WEBVTT 1 00:00:00.040 --> 00:00:03.120 You're probably swimming in information every day trying to say 2 00:00:03.160 --> 00:00:06.480 well informed, especially when it comes to something is well 3 00:00:06.599 --> 00:00:09.039 complex and critical as cybersecurity. 4 00:00:09.119 --> 00:00:13.960 Oh, definitely, so many buzzwords, best practices, just so much noise. 5 00:00:13.919 --> 00:00:16.480 Exactly, But what's really at the core of it all? 6 00:00:17.039 --> 00:00:19.280 Today we're trying to cut through that noise, give you 7 00:00:19.280 --> 00:00:25.359 a shortcut maybe to understanding cybersecurity at its most fundamental level. 8 00:00:25.440 --> 00:00:27.160 Yeah, we're going on a bit of a deep dive 9 00:00:27.160 --> 00:00:29.120 into a powerful new approach, and. 10 00:00:29.079 --> 00:00:31.600 To help us navigate this, we've been digging into a 11 00:00:31.640 --> 00:00:36.280 really fascinating new book, Cybersecurity First Principles, a reboot of 12 00:00:36.320 --> 00:00:40.079 strategy and tactics by Rick Howard and Steve Winterfield. 13 00:00:39.640 --> 00:00:41.960 And guiding us today. We have someone with a real 14 00:00:42.240 --> 00:00:45.520 natural curiosity, a knack for making these, let's face it, 15 00:00:45.560 --> 00:00:48.600 sometimes dense topics genuinely interesting. 16 00:00:48.240 --> 00:00:50.759 And our expert here is brilliant and synthesizing all this 17 00:00:50.840 --> 00:00:54.560 info and helping us understand why it actually matters. This 18 00:00:54.679 --> 00:00:58.679 deep dive. It comes from two real industry veterans, Rick 19 00:00:58.719 --> 00:00:59.960 Howard and Steve Winterfie. 20 00:01:00.479 --> 00:01:02.840 Yeah, Rick's the chief analyst at the Cyber Wire Stee's 21 00:01:02.840 --> 00:01:06.599 Advisory CISO at Akamai. These guys have decades of experience. 22 00:01:06.959 --> 00:01:08.799 They've literally written the book on this step, and. 23 00:01:08.719 --> 00:01:11.359 They joke they wrote it to satisfy mobs of learners, 24 00:01:11.359 --> 00:01:13.120 which is kind of fun, huh. 25 00:01:12.879 --> 00:01:15.519 Right, And they pose this big question, don't they. If 26 00:01:15.560 --> 00:01:18.879 you ask, say, one hundred cybersecurity pros what they're trying 27 00:01:18.920 --> 00:01:19.599 to achieve, they'. 28 00:01:19.480 --> 00:01:22.760 Get a hundred different answers. Easy, everyone's got their own focus. 29 00:01:22.959 --> 00:01:27.200 But what if Yeah, what if there was one core purpose, 30 00:01:28.040 --> 00:01:33.000 one atomic first principle for all of cybersecurity? 31 00:01:33.000 --> 00:01:36.799 Okay, yeah, let's unpack that. They lay out this foundational belief, 32 00:01:36.879 --> 00:01:41.480 this principle reducing the probability of material impact due to 33 00:01:41.519 --> 00:01:43.920 a cyber event over a finite set of time. 34 00:01:44.120 --> 00:01:48.599 Reducing the probability of material impact. Okay, So this idea 35 00:01:48.599 --> 00:01:50.959 of a first principle, it's not just like a Twitter meme. 36 00:01:51.120 --> 00:01:54.640 No, No, definitely not. It goes way back. I think Aristotle, Descartes, 37 00:01:54.719 --> 00:01:56.760 Elon Mussa talks about it a lot now too. It 38 00:01:56.799 --> 00:02:00.640 means breaking a really complex problem down to its it's 39 00:02:00.799 --> 00:02:05.519 primary essence. These fundamental, self evident truths, the basic building blocks, 40 00:02:05.519 --> 00:02:05.799 you know. 41 00:02:06.280 --> 00:02:09.159 Okay, atomic building block. So if that's the standard. Why 42 00:02:09.159 --> 00:02:11.680 don't a lot of the usual suspects, the common best 43 00:02:11.680 --> 00:02:13.319 practices make the cut. 44 00:02:13.520 --> 00:02:16.479 That's a great question, and the book really gets into it. 45 00:02:16.719 --> 00:02:19.599 They look back even to the seventies and eighties. What 46 00:02:19.800 --> 00:02:23.759 was the thinking then, Well, researchers back then they actually 47 00:02:23.759 --> 00:02:26.919 thought the ultimate goal the first principle was to build 48 00:02:26.960 --> 00:02:30.439 a completely secure computer, like perfectly secure. 49 00:02:30.120 --> 00:02:31.719 The dream, the dream. 50 00:02:31.759 --> 00:02:35.840 But yeah, it was largely abandoned, just seen as impractical. 51 00:02:35.879 --> 00:02:38.000 People still kind of lament that failure. 