In the ever-evolving landscape of cybersecurity, Attack Surface Management (ASM) emerges as a crucial cornerstone for organizations seeking to fortify their defenses against emerging threats. ASM transcends traditional boundaries, intersecting with multiple personas and technology domains to provide comprehensive insights into an organization's attack surface. However, despite its undeniable potential, ASM faces a myriad of challenges as it navigates the complexities of a rapidly evolving cybersecurity landscape. In this blog, we delve into the growing pains of ASM, exploring the challenges, opportunities, and nuances that define its journey towards maturity.

Here is the verbatim discussion:

Inventory you can't do vulnerability management uh the security leadership as you mentioned they're using this so it cuts across kind of multiple personas and if you look at if you look at the technology domains where ASM fits in that's also is very kind of horizontal right like for example vulnerability management and obvious area um uh but along with that if you look at Cloud security and that's the reason why some of the cloud security posture management cspm companies acquired ASM huh so um so there's a kind of augmentation story out there with threat intelligence there's an augmentation story because just the threat Intel without the context I mean it's good but it's not good enough if somebody could tell you well here's this adversary and these are their ttps and you got like 10 assets which could be interesting from that perspective so uh so I think TI and ASM also is getting converged because there's a nice augmentation Story the sock and ASM also has got an augmentation story because the the ASM can find out the assets and tell the sock that here's open RDP Port this faces because it is kind of it has become a hot new technology but it's still kind of early days not not at the super mature stage right so what what are those uh kind of growing pains? What are the challenges which ASM as an industry is facing today?What are the bad sides?

Highlights:

Horizontal Integration Across Personas and Domains: ASM spans across multiple personas and technology domains, making it a versatile tool for security leadership, vulnerability management teams, cloud security practitioners, threat intelligence analysts, and security operations centers (SOCs). Its horizontal integration enables organizations to gain holistic visibility into their attack surface, empowering them to make informed decisions and prioritize remediation efforts effectively.

Convergence with Cloud Security and Threat Intelligence: The convergence of ASM with cloud security posture management (CSPM) and threat intelligence (TI) heralds a new era of augmentation and synergy. ASM augments cloud security efforts by identifying misconfigurations and vulnerabilities within cloud environments, while also enriching threat intelligence with contextual insights into potential adversary tactics, techniques, and procedures (TTPs). This convergence unlocks new avenues for proactive defense and threat mitigation, bridging the gap between traditional security silos and fostering collaboration across disciplines.

Navigating the Growing Pains: Despite its promising trajectory, ASM grapples with several growing pains on its journey towards maturity. Challenges such as false positives, alert fatigue, integration complexities, and the need for context-aware analysis pose significant hurdles for organizations adopting ASM solutions. Moreover, the nascent stage of ASM as a technology domain necessitates ongoing refinement and innovation to address evolving threats and emerging attack vectors effectively.

As ASM emerges as a hotbed of innovation and potential within the cybersecurity landscape, it is essential to acknowledge and address the growing pains that accompany its evolution. By confronting challenges head-on and leveraging opportunities for convergence and collaboration, organizations can harness the full potential of ASM to fortify their defenses and stay ahead of emerging threats. Through proactive measures, continuous refinement, and a collaborative approach to cybersecurity, ASM stands poised to mature into a foundational pillar of modern cybersecurity operations. As organizations navigate the complexities of an increasingly digital world, ASM serves as a beacon of resilience, empowering them to safeguard their digital assets and embrace a future of secure and sustainable cybersecurity practices.

Speakers:

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

In the dynamic landscape of cybersecurity, the process of Attack Surface Management (ASM) emerges as a critical endeavor, particularly in the realm of mergers and acquisitions (M&A). As businesses undergo transformative changes and expand their portfolios through M&A activity, the technical business units face unprecedented challenges in assessing and securing newly acquired assets. Legacy tools and bespoke scripts fall short in meeting the demands of this evolving landscape, underscoring the need for innovative solutions that can adapt to the complexities of modern cybersecurity. In this blog, we explore the challenges posed by M&A activity, the prevalence of false positives in ASM, and the transformative capabilities that define the future of attack surface management.

Here is the verbatim discussion:

Just about every business unit in a large Enterprise is involved in m&a activity it's especially hard on the technical business units so it networking infrastructure uh storage Cloud identity management uh and then security they all have to assess this newly acquired company Discover it completely and then design and make plans to get it up to the security standard of the company that's acquiring it their company how do you do that with with Legacy tools that are out there or or bespoke scripts or an army of Engineers that would miss stuff so it's very important that as an industry we don't get complient um and and uh another point which I wanted to add Chris is the false positives what's your thoughts on false positives because ASM largely um a lot of the ASM players like they they rely on the passive reconnaissance right like so what's your thoughts on false positive as a challenge yeah and that's a that's a great point to bring up we can't leave the the discussion of attack surface management with talking about without talking about one of the key capabilities that makes attack surface management so unique and so powerful uh and again starting with an example Legacy vulnerability management scanning tools think of those names those logos that you can picture in your your mind's eye those are doing their best to discover across the network what might exist on the endpoint and there's inferences assumptions

 Highlights:

The Complexity of M&A Integration: As M&A activity becomes increasingly prevalent across industries, technical business units are tasked with the daunting challenge of integrating newly acquired companies into existing security frameworks. Networking infrastructure, storage, cloud services, identity management, and security all undergo rigorous assessment and redesign to meet the security standards of the acquiring company. Legacy tools and manual processes prove inadequate in this fast-paced environment, highlighting the urgent need for streamlined solutions that can efficiently manage the expanded attack surface.

