Archive

Archive for the ‘CISO’ Category

Afternoon Cyber Tea: Cybersecurity & IoT: New risks and how to minimize them

July 2nd, 2020 No comments

Recently, Microsoft announced our acquisition of CyberX, a comprehensive network-based security platform with continuous threat monitoring and analytics. This solution builds upon our commitment to provide a unified IoT security solution that addresses connected devices spread across both industrial and IT environments and provides a trusted, easy-to-use platform for our customers and partners to build connected solutions – no matter where they are starting in their IoT journey.

Every year billions of new connected devices come online. These devices enable businesses to finetune operations, optimize processes, and develop analytics-based services. Organizations are clearly benefiting from IoT as shared in the IoT Signals research report produced by Microsoft. But while the benefit is great, we must not ignore the potential security risks. To talk about how companies can reduce their risk from connected devices, Dr. Andrea Little Limbago joined me on Cyber Tea with Ann Johnson.

Dr. Andrea Little Limbago is a cybersecurity researcher, quant analyst, and computational social scientist at Virtru. With a background in social science, Andera has a unique perspective that I think you’ll find interesting.

Andrea and I talked about the role of automation in attacks and defense and how privacy and security advocates can come together to accomplish their overlapping goals. We also talked about how to safeguard your organization when you can’t inventory all your IoT devices.

It isn’t just businesses that are investing in connected devices. If you have IoT devices in your home, Andrea offered some great advice for protecting your privacy and your data. Listen to Cybersecurity and IoT: New Risks and How to Minimize Them to hear our conversation.

Lack of visibility into the devices currently connected to the network is a widespread problem. Many organizations also struggle to manage security on existing devices. The acquisition of CyberX complements existing Azure IoT security capabilities. I’m excited because this helps our customers discover their existing IoT assets, and both manage and improve the security posture of those devices. Expect more innovative solutions as we continue to integrate CyberX into Microsoft’s IoT security portfolio.

What’s next

In this important cyber series, I talk with cybersecurity influencers about trends shaping the threat landscape and explore the risk and promise of systems powered by AI, Internet of Things (IoT), and other emerging tech.

You can listen to Afternoon Cyber Tea with Ann Johnson on:

§  Apple Podcasts—You can also download the episode by clicking the Episode Website link.

§  Podcast One—Includes option to subscribe, so you’re notified as soon as new episodes are available.

§  CISO Spotlight page—Listen alongside our CISO Spotlight episodes, where customers and security experts discuss similar topics such as Zero Trust, compliance, going passwordless, and more.

If you are interested in how businesses across the globe are benefiting from IoT, read IoT Signals, a research report produced by Microsoft.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter if you have guest or topic suggestions.

The post Afternoon Cyber Tea: Cybersecurity & IoT: New risks and how to minimize them appeared first on Microsoft Security.

The psychology of social engineering—the “soft” side of cybercrime

June 30th, 2020 No comments

Forty-eight percent of people will exchange their password for a piece of chocolate,[1] 91 percent of cyberattacks begin with a simple phish,[2] and two out of three people have experienced a tech support scam in the past 12 months.[3] What do all of these have in common? They make use of social engineering: when an attacker preys on our human nature in order to defraud. Also in common, these small, very human actions have led to billions of dollars of loss to global business.

People are by nature social. Our decision making is highly influenced by others. We are also overloaded with information and look to shortcuts to save time. This is why social engineering is so effective. In this blog, I’ll share the psychology behind Cialdini’s Six Principles of Persuasion to show how they help lure employees and customers into social engineering hacks. And I’ll provide some tips for using those principles to create a social engineering resistant culture.

Dr. Robert Cialdini is Regents’ Professor Emeritus of Psychology and Marketing at Arizona State University and founder of Influence at Work. He has spent his entire career studying what makes people say “Yes” to requests. From that research he developed Six Principles of Persuasion: Reciprocity, Scarcity, Authority, Consistency, Liking, and Consensus. So let’s take a look at how each of these principles is used in social engineering campaigns and how you can turn them around for good.

Reciprocity

People are inclined to be fair. In fact, receiving a gift triggers a neurological response in the areas of the brain associated with decision-making. If my friend buys me lunch on Friday, I will feel obliged to buy her lunch the next time we go out. Social psychologists have shown that if people receive a holiday card from a stranger, 20 percent will send one back.[4] And providing a mint at the end of a meal can increase tipping by 18-21 percent.

How reciprocity is used in phishing: You can see evidence of the Principle of Reciprocity in phishing campaigns and other scams. For example, an attacker may send an email that includes a free coupon and then ask the user to sign up for an account.

