
If They Can’t Reach It, They Can’t Breach It.

In this episode of Breach Ready Dialogues, Agnidipta Sarkar speaks with Sarah Armstrong, former Chief Security Advisor at Microsoft and author of Effective Crisis Management and Understand the Cyber Attacker Mindset.

They explore breach readiness, assumed failure, lateral movement, credential misuse, and why most cybersecurity investments focus on the perimeter instead of protecting the core business.

The conversation connects crisis management, cyber resilience, MITRE ATT&CK, Zero Trust, and microsegmentation to a simple principle: you cannot stop every attack, but you can control the impact.

If you are a CISO, CIO, board member, or security leader looking to shift from perimeter defense to inside-out protection, this episode reframes how to think about material impact, crown jewels, and containment-first architecture.

Agnidipta Sarkar: Hi everyone, this is Agni again, and today I have Sarah with me. Sarah has been a long-term associate that I worked with long, long back; we were both on the Business Continuity Institute's program committees, and we had some association back then, but Sarah moved on to bigger things.

Agnidipta Sarkar: She joined Microsoft and she did a whole lot of other things. She wrote a lot of books, and some of those books were really very good and very in depth. What she brings to the table is the ability to bring crisis management into cybersecurity. So she's bridged both of them, and that's the fascinating story we are going to hear.

Agnidipta Sarkar: I’m not gonna talk much. And I’m gonna hand it over to Sarah. Sarah, why don’t you introduce yourself?

Sarah Armstrong Smith is the ex-Chief Security Advisor at Microsoft

Sarah Armstrong: Ah, thank you, Agni. It’s always a pleasure. As you say, our history goes back quite a number of years. And I think that’s a good starting point when I think my career has spanned getting on for three decades, which makes me feel very old.

Sarah Armstrong: But it started from a business continuity perspective and then pivoted into disaster recovery and crisis management. And then I've been working in cybersecurity for 17 years, but what I always describe is that I'm on the business side of cybersecurity. What does that mean in essence? Having worked from a business continuity and DR perspective, it's really getting to the heart of what is critical, what are we here to protect, and why.

Sarah Armstrong: I think that's a really good starting point for getting people in the right mindset, because when we're talking about cybersecurity often it's about, oh, we're here to protect the cloud. We're here to protect endpoints and infrastructure.

Sarah Armstrong: But ultimately, those things don’t have a value to them. Until we put something on it. So when we talk about the data, the different types of data, the users, the sensitivity of those users, and it’s really building that big picture view of the world in terms of looking at the organization in its entirety.

Sarah Armstrong: Really understanding the core of that business, how all that business is connected, the dependencies. And if you can understand that, all of a sudden cybersecurity makes a lot of sense. So if I just give you a little bit of an insight over what I’ve been doing over the last few years, you’ve mentioned some of my books.

Sarah Armstrong: I spent five and a half years at Microsoft as the Chief Security Advisor. And it was doing exactly what I just said. In essence, it's really talking to the biggest enterprises across Europe. So it's multi-sector, multi-country, CISOs, CIOs, CTOs, but also bridging more so into the business. What are the biggest challenges that customers are facing?

Sarah Armstrong: And during that five and a half years, we had a global pandemic. I don't think we ever expected to have an incident lasting that long. That itself introduced a huge number of challenges with regards to hybrid and remote working, whereas "where is my data?" has always been the number one question I hear over and over again.

Sarah Armstrong: We're now approaching four years since the Russian invasion of Ukraine. And I think that's introduced a number of challenges when it comes to data sovereignty, residency, destructive cyber attacks. We've now got disinformation, synthetic media, cyber influence operations, and over the last few years we've brought AI into the mix, and I think that brings it right up to date.

Sarah is an authority on Crisis Management having authored two books about it

Sarah Armstrong: We're talking about agentic AI, more autonomous use of AI, and when you bring all of that together, the challenges that we've been talking about over those three decades have arguably been getting worse, but the challenge remains the same. In essence, how do I protect the crown jewels? What even are the crown jewels?

Sarah Armstrong: Just a little bit on some of my books. Given my back history, working and being on the frontline of multiple incidents, that is what led me to write my first book, Effective Crisis Management, which I published in 2022. And it's a little bit of a "how many wake-up calls do we need before we make a positive change?" It's reflecting on some of the biggest incidents that we've had since the turn of the century.

Sarah Armstrong: Some of those I've been involved with directly or indirectly. I started my career on the Millennium Bug. But it looks at 9/11, the pandemic that we've been talking about. But also there's a pattern behind that in terms of the proactive and reactive response to major incidents. And I'm really challenging people about what those principles are that people should be thinking about when they're doing their due diligence, understanding criticality, how you respond to a major incident.

Sarah Armstrong: And then my second book was published last year, Understand the Cyber Attacker Mindset. It always comes back to the human element for me. And again, when we talk about cyber, it's around the infrastructure. It's the method of attack, and I'm really trying to hone in on the motivation for the attack. So there are a million and one ways in which I can attack you, but only a finite number of reasons why.