52 00:02:38.199 --> 00:02:41.080 Okay, so that didn't work out. What about the CIA 53 00:02:41.280 --> 00:02:45.800 triad confidentiality, integrity availability? Everyone knows that one. 54 00:02:45.840 --> 00:02:49.439 Everyone knows it. It's foundational thinking, absolutely, But the authors 55 00:02:49.560 --> 00:02:53.159 argue it's more like general best practice. 56 00:02:52.680 --> 00:02:53.840 Not the atomic principle. 57 00:02:53.960 --> 00:02:56.560 Right, it doesn't fully capture the ultimate purpose of an 58 00:02:56.719 --> 00:03:00.439 entire security program. Some even say it's frankly in adequate 59 00:03:00.439 --> 00:03:01.199 for today's threats. 60 00:03:01.800 --> 00:03:04.199 Okay, how about patching. I mean we hear it constantly 61 00:03:04.280 --> 00:03:07.240 keep your systems updated sounds pretty fundamental. 62 00:03:07.479 --> 00:03:12.520 It's critical, no doubt. Systematically upgrading is vital. But and 63 00:03:12.560 --> 00:03:15.639 this is interesting, the data shows hackers use actual code 64 00:03:15.680 --> 00:03:19.800 exploits in like less than ten percent of known breaches. 65 00:03:19.520 --> 00:03:21.120 Less than ten percent. Wow. 66 00:03:21.319 --> 00:03:24.199 Yeah, so the authors point out, even with decades of 67 00:03:24.240 --> 00:03:27.719 focusing on patching, it hasn't really abated the volume of 68 00:03:27.759 --> 00:03:33.599 successful cyber breaches. Important tactic, Yes, the foundational principle, they argue. 69 00:03:33.439 --> 00:03:36.919 No, okay, so patching is out as the core principle. 70 00:03:37.439 --> 00:03:41.560 What about other things people aim for, like stopping malware 71 00:03:41.840 --> 00:03:45.879 or instant response or following frameworks like NIST or you know, 72 00:03:46.000 --> 00:03:47.680 compliance stuff like GDPR. 73 00:03:47.840 --> 00:03:51.479 Yeah, good examples. The book argues these are often either 74 00:03:51.520 --> 00:03:54.039 too simple, like just stopping one type of threat, or 75 00:03:54.080 --> 00:03:57.759 they're too tactical. Tactical meaning meaning they're specific actions, but 76 00:03:57.800 --> 00:04:00.800 they don't answer the big why why are we doing 77 00:04:00.879 --> 00:04:03.759 all this? They don't define the overall purpose, and often 78 00:04:03.759 --> 00:04:05.520 they're kind of black and white. You know, did you 79 00:04:05.560 --> 00:04:06.280 do it or not? Right? 80 00:04:06.400 --> 00:04:07.599 Check the box exactly? 81 00:04:07.879 --> 00:04:11.319 Compliance? For instance, it might be necessary for business a 82 00:04:11.400 --> 00:04:14.520 ticket to ride or for brand reputation. But does ticking 83 00:04:14.560 --> 00:04:18.000 those boxes inherently reduce the chance of a material impact? 84 00:04:18.600 --> 00:04:19.600 Not necessarily? 85 00:04:19.759 --> 00:04:22.480 Okay, So that brings us back to that word material. 86 00:04:22.959 --> 00:04:26.079 What's missing from all those other approaches that this new 87 00:04:26.120 --> 00:04:27.600 atomic principle gives us. 88 00:04:27.839 --> 00:04:31.199 It's that focus on materiality. That's the absolute key insight. 89 00:04:31.279 --> 00:04:31.639 I think. 90 00:04:32.279 --> 00:04:33.240 Explain that a bit more. 91 00:04:33.360 --> 00:04:35.720 Well, think about it. Not everything on your network is 92 00:04:35.879 --> 00:04:40.600 equally important, Right If some hacker gets Luigi's lunch menu 93 00:04:40.680 --> 00:04:43.839 off his laptop, Yeah, probably not calling the FBI exactly. 94 00:04:43.959 --> 00:04:48.360 So why spend potentially infinite resources trying to protect absolutely 95 00:04:48.439 --> 00:04:52.160 everything equally, especially when resources are always finite? 96 00:04:52.519 --> 00:04:56.160 Ah? Okay, So the atomic principle forces that focus. It's 97 00:04:57.000 --> 00:04:59.639 reducing the probability of material. 98 00:04:59.160 --> 00:05:03.560 Impact to a cyber event over a finite set of time. Precisely, 99 00:05:04.079 --> 00:05:08.000 it forces you to identify what truly fundamentally matters to 100 00:05:08.079 --> 00:05:08.959 the business mission. 101 00:05:09.040 --> 00:05:10.839 And that's going to be different for every company. 