Leveraging reciprocity to reduce phishing: According to Dr. Cialdini, the lesson of “the Principle of Reciprocity is to be the first to give...” Many organizations pay for lunch to get people to come to trainings, but you may also consider giving away gift certificates for coffee or a fun T-shirt. If the gift is personal and unexpected, it’s even more effective. After you give, ask people to commit to your security principles. Many will feel compelled to do so.

Scarcity

Why do so many travel websites tell you when there are only a few remaining flights or rooms? The Principle of Scarcity. It’s human nature to place a higher value on something that is in limited supply. In one experiment, college students judged cookies more appealing if there were fewer in the jar.[5] Even more appealing? When an abundant supply of cookies was later reduced to scarcity.

How scarcity is used in phishing: Attackers take advantage of our desire for things that seem scarce by putting time limits on offers in emails. Or, in another common tactic, they tell people that their account will deactivate in 24 hours if they don’t click on a link to get it resolved.

Leveraging scarcity to reduce phishing: You can leverage scarcity to engage people in security behaviors too. For example, consider giving a prize to the first 100 people who enable multi-factor authentication.

Authority

People tend to follow the lead of credible experts. Doctors (think Dr. Fauci), teachers, bosses, and political leaders, among others, have huge sway over people’s actions and behaviors. If you’ve heard of the Milgram study,[6] you may be familiar with this concept. In that study an experimenter convinced volunteers to deliver increasingly more severe shocks to a “learner” who didn’t answer questions correctly. Fortunately, the learner was an actor who pretended to feel pain, when in reality there were no shocks delivered. However, it does show you how powerful the Principle of Authority is.

How authority is used in phishing: Using authority figures to trick users is very common and quite effective. Bad actors spoof the Chief Executive Officer (CEO) to demand that the Chief Financial Officer (CFO) wire money quickly in some spear phishing campaigns. When combined with urgency, people are often afraid to say no to their boss.

Leveraging authority to reduce phishing: You can use people’s natural trust of authority figures in your security program. For example, have senior managers make a statement about how important security is.

Consistency

Most people value integrity. We admire honesty and reliability in others, and we try to practice it in our own lives. This is what drives the Principle of Consistency. People are motivated to remain consistent with prior statements or actions. If I tell you that I value the outdoors, I won’t want to be caught throwing litter in a park. One study found that if you ask people to commit to environmentally friendly behavior when they check into a hotel, they will be 25 percent more likely to reuse their towel.[7]

How consistency is used in phishing: Scammers take advantage of people’s desire to be consistent by asking for something small in an initial email and then asking for more later.

Leveraging consistency to reduce phishing: One way to employ the Principle of Consistency in your security program is to ask staff to commit to security. Even more powerful? Have them do it in writing.

Liking

It probably won’t surprise you to learn that people are more likely to say yes to someone they like. If a friend asks for help, I want to say yes, but it’s easier to say no to stranger. But even a stranger can be persuasive if they are perceived as nice. In the raffle experiment, people were more likely to buy raffle tickets if the person selling the tickets brought them a soda, and less likely if the person only bought themselves a soda.[8]

How liking is used in phishing: When bad actors spoof or hack an individual’s email account and then send a phishing email to that person’s contacts, they are using the Principle of Liking. They are hoping that one of the hacking victim’s friends won’t spend much time scrutinizing the email content and will just act because the like the “sender.”

Leveraging liking to reduce phishing: To be more persuasive with your staff, cultivate an “internal consulting” mindset. Be friendly and build relationships, so that people want to say yes when you ask them to change their behavior.

Consensus

When people are uncertain, they look to others to help them formulate an opinion. Even when they are confident of their beliefs, consensus opinions can be very persuasive. This can be seen in the light dot experiment. In this study, individuals were asked how much a (stationary) dot of light was moving. It appeared to move due to autokinetic effect. Days later, the subjects were divided into groups. Despite very different earlier estimates, responses “normalized” to the broader group. If brought back to provide an individual estimate, individuals continued to provide the group estimate.[9]

How consensus is used in phishing: Adversaries exploit cultural trends. For example, when there is a natural disaster, there are often several illegitimate organizations posing as a charity to elicit donations.

Leveraging consensus to reduce phishing: Highlight positive security behaviors among other employees or report favorable statistics that indicate most people are complying with a security policy.

The more complex life becomes, the more likely humans will rely on cognitive shortcuts to make decisions. Educate your employees on how the Cialdini’s Six Principles of Persuasion can be used to trick them. Try implementing the principles in your own communication and training programs to improve compliance. Over time, you can build a culture that is less likely to fall for social engineering campaigns.

Watch “The psychology of social engineering: the soft side of cybercrime” presentation at InfoSec World v2020.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.

