Thoughts from the 2022 Texas Cyber Summit

This week was the Texas Cyber Summit, held in Austin for the first time.?Living in Austin for over a decade may make me a little biased but I?believe?this was the best year yet!?Now, is that correlation or causation? You choose.

We had a great lineup of speakers from industry, defense, and intelligence.?All spoke about the challenges they face, how they are reinventing their organizations to address these threats and the lengths they are going to find, hire, train and retain the best.?Many of the speakers leveraged football quotes & analogies - So I guess I will keep with the trend - “Offense sells tickets. Defense wins championships” was said by?Paul “Bear” Bryant but applies to our cyber landscape today and into the future. It only takes one person to follow a?compromised?link, one person to download an infected file or one person to connect their laptop to an insecure network to breakdown all the good work done by cyber teams and shift the organization from defense into incident response. The most mature organizations have invested in both and accepted that incidents will happen and we need to be prepared so we can minimize harm and decrease recovery time.

While I only made it to a small percentage of the nearly 150 sessions, I saw several themes across the speakers and industries.

• High Complexity & Rate of Change - Todays technology landscape is changing faster than ever. We have highly mature application teams doing multiple deployments a day. The underlying?infrastructure?can easily change 100 times a day. This level of change demands high levels of automation, high levels of testing maturity and processes that rely on technical controls, not manual human review. Cyber teams must develop new tools and techniques to understand this change, measure the risk and intervene where their effort is most impactful.
• Changes in Logging Behavior - 10+ years ago the focus was on identifying what logs we needed to capture and discarding the rest. Storage was expensive and compute costs even higher. But the calculus has changed and storage and compute is significantly more affordable at scale to even modestly sized organizations. Now organizations capture and log anything they can instrument across their technology stacks. This has moved the dynamic to more effective mining of this data in real-time to support threat hunting teams, incident response teams & operations teams.
• Hiring is Hard - Finding & retaining the best talent has only gotten harder. While universities are doing better at producing highly capable graduates with cyber exposure, the market is still short on the right folks in the right places. The Army has gone as far as extending Direct Commissioning?to?cyber roles, where it was previously only focused on Chaplains, Law and Medical professions. Cyber teams must create environments people want to work, create learning opportunities, and build organizational structures that provide growth opportunities.?We must continue to launch innovative education offerings that enable growth in the workforce, UTSA has led for multiple years in the cyber domain and continues with their Bachelors of Applied Cyber Analytics.
• Fusion of Industry & Intelligence - Multiple federal agencies mentioned their efforts to streamline & accelerate the processes used to release information about new and emerging threats, enabling vendors to build protections into?projects?and industry to be aware and on the lookout for new threats. They understand that the ability to share information about threats, without disclosing how the intel was obtained, is key to enabling industry to protect themselves proactively.
• The Basics Still Matter - Patching laptops, updating applications, managing mobile devices, firewall rules and wifi?configuration?still matter. They still matter a lot. As we have seen with so many recent events, the origin of incidents is often something basic around password management, open ports or configuration errors. We must continue to focus on our defensive postures, focus on good cyber hygiene and accept the work is never done.
• Bots are a?Massive?Threat - The sophistication of bots and their ability to emulate human interaction, emotion and responsive behaviors has never been higher and shows no sights of slowing down in advancing capabilities. If defensive capabilities against bots and organizational investment in added layers of trust in human interactions do not mature, we risk a crisis in the coming years.
• CISOs & Executive Support - Some organizations have built structures where the CISO is seen as a strategic role with a voice about how the company executes and places bets. Other organizations still see security as something that?“needs to be done” not something that can provide a positive impact on the company. This is a continued place for improvement; CISOs must work to build trust and awareness across executive teams to the investments being made, the impact being realized, and the threats mitigated. The most impactful CISOs see their role as enabling through education/enablement, mentoring, and partnering on product delivery; being part of the process and not a check on the process.
• Zero Trust - Zero trust continues to be a key discussion topic with a realization that it is a heavy lift for most organizations to practically design & implement. Organizations are?beginning?to think about how zero trust becomes part of their design patterns and training standards.?NIST has published standards around secure software development that are?becoming?a framework to use for the software components of our zero trust architectures. The White House has made this an imperative for government agencies through a 2022 memorandum. But this journey will be incremental as we modernize our enterprises.
• Red & Blue Teams - Multiple talks discussed the various facets of standing up effective Red & Blue teams. A primary take away is that these structures must be aligned with all the teams they support including application development, operations, incident response and architecture to ensure that learnings are captured and acted upon. Ineffective teams risk further eroding trust between cyber organizations and wider technology teams.
• MFA is Still Important!?- There was a lot of discussion of MFA and its effectiveness, for obvious reasons. The consensus seems to be that MFA still has immense value but has to be thought of in the larger context of how humans work & react. Push methods are inherently more susceptible too exploitation due to their ability to overwhelm a user with requests until they accept one to end the barrage. Local pin generation apps have an added layer of value because of the localized operation model, but make sure that OTP validation is always occurring on the server side. When thinking about password reset processes, it is often valuable to add additional layers of checks - These could include previous device validation, location validation or human engagement with a manager or help-desk. Be cautious with how MFA enrollment & re-enrollment occurs, these steps can lead to MFA getting disabled if not configured properly.

Thank you to Joseph Mlodzianowski and the whole team at Texas Cyber Summit for a great event.?