DEV Community: Mike P

Excel Tricks

Mike P — Sun, 08 Aug 2021 00:17:18 +0000

My commonly used Excel and Google Sheets formulas and tricks

Here’s the GitHub:
https://github.com/mikeprivette/exceltricks

Content

Excel Tricks
- Content
- Time and Date Formulas
  - Convert the format "Thu Oct 02 12:03:39 GMT 2014" to "10/02/2014"
  - Convert the format "2014-Dec-01 5:00:54 AM" to "12/01/2014"
  - Convert EPOCH format (Unix time) to Gregorian format (mm/dd/yyyy hh:mm:ss)
  - Convert a date and time field to ISO 8601 timestamp format
  - Convert a ISO 8601 timestamp format field to date and time
- Number Manipulation
  - Convert $20,000,000.00 to $20.0M
- Text Manipulation
  - Find what is to the RIGHT of the last instances of a specific character
  - Find if cell contains a space
  - Extract text between two characters in a cell
  - Trim All Whitespace Including Nonbreaking Space Characters (nbsp)
  - VLookUp and Replace #N/A with some text
  - Search for text within a cell and label it as X
  - Lookup a Value in 2 Different Columns and return the one you want
  - Get OS Short name from long Operating System name (Windows 10 Enterprise = Windows)
  - Get system type from OS (Windows Serer 2012 = Server)

Time and Date Formulas

Convert the format "Thu Oct 02 12:03:39 GMT 2014" to "10/02/2014"

=CONCATENATE("10/",MID(A2,9,2),"/2014")

Convert the format "2014-Dec-01 5:00:54 AM" to "12/01/2014"

Perform a Text-to-Columns on the cells to split the date from the time information (assuming you don't need time)
You will be left with this:

 |__A1__|  |__B1__|
 2014-Dec-01  05:00:54 AM

On cell A1 rearrange the text and add in the date delimiters:

=CONCATENATE(MID(A2,6,3)&"/"&RIGHT(A2,2)&"/"&LEFT(A2,4))

Result = Dec/01/2014

Do a Find & Replace "Dec" with "12"
Cells get automatically converted to Date/Time format
Repeat for different months

Convert EPOCH format (Unix time) to Gregorian format (mm/dd/yyyy hh:mm:ss)

Unix time is the number of seconds since January 1, 1970.

=CELL/(60*60*24)+"1/1/1970"

Turns 1424783916.796051000 = 02/24/2015 13:18:37

Convert a date and time field to ISO 8601 timestamp format

Example: 8/3/21 12:12:12 PM to 2021-08-03T12:12:12

=TEXT(A1,"yyyy-mm-ddThh:MM:ss")

Convert a ISO 8601 timestamp format field to date and time

Example: 2021-08-03T12:12:12 to 8/3/21 12:12:12 PM

=DATEVALUE(MID(A1,1,10))+TIMEVALUE(MID(A1,12,8))

Number Manipulation

Convert $20,000,000.00 to $20.0M

Select the cell you want to convert and add the following custom number format

$[>=999950]0.0,,"M";[<=-999950]0.0,,"M";0.0,"K"

Text Manipulation

Find what is to the RIGHT of the last instances of a specific character

Example = Drive:\Folder\SubFolder\Filename.ext (where you just want to find Filename.ext)

Find to the right of the last "\" character

=REGEXEXTRACT(A1,"\\([^\\]*$)")

To find what's to the LEFT, just replace "RIGHT" with "LEFT" in the formula

Example = "First_Name Last_Name" (where you just want "First_Name")

=REGEXEXTRACT(A1,"(^[^ ]*) ")

Find if cell contains a space

=IF(COUNTIF(H2,"* *"),"No","Yes")

Extract text between two characters in a cell

=REGEXEXTRACT(A1,"vip\.ce\.(.*)\.http")

Original = vip.ce.api-prd.website.com.http

After = api-prd.website.com

Trim All Whitespace Including Nonbreaking Space Characters (nbsp)

=TRIM(SUBSTITUTE(A1, CHAR(160), " "))

VLookUp and Replace #N/A with some text

=IF(ISNA(VLOOKUP(A2,<Table Range>,1,FALSE)),"Thing not found",VLOOKUP(A2,<Table Range>,1,FALSE))

Search for text within a cell and label it as X

=IF(IFERROR(SEARCH("<word>",A2),0),"Cleaned",IF(IFERROR(SEARCH("<other word>",A2),0),"Unknown","Not Cleaned"))

Lookup a Value in 2 Different Columns and return the one you want

=Index(array, Match(value_to_lookup, lookup_array, match_type))

=INDEX('TabName'!$A$1:$C$1000, MATCH('TabName'!A2,'TabName'!$A$1:$C$1000,0))

Get OS Short name from long Operating System name (Windows 10 Enterprise = Windows)

=IF(IFERROR(SEARCH("Windows",C2),0),"Windows",IF(IFERROR(SEARCH("AIX",C2),0),"AIX",IF(IFERROR(SEARCH("Linux",C2),0),"Linux",IF(IFERROR(SEARCH("SunOS",C2),0),"SunOS",IF(IFERROR(SEARCH("OS X",C2),0),"Mac","Unknown")))))

Get system type from OS (Windows Serer 2012 = Server)

=IF(IFERROR(SEARCH("Server",E2),0),"Server",IF(IFERROR(SEARCH("AIX",E2),0),"Server",IF(IFERROR(SEARCH("Linux",E2),0),"Server",IF(IFERROR(SEARCH("SunOS",E2),0),"Server",IF(IFERROR(SEARCH("Enterprise",E2),0),"Desktop",IF(IFERROR(SEARCH("Pro",E2),0),"Desktop",IF(IFERROR(SEARCH("Embedded",E2),0),"Desktop",IF(IFERROR(SEARCH("Windows 7",E2),0),"Desktop",IF(IFERROR(SEARCH("Windows 10",E2),0),"Desktop",IF(IFERROR(SEARCH("OS X",E2),0),"Desktop","Unknown"))))))))))

Useful PowerShell One-Liners (and a few two-liners)

Mike P — Thu, 17 Dec 2020 17:14:58 +0000

PowerShell Commands

Useful PowerShell one-liner (and some two-liner) commands. These are commands I have collected over the years in various IT/Cybersecurity capacities and have been helpful in troubleshooting and doing security investigations alike.