[1] Trick with treat – Reciprocity increases the willingness to communicate personal data, Happ, Melzer, Steffgen, https://dl.acm.org/citation.cfm?id=2950731
[2] 2016 Enterprise Phishing Susceptibility and Resiliency Report, https://phishme.com/enterprise-phishing-susceptibility-report
[3] Microsoft Global Survey on Tech Support Scams, https://mscorpmedia.azureedge.net/mscorpmedia/2016/10/Microsoft_Infographic_final.pdf
[4] Kunz, Phillip R; Woolcott, Michael (1976-09-01). “Season’s greetings: From my status to yours.” Social Science Research. 5 (3): 269–278
[5] Worchel, Stephen; Lee, Jerry; Adewole, Akanbi (1975). “Effects of supply and demand on ratings of object value.” Journal of Personality and Social Psychology. 32 (5): 906–914.
[6] Milgram, Stanley (1963). “Behavioral Study of Obedience.” Journal of Abnormal and Social Psychology. 67(4): 371–8.
[7] Commitment and Behavior Change: Evidence from the Field Katie Baca-Motes, Amber Brown, Ayelet Gneezy, Elizabeth A. Keenan, Leif D. Nelson Journal of Consumer Research, Volume 39, Issue 5, 1 February 2013, Pages 1070–1084
[8] Regan, Dennis T. (1971-11-01). “Effects of a favor and liking on compliance.” Journal of Experimental Social Psychology. 7 (6): 627–639.
[9] Sherif, M (1935). “A study of some social factors in perception.” Archives of Psychology. 27: 187.

The post The psychology of social engineering—the “soft” side of cybercrime appeared first on Microsoft Security.

CISO Stressbusters: Post #2: 4 tips for getting the first 6 months right as a new CISO

June 23rd, 2020 No comments

In your first six months in a new Chief Information Security Officer (CISO) role, you will often be tasked with building a security program. For some of us this is the most exciting part of the job, but it can also be stressful. You’re probably working under a deadline. Plus, it can be difficult to affect change while you’re learning the corporate culture.

In my role as CISO at Mainstay Technologies, I run a team that is responsible for security for each of our clients. I’ve learned a lot about what it takes to create a security program that’s sustainable in different organization types, sizes and industries. In this post, the second in the CISO Stressbusters series, I’ve distilled my learnings into four tips that you can apply to your own organization.

1. What makes your organization tick?

An effective security program requires participation from people across the organization. If you understand what drives decision-making and behavior, it will help you develop a scalable and sustainable plan that will be implemented and accepted into your culture. Talk with and interview team members at all levels of the organization and across departments to understand the shared values that drive the company. Identify how the organization collaborates, how decisions are made, and what your company’s risk tolerance is.

2. Do you know where all your data is? Are you sure?

Before you can implement a new program, you need to understand your current state and the gap that exists between where you are today and standards that must be met. You may need to lower real-world risk, satisfy compliance demands, or likely, both.

Start by identifying data privacy laws that you must comply with (i.e., California Privacy Protect Act or Massachusetts 201 CMR 17) and compliance frameworks that you may be contractually obligated to adhere to (i.e., DFARS NIST 800-171 or CMMC) or select a standard you will align yourself to (i.e., the NIST Cybersecurity Framework). The data that you are trying to protect must be at the core of a discovery effort. Are you protecting classified information, controlled unclassified information, patient health information, personally identifiable information, etc.? Classify it, then identify how it flows and where it lives. Then build defensive layers to protect it.

A risk assessment should be completed that includes your compliance gap analysis as well as a detailed analysis of internal and external threats and vulnerabilities (technical and organizational). This will also help to generate your risk profile: Risk equals probability multiplied by impact.

It’s also helpful to gather tangible evidence when conducting your assessment. Vulnerability, account control, and role-based access reports should all be standard. During your interviews you may hear about very organized data flows. Run a data discovery scan to see what type of data is actually being stored in which locations. Do you know how well trained your staff is? Think about integrating a red team exercise or include physical security tests. Or consider starting with something basic like phishing tests.

When Mainstay engages with a new client, we interview stakeholders to understand how they manage and protect data, and then we verify. When the assessment is complete, we move into mitigation and remediation strategies. This includes developing plans to close technical, administrative, and physical gaps. If you don’t have written information security policies and a system security plan, this should be evident in your assessment and will be part of your remediation strategy. If you don’t know who is in your building or connected to your network, physical controls, and network access controls should be implemented. We often find that data controls aren’t nearly as strong as people think, so when it comes to assessment the best approach is trust but verify.

Microsoft Defender Advanced Threat Protection (ATP) is a great technical example of software that can help you identify and manage threats and vulnerabilities in your environment.

3. Mind the gap

A thorough risk assessment gives you the data you need to start building your information security program. From there, highlight your gaps and build a remediation roadmap with milestones.  Your security posture should increase each step of the way. Work towards a continuous monitoring strategy. Define where you would like your security program to be in six months vs. two years, align with your stakeholders, and build momentum. Prioritize quick wins that you can close out now to help reduce risk immediately.

