
5 Minutes with Chris Kennedy, CISO at AttackIQ

July 21, 2020

Get to know Chris Kennedy, CISO at AttackIQ, who previously led the initial development of the US Marine Corps’ global incident response organization. He also held various roles in defense contracting, including delivering the US Department of Treasury’s Cybersecurity Operations program. He most recently helped Bridgewater Associates secure their enterprise.

Security magazine: How can I show the board/leadership cybersecurity is worth the investment?

Kennedy: This has been a longstanding problem for the security executive stemming from:

  • Boards and leadership that don’t understand their business’s dependence on technology, and the technical threats to it.
  • An overwhelming and disjointed security industry that is in constant flux of evolution in response to disruptive new technology enablement and ever evolving threats.
  • Security governance and risk management practices that are informed with weak data.
  • Poor or ambiguous metrics of management that often lead to false inferences of security, protection and safety.

That’s all changing now though. The cybersecurity industry has rotated around an axis of threat uncertainty for many years, but it turns out there’s a lot of good, quantifiable “threat behavior data” out there, and it’s bounded. This data, codified in frameworks like MITRE ATT&CK, serve as foundational bodies of knowledge of common ways attackers operate. The data can be used for many purposes such as educating executives on the types of behaviors an attacker will take and through mapping of investments in security to threat behaviors. The MITRE ATT&CK framework enables organizations to see the attacker kill chain, and with a bit of analysis, show where companies stand against specific attacks. Breach and attack simulation (BAS) platforms allow companies to automate emulating these known attacker behaviors. The security leader can analyze the way known attackers operate and "emulate" that attacker to validate the security investments in place are working as expected.

The ability to bring this codified knowledge of threat behavior to demonstrate the impact and effectiveness (or gaps) in the security investment using real and objective data is the growing trend. BAS platforms allow this approach to be applied continuously and integrated with technology and security processes so risk posture can be evaluated in every governance motion -- and then rolled up to a financial ROI based model. 

Security magazine: How can I ensure my third party partners are aligned with my organization’s security standards?

Kennedy: As regulatory requirements have evolved, there is expected and required due diligence by the owning organization to assure the security of their first (and second and third order) parties that support them. Industry best practice in managing third party risks is invoking a governance process that oversees use of third parties. Not having such allows the “shadow IT” to creep through an organization, where business units stand up use of third party technologies that introduce risk unknown to anyone. Furthermore, companies should invoke a risk assessment process that probes and understands:

  • What the third party does for the organization, and how important is that to the core business.
  • What data/information the third party would handle to support that process. Is the reason for using the third party (usually cost savings) worth the risk of assuming they could fail and lose that data?
  • What are the architectural and engineering allowances to use the third party? Is that data above securely transmitted? Does that third party require software to be deployed in your environment? 
  • Is this a reputable and secure third party? Look at their security attestations and certifications: do they have an ISO 27001 or SOC 2 audit? Do they have a testing program to validate their security? How often do they test? Will they share results and remediations from them? Beyond security, is this a good move?
  • Ensure you have good terms in your contract to allow interrogation of their security program, notification of incidents, etc. Security requirements for third parties are upheld in a contract.
  • If the risk is high enough, see it with your own eyes. Walk the data center, meet the managers, review tier documentation, and conduct your own security testing.

Security magazine: What is the benefit of having a purple team vs a red or blue?

Kennedy: This is merely an organizational construct. Blue teams focus on what they know about the capabilities they have, and red teams use the art of the possible as a threat would. By combining knowledge, companies receive the below benefits:

  • Create a culture of cooperation and joint maturation between teams versus an adversary relationship
  • A much more enriched test that is better based on the shared knowledge of adversary techniques and existing defense
  • Stronger ability to prioritize validating what really matters and making sure problems are addressed
  • Create a new and better interaction model between technology and security that’s result driven
  • Automation can enable scaling and much more continuous validation

Security magazine: What does the data breach landscape look like in the next six months?

Kennedy: It’s going to grow due to businesses enabling work from home, creating tons of risks. The first is the risk of insider threats due to changes in working culture. People working face to face affords some security deterrence in peer and management oversight. Additionally, companies moved fast to adjust and save their business. Mistakes happen and gaps were likely left open as they were in a hurry. There are also architecture changes that broke security as not all the pivots made brought accommodating security of the previous design. There is a high likelihood that many of the “core enterprise” security controls don’t work with a remote workforce. Last, COVID-19 and other global political issues present an opportunity for attackers to target people with phishing or other social media attacks.

Security magazine: What other opportunistic attacks — such as phishing scams — have you seen around COVID-19 so far?

Kennedy:

  • Spear phishing for fraud related to COVID-19 such as donations and medical enrollments
  • Sophisticated attacks on remote access with brute force or credential stuffing attacks and attacks on remote access infrastructure
  • Ransomware has been on the rise as it’s more successful when the security posture is weakened in massive shifts, when people are off guard, untrained, or less security culture conscious
  • The 2020 elections are showing the same social media influence themes as COVID-19, making it hard for people to know what information can be trusted

Security magazine: What do you like to do in your free time?

Kennedy: Aside from the thirst for knowledge in my industry, which can be time consuming given the industry’s pace, I am a family man with teenage daughters. I love to spend time with them and together we raise bees and rabbits. One day I hope to have my own community engaged self-sustaining farm. I’m an avid outdoorsman with an isolated property in Vermont where I go to get off the grid, hike, hunt and fish, and develop the land. As an engineer, I love to tinker with machines and am always wrenching on something. I grew up in Nashville, well exposed to the live music scene, so nothing makes me happier than taking in an intimate, passionate live rock show.

 

 

KEYWORDS: CISO COVID-19 cyber security cybersecurity threat security executive security leadership
