SDxCentral: Debunking Cybersecurity Myths

Archive for the ‘News’ Category

SDxCentral: Debunking Cybersecurity Myths

Posted by

Of all the cybersecurity myths about small to midsized businesses, the most damaging is the widely held believe that SMB leadership doesn’t take security and data privacy seriously, says Wolfgang Goerlich, Advisory CISO at Cisco Duo. This myth must be stamped out immediately, he said. And while it’s myth No. 8 in a new Cisco report, “it really needs to be myth one.”

Excerpt from: Cisco Debunks Cybersecurity Myths

“Maybe that was true 10 years ago,” Goerlich said. “The executive teams of these organizations are taking security and data privacy very seriously. Every other myth downstream is effected by that awareness and visibility at the top.”

Cisco’s latest security report, based on a survey of almost 500 SMBs, aims to debunk myths about smaller companies’ security posture and threats. This is important because the security industry has traditionally been biased against SMBs, perpetuating the myth that they don’t prioritize cybersecurity, the report says.

To come up with the 10 myths debunked in the report, Cisco compared responses from SMBs (250-499 employees) versus larger organizations with 500 or more employees. It shows that SMBs face the same threats and potential damages from an attack and they take security preparedness every bit as seriously as their larger counterparts.

Read the full article: https://www.sdxcentral.com/articles/news/cisco-debunks-cybersecurity-myths/2020/05/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

CSO: Implementing Zero Trust

Posted by

Having a vision and a specific use case help get companies started toward Zero Trust implementation.

Excerpt from: Zero Trust Part 2: Implementation Considerations

A piece of advice at the outset: “Don’t do too much too fast,” says Wolfgang Goerlich, CISO Advisor with Cisco. “Have specific goals, meaningful use cases, and measurable results.”

To build momentum, start with a series of small Zero Trust projects with deliverable milestones, and demonstrate success every few months by showing how risk has been reduced.

“We need to show the board progress. With specific initiatives aimed at specific use cases, we can demonstrate progress towards Zero Trust,” Goerlich says. “You build momentum and a track record for success.”

Read the full article: https://www.csoonline.com/article/3537388/zero-trust-part-2-implementation-considerations.html


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

CSO: Demystifying Zero Trust

Posted by

Despite the fact that Zero Trust has been around for a decade, there are still misconceptions about it in the marketplace.

Excerpt from: Zero Trust Part 1: Demystifying the Concept

Zero Trust is not one product or solution. Better to think of it as an approach, says Goerlich.

“Zero Trust is trusting someone to access something from somewhere,” he says. “Is it an employee, an application, a device? What is it accessing? What was can we determine if we trust this request? At the end of the day, Zero Trust means providing a consistent set of controls and policies for strong authentication and contextual access.”

The term was coined by Forrester Research in 2010. It was established as an information security concept based on the principle of “never trust, always verify.” Since then, the National Institutes of Standards and Technology (NIST) has produced comprehensive explanations and guidelines toward the implementation of Zero Trust architecture framework.

“NIST has a draft standard that dictates their view of Zero Trust — what the principles are, and what an architecture looks like,” Goerlich says. “The U.K. NCSC has done the same. Zero Trust has matured, and the need for it is now in sharp relief due to changes in the market and the way we use technology.”

Read the full article: https://www.csoonline.com/article/3537189/zero-trust-part-1-demystifying-the-concept.html

Wolf’s Additional Thoughts

I am leading a series of Zero Trust workshops this year. One concept I always stress: we’re applying existing technology to a new architecture. If you think back to Role Based Access Control (RBAC) was first being standardized, we used off-the-shelf x.509 directories and existing Unix/Windows groups to do it.

Now of course, better products offer better solutions. But the point remains. The application of existing standards to realize the principles of Zero Trust brings the concept beyond hype and into reality. Moreover, it makes it much easier to have confidence in Zero Trust. There’s no rip-and-replace. There’s no proprietary protocol layer. We’re simply taking authentication and access management to the next logical level.

Want to know more? Watch my calendar or subscribe to my newsletter to join an upcoming workshop.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

USA Today: Dear Passwords, Forget You

Posted by

Do you hate remembering passwords? Soon, you may be able to forget them for good. 

Excerpt from: Dear Passwords: Forget You.

“We are moving into a world which we’re calling passwordless, which is the ability for our applications, devices and computers to recognize us by something other than the old-fashioned password,” says Wolfgang Goerlich, advisory chief information security officer for Cisco-owned security firm Duo.

Goerlich estimates that within five years, we could be logging into most of our online accounts the same way we unlock our phones. And then we will be able to finally break up with passwords for good.  

What will replace them? That’s a bit more complicated. 

Read the full article: https://www.usatoday.com/story/tech/2020/02/28/data-breaches-hackers-passwords/4870309002/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

Dark Reading: Security, Networking Collaboration Cuts Breach Cost

Posted by

CISOs report increases in alert fatigue and the number of records breached, as well as the struggle to secure mobile devices in a new Cisco study.