4. Map everything to the “Why”

Upfront legwork to understand the corporate culture will pay off when it’s time to establish new security policies and training. You will need to embed operational change throughout the organization. To do so requires company buy-in and participation.

Educate executives and business leaders on risk management. Show them how the changes you are recommending will improve ROI. Develop a cross-discipline governance team that reports on cybersecurity risk management at the leadership level. Conduct regular training and check ins to make sure processes are being followed. By distributing the responsibility, you will alleviate the pressure on you and your team, and it will help you build a security culture. A win-win!

Looking ahead

The job of a CISO is stressful. Don’t do it alone. Ally with people in your organization who share your values and can help you achieve your goals. Connect with CISOs from other companies who can commiserate and share advice. And stay tuned for the next CISO Stressbuster post for more advice from other CISOs and security professionals in the trenches.

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to Diana Kelley on LinkedIn if you’re interested in being interviewed for one of our upcoming posts on CISO insights and stressbusters.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post CISO Stressbusters: Post #2: 4 tips for getting the first 6 months right as a new CISO appeared first on Microsoft Security.

Zero Trust Deployment Guide for devices

May 26th, 2020 No comments

The modern enterprise has an incredible diversity of endpoints accessing their data. This creates a massive attack surface, and as a result, endpoints can easily become the weakest link in your Zero Trust security strategy.

Whether a device is a personally owned BYOD device or a corporate-owned and fully managed device, we want to have visibility into the endpoints accessing our network, and ensure we’re only allowing healthy and compliant devices to access corporate resources. Likewise, we are concerned about the health and trustworthiness of mobile and desktop apps that run on those endpoints. We want to ensure those apps are also healthy and compliant and that they prevent corporate data from leaking to consumer apps or services through malicious intent or accidental means.

Get visibility into device health and compliance

Gaining visibility into the endpoints accessing your corporate resources is the first step in your Zero Trust device strategy. Typically, companies are proactive in protecting PCs from vulnerabilities and attacks, while mobile devices often go unmonitored and without protections. To help limit risk exposure, we need to monitor every endpoint to ensure it has a trusted identity, has security policies applied, and the risk level for things like malware or data exfiltration has been measured, remediated, or deemed acceptable. For example, if a personal device is jailbroken, we can block access to ensure that enterprise applications are not exposed to known vulnerabilities.

  1. To ensure you have a trusted identity for an endpoint, register your devices with Azure Active Directory (Azure AD). Devices registered in Azure AD can be managed using tools like Microsoft Endpoint Manager, Microsoft Intune, System Center Configuration Manager, Group Policy (hybrid Azure AD join), or other supported third-party tools (using the Intune Compliance API + Intune license). Once you’ve configured your policy, share the following guidance to help users get their devices registered—new Windows 10 devices, existing Windows 10 devices, and personal devices.
  2. Once we have identities for all the devices accessing corporate resources, we want to ensure that they meet the minimum security requirements set by your organization before access is granted. With Microsoft Intune, we can set compliance rules for devices before granting access to corporate resources. We also recommend setting remediation actions for noncompliant devices, such as blocking a noncompliant device or offering the user a grace period to get compliant.

Restricting access from vulnerable and compromised devices

Once we know the health and compliance status of an endpoint through Intune enrollment, we can use Azure AD Conditional Access to enforce more granular, risk-based access policies. For example, we can ensure that no vulnerable devices (like devices with malware) are allowed access until remediated, or ensure logins from unmanaged devices only receive limited access to corporate resources, and so on.

  1. To get started, we recommend only allowing access to your cloud apps from Intune-managed, domain-joined, and/or compliant devices. These are baseline security requirements that every device will have to meet before access is granted.
  2. Next, we can configure device-based Conditional Access policies in Intune to enforce restrictions based on device health and compliance. This will allow us to enforce more granular access decisions and fine-tune the Conditional Access policies based on your organization’s risk appetite. For example, we might want to exclude certain device platforms from accessing specific apps.
  3. Finally, we want to ensure that your endpoints and apps are protected from malicious threats. This will help ensure your data is better-protected and users are at less risk of getting denied access due to device health and/or compliance issues. We can integrate data from Microsoft Defender Advanced Threat Protection (ATP), or other Mobile Threat Defense (MTD) vendors, as an information source for device compliance policies and device Conditional Access rules. Options below:

Enforcing security policies on mobile devices and apps

We have two options for enforcing security policies on mobile devices: Intune Mobile Device Management (MDM) and Intune Mobile Application Management (MAM). In both cases, once data access is granted, we want to control what the user does with the data. For example, if a user accesses a document with a corporate identity, we want to prevent that document from being saved in an unprotected consumer storage location or from being shared with a consumer communication or chat app. With Intune MAM policies in place, they can only transfer or copy data within trusted apps such as Office 365 or Adobe Acrobat Reader, and only save it to trusted locations such as OneDrive or SharePoint.