Sarah Armstrong: And irrespective of whether it's a state actor, organized crime, an activist or an insider, ultimately your objective is to get to those people, to get to the data. So my objective is to understand that, understand the core. So if I know what they're going for, yeah, the value changes dependent on whether it's a state actor versus organized crime, for example.

Sarah Armstrong: Some of those are motivated by espionage. Some of them are motivated by financial gain, but ultimately it’s the same data. It’s the same people, it just has a different value to it. And that’s a bit I’m really trying to challenge on Agni and it really does reflect a lot about what we’ve been talking about over the last few years with regards to really this all sits under the realm of resilience.

The concept of Assumed Failure is the stepping stone to being breach ready

Agnidipta Sarkar: It's been a long time since I read your book. I think there was one very fascinating thing that I found, because while I was preaching Zero Trust, you were talking about assumed failure. Can you explain what you mean by assumed failure? And I think it's very relevant today. Yeah, because there's another thing that you talked about.

Agnidipta Sarkar: Just give me a minute. I'm going to pick up what you just said a few moments ago, and the one thing that you talked about is, like, we focused on the endpoint, the cloud, everything. And I faced a situation with the CEO one day and he said, do you know what we are protecting? And I had a very exuberant person who was reporting to me.

Agnidipta Sarkar: And he said, I can answer that. I said, yes. And he said, we are protecting the endpoints, we're protecting the network. And the CEO said, no, you're protecting my business. If you are going to put money into protecting my business on the endpoint, then you better justify to me why I should be doing that and not focusing on what my critical assets are.

Agnidipta Sarkar: Just wanted to give you this segue. Tell me about this assumed failure thing that you talked about a long time back. Yeah.

Sarah Armstrong: There are two elements to it. There's assume compromise and assume failure, and it ultimately means that, with the best will in the world, the investment in technology, processes, education, all of those things, we have to assume things are going to go wrong. Whether that's through an attacker, through their motivation, because all the tools and technology don't stop them.

Sarah Armstrong: I think that's the challenge. It just means they have to go away, pivot, and come back with another method. And that's what I said: the mission never changes. So we've got our own mission to protect the core of our business. They have a mission to gain access to the business, or gain access to that data, or gain access to those vulnerable people.

Sarah Armstrong: And so that's the point from which we have to operate. We have to assume that things are going to fail, things are going to be compromised, and then it comes to the "so what?" So I always narrow it down to its lowest denominator: the what-if and the so-what. The what-if, ultimately, is what are the scenarios that we are talking about?

There are multiple scenarios of failure and the resulting impact

Sarah Armstrong: What if somebody could gain access to those critical assets? What if they were able to infiltrate data? What if they were able to impersonate the CEO? What if they were able to do a business email compromise and move money? And we could do what if, what if, what if. These are all the scenarios that we are used to thinking about from a cybersecurity, business continuity, crisis management perspective, and then it's the so-what.

Sarah Armstrong: What's the measure of the impact? And that's really where we are trying to understand the most critical assets, the highest impact to the business, and being able to justify our expenditure. Because ultimately we've only got a finite pot of resources. We'd all love to be able to put security on everything and build all these defenses and build all these walls, but that's not the reality of the world that we live in.

Sarah Armstrong: And I think the challenge is that a lot of organizations, irrespective of their size and complexity, try and put a little bit of security on everything. And then, to your point, I'm trying to secure all endpoints, all network, all data, as opposed to really refining down to that crown jewels analogy that we refer to.

It is a fallacy to assume that you can stop all attacks

Sarah Armstrong: What is the core, what are the really critical things? And I need to divert my investment to that, to protecting the absolute core, the absolute criticality. So that might mean we still get breaches. We're not going to be able to stop all incidents. So I think it's a fallacy to assume that you could stop everything.

Sarah Armstrong: But what we're trying to ultimately do is slow down the attack, or slow down the impact of the attack. Then we can make sure that we are, as you say, investing in the right area, managing our risk, giving the assurance and confidence back to the board and the stakeholders that we are putting our investment in the right area.

Agnidipta Sarkar: Yeah. And I think you've given me the topic for my next blog: what if, and so what. It's a fantastic concept, and I think everyone across the world should really be focusing on those two questions. It would make them so much better. I have a concept that I talk about: the maximum acceptable material impact versus the minimum viable digital business. Which roughly translates into what you just said. The impact is the so-what, and the what-if is your viable digital business, the business that you want to remain unaffected in a cyber attack. Not many people understand that.

Agnidipta Sarkar: People feel that I'm talking about business continuity. No, I'm not. I'm talking about business continuity only for the affected part. Because, let's say you are the most prepared organization in the world. You would kick in your business continuity plan for the affected part. Now, if you've not designed your enterprise in such a way that you will have an unaffected part, then you are executing a business continuity plan on 100%.

Agnidipta Sarkar: So your recovery could be 15%, 20%, 30%, maybe 40%, depending on how well prepared you were and how much it suits the current scenario. But if you had planned to have some part of your enterprise unaffected, you can go all the way up to 80% and invoke your BCP for the 20% that really got affected.