Fork/Clone the repo here: https://github.com/mikeprivette/PowerShell

Active Directory User Commands
- Getting Started
- Specific User Scenarios
Computer Object Commands
File Level Commands

Active Directory User Commands

Getting Started

Before running any Active Directory commands, you need to import the correct module.

Import Active Directory Module

Import-Module ActiveDirectory

Get All Active Directory Module Commands

get-command -module ActiveDirectory

Specific User Scenarios

Get All AD Information on a User in the Current Domain (the one you are running this from)

Get-ADUser -Identity <username> -properties *

Get All AD Information on a User in a Different Domain (assumes you have trust and permissions to access)

Get-ADUser -Identity <username> -server "domain" -properties *

Get All Members of a Group by name and ID

Get-ADGroupMember -Identity <group_name> -Recursive | select name,SamAccountName

Find All Groups a User is a Member of

Get-ADPrincipalGroupMembership <username> | select name
Get-ADPrincipalGroupMembership <username> -server "domain" | select name | Sort-Object -Property name

Add Member to an AD Group

Add-ADGroupMember -identity "<group_name>" -Member "<user_id>"

Remove Member from an AD Group

Remove-ADGroupMember -identity "<group_name>" -Member "<user_id>"

Find all users that are disabled

Search-ADAccount -AccountDisabled -UsersOnly | Format-Table Name,SamAccountName ObjectClass -A

Find the Date/Time for When an Account Expires

[datetime](Get-ADuser <userid> -Properties accountExpires).accountExpires

Find all Users with Locked Out Accounts

Search-ADAccount -LockedOut | select name, samAccountName
Search-ADAccount -LockedOut | Where-Object {$_.DistinguishedName -like "*DC=domain,DC=com"} | Select Name, LockedOut, LastLogonDate, PasswordExpired | Format-Table -AutoSize

Get AD User Information for List of Users and Output to CSV

Get-Content C:\<path>\users.txt | % {Get-ADUser -Identity $_ -properties * | select CN, samAccountName, EmployeeID, enabled, Description, Department, mlSubLobDescr, OfficePhone, Manager ,StreetAddress, LastLogonDate, LastBadPasswordAttempt, PasswordExpired} | Export-Csv C:\<path>\user_lookup.csv

Get AD User Group Membership Information for List of Users and Output to CSV

Get-Content C:\<path>\users.txt | % {Get-ADPrincipalGroupMembership $_ | select name} | Export-Csv C:\<path>\user_group_membership_lookup.csv

Get All Users of AD Groups for List of Groups and Output to CSV

$groups = Get-Content C:\<path>\groups.txt

foreach ($group in $groups) {
Get-ADGroupMember -Identity $Group | select @{Expression={$Group};Label="Group Name"},Name,SamAccountName | Export-CSV C:\<path>\user_groups.csv -NoTypeInformation -append
}

Get All Users of AD Groups Matching a Certain Name Format (i.e group name is like Local Admin)

$groups = Get-ADGroup -Filter {name -like "*Admin*"}

foreach ($group in $groups)
    {
    Get-ADGroupMember -Identity $Group -Server "domain" | Get-ADUser -Properties * | select @{Expression={$Group};Label="Common Name"},Name,enabled,LastLogonDate,GivenName,Surname,EmailAddress,title,department,mlSubLobDescr | Export-Csv C:\<path>\local_admin_group.csv -NoTypeInformation -Append
    }

Find user information by AD attribute (i.e. DisplayName)

Get-ADUser -Filter {DisplayName -like "*Bobby Administrator*"} -Properties * | Select name, DisplayName, EmailAddress, enabled, LastLogonDate, title, department, mlSubLobDescr | Format-Table -AutoSize

Computer Object Commands

Find a Specific Service on a Computer using WMI

get-wmiobject -query "SELECT * FROM Win32_Process where Name = '<service_name.exe>'" | select-object Name,CommandLine | Sort-Object -Descending Name

Find Computers by Operating System Type

Get-ADComputer -Filter * -Properties OperatingSystem | Select OperatingSystem -unique | Sort OperatingSystem

List all Servers in a Domain

Get-ADComputer -Server "domain.com" -Filter {operatingsystem -like "*server*"} -Properties * | select enabled,name,operatingsystem,canonicalname,lastlogondate | Export-Csv C:\<path>\computer_list.csv -Append -NoClobber

List all Servers in a Domain, but only return Enabled Computer Objects, and only return those logged into within the last 60 days from the current date, and only show the top 10 rows

Get-ADComputer -Server "domain.com" -Filter {(operatingsystem -like "*server*") -and (enabled -eq "TRUE")} -Properties * | where {$_.LastLogonDate -ge (Get-Date).AddDays(-60)} | select enabled,name,operatingsystem,canonicalname,lastlogondate | Format-Table -AutoSize | select -First 10

Find All Domain Controllers in a Specific Domain

Get-ADDomainController -Filter * -server <domain> | Select-Object name, domain

Find Out Information About a Specific Computer by Hostname

Get-ADComputer -Filter {Name -Like "<hostname>"} -Property * | Format-Table Name,ipv4address,OperatingSystem,OperatingSystemServicePack,LastLogonDate -Wrap -Auto

Find Host Information from TXT File of Hosts

Get-Content C:\<path>\file.txt | % {Get-ADComputer -Identity $_ -server <domain> -properties * | select name, ipv4address, operatingsystem, distinguishedname} | Export-Csv C:\<path>\output.csv -Append -NoClobber

Get the CN and DN for each Organizational Unit in a Specific Domain

Get-ADOrganizationalUnit -server "domain.com" -Filter * -Properties CanonicalName | Select-Object -Property CanonicalName, DistinguishedName | Sort-Object CanonicalName, ascending

