-
11
Introduction to Information Security: What is a CISO? - Sedara Whiteboard Series
A Chief Information Security Officer (CISO) is the tip of the spear for an organization’s cybersecurity program. CISOs identify threats, manage risk, implement security controls, and increase organizational resiliency. Sedara has several “virtual” CISOs (vCISOs) who split their time serving as CISOs for different organizations. This podcast covers what CISOs do and how they protect your organization’s most valuable assets.

Sedara has vCISOs available to take an organization’s cybersecurity program to the next level. They provide ongoing supervision and support and advise about threats, risk, security controls, and resiliency strategies. Contact Sedara today to learn how a vCISO can help your organization.
-
10
Security Awareness - Sedara Whiteboard Series
Why is security awareness important when we have all of these appliances and software and hardware to protect us? Well, ultimately, attacks come down to a set of human eyes and a keyboard, and a mouse. And if a user is well educated and if they're trained well and they're astute, they can help prevent a security incident from ever happening or detect it.
-
9
Business Continuity, Disaster Recovery, and Security Incident Response Plan - Sedara Whiteboard Series
Incident response is a structured process organizations use to identify and deal with cybersecurity incidents. Response includes several stages, including preparation for incidents, detection and analysis of a security incident, containment, eradication, and full recovery, and post-incident analysis and learning.

What are some tips for making effective plans? Listen to this episode of Sedara's Whiteboard Series to find out. Be sure to subscribe to our YouTube channel to get more content.
-
8
What is Social Engineering? - Sedara Whiteboard Series
Many organizations focus on technological controls to protect their assets. But that’s only part of the story! Smart attackers use social engineering to achieve their goals in compromising networks and data. In a social engineering attack vector, attackers lie or present deceptive fronts to convince people to divulge information or take some action that allows the attackers access. Sedara offers a phishing assessment, in which we send out communication and assess the rate of “success”. We can also include social engineering in our penetration testing or security assessments. This service includes a deeper approach, in which we integrate the results of the phishing campaign into our assessment of overall security. Please let us know how we can help you!
-
7
What is the NIST CSF? - Sedara Whiteboard Series
Welcome back to the Sedara Whiteboard series. In this episode, we will discuss frequently asked questions about NIST CSF. The NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology, integrates industry standards and best practices to help organizations manage their cybersecurity risks. It is widely used across schools, government organizations, and businesses across the globe. Sedara uses the NIST CSF as a basis for testing the posture of an organization’s security.

If you found this information helpful, please subscribe to our YouTube channel! For more helpful resources, check out Sedara Declassified.
-
6
Identifying a Quality Pentest - Sedara Whiteboard Series
In this episode of the Sedara Cybersecurity Whiteboard Series, our Lead Pentester Nick Aures talks about what to look for in a quality pentest. Nick breaks the talk down into 4 key takeaways:
1. A Vulnerability Scan is NOT a Pentest
2. How to identify a qualified vendor
3. What you should expect from the engagement
4. What you should expect from the report

Take a look, and we hope it's helpful. If you're finding our content useful, sign up for Sedara Declassified to make sure you get it sent right to you every month, and of course, if we can help you with anything directly, feel free to reach out.
-
5
NIST Compliance Framework - Sedara Whiteboard Series
Why Should I Consider the NIST Cybersecurity Framework (NIST CSF)?

The NIST Cybersecurity Framework (NIST CSF) is great for organizations that want to improve their information security maturity. Other organizations may align the framework with other compliance or governance requirements. The NIST CSF has five cyclical functions that cover an organization’s security processes: Identify, Protect, Detect, Respond, and Recover.

Regardless of the reason, getting started with the NIST Framework is often the #1 challenge. Against a complex environment, the framework can seem overwhelming.

Where Do I Start?

Almost all information security frameworks start with asset management. You can’t secure devices you don’t know about! But asset management doesn’t have to be complete or perfect before moving through the framework.