Intune ensures that the device configuration aspects of the endpoint are centrally managed and controlled. Device management through Intune enables endpoint provisioning, configuration, automatic updates, device wipe, or other remote actions. Device management requires the endpoint to be enrolled with an organizational account and allows for greater control over things like disk encryption, camera usage, network connectivity, certificate deployment, and so on.

Mobile Device Management (MDM)

  1. First, using Intune, let’s apply Microsoft’s recommended security settings to Windows 10 devices to protect corporate data (Windows 10 1809 or later required).
  2. Ensure your devices are patched and up to date using Intune—check out our guidance for Windows 10 and iOS.
  3. Finally, we recommend ensuring your devices are encrypted to protect data at rest. Intune can manage a device’s built-in disk encryption across both macOS and Windows 10.

Meanwhile, Intune MAM is concerned with management of the mobile and desktop apps that run on endpoints. Where user privacy is a higher priority, or the device is not owned by the company, app management makes it possible to apply security controls (such as Intune app protection policies) at the app level on non-enrolled devices. The organization can ensure that only apps that comply with their security controls, and running on approved devices, can be used to access emails or files or browse the web.

With Intune, MAM is possible for both managed and unmanaged devices. For example, a user’s personal phone (which is not MDM-enrolled) may have apps that receive Intune app protection policies to contain and protect corporate data after it has been accessed. Those same app protection policies can be applied to apps on a corporate-owned and enrolled tablet. In that case, the app-level protections complement the device-level protections. If the device is also managed and enrolled with Intune MDM, you can choose not to require a separate app-level PIN if a device-level PIN is set, as part of the Intune MAM policy configuration.

Mobile Application Management (MAM)

  1. To protect your corporate data at the application level, configure Intune MAM policies for corporate apps. MAM policies offer several ways to control access to your organizational data from within apps:
    • Configure data relocation policies like save-as restrictions for saving organization data or restrict actions like cut, copy, and paste outside of organizational apps.
    • Configure access policy settings like requiring simple PIN for access or blocking managed apps from running on jailbroken or rooted devices.
    • Configure automatic selective wipe of corporate data for noncompliant devices using MAM conditional launch actions.
    • If needed, create exceptions to the MAM data transfer policy to and from approved third-party apps.
  2. Next, we want to set up app-based Conditional Access policies to ensure only approved corporate apps access corporate data.
  3. Finally, using app configuration (appconfig) policies, Intune can help eliminate app setup complexity or issues, make it easier for end users to get going, and ensure better consistency in your security policies. Check out our guidance on assigning configuration settings.

Conclusion

We hope the above helps you deploy and successfully incorporate devices into your Zero Trust strategy. Make sure to check out the other deployment guides in the series by following the Microsoft Security blog. For more information on Microsoft Security Solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust Deployment Guide for devices appeared first on Microsoft Security.

Operational resilience in a remote work world

May 18th, 2020 No comments

Microsoft CEO Satya Nadella recently said, “We have seen two years’ worth of digital transformation in two months.” This is a result of many organizations having to adapt to the new world of document sharing and video conferencing as they become distributed organizations overnight.

At Microsoft, we understand that while the current health crisis we face together has served as this forcing function, some organizations might not have been ready for this new world of remote work, financially or organizationally. Just last summer, a simple lightning strike caused the U.K.’s National Grid to suffer the biggest blackout in decades. It affected homes across the country, shut down traffic signals, and closed some of the busiest train stations in the middle of the Friday evening rush hour. Trains needed to be manually rebooted causing delays and disruptions. And, when malware shut down the cranes and security gates at Maersk shipping terminals, as well as most of the company’s IT network—from the booking site to systems handling cargo manifests, it took two months to rebuild all the software systems, and three months before all cargo in transit was tracked down—with recovery dependent on a single server having been accidentally offline during the attack due to the power being cut off.

Cybersecurity provides the underpinning to operationally resiliency as more organizations adapt to enabling secure remote work options, whether in the short or long term. And, whether natural or manmade, the difference between success or struggle to any type of disruption requires a strategic combination of planning, response, and recovery. To maintain cyber resilience, one should be regularly evaluating their risk threshold and an organization’s ability to operationally execute the processes through a combination of human efforts and technology products and services.

While my advice is often a three-pronged approach of turning on multi-factor authentication (MFA)—100 percent of your employees, 100 percent of the time—using Secure Score to increase an organization’s security posture and having a mature patching program that includes containment and isolation of devices that cannot be patched, we must also understand that not every organization’s cybersecurity team may be as mature as another.

