DIB: The DoD’s Implementation Plan Brings CMMC Level 3 Requirements Before Phase 4 (Full Implementation).

While much of the focus has been on CMMC Level 2, it’s equally important to prepare for the significant lift required for Level 3. The transition to L3 will depend on your existing CUI Program, leadership support, and your technical team’s skill set. Key elements to consider:

1. Access Control for only organization-owned/managed devices, no personal devices (BYOD). Also, apply Golden Images to Level 3 assets, ensuring consistency and security, followed by conditional access controls or system posture checks.
2. Must protect the integrity of Secure Baseline Configuration/Golden Images.
3. Encryption In Transit and At Rest with Transport Layer Security (TLS), IEEE 802.1X, or IPsec.
4. Bidirectional/Mutual Authentication technology that ensures both parties in a communication session authenticate each other (see encryption).
5. Conduct L3-specific End-User Training, including practical training for end-users, power users, and administrators on phishing, social engineering, and cyber threats, and test readiness and response.
6. Continuous Monitoring (ConMon), Automation, and Alerting to remove non-compliant systems promptly.
7. Automated Asset Discovery & Inventory, ensuring full visibility of all assets.
8. Security Operations Center (SOC) and Incident Response (IR): Maintain a 24x7 SOC and IR team to handle security incidents promptly and efficiently.
9. HR Response Plans that include Blackmail Resilience to address scenarios like blackmail, insider threats, and other HR-related security issues.
10. Mandatory Threat Hunting to proactively identify and mitigate threats.
11. Automated Risk Identification and Analytics using Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), Extended Detection and Response (XDR), etc.
12. Risk-Informed Security Control Selection to ensure tailored and effective protection measures.
13. Supply Chain Risk Management (SCRM), Monitoring & Testing of Service Provider Agreements (SPAs): Regularly monitor and test SPAs to ensure compliance with security requirements and to mitigate risks associated with third-party vendors and suppliers.
14. Mandatory Penetration Testing to identify and rectify system vulnerabilities.
15. Secure Management of Operational Technology (OT)/Industrial Control Systems (ICS), including Government-Furnished Equipment (GFE) and other critical infrastructure.
16. Root of Trust Mechanisms to verify the authenticity and integrity of software. Ensure devices boot using only trusted software. Provide hardware-based security functions such as TPM.
17. Threat Intelligence and Indicator of Compromise (IOC) Monitoring to stay ahead of emerging threats and quickly respond.

#CUI #hva #ProtectCUI
How to Improve Security Control Performance
Explore top LinkedIn content from expert professionals.
Summary
Improving security control performance ensures that organizations can effectively safeguard sensitive data, prevent unauthorized access, and respond promptly to cyber threats. This involves integrating advanced technologies, proactive strategies, and streamlined processes for optimal security management.
- Focus on proactive monitoring: Implement continuous threat detection technologies, such as Security Information and Event Management (SIEM) or Extended Detection and Response (XDR), to identify vulnerabilities and suspicious activities before they escalate.
- Streamline access management: Use automated tools like Single Sign-On (SSO) and System for Cross-Domain Identity Management (SCIM) to manage user access, reduce human error, and ensure compliance.
- Enhance user training: Educate employees on recognizing phishing, social engineering, and potential risks, and conduct regular practical drills to reinforce vigilance and readiness.
-
Day 10: Preparedness and Response

We know the cost of response can be 100 times the cost of prevention, but when unprepared, the consequences are astronomical. A key prevention measure is a proactive defense strategy to anticipate and neutralize threats before they cause harm. Many enterprises struggled during crises like Log4j or MOVEit due to limited visibility into their IT estate. Proactive threat management combines asset visibility, threat detection, incident response, and resilient infrastructure. Here are a few practices to address proactively:

1. Asset Visibility
Having a strong understanding of your assets and dependencies is foundational to security.
• Maintain SBOMs to track software components and vulnerabilities.
• Use an updated CMDB for hardware, software, and cloud assets.

2. Proactive Threat Hunting
Identify vulnerabilities and threats before escalation.
• Leverage SIEM/XDR for real-time monitoring and log analysis.
• Use AI/ML tools to detect anomalies indicative of lateral movement, insider threat, privilege escalations or unusual traffic.
• Regularly hunt for unpatched systems leveraging SBOM and threat intel.

3. Bug Bounty and Red Teaming
Uncover vulnerabilities before attackers do.
• Implement bug bounty programs to identify and remediate exploitable vulnerabilities.
• Use red teams to simulate adversary tactics and test defensive responses.
• Conduct purple team exercises to share insights and enhance security controls.

4. Immutable Backups
Protect data from ransomware and disruptions with robust backups.
• Use immutable storage to prevent tampering (e.g., WORM storage).
• Maintain offline immutable backups to guard against ransomware.
• Regularly test backup restoration for reliability.

5. Threat Intelligence Programs
Stay ahead of adversaries with robust intelligence.
• Simulate attack techniques based on known adversaries like Scattered Spider.
• Share intelligence within industry groups like FS-ISAC to track emerging threats.

6. Security-First Culture
Employees are the first line of defense.
• Train employees to identify phishing and social engineering.
• Adopt a “See Something, Say Something” approach to foster vigilance.
• Provide clear channels for reporting incidents or suspicious activity.

Effectively managing cyber risk requires a culture of pessimism and vigilance, investment in tools and talent, and alignment with a defense-in-depth strategy. Regular testing, automation, and a culture of continuous improvement are essential to maintaining a strong security posture.

#VISA #Cybersecurity #IncidentResponse #PaymentSecurity #12DaysOfCybersecurityChristmas
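The post above recommends hunting for unpatched systems by cross-referencing SBOMs with threat intel. The following is an added example (not code from the post's author) of what that hunt looks like in practice: two constructed SBOM inventories in a simplified CycloneDX-style "components" shape are matched against a constructed advisory feed that records the first fixed version of each affected component. Host names, component versions and advisory IDs (`ADV-EXAMPLE-*`) are made-up sample data, not real identifiers.

```python
import re

# Constructed SBOM inventories, simplified to the CycloneDX "components" shape.
# Host names, component names and versions are made-up sample data.
SBOMS = {
    "build-server-01": {
        "components": [
            {"name": "log4j-core", "version": "2.14.1"},
            {"name": "openssl", "version": "3.0.12-r1"},
        ]
    },
    "web-frontend-02": {
        "components": [
            {"name": "log4j-core", "version": "2.17.2"},
            {"name": "jquery", "version": "3.4.1"},
        ]
    },
}

# Constructed threat-intel feed. Advisory IDs are placeholders, not real CVEs;
# "fixed_in" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "log4j-core", "fixed_in": "2.17.1", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "component": "jquery", "fixed_in": "3.5.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "component": "openssl", "fixed_in": "3.0.10", "severity": "high"},
]


def parse_version(text):
    """Turn '2.17.1' or '3.0.12-r1' into a comparable tuple of integers.

    Only the numeric fields are compared; distro suffixes such as '-r1'
    become trailing fields, which is good enough for a hunting query
    (treat a match as a lead to confirm, not a final verdict).
    """
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(installed, fixed_in):
    """An installed version is affected if it is older than the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def find_unpatched(sboms, advisories):
    """Cross-reference every host's SBOM against the advisory feed.

    Returns findings sorted by host then component, so the output is
    stable and can be diffed between hunts.
    """
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv["component"], []).append(adv)

    findings = []
    for host, sbom in sboms.items():
        for comp in sbom["components"]:
            for adv in by_component.get(comp["name"], []):
                if is_affected(comp["version"], adv["fixed_in"]):
                    findings.append({
                        "host": host,
                        "component": comp["name"],
                        "installed": comp["version"],
                        "fixed_in": adv["fixed_in"],
                        "advisory": adv["id"],
                        "severity": adv["severity"],
                    })
    return sorted(findings, key=lambda f: (f["host"], f["component"]))


if __name__ == "__main__":
    for f in find_unpatched(SBOMS, ADVISORIES):
        print(f"{f['severity']:8} {f['host']:16} {f['component']} {f['installed']} "
              f"-> fix in {f['fixed_in']} ({f['advisory']})")
```

With the sample data, the run flags the old log4j-core on build-server-01 and the old jquery on web-frontend-02, and leaves the patched log4j-core and the openssl build (already past its fix version) alone. The same loop works on real CycloneDX output once the advisory feed is replaced with your own intel source.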
-
Red team report recommendations to help reduce risk and impact from SE attacks like those used by Scattered Spider and similar threat actors who are now imitating them:

Maintain a “Do Not Touch” List of High-Value Targets (HVTs): Create and regularly update a list of high-value users (e.g., executives, IT admins, security team, etc.) whose creds, phone numbers, and MFA factors cannot be modified or reset without prior escalation. Give detection and response teams a tap into support tickets trying to touch these accounts so alerts can be made.

Restrict L1 Access for HVT Accounts: Remove L1 support’s ability to reset passwords or modify MFA for these HVTs. Escalations should route through helpdesk managers or designated Tier 2+ staff with enhanced training.

Harden Caller Verification Protocols: Move beyond weak knowledge-based questions (e.g., last 4 of SSN) as proof of identity. This stuff is in data breach leaks and easy to obtain. Leverage multi-factor, contextual, or out-of-band verification methods that are less likely to be compromised or exploited.

Normalize User-Initiated Identity Verification: Train all employees to verify inbound calls claiming to be from internal IT or support. Simple workflows like sending a quick Slack/Teams message or calling the incoming caller’s number as listed in the company directory can make a huge difference. Make it easy. Many users assume that if caller ID == company number, it’s a safe call.

These controls aren’t silver bullets and nothing is foolproof, BUT they are relatively low-effort ways to raise attacker cost and force them to move on to softer targets.
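The first two recommendations above (a “Do Not Touch” list with a detection tap into support tickets, and no L1 resets on HVT accounts) can be turned into a simple alerting rule. This is an added example, not code from the post's author: the HVT list, the help-desk ticket events and their field names (`agent_tier`, `escalation_approved`, and so on) are constructed for illustration and would come from your ticketing system's audit export in practice.

```python
import json

# Constructed "Do Not Touch" list of high-value targets (HVTs). In practice
# this would be pulled from the directory or an HR feed, not hard-coded.
HVT_LIST = {"ceo@example.com", "it.admin@example.com", "soc.lead@example.com"}

# Account changes a help-desk social-engineering play needs: anything that
# resets a credential or rebinds an MFA factor or phone number.
SENSITIVE_ACTIONS = {"password_reset", "mfa_reset", "mfa_enroll", "phone_change"}

# Constructed help-desk ticket events as JSON lines (field names assumed).
TICKET_LOG = """\
{"ticket": "T-1001", "agent": "l1.agent", "agent_tier": 1, "target": "ceo@example.com", "action": "password_reset", "escalation_approved": false}
{"ticket": "T-1002", "agent": "l1.agent", "agent_tier": 1, "target": "staff@example.com", "action": "password_reset", "escalation_approved": false}
{"ticket": "T-1003", "agent": "t2.lead", "agent_tier": 2, "target": "it.admin@example.com", "action": "mfa_reset", "escalation_approved": false}
{"ticket": "T-1004", "agent": "t2.lead", "agent_tier": 2, "target": "soc.lead@example.com", "action": "phone_change", "escalation_approved": true}
{"ticket": "T-1005", "agent": "l1.agent", "agent_tier": 1, "target": "ceo@example.com", "action": "view_profile", "escalation_approved": false}
"""


def evaluate_ticket(event, hvt=HVT_LIST):
    """Return (severity, reason) for one ticket event, or None if no alert.

    Only sensitive actions against HVT accounts are interesting; everything
    else is normal help-desk traffic and stays quiet.
    """
    if event["target"] not in hvt or event["action"] not in SENSITIVE_ACTIONS:
        return None
    if event["agent_tier"] < 2:
        # L1 should not be able to do this at all; if it happened, the
        # technical restriction has failed and someone must look now.
        return ("high", "L1 agent performed a sensitive change on an HVT account")
    if not event["escalation_approved"]:
        return ("high", "sensitive change on an HVT account without prior escalation")
    # Approved Tier 2+ change: keep a trail so the SOC can still review it.
    return ("info", "approved sensitive change on an HVT account, recorded for audit")


def scan_tickets(log_text, hvt=HVT_LIST):
    """Run the rule over a JSON-lines ticket export and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = evaluate_ticket(event, hvt)
        if verdict is not None:
            alerts.append({
                "ticket": event["ticket"],
                "agent": event["agent"],
                "target": event["target"],
                "action": event["action"],
                "severity": verdict[0],
                "reason": verdict[1],
            })
    return alerts


if __name__ == "__main__":
    for a in scan_tickets(TICKET_LOG):
        print(f"[{a['severity']}] {a['ticket']} {a['agent']} -> {a['target']} "
              f"({a['action']}): {a['reason']}")
```

On the sample log this raises two high-severity alerts (an L1 password reset on the CEO account and an unescalated MFA reset on an IT admin account), records the approved phone change on the SOC lead's account as an audit entry, and ignores both the reset on a non-HVT user and the read-only profile view. The "info" verdict is deliberate: even approved changes to HVT accounts are worth a line in the SOC's queue, since an approval can itself be socially engineered.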
-
The National Security Agency (NSA) has released critical guidance on enhancing Zero Trust maturity within the application and workload pillar. We must take action to safeguard our organizations against increasingly sophisticated threats.

Key Takeaways:
• Transition from static, network-centric access to dynamic, identity- and data-centric access control
• Prioritize capabilities such as application inventory management, secure software development (DevSecOps), software risk management, resource authorization, and continuous monitoring
• Implement practical security measures, including strong authentication, granular access based on least privilege, encryption, micro-segmentation, and container security best practices

Action Items:
1. Conduct a comprehensive inventory and categorization of all applications and workloads
2. Assess current authentication and access control measures; implement necessary improvements
3. Evaluate software development processes; integrate security throughout the DevSecOps lifecycle
4. Establish continuous monitoring capabilities to detect anomalous behavior and regularly assess security posture

By taking proactive steps to mature our Zero Trust architectures, we can significantly enhance the protection of our critical applications and sensitive data.

#ZeroTrust #Cybersecurity #ApplicationSecurity #DataProtection #NSAGuidance
-
Throughout my career as an #IAM professional, I've observed organizations consistently making the simple complex. For those just starting their formal IAM program, this post shares fundamental lessons learned from implementing IAM across different enterprises.

Working with enterprises, I've seen a common pattern: organizations investing in advanced IAM solutions before establishing basic controls. Even with substantial technology investments, fundamental processes like offboarding often remain manual and error-prone. Here's what experience has taught me: sophisticated tools can't fix broken foundations.

Successful IAM programs start with mastering the basics:

#JML (Joiner-Mover-Leaver) automation is fundamental. Proper automation of these processes reduces security risks and ensures consistent access management throughout the employee lifecycle. For organizations just starting out, this provides immediate risk reduction and operational efficiency.

Centralized access provisioning creates a foundation for governance. By consolidating access management, organizations gain visibility and control over user permissions across systems. This streamlines operations and simplifies compliance efforts.

Regarding role management: organizations that begin with basic RBAC and incrementally mature their model tend to succeed. Starting with complex role structures often leads to implementation delays and adoption challenges.

For organizations establishing their IAM practice, I recommend focusing on fundamentals for the first few years:
- Automated JML processes
- Centralized access provisioning
- Basic role management
- Comprehensive audit trails

These core capabilities enable organizations to:
- Reduce manual access management overhead
- Improve security through consistent controls
- Establish audit readiness
- Create a foundation for advanced capabilities

When reviewing IAM strategies, I often see roadmaps emphasizing advanced features while basic processes remain manual. For organizations beginning their IAM journey, establishing these fundamental controls should take precedence.

For those starting out: invest time in building robust foundational processes before pursuing advanced capabilities. This approach typically yields better long-term results.

Would appreciate hearing from other IAM professionals: what fundamental controls have proven most valuable in early-stage IAM programs?
-
Why Multi-Factor Authentication (MFA) Alone Isn’t Enough

MFA is an essential layer of defense to safeguard accounts and systems—but it’s not a silver bullet. Cybercriminals continue to innovate, using tactics like social engineering, phishing, and device compromises to bypass MFA protections. A recent DarkReading article, "Researchers Crack Microsoft Azure MFA in an Hour", highlights just how vulnerable MFA can be against determined attackers. (article: https://lnkd.in/eyDwbH4Z)

As we approach 2025, it’s imperative for business leaders to actively engage with technology and security teams to ensure that authentication strategies evolve to address these growing threats. Here are five key questions to ask your teams to ensure a comprehensive and user-centered security approach:

✅ How do we leverage adaptive authentication for smarter risk detection? Ask for real-world examples where adaptive authentication identifies unusual user behavior or location-based risks to thwart threats.
✅ How do we implement 'trust but verify' post-login? Request a walkthrough of continuous authentication, exploring tokenized access, device verification, and real-time risk evaluation to maintain security without compromising user experience.
✅ What are our 2025 plans for ongoing user education on social engineering? The old practice of phishing tests followed by "gotcha" moments is outdated. Instead, empower employees with training to recognize and prevent manipulation attempts.
✅ Are we enhancing monitoring with behavior-based analytics? Behavioral analytics can flag anomalies before they escalate into breaches, offering a proactive defense mechanism.
✅ Should we add stronger MFA layers for high-risk areas? Evaluate options like FIDO2 security keys for executives or IT teams. These keys are more resistant to phishing and other interception attacks, offering advanced protection where it matters most.

Cost Considerations

Implementing and enhancing MFA involves investments in several areas:
- Hardware & Licensing
- System Updates: Custom development or updates may be required to integrate advanced MFA methods into legacy systems.
- Training & Support: Equipping end users and help desk teams with the skills to implement and troubleshoot MFA effectively ensures smooth adoption.

While MFA is not a plug-and-play solution, it remains a critical component of a layered defense strategy. With thoughtful planning, budget allocation, and strong executive backing, MFA—paired with adaptive authentication, behavior-based monitoring, and advanced tools like FIDO2 keys—can significantly reduce the risk of cyberattacks and insider threats.
-
Secure Your Data Analytics Initiative from the Start: The Power of Foundational Access Controls

Enterprises embarking on a new data analytics initiative in the cloud demand a strong security foundation, especially when connecting disparate systems. Establishing robust mechanisms for identity (Authentication), user lifecycle (Provisioning), and resource access (Authorization) is critical at all times.

🔑 Single Sign-On (SSO) [Authentication]: Your Central Key to the Cloud. This enhances user experience and reduces password sprawl, a significant security risk.
👤 System for Cross-Domain Identity Management (SCIM) [Provisioning]: Automating User Lifecycle. This ensures that the right people have the right access from day one and that access is revoked promptly when needed, minimizing orphaned accounts and potential breaches.
🤝 OAuth [Authorization]: Secure Delegated Access. It's like granting a temporary "visitor pass" with limited permissions, ensuring secure communication between disparate systems without compromising user credentials.
🛡️ Role-Based Access Control (RBAC) [Authorization] & Network Policies: Defining the Fortress Walls. This limits the attack surface and prevents unauthorized lateral movement between systems.

Why are these foundational for new cloud data analytics initiatives?
- Enhanced Security, Simplified Management, Improved Compliance, Seamless User Experience.

Laying this robust foundation of SSO, SCIM, OAuth, and RBAC (including network considerations) from the outset is not just a good practice – it's a necessity for any enterprise building a secure and scalable data analytics environment in the cloud with interconnected systems.

Level Up Your Data Fortress: Beyond Basic Access Control

In the ongoing journey to secure and govern the modern data landscape, foundational concepts like SSO, SCIM, and RBAC are just the start. But the fortress walls extend further with mechanisms that elevate our data security posture:

🛡️ Attribute-Based Access Control (ABAC)
📜 Policy-Based Access Control (PBAC)
⏳ Just-In-Time (JIT) Access
🔑 Privileged Access Management (PAM)
🤫 Secrets Management
🤖 Managed Identities
🎭 Data Masking/Anonymization
🏷️ Tokenization
🔒 Data Encryption (at rest & in transit)
🗺️ Data Lineage
📚 Data Catalog
✅ Data Quality Frameworks
🏗️ IaC & Immutable Infra
🧱 Network Segmentation & Firewalls
🚨 DLP (Data Loss Prevention)
🕵️ Auditing & Logging

These advanced mechanisms, layered upon the fundamentals, build a truly resilient and trustworthy data environment. Which of these are you prioritizing in your data strategy?

#DataSecurity #DataGovernance #DataEngineering #CloudSecurity #ZeroTrust ✨ Secure your data journey from the ground up! 🚀 #DataFortress #CloudSecurityFirst #ModernDataStack #AccessControl #DataProtection
-
"65% of employees surveyed admitted to finding ways to bypass security policies for the sake of better productivity"

You might say that humans are the weakest link in security. I would argue that *bad security* is the weakest link in security and humans are just trying to do their jobs.

CyberArk surveyed over 14,000 employees. Here were the top 5 security policies that employees skipped:
🔴 Using one password across multiple accounts (27%)
🔴 Using personal devices as Wi-Fi hotspots (20%)
🔴 Avoiding updates if they take too long (18%)
🔴 Using personal devices instead of corporate ones (18%)
🔴 Forwarding corporate emails to personal accounts (17%)

Certainly there are some bad employees who take shortcuts to avoid admitting their own faults or mistakes. But the vast majority of employees are just trying to do their jobs and they feel that security is preventing them. That is bad security policy - plain and simple.

Let's solve some of these issues right now:
🟢 Use a corporate password manager that people can access and use to remember passwords
🟢 Ensure security controls on networks aren't slowing things down or blocking crucial services/sites
🟢 Schedule updates for after hours or let employees schedule them within 2-3 days
🟢 Don't allow personal devices to access corporate data/services
🟢 Ensure that spam and anti-virus filters aren't blocking legitimate emails and attachments

Are these easy to do? Certainly not! But communicating clearly with employees and making them partners in the endeavor (explaining the risks, what you are doing, and why) can help them become security policy champions instead of security policy bandits.

See the full survey from CyberArk (link in the comments). How would you address these risks?

#security #cybersecurity #risk #employees #cyberark
-
Attackers love getting privileged accounts like IT admins because they know it gets them instant access to all the goodies. They also know that they can easily steal credentials by compromising the device (workstation/laptop/etc.) that the admins log onto. If that device isn't secured well, then the chances of a very very bad no good day increase dramatically. One of the best things you can do to reduce risk of a major breach is to increase the security of the devices used by admins. We documented a progressive set of controls to increase device security (while minimizing impact to usability) starting from everyday enterprise devices (we don't endorse BYOD for admins) to specialized devices (more locked down) to full privileged access workstation (PAW) configurations at https://aka.ms/PAW
-
Because CISOs and security teams deserve a break!

As we kick off Q3, I’m excited to announce something the OutThink team has been working hard on:
👉 Human Risk Response Automation Workflows

Security teams love the idea of Human Risk Management, but embedding it into daily operations? That’s another story. Between manual processes, policy exceptions, and endless back-and-forth, most teams simply don’t have the bandwidth. So we’re fixing that.

We’re building workflows that help security teams:
↳ Reduce risk (without lifting a finger)
↳ Identify human vulnerabilities (with data and root-cause analysis)
↳ Save time (by automating adaptive controls)

Two real-world examples:

1️⃣ USB Exception Requests
Today: a user needs USB access → back and forth with the user and their manager → manual approval → repeat requests → chaos.
With OutThink:
✔ User requests access → auto-assigned a 4-min training on risks/alternatives.
✔ Many realize they don’t need it (win). For those who still do, the request flows to their manager → auto-approved for low-risk users → auto-expires in 6 months.
✔ Fully logged, fully override-able. Security teams retain control but skip the grind.
Result: 83% reduction in time spent with USB exception tickets at pilot customers.

2️⃣ High-Risk Users - real-time protection
Today: blanket security policies impacting productivity and frustrating users, executives get the same policies as interns, and security only discovers risks after incidents occur. Manual policy adjustments take days/weeks.
With OutThink:
✔ Continuous risk scoring (80%+ threshold) → auto-triggers action
✔ Via dynamic policy upgrades in Entra ID/Okta, the high-risk security policy is automatically applied to the user.
✔ Adaptive security controls auto-applied - MFA everywhere, must come in from a trusted location using a company-compliant device.
✔ Zero security team involvement required
Result: 68% reduction in human-initiated security incidents (faster containment of insider threats).

This changes everything! It not only saves a lot of time for everyone, but this approach makes people more risk-aware as a natural by-product. Training happens automatically when and where it's needed, not once a year in an LMS.

We’ve worked with our customers and identified 13 automation workflows that put Human Risk Management on autopilot. And we're building these in Q3. And this is just the beginning. We’re proud to be building this with some of the most forward-thinking security teams out there!

👉 Got a manual workflow you wish you could automate? DM me - let’s build it together.

OutThink #CyberSecurity #HumanRiskManagement #SecurityAutomation #InsiderRisk #CISO #SecurityOps