The most convenient and efficient way to operate a bank is where everything you need for customers is in easy reach.
So why do we store cash and valuables in bank vaults and safety deposit boxes?
Because it would be insanely easy to steal!
…but with digital businesses, we somehow overlook this and allow/encourage putting business critical assets and the ability to access them (administrative credentials) out 'in the open' on BYODs and regular corporate laptops where people do email and web browsing to any old sites.
Microsoft published guidance on securing privileged access (https://aka.ms/spa) including the use of privileged access workstations (https://aka.ms/PAW) to change this practice that puts your organization at risk.
Please read and follow this guidance to get these out of the reach of any casual attacker!
What would you say you do here?
I am just putting the finishing touches on my BSides Tampa talk "What's my job again" and realized this talk will help security people answer this classic 'Office Space' question 😂
This talk is Saturday 5/17 at 11am in the career track - https://events.bsidestampa.net/BSidesTampa2025#/agenda?day=2&lang=en
13.5.2025 15:39
What common mistakes do you see business leaders make with cybersecurity? Seen these? Seen other mistakes?
I am building this antipattern slide for my BSides Tampa talk this Saturday that looks at security roles and responsibilities across business, technology, and security teams. (11am / career track)
https://events.bsidestampa.net/BSidesTampa2025#/agenda?day=2&lang=en
12.5.2025 15:31
A tale of two (large) purchases and cybersecurity
Sometimes it's hard to find concrete examples of how cybersecurity should be (is) an integral part of business. Let’s take a look at the case of purchasing a new expensive software-controlled piece of equipment that supports business operations like MRI Machines, heavy manufacturing equipment, ATM Machines, etc.
🅰️ Case A is what happens when security is left out of the process (unfortunately the normal default). The organization makes this purchase using only cost and other business criteria. This inevitably leads to massively increased risk of business disruption from criminals when the support contract ends too early and the product and/or vendor go end of life (e.g. no security patches possible but we have to keep it connected to production systems / internet).
🅱️ Case B is what happens when security is a normal part of the acquisition process where the purchasing agents know how to avoid those unexpected surprises in Case A by ensuring that:
◾ Vendor is likely to remain solvent / in business
◾ Vendor follows security development lifecycle
◾ Vendor provides security updates for operational lifetime
◾ Organization has contingency plan for vendor bankruptcy (reserve budget, alternate operating plan, etc.)
This avoids the no-win situation where cybersecurity professionals are asked to fix the security issues somehow (and/or take the blame) during the never-ending orange / red period of Case A.
This slide is part of my BSides Tampa talk this Saturday as we look at security roles and responsibilities across business, technology, and security teams. (11am / career track)
https://events.bsidestampa.net/BSidesTampa2025#/agenda?day=2&lang=en
11.5.2025 12:38
BSides means new slides 😀
I am working on slides for my Tampa BSides presentation this coming Saturday May 17 (11am)
This is one of my new favorites showing the role of security leaders to educate and influence organizational leadership while guiding, coaching, and clearing obstacles for security teams.
Hope you can join me in person at the talk!
https://events.bsidestampa.net/BSidesTampa2025#/agenda?day=2
10.5.2025 19:15
The problems of security are simple. Solving them is hard.
We added a new slide in the MCRA to capture and communicate these challenges for many different people to understand (business leaders, security professionals, technology professionals, and more).
You can download the deck and slide notes here - https://aka.ms/mcra
9.5.2025 21:00
Hey all, this video covers several important topics:
1️⃣ How to ensure security notifications are set up right so that the right people are working on it right away.
2️⃣ How different SecOps/SOC roles work when they get a notification from an external party like Microsoft (including some commentary on outsourced SecOps/SOC providers)
In particular, the discussion that Michael Howard started on communicating what happened is critically important to avoid future similar incidents (and getting stuck in a 'groundhog day' loop)
Making sure another incident doesn't happen again requires doing a root cause analysis and working with engineering and operations folks in the IT/technology teams.
I know these relationships can sometimes be strained, but buying everyone a pizza and beverages to sit down and talk about the incident and what can be done (short and long term) to avoid future repetitions can go a long way to avoiding future pain. Attackers _WILL_ try the same thing again and blocking IP addresses is about as effective as trying to stop a rainstorm with a water glass.
If you assume breach in a Zero Trust approach, each failure becomes an opportunity to learn and get stronger rather than an opportunity to assign blame.
https://www.youtube.com/watch?v=ieLqmkPJ8Gk
6.5.2025 10:29
Are you focusing on the important parts of cybersecurity first?
It's critical to ruthlessly prioritize in cybersecurity because there is an infinite number of ways that attackers could possibly attack your systems.
What you need to spend time thinking about is what is easiest and most effective for the adversaries, not what is possible.
You can use the 3 P's to remember what to focus on first:
1. Prevalent
2. Proven
3. Possible
Never go to the next stage until you are done with the first stage.
If you are tempted to research that cool new technique you just heard 'nation state X' did against a high profile target but you haven't effectively mitigated password spray or pass the hash, STOP!! 🛑⛔🚫🛑🛑!!!
…go back and take care of those basics before wasting your precious time and effort on something that is likely not to affect you.
The attacks you will see most are the ones that will get the job done easiest and most reliably for attackers:
1. Attackers will prefer prevalent well-known methods with a successful track record
2. They will fall back on other proven methods that are also likely to work
3. …and most will explore other potential options if needed (and if they have the skills/resources/funding/etc. to develop those into usable attack methods).
This slide visual is from the upcoming Security Matrix standard from The Open Group that captures this implication.
For a copy of this slide, see the downloadable MCRA deck - https://aka.ms/MCRA
For a webinar discussing the security matrix and other current and upcoming standards from The Open Group, see https://aka.ms/TOG-standards
1.5.2025 11:56
April 2025 version of MCRA is out!
This release of the Microsoft Cybersecurity Reference Architectures (MCRA) focuses heavily on updates related to standards and mappings, products and technology changes, and more.
Key changes since the previous December 2023 release:
◾ Updated main capabilities diagram to add Microsoft Security Exposure Management, Windows LAPS, passkeys, and Microsoft Entra Verified ID as well as to show Microsoft Security Copilot as a broad capability.
◾ Replaced several references of Secure Score with Exposure Management
◾ Clarified representations of Microsoft Security Copilot to show broader capabilities beyond Security Operations
◾ Added Microsoft Entra ID Governance to Adaptive Access diagram
◾ Updated several slides in introduction sequence and added new “Security must be integrated everywhere” slide.
◾ Updated slides in Artificial Intelligence (AI) section
◾ Added ‘Standards Mapping’ section and included proposed drafts of Zero Trust Reference Model standard from The Open Group (and Microsoft product mapping to them)
◾ Added roles list from The Open Group to people section
◾ Added Prioritization slide to the Threats section from upcoming draft Security Matrix standard from The Open Group
◾ Updated threat intelligence daily signals to 78+ Trillion and updated links/resources on various slides.
◾ Updated closing slides to show the full security modernization journey and associated Microsoft Unified engagements
Download the PowerPoint file (including slide notes) from the usual site - https://aka.ms/MCRA
24.4.2025 00:34
Does your organization formalize security experts as a powerless scapegoat?
If your security team is blamed for decisions they don't make, then your accountability structure is broken. Cybersecurity people are subject matter experts like lawyers, finance professionals, HR professionals, physical safety experts, etc. whose job is to give sound advice to decision makers that have to reconcile all sorts of risks and opportunities.
Unfortunately, many people often incorrectly believe that "cybersecurity is the security team's job" and blame the security experts, which is wrong. It's not acceptable to blame lawyers when managers choose to do something illegal (unless the lawyers gave bad advice) but this is somehow ok in security.
Most incidents are the result of actions by...
◾ External attackers (and sometimes insiders)
Who exploit weaknesses in the organization's systems resulting from decisions by...
◾ Business/technical team members (not on the security team)
The business and technical team member decisions were often inadvertent (nobody decided 'we are going to make it easy for attackers to take down our business operations'), but the end result is the same. The risk-impacting decisions result from hundreds of variations like clicking the link in a phishing email or setting budget / productivity targets so tightly that it's not possible to apply security patches and configurations to systems.
Organizations absolutely need to hold security team members responsible for providing sound advice that is tailored to the business situation and to competently perform their specialized roles to respond to incidents, etc. But this cannot be a substitute for everyone recognizing they have an impact on security and performing their own security due diligence.
Organizations need to adopt a normal/rational accountability model where security subject matter experts are held accountable for _sound advice_ and decision makers are held accountable for _all outcomes of their decisions_.
We are focusing on laying out how to do this in an upcoming standard from The Open Group. I discuss this more in this article - https://www.linkedin.com/pulse/security-roles-responsibilities-mark-simos-09fbe
I just wrote a line that encapsulates so much of the core problem most security teams face.
--
Delegating the security outcomes of business decisions to a security team (without the power to change the original decision) formalizes security as a powerless ‘scapegoat’ where their only real job is to accept blame when those decisions end badly.
14.4.2025 23:00
I just posted an article with proposed draft standards text for Security Operations (SecOps/SOC) roles and responsibilities. This is for the upcoming security roles and glossary standard from The Open Group.
Feedback is welcome!
https://www.linkedin.com/pulse/people-matter-security-operations-roles-mark-simos-ayz5c
3.4.2025 00:43
Recording and slides are now posted here - https://publications.opengroup.org/d333
Share and enjoy!
2.4.2025 23:21
Cybersecurity maturity is stuck in the proverbial basement.
It would be hard to claim that the cybersecurity industry is 'defined' on any maturity model given that we haven't even agreed on basics like roles and job descriptions, basic terminology/definitions, effective controls, etc.
It's not particularly surprising given how new the industry is (a few decades old compared to architecture and building materials that have been around for at least 25-35 centuries).
It's also extremely hard to defend against well-funded, creative, and intelligent attackers while managing intense pressure to not fail from regulators, business leaders, governments, the public, and ourselves. Adding to the challenge is that many people (including those in leadership positions) think security is a problem to be solved and that security teams have 'failed' if there is a breach (when security is actually an ongoing risk to manage and most of the decisions that lead to breaches have often been made outside of security teams).
Join this webinar to learn how The Open Group is helping by defining standards and guidance to address critical hidden gaps that link together other guidance (NIST, MITRE, etc.). These show how to build effective security risk management collaboratively across security, technology, and business teams without the blame, technology myopia, or ivory tower thinking.
This is the first webinar of a series that will help you plan, prioritize, and execute effective security. We will take you through the currently published standards as well as in development standards and guidance in the Security and Zero Trust Body of Knowledge that will give you actionable guidance and best practices whether you work in security, IT, or a business role.
Sign up here!
https://www.opengroup.org/events
16.3.2025 02:00
I will be presenting one of my favorite new slides/graphics on a webinar on 27 March.
Attackers have different motivations and use a lot of different techniques, but the models/methods that attackers operate in generally fall into these six categories:
◾ Steal Money
◾ Extortion/Ransomware
◾ Outsourced provider
◾ Espionage / Data Theft
◾ Prepare for future attacks
◾ Destruction/Disruption/Defamation
The first 3 are primarily used by criminals and the second 3 are primarily used by governments (though there are plenty of exceptions, crossovers, and hybrids in this complex space).
This graphic is from proposed material for the upcoming Security Matrix standard from The Open Group
Feedback is welcome as always!
Sign up for the webinar here - https://www.opengroup.org/events
Attackers love getting privileged accounts like IT admins because they know it gets them instant access to all the goodies. They also know that they can easily steal credentials by compromising the device (workstation/laptop/etc.) that the admins log onto.
If that device isn't secured well, then the chances of a very very bad no good day increase dramatically.
One of the best things you can do to reduce risk of a major breach is to increase the security of the devices used by admins. We documented a progressive set of controls to increase device security (while minimizing impact to usability) starting from everyday enterprise devices (we don't endorse BYOD for admins) to specialized devices (more locked down) to full privileged access workstation (PAW) configurations at https://aka.ms/PAW
13.3.2025 10:36
Looking for clarity from the typical confusion of cybersecurity?
Join Hasan Yasar and me for a session to learn about our bold vision (and progress on) open standards for Security and Zero Trust to connect and organize security.
This session (hosted by The Open Group) will give you an insider’s view of upcoming standards including the Security Roles and Glossary, Zero Trust Implementation Guide, and the Security Matrix. Learn how modern risk management standards are redefining connections to Open FAIR risk quantification guidance.
These provide practical security for a complex changing world and address critical industry gaps – including the challenges posed by AI – while bridging the divide between fragmented security practices and standards.
This integrated Security and Zero Trust Body of Knowledge builds on released standards like the Zero Trust Commandments, Zero Trust Reference Model, and Security Principles for Architecture as well as the de-perimeterisation heritage of the original Jericho Forum®.
This is the first of a series and will give you actionable guidance and best practices whether you’re a software or security architect, IT operations leader, or business professional focused on security.
Sign up here!
https://www.opengroup.org/events
12.3.2025 15:04
While poor technical tooling is only one source of SecOps burnout (see graphic), it is an important one.
It is extremely frustrating for triage (Tier 1) and investigation (Tier 2) analysts to have to keep investigating the same 'groundhog day' incident over and over again. This is even more frustrating if that detection is a false positive and if the work to investigate and document it is manual and repetitive (making it more likely you make a mistake, which adds further frustration).
The wheel of pain in the graphic shows this can turn into a (downward) cycle. If it gets bad enough, some people fully burn out on the job and quit (often in the false hope that it will be better at a different organization). This adds more work to the overburdened analysts that are left behind, adding further exhaustion and frustration.
While hiring new people to replace them sounds like a quick fix (and does help in the long term), it also adds additional burden on the people there to take time off of working the queue to spend time training and supporting those new folks until they get up to speed.
It's critical for SecOps leaders and practitioners to recognize this cycle (and other sources of burnout like lack of recognition, doing other people's jobs, etc.) and help break it.
People do their best work when they aren't frustrated, burned out, and exhausted.
◾ Make sure you are hiring enough people
◾ Make sure you are sharing incident summaries with the IT folks so they know why and how to block attacks
◾ Make sure you are looking at automation and tools that reduce false positives
◾ Make sure you have processes to remove noisy alert sources with low true positive rates
◾ Make sure to thank people for their hard work and buy them some pizza or beer sometimes to show your appreciation
What are you doing to reduce burnout?
[Graphic is from SecOps/SOC module of the Security Adoption Framework (SAF) that shows how to build a modern capability using Microsoft technology - https://aka.ms/SAF ]
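A simple version of the tuning check recommended in the list above, as an added Python example that is not from the post or the SAF: it computes a true-positive rate per alert source from constructed ticket dispositions, flags sources worth tuning or removing, and lists the 'groundhog day' source/host pairs that keep coming back. The ticket records, field names and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample of closed SOC tickets (hypothetical, not real data).
# Each ticket: (alert_source, affected_host, disposition), where disposition is
# "TP" (true positive), "FP" (false positive) or "BP" (benign true positive:
# the detection fired correctly but nothing needed doing).
SAMPLE_TICKETS = (
    [("ids-port-scan", "web-01", "FP")] * 8
    + [("ids-port-scan", "web-02", "BP")] * 3
    + [("ids-port-scan", "vpn-gw", "TP")]
    + [("edr-credential-dump", "dc-01", "TP")] * 4
    + [("edr-credential-dump", "hr-laptop", "FP")]
    + [("dlp-usb-copy", "fin-laptop", "FP")] * 6
)


@dataclass
class SourceStats:
    total: int = 0
    actionable: int = 0  # tickets closed as TP

    @property
    def tp_rate(self) -> float:
        return self.actionable / self.total if self.total else 0.0


def summarize_sources(tickets):
    """Per-source ticket volume and true-positive rate."""
    stats = defaultdict(SourceStats)
    for source, _host, disposition in tickets:
        stats[source].total += 1
        if disposition == "TP":
            stats[source].actionable += 1
    return dict(stats)


def noisy_sources(tickets, min_tickets=10, max_tp_rate=0.10):
    """Sources with enough tickets to judge and a TP rate at or below
    max_tp_rate: candidates for tuning or removal. Low-volume sources are
    returned separately so a bad rate on a handful of tickets is not
    mistaken for evidence."""
    flagged, too_few = [], []
    for source, s in sorted(summarize_sources(tickets).items()):
        if s.total < min_tickets:
            too_few.append(source)
        elif s.tp_rate <= max_tp_rate:
            flagged.append(source)
    return flagged, too_few


def repeated_incidents(tickets, min_repeats=3):
    """(source, host) pairs that keep coming back: the 'groundhog day' queue.
    Repeated TPs mean the root cause was never fixed; repeated FP/BP mean the
    detection needs an exception or retuning."""
    counts = Counter((source, host) for source, host, _ in tickets)
    return {pair: n for pair, n in counts.items() if n >= min_repeats}


if __name__ == "__main__":
    flagged, too_few = noisy_sources(SAMPLE_TICKETS)
    print("tune or remove:", flagged)        # ['ids-port-scan']
    print("insufficient volume:", too_few)   # ['dlp-usb-copy', 'edr-credential-dump']
    for (source, host), n in sorted(repeated_incidents(SAMPLE_TICKETS).items()):
        print(f"{source} on {host}: {n} tickets")
```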
9.3.2025 15:21
I just posted an article with proposed updates for the next draft of the Identity and Adaptive Access Management (IAAM) capabilities and their supporting Architecture Building Blocks (ABBs).
This covers the advent of adaptive access, digital identities (from external organizations), the need to apply identities to everything (including obligatory meme :), and other changes like integrating key and certificate management.
Feedback is welcome!
https://www.linkedin.com/pulse/clarity-matters-identity-access-capabilities-mark-simos-xmkde/
8.3.2025 16:24
The recording for this webinar is now posted - https://www.invokellc.com/events/revolutionizing-network-access-from-antipatterns-to-zero-trust-with-microsoft-entra
Share and enjoy!
8.3.2025 15:36