Brewing Cybersecurity Insights

Category: Cyber Strategy

23andMe, and Us?

It is a pleasure to present a collaboration article with Fabrizio Cilli.

As a dedicated cybersecurity enthusiast and pioneer, Fabrizio’s journey has been marked by global experiences, from Rome to the most advanced innovation hubs of North America and Asia, and through historical transformative projects in the Middle East. At Telecom Italia, he played a key role in the early days of Security Operations Centers (SOC), setting the stage for leadership positions that influenced cybersecurity advancements across sectors.

Leading as the Chief Information Security Officer (CISO) at Open Fiber, Fabrizio was pivotal in building a robust cybersecurity framework from scratch, marking achievements like the formation of XIRT (Any Incident Response Team) and striving for ISO 27001 certification. His work extended globally with renowned firms such as Datamat, Accenture, RESI/IPS, and EMC, where he focused on integrating cloud security, managing mergers and acquisitions, conducting due diligence, and safeguarding critical infrastructure.

A passionate advocate for the integration of artificial intelligence in cybersecurity, Fabrizio collaborated with the Italian Digitalization Team (Team Digitale) and co-founded the collective CISOs4AI (together with yours truly) and other great minds, underlining his commitment to harnessing AI for overcoming security challenges. His career is a testament to overcoming challenges, pushing boundaries, and fostering innovation, with a clear mission to cultivate a security-first mindset, drive technological empowerment, and ensure cybersecurity serves as a foundation of trust and resilience in our digital age.

So without further ado…

23andMe, and Us?

It all started from a response letter by 23andMe legal department, after CISO and some other directors had sold their stock options before the incident disclosure.

Facing an onslaught of lawsuits, 23andMe is denying liability for millions of users’ genetic records leaked last fall.In a letter sent to a group of users suing the company obtained by TechCrunch, lawyers representing the biotech company laid out a case that users were to blame for any data that may have been exposed.

It would be fantastic to have oversight and complexity requirements in place. Requiring multiple authentication factors has always been a key tool to prevent breaches from occurring. Companies like Microsoft, Google, Amazon, telecoms, banks, insurers, and healthcare providers all carefully control account access. They do this not just for prevention, but also to demonstrate maximum diligence. This is in a context where co-responsibility between companies and users is inevitable.

And if the responsibility of the external user is passed on as a “charter of rights and duties” (perhaps in terms and conditions between company and user), should we then consider that in a company, if it is discovered that a breach originated from a weak password (one of those in the annual most common lists) of an employee user, the latter falls into a scope of “bad faith” such as to stimulate an investigation for administrative liability? 

I mean, how much can responsibility be shifted to the user, given current standards for verifying the suitability of access control and administration measures (even more so for administrative accesses)?

Let’s talk about it, but if I think about Uber and SolarWinds, and then focus on 23andMe, and all the hospital ransomwares lately…I get a headache.

So if at the italian occurrence of attack to ASL1 L’Aquila, we understand that “it all started from a user with a weak password” or in the attack to MediBank Australia, a “user” propagated the attack, do we charge the 5 billion AUS Dollars to them and just move on? 👀😅

Such cases and similar situations, which we all know too well (and some scenarios we have experienced together, with some fellow CISO), where a user just leaves the doors open, what happens to these? Do we chase/investigate our own users? Could they be held responsible for the resulting damage? And on what rule and norm?

I want to clarify: full and robust user responsibility would be a breath of fresh air for most colleagues with millions users, but does this possibility even exist in current practice, that you are aware of? 👀

It is clear that the user who allows an attacker to use a “native” function is not ideal, but every low and slow attack and every APT we fight stems from the fact that we consider the user (I’m getting close to zero “user” trust theory) as potentially malicious or compromised.

So if a Sino-Russian-North Korean or Italo American criminal, with fake documents enters, and with that function manages to view data from thousands of other people, would we not notice? Is the system designed to prevent repeated abuse? Would GDPR minimization, applied to this processing, have required that it not be possible for example to “accumulate” sensitive data like this, but maybe only view genetic closeness, and then request direct contact? How did they design the registry at 23andMe?

When I say data is the lifeblood of a company I mean it seriously. If the lifeblood becomes poisoned, or too much comes out, the plant dies. 🌵🏜️

And then the dilemma: if one of “our” internal users blatantly violates a policy, procedure, and playbook, and leaves admin admin, while doing the ceremonial of an HSM, and we basically lose all our secrets?

Are we (the company) or is the user (colleague) administratively responsible? (And here the insurance systems on AdS come into play…)

It is certainly a good debate.

