Every week, Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

In our latest edition, we dive into our interview with Mario DiNatale, CISO at Odyssey Group. Here are the top takeaways from the interview.

#1: Focus on Asymmetric Risk Management

“I'm not gonna go out and, like, cover, like, the entire risk landscape, because I think, one, that takes too much time. Two, it's probably ineffective. I look at where I essentially bubble sort, I'd say, okay, here's our highest areas of risk, and here are, you know, where I can do the most good with the least amount of spend. And then I attack all those first, right?

“I try to buy myself as much asymmetry in this, you know, cyber landscape as possible against my attackers, right? Like, if I spend x and they have to spend xx, that's probably a more effective control for me, right? Because I want to effectively have them spend more time, more cycles, more money to penetrate me than I'm spending on defending. That's just me not outrunning the bear. That's me out running, like, the person behind me.”

Actionable Takeaway: Instead of attempting to cover the entire risk landscape, rank your risks and start with the highest areas where you can achieve maximum impact with minimal spend. Aim to create asymmetric defenses where attackers must expend significantly more time, cycles, and money to penetrate than you spend to defend. This approach gets the most defensive value out of a limited budget.

#2: Leverage Team Intelligence and Rigorous Testing for Cybersecurity

“So, I'm big on leveraging the group IQ of the team. I can't be the smartest person in the room. I hire people smarter than me. Hire smart people to do smart things. Additionally, that's not my job anymore, right? I'm the CISO. I've got to hire smart people to do that, and I got to be able to trust them to do it properly so that I can effectively do my job properly reporting what these are and getting the results, right?

“So it is an integral part of testing your controls, right? It's part of every compliance framework or audit framework is, okay, you report the risk, you remediate it, but you also test it. Trust will verify. Right? Like, Ronnie Reagan. Trust will verify. And you have to have the pen testing component to verify the security of these controls. It's one thing to say, like, oh, yeah, we fixed that. That's another thing to actually test it and make sure that's right. Because how many times has somebody told me they went and fixed it? It really wasn't fixed.”

Actionable Takeaway: Hire capable team members, empower them to handle complex work, and trust but verify the results. Integrate pen testing as an essential component of your cybersecurity strategy so that reported fixes are confirmed rather than assumed. Test controls regularly, because a remediation that was "fixed" on paper has often not been fixed in practice.

#3: Strategic Threat Detection with MITRE ATT&CK Implementation

“When you look at the MITRE ATT&CK matrix, I see a lot of CISOs make what I consider a mistake all the time. They say I want to detect everything. I want all of these. And counterintuitively, I take the opposite approach, because if you look at the entire library of the MITRE ATT&CK not all of them pertain to my environment. Not all of them pertain to my vertical. Not all of them pertain to even the types of systems we run in our business.

“So if I dumped that entire library into the SIEM, which is effectively supposed to be a high-performance database, you've done two things. You’ve slowed down the database. So now when the attack that I need to see comes in, [o]r now I've just filled my SOC operators screen up with useless noise, and they're gonna end up missing that attack. I mean, when you're getting attacked, it's attacker advantage. You're already behind them as it is, and you're playing catch up. It's like the last thing you need to do is give them even more of a head start, right?

“So we take the opposite approach. We go, hey, all right, what do we know? What do we think we might have? What are we up against? And let's build those. Instead of, like, the build the wall approach, which is, you know, fill out everything. I call it building the minefield. Like, we selectively drop our traps everywhere, and if we get enough of our traps hit, we're like, this is higher fidelity. Let's move.”

Actionable Takeaway: Avoid overloading your SIEM by trying to detect every technique in the MITRE ATT&CK library. Instead, prioritize the techniques that actually apply to your environment, vertical, and the systems you run. Implement a "minefield" approach: place targeted detection traps, and treat a host where several traps fire together as a higher-fidelity alert, which minimizes noise on your SOC operators' screens.
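To make the "minefield" idea concrete, here is a small Python sketch, added as an example and not taken from the interview or from any Odyssey Group tooling. It loads only the detection rules whose platforms exist in the environment, runs them over a few constructed log lines, and escalates a host to a high-fidelity alert only when several distinct ATT&CK techniques fire on it inside a time window. The technique IDs are real ATT&CK identifiers; the log format, rule predicates, platform tags, and thresholds are constructed assumptions for illustration.

```python
"""Added example, not code from the interview: a toy 'minefield' detection pipeline.
Rules carry an ATT&CK technique ID and the platforms they apply to; only rules that
match the environment are loaded, and single low-fidelity hits escalate only when
several distinct techniques fire on one host inside a sliding window.
Log format, predicates, platform tags and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    technique: str                 # real ATT&CK technique ID
    name: str
    platforms: frozenset           # platforms the rule is meaningful for (assumed)
    match: Callable[[dict], bool]  # toy predicate over one parsed log event


def parse_event(line: str) -> dict:
    """Parse a constructed 'ISO-timestamp host key=value ...' log line."""
    ts, host, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "host": host}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


# Constructed rule catalogue: real technique IDs, toy predicates.
CATALOG: List[Rule] = [
    Rule("T1059.001", "Encoded PowerShell", frozenset({"windows"}),
         lambda e: e.get("proc") == "powershell.exe" and e.get("encoded") == "true"),
    Rule("T1547.001", "Run-key persistence", frozenset({"windows"}),
         lambda e: e.get("reg_path", "").lower().endswith("currentversion\\run")),
    Rule("T1003.001", "LSASS handle opened", frozenset({"windows"}),
         lambda e: e.get("target_proc") == "lsass.exe"),
    Rule("T1136.001", "Local account created", frozenset({"windows", "linux"}),
         lambda e: e.get("action") == "user_create"),
    Rule("T1053.003", "Cron job written", frozenset({"linux"}),
         lambda e: e.get("action") == "cron_write"),
]

# Constructed sample telemetry (not real data).
LOGS = [
    "2024-05-01T09:00:00 ws-42 proc=powershell.exe encoded=true",
    "2024-05-01T09:05:00 ws-42 reg_path=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "2024-05-01T09:12:00 ws-42 target_proc=lsass.exe",
    "2024-05-01T09:30:00 ws-07 proc=powershell.exe encoded=true",
    "2024-05-01T14:00:00 ws-07 action=user_create",
    "2024-05-01T14:01:00 srv-db action=cron_write",
]


def select_rules(catalog: List[Rule], platforms: Set[str]) -> List[Rule]:
    """Load only the rules relevant to platforms actually present in the environment."""
    return [r for r in catalog if r.platforms & platforms]


def evaluate(lines: List[str], rules: List[Rule]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Return {host: [(timestamp, technique), ...]} for every rule hit, sorted by time."""
    hits: Dict[str, List[Tuple[datetime, str]]] = {}
    for line in lines:
        event = parse_event(line)
        for rule in rules:
            if rule.match(event):
                hits.setdefault(event["host"], []).append((event["ts"], rule.technique))
    for host in hits:
        hits[host].sort()
    return hits


def escalate(hits: Dict[str, List[Tuple[datetime, str]]], min_distinct: int = 3,
             window: timedelta = timedelta(minutes=30)) -> Dict[str, List[str]]:
    """A host becomes a high-fidelity alert when at least min_distinct different
    techniques fire inside any sliding window of the given length."""
    alerts: Dict[str, List[str]] = {}
    for host, events in hits.items():
        for i, (start, _) in enumerate(events):
            inside = {tech for ts, tech in events[i:] if ts - start <= window}
            if len(inside) >= min_distinct:
                alerts[host] = sorted(inside)
                break
    return alerts


def run_demo(platforms: Set[str] = frozenset({"windows"})) -> Dict[str, List[str]]:
    """Windows-only environment: the cron rule is never loaded, ws-42 trips three
    traps within 12 minutes and escalates, ws-07 trips two hours apart and does not."""
    return escalate(evaluate(LOGS, select_rules(CATALOG, set(platforms))))


if __name__ == "__main__":
    for host, techniques in run_demo().items():
        print(f"HIGH-FIDELITY {host}: {', '.join(techniques)}")
```

Lowering `min_distinct` or widening `window` trades fidelity for coverage; the tuning is the point of the approach, since every rule loaded is both a trap and a potential source of screen noise.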

Listen to full episodes out now on Apple, Spotify, and YouTube.

For more information about Ahead of the Breach, please visit www.sprocketsecurity.com/aob-podcast. Episodes are available on all major podcast platforms.

We look forward to bringing you more conversations with actionable insights that help in your pursuit to protect your most valuable assets — and help clients do the same!