Start with the assets you already know about and work with in your daily operations. For most organizations, this means high-impact assets with a low volume of devices. Examples include servers, domain controllers, and firewalls. Asset management doesn’t need to be complicated – it can start with a short, written list. In this post, we’ll use firewalls as an example.

Breaking it down

After you’ve inventoried a category of assets, you can move through the framework and pick the tasks that will best secure it. This can be done by asking what-if questions and documenting the answers. Here are some examples:

Identify / Governance: Who manages the firewall? How often do they manage it? What are they allowed to do? What is the approval process for changes?

Protect / Access Control: Who can log into the firewalls? What level of access do they have and what can they do with that data? Is monitoring in place?

Protect / Maintenance: Who checks for and installs updates? Who reviews release notes? How often is maintenance on the firewall performed?

Detect & Response: How are incidents detected? What is the response plan when an incident is detected?

Recovery: How are backups performed? When a firewall goes down, who is notified and what is the process for getting it back online?

Want to know more about NIST CSF?

Check out this resource for more information about the NIST CSF version 1.1 and to access online learning resources!

Summary

It’s easier to start on the NIST CSF by taking small steps, grouping assets into categories, and documenting the operational processes you already have. Starting with the high-impact, low-volume assets will save valuable time and make the biggest impact in improving your organization’s security stance.

How Sedara Can Help with the NIST Cybersecurity Framework

Sedara helps organizations implement the NIST CSF to improve their cybersecurity programs. Our team will take your information security maturity to the next level with proven methods and expertise.

Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do.

Watch this episode on Youtube.
-
4
Cybersecurity Framework for EdLaw 2D Explained - Sedara Whiteboard Series
What is Education Law 2-d?

Education Law 2-d is a new section to NYS Education Law that was added in early 2020. This section covers various aspects of data privacy for school districts in New York State. It identifies data that exists, how it’s handled, what you’re allowed to do with it, and defines additional security requirements. Ed Law 2-d provides a clear description of student data and personally identifiable information (PII).

What are the requirements of Ed Law 2-d?

Ed Law 2-d creates specific regulations and controls that school districts are required to abide by. According to the New York State Regional Information Centers and the Ed Law 2-d/Part 121 of the Commissioner’s Regulations outline, schools must follow a multi-faceted approach to information governance, including:

- The protection of PII: PII for teachers, students, and principals must be protected.
- Parent’s Bill of Rights for Data Privacy and Security: Districts must develop and share this information on their website with supplemental information regarding every agreement with a third-party contractor involving the disclosure of PII.
- Data Security and Privacy Policy: Districts are required to adopt a Data Security and Privacy Policy that adheres to the NIST Cybersecurity Framework (NIST CSF).
- Data Protection Officer: It is mandatory to appoint a Data Protection Officer to oversee the execution of Ed Law 2-d responsibilities.

It is also mandatory to have a complaint process, incident reporting/notification process, annual employee training, and most importantly, map everything back to NIST Cybersecurity Framework.

NIST CSF is a set of controls that governs aspects of the law and is a risk management program that identifies 1) where there are risks within an organization and 2) the ability to respond and prioritize those risks. NIST is a comprehensive United States program that Sedara has been implementing in school districts for years.

The Sedara Approach

Sedara has spent the last couple of years developing the Cybersecurity Development Program (CDP). A CDP encompasses controls such as NIST and is approachable, scalable, and specific for school districts to obtain and maintain compliance while keeping their data safe. The method is designed to understand and factor in the needs, resources, and the existing operations of school districts.

Sedara’s CDP includes technical and non-technical approaches, and is effective in keeping student data safe. This can include incident response, data loss and privacy controls, protection against ransomware, and much more.

CDP is not designed to replace an existing system - it is designed to augment the investments that have already been made and right-size a program that's appropriate for a particular school district. CDP brings in the resources - both technical and non-technical - to help deliver on an ongoing basis, making it a cost-effective approach.

