The Southern Fried Security Podcast
Join Andy Willingham, Martin Fisher,Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security, news, and interview interesting people. Get in the discussion at www.southernfriedsecurity.com.

It's another Front Porch episode!

Yvette talks to her friend Brandon Clark as his first novel "Ransomware" is about to be released.  "Ransomware" is part of Brandon's "Killchain Chronicles" series that will be coming out over time.

You can find the book here:

 https://www.amazon.com/gp/product/1732651108/

We will be back soon with more great new content.

Direct download: SFS_Podcast_-_Episode_207.mp3
Category:general -- posted at: 3:06pm EDT

Episode 206 - The Front Porch….

 

Welcome to the first of an occasional series of episodes featuring conversations with a variety of interesting people from both inside and outside of information security.

 

In this inaugural episode you get to listen to dinner conversation between Wendy Nather, Mike Rothman, Wolfgang Goerlich, and Martin Fisher that happened in Atlanta at the Atlas Restaurant. We cover a lot of topics that I’m sure you’ll find interesting.  

 

And, for the record, the “Aristocrat” cocktail at Atlas is something you must try.

 

I appreciate Duo Security and CBI for helping to make this dinner possible.

Direct download: SFS_Podcast_-_Episode_206.mp3
Category:general -- posted at: 2:24pm EDT

We recorded this episode as the closing keynote at BSides Atlanta on May 5th, 2018.

We want to give a big round of thanks to the organizers, volunteers, sponsors, and attendees of BSides Atlanta for a great venue and event.  It was a great time and we hope to be there again next year.

Direct download: SFS_Podcast_-_Episode_205.mp3
Category:general -- posted at: 7:22pm EDT

Episode 204 - Evaluating Your Security Program: Communications Plan

 

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  2. Start At The Outside and Move Your Way In
    1. If Education & Awareness are how the employees engage the program then Communications is how the management team engage the program
    2. In business life, like everywhere else, if people don’t know who you are or what you do then they aren’t going to be willing or able to support you in times of crisis or need
    3. The higher up in the org you want to communicate the more deliberate your plan needs to be
  3. Why Even Consider Communications?
    1. Each sub-org needs to be considered
      1. CIO-org
      2. CFO-org
      3. COO-org
      4. CMO-org
      5. CCO-org
      1. Unless you report to the CEO the next person down in your chain is going to have to likely carry that water
      2. We will address the opportunities and dangers of directly engaging a CEO at some other podcast
    2. Notice that there is no “CEO-org”
  4. Determine the Audience(s)
    1. Updated status reports are better than a ‘newsletter’
    2. Compelling progress reports (especially if validated by a third party) can be a huge gain
    3. If you invent something new it better be hugely valuable
    4. “Communication is what the listener does”
  5. Leverage Existing Comms Before Inventing Something New
    1. Get over yourself
    2. Really.
  6. “But this is just playing politics!”
Direct download: SFS_Podcast_-_Episode_204.mp3
Category:general -- posted at: 4:37pm EDT

Show Notes

 

Episode 203 - Evaluating Your Security Program: Threat Mapping

 

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  2. Start At The Outside and Move Your Way In
    1. How is this different from threat modeling?
    2. Threat modeling is listing what could happen to you.
    3. Threat mapping is mapping the holes in your program.
  3. What is “Threat Mapping”?
    1. Must have a assessment management program
      1. you can’t protect what you don’t know about
      2. This isn’t “I have a CMDB”.  It’s actually taking actions based on what you know about what you have
      1. Map assets to known threats
        1. industry
        2. entry points
        3. technology
        4. Online threat maps
      2. What are you doing to know this?
      3. What controls do you currently have in place to mitigate or reduce the risk?
    2. Understand what your “real” threats are

      1. Apps
      2. Infrastructure
      3. 3rd parties
      4. etc
    3. Scope and prioritize - break down into areas to tackle
  4. How To Get Started
    1. Scorecard (KRI)
      1. What is important and helpful
    2. Risk Registry
  5. How To Measure
    1. Use your risk registry or GRC tool to track progress and keep management updated. You need them onboard to improve.
    2. once you have some areas mapped don’t ignore them
    3. implement solid change control and change management processes
    4. keep risk scores updated so you aren’t focusing on unimportant things
  6. How To Improve/Modify
Direct download: SFS_Podcast_-_Episode_203.mp3
Category:general -- posted at: 7:40pm EDT

Episode 202 - Evaluating Your Security Program: Awareness & Education

 