Get All Computer Objects in a Particular OU in a Particular Domain

Get-ADComputer -server "domain.com" -SearchBase 'OU=NA,OU=USA,OU=HQ,DC=domain,DC=com' -Filter '*' -Properties * | Select name, ipv4address, operatingsystem, CanonicalName, distinguishedname | Format-Table -AutoSize

Get All Computer Objects from a TXT File of OUs

Get-Content C:\<path>\computer_ous.txt | % {Get-ADComputer -Server "domain.com" -SearchBase $_ -Filter '*' -Properties * | Select name,ipv4address,operatingsystem,CanonicalName,distinguishedname,enabled} | Export-Csv C:\<path>\computers_in_ous.csv -Append -NoClobber

File Level Commands

Recursively Remove Files Older than a Certain Day in a Directory

Get-ChildItem -Path "C:\<path>\<dir>\" -Recurse | Where-Object CreationTime -gt (Get-Date).AddDays(-180) | Remove-Item -Recurse

Making Sense of the Anti-Phishing Cybersecurity Product Market

Mike P — Mon, 02 Nov 2020 13:46:02 +0000

Phishing has arguably been the single most devastating cybersecurity threat to the world since its inception in 1990. Let’s take a look at this area and all the various cybersecurity products that play in the space.

Terms You Might Also Hear

Business Email Compromise (BEC) (phishing meant to compromise business functions like wire transfers)
Spear Phishing (highly targeted phishing attacks against a company or person)
Smshing (Phishing attacks over SMS/Text)
Vishing (Phishing attacks over the phone)

Problem Statement

Phishing targets organizations of all sizes and people of all walks of life. The attacks can be both opportunistic and targeted depending on the motives of the attackers.
Phishing attacks are largely based on financial motives, and no one is immune to receiving this kind of security threat in business and personal life.
Many experts cite phishing as the first phase of most attacks leading to ransomware, business email compromise, extortion, and fraud.
Some studies purport that phishing attacks account for 90% of all data breaches.
Identifying, preventing, and responding to phishing attacks is a priority for most organizations, but little can stop the ebbing and ever-changing flow of malicious emails.
Phishing and email attacks are not only increasing, but they’re also evolving. They are a part of life on the Internet.

Market Solutions

Enter the Anti-Phishing product market space.

Phishing, and people’s susceptibility to it, means the product market space views this issue as a “human problem.”
Solutions either have to teach humans how to not be tricked so easily or they have to accept that humans will be tricked and try to address the problem with technology behind the scenes.
Solutions in the anti-phishing space can take on different forms, and many organizations use most or all of these:
- Content Disarmament - by far the most common approach, these tools are designed to be in the flow of mail (between the person sending and receiving the email) to intercept, inspect, unpack, and potentially detonate malicious payloads like links or attachments. These tools prevent bad emails from arriving at the recipient. This is often cloud-based and happens per link.
- Simulated Attacks - platforms that allow a company to send “safe” phishing emails, SMS, and phone calls to employees as a means for training and awareness. These simulations are used to show how susceptible people are to phishing attacks.
- Phishing Awareness Training - learning and development platforms that educate employees using an online course format and simulated exercises to spot signs of phishing. These courses are tailored to an individual organization to train employees on spotting phishing attacks and handling them at their company.
- Job Supplementation - digital and physical assets like posters, signs, stickers, and desk cards to give employees constant reminders to be aware of phishing. Anti-phishing requires constant vigilance, so the goal here is to ingrain awareness and how to safely respond.

Players in the Space

Product Space Predictions

With COVID-19 and remote working becoming more of a norm, many companies will have to extend the reach of their security capabilities into employee home networks, which is arguably more hostile compared to a traditional corporate network with unmanaged and untrusted routers, printers, gaming consoles, and home IoT devices. A successful phishing attack that compromises one part of the home network can pivot to other devices on the network, including the corporate managed laptop.
Since phishing doesn’t have a work-life balance, remote employee protection, especially for high-profile executives, will be on the rise. Look for a rise in vendors and products that can serve both corporate laptops and personal devices with the same level of visibility and protection. There are obvious privacy concerns here.

"The best offense is a good defense”

Unknown, on Anti-Phishing (probably)

Product Space Opportunities

Go multi-threaded. As a buyer in this space, you’ll need to deploy social, psychological, and technological means to keep your organization safe from phishing. One solution will not be enough, so think Defense in Depth.
Look for bundles where it makes sense. As mentioned in a previous issue, corporate buyers can rarely buy the best of the best. Bundling anti-phishing with Endpoint Detection and Response (EDR) platforms can increase your security observability where most attacks happen by volume - on an employee’s computer.
Make simulation content dynamic. Most phishing simulation platforms are just versions of MailChimp. Instead of sending a singular email campaign to a list of users, make a platform that allows for randomization and customization. Send multiple emails with variations of domains and email bodies to make them harder to detect like real phishing emails.
Make it interactive. Train employees the same way you train developers to not write insecure code. Solutions that can offer immediate feedback and training at the time of click or in the email clients will teach users at the point that it matters the most. This will be far more effective than the once a year training that employees speed click through to the end.

Key Insights

A good anti-phishing program is still only a small piece of the overall cybersecurity puzzle. This is one of the most important pieces, but you can’t overlook or neglect strong identification and protection defenses elsewhere.
Anti-phishing solution implementations require nuance. Disrupting the user experience for the sake of security has a high trade-off of risk vs. reward, but it just might be worth it to reduce phishing attacks.
Rolling out a successful anti-phishing program is more about constant change management than about the technology itself (as with most technology rollouts). You want behaviors to change, which is the hardest thing to do. Take a page from the experts on change management.
Don’t “name and shame” with phishing simulation metrics to drive better end user compliance and awareness. Showing month-over-month click rates by department or line of business isn’t useful to anyone.