102 00:05:10.560 --> 00:05:13.800 Right absolutely depends on their risk tolerance, their size, industry, 103 00:05:13.879 --> 00:05:16.759 you name it, and it changes over time too. Business 104 00:05:16.839 --> 00:05:19.879 leaders know what's material. The job of security pros is 105 00:05:19.920 --> 00:05:23.480 to understand that deeply and align the security effort accordingly. 106 00:05:23.680 --> 00:05:25.720 Okay, this makes a lot of sense. So let's dive 107 00:05:25.720 --> 00:05:28.560 into the strategies that actually flow from this core principle. 108 00:05:28.759 --> 00:05:32.279 The book lays out five right, starting with zero trust. 109 00:05:32.199 --> 00:05:36.319 Yep, zero trust, the never trust, always verify mindset. 110 00:05:36.560 --> 00:05:39.879 Before this, say, pre twenty ten, what was the main. 111 00:05:39.720 --> 00:05:44.839 Approach mostly perimeter defense, build big, strong electronic fences around 112 00:05:44.879 --> 00:05:47.920 your stuff, castle and mote thinking. But the problem was 113 00:05:48.040 --> 00:05:50.720 the problem was the chewy center. If a bad guy 114 00:05:50.800 --> 00:05:52.519 did get inside that perimeter. 115 00:05:52.160 --> 00:05:53.560 They could roam around pretty freely. 116 00:05:53.720 --> 00:05:56.519 Often. Yeah, access to way too much. 117 00:05:56.560 --> 00:05:59.680 And the Edward Snowden case in twenty thirteen really drove 118 00:05:59.720 --> 00:06:00.160 this home. 119 00:06:00.199 --> 00:06:03.639 Didn't there a classic textbook example. He was an IT admin, 120 00:06:03.800 --> 00:06:07.000 had legitimate credentials, He didn't hack his way in. He 121 00:06:07.040 --> 00:06:09.959 basically web served on a classified network using a crawler 122 00:06:10.000 --> 00:06:13.519 he bought, grabbed over a million documents, and walked out because. 123 00:06:13.279 --> 00:06:15.879 He was already inside the castle walls exactly. 124 00:06:15.920 --> 00:06:18.879 It showed the fundamental weakness of just relying on the perimeter. 125 00:06:19.040 --> 00:06:21.439 So that kind of thinking led to John Kindervag's white 126 00:06:21.439 --> 00:06:24.480 paper in twenty ten, No More Shoey Setters. 127 00:06:24.759 --> 00:06:27.480 That paper was huge. It really proposed the zero trust 128 00:06:27.519 --> 00:06:30.600 model and started changing how people thought about network security. 129 00:06:30.680 --> 00:06:34.319 So zero trust isn't just like buying a specific product. 130 00:06:34.439 --> 00:06:36.399 It's a whole strategy, a mindset. 131 00:06:36.639 --> 00:06:40.439 It's definitely a strategy of philosophy. Restrict access to everything 132 00:06:40.519 --> 00:06:44.399 based on need to know and continuously verify don't assume 133 00:06:44.480 --> 00:06:46.879 trust just because someone is inside the network. 134 00:06:46.959 --> 00:06:49.480 Okay, so how do you actually do zero trust? What 135 00:06:49.519 --> 00:06:50.560 are some key tactics? 136 00:06:50.600 --> 00:06:54.040 Well, one big one is vulnerability management, but it's more 137 00:06:54.120 --> 00:06:56.040 nuanced than just patch everything. 138 00:06:56.199 --> 00:06:59.040 Right, you mentioned patching earlier. Wasn't the whole story exactly? 139 00:06:59.079 --> 00:07:03.759 So NIST cattle over eighteen thousand new vulnerabilities in twenty 140 00:07:03.800 --> 00:07:05.319 twenty one. That's overwhelming. 141 00:07:05.480 --> 00:07:06.519 Yeah, how do you even start? 142 00:07:06.639 --> 00:07:10.240 But here's the crucial part. SISA, the US Cybersecurity Agency, 143 00:07:10.480 --> 00:07:12.600 found that only about eight hundred and twelve of those 144 00:07:12.639 --> 00:07:15.680 were actually being actively exploited by attackers in the wild. 145 00:07:15.720 --> 00:07:18.279 Only eight hundred and twelve out of eighteen thousand. That's manageable. 146 00:07:18.360 --> 00:07:22.639 Right, So, vulnerability management under zero trust means focusing intensely 147 00:07:22.720 --> 00:07:27.360 on those known exploited vulnerabilities. First, Patching becomes a targeted 148 00:07:27.399 --> 00:07:29.199 subset of this smarter approach. 149 00:07:29.360 --> 00:07:32.439 That's a really practical takeaway focus where the actual risk is. 150 00:07:32.879 --> 00:07:34.439 What else is key for zero trust? 151 00:07:34.519 --> 00:07:38.959 Identity knowing who is accessing what. So identity and authentication 152 00:07:39.120 --> 00:07:39.639 is huge. 153 00:07:39.720 --> 00:07:41.759 We've moved beyond just passwords thankfully. 