Skip to main content
5 Key Updates in NIST Framework 2.0 to Know About

5 Key Updates in NIST Framework 2.0 to Know About

By Executive, Impelix, Impelix IMPACT Platform, Practitioner, Thoughts

The National Institute of Standards and Technology (NIST) recently unveiled the second iteration of its cybersecurity framework, commonly referred to as NIST Framework 2.0. This updated version introduces significant enhancements and changes that reflect the evolving landscape of cybersecurity threats and the need for more adaptive and robust security measures. The original framework, established to provide organizations with a comprehensive set of guidelines for managing cybersecurity risk, has been widely adopted across various sectors. However, as cyber threats have grown in complexity and frequency, the need for an updated framework became evident. This blog will explore the key updates in NIST Framework 2.0 and highlight the major differences from its predecessor.

1. Enhanced Emphasis on Privacy and Supply Chain Risk Management

One of the most notable updates in NIST Framework 2.0 is the increased emphasis on privacy and supply chain risk management. The original framework touched on these areas, but the latest version provides more detailed guidance, acknowledging the interconnected nature of today’s digital ecosystems. Organizations are encouraged to adopt a more holistic approach to cybersecurity, considering not only their internal processes but also how they interact with partners, suppliers, and third-party service providers.

2. Introduction of New Categories and Subcategories

NIST Framework 2.0 introduces new categories and subcategories that address emerging technologies and threat vectors. For instance, there is now more explicit guidance on cloud security, mobile device management, and the Internet of Things (IoT). These additions are designed to help organizations navigate the security challenges associated with these technologies, which were not as prevalent or critical when the original framework was developed.

3. Focus on Cybersecurity Resilience

Another significant shift in NIST Framework 2.0 is the increased focus on cybersecurity resilience. While the original framework emphasized identifying, protecting, detecting, responding, and recovering from cybersecurity incidents, the new version goes further by stressing the importance of resilience throughout these stages. This means not only reacting to cyber threats but also ensuring that operations can continue during and after an attack. The updated framework encourages organizations to develop and maintain systems that are not only secure but also resilient to disruptions.

4. Improved Accessibility and Flexibility

Recognizing the wide range of organizations that use the framework, from small businesses to large enterprises and government agencies, NIST Framework 2.0 is designed to be more accessible and flexible. The language has been simplified where possible to make the guidelines more approachable for non-experts. Additionally, the framework offers more examples and templates to assist organizations in implementing the recommended security measures. This inclusivity ensures that organizations of all sizes and sectors can effectively apply the framework to improve their cybersecurity posture.

5. Strengthened Alignment with Other Standards and Frameworks

NIST Framework 2.0 aims for better alignment with other international standards and cybersecurity frameworks, such as ISO/IEC 27001 and the CIS Controls. This harmonization is beneficial for organizations that adhere to multiple standards, as it simplifies compliance efforts and strengthens overall cybersecurity practices. By ensuring compatibility with other widely recognized frameworks, NIST makes it easier for organizations to adopt a comprehensive and cohesive approach to managing cybersecurity risk.

In Summary

Comparing NIST Framework 2.0 to its predecessor, the most significant differences lie in its broader scope, which now includes detailed guidance on privacy and supply chain risks, and its adaptability to emerging technologies. The emphasis on resilience and the efforts to make the framework more accessible and aligned with other standards demonstrate a forward-thinking approach to cybersecurity. The release of NIST Framework 2.0 marks a significant milestone in the evolution of cybersecurity standards. By addressing current challenges and providing clear, actionable guidance, the framework is a vital resource for organizations aiming to bolster their cybersecurity measures. As cyber threats continue to evolve, staying abreast of updates like NIST Framework 2.0 is crucial for organizations committed to safeguarding their operations and assets against cyber risks.

How Impelix IMPACT Can Help With Compliance

With the modifications to the NIST Framework, you may be wondering how they impact your cybersecurity maturity. The IMPACT platform from Impelix approaches compliance through a data-driven strategy. By integrating all the technologies in your stack and collecting telemetry, IMPACT can provide a real-time snapshot of your compliance progress with no effort. You will be able to check against common frameworks such as NIST CSF, ISO 27001, CIS CSC, and NIST 2.0, which will be introduced to the platform shortly. This allows you to assess your organization’s preparedness against a cybersecurity framework in a cost-effective manner.

Is Third-Party Risk That Bad?

Is Third-Party Risk That Bad?

By Enterprise Risk, Executive, IMPACT for MSSPs, Impelix IMPACT Platform, Thoughts

As a CTO with 25 years of cybersecurity experience, I am never at ease with the state of cybersecurity. It’s not because we’re not doing our jobs, it’s just that our modern-day businesses operate as part of a larger business ecosystem and I am concerned about the additional risks operating like this brings to an organization. Specifically, I am talking about third-party risk.

It is a hidden weakness that may undermine even the most formidable organizations, much like Superman’s kryptonite. Financial losses, operational disruptions, and reputational damage can occur as a result of a vendor, supplier, or contractor’s single slip-up, leaving you feeling helpless.

Why is third-party risk so potent? It’s simple:

  • Increased Reliance on External Partners: We outsource more than ever before, from IT infrastructure to marketing campaigns. This expands our attack surface, making us vulnerable to the weaknesses of others. It’s the weakest link principle, you are “only as strong as its weakest link.”
  • Lack of Transparency: When it comes to the security and operations of third parties, we don’t always have complete control.
  • Complex Ecosystem: The web of third-party relationships can be intricate and ever-changing, making it difficult to track and manage risk effectively

I am not trying to instill fear in you, but the potential fallout is no joke:

Data Breaches

A third-party’s immature security posture could expose your sensitive data, leading to lawsuits, fines, and eroded trust.

