Secrets of AppSec Champions

Welcome to Episode 06 of "Secrets of AppSec Champions," titled "Working With Your CISO," featuring host Chris Lindsey and guest Yaron Levi, the Chief Information Security Officer (CISO) at Dolby Labs.

In this episode, Yaron Levi, with over 15 years of experience in various security functions, provides insights into the multifaceted role of a CISO. He discusses the relatively young profession, highlighting its diverse structures and responsibilities which include enabling businesses while managing risk and regulatory compliance.

The conversation delves into foundational aspects of security programs, such as governance, risk, compliance, and the importance of maintaining a robust defense posture. Yaron underscores the necessity for continuous learning and collaboration within the security field and emphasizes that the CISO's role is more about enabling safe business operations rather than strictly enforcing rules.

One of the key discussions revolves around the commonality of security threats, the significance of basic security measures, and how a substantial number of breaches stem from simple vulnerabilities like exposed credentials and misconfigurations. Yaron also emphasizes the importance of integrating security education for software developers and engaging software architects in mentoring roles.

The episode sheds light on the productive nature of bug bounty programs and responsible disclosure platforms for vulnerability testing. Yaron advocates for encouraging young individuals to engage in ethical hacking through structured channels.

The episode also touches on AI's impact on software development and security, reiterating a balanced approach to leveraging new technologies safely. The importance of simulations and tabletop exercises to prepare for security incidents is discussed, with example scenarios like ransomware attacks being used to test and improve response times.

Finally, Yaron stresses the importance of communication, especially in remote environments, urging employees to over-communicate any security concerns. He shares his experience of starting his role during the pandemic and highlights the significance of building trust remotely.

Chris Lindsey wraps up the episode by thanking Yaron Levi for his valuable insights and encourages listeners to subscribe, rate, and review the podcast to stay updated on future episodes.


Time Stamps:
00:00 Striving for 'Good Enough' in Business

06:01 Intentional Outreach and Security Measures: A Reminder

07:49 The Crucial Role of CISO in Cybersecurity and Software Development

12:49 Security: When, Not If

14:08 Prioritizing Cybersecurity Fundamentals: Key Threats Remain

19:50 The Minecraft Generation: Using Energy for Pen Testing

21:52 Building Bug Bounty Environment and Tabletop Exercises

25:36 Learning from a Ransomware Event Mishap

27:38 Challenges to Standardizing the CISO Role

33:15 Reframing the Role of Security: Protection Over Punishment

For more amazing application security information, please visit the following LinkedIn communities:
https://www.linkedin.com/company/appsec-hive

Provided by Mend.io (https://mend.io)

Creators & Guests

Host
Chris Lindsey
Chris Lindsey is a seasoned speaker who has appeared at conferences, webinars, and private events. Currently building an online community and creating a podcast series, Chris draws on expertise from more than 15 years of direct security experience and over 35 years of experience leading teams in programming and software, solutions, and security architecture. For three years, Chris built and led an entire application security program that includes the implementation of mature AppSec programs, including oversight of security processes and procedures, SAST, DAST, CSA/OSA, compliance, training, developer communication, code reviews, application inventory gathering, and risk analysis.

What is Secrets of AppSec Champions?

Join host Chris Lindsey as he digs into the world of Application Security with experts from leading enterprises. Each episode is theme based, so it's more conversational and topic based instead of the general interview style. Our focus is growing your knowledge, providing useful tips and advice. With Chris' development background of 35 years, 15+ years of secure coding and 3+ years running an application security program for a large enterprise, the conversations will be deep and provide a lot of good takeaways that you can use almost immediately.

Yaron Levi [00:00:06]:
When I think about good enough, if we put ourselves in the CEO's and the CFO's shoes, as an example, and, you know, every year we come back to them and say, hey, I need more money for this and I need more money for that. And even if they give you all these investments all the time, and by the way, security is not the only thing, right? They also need to invest in other things, and at some point they're going to come and ask how much is good enough. And I think this is kind of where we need to figure it out. And that good enough may change, right, from time to time, but same thing as the military, right? How much do we spend on defense and how much is good enough, right? There's never perfect, but there's also other things that we have to consider. So I think that's the same thought process, the same mindset of working with the business, partnering, enabling, helping to make risk decisions and decide what is good enough.

Chris Lindsey [00:00:57]:
Hello and welcome to Secrets of AppSec Champions. My name is Chris Lindsey and today we are speaking with Yaron Levi. Today's conversation is going to be around working with your CISO. Yaron is the CISO at Dolby Labs. Yaron, please introduce yourself.

