Rick Howard and the DtSR interview - what you need to know from a veteran in the industry
This week I was listening to Rafal Los (@wh1t3rabbit) interviewing Rick Howard on DtSR Episode 414 - TPA Rick Howard's Almost Retirement. Well worth a listen. Some of the points that jumped out for me were:
- Go to the Cybersecurity Canon to identify must-read books for all cybersecurity practitioners
- What is the goal of a cyber defender - “we want to reduce the probability of a material impact to our organisation due to a cyber attack”
- If you have budget or resource that is not directed at this, you may be wasting your money
- How - through use of zero trust and an intrusion kill chain
- Zero trust is a philosophy: don’t trust anyone and don’t hand out permissions carte blanche; grant only the permissions that let an individual reach the resources they need to do their job
- For zero trust to work, it needs to be the company who decides who gets access to what, not the 2 guys in IT
- An intrusion kill chain will stop 95% of the 100 or so adversary campaigns that exist; we need to put controls in place to mitigate all of their intrusion methodologies
- Look at the adversary’s intended outcome and what it takes for them to get there; this will help you to build your defences in the right place
- There is a need for secrecy, but declassify the secrets when they no longer need to be kept that way, i.e. an earnings report is secret until such time as your CEO speaks about it to the media
- If only 20% of the data you hold, if stolen, would impact the company in a material way, why protect it all with the same intensity, concentrate your effort on the 20%
- However, you need to know where that 20% is in your organisation, so you need to ask the individual business unit leaders to identify their critical data. Say to them “If there is a 40% chance that your data will be stolen in the next 3 years, are you OK with that?” If they have a “shrieking fit”, you know to concentrate on that. This may be a best guess, and you need the support of the senior management who run the business to help identify what you need to protect. But we know this is not easy!
- Next Generation Firewalls - most companies don’t switch on the capabilities of the NextGen firewalls. These let you make rules on applications tied to the authenticated user, and in the new world everything is an application. This gives you the ability to make decisions dependent on the individual, or the group they belong to. Start by categorising your staff into buckets: your finance staff don’t need admin rights on your websites, and your developers don’t need to access your finance systems. Start small; you don’t have to boil the ocean
- You must convince people that security is not the blocker. Create DevSecOps teams where all your experts work together and there is no finger pointing during a crisis. The security teams need to step out of their silo; they are just part of the team or tribe.
He finished by recommending two books for more information on the DevSecOps approach: The Phoenix Project, which at the Cyber Security Canon web page he describes as "a novel about IT, DevOps, and helping your business win". And for a deeper dive, Site Reliability Engineering, which he explained describes how Google runs production systems.
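As an added example (not from the post or the podcast), here is a small default-deny application policy in Python in the spirit of the NextGen-firewall bullet: requests are decided on the authenticated user’s group membership rather than on ports, and anything not explicitly allowed is denied and logged. The users, groups, applications and actions are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed staff buckets: each authenticated user belongs to one or more groups.
USER_GROUPS = {
    "alice": {"finance"},
    "bob": {"developers"},
    "carol": {"developers", "web-admins"},
}

# Allow rules keyed on (group, application) -> permitted actions.
# There is deliberately no catch-all allow: an unmatched request is denied.
ALLOW_RULES = {
    ("finance", "erp"): {"read", "write"},
    ("finance", "corp-website"): {"read"},
    ("developers", "git"): {"read", "write"},
    ("developers", "corp-website"): {"read"},
    ("web-admins", "corp-website"): {"read", "write", "admin"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(user: str, app: str, action: str) -> Decision:
    """Decide one application request; unknown users and unmatched rules are denied."""
    groups = USER_GROUPS.get(user)
    if not groups:
        return Decision(False, f"unknown or unauthenticated user {user!r}")
    for group in sorted(groups):  # deterministic order for stable reasons
        if action in ALLOW_RULES.get((group, app), set()):
            return Decision(True, f"{user} allowed {action} on {app} via group {group}")
    return Decision(False, f"no rule grants {user} {action} on {app}; default deny")


def denied_events(requests):
    """Log lines for denied requests: the events a SOC would want to review."""
    lines = []
    for user, app, action in requests:
        decision = evaluate(user, app, action)
        if not decision.allowed:
            lines.append(f"DENY user={user} app={app} action={action} reason={decision.reason}")
    return lines
```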
A great listen!