References

The History of Phishing - for those who like to understand origin stories.
Business Email Compromise - definitions and examples.
Phishing and Email Fraud Statistics 2019 - the numbers only ever go up.
Verizon 2020 Data Breach Investigations Report - the gold standard for data breaches and cybersecurity trends across all industries.
Tackling Phishing and BEC Attacks - more on how to prevent attacks like this.
Defense in Depth - the standard that cybersecurity principles are built off of in enterprise companies.
What is Machine Learning? - a beginner’s guide.
More Than 8 in 10 Fell Victim to Phishing Attacks in 2018 - this is a hard game.

Want More?

Looking for more insights and analysis? Sign-up here to get access to all past and future Pro issues.

Before You Go

Did you enjoy this issue of Cybersecurity Market Insights? If so, consider sharing the link on social media.

Making Sense of the SOAR Cybersecurity Product Space

Mike P — Thu, 01 Oct 2020 16:06:07 +0000

What is Security Orchestration, Automation, and Response (SOAR)? Let’s break this down and understand both sides of this product market space.

Terms You Might Also Hear

Security Orchestration
Security Automation
Security Operations, Analytics, and Reporting (SOAR)
Security Incident and Response Platforms (SIRPs)

Interrelated Products / Functions

SIEM (Security Information and Event Management)
Threat Intelligence Platforms (TIPs)
Security Operations Center (SOC - pronounced “sock”)

Relevant Definitions

Event - one or more instances of an observable change on a system (i.e. a file was downloaded, a folder permission was changed, etc.)
Alert - a notification that one or more events have occurred (i.e., an email is about a firewall rule update, etc.)
Incident - one or more events or one or more alerts that negatively affect the business (i.e., an employee successfully sends a customer list to a personal email address prior to putting in their notice, etc.)

Problem Statement

As we covered in our first issue, companies are doing more with mobile and cloud services via Digital Transformation. Digital transformation leads to more devices, more cloud resources, more environments to monitor, and ultimately more events, alerts, and incidents to comb through looking for cyber threats.
There has been exponential growth in the number of log sources. Log sources are the systems, services, and devices in an environment that generate events and need to be constantly monitored from a cyber threat perspective.
The more log sources in an environment, the more noise. Noise makes it harder to know when something bad has happened or is happening in your environment. If you don’t know about a threat, you can’t do anything about it.
Security operations teams have to sift through the noise. Unfortunately, they spend >95% of their time chasing down low value/fidelity events that are not really threats.
Companies are doing more than ever and cybersecurity teams have too much to keep up with. A typical workflow might look like this:

A security alert fires, an analyst may need to investigate in the SIEM, lookup an endpoint in the Endpoint Detection and Response (EDR) platform for computer data, reset a user’s password or disable their account in Active Directory (AD), and record the case in a Case Management system.

The cybersecurity profession has a talent shortage which only exacerbates the problem. In short, humans can’t keep up with the amount of data coming in and the number of disparate systems they have to click through.

Market Solution

Enter Security Orchestration, Automation, and Response (SOAR).

SOAR platforms let you create efficiency, consistency, and accountability by way of automation between disparate technology platforms and security controls.
SOAR platforms act as a central place to connect system APIs together to perform a series of actions, lookups, or checks in a visualized process flow. This creates accountability and traceability for teams and when investigating from a single platform.
SOAR platforms can achieve automation by activating either by event/alert triggers or scenario “playbooks”. These playbooks kick off a series of checks, actions, and steps, with or without boolean logic, to attempt to triage and remediate cyber threats. This can be with or without human interaction.
Playbooks from SOAR platforms provide consistency and repeatability. Prior to SOAR, an analyst may have followed a loosely defined playbook but would take their own path to investigate. Playbooks with SOAR provide the exact same process each time, including the exact sequence of tools and queries.
SOAR can reduce the “speed-to-context” to operate from and make better decisions quicker by not having to focus on low-value events, alerts, and incidents.
Also covered in the last issue, SOAR is a prime example of how demand for professionals results in product companies trying to enhance or subvert the talent needed. SOC teams are under immense pressure and need more help.
SOAR allows your highly paid security operations team to focus on real and bigger threats. Security investments seldom provide immediate transformational benefits, but SOAR has a chance to change that. SOAR helps solve that age-old management problem of “doing more with less,” thereby trying to show benefit.

Players in the Space

Product Space Predictions

As covered in the last issue, cybersecurity spending is dominated by regulatory and compliance drivers. With escalating requirements from regulators and governing bodies, so too will the requirements for monitoring and responding to all sources be escalated. SOAR platforms can make or break this.
Digital Transformation initiatives at companies are changing cybersecurity landscapes and associated threats and are driving the need for more automation across all security domains. Time to shine SOAR platforms.
New players will enter the SOAR product category that seeks to enhance existing SOAR platforms and playbooks, like Polarity. Adding additional context and ease-of-use for operators will be a differentiating factor. Expect more acquisitions in this product sub-space.
Players in the space will focus on the disrupter of No-code and Low-code solutions as a way to drive adoption to their platforms and reach a broader audience that cannot afford to hire highly specialized disciplines of cybersecurity professionals.
Cloudy with a chance of SOAR. As more business and technology moves to the cloud, SOAR platforms used on-premises will have to be able to quickly adapt to automation at Cloud Service Providers (CSPs) like AWS and Azure.

"I need another API like I need another hole in my head"

Cybersecurity Engineer at Large Insurance Company

Challenges for Products Buyers

SOAR platforms work best with specific technology integrations. To get the most out of your SOAR platform, you have to buy or already have all the other platforms that integrate the best. That is unless you want to get into full REST API development and maintenance to support your security stack. Which leads me to my next point...
SOAR platforms are competence destroying. New knowledge will have to be created and learned to operate these platforms and old knowledge will be less valuable. It is no longer enough to know how a standalone endpoint or network security platform works. You need to hire people who know about APIs, DevOps, CI/CD pipelines, etc. in addition to being sysadmins. These are not skills traditional security people have in most organizations. Skill retooling is necessary.
SOAR platform rollouts are never “finished”. As connected security platforms get upgraded, new features and functionality will replace old ones, APIs will change, and automation already in place can and will break. You will need resources dedicated and responsible for keeping up with this newly created ecosystem just like with delivering a software product. This speaks to the broader convergence of technical abilities and routines happening across all IT disciplines, and cybersecurity is no exception.

