CYBER DEFENSE SUMMIT 2021 IN REVIEW
DEFENDING THE NEW NORMAL

EDITIONS

EDITION ONE - INSIDER THREATS, MANDIANT ADVANTAGE & COUNTERING RANSOMWARE

EDITION TWO - RANSOMWARE AND MULTIFACETED EXTORTION
This issue of CDS in Review focuses on ransomware from many different perspectives.

EDITION THREE - DETECTION, RESPONSE & SECURITY VALIDATION
A closer look at how advances in software are benefiting teams both large and small on their path to improvement.

EDITION FOUR - INSPIRING SECURITY LEADERS OF TOMORROW
This edition highlights some of the many people discussions that took place over the two-day event, including how to develop future leaders.

EDITION FIVE - CONSIDERATIONS FOR BREACH DISCLOSURE
This edition of Cyber Defense Summit 2021 in Review focuses on breach disclosure, providing guidance and lessons learned.

EDITION SIX - PREPARING FOR THE FUTURE
Our final edition of Cyber Defense Summit 2021 in Review focuses on how organizations can prepare themselves when faced with an attack.

Coming soon: a recap of Cyber Defense Summit 2021 and, for a limited time, keynotes and breakout sessions on demand. The full content from Mandiant Cyber Defense Summit 2021 is available to watch on demand.
EDITION ONE - INSIDER THREATS, MANDIANT ADVANTAGE & COUNTERING RANSOMWARE
In this week’s Cyber Defense Summit in Review, catch up on the latest Mandiant news, learn about new and forthcoming Mandiant Advantage releases, and listen to a former CIA Intelligence Officer describe the evolving human hacking methodologies currently used by threat actors. Our feature interview this week is with Anne Neuberger, Deputy Assistant to the President & Deputy National Security Advisor, Cyber & Emerging Technology, who discusses ransomware and how the U.S. Government is planning to counter it.
FEATURE VIDEO
Confessions of a CIA Spy – The Art of Human Hacking
Peter Warmka, Founder, Counterintelligence Institute, LLC and former CIA intelligence officer, demonstrates several advanced social engineering techniques used by attackers to gain insider information, and how to mitigate the risk to your organization, in this highly informative and engaging presentation from Cyber Defense Summit 2021.

FEATURE ARTICLE
Leading From the Front: How the U.S. Federal Government Plans to Counter Ransomware
This week’s feature article spotlights the three-part cyber security strategy in operation at the Federal Government and how it is forming the framework for countering ransomware. The article also features a Q&A session recorded at CDS with Anne Neuberger, Deputy Assistant to the President & Deputy National Security Advisor for Cyber & Emerging Technology, and Kevin Mandia, CEO and Board Director, Mandiant.

MANDIANT ADVANTAGE
Mandiant – Your Cybersecurity Advantage
Over the last 12 months, Mandiant Advantage has developed into a comprehensive Extended Detection and Response (XDR) solution. Find out what’s on the agenda for 2022 and beyond in our summary of the mainstage presentation by Mandiant’s Chief Product Officer, Chris Key.

BYTE-SIZE VIDEO
The Mandiant Mission in 2022 and Beyond
As we come to the close of another challenging 12 months for the cyber security industry, Kevin Mandia, CEO and Board Director, introduces Mandiant’s vision and direction. View the short video on this page or click below to access the full Cyber Defense Summit keynote presentation (sign-up required).

MANDIANT ADVANTAGE – AN INTRODUCTION
Mandiant Advantage: New and Upcoming Releases
The Mandiant Advantage platform is built on the belief that effective security is not based on controls alone, but on the expertise and intelligence behind them. Our consultants consistently find that the most effective security outcomes after an attack depend on the expertise interpreting the signal and managing the controls, and on the intelligence providing the context. The challenge is that expertise doesn’t scale naturally, and this is where Mandiant Advantage shines. Our platform scales our expertise and intelligence through automated solutions, to augment and act as a virtual extension of customers’ security teams.
The Mandiant Advantage SaaS platform was launched last year with the Threat Intelligence module. Mandiant Advantage is now a multi-vendor XDR solution, designed to work with existing tools within a customer’s environment. In addition to Threat Intelligence, our suite of modules now includes Security Validation and Automated Defense.
Watch the full Mandiant Advantage presentation from CDS
Threat Intelligence
Launched 12 months ago, our Threat Intelligence module gives organizations a view of threats directly from the frontlines of incident response. Mandiant conducts 200,000 hours of breach response a year. We also have a robust global adversary intelligence system, as well as machine intelligence from our partners and operational intelligence through Managed Defense. This data enables us to provide every customer with a specific view of the top threats targeting them at that moment and where they should focus their security efforts. On average, Mandiant tracks attackers and provides intelligence to our customers two and a half years before they are made publicly available via OSINT or news articles. Partnering with Mandiant for Threat Intelligence delivers an unrivalled frontline view of the threat landscape.

Security Validation
The Mandiant Security Validation module enables customers to truly understand the potential outcome of an attack before it happens by emulating the latest attacker behavior safely in the production infrastructure. The resulting incident response report helps organizations answer the following questions about that possible attack:
• What am I going to block?
• What am I going to detect?
• What am I going to miss?
• What will an attack look like?
Security teams can use validation data to focus on remediating vulnerabilities and continuously and quantifiably prove their security effectiveness. The Mandiant Security Effectiveness 2020 report revealed that 75% of attacks processed through Mandiant Security Validation were not blocked or detected—mainly because of misconfigured tools. Environmental drift, one type of misconfiguration, evolves naturally over time as an organization adopts new technologies. These new technologies mean the security environment itself is constantly changing. To help keep pace, Security Validation provides essential data on the security environment continually, overcoming the risks of point-in-time references.

Ransomware Defense Validation
At Cyber Defense Summit 2021, Mandiant announced a soon-to-be-released product that specifically targets and tests an organization’s defenses against ransomware. Safely deploying real ransomware from the field and running tests through Mandiant Security Validation, Ransomware Defense Validation provides the data teams need to answer questions around their control readiness to respond to threats such as Darkside and other ransomware families operating right now.

Automated Defense
Automated Defense detects and responds to incidents at machine speed, delivering Mandiant expertise at scale to the SOC. Without the automation of alert triage, remediation and response, staff capacity limits how much data organizations can consistently process. The decision and machine learning models in Mandiant Advantage that automate these processes have been trained on, and based on, how our experts respond to threats. They continuously adapt to new threat intelligence and to information from within the customer’s environment. Data is processed consistently, at speed and scale, dramatically reducing the number of priority investigations escalated to the attention of in-house experts.

Active Breach & Intel Monitoring
In January 2022 the Automated Defense module will add Active Breach and Intel Monitoring. This product correlates our latest threat indicators with security data from a customer’s environments. As Mandiant experts identify new threats, the indicators of compromise (IOCs) are compared against information in customer logs, events and alerts in real time, as well as against historical records.

Attack Surface Management
Another powerful capability added to Mandiant Advantage helps organizations continuously see themselves through the eyes of an attacker. Attack Surface Management fully maps an organization’s entire environment, including partner and third-party entities, and alerts teams to potential threats. As an organization’s infrastructure changes, this module detects points of exposure in near real time. This module integrates with the Mandiant Advantage offering to increase the effectiveness of the entire platform.
The Mandiant Advantage SaaS platform will continue to add critical capabilities our customers need. All products are available as SaaS technology for organizations with large teams who can operationalize it themselves. While organizations with greater security maturity can operationalize Advantage more readily, Mandiant also offers an always-available expert-assisted service that provides essential support. It can be packaged with our consulting solutions deployed as a fully managed service, where Mandiant experts handle all of the day-to-day security operations and alert you as needed.
FEATURE ARTICLE
Leading From the Front: How the U.S. Federal Government Plans to Counter Ransomware

At Cyber Defense Summit 2021, Anne Neuberger, Deputy Assistant to the President & Deputy National Security Advisor for Cyber & Emerging Technology, described how the Government was tackling ransomware with a three-part cyber security strategy.

1. Modernizing Defenses
The President recently signed off an executive order to rapidly roll out technologies to reduce the risk of a successful ransomware attack across the Federal Government. This includes multifactor authentication, data encryption, endpoint detection, deployment of a fully manned security operation center, and logging to detect anomalous activity. The executive order also requires that all software purchased by the Federal Government should be developed using secure practices in a secure development environment, and urges all organizations to do likewise.

2. Leading and Leveraging International Partners
Cryptocurrency, together with the location of criminal actors and their infrastructure, means that ransomware is a transnational issue. International cooperation is therefore critical to disrupting ransomware attack infrastructure and holding countries who harbor ransomware actors accountable. Demonstrating the Federal Government’s commitment, the National Security Council will be hosting 30 countries to discuss a counter-ransomware initiative and build international partnerships.

3. Competing in Cyber and Other Important Technologies
The Federal Government recognizes that becoming more competitive in cyber and other important emerging technologies that shape the future of the industry (such as 5G, artificial intelligence, microelectronics and quantum computing) is critical to transforming cyber security efforts. Building more secure systems, classifying malware to understand anomalous and potentially malicious activity, and building a more secure model for the future of the internet are high on the agenda.

Watch the full Q&A session with Anne Neuberger and Kevin Mandia
View the full content from Mandiant’s Cyber Defense Summit 2021
EDITION TWO - CYBER DEFENSE SUMMIT 2021 IN REVIEW
Throughout Cyber Defense Summit 2021, ransomware has been a key topic. This edition focuses on ransomware from many different perspectives including a Government agency, the private sector and Mandiant’s technical experts to ensure you have the information you need to defend your environment.
KEY VIDEO
Multifaceted Extortion: Defending Your Environment
Jurgen Kutscher, Executive Vice President, Mandiant Services Delivery, and Nicholas Bennett, Vice President, Mandiant Consulting, share their expertise from the frontlines of incident response and provide advice on how to develop effective cyber defenses.

BYTE-SIZE VIDEO
Ransomware: The Cybersecurity and Infrastructure Security Agency’s Perspective
Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency (CISA), discusses the agency’s position on ransomware and how organizations can counter the problem. View the short video on this page or click below to access the full interview.

FINANCIAL THREAT GROUP INSIGHT
FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets
Access the latest comprehensive report on FIN12, the financially motivated threat actor currently impacting the healthcare sector.

Why Multifaceted Extortion is a Critical Threat
Kevin Mandia, CEO and Board Director, Mandiant, defines the difference between ransomware and multifaceted extortion, highlighting how threat actors are leveraging their strengths to cause major disruption to organizations.

A CISO’s View on Ransomware
The Eventuality of Ransomware: Preparedness & Prevention
Gopal Padinjaruveetil, CISO, Auto Club Group, joins us for a discussion on ransomware, including how to prepare for an attack and the use of Security Validation to improve defenses.

The Eventuality of Ransomware – A CISO’s View
Gopal Padinjaruveetil, CISO, Auto Club Group, has over 30 years of experience as a CISO, cyber security strategist and thought leader. During Cyber Defense Summit 2021, Mandiant asked Gopal to share his perspective on how to prepare for a ransomware attack.

How has the pandemic affected you as a CISO?
We have 10,000 employees and other partners; suddenly we had to send everybody home. This pandemic has resulted in every home becoming a data center with computers, wi-fi networks and routers, so instead of having 2 data centers, we now have 10,000 – any of which can be compromised.

What would be the impact of a ransomware attack on your company?
We are a B2C company and similar to a first responder, because when you are stuck in a blizzard in the middle of a road, we are the first people you call. We also have insurance and banking. If we were the target of a ransomware attack, approximately 14 million members would be impacted. That’s when you start thinking about resilience – how you bounce back from an attack. The key thing is to have a plan for an attack, practice it and prepare.

Why is Mandiant Security Validation important to you as a CISO?
Most of us have undertaken red teaming, but I wanted to do red teaming anytime I wanted, and I can now do that with Security Validation. As a CISO, I want to seek the unknown and make as much of it known as possible to get visibility into the kind of attacks we may be facing and whether we are prepared, so we can incrementally improve our defenses. Security Validation gives me that. For example, we had an EDR tool and wanted to switch to something different, but I wanted to undertake a proof of value using the Security Validation platform before we bought anything – so we took APT39 and tested it to see what each potential vendor was detecting and blocking. That has made a real difference; we are no longer relying on product brochures, we are live testing software to give us confidence that it works.

How do you communicate the data you receive from Security Validation to the rest of the Board?
You need to transform your data into the language individual people on the Board speak to make it meaningful for them. If I am talking to a CFO, I think about how I turn my data into a probable loss value. If I am speaking to the CEO, I need to concentrate on what impacts business growth. You also have to stick to defensible facts. You need to be 100% confident in your data, so when I use Security Validation, I am placing my trust in Mandiant, trusting that the data is accurate.

How do you deal with the reality that at some point you might get attacked by something you haven’t seen before?
The problem we have in cyber security is not the ignorance of cyber security, but the illusion of cyber security. I always recommend actively seeking what you don’t know, because you want to know the unknown before the bad guys do. That’s where resilience comes from. Ultimately, we should share our knowledge throughout the industry and with our peers. When you go to the dark web, the bad guys are sharing their knowledge, so why don’t we share ours? By doing this, we pull things out of the “unknown-unknown” quadrant, which helps us prepare for the future.

How do we address ransomware in an eventuality paradigm?
As a CISO I break things down into what’s in my control and what isn’t. When I became CISO at Auto Club Group, I reorganized my team so that we have a group of people who are dedicated to risk management, another team focusing on identity and access, and a team concentrating on threat management. Together, we actively undertake threat hunting on a regular basis. Another thing we focus on is our timing. We practice and measure the time we take to respond to an incident as a team to see how we perform and how we can improve.

How do you communicate to the Board that they are, or could be, the target of ransomware?
Never tell your Board that your company is 100% secure. Never over-promise that you are invincible. Use metrics that they will understand. Be honest and use data that is defensible. Engage the Board with cyber security. Update them on what’s happening in the industry, how it affects them, and how you are preparing for a potential attack.
EDITION THREE - CYBER DEFENSE SUMMIT 2021 IN REVIEW
One of the focal points of this year’s summit was to enable organizations to better defend their environments and be more confident in their security readiness. This week’s Cyber Defense Summit 2021 in Review takes a closer look at how advances in software are benefiting teams both large and small on their path to improvement.

Nation State Threats – Past, Present and Future
Kevin Mandia, CEO and Board Director, Mandiant, interviews Sue Gordon, Former Principal Deputy Director of National Intelligence, on national security in a disrupted world, and discusses how diplomatic outreach and international co-operation are becoming increasingly important for the cyber security sector.

Achieving Success as a Small Security Team
With a wealth of cyber security experience behind him from both large and small enterprises, Darin Remington, Senior Information Security Engineer, Ultimate Medical Academy, details how he transformed cyber security at the University with the support of Mandiant Automated Defense.

PRODUCT INSIGHT
Protecting Against Darkside Using Threat Intelligence-Led Security Validation
Discover how the Mandiant Behavioral Research Team deployed threat intelligence, including behavioral analysis and TTPs used by the Darkside threat actor group, to create content and validate security controls against this malicious force.
Business Insight: Achieving Success as a Small Security Team

Despite defending against similar threats, smaller organizations face different pressures to those at enterprise level. During the Mandiant Cyber Defense Summit 2021, Dan Lamorena, VP, Product Marketing, Mandiant, spoke with Darin Remington, Senior Information Security Engineer, Ultimate Medical Academy, to further understand these pressures and how to combat them.

The Ultimate Medical Academy is a non-profit online healthcare educational institution, offering students a comprehensive, accredited healthcare education. Having recently undergone a step change in the organization’s attitude to cyber security, Darin describes how he set his team on the path to success, transforming operations with the help of Mandiant Automated Defense.

Transforming Employees into Defenders
After recognizing the need for a culture change within the University with regards to cyber security, Darin quickly started working with departments to gain their trust and commitment. “If you are trying to change the culture of the company security-wise, you have to get out there and talk to the other department heads, talk to leadership and get them to help you to start changing the culture, otherwise it’s just an uphill battle all the way,” says Darin. “Educating your users is extremely important because they start fighting your battle for you by not clicking on that link or plugging in that USB they found in the parking lot.”

Acting as part enabler and part educator, Darin and his team started to run and track phishing campaigns, using security awareness training software to track the percentage of phish-prone emails that were opened by employees. Within 9 months, they improved their metrics from 27% to 5% and are now at 3.2% against an industry average of 4.5%.

Building New Foundations
Understanding his own team’s strengths and weaknesses, Darin instilled a practice of rotating their roles on a regular basis, giving them exposure to many different aspects of cyber security and access to the training they needed. Daily meetings are now commonplace and are a platform for exchanging information as well as presenting opportunities to cross-train, helping them grow, learn more about the business and achieve job satisfaction. With budgets under pressure, Darin took the decision to move away from the University’s incumbent MSSP, opting to integrate Mandiant Automated Defense into their environment to deliver the scale, data processing accuracy and visibility of incidents they needed without draining the team’s resources.

Despite finding it difficult initially to wholly trust the software to accurately identify incidents, Darin has verified that Mandiant Automated Defense has “not missed anything yet” and his team are able to use the results and the relationships between data points to improve their capabilities and skill base. “Automated Defense hasn’t decreased our headcount, it has given us more power into the ability to see data and know what is a false positive, it allows everybody on the team to focus on other aspects,” said Darin. “A product such as Automated Defense frees up your people to learn more and make them better security analysts.”

“When we first bought it, we hadn’t seen a product like this ever,” comments Darin. “Other products are not able to take in different types of proxies or EDR solutions, whereas you guys (Mandiant) are, and that’s what makes your product stand out. Smaller/medium companies are building, they can’t afford to spend $1.5m on a full installation; what they can do is use their legacy routers and servers or their legacy proxies, and you can feed that information in and make it relevant to the customer who has it.”

Automated Defense is part of the Mandiant Advantage platform of SaaS-based security solutions that can be deployed as technology only, expert assisted, or as a fully managed service. More information on Mandiant’s full product suite is available online. Access the full Cyber Defense Summit interview with Dan Lamorena and Darin Remington online.
EDITION FOUR - CYBER DEFENSE SUMMIT 2021 IN REVIEW
Despite concerted efforts to transform and evolve, the cyber security sector suffers from a reputation of long hours, high pressure, employee burnout and difficulty attracting women into the profession. If we are to continue the progress we are making today, we need to encourage diversity and inspire the security leaders and professionals of tomorrow. This week’s Cyber Defense Summit 2021 in Review highlights some of the many people discussions that took place over the two-day event, including how to develop future leaders, career advice from our expert panel, and how to deploy effective recruitment strategies.

You’re The New CISO/Security Officer, Now What?
Steve Cobb, CISO, One Source Communications, shares how newly appointed security leaders can become more efficient and effective in their role. With a focus on mastering C-suite interaction, managing budgets and prioritizing activities, Steve identifies how practitioners can build strong foundations for a successful career in cyber security.

Elevating Women in Cyber Security: Q&A with Industry Leaders
Over the course of two engaging sessions, we held discussions with six inspiring women in cyber security who spoke about their experience and careers. This article highlights some of the insight and advice imparted.

Recruiting in Cyber Security
Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency, shares her plans for building a new talent management system aimed at attracting and retaining cyber security staff at CISA.

MANDIANT INSIGHT
Threat Intel and Rapid Response: The Mandiant You Don’t See
Mandiant relies on many behind-the-curtain teams to effectively and rapidly respond to incidents. Learn more about our experts and how they create, use and deploy threat intelligence via the Mandiant Intel Grid.

Inspiring Future Leaders
Every day we learn from those around us; we are molded, shaped and formed by our peers in our quest to become better employees and better leaders. Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency, shares who has inspired her over the years and how her career has evolved during her employment in both private and public sector organizations.
Alicia Lynch, CISO, Cognizant: “The first thing is having a plan of what I wanted to do to get to where I am today. It’s good for all of us to have a plan – where you want to be in your life? I wanted to be a CISO, so one of the things I put on my plan was to go to school and get an MBA. The second thing is to know your craft and be the best at it. The third thing is to have confidence in yourself. A lot of the reason today why women don’t hold more senior positions is confidence. If you can’t build confidence in what you are doing today, reach inside yourself so you can move to the next level.” Alexandra Heckler, CISO, Collins Aerospace: “Know the limits of your skills and find a partner who has opposite strengths. When you find people with complementary strengths, you can accomplish a lot more together. The second thing is that healthy people ask for what they want. One of the things I started doing early on in my career was take advantage of various opportunities to apply for other jobs. I had no plans to leave my role at that point, but I would go and participate in the interviews just to understand what excited me about those jobs and what benefits they had. Then I would go back to my boss and ask what we could do to change my job to accommodate more of what I wanted.” Camille Stewart, VP Google Product Security Strategy, Google: “Own what you don’t know as much as what you do know. You learn so much by being honest about the limits of your expertise or experience and you also gain credibility. I make it my business anytime I start a new role to understand what everyone else does – what they do, why they do it, what they think my team does and how they expect my team to support. I leverage that to approach communications and develop strategies to problem solve.” Aylea Baldwin, Sr. Manager Threat Detection Threat Intel, Reddit, Inc.: “I feel like one of my biggest challenges was myself. 
I am still my biggest critic and how that manifested earlier in my career was the perception that I lacked confidence in what I could do. The biggest challenge for me was to keep my personal standard personal. As I was presenting my work and telling my manager that I could do better, it came across that I lacked confidence and wasn’t the right person for a managerial job. I realized that I was doing this after a conversation with a manager of mine and I had to dig down and present my work as the good work it was.” Camille Stewart: “Own all of your interests and prepare yourself for a career that is multifaceted and multidimensional. Taking the opportunities as they come and speaking out about what you want is really important. Opening yourself up to new opportunities, to new skill sets that may not seem completely aligned to what you are doing now, could lead you to some of the most exciting opportunities you have ever had.” Aylea Baldwin: “Going hand in hand with the idea of vocalizing your intentions and what you want, also build relationships with people because they then get to recognize those things and understand that you are a person who is viable for something. People who understand your goals and what you want could work very well for you.” Alexandra Heckler: “You need to stand behind your values, let your team know that you are willing to take a big swing and not accept bad behavior. That’s what we all as leaders need to do.” Alicia Lynch: “I would encourage leaders to reach out to colleges and universities, start getting a diverse pipeline into your company to encourage diversity. Working more in your community – I open my door to mentor anybody, I do anything in my power to foster that pipeline and encourage diversity.” Alexandra Heckler: “Two behaviors that I have asked of my team have dramatically changed the diversity of who we are bringing through the door. 
Number one, anytime you write a job rec, you have to have three people who don’t think like you or look like you review the job rec. You need to make sure it’s written like a horoscope – that anyone can see themselves in the job. Number 2 is that as you are interviewing, make sure your interviewers include three other people that look and think nothing like one another, because that way, as someone comes into an interview, they get to see that diversity. We saw double digit increase in diversity on our new hires as we implemented those two things alone.” Camille Stewart: “I am on the board of an organization called Girl Security, engaging young women in middle school and high school around national security. Starting that conversation early is really important and opens that aperture for them to think about careers in national security. I also lead an initiative called ‘Share the Mic in Cyber’ that pulls black practitioners into cyber security or highlights those who are already there. There are a lot of women and people of color working in cyber security; elevating them and creating space for them in the industry is important. I would love to see more programs like this.” Both interviews organized by Elevate are available to view on demand via the Cyber Defense Summit 2021
What personal/professional habits have helped you get to where you are today?
What challenges have you faced and how did you rise above it?
What career advice would you give to women as they seek leadership roles?
What can we all do to encourage the next generation?
How are we doing as an industry to attract and retain women and how can we do better?
Diversity in the boardroom is improving in the cyber security sector, but there is more work to be done. Launched in 2019 to support women in cyber security as they grow into leadership positions, Elevate encourages female leaders to learn, inspire and educate others around the world. At Cyber Defense Summit 2021, Elevate moderated two sessions focusing on accelerating the development and recruitment of women in cyber security. Each session featured women leaders helping to shape the future of the industry, here are some of the highlights from the discussions:
Alicia Lynch, CISO, Cognizant: “The first thing is having a plan of what I wanted to do to get to where I am today. It’s good for all of us to have a plan – where you want to be in your life? I wanted to be a CISO, so one of the things I put on my plan was to go to school and get an MBA. The second thing is to know your craft and be the best at it. The third thing is to have confidence in yourself. A lot of the reason today why women don’t hold more senior positions is confidence. If you can’t build confidence in what you are doing today, reach inside yourself so you can move to the next level.”

Alexandra Heckler, CISO, Collins Aerospace: “Know the limits of your skills and find a partner who has opposite strengths. When you find people with complementary strengths, you can accomplish a lot more together. The second thing is that healthy people ask for what they want. One of the things I started doing early on in my career was to take advantage of various opportunities to apply for other jobs. I had no plans to leave my role at that point, but I would go and participate in the interviews just to understand what excited me about those jobs and what benefits they had. Then I would go back to my boss and ask what we could do to change my job to accommodate more of what I wanted.”

Camille Stewart, VP Google Product Security Strategy, Google: “Own what you don’t know as much as what you do know. You learn so much by being honest about the limits of your expertise or experience, and you also gain credibility. I make it my business anytime I start a new role to understand what everyone else does – what they do, why they do it, what they think my team does and how they expect my team to support them. I leverage that to approach communications and develop strategies to problem solve.”

Aylea Baldwin, Sr. Manager Threat Detection Threat Intel, Reddit, Inc.: “I feel like one of my biggest challenges was myself. I am still my biggest critic, and how that manifested earlier in my career was the perception that I lacked confidence in what I could do. The biggest challenge for me was to keep my personal standard personal. As I was presenting my work and telling my manager that I could do better, it came across that I lacked confidence and wasn’t the right person for a managerial job. I realized that I was doing this after a conversation with a manager of mine, and I had to dig down and present my work as the good work it was.”

Camille Stewart: “Own all of your interests and prepare yourself for a career that is multifaceted and multidimensional. Taking the opportunities as they come and speaking out about what you want is really important. Opening yourself up to new opportunities, to new skill sets that may not seem completely aligned to what you are doing now, could lead you to some of the most exciting opportunities you have ever had.”

Aylea Baldwin: “Own all of your interests and prepare yourself for a career that is multifaceted and multidimensional. Taking the opportunities as they come and speaking out about what you want is really important. Opening yourself up to new opportunities, to new skill sets that may not seem completely aligned to what you are doing now, could lead you to some of the most exciting opportunities you have ever had.”

Alexandra Heckler: “You need to stand behind your values, let your team know that you are willing to take a big swing and not accept bad behavior. That’s what we all as leaders need to do.”

Alicia Lynch: “I would encourage leaders to reach out to colleges and universities, start getting a diverse pipeline into your company to encourage diversity. Working more in your community – I open my door to mentor anybody, I do anything in my power to foster that pipeline and encourage diversity.”

Alexandra Heckler: “Two behaviors that I have asked of my team have dramatically changed the diversity of who we are bringing through the door. Number one, anytime you write a job rec, you have to have three people who don’t think like you or look like you review the job rec. You need to make sure it’s written like a horoscope – that anyone can see themselves in the job. Number two is that as you are interviewing, make sure your interviewers include three other people that look and think nothing like one another, because that way, as someone comes into an interview, they get to see that diversity. We saw a double-digit increase in diversity in our new hires as we implemented those two things alone.”

Camille Stewart: “I am on the board of an organization called Girl Security, engaging young women in middle school and high school around national security. Starting that conversation early is really important and opens that aperture for them to think about careers in national security. I also lead an initiative called ‘Share the Mic in Cyber’ that pulls black practitioners into cyber security or highlights those who are already there. There are a lot of women and people of color working in cyber security; elevating them and creating space for them in the industry is important. I would love to see more programs like this.”

Both interviews organized by Elevate are available to view on demand via the Cyber Defense Summit 2021
Threat Intelligence and Rapid Response: The Mandiant You Don’t See

Mandiant’s network of global experts constantly processes and analyzes threat data from telemetry, partnerships and incident response missions. Keeping track of attackers at scale, and ensuring our consultants and customers can access that intelligence, is impossible using spreadsheets and emailing documents amongst teams.

The Mandiant Intel Grid is our core enabling technology. It delivers up-to-the-moment breach intelligence and expertise, automatically updates Mandiant Advantage and reduces the time to leverage threat intelligence from weeks to minutes. The Intel Grid has been in operation for over a decade, and at Cyber Defense Summit 2021 Mandiant experts revealed how it remembers, organizes and applies the millions of data points it receives. One of the most significant examples of how the Mandiant Intel Grid directly supports our engagements comes from our own experience: the SolarWinds campaign. As soon as we were alerted to the breach, our incident response consultants worked around the clock to investigate the intrusion alongside our reverse engineers, who combed through every line of code in the SolarWinds product to find the code the attacker was using as a backdoor. Working in tandem with this team were our detection engineers, who consumed the intelligence discovered by the reverse engineers and incident responders and encoded it as YARA rules, Snort signatures or similar detection content. This content was pushed out via the Mandiant Intel Grid to our products, partners and customers, who applied it to find new compromises or activity related to our initial investigation.
At the start of the SolarWinds campaign, Mandiant shared hundreds of these rules with the community as direct support. Once the rules were shared, our threat hunting team went to work, identifying high- and low-fidelity signals, surfacing activity and sharing it with Mandiant consultants on the frontlines to enhance their initial engagement. Mandiant also has an extensive team of intelligence analysts, who assess the data fed into the Mandiant Intel Grid from findings in the field. This team performs critical clustering and attribution activities, tracking individual threats and identifying relationships in the Mandiant Intel Grid that may be significant. They also identify overlaps in data that help determine the identity, targets and motivations of the attacker. Tracking these individual campaigns allows our experts to timeline events and answer questions such as:
• What is the average time to exploit?
• Which threat actors target a vulnerability before a patch is released?
• Which threat actors target a vulnerability after the exploit has been incorporated into a tool?
This approach helps us gauge how sophisticated the threat actor is and whether they had access to additional resources. It also enables Mandiant consultants to target their response to an incident and remedy the situation faster. Threat intelligence within the Mandiant Intel Grid is operationalized via hunting missions, undertaken on behalf of our Managed Defense customers or by individual security teams deploying Mandiant Advantage. Mandiant aggregates indicators from these investigations, constantly updating our products and services and creating fresh hunting missions to help identify more victims while validating our customers’ security against the latest threats. As Mandiant identifies new victims or fresh activity, we share what we know, forming a perpetual learning cycle that feeds learnings back into the Mandiant Intel Grid.
All threat data is stored in one place and normalized so everyone, including Mandiant Advantage customers, can speak the same language and work from the same baseline. To learn more about how our Mandiant experts have worked behind the scenes on threats such as APT32 and the exploitation of Microsoft Exchange, watch the full Cyber Defense Summit presentation on-demand.
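The three timelining questions above can be answered mechanically once each sighting of exploitation is recorded with a date, an actor label and whether the exploit had already been incorporated into a public tool. The following Python is an added example, not Mandiant or Intel Grid code. The vulnerability identifiers, actor labels and dates are constructed placeholders, and the choice to measure time-to-exploit from public disclosure (so that a negative value means zero-day use before the bug was public) is an assumption made for the illustration.

```python
"""Campaign timelining: time-to-exploit and who exploited what, when.

Added example, not Mandiant or Intel Grid code. Every record below is
constructed: the identifiers are placeholders, not real CVEs or actor names.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str              # placeholder identifier (not a real CVE)
    disclosed: date           # date the vulnerability became public
    patched: Optional[date]   # None while no vendor fix exists


@dataclass(frozen=True)
class Sighting:
    vuln_id: str
    actor: str                # placeholder threat-actor label
    first_seen: date          # first observed exploitation by this actor
    via_public_tool: bool     # exploit was already in a public offensive tool


# Constructed dataset, chosen so each question has a distinct answer.
VULNS = [
    Vulnerability("VULN-A", date(2021, 3, 2), date(2021, 3, 2)),   # patched at disclosure
    Vulnerability("VULN-B", date(2021, 6, 1), date(2021, 6, 15)),  # two-week patch gap
    Vulnerability("VULN-C", date(2021, 7, 1), date(2021, 7, 5)),
    Vulnerability("VULN-D", date(2021, 8, 1), None),               # no patch yet
]
SIGHTINGS = [
    Sighting("VULN-A", "GROUP-1", date(2021, 2, 26), False),  # zero-day, before disclosure
    Sighting("VULN-A", "GROUP-2", date(2021, 3, 10), True),   # after exploit hit a tool
    Sighting("VULN-B", "GROUP-3", date(2021, 6, 10), False),  # after disclosure, before patch
    Sighting("VULN-C", "GROUP-2", date(2021, 7, 20), True),
]


def first_exploitation(sightings: Iterable[Sighting]) -> Dict[str, date]:
    """Earliest observed exploitation per vulnerability."""
    first: Dict[str, date] = {}
    for s in sightings:
        if s.vuln_id not in first or s.first_seen < first[s.vuln_id]:
            first[s.vuln_id] = s.first_seen
    return first


def days_to_exploit(vulns: Iterable[Vulnerability],
                    sightings: Iterable[Sighting]) -> Dict[str, int]:
    """Days from public disclosure to first observed exploitation.

    Negative values mean the bug was exploited before it was public
    (zero-day use); vulnerabilities with no sightings are omitted.
    """
    by_id = {v.vuln_id: v for v in vulns}
    return {vid: (seen - by_id[vid].disclosed).days
            for vid, seen in first_exploitation(sightings).items() if vid in by_id}


def average_time_to_exploit(vulns: Iterable[Vulnerability],
                            sightings: Iterable[Sighting]) -> Optional[float]:
    """Mean days from disclosure to first exploitation, or None if nothing was exploited."""
    deltas = list(days_to_exploit(vulns, sightings).values())
    return mean(deltas) if deltas else None


def actors_exploiting_before_patch(vulns: Iterable[Vulnerability],
                                   sightings: Iterable[Sighting]) -> Set[str]:
    """Actors seen exploiting a vulnerability while no fix was available."""
    by_id = {v.vuln_id: v for v in vulns}
    actors: Set[str] = set()
    for s in sightings:
        v = by_id.get(s.vuln_id)
        if v is not None and (v.patched is None or s.first_seen < v.patched):
            actors.add(s.actor)
    return actors


def actors_exploiting_via_tooling(sightings: Iterable[Sighting]) -> Set[str]:
    """Actors observed using an exploit after it was incorporated into a public tool."""
    return {s.actor for s in sightings if s.via_public_tool}


if __name__ == "__main__":
    print("days to exploit:", days_to_exploit(VULNS, SIGHTINGS))
    print("average:", average_time_to_exploit(VULNS, SIGHTINGS))
    print("pre-patch actors:", sorted(actors_exploiting_before_patch(VULNS, SIGHTINGS)))
    print("tool-borne actors:", sorted(actors_exploiting_via_tooling(SIGHTINGS)))
```

On the constructed data, GROUP-1 and GROUP-3 surface as pre-patch exploiters (one before disclosure, one in the patch gap) while GROUP-2 only appears once the exploit is tool-borne, which is exactly the sophistication distinction the text draws. Definitions of "time to exploit" vary between published reports (from disclosure, from patch, from first public proof of concept); whichever baseline you pick, record it alongside the numbers so that averages from different sources are not compared blindly.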
Joseph Blount, President, Chief Executive Officer, Colonial Pipeline Company and Jonathan Yaron, Chairman and CEO, Accellion share their experience and the strategies each company deployed when faced with a multifaceted extortion attack.
Responding to a Ransomware Attack: An Interview with Accellion & Colonial Pipeline
Developing a plan for communicating a breach to peers and supporting security organizations as early as possible is critical for minimizing cyber threats to the global community.
The Importance of Breach Disclosure
The ‘who, what, how and when’ of communicating a breach can be complex and stressful. With many high-profile attacks hitting the headlines over the past 12 months, this edition of Cyber Defense Summit 2021 in Review focuses on breach disclosure, providing guidance and lessons learned first-hand from Accellion and Colonial Pipeline, who candidly shared their experiences with us at this year’s summit.
EDITION FIVE - CYBER DEFENSE SUMMIT 2021 IN REVIEW
Christopher Key, Chief Product Officer, Mandiant presents a preview of the Active Breach & Intel Monitoring product soon to join the Mandiant Advantage portfolio.
BYTE-SIZE VIDEO
Security Incident and Response in the Cloud Era
Roberto Bamberger, Principal Consultant, Microsoft and Kshitji Kumar, Senior Cybersecurity Consultant, Microsoft, provide expert insight into how security modelling and risk factors have changed with the increased adoption of cloud environments.
Sharing information such as indicators, tactics, techniques and procedures with other security practitioners in the aftermath of a breach helps everyone in the security community protect their environments and reduce the risk of an attack. This information is critical enough that disclosure legislation will soon be passed in the U.S. to mandate the timing and communication of a breach to aid the dissemination of attacker intelligence to specific organizations.
Even if processes are in place to manage and mitigate a breach, disclosure remains a complex issue. With an increasing number of high-profile attacks and multifaceted extortion events, interest in the topic has intensified. In fact, attackers rely on a CISO’s reluctance to communicate breaches to the board, customers or government entities. Attackers therefore have more time to prey on further victims, and cause more disruption before they are identified and publicly recognized.
As a security practitioner, it can be difficult to determine when to communicate an event. Informing business leaders of a high-severity breach too late can be catastrophic; a warning too early may not be taken seriously. Guidelines that scale with perceived threat severity should be made readily available to teams. They can then detail the following when a breach occurs:
• Who is informed
• What information they receive
• How much time they have
• Who makes the call
A plan that specifies how early the board and other security organizations are warned of a potential incident, together with regular dry-run exercises or communication drills, is increasingly important in the war on cyber crime.
Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency (CISA) discusses the operational information CISOs should share with CISA following a breach.
Kevin Mandia, CEO and Board Director, Mandiant reveals the top priorities for CISOs around the world.
What Are CISOs Working on Right Now?
When a ransomware attack strikes, you don’t want to waste precious time. Creating a plan and regularly testing its effectiveness will minimize long-term disruption. Find out what our team of experts recommended at Cyber Defense Summit 2021 to improve your breach readiness.
Building a Ransomware War Room
This edition of Cyber Defense Summit 2021 in Review focuses on how organizations can prepare themselves when faced with an attack. Discover best practices for building a ‘war room’ and preventing insider threats, and find out what activities CISOs are prioritizing for 2022.
EDITION SIX - CYBER DEFENSE SUMMIT 2021 IN REVIEW
The U.S. Federal Government and Cyber Security: Expert Insight
Before founding the Krebs Stamos Group, Christopher Krebs served as the first director of the federal Cybersecurity and Infrastructure Security Agency (CISA). In this presentation, Christopher shares his views on the Federal Government’s role in the war on cyber crime.
Insider threats are evolving and becoming increasingly difficult to detect. At Cyber Defense Summit 2021, Mandiant interviewed a panel of experts to learn more about insider threats and how organizations can minimize the risk of a breach.
Why Legitimate Access Rules the Cyber Landscape
What Does The Future of Cyber Security Look Like?
Kevin Mandia, CEO and Board Director, Mandiant presents his views on how threat actors will continue to evolve and the impact this will have on cyber security practitioners.
As ransomware and multifaceted extortion attacks continue to rise, many organizations have formed ransomware response war rooms. However, many lack the elements needed to effectively remediate a breach. This state of unpreparedness can be costly, resulting in:
• Lengthy downtime for businesses
• Possibility of reinfection
• Loss of credibility
• Loss of customers and revenue
• Future litigation due to an indefensible investigation
• Internal conflict, burn-out and high attrition rates
Investigation and response activities for ransomware and multifaceted extortion can be very intense. Critical decisions need to be made under high pressure to remediate an incident. To succeed, you need to assemble a “war room” team that is experienced, practiced and authorized to decide on multi-million-dollar ransom payments, on the availability of internet connectivity or business applications, and on the rules of engagement.
Outwit, outplay and outlast the attacker

When setting up a war room, the task force should comprise cyber security personnel as well as complementary teams and stakeholders such as IT, infrastructure management, application developers, HR, external forensics consultants and external counsel to advise on legal matters. Appointing a project manager in advance to run the team, and empowering them to spearhead incident response activities, make critical decisions that affect business operations, assign tasks and schedule communication updates, will ensure no time is wasted in the precious few moments following a breach. There must also be a dedicated space, available 24x7, for all team members to meet and communicate when required. As soon as the war room is operationalized, a central fact sheet should be developed and then approved by the project manager and legal team to ensure communications deliver the level of information required by law and by third parties who may rely upon your products and services. Fact sheets should contain the details and roles of all team members, along with plans for a sensible cadence of communications to the public, customers and employees. Setting war room priorities is a combined effort: general counsel and forensic investigators should work together to ensure the organization meets its legal responsibilities while tackling and containing the breach effectively. Responding to a ransomware breach takes time and requires a cohesive, strong team to survive the high-intensity, high-pressure environment. Organizations should assemble a team capable of operating under those conditions and sustain a positive culture that solicits feedback, acts on it and avoids focusing on blame.

Ransom payment and litigation considerations

The decision as to whether a ransom should be paid will differ between organizations and depends on criteria unique to each organization’s circumstances. Before a payment is made, the following questions should be considered:
• How quickly can systems and data be recovered?
• How reliable is the threat actor?
• Did the threat actor steal the data before they deployed their encryptors?
• If data was stolen, how sensitive is it?
• Does the threat actor still have active access to the network?
• Will cyber security insurance cover the claim?
• Is the threat actor sanctioned by the U.S. Department of the Treasury (the OFAC sanctions list)?
Even when a ransom has been paid, the attacker may not restore systems and data. Paying a ransom is therefore a risk, and all possible eventualities need to be discussed before making the final decision.

What to expect if a ransom is not paid

Organizations should engage the attacker in negotiations while working in the background to understand the extent of data exposure, contain the incident and determine whether compensating controls can protect the organization while long-term fixes are implemented. Refusing to pay an attacker can lead to retaliation, so be prepared for an attacker determined to make an example of your organization or take further action.

Advance your state of preparedness

The most effective way to prepare for an eventual ransomware attack is by conducting red team and tabletop exercises. Assessments should include a technical workstream to simulate ransomware attacker behavior within your network and a ransomware readiness workstream to assess the effectiveness of your response plans. Ransomware readiness workstreams comprehensively review:
• Security architecture: the technologies, controls and networks available to defend against a ransomware attack and support the continuation of business operations
• Response: the capacity of the business to quickly respond to and contain an attack
• Communications: the process used to deliver internal and external corporate messages to key stakeholders
• Recovery: the processes and approach used to remediate or recover from an attack
An organization’s war room decision making is often shaped by its culture and risk tolerance; however, the best practices identified above should always be considered. When an organization’s team and logistics are properly prepared, it can be more effective in the moments following a breach. To learn more, watch the full session from Cyber Defense Summit 2021.
What are your views on the insider threat problem?
In today’s era of hybrid work, the boundaries of corporate networks are blurred, creating challenges when protecting data and corporate assets. Insider threats are evolving from single individuals to groups seeking to steal or destroy critical, high-value data. During Cyber Defense Summit 2021, Ron Bushar, Sr Vice President and CTO, Government Solutions at Mandiant, joined Gunnar Newquist, Client Advisor at Strider, and Bob West, Managing Partner at West Strategy Group, to discuss the importance of insider threat security and how organizations can develop an insider threat program.
Gunnar: Often, when we talk about insiders, companies focus on people and how people make mistakes. It is very difficult to predict human behavior and it’s very rare that when somebody joins a company, they intend to become an insider. Somebody becomes an insider through their time with a company, whether it’s as a result of the culture or a change within their own lives that causes them to switch focus. Ron: In my experience, while there are some general categories of activity motivated by greed and anger, there also are some specific factors that dictate the timing and actions that an insider will take which are very difficult to model and predict. There are a million different ways that people can be motivated to be bad, but there are probably only a very small number of ways that they are going to execute that bad intention, so if we can laser in on that and understand that domain, we will be in a much better place.
We are currently seeing a trend whereby ransomware actors are recruiting specific individuals to leverage their access and deploy ransomware. How can organizations protect themselves from this type of threat without impacting their daily business operations?
Bob: One critical thing we can do is to manage the provisioning of identities properly throughout the employee lifecycle. One of the challenges that large enterprises have is managing who has access to what throughout their employment as they move throughout that organization. If an organization can understand unusual behavior and is able to link that to employee access, they can delete an account quickly and minimize their risk exposure. Ron: With insiders, organizations can impose real consequences and costs on the employee if they get caught, which is not something we can normally do with an outsider attack. Although organizations don’t want to set that tone amongst their employees, they can make it gentle-but-obvious to everyone working with sensitive data—that their actions are being monitored. For example, if an employee is trying to gain access to something they don’t normally have access to, they can be contacted, highlighting that the action has been observed and if they need access to contact their manager. If it was unintentional, they can be made aware that it has been logged. It has been tried and tested that by giving someone a simple nudge in this way, it prevents unauthorized behavior.
What lessons have you learned over the years and what should organizations be looking for to identify an insider group?
Gunnar: In counterintelligence, one of the things we often look at is the recruitment cycle, using the framework of spot, assess, develop, recruit and manage. If you identify suspicious behavior, try to determine where it fits on the framework. This will help guide you to remedy the issue. If they are in the early stages of activity, you can deploy a defensive strategy such as the one Ron mentioned. Bob: There are two common groups that criminal organizations gravitate towards. The first group has a lot of privilege with regards to access or managing systems, so it is important to have tools such as privilege identity management in place. The second group is motivation oriented and typically call center employees are targeted here because they are usually earning minimum wage. Offering $1,000 or $2,000 in exchange for customer records can be very persuasive, especially when economic conditions are tough. To combat this, organizations need to educate teams, making them aware of the type of people they may encounter, what they might be asked for and how important it is to avoid entering those kinds of agreements. Ron: I tend to look at the situation from the adversary’s perspective. In most cases, they will want to keep the number of observables to a minimum and enable remote access as quickly as possible. This makes it easier to recruit an insider and minimize the risk of getting caught. Identity management is therefore really important because the predominant way of identifying an insider threat in this case will be through the misuse, escalation or disablement of privileges.
What can we expect to see trending over the next few years and how can organizations protect themselves?
Gunnar: I think we will find that managed insiders (those with the benefit of a nation state threat actor behind them) will be guided away from risky behaviors such as email communication and will move towards communicating via WeChat or systems that are more undetectable. The Chinese use of talent programs has been very successful and I think we will see the language used amongst those programs changing to make it increasingly difficult to identify relationships with threat actors. Bob: Ransomware is not going to go away anytime soon, so it is important to understand who is being targeted by threat groups and correlate that with unusual activity on the inside. Organizations then need to put the right controls in place to make sure it is both challenging and expensive for threat actors to achieve their mission. Ron: Organizations should think about how they incentivize employees and the channels in place for staff to raise their concerns—be they ethical or legal—outside of their normal management chain to the right people and authorities without threat of retribution or personal consequences to prevent a public whistleblowing incident.
To learn more about insider threats and how to prevent them, watch the full interview online
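The panel's point that insider activity usually surfaces through the misuse, escalation or disablement of privileges, together with the "we saw that, talk to your manager if you need it" nudge and the lifecycle gap of accounts that stay active after they should be gone, can be turned into detection logic over ordinary access logs. The following Python is an added example, not code from Mandiant, Strider or any of the panelists. The log format, the user, resource and role names, and the lists of sensitive resources, privileged roles and identities allowed to grant them are all assumptions; the log lines are constructed for the illustration.

```python
"""Identity-centric insider-threat signals over constructed access logs.

Added example, not Mandiant's or the panelists' code. Log lines, user names,
resource names and role names below are invented for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Assumption: resources whose first-time access by a user should trigger the
# gentle-but-obvious nudge rather than a silent block.
SENSITIVE = {"hr-payroll", "customer-db"}
# Assumption: roles whose grant counts as privilege escalation.
PRIVILEGED_ROLES = {"domain-admin"}
# Assumption: identities allowed to grant privileged roles through the IAM process.
IAM_ADMINS = {"iam-svc"}

# Constructed baseline window: what each user normally touches.
BASELINE_LOG = """\
2021-10-11T09:00:00Z user=alice action=access target=eng-wiki
2021-10-11T09:05:00Z user=alice action=access target=source-repo
2021-10-11T09:10:00Z user=bob action=access target=source-repo
2021-10-11T10:00:00Z user=carol action=access target=hr-payroll
2021-10-12T10:00:00Z user=carol action=access target=customer-db
2021-10-12T11:00:00Z user=dave action=access target=source-repo
"""

# Constructed detection window.
DETECTION_LOG = """\
2021-10-18T09:02:11Z user=alice action=access target=eng-wiki
2021-10-18T09:03:40Z user=alice action=access target=hr-payroll
2021-10-18T09:15:00Z user=bob action=access target=eng-wiki
2021-10-18T09:20:00Z user=bob action=grant_role target=bob role=domain-admin
2021-10-18T09:30:00Z user=iam-svc action=grant_role target=carol role=domain-admin
2021-10-18T12:00:00Z user=iam-svc action=disable_account target=dave
2021-10-18T12:45:00Z user=dave action=access target=source-repo
2021-10-18T13:00:00Z user=erin action=access target=customer-db
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str      # identity performing the action
    action: str    # access | grant_role | disable_account | enable_account
    target: str    # resource, or the account acted upon
    role: str = ""


@dataclass(frozen=True)
class Alert:
    kind: str
    ts: str
    user: str
    target: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line (format is an assumption)."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(ts=ts, user=kv["user"], action=kv["action"],
                 target=kv["target"], role=kv.get("role", ""))


def parse_log(text: str) -> List[Event]:
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(events, key=lambda e: e.ts)   # ISO-8601 sorts lexically


def build_baseline(events: Iterable[Event]) -> Dict[str, Set[str]]:
    """Per-user set of resources accessed during the baseline window."""
    baseline: Dict[str, Set[str]] = {}
    for e in events:
        if e.action == "access":
            baseline.setdefault(e.user, set()).add(e.target)
    return baseline


def detect(events: Iterable[Event], baseline: Dict[str, Set[str]]) -> List[Alert]:
    alerts: List[Alert] = []
    disabled: Set[str] = set()
    for e in events:
        # Lifecycle gap: any activity from an account that is already disabled.
        if e.user in disabled:
            alerts.append(Alert("activity_after_disable", e.ts, e.user, e.target,
                                "disabled account still active; revoke sessions and credentials"))
        if e.action == "access":
            # Misuse signal: first-time access to a sensitive resource -> nudge.
            if e.target in SENSITIVE and e.target not in baseline.get(e.user, set()):
                alerts.append(Alert("new_sensitive_access", e.ts, e.user, e.target,
                                    "first-time sensitive access; nudge user, confirm with manager"))
        elif e.action == "grant_role":
            # Escalation signal: privileged role self-granted or granted outside IAM.
            if e.role in PRIVILEGED_ROLES and (e.user == e.target or e.user not in IAM_ADMINS):
                alerts.append(Alert("privilege_escalation", e.ts, e.user, e.target,
                                    f"role {e.role} granted outside the IAM process"))
        elif e.action == "disable_account":
            disabled.add(e.target)
        elif e.action == "enable_account":
            disabled.discard(e.target)
    return alerts


def run_sample() -> List[Alert]:
    """Build the baseline from the first window and detect over the second."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(DETECTION_LOG), baseline)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.kind:<24} user={a.user} target={a.target} :: {a.detail}")
```

On the constructed logs this raises four alerts: alice's first touch of payroll data (a nudge, not a block, as Ron describes), bob granting himself a privileged role, dave still reaching the repository after his account was disabled, and erin, who has no baseline at all, reading the customer database. The legitimate grant by the IAM service and bob's harmless new wiki access produce nothing, which is the point: the signal comes from the identity layer rather than from trying to predict motive.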
KEVIN MANDIA KEYNOTE
DEFENDING THE NEW NORMAL in 2021
WEEK ONE - BRAND, PRODUCT AND GOVERNMENT LEGISLATION
Confessions of a CIA Spy - The Art of Human Hacking
Insight Type - 18 October, 2021
An understanding of how attackers target and manipulate insider knowledge