Yaron Levi [00:01:12]:
Hi, Chris, glad to be here. Thank you. So, my name is Yaron Levi. I'm the CISO at Dolby Labs. Been here with the company for about three and a half years now. Been practicing security for over 15. Done a bunch of different things in the industry, from e-commerce to financial services to healthcare, now entertainment. So different perspectives.

Yaron Levi [00:01:35]:
And within that, as part of security also, everything from GRC to incident response to application security, to security architecture, to cloud security. Love this industry. Having fun. There's great people to collaborate and work with, and always learning. So glad to be here.

Chris Lindsey [00:01:51]:
Awesome. I'm glad you're here. So today's conversation is going to be working with your CISO, which, being a CISO, I think we're talking to the right guy. Yaron, one thing that I wanted to bring up is a little bit more on the role of a CISO. You're dealing with a lot of the stuff at a security level, right? You're dealing with the developers, the networking, the policy making and others. But one thing that I haven't actually mentioned is either the regulators or even the executives, the CEO, the C-suite, the board of directors.

Yaron Levi [00:02:24]:
I felt, you know, I have a duty, and pretty much kind of going back to my military days, because we know how healthcare is targeted and SBC, with the Anthem breach and others, I felt I had a duty to come and contribute back to my community. So that was great. That was a great mission to come and, you know, build the practice and, you know, improve the practice. And I did that for nearly five years. And after that, I decided I want to do something a bit different. And a friend of a friend, who was the former CISO at Dolby, decided to leave. And our mutual friends said, hey, if anybody wants to throw their name in the hat. So I did throw my name in the hat, and, you know, after a long process of interviewing, I was selected, luckily.

Yaron Levi [00:03:02]:
So here I am right now. It's a lot of fun. I started in the middle of the pandemic, which was really interesting, because all the interviews I had were like this. I didn't meet anybody face to face with the exception of my former boss, who actually flew to Kansas City to meet with me. And he said, I cannot hire a CISO, you know, without seeing them face to face. So he got a special approval from the company to travel. We met at the old Kansas City airport for about half an hour, both sitting with our masks and a little bit distant from each other, had a conversation, and then he flew back. And I joined the company in January of '21.

Yaron Levi [00:03:41]:
And the first time I saw somebody face to face was October. Wow. So ten months was, like, all like this. So that's in a nutshell. But I guess I never imagined that this is where I'm gonna get to or how things are going to evolve. But I love every minute, and I'm considering myself very, very blessed. I mean, to have that journey and.

Chris Lindsey [00:04:00]:
Have those experiences, that's incredible. And when you think about the fact that you're starting in the middle of a pandemic, in a position where normally we'd all be together, we'd all be in the same building or the same complex, where we would be seeing the guys that work for us sitting at the desks, starting this role, where you're not in the same city as your colleagues, they're actually scattered. And so being a CISO in this environment is so different than being a CISO prior to the pandemic.

Yaron Levi [00:04:35]:
Oh, completely.

Chris Lindsey [00:04:35]:
With everybody spread around and out, the risks, the threats are quite a bit different, I would imagine.

Yaron Levi [00:04:42]:
Yeah, completely. I mean, I think first and foremost is, and that was frankly, my biggest concern coming into the role, is how do you build relationships remotely like that? Because we don't have, nobody had at that time, hey, let's go to lunch or let's have coffee or, you know, do something together when we are in the office, you know, we can do it from time to time. You walk around, you fall on somebody's cube and like, hey, how are you doing? What are you doing? You know, things like that. Right. We did not have that opportunity. And frankly, I mean, that was one of my concerns, like, how do I do that?

Chris Lindsey [00:05:15]:
Right, right.

Yaron Levi [00:05:16]:
I think it worked very, very well. I think because of two reasons. One is the culture of the company, which is fantastic. People are very collaborative and very open. So it's great, really great to work with. And they really, they embraced me. I mean, for that. So for that, I'm very grateful.

Yaron Levi [00:05:32]:
And the second thing is, you have to be very intentional about it. You have to spend the time, you have to reach out. You have to spend time with people. And not just, okay, I need something, or we have a meeting, because we have to talk about something about work, but really reach out and build relationships and build trust. How can I help you? What can I do for you? Tell me more about what you do. I mean, things like that. And again, it's possible, it may not be as easy, but if you do it with intention, I think you can be very, very successful.

Chris Lindsey [00:06:01]:
Right.