But in the end I believe there are various safe passes, both for users and colleagues, when it comes to access and management of technologies and privileges imposed on them.

The “good family man” remains the company, the multitude of individuals who manage the systems are its own, with its procedures and internal and external regulations. It is not a 1-to-1 relationship with the user, it is a many-to-1 or many-to-many relationship.

The Regulations we advertise, and for which we request flags, signatures etc., exist precisely to ensure they are not violated, due to boredom and lack of reading or reconciliation.

The Countermeasures we implement guarantee controls, and verify that the healthy behaviors we ask to assume are assumed, by those who use our systems and services, preventing them from circumventing them to facilitate the user experience.

Of course it is true that if we do not solve the problem of “passwords”, it is like having a low cipher forced by incompatibility, and not being able to apply a patch for life…

Perhaps this is what Sam Altman is aiming for with his WorldCoin startup: the full and unequivocal recognizability of the user… Will he make it?

And how will 23andMe end up?

There is very much at stake and an ongoing court case, that didn’t really start on the best terms.

Now, I don’t mean to make light of this situation, but the reality is that: Cybersecurity maturity needs to be embedded in a company’s very DNA. It requires integration, communication, and transparency primarily between the business itself and its clients.

Or it won’t work. In a fully digital world, you need fully digital cyber protection. Your business doesn’t sleep, crooks do not sleep, your clients are cycling around the world and guess what? They are not sleeping at the moment.

If it was enough to have “security” across the company, and “secure by design” software, today it’s about having a “secure by design company” and “software security” in place.

Word games? No, it’s the real deal.

You can get wiped out from the market.

And now the bombshell that will make you think: in such a scenario, even your competition can harm your core business by means of criminal hackers.

Resilience, and security by design with zero-trust: it’s worth it.

Deciphering the XDR Puzzle

What’s in a name: Next-Gen SIEM or Improved EDR?

Introduction

While I’ve been busy in the world of Large Language Models (LLMs) lately, a topic I have had on my mind for some time is the “semantics” of Extended Detection and Response (XDR). Just a year ago, the cybersecurity community was abuzz with discussions about XDR’s role in the industry.

Recently, however, XDR appears to have slipped from the limelight (now the trend is CISO-as-a-Service and vCISO), which I find regrettable. XDR, for me, represents a combination of EDR, NDR, IDR, augmented by SOAR.

Robin Long’s LinkedIn poll sparked a debate – “SIEM or XDR?”

This prompted me to delve deeper into what exactly XDR is. In this article, we’ll explore XDR’s potential, its relation to SIEM, and its role as an advanced EDR solution.

The XDR Conundrum

A perspective on XDR is positioning it as an enhanced and integrated EDR solution. In this context, XDR could serve also as a something that “collect and analysises security events”. Well that is dangerously close to SIEM. There are also SIEMless XDRs, leveraging its capabilities for improved detection.  

At this point I’ll repropose the answer I gave to the “SIEM or XDR?” question paraphrasing Shakespeare: “What’s in a name? That which we call a SIEM, by any other word would detect as sweet”.   

Another view of XDR is the amalgamation of EDR, NDR, and IDR, potentially mixed with SOAR or playbooks. Some vendors have pursued this unified approach, akin to a Unified Threat Management (UTM) solution (Unified Detection & Response would be a cool name too).

Gartner’s Insights

To shed light on the matter, Gartner provides a concise definition of XDR as “a platform that integrates, correlates and contextualizes data and alerts from multiple security prevention, detection and response components. XDR is a cloud-delivered technology comprising multiple point solutions and advanced analytics to correlate alerts from multiple sources into incidents from weaker individual signals to create more accurate detections.” 

Unraveling XDR Components

Breaking down Gartner’s definition, we can extract the following key elements: 

  • XDR as a SIEM: With its ability to correlate data and alerts from multiple security components, XDR can be seen as a SIEM with a cooler name 
  • Enhanced/Integrated EDR: XDR’s integration and contextualization of data and alerts from prevention, detection, and response components present an improved and integrated EDR solution, ideally integrating with threat intelligence solutions. 
  • Cloud-Delivered Technology: XDR’s cloud delivery model adds scalability and flexibility to the solution, similar to SIEM-as-a-Service. 

Closing Thoughts

Although XDR’s definition doesn’t explicitly mention SOAR, I think it should be considered, especially if we aim to want to go SIEMless.  

In conclusion, let’s revisit the XDR equation as EDR + NDR + IDR + SOAR, with a touch of Threat Intelligence.  

Despite XDR no longer being perceived as the bleeding-edge solution, two key factors make it worthwhile in my book. First, its potential to simplify deployment, usage, and maintenance by centralizing detection within a single enriched platform. Second, the ability to reduce entropy and enhance incident management through enriched and correlated events, leading to better triage, prioritization, and overall efficiency. 