 

Click infographic to enlarge

Operational Disruptions

A critical vendor outage can cripple your entire business, costing you revenue and damaging customer relationships.

Production at some of Stellantis’ North American assembly plants were offline for approximately 3 days.

Source: BleepingComputer

Damage to Reputation

Hearing of your outside party’s cybersecurity incident can swiftly tarnish your brand, making it hard to entice consumers and investors.

The public disclosure of the hack that affected more than 18,000 companies and many government bodies caused SolarWinds’ stock price to plummet.

Source: SolarWinds

So, what can we do to avoid the kryptonite kiss of death? Here’s my playbook:

  • Proactive Due Diligence: Thoroughly examine potential risks before onboarding any third party as part of proactive due diligence. Look at their security measures, regulatory compliance, and financial soundness. Do not merely mark the box; delve deeply.
  • Contractual Safeguards: Craft watertight contracts that clearly define risk ownership, incident response protocols, and termination clauses. Make sure you’re not left holding the kryptonite bag.
  • Always Be Watching: Never Leave It Alone. Keep a close eye on how well your third parties are doing and how secure they are. To remain one step ahead of possible dangers, make use of technological and intelligence-based solutions.
  • Open Communication: Foster open communication channels with your third parties. Encourage them to share security updates, incident reports, and any concerns they may have. Remember, we’re all in this kryptonite fight together.
  • Build a Culture of Awareness: Educate your employees about third-party risk and how their actions can impact it. Encourage them to report suspicious activity and be vigilant about phishing attacks and social engineering scams.

If you follow these steps, you can make third-party risk work for you instead of against you. Your operational efficiency, competitive edge, and organization’s resilience can all be improved with a well-managed ecosystem of third parties.

Remember, in the game of risk management, Superman might be able to fly, but a proactive approach is the real magic bullet. So, go forth, brave risk managers, and conquer the kryptonite!

Just a friendly reminder to include kryptonite-resistant underwear in your budget... I mean, cyber insurance. Being cautious is preferable than being unprepared.

Sources:
1. Ponemon Institute and Shared Assessments survey - Third-Party Risk Management Benchmarking Study 2019
2. Predictions 2022: Cybersecurity, Risk and Privacy, Forrester Research, Inc., Oct. 28, 2021

The Evolution of Digital Security Or: How I Learned to Stop Worrying and Love the (Narrow) AI

The Evolution of Digital Security or: How I Learned to Stop Worrying and Love the (Narrow) AI

By Enterprise Risk, Executive, IMPACT for MSSPs, Impelix IMPACT Platform, Practitioner, SecOps, Thoughts


A Brief History

I was thinking recently about the evolution of digital security over the past 25 years. We went from a world of wired connections and office buildings to global networks of cloud resources that are accessed as often from phones and tablets as they are from corporately managed devices. We lived in a world where security consisted of a firewall, antivirus, and a keycard to access the building. And now the average enterprise organization has more than twenty-five security tools in their stack. We came from a world where “the IT guy” oversaw security to one where we have red teams, blue teams, purple teams, SOC analysts, incident responders, threat hunters, and more. Attacks used to cause a user’s PC to pop-up ads for sketchy websites. Now they encrypt an organization’s data, compromise SSO credentials and exfiltrate critical intellectual property for sale to the highest bidder. To say that the increase in complexity has been exponential would be a glaring understatement. And yet, one thing has remained constant in this world of upheaval. The protection of organizations’ digital assets still falls to human beings. And the front line of defense is the SOC analyst.

The Challenge

Unfortunately, this evolution of digital threats did not come with a corresponding evolution in the ability to detect and respond to them. The evolution in tools, although necessary, also created its own problems. Every tool operates in its own silo, and generates alerts based on its own narrow view of the world. With over twenty tools, each generating alerts, the volume of data being thrown at the SOC analyst quickly became overwhelming (and is getting worse).

The Pain

What was the result of this explosion of tools?

Security:
  • Missed Detections: The increased number of alerts and the high volume of noise (i.e. false positives) leads to real alerts being dismissed due to Alert Fatigue.
  • Inadequate Response: Even when an event is properly detected, it requires time and analyst expertise to understand the breadth of the incident. Increasingly complex attacks may not be fully understood and only partially remediated, leaving an attacker access to the network.
Organization:
  • Staffing: Too many alerts, not enough time, and the stress of the outcome for missed detections leads to analyst burnout. Mated to the tedious nature of triaging thousands of (mostly false) alerts, with little meaningful proactive work, low job satisfaction and turnover often follow.
  • Cost: The human cost of staffing a SOC has skyrocketed. Experienced security practitioners who can understand the data generated by dozens of disparate tools, and correlate this data, are hard to find. This, coupled with the volume of people required to triage hundreds or thousands of alerts per day, creates a need for a large, skilled security operations team.

The Solution! (Or was it?)

In 2005, Gartner coined the term “SIEM” in a report called “Improve IT Security with Vulnerability Management.” This ushered in a new era (and a new Magic Quadrant of vendors) to address the pains caused by the explosion of siloed tools. The promise was a simple one: Get insight into the security of the organization by centralizing the collection of this siloed data and tying together all of the “loose threads” into cohesive stories. But the devil is always in the details.

