CASB – Cloud Access Security Broker

Welcome to episode #8 of the webcast. A semi-weekly livestream, video feed and podcast from Cybersecurity Growth. A show for aspiring and existing cybersecurity leaders. Hosted by Shawn Valle, Managing Director and CISO of Cybersecurity Growth.

In this eighth cast/stream, Shawn learns what a CASB is and shares the details. He discusses the key components, the value of a solution like this, the product leaders in the space, and shares his real-world experiences too. If you are new to IT cloud security or just trying to keep up with all the new acronyms, this show is for you.

Watch on YouTube:

Listen right here:

Tune in live weekly by following the account at Twitch.tv/CybersecurityGrowth

Subscribe in your favorite podcatcher: https://feeds.captivate.fm/cybersecurity-growth

Cloud Security 101

Welcome to episode #7 of the webcast. A semi-weekly livestream, video feed and podcast from Cybersecurity Growth. A show for aspiring and existing cybersecurity leaders. Hosted by Shawn Valle, Managing Director and CISO of Cybersecurity Growth.

In this seventh cast/stream, Shawn learns many areas of importance across the massive cloud security landscape is and shares the details. He discusses the key components, the value of a solution like this, the product leaders in the space, and shares his real-world experiences too. If you are new to IT cloud security or just trying to keep up with all the new acronyms, this show is for you.

Watch on YouTube:

Listen right here:

Tune in live every other week by following the account at Twitch.tv/CybersecurityGrowth

Subscribe in your favorite podcatcher: https://feeds.captivate.fm/cybersecurity-growth

White House National Cybersecurity Strategy

Welcome to episode #6 of the webcast. A weekly livestream, video feed and podcast from Cybersecurity Growth. A show for aspiring and existing cybersecurity leaders. Hosted by Shawn Valle, Exec Director and CISO of Cybersecurity Growth.

In this sixth cast/stream, Shawn pulls from the just released White House National Cybersecurity Strategy, straight from the desk of President Biden. He reviews the overall strategy, brings in some real-world guidance from industry experts, and shares his thoughts along the way. Whether you work in/for the US federal government, or not at all, this show will provide some thoughtful guidance on how to update your cybersecurity strategy for 2023.

Watch on YouTube:

Listen right here:

Tune in live weekly by following the account at Twitch.tv/CybersecurityGrowth

Subscribe in your favorite podcatcher: https://feeds.captivate.fm/cybersecurity-growth

Security Risk Management

Welcome to episode #5 of the webcast. A weekly livestream, video feed and podcast from Cybersecurity Growth. A show for aspiring and existing cybersecurity leaders. Hosted by Shawn Valle, Exec Director and CISO of Cybersecurity Growth.

In this fifth cast/stream, Shawn shares takes his experiences (alongs with experiences from industry experts) on the topic of building a Security Risk Management program. If you are new to Risk Management, or looking for an alternate take to what you are currently doing in this space, give this a watch/listen, to help you get more familiar with the topic.

Watch on YouTube:

Listen right here:

Tune in live weekly by following the account at Twitch.tv/CybersecurityGrowth

Subscribe in your favorite podcatcher: https://feeds.captivate.fm/cybersecurity-growth/

Zerø Trust

Welcome to episode #4 of the webcast. A weekly livestream, video feed and podcast from Cybersecurity Growth. A show for aspiring and existing cybersecurity leaders. Hosted by Shawn Valle, Exec Director and CISO of Cybersecurity Growth.

In this fourth cast/stream, Shawn takes learnings from Microsoft, NIST and NSA about the topic of “zero trust”, puts them together into a single stream, presents the topics and gives his real world commentary on it. If you are new to Zero Trust, or confused like many others, give this a watch/listen, to help you get more familiar with the topic.