154 00:07:42.040 --> 00:07:44.920 Oh yeah, passwords from the sixties were obviously weak. We 155 00:07:44.959 --> 00:07:47.279 moved to things like hardware tokens in the eighties than 156 00:07:47.360 --> 00:07:51.000 two factor authentications something you have are or no got 157 00:07:51.040 --> 00:07:52.519 patented in the nineties, and. 158 00:07:52.519 --> 00:07:57.800 Smartphones really made that mainstream, right, authenticator apps, push notifications. 159 00:07:57.120 --> 00:07:59.879 Totally, and things like U two F security keys. Now 160 00:08:00.480 --> 00:08:03.759 the big goal here is shifting from site centric identity, 161 00:08:03.800 --> 00:08:07.040 where every website holds your password, to user centric. 162 00:08:06.800 --> 00:08:09.639 Identity, where I control my identity credentials. 163 00:08:09.319 --> 00:08:13.120 Exactly makes it much harder for one breach to compromise everything. 164 00:08:13.240 --> 00:08:15.439 And the Solar Winds attack in twenty twenty is a 165 00:08:15.480 --> 00:08:19.279 scary example of why identity systems themselves are critical. 166 00:08:18.959 --> 00:08:22.800 Absolutely terrifying. The Cozy Bear hackers got admin rights compromise 167 00:08:22.879 --> 00:08:25.079 this SAM authentication system. 168 00:08:24.839 --> 00:08:27.480 SAML being this system that lets you log in once 169 00:08:27.560 --> 00:08:29.040 for multiple services. 170 00:08:28.680 --> 00:08:32.000 Right, and they could then forge tokens to impersonate any user, 171 00:08:32.120 --> 00:08:35.120 even the highest privileged admins. It shows your identity and 172 00:08:35.159 --> 00:08:38.840 access management. Your IAM system is itself a material system. 173 00:08:38.879 --> 00:08:42.159 You have to protect it fiercely. Single sign on SSO 174 00:08:42.399 --> 00:08:46.159 is a key tactic, but securing the SSO system is paramount, okay. 175 00:08:46.240 --> 00:08:50.440 Another tactic mentioned is the software defined perimeter or FDP. 176 00:08:51.240 --> 00:08:52.360 Sounds kind of techy. 177 00:08:52.600 --> 00:08:55.840 It is a bit, but the concept is powerful. It 178 00:08:55.879 --> 00:08:58.799 came out of US military thinking in the early two thousands. 179 00:08:58.840 --> 00:09:03.080 They called it deeperization, getting rid of the perimeter. Essentially, Yeah, 180 00:09:03.159 --> 00:09:06.039 instead of connecting to the whole network, you first authenticate 181 00:09:06.080 --> 00:09:08.480 to a separate controller outside the firewall. 182 00:09:08.600 --> 00:09:09.799 Okay, if you're. 183 00:09:09.639 --> 00:09:15.279 Authorized for say one specific application, the controller creates a secure, 184 00:09:15.480 --> 00:09:18.919 encrypted tunnel only to that one application. Everything else on 185 00:09:18.960 --> 00:09:21.440 the network stays hidden, like it's in a black cloud. 186 00:09:21.679 --> 00:09:24.320 Ah, So it drastically shrinks the attack surface. You can 187 00:09:24.320 --> 00:09:26.600 only see what you're explicitly allowed to see. 188 00:09:26.639 --> 00:09:30.159 Precisely, Google did something similar with their Beyond COREP initiative 189 00:09:30.200 --> 00:09:32.879 after a big Chinese hack in twenty ten. The name 190 00:09:33.080 --> 00:09:36.639 STP is actually kind of ironic because it's about eliminating 191 00:09:36.679 --> 00:09:38.559 the traditional perimeter, not defining it. 192 00:09:38.799 --> 00:09:42.720 So zero trust sounds like the way to go. Why 193 00:09:42.759 --> 00:09:45.159 do these projects sometimes fail or stall out? 194 00:09:45.279 --> 00:09:49.039 Well, they can look really big and expensive upfront, that's true, 195 00:09:49.200 --> 00:09:52.039 but the authors argue it's often less about the tech 196 00:09:52.120 --> 00:09:55.519 and more about people and process problems getting buy in 197 00:09:55.759 --> 00:09:59.720 changing habits. It's really a journey continuous improvement, not a 198 00:09:59.759 --> 00:10:02.120 one and done project. You can often start with the 199 00:10:02.159 --> 00:10:03.080 tools you already have. 200 00:10:03.320 --> 00:10:06.480 That's encouraging. Yeah, okay, let's shift to the second big strategy, 201 00:10:06.840 --> 00:10:11.080 intrusion kill chain prevention, breaking the attackers steps right. 