Chris Lindsey [00:06:01]:
And that's what I was just thinking, is you have to be very intentional about the reach out. But the thing is, you're talking about reaching out. The other thing, too, is people within the company need to reach in, and you have multiple different groups and areas for security that fall under you. The role of a CISO, for those who aren't familiar with it, they're doing the networking, they're doing the policies, they're doing the software side, the AppSec, they're doing every aspect, including probably physical entry into the building type work. And so one thing, you might be a regular developer that's working on a development team, and you might have a finding, and it might be the weekend, or it might be a time where you just can't reach your boss, but it's something so serious, such as a potential compromise that you're seeing. And one thing that I wanted to bring up, and Yaron and I had talked previously, it's okay to reach out to your CISO. It's okay to, if you see something, say something.

Yaron Levi [00:07:00]:
Absolutely, 100%. And, you know, I know some people are like, well, you know, I don't want to bother or I don't want to. My preference is, let's err on the side of, like, over-communication. Right. You know, so worst case scenario, okay, nothing happened. You know, we met somebody new, we learned something. I mean, I appreciate that collaboration. Yes, we do a lot of things that, you know, we have to deal with. By no means do I consider myself the top expert in the team on everything.

Yaron Levi [00:07:24]:
My team definitely, I mean, have the knowledge, the experiences, and people have specific expertise, you know, and nobody in security, I mean, security is so vast, nobody can know everything. But I think our ability overall to work together as a team, to collaborate, to support each other, each one of us is kind of bringing something unique to the table; the sum is greater than its parts. So definitely collaborate, definitely communicate, reach out.

Chris Lindsey [00:07:47]:
Right, right.

Chris Lindsey [00:07:49]:
And being in the role of CISO is great because now you see the whole picture, you see everything. So when you're looking at the whole picture, you're seeing the developers are writing API endpoints, they're writing things that receive and send data, and you're also looking at and asking the question, what if that gets compromised, what can happen? What's the worst thing? And you start looking at the east to west, the north to south, a compromise being able to move laterally within a network environment. And being the CISO, you see all that; you can pick out, wait a second, this doesn't smell right, or little things. And so being in the role that you're at, the CISO is a very critical role because they come up through the networking or through the software, but they really have a good vision of every aspect of security, and they also have the right people below them and working with them in conjunction together. That collaboration, even all the way down to the developer side, there's paths for everything and it really adds a very secure mix. I'd like to talk about the evolution of software development. Right now AI is huge, people are talking about AI. What do you think about all this new AI stuff that's coming out?

Yaron Levi [00:09:07]:
Well, like anything else, it's a new technology, you know, it's relatively early-ish in our journey, right. You know, it reminds me of the times of, I don't know, the 2008, 2009, 2010 era where cloud started to become a thing. AWS started around 2006, but around '08 or '09, I mean, this is kind of where, okay, people start to adopt it and start to play with it and it starts to come out, you know, kind of similar to how AI came out, but AI came out obviously faster and it's kind of hitting us fast and hard. And I remember conversations from that time that people said, well, there's no way I will ever move my data to the cloud, or it's somebody else's data center, or I'm never going to use it. And things like that. I think I see similarities in AI today. Oh, we are using it or we're not using it. So you always have this spectrum of opinions, from hell,

Yaron Levi [00:09:58]:
no, we're never going to use this, it's going to be the end-all, be-all that's going to destroy humanity, to, oh, actually, you know what? It's the next big thing. Better than sliced bread. So I think the truth is somewhere in the middle, right?

Chris Lindsey [00:10:10]:
Right.

Yaron Levi [00:10:11]:
Relatively. We're still early. We probably can't imagine yet the practical applications and what opportunities that's going to create. You know, cloud, it's not just a different data center, it's a whole business model that was created. If you think about SaaS companies, different apps, DevOps, I mean, a lot of things that were created were a result of this whole as-a-service model, right. And that allowed us to scale, allowed us to innovate. We created a lot of value from a business perspective, and we created some problems, and we also created some new risks. So like everything else, we have to look at the technology, we have to look at the opportunity, we have to consider the risks, and we have to decide what trade-offs we're willing to live with.

Yaron Levi [00:10:56]:
There are going to be some things that AI is going to be great for us, and you can use a lot of that capability, a lot of those capabilities, to accelerate a bunch of different things. Flip side, if you are concerned about data loss, if you are Coca-Cola, you probably aren't going to put your Coca-Cola secret sauce in there. Again, these are trade-offs. You have to make a decision what's right for your business and how to leverage that.

Chris Lindsey [00:11:18]:
With AI, it's now adding complexity to the software development side. Well, it's really adding complexity across the whole spectrum. If you think about the new AI ethical hacking tools. These tools are developed for pen testers internally to be able to test against systems, to be able to find weaknesses in the network, to be able to do things. And one of the jokes that I talk about in regards to these AI, quote, unquote, ethical hacking tools is basically a quote from Maverick, the movie Top Gun. It's the pilot in the box.

Yaron Levi [00:11:53]:
That's true.