Organizations must now be able to provide their people with the right resources so they are able to securely access data, from anywhere, 100 percent of the time. Every person with corporate network access, including full-time employees, consultants, and contractors, should be regularly trained to develop a cyber-resilient mindset. They shouldn’t just adhere to a set of IT security policies around identity-based access control, but they should also be alerting IT to suspicious events and infections as soon as possible to help minimize time to remediation.

Our new normal means that risks are no longer limited to commonly recognized sources such as cybercriminals, malware, or even targeted attacks. Moving to secure remote work environment, without a resilience plan in place that does not include cyber resilience increases an organization’s risk.

Before COVID, we knew that while a majority of firms have a disaster recovery plan on paper, nearly a quarter never test that, and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.

Operational resilience cannot be achieved without a true commitment to, and investment in, cyber resilience. We want to help empower every organization on the planet by continuing to share our learnings to help you reach the state where core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, or even cyber events.

Learn more about our guidance related to COVID-19 here, and bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Operational resilience in a remote work world appeared first on Microsoft Security.

CISO stress-busters: post #1 overcoming obstacles

May 11th, 2020 No comments

As part of the launch of the U.S. space program’s moon shot, President Kennedy famously said we do these things “not because they are easy, but because they are hard.” The same can be said for the people responsible for security at their organizations; it is not a job one takes because it is easy. But it is critically important to keep our digital lives and work safe. And for the CISOs and leaders of the world, it is a job that is more than worth the hardships.

Recent research from Nominet paints a concerning picture of a few of those hardships. Forty-eight percent of CISO respondents indicated work stress had negatively impacted their mental health, this is almost double the number from last year’s survey. Thirty-one percent reported job stress had negatively impacted their physical health and 40 percent have seen their job stress impacting their personal lives. Add a fairly rapid churn rate (26 months on average) to all that stress and it’s clear CISOs are managing a tremendous amount of stress every day. And when crises hit, from incident response after a breach to a suddenly remote workforce after COVID-19, that stress only shoots higher.

Which is why we’re starting this new blog series called “CISO stress-busters.” In the words of CISOs from around the globe, we’ll be sharing insights, guidance, and support from peers on the front lines of the cyber workforce. Kicking us off—the main challenges that CISOs face and how they turn those obstacles into opportunity. The goal of the series is to be a bit of chicken (or chik’n for those vegans out there) soup for the CISO’s soul.

Today’s post features wisdom from three CISOs/Security Leaders:

  • TM Ching, Security CTO at DXC Technology
  • Jim Eckart, (former) CISO at Coca-Cola
  • Jason Golden, CISO at Mainstay Technologies

Clarifying contribution

Ask five different CEOs what their CISOs do and after the high level “manage security” answer you’ll probably get five very different explanations. This is partly because CISO responsibility can vary widely from company to company. So, it’s no surprise that many of the CISOs we interviewed touched on this point.

TM Ching summed it up this way, “Demonstrating my role to the organization can be a challenge—a role like mine may be perceived as symbolic” or that security is just here to “slow things down.” For Jason, “making sure that business leaders understand the difference between IT Operations, Cybersecurity, and InfoSec” can be difficult because execs “often think all of those disciplines are the same thing” and that since IT Ops has the products and solutions, they own security. Jim also bumped up against confusion about the security role with multiple stakeholders pushing and pulling in different directions like “a CIO who says ‘here is your budget,’ a CFO who says ‘why are you so expensive?’ and a general counsel who says ‘we could be leaking information everywhere.’”

What works:

  • Educate Execs—about the role of a CISO. Helping them “understand that it takes a program, that it’s a discipline.” One inflection point is after a breach, “you may be sitting there with an executive, the insurance company, their attorneys, maybe a forensics company and it always looks the same. The executive is looking down the table at the wide-eyed IT person saying ‘What happened?’” It’s a opportunity to educate, to help “make sure the execs understand the purpose of risk management.”—Jason Golden.   To see how to do this watch Microsoft CISO Series Episode 2 Part 1:  Security is everyone’s Business
  • Show Don’t Tell—“It is important to constantly demonstrate that I am here to help them succeed, and not to impose onerous compliance requirements that stall their projects.”—TM Ching
  • Accountability Awareness—CISOs do a lot, but one thing they shouldn’t do is to make risk decisions for the business in a vacuum. That’s why it’s critical to align “all stakeholders (IT, privacy, legal, financial, security, etc.) around the fact that cybersecurity and compliance are business risk issues and not IT issues. IT motions are (and should be) purely in response to the business’ decision around risk tolerance.”—Jim Eckart

Exerting influence

Fans of Boehm’s curve know that the earlier security can be introduced into a process, the less expensive it is to fix defects and flaws. But it’s not always easy for CISOs to get security a seat at the table whether it’s early in the ideation process for a new customer facing application or during financial negotiations to move critical workloads to the cloud. As TM put it, “Exerting influence to ensure that projects are secured at Day 0. This is possibly the hardest thing to do.” And because “some business owners do not take negative news very well” telling them their new app baby is “security ugly” the day before launch can be a gruesome task. And as Jason pointed out, “it’s one thing to talk hypothetically about things like configuration management and change management and here are the things that you need to do to meet those controls so you can keep your contract. It’s a different thing to get that embedded in operations so that IT and HR all the way through finance are following the rules for change management and configuration management.”