While the discussion may have left SIEM unexplored (given its longstanding presence in the field), we now should have a clearer understanding of XDR and its potential in the evolving cybersecurity landscape. 

The Human Element in Cybersecurity

Moving Beyond Technology

Human Element
Image by Bing Image Creator

The Human Element – Introduction:

When it comes to cybersecurity, most people tend to think it’s all about technology. But guess what? It’s time to break that misconception. In today’s world, cyber threats the weakest link in the security chain is the human element.

You see, we may have fancy technologies, but there’s no magic bullet (despite what many vendors promise). No matter how much we invest in technology, we can still fall prey to cybercriminals who know just how to exploit our human nature.

The Conti ransomware gang hit the nail on the head last year when they said, “we also need to focus on the human part of our attacks. Our targets invest millions of dollars in security technologies, but they often overlook the human element. We will continue to exploit this weakness to our advantage.”” It’s a wake-up call to understand that in the traditional triad of People, Processes, and Technology, People are (and have been in probably the last 10 years) the center stage in cybersecurity.

So, buckle up and keep reading as we dive into the role of the human factor in cyber attacks.

The Exploitation of Human Vulnerabilities:

Cybercriminals are crafty. They know that humans are easier to manipulate than sophisticated security technologies. They also look for a ROI on their investments, so they will use whatever is the cheaper approach to reach their goal. So, they use psychological tricks like phishing and social engineering to exploit our weaknesses and gain unauthorized access to sensitive information. They send convincing email scams, impersonate trusted entities, and even dig up personal details from social media to trick us into revealing confidential data or compromising system security.

Still think that cybersecurity is all about fancy technology?

You took a look at the latest latest ENISA Threat Landscape. You saw that the top threats include ransomware and malware—definitely techie stuff. But guess who unwittingly lets those threats in? Yep, it’s people.

Now let me tell you, the Ponemon Institute’s Cost of Data Breach report is an eye-opener. In their “Initial attack vectors” section, they highlight the prevalence and cost of human-related attack vectors. Stolen or compromised credentials accounted for 19% of breaches, costing an average of $4.50 million. Phishing, at 16% of breaches, topped the list as the costliest initial attack vector, with an average cost of $4.91 million. Business email compromise was another initial vector among cyber attackers.

If you look closely, you’ll notice that every issue, even seemingly technical ones like “Vulnerability in third-party software,” ultimately comes down to human error. After all, who coded the software with the vulnerability or who didn’t define or apply a patching process? That’s right, a human.

Moving Towards a People-Centric Approach:

So, what can we do about it? Well, it’s time for organizations to start adopting a people-centric approach to cybersecurity. My recipe consist in building a “Cyber Culture”! This means understand what are the Cyber behaviors we want to influence, providing comprehensive training programs to raise cybersecurity awareness among employees and promoting a culture of vigilance and responsible behavior. We gotta teach everyday users about common cyber threats, show them how to spot suspicious activities, and encourage good practices like creating strong passwords and keeping software up to date.

But it’s not just about training. Organizations need to share real-world examples of cyber attacks, so people can see the real risks out there. By making everyone feel responsible for cybersecurity, we turn our workforce into a first line of defense against cyber threats.

And here’s a secret: investing in the human factor is not only cheaper, but it’s also way more effective than splurging on fancy technology. I mean, sure, we still need the right tools, but without a strong Cyber Culture, we’re like a castle with a moat but no guards. It just doesn’t work! I will write an article on this topic in the future.

So why isn’t a a People-Centric approach that widespread?

Many people still think that cybersecurity is all about technology. They believe it’s a technical issue that only (nerdy) IT folks (with glasses and a hoodie) can handle. The problem is that cybersecurity specialists often are really technical to start with so they neglect the crucial human elements.

And here’s another kicker: reporting lines within organizations often make things worse. Cybersecurity teams end up aligned with IT departments, who are mainly focused only on technical risks!

I know I’m digressing this is another topic: the need of having an effective, diverse and multidisciplinary Cyber team.

But the truth is, investing in Cyber Culture, in our people, is the key to success. It’s not only more cost-effective, but it’s also more impactful in preventing and mitigating cyber threats. So I think it’s time to break the cycle!

Conclusion:

it’s time we realized that cybersecurity is not just about technology. People play a crucial role, and cybercriminals know it. By adopting a people-centric approach, building a strong Cyber Culture, and empowering employees to be active defenders, organizations can level up their defense against cyber threats.