202 00:10:11.320 --> 00:10:14.480 This was another huge paradigm shift around twenty ten, thanks 203 00:10:14.519 --> 00:10:17.320 to a paper from Lockheed Martin. What was the shift 204 00:10:17.639 --> 00:10:21.919 before that? Defenders were mostly focused on blocking individual tools, 205 00:10:22.080 --> 00:10:26.840 specific malware, specific exploits. Whack them mold, Yeah, it feels impossible. 206 00:10:26.919 --> 00:10:29.519 The Locky paper flipped it. It said, Look, attackers have 207 00:10:29.559 --> 00:10:31.679 to succeed at a series of actions to reach their 208 00:10:31.720 --> 00:10:37.759 goal recon weaponization, delivery, exploitation installations. See two actions on objectives. 209 00:10:37.840 --> 00:10:38.480 The kill chain. 210 00:10:38.519 --> 00:10:41.799 The kill chain, You the defender, only need to break 211 00:10:41.879 --> 00:10:44.759 one link in that chain to stop the entire attack. 212 00:10:45.200 --> 00:10:46.679 Much more strategic, and this. 213 00:10:46.679 --> 00:10:50.200 Is super relevant in what some call continuous low level 214 00:10:50.279 --> 00:10:52.120 cyber conflict right like nation. 215 00:10:52.039 --> 00:10:56.000 State stuff exactly David Sanger's term. It describes how countries 216 00:10:56.120 --> 00:10:59.320 use cyber operations just short of war. Think Stuck's net 217 00:10:59.320 --> 00:11:03.799 targeting around on centrifuges or Russia's not Petya attack devastating 218 00:11:03.879 --> 00:11:05.360 Ukrainian systems. 219 00:11:04.879 --> 00:11:07.240 Destructive but not triggering a shooting war. 220 00:11:07.360 --> 00:11:11.039 Precisely, it's a calculated level of conflict, and defending against 221 00:11:11.039 --> 00:11:14.759 it requires understanding and disrupting that multi step process. 222 00:11:15.240 --> 00:11:18.039 So what are the key tactics for breaking the kill chain? 223 00:11:18.360 --> 00:11:22.480 Intelligence is paramount? The book talks about the adversary model trifecta. 224 00:11:22.600 --> 00:11:24.879 Okay, sounds important. What's in the trifecta? 225 00:11:24.919 --> 00:11:28.120 First, the Lockheed Martin kilchain itself. That's the high level 226 00:11:28.159 --> 00:11:29.600 strategic map of an attack. 227 00:11:29.720 --> 00:11:31.000 Okay, the overall phases. 228 00:11:31.120 --> 00:11:33.840 Second, and this is where it gets really practical for defenders, 229 00:11:34.120 --> 00:11:37.120 is the Miter EATT and CK framework. 230 00:11:37.200 --> 00:11:40.240 Ayah ATT and CK. You hear that everywhere. 231 00:11:39.840 --> 00:11:42.559 Now and for good reason. Launched in twenty thirteen, it 232 00:11:42.639 --> 00:11:45.679 catalogs the specific techniques and tactics used by known threat 233 00:11:45.720 --> 00:11:49.080 groups the apts. But the most important thing MITER did 234 00:11:49.200 --> 00:11:51.240 was create a standardized vocabulary. 235 00:11:51.360 --> 00:11:52.399 Why was that so crucial? 236 00:11:52.600 --> 00:11:57.159 Before miter AT and CK everyone described attacks differently. Sharing 237 00:11:57.200 --> 00:12:01.320 intelligence was a nightmare, just pure grunt work trying to translate. 238 00:12:01.960 --> 00:12:05.559 MITER gave everyone a common language. Huge step forward. 239 00:12:05.679 --> 00:12:08.799 Okay, kill chain, mi ATP and c K. What's the 240 00:12:08.840 --> 00:12:09.919 third part of the trifecta? 241 00:12:10.159 --> 00:12:13.720 The DoD diamond model developed around twenty eleven. It helps 242 00:12:13.759 --> 00:12:17.399 analysts map the relationships between four key aspects of an attack, 243 00:12:17.919 --> 00:12:21.799 the adversary, their capabilities, the infrastructure they use, and the victim. 244 00:12:21.919 --> 00:12:23.480 It helps connect the dots. 245 00:12:23.240 --> 00:12:25.519 Connecting the dots. You had a story about that with 246 00:12:25.559 --> 00:12:26.320 the French police. 247 00:12:26.440 --> 00:12:29.960 Ah. Yeah, I was meeting with the Gendarmeris cybercrime unit captain. 248 00:12:30.039 --> 00:12:33.600 He was frustrated, saying, I don't need lectures on firewalls. 