How Players Will Be Successful in this Market

Focus not just on the volume of integrations, but the completeness of integrations. If your SOAR API connection can only perform 5 basic actions from an integration or is somehow rate limited, you are limiting what can be done with your platform. When you limit your platform, you make buyers, not like it.
Show the difference. After a certain amount of automation claims, you can start bleeding into the Managed Detection and Response (MDR) space. Why automate only the SOC triage, when we can automate it all with MDR? You’ll want to make sure you are telling the right story and not one that makes it sound like you are replacing people or whole functions. The people closest to the work often have a greater say in product purchasing because those decisions impact them the most.
Push security to the business edge. Want to drive broader adoption of your SOAR platform? Pushing security into the business technology teams that run the critical operations and move/process the sensitive data for the organization gets greater engagement, and ultimately, better security.

How Will Product Buyers Get What They Need?

Sell the bigger picture for the overarching security operations and response capabilities and goals. Security investments seldom provide immediate transformational benefits, and showing an uptick in closed tickets is not a measure of SOAR success or actually reducing security risks to the company.
Hire people from other technology backgrounds. Cybersecurity technology is evolving just like cloud, data, and other larger drivers of innovation in IT. Hire the right technical leaders to bring over the disciplines from other IT functions like software development. Things like code linting, code reviews, testing (unit/functional), and automated deployment should become your new norm. These practices will have ripple effects across your organization and increase security while enabling other teams to work faster.

References

The Difference Between Events, Alerts, and Incidents - a quick primer and an all-time personal favorite cybersecurity-related website
The Benefits of SOAR - listing of benefits and definitions
SOAR in the Cloud - 7 factors to consider
Arming your SOC with SOAR - practical and common use cases for SOAR playbooks
Gartner’s take on SOAR - the Hype Cycle for Security Operations

Want More?

Looking for more insights and analysis? Check out the Pro version of this newsletter where you’ll find:

9 Predictions for the product space (80% more)
5 Challenges for Product Buyers (67% more)
6 Insights for Players to be successful (100% more)
4 ways Buyers can get what they need (100% more)

When you subscribe to the Pro version, you’ll get access to the pro version of this issue and all past and future issues.

Before You Go

Did you enjoy this issue of Cybersecurity Market Insights? If so, consider sharing it on social media or telling some friends about it. Maybe something like this?

“Looking to learn about #cybersecurity in plain English and looking for product buying guidance? Check out the Cybersecurity Market Insights newsletter!”

Be sure to also check out Fraction Consulting if you’re interested in deeper dive engagements, fractional CTO/CISO consulting, and guidance on an array of technology and cybersecurity efforts.

Making Sense of the Zero Trust Cybersecurity Product Space

Mike P — Sun, 06 Sep 2020 13:17:36 +0000

This is the inaugural post for the Cybersecurity Market Insights newsletter!

A popular topic as of late, Zero Trust, can mean many different things to many different people. Let’s break this down further and understand both sides of the market.

Terms You Might Also Hear

Microsegmentation
Zero Trust Security
Zero Trust Architecture
Zero Trust Network
Zero Trust Network Access
Zero Trust Principles
Zero Trust Execution
Secure Access Service Edge (SASE pronounced “sassy”)
Application Perimeter
Cloud Workload Protection

Problem Statement

Traditional company networks are built like an M&M - hard shell on the outside, smooth on the inside. Networks have a firewall perimeter for security to keep bad guys out, but fewer security controls inside the network.
Everyone inside is “trusted” by default. If an attacker breaches the network in this model, they can easily exploit other systems and steal data because of fewer restrictions.
With companies doing more with mobile and cloud services via Digital Transformation, the concept of a perimeter you can protect yourself disappears and trust becomes even more important.

Market Solution

Enter Zero Trust. “Zero trust” means that no one “entity” is trusted by default from inside or outside the network.
It’s an alternative network and application design with a security model that isolates computer networks, systems, and users from one another.
No users, no systems, no applications, and no workloads are to be trusted, internally or externally, to the business environment.
Isolation stops bad guys who get at one system or one piece of sensitive data from getting at others because all systems and resources are locked down by default.

Players in the Space

Product Space Predictions

Cybersecurity professionals will continue to push for zero trust principles. This will, in turn, drive demand up for professionals with experience in this space. Where there is a demand for professionals in a specific discipline, product companies will follow quickly behind to either enhance or subvert the talent needed.
Digital Transformation initiatives at companies are changing cybersecurity landscapes and associated threats and are creating more desire for zero trust solutions.
High tech companies like Google, Netflix, etc., will implement versions of zero trust principles that the product industry will mimic.
The cybersecurity product industry will set zero trust as a base expectation - experts and vendors alike will cite that future breaches can be avoided by implementing zero trust principles.
Regulators will catch on to zero trust and start asking questions. Soon they will cite deficiencies for not having zero trust principles implemented. Internal Audit teams will do the same.
Cybersecurity budgets at large companies will continue to surge and this will be a significant portion of spending.
Differentiation among product players will become more of a challenge.

“The only way to get to zero trust is to bury your computer in concrete”

-- Cybersecurity Executive at Top 5 US Bank

Challenges for Products Buyers

Zero Trust is Not Important Yet - Cybersecurity spending is dominated by regulatory and compliance drivers. Zero trust isn’t important to regulators yet.
Zero Trust is Really Hard - Zero trust is a high effort for very little visible reward. Implementations take a really long time and require deep knowledge of how applications and infrastructure integrates into upstream and downstream systems. Technical Debt only makes this worse.
Zero Trust Requires Homework - Zero trust requires a company to know much more about their IT applications that most companies ever do.