Chris Lindsey [00:11:54]:
When you look at the ethical hacking tools, it's really the person at the keyboard. Because what makes it ethical versus not ethical?

Yaron Levi [00:12:04]:
It's a matter of permission and perspective. Right. So, yeah, like you said, I mean, every tool can be used for good and can be used for bad. And I think there are definitely some ways that we can leverage those things for better productivity, acceleration, innovation, to create a bunch of different things, and at the same time, the bad guys are going to use that for bad things. So like everything else, I think we're going to evolve. Cloud security wasn't much of a thing back in 2008, 2009. Now it's a practice. We have tools, we have processes about how to leverage and how to use it.

Yaron Levi [00:12:40]:
So I think, again, we're going to evolve. We're going to learn. There are going to be bumps along the way. Hopefully they're not going to be too disastrous. But it's part of evolution, I guess.

Chris Lindsey [00:12:49]:
Yeah, well, I mean, really with security, it's always a question of when, not if. And we're trying to do our best and kick that can down the road. You know, that's the best we can do. And there are trade-offs. And you bring up a good point because everything evolves. Two years ago, I would sit in front of a whole bunch of CISOs and I would always ask this question, and it was funny because the room would always get dead silent. But my question was, technology is moving at such a quick, fast pace that you have kids that can actually do things today with the scripts that they can go find. They have time, lots of time, and they're just hitting and doing things just because they can. These kids are just attacking things right and left.

Chris Lindsey [00:13:34]:
What are you trying to do within your companies to stay ahead of this curve? And this question was before AI was really kind of known as it is today. And again, that question is so relevant. And again, it would be one of those things where if I were in the room, I would ask the same question. But the difference is, okay, now with AI and all these automations and the speed, the lightning speed, I can go attack with full automation. I just go set it off and just walk away and come back a couple hours later and I'll have stuff that I can start digging in and having a little fun.

Yaron Levi [00:14:08]:
Yeah, that's true. And again, there are new risks and there are new threats. But at the same time, I think we also need to be practical. And if we think about, you know, a lot of the, if we look at, you know, the last, I don't know, 5, 10, 15 years, right. For the most part, by and large, if you think about a lot of the breaches, even like, you know, mega breaches we had, at the end of the day, they all kind of came down to the same thing: exposed credentials, misconfigurations, some vulnerabilities. Right? So, yeah, we kind of have to, sometimes, you know, we tend to run after the new shiny object and the new shiny thing or whatever. But there are so many fundamental things that we have to do, and those fundamentals are not easy.

Chris Lindsey [00:14:49]:
Yeah.

Yaron Levi [00:14:50]:
And sometimes, you know, we don't do them because of, you know, whatever reasons, right. But for the most part, I think if we're going to focus on those fundamentals and make sure those fundamentals are being done right, we're going to be 80% there.

Chris Lindsey [00:15:02]:
Right.

Yaron Levi [00:15:02]:
Look, even if you look, like, again, like I said, many breaches, none of them are really sophisticated. I mean, I'll give you, Stuxnet was sophisticated.

Chris Lindsey [00:15:10]:
Right.

Yaron Levi [00:15:11]:
But how many Stuxnets have we had?

Chris Lindsey [00:15:12]:
Not many, right.

Yaron Levi [00:15:14]:
SolarWinds, you can say, okay, was also sophisticated. But even if you take the MITRE ATT&CK framework, right, you know, and what MITRE did over there, it's not the end-all, be-all. But for the most part, these are the most common methods that have been observed and been used.

Chris Lindsey [00:15:26]:
Right.

Yaron Levi [00:15:26]:
So stop there. Focus on those first. Right.

Chris Lindsey [00:15:29]:
Right.

Yaron Levi [00:15:30]:
So that's kind of where I think we need to evolve and do better in the sense of, okay, yeah, we know there is no longer a perimeter, or just one perimeter. That's one thing, right. I don't necessarily think that, you know, one security team can solve everything for everybody. That doesn't scale either.

Chris Lindsey [00:15:46]:
Right.

Yaron Levi [00:15:46]:
So how do we empower, how do we train, how do we work, you know, with the rest of the community to make sure that everybody's doing their own little thing or whatever they're responsible for, and basically kind of get, like, you know, the economies of scale. Right? So for example, you're a software developer. I expect you to know the OWASP Top Ten if you're developing a web application, right? I expect you to know the CWE Top 25. And for the most part, I mean, if we look at, you know, software development and, you know, vulnerabilities or whatnot, 80, 90% of the vulnerabilities are OWASP Top Ten on the website and on the CWE Top 25. That's it.

Chris Lindsey [00:16:18]:
Unfortunately, you're right. You're absolutely right.

