Priya R's Posts (80)


Navigating the Growing Pains of Attack Surface Management: Challenges and Opportunities

Attack Surface Management (ASM) has become a cornerstone for organizations trying to get ahead of attackers who probe everything that faces the internet. ASM does not sit neatly in one box: it cuts across several personas (security leadership, vulnerability management, cloud security, threat intelligence, the SOC) and gives each of them a view of the organization's attack surface. It is also still a young discipline with real growing pains. This post looks at where ASM fits, where it is converging with neighbouring tools, and what the challenges on its path to maturity are.

 

  

Here is the verbatim discussion:

...inventory you can't do vulnerability management. The security leadership, as you mentioned, they're using this, so it cuts across multiple personas. And if you look at the technology domains where ASM fits in, that's also very horizontal, right? Like, for example, vulnerability management is an obvious area. But along with that, if you look at cloud security, that's the reason why some of the cloud security posture management (CSPM) companies acquired ASM. So there's a kind of augmentation story out there. With threat intelligence there's an augmentation story, because just the threat intel without the context, I mean, it's good, but it's not good enough. If somebody could tell you, well, here's this adversary and these are their TTPs, and you've got like 10 assets which could be interesting from that perspective... So I think TI and ASM also are getting converged, because there's a nice augmentation story. The SOC and ASM also have got an augmentation story, because the ASM can find out the assets and tell the SOC that here's an open RDP port, this faces... [...] Because it has become a hot new technology, but it's still kind of early days, not at the super mature stage, right? So what are those growing pains? What are the challenges which ASM as an industry is facing today? What are the bad sides?

 

Highlights:

Horizontal Integration Across Personas and Domains: ASM spans several personas and technology domains. Security leadership uses it for posture visibility, vulnerability management depends on it because you cannot manage vulnerabilities in assets you do not know about, and cloud security, threat intelligence and the SOC each consume its output. That horizontal reach is what lets an organization see its attack surface as a whole and prioritize remediation against it.

Convergence with Cloud Security and Threat Intelligence: The overlap with cloud security posture management (CSPM) is why some CSPM vendors have acquired ASM companies: ASM discovers the exposed assets, CSPM knows how they are configured. Threat intelligence gets the same kind of augmentation. An adversary profile with its tactics, techniques, and procedures (TTPs) is useful on its own, but it becomes actionable when it is joined to the ten assets in the inventory that those TTPs actually apply to. And for the SOC, ASM supplies the missing context: this host, this IP address, this open RDP port facing the internet, this owner.
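The join between an adversary profile and the asset inventory that this paragraph describes, as an added example (not code from the original post or from either speaker, written in Python because the data is tabular): the inventory rows, the adversary's technique list and the mapping from each technique to the exposed services it needs are constructed sample data; the ATT&CK technique ids are real identifiers, but attaching them to this sample adversary is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One row of the asset inventory as ASM would discover it."""
    host: str
    ip: str
    port: int
    service: str            # normalised service name: "rdp", "ssh", "vpn", "http"
    owner: str              # business unit recorded against the asset
    internet_facing: bool   # reachable from the public internet


@dataclass(frozen=True)
class Ttp:
    """One technique from an adversary profile, with the exposed services it targets."""
    ttp_id: str             # MITRE ATT&CK technique id (real ids below)
    name: str
    needs: frozenset        # services the technique can be used against (analyst judgement)


@dataclass(frozen=True)
class Finding:
    asset: Asset
    ttps: tuple             # matching technique ids, in feed order
    score: int              # number of matching techniques


# Constructed sample inventory (RFC 5737 documentation addresses, .test names).
INVENTORY = [
    Asset("vpn.example.test", "198.51.100.10", 443, "vpn", "it-infra", True),
    Asset("jump-01.example.test", "198.51.100.23", 3389, "rdp", "ops", True),
    Asset("build.example.test", "198.51.100.40", 22, "ssh", "engineering", True),
    Asset("db-int.example.test", "10.20.0.7", 3389, "rdp", "finance", False),
    Asset("www.example.test", "198.51.100.80", 80, "http", "marketing", True),
]

# Constructed sample adversary profile. The service mapping is an assumption made
# for this example, not part of the ATT&CK data itself.
ADVERSARY_TTPS = [
    Ttp("T1133", "External Remote Services", frozenset({"rdp", "vpn"})),
    Ttp("T1021.001", "Remote Services: Remote Desktop Protocol", frozenset({"rdp"})),
    Ttp("T1110.001", "Brute Force: Password Guessing", frozenset({"rdp", "ssh"})),
]


def match_exposure(inventory, ttps):
    """Collect, for each internet-facing asset, the techniques whose required
    exposed service that asset actually offers. Internal-only assets are skipped
    because external ASM discovers only what faces the internet."""
    findings = []
    for asset in inventory:
        if not asset.internet_facing:
            continue
        hits = tuple(t.ttp_id for t in ttps if asset.service in t.needs)
        if hits:
            findings.append(Finding(asset, hits, len(hits)))
    return findings


def prioritize(inventory, ttps):
    """Most matching techniques first; tie-break on hostname so output is deterministic."""
    return sorted(match_exposure(inventory, ttps),
                  key=lambda f: (-f.score, f.asset.host))


def soc_alerts(findings):
    """Render findings with the context a SOC needs: host, address, owner, and why it matters."""
    return [
        {
            "host": f.asset.host,
            "ip": f.asset.ip,
            "owner": f.asset.owner,
            "reason": (f"{f.asset.service.upper()} on port {f.asset.port} is internet-facing "
                       f"and matches adversary techniques {', '.join(f.ttps)}"),
        }
        for f in findings
    ]


if __name__ == "__main__":
    for alert in soc_alerts(prioritize(INVENTORY, ADVERSARY_TTPS)):
        print(alert)
```

Run as a script it prints one alert per exposed asset, worst first. The score here is just the number of matching techniques; a real deployment would weight it with asset criticality and owner information already held in the inventory, which is exactly the context the text says threat intel lacks on its own.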

Navigating the Growing Pains: ASM is a hot category but not yet a mature one. Teams adopting it run into false positives, alert fatigue, integration work with the tools already in place, and the need for context-aware analysis rather than raw lists of findings. Because the category is young, the tooling still needs refinement and vendors still have to prove they can keep pace with new attack vectors.

 

ASM is a genuine area of innovation, but its growing pains are real and worth naming. Organizations that confront them directly, and that use the convergence with CSPM, threat intelligence and the SOC rather than treating ASM as yet another silo, get the most out of it. With continued refinement and cross-team collaboration, ASM is well placed to become a foundational part of security operations.

 

Speakers:

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited with several innovations in the domain of network security and anti-spam technologies and holds multiple patents with the USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at forums including TiE, RSA Conference USA and TEDx.

Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital (now part of Synopsys). iViZ was the first company in the world to take ethical hacking (or penetration testing) to the cloud.

 

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Navigating the Complexities of Attack Surface Management: Challenges and Solutions

Attack Surface Management (ASM) is at its most demanding during mergers and acquisitions (M&A). When a business buys another company, its technical units inherit an estate they did not build and have to discover it completely before they can bring it up to their own security standard. Legacy scanners, bespoke scripts and armies of engineers miss things. This post covers the M&A challenge, the false positives that come with passive reconnaissance, and the context that sets ASM apart from legacy vulnerability scanning.

 

  

Here is the verbatim discussion:

Just about every business unit in a large enterprise is involved in M&A activity. It's especially hard on the technical business units, so IT, networking, infrastructure, storage, cloud, identity management, and then security. They all have to assess this newly acquired company, discover it completely, and then design and make plans to get it up to the security standard of the company that's acquiring it, their company. How do you do that with legacy tools that are out there, or bespoke scripts, or an army of engineers that would miss stuff? So it's very important that as an industry we don't get complacent.

Another point which I wanted to add, Chris, is the false positives. What's your thoughts on false positives? Because a lot of the ASM players rely on passive reconnaissance, right? So what's your thoughts on false positives as a challenge?

Yeah, and that's a great point to bring up. We can't leave the discussion of attack surface management without talking about one of the key capabilities that makes attack surface management so unique and so powerful. And again, starting with an example: legacy vulnerability management scanning tools, think of those names, those logos that you can picture in your mind's eye. Those are doing their best to discover across the network what might exist on the endpoint, and there's inferences, assumptions...

 

 Highlights:

The Complexity of M&A Integration: Nearly every business unit in a large enterprise touches M&A, and the technical ones (IT, networking, infrastructure, storage, cloud, identity management and security) carry the heaviest load. They have to discover the acquired company completely, then plan and execute the work to bring it up to the acquirer's security standard. Legacy tools, bespoke scripts and manual effort miss assets in an estate nobody on the acquiring side fully understands, which is exactly the gap ASM's automated discovery is meant to close.

False Positives: Navigating the Noise: Much of the ASM market relies on passive reconnaissance: inferring what an organization exposes from third-party data (scan datasets, DNS, certificate records) rather than touching the hosts. That inference can be wrong in two ways: the data can be stale (the service was patched or decommissioned after the observation was recorded), or misattributed (the IP address or hostname now belongs to someone else). Legacy vulnerability scanners have their own version of the problem, inferring what runs on an endpoint from what they can see across the network. Either way, every false positive costs analyst time, feeds alert fatigue and erodes trust in the tool, so findings need confirmation and context before they reach a queue.

The Power of Context-Aware Solutions: What sets ASM apart from legacy tools is the context it attaches to each asset. Passive reconnaissance over DNS records, certificate data and public repositories gives breadth, including assets nobody in the organization knew about; the context (who owns it, what it runs, whether the finding was confirmed and when) is what turns that breadth into something a team can prioritize and act on rather than another noisy list.
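How a passive-reconnaissance claim can be checked before it becomes a ticket, as an added example that is not from the original post, either speaker, or any vendor: the observation records, the probe results standing in for a live connection to each host, the 30-day staleness threshold and the status names are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PassiveObservation:
    """What a third-party source claims about a host, without ever touching it."""
    host: str
    ip: str
    source: str            # e.g. "scan-dataset", "cert-transparency", "dns-history"
    observed_at: datetime
    product: str
    version: str


@dataclass(frozen=True)
class ActiveProbe:
    """What the host actually answered when we connected to it (constructed here)."""
    host: str
    ip: str                # address the name resolved to at probe time
    product: str
    version: str
    cert_names: tuple      # SAN entries on the certificate it served


@dataclass(frozen=True)
class Triage:
    status: str            # confirmed | stale_false_positive | conflict | reattributed | unreachable
    confidence: int        # number of independent passive sources that agree
    note: str


STALE_AFTER = timedelta(days=30)   # assumption: older passive data needs re-confirmation
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _days_ago(n):
    return NOW - timedelta(days=n)


# Constructed sample observations (RFC 5737 addresses, .test names).
OBSERVATIONS = [
    PassiveObservation("mail.example.test", "198.51.100.25", "scan-dataset", _days_ago(45), "exim", "4.92"),
    PassiveObservation("shop.example.test", "198.51.100.80", "scan-dataset", _days_ago(5), "nginx", "1.18.0"),
    PassiveObservation("shop.example.test", "198.51.100.80", "cert-transparency", _days_ago(9), "nginx", "1.18.0"),
    PassiveObservation("old-cdn.example.test", "203.0.113.5", "dns-history", _days_ago(60), "apache", "2.4.49"),
    PassiveObservation("legacy.example.test", "203.0.113.9", "scan-dataset", _days_ago(200), "openssh", "7.4"),
    PassiveObservation("api.example.test", "198.51.100.90", "scan-dataset", _days_ago(3), "nginx", "1.24.0"),
]

# Constructed probe results; legacy.example.test no longer resolves, so it has none.
PROBES = {
    "mail.example.test": ActiveProbe("mail.example.test", "198.51.100.25", "exim", "4.96", ("mail.example.test",)),
    "shop.example.test": ActiveProbe("shop.example.test", "198.51.100.80", "nginx", "1.18.0",
                                     ("shop.example.test", "www.example.test")),
    "old-cdn.example.test": ActiveProbe("old-cdn.example.test", "203.0.113.99", "nginx", "1.25.3",
                                        ("*.cdn-provider.test",)),
    "api.example.test": ActiveProbe("api.example.test", "198.51.100.90", "nginx", "1.25.3", ("api.example.test",)),
}


def triage(observations, probes, now=NOW):
    """Decide, per host, whether the passive claim is confirmed, stale, contested,
    pointing at someone else's infrastructure, or about a host that is gone."""
    by_host = {}
    for o in observations:
        by_host.setdefault(o.host, []).append(o)

    results = {}
    for host, obs in by_host.items():
        obs.sort(key=lambda o: o.observed_at, reverse=True)
        latest = obs[0]
        confidence = len({o.source for o in obs})
        probe = probes.get(host)

        if probe is None:
            results[host] = Triage("unreachable", confidence,
                                   "name no longer resolves or host does not answer; likely decommissioned")
        elif probe.ip != latest.ip or host not in probe.cert_names:
            # The name moved or the address was recycled: the passive claim
            # described infrastructure we can no longer show is ours.
            results[host] = Triage("reattributed", confidence,
                                   f"passive data pointed at {latest.ip}; now {probe.ip} "
                                   f"serving a certificate for {', '.join(probe.cert_names)}")
        elif (probe.product, probe.version) == (latest.product, latest.version):
            results[host] = Triage("confirmed", confidence,
                                   f"{latest.product} {latest.version} confirmed by probe")
        elif now - latest.observed_at > STALE_AFTER:
            results[host] = Triage("stale_false_positive", confidence,
                                   f"source saw {latest.product} {latest.version} "
                                   f"{(now - latest.observed_at).days} days ago; host now runs "
                                   f"{probe.product} {probe.version}")
        else:
            results[host] = Triage("conflict", confidence,
                                   f"recent passive claim {latest.version} disagrees with probe "
                                   f"{probe.version}; needs a human look")
    return results


if __name__ == "__main__":
    for host, t in sorted(triage(OBSERVATIONS, PROBES).items()):
        print(f"{host:24} {t.status:22} sources={t.confidence}  {t.note}")
```

The failure modes the text raises each get a distinct outcome: a host patched since the observation surfaces as a stale false positive rather than an open finding, a hostname whose address or certificate no longer ties it to the organization is marked reattributed instead of being blamed on the wrong owner, and a recent disagreement is left for a human. The confidence count is deliberately kept separate from the status: two sources agreeing on a stale fact are still wrong.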

 

ASM earns its place by handling exactly the situations where legacy tooling fails: discovering an acquired company's estate, and turning noisy passive data into confirmed, contextualized findings. Teams that get those two things right have a far better picture of their attack surface than a scanner's output alone can give, and a much easier time keeping up as that surface changes.

 


Bridging the Gap: The Evolution of Attack Surface Management

Bikash Barai did not start out as a hacker. He loved computer science, magic and architecture, but a school friend who was a gifted hacker pulled him in, and every Patch Tuesday a small group of enthusiasts at his school would reverse Microsoft's patches to work out what had been fixed and find the underlying vulnerability. In this excerpt he and Chris Ray trace a line from that hacker culture, through attacker-enabling tools like Shodan, Censys and now ChatGPT, to the blue team's need for Attack Surface Management (ASM), and Chris adds the other driver he has seen first hand: small, overstretched teams, whether startups or small teams inside large organisations.

 

 

Here is the verbatim discussion:

I used to love architecture, sorry, computer science and magic and architecture. I wasn't really a hacker, but there was this friend of mine in my school, great hacker, so I kind of got introduced to hacking through him. So I remember, this is more than two decades back, in our school network, which was the LAN, it was one of the few schools during those days which was getting networked, internet early days. So I remember every Tuesday, I forgot Tuesday or Thursday, like Patch Tuesday, Chris? Or, yep, Microsoft, yeah. So every Tuesday, the moment the patches used to get released, we had this hacking enthusiast group, we used to go and reverse those patches, figure out what did they fix, and then try to do the reverse engineering and find out the vulnerability. That's, you know...

[...] Shodan. Censys is another, similar, but I think they're starting to put up a paywall for some of their stuff. And to a lesser extent, quickly becoming a greater extent, ChatGPT. This is going to be leveraged much the same way Shodan was, you know, it's gonna go, and while Shodan finds the devices, I imagine ChatGPT is going to then provide context around, well, when was this patch released, and what specific versions, and maybe what was fixed. If it's been on the internet and ChatGPT algorithms have been fed the data, then it will provide those answers to anyone who asked the question. So, you know, all these attacker-focused enablers of technology have been around and existing for a while, and I do see that, you know, now that you've made the connection for me, as a catalyst for the development of ASM, because the blue team needs something to then catch them up to where they were at, or where the attackers are at. So yeah, I do see that as a major driver. The other things that I know for a fact that are driving ASM, because I've experienced them, are small teams, like I said, or startups, or small teams in large organisations.

 

Highlights:

From Patch Reversals to Cutting-Edge Technology: Bikash's school-days routine of reversing each Patch Tuesday release to rediscover the fixed vulnerability is the same instinct that powers today's attacker toolchain. Shodan finds the exposed devices; Censys does something similar, though Chris notes it is starting to put some of its data behind a paywall; and ChatGPT, Chris expects, will increasingly supply the context around a finding (when a patch shipped, which versions it covered, what it fixed) to anyone who asks.

The Catalyst of Hacker Culture: Hacker communities have long incubated tools that challenge defenders before they help them. Chris's point is that attacker-focused enablers such as Shodan have been around for years, and ASM is the blue team's answer: something that lets defenders see their own footprint the way attackers already do, and catch up to where the attackers are.

Empowering Small Teams and Startups: The other driver Chris knows from direct experience is the small team: a startup, an SMB, or a small security team inside a large organisation. With limited people and expertise, these teams need tooling that does the discovery and triage work for them, and they are increasingly turning to ASM for it.

 

Bikash's and Chris's stories show the interplay between hacker culture, attacker tooling and the practical needs of under-resourced teams, and why ASM grew out of it. As ASM continues to evolve, driven by the relentless pursuit of hacker communities and the pragmatic imper.

 

 


A Journey Through Cybersecurity and Beyond: Insights from Industry Veterans

This excerpt pairs two voices from the cybersecurity industry. Bikash Barai has spent the last couple of decades in the field: he founded a company in application security that was acquired and whose product is now part of Synopsys, then a second product company in automated red teaming, of which attack surface management is a part. Outside security he has performed semi-professional, mentalist-style magic and keeps up interests in philosophy, physics and cooking. Chris Ray's own introduction is only partly captured below; the excerpt picks up mid-anecdote, at a conference check-in desk, as he watches an exhibitor's colleague fiddle with a black Sharpie.

  

 
 
Here is the verbatim discussion:
 
Thank you, Nazia. So let me start with a very quick, short introduction. So I had been in the field of cyber security for the last couple of decades. Founded a company in the space of application security which got acquired, and now the product is part of Synopsys. Then founded another product company in the space of automated red teaming, where attack surface management is also part of it. That's a little bit of my background. Outside of security, I love magic, which I don't do much these days, but there was a time when I used to do some of these semi-professional shows, more like the mentalist kind of magic shows, David Blaine and not like David Copperfield. Then philosophy, physics, cooking, quite a few outside interests outside of cyber security. So over to you, Chris. Chris, it'll be great to know a little bit about you, please share a little bit.

[...] to this destination. This was a big deal to them, they had spent a lot of money, they'd invested a lot of time, they brought their products with them, and here they are now, finally at their destination, checking in, getting their badges so they can get into the hall. And the one who's doing the majority of the work is in front filling out the paperwork, and then he has a buddy behind him who is fiddling with a Sharpie, a black Sharpie marker, and I can't figure out what's going on, but it's boring, so I'm just watching this guy fiddle with this marker. Well, then he uncaps it and he slowly holds it up.
 
 

Highlights:

A Legacy of Innovation: Bikash's career runs from founding an application security company, since acquired and now part of Synopsys, to founding a second company in automated red teaming that includes attack surface management. Two product companies in two decades is the entrepreneurial thread that ties his perspective on ASM together.

Beyond the Binary: Exploring Diverse Interests: Bikash's interests outside security are as varied as his work inside it: semi-professional magic shows of the mentalist kind (closer to David Blaine than David Copperfield, as he puts it), along with philosophy, physics and cooking. Chris's turn, as far as the excerpt captures it, opens with storytelling rather than a résumé.

A Moment of Intrigue: Chris's introduction arrives as an anecdote. Against the mundane backdrop of a conference check-in desk, an exhibitor fills out paperwork while his colleague fiddles with a black Sharpie marker, uncaps it, and slowly holds it up. The excerpt ends there, but the way the story is told, ordinary detail building toward something, says as much about the speaker as a list of job titles would.

 

Bikash's and Chris's stories are a reminder that the people in this field arrive with wide interests and odd detours, from mentalist magic to conference-hall anecdotes, and that those interests shape how they think about security. Their journeys offer a glimpse of the variety of experience that makes up the cybersecurity community.

 
 

Evolving Perspectives: The Future of Attack Surface Management

Attack Surface Management (ASM) is still being defined. This excerpt takes two audience questions: whether using deception technology signals a mature ASM program (Chris's answer is no, because ASM is about discovering what is already out there), and whether ASM will eventually move inward to cover the internal attack surface (his answer is yes, by analogy with EDR's evolution into XDR, though not quickly and perhaps not in a form that looks like today's ASM). It opens on the tail of a discussion of unknown unknowns and why chasing them is operationally hard.

 

 

Here is the verbatim discussion:

...that you may miss out something, right, which defeats the purpose of the unknown unknown. So yes, I absolutely agree that's going to happen, but operationally it's going to be more difficult.

There's a second question, which is: do you think the use of deception technology is a sign of maturity of an ASM program? So I don't, because ASM is discovering what's already out there, you know, for the most part. And I love deception technology, don't get me wrong, that's one of the topics that I've written at length about for a few years. I think it provides tremendous value, it's easy to deploy, and it's simple and intuitive, but I don't see it...

Sure, you want to pick one? Yes. So is the field of ASM eventually moving into internal attack surface management? So I'll try and do this quickly. The answer is, I see yes, maybe not as quickly as we would like, and it may not look like attack surface management that we know today. But much in the same way that EDR was revolutionary for endpoint detection, or endpoint security, and they said, vendors said, hey, EDR works great for our endpoints, I wish we could do that on our cloud, on our identity, on our network. So EDR has evolved into XDR, the extended detection and response. I see a similar story for ASM, or EASM if the vendor is only doing external attack surface management: hey, this is great, this is wonderful, it's done all sorts of
 

Empowering Security Architects: Revolutionizing Asset Management and Incident Response

Security architects know their organization's systems better than almost anyone, and they know their security tooling has blind spots in the attack surface. Analysts, meanwhile, carry tier-zero and tier-one work that a tool with accurate, high-confidence asset context could take off their plate. This excerpt covers what both personas want from Attack Surface Management (ASM), and the two questions Bikash Barai says he asks whenever he joins a company's advisory board: do we know all our assets and the risk attached to them, and if there is a breach, can we recover safely?

 

 

Here is the verbatim discussion:

...either, and then taking it down. You know, the architects, they are the ones that are involved working with other teams inside the organization. They know the architecture of their systems better than almost anybody. They also know that, hey, we have security tooling that just doesn't have any visibility into this stuff. So they've been looking for a solution that can automatically keep tabs on the attack surface as it changes and as they deploy it through architectural changes. You know, the engineers, the analysts, that's another one. For them, they are looking for something that's going to take the tier zero, tier one, maybe some of that tier two work off from their plate. You know, something's going to go out and identify accurately, with high confidence, hey, this asset is on this IP address and it's this, this and this. You don't need to go and perform the manual steps. Here's some context. Now that you have this context, do the things that you're good at as a human, and look at it and scrutinize it and say okay...

Sometimes it's a bad question to ask me, because I have vested interest, right? But if I keep my vested interest aside, so I had been kind of a CISO advisor for a few companies, part of the advisory board from the cyber security perspective. So I remember for all the companies where I had been part of it, the moment I kind of joined the advisory board, there were two big questions which I had in my mind. One was that, do we know what our security posture is? And for knowing that I have to know my assets, right? I mean, without knowing the assets and their risk, I mean, it's incomplete, right? So this becomes a fundamental question, like, do we know all our assets and the risk associated with it? That's one question. And the second is, if there is a breach, will we be able to recover safely?

 

Highlights:

Architects' Quest for Automated Visibility: Architects work across teams and know the architecture of their systems better than anyone else in the organization. They are also the first to notice that existing security tooling has no visibility into parts of the estate. What they want is a tool that keeps tabs on the attack surface automatically as it changes with each architectural change and deployment, instead of depending on someone remembering to update a record by hand.

Streamlining Incident Response: For engineers and analysts the need is different: take the tier-zero, tier-one, and some of the tier-two work off their plate. A tool that can say, with high confidence, that this asset is on this IP address and runs this, this and this removes the manual lookups, and leaves the analyst to do what humans are good at: scrutinize the finding in context and decide what it means.

Key Questions Driving Security Posture: Bikash, speaking from his advisory board roles with several companies, frames it as two fundamental questions he asks on day one. First, do we know what our security posture is? That depends on knowing every asset and the risk attached to it; without the asset inventory the answer is incomplete. Second, if there is a breach, will we be able to recover safely? The first question is where ASM lives; the second is the test of incident response and contingency planning.
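Answering the first question, "do we know all our assets and their risk?", starts with reconciling the CMDB against what is actually reachable from the internet and then attaching the security context a plain inventory lacks. As an added example that is not from the original post, either speaker or any product, the CMDB export and discovery results below are constructed, and the list of admin ports and the 30-day certificate threshold used as risk flags are assumptions.

```python
# Services that should rarely face the internet directly (assumption for this example).
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc",
               8080: "alt-http, often a dev or admin UI"}
CERT_WARN_DAYS = 30   # assumption: certificates expiring sooner than this get flagged

# Constructed CMDB export: what the organization believes it owns.
CMDB = [
    {"name": "WWW-PROD-01", "fqdn": "www.example.test.",   "ip": "198.51.100.80", "owner": "marketing"},
    {"name": "VPN-GW",      "fqdn": "VPN.Example.Test",    "ip": "198.51.100.10", "owner": "it-infra"},
    {"name": "OLD-PORTAL",  "fqdn": "portal.example.test", "ip": "198.51.100.55", "owner": "hr"},
]

# Constructed external discovery: what ASM actually found facing the internet.
DISCOVERED = [
    {"fqdn": "www.example.test",         "ip": "198.51.100.80", "ports": [80, 443],  "tls_days_left": 120},
    {"fqdn": "vpn.example.test",         "ip": "198.51.100.10", "ports": [443],      "tls_days_left": 12},
    {"fqdn": "staging-api.example.test", "ip": "203.0.113.21",  "ports": [22, 8080], "tls_days_left": None},
    {"fqdn": "jira-test.example.test",   "ip": "203.0.113.22",  "ports": [8080],     "tls_days_left": None},
]


def normalize_fqdn(name):
    """CMDB entries are typed by humans: strip whitespace and trailing dot, lower-case."""
    return name.strip().rstrip(".").lower()


def reconcile(cmdb, discovered):
    """Split discovered assets into known (in CMDB) and unknown (shadow IT), and list
    CMDB entries that were not found externally (decommissioned, or the record is wrong)."""
    by_fqdn = {normalize_fqdn(e["fqdn"]): e for e in cmdb}
    by_ip = {e["ip"]: e for e in cmdb}
    known, unknown, seen = [], [], set()
    for d in discovered:
        entry = by_fqdn.get(normalize_fqdn(d["fqdn"])) or by_ip.get(d["ip"])
        if entry is None:
            unknown.append(d)
        else:
            known.append((d, entry))
            seen.add(entry["name"])
    missing = [e for e in cmdb if e["name"] not in seen]
    return {"known": known, "unknown": unknown, "missing": missing}


def risk_flags(asset, entry):
    """The security context a plain inventory lacks: ownership, exposed admin services, expiring TLS."""
    flags = []
    if entry is None:
        flags.append("no CMDB record: unmanaged or shadow asset")
    for port in asset["ports"]:
        if port in ADMIN_PORTS:
            flags.append(f"port {port} ({ADMIN_PORTS[port]}) exposed to the internet")
    days = asset["tls_days_left"]
    if days is not None and days < CERT_WARN_DAYS:
        flags.append(f"TLS certificate expires in {days} days")
    return flags


def report(cmdb, discovered):
    """Rows sorted by number of flags (worst first), plus the CMDB entries nothing was found for."""
    rec = reconcile(cmdb, discovered)
    rows = [{"fqdn": normalize_fqdn(d["fqdn"]), "owner": e["owner"], "flags": risk_flags(d, e)}
            for d, e in rec["known"]]
    rows += [{"fqdn": normalize_fqdn(d["fqdn"]), "owner": None, "flags": risk_flags(d, None)}
             for d in rec["unknown"]]
    rows.sort(key=lambda r: (-len(r["flags"]), r["fqdn"]))
    return rows, rec["missing"]


if __name__ == "__main__":
    rows, missing = report(CMDB, DISCOVERED)
    for r in rows:
        print(f"{r['fqdn']:28} owner={r['owner'] or 'UNKNOWN':10} {'; '.join(r['flags']) or 'no flags'}")
    for e in missing:
        print(f"{e['name']}: in CMDB but not found externally; verify it was decommissioned")
```

Matching on both the normalized hostname and the IP address catches the common CMDB defects (trailing dots, mixed case, a record whose name is wrong but whose address is right). The "missing" list matters as much as the "unknown" one: an entry the CMDB insists exists but discovery cannot find is either decommissioned and should be closed, or live somewhere the inventory does not say.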

 

Architects and analysts want the same thing from different angles: an asset inventory that keeps itself current and carries enough security context to act on. Tools that deliver that let architects track the attack surface through change, let analysts spend their time on judgment rather than lookups, and give leadership a credible answer to "do we know our assets and their risk?" The second question, whether the organization can recover safely from a breach, still has to be answered by incident response and contingency planning, but it is far easier to answer once the first one is.

 
 
Speakers: 
 

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


 

Navigating the Complexities of Attack Surface Management: Challenges and Future Directions

 

Attack Surface Management (ASM) has become a standard tool for organizations that need to know what they expose to the internet, but getting value from it is harder than deploying it, especially for small teams. This post covers the challenges those teams face, why ASM adds something an asset inventory does not, and where the tooling needs to improve.

 

 

Here is the verbatim discussion:

These are kind of connected, so let me summarize. One of the things which we discussed so far is that the attackers are attacking everybody on the internet. I mean these attacks are becoming democratized, especially with the ransom guys; attacks have become a lot faster, right? Unlike earlier, today they can scan the entire internet in a day and find out vulnerable systems and try to exploit them, so we have got to be fast as well. And then organizations, as you mentioned, don't know all the assets they have.

That I know unfortunately too well. The smaller the SMB, the mid-market or the startups, or even the small team in a large enterprise: you are overworked, over-requested, often not appreciated. You are generally trying to build a skill set, but at the end of the week you're burned out from what you've just done the entire week, and so you don't really want to look at a computer or pick up a book or listen to a podcast about something new that you have to learn. So oftentimes in these overworked, smaller teams the skill set, and I don't mean this in a bad way, stagnates, because that's really what it is. They're working so much at work, they're learning the things they have to learn to put out the fires in that moment; they don't have the expertise or the skill set that is often missing. One of the primary skill sets that's often missing in a smaller team is the ability to triage a vulnerability that's been identified and appropriately decide: what priority do I need to put on this, what risks does it create, what new risks are there, and do we have anything that's already going on that will mitigate this, or what are our mitigating controls? That's something where I see ASM coming in, because it takes that asset list, that asset inventory, which you know sounds really boring. It's just the asset inventory, sure, ServiceNow has been doing that for 20 years, but it doesn't have the security context around it, and that's ASM. It then takes that and says, hey, by the way, there's this string of vulnerabilities on these assets that, if an attacker figures this out, it's going to be really bad; you should go and take a look at this. So that's what a good ASM does: it takes that asset list and applies wisdom or expertise to it that maybe your overworked staff doesn't have right now, or they can't spend the time, you know, four hours pcing.

Too many false positives, too many alerts. I wanted to know, Chris, your thoughts on how the industry is responding to that, because that's one of the things which ASM has as a challenge: it throws just too many alerts. Prioritization also, right? I mean, as you mentioned, prioritization, false positives. So what's your thought on this, and what's the future like?

Yeah, and you know, the example of legacy vulnerability management shows you what's broken: it's noisy, produces a lot of findings that are low confidence. ASM can't do what that is doing; it'll fail. So ASM, even though it discovers even more assets, more broadly, more comprehensively, does so through two methods of interaction with those remote assets: either passive, which is similar (not the same, but similar) to the legacy vulnerability management, or active assessments, meaning the asset's been identified, okay, now let's kick off some programmatic thing that's going to go out and interact with the asset and observe its behaviour.

 

 

Highlights:

Overworked Teams and Stagnant Skill Sets: Small teams, and small security teams inside large enterprises, spend their weeks putting out fires and have little time left to learn. The skill that most often goes missing is vulnerability triage: deciding what priority a finding deserves, what risk it creates, and which existing controls already mitigate it. ASM helps here by attaching security context to the asset inventory, so the triage judgement arrives with the finding rather than having to be made from scratch by an exhausted team.

The Challenge of Alert Overload: ASM discovers more assets and more findings than a legacy scanner, so it can also produce more noise. If it simply reports everything it sees, the team ends up with the same low-confidence pile that made legacy vulnerability management painful, and prioritization collapses under the volume. The answer is not less discovery but better filtering: deduplicating findings reported by several methods, weighting them by confidence and exposure, and ranking them against the controls already in place.

The Promise of Comprehensive Discovery: ASM interacts with discovered assets in two ways. Passive assessment infers state from what an asset advertises, much as a legacy scanner does. Active assessment sends a probe, for instance a benign version of a known attack, and judges from the observed behavior. The second method turns a guess into evidence and is what lets an ASM product raise confidence in a finding from "the banner says so" to "we saw it happen". Combined with asset context and mitigating controls, this is what allows ASM to recommend priorities rather than merely list vulnerabilities.
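As an added illustration (example code written for this page, not from the speakers or any product): deduplicating and ranking a batch of ASM findings using asset context and the organization's existing mitigating controls. Hosts, issue labels, the control mapping and the weighting constants are all constructed; no real CVE identifiers are used.

```python
# Added example, not code from the post or from any ASM vendor: how findings
# from an ASM scan can be deduplicated and ranked using asset context and the
# organisation's existing mitigating controls. Hosts, issues, scores and the
# control mapping are all constructed for the demo; no real CVE identifiers.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    issue: str           # constructed issue label
    cvss: float          # base severity as the scanner reported it
    exploit_known: bool  # public exploit / in-the-wild use
    confidence: float    # 0..1, how sure the detection method is
    source: str          # which ASM method produced it


# Asset context: the part a plain CMDB entry lacks (constructed).
CONTEXT = {
    "vpn.example-corp.net": {"internet_facing": True, "controls": set(),          "data": "internal"},
    "old.example.com":      {"internet_facing": True, "controls": set(),          "data": "unknown"},
    "api.example.com":      {"internet_facing": True, "controls": {"waf", "mfa"}, "data": "customer"},
    "ns1.example.com":      {"internet_facing": True, "controls": set(),          "data": "none"},
}
DEFAULT_CONTEXT = {"internet_facing": True, "controls": set(), "data": "unknown"}

# Which existing controls reduce which class of issue (constructed mapping).
MITIGATES = {
    "RDP exposed":            {"vpn", "mfa"},
    "Outdated web framework": {"waf"},
    "Default admin login":    {"mfa"},
}

# Constructed raw output: the same RDP issue seen by passive and active methods,
# and the same web-framework issue reported twice by two scans.
RAW_FINDINGS = [
    Finding("vpn.example-corp.net", 3389, "RDP exposed", 9.8, True, 0.60, "passive"),
    Finding("vpn.example-corp.net", 3389, "RDP exposed", 9.8, True, 0.95, "active"),
    Finding("api.example.com", 443, "Outdated web framework", 8.1, True, 0.70, "passive"),
    Finding("api.example.com", 443, "Outdated web framework", 8.1, True, 0.70, "passive"),
    Finding("old.example.com", 22, "Outdated SSH banner", 5.3, False, 0.40, "passive"),
    Finding("ns1.example.com", 53, "DNS zone transfer allowed", 5.0, False, 0.95, "active"),
]


def dedupe(findings):
    """Collapse repeated (host, port, issue) reports into one, keeping the
    most confident detection so an active confirmation beats a banner guess."""
    best = {}
    for f in findings:
        key = (f.host, f.port, f.issue)
        if key not in best or f.confidence > best[key].confidence:
            best[key] = f
    return list(best.values())


def score(f, ctx):
    """Risk score for one finding given its asset context.
    Returns (score, list of controls that already mitigate it)."""
    s = f.cvss * f.confidence            # unverified findings sink, verified ones rise
    if f.exploit_known:
        s *= 1.5
    if not ctx["internet_facing"]:
        s *= 0.5
    mitigations = sorted(MITIGATES.get(f.issue, set()) & ctx["controls"])
    s *= 0.5 ** len(mitigations)         # each relevant control halves the score
    if ctx["data"] == "customer":
        s *= 1.25
    return s, mitigations


def prioritize(findings=RAW_FINDINGS, context=CONTEXT):
    """Deduplicate, score and rank; highest risk first."""
    ranked = []
    for f in dedupe(findings):
        s, mit = score(f, context.get(f.host, DEFAULT_CONTEXT))
        ranked.append({"score": s, "finding": f, "mitigated_by": mit})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize():
        f = r["finding"]
        print(f"{r['score']:6.2f} {f.host}:{f.port} {f.issue} ({f.source}, conf {f.confidence})"
              + (f" mitigated by {r['mitigated_by']}" if r["mitigated_by"] else ""))
```

Six raw findings collapse to four. The exposed RDP service ranks first because the active check confirmed it, and the outdated web framework on the customer-facing API drops below what its CVSS alone would suggest because a WAF already sits in front of it; the weights are illustrative and would be tuned to the organization's own risk appetite.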

 

ASM is a useful part of a defense strategy, but alert overload and skill stagnation do not disappear when it is deployed; they change shape. The products that will earn their place are the ones that reduce the finding list to what is verified, exposed and unmitigated, and that hand small teams the triage judgement they do not have time to build themselves.

 

 


Demystifying Attack Surface Management: A Paradigm Shift in Cybersecurity

 

Attack Surface Management (ASM) is a precise name for a specific shift in approach: rather than assessing only what it has been told about, ASM starts from a single input and discovers what the organization owns. This post explains what that shift means in practice and why it matters.

 

 

Here is the verbatim discussion:

But ASM is just too concise. It's too accurate, it's very, you know, descriptive: attack surface management, three letters that describe that. So when we're talking about attack surface management, it's really important to understand, if you've never considered it, you've never lifted the hood, looked under the covers to take a look at what it is, it's really important to understand it's a paradigm shift away from a lot of security practices and tooling, and I'll give examples to help illustrate this. With EDR, you have to know about the endpoint first to install the agent on it to get the protections provided by the EDR. With vulnerability management, specifically with code, you have to know your repos exist so that you can connect your vulnerability management or your code scanning solution to your repo. With ASM, it takes the shortcomings of the legacy vulnerability scanning platforms, the ones that are network based (I won't name names, but you know who those are); it scours the internet, it uses automations, it uses human expertise (a lot of solutions do, not all), and they look for little breadcrumbs of data and information based off from one initial starting point, and that's usually your domain name. So, you know, whatever your business name is, .com, .net, .edu, you give an attack surface management vendor that little piece of information, they then go and scour DNS records, certificate data, they do NS lookups, they scour public repositories of information looking for merger and acquisition activity, divestiture activity.
 
 
Highlights:
 

Precision and Accuracy: The name describes the technique exactly. Legacy network-based vulnerability scanners need a predefined IP range or block to scan; ASM needs one input, typically a domain name, and works outward from it. Using automation and, in some products, human analysts, it follows breadcrumbs through DNS, certificate data and public records to find assets the organization never listed. Discovery is broad, but not guaranteed complete, so the inventory it produces is a starting point for verification, not a finished census.

A Comprehensive Approach: Because ASM is not confined to a known address range, it can find assets that fall outside traditional boundaries: hosts on a forgotten domain, infrastructure under a subsidiary's name picked up in a merger, a certificate that ties an unknown hostname to a known one. DNS records, certificate data and public repositories are the usual sources; the value lies in correlating them back to the seed so that only assets the organization actually owns end up in scope, and third-party dependencies such as a CDN edge are recorded as dependencies rather than claimed.

Embracing Automation and Expertise: Automation gathers and correlates the data at a scale no team could manage by hand; human expertise decides what the findings mean and which ones matter. Not every ASM product includes the human component, and it is worth asking a vendor which parts of their output have been reviewed by an analyst and which are purely automated.
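An added example (not code from the post or any vendor) of the seed-to-inventory expansion just described: start from one domain, follow DNS and certificate breadcrumbs, keep what can be tied back to the seed, then reconcile against what the CMDB says the organization owns. The domain names, records and certificate entries are constructed stand-ins for what a passive collector would return, so the block runs offline.

```python
# Added example (not code from the post or from any vendor): how an ASM-style
# discovery expands a single seed domain into an inventory by following
# breadcrumbs in DNS and certificate data, then checks it against what the
# organisation thinks it owns. All data below is constructed for the demo.

SEED = "example.com"  # assumed seed; the one input the transcript says you hand over

# Constructed passive-DNS view. A real collector would query resolvers,
# passive-DNS feeds and WHOIS; here the records are inline so this runs offline.
DNS = {
    "example.com":               {"A": ["203.0.113.10"], "NS": ["ns1.example.com"],
                                  "MX": ["mail.example-corp.net"]},
    "www.example.com":           {"CNAME": ["edge.cdn-provider.example"]},
    "ns1.example.com":           {"A": ["203.0.113.53"]},
    "old.example.com":           {"A": ["203.0.113.99"]},   # forgotten host
    "mail.example-corp.net":     {"A": ["198.51.100.25"]},  # org-owned, other registered domain
    "vpn.example-corp.net":      {"A": ["198.51.100.44"]},
    "edge.cdn-provider.example": {"A": ["192.0.2.1"]},      # third party, do not claim
}

# Constructed certificate-transparency entries: (subject CN, SAN list).
CT_LOG = [
    ("www.example.com", ["www.example.com", "api.example.com", "staging.example.com"]),
    ("vpn.example-corp.net", ["vpn.example-corp.net", "example.com"]),
    ("unrelated.example.org", ["unrelated.example.org"]),
]


def in_scope(name, seed):
    """True for the seed itself and anything beneath it."""
    return name == seed or name.endswith("." + seed)


def discover(seed, dns=DNS, ct_log=CT_LOG):
    """Return {hostname: {"ips": set, "via": how it was reached}}.

    Three breadcrumbs are followed:
      1. any passive-DNS name beneath the seed,
      2. NS/MX targets an in-scope name points at (org-run infrastructure even
         when it lives under a different registered domain),
      3. other SANs on a certificate that also names a known asset.
    CNAME targets are deliberately not followed: a CDN edge is a dependency,
    not an asset the organisation owns.
    """
    assets = {}
    todo = [(seed, "seed")]
    while todo:
        name, via = todo.pop()
        if name in assets:
            continue
        recs = dns.get(name, {})
        assets[name] = {"ips": set(recs.get("A", [])), "via": via}
        for other in dns:                                   # breadcrumb 1
            if in_scope(other, seed) and other not in assets:
                todo.append((other, "passive DNS under seed"))
        for rtype in ("NS", "MX"):                          # breadcrumb 2
            for target in recs.get(rtype, []):
                todo.append((target, f"{rtype} target of {name}"))
        for cn, sans in ct_log:                             # breadcrumb 3
            if name == cn or name in sans:
                for san in [cn] + sans:
                    if san not in assets:
                        todo.append((san, f"shares certificate with {name}"))
    return assets


def unknown_to_inventory(discovered, declared):
    """Names ASM found that the CMDB does not list: the 'I thought that was
    decommissioned' cases. `declared` is a constructed CMDB export."""
    return sorted(set(discovered) - set(declared))


if __name__ == "__main__":
    found = discover(SEED)
    cmdb = {"example.com", "www.example.com", "ns1.example.com", "api.example.com"}
    for host, info in sorted(found.items()):
        print(f"{host:28} {','.join(sorted(info['ips'])) or '-':16} via: {info['via']}")
    print("not in CMDB:", unknown_to_inventory(found, cmdb))
```

From the single seed the walk reaches eight hosts, including two under a different registered domain (found through the MX record and a shared certificate) and a staging host the CMDB never listed, while leaving the CDN edge and an unrelated certificate out of scope. The scope rules are the part to think hardest about in a real deployment: too loose and you claim third-party infrastructure, too tight and you miss the subsidiary's domain.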

 

Attack Surface Management changes the starting point of security assessment: from "scan what we know" to "discover what we own". Organizations that adopt it gain visibility into assets that never made it into a scanner's IP range. The caveat is that discovery breadth is not the same as completeness or accuracy, so the inventory ASM produces should be verified and reconciled against internal records before it drives prioritization.

 

 

Unveiling the Catalysts of Cybersecurity: Exploring Attack Surface Management

 

Attack Surface Management (ASM) did not appear from nowhere. The professionals who built and adopted it came from sysadmin, network and small-team backgrounds, and the tooling grew out of reconnaissance capabilities that attackers had long enjoyed. This post looks at those catalysts and at how reconnaissance data has become available to everyone.

 

 

 

Here is the verbatim discussion:

So I think very broad exposure to a lot of different business processes but also many different technologies there. And then, you know, I worked through the sysadmin, network engineering, and then transitioned into security just as a natural extension of the work I was doing. But the whole way along this journey, you know, I've always worked in either highly regulated industries, think banking, fin, healthcare, or I've worked in smaller teams, startups, where even if you are a dedicated security person you're still helping out on the network side or on the system side or in the cloud side or in the identity side. You have to pitch in where you can because it's a small org, or if you're working in a highly regulated space, say...

Shodan is the search engine for IoT, that's what it was called, I don't know if it's still called that. But essentially, you know, if you're not familiar with Shodan, it's like Google but for internet connected stuff: cloud resources, webcams, security cameras, whatever ends up on the internet ends up in Shodan, and it fingerprints it. It looks to identify what type of service, maybe manufacturer, what operating systems, etc., and you can go there and you can look for specific versions of OS, hardware, applications that you know are vulnerable, and you can search for it just as easily as you would search for an answer from Google. So I never really considered that as being the catalyst for ASM, but definitely that's a tool set that attackers have had for 10 years.

We as Chris, yeah, they've absolutely been using it. And I guess you are aware of this; this is very interesting, I didn't notice it for quite some time. A lot of these bug bounty platforms, they actually get this recon information from whatever be the source, maybe Shodan, maybe elsewhere, and they pass on this intelligence, like here is this open database, exposed database or something like that, to the bounty hunters. So the bug bounty platforms are in a way helping the bounty hunters by giving them this intel. I know, like, one of the companies which you could have called an ASM company, but what they're doing is they're giving this feed away to the bounty hunters so that they can do better bounties or whatever. So this information is getting in the hands of, like, the black hats to white hats to grey hats, to everybody.

Like you said, it's been democratized, because previously, to do what Shodan does now so easily would require that you've developed the skill set to do that, maybe build scripts and then parse through the data, and it was not easy and it was not trivial. Now it is easy and trivial. So that's, you know, Shodan. Censys is another, C-e-n-s-y-s, similar, but I think they're starting to put up a paywall for some of their stuff. And to a lesser extent, quickly becoming a greater extent, ChatGPT. This is going to be leveraged much the same way Shodan was. You know, while Shodan finds the devices, I imagine ChatGPT is going to then provide context around, well, when was this patch released and what specific versions and maybe what was fixed?

 

Highlights:

Diverse Professional Journeys: Many ASM practitioners came to security from sysadmin or network engineering roles, often in regulated industries or in small teams where a security person also covers networks, systems, cloud and identity. That breadth matters for ASM, because judging whether a discovered asset is real, owned and risky requires knowing how those systems are actually built and operated.

The Role of Tools like Shodan: Shodan, described as the search engine for the Internet of Things, indexes whatever is reachable on the internet, from cloud resources to webcams and security cameras, and fingerprints the service, vendor and operating system behind each one. Searching it for a known-vulnerable product version is as easy as a web search, and attackers have used it that way for a decade. ASM applies the same kind of discovery on the defender's behalf, which is why the two are so closely related.

Democratization of Threat Intelligence: Reconnaissance that once required custom scripts and skill is now available to anyone. Bug bounty platforms pass reconnaissance data, from sources such as Shodan, directly to bounty hunters; Censys offers similar search, partly behind a paywall; and large language models such as ChatGPT are expected to add context to what the search engines find, such as when a patch shipped and which versions it covers. With the intelligence this widely shared, an organization that does not look at its own attack surface is the only party that cannot see it.

 

ASM's rise follows from two facts: attackers have had internet-scale reconnaissance for years, and the people defending small and regulated environments rarely had time to replicate it by hand. ASM closes that gap by making the defender's view of exposed assets at least as good as the attacker's. The professionals who built it drew on broad operational experience, and that experience remains necessary to turn its output into decisions.

 

 



Navigating the Budgetary Landscape: Securing Resources for Attack Surface Management

 

Securing resources is a practical prerequisite for any security program, and budget for Attack Surface Management (ASM) is no exception. This post looks at how security organizations fund ASM initiatives, whether from existing or newly created budgets, and how they justify the spend, drawing on the discussion between the speakers.

 

 

 

Here is the verbatim discussion:

They're learning the things they have to learn to put out the fires in that moment; they don't have the expertise or the skill set that is often missing. One of the primary skill sets that's often missing in a smaller team is the ability to triage a vulnerability that's been identified and appropriately decide what priority do I need to put on this, what risks does it create, what new risks are there, and do we have anything that's already going on that will mitigate this, or what are our mitigating controls? That's something where I see ASM coming in, because it takes that asset list, that asset inventory, which you know sounds really boring. It's just the asset inventory, sure, ServiceNow has been doing that for 20 years.

Great. And Chris, this is the kind of question which almost every CISO is always talking about: where do I get the budget from, right? So what are you typically observing, since you are an analyst in this space: where are the security organizations getting the budget from? Is it like they're taking some existing budget, are they creating a new budget, and also, how are they justifying the budget?

Yeah, that's a really good question, because you can get really excited about a technology, you can find all sorts of ways that it will be used in your organization, you can say...

Hello everyone, I welcome you all on behalf of CISO Platform to this webinar. CISO Platform is the world's first online community solely dedicated to senior information security executives: CISO, CIO, CSO, CTO, directors, etc., with 40,000 plus professionals globally and 5,000 plus members. Today's session is on a practical approach to understanding attack surface management in 2023. Our speakers are Chris Ray and Bikash Barai. Chris is a security architect and veteran of the cybersecurity domain; he has written many reports on attack surface management and many more domains. Bikash is the co-founder of CISO Platform and FireCompass. He is also an IIT Kharagpur alumnus.

 

Highlights:

Addressing Skill Gaps: Small security teams frequently lack the time and expertise to triage vulnerabilities: to decide what priority a finding deserves, what risk it creates and which existing controls already mitigate it. ASM helps by attaching security context to the asset inventory, something a CMDB alone does not provide, so that findings arrive with enough information to be prioritized. That makes the team's limited hours go further, which is also the core of the budget argument.

Budget Allocation Strategies: The question every CISO asks is where the money comes from. The two common routes are reallocating part of an existing line item, typically vulnerability management, or creating a dedicated line for ASM and adjacent tooling. Either way, the justification has to be concrete: assets found that no other tool knew about, exposures closed, and reduced time spent on low-confidence findings, rather than enthusiasm for the technology.

Industry Insights and Best Practices: Peers are a useful source of both budget arguments and pitfalls. Communities such as CISO Platform exist for security leaders to compare how they funded and justified initiatives like ASM; comparing notes before the budget conversation is cheaper than learning the same lessons afterwards.

 

Securing resources for Attack Surface Management comes down to a clear argument tied to organizational objectives: what the tool finds that nothing else does, what risk that removes, and what it saves in staff time. Teams that frame it that way, and draw on peer experience through communities such as CISO Platform, are better placed to win and keep the budget.

 


 
Navigating the Imperfect Landscape: Understanding the Realities of Attack Surface Management

 

Attack Surface Management (ASM) is good at discovery, good enough that it is easy to overstate. This post looks at the limits that remain: the part of the attack surface it does not find, the internal surface it mostly does not cover, and the unexpected benefit of discovering assets that should not have been running at all.

 

 

Here is the verbatim discussion:

So that 5% is still a risk. As an organization you have to account for that, you know, you have to consider that ASM is still just a tool built by humans and it's going to have its own shortcomings, you know, based on human fallacies. So don't assume that it's complete; assume that you still have more work to do. On the other side, even though ASM, I will say I get excited about ASM because of how good it is at discovering things, so that's, you know, the asterisk there: it's almost perfect, but it's not quite. The other thing I emphasized, I touched on this a little bit earlier, is the internal attack surface. ASM is really good at the external attack surface right now, and there appears to be a direction where some vendors or some ASM solutions are building similar capabilities, not the exact same, because they're achieved differently, but similar.

Once they got to know all those assets, they saw, like, half of it we don't need, they shouldn't be online. Yeah, they actually went and kind of reduced the attack surface, which is great from the security perspective but also reduced the spend on cloud costs.

That's a great point. How many organizations have you worked with, or, you know, I've worked in many organizations that once they start to wrap their arms around the attack surface they start to say, wait a second, I thought that was decommissioned a year and a half ago, what is it still doing? Don't turn that off, that's a risk. It's $800 a month, why is that running?

 

Highlights:

The Human Factor: ASM is a tool built by people and inherits their blind spots. In the speakers' estimate it finds the large majority of the external attack surface, but the remainder is still a risk the organization has to account for. Treat the inventory as incomplete by default: keep other discovery sources, keep reconciling against internal records, and assume there is still work to do.

The External vs. Internal Attack Surface: Today's ASM products are built for the external attack surface, what an unauthenticated attacker on the internet can reach. Some vendors are building comparable capabilities for the internal surface, achieved differently because the vantage point is different, but coverage there is still uneven. Internal exposure needs its own controls and its own assessment until that gap closes.

Optimizing Resource Utilization: An honest inventory often shows that a large share of what is online is not needed. Organizations that get their arms around the attack surface routinely find hosts they believed were decommissioned a year or more ago, still running, still exposed, and still billed. Turning those off reduces risk and cloud spend at the same time, which is a benefit worth quoting when the ASM budget is discussed.

 

ASM deserves its reputation for discovery, but not an assumption of completeness. Human error in the tooling, an internal attack surface it largely does not see, and the ongoing work of reconciling and retiring assets all remain. Organizations that pair ASM with other sources, verify what it finds, and act on the zombie assets it surfaces get both a smaller attack surface and a smaller bill.

 

Speakers:

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.

Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/


Managing vulnerabilities across diverse and constantly changing digital environments is one of the harder problems in security operations. Traditional vulnerability scanners are useful, but they only see the address space they are told about, so they cannot give a complete picture of an organization's attack surface. This post looks at where legacy vulnerability management falls short and how Attack Surface Management (ASM) changes the approach.

 

 

Here is the verbatim discussion:

There's a handful of them. The legacy vulnerability scanning solutions require that you know your IP space, roughly; even if it's an IP block, you could say, here's my /21 on the Internet, or whatever it is, my /28, just keep scanning it and tell me what's there. But what if you have assets that fall outside of the known? Well, the legacy vulnerability scanners are going to completely fail; they have zero insight into what's there, and that's a major problem for a lot of organizations. Attack surface, what's the future like? Yeah, and you know, the example of legacy vulnerability management shows you what's broken: it's noisy, produces a lot of findings that are low confidence. ASM can't do what that is doing; it'll fail. So ASM, even though it discovers even more assets, more broadly, more comprehensively, through two methods of interaction with those remote assets: either passive, which is similar, not the same but similar, to the legacy vulnerability management, or active assessments, meaning an asset's been identified, okay, now let's kick off some programmatic thing that's going to go out and interact with the asset and observe its behaviors. Does it respond with SSL, an SSH login, does it give me back a banner? If I know that this asset and the app version that's running on it is vulnerable to a remote code execution, maybe it's possible through active assessments to run a benign version of that attack, and you can then measure the results. That's a very specific example, but some ASM solutions are able to go out and do that. So now what you end up with is, instead of legacy vulnerability management with 20% confidence that this is the vulnerability on the other end of the wire, you have ASM, which is like 100% confident this is the vulnerability on the other end of the wire.

 

Highlights:

Limitations of Legacy Vulnerability Management: Legacy vulnerability scanners work from a predefined list of IP ranges (the /21 or /28 you hand them) and keep scanning those. Anything outside that list, such as a system another department stood up on its own, is invisible to them, so their view of the attack surface is incomplete by construction. On top of that, their findings are noisy and low-confidence, which makes it hard for security teams to decide what to fix first.

The Promise of Attack Surface Management: ASM starts from discovery rather than from a known IP list, and then assesses what it finds in two ways. Passive assessment establishes that an asset exists and roughly what it is, much as a legacy scanner would. Active assessment interacts with the asset and observes its behavior: does it answer with a TLS handshake, present an SSH login, return a banner? Some products go further and run a benign version of a known exploit against the identified application version to confirm that a remote code execution flaw is really present. Active probes touch the target, so they belong only on assets the organization owns or is authorized to test.

Enhanced Confidence and Accuracy: Because an active assessment records what the asset actually did rather than what a version string suggests, its findings carry far higher confidence. In the speakers' terms, a legacy scanner might be 20% sure that a given vulnerability exists on the other end of the wire, while a verified ASM finding is close to certain. Fewer low-confidence findings means security teams can rank remediation by real exposure instead of chasing noise. When evaluating a product, ask whether it actually performs active verification or stops at passive discovery, and what its false positive rate looks like.
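The passive-then-active sequence the speakers describe, as an added example (this is not code from the podcast or from any ASM product): a constructed inventory of host:port pairs stands in for passive discovery; the active step connects to each, lets the service speak first or nudges it with a minimal HTTP request, classifies what came back, and records a finding whose confidence reflects how it was obtained. Two fake services on loopback and a deliberately closed port are constructed inline so it runs offline; the prefix-based classifier and the confidence values are assumptions for illustration. Active probes interact with the target, so run them only against assets you are authorized to test.

```python
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional, Tuple


def classify_banner(data: bytes) -> str:
    """Tell services apart from the first bytes seen on the wire.
    Assumption for the example: these prefixes are enough; real engines carry far larger rule sets."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(b"HTTP/"):
        return "http"
    if data.startswith(b"220 "):
        return "ftp-or-smtp"
    if data[:1] == b"\x03":      # TPKT header, the first byte of RDP (and other ISO-on-TCP) traffic
        return "rdp-like"
    return "unknown"


@dataclass
class Finding:
    host: str
    port: int
    method: str        # "passive": listed in the inventory only; "active": the service answered us
    service: str
    evidence: bytes    # what was actually observed, kept for the analyst
    confidence: float


def active_probe(host: str, port: int, timeout: float = 2.0) -> Optional[Finding]:
    """Connect and observe. Let the service speak first (SSH, FTP, SMTP); if it stays quiet,
    send a minimal HTTP request. None means the port was closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
            if not data:
                s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                try:
                    data = s.recv(256)
                except socket.timeout:
                    data = b""
    except OSError:
        return None
    service = classify_banner(data)
    # Observed behaviour, not an inference from a version database, so the confidence is high.
    # An open port that says nothing recognisable is still an exposure, just a less certain one.
    return Finding(host, port, "active", service, data, 0.95 if service != "unknown" else 0.6)


def assess(inventory: List[Tuple[str, int]], timeout: float = 2.0) -> List[Finding]:
    """Passive discovery yields a low-confidence 'something is here'; the active probe upgrades it."""
    findings = []
    for host, port in inventory:
        findings.append(Finding(host, port, "passive", "unverified", b"", 0.2))
        hit = active_probe(host, port, timeout)
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed fixtures so the example runs offline: fake services on loopback that answer once.
def _fake_service(banner: bytes, speaks_first: bool) -> int:
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if not speaks_first:
                conn.recv(1024)        # wait for the client's request, like an HTTP server would
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _closed_port() -> int:
    s = socket.socket(); s.bind(("127.0.0.1", 0)); port = s.getsockname()[1]; s.close()
    return port


def demo(timeout: float = 0.5):
    """Run the pipeline against one SSH-like, one HTTP-like and one closed port; group findings by label."""
    ports = {
        "ssh": _fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n", speaks_first=True),
        "http": _fake_service(b"HTTP/1.0 200 OK\r\nServer: nginx\r\n\r\n", speaks_first=False),
        "closed": _closed_port(),
    }
    findings = assess([("127.0.0.1", p) for p in ports.values()], timeout)
    return {label: [f for f in findings if f.port == port] for label, port in ports.items()}


if __name__ == "__main__":
    for label, fs in demo().items():
        for f in fs:
            print(f"{label:<7} {f.host}:{f.port:<5} {f.method:<7} {f.service:<12} "
                  f"conf={f.confidence:.2f} {f.evidence[:40]!r}")
```

The closed port produces only the passive entry, which is the right outcome: the inventory said something was there, the probe could not confirm it, and the finding keeps its low confidence rather than being silently dropped or silently promoted.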

 

Legacy vulnerability scanners still have a place, but on their own they no longer give the visibility or the accuracy needed to manage today's exposure. ASM adds discovery beyond the known IP ranges and, where it includes active assessment, findings a team can act on with confidence. Organizations that adopt it get a truer picture of their attack surface and can spend remediation effort where it matters.

 

Speakers: Chris Ray and Bikash Barai.

 

Attack Surface Management (ASM) has become a fixture of the security toolkit, but its current form is not its final one. This post looks at where ASM is heading: beyond passive discovery, towards becoming the foundation that other security solutions build on, and towards convergence with neighbouring product categories.

 

 
 
Here is the verbatim Discussion:
 
Mostly they're not doing that, because there's a lot of these ASM players who just stop at that passive, and that can be very dangerous. So I think when somebody's looking for a solution, looking at the false positive rate becomes very important, and as you mentioned, the prioritization is another, like, super critical area, because no security team wants more alerts. So, Chris, let's get to the final part of the conversation in terms of what do you think the future of ASM is like. It has become a shiny new thing, but what's the future like? I see it becoming a better version, or, let me think of the best way to put this, I see it enabling better security solutions. As is, you know, in one way it will become the bedrock for, or the foundation for, better security solutions, meaning convergence in the space, and that's a popular one right now, either through merger and acquisition, you know, bigger vendors buying smaller vendors, or through the leaders in the ASM space developing broader capabilities and saying, you know, we're not doing a great job.
 
 

Highlights:

Moving Beyond Passive Solutions: Many ASM products stop at passive discovery, which the speakers call dangerous: a passive inventory tells you that something is there, not whether it is actually exploitable. When evaluating a solution, look hard at its false positive rate and at how it prioritizes, because no security team wants more alerts.

Enabling Comprehensive Security Solutions: The future of ASM is as a foundation for broader security solutions rather than as a standalone tool. The convergence the speakers describe is already under way, either through mergers and acquisitions, with bigger vendors buying smaller ASM vendors, or through ASM leaders building out broader capabilities of their own.

Embracing Continuous Improvement: The ASM vendors that stay relevant will be the ones that keep improving discovery coverage, verification and prioritization as attackers' tooling and the assets they target keep changing.

 

Attack Surface Management is moving beyond passive discovery towards verified, prioritized findings, and from a standalone product towards the foundation of broader security platforms. For organizations, that means evaluating ASM on the quality of its findings and on how well it fits with the rest of the security stack, not on discovery breadth alone.

 

Speakers: Chris Ray and Bikash Barai.

 

Attack Surface Management (ASM) identifies the vulnerabilities on an organization's internet-facing assets, but its role is widening: it is becoming the bedrock that broader security solutions are built on. This post looks at how that convergence is happening and what it means for ASM as a product category.

 

 

Here is the verbatim discussion:

I see it becoming a better version, or, let me think of the best way to put this, I see it enabling better security solutions. As is, you know, in one way it will become the bedrock for, or the foundation for, better security solutions, meaning convergence in the space, and that's a popular one right now, either through merger and acquisition, you know, bigger vendors buying smaller vendors, or through the leaders in the ASM space developing broader capabilities and saying, you know, we're not doing a great job, and this is just an example, we're not doing a great job with the identity side of attack surface management, we're going to build additional identity capabilities into our platform. So I see the future of ASM not going away; I see maybe getting ASM integrated into either larger companies, so broader portfolios, or ASM being a part of a platform, a suite of risk mitigation tools. Yeah, Chris, I absolutely agree with you. In fact, after the acquisition of my previous company we were thinking, like, what's next, so we kind of looked into ASM as a standalone space, and one of the assumptions which I had was, like, ASM at the end of the day is going to become a feature. Yep. And it'll become a part of many, many solutions.

 

Highlights:

Convergence in Security Solutions: ASM is being folded into broader security portfolios. Larger vendors are acquiring ASM companies, and the ASM leaders are broadening their own platforms. The driver is the need for solutions that cover the whole exposure picture rather than one slice of it.

Expansion of Capabilities: ASM is not limited to finding vulnerable hosts; it is a base to build on. The speakers' example is the identity side of the attack surface: an ASM vendor that is weak there can add identity capabilities to its platform, and the same logic applies to other kinds of exposure.

The Future of ASM: ASM is not going away, but it may stop being a product you buy on its own. Whether through mergers and acquisitions or through vendors building broader suites, ASM is likely to end up as a feature of larger platforms and a component of risk mitigation suites, which keeps its discovery and verification capabilities relevant even as the standalone category shrinks.

 

ASM's path from standalone tool to component of broader security platforms says a lot about its value: discovery and verification of exposed assets are capabilities every risk mitigation suite needs. Organizations that treat ASM as a foundation, whether bought on its own or as part of a platform, get the visibility the rest of their defenses depend on.

 

Speakers: Chris Ray and Bikash Barai.

 

Every organization is connected, and every connected organization is a target. Attackers now have tooling that can scan the whole internet in a day and pick off vulnerable systems, while the organizations they target often do not know all the assets they own. This post summarizes a conversation on how the threat landscape has shifted and what that means for defenders.

 

 

Here is the verbatim discussion:

Unlike earlier, today they can, like, scan the entire internet in a day and find out vulnerable systems, try to exploit. So we've got to be fast as well, and then organizations, as you mentioned, don't know all the assets they have. A lot of things are happening behind the back because of the decentralized power, right? Like, people want to go agile, you have different departments making decisions on their own, fast, so that also creates a lot of things happening. I never thought of, you know, Shodan. You're right, it has been around a long time. Shodan is the search engine for IoT, that's what it was called, I don't know if it's still called that, but essentially, you know, if you're not familiar with Shodan, it's like Google but for Internet-connected stuff: cloud resources, webcams, security cameras, whatever ends up on the Internet ends up in Shodan, and it fingerprints it. It looks to identify what type of service, maybe manufacturer, what operating systems, etc., and you can go there and you can look for specific versions of OS, hardware, applications that you know are vulnerable. These are kind of connected, so let me summarize. Like, one of the things which we discussed so far is the attackers are attacking everybody on the internet. I mean, these attacks are becoming democratized, especially with the ransom guys; attacks have become a lot faster, right? I mean, unlike earlier, today they can, like, scan the entire internet in a day and find out vulnerable systems, try to exploit. So we've got to be fast as well, and then organizations, as you mentioned, don't know all the assets they have. A lot of things are happening behind the back because of the decentralized power. Right?

 

Highlights:

The Shifting Paradigm of Cyber Threats: Attackers no longer pick targets by size or industry; anyone on the internet is a potential target. Attack tooling has become democratized, particularly among ransomware groups, and it is fast: an attacker can scan the entire internet in about a day, find vulnerable systems and attempt exploitation. Defenders have to find and fix exposure at least as fast.

The Role of Decentralization: Decentralized decision-making helps teams move quickly, but it also means departments stand up systems on their own, and the security team does not see all of them. That lack of visibility is exactly what an internet-wide scan exploits: an asset nobody inventoried is still reachable.

The Power of Tools like Shodan: Shodan, once described as the search engine for the Internet of Things, is like Google for internet-connected devices: cloud resources, webcams, security cameras and anything else that ends up on the internet. It fingerprints each one, identifying the service, often the manufacturer and the operating system, and lets anyone search for specific versions of an OS, hardware or application known to be vulnerable. Attackers use the same index, so defenders should search it for their own assets first and assume that anything exposed has already been catalogued.
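What a search engine like Shodan does with a banner, shrunk to an example you can run (added here; this is not Shodan's code or API): each constructed scan record is fingerprinted into product, version and an OS hint, and the resulting index is then queried the way a defender, or an attacker, would, for instance "OpenSSH older than 7.4". The banners, the 203.0.113.0/24 addresses (a documentation range, so no real hosts) and the three fingerprint rules are all constructed for the example; the version-ordering rule is an assumption that covers dotted numeric versions with an optional pN patch suffix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed scan records (ip, port, raw banner). 203.0.113.0/24 is reserved for documentation.
SAMPLE_SCAN = [
    ("203.0.113.10", 22, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n"),
    ("203.0.113.11", 22, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"),
    ("203.0.113.12", 80, "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n"),
    ("203.0.113.13", 25, "220 mail.example.test ESMTP Postfix\r\n"),
    ("203.0.113.14", 8080, 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="camera"\r\n\r\n'),
]


@dataclass
class Fingerprint:
    ip: str
    port: int
    product: Optional[str]
    version: Optional[str]
    os_hint: Optional[str]
    raw: str


# Fingerprint rules: regex over the raw banner -> product name (None = take it from the match).
# Assumption: three rules are enough for the example; real engines carry thousands.
RULES = [
    (re.compile(r"^SSH-2\.0-OpenSSH_(?P<version>\d+(?:\.\d+)*(?:p\d+)?)(?:\s+(?P<os>\S+))?"), "OpenSSH"),
    (re.compile(r"^HTTP/\d\.\d \d{3}.*?\r\nServer: (?P<product>[A-Za-z-]+)/(?P<version>\d+(?:\.\d+)*)", re.S), None),
    (re.compile(r"^220 \S+ ESMTP (?P<product>Postfix|Exim|Sendmail)(?: (?P<version>\d+(?:\.\d+)*))?"), None),
]


def fingerprint(ip: str, port: int, raw: str) -> Fingerprint:
    """Turn one raw banner into product / version / OS hint. Unknown banners stay in the
    index unlabeled: an unidentified service is still an exposed service."""
    for rx, fixed_product in RULES:
        m = rx.search(raw)
        if m:
            g = m.groupdict()
            return Fingerprint(ip, port, fixed_product or g.get("product"), g.get("version"), g.get("os"), raw)
    return Fingerprint(ip, port, None, None, None, raw)


def build_index(scan) -> List[Fingerprint]:
    return [fingerprint(ip, port, raw) for ip, port, raw in scan]


def version_key(v: str):
    """'7.2p2' -> (7, 2, 2), '1.18.0' -> (1, 18, 0): tuples compare the way versions should."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def search(index, product=None, port=None, version_below=None) -> List[Fingerprint]:
    """Shodan-style query: filter by product and/or port, optionally 'version older than X'.
    Records with no parsed version never match a version filter, so they are not false positives."""
    hits = []
    for fp in index:
        if product is not None and fp.product != product:
            continue
        if port is not None and fp.port != port:
            continue
        if version_below is not None:
            if fp.version is None or version_key(fp.version) >= version_key(version_below):
                continue
        hits.append(fp)
    return hits


if __name__ == "__main__":
    idx = build_index(SAMPLE_SCAN)
    print("OpenSSH older than 7.4:", [fp.ip for fp in search(idx, product="OpenSSH", version_below="7.4")])
    print("unidentified services (still exposed):", [(fp.ip, fp.port) for fp in idx if fp.product is None])
```

The two outputs are the two lists a defender wants from such an index: the hosts whose version string alone puts them on an attacker's shortlist, and the hosts the rules could not identify, which should be checked by hand rather than ignored.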

 

As attacks get faster and broader, the basics matter more: know what you have exposed, find out before the attackers do, and fix it quickly. That takes good tooling, continuous monitoring, and a culture in which every team that stands up a system tells security about it.

 

Speakers: Chris Ray and Bikash Barai.

 

Welcome, fellow security enthusiasts! As we gather once again at the RSA Conference, amidst the buzz of innovative technologies and strategies, it's crucial to reflect on a fundamental aspect often overlooked in the realm of cybersecurity: human behavior. While awareness campaigns have long been a cornerstone of security initiatives, their effectiveness often plateaus, leaving organizations vulnerable to persistent threats. But fear not, for there is a powerful ally in our quest for better security practices: the science of habits.

 

 
Here is the verbatim discussion:
 
And that's something very interesting, so I'm going to talk more about it, like how do you make somebody change the behavior, or rather change a habit. So these are, like, the three parts: the structure of habits, how do you build a habit, and how do you change a habit, in the context of IT security. Why did you choose to talk about this subject at RSA Conference in particular? So I think RSAC is probably the most prominent place where all the security builders get together, I mean the people who drive the security of an organization, and I thought of this idea that awareness can only help you to a certain degree, and beyond that awareness doesn't give you ROI. And today is the right point, because we have invested a lot in awareness but people still are not changing, and this is the right time that we take this idea and make people adopt the science of habits and make the security good behavior seamless and unconscious, so that we just do it automatically.
 
 

Highlights:

Understanding the Structure of Habits: Habits have three parts: a cue (or trigger), a routine, and a reward. Mapping those three onto an IT security behavior, what prompts the user to act and what they get out of acting that way, shows where an intervention can be placed.

Building Habits: With the structure in hand, security teams can design interventions that turn desired behaviors into routines. Whether it is using a password manager instead of reusing passwords, checking a link before clicking it, or completing multi-factor authentication without thinking about it, the aim is for the secure behavior to move from conscious effort to automatic routine.

Changing Habits: Telling people the right thing to do is awareness, and awareness stops paying back after a point; people who know the rules still break them. Changing a habit means identifying the cue and the reward that hold the undesired routine in place and substituting a safer routine that delivers a comparable reward.

Why RSA Conference? RSAC is where the people who drive the security of organizations gather, which makes it the right place to argue that awareness has hit diminishing returns and that the science of habits is the next lever.

 

As we navigate the ever-evolving landscape of cybersecurity, it's imperative to recognize the pivotal role of human behavior in shaping the security posture of organizations. By embracing the science of habits and integrating it into our security strategies, we can transcend the limitations of traditional awareness campaigns and forge a path towards sustainable behavior change. So, let us seize this opportunity at the RSA Conference to harness the power of habits and pave the way for a safer digital future.

 
 

Speakers: Bikash Barai and Jennifer Lawinski.

Jennifer Lawinski, Editor-in-Chief of online engagement for RSA Conference. With experience writing for publications like CRN and CIOInsight, Jennifer has the experience to facilitate the important security conversations. Keep an eye on this space. I am excited to see what the next phase of RSAC 365 will look like.

https://twitter.com/lawinski

https://www.linkedin.com/in/jenlawinski


 

Welcome, esteemed attendees of the RSA Conference, to a discourse on a fundamental truth often obscured by the veneer of consciousness: our lack of control over our own actions. Despite our fervent belief in our autonomy, the reality is that much of our behavior is dictated by deeply ingrained habits that operate beneath the surface of our awareness. Join me as we delve into the intricate structure of human habits and explore how understanding this phenomenon can revolutionize our approach to IT security.

 

 

Here is the verbatim discussion:

The central theme is that we are not in control, even though we would love to think that we are in control, but we are not. And I would explain the basic structure of a human habit. If you look at the kind of things which we do in our day-to-day life, around 40% of the things which we do, we do unconsciously. I'll give an example, like tying up the shoelace, or driving the car, changing the gear; all these things we do without thinking. If you think, tying a shoelace is quite complex, right? But we do it without thinking. Or just imagine you are in an elevator and you are thinking of something, mentally engrossed in some thought, and the elevator door opens at the wrong floor. What happens? We just step out, right? Because that's an automated program in our mind, to step out when the door opens. So we have a lot of these programs in our mind which are kind of inbuilt and which get triggered automatically every time there's that right trigger. So one part of my talk is in terms of understanding the structure of human behavior or human habits. So basically there are three parts: one is the trigger, then there is a routine, and then there is a reward. So we all respond to things in a specific way when the trigger happens, and interestingly, there are these companies like Coca-Cola and Facebook and Google.

 

Highlights:

The Illusion of Control: Much of what we do each day runs on autopilot, driven by habit rather than deliberate choice. From tying shoelaces to changing gear while driving, the speaker's figure is that around 40% of our actions happen without conscious thought. That is an uncomfortable fact for anyone who assumes users will follow a policy because they have read it.

Decoding the Structure of Habits: A habit is a loop of three parts: the trigger, the routine, and the reward. When the trigger appears, the brain runs the stored routine and collects the reward, which reinforces the loop. Because the loop is predictable, it can be studied, and therefore changed.

Insights from Corporate Giants: The same loop is used deliberately by companies such as Coca-Cola, Facebook and Google, which design triggers, routines and rewards so that people return to their products out of habit. Security teams can borrow the same technique, with secure behavior as the routine.

 

If much of our behavior is habit, security awareness on its own cannot be the whole answer: it addresses the deliberating mind, not the autopilot. Understanding how habits form gives security teams a second lever. Rather than relying only on awareness campaigns, design the triggers, routines and rewards so that the secure behavior is the automatic one.

 

Speakers: Bikash Barai and Jennifer Lawinski.

 

Greetings, esteemed participants of the RSA Conference, as we convene amidst the bustling nexus of cybersecurity discourse, it's paramount to recognize a pivotal yet often overlooked aspect of our collective security posture: human behavior. In an era saturated with awareness campaigns and regulatory mandates, the perennial question persists: why do individuals continue to engage in risky behaviors despite knowing the potential consequences? Join me on a journey beyond the realm of awareness as we delve into the intricate dynamics of human habits and their profound implications for cybersecurity.

 

 
 
Here is the verbatim discussion:
 
And what's going on here this week so why do you think your session is relevant in today's cyber security climate so um my talk is around human behavior and the interesting thing about uh my talk is that it's going to focus on something Beyond awareness I mean today as an industry we are trying to make everybody aware um what are the bad things what are the good things but then after a certain point of time people don't listen to us and we feel that we created all these security policies and everything and people don't listen to us but if you just pause for a moment and think we all know that going to the gym is good we all know that having those fries is bad but we still do it right so there's something Beyond awareness which kind of controls us and that's what I'm going to talk about I'm going to talk about how human habits how habits are formed.
 
 

Highlights:

Moving Beyond Awareness: Despite the fervent efforts of cybersecurity professionals to disseminate knowledge and best practices, the efficacy of traditional awareness campaigns inevitably wanes over time. Merely informing individuals of the dos and don'ts of cybersecurity fails to address the underlying mechanisms driving their behaviors. It's time to transcend the limitations of awareness and explore alternative avenues for fostering secure practices.

The Power of Habits: At the heart of human behavior lies the powerful force of habit, which shapes our actions and decisions far more than we notice. Whether it's reaching for the bag of fries despite knowing the health risks, or going to the gym only when the routine is already in place, habits dictate much of our daily conduct. By understanding how habits form, we gain insight into the subconscious drivers of cybersecurity behaviors.

Understanding Habit Formation: Habits are not formed overnight but rather emerge through a cyclical process involving cues, routines, and rewards. Identifying the triggers that prompt undesirable behaviors, the routines they engender, and the rewards that reinforce them is essential for effecting meaningful change. By dissecting the anatomy of habits, we empower ourselves to intervene strategically and cultivate secure behaviors within our organizations.

Relevance in Today's Cybersecurity Climate: Against the backdrop of escalating cyber threats and evolving attack vectors, the imperative for robust cybersecurity practices has never been more pressing. However, the efficacy of conventional approaches reliant solely on awareness is diminishing. In this context, my session offers a timely intervention by spotlighting the transformative potential of habit-based strategies in bolstering organizational resilience against cyber threats.

 

As we navigate the dynamic landscape of cybersecurity, it's imperative to recognize that knowledge alone is insufficient in mitigating risk. By transcending the confines of awareness and embracing the science of habits, we can catalyze a paradigm shift in our approach to cybersecurity. Let us harness the power of habits to instill secure behaviors seamlessly and subconsciously, thereby fortifying our defenses against the ever-present specter of cyber threats. Together, let us embark on this journey beyond awareness and unlock a new frontier of cybersecurity resilience.


Shaping Group Behavior: Harnessing the Science of Habits for Organizational Culture

Greetings, fellow cybersecurity enthusiasts! As we gather once again, this time in Singapore, it's my privilege to embark on a journey of evolution and exploration from my previous talk at RSA Conference USA. Building upon the foundation laid in the realm of individual behavior transformation, my focus now shifts towards the collective dynamics of group behavior and organizational culture. Join me as we delve into the profound implications of habits in shaping the fabric of organizational identity and resilience.

 

 

Here is the verbatim discussion:

I spoke at uh RSA Conference USA uh this year and over there my focus was more in terms of how to use the science of habits to transform an individual's behavior and then over a period of time I am now trying to work on how to extend it to a group Behavior how to form culture and when you want to influence the group Behavior and the culture of an organization you need to deal with it in a different way so the evolution from my USA talk to the Singapore talk is on how to extend the same principles but use it differently in the context of a larger group rather than an individual okay so then what are three major points you plan on making in your talk the central theme is that we are not in control even though we would love to think that we are in control but we are not and I I would explain the um the basic structure of a human habit and if you look at the kind of things which we do in our day-to-day life around 40% of the things which we do we do it unconsciously I'll give an example like um tying up the shoelace uh or driving the car changing the gear all these things we do without thinking if you think tying a shoelace is quite complex right but we.

 

Highlights:

The Illusion of Control: At the core of my discourse lies the sobering realization that despite our aspirations for autonomy, much of our behavior is governed by subconscious habits. Whether it's the seemingly mundane act of tying shoelaces or navigating the complexities of driving, approximately 40% of our actions occur on autopilot, devoid of conscious thought. By unraveling the fundamental structure of human habits, we gain insights into the hidden forces shaping our individual and collective behaviors.

Extending the Principles: Building upon the insights gleaned from individual behavior transformation, my talk will elucidate the nuanced strategies required to influence group behavior and cultivate a resilient organizational culture. In navigating the intricacies of group dynamics, it's essential to recognize that the principles of habit formation remain the same, but their application must be tailored to the group. From fostering collaborative workflows to instilling a shared sense of accountability, leveraging habits as catalysts for cultural change requires finesse and adaptability.

Navigating Organizational Culture: Central to my discourse is the recognition that organizational culture serves as the bedrock upon which cybersecurity resilience is built. By harnessing the science of habits, organizations can orchestrate deliberate interventions to cultivate a culture that prioritizes security and resilience. From embedding cybersecurity practices into the fabric of daily workflows to fostering a culture of continuous learning and adaptation, the possibilities for leveraging habits in shaping organizational culture are boundless.

 

As we embark on this journey of exploration and transformation, let us dispel the illusion of control and embrace the profound influence of habits in shaping group behavior and organizational culture. By extending the principles elucidated in my previous talk to the realm of collective dynamics, we unlock new vistas of possibility for fortifying organizational resilience against cyber threats. Together, let us harness the science of habits as a beacon guiding us towards a future where cybersecurity is not just a practice but a way of life ingrained in the very fabric of organizational culture.

 



Breaking Down Silos: The Imperative of Integration in Cybersecurity Technologies

Greetings, fellow cybersecurity professionals! As we navigate the ever-evolving landscape of digital threats and vulnerabilities, it's imperative to acknowledge a pervasive challenge hindering our collective defense: the fragmented nature of cybersecurity technologies. From Data Loss Prevention (DLP) to Cloud Access Security Broker (CASB) solutions, Threat Intelligence platforms, and Security Information and Event Management (SIEM) systems, the proliferation of specialized products has led to a siloed ecosystem where interoperability remains elusive. Join me as we delve into the critical imperative of integration and collaboration in cybersecurity technologies, and the transformative impact it holds for organizational security posture.

 

 

Here is the verbatim discussion:

Right and the same thing is happening in the field of security you got uh DLP products you got CASB products you got threat Intel products SIEM products and all these products are like largely they're closely guarded they don't they don't talk to each other in a seamless manner so I think that's a big hurdle which we need to solve and if you can do that well all of a sudden our the posture the security posture which an organization can attain with the same set of solutions will move dramatically up so I'll talk about um I would consider that uh integrating these various Technologies making them talk to each other in a meaningful manner is a technology problem which we need to resolve thank you very much for your time here today.

 

Highlights:

Fragmentation in Cybersecurity Technologies: The proliferation of specialized cybersecurity products has led to a fragmented ecosystem characterized by isolated silos of functionality. While individual solutions excel in their respective domains, the lack of interoperability and communication between them poses a significant obstacle to holistic defense strategies. As organizations grapple with an ever-expanding threat landscape, the need for seamless integration and collaboration among disparate technologies becomes increasingly pronounced.

Bridging the Divide: At the heart of my discourse lies the recognition that integration is not merely a technological challenge but a strategic imperative for bolstering cybersecurity resilience. By breaking down silos and fostering interoperability among diverse security solutions, organizations can unlock synergies and amplify the efficacy of their defense mechanisms. Whether it's correlating threat intelligence data across disparate platforms or orchestrating automated response actions, integrated cybersecurity technologies hold the key to a more cohesive and proactive defense posture.

The Technology Problem: While the concept of integration may seem straightforward in theory, its implementation poses formidable technological hurdles. From disparate data formats and protocols to varying degrees of vendor support, achieving seamless interoperability requires concerted efforts and innovative solutions. By investing in standards-based approaches, open APIs, and interoperability frameworks, the cybersecurity community can pave the way for a future where integrated defense architectures are the norm rather than the exception.
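To make the "disparate data formats" problem concrete, here is an added illustration (editor's example, not code from the talk or from any DLP, CASB, SIEM or threat-intel vendor). Three alerts about the same user arrive in three native formats: a DLP alert as JSON, a CASB alert as key=value pairs, and a firewall event forwarded by a SIEM in CEF. Each is mapped into one common schema, enriched against a threat-intel indicator list, and correlated per user inside a time window. All records, hostnames, indicators and field names below are constructed for the example.

```python
"""Normalise alerts from three siloed tools into one schema, enrich with
threat intel, and correlate per user. Illustrative code added by the editor,
not from the talk or any vendor; every record and indicator below is constructed."""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed samples, one per tool, each in that tool's own native format.
DLP_ALERT_JSON = ('{"event":"dlp.exfil","user":"alice@example.test",'
                  '"dst":"203.0.113.7","bytes":5242880,"ts":"2024-05-01T10:02:11Z"}')
CASB_ALERT_KV = ('ts=2024-05-01T10:01:40Z user=alice@example.test '
                 'app=unsanctioned-storage action=upload risk=high')
SIEM_EVENT_CEF = ('CEF:0|ExampleFW|NGFW|1.0|100|Outbound connection|5|'
                  'src=10.0.0.5 dst=203.0.113.7 dpt=443 suser=alice@example.test '
                  'rt=2024-05-01T10:02:09Z')
# Constructed threat-intel feed: indicator -> confidence and tag.
THREAT_INTEL = {"203.0.113.7": {"confidence": 90, "tag": "known-exfil-host"}}


@dataclass
class Event:
    """Common schema that every parser maps into."""
    source: str
    ts: str
    user: Optional[str] = None
    dst_ip: Optional[str] = None
    severity: int = 0
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_dlp(raw: str) -> Event:
    d = json.loads(raw)
    return Event("dlp", d["ts"], d.get("user"), d.get("dst"), 7,
                 {"event": d["event"], "bytes": str(d["bytes"])})


def parse_casb(raw: str) -> Event:
    kv = dict(tok.split("=", 1) for tok in raw.split())
    sev = {"low": 3, "medium": 5, "high": 8}.get(kv.get("risk", ""), 0)
    return Event("casb", kv["ts"], kv.get("user"), None, sev,
                 {"app": kv.get("app", ""), "action": kv.get("action", "")})


def parse_cef(raw: str) -> Event:
    parts = raw.split("|", 7)  # seven fixed header fields, then the extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    ext = dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    return Event("siem", ext.get("rt", ""), ext.get("suser"), ext.get("dst"),
                 int(parts[6]), {"name": parts[5], "dpt": ext.get("dpt", "")})


def enrich(ev: Event, intel: Dict[str, dict]) -> Event:
    """Tag the event and raise severity when the destination matches a high-confidence indicator."""
    hit = intel.get(ev.dst_ip or "")
    if hit:
        ev.attrs["ti_tag"] = hit["tag"]
        if hit["confidence"] >= 80:
            ev.severity = max(ev.severity, 9)
    return ev


def _t(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events: List[Event], window_s: int = 300) -> List[dict]:
    """One finding per user whose events from at least two tools all fall inside the window."""
    by_user: Dict[str, List[Event]] = {}
    for ev in events:
        if ev.user:
            by_user.setdefault(ev.user, []).append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _t(e.ts))
        if (_t(evs[-1].ts) - _t(evs[0].ts)).total_seconds() > window_s:
            continue
        sources = sorted({e.source for e in evs})
        if len(sources) < 2:
            continue
        findings.append({
            "user": user,
            "sources": sources,
            "severity": max(e.severity for e in evs),
            "ti_tags": sorted({e.attrs["ti_tag"] for e in evs if "ti_tag" in e.attrs}),
        })
    return findings


def run() -> List[dict]:
    events = [parse_dlp(DLP_ALERT_JSON), parse_casb(CASB_ALERT_KV), parse_cef(SIEM_EVENT_CEF)]
    return correlate([enrich(e, THREAT_INTEL) for e in events])


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The point is the shape of the work, not the toy parsers: each tool needs its own adapter into the shared schema, the enrichment and correlation logic is then written once against that schema, and a single finding can cite all three sources. Real feeds are far messier (CEF extension values may contain escaped spaces, timestamps and user identifiers differ per product, and a fixed time window is a crude substitute for session-based grouping), which is exactly why standard schemas and open APIs matter.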

 

As we conclude our discourse on the imperative of integration in cybersecurity technologies, let us reaffirm our commitment to breaking down silos and fostering collaboration across the security ecosystem. By transcending the constraints of individual solutions and embracing a collective mindset, we can fortify our defenses against emerging threats and navigate the digital landscape with heightened resilience. Together, let us confront the technological challenges head-on and pave the way for a future where integrated cybersecurity architectures empower organizations to stay one step ahead of adversaries. Thank you for your time and dedication to advancing the cause of cybersecurity excellence.

 

 
