Earlier this year, SafeBreach held its first-ever Validate Summit at Levi’s Stadium in Santa Clara, California. This in-person event brought together top cybersecurity leaders and innovators to discuss the changing requirements to build and optimize a proactive security organization.
To close out a full day of insightful and engaging sessions, we were treated to a dynamic panel discussion moderated by Richard Stiennon, industry research analyst and author of the annual Security Yearbook. Joining him on stage were Jimmy Sanders, VP of information security for Netflix; Ashley Baich, readiness and crisis management security consultant for Accenture; and SafeBreach’s own CISO, Avi Avivi.
In this edition of Voices from Validate, we look back at the range of unique perspectives shared on this expert panel focused on the concept of cyber resilience, exploring what it is, why it matters, and how organizations can achieve it.
To begin the discussion, Richard asked each panelist to describe what cyber resilience means to them. Ashley defined the concept of cyber resilience succinctly as “an organization’s ability to prepare, detect, and respond to a cyber event,” and she emphasized the importance of being able to minimize the disruptive impact of an attack and learn from any failures of your defenses. She also noted that the work of being cyber resilient is never complete, and organizations must not become stagnant in their efforts to bolster resiliency.
Avi agreed with Ashley’s points, adding that cyber resilience shouldn’t just account for the technology being used, but it must also encompass the people and processes behind an organization’s security posture. Jimmy also concurred with his fellow panelists but added that preventative measures are just as vital to resilience as your response plan. He stressed the value of a mixed-mode, nonhomogeneous security environment (e.g., different server types, hybrid cloud, etc.) to force attackers to chain together much more complicated methods in order to even breach your defenses.
“Cyber resilience is about prevention—building a multilayered fortress of defense for our environment—and it’s about reaction. How quickly can we detect and recover once an attacker’s breached our environment? This multifaceted approach is the best way to build resiliency and keep our customers and employees as safe as possible.” – Jimmy Sanders, Netflix
Keeping It Real
With all in agreement on what cyber resilience entails, Richard next asked the panelists to share some guidance organizations can follow to achieve greater resilience. The group consensus came down to the power of being able to run real-world attacks and practice real-world detection and response measures.
Avi spoke about the benefits of validating an organizations’ entire incident response chain process, even factoring in how non-security teams, such as legal and communications, perform under pressure. He also warned against the over-dependence on tabletop exercises to assess incident response, arguing there is no substitute for replicating a crisis situation as realistically as possible across all impacted areas.
To Avi’s point, Ashley served up an apt analogy of military training exercises in which real weapons, gear, and combat environments are preferred whenever possible to develop stronger troop muscle memory and condition well-honed response behaviors ahead of real-world deployment in battle.
Jimmy went on to discuss how the Netflix security team has made regular use of chaos engineering to stress test the resilience of its security environment and team. He pointed out that an attacker isn’t likely to warn you of when or how they will attack, so red team exercises should have that same level of unpredictability and complexity. To keep his developers and production staff on their toes, Jimmy leverages chaos simulations without giving his team any heads-up about what to expect or when to expect it.
Shifting from technology to teams, Jimmy returned to his point about the need to mix things up in your stack and said the same goes for your people. A sustainable, resilient security operation for him depends largely on the versatility of skill sets across the team. This includes ensuring he never relies too heavily on one single person or role to be able to handle one particular task or function. Regular cross-training is one method he’s used to ensure he has the necessary coverage across his team at all times, regardless of who may be away on vacation or out sick when a crisis occurs.
Avi added that a satisfied and motivated team tends to make for a more resilient team. That’s why it’s up to security team leadership to eliminate stressors, address burnout, and provide opportunities for advancement and growth as well as the resources the team needs to be as effective and efficient as possible.
Being a relative industry newcomer compared to her fellow panelists, Ashley also reminded security leaders to continue to invest in the next generation of defenders and to have a clear development plan in place for those new to their fields. This will enable organizations to better attract and retain talent, and improve their cyber resilience in the process.
BAS & Resilience
“Netflix is a numbers-focused company across the board. Data drives decisions, and that’s why SafeBreach fits so well into our security strategy. We can consistently measure our security stack with SafeBreach and get fast answers to questions like ‘What was the average detection time?’ or ‘What was our average response time?’ SafeBreach also helps us continuously evaluate team effectiveness and look for areas to drive improvements.” – Jimmy Sanders, Netflix
The unrivaled ability of breach and attack simulation (BAS) to help build and enhance cyber resilience was a key theme in this conversation. Jimmy noted how the SafeBreach BAS platform has proven to be an invaluable means of both validating Netflix’s security ecosystem as well as testing and training his employees. He also listed two essential components of resilience-building security technology like BAS:
- Automated Analysis – There’s no manual way to deal with all the data and avoid having key intelligence fall through the cracks. The automation SafeBreach provides enables security analysts to focus their attention where it’s needed most.
- Continuous Functionality – When the customer experience—and attacker schedule—is 24/7, so too must be your approach to security validation. Point-in-time testing can only tell you how safe you were at the moment the test was run. Beyond that, all bets are off.
Ashley also noted the flexible and customizable nature of the SafeBreach platform, enabling it to be applied to the most at-risk areas of an organization’s business strategy. For her clients, BAS has been a game-changer in its ability to ensure business-critical operations can remain up and running in the face of a disruptive attack.
Avi closed the discussion by doubling down on the integral role BAS plays in the cyber resilience process of implementing the right technology, processes, and people, validating those resources, and then reassessing and repeating the process again and again. SafeBreach is purpose-built to deliver greater resiliency, regardless of a security organization’s level of maturity and resource level. As a platform designed for scalability, SafeBreach enables organizations to first crawl, then walk, and finally run as they enhance and grow their security posture.
Wish you could have attended SafeBreach’s Validate summit? Well, our second-annual Validate summit is coming up on Wednesday, February 8 at The Star in Frisco—headquarters of the Dallas Cowboys. Registration will soon be open, but seats will be going fast, so be sure to save your spot early to join in on this exciting event and important conversation.