249 00:12:33.639 --> 00:12:37.360 I need actionable intelligence IP addresses. I can block domains, 250 00:12:37.399 --> 00:12:39.440 I can take down What what did you do? I 251 00:12:39.480 --> 00:12:43.960 texted my intel director basically saying, need French ctwips now. 252 00:12:44.639 --> 00:12:46.759 Within minutes, I got back a list. I showed it 253 00:12:46.759 --> 00:12:48.960 to the captain. His eyes lit up and he immediately 254 00:12:48.960 --> 00:12:50.879 got on the phone to start shutting those nodes down. 255 00:12:51.320 --> 00:12:52.799 That's actionable intelligence. 256 00:12:53.120 --> 00:12:55.519 Wow. Okay, So that perfectly leads into the next tactic, 257 00:12:55.759 --> 00:12:57.480 cyber threat intelligence or at CTI. 258 00:12:57.879 --> 00:13:01.840 Right, and CTI isn't just read security news headlines. It's 259 00:13:01.879 --> 00:13:07.440 a formal process, hope. It's about systematically collecting, processing, analyzing 260 00:13:07.480 --> 00:13:12.519 information about adversaries, their capabilities, intentions, and then producing intelligence 261 00:13:12.559 --> 00:13:15.879 products that help leadership make actual decisions. It follows a 262 00:13:15.919 --> 00:13:20.679 cycle planning, What do we need to know? Collection, processing, analysis, 263 00:13:20.679 --> 00:13:22.480 and production, dissemination feedback. 264 00:13:22.759 --> 00:13:25.480 So it's not just here's the latest vulnerability exactly. 265 00:13:25.519 --> 00:13:27.759 We learned that early on. Commanders tune out if you 266 00:13:27.840 --> 00:13:30.759 just give them news. They need intelligence tailored to the 267 00:13:30.799 --> 00:13:31.720 decisions they have to make. 268 00:13:31.799 --> 00:13:35.559 And since no single company can see everything, intelligence sharing becomes. 269 00:13:35.360 --> 00:13:39.039 Vital, absolutely critical. The Morris worm back in nineteen eighty 270 00:13:39.039 --> 00:13:41.440 eight was a wake up call that led to things 271 00:13:41.480 --> 00:13:45.399 like ISx information sharing and analysis centers like the FSIS 272 00:13:45.399 --> 00:13:46.679 for the financial. 273 00:13:46.200 --> 00:13:49.200 Sector, how do they manage sharing sensitive info safely? 274 00:13:49.360 --> 00:13:52.639 A key innovation was the Traffic Light Protocol TOLP, develop 275 00:13:52.679 --> 00:13:56.559 in the UK. It uses simple color codes red, amber, green, 276 00:13:56.759 --> 00:14:00.559 white to label how widely information can be shared, builds 277 00:14:00.559 --> 00:14:01.279 trust and. 278 00:14:01.240 --> 00:14:03.440 The future vision is even more automated sharing. 279 00:14:03.639 --> 00:14:07.720 Yeah, ideally an API driven database, maybe government provided, covering 280 00:14:07.759 --> 00:14:10.039 all sorts of adversaries, not just nation states. We're not 281 00:14:10.080 --> 00:14:11.399 there yet, but that's the direction. 282 00:14:11.679 --> 00:14:15.200 Speaking of adversaries, we hear all these cool, sometimes scary names, 283 00:14:15.720 --> 00:14:20.200 cozy bear, fancy bear, lazarrisk group. How much weight should 284 00:14:20.200 --> 00:14:23.639 we put on attributing attacks to these specific groups? 285 00:14:24.120 --> 00:14:26.960 That's a really good question. And there's nuance. When security 286 00:14:26.960 --> 00:14:29.679 companies talk about Cozy Bear did this, they usually mean 287 00:14:29.720 --> 00:14:34.039 a tax sequence attribution. They've identified a pattern of tactics, techniques, 288 00:14:34.039 --> 00:14:37.759 and procedures a playbook that matches what that group usually does. 289 00:14:38.000 --> 00:14:40.879 So it's matching the how, not necessarily knowing the who 290 00:14:40.960 --> 00:14:42.320 behind the keyboard exactly. 291 00:14:42.639 --> 00:14:47.679 Pinpointing the actual humans involved. Hacker identity attribution is incredibly hard. 292 00:14:48.000 --> 00:14:50.879 Spy agencies can sometimes do it, but they rarely share 293 00:14:50.919 --> 00:14:54.840 that publicly. For most defenders, obsessing over the specific group 294 00:14:54.960 --> 00:14:57.679 name is less important than understanding their playbook and how 295 00:14:57.720 --> 00:14:58.279 to counter it. 296 00:14:58.360 --> 00:15:00.679 Okay, that makes sense. Focus on the meta. Now, with 297 00:15:00.799 --> 00:15:05.039 kill chain, mitre at T, and ck CTI, it sounds 298 00:15:05.080 --> 00:15:06.919 like a lot of different tools and data feeds. How 299 00:15:06.960 --> 00:15:07.840 do you manage all that? 300 00:15:08.080 --> 00:15:13.360 Orchestration becomes key. It's just not feasible manually anymore. Back 301 00:15:13.360 --> 00:15:15.879 in the late nineties, maybe you had three security tools. 