Watch on YouTube:

Listen right here:

Tune in live weekly by following the account at Twitch.tv/CybersecurityGrowth

Subscribe in your favorite podcatcher: https://feeds.captivate.fm/cybersecurity-growth/

So You Wanna Be A CISO

Welcome to episode #3 of the webcast. A weekly livestream, video feed and podcast from Cybersecurity Growth. A show for aspiring and existing cybersecurity leaders. Hosted by Shawn Valle, Exec Director and CISO of Cybersecurity Growth.

In this third cast/stream, Shawn shares his personal approach for building a “cyber” security strategy and organization. This deep dive, circulates around the early days of being hired into a security leadership role, and what steps are/should be taken within the first 100 days in the role. Maybe there is something in here that you’ll find valuable.

Watch on YouTube:

Listen right here:

Tune in live weekly by following the account at Twitch.tv/CybersecurityGrowth

Subscribe in your favorite podcatcher: https://feeds.captivate.fm/cybersecurity-growth/

Practical uses of the Secure Controls Framework (Part 2)

Welcome to the all new webcast. A weekly livestream, video feed and podcast from Cybersecurity Growth, A show for aspiring and existing cybersecurity leaders. Hosted by Shawn Valle, Exec Director and CISO of Cybersecurity Growth.

In this second cast/stream, Shawn dives deeper into how the SCF creators suggest the Secure Controls Framework could be used in practical applications; plus Shawn’s commentary.

Watch on YouTube:

Listen right here:

Tune in live weekly by following the account at Twitch.tv/CybersecurityGrowth

Subscribe in your favorite podcatcher: https://feeds.captivate.fm/cybersecurity-growth/

Secure Controls Framework, an introduction (Part 1)

Welcome to the all new webcast. A weekly livestream, video feed and podcast from Cybersecurity Growth, A show for aspiring and existing cybersecurity leaders. Hosted by Shawn Valle, Exec Director and CISO of Cybersecurity Growth.

In this first cast/steam, Shawn learns and shares an overview of (possibly the most important framework you should learn) the Secure Controls Framework.

Watch on YouTube:

Listen right here:

Tune in live weekly by following the account at Twitch.tv/CybersecurityGrowth

Subscribe in your favorite podcatcher: https://feeds.captivate.fm/cybersecurity-growth/

The World of Online Platform Abuse and Fraud

Initially posted at: https://www.nisos.com/podcast/know-your-adversary-episode-3/

I had the privilege to (virtually) sit with my industry colleague, Landon Winkelvoss (co-founder, Nisos) to discuss cyber adversaries I have encountered, and lessons learned.

Excerpt from the initial post:


In Episode 3 of Know Your Adversary, our discussion takes a look into the world of online platform abuse and fraud. We explore threat actors’ use of bots to make bulk purchases online. We also tell the story of a security researcher on the wrong side of the law. Learn about the path he took from disclosing a breach to demanding a ransom payment. Shawn tells us about two major threats he faced prior to taking on his current role. Each of those threats warranted different levels of attribution. In the first case, he was faced with bot programmers who abused the platform to “cut in the digital line” when major retailers were having online sales. In the second case, he was faced with a security researcher who compromised a third-party supplier, exfiltrated sensitive data, and threatened to go public if a ransom payment was not made. Our guest is former Chief Information Security Officer at Rapid 7, Shawn Valle.

Here are some of the key takeaways from the episode:

Different types of fraud, but similar techniques. While fraud on technology platforms differs from fraud against other industries, many of the techniques used to combat the abuse is the same. This is especially true when it comes to threat actor engagement.

Whether we are discussing “Trust and Safety” issues related to online platforms or fraud related to scams against employees, applications, or customers, both types of exploits result in reduced consumer confidence. In both cases, as Shawn explains, organizations must take aggressive steps to engage directly with threat actors to stop and attribute the fraud and ensure confidentiality, integrity, and availability of services.

Not all levels of e-crime require attribution and unmasking. The extent to which a victim will pursue threat actors varies. Many fraud prevention programs exist simply to identify the tactic being used to commit the fraud and ensure the fraud stops so the product or service can function properly. In many cases, the effort necessary to identify, pursue, and arrest the fraudsters is simply not worth expending resources.

