
CISO FORUM: Navigating Managed Security Service Providers (MSSPs): Ensuring Successful Engagements

Outsourcing or insourcing decisions can be complex, but Managed Security Service Providers (MSSPs) offer a viable solution for various security organizational needs. The recent Fortify Experts CISO Forum explored the decision-making process and the importance of effectively evaluating and working with MSSPs. 

Key topics covered in the Forum included defining expectations through MSSP evaluations, contracts, Service Level Agreements (SLAs), monitoring MSSP performance, and maintaining communication.

The security leaders attending uniformly agreed that when engaging with MSSPs, aligning expectations with executive requirements and industry standards is vital.  To ensure an effective partnership, organizations should consider this a strategic partnership.   

Here are some CISO Recommended Tips on how you can improve your success with an MSSP.

A.  Start by defining your requirements:

  1. Define what regulatory requirements and controls your firm has to comply with.
  2. Then, evaluate specific business metrics which need to be met to satisfy the executive team.
  3. Define the scope of what should be outsourced and what could be outsourced.

B.  Investigate who the reputable vendors are in your industry:

  1. Ask similar counterparts if they have had good or bad experiences with a vendor. 
  2. The group's advice was to stay away from smaller startups (under 25 people) unless there is a very specific reason (e.g. a specialty) to consider them.
  3. Look for an MSSP with a specialization in your industry. Their expertise within the industry could provide you with a more refined approach to your specific needs. 

C.  Evaluate vendors:

  1. How well do they align with your business requirements?
  2. Does their pricing model appropriately reflect their level of service offerings?
  3. Do they have a reputation for meeting expectations?

D.  Contracting with the Vendor:

  1. Carefully considering SLAs and contract details can maximize the benefits of MSSP engagements.
  2. Define appropriate staffing levels and who will be working on the engagement, and make sure there is a notification provision if staffing changes.
  3. Define incident response times and SLA reporting requirements in the agreement, plus incentives and disincentives to enhance accountability.

E.  Monitoring Performance:

  1. The client-MSSP relationship hinges on a common understanding facilitated by SLAs. 
  2. Collaboratively create a comprehensive dashboard and reporting system to cover all critical metrics, which can be shared regularly with executives and the board to keep them informed.
  3. Consider appointing a dedicated MSSP contact (e.g. CISO, virtual CISO, etc.) to oversee the MSSP and ensure compliance and performance.

F.  Ongoing Communication:

  1. Communication is vital in demonstrating the value of MSSPs. 
  2. Creating transparency around reporting on incidents, threat landscapes, and ongoing projects is critical.
  3. Focus on continuous improvement that is adaptable to the evolving threat landscapes. 
  4. Continue to evaluate performance, refine agreements, and align MSSP services with organizational goals to create long-term success.

By following these insights and best practices, organizations can navigate the MSSP landscape confidently, ensuring successful engagements that meet their unique requirements while maximizing the value they receive from their MSSP.

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to improve your security program.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

 

About Tim Howard

Tim Howard is the founder of 4 technology firms including Fortify Experts, which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST-based security assessments.

In addition, he has a passion for helping CISOs develop Higher Performing Teams through staffing, coaching, CISO Forums, and improving their team culture.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

CISO Forum Summary- Best Practices for 3rd Party Security Assessments

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed the best practices around 3rd Party Security Assessments.

Suggested Best Practices:  The security leaders on the forum outlined several steps for establishing a vendor assessment program.

Step 1:  Develop criteria to classify vendors into tiers.

  1. Tier 1:  Critical Vendors – Those connected to your systems and with access to PII (ex. HR SaaS vendor, cloud data provider).
  2. Tier 2:  High-Value Vendors – Either a critical vendor that does not have PII access, or a replaceable vendor that does have access to PII (ex. critical supply chain vendor, or benefits provider).
  3. Tier 3:  Mid-Level Vendors – Could impact the business, but with lower probability (ex. components required for manufacturing your product).
  4. Tier 4:  Lowest Priority Vendors – Easily replaceable vendors with no access to PII (ex. office supplies or coffee vendor).

Step 2:  Define the process for assessing each vendor – example below:

  1. Tier 1:  These get the most risk & cyber questions (50 to 100) and then a personal follow-up on those questions.
  2. Tier 2:  Smaller assessment (10-15 questions) with a personal follow-up.
  3. Tier 3:  Insert an appropriate Security Addendum (see below) into contracts.
  4. Tier 4:  No assessment required.

Step 3:  Work with the business leaders/owners to slot each vendor into a tier.

Step 4:  Decide a frequency for assessments for each tier.

  1. Initial contract
  2. Annual
  3. If they are breached.

Step 5:  Develop a process:

  1. Develop a consistent process throughout the whole assessment so every vendor has the same experience.  The resulting side-by-side comparison can be leveraged to establish targets with leadership, which can in turn lead to establishing budgets to achieve those targets.
  2. Consider using a 3rd party tool to reduce the workload and help focus on scoring the high-priority issues.

Note: Cyber Insurance provider, Lockton, is releasing an extensive 39-page assessment in 2023 which asks the percentage of completion for certain controls.  

The downsides of Vendor Security Assessments (VSA):

  1. Questions are usually very broad, and they often don't ask the right questions to really determine the level of security.
  2. They only measure a point in time.
  3. Chasing down vendors to complete them is a problem.
  4. How do you ensure a knowledgeable person is entering the data?  This affects the validity of the assessment.
  5. Often the quality of results is low at best, but it is a checkbox to prove the questions were asked.
  6. If a firm is going to do business with a company no matter what the assessment says, then completing the assessment is only done to CYA.

Note:  If security risks are identified and the business still wants to use them, write the business owner a letter warning them of the risk.  This will provide some CYA and transfer that decision back to the business owner. 

3rd Party Evaluation Services:

  1. Bitsight – Active 3rd party monitoring – ratings can give you crucial visibility into your digital ecosystem.
  2. SecurityScorecard – Outside-in view of your organization's network security across 10 risk factors.
  3. RiskRecon – Rates and profiles risks around CVEs, hostname, IP address, asset value, issue severity, and computing architecture.

Issues with 3rd Party Evaluation Services

  1. These are considered ‘a necessary evil’ for public companies because analysts and the BOD see the ratings and judge the security team by them.  
  2. They don’t have much useful data and often have erroneous data like old domains. 
  3. They only measure what is exposed on the internet but do not grasp what is exposed within the infrastructure.  
  4. One leader likened it to a “Drive by appraisal of your house.” 

Use a Security Addendum to Off-Load Vendor Risk to Legal 

Another leader discussed how he off-loaded security risk by developing a Security Addendum which was included in the vendor contracts.

The Security Addendum can include language to: 

  1. Require critical vendors to complete an annual Vendor Security Assessment (VSA) or provide details on their annual security assessment (ex. SOC 2 Type 2).
  2. Require notification of a breach within 48 hours.
  3. Provide an incident response contact person.
  4. Protect data and provide evidence as required.
  5. Require software vendors to escrow code and back up data in case they go insolvent, so you can still get access to that code and data.

Adding a Security Addendum transfers the liability from Security to Legal.  If the vendor is immature and redlines parts of the security addendum in the contract, then the general counsel has to get involved. The GC is risk-averse and often has more influence than a security leader.  This enables the legal team to be the enforcement arm of your vendor assessments. 

The Security Addendum can be leveraged to improve cyber insurance, and compliance with GDPR, SOX, and HIPAA. 

Is SOC 2 enough?

The Leaders agreed that if a firm has completed a satisfactory SOC 2 Type 2 assessment, it would often be accepted in lieu of a VSA.  

International 3rd-Party Vendors:

For international vendors, evidence of security is very limited; therefore, it is recommended to look for any type of evidence to help show you took the best possible path for due diligence, to protect yourself in case an event occurs.  Ultimately, the question arises: "Would a jury of your peers agree that you did the best you could do in that situation?"

Security vs. Risk Management

Security is not the risk assessment group. That’s up to Risk or Legal.  

Regulators are often open to the idea of running risks through a Risk Management Framework and then discussing whether your firm is willing to accept that amount of risk. 

Is it right to hand over all your cyber stuff when someone asks, “Send me all your security policies and scans?”

  1. Qualify whether they have anyone qualified to read and understand what would be reviewed.
  2. Define how they will secure what you provide, since it may contain proprietary data that could expose vulnerabilities.
  3. Offer an on-site review only.

Note:  Be careful about what is published on the internet and intranet.  Are there policies that might expose vulnerabilities about internal processes, IP addresses, or an incident response plan if it got into the wrong hands? 

CISO Forum Summary – Best Practices around 3rd Party Security Assessments

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed the best practices around 3rd Party Security Assessments.

From the security leaders who were present in the forum, here are some suggestions for best practices for assessing vendors:

  1. Work with business executives to establish a tier for each vendor:
    • Tier 1: Critical Vendors: have access to PII and are connected to systems (ex. HR SaaS providers, payroll firms)
    • Tier 2: Vendors who are connected or have access to PII (ex. digitally connected supply chain).
    • Tier 3: Vendors who are critical to the business but not directly connected (ex. components for your manufacturing of other products)
    • Tier 4: Lowest Priority: non-critical, non-connected vendors (ex. office supply or coffee vendors).
  2. Determine the level of scrutiny for each tier, for example:
    • Tier 1: These vendors get the most scrutiny: many security questions (could be 50-100), risk assessments, and a personal follow-up on their answers.
    • Tier 2: These vendors are asked fewer questions (could be 10-15) but still get a personal follow-up on answers as a validation step.
    • Tier 3: Incorporate security clauses into contracts, but no assessment required.
    • Tier 4: Don't review.

 

Other Best Practices:

Have a consistent process through the whole assessment so every vendor has the same experience. Side-by-side comparisons are valuable; one leader took them to leadership, who were then tasked with setting targets, which led to establishing budgets to achieve those targets.

Assess business owners to

Responding to 3rd party questions:
  • Invite them to review.

3rd party assessment providers – Bitsight, SecurityScorecard – If others are
  • "Drive by appraisal of your house"
  • Don't have much useful data.

Questions are so broad that they often don't ask the right questions. Lockton is releasing a new 39-page assessment, which adds the percentage of times a control was done.

Use an automated 3rd party tool for the vendor security questionnaire to reduce the workload and help focus only on scoring high-priority issues. How often do you conduct the assessment?
  • Initial contract
  • Once a year
  • If they are breached.

It is only a point in time (a check box). There is an issue with chasing vendors down to do it, and with who is entering the data, which could impact the validity of the assessment. The quality of results was low at best, but it was a check box.

RiskRecon – public-facing – shows what is exposed on the internet but does not grasp what is exposed within the infrastructure.

Companies with strong security processes are usually more apt to share their security protocols. Those who are immature, often delay their response.

If a firm is going to do business with a company no matter what the assessment says, then completing the assessment is moot.

If risky, the business owner gets a letter declaring that there is a risk.

VSA (Vendor Security Assessment) – One leader approached the contract teams with a Security Addendum that included:
  • Mandatory annual security assessment
  • 48-hour notification of a breach
  • Mandatory contact name for their incident response
  • Protect data and provide evidence of that

Transfers the liability from Security to Legal. If the vendor is immature and redlines the security addendum in the contract, then the general counsel has to get involved and would be responsible for accepting the risk on behalf of the business.

That helps raise the risks to the executive team. VSA then can be leveraged for cyber insurance, or compliance with GDPR, SOX or HIPAA.

Enables the legal team to be the enforcement arm of your vendor assessments.

Security is not the "risk assessment" group. That's up to Risk or Legal. SaaS providers

Is a SOC 2 report enough to give a firm a pass in lieu of additional due diligence? As long as it is a SOC 2 Type II.

For international vendors, evidence of security is very limited, so look for any type of evidence to help show you took the best possible path for due diligence, to protect yourself in case an event occurs. Ultimately, would a jury of your peers agree that you did the best you could do in that situation?

Regulators are open to the idea of running this through a Risk Management Framework and then asking whether you are willing to accept that amount of risk.

Is it right to 'hand over all your cyber stuff' when asked to send all your policies?
  • Do you have anyone qualified to read and understand what we give you?
  • How are you securing our data and the roadmap to our security?
  • On-site

Alternates:
  • Written summary of policies
  • Long virtual sessions
  • On-site assessments are old school – highly regulated industry.

CISO actions are tied to business development: go get a SOC 2 Type II assessment.

GDPR is a legal issue. The Chief Privacy Officer is responsible for data loss.

The CISO's job is to prevent and respond to breaches.

To protect firms from SaaS providers who might go insolvent, contracts would require them to escrow code and data in case they do.

Have you posted all your security policies to your intranet? Do they show proprietary information?

 

3rd Party Evaluation Services:

  • Bitsight  – Active 3rd party monitoring – Bitsight might be antagonistic because there are errors which need to be resolved.
  • Security ScoreCard –

Technologies that may help:

Migrating from ServiceNow to ProcessUnity


About Tim Howard

He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University. 

Invite Tim to connect:  www.linkedin.com/in/timhoward

CISO Forum Summary – IAM Best Practices

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed best practices around Identity and Access Management (IAM).

BIGGEST IAM CHALLENGES FOR LEADERS:

  • The biggest challenge right now is, during a merger, how to bring two worlds together from an IAM perspective (process, policy, procedure, etc.) because they are so different (one immature and one mature).
  • Another big challenge is getting business processes organized, making sure they find a technology solution that can implement IAM, and culturally getting folks to buy into IAM, which will help them be more efficient with onboarding/offboarding and provisioning.
  • There are several processes people had to do to make up for not having a centralized identity management system. The biggest issue is getting the changes done and the right integrations done, all in a timely manner.
  • Not having an automated system in place, and having a lot of manual processes and scripting that need to be integrated into Workday.
  • There is no IAM strategy in the company, and no one knows what the company wants or where it wants to go.
  • Struggling to define what IAM means and the strategy to define it, plus selling the idea of IAM internally.
  • Not having a universal plan is an obstacle to maturing IAM processes and integration.

WHERE CAN WE MAKE THE BIGGEST IAM IMPACT THE FASTEST?

  • Get to the point where LDAP is your friend. Moving to single sign-on (SSO) will make the biggest impact because then you can control who gets access to what, from where, for how long, at what access level, and even when they get access.
  • You need tools in your toolbox to move from on-prem to the cloud while keeping SSO intact.
  • One leader concluded that he would never get to single sign-on, so he devised an on-prem managed group and kept them on their own connection. He put out models for people to refer to if they wanted to use a cloud service. If they wanted to connect to a model they did not have access to, they would need to sign a waiver with the cyber team. This helped mature the business units; they started seeing the value in productivity, which helped get single sign-on working in other areas.
  • One leader can identify who the people are, but is struggling with getting people in the door: provisioning, deprovisioning and keeping up with access. He wants to find the right identity and access management solution, because so many people in different departments have access to the company's information.
  • One leader said they need to build the IAM foundation so users can see the benefit of single sign-on and multifactor authentication.

EXPERIENCE WITH ONBOARDING/OFFBOARDING PROCESS:

  • Establish an authoritative record source (i.e. Workday?); if so, HR must be timely in terminating and creating accounts.
  • Using HR as the starting point of the onboarding process and then automating from there has helped.
  • When HR is not the source, issues tend to arise.
  • Cross-boarding has also been an issue when employees transition within the company. One leader explained how they addressed it: if there is a change/move in position within the company, allow the change from role A to role B, then manually go back in, add the access from their old position, and put an expiration date on those permissions. This wasn't the greatest because it was manual, but it did work for them.
  • There should be a technology to make the cross-boarding process easier.
  • Establishing a user data store could be useful in mitigating these issues.
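The HR-as-authoritative-source and expiring cross-boarding access practices above map naturally to a periodic reconciliation job. The Python below is an added example written for this summary, not code from the forum participants or any IAM vendor: it assumes a constructed HR export (the authoritative source, standing in for e.g. Workday), a constructed directory account list whose carry-over entitlements carry an expiry date, and a hypothetical per-role entitlement baseline, and reports onboarding gaps, offboarding gaps, orphan accounts, expired carry-over access and role drift.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical role baseline: the entitlements each role is supposed to carry.
ROLE_BASELINE = {
    "hr_analyst": {"hris_read", "payroll_read"},
    "payroll_admin": {"hris_read", "payroll_read", "payroll_write"},
    "sales_rep": {"crm_read", "crm_write"},
}


@dataclass(frozen=True)
class HrRecord:
    """One row from the authoritative HR system (assumed to be e.g. Workday)."""
    employee_id: str
    status: str  # "active" or "terminated"
    role: str


@dataclass(frozen=True)
class Entitlement:
    """A directory entitlement; `expires` is set on cross-boarding carry-over access."""
    name: str
    expires: Optional[date] = None


@dataclass
class Account:
    """One directory / IdP account keyed to an HR employee id."""
    employee_id: str
    enabled: bool
    entitlements: set = field(default_factory=set)


def reconcile(hr, accounts, today):
    """Compare directory accounts against HR and return sorted
    (employee_id, finding, detail) tuples for every joiner/mover/leaver gap."""
    findings = []
    hr_by_id = {r.employee_id: r for r in hr}
    acct_by_id = {a.employee_id: a for a in accounts}

    for acct in accounts:
        rec = hr_by_id.get(acct.employee_id)
        # Leaver checks: an enabled account must map to an active HR record.
        if acct.enabled and rec is None:
            findings.append((acct.employee_id, "orphan_account", "no HR record"))
        elif acct.enabled and rec.status == "terminated":
            findings.append((acct.employee_id, "offboarding_gap",
                             "HR terminated, account enabled"))
        if rec is None or rec.status != "active":
            continue
        # Mover checks: anything beyond the current role's baseline is either
        # time-boxed carry-over access (flag once expired) or unexplained drift.
        baseline = ROLE_BASELINE.get(rec.role, set())
        for ent in acct.entitlements:
            if ent.name in baseline:
                continue
            if ent.expires is None:
                findings.append((acct.employee_id, "role_drift", ent.name))
            elif ent.expires < today:
                findings.append((acct.employee_id, "expired_carryover", ent.name))

    # Joiner checks: every active HR record needs an enabled account.
    for rec in hr:
        if rec.status == "active":
            acct = acct_by_id.get(rec.employee_id)
            if acct is None or not acct.enabled:
                findings.append((rec.employee_id, "onboarding_gap", "no enabled account"))
    return sorted(findings)


def sample_findings():
    """Run the reconciliation over constructed sample data as of 2024-03-01."""
    hr = [
        HrRecord("E100", "active", "hr_analyst"),
        HrRecord("E101", "terminated", "payroll_admin"),  # left, account still on
        HrRecord("E103", "active", "sales_rep"),          # moved from hr_analyst
        HrRecord("E104", "active", "sales_rep"),          # hired, no account yet
    ]
    accounts = [
        Account("E100", True, {Entitlement("hris_read"), Entitlement("payroll_read")}),
        Account("E101", True, {Entitlement("hris_read"), Entitlement("payroll_write")}),
        Account("E103", True, {
            Entitlement("crm_read"), Entitlement("crm_write"),
            Entitlement("hris_read", expires=date(2024, 1, 31)),  # carry-over, now expired
            Entitlement("payroll_write"),                          # never part of either role
        }),
        Account("E999", True, {Entitlement("crm_read")}),         # no HR record at all
    ]
    return reconcile(hr, accounts, today=date(2024, 3, 1))


if __name__ == "__main__":
    for employee_id, finding, detail in sample_findings():
        print(f"{employee_id}: {finding} ({detail})")
```

Each finding type maps to one of the gaps the leaders described: onboarding and offboarding gaps point back at HR timeliness, expired carry-over points at the manual cross-boarding clean-up, and role drift is what a user data store with a role baseline would surface.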

IS THE GOAL OF IAM TO GET TO ZERO-TRUST AND IS THAT A COMMON GOAL?

  • One leader was curious how zero-trust plays into reducing risk and improving the overall security posture. Also, if zero-trust eliminates the perimeter, does that mean we are losing all the things we are putting so much time and effort into because zero-trust architecture is coming down the pipe? No: we need to do IAM correctly.
  • This is still role-based access. It starts at the point of hire and then changes dynamically as people change roles, and that sets up zero-trust very well.
  • Without IAM you're not going to get to zero-trust.
  • One CISO only made progress when he trained the IT community and IT engineers on the security controls/IT controls in their circle of influence, and by having a CFO who understands that they need to do something and holds the focus of the strategy they have put together.
  • Role definition, securing documents, and provisioning of these roles are essential to the enterprise IAM model.

Tools: how they have helped, but have also exposed lack of skill in other areas:

  • SailPoint has been the main tool for most of the leaders; other options others have tried are Microsoft Identity Manager and Okta, but you need to find the right partner to help with IAM, especially given Microsoft's limited staff.
  • Finding a good partner is difficult and takes time. There are not many competitors to SailPoint.
  • SailPoint and Okta have overlapping features, and it can be challenging to figure out which software does what properly, such as Okta for authentication and maybe only SailPoint for account provisioning, but it is still a work in progress.
  • Orchestration is the end goal. Strata Identity does orchestration across points in the cloud and on-prem with Okta and other vendors. That is where things are headed.
  • However, if your processes are not well-defined and you are not doing the basic blocking and tackling (role definition, provisioning, etc.) up front, these tools will just expose how bad things currently are in a company.
  • IAM needs to be a full-time project for a team to work on, not a part-time team.
  • Your organization needs to be able to point to your IAM owner; otherwise, it becomes an issue.
  • Awareness and education outside of IT, including HR and executives, is key to a successful IAM implementation.

CISO Forum Summary – Establishing a Baseline in your Security Program

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed the best practices around establishing a baseline for your security program.

Frameworks for establishing a baseline in your program:

  1. Leaders should establish a baseline on a Risk Management Framework (RMF) like NIST Controls.
    • NIST has 260 controls at their top level, which is required by the DoD or other Federal Agencies.
    • NIST has also established a Cybersecurity Framework for industries that fall under Critical Infrastructure; those NIST guidelines only have 160 of the 260 controls.
    • Therefore, if NIST is the RMF for Critical Infrastructure, then those 100 controls NOT implemented could be attack vectors.
  2. Another framework is FFIEC, which is designed for the financial industry. While it's not 100% cyber focused, it has many cyber controls built into it.
  3. There are several other more proprietary frameworks such as HITRUST, which is designed for the Health Care industry and based on NIST but adds a layer of HIPAA controls on top of it.

Challenges with Establishing a Baseline

  1. NIST is more of a guideline instead of a black and white – do this or that. Therefore, it allows room for interpretation and could lead to disagreements on its application or implementation.
  2. Some try to box answers into Yes, No or Does not Apply which may not work as well in a large enterprise since one area or business unit may implement that control well while a different unit may not. Therefore, there may need to be more depth to answers.
  3. Self-assessments can be skewed and do not carry much weight.
  4. Managing all of the framework controls data (i.e. status, maturity, documentation, procedures, exceptions, etc.) is a major challenge. Most of the leaders were managing this in spreadsheets.

Assessing a Baseline on Employees:

  1. Since 80-90% of all attacks come through email, using a phishing tool (i.e. KnowBe4 or PhishMe) to assess cyber awareness is highly effective. One CISO lowered his phishing rates from 22% down to 1% in one year.
  2. Employee awareness is often benchmarked only on phishing results. However, with today's remote workforce, it requires a much larger scope.  Employees need to be trained on data security: exfiltration through Dropbox and other shadow IT, BYOD acceptable use, personal email access on corporate devices, home network and wifi settings, USB use, the ability to print, connecting to public WIFI, etc.
  3. Employee cyber safety knowledge needs to be holistically assessed and measured to know where training needs to be focused.

“Security is everyone’s responsibility, but not everyone knows their responsibility.”

  1. Development Staff – To raise the secure coding awareness of developers, one CISO creates competitions between development groups to find vulnerabilities in each other’s code then rewards the team with the most secure code. This teaches both teams what to look for and how to code more securely.
  2. Tech Staff – One CISO creates Capture the Flag events for all tech staff – Infrastructure, Privileged Access team, QA, Developers – anyone can participate. Teaches them how to break code, how to secure code and even identifies potential security team new hires.

Assessing a Baseline for Vendors:

  1. It is typically a painful experience to vet out vendors to validate their maturity.
  2. Need to know:
    1. Who filled out the form
    2. Who’s ultimately responsible for the program
    3. Their contact information to validate answers and listen for competency.
    4. A good competency measurement is whether they conduct regular Internal & external vulnerability tests.

Tools & Technology that Help:

  1. https://csf.tools/ is the NIST Cybersecurity Framework (CSF) tool.
  2. Diligent (acquired Steele & Galvanize) – Integrated GRC SaaS solution.
  3. Privva (acquired by Entreda) – Integrated GRC solution for regulated industries.
  4. SecurityStudio – Maturity assessment tool for NIST, HIPAA, CMMC, FFIEC. Also automates the assessment of security maturity for employees and vendors.
  5. RiskRecon – Vendor risk assessment tool.

Other Best Practices:

  1. Think about each control with the following levels of maturity:
    1. Documented
    2. Implemented
    3. Practiced
    4. Measured
    5. Optimized
  2. Assessments should be done by 3rd parties to create an objective lens.
    1. Partner with audit. Point them to the problem areas to create visibility which can then be used to gain support.
    2. Be consistent: every 12 to 24 months with the same vendor, to track improvements and gaps.
  3. Track who owns the controls and who is responsible for implementing them fully. If someone leaves, the ownership needs to be transferred.

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to establish a baseline for your security program.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

About Tim Howard

Tim Howard is the founder of 4 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST-based security assessments.

In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University. 

Invite Tim to connect:  www.linkedin.com/in/timhoward

CISO Forum Summary – The Viability of Passwordless Authentication

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed the viability of passwordless authentication.

The desire is high to achieve Passwordless Authentication, but there appear to be very few Passwordless solutions that achieve the level of security required for the broad needs of a large enterprise.

Our discussion revolved around password best practices and what technologies are available to reduce the burden of managing and securing passwords.

Initial Questions to Consider:

  1. Would Passwordless Authentication (PA) increase security across the enterprise?
  2. How much will implementing PA cost the firm?
  3. What price will users be willing to pay for the convenience of PA (giving access to biometrics, using an app, or company-issued phones, USB security devices, etc.)?
  4. What legacy applications will be a barrier to implementing PA?
  5. Is the goal to be Passwordless across the end user workstations & devices or across the entire enterprise?

What is Password Integrity:

  1. The NIST standard recommendation is now to make passwords at least 12 characters, but they can be less complex, making them easier to remember.
  2. Using passphrases such as “Thi$_i$_a_L0ng_Pa$$word” could significantly increase security.
  3. Many people are using “Lost my password” to log in each time. One firm, with many hourly workers, had to ramp up staff to assist with all the password change requests.  For them, this is an administrative nightmare and the desire to use a biometric (i.e. fingerprint) instead of a password is very high.
  4. One leader said, “We all are experiencing password & MFA overload.”
  5. One firm provides “LastPass” to all employees and their families, so they will utilize good password hygiene in personal accounts. This leads to better password hygiene at work.
  6. This same firm also provides Password Vaulting through Thycotic (now Delinea).
  7. They also enacted that if an employee fails a phishing test, they must change their passwords. This “Punishment” fits the ‘crime’ and is a natural consequence of their actions.
  8. One firm eliminated password security questions for their MFA into HR Systems. Instead, employees must use an app or VPN to get access to HR systems.
  9. One firm has gone to 16-character passwords, but they only expire once a year. Admin PW’s still expire every 90 days and Contractors also expire every 90 days.

Biometrics:

  1. Microsoft has been able to get 85% of their campus to Zero Trust and much of that is Passwordless using biometrics.
  2. Biometrics could solve so much of the password reset issues.
  3. Some firms like Wells Fargo are using Voice printing to authenticate. But it was recommended that you don’t manage the crown jewel with that.
  4. Voice was said to be one of the weaker biometrics. Face and fingerprints are better.

Multi-Factor Authentication (MFA):

  1. While MFA is more secure, it can be breached. If an email breach occurs, a SIM card is swapped, or a cell phone is left behind, MFA codes can be stolen, passwords can be reset, and access to systems can be compromised.
  2. Smishing (SMS phishing) is making MFA less secure.
  3. However, MFA is still recommended for all public facing apps.

Challenges to Implementing MFA

  1. A lot of legacy systems are still in place which inhibit a single sign-on MFA from being implemented.
  2. Each different division, acquisition or subsidiary has different ways of doing things making a universal MFA impractical.
  3. We should be cautious of using too much Push MFA because people are getting MFA fatigue.

Zero-Trust

  1. To achieve true zero trust, MFA needs to be redefined. It is more than just sending a code to your phone. Zero Trust MFA evaluates 3 factors:
    1. What you know – i.e. password
    2. What you have – i.e. personal device, authenticator, or a UBT
    3. What you are – i.e. biometrics
  2. However, “what you are” is morphing: what you do is what you are. Some firms are analyzing your patterns (i.e. keystrokes, habits, voice print, etc.) to validate you, not just body parts.

Could a Personal Mobile Device be used for Passwordless Authentication?

  1. An Apple Watch can unlock your Mac workstation.
  2. Microsoft Hello for facial recognition has been mildly successful, but there are issues with having a good enough camera, or masks.
  3. It would require Microsoft and Apple to work together to build a holistic solution. That’s a real challenge.
  4. It seems like there is an opportunity to create an App which leverages a phone capability and tie it to a single sign-on solution to unlock enterprise applications.

Unhappy Path:

  1. Much of the focus is on the users “happy path” – when they have all they need to log in (device, PW, biometrics, etc.)
  2. The real thing that needs to be evaluated is the Unhappy Path (when the user doesn’t have one of those). Then what happens and how does one validate to get in?

Security on OT Systems:

  1. More focus needs to be put on the securing of OT systems where you may have 10+ people all interacting with the same terminals. Facial recognition may not be an option in a chemical plant if they have a serious incident.
  2. Maybe combine plant badging in/out, smart camera systems and proximity badges, storing this data in a blockchain to evaluate multiple attributes and better validate whether the right people have access.
  3. OT systems ‘should’ be air gapped, but often they are not.
  4. One question was asked: “Is the biggest challenge using Passwordless Authentication on OT systems, or is it at the app level where the masses are accessing thousands of applications?”

YubiKey Authentication:

  1. YubiKeys are typically impractical at scale. There are no doubts about the security of the product.  The problem is the management of these in a remote work environment.  SecurID was the predecessor of the technology.  It is also difficult to manage in smaller organizations.
  2. How about Bring Your Own YubiKey? It was said to be not practical for larger corporations.  These should be corporate assigned only.
  3. Do YubiKeys expire? It depends on how they are set up.
  4. YubiKeys would be good as a 3rd or 4th factor, not as a single sign-on or even a 2nd factor.

Challenges of YubiKeys:

  1. YubiKeys can be stolen.
  2. YubiKey trojans – Someone could switch out the one on someone’s desk for one embedded with ransomware.
  3. Laptops have a limited number of USB ports. Also, newer laptops may only have USB-C instead of USB-A.
  4. Logistical problems of getting YubiKeys into employees’ hands if they are remote.
  5. When someone leaves the company, it becomes a challenge to shut all the access down. It’s just one more thing to disable, especially if the process is not automated.

Other Emerging Technologies:

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to improve your password authentication activities.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

CISO Forum Summary – Establishing a Baseline in your Security Program

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed how these successful security leaders have been able to create higher-performing security teams.  Here is a summary of their top tips or suggestions on how to create a baseline to move your program forward.

Frameworks for establishing a baseline in your program:

  1. Leaders should establish a baseline on a Risk Management Framework (RMF) like NIST Controls.
    • NIST has 260 controls for their top level which is required by the DoD or other Federal Agencies.
    • NIST has also established a Cybersecurity Framework for those industries that fall under Critical Infrastructure; those NIST guidelines only have 160 of the 260 controls.
    • Therefore, if NIST is the RMF for Critical Infrastructure, then those 100 controls NOT implemented could be attack vectors.
  2. Another framework is FFIEC which is designed for the financial industry. While it’s not 100% cyber focused, it has many cyber controls built into it.
  3. There are several other more proprietary Frameworks such as HITRUST which is designed for the Health Care industry and based on NIST but also adds a layer of HIPAA controls on top of it.

Challenges with Establishing a Baseline

  1. NIST is more of a guideline instead of a black and white – do this or that. Therefore, it allows room for interpretation and could lead to disagreements on its application or implementation.
  2. Some try to box answers into Yes, No or Does not Apply which may not work as well in a large enterprise since one area or business unit may implement that control well while a different unit may not. Therefore, there may need to be more depth to answers.
  3. Self-assessments can be skewed and do not carry much weight.
  4. Managing all of the framework controls data (i.e. status, maturity, documentation, procedures, exceptions, etc.) is a major challenge. Most of the leaders were managing this in spreadsheets.

Assessing a Baseline on Employees:

  1. Since 80-90% of all attacks come through email, using a Phishing tool (i.e. KnowBe4 or PhishMe) to assess cyber awareness is highly effective. One CISO lowered his phishing rates from 22% down to 1% in one year.
  2. Employee awareness is often just benchmarked on phishing success. However, with today’s remote workforce, it requires a much larger scope.  Employees need to be trained on data security: exfiltration through Dropbox and other shadow IT, BYOD acceptable uses, personal email accessibility on corporate devices, home network and Wi-Fi settings, USB use, ability to print, connecting to public Wi-Fi, etc.
  3. Employee cyber safety knowledge needs to be holistically assessed and measured to know where the training requirements need to be focused.

“Security is everyone’s responsibility, but not everyone knows their responsibility.”

  1. Development Staff – To raise the secure coding awareness of developers, one CISO creates competitions between development groups to find vulnerabilities in each other’s code then rewards the team with the most secure code. This teaches both teams what to look for and how to code more securely.
  2. Tech Staff – One CISO creates Capture the Flag events for all tech staff – Infrastructure, Privileged Access team, QA, Developers – anyone can participate. Teaches them how to break code, how to secure code and even identifies potential security team new hires.

Assessing a Baseline for Vendors:

  1. It is typically a painful experience to vet out vendors to validate their maturity.
  2. Need to know:
    1. Who filled out the form
    2. Who’s ultimately responsible for the program
    3. Their contact information to validate answers and listen for competency.
    4. A good competency measurement is whether they conduct regular Internal & external vulnerability tests.

Tools & Technology that Help:

  1. https://csf.tools/ is the NIST Cybersecurity Framework (CSF) tool.
  2. Diligent (acquired Steele & Galvanize) – Integrated GRC SaaS solution
  3. Privva (acquired by Entreda) – Integrated GRC solution for regulated industries
  4. SecurityStudio – NIST CSF maturity assessment tool which simplifies an assessment across NIST CSF, HIPAA, & CMMC. Also automates the assessment of security maturity for employees and vendors.
  5. RiskRecon – Vendor risk assessment tool.

Other Best Practices:

  1. Think about each control with the following levels of maturity:
    1. Documented
    2. Implemented
    3. Practiced
    4. Measured
    5. Optimized
  2. Assessments should be done by 3rd parties to create an objective lens.
    1. Partner with audit. Point them to the problem areas to create visibility which can then be used to gain support.
    2. Be consistent. Reassess every 12 to 24 months with the same vendor to track improvements and gaps.
  3. Track who owns each control and who is responsible for implementing it fully. If someone leaves, the ownership needs to be transferred.
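Most of the leaders were managing control status in spreadsheets. The following is an added Python example, not from the forum or from any of the tools named above, showing how the maturity ladder in item 1 and the ownership rule in item 3 can be applied to a control register: it scores each control along the five levels, summarizes the program, lists controls at the weakest levels (the problem areas to point audit at), and flags controls that need a new owner. The CSV layout, the score of 0 for a not-yet-assessed control, and the names in the sample data are assumptions; the NIST CSF subcategory IDs are used only as realistic row labels.

```python
"""Maturity and ownership tracking for a framework control register.

Added example, not from the forum or any of the tools named above. It uses the
five maturity levels the leaders listed (Documented .. Optimized) and flags
controls whose owner has left so that ownership can be transferred.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# The forum's maturity ladder, lowest to highest. Index + 1 is the score.
MATURITY_LEVELS = ["Documented", "Implemented", "Practiced", "Measured", "Optimized"]

# Constructed register in the shape of the spreadsheets most leaders keep.
# The NIST CSF 1.1 subcategory IDs are used only as realistic row labels.
SAMPLE_REGISTER = """\
control_id,framework,maturity,owner
PR.AC-1,NIST CSF,Practiced,alice
PR.AC-4,NIST CSF,Documented,bob
DE.CM-1,NIST CSF,Measured,alice
RS.RP-1,NIST CSF,Implemented,carol
ID.RA-1,NIST CSF,,
"""


@dataclass(frozen=True)
class Control:
    control_id: str
    framework: str
    maturity: str  # one of MATURITY_LEVELS, or "" when not yet assessed
    owner: str     # accountable person, or "" when nobody owns it


def parse_register(csv_text):
    """Load the register, rejecting maturity values outside the agreed ladder."""
    controls = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = row["maturity"].strip()
        if level and level not in MATURITY_LEVELS:
            raise ValueError(f"{row['control_id']}: unknown maturity level {level!r}")
        controls.append(Control(row["control_id"].strip(), row["framework"].strip(),
                                level, row["owner"].strip()))
    return controls


def maturity_score(control):
    """1..5 along the ladder; 0 for an unassessed control (assumed convention)."""
    return MATURITY_LEVELS.index(control.maturity) + 1 if control.maturity else 0


def maturity_summary(controls):
    """Average score plus a per-level count, the two numbers a dashboard needs."""
    counts = Counter(c.maturity or "Unassessed" for c in controls)
    avg = sum(maturity_score(c) for c in controls) / len(controls) if controls else 0.0
    return round(avg, 2), dict(counts)


def orphaned_controls(controls, departed):
    """Controls with no owner, or whose owner is on the departed list."""
    gone = {name.lower() for name in departed}
    return sorted(c.control_id for c in controls
                  if not c.owner or c.owner.lower() in gone)


def weakest_controls(controls, max_level="Documented"):
    """Controls at or below a level: the problem areas to point audit at."""
    threshold = MATURITY_LEVELS.index(max_level) + 1
    return sorted(c.control_id for c in controls if maturity_score(c) <= threshold)


if __name__ == "__main__":
    register = parse_register(SAMPLE_REGISTER)
    print("maturity:", maturity_summary(register))
    print("needs new owner:", orphaned_controls(register, departed=["bob"]))
    print("weakest:", weakest_controls(register))
```

Running the same script against each year's assessment export gives the consistent 12-to-24-month comparison item 2 asks for, and the orphaned-controls list is the check to run whenever an owner leaves.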

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to establish a baseline for your security program.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

CISO Forum Summary – Establishing Meaningful Metrics in your Security Program

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed how these successful security leaders have been able to create higher-performing security teams.  Here is a summary of their top tips or suggestions on how to create better metrics to move your program forward.

Below are perspectives from 18 Security Leaders who provided input on the following questions:

What metric has helped drive your program forward the most?

  1. Understanding the Audience: The metric that has helped drive his program the most is understanding the audience and getting the metrics they want. He thinks that is one of the critical differentiators, so that both parties speak the same language and are on the same page.
  2. MTTD (Mean Time to Detect) & MTTR (Mean Time to Resolve/Respond): The ones that he has always gone back to are MTTD (Mean Time to Detect) & MTTR (Mean Time to Resolve/Respond). These are useful in the operational realm because they show your responsiveness and how quickly you can get back up. Another metric is your level of preparedness and patching for your vulnerabilities. What matters is not the metrics and the measures that go with them; it is more the ability to tell the story and how it will impact others. These metrics will mean different things to others in the company, and that is why it is helpful to understand what story you are trying to tell.
  3. Impact Analysis:  The metric that has helped him the most is a quality metric which is an impact analysis that he does after every widespread cyber-attack that comes to the news. He looks at the impact of that attack and analyzes that attack for different companies and his own. If that attack did not affect his organization the same way it did others, he will examine what works for him and see the differences between the other companies and vice versa. This has been good for showing how his program works for people on his board.
  4. Risk-Based Metrics: The metrics that work best with her programs are risk-based metrics: metrics that share with the enterprise the risks exceeding the agreed mitigation timeframe. Also, the extensions that risk owners request, since extensions are always requested, and each one is a problem that has not been resolved. Another metric is the measurement of risks that are being accepted. These are usually of value to executives by bringing these to the surface to be discussed.
  5. Readiness Metrics: The metric that has worked for him is reviewing all of the big hacks and presenting them to the executive committees, explaining what has happened, and showing their readiness for that to potentially happen at his organization. It feels like we get too technical with terms that many people, especially executives, do not understand, and he feels it is best to keep things as simple as possible for people to all understand.
  6. NIST CSF Maturity Score: The metric that has worked best for him is reporting his company’s maturity score, as measured by the NIST cybersecurity framework. He knows it is subjective but used his proper funding to hire a third party to analyze the maturity score.
  7. Tracking Against a Baseline: You’ve got a board or an executive leadership team that only thinks of risk after getting a poor or fair assessment. Establishing a baseline foundation and starting tracking against it has been effective for him over the years.
  8. NIST maturity assessment: He completed a NIST maturity assessment which has given him leverage to talk to the board about focusing on tracking metrics that focus on vulnerabilities and patchwork. His company bought Tenable and scans their devices every week, showing that things were old and needed to be patched. His goal is to get where he can detect in 1 minute, contain in 10 minutes, and recover fully in 60 minutes.
  9. Measuring against a Framework:  He found a lot of success by starting with the simple things that people can wrap their arms around, such as project status. NCSF (NIST Cybersecurity Framework) is always at the top of the list of customers he has worked with. They are working with key stakeholders and internal auditors to define agreed-upon attributes that encompass a maturity level capability, which allows the maturity level to be their own.
  10. TOP 4 Metrics: 4 metrics have helped him along the way, one being visible grading systems available on the internet (BitSight, Recon, etc.) because it shows what the world thinks when they look at his company. The other three are % of completed commitments planned, the % of the operationalized controls, and the maturity of those implemented controls.
  11. Qualitative Metrics: His new company focuses on the qualitative side and operates in a no-blame culture.
  12. IAM Metrics: Use metrics around identity and access management. Who has access to customer data is getting a lot of attention from the executives.
  13. Top 10 Most Asked Questions: Building a program from the ground up, they went straight to the business. From there, they would take the top 10 most asked questions from prospective clients and compare them to their existing controls environment and map them out to missed opportunities/missed revenue. This is what he dubbed the Security Blitz and has helped gain executive support and drive a lot of change.
  14. Question Provoking Metrics: Impactful metrics are taking credit for success and showing where the achievements are.  Metrics should drive more questions for the executives, especially before asking for more resources.
  15. Connecting to Organizational Strategy: The metrics that have helped him are the ones that are related to risk. It was understanding the risks related to the IT environment and the risk posed to the business environment. The key to his success is aligning the metrics that he is presenting to the overall strategic plan for the organization and making that connection solid.
  16. Financial Impact Metrics: The metric that got the most attention from his board and President was when they reported the number of records they have and the potential financial impact of the organization if those records were breached. This helps the conversations start moving forward so that they can get additional resources going.
  17. Gamification Scoring Metrics: They are hiring analysts who have a technical background but who also have a gaming background, because they are competitive. They gamify the SOC internally by finding and remediating against the metrics they have, with a points system that is rewarded each month. Keeping the team motivated through gamification has been helpful for his team.
  18. Business Aligned Outcome-Driven Metrics: By getting with the business leaders we have them identify what value they see in their investment for security. We also have them define an acceptable baseline.  We developed Protection Level Agreements to help businesses understand the value we are giving to them. We developed metrics to give regular status updates on those business objectives.

What technologies are used to help drive better metrics?

  • Solutions like RiskLens or SecurityStudio bring a lot of visibility to risk managers presenting on that front. In enterprise environments, Looker and Power BI take data out of their data lake to help make sense of all of it and eventually dashboard it.
  • One leader just relies on their ticketing system. They put a lot of effort into getting everybody in the university to use it. This helped his university understand where the issues are coming from and where they need to put their resources. The ticketing system is probably their most significant resource for gaining metrics.
  • Another leader uses API connections to a cloud-based tool for compliance. For their SOC, it has API connections to all the various devices that feed it data, so that it knows, based on the controls, what the evidence should be, and it pulls it monthly.

What are the most useless metrics to track?

  • Number of phishing emails! Rather have the number that did not get clicked.
  • Billions of attacks on the firewall.
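The metrics named above (MTTD/MTTR in item 2, risks past their agreed mitigation date and accepted risks in item 4, the percentage of operationalized controls in item 10) and the point just made about phishing emails all come down to a few calculations over a ticket or register export. The following is an added Python example, not from the forum or from any of the tools mentioned, that computes them; the record layouts and every value in them are constructed sample data, and MTTR is measured from detection to closure, which is one of several conventions.

```python
"""Security program metrics from ticket and risk-register exports.

Added example, not from the forum: it computes the metrics the leaders named
(MTTD/MTTR, risks past their agreed mitigation date, accepted risks, the share
of operationalized controls) and the phishing click rate rather than a raw
count of phishing emails. All records below are constructed sample data.
"""
from datetime import datetime
from statistics import mean

# Constructed incident export. "occurred" is when the attacker activity began
# (from the forensic timeline), "detected" when an alert or report reached the
# team, "resolved" when the incident was closed; None means still open.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T08:05",
     "resolved": "2024-03-01T09:00"},
    {"id": "INC-2", "occurred": "2024-03-03T22:00", "detected": "2024-03-04T07:30",
     "resolved": "2024-03-04T12:00"},
    {"id": "INC-3", "occurred": "2024-03-10T14:00", "detected": "2024-03-10T14:01",
     "resolved": None},
]

# Constructed risk register: each risk has an agreed mitigation date and a
# count of extensions the owner has already requested.
RISK_REGISTER = [
    {"id": "R-1", "owner": "app-team", "due": "2024-02-15", "status": "open", "extensions": 2},
    {"id": "R-2", "owner": "infra", "due": "2024-04-30", "status": "open", "extensions": 0},
    {"id": "R-3", "owner": "finance", "due": "2024-01-31", "status": "accepted", "extensions": 1},
    {"id": "R-4", "owner": "infra", "due": "2024-02-01", "status": "closed", "extensions": 0},
]

# Constructed control rollout status.
CONTROLS = {"MFA on VPN": "operational", "EDR on servers": "operational",
            "1-year log retention": "planned", "Backup restore test": "partial"}

# Constructed results of one phishing simulation campaign.
PHISHING_CAMPAIGN = {"sent": 1200, "delivered": 1180, "clicked": 47, "reported": 310}


def _minutes(later, earlier):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 60


def mttd_mttr_minutes(incidents):
    """Mean time to detect (occurred -> detected) and mean time to resolve
    (detected -> resolved). Open incidents count toward MTTD only."""
    detect = [_minutes(i["detected"], i["occurred"]) for i in incidents]
    resolve = [_minutes(i["resolved"], i["detected"]) for i in incidents if i["resolved"]]
    mttd = round(mean(detect), 1) if detect else None
    mttr = round(mean(resolve), 1) if resolve else None
    return mttd, mttr


def overdue_risks(register, today):
    """Open risks past the agreed mitigation date, with extensions already granted."""
    cutoff = datetime.fromisoformat(today).date()
    return [(r["id"], r["owner"], r["extensions"]) for r in register
            if r["status"] == "open" and datetime.fromisoformat(r["due"]).date() < cutoff]


def accepted_risks(register):
    """Risks the business chose to accept: surface them so they get discussed."""
    return [r["id"] for r in register if r["status"] == "accepted"]


def operationalized_pct(controls):
    """Percentage of planned controls that are fully operational."""
    if not controls:
        return 0.0
    done = sum(1 for status in controls.values() if status == "operational")
    return round(100.0 * done / len(controls), 1)


def phishing_rates(campaign):
    """Click rate and report rate per delivered message, in percent."""
    delivered = campaign["delivered"]
    return (round(100.0 * campaign["clicked"] / delivered, 1),
            round(100.0 * campaign["reported"] / delivered, 1))


if __name__ == "__main__":
    print("MTTD/MTTR (min):", mttd_mttr_minutes(INCIDENTS))
    print("overdue:", overdue_risks(RISK_REGISTER, "2024-03-15"))
    print("accepted:", accepted_risks(RISK_REGISTER))
    print("controls operational %:", operationalized_pct(CONTROLS))
    print("phishing click/report %:", phishing_rates(PHISHING_CAMPAIGN))
```

The sample incident export shows why the forum's "detect in 1 minute" goal is hard to read off a single average: two incidents were detected within minutes and one sat undetected overnight, which is what drags the mean up, so a practitioner would report the distribution alongside MTTD. The click and report rates are per delivered message, which is the number that does not get clicked that the leaders wanted, rather than the count of phishing emails sent.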

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to establish meaningful metrics in your security program.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

CISO Forum Summary – Best Practices for Managing a Hybrid Security Team

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed how these successful security leaders have been able to create higher-performing security teams.  Here is a summary of their top tips or suggestions on how to better manage a hybrid/remote team.

Challenges with Hybrid/Remote Teams:

  • One CISO said remote or hybrid teams raise the following questions:
    • Are your systems architected correctly to handle a large number of remote people?
    • How do you prevent your remoteness from setting you up for failure?
  • One CISO rolled out a hybrid option 2 years ago.  It has been challenging meshing all of the teams together.  He believes that the infrastructure team is critical for all of it to work properly.
  • He said language, communication, and time zones all play a factor in how successful a hybrid security team can be.
  • Another CISO of a 6,000-employee company allows each director the flexibility to choose how hybrid they want to be with their teams.
  • One CISO said they had initial difficulty while transitioning to remote work because they didn’t have all the controls at home that they had in the office.
  • Remote workers pose a schedule coordination issue which gets very frustrating with the hybrid systems.
  • One leader said her goal was not to make remote workers feel like 3rd Class citizens.

WFH and/or BYOD Policies:

  • She initiated a Work-from-Home policy that would allow people to have 1 or 2 days to work from home. Her company already had a hybrid foundation in place, especially since they have been doing it off and on for about two years now.
  • One CISO did not have a Work-from-Home policy, but her company has a Bring Your Own Device (BYOD) policy to help them know what kind of devices they can or cannot use for work.
  • Another leader did have a Work-from-Home policy before the pandemic; however, many positions would still need to come into the office because they were accustomed to their desktops, and during the pandemic it was a rush to get laptops, which were unfortunately backlogged. So they had to temporarily implement a BYOD policy with some safeguards.
  • A Work-from-Home policy should also provide guidelines around an Acceptable Use Policy for security measures.

Suggestions:

  • Establish specific work-from-home days because it would be better to align teams to be in the office on the same days.
  • Tell employees they cannot print certain documents at home with important information on them.

Connectivity and Bandwidth Challenges:

  • People believed that their ISP was delivering a certain level of service, but with all of the kids being home, it caused all ISPs to provide terrible service to people who thought it was good.
  • One CISO sent documents titled “Helpful Hints” to help employees who have kids at home to help employees understand the demands of streaming services and bandwidth issues that could impact their work. Although HR didn’t like it, the goal was to help moderate the bandwidth of individual households.
  • One other suggestion was to advise people to get 5G internet through a cellular system that would allow them to use a directional antenna that points at one of the towers which will enable them to have better service even with a slow ISP.
  • When some people working from home connected via ethernet, their machines ended up with a public IP address.  The security team had to help employees figure out how to remove them from public view.
  • One leader said going remote impacted him negatively because he lives in Idaho, and Fiber optics cables are not everywhere. It went from only 20-25 people on a VPN to over 5,000. People were having problems, which impacted what they could do and how well they could get it done.  More solutions are finally coming online for the more rural areas.

Hiring Hybrid & Remote Talent

  • A survey said that 80% of people said that if their employer were to force them to return to the office, they would find a job elsewhere. This will become an issue that many companies will have to deal with in the future.
  • When hiring, have candidates submit a screenshot of a speed test to make sure they have fast internet. The speed test has become a requirement for employment, and if their internet is not up to speed, they will not be hired.   It has been helpful to have this guideline when recruiting new employees because they know what to expect before they even interview for the position. With the guidelines, they can upgrade their bandwidth or find a way to increase their internet speed to meet the standards of the policy.
  • Remote roles have allowed one CISO to finally recruit outside of his small town in Idaho because not many want to live there.
  • However, this has a negative impact as well, because many people in remote areas are also finding better remote jobs elsewhere.
  • One CISO said remote hiring has been a multiplier because they have so many locations in the US. Complete remote work has freed them up to hire people where they are located, which has helped them hire many more employees without being limited by location.
  • Creating a hybrid culture needs to be high on the list of importance because the cost of turnover is enormous, and having the best people picked off is also a considerable cost.

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to manage a hybrid security team.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

CISO Forum Summary – Best Practices for Red Teaming


Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed how these successful security leaders have been able to improve their security programs through the use of red teams.  Here is a summary of their top tips or suggestions on how to select and create better red teaming engagements.

Selecting a Red Team:

Here are some perspectives on how to select a red team.

  • One CISO said his current employer (a large health care organization) outsources pen testing to the big consulting firms, which he believes do not have the right people. He feels small boutiques of 20 people or fewer are the way to go: they usually have come out of the industry, are diverse, and have specialists.
  • He says to get on the phone and talk to the companies to see what they know; based on his experience he could decipher which one to choose. The key is asking the right questions to determine which are the best pen-testing companies.
  • One leader said he picks a different vendor every year to show the executive board how they compare to their peers. After 3 years of annual tests, they could anticipate what the testers were going to find, because they kept running into systemic issues, mostly around change management and third-party risk.
  • One CISO prefers small pen testing companies over large ones because they usually have a more mapped-out plan for diverse attacks and do not try to sell him services afterward. Also, as soon as a small company gets bought, he usually drops it.
  • Another CISO said he would not use the same red team twice in one year, because they would carry out their attack the same way and he needed a variety of attacks.

Scoping/Contracting a Red Team:

Here are some perspectives on how to scope out and contract a red team engagement.

  • It is critical to define the rules of engagement for a pen test.
  • Have a detailed attack plan that is memorialized, because you cannot have systems going down.
  • Evaluate the company's modus operandi for each attack vector so you can monitor whether there is any recourse or downtime as a result of their activities. That way you will know what they are doing if something goes wrong; then it's on them.
  • The scoping exercise is the most critical step, and figuring out where each vendor's strengths and weaknesses lie is also very important.
  • One CISO said the philosophy at his company was to sit down and see what was important to test that they had not looked at before. They would target where the business is trying to grow, because that is where the business is investing. They figured that whatever is new is what they would target for pen testing.
  • Another CISO says he does pen testing every 2 years, uses both small and large third-party vendors to keep things diverse, and tries to focus on key business risk areas.

Why you SHOULD NOT do Red Teaming:

  • One leader explicitly forbade red teaming and hunting internally. Here's why:
    • It was not allowed because it was a luxury they could not afford from a resources perspective.
    • His team focused on automated containment in SOAR.
    • They don't go hunting for needles in the haystack. Instead, they automate finding the needles they already know they need to find.
    • However, they did conduct annual pen-testing.
  • Another leader said they are going with attack surface profiling and attack surface management instead of red teaming.
    • They wanted real-time visibility of the business's internet-facing surface to see where they might be vulnerable to the attack tools that everyone uses.
    • Red teaming is "sexy" but has very low ROI.
    • He feels you do not need to spend money on an internal pen-testing team, and most external teams are just a compliance check box.
    • He says the only area where red teaming adds value is application pen-testing.

Why you SHOULD use Red Teaming:

  • To prove to customers that they are serious about security: a third-party pen test is collateral that they can wave at prospective clients to reduce sales friction around being a secure company.
  • Red-Teaming is proactive instead of reactive.
  • Pen-testing forces groups to be more diligent in administration, policies, procedures, coding, clean-up, and maintenance.

Simulation instead of Red Teaming?

  • One recommendation is to start moving away from traditional pen testing and Red Teaming and get involved in cyber test ranges and attack modeling and simulation (e.g. SafeBreach, Verodin, AttackIQ, Cymulate), so you can remain prepared. Although simulation is not as good as pen-testing, it is getting close. The industry needs to support these vendors to help mature the attack modeling and simulation space.

Different Approaches:

  • One CISO is using O365 hunting to show that he is continuously pen-testing and continuously mitigating attacks.
  • Consider using indicative compromise, a form of pen test that checks the pen tester's ability to get through the organization's indicators of compromise.
  • Another CISO said he leveraged red teaming on accounts payable to justify red-teaming tactics. The red team would work with him to run a combined social-engineering and cyber attack and identify risks. The rule of thumb with this tactic is that no one could get in trouble, because it was a tool for training. Through this approach he was able to avoid ROI issues while still spending 2 million on red teaming.
