Orchestra's Blog

5 Good Practices for Policy based Cyber Risk

A risk management approach is fundamentally different from the standard approach to cyber security. It requires that organizations explicitly decide on what risks to ignore – an outcome of...

…and Cisco Scores a Perfect 10!!

Cisco just published a vulnerability that could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The CVE-2021-1388 vulnerability ranks 10 (out of 10) on the...

All the (cyber) World’s a Graph

Graphs are about the connectedness of objects. Graphs show us correlation and dependence between seemingly random objects as well as the degrees of freedom and separation from other objects. Social...

Groundhog Vulnerabilities

Groundhog Day is celebrated each year in the United States and Canada on February 2. It comes from a superstition that if a groundhog emerging from its burrow on this day sees its...

3 Clear and Present Cyber Dangers in 2021

According to the recently released World Economic Forum (WEF) Global Risks Report 2021, cyber risks continue ranking among the top ten clear and “present dangers” (high probability risks over the...

Capitol Breach and Cyber Threats

Last week pro-Trump rioters occupied portions of the U.S. Capitol building. This is a real issue for cyber defense since once there is known or presumed loss of physical...

Surprise: CISOs are Human

The CISO role is generally considered one of the highest-stress, least appreciated executive/managerial jobs. Even before the COVID crisis, nearly 9 out of 10 executives holding the title of...

Supply Chain Risk Management

NIST Special Publication 800-161 on “Supply Chain Risk Management Practices for Federal Information Systems and Organizations” was issued about 5 years ago (it is currently going through a revision)....

CISOs, Purple Teams and Cynefin

Cynefin is a sense-making framework created in 1999 by Dave Snowden. Cynefin offers five decision-making contexts or “domains”: obvious, complicated, complex, chaotic, and a center of disorder. Figure by Snowded (Own work,...

Microsoft, SUNBURST and Supply Chain Attacks

Continuing my tracking of the Solarwinds trojan (SUNBURST), I came on an article about Microsoft’s response – “Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach”....

SWAG Security Analysis

Here in Israel there were two security breaches that made big headlines over the last couple of weeks. The first was an ongoing ransomware attack on an Israeli insurance...

DORA the (Threat Led) Explorer

As financial firms become more digital, the EU decided these firms need to focus on ensuring their operations are as cyber resilient as possible. Cyber resilience means the ability...

When a Zero Day is Old News

This week Microsoft released a zero day patch for an unpatched local privilege escalation (LPE) vulnerability affecting all Windows 7 and Server 2008 R2 devices. The LPE vulnerability stems from the...

Outcome based Cyber Security

Donald Rumsfeld was the US Secretary of Defense from 1975-1977 and once answered a security question using the terms known knowns, known unknowns and unknown unknowns. The language is...

Trump, Biden and CVSS

Businesses use predictive metrics all the time. For example, forecasting next quarter’s revenue is a predictive metric used widely in business. When looking at any predictive business metric there...

Security in Numbers

Security (or Safety) in numbers is the hypothesis that, by being part of a large physical group or mass, an individual is less likely to be the victim of a...

Cybersecurity and Continuous Improvement

The busy folks at NIST have just released the official version of NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM). It focuses on converging cybersecurity risk management (CSRM)...

Red, White and Blue Make Purple

Vulnerability scanning, penetration testing and red teams are the main detective controls for residual cyber risk – i.e. the risk that remains given controls already in place. Vulnerability scanning...

Red, White and Blue Cybersecurity Risks

Cybersecurity is moving away from using threats, vulnerabilities and exploits as the management metaphor towards risk-based cybersecurity management. Using risk terminology, penetration testing is a standard detective control used...

Lack of Standard Metrics

Lack of standard metrics to measure, manage and benchmark cyber risk limits security efficiency and effectiveness, making it difficult to prioritize and coordinate cyber defenses. Single security truth from...

Fragmented technologies

Organizations’ cyber security stacks consist of 100-150 different disconnected point tools or technologies, making it difficult to assess and act on the big picture. Organizations based their security operations...

Constantly Shifting Business Needs

In today’s modern world, business needs are constantly shifting, and the IT and cyber risk landscape requires a constant stream of attention and resources. The CISO’s role isn’t just about security, but...

Is Cyber Security Fit-to-Purpose?

ITIL (IT Infrastructure Library) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL is used by CIOs (especially...

Cyber security: Emphasize Protect or Detect?

I am a subscriber to the NIST cyber security framework school of thought. Even though it is officially called the “Framework for Improving Critical Infrastructure Cybersecurity” it isn’t just about securing...

Measuring the Value of Cyber Security

A value-driven approach to cyber security would help businesses understand where to spend their cyber security budget, and how much to budget. One way to estimate how to spend...

5 Indicators a Market is Ripe for a Platform

What is a Platform? The word “platform”, even though it is used quite often, is a chameleon word – meaning different things in different contexts and to different people....

The Pure Platform Approach

Another option for starting a platform is a pure platform play, in essence a “let’s bet the bank that we guessed right” approach. This is an expensive approach since you...

Emergent Platform Approach is Best

The best way to create a platform combines an immediate solution approach with an emergent platform play. It requires a market ripe for a platform (see my earlier post...

The Accidental Platform

Creating a platform is the embodiment of the chicken and egg problem. If there are no consumers – producers have no one to sell to. If there are no...