How Sedara Can Help

Sedara has worked with school districts all over New York State to help them protect the PII of students, teachers, and staff. We’re experienced with Ed Law 2-d and can help make sure school districts are compliant.

Don’t take our word for it - check out what other school districts had to say about their experience with the program.
-
3
A Crawl Walk Run Approach to Offensive Security Operations - Sedara Whiteboard Series
A Crawl, Walk, Run Approach to Offensive Cybersecurity

For the next video in our Whiteboard Series, we talk about a Crawl, Walk, Run Approach to introducing offensive cybersecurity operations to your environment.

What are Offensive Security Operations?

Offensive security operations are about replicating the type of tactics and procedures that real-world hackers are using to penetrate networks. Common forms of offensive security include penetration testing and vulnerability scanning.

What is Crawl, Walk, Run?

A Crawl, Walk, Run Approach is an effective method where you lay out the steps for an organization to start out with the basics, and mature their processes over time. This approach has been found to be extremely effective when it comes to cybersecurity program maturity.

The Crawl Stage

During the “crawl” stage, the I.T. team is spending their time ensuring production is running smoothly, ensuring upgrades are complete, hardware is repaired, end-user tickets are resolved, etc. These tasks consume most of their time. This is where Sedara sees a lot of organizations struggle with going above and beyond to prepare for an advanced attack. It can seem impossible when a majority of your time is spent putting out fires.

So, what can you do? There are a few simple things, such as asset discovery. Understanding where your business-critical assets are, whether they are internal, external, or cloud-hosted, is one thing to focus on. The next step would be a vulnerability scan of those assets. This will provide you with any low-hanging fruit that an attacker might find. Low-hanging fruit to an attacker would be something of high value that is easy to attack. The next thing you want to do is a basic assessment. At this point, you should have an understanding of where your weaknesses are and which of your business assets are critical. You’ll also want to understand what weakness might look like in your organization. Then, you can move to the “walk” phase.

The Walk Phase

The “walk” phase is where you run a penetration test. A penetration test takes the vulnerability test one step further. Penetration testing is a controlled form of hacking. You take real-world tactics that attackers would use to simulate a hacker trying to get into your network, systems, and applications through the exploitation of vulnerabilities. Penetration testing will also help you better understand your external assets. Once you have this understanding, you’re ready to move on to the “run” phase.

The Run Phase

If you want to continue to improve the cybersecurity maturity of your organization, consider running a red-team engagement. A red-team engagement gauges technical vulnerabilities, business logic flaws, and social engineering. With a red-team engagement, you can also perform advanced remediation, which helps you fix deeper issues, often procedure-related, for lasting cybersecurity improvement. Overall, this type of engagement can take anywhere from 3-6 months.

How Sedara Can Help You

Reach out to us to learn how we can help prepare your organization for when a threat occurs. Be sure to follow our Whiteboard Series, and check out our video for more information on offensive security operations.
-
2
MDR vs XDR - Sedara Whiteboard Series
MDR vs XDR - Key Differences

Managed Detection and Response (MDR) and Extended Detection and Response (XDR) are two solutions designed to help security teams with cybersecurity threats. However, these two methods approach threats in different ways. In the latest video for our Cybersecurity Whiteboard Series, we go over MDR and XDR, their differences, and why they should matter to you.

MDR Defined and Its Purpose

MDR, or Managed Detection and Response, is a function or a service that cannot be defined by a single technology. Rather, it is defined by what the intended outcome is supposed to be. MDR focuses on what threats you want to detect and how you respond to them. It is an external service that focuses on data collection and the ability to investigate and respond. First, you want to have the ability to analyze what is happening in your environment, followed by a response plan. Typically, you’re looking to block unfamiliar IP addresses on your firewall, or to block inbound and outbound URLs in your spam or content filter - to name a few examples. In short, the goal is to identify if an account is compromised and then disable that account. Afterwards, you would begin your incident response plan to understand if further action is required.