I remember one of the first lessons I learned in my freshman class “Intro to Programming Logic” was “Garbage In, Garbage Out”. And this principle became increasingly noticeable with the rapid adoption of the SIEM. Ever-increasing volumes of data didn’t provide clarity or insight, they provided higher volumes of noise. Organizations dedicated significant resources to fixing this problem, and it became a never-ending battle of “tuning the SIEM” (i.e. manually tweaking the data, the queries, the rules and alerts to minimize the amount of unimportant, or outright inaccurate data coming out of the platform). The SIEM was only as valuable as the expertise of the people who managed it (and finding these people was a significant challenge). The problem became so pronounced that a survey of security leaders by 451 Research revealed that only 21.6% of organizations felt that they were getting the value out of the SIEM that they were expecting.

But the Times, They Are A-Changin’

Although SIEM had struggled to deliver on its full potential, the core concept was a good one. All it needed was a nudge from another field of computing. And it got one in the form of AI. Although technically around since the 1950s, AI has experienced a golden age in the last 10 years due to the advances in Deep Learning, Big Data, and Large Language Models. Although Chat GPT (and its ilk) get all the publicity for the generative AI cat memes, it is the Deep Learning and Big Data modeling that have the biggest impact for security teams. These technologies enabled a massive leap forward in Narrow (or “Weak”) AI. At its core, these systems can analyze large datasets more quickly and accurately than humans, identify patterns and trends, and make data-driven predictions or decisions. They are also capable of learning and improving over time through techniques such as machine learning, particularly deep learning, where they can adjust their algorithms based on the data they process.

Sounds Cool but How Does This Solve “The SIEM Problem”?

As mentioned earlier, SIEM’s goal was to provide global insight based on the correlation of vast amounts of data. But unfortunately, it fell to human beings to make this happen, and quite frankly, we did it poorly. Narrow AI or Artificial Narrow Intelligence (ANI) was purpose built for this type of work. It is an Expert System that can simultaneously analyze tens of thousands of unique pieces of data, correlate them into a single meaningful chain of events, and discern not only the connections between them, but the bigger meaning of the incident.

Can I Fire My SOC Team Then?

Well let’s not get ahead of ourselves…

What ANI can provide, in conjunction with a large, centralized data store, is the insight that used to only be achieved through many hours of tedious log searches, and manual event correlation. If implemented well, Narrow AI can eliminate the need for alert triage completely. Well trained models will evaluate every alert and do a continuous assessment of each threat in the greater context of environment. SOC analysts only need to get involved when there is enough evidence to justify that an alert (or series of alerts) is a legitimate security incident. And when they do, they should have all the relevant data provided so that no remnant of the attack remains after remediation.

So instead of going through the 500th alert of the day your team can be threat hunting through all that collected data, or researching the latest MITRE TTPs, or working on the next security cert. But whatever they choose to do with this time, it will be more rewarding, while still providing top notch security operations. And who doesn’t want that?

Wrapping it Up

It’s been a crazy quarter of a century and I’m sure this is just the beginning. But I am confident that we can meet the challenges of the latest cyber threats and APT assaults if we learn to leverage the tools at our disposal. Personally, I wholeheartedly welcome the wonderful new world of AI. (But I reserve the right to change my mind when SKYNET becomes self aware).

PPT: A CISO’s Guide to Developing a Strong Security Posture

PPT: A CISO’s Guide to Developing a Strong Security Posture

By Enterprise Risk, Executive, IMPACT for MSSPs, Impelix IMPACT Platform, SecOps, Thoughts

In the fast-evolving realm of cybersecurity, the role of a Chief Information Security Officer (CISO) is pivotal. Securing an organization goes well beyond the all-too-common approach of “we have a tool for that”. We’re all familiar with the People, Process, Technology (PPT) Framework, but often lose sight of just how directly it applies in the realm of cybersecurity. In this blog, I’ll lay out the core strategy for leveraging the PPT framework to deliver a measurably secure enterprise.

People

Create a Culture of Security

Yes, I know it’s cliché, but that doesn’t make it untrue. Empowering your people doesn’t just mean training them on how to spot a phishing attack. It means teaching them why it’s important that they do so. FUD can be a double-edged sword, but realistic information about how a breach could affect your business, turns security vigilance from a nebulous concept to a task with a purpose.

Security Education Doesn’t Happen in One Hour a Year

Annual security training is a good starting point, but it’s unrealistic to think that your staff will absorb, retain, and use the knowledge that’s been shared. Coupled with the rapid advances in AI-developed attack techniques, regular refreshes and updates should be conducted. Even 15 minutes, once per quarter can make a big ifference.

Trust but Verify

Hire a service to test your people. (I can hear the groans coming from some of you already). Remember, this is not about singling people out for their mistakes, it’s about education through practice and repetition. Send fake phishing attempts. Send text messages. Make phishing phone calls. Make them believable, using available public records. The key here is to reward success and encourage after failure. Make it a game. Every time an employee correctly spots an attack, they get a $10 gift card. It’s a small price to pay, given the alternative.

Listen

Last, and certainly not least, listen to your employees. Too often, CISOs are so ensconced in the security bubble that they lose site of the forest for the trees. As Mike Tyson once said, “Everybody has a plan until they get punched in the mouth.” Likewise, every CISO has a plan until it meets the reality of the business. Learn from people who are struggling to do their jobs because of your comprehensive zero-trust initiative. Trust me, they will find a way to work around your controls, and that kinda defeats the purpose, no?