False Positives: Navigating the Noise: False positives emerge as a significant challenge in ASM, particularly in passive reconnaissance methods. Traditional vulnerability management tools rely on network scans and endpoint assessments, often leading to inaccuracies and missed vulnerabilities. The abundance of false positives not only hampers the efficacy of security teams but also contributes to alert fatigue and operational inefficiencies. Addressing this challenge requires a paradigm shift towards more precise and context-aware approaches to vulnerability detection.

The Power of Context-Aware Solutions: At the heart of ASM lies a transformative capability that sets it apart from legacy tools: context awareness. Unlike traditional vulnerability management solutions, ASM leverages passive reconnaissance methods to gather comprehensive insights into the organization's attack surface. By analyzing DNS records, certificate data, and public repositories, ASM provides unparalleled visibility into potential vulnerabilities, empowering security teams to prioritize and mitigate risks with precision and efficiency.

As organizations navigate the complexities of modern cybersecurity, the role of Attack Surface Management emerges as a linchpin in securing digital assets and mitigating risks. By addressing the challenges posed by M&A integration and false positives head-on, ASM solutions pave the way for a more resilient and proactive approach to cybersecurity. Through context-aware methodologies and innovative technologies, security teams can gain a deeper understanding of their attack surface, enabling them to adapt and evolve in the face of evolving threats. As the cybersecurity landscape continues to evolve, ASM stands poised to lead the charge towards a safer, more secure digital future.

Speakers: 

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

In the realm where computer science intersects with magic and architecture, lies the fascinating journey of Nazia, a cybersecurity enthusiast whose early exposure to hacking sparked a lifelong passion for unraveling the intricacies of digital systems. From delving into patch reversals in her school days to witnessing the emergence of groundbreaking technologies like Shodan and ChatGPT, Nazia's trajectory illuminates the catalytic role of hacker culture in shaping the evolution of cybersecurity, particularly in the realm of Attack Surface Management (ASM). In this blog, we delve into the driving forces behind ASM's development, from the relentless pursuit of hacker communities to the pragmatic needs of small teams and startups navigating the cybersecurity landscape.

Here is the verbatim discusssion:

I used to love architecture sorry computer science and magic and architecture I wasn't really a hacker but there was this friend of mine in my school uh great hacker so I kind of got introduced to hacking uh through him so I remember this is more than two decades back um in our like school network which was um the the Lan um was there it's one of the um few kind of uh schools during those days which was getting networked uh internet early days so I remember um every Tuesday I forgot Tuesday or Thursday like Patch Tuesday Chris or yep Microsoft yeah so every Tuesday the moment the patches used to get released um we had this like hacking Enthusiast group we used to uh go and reverse those patches figure out what did they fix and then try to do the reverse engineering and find out the vulnerability that's you know showan census is another C Cen Sy uh similar but I think they're starting to put up a pay wall for some of their stuff uh and to a a lesser extent quickly becoming a greater extent chat GPT uh this is going to be leveraged much the same way showan was you know it's it's gonna go and while showan finds the devices I imagine chat GPT is going to then uh provide context around well when was this patch released and what specific versions and maybe what was fixed if it's been on the the internet and chat GPT algorithms have been fed the data then it will provide those answers to anyone who asked that the the question so you know all these uh attacker focused enablers of Technology have been around and existing for a while uh and I I do see that you know now that you've made the connection for me as a catalyst for the development of ASM because the blue team needs something to to then catch them up to where they were at or where the where the attackers are at uh so yeah I I I do see that as a as a major driver um the other things that I know for a fact that are driving ASM because I've I've experienced them are uh small teams like I said or startups or small teams in large organisation.

Speakers: 

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Embarking on a journey through the multifaceted world of cybersecurity, we are privileged to hear from two industry veterans who have left an indelible mark on the landscape. Nazia, with her decades of experience and entrepreneurial spirit, brings a wealth of knowledge from founding companies in application security and automated red teaming. Chris, equally seasoned in the cybersecurity realm, shares his passion for magic, philosophy, physics, and cooking, adding a unique perspective to the conversation. Together, they offer insights into their diverse backgrounds, interests, and experiences, providing a glimpse into the dynamic intersection of cybersecurity and personal passions.

In the dynamic realm of cybersecurity, the concept of Attack Surface Management (ASM) continues to undergo evolution and refinement. As organizations grapple with the challenges of securing their digital assets, questions arise regarding the maturity of ASM programs and their adaptability to emerging threats. In this blog, we explore the shifting landscape of ASM and its potential trajectory towards internal attack surface management, alongside considerations of deception technology and the unknown unknowns that challenge traditional security paradigms.

Here is the verbatim discussion:

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

In the ever-evolving landscape of cybersecurity, security architects emerge as the linchpins of organizational defense, wielding their expertise to navigate complex systems and ensure robust security postures. However, their efforts are often hampered by the lack of visibility into the organization's attack surface and the burden of manual tasks in incident response. In this blog, we explore the pivotal role of security architects and their quest for solutions that automate asset management and enhance incident response capabilities.