How Players Will Be Successful in this Market

Make zero trust implementation less complex.
Products that create an easy-path to implement “zero trust principles” onto existing technology stacks with limited management overhead will win.
Enable the zero trust way of operating. Offer complementary products that enable the zero trust principles or that ease the path into zero trust.

How Will Product Buyers Get What They Need?

Scale. Corporate buyers rarely have the financial latitude to buy the “best of” anything, so scale and interoperability matters. Use your limited capital to buy products in this space with the most integrations for your environment.
Plan for Now. Buy for what can work now on premises and in cloud-hosted environments.

References

Why Zero Trust is an Unrealistic Security Model - why zero trust is really hard to do
Forrester’s Five Steps to a Zero Trust Network - a simple framework that is all but simple to execute. Most companies never get those five steps completed, but it’s good to have something to shoot for.
Microsegmentation - a core component of zero trust architecture
Technical Debt - the coding you must do tomorrow because you took a shortcut in order to deliver the software today.
NIST SP 800-207 Zero Trust Architecture - want to get really, really deep? Start here. For the hardcore techies only.

Want More?

Looking for more insights and analysis? Check out the Pro version of this issue where you’ll find:

11 Players (83% more)
13 Predictions (86% more)
5 Challenges (67% more)
5 Product Space Opportunities (Pro Only Section 100% more)
7 Insights on how Players can be successful (133% more)
4 Tips on how Product Buyers can get what they need (100% more)
8 References (60% more)

Before You Go

Did you enjoy this issue of Cybersecurity Market Insights? If so, consider sharing it on social media or telling some friends about it. Maybe something like this?

“Looking to learn about #cybersecurity in plain English and looking for product buying guidance? Check out the Cybersecurity Market Insights by Fraction Consulting newsletter!”

Be sure to also check out Fraction Consulting if you’re interested in deeper dive engagements, fractional CTO/CISO consulting, and guidance on an array of technology and cybersecurity efforts.

How to Get Your Startup Through Vendor Onboarding

Mike P — Mon, 17 Aug 2020 12:29:09 +0000

Getting your startup through vendor onboarding at a large company is harder than it should be.

Why is vendor onboarding so hard?

You are looking to make a business relationship with a larger company that can provide you with some kind of access to data, customers, or that can leverage the services you're selling.

You get the business side excited about your products and services. They buy into what you're pitching, and they are ready to move. Congratulations on making it this far, a lot of hard work is now done!

However, now you get handed to the sourcing team for the official vendor onboarding process. You get met with a lot of questions and formality. You get the 3rd degree from sourcing specialists, corporate attorneys, and IT/cybersecurity professionals. Now you have to answer a 300 question spreadsheet, and you have 48 hours to do it.

It doesn't matter that half of the questionnaire does not apply to your business model. It also doesn't matter that the other half is the same set of the questions repeat themselves in slightly different ways or using terms you've never seen before.

It shouldn't be so hard to get your company through vendor onboarding, right?

So, how do you get your startup through the vendor onboarding process? It's all about:

Understanding 3rd party risk management
Learning what really matters to the 3rd party risk & security teams
Making a plan to close gaps

Understanding 3rd Party Risk Management

Big companies use big systems to operate and govern themselves. The result to the outsider looking in can seem like too much complexity and formality.

Without big systems, however, it's hard to coordinate so many different teams and groups to get anything done.

Here's what that big vendor onboarding program cares about as it:

Limiting Risk
Process efficiency

Limiting Risk

Companies want to limit the amount of legal, regulatory, operational, reputational, and security risks from 3rd parties. The company's brand is at stake when they bring on 3rd party companies, so this process is a means to limit exposure in all possible ways.

Additionally, the more important or "critical" your business or services to the larger company, the more risk you have for them, and the more they want to reduce that risk. Here are some items that go into determining your company's risk level to the larger company:

💻 Classifications, types, and volume of data they'll be sharing with you
🌎 Any geography-specific laws or regulations
🙋 Whether or not you're a customer-facing service for them
☁️ Whether or not you are cloud-hosted (yes this still matters ⚡)

All of this comes down to how "important" or critical your business will be to the larger company's operations. The more critical you are, the more risk they have to mitigate.

Process Efficiency

The bigger the company, the more 3rd party vendors they have. Sourcing is a whole business itself at most large companies, and they have to field 100's or 1,000's of new 3rd party vendor relationships every year (not to mention the ones they have to maintain).

As a result, vendor sourcing teams need standardized intakes, standardized questionnaires regardless of the type of business relationship or type of company, and standardized workflows with SLAs (Service Level Agreements). Not to mention standardized governance routines to oversee and monitor all of the above.

I think we can all agree you'd standardize this too if you had to do the same thing that many times. This efficiency also helps with fair and consistent practices from an ethical and legal standpoint.

Learning What Really Matters to the 3rd Party Risk & Security Teams

Remember that 300 question spreadsheet? 😱

Yes, you really have to fill that out to move forward.

Your company may not have anyone "doing security" at this point, let alone someone who is in charge of security overall.

You might have a hard time taking that big spreadsheet and figuring out what your company does in relation. You may have a hard time understanding how you even achieve some of these things. You might have a hard time committing to closing any identified gaps based on where you are at as a company. The good news, however, is your company doesn't have to be compliant with every single item or do all of those functions today.

Here's the thing - larger companies have dedicated security and risk management teams. They evaluate their 3rd party vendors based on their own level of security and compliance. They want to see equal or better controls to have certain assurances on how their data will be treated (remember the Limiting Risk part?).

Once you realize this, you can have a conversation to determine what really matters to the company. This will vary some, but most concerns fall into these categories:

Information Protection
- Server/Cloud services controls
- Encryption of data-in-motion and at-rest
- Vulnerability patching
- Threat monitoring
- Physical security controls (less relevant for cloud-based companies)
Business Continuity & Disaster Recovery
- Your ability to recover and continue services in case of an event or outage
Compliance
- Your ability to comply with laws based on the data you have and process as a part of your business (PCI, AML, KYC, OFAC, etc.)
- Human resource items like training, security awareness, background checks, etc.