Process

Follow a Framework (or Frameworks)

This one is kind of a no brainer, but I’m shocked how many CISOs I talk to that pay scant attention to any structured framework. To many, it seems too daunting of a project to undertake, especially with an understaffed security team and a limited budget. But I encourage people to look at the frameworks as nothing more than a way of organizing their team’s efforts to address their risks in order of priority, with the added benefit of being able to measurably track improvements over time. And remember, checking a box next to all 20 CIS Critical Controls doesn’t get you a gold star. Addressing the five that are most critical to your business is far better than addressing none of them because it’s too much to take on.

Assess & Prioritize Risk (ALL Your Risk)

Risk assessment is a key part of every CISOs strategy, but unfortunately, many take too narrow a view. Yes, cyber risk is a critical part of your organizational risk, but it’s not the only part. Step outside of the SOC and assess the risk of the business as a whole. What is my third-party risk from trusted vendors? What is my supply chain risk? Is my data on the dark web? Financial risk? Legal? Brand and reputation? It’s amazing how much you can learn about the image your company is presenting by spending a few minutes looking at Glass Door reviews.

Develop and Test Your IR Plan

Understand up front that you will be breached. But how you react when it happens is the key to a successful IR strategy. Develop a comprehensive incident response plan outlining procedures to follow in case of a security breach. Define roles and responsibilities within the response team, establish communication protocols, and conduct regular drills to ensure readiness in handling security incidents effectively. Keep in mind that a breach response might go far beyond reimaging a compromised computer and resetting some passwords. It might include a full disaster recovery from a ransomware attack, media messaging related to stolen customer data, and more.

Learn from your Mistakes

This applies at both the individual and organizational levels.

  • Non-Security Personnel: This might mean reviewing the successful phishing email that snagged a couple of employees on the next all-hands call. (And no, no names will be mentioned).
  • Security Personnel: They can learn from the post-mortem of an event where they could have improved. Maybe a SOC analyst dismissed a legitimate alert which allowed an attack to progress. Or the IR team only partially cleared the breach and additional malicious activity was later found.
  • Organizational: This involves objectively measuring your progress against the framework (or pieces thereof) which the organization is following. Course corrections will always be necessary. Make them based on hard data.

Do the Math

Lastly, objectively assess your security operations. How well is my team performing? Are they understaffed? Undertrained? Use metrics like MTTD and MTTR to gauge your team’s performance and ability to successfully handle complex attacks. But also assess your spending. Annually assess your security tooling. Are the tools providing the value they promised? Are they redundant? What is their signal-to-ratio? And what about the hidden costs? How much time does my staff spend on care and feeding? What is my cost to host the infrastructure (especially if it is running in the cloud)?

Technology

Find Your Gaps

Back to the clichés again but you can’t protect what you can’t see. And in the world of multi-hybrid-cloud environments, comprehensive visibility is even harder to achieve. But it can be done, with the right tools and some persistence. Enterprise visibility is not an end in itself; it’s the foundational information required to conduct a proper gap analysis of your security controls. Your EDR dashboard is a great resource for telling you which machines it’s protecting. But it doesn’t tell you about all of the hosts that were missed during the rollout and are completely unprotected (and are very exploitable).

Objectively Assess Your Tooling

I’ve yet to meet a CISO who’s team has so much free time that they can devote many hours to regularly auditing how well their tools are working. But it needs to be done anyway. Network configurations change, patches break things, and sometimes the tool itself just doesn’t deliver on what it promised. Your team is only as good as their data and if the tools are wasting their time with a lot of noise, or worse, missing real security events, something needs to change. If a POC was conducted before purchase (and it almost always should be), then there should be a set of success criteria that were used to evaluate each tool. At a minimum, check these again. Or better, modify or add new criteria to reflect what has been learned since that purchase.

Have a Migration Strategy

In today’s security world, SecOps teams are dependent on rapid access to large volumes of information. SIEM has become the de facto standard for meeting this requirement. But all SIEMs are not created equal and a better solution is always around the corner. Anyone who’s ever deployed a SIEM knows the pain of connecting dozens of different data sources, all using different formats, from cloud, data center and on-prem, into a single platform (and even better, make it useful when it gets there!). SIEM vendors know the dirty little secret that if their platform, once deployed, provides a bare minimum of functionality, customers are willing to live with it, rather than go through a painful migration to a new platform. Consider using a simple log collector or a cloud bucket as the destination for all of your logs, with a single forwarder to the SIEM. Not only can you migrate at the drop of a hat, but you can also POC other products with very little effort. Some solutions even let you parse and modify the packets it receives, in case the preferred new tool needs a different format. And whenever possible, stay away from tools that require significant expertise to operate. Just like the inertia to change platforms, the inertia (or outright opposition) to retraining your staff can be just as powerful in keeping you from making a necessary change.

Embrace AI

The roaring (20)20’s are the decade of AI. And for good reason. Deep Learning and Big Data have given rise to incredibly powerful analytical models that can parse out and correlate vast quantities of data in near real-time. The best models for security operations teams use “Weak AI” models that have been developed specifically to understand what a security incident looks like, and continuously monitor events, looking for this evidence. Not only have these models proven incredibly effective, they also address the shortcomings of human operators and work exponentially faster than a human could.