Here is the verbatim discussion:

Either uh and then taking it down you know the Architects they are the ones that are involved working with other teams inside the organization they know the architecture or their systems better than almost anybody they also know that hey we have security tooling that just doesn't have any visibility into this stuff so they they've been looking for a solution that can automatically keep tabs on the attack surface as it changes and as they deploy it through architectural changes you know the engineers is the analyst uh that's another for them they are looking for something that's going to take the tier zero tier one maybe some of that tier two work off from their plate you know something's going to go out and identify accurately with high confidence hey this asset is on this IP address and it's this this and this you don't need to go and perform the manual steps here's some context now that you have this context do the things that you're good at as a human and and look at it and scrutinize it and say okay sometimes it's a bad question to ask me because I have vested interest right but if I keep my vested interest aside uh so I had been um kind of a ciso advisor for a few companies huh uh part of the like Advisory Board from the cyber security perspective so I remember for all the companies where I had been part of it um the moment I kind of joined the Advisory Board there were two big questions which I had in my mind and one was that do we know what our security posture is and for knowing that I have to know my assets right I mean without knowing the assets and its risk I mean it's incomplete right so this becomes a fundamental question like do we know all our assets and the risk associated with it that's one question and the second is if there is a breach will we be able to recover safely

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

In the relentless battle against cyber threats, Attack Surface Management (ASM) has emerged as a vital tool for organizations seeking to protect their digital assets. However, the journey towards effective ASM implementation is fraught with challenges, particularly for smaller teams and organizations. In this blog, we delve into the intricacies of ASM, addressing the challenges faced by security professionals and exploring future directions for enhancing its efficacy.

Here is the verbatim discussion:

These are kind of connected so let me summarize like one one of the things which we discussed about so far is the attackers are attacking everybody on the internet I mean these attacks are becoming democratized especially with the ransom guys attacks have become lot faster right I mean unlike earlier today they can like scan the entire internet in a day and and find out vulnerable systems try to exploit so we got to be fast as well and then organizations as you mentioned don't know all the assets they have that I know unfortunately too well the the smaller the SMB the midmarket or the startups or even the small team in a large Enterprise uh you are overworked over requested um often not appreciated you are um generally trying to build a skill set but at the end of the week you're burned out from what you've just done the entire week and so you don't really want to look at a computer or pick up a book or listen to a podcast about something new that you have to learn so oftentimes in these overworked uh smaller teams the skill set I don't mean this in a bad way but it stagnates because that's really what it is they're they're working so much at work they're learning the things they have to learn to put out the fires in that moment they don't have the expertise or the skill set that is often missing and one of the the one of the primary skill sets that's often missing in a smaller team is the ability to triage a vulnerability that's been identified and appropriately decide what prior priority do I need to put on this what risk what risks does it create what new risks are there and do we have anything that's already going on that will mitigate this or what are our what are our mitigating controls that's something where I see ASM coming in because uh it takes that asset list that asset inventory which you know sounds really boring it's just the asset inventory sure service now has been doing that for 20 years but it doesn't have the security context around it and that's ASM it then takes that and says hey by the way there's these string of vulnerabilities on these assets that hey if an attacker figures this out it's going to be really bad you should go and take a look at this so that's what a good ASM does takes that asset list it applies wisdom or expertise to it that maybe your overwork staff doesn't have right now or they can't spend the time you know four hours pcing too many false positives too many alerts like wanted to know Chris your thoughts on how how how is the industry responding to that because that's one of the things which ASM has as a challenge like it throws just too many alerts a prioritization also right I mean as you mentioned prioritization false positives so what's your thought on this and what's the future like yeah and you know the the example of Legacy vulnerability management shows you what's broken it's it's noisy produces a lot of findings that are low confidence ASM can't do what that is doing it it it'll fail so ASM even though it discovers even more assets more broadly more comprehensively um through two methods of interaction with those remote assets either passive which is similar not the same but similar as the Legacy vulnerability management or active assessments meaning assets been identified okay now let's kick off some programmatic thing that's going to go out and interact with the asset and observe its behaviour.

Speakers: 

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

In the ever-evolving landscape of cybersecurity, Attack Surface Management (ASM) stands out as a beacon of precision and efficacy. Yet, its concise nature belies its transformative potential, representing a paradigm shift away from traditional security practices and tooling. In this blog, we delve into the essence of ASM, shedding light on its unique characteristics and illustrating its significance in modern cybersecurity practices.

Here is the verbatim discussion:

In the ever-evolving landscape of cybersecurity, Attack Surface Management (ASM) has emerged as a crucial tool for organizations seeking to safeguard their digital assets. However, the journey towards understanding ASM and its significance is often shaped by diverse experiences and insights from cybersecurity professionals. In this blog, we delve into the diverse perspectives and catalysts that have propelled the evolution of ASM, shedding light on its role in mitigating modern security threats.

Here is the verbatim discussion:

So I think very broad exposure to a lot of different business processes but also many different Technologies there uh and then you know I I work through the sisadmin network engineering and then transitioned into security just as a natural extension of the work I was doing but the whole the whole way along this journey you know um I've always worked in either highly regulated Industries so think banking fin Healthcare or uh I've worked in smaller teams startups uh where even if you are a dedicated security person you're still helping out on the network side or on the system side or in the cloud side or in the the identity side you have to pitch in where you can because it's a small orc or if you're working in a highly regulated space say Pur is is the search engine for iot that's what it was called I don't know if it's still called that but essentially you know if you're not familiar with showan it's like Google but for Internet connected stuff Cloud resources webcams security cameras uh whatever ends up on the Internet ends up in showed in and it fingerprints it it looks to identify what type of service maybe manufacturer what operating systems Etc and you can go there and you can look for specific versions of os Hardware uh applications that you know are vulnerable and you can search for it just as easily as you would search for an answer from Google so I never really considered that as being the Catalyst for ASM but definitely that's a tool set that attackers have had for 10 years we as Chris yeah they've absolutely been using it and I guess you are aware of this this is very interesting I didn't notice it for quite some time this lot of these bug Bounty platforms they actually get this Recon information from whatever be the source maybe Shodan maybe elsewhere and they pass on this intelligence like here is this open database expose database or something like that to the bounty hunters so the bug Bounty platforms are in a way helping the Bounty Hunters by giving them this Intel I know like one of the companies which is you could have called it an ASM company but what they're doing is they're giving this feed away to the bounty hunters so that they can do better bounties or whatever huh so this information is getting uh in the hands of like the black hats to White hats to gray hats to everybody like you said it's been democratized uh because previously to do what showen does now so easily would require that you have a you've developed the skill set to do that maybe build scripts and then parse through the data and it was not easy and it was not trivial now it is easy and trivial um so that's you know showan census is another C Cen Sy uh similar but I think they're starting to put up a pay wall for some of their stuff uh and to a a lesser extent quickly becoming a greater extent chat GPT uh this is going to be leveraged much the same way showan was you know it's it's G to go and while showan finds the devices I imagine chat GPT is going to then uh provide context around well when was this patch released and what specific versions and maybe what was fixed?