Yaron Levi [00:16:21]:
So it's not that complicated. I don't think we just need to be willing to do that.

Chris Lindsey [00:16:25]:
Well. And when software developers go to school, they're not teaching security. I mean, you're starting to see classes now popping up, or they're doing a semester or, you know, at least throwing a little bit in. But you're right. How many people can you ask, give me the OWASP Top Ten right now? And when you have somebody that's coming in as an intern over the summer or an entry-level developer, you don't really expect them to really have that background. You would hope they would have it, but you don't expect it. And this is part of the problem that we face today. I call it notepad inheritance, where they take some code.

Chris Lindsey [00:16:59]:
It could have problems. It may have SQL injection, it could have command injection, a lot of potential things, and they just copy and clone that code from one method to another to do something new. And that's where your software architects really should be more engaged with the security, because your software architects, being the leaders of the development team and that project, should be able to be more and more security focused. Those guys absolutely need to understand, here are the security vulnerabilities. Here's my threat modeling. Because if they're not doing threat modeling and working with the security team and understanding the threat model with their own applications, you've got bigger problems at that point. And then they can mentor down to the junior guys.

Chris Lindsey [00:17:42]:
Hey, welcome to development. I know you're brand new. You just graduated just recently. Hey, let's sit down. Let's talk about secure programming practices, coding practices, and really help you get to that next level.

Yaron Levi [00:17:54]:
Yeah, and you're right. I mean, at the end of the day, security vulnerabilities are not different than any software defect, just a different type. But it's the exact same thing. And the same way that you manage your technical debt within your software application, you cannot do the same with security. I don't see that as something that is, you know, magical or special or anything like that.

Chris Lindsey [00:18:16]:
Right.

Yaron Levi [00:18:16]:
The only thing is understanding what the risks are, what the threats are. To your point, start with threat modeling. And I think this is an art that has not been taught and practiced enough as part of, you know, software design. But, yeah, do your threat modeling. You're gonna have, we're always gonna have vulnerabilities because of many different reasons. I mean, you know, coding practices, you know,

Chris Lindsey [00:18:36]:
what have you, stuff sneaks through.

Yaron Levi [00:18:39]:
Yep.

Chris Lindsey [00:18:39]:
Yeah.

Yaron Levi [00:18:39]:
Technologies, part of technology is vulnerabilities, misconfigurations, etcetera. So, yeah, I mean, continuously we have to monitor for those. And when you come across something, we check and see, okay, what are the risks that we have with that, and make those decisions.

Chris Lindsey [00:18:54]:
Right.

Yaron Levi [00:18:54]:
And sometimes, I mean, we'll have to prioritize maybe some of the business functionality, and sometimes we have to prioritize the defect, you know, resolution. And as long as we find the right balance, for the most part, we should be okay.

Chris Lindsey [00:19:06]:
Right.

Chris Lindsey [00:19:07]:
Well, one thing that you guys can. Well, not you, I mean, 'cause I know you guys are doing amazing work, but the industry, right, the developers, the security, is bug bounties. I mean, think about the benefits that bug bounties bring. Have you been or worked with a bug bounty program previously?

Yaron Levi [00:19:22]:
We have, we have an open, what's like a public disclosure, you know, policy and things like that. But yeah, I mean, like, I think every time you get an opportunity and things are being found, there's an opportunity for you to become better.

Chris Lindsey [00:19:34]:
Right.

Yaron Levi [00:19:35]:
As long as you plan for it and as long as you can manage it properly and you are staffed. I mean, to deal with that. Sure. I mean, you can find a lot of interesting things. Yes. There's also a lot of noise that kind of hitting you. But for the most part, I don't know, call it like a free pen test.

Chris Lindsey [00:19:50]:
Exactly. And when you can take those 12- and 14-year-olds that have all this free time, that are experimenting and learning and, you know, the kids, I call it the Minecraft generation, where they have so much time that they're just sitting there digging and digging and digging. And that's what Minecraft is all about, is digging and finding things and building things, to be able to take that energy and pen test and hack and go against things and try to find something. And when they do, you're right, the new disclosure laws and the things that companies are doing make it effective. Gives you the ability to say, you know what, you went against our production environment. You didn't get anything serious, but disclose it to us. We appreciate it, because in the old days, companies would get very upset, very, very upset when somebody did something, and instead of taking the information and saying please share with us, they'd send litigation paperwork their way. And that's just never any good.