So, let’s remember that we’re not alone in this fight. It’s not just about fancy tech; it’s about us, the people. Together, we can create a safer digital world. Let’s do this!

The Pros and Cons of vCISO and CISO-as-a-Service

Navigating the Challenges of Cybersecurity Leadership

The Pros and Cons of vCISO and CISO-as-a-Service
Image by Bing Images Creator

Introduction

Virtual CISO – vCISO and CISO-as-a-Service are emerging as popular options for organizations looking to strengthen their cybersecurity posture without hiring a full-time CISO. Sorry for the over-simplification but it would basically be a part-time Security Expert acting as a CISO. While these services offer certain benefits, they also come with potential drawbacks. In this article, we’ll explore the advantages and challenges of vCISO and CISO-as-a-Service and discuss how to find the right balance.

The Benefits of vCISO and CISO-as-a-Service

  1. Access to expertise: vCISO and CISO-as-a-Service can provide organizations with the cybersecurity expertise they might not have in-house. This can be especially valuable for smaller companies or those just starting their security journey. Please note that security professionals are a hot commodity, and organizations should ensure they are using resources with the right skills. For example, someone who configured firewalls might be considered a (Network) Security Expert, but will they be the right expert to define a long term Cybersecurity strategy?
  2. Temporary solution: vCISO and CISO-as-a-Service can serve as a temporary measure to fill the gap in cybersecurity leadership, especially when organizations face difficulties in hiring a full-time CISO or during transitional periods.
  3. Flexibility: vCISO and CISO-as-a-Service offer flexibility for organizations experiencing transition or growth. These services can be scaled up or down according to the organization’s needs, providing a tailored solution to their cybersecurity challenges.

The Limitations of vCISO and CISO-as-a-Service

  1. Accountability: While vCISOs and CISO-as-a-Service providers hold a “C” in their title, they may not have the same level of accountability as a full-time, in-house CISO. Organizations looking to meet ESG (Environmental, Social, and Governance) requirements may need a more accountable figure in the role. In other words, did you ever see a vCFO or a CFO-as-a-Service?
  2. Integration, Authority, and Long-term Strategy: vCISOs and CISO-as-a-Service providers may not have the same level of authority within an organization, potentially limiting their ability to effectively integrate with various departments and functions. Moreover, due to the limited length of their contract and insufficient knowledge of the company (technology, processes, people, and culture), they may struggle to plan and implement a comprehensive, long-term security strategy, leading to a focus on quick wins instead.
  3. Conflict of Interest: If a vCISO or CISO-as-a-Service provider is affiliated with a company that sells or provides cybersecurity services, there may be a conflict of interest. This can result in a lack of neutrality, which could affect their advice and recommendations and even questionable decision-making. Especially because they are not accountable (see point 1, jointly with this point it is a potential recipe for disaster). However affiliation it is not necessary a bad thing as it would allow to involve specific vertical competencies of other Subject Matter Experts when necessary.
  4. Incident Management: A CISO is expected to be involved in the management of cyber incidents. A vCISO, being part-time, might struggle to handle multiple major incidents simultaneously for different clients, potentially prioritizing the one that pays better or has a longer contract remaining.

Finding the Right Balance

While vCISO and CISO-as-a-Service can be valuable solutions for organizations in transition, small businesses part of bigger groups with real CISOs (in this case I also saw a case of an internal CISO-as-a-Service, and this appears to be a great idea) and scaleup companies, it’s essential to consider potential limitations and conflicts of interest. Ideally, organizations should work towards cultivating internal talent to eventually assume the CISO role.
In cases where a trusted internal candidate is not yet ready or a CISO has recently resigned, vCISO and CISO-as-a-Service can be effective interim solutions to put paper over the cracks. However, it’s essential to ensure that the chosen provider is competent, neutral, dedicated to the organization’s best interests, and ideally has knowledge of the industry. Moreover, organizations should make sure that someone internally is identified (e.g., COO or CIO) to be accountable.

Conclusion

I may be biased since I was an advisor for a long period of my career, but these services are not that different from the “old approach,” which is still an alternative: using strategic consultancies and in-house IT and/or system integrators to complete projects. What matters is recognizing the importance of security, regardless of whether the person helping them is called a CISO-on-demand or a security advisor.

vCISO and CISO-as-a-Service can provide much-needed cybersecurity expertise, especially for small businesses and scaleup companies.

When considering the use of vCISO and CISO-as-a-Service, it is essential for organizations to carefully assess the benefits and limitations of these options. By taking into account factors such as access to expertise, competencies (and not just title and certifications), flexibility, accountability, integration, authority, long-term strategy, conflict of interest and involvement in case of incidents, businesses can make informed decisions about whether these services are the right fit for their cybersecurity strategy.