Highlights:

Diverse Professional Journeys: The adoption and understanding of ASM are often influenced by the varied professional journeys of cybersecurity professionals. From sysadmin and network engineering roles to transitioning into security, individuals bring a broad exposure to different business processes and technologies. This diverse background equips them with the skills and insights necessary to navigate the complexities of ASM effectively.

The Role of Tools like Shodan: Tools such as Shodan have played a pivotal role in shaping the landscape of ASM. Dubbed as the "search engine for IoT," Shodan provides invaluable insights into internet-connected devices, cloud resources, and vulnerabilities. Its ability to fingerprint and identify vulnerable assets has made it a crucial resource for both attackers and defenders alike, highlighting the importance of ASM in proactively addressing security risks.

Democratization of Threat Intelligence: The democratization of threat intelligence, facilitated by platforms like bug bounty programs and emerging technologies like chat GPT, has further underscored the significance of ASM. Bug bounty platforms leverage reconnaissance information, including data from Shodan, to empower bounty hunters with actionable insights. Similarly, emerging technologies like chat GPT hold the potential to provide contextual information and enhance the efficacy of ASM in identifying and mitigating vulnerabilities.

As the cybersecurity landscape continues to evolve, ASM remains at the forefront of organizations' defense strategies. The diverse experiences and insights of cybersecurity professionals, coupled with the proliferation of threat intelligence platforms and emerging technologies, have propelled the evolution of ASM. By embracing ASM as a proactive approach to identifying and mitigating security risks, organizations can enhance their resilience in the face of evolving threats. As we navigate the complexities of cybersecurity, ASM stands as a testament to the collective efforts of cybersecurity professionals in safeguarding digital assets and mitigating risks effectively.

Speakers:

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

In the ever-evolving realm of cybersecurity, securing adequate resources is paramount for organizations striving to protect their digital assets effectively. However, obtaining budgetary allocations for critical initiatives such as Attack Surface Management (ASM) can pose significant challenges. In this blog, we delve into the practical considerations and strategies employed by security organizations to secure funding for ASM initiatives, drawing insights from industry experts and observations in the cybersecurity landscape.

Here is the verbatim discussion:

They're learning the things they have to learn to put out the fires in that moment they don't have the expertise or the skill set that is often missing and one of the the one of the primary skill sets that's often missing in a smaller team is the ability to triage a vulnerability that's been identified and appropriately decide what priority do I need to put on this what risk what risks does it create what new risks are there and do we have anything that's already going on that will mitigate this or what are our what are our mitigating controls that's something where I see ASM coming in because uh it takes that asset list that asset inventory which you know sounds really boring it's just the asset inventory sure service now has been doing that for 20 years great and and Chris this is a kind of question which almost like every ciso is always talking about like where where do I get the budget from right so what what what are you typically observing since since you um uh as an an analyst in this space where are the security organizations getting the budget from is it like they're taking some existing budget are they creating a new budget and also like how are they justifying the budget yeah that's a a really good question because you can get really excited about a technology you can you can find all sorts of ways that it will be used in your organization you can say I hello everyone I welcome you all on behalf of ciso platform to this webinar ciso platform is the world's first online community solely dedicated for information senior security Executives ciso CIO CSO CTO directors Etc with 40,000 plus professionals globally and 5,000 Plus members today's session is on practical approach to understanding ATT tax surfice management m in 2023 our speakers are Chris Ray and Bash baray Chris is a security architect and Veteran of the cyber security domain he has written many reports on attack surface management and many more domains bash is the co-founder of CISO Platform plan and Firecompass. He is also an IIT Kharagpur alumni.

Highlights:

Addressing Skill Gaps: One of the primary challenges faced by security organizations, particularly smaller teams, is the lack of expertise and skill sets necessary to effectively triage vulnerabilities. ASM plays a crucial role in addressing this gap by providing insights into asset inventory and prioritizing vulnerabilities based on their potential impact and mitigating controls. By leveraging ASM tools, organizations can enhance their ability to assess risks and allocate resources more efficiently.

Budget Allocation Strategies: Securing budgetary allocations for ASM initiatives requires a strategic approach that emphasizes the alignment of security objectives with broader organizational goals. While some organizations may reallocate existing budgets to prioritize cybersecurity initiatives, others may create dedicated budgets specifically earmarked for ASM and related technologies. Additionally, justifying the budget for ASM often involves demonstrating the tangible value and return on investment (ROI) derived from enhanced security posture and risk mitigation.

Industry Insights and Best Practices: Drawing insights from industry experts and observing trends in the cybersecurity landscape can inform budget allocation strategies for ASM initiatives. Platforms like CISO Platform provide valuable resources and networking opportunities for security professionals to exchange insights and best practices related to ASM and other cybersecurity domains. By leveraging these platforms and collaborating with peers, security organizations can gain valuable perspectives on budgetary considerations and strategic approaches to ASM implementation.