If you're not sure what to start with some of these, check out our earlier post on Securing Your Startup.

Sometimes all the larger company needs are the understanding that you hear their concerns and the assurance that you will address what they care about most.

Making a Plan to Close Gaps

Building off the above, to close on the vendor onboarding process to a point where you can do the business function you were brought in to do, you need to make a plan to close out those gaps. The larger company understands you do not have the same resources that they do, but they will need dates and milestones to make them comfortable.

Don't ask the larger company how long you can have to close a specific set of gaps.

You need to be transparent and realistic about what you can commit to over the next 3 to 12 months on a remediation plan and tell them what you can do. Help the larger company understand that you will address risks as you grow, and some risks are not possible to closeout until you get to certain financial milestones or bring in more people. Let the larger company come back to you on what they want to see done faster or in what order.

Here's another piece that is almost always overlooked when it comes to this process 👇

Keep your "business contacts" engaged through the whole exercise.

This is the team or group you originally made traction with. This is the group that liked your offerings enough to get you started on the vendor onboarding process. This group needs to understand and weigh in on the risks from their business point of view.

These business relationships often are accelerators at getting new products to market or being competitive. The risk of not being able to use your business or services also has risks associated with it. Your business contacts are the best to articulate what is at stake and what levels of risk are acceptable.

Wrap-Up

If everything goes well for your company, you will be in this position many times! Each company may have a slightly different set of concerns and a somewhat different spreadsheet or online form (though it will still be massive!), but how you approach and negotiate success can be the same.

If you need help from a trusted partner who has been on the other end of the spreadsheets asking the questions, reach out to us to learn how we can help.

YANMSS (Yet Another New Mac Setup Script)!

Mike P — Wed, 05 Aug 2020 16:29:37 +0000

Jump right to my Github page if you just want the script: https://github.com/mikeprivette/yanmss

About

This setup script is for modifying some default settings on Mac OS X, installing some of my preferred Terminal tools, and a few applications.

Please feel free to fork and/or add issues/PRs to help make this work better for everyone.

Installation with Curl

To install this script from a brand new Mac (fresh out of the box!) run the following command in terminal with no additional tools or permissions needed:

sh -c "$(curl -fsSL https://raw.githubusercontent.com/mikeprivette/yanmss/master/setup.sh)"

Want to know what "curl -fsSL" stands for? Check out this link.

If you do not already have Xcode Command Line Tools installed, you will be prompted to install them after being prompted for sudo access.

Why ask for sudo access?

You'll need sudo access to do the initial Finder modifications, but it is not required to install Homebrew or associated packages.

If you're not comfortable allowing this script to prompt you for sudo access, feel free to copy/paste the commands you want out of this script into the Terminal as you see fit.

Mac OS X Modifications

All of the following are commands that you can enter directly into Terminal or let the script run for you.

Modify Finder Preferences

Show Library Folder in Finder

chflags nohidden ~/Library

Show Hidden Files in Finder

defaults write com.apple.finder AppleShowAllFiles YES

Show Path Bar in Finder

defaults write com.apple.finder ShowPathbar -bool true

Show Status Bar in Finder

defaults write com.apple.finder ShowStatusBar -bool true

Terminal Tools

All of the following are commands that you can enter directly into Terminal or let the script run for you.

Install the following terminal tools:

Homebrew

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Update Brew

brew config
brew update
brew upgrade

iTerm2

brew cask install iterm2

oh-my-zsh

sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"

Git

brew install git

Powerline fonts

git clone https://github.com/powerline/fonts.git
cd fonts
sh -c ./install.sh

Ruby

brew install ruby
echo "Adding the brew ruby path to shell config..."
echo 'export PATH="/usr/local/opt/ruby/bin:$PATH"' >>~/.bash_profile

Nmap

brew install nmap

Speedtest-cli

brew install speedtest_cli

Additional Applications

All of the following are commands that you can enter directly into Terminal or let the script run for you.

Install the following applications:

Alfred

brew cask install --appdir="/Applications" alfred

Visual Studio Code

brew cask install --appdir="/Applications" visual-studio-code

Firefox

brew cask install --appdir="/Applications" firefox

Slack

brew cask install --appdir="/Applications" slack

1Password

brew cask install --appdir="/Applications" 1password

Caffeine (Keeps your screen on)

brew cask install --appdir="/Applications" caffeine

Clean Up

Run the brew cleanup script and remove old or unneeded casks

brew cleanup

Post Script Actions

I have not yet figured out to automate the post script actions for some of these installations, so there are a few more steps to manually complete.

Enable Any Oh My Zsh Plugins

Oh My Zsh comes with a ton of plugins you can take advantage of. Here is the wiki page.

Open your ~/.zshrc file via Terminal

open ~/.zshrc

Find and edit the plugins section to add the ones you want

# Example format: plugins=(rails git textmate ruby lighthouse)
# Add wisely, as too many plugins slow down shell startup.
plugins=(git brew ruby osx)

Set the Oh My Zsh Theme

Open your ~/.zshrc file via Terminal

open ~/.zshrc

Modify the theme. You can find a list of the themes here. I personally like the agnoster theme.

ZSH_THEME="agnoster"

Make sure to save and close the file after editing. You may have quit and reopen iTerm2 for the theme to take effect.

To make the Agnoster theme look the way it does on the wiki page you have to go to:

Open iTerm2
Select Preferences
Click Profile
Click Colors
Change "Color Presets" to "Solarized Dark"
While still in the same window as above, click "Text"
Click on the dropdown under Font and select any font with "Powerline" in it. I chose "Meslo LG DZ for Powerline"

The End

That's all I have folks. I appreciate any feedback and suggestions on how to make this better!

Securing Your Startup

Mike P — Mon, 27 Jul 2020 19:42:35 +0000

When it comes to early-stage startups and cybersecurity, the two concepts do not always go hand-in-hand. In this write-up, we'll explain the importance of cybersecurity and how it will build trust with customers and investors.