Many levels of loss and reputation impact do require the attribution. As we discussed in last month’s episode with Randy Pargman, when security researchers or insider threats make contact with a victim and threaten a sizable payment or face public disclosure, attribution that goes beyond tactics and techniques is necessary. Shawn discusses another real-world example.

M&A and Cybersecurity

[updated April 12, 2021]
You’re a cybersecurity leader at a growing company. [or information security leader — I’ll just say security from here on out]. You learn that your company is in conversations to acquire a smaller company, to include the people, products, and locations. What do you do?

making mistakes

You likely make a lot of mistakes…at least at first. M&A and security are oftentimes, not a top line consideration for executive teams. Yet, not considering the risk implications of integrating two companies, could lead to disastrous consequences. Consider if your IT team on-boarded a start-up 3rd party vendor that connects to much of your distributed network infrastructure, but neglected to identify that this vendor doesn’t have a dedicated security team. You now have inherited all the risk of that 3rd party, since their product is now integrated into your environment. Now, picture the similar scenario, but your company is integrating every piece of a companies fabric into yours.

ask all the questions

Do their employee desktops have basic endpoint protections?

Is multifactor authentication everywhere? Is it anywhere?

What are their highest priority risk items? How did those risks get scored and prioritized?

Who has access to production systems? How is least privilege determined?

What is their history with security incidents based on business email compromise?

This list can go on and on. Oftentimes, in a security leaders first M&A event, many of these (and many more) questions will go overlooked. All may be fine. Though, without creating a risk profile, you are merely rolling the dice, hoping not to inherit an active security incident (or worse, integrate an active security incident into your current environment).

create a plan, now

The time to draft a security M&A due diligence plan is now. Well, it should be a core document to have, alongside companywide security policies, incident response plan, and 3rd party risk assessment plan. In fact, if you have a 3rd party risk assessment process, you can borrow a large part of that plan/process to copy/paste into your security due diligence M&A plan. If you are wondering why, read this Ponemon Institute study from 2018, that states “59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties”. You need to think of your acquisitions, as you would a very sensitive third party.

Let’s get back to why you should have a plan at the ready. I have real-world examples of my own poor due diligence that allowed an undetected, actively exploited vulnerability of a company we acquired, to be integrated into our infrastructure, and allowed for pivoting from that environment into ours. There are also plenty of studies that highlight the time it takes to locate a sophisticated adversary in your network. FireEye’s 2020 M-Trends report provides some sobering numbers.

When you get your M&A due diligence plan in place, please consider the multiple stages of the event. (1) Pre-announcement, (2) acquisition, (3) Post-acquisition, (4) Integration.

Why creating an M&A Security plan (not dissimilar to a combination of a 3rd party risk assessment plan and an incident response plan) is critical to do in the early stages of a security leaders role.

….in the next update…

What should go in a plan, to start, and iterate on.

If you have a 3rd party vendor security assessment plan, may I suggest you make a clone of that plan, and rename it “M&A Security Due Diligence”? If you don’t have a 3rd party vendor security assessment plan, stop reading now, and focus on that. (Maybe I’ll write an article on that topic next…that would be a good linkable item).

The plan should have, at least three core sections titled: (1) Pre-acquisition Diligence, (2) Post-acquisition Diligence, (3) Integration Requirements.

With these three sections, create a checklist for each. There is a possibility that some of the checklist items will be “N/A”, though you should expect whomever is going to be your designated manager of the due diligence, should consider each item on the checklist as a “must have” requirement. (I do realize that it may very likely be you, the security leader, who is ultimately going to manage the security due diligence process. Though, as teams mature, you are likely going to want to have another team member be accountable for a due diligence project. More on that later).

How to prepare and staff for an acquisition, when they happen very infrequently.