Securing resources for Attack Surface Management is a multifaceted endeavor that requires a strategic approach, collaboration, and alignment with organizational objectives. By addressing skill gaps, leveraging budget allocation strategies, and drawing insights from industry best practices, security organizations can effectively secure the necessary resources to implement ASM initiatives. Platforms like CISO Platform serve as invaluable resources for security professionals, offering insights, networking opportunities, and practical guidance for navigating the budgetary landscape and achieving cybersecurity objectives. As organizations continue to prioritize cybersecurity in an increasingly complex threat landscape, securing adequate resources for ASM initiatives will remain a critical priority for safeguarding digital assets and mitigating risks effectively.

Speakers:

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

In the pursuit of cybersecurity excellence, Attack Surface Management (ASM) has emerged as a powerful tool for organizations seeking to fortify their defenses. However, amidst the excitement surrounding ASM's capabilities, it's crucial to acknowledge the inherent limitations and challenges that come with it. In this blog, we delve into the nuanced realities of ASM, highlighting the need for a balanced approach that recognizes both its strengths and shortcomings.

Here is the verbatim discussion:

So that 5% is still a risk as an organization you have to account that you know uh you have to you have to consider that ASM is is still just a tool built by humans and it's going to have its own shortcomings you know based on human fallacies uh so it don't assume that it's complete uh assume that you still have more more work to do the other side even though ASM I will say I get excited about ASM because of how good it is at discovering things so that's you know the asteris there is it's it's almost perfect but it's not quite the other side the other thing I I I emphasized I touched on this a little bit earlier is the internal attack surface um ASM is really good at the external attack surface right now uh and there appears to be uh a direction where some vendors or some ASM Solutions are building similar capabilities not the exact same because they're achieved differently but similar once they got to know all those assets they saw like half of it we don't need it they shouldn't be online yeah they actually went and kind of reduced the attex surface which is great from the security perspective but also reduce the spend on cloud costs that's a great Point uh how many organizations have you worked with or you know I've I've worked in many organizations that once they start to wrap their arms around the attack surface they start to say wait a second I thought that was decommissioned a year and a half ago what is it still doing? Don't turn that off. That's a risk. It's $800 a month. Why is that running?

Highlights:

The Human Factor: While ASM offers unparalleled capabilities in discovering vulnerabilities and mitigating risks, it's essential to remember that it is ultimately a tool created by humans. As such, it is susceptible to human fallacies and limitations. Organizations must not fall into the trap of assuming that ASM provides a foolproof solution. Rather, they should approach it with a mindset that acknowledges the possibility of errors and shortcomings, necessitating ongoing vigilance and supplementary measures.

The External vs. Internal Attack Surface: ASM excels in assessing and managing the external attack surface of an organization's digital infrastructure. However, its effectiveness in addressing internal vulnerabilities may vary. While some ASM solutions are expanding to cover internal attack surfaces, there remains a gap in comprehensive coverage. Organizations must recognize this disparity and implement additional measures to mitigate risks stemming from internal vulnerabilities effectively.

Optimizing Resource Utilization: One of the overlooked benefits of ASM is its potential to optimize resource utilization by identifying and eliminating unnecessary assets from the attack surface. By gaining insights into their digital footprint, organizations can uncover dormant or redundant assets that pose security risks and incur unnecessary costs. This dual benefit of enhanced security and cost reduction underscores the value of ASM beyond its traditional scope.

As organizations embrace Attack Surface Management as a cornerstone of their cybersecurity strategy, it's imperative to maintain a nuanced understanding of its capabilities and limitations. While ASM offers unprecedented insights into vulnerabilities and threats, it is not without its flaws. Human error, internal vulnerabilities, and the need for ongoing optimization remain persistent challenges in the ASM landscape. By adopting a holistic approach that combines ASM with supplementary measures and a culture of continuous improvement, organizations can maximize the efficacy of their cybersecurity efforts. In doing so, they can navigate the imperfect landscape of cybersecurity with confidence and resilience, safeguarding their digital assets against evolving threats.

Speakers:

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

In the realm of cybersecurity, the landscape is constantly evolving, presenting new challenges and opportunities for organizations. One such challenge lies in effectively managing vulnerabilities across diverse and dynamic digital environments. Traditional vulnerability scanning solutions, while useful, often fall short when it comes to providing comprehensive visibility into an organization's attack surface. In this blog, we explore the shortcomings of legacy vulnerability management and the transformative potential of Attack Surface Management (ASM) in revolutionizing how organizations approach vulnerability management.

Here is the verbatim discussion:

There's a handful of them the Legacy vulnerability scanning Solutions require that you know your IP space roughly even if it's an IP block you could say here's my slash21 on the Internet or whatever it is my slash28 just keep scanning it and tell me what's there but what if you have assets that fall outside of the gnome well the Legacy vulnerability scanners are going to completely fail they have zero insight into what's there and that's that's a major problem for a lot of organizations attack surface what's the future like yeah and you know the the example of Legacy vulnerability management shows you what's broken it's it's noisy produces a lot of findings that are low confidence ASM can't do what that is doing it it it'll fail so ASM even though it discovers even more assets more broadly more comprehensively um through two methods of interaction with those remote assets either passive which is similar not the same but similar as the Legacy vulnerability management or active assessments meaning assets been identified okay now let's kick off some programmatic thing that's going to go out and interact with the asset and observe its behaviors does it respond with a SSL an SSH login does it give me back a banner um if I know that this asset in the app version that's running on it is vulnerable to a remote code execution maybe it's possible through Act assessments to run a benign version of that attack and you can then measure the results that's a very specific example but some ASM Solutions are able to go out and do that so now what you end up with is instead of Legacy vulnerability management with 20% confidence that this is the vulnerability on the other end of the wire, you have ASM, Which is like 100% confident this is the vulnerability on the other end of the wire.