Conclusion

The role of a CISO in fortifying an organization’s security posture is challenging, at the best of times. But by remembering the three variables that can be controlled (People, Process and Technology), it is not only achievable, but also rewarding. Cybersecurity is an ongoing journey requiring adaptability and constant improvement. By leveraging the proven “PPT” model, you can proactively mitigate risks, strengthen defenses, and safeguard your organization’s assets and reputation in an increasingly interconnected digital world.

Strengthening Cybersecurity Through Communal Knowledge Sharing

By Executive, IMPACT for MSSPs, Impelix IMPACT Platform, Practitioner, SecOps, Thoughts

In today’s digital world, cybersecurity defenses continually lag behind attacks. As technology evolves, so do the threats and vulnerabilities that cybercriminals exploit. In the battle to protect our digital assets and privacy, communal knowledge sharing has become an increasingly important element of a well-rounded cybersecurity plan. This blog explores the critical role of sharing communal knowledge in improving cybersecurity, how it works, and the benefits it brings.

The Cybersecurity Landscape

The digital age has brought about incredible advancements in communication, commerce, and information sharing. However, it has also given rise to new forms of crime and security threats. Cyberattacks, ranging from data breaches to ransomware attacks, have become more sophisticated and frequent, targeting individuals, businesses, and even governments. The sheer scale and complexity of these threats have made it challenging for any single entity to defend against them effectively. Much like the early tribal peoples found increased security in banding together, organizations are now realizing the same benefits in the cyber world.

Communal Knowledge Sharing Defined

Communal knowledge sharing in the context of cybersecurity refers to the practice of sharing information, insights, and best practices among individuals, organizations, and communities to enhance their collective cybersecurity posture. This sharing can take various forms, including collaboration among security professionals, threat intelligence sharing, and coordination with local law enforcement agencies.

  • Security User Groups: Active security-focused user groups are at the heart of communal knowledge sharing. These communities bring together cybersecurity professionals, researchers, and enthusiasts who openly share their expertise and develop tools and solutions to counter threats. There are many different types of cybersecurity communities, but the most common are arranged around either a project, a common role, an industry or risk profile, or a locale. All these present opportunities for useful knowledge sharing.
    • Projects like the Open Web Application Security Project (OWASP) and the MITRE ATT&CK framework are prime examples of project-focused groups. Interaction is almost always done via the Web, with all participants contributing to accomplish some definable goal.
    • Many groups are formed to unite people sharing the same role or job responsibilities. CISO communities are formed to share the tools and strategies that are working (or not) within their organizations, to help their peers improve their own security posture and/or avoid the same pitfalls.
    • Industry-focused user groups are commonly created around organizations facing specific challenges that may be unique to their line of business. Manufacturing firms have far different security needs in protecting OT/ICS devices than does a biotech firm protecting its proprietary intellectual property.
    • Lastly, all mid-large size cities have local security user groups (often chapters of larger groups like ISSA), that meet in person to discuss common security concerns and often have guest speakers to educate them on a specific topic.
  • Threat Intelligence Sharing: One of the fundamental aspects of communal knowledge sharing is the exchange of threat intelligence. This involves sharing information about the latest cybersecurity threats, attack techniques, and vulnerabilities. Organizations and cybersecurity experts often collaborate to pool their knowledge and resources to identify and mitigate potential risks.
  • Partnership with Law Enforcement: The most often overlooked part of a communal approach to cybersecurity is the mutual benefit of working with local law enforcement agencies. Individual organizations that repel and remediate attacks may stave off a catastrophic event, but they do nothing to deter future attacks. Cooperation with law enforcement not only enables those agencies to prosecute cybercriminals more successfully, but also allows these agencies to share emerging threat data, with private organizations.

Benefits of Communal Knowledge Sharing in Cybersecurity

There are many reasons that organizations (and their users) should embrace communal knowledge sharing, but I’ll note only a few the biggest ones below.

  • Rapid Threat Detection and Mitigation: Sharing information about emerging threats enables organizations to detect and respond to attacks more quickly. This proactive approach can minimize the impact of a cyberattack, or event prevent it completely, with advanced warning as to the tactics, vulnerabilities, and IOCs to look for.
  • Increased Deterrence: When organizations are empowered to collect and share digital forensic data with law enforcement agencies, cybercriminals’ rates of prosecution increase. This trend can cascade upwards as individual jurisdictions can collaborate with each other, as well as with federal efforts to bring down high profile threat actors.
  • Improved Infrastructure: Knowledge sharing, within the security community, can help not only with best practices for the configuration of network and security controls, but also with the selection of tools that are working well for peers with similar needs.
  • Minimized Mistakes: The old sports adage “The team that is likely to win is the one that makes the fewest mistakes” is equally applicable to cybersecurity. Unless they are targeting an organization for a very specific reason, most attackers are simply looking for easy targets. Sharing lessons learned with peers helps all members of the community limit the mistakes they might make in tackling their security challenges alone.
  • Innovation: Communal knowledge sharing fosters innovation in cybersecurity. The collective brainpower of experts from diverse backgrounds can lead to the development of cutting-edge tools and solutions, as well as novel strategies for implementing them.
  • Improved Resilience: When the entire cybersecurity community shares knowledge and collaborates, it creates a more resilient digital ecosystem. A shared defense is harder for cybercriminals to penetrate.