Excerpt from: Security, Networking Collaboration Cuts Breach Cost.

“We’re starting to see this move toward fewer consoles and move toward greater collaboration with other teams,” says Wolf Goerlich, advisory CISO with Duo Security (now under Cisco). “CISOs who act on those two trends have better outcomes for the organization.”

More than 91% of respondents say they are “very” or “extremely” collaborative; collaboration between endpoint and security teams is also high, at 87%. This trend can have financial benefits in the aftermath of a breach. In 2020, 59% of companies that say they are very/extremely collaborative between networking and security teams experienced a financial impact under $100,000 for their biggest breach, the lowest category offered for breach cost.

“A lot of it has to do with dwell time: How do we detect what’s going on in our environment; how do we remediate what’s going on in our environment,” Goerlich explains. “To detect, you have to have a really solid understanding of what’s going on in our networks and the cloud infrastructure we’re plugged into.”

And who better to detect than the subject matter experts? The networking team has a better understanding of the environment; as a result, team members know what’s typical and what isn’t. “There’s a reduction in time to detect because they understand what normal looks like, so they can help us understand what abnormal behaviors are,” he continues.

The networking team can also help stop threats. When a security operations center analyst spots an event, often because good practices they won’t pull out the equipment. They’ll pass this off to the subject matter experts, and the networking team takes over for quarantine, remediation, and cleanup.

“When you have those tight collaborations, you can say, ‘This is what we see, this is what needs to happen,’ and the handoff is much smoother,” Goerlich says.

Read the full article: https://www.darkreading.com/cloud/security-networking-collaboration-cuts-breach-cost/d/d-id/1337132

Wolf’s Additional Thoughts

When I built one of the first DevOps teams, a decade ago, I recognized the need for collaboration but greatly underestimated the impact of bringing teams together. By all metrics, our new combined team significantly and surprisingly beat out our previous separate teams. The industry has seen improvements year-after-year based on this simple concept. Create a common language, use a common set of tools, set a common set of goals, reduce barriers, and let the magic happen.

This is what excites me about SASE (Secure Access Service Edge). Imagine if we do with network operations and security operations what we previously did with development and IT operations. A decade from now, if we get that right, the productivity and pace of operations will be completely transformed.

Of course, that means pushing through the pushback to get staffing, reporting relationships, and budgets aligned. I’m not suggesting this is going to be easy. I’m simply saying we have a playbook to follow. Let’s do it.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

InfoSecurity Magazine: Mental Health Toolbox

Posted by

Noting the warning lights to assess your levels of stress and mental health now, and in the future, can save a lot of anguish in your working life.

Excerpt from: Mental Health Toolbox

Speaking at 44CON in London on the issue of dealing with mental health, Duo Security CISO advisory group member J Wolfgang Goerlich recommended a strategy of a “career owners manual” and knowing what to do to “make sure you have got a career and what you’re doing well.”

“You need to be sure the inputs line up, as different companies have different values” he said, as if we are unhappy, it is too easy to ignore warning lights around our mental health, and it is too easy to take a “teenager’s action” as they ignore warning lights on a car. These warning lights should be around:

  • Physiological effects
  • Non-competitive compensation
  • Lack of training
  • Lack of career path
  • Poor teamwork
  • Poor leadership
  • No appreciation or recognition
  • Misaligned values and culture

Read the full article: https://www.infosecurity-magazine.com/news/44con-mental-health-toolbox/

Wolf’s Additional Thoughts

I burned out hard in 2014. I ended up taking a quarter off to refresh and renew. Since then, I’ve been very vocal about the need for managing the stresses of IT and cyber security.

I ran an apprenticeship from 2015-2019. This allowed me to hone my career advice with 67 junior-level security analysts. Quite sure they taught me more than they learned from me. It became readily apparent that no one advises on how to cope with stress, and how to separate bad stress from good stress, in cyber security degree programs.

I was therefore excited and pleased to have the opportunity to present on this topic at 44con, in collaboration with Mental Health Hackers.

If you’d like to talk, hit me up on my coaching page. We absolutely must do more to support each other, mentally and physically.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Dark Reading: OS, Authentication, Browser & Cloud Trends

Posted by

New research shows cloud apps are climbing, SMS authentication is falling, Chrome is the enterprise browser favorite, and Android leads outdated devices.

Excerpt from: OS, Authentication, Browser & Cloud Trends

Application integration is up across most key categories. The number of customers per cloud app is up 189% year-over-year, and the number of authentications per customer per app is up 56%.

The massive spike in cloud applications means any given employee has at least two or three cloud apps they use to do their jobs, says Wolfgang Goerlich, advisory CISO for Duo Security. “It was a big explosion of shadow IT,” he adds. “It really got away from a lot of the organizations.” Some people often use the same applications for personal and business use, driving the need for businesses to enforce their security policies for cloud-based applications and resources.