What Works:

  • Negotiate engagement—To avoid the last minute “gotchas” or bolting on security after a project has deployed, get into the conversation as early as possible. This isn’t easy, but as TM explains, it can be done. “It takes a lot of negotiations to convince stakeholders why it will be beneficial for them in the long run to take a pause and put the security controls in place, before continuing with their projects.”
  • Follow frameworks—Well-known frameworks like the NIST Cybersecurity Framework, NIST SP800-53, and SP800-37 can help CISOs “take things from strategy to operations” by providing baselines and best practices for building security into the entire organization and systems lifecycle. And that will pay off in the long run; “when the auditors come calling, they’re looking for evidence that you’re following your security model and embedding that throughout the organization.” —Jason

Cultivating culture

Wouldn’t it be wonderful if every company had a security mindset and understood the benefits of having a mature, well-funded security and risk management program? If every employee understood what a phish looks like and why they should report it? Unfortunately, most companies aren’t laser focused on security, leaving that education work up to the CISO and their team. And having those conversations with stakeholders that sometimes have conflicting agendas requires technical depth and robust communication skills. That’s not easy. As Jim points out, “it’s a daunting scope of topics to be proficient in at all levels.

What works:

  • Human firewalls—All the tech controls in the world won’t stop 100 percent of attacks, people need to be part of the solution too. “We can address administrative controls, technical controls, physical controls, but you also need to address the culture and human behavior, or the human firewalls. You know you’re only going to be marginally successful if you don’t engage employees too.” —Jason
  • Know your audience—CISOs need to cultivate “depth and breadth. On any given day, I needed to move from board-level conversations (where participants barely understand security) all the way to the depths of zero day vulnerabilities, patching, security architecture.” —Jim

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to me on LinkedIn and let me know what you thought of this article and if you’re interested in being interviewed for one of our upcoming posts.

The post CISO stress-busters: post #1 overcoming obstacles appeared first on Microsoft Security.

Transparency & Trust in the Cloud Series: Mountain View, California

April 28th, 2015 No comments

T&T Banner

I was in Silicon Valley recently speaking at another Transparency & Trust in the Cloud event. Thank-you very much to all the customers that made time to join us at the Microsoft campus in Mountain View, California! This was another very well attended event with numerous large enterprise customers located in the vicinity in attendance.

Like all the Transparency and Trust events prior to this one, I learned from the attendees what their expectations are for a Cloud Service Provider when it comes to security, privacy and compliance. We had several lively discussions on a range of topics. These are some of the themes that emerged during our discussions:

  • How do customers move data from existing on-premise applications into new applications in the Cloud?
  • What compliance artifacts does Microsoft provide to its Cloud customers?
  • Does Microsoft provide architectural diagrams of what its cloud services look like to its customers?
  • What process does Microsoft use for incident response in the Cloud?

My next stop on this tour is San Diego on April 14th and there are still a few other opportunities to learn more about Microsoft’s approach to building the industry’s most trustworthy Cloud. Please refer to the Transparency & Trust Series event schedule. As always, your Microsoft account team is available if you have any questions about these events.

Tim Rains
Chief Security Advisor
WW Cybersecurity & Data Protection, Microsoft

Transparency & Trust in the Cloud Series: Omaha and Des Moines

April 8th, 2015 No comments

I was in Omaha and Des Moines last week speaking at more Transparency & Trust in the Cloud events. The events in Omaha and Des Moines were very well attended; thank you very much to all the customers that made time to join us. The feedback from the CIOs, CISOs, attorneys, and IT professionals that attended has been very positive.

Dennis Garcia, Assistant General Counsel from Legal and Corporate Affairs at Microsoft talking with customers at a Transparency & Trust in the Cloud Series event in Des Moines

Dennis Garcia, Assistant General Counsel from Legal and Corporate Affairs at Microsoft talking with customers at the Transparency & Trust in the Cloud Series event in Des Moines

I learn from the customers attending these events as much as they learn from the speakers. The themes that emerged during the conversations in Omaha and Des Moines included:

  • Is Microsoft’s plan to get every compliance certification and attestation possible in every country/region where it does business?
  • Does Microsoft sign Business Associate Agreements?
  • How does Microsoft help its customers during incident response investigations?
  • What are best practices for managing crisis communications during and after a breach?
  • What is Microsoft doing to help governments craft public policy for cybersecurity?