XDR Defined and Its Purpose

XDR, also known as Extended Detection and Response, is a strategy-driven approach. Essentially, XDR brings MDR to a new level. XDR is about enhancing your threat detection, reducing your time to respond, and making your response actions more effective. Ultimately, it is about establishing a stronger security program and automated data enrichment. Automated data enrichment is about thinking of all the data you’re collecting and how you understand it. One of the most important aspects of XDR is the ability to view what is not changing within your cybersecurity system and understand how it applies to things that are changing constantly.

MDR vs XDR

Both MDR and XDR assist security teams with increasing workloads. MDR essentially provides an external Security Operations Center (SOC) that performs a majority of duties necessary to protect your IT assets. XDR, on the other hand, enhances your threat detection, reduces your time to respond, and makes your response actions more effective. Together, this is an efficient way to manage threats and respond appropriately.

How Sedara Can Help You

Sedara was founded on the principle that cybersecurity monitoring must have detection capabilities and response capabilities built into it. We’ve been doing MDR and XDR for over a decade now. If you’re looking to strengthen your cybersecurity operations, contact Sedara today.
-
1
Tiered Approach to Security Maturity: A Crawl Walk Run Approach - Sedara Whiteboard Series
Welcome to the first video of Sedara's Whiteboard Series. Our goal for these videos is to educate you about cybersecurity. In this podcast, Darrick will go over the Tiered Approach to Security Maturity. Darrick Kristich is the Founder and CEO of Sedara.

The SIEM & MDR deployment process can seem overwhelming, especially if your organization lacks experience with this process. There’s a lot to consider, such as understanding exactly what you can expect and the value you will get from the process. In this first podcast of the Sedara Whiteboard Series, we go over a crawl-walk-run methodology to ease into a mature cybersecurity posture. If you’re looking to get some tangible value out of a system or service, watch this video or read below for some key takeaways.

What is SIEM Technology?

SIEM technology revolves around data collection. It’s about collecting logs, analyzing them, and pulling data through API integrations to understand what is happening in your cybersecurity environment.

The crawl-walk-run approach:

Crawl

The crawl phase starts with your SIEM ingesting highly critical assets, and sometimes high-value, lower-volume assets. What do we mean when we say high-value? We’re referring to the data they are providing. The primary focus during this stage includes getting visibility into network traffic. This includes firewall logs and directory services. Firewalls and directory services are considered extremely high-value data sources. In a firewall log, you can expect to get the source, target port, and protocol information. Firewall logs don’t share a lot of information unless it is a unified threat management (UTM) device. With a UTM device, you can get actual URL destinations and conduct spam filtering.

When examining log sources, it’s crucial to consider:
- What data you’re collecting
- What intelligence is going to be applied
- What are you getting out of it?

One example of a security risk would be if a user adds another domain admin at a time when your employees aren’t usually working. Sedara can detect and respond to this problem by using your SIEM that has collected logs from your domain controllers. Without putting some sort of intelligence into this, you would not be able to find this significant compromise.

Walk

The walk phase gets into more complex systems to configure, with higher volumes. In this phase, workstations are your highest volume assets. The logs from your workstation may not be as important as the logs from your global directory services. However, you can build a significant amount of use cases and alarms from the data. Obtaining workstation logs can be challenging. However, Sedara has created processes that integrate Windows event forwarding that can be applied in a couple of hours. The volume of data impacts the size of SIEM you need.

One reason workstation logs are impactful is because, if an attacker knows you are using a SIEM, they will use local accounts to get into your system and stay under the radar from detection. Starting to isolate and remove devices or killing processes is a great way to start the response process during the walk phase. As an MDR provider, Sedara can detect and respond to threats on your behalf.

Run

The run phase can take longer to reach, is typically very high volume, and is fairly sophisticated to implement and manage. The complexity comes into play because you are including robust business applications such as ERP systems, EMR systems, finance systems, and more.