302 00:15:16.120 --> 00:15:18.399 By twenty twenty two the average was seventy six. 303 00:15:18.480 --> 00:15:19.120 Seventy six. 304 00:15:19.240 --> 00:15:22.000 Wow, Yeah, so you need tools to manage the tools, 305 00:15:22.399 --> 00:15:25.080 things like the big all in one platforms from firewall 306 00:15:25.159 --> 00:15:30.200 vendors or sr tool Security orchestration, Automation and response. They 307 00:15:30.200 --> 00:15:33.440 help automate workflows, connect different systems. 308 00:15:33.000 --> 00:15:36.200 And newer concepts like SASSE or SSE fit in here too. 309 00:15:36.279 --> 00:15:40.639 Right, Secure Access Service Edge or Security Service Edge. They 310 00:15:40.679 --> 00:15:43.240 kind of flip the model routing traffic through a cloud 311 00:15:43.240 --> 00:15:46.679 provider security stack. It's all about finding ways to manage 312 00:15:46.679 --> 00:15:49.559 that complexity and make the different parts work together effectively. 313 00:15:49.799 --> 00:15:51.960 Mastering orchestration is vital and. 314 00:15:51.919 --> 00:15:55.080 One more tactic for the kill chain strategy red Blue 315 00:15:55.120 --> 00:15:56.120 and Purple teaming. 316 00:15:56.399 --> 00:15:59.679 Yeah, this is about testing your defenses proactively. The Red 317 00:15:59.720 --> 00:16:02.879 team acts like the adversary, trying to break. 318 00:16:02.600 --> 00:16:03.679 In the attackers. 319 00:16:03.759 --> 00:16:06.879 The Blue team defends using all those tools and intelligence 320 00:16:06.879 --> 00:16:09.279 we just talked about, and Purple team brings them together, 321 00:16:09.399 --> 00:16:13.240 fostering collaboration and feedback loops, so the Blue team learns 322 00:16:13.279 --> 00:16:16.200 directly from what the Red team finds, and vice versa. 323 00:16:16.600 --> 00:16:20.480 It's incredibly valuable for continuous improvement and for training your analysts. 324 00:16:20.720 --> 00:16:22.639 Gives them real hands on experience. 325 00:16:22.960 --> 00:16:27.600 Okay, excellent, Let's move to the third strategy, Resilience. This 326 00:16:27.679 --> 00:16:31.039 one feels different. It's not about preventing the breach exactly. 327 00:16:31.480 --> 00:16:34.559 Resilience starts with the assumption that breaches will happen eventually, 328 00:16:34.639 --> 00:16:37.120 So the question becomes, what do we need to do 329 00:16:37.240 --> 00:16:38.919 to continue our mission after the fact. 330 00:16:39.000 --> 00:16:40.440 So it's about bouncing back. 331 00:16:40.320 --> 00:16:43.600 Bouncing back, yes, But even more it's about continuous delivery. 332 00:16:44.000 --> 00:16:48.039 The book uses a great definition, the ability to continuously 333 00:16:48.120 --> 00:16:51.519 deliver the intended outcome despite adverse cyber events. 334 00:16:51.600 --> 00:16:54.840 Continuously deliver. Yeah, like the Terminator. 335 00:16:54.480 --> 00:16:56.759 Hah Yeah, the T one thousand and T two is 336 00:16:56.759 --> 00:16:59.480 a pretty good analogy. He wasn't just built to survive damage. 337 00:16:59.480 --> 00:17:02.759 He adapted, reformed, kept coming, always focused on the mission. 338 00:17:03.000 --> 00:17:03.759 That's resilience. 339 00:17:03.840 --> 00:17:06.440 Are there real world examples of companies doing this? 340 00:17:06.559 --> 00:17:06.720 Oh? 341 00:17:06.799 --> 00:17:07.160 Yeah. 342 00:17:07.440 --> 00:17:12.000 Netflix is famous for its chaos engineering chaos Monkey, that's 343 00:17:12.039 --> 00:17:16.079 the one. After some big outages years ago, they built tools, 344 00:17:16.160 --> 00:17:18.759 starting with chaos Monkey in twenty eleven, that intentionally and 345 00:17:18.839 --> 00:17:21.079 randomly disable parts of their production. 346 00:17:20.759 --> 00:17:22.680 System on purpose. That sounds terrifying. 347 00:17:22.799 --> 00:17:26.160 It forces their engineers to build systems that can withstand 348 00:17:26.240 --> 00:17:29.599 failure to bick resilience in from the start. They have 349 00:17:29.680 --> 00:17:33.920 a whole Simian army of tools that inject latency kill processes. 