local businesses. Check it out!

http://quadcitieschamber.com/playbooks/cybersecurity

Steve Marino, CISO of Cisco, explains the need for security and business alignment. This is a basic concept we need to embrace, which is why I founded the infosec company Aligned Security: Align, measure, communicate.