Ultimately, fostering internal talent and working towards a full-time CISO role may be the best long-term solution. Small businesses and organizations in transition can benefit from the expertise and flexibility offered by vCISO and CISO-as-a-Service but must have a holistic approach in selecting a provider who can effectively address their unique cybersecurity challenges and should continuously reevaluate their cybersecurity needs and ensure that their chosen option remains effective .

Battling Burnout in Cybersecurity

Battling Burnout in Cybersecurity
Photo by fauxels from Pexels

5 Key Strategies for Enduring Team Resilience

Introduction

The cybersecurity field presents unique challenges and stressors, resulting in change fatigue that threatens the sustainability of security teams.

Why are cybersecurity teams burning out? Talent shortages, understaffing, and fading motivation are hitting hard, and employee burnout is becoming one of the biggest threats to cybersecurity teams. To address this growing problem, it’s crucial to implement strategies that promote sustainability and mitigate fatigue among cybersecurity professionals.

In recent speech on talent (I already talked about this in a LinkedIn Post), I shared my experience of a resignation of a key resource that ultimately resulted in me becoming a better leader. By acknowledging the failure and learning from it, I was able to create a more supportive and understanding environment for my team.

In a recent Gartner article, “Four Tactics to Mitigate Change Fatigue,” CIOs are provided with valuable strategies to combat change fatigue within their organizations.

While primarily targeting CIOs, these tactics can be adapted to address the sustainability crisis in cybersecurity teams, or any team. These are all strategies that I pursue (badly or well can only be said by the people who work with me). In this article we’ll explore those revised four strategies and my additional ones, to ensure a lasting journey of fatigue mitigation.

Strategies for a Sustainable Journey of Fatigue Mitigation in Cybersecurity Teams:

  1. Treat change fatigue as a business issue: Cybersecurity is particularly stressful due to the constant security debt and the fear of being hit by a major attack. Balancing short-term objectives with long-term goals is crucial to prevent employee burnout, anxiety, that ultimately ends in resignation. It’s important to incorporate change fatigue as a factor when planning initiatives and prioritize projects to reduce the impact of fatigue on the team, e.g. by avoiding excessive workload, or the week-end warriors phenomenon.
  2. Distribute change leadership: Decisions in cybersecurity often require trade-offs between business, as-is operations, and security. Engaging business leaders and experts in decision-making at all levels can lead to more successful outcomes and reduce the burden of decision-making, which is a key cause of stress. Collaboration among different leaders is essential for making informed decisions. I’d add that also clear responsibilities are a must as unclear expectations are another a big source of stress. A key point here is that Cybersecurity leaders should hold the other leaders accountable in making the organization more secure (if this accountability fails, the organization will be significantly less secure).
  3. Co-create execution and involve stakeholders: In the long run, employees who feel a sense of purpose and are involved in the change management process will become the “leaders of tomorrow.” Creating cross-pollination between teams is paramount, with attacks targeted on people (e.g., phishing, CEO Fraud), on the supply chain, all departments must collaborate to secure the enterprise. This principle is also true inside of the Cybersecurity function, resources working on detection and response and those focused on protection measures must all know the vision and the strategy and know what the others are doing, this is crucial for a more cohesive and empowered team.
  4. Focus on the journey, not just the end goals: Instead of solely concentrating on the end goal, emphasize the process and progress made throughout the journey. Security is a continuous journey, not a goal that can be reached. By celebrating progress and creating a positive environment, the team will feel accomplished and motivated during the entire journey.

Allow me to add some additional personal strategies: make sure that employees are supported, they feel valued, have a work-life balance, and have the opportunity for personal growth and development. It’s essential to provide continuous feedback, both positive and negative, and to clearly explain what is good and what needs improvement. This empowers employees with the right to fail, as long as they learn from their mistakes and grow. Addressing issues in real-time ensures the team remains successful, rather than waiting until the end of the year to provide a feedback and having low performances in the meantime.

Bottom line, cybersecurity staff should feel committed and believe that the cybersecurity leadership is composed of individuals with a little more experience who empower them.

Conclusion

Adapting the strategies above can help address the sustainability crisis in cybersecurity teams by mitigating change fatigue and successfully battling burnout in cybersecurity.

By treating change fatigue as a business issue, distributing change leadership, co-creating execution, and focusing on the journey rather than just the end goals, cybersecurity teams can remain resilient and effective in an ever-evolving landscape. Embracing change and personal growth as a leader is essential to building a strong, empowered, and sustainable team.

© 2024 CyberSec.Cafe