Challenges and Considerations

While communal knowledge sharing is a powerful tool in the fight against cyber threats, it is not without challenges:

  • Trust and Privacy: Organizations may be reluctant to share sensitive information due to concerns about trust and data privacy. Establishing secure channels, as well as appropriate levels of anonymization, for sharing is crucial, and must align with the corporate security policy on organization data and PII.
  • Legal and Regulatory Hurdles: Compliance with data protection laws and regulations can complicate information sharing, especially across international borders. Sharing must be transparent to all parties, require manual opt-in, and provide full oversight into the content and destination of any shared information.
  • Data Validity: As many organizations learned during the development and use of IOC databases, having bad information can be worse than having no information. Organizations can spend excessive amounts of time and effort searching for and combating phantom threats, based on inaccurate IOC data. Any communal approach to sharing threat intelligence needs to have protocols in place that validate the quality of the threat intelligence before it is distributed.

Conclusion

The ever-evolving landscape of cybersecurity requires a collective effort to combat the growing threats. Communal knowledge sharing is an indispensable part of this effort, enabling organizations and individuals to collaborate, innovate, and protect themselves effectively. In a world where information is power, sharing knowledge in the realm of cybersecurity is the key to a safer digital future. By working together, we can build a robust defense against even the most formidable cyber adversaries.

Eight Steps to Implement an Enterprise Risk Management Framework

By Enterprise Risk, Executive, IMPACT for MSSPs, Impelix IMPACT Platform, Thoughts

In the fast-paced and dynamic world of business that we are in, having a robust enterprise risk management (ERM) framework is crucial for organizations to survive. With the constant evolution of the modern business landscape, it has become increasingly vital for companies to navigate potential risks effectively. By implementing a comprehensive ERM framework, businesses can proactively anticipate and address potential threats, ensuring their long‑term success.

What is ERM?

Enterprise Risk Management (ERM) is a crucial process that plays a significant role in the success of organizations. It serves as a comprehensive framework that enables businesses to identify, assess, and effectively manage various types of risks. These risks encompass a wide range, including financial risks, operational risks, and even reputational risks. By implementing ERM, organizations gain a holistic understanding of the potential risks they may face. This understanding allows them to develop proactive strategies to mitigate these risks and ensure the smooth functioning of their operations. ERM acts as a guiding light, illuminating the path towards a more secure and resilient future for businesses. Financial risks, such as market volatility or economic uncertainties, can pose significant challenges to organizations. ERM equips businesses with the tools and methodologies to assess and manage these risks effectively. By doing so, organizations can safeguard their financial stability and make informed decisions that align with their long-term objectives. Operational risks, on the other hand, encompass a wide range of potential disruptions to business processes.

In essence, ERM serves as a protective shield, safeguarding companies from the uncertainties and challenges that arise in today’s complex business environment. It enables organizations to assess risks holistically, considering both internal and external factors that may pose a threat to their operations. Moreover, an effective ERM framework fosters a culture of risk awareness and accountability within an organization. By encouraging employees at all levels to actively participate in risk management efforts, companies can harness the collective intelligence and expertise of their workforce. This collaborative approach enhances the organization’s ability to identify and respond.

How Can an Organization Implement ERM?

While there is no universally recognized or defined ERM framework, there is a well-established methodology that can improve any company’s chances of successfully implementing ERM. Here is one way on how an organization can implement an effective enterprise risk management (ERM) framework:

Step 1: Leadership Commitment and Alignment

The journey starts when the leaders of the company are committed and on the same page. The top leaders need to not only agree with the idea, but also work to make it happen. It is very important to show that your culture values strategic choices that take risks into account.

Step 2: Create a Risk Appetite

Every organization has a risk tolerance level that it is willing to accept. It is critical to explicitly define and express this risk appetite. It serves as a guiding beacon, assisting in navigating the turbulent seas of risks and possibilities.

Step 3: Create a Strong Policy Framework

Developing a solid policy framework is analogous to preparing the foundations of a sturdy building. This process entails creating policies that explain the risk management philosophy, objectives, and tactics of the organization. This framework should be comprehensive, addressing all potential risk aspects, such as financial, operational, reputational, and strategic risks.

Step 4: Identifying and Assessing Risks

With a robust policy framework in place, it’s time to explore the enormous terrain of potential dangers. This step entails identifying and assessing potential hazards that may affect the organization. Various tools, including as SWOT analysis, PESTLE analysis, and risk heat maps, can be used.

Step 5: Putting Risk Response Plans into Action

Once the risks have been found and evaluated, the organization needs to develop and execute risk response strategies. Some of these tactics could be to completely avoid the risk, while others could be to accept the risk and share it with other stakeholders. The plan should be based on a careful analysis of how each identified risk could happen and how likely it is to happen.

Step 6: Monitor and Report

Transparency and open dialogue are vital for an ERM framework to work effectively. It is important to set up a mechanism for all stakeholders, including employees, board members, and investors, to get regular updates on risk management activities. This makes sure that everyone in the company is aware of the risks.

Step 7: Training and Development

Organizations should invest in training and development programs to equip their teams with the necessary skills and knowledge to manage risks effectively. It fosters a culture where every individual becomes a risk manager in their own capacity.

Step 8: Monitoring and Review

The final step in the journey is the constant monitoring and review of the ERM framework. This is a continuous process that helps in fine-tuning the risk management strategies and making necessary adjustments as the external and internal environments evolve.

Closing Thoughts

Implementing a successful ERM framework is an ongoing journey, not a one-time effort. It is a voyage full of discoveries, changes, and enhancements. By following these steps, organizations may confidently and agilely traverse the complicated world of risks, transforming potential threats into opportunities for growth and innovation.

So, set out on this trip with enthusiasm and energy, and direct your business toward a future that is not only secure but also replete with opportunity. Until next time, safe risk‑taking!

