Lavenix

Lavenix Collaborative security team (Purple team) as a service. Security architecture as a service.

15/11/2022

is not just about security teams and the CISO office, it goes much further than that. Every person within an organisation is essentially part of the cyber security strategy. People need to learn how to do their jobs in such a way that neither the company nor the people become victims of malicious actors. This is

The options to reduce the lack of security awareness are limited and become exponentially more expensive with each new business activity, as it requires more security specialists, more security gateways and more complex processes.

The most common way to increase awareness is to provide engaging cyber security awareness training tailored to different groups within the company.

There is another source of awareness-raising. People who are interested in security but are not part of security teams. If you involve them properly, they will be your best help in their work cycles.

Invest in people. They will help the company grow securely.

14/11/2022

NSA shared a very well-written explanation of why and tools but also code and code architecture reviews and secure code trainings are vital for product security.

I know that the suggestion to move the development stack to memory-safe languages is questionable among developers. In fairness, this can be seen as an additional safety measure and not the only way forward.

https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF

13/11/2022

is a serious threat. Statistics show that most successful hacks involve attacks on people in one way or another. Which, in my opinion, also means that the concept of an organisation's security perimeter is completely and irreversibly dead.

An organisation cannot run without people. People make use of all that technologies inside and outside the organisation and once they are compromised, they potentially give hackers a stepping stone to their goals inside the perimeter. There is no shortcut to prevent this, but there are key concepts that help immensely.

Security should shift to the left, which means that every decision and progress milestone at the business, architecture and product level must be evaluated from a security perspective. There are tools to automate this and there are people like security architects, managers and engineers to help with more conceptual questions. An ultimate goal of this concept is to embed security in depth in every aspect of the business. This limits the impact of individual mistakes and misfortunes by limiting the attack surface within the organisation's perimeter and enforcing sensible access controls.

But without constant improvement, even the best security plan quickly comes under pressure. The way to avoid this is to let security engineers work on the areas where they are needed most. And one of the best ways to do this is to let defence security engineers be driven by and freely exchange opinions and details with the offence security engineers. This collaboration is also known as purple teaming. It helps to identify not only technical flaws, but also entire offices whose infrastructure and behaviour are not well protected.

Protecting companies from security threats is not something that can be done by heroes. It is a constant way of working together, embedded in every level of the organisation. Do not rely on your perimeter defences and hope your people are not hacked, evolve.

  only answers how many and how serious the technical risks are within the scope.To understand the exposure of potential...
11/11/2022

only answers how many and how serious the technical risks are within the scope.

To understand the exposure of potential losses to the business, the focus should shift to an analysis based on tactics, techniques and procedures ( ). Simply put, this analysis shows how well organisations respond, detect and resist real attacks where malicious actors use the entire organisation and supply chain to achieve their goals. This is commonly referred to as a exercise. Repeated several times and supported by the security team within the organisation, this is the modern and proven way to improve security.

But if there is no capacity or resources to conduct red team exercises at full scale, it is possible to adopt a mixed approach where the red team is guided by security architecture analysis. It will focus attack simulations on the most critical areas.

But in the end, it all means nothing if no improvements have been made. Therefore, one of the best approaches is for the red team to work directly with the security defence team, often already during the engagement and influenced by them. This helps to understand how well the organisation detects and responds to attacks, but also allows it to identify improvement opportunities in flight. This is the work of .

Hiring a purple team for your company, is the way to get tailored improvements and a comprehensive view of the company's resilience and security.

Do you want to know more? Don't hesitate to ask us.

11/11/2022
11/11/2022

Address


Alerts

Be the first to know and let us send you an email when Lavenix posts news and promotions. Your email address will not be used for any other purpose, and you can unsubscribe at any time.

Shortcuts

  • Address
  • Alerts
  • Claim ownership or report listing
  • Want your business to be the top-listed Computer & Electronics Service?

Share