Bryan Faith, Cyber Defense Labs: “it is very hard to quantify what you cannot see and do not have metrics to measure”
Given the current threat landscape, emerging businesses are becoming increasingly aware of how crucial cybersecurity systems are.
It is generally known that investing in cybersecurity is a touchy subject in most organizations because while the necessity is recognized and understood, it is very difficult to determine the value of such security systems in quantifiable terms. More often than not, this issue leads to implementing cybersecurity architecture that is incomplete or simply unsuitable.
To talk about similar challenges organizations face when planning their information security systems, Cybernews reached out to Bryan Faith, the Director of Advanced Services at Cyber Defense Labs, an information security service provider.
How did the idea of Cyber Defense Labs originate?
Cyber Defense Labs is built around the idea of partnership. Companies of all sizes are working hard to provide high-quality services and products that deliver value for their employees, customers, suppliers, shareholders, and the communities they serve. Our team of experts operates as a trusted, reliable partner to these companies with a determined and focused mission on identifying and reducing risk for these organizations so they can continue doing what they do best.
Cyber Defense Labs takes a different approach. We listen, understand, and ask the tough questions to ensure our cybersecurity recommendations adhere to a holistic approach, incorporating the unique business processes of an organization with information security and data governance consistently to ensure cybersecurity is tied to their business strategy and not adversely impacted while carefully considering the business objectives and costs to the partners we work with. Our team represents knowledgeable and seasoned risk management and cybersecurity practitioners that have “been there and done that.” We have seen firsthand the way businesses can struggle to navigate the constantly evolving and persistent nature of today’s cyber threats. We have observed companies spend limited resources to improve security and still fall victim to a data breach. We know others who have purchased multiple technologies with the hope of creating a stronger defense but instead face a more complicated challenge. We don’t walk away. We take a “one team” approach providing continuous support with wide-ranging capabilities to enhance security and work in support of your team as your business transforms.
What has your journey been like at Cyber Defense Labs?
Working at Cyber Defense Labs has been a very dynamic experience for me professionally. While I came in specializing in cybersecurity in the financial vertical, I have been able to branch out and apply those same principles to other market verticals and learn the nuances of different business types. With a team of highly credentialed and experienced staff, there is no shortage of internal resources for me to leverage. Those internal resources make a big difference when faced with unique threats and challenges every single day. Perhaps the greatest benefit has been our “one team” approach both internally and with our clientele. When you engage me, you get my whole team and when you engage Cyber Defense Labs, you get the entire company. For someone who loves to learn and create, I couldn’t ask for a better business environment.
Can you introduce us to what you do? What are the main challenges you help navigate?
My role at Cyber Defense Labs is to manage and maintain our portfolio of advanced offensive security services including vulnerability assessments, penetration testing, social engineering, and more. I work directly with our technical staff and other key team leaders to ensure our portfolio of technical services remains relevant and aligns with our advisory and managed services.
One of the most common challenges I encounter is helping clients fully understand how our advanced services fit into their desire for a secure information security posture. Scoping these services properly is the key to getting an accurate picture of their business environment. Successfully understanding what each company needs requires detailed conversations regarding existing infrastructure, future strategic business plans, and information security goals.
Across all the industries that you work with, what would you consider the most common threats nowadays?
The 2021 Verizon Data Breach Investigations Report points out that phishing is and remains the most prevalent and pervasive cybersecurity threat. That holds true within the markets we serve. As development practices improve through the use of SSDLC and DevSecOps, the weakest point in every corporate landscape continues to be people. Employee information security training and constant testing are more important than ever in reducing cyber risk.
Zero-day vulnerabilities are another area of major concern that affects nearly all industries. The fallout because of Log4j was a great example of the impact that zero-day vulnerabilities can have on operations. Adding insult to injury, the immediate patches supplied were also problematic, extending the exposure window. If your patching practices don’t specifically address and accommodate zero-day responses, now is the time to review and update them.
How do you think the current global events are going to affect the threat landscape?
The combination of geopolitical tension and advanced technology creates a new threat landscape that is very concerning. Verticals such as finance, public utilities, manufacturing, and critical infrastructure are at notable risk for cyberespionage attacks as well as denial of service attacks. Businesses may find themselves being targeted indirectly, as a nation-state attempts to interrupt regular operations to damage the inner workings of a target country’s economy. As a result, a single staged defensive response plan will not be enough to deal with the variability. Businesses need to be prepared with multi-level defensive plans, ready to ratchet up or down security as the situation dictates.