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

In the dynamic realm of cybersecurity, Attack Surface Management (ASM) has emerged as a crucial linchpin in fortifying digital defenses. However, the future of ASM extends far beyond its current capabilities. As discussions around the future trajectory of ASM unfold, it becomes evident that its evolution will be characterized by a quest for continuous improvement and integration. In this blog, we delve into the nuances of ASM's future, exploring its potential to enhance security solutions and drive convergence in the cybersecurity landscape.

In the ever-changing landscape of cybersecurity, Attack Surface Management (ASM) has emerged as a critical component in safeguarding digital assets. As threats evolve and technology advances, the role of ASM is not only pivotal in identifying vulnerabilities but also in shaping the future of security solutions. In this blog, we explore how ASM is poised to become the bedrock for comprehensive security measures, driving convergence in the cybersecurity space.

Here is the verbatim discussion:

I see it becoming a better version or it's um let me think of the best way to put this I see it enabling better Security Solutions as is you know in one way it will become the Bedrock for uh or the foundation for better Security Solutions meaning uh con convergence in the space and that's that's popular one right now uh either through merger and acquisition you know bigger vendors buying smaller vendors or through um the the the leaders in the ASM space developing broader capabilities and saying you know we can't uh we're not doing a great job and this is just an example we're not doing a great job with the identity side of ATT tax surface management we're going to build additional identity capabilities into our platform so I see uh the future of ASM uh not going away I see maybe getting ASM integrated into uh either larger companies so broader portfolios or ASM being a part of a a platform a suite of of risk mitigation tools yeah Chris I absolutely agree with you in fact like when when um after the the acquisition of my previous company we were thinking like what's next so we kind of looked into ASM as a standalone space and one of the kind of assumptions which I had was like ASM at the end of of the day is going to become a feature yep and it'll become a part of many, many solutions.

Highlights:

Convergence in Security Solutions: The integration of ASM into broader security portfolios marks a significant trend in the cybersecurity industry. As highlighted in the conversation, larger companies are recognizing the importance of ASM and seeking to incorporate it into their offerings. This convergence is driven by the need for holistic security solutions that address the diverse and evolving threat landscape.

Expansion of Capabilities: ASM is not limited to vulnerability identification alone; it serves as a foundation for expanding security capabilities. As organizations strive to enhance their risk mitigation strategies, ASM provides a framework for incorporating additional features such as identity management. This expansion reflects a shift towards proactive risk management, where ASM plays a central role in fortifying digital defenses.

The Future of ASM: Despite its evolution, ASM is not fading into obscurity; rather, it is becoming more deeply integrated into security ecosystems. Whether through mergers and acquisitions or the development of broader capabilities by industry leaders, ASM is poised to remain a cornerstone of cybersecurity strategies. By becoming a feature of larger solutions or part of comprehensive risk mitigation platforms, ASM ensures its relevance in the ever-evolving threat landscape.

The journey of Attack Surface Management from a standalone solution to an integral component of comprehensive security platforms underscores its significance in modern cybersecurity. As organizations grapple with increasingly sophisticated threats, ASM offers a framework for proactive risk mitigation and vulnerability management. By embracing ASM as a foundational element, businesses can bolster their defenses and adapt to the evolving threat landscape, ensuring resilience in the face of emerging challenges.

Speakers:

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

In an age where digital connectivity pervades every aspect of our lives, cybersecurity has emerged as a critical concern. The rapid evolution of technology has brought about unprecedented opportunities, but it has also opened doors to a myriad of vulnerabilities. Today, attackers wield sophisticated tools and techniques, exploiting weaknesses in systems with alarming efficiency. To navigate this landscape, organizations must remain vigilant, adaptive, and proactive in their approach to cybersecurity.

Here is the verbatim discussion:

Unlike earlier today they can like scan the entire internet in a day and and find out vulnerable systems try to exploit so we got to be fast as well and then organizations as you mentioned don't know all the assets they have a lot of things are happening behind the back because of the decentralized power right like people want to go agile they you have like organ different departments making decisions on their own fast so that also creates a lot of things happening I never thought of you know showdan you're right has been around a long time showan is is the search engine for iot that's what it was called I don't know if it's still called that but essentially you know if you're not familiar with showan it's like Google but for Internet connected stuff Cloud resources webcams security cameras whatever ends up on the Internet ends up in showed in and it fingerprints it it looks to identify what type of service maybe manufacturer what operating systems Etc and you can go there and you can look for specific versions of os Hardware uh applications that you know are vulnerable these are kind of connected so let me summarize like one one of the things which we discussed about so far is the attackers are attacking everybody on the internet I mean these attacks are becoming democratize especially with the ransom guys attacks have become lot faster right I mean unlike earlier today they can like scan the entire internet in a day and and find out vulnerable systems try to exploit so we got to be fast as well and then organizations as you mentioned don't know all the assets they have. A lot of things are happening behind the back because of the decentralized power. Right?

Highlights:

The Shifting Paradigm of Cyber Threats: As discussed in the clips, the nature of cyber threats has undergone a significant transformation. Attackers no longer discriminate based on size or industry; everyone connected to the internet is a potential target. Moreover, the democratization of cyber attacks, particularly with the rise of ransomware, has accelerated their pace and scale.

The Role of Decentralization: Decentralization, often touted for its benefits in promoting agility and innovation, also introduces complexities in cybersecurity. With power dispersed across various departments and individuals within organizations, it becomes challenging to maintain a comprehensive view of all assets and vulnerabilities. This lack of visibility creates opportunities for malicious actors to operate undetected.

The Power of Tools like Shodan: Tools like Shodan exemplify the vast landscape of cyber threat intelligence. Dubbed the "search engine for the Internet of Things (IoT)," Shodan scans and indexes internet-connected devices, providing invaluable insights into potential security risks. By leveraging such tools, security professionals can proactively identify and mitigate vulnerabilities before they are exploited.