My next stops on this tour are Mountain View on April 16th, and San Diego on May 14th. If you are an enterprise customer and would like to learn more about Microsoft’s approach to building the industry’s most trustworthy Cloud, check out the current Transparency & Trust in the Cloud event schedule and please reach out to your account team to find out if one of these events is coming to your area in the future.

I’m also speaking at the RSA Conference 2015 in San Francisco on April 21st – if you are attending the conference, please check out some of the Microsoft sessions.

California here I come!

Building Trust in the Cloud: The CSO50 Security Confab + Awards

March 9th, 2015 No comments

Recently, I was privileged to attend and present at the 2015 CSO50 Security Confab + Awards in Florida. This event, organized by CSO Magazine, brought together hundreds of Chief Information Security Officers and other executives from many organizations across the US. I had the chance to meet with many of the attendees to discuss their top-of-mind security concerns, particularly when considering adopting cloud services.

The topics we covered varied, with two consistent themes emerging:

  • Does moving to the cloud help an organization’s security profile?, and
  • The notion of eDiscovery fitting into their existing process [eDiscovery, or electronic discovery, is the process used by organizations to find, preserve, analyze, and package electronic content (also referred to as electronically stored information) for a legal request or investigation.]

The “Security Confab” featured a fascinating mix of 30-minute presentations and unique, 18-minute “flash” presentations. This fast-paced approach worked well in helping to keep the audience engaged, and further spurring a range of follow-up conversations afterwards.

As noted, this was also an opportunity to award exemplary organizations and individuals who are making a difference in the industry by helping to improve security and data protection for many of our customers. I would like to congratulate all of the CSO50 Awards Honorees for their contributions. Well done! You can find a list of the Honorees at this website.

CSO50 Presentation

My colleagues and I are continually engaging with organizations in a number of cities across the US through our series, “Transparency & Trust in the Cloud”, where we discuss many of the same issues covered at the CSO50 Confab—read my recent blog on the latest events in Kansas City, St. Louis and Minneapolis.

If you are a CIO, CISO, General Counsel, or operations leader in an enterprise organization and would like to learn more about the Microsoft approach to building the industry’s most trustworthy cloud, please reach out to your account team and inquire.

I’d like to thank those customers who shared their time with me during the CSO50 Security Confab, and look forward to meeting others at future events.

Transparency & Trust in the Cloud Series: Kansas City, St. Louis, Minneapolis

March 5th, 2015 No comments

Over the last few months, Microsoft has hosted a series of events to bring together Chief Information Officers (CIO) and their legal counsels, Chief Information Security Officers (CISO), as well as IT operations leaders from enterprises in cities across the US. These “Transparency & Trust in the Cloud” events aim to highlight and discuss the security, privacy, compliance, and transparency capabilities of Microsoft’s cloud services.

Recently, I was given the opportunity to attend and speak at those in Kansas City, St. Louis, and Minneapolis. I was also able speak directly with many enterprise customers in each city. I was joined by other Microsoft cloud subject matter experts, where together, we answered a range of technology, business process, and legal questions that attendees had—and believe me, they had some well-thought, complex questions!

For example, in Kansas City, attendees asked about service level agreements and were provided with the Microsoft perspective by our Assistant General Counsel, Dennis Garcia. In St. Louis, we were asked about Microsoft’s own journey to move workloads and applications from on premise to the cloud. Ryan Reed, from Microsoft IT, has been doing this work at Microsoft for some time, and shared architectural and development considerations with the audience. Enterprise customers in Minneapolis asked questions ranging from eDiscovery to security incident notifications, to the right to audit, to protecting sensitive healthcare information. These discussions are also extremely helpful to us, at Microsoft, to better understand which topics are top of mind for enterprise customers who are evaluating the use of or adopting cloud services.

I would like to again thank those customers who attended these events. Thank-you!

More meetings like these have been scheduled in different cities across the country. If you are a CIO, CISO, legal counsel, or operations leader for an enterprise organization and would like to learn more about the Microsoft approach to building the industry’s most trustworthy cloud, please reach out to your account team to inquire.

I’m looking forward to meeting more customers and having deeper discussions on trust and transparency in the cloud in the coming weeks.

CISO Perspectives on Compliance in the Cloud

September 9th, 2013 No comments

Regulatory compliance is a hot topic among many of the customers I talk to. Of particular interest is compliance as it relates to the cloud. It is a challenging topic and there are many regulations that Chief Information Security Officers (CISOs) need to be aware of and adhere to and these can vary significantly by industry and location.

Today Trustworthy Computing is releasing an executive level article providing insight on the challenges, success factors and potential solutions of compliance from CISOs representing some of the world’s largest organizations. Our aim is to share and highlight some of the key things that other CISOs and information and security risk specialists might want to consider in relation to the topic of compliance.  Read more

…(read more)