CSO: Threat Hunting Explained

Archive for the ‘News’ Category

CSO: Threat Hunting Explained

Posted by

With attackers lurking undetected in systems for months at a time, threat hunting is becoming an essential element of security.

Excerpt from: Threat hunting explained: Taking an active approach to defense

The goal of the security team has, of course, always been to stop bad things from happening as early as possible, whether that has meant shutting down an attempted hack from the outside or thwarting risky employee behavior.

Enterprise security teams often struggle to keep up, says Wolfgang Goerlich, advisory CISO for Duo Security, a Cisco business unit, which has offered workshops on threat hunting. SOCs are inundated with alerts about possible problems — so much so that they can’t possibly investigate each and every one. Cisco’s 2020 CISO Benchmark Report, in fact, found that 41% of organizations get more than 10,000 alerts a day.

Alert fatigue sets in and can keep security teams from being as effective as they could be. “If you’re constantly getting pinged, you can never think deeply and you can never think broadly,” Goerlich says.

He also points out that alerts generally indicate active attempts to attack and are not necessarily effective in finding threats that are either waiting for an opportune time to attack or are new and thus unknown to the monitoring systems.

Goerlich says he has seen how an overload of alerts coupled with a strictly reactive approach can leave an organization exposed. He led a red team simulating attacks on a company to test its security posture, using various tactics to try to get into the company’s systems. The security team did indeed identify the individual pieces of the attack, with monitoring systems alerting the SOC to phishing emails and malware. But while the security team successfully stopped individual attempts from exploding into full-blown events, they failed to see the big picture that there was an ongoing, multi-pronged coordinated attack.

“When you’re closing tickets in a fast manner — as you should be doing — you miss the full scale of what’s happening,” Goerlich explains.

But threat hunting, with its proactive approach and its focus across the IT stack versus alerts, helps security teams spot such activity.

Read the full article: https://www.csoonline.com/article/3570725/threat-hunting-explained-taking-an-active-approach-to-defense.html


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

BizTech: Securing Remote Work in a Transformed World

Posted by

“Now that everyone has shifted to work from home, it’s as if we’ve got 10,000 branches,” Goerlich said. “So the techniques we use aren’t scaling, the approaches we use aren’t scaling, we don’t have the manpower, the technology to possibly secure 10,000 branches.”

Excerpt from: Securing Remote Work in a Transformed World

That added complexity means security approaches that once defined work styles for decades now have to be reconsidered or retired — which means the moat needs a rethink.

“We start to talk about traditional IT as being this environment that had a hard-candy shell around it, or a castle with a moat,” said Kevin Swanson, a Microsoft Surface Specialist. “And you protected all of these outside threats from the things that were important to your business on the inside.

“That dynamic is changing.”

Read the full article: https://biztechmagazine.com/article/2020/08/cdw-tech-talk-securing-remote-work-transformed-world


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

SDxCentral: Why Cisco Duo’s on a Quest to Kill the Password

Posted by

Things to know about passwordless security: no, criminals will not cut off your thumb or peel the skin off your face to steal your biometrics and hack your network. And yes, C-suite executives always ask Wolfgang Goerlich, advisory CISO at Cisco Duo, this question.

Excerpt from: Why Cisco Duo’s on a Quest to Kill the Password.

“Everybody does,” he said. “We’ve seen so many ‘Mission Impossible’ movies — we know the risk. But here’s the thing: if a criminal is able to clone my biometrics, get ahold of my phone, get ahold of my computer, and bring those both into my home office, and then authenticate as me, and then only open up the applications that I normally open up during business hours, at that point I may just hire him as a contractor.”

He encourages CISOs to “bundle” passwordless with other zero-trust security tools such as identity and access management. “Partnering identity with passwordless is very appealing because we can establish that strong user identity with strong authentication factors without requiring more user effort. So this is a rare opportunity where it can actually reduce the amount of work that they need to do to establish that strong authentication.”

Read the full article: https://www.sdxcentral.com/articles/news/why-cisco-duos-on-a-quest-to-kill-the-password/2020/08/

Wolf’s Additional Thoughts

As part of the design series, I have put forth the idea that being ahead of the curve is being ahead of the criminal. The early adoption of a control — doing something right but rare — has surprising stopping power against common attacks. I expect organizations who are early adopters of single strong factor authentication, passwordless, will have this sort of surprisingly strong defense.

Well, for a while. When adoption reaches critical mass, the criminals will be highly motivated to work around passwordless authentication. We have seen this with strong second-factor authentication and criminals adopting phishing and proxying to bypass this control.

Therefore, my strong recommendation is pairing passwordless with additional anti-fraud measures. Include the device identification in the authentication. Include behavior analytics (where, when, how) to further bolster trust in the authentication. We can predict criminals will work around these authentication methods, so let’s move now to put in place compensating controls to detect and prevent their next move.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

CyberScoop: Security professionals lose central watering hole with demise of Peerlyst

Posted by

For years, the Peerlyst social network has been a resource for software developers looking for a job or cybersecurity enthusiasts wanting to host meetups across the world. But on Aug. 27, the website will shut down, Peerlyst founder Limor Elbaz said Monday, citing financial pressure.