As cyber threats continue to evolve in sophistication and scale, the need for robust cybersecurity measures has never been more pressing. Organizations must adopt a multi-faceted approach that combines advanced technologies, proactive monitoring, and a culture of security awareness. By staying informed, vigilant, and collaborative, we can collectively safeguard our digital ecosystems against emerging threats, ensuring a secure and resilient future for all.

Speakers: 

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Welcome, fellow security enthusiasts! As we gather once again at the RSA Conference, amidst the buzz of innovative technologies and strategies, it's crucial to reflect on a fundamental aspect often overlooked in the realm of cybersecurity: human behavior. While awareness campaigns have long been a cornerstone of security initiatives, their effectiveness often plateaus, leaving organizations vulnerable to persistent threats. But fear not, for there is a powerful ally in our quest for better security practices: the science of habits.

Welcome, esteemed attendees of the RSA Conference, to a discourse on a fundamental truth often obscured by the veneer of consciousness: our lack of control over our own actions. Despite our fervent belief in our autonomy, the reality is that much of our behavior is dictated by deeply ingrained habits that operate beneath the surface of our awareness. Join me as we delve into the intricate structure of human habits and explore how understanding this phenomenon can revolutionize our approach to IT security.

Here is the verbatim discussion:

The central theme is that we are not in control even though we would love to think that we are in control but we are not and I I would explain the the basic structure of a human habit and if you look at the kind of things which we do in our day-to-day life around 40% of the things which we do we do it unconsciously I'll give an example like tying up the shoelace or driving the car changing the gear all these things we do without thinking if you think tying a shoelace is quite complex right but we do it without thinking or just imagine you are in an elevator and and you are thinking of something mentally engrossed in some thought and the elevator door opens at the wrong floor what happens we just step out right because that's an automated program in our mind to step out when the door opens so we have a lot of these programs in our mind which are kind of inbuilt and which get triggered automatically every time there's that right trigger so one part of my talk is in terms of understanding the structure of human behavior or human habits so basically uh there are three parts one is the trigger then there is a routine and then there is a reward so we all respond to things in uh a specific way when the trigger happens and interestingly uh there are these companies uh like Coca-Cola and and Facebook and Google.

Highlights:

The Illusion of Control: Despite our desires to believe otherwise, research indicates that a significant portion of our daily actions occur on autopilot, driven by habit rather than conscious deliberation. From mundane tasks like tying shoelaces to complex behaviors like driving a car, approximately 40% of our actions are executed unconsciously. This realization challenges the notion of human agency and underscores the powerful influence of habit in shaping behavior.

Decoding the Structure of Habits: At the core of human habits lies a triad of components: the trigger, the routine, and the reward. When confronted with a particular cue or trigger, our brains instinctively initiate a predetermined routine, culminating in a reward that reinforces the behavior. This cyclical process forms the bedrock of habit formation, dictating our responses to stimuli in a predictable manner.

Insights from Corporate Giants: The ubiquity of habit-driven behavior extends beyond individual actions to shape the strategies of corporate behemoths like Coca-Cola and Facebook. Through meticulously crafted triggers, routines, and rewards, these companies engineer addictive products and experiences that compel users to engage with their platforms habitually. By leveraging insights from behavioral psychology, they exploit the innate tendencies of human cognition to drive desired outcomes.

As we reflect on the interplay between habit and human behavior, it becomes evident that our perceived agency is but an illusion, overshadowed by the omnipresent influence of habit. By unraveling the intricacies of habit formation and acknowledging our susceptibility to its sway, we can unlock new avenues for promoting IT security within organizations. Rather than relying solely on awareness campaigns, let us harness the power of habits to instill secure behaviors seamlessly and unconsciously. In doing so, we can fortify our defenses against cyber threats and navigate the digital landscape with heightened resilience. As we depart from this discourse, let us carry forth this newfound understanding and usher in a paradigm shift in our approach to cybersecurity.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Jennifer Lawinski Editor-in-Chief of online engagement for RSA Conference. With experience writing for publications like CRN and CIOInsight, Jennifer has the experience to facilitate the important security conversations. Keep an eye on this space. I am excited to see what the next phase of RSAC 365 will look like.

https://twitter.com/lawinski

https://www.linkedin.com/in/jenlawinski

Greetings, esteemed participants of the RSA Conference, as we convene amidst the bustling nexus of cybersecurity discourse, it's paramount to recognize a pivotal yet often overlooked aspect of our collective security posture: human behavior. In an era saturated with awareness campaigns and regulatory mandates, the perennial question persists: why do individuals continue to engage in risky behaviors despite knowing the potential consequences? Join me on a journey beyond the realm of awareness as we delve into the intricate dynamics of human habits and their profound implications for cybersecurity.

Greetings, fellow cybersecurity enthusiasts! As we gather once again, this time in Singapore, it's my privilege to embark on a journey of evolution and exploration from my previous talk at RSA Conference USA. Building upon the foundation laid in the realm of individual behavior transformation, my focus now shifts towards the collective dynamics of group behavior and organizational culture. Join me as we delve into the profound implications of habits in shaping the fabric of organizational identity and resilience.

Here is the verbatim discussion:

I spoke at uh RSA Conference USA uh this year and over there my focus was more in terms of how to use the science of habits to transform an individual's behavior and then over a period of time I am now trying to work on how to extend it to a group Behavior how to form culture and when you want to influence the group Behavior and the culture of an organization you need to deal with it in a different way so the evolution from my USA talk to the Singapore talk is on how to extend the same principles but use it differently in the context of a larger group rather than an individual okay so then what are three major points you plan on making in your talk the central theme is that we are not in control even though we would love to think that we are in control but we are not and I I would explain the um the basic structure of a human habit and if you look at the kind of things which we do in our day-to-day life around 40% of the things which we do we do it unconsciously I'll give an example like um tying up the shoelace uh or driving the car changing the gear all these things we do without thinking if you think tying a shoeless is quite complex right but we.