Yaron Levi [00:20:47]:
Well, I think we have new and better platforms these days in the industry to do that, you know? Yeah. If you just kind of even walk down the street and just try to open every neighbor's door and see if you can get in or not, they're going to be pretty upset. Right. I mean, so probably don't do that. But I mean, if there is a platform out there that will allow you or actually invite you to go and say yes, come and check us out and tell us, you know, how we do. And you do that responsibly, because a lot of those systems have not just sensitive information, but it can have impact on people, functionality or whatnot. Yeah, I mean, on one hand you want to know when you have vulnerabilities and problems; on the other hand, you don't want to be down because, you know, everybody can just kind of bring you down all the time.

Chris Lindsey [00:21:29]:
Right.

Yaron Levi [00:21:29]:
So there are responsible ways to do that and not just kind of for trying and kind of making a point. Right?

Chris Lindsey [00:21:35]:
Yeah.

Yaron Levi [00:21:35]:
And, yeah, I mean, that's helpful. That's helpful, I think, is overall, you know, contributing, and that's also compensating the researchers. But, yeah, I agree. I think it's better these days that we have platforms to do that in a responsible manner. As long as it's responsible and people work together, it's usually okay.

Chris Lindsey [00:21:52]:
So any of the companies or team leads that are listening to this, think about setting up an environment that you can use for bug bounties. There's groups called Bugcrowd and other groups that are out there that are out just trying to help you be better. And by setting this environment up, it gives you the ability to have people test against it, you know, as Yaron and I were talking, without any downstream bad effects, no DoS attacks against you or anything that could be accidental. So I want to change topics slightly. So, you know, one way that you can really build good collaboration and communication is tabletop exercises. And the value that those bring is huge, because when you do have an event and you've done your tabletop exercises, instead of the initial shock and awe of, wait a second, something bad has started or something bad is going on, what do we do now? It's actually a matter of, okay, we've identified this event is now going on, a ransomware or some event, some adverse event, and let's hit the ground running. Let's deal with it.

Chris Lindsey [00:23:00]:
The difference is between your house being completely burnt down or maybe a room burns down instead of the whole thing.

Yaron Levi [00:23:06]:
Yeah. And we are doing those always in different places. Right. So if you live here in the Midwest, you know, we have tornadoes, so we have tornado drills, whether you are at school or with the kids or whether at work. But from time to time, we do tornado drills or we have, like, you know, building evacuation, because, like, fire drills or whatever the case may be. This is how the military trains. Right. You're running drills over and over and over again. Because when the real thing happens, people rarely rise to the occasion.

Yaron Levi [00:23:34]:
They sink back to their training.

Chris Lindsey [00:23:36]:
Right.

Yaron Levi [00:23:36]:
And into their instincts. And I think the reason that we are training so much is because that's how you build that instinct, that's how you build that muscle memory then, such that you don't have to even think when you need to react to those types of situations.

Chris Lindsey [00:23:49]:
Right.

Yaron Levi [00:23:49]:
And, you know, security is no different. You definitely don't want to deal with a breach the first time it ever happens.

Chris Lindsey [00:23:54]:
Right.

Yaron Levi [00:23:54]:
The reason that, you know, I think a lot of people make bad decisions, it's because usually it's under panic. And what is panic? Panic is where you're faced with a situation and you don't have the program up here to know, to tell you what to do.

Chris Lindsey [00:24:07]:
Right.

Yaron Levi [00:24:08]:
Are you going to run or are you going to stay and fight? But if you practice and you train and you simulate, I mean, those scenarios, then, yes, you kind of build that muscle memory and that knowledge inside, and then you can react much, much better. Same thing is like, hey, you don't take like a pilot and you just send them to read a book. And after that read a book, you know, take off with a plane full of passengers. That's probably not going to end well. No, but, you know, you train them a lot on different things. And even when they're trained, I mean, there are ways for them to gain enough hours and practice before. I mean, they get completely loose running a simulator, and then they can, quote unquote, crash the simulator like a hundred times, but then learn from each one of those times. So when the real thing, when happening, they know how to deal with it.

Yaron Levi [00:24:51]:
So I'm a big believer in simulations, you know, tabletops, you know, what have you, and over the years, I've seen a lot of good value coming out of that for the security teams.

Chris Lindsey [00:25:00]:
One of the tabletops that I've run in the past, we actually only let two or three people know that we were doing it. The director of support, the networking director, and of course, the CISO. And what we essentially did is we just called the support desk. We actually set up a whole new environment, and we mimicked a ransomware attack. We didn't actually kick one off, but we mimicked it. And it was one of the not normal ransomware type variants that were out there. And what we did is we just had somebody act like the customer and called support and said, hey, I'm seeing this weird oddity. Can you help me? And what we learned was the amount of time.