High Cost of SIEMs – And What To Do About It

By Enterprise Risk, Executive, IMPACT for MSSPs, Impelix IMPACT Platform, SecOps, Thoughts

Dealing with the High Cost of SIEMs

In today’s increasingly digital world, Security Information and Event Management (SIEM) systems have developed into an indispensable component of both corporate compliance and safety. They provide analysis of security warnings in real time from a variety of infrastructures, which helps in the identification and response to cyber-attacks. Nevertheless, there are major costs associated with SIEMs, from the initial setup to the ongoing upkeep.

The necessity of human oversight is a significant contributor to the cost of SIEMs. Even the most sophisticated SIEMs require a specialized SOC team composed of cybersecurity professionals to properly evaluate and respond to the data they collect. The cost of recruiting cybersecurity professionals has increased in recent years due to the growing demand for their skills. In addition, the requirement that monitoring occur around the clock necessitates the involvement of numerous specialists to ensure continuous coverage.

The SIEM implementation process involves more than just installing software. It includes procedures such as auditing the infrastructure, integrating the platform, and making any necessary adjustments to reduce the number of false warnings and noise. These modifications take place on a continuous basis and necessitate the steady allocation of resources. However, excessive customizations might lead to a failure to recognize real dangers, which could have negative ramifications for the company’s finances.

Because SIEMs process and store huge amounts of data logs on a regular basis, storage costs rapidly increase. The exponential increase in system generated data is out of alignment with the incremental increases of organizations security budget. The SOC teams have the goal of collecting all available data, but financial constraints frequently compel them to collect only a subset of available data, which reduces the efficiency of both SIEM and SOC.

In an effort to control expenses, some companies may choose to restrict data gathering, cut staff, or forego the deployment of SIEM, thereby jeopardizing their security posture. There are, however, approaches to keep costs in check while still maintaining a high level of security:

  • Cloud-based SIEM solutions offer an alternative that is both more scalable and more cost-effective. This is accomplished by shifting the burden of maintaining the necessary infrastructure to the service provider. SaaS-based security information and event management systems have a greater propensity to simplify and lower the cost of an efficient deployment.
  • The utilization of human oversight and SOC teams can be reduced when automation is incorporated. This can be accomplished through the utilization of artificial intelligence and machine learning by the SIEM platform, in addition to integrated Security Orchestration, Automation, and Response (SOAR) functionality that is built into the SIEM.
  • To collect comprehensive data without breaking the bank, you should look into SIEMs that have modern cost structures that are centered on user numbers or comparable metrics rather than data storage. These SIEMs allow for, sometimes, unlimited data ingestion and long-term retention at significantly reduced costs.
  • Choose security information and event management (SIEM) systems that require the fewest number of adjustments and tuning. Only the most important information is presented by the top platforms, doing away with the necessity for manual rule formulation and minimization of background noise. This results in a reduced need placed on SOC teams resulting in reduced resource requirements.

SIEMs are necessary in the current state of the cybersecurity industry; yet there is a cost associated with using them. Organizations can secure their digital assets in an effective and economical manner if they first acknowledge the expenses involved and then make educated investments.

Getting Off the “Alert-Respond” Hamster Wheel: A Journey from Reactive to Preventative Security

By Executive, IMPACT for MSSPs, Impelix IMPACT Platform, Practitioner, SecOps, Thoughts

Introduction

In today’s rapidly evolving digital landscape, the importance of cybersecurity cannot be overstated. The frequency and sophistication of cyberattacks continue to rise, making it imperative for individuals and organizations to shift from a reactive approach to a proactive stance when it comes to security. The traditional “wait-and-respond” method is no longer sufficient in safeguarding sensitive data and critical systems. In this blog post, we’ll explore the benefits of moving from reactive to proactive security measures, and finally to actionable strategies to fortify your defense against cyber threats.

The Downfalls of Reactive Security

Reactive security involves responding to incidents only after they’ve occurred, often resulting in a game of catch-up that leaves organizations vulnerable to various cyber risks. This approach can lead to devastating consequences, including data breaches, financial losses, reputational damage, and legal liabilities. Relying solely on firewalls, antivirus software, and incident response plans is akin to locking the barn door after the horse has bolted.

Proactive vs Preventative Security

The first step in the evolution of any security strategy is to root out your adversaries before they can cause damage to your organization.  And the only way this can be done is with data.  Lots of data.  Let’s be clear, organizations that are struggling to keep up with a high volume of daily alerts simply do not have the time to search through terabytes (or more) of logs, looking for evidence of a potential threat.  This created the need for XDR and MDR solutions.  These products and services (when done well) use AI and/or highly skilled security professionals to comb through massive datasets looking for evidence of a potential breach, before it can be exploited.

But threat hunting is only a part of the equation.  Evidence of security incidents means that attackers are finding their way into your network. And this leads to us to the next stage of an effective security strategy – preventative.  Preventative security (as the name implies) focuses on keeping attackers off your network in the first place.  And the only way to do this is by finding (and fixing) the gaps in your security controls.  There are multiple ways that this can be done. Trusted external auditors and security consultants can be leveraged to evaluate your security architecture and tool configurations, helping you to build a short-term/mid-term/long-term improvement plan to address these gaps, based on their criticality. In addition, Red/Purple/Blue Teams can regularly test your environment, looking for exploitable attack surfaces and paths into/across your network. But the most important step in a preventive security strategy is taking the time to do a post-mortem analysis of every security incident that occurs, because these are no longer hypothetical attack vectors that should be blocked; they are documented, exploitable weaknesses that have been, and will be, exploited again.