Read the full article: https://www.darkreading.com/cloud/security-snapshot-os-authentication-browser-and-cloud-trends/d/d-id/1335262

Wolf’s Additional Thoughts

IT history repeats itself.

The organization moves slow to provide employees with tools and technology. Consumer tech fills in the gap outside of the office. People get savvier and more experienced with tech. People innovate with what they know, to get done what they need to get done.

The organization notices people doing things in an innovative yet ad hoc way. Work is done to standardize tech use. More work is done to secure the tech use. The wild ways of people, the wilderness of shadow IT, is tamed and brought into the light.

We’re at this point now. That’s what the numbers show. But tamed IT is slower than shadow IT. If the past has taught us anything, it is that the cycle will repeat.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

With continuous security, Sec DevOps deconstructs CI/CD

Posted by

Nothing is set in stone when an organization follows a DevOps methodology — a DevOps security model pushes developers and ops to constantly retune, slow down and speed up.

Excerpt from: With continuous security, SecDevOps deconstructs CI/CD

“All of the DevOps teams I work with have some integration between cybersecurity and development,” said J. Wolfgang Goerlich, cybersecurity strategist at Creative Breakthroughs Inc., a Detroit-based IT security consultancy. Some organizations have embedded security architects in the DevOps teams. Others have security champions within DevOps who work directly with the cybersecurity team. “In both cases, the partnership is a means to introduce security concepts while maintaining DevOps velocity,” he said.

Goerlich said roughly one in four DevOps teams integrate and automate some level of security controls. “This integration is generally performing scans and checks against the static code, the application, and the underlying environment composition,” he said.

But this level of automation often requires tuning and adjustments to ensure it keeps pace with DevOps. For example, he said, traditional code-level scans take several days. “That’s not effective when DevOps is changing the code on a daily or even hourly basis,” Goerlich said.

Effective SecDevOps teams secure without slowing, and they add continuous security without exceeding the team’s capacity to change, he said. “It’s paradoxically fast and slow, with security controls being added slowly while tuned to execute very quickly.”

Success comes from balancing protection for the DevOps product while protecting the DevOps productivity.

Read the full article: http://searchitoperations.techtarget.com/feature/With-continuous-security-SecDevOps-deconstructs-CI-CD


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Hybrid cloud security: 8 key considerations

Posted by

Hybrid cloud should strengthen your organization’s security posture, not diminish it. But that doesn’t mean improved security is a default setting. While security fears are declining as cloud matures, security remains an ongoing challenge that needs to be managed in any organization. And a hybrid cloud environment comes with its own particular set of security considerations.

 

1. Ensure you have complete visibility.

Too often in modern IT, CIOs and other IT leaders have blind spots in their environments, or they focus too narrowly (or even exclusively) on their on-premises infrastructure, says cybersecurity veteran J. Wolfgang Goerlich, who serves as VP of strategic programs at CBI.

Now that companies and their end users can use hundreds of cloud-based apps, and multiple departments can spin up their own virtual server on an Infrastructure-as-a-Service platform, complete visibility across private cloud, public cloud, and traditional infrastructure is a must. A lack of visibility, says Goerlich, snowballs into much greater security risks than are necessary.

2. Every asset needs an owner.

If you lack 360-degree visibility, you probably lack ownership. Every piece of your hybrid cloud architecture needs an owner.

“A key tenet in IT security is having an owner identified for every asset, and having the owner responsible for least privilege and segregation of duties over the asset,” Goerlich says. “Lack of visibility results in a lack of ownership. This means, quite often, hybrid cloud environments have loosely defined access controls and often are without segregation of duties. Excessive permissions introduce risk, and unowned risk is unaddressed risk.”

Read the full article:

Hybrid cloud security: 8 key considerations
https://enterprisersproject.com/article/2017/7/hybrid-cloud-security-8-key-considerations

Enterprisers Project: Expert advice on securing hybrid cloud environments

Posted by

Hybrid cloud should strengthen your organization’s security posture, not diminish it. But that doesn’t mean improved security is a default setting.

Excerpt from: Hybrid cloud security: 8 key considerations

Ensure you have complete visibility. Too often in modern IT, CIOs and other IT leaders have blind spots in their environments, or they focus too narrowly (or even exclusively) on their on-premises infrastructure, says cybersecurity veteran J. Wolfgang Goerlich, who serves as VP of strategic programs at CBI.

Now that companies and their end users can use hundreds of cloud-based apps, and multiple departments can spin up their own virtual server on an Infrastructure-as-a-Service platform, complete visibility across private cloud, public cloud, and traditional infrastructure is a must. A lack of visibility, says Goerlich, snowballs into much greater security risks than are necessary.

Read the full article: https://enterprisersproject.com/article/2017/7/hybrid-cloud-security-8-key-considerations


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.