Chris Lindsey [00:25:36]:
And when we did that event, we had a stopwatch, we clicked the button, we started counting, and by the time we got to the right group and actually identified what was going on and where we should have been, the whole place was basically gone. And had we actually had real ransomware event, it was terrible, but we learned a lot from it. We learned where the mistakes were, we learned where a lot of the hiccups were. We learned from the time that the support person started getting the phone call and the paths that they went down. We identified deficiencies within our own documentation, and so we were able to beef it up and talk about it. And the next time we did this random event, we had multiple shifts, daytime, nighttime. We kicked it off again after a couple of months, and we did the same event, but slightly different that way. It wasn't the same scenario, but we called the night shift people and we said, hey, I'm a customer.

Chris Lindsey [00:26:30]:
I'm seeing this weird thing. You know, my files show that they're encrypted. What do you know? And by the time it got to the right people and the right people did the right thing, it was kind of my analogy earlier. It was just a small footprint of what would have been affected versus the whole environment being taken down.

Yaron Levi [00:26:49]:
Yeah, 100%. And Mike Tyson, who was a boxer, once said, everybody has a plan until they get punched in the face. And I think by doing those exercises and simulations, you can actually test all of your assumptions and actually, through real life simulation, see, okay, is our response enough, is our response time enough, right? And all of that. So, yes, we make a lot of assumptions when we plan and build things. It's kind of the nature of the beast. I mean, you don't really kind of have much choice because you don't have all the information. But now when you test it and you see how it operates in real life, like I say, okay, well, we need to make some adjustments here and there.

Yaron Levi [00:27:25]:
And I think those simulations give you, like, great empirical data that help you to make those decisions.

Chris Lindsey [00:27:30]:
Can you share a little bit of what your CISO role, not for where you're at now, but a typical CISO, how you would play in that space.

Yaron Levi [00:27:38]:
Yeah. So I think when you think about the role of a CISO, it's a relatively young profession. We have only been doing it for 20 ish years, and we don't really have a standard for security. We have a lot of frameworks, but we have a lot of opinions. But I don't think there's one standard that I can point to and say, hey, everybody kind of practices the same, right? If you're in the financial space, let's say take the CFO, take the finance department. They have the GAAP rules, the generally accepted accounting practices, and for the most part, everybody kind of follows the same GAAP rules. And if you ask two CFOs, how you run your finance department, you're probably going to get 80% the same answer and maybe there are 20% differences, right. You take two CISOs and ask, hey, how do you run security? I mean, you're going to get completely two different answers.

Yaron Levi [00:28:24]:
Right. So I think this is still evolving as a profession and, you know, kind of what we do with that. I think also organizations, many of them are still not exactly sure what they want from their CISO and, you know, what that role is and where should it be? You know, we're seeing CISOs reporting to CIOs for the most part. I mean, that has been kind of more traditional reporting. Some report to general counsel, some report through finance, some report them in two different places, some report directly to the CEO. I think we'll start seeing some changes. But for the most part, I think the role has been viewed predominantly as the technology, technology role or part of it. I think when I think about the CISO role in general, CISOs, for me, they're advisors.

Yaron Levi [00:29:05]:
They're advisors to the business of how to enable the business and how to help the business take and manage risk, but providing that, I mean, providing the security expertise from that. And what does that mean for them? Now when we talk about security, it also includes like regulatory, you know, and things like that. So not being compliant with the law, it's a form of risk or threat to your organization. Right. Because regulators can shut you down, they can fine you, they can do a bunch of different things. So that's another risk that you have to consider and you have to manage. Right. As you build something or deliver your service.

Chris Lindsey [00:29:40]:
Yeah.

Yaron Levi [00:29:40]:
The other thing is, again, there are many risks and there's never going to be perfection. There's always going to be some kind of level of exposure. And even more than that, businesses must take risks in order to advance, I mean, to work to deliver their mission.

Chris Lindsey [00:29:55]:
Right.

Yaron Levi [00:29:55]:
The question is how do we help the businesses to take risks responsibly and also help the business to reduce risk? That is not necessary.

Chris Lindsey [00:30:02]:
Right.

Yaron Levi [00:30:03]:
So I think, you know, a lot of it is, as we talked about the foundations before, right. Help the organization build a foundation such that they can operate and deliver the mission, take the risks and so on. But having those foundational protections in place on top of that governance, risk and compliance, we have to deal with that because it's not just the compliance side of things, but also managing the risk and putting the governance in place, policies or whatnot. And with the governance, risk and compliance, we help the organization to assume risk or to take more risk as needed for the business. On the flip side of that, we have the whole defense posture, which is essentially how we proactively reduce risks, vulnerability scanning, incident response, application security, all of that defense is helping us to reduce unnecessary risk.

Chris Lindsey [00:30:47]:
Right.