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  2. Start At The Outside and Move Your Way In
    1. What do you think you do?
      1. Mandatory CBLs
      2. CyberCyberCyberStuff (Posters, Email, Swag)
      3. Briefings and Classes
      4. Phishing Awareness
      5. $NOVEL_IDEA
      1. How many people is it designed to engage?
        1. Not how many people took the awareness, how many people were ENGAGED?
      2. How many people were actually engaged?
      3. How did they do? (CBL completions, % phished, reviews, etc)
        1. If CBL_Completion = 15(clicks) then you may want to rethink that
        2. 0% phished is not a sign of a great security program...more likely a sign of a bad phishing program
        3. If there is no way to allow for anonymous reviews of training/briefings/etc then you’re not likely to get fully honest reviews (Who wants to piss off security?)
      4. Are you being honest with yourself?
    2. How do you measure it?
  3. Measuring Awareness & Education
    1. Don’t change the measurement...change the program
      1. The key to long term success is consistently measuring the same thing over time
      2. You may want to update goals (up or down) but be able to explain why especially if you are making the test easier
      1. Big changes in delivery will skew the numbers in ways you likely will not like
      2. Constant large turmoil is counter to most corporate cultures
      3. Small changes take advantage of previous investments best
      4. “Iterate small and grow larger” - doing too much too fast almost always ends is highly suboptimal results over time
    2. Don’t make drastic changes until Year 3 unless you have to make drastic changes
    3. Clearly failing components should be axed and replaced and not tweaked around the edges - especially if there’s a compliance or safety aspect
  4. Adjusting The Program
  5. If this feels like “Wash, Rinse, Repeat” it’s because is it “Wash, Rinse, Repeat”
Direct download: SFS_Podcast_-_Episode_202.mp3
Category:podcasts -- posted at: 6:31pm EDT

We're going to use this episode to allow the cast to talk about reaching 200 episodes and you'll hear what *really* happened on the Lost Episode.

 

We will be back in 2018 with more episodes.  Until then be well and stay secure!

Direct download: SFS_Podcast_-_Episode_201.mp3
Category:general -- posted at: 12:24pm EDT

Episode 200 - Building A Security Strategy - Part III

  1. Recap
    1. Strategy vs Policy
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  2. The Question is “How do I make one?”
    1. Tech
      1. Tech, by itself, only consumes electricity and turns cool air into warm air
      2. So many choices….
      3. The tech selection is the *least* critical one for developing a capability
      4. http://www.southernfriedsecurity.com/episode-192-security-waste/
      1. This is the “Stuff You Have To Do”
      2. Usually determined by regulation, policy, or corporate edict
      3. Describes a desired outcome - not how to get there
      4. Examples include “Malware Detection”, “Email Security”
    2. Service
      1. How you do the crazy things you do
      2. Security is not a One-Off - things must be repeatable and consistent
    3. Process
      1. Describes value team brings to org
      2. While tech and service selection is important the biggest improvement usually comes from better process
    4. Capability
  3. Capability = (Tech + Service) * Process
    1. Armorguy’s Maxim of Life: “Start small and iterate larger”
    2. Try to do to much out of the gate and you WILL fail
    3. Define success criteria for each stage that allows for error and learning
  4. Crawl, Walk, Run
    1. Security cannot exist as an island
    2. Interdependence with business units is key - if you don’t you are the foreigner and will be rejected
    3. The relationship with IT Operations is going to be wonky at first
  5. It Takes A Village
    1. Where do you look for more info?
  6. Strategy - It’s What CISOs Do…
Direct download: SFS_Podcast_-_Ep_200.mp3
Category:podcasts -- posted at: 9:32pm EDT

Episode 199 - Building A Security Strategy - Part II

  1. Recap
    1. Strategy vs Policy
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  2. The Question is “How do I make one?”
    1. Almost no business is in the business of information security
    2. Follow The Money
    3. Understand The Decisioning Process
    4. “Culture Eats Strategy For Breakfast”
    5. Vocabulary Matters
  3. Understand the Business of Your Business
    1. Know the Formal and Informal Org Charts
    2. Influencers are as important as Deciders
    3. Beware the Spoiler
    4. “Culture Eats Strategy For Breakfast”
    5. Don’t Give a Vote or Veto Unnecessarily
  4. Know Who Your Stakeholders Really Are
    1. We will keep discussing this.
    2. Underestimating the power of culture WILL result in your plan faling
    3. That’s a majority of the reason that Strategy Is Hard
  5. Culture Is The Key
Direct download: SFS_Podcast_-_Ep_199.mp3
Category:podcasts -- posted at: 1:23pm EDT

Episode 198 – Building a Security Strategy – Part 1

 

Strategy is the hardest thing a CISO will do in their career...except if they have to explain a massive breach…

 

  1. What is a Strategy?
    1. What’s the difference between a strategy and a policy?
      1. A policy is binding statements
      2. A strategy is thought out planning
      1. A list of tech you want to buy
      2. A remediation plan that follows an audit/assessment
      3. A continued justification for the way you’ve always done things
      4. The stuff your favorite vendor told you needs doing
    2. What a strategy isn’t…
      1. Based on the needs and desires of the org and its senior leaders
      2. Culturally relevant
      3. A guide to where investment (money and people) need to be made
      4. Balanced between boldness and reassurance
      5. Built on a set of capabilities that map to business success criteria
    3. A strategy is…
    1. Creates a consistent frame of reference for talking about the program
    2. Helps senior leaders understand the where/why of the investments
    3. Lays out a connected story for CFOrg to make budget less hard
    4. Provides a decision-making framework that enables effective choices
  2. Why do you want one?
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  3. How do I make one?

 

In our next episodes we’ll break down each of the steps and talk more about strategy…

Direct download: SFS_Podcast_Ep_-_198.mp3
Category:podcasts -- posted at: 8:53pm EDT