Benefits of a Proactive/Preventative Security Strategy

None of these should come as a surprise, but they are all compelling reasons to undertake this journey.

  1. Reduced Attack Surface: Adopting a preventative security approach means identifying weaknesses in your systems and applications that you can address before attackers have a chance to exploit them. This reduces your attack surface, making it harder for cybercriminals to gain a foothold.
  2. Early Threat Detection:  By continuously monitoring network traffic, user behavior, and system logs, you can identify suspicious patterns and activities that could indicate an impending attack, or evidence of a current attack in progress. This early detection empowers you to take preemptive action and minimize potential damage.
  3. Minimized Downtime: Cyberattacks often lead to system downtime and disruptions in operations. Proactive security measures, such as deploying intrusion detection and prevention systems, can help prevent breaches and keep critical systems up and running. This results in decreased downtime and improved business continuity.
  4. Cost Savings: Dealing with the aftermath of a cyber incident can be financially draining. Legal fees, customer compensation, and regulatory fines can add up quickly. By investing in proactive security measures upfront, you can potentially avoid these costs altogether.
  5. Reputation Protection: A single data breach can severely damage an organization’s reputation and erode customer trust. Proactive security demonstrates a commitment to safeguarding sensitive information, helping to maintain a positive brand image and customer loyalty.

Sounds great. But How Do I Get There?

  1. Empower Your SOC: Sounds easy, right?  Well, it may not be as hard as you think. Investing in quality tools that can automate the detection, analysis and response to security incidents can take a huge burden off your security analysts, freeing up their time to do the proactive threat hunting that is key to getting ahead of the threats. A good MSSP or MDR (although typically more expensive than a software solution) can help here as well. But be careful, read the fine print on any product or service. They can become cost prohibitive based on the amount of data you need to store, and with security, more is more. You want everything you can get.
  2. Evaluate Your Tools: When is the last time you evaluated your EDR or SIEM, compared to the current products in the marketplace?  And what criteria were used to select the tools you use today? Complacency and inertia are all too commonplace in most organizations, leading to outdated or underperforming technologies.
    1. Join a local security user group and find out what your peers are using, and more importantly if it works well.
    2. Build a relationship with a VAR that you trust and ask for their recommendations.
    3. Think outside the (magic) quadrant!  Just because Gartner or Forrester don’t have a category or an article telling you that “this is the key tool that everyone needs this year” doesn’t mean that a solution isn’t good or would be a good fit for you.
    4. Don’t throw the baby out with the bathwater.  Just because something you have isn’t the latest and greatest, doesn’t mean it’s still not a good choice.  If it ain’t broke, don’t fix it.
  1. Evaluate Your Processes: Complacency doesn’t just affect tooling. Too many organizations suffer from “Well that’s the way we’ve always done it” syndrome.  Evolve, change, shake things up if what you’re doing isn’t working.
  2. Evaluate Your Personnel: No, this does not mean interviewing your staff to keep their jobs. It means interviewing your staff to truly understand their needs. Sometimes it’s a bored analyst who needs a greater challenge. Or a SOC team member who is burned out from chasing false positives.  Not only will this help you get the best out of your people, but it can also drastically reduce turnover.  And who doesn’t like that?
  3. Follow a Framework: There are a lot of great security frameworks like MITRE, CIS Critical Controls, NIST and ISO27001.  They each take a different approach to security and sometimes, elements of each one might be the right fit for your organizational needs.  But whatever you choose, make it a priority.  Get buy in from the CISO and set measurable goals.  No matter how good your plan is, if it’s a binder in a cabinet, it probably won’t do you much good.
  4. Monitor Your Progress: Not only is measuring your progress the only way to make sure you stay on track, it’s also the only way to make sure that the executive team will continue to fund your efforts.  Security teams have always struggled to justify their budgets, but facts don’t lie.  Demonstrate that you went from 65-90% compliance on your EDR deployment, your critical vulnerabilities are down 40%, your Mean-Time-to-Detect (MTTD) and Mean-Time-to-Resolution (MTTR) are down 22% in the last 6 months.  (Don’t worry, good toolsets will help you track this).
  5. Assess Your Risk: There is more risk to an organization than just a cyberattack.  Is your sensitive data on the dark web? Is your supply chain secure? Organizational risk can take on many forms.  Don’t lose sight of the forest for the trees.

Conclusion

In an era where cyber threats continue to evolve in complexity and frequency, adopting a proactive security approach is no longer optional—it’s essential. The shift from reactive to proactive security empowers organizations to anticipate and mitigate threats before they escalate into major incidents. By embracing early threat detection, reducing attack surfaces, and prioritizing risk management, businesses can safeguard their data, systems, and reputation more effectively. Remember, cybersecurity is an ongoing journey, and staying proactive is key to maintaining a strong defense against the ever-changing landscape of cyber threats.

I wish you well on your journey.

Want to Ward Off Ransomware Attackers? Take Away Their Key

By Thoughts No Comments
Recently, I had the opportunity to present to a group of 25+ IT leaders representing manufacturing and distribution companies of various business sectors, some of them global, about cybersecurity. They were interested in hearing the latest about ransomware attacks at JBS and Colonial Pipeline, which continue to generate headlines because of the havoc they caused, and the huge ransoms demanded by bad actors that were paid (at least in part) by these companies. Read More