Excerpt from: Security professionals lose central watering hole with demise of Peerlyst

Cybersecurity professionals lamented the end of the platform. “I took the news hard,” said J. Wolfgang Goerlich, an advisory CISO at Duo Security who has posted nearly 700 times on Peerlyst. “With the Peerlyst going away, we’re losing a central watering hole. The conversations may continue over LinkedIn and Facebook groups. But the loss of a dedicated security social media site will be felt for some time.”

The site also let users plans their own offline meetups in various cities in Asia, Australia, Europe, and North America.

Read the full article here: https://www.cyberscoop.com/peerlyst-shut-down-infosec-professionals/

Wolf’s Additional Thoughts

I was an early adopter of Peerlyst and a regular contributor. I end up the 22nd most popular user on the site which boasts of serving “70% of security professionals around the world and the site ranks higher than the majority of security companies.” Also? Peerlyst once put my face on the side of a bus during the RSA Conference. So I’m a little biased.

There is tremendous value in community. Apple itself got its start at the The Homebrew Computer Club. I spent many years and cut my teeth as a top poster in the Citrix online community, back in the early 2000s. And in the last decade, more people than I can count had their careers launched through my local security community, MiSec.

I’m sad to see Peerlyst go and am grateful to Limor Elbaz, Evgeny Belenky, and the entire Peerlyst team. Thanks to them for the memories and connections.

To you the reader, I ask this: what community will you build?


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

StateTech: Ensuring telehealth solutions are HIPAA-compliant remains critical, even amid relaxed rules

Posted by

At a time when public health departments have been stretched thin by the coronavirus pandemic, telehealth solutions have helped ease the strain by connecting doctors remotely to patients. That has been especially useful during a time when everyone has been advised to maintain social distancing to help reduce the spread of the virus.

Excerpt from: How States Can Secure Public Health Telehealth Deployments

Part of the issue involves making sure the professionals who are operating the telehealth tools “have good visibility into who is compliant and who is not,” says Wolf Goerlich, advisory CISO at Cisco’s Duo Security. “A good deal of time and attention is spent on that.”

The actual appointment itself presents challenges, Wolf notes, because doctors and patients may all have different devices, different network settings and conditions, and varying bandwidth constraints.

Throughout this process, there are a number of security systems at work, says Goerlich. There is a need to confirm the clinician is who they say they are. The clinician and patient devices need to be certified as healthy and free of malware or are not going back to a command-and-control site.

“From a technical perspective, it comes down to really good authentication, access controls, adaptive access policies, device health and the integrations that happen along the way,” Goerlich says.

Read the full article here: https://statetechmagazine.com/article/2020/05/how-states-can-secure-public-health-telehealth-deployments-perfcon


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

SC Magazine: Rethinking Risk

Posted by

It’s time to rethink risk – both how to operationalize it and how to define it. With all the incompatible views of risk from different stakeholders through an enterprise, it’s hardly surprising that so many organizations struggle to get beyond checklist security mentality.

Excerpt from: Rethinking risk

“Start with a listening tour: What (those other LOB executives) care about, what their business objectives are,” says J. Wolfgang Goerlich, advisory CISO of Duo Security. “You must interpret and explain security needs as business outcomes. Security can no longer be about avoiding the bad things. It must align to the business direction.”

Read the full article here: https://www.scmagazine.com/home/security-news/features/rethinking-cyber-risk/

Wolf’s Additional Thoughts

I’ve been vocal about my disillusionment over risk management. It has it’s place, to be sure. It was my starting point. And I gave a number of talks advocating risk management, say 2008-2015, including one for the Society of Information Risk Analysts (SIRA). Risk management techniques are excellent at prioritizing efforts within the security function. But having built programs around risk management, I’ve realized the limitations.

People don’t think in terms of risk. Risk treatment tables don’t resonate with our stakeholders. High or low is meaningless without context. People don’t get it.

People also don’t act on risk. Wendy Nather coined this “cheeseburger risk management,” a term which I love. People will eat cheeseburgers even though they know the risk. They’ll eat right up until they have a heart attack. Only then will people get serious about what they eat, and as evidence shows, that discipline only lasts for a short time.

Evan Schuman’s coverage of these difficulties is a great place to begin questioning where and how we use risk in cybersecurity. I’m continuing exploring alternatives to communicating with the business, getting buy-in, and driving action in my security principles design series.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Dark Reading: SMB Security Catches Up to Large Companies

Posted by

Small and midsize businesses (SMBs) have long had a reputation for being behind the curve in cybersecurity, especially compared with large companies that have more resources. A new report shows SMBs are just as capable of defending themselves, despite facing similar challenges.

Excerpt from: SMB security catches up to large companies

“We see time and time again that SMBs are actually punching above their weight,” says Wolfgang Goerlich, advisory CISO with Cisco Security. “They’re doing better than we would’ve anticipated.”

Overall, the numbers indicate small businesses are placing a stronger focus on security over time. The same sentiment is echoed in data from The Manifest, which recently released results from a survey of 383 smaller organizations, most of which had fewer than 50 employees.