350 00:17:34.039 --> 00:17:35.200 Wow, okay, who else? 351 00:17:35.559 --> 00:17:40.119 Google Site Reliability Engineering SRI is another classic example. Back 352 00:17:40.160 --> 00:17:43.240 in two thousand and four, they basically gave network management 353 00:17:43.279 --> 00:17:47.000 to software developers as the traditional ITOps right, and these 354 00:17:47.079 --> 00:17:51.480 sres focused on automating everything, eliminating manual tasks what they 355 00:17:51.480 --> 00:17:56.039 call toil, and building self healing autonomous systems. You almost 356 00:17:56.240 --> 00:17:59.400 never see a major Google service go down right, very rarely, 357 00:17:59.480 --> 00:18:02.319 but internally the esries will tell you stuff is failing 358 00:18:02.359 --> 00:18:04.720 all the time. The system is just designed to handle 359 00:18:04.759 --> 00:18:08.039 it gracefully, reroute, recover. That's resilience in action. 360 00:18:08.359 --> 00:18:12.240 So how does this relate to, say, disaster recovery or 361 00:18:12.440 --> 00:18:14.839 business continuity plans? Are they the same thing? 362 00:18:15.119 --> 00:18:20.119 They're related but distinct. Business continuity is usually broader, covering 363 00:18:20.119 --> 00:18:25.759 things like fires, floods, pandemics, force measure events. Disaster recovery 364 00:18:25.799 --> 00:18:29.599 is typically focused on recovering IT systems after a major. 365 00:18:29.359 --> 00:18:31.240 Outage, and resilience. 366 00:18:31.079 --> 00:18:34.279 Resilience is maybe a blend, but with that specific focus 367 00:18:34.319 --> 00:18:38.559 on continuously delivering the intended outcome. The author's stress getting 368 00:18:38.559 --> 00:18:41.160 the names right is important because confusion here has led 369 00:18:41.200 --> 00:18:42.279 to problems in the past. 370 00:18:42.720 --> 00:18:45.200 Okay, so what are the key tactics to build resilience. 371 00:18:45.839 --> 00:18:47.160 Crisis handling seems. 372 00:18:46.880 --> 00:18:50.039 Like a big one definitely, and practices everything. One of 373 00:18:50.039 --> 00:18:53.119 the authors shares a really painful personal story about his 374 00:18:53.240 --> 00:18:53.960 backup plan. 375 00:18:54.200 --> 00:18:55.359 Oh what happened? 376 00:18:55.440 --> 00:18:58.000 He thought he had this great system backing up all 377 00:18:58.000 --> 00:19:01.440 his precious family photos and digital days data. He configured it, 378 00:19:01.599 --> 00:19:04.480 checked it regularly. It always said a okay, sounds good 379 00:19:04.519 --> 00:19:07.079 so far, until his hard drive died. He went to 380 00:19:07.079 --> 00:19:10.480 restore and found out he'd accidentally configured the backup to 381 00:19:10.519 --> 00:19:12.160 copy an empty directory every day. 382 00:19:12.279 --> 00:19:13.400 Oh no, all gone. 383 00:19:13.640 --> 00:19:16.519 The lesson he learned the hard way. If a plan 384 00:19:16.599 --> 00:19:19.559 is not exercised, it is almost guaranteed to fail. You 385 00:19:19.559 --> 00:19:21.319 have to really test it ouch. 386 00:19:22.279 --> 00:19:25.720 That's a visceral lesson. How does resilient apply to something 387 00:19:25.759 --> 00:19:29.119 like ransomware? Backups are key there right, absolutely central. 388 00:19:29.279 --> 00:19:33.319 Ransomware has gotten so nasty, moving from hitting individuals to 389 00:19:33.440 --> 00:19:37.799 demanding millions from corporations, and just encrypting your data isn't 390 00:19:37.920 --> 00:19:41.440 enough protection anymore. Why not, because some ransomware will happily 391 00:19:41.599 --> 00:19:45.599 encrypt you're already encrypted backups, or just steal your data 392 00:19:45.680 --> 00:19:48.279 first and threaten to leak it. So the only real 393 00:19:48.319 --> 00:19:51.440 defense against the threat of having your data rendered unusable 394 00:19:51.559 --> 00:19:55.279 or exposed is a rock solid, tested backup and restore 395 00:19:55.400 --> 00:19:57.680 process for your material. 396 00:19:57.319 --> 00:19:59.400 Data again, focusing on the material stock. 397 00:19:59.440 --> 00:20:01.799 It makes the problem manageable. You don't necessarily need to 398 00:20:01.839 --> 00:20:04.799 back up everything instantly, just the stuff that's truly critical 399 00:20:04.799 --> 00:20:06.319 to delivering that intended outcome. 400 00:20:06.480 --> 00:20:09.960 Okay. Encryption itself is another tactic listed under resilience. 401 00:20:10.160 --> 00:20:12.480