Highlights:

The Illusion of Control: At the core of my discourse lies the sobering realization that despite our aspirations for autonomy, much of our behavior is governed by subconscious habits. Whether it's the seemingly mundane act of tying shoelaces or navigating the complexities of driving, approximately 40% of our actions occur on autopilot, devoid of conscious thought. By unraveling the fundamental structure of human habits, we gain insights into the hidden forces shaping our individual and collective behaviors.

Extending the Principles: Building upon the insights gleaned from individual behavior transformation, my talk will elucidate the nuanced strategies required to influence group behavior and cultivate a resilient organizational culture. In navigating the intricacies of group dynamics, it's essential to recognize that the principles of habit formation remain immutable, yet their application necessitates a tailored approach. From fostering collaborative workflows to instilling a shared sense of accountability, leveraging habits as catalysts for cultural change requires finesse and adaptability.

Navigating Organizational Culture: Central to my discourse is the recognition that organizational culture serves as the bedrock upon which cybersecurity resilience is built. By harnessing the science of habits, organizations can orchestrate deliberate interventions to cultivate a culture that prioritizes security and resilience. From embedding cybersecurity practices into the fabric of daily workflows to fostering a culture of continuous learning and adaptation, the possibilities for leveraging habits in shaping organizational culture are boundless.

As we embark on this journey of exploration and transformation, let us dispel the illusion of control and embrace the profound influence of habits in shaping group behavior and organizational culture. By extending the principles elucidated in my previous talk to the realm of collective dynamics, we unlock new vistas of possibility for fortifying organizational resilience against cyber threats. Together, let us harness the science of habits as a beacon guiding us towards a future where cybersecurity is not just a practice but a way of life ingrained in the very fabric of organizational culture.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Jennifer Lawinski Editor-in-Chief of online engagement for RSA Conference. With experience writing for publications like CRN and CIOInsight, Jennifer has the experience to facilitate the important security conversations. Keep an eye on this space. I am excited to see what the next phase of RSAC 365 will look like.

https://twitter.com/lawinski

https://www.linkedin.com/in/jenlawinski

Greetings, fellow cybersecurity professionals! As we navigate the ever-evolving landscape of digital threats and vulnerabilities, it's imperative to acknowledge a pervasive challenge hindering our collective defense: the fragmented nature of cybersecurity technologies. From Data Loss Prevention (DLP) to Cloud Access Security Broker (CASB) solutions, Threat Intelligence platforms, and Security Information and Event Management (SIEM) systems, the proliferation of specialized products has led to a siloed ecosystem where interoperability remains elusive. Join me as we delve into the critical imperative of integration and collaboration in cybersecurity technologies, and the transformative impact it holds for organizational security posture.

Here is the verbatim discussion:

Right and the same thing is happening in the field of security you got uh DLP products you got casby products you got threat Intel products Sim products and all these products are like largely they're closely guarded they don't they don't talk to each other in a seamless manner so I think that's a big hardle which we need to solve and if you can do that well all of a sudden our the posture the security posture which an organization can attain with the same set of solutions will move dramatically up so I'll talk about um I would consider that uh integrating these various Technologies making them talk to each other in a meaningful manner is a technology problem which we need to resolve thank you very much for your time here today.

Highlights:

Fragmentation in Cybersecurity Technologies: The proliferation of specialized cybersecurity products has led to a fragmented ecosystem characterized by isolated silos of functionality. While individual solutions excel in their respective domains, the lack of interoperability and communication between them poses a significant obstacle to holistic defense strategies. As organizations grapple with an ever-expanding threat landscape, the need for seamless integration and collaboration among disparate technologies becomes increasingly pronounced.

Bridging the Divide: At the heart of my discourse lies the recognition that integration is not merely a technological challenge but a strategic imperative for bolstering cybersecurity resilience. By breaking down silos and fostering interoperability among diverse security solutions, organizations can unlock synergies and amplify the efficacy of their defense mechanisms. Whether it's correlating threat intelligence data across disparate platforms or orchestrating automated response actions, integrated cybersecurity technologies hold the key to a more cohesive and proactive defense posture.

The Technology Problem: While the concept of integration may seem straightforward in theory, its implementation poses formidable technological hurdles. From disparate data formats and protocols to varying degrees of vendor support, achieving seamless interoperability requires concerted efforts and innovative solutions. By investing in standards-based approaches, open APIs, and interoperability frameworks, the cybersecurity community can pave the way for a future where integrated defense architectures are the norm rather than the exception.

As we conclude our discourse on the imperative of integration in cybersecurity technologies, let us reaffirm our commitment to breaking down silos and fostering collaboration across the security ecosystem. By transcending the constraints of individual solutions and embracing a collective mindset, we can fortify our defenses against emerging threats and navigate the digital landscape with heightened resilience. Together, let us confront the technological challenges head-on and pave the way for a future where integrated cybersecurity architectures empower organizations to stay one step ahead of adversaries. Thank you for your time and dedication to advancing the cause of cybersecurity excellence.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Jennifer Lawinski Editor-in-Chief of online engagement for RSA Conference. With experience writing for publications like CRN and CIOInsight, Jennifer has the experience to facilitate the important security conversations. Keep an eye on this space. I am excited to see what the next phase of RSAC 365 will look like.

https://twitter.com/lawinski

https://www.linkedin.com/in/jenlawinski