Goerlich attributes the rise in public scrutiny to two factors. One is the realization of supply chain and third-party risks, which are prompting customers to ask more questions. Even small suppliers selling tools are getting hit with inquiries more often. Another is the trickle-down effects of regulation and compliance requirements, which usually affect larger vendors first and then are passed down to smaller suppliers. Now, they’re reaching the SMBs surveyed here.

“If you’re a customer, your voice alone may not move the needle … but the voices of multiple customers move the needle in a significant direction,” he says of the rise in inquiries. Requirements for today’s SMBs are issues that enterprises were struggling with six years ago.

Read the full article here: https://www.darkreading.com/perimeter/smb-security-catches-up-to-large-companies-data-shows/d/d-id/1337725

Wolf’s Additional Thoughts

One thing I’ve long called for is companies to demand more from their vendors, in terms of security. This creates market pressure. This ties security to revenue. And ultimately, these steps result in improved security because customer demand results in executive support for security teams.

Good security delivers a business result and, in doing so, increases the security posture. Here, the business result is keeping existing customers and attracting new ones. The last six years has seen this call turn into a reality.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

SDxCentral: Debunking Cybersecurity Myths

Posted by

Of all the cybersecurity myths about small to midsized businesses, the most damaging is the widely held believe that SMB leadership doesn’t take security and data privacy seriously, says Wolfgang Goerlich, Advisory CISO at Cisco Duo. This myth must be stamped out immediately, he said. And while it’s myth No. 8 in a new Cisco report, “it really needs to be myth one.”

Excerpt from: Cisco Debunks Cybersecurity Myths

“Maybe that was true 10 years ago,” Goerlich said. “The executive teams of these organizations are taking security and data privacy very seriously. Every other myth downstream is effected by that awareness and visibility at the top.”

Cisco’s latest security report, based on a survey of almost 500 SMBs, aims to debunk myths about smaller companies’ security posture and threats. This is important because the security industry has traditionally been biased against SMBs, perpetuating the myth that they don’t prioritize cybersecurity, the report says.

To come up with the 10 myths debunked in the report, Cisco compared responses from SMBs (250-499 employees) versus larger organizations with 500 or more employees. It shows that SMBs face the same threats and potential damages from an attack and they take security preparedness every bit as seriously as their larger counterparts.

Read the full article: https://www.sdxcentral.com/articles/news/cisco-debunks-cybersecurity-myths/2020/05/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

CSO: Implementing Zero Trust

Posted by

Having a vision and a specific use case help get companies started toward Zero Trust implementation.

Excerpt from: Zero Trust Part 2: Implementation Considerations

A piece of advice at the outset: “Don’t do too much too fast,” says Wolfgang Goerlich, CISO Advisor with Cisco. “Have specific goals, meaningful use cases, and measurable results.”

To build momentum, start with a series of small Zero Trust projects with deliverable milestones, and demonstrate success every few months by showing how risk has been reduced.

“We need to show the board progress. With specific initiatives aimed at specific use cases, we can demonstrate progress towards Zero Trust,” Goerlich says. “You build momentum and a track record for success.”

Read the full article: https://www.csoonline.com/article/3537388/zero-trust-part-2-implementation-considerations.html


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

CSO: Demystifying Zero Trust

Posted by

Despite the fact that Zero Trust has been around for a decade, there are still misconceptions about it in the marketplace.

Excerpt from: Zero Trust Part 1: Demystifying the Concept

Zero Trust is not one product or solution. Better to think of it as an approach, says Goerlich.

“Zero Trust is trusting someone to access something from somewhere,” he says. “Is it an employee, an application, a device? What is it accessing? What was can we determine if we trust this request? At the end of the day, Zero Trust means providing a consistent set of controls and policies for strong authentication and contextual access.”

The term was coined by Forrester Research in 2010. It was established as an information security concept based on the principle of “never trust, always verify.” Since then, the National Institutes of Standards and Technology (NIST) has produced comprehensive explanations and guidelines toward the implementation of Zero Trust architecture framework.

“NIST has a draft standard that dictates their view of Zero Trust — what the principles are, and what an architecture looks like,” Goerlich says. “The U.K. NCSC has done the same. Zero Trust has matured, and the need for it is now in sharp relief due to changes in the market and the way we use technology.”

Read the full article: https://www.csoonline.com/article/3537189/zero-trust-part-1-demystifying-the-concept.html

Wolf’s Additional Thoughts

I am leading a series of Zero Trust workshops this year. One concept I always stress: we’re applying existing technology to a new architecture. If you think back to Role Based Access Control (RBAC) was first being standardized, we used off-the-shelf x.509 directories and existing Unix/Windows groups to do it.

Now of course, better products offer better solutions. But the point remains. The application of existing standards to realize the principles of Zero Trust brings the concept beyond hype and into reality. Moreover, it makes it much easier to have confidence in Zero Trust. There’s no rip-and-replace. There’s no proprietary protocol layer. We’re simply taking authentication and access management to the next logical level.

Want to know more? Watch my calendar or subscribe to my newsletter to join an upcoming workshop.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.