Table of Contents (1260 words, 5 minute read):

Target Audience
Why This Matters
Problems to Solve
Where This Applies
Common Arguments From Founders
Why to Start Early
Security Guiding Principles for Startups
What You Can Do Right Now
Moving Forward

Target Audience

Founders (technical & non-technical)
CTOs & Developers
Sales & Business Development
Investors (Private Equity, Venture Capital, etc.)

Why This Matters

Cybersecurity, data privacy, and regulatory compliance have become increasingly essential business challenges for startups and global organizations alike, and these issues impact starting, running, investing, or acquiring a business.

Today's consumer has become more focused on data protection and privacy and has less confidence in a startup's ability to safeguard digital assets.

Problems to Solve

Consumer Trust - Trust in a digital world is harder to earn and keep, and startups are considered riskier by the average consumer.
Meeting Standards - Enterprise customers expect mature data protection, and data privacy practices and early startups can struggle to meet standards.
Regulatory Costs - Solving for the evolving regulatory landscape only gets more expensive with time and company scale

Where This Applies

Does your startup:

Have users logging into your platform?
Use a database?
Leverage cloud-based resources like IaaS (Infrastructure as a Service)?
Have intellectual property (IP) to safeguard?
Process payment transactions?
Collect, store, use, or process Personally Identifiable Information (PII) data?
Collect, store, use, or process any regulated data (i.e., financial or healthcare)?
Have customers who operate in highly regulated industries (i.e., Critical Infrastructure, Insurance, etc.)?
Have operations in geographies with consumer protection laws or regulations (i.e., EU for GDPR, US for CCPA, etc.)?

If yes to any of the above, security, privacy, and compliance need consideration early and often.

Simply put, you cannot do business without cybersecurity, data privacy, and regulatory compliance in mind today

A few other reasons you need to consider security, data privacy, and compliance:

Your company brings in new employees (part-time or otherwise)
You want your company to be acquired
You are seeking private equity or venture capital investment (see Why Private Equity Needs Cybersecurity Expertise)

Simply put, you cannot do business without cybersecurity, data privacy, and regulatory compliance in mind today (at least not for very long).

Common Arguments From Founders

❌ "We're here to sell product X or service Y first, not be secure..."

❌ "We'll take a look at that when we get bigger..."

❌ "We'll wait until we have enough customers asking..."

Many startups gauge their level of involvement and commitment to cybersecurity based on either the company's financial expense or certain financial milestones.

Instead of waiting for a specific windfall event or a set number of times a customer asks about your cybersecurity practices, do this instead:

✔️ Consider what industry you are in (or your customers are in)

✔️ Consider the risk associated with the data your company has (or hopes to have)

✔️ Consider what that would mean if that data was lost or stolen

Why to Start Early

Price You Pay to Play - Some enterprise customers will require specific security and regulatory compliance levels even to do business (i.e., SOC2, PCI-DSS, etc.).
Security Sells - Security and compliance are selling points in the current state of the world, and your customers will expect it. Security, or lack thereof, could make or break your first big B2B customer.
Create Your Moat - Do what others will not. Security, data privacy, and regulatory compliance in your industry can make you stand out and create a competitive barrier to entry into your market.
Limit Security Debt - Cybersecurity, data privacy, and regulatory compliance design decisions early on cost a lot less than down the road as your company begin to scale as customers, and requirements get larger.

Security Guiding Principles for Startups

Create a Security Culture - Adopt strong security and data privacy practices from the beginning and make it a part of everyone's job. Security is more process than technology.
Do the Right Things - And Do the Things Right. You can't be good at everything early on, so pick a few things to be very good at and make it an essential piece of how you operate.
Work the Plan - You don't have to have it all done up front, but you have to plan to get it all done. Customers will be OK with timelines to get compliant or resolve security issues. Customers will NOT be OK with no plans.

What You Can Do Right Now

While not meant to be an exhaustive or exact list on what may work for your company, here is a sample guide on what you can do now with associated timelines:

Use What You Have (0-3 months):

Use environment-native security controls where possible
Use environment-native compliance reporting (i.e., AWS Trusted Advisory, etc.)
Use available 3rd party tools/integrations for security
Start talking to employees about how to avoid phishing scams and Business Email Compromise (BEC)

Know Yourself and Know Your Vendors (0-3 months):

Understand the "Shared Responsibility Model"of securing your cloud resources
Be able to explain how you collect, store, process, and use a customer's data
Hold your 3rd party vendors to a high level of security rigor with your data
Make sure all employees, contractors, etc. understand what information they can and cannot share

Understand Compliance in Your Industry (3-6 months):

Know the regulations and certifications that your industry or customers require
Make someone at your company responsible for cybersecurity, data privacy, and regulatory compliance (doesn't have to be their only job, but this will ramp up quickly)

Get Outside Support (6-9 months):

Find out how other startups or companies in your market space are addressing security concerns
Seek out a part-time or fractional trusted advisor to help navigate cybersecurity, data privacy, and regulatory compliance

Nail the Basics (9-12 months):

Build your business with security and data privacy principles upfront
Create Information Security policies and standards
Use multi-factor/two-factor authentication wherever possible
Do not share passwords and get password vault manager to manage your company's many accounts (I like 1Password)
Use the model of least privilege (e.g., the CEO should not be "admin" on everything)

Work Smarter, Not Harder (9-12 months):

Make managing users of your services easy to use, self-service, and auditable
Make someone's full-time responsibility looking after security or hire a new person to take on this role

Test Yourself (12+ months):

Do static/dynamic code analysis on your web and mobile applications
Audit yourself early and often (your institutional customers will)
Perform tabletop exercise to respond to threats or loss of your services due to a cybersecurity event

Every scenario will be different, and the risk of your particular company should be driving your roadmap here. Adjust as needed.

Moving Forward

We hope this detailed write-up has been useful for you! Every startup has dreams of being a "big" or "real" company one day. The goal here is to learn how to bake security in from the beginning so the company's security response can adapt to the changing risk posture and goals as the company grows. If you can do this successfully before reaching too much velocity, you can combat security debt and use security to accelerate your growth.