Yaron Levi [00:30:48]:
And then on top of that, there's culture, because at the end of the day, everybody has part of the security program. And like we said before, if you're a developer, I expect you to know what the OWASP Top Ten is. Maybe you don't need to know exactly the whole network segmentation and routing protocols. Okay. I mean, it's good if you do, but the OWASP Top Ten for sure, you need to know. Right. And then also community. And I think this is probably the best thing we have in security, that we have that community.

Yaron Levi [00:31:15]:
We have the people we can share, we have the people we can learn from. And I think we need to build those communities inside the organization as well as communities outside of the organization that we can share, collaborate and, and, you know, share that knowledge. And when we think about all of that is really how do you build the relationships? How do you work across the organization at all levels, from executive management, I mean, down to the frontline engineers and employees, and really, again, help them. You're there to help and enable the business, help the business take risk, help the business reduce risk. And at the end of the day, you really help the business to help make decisions about how much is good enough.

Chris Lindsey [00:31:52]:
Right.

Yaron Levi [00:31:53]:
Because like I said, there's never going to be 100% right. You don't want to be in a position that you're ignoring completely and you're being negligent.

Chris Lindsey [00:32:01]:
Right.

Yaron Levi [00:32:01]:
Right. So you want to find, okay, what are the foundation, the things that we have to do, and then build that or manage the risk to a level that the organization can manage and make sense. And as long as you are thoughtful about it and intentional about it and pragmatic about it, then you can make a decision. How much for your organization is good enough?

Chris Lindsey [00:32:20]:
I'm going to ask you two questions and I'm just curious what your thoughts are.

Yaron Levi [00:32:25]:
Sure.

Chris Lindsey [00:32:26]:
What is the best advice that somebody has ever given you regarding security?

Yaron Levi [00:32:30]:
Oh, wow. I guess that you're always a noob and never stop learning because the field changes so much and there's so much to learn to know. I don't think there's anybody who is an expert per se, if you will. And as long as you keep learning and keep yourself up to date on what's going on, by talking to people, you know, by teaching others, by collaborating, going to those conferences you mentioned, like BSides, Oaspino, places like that, great places. I mean, to go and collaborate and learn. Never stop learning because otherwise you're going to get stale. That's what I'm finding, like, really helpful.

Chris Lindsey [00:33:01]:
That's rock solid right there. I mean, if you're not moving forward, you're falling behind. I hate to ask this, but what's the worst advice you've been given?

Yaron Levi [00:33:12]:
It will be okay.

Chris Lindsey [00:33:13]:
Just go home. It's 5:00.

Yaron Levi [00:33:15]:
It's good. The worst advice, I think the worst advice was, I don't think it's advice, but like, it was a perception, perhaps by somebody I ran into throughout my career, that security is really kind of, you know, the police, the enforcer, and everybody has to go through security and we have to approve and, you know, and bless everything. And that's not right. It's not right because first of all, we can't scale, you know, and the second thing is that our job is not to go around and punish people who kind of misbehave. I mean, that's not our role. Right. We are kind of more like the military, not the police, if it makes sense. So our goal, I mean, the reason that we can sit here and have a conversation in a relatively safe environment and whatnot, is because there are a lot of service members who defend this country, who defend this from external adversaries such that we can sit and have this peaceful and safe conversation.

Yaron Levi [00:34:05]:
Security, in my mind, is kind of a similar thing. Right. How do we help secure the organization such that we enable the organization to go and deliver and work on what they need to do as opposed to go and try to, quote unquote, punish everybody who misbehave, you know, and things like that.

Chris Lindsey [00:34:21]:
Right.

Yaron Levi [00:34:21]:
I think there are some times where as an industry, we kind of shoot ourselves in the foot a little bit when we kind of have this kind of gotcha mentality. But I think this is something we need to get beyond and get over with.

Chris Lindsey [00:34:33]:
So, Yaron, this has been an amazing conversation. I know you and I could probably speak for hours upon hours of the role of CISO and programming and security. But thank you so much for taking your time to come and speak to our podcast community. And I really appreciate you coming and doing this.

Yaron Levi [00:34:51]:
You're very welcome, Chris. Thank you for having me. It was a lot of fun and yeah, happy to be back anytime.

Chris Lindsey [00:34:56]:
Thank you so much. You have a good rest of the day and for everybody watching. Thank you. Thank you so much for joining me on this episode of Secrets of AppSec Champions. If you found this valuable, hit that subscribe button on Apple Podcasts, Spotify, or wherever you get your podcasts. And hey, ratings and reviews are like gold for us. So if you're feeling generous, please leave a kind word. It helps others discover our show.

Chris Lindsey [00:35:23]:
Until next time, take care.