Global tensions and war also create a pretext for fraudsters to prey on empathetic people that want to help with humanitarian causes. Don’t underestimate cybercriminals’ willingness to exploit a crisis to create a sense of urgency that baits individuals into overlooking typical red flags. Ensure any support or donations are only provided to known entities and inform all staff to work under the assumption that unsolicited messages or calls are likely fraudulent.
The belief that only large and well-known enterprises are prone to cyberattacks is only one of many misconceptions still prevalent today. What cybersecurity myths do you come across most often?
The most common myth that I have encountered is “My staff would never do that.” This declaration is often used as a justification for why a particular control or training program has not been implemented. Whether it’s clicking a malicious link, responding to a vishing phone call with private information, or working with an outsider to exfiltrate data or company secrets, insider threats are often greater than external threats. Social engineering exercises at Cyber Defense Labs bear this out. When doing assessments, our experts frequently can collect personally identifiable information and credentials that are assumed to be under lock and key. This isn’t to say business leaders should distrust employees. However, if we aren’t proactively training and testing them, how can we stand behind the statement, “my staff would never do that,” with any certainty?
Why do you think it takes so long for certain organizations to recognize the risks they are exposed to?
It is very hard to quantify what you cannot see and do not have metrics to measure. It isn’t typically because of negligence or disregard that certain organizations take such a long time to recognize risks. In fact, many of the business leaders I work with are very aware of cybersecurity risks; they simply do not have the in-house expertise or knowledge to determine how best to attack this problem. Furthermore, if the business has not suffered a loss yet, it may be difficult to gain traction and buy-in with other leadership. This is why partnering with a cybersecurity firm with seasoned experts is so crucial. Business leaders need to stay focused on operating their business, not on evaluating hypotheticals and “what if” scenarios that may never come to pass. As a partner in cybersecurity, we will evaluate the environment both for sound security practices and technical defenses, weeding out false positives and providing the client with risk-rated reporting on actual issues that can then be leveraged to organize the remediation efforts and ensure the most critical areas of weakness are addressed.
In your opinion, what IT and cybersecurity details are often overlooked by new companies?
There are several things new companies may overlook when launching. First is the importance of a comprehensive information security program. New companies are in an enviable position whereby they have the opportunity to address cybersecurity well from the start. The key is building out the information security program very early in the business development process so subsequent business decisions are subject to the established security standards. This will ensure adherence to the desired security objectives.
Second, third-party vendor management is critical for mitigating IT and business risks. Whether it’s a managed service provider, a cloud service vendor, or a telecom vendor, evaluating the vendor’s viability and the risks they may introduce to your business is critical to achieving sustainability and value. Just because a vendor is the largest on the block or has the best sales pitch doesn’t mean they are the right vendor for your needs and objectives.
Third, as a business owner, one thing you cannot do is outsource risk. Leveraging the latest technologies can be a great thing for your business by driving speed to market, lowering capital expenses, and empowering your employees. However, you are responsible for securing your environment in such a way that complies with applicable regulations and builds trust with your customer base. Understanding that third parties cannot and will not assume your business risks will aid you in building risk mitigation strategies that work.
Talking about average Internet users, what security tools do you think everyone should use to keep themselves safe online?
The most important tool to stay safe online is a healthy dose of suspicion. Work under the assumption that any unsolicited requests for things like credentials, personal information, or assistance of any kind are fraudulent until proven otherwise. A common attack vector for fraudsters is to take over an account, then pose as that person, requesting favors or information from the victim’s contacts list. If you are unsure about it, contact the person by phone or face-to-face to confirm before going any further.
Technically speaking, a great tool to leverage is a password management application. Using unique passwords for your online accounts is an excellent way to mitigate the risk of credential reuse attacks and it also makes logging into websites a breeze. When breaches occur, often lists of usernames and passwords are published publicly or on the dark web and fraudsters may attempt to use those login credentials to access other popular websites, such as e-commerce sites, and purchase items in your name, or worse yet, commit identity theft.
What does the future hold for Cyber Defense Labs?
Cyber Defense Labs operates with the understanding that we are here to serve and be the trusted, leading provider of cybersecurity services for middle-market and enterprise companies. We will continue to grow and expand. We are proud to have earned the trust of our client partners and work with several critical industries including healthcare, financial services, critical infrastructure operators, manufacturing, automotive, and retail. This is just the tip of the iceberg regarding our capacity to serve the business community and we welcome the challenge. Cyber Defense Labs is different because we are not a one-size-fits-all mold. We are massively adaptable and endeavor to understand your specific business needs before we ever suggest solutions.