Breach readiness needs to shut down the path of least resistance

Agnidipta Sarkar: That brings me to another point that you made, and I think you gave me an example of how we are chasing the mouse, the Tom and Jerry example that you gave. Could you explain that? It's fascinating. Honestly, not many people understand that.

Sarah Armstrong: Yeah. I think we talk a lot about this being cat and mouse.

Sarah Armstrong: We're constantly chasing our tail. If we go back to the Tom and Jerry cartoons that I'm sure a lot of us grew up with, we look at Jerry the mouse in essence. He's always outwitting Tom the cat. He's faster, he's agile, he's outwitting him, but I think what we fail to remember is: who's the predator and who's the prey in this scenario?

Sarah Armstrong: Tom the cat is the predator. Ultimately, we don't need to be chasing the mouse around the network and following it, looking at where they're going, what they're doing. Because we know the endpoint, we know the goal. And if I was looking at that from the cat's perspective, going back to this analogy of the cartoon that we've all grown up with, I'd be camping out at the fridge.

Sarah Armstrong: I know he is after the cheese and I know where the cheese is. So all I need to do is cross my arms, sit right in front of the fridge, and wait for him to come to me. That's the difference: I don't need to be chasing the threat actor, the attackers, all around my network, closing all the doors and doing all the things. I need to know the path.

Sarah Armstrong: I need to know the path of least resistance and I need to shut it down. But ultimately, if Jerry's right in front of me, right in front of the fridge and trying to get access, we failed at all of the points before that to stop him. And I think that's the analogy, yes.

Sarah Armstrong: That's what I'm really trying to get to. We've got to break this whole cat and mouse thing, where we feel like we're constantly chasing the mouse, when the mouse actually has to come to us.

Agnidipta Sarkar: Yes. That’s absolutely fascinating the way you put it. And, I couldn’t have put it any better.

Agnidipta Sarkar: And what I like about this is that in one simple example, you've explained how we are putting our money into the effort of running after the mouse, while we should really be putting our money into making sure that we have narrowed down the path, making sure that the attacker does not have any ability to budge once they're inside.

Agnidipta Sarkar: Because I've heard a lot of stories, and I think you have too, that attackers are very smart. I fail to believe that. How is it that I know more about my network, and the other guy who only has the ability to ping is smarter than me? That's what I fail to understand every time, and now with this example, what you just laid out is: what if I know where the attack is going to come from?

Agnidipta Sarkar: I think that's the biggest dilemma, because all of us who are on the defense side, more usually, we don't know (a) what we are defending. We don't know our assets completely. That's a big problem. (b) We don't know what processes we are using to keep those assets working. We don't have a complete inventory of that.

We need to stop lateral movement while we can, to stop weaponized edge attacks

Agnidipta Sarkar: Change management is a big problem, and (c) we don't know how they're configured to connect to each other. So that's the big gap. If we are able to solve that and narrow down that attack path, reduce the attack surface, bring it down so that we know, okay, this attacker, let's say some known one. CISA has done a fantastic job on their website.

Agnidipta Sarkar: They've profiled different attackers, and you can actually figure out how that attack can happen if they land on a vulnerable asset, whether that asset is a gateway or an expo server. It doesn't really matter. Coming to that, what's your take on that F5 incident that happened? Now you're scared.

Agnidipta Sarkar: We've got these gateways, which are now becoming the sources of, we don't know if somebody left a signature there.

Sarah Armstrong: Ah, I think it really comes back to the point that you were making as well, Agni, which is that we're so focused on the perimeter. We're so focused on the edge and we're so focused on the network.

Sarah Armstrong: And I think a lot of cybersecurity is looking at how attractive we are from the outside in. So we have a lot of penetration testing. We look at a myriad of different routes. As you say, there are so many entry points, and we are trying to look at them and block all of these things.

We need to focus on the core that impacts materiality and all paths that lead to it

Sarah Armstrong: But what we need to focus on is the inside out. So we need to focus on the core. And what I'm really trying to say is there are only a finite number of ways I can get to the core, but there are a million and one ways I can get to the edge. So I think that's the difference. And I think, from a threat actor's perspective, they understand that.

Sarah Armstrong: They understand, first of all, that they have to breach that perimeter. And I think historically that's why so much emphasis has been put onto the perimeter, on the networking, firewalls, all of those things. But if we go back to the point we made earlier, if you're going to assume compromise and you're going to assume failure, you've got to assume that they're going to breach that.

Sarah Armstrong: That wall, that firewall, is going to get breached no matter what, because that's their job. So now they're in. Now what? You just have to assume that first line is going to get breached, because that's their job ultimately. Whether they breach it through conventional means, through the technology, or through social engineering, we're back to square one again.

Sarah Armstrong: So now they're in. Where are all the paths, where are all the ways in which they can gain access? So I think that's ultimately why we have to start from an inside-out perspective: all roads lead to the same point ultimately. And we then have to think about, okay, so if we know that.

We need to control the roads that lead to the critical systems and the traffic that can use them

Sarah Armstrong: We can start shutting down the roads. Whether we do that physically or logically, whether we do that in advance or at the time, because ultimately we're also narrowing their path as well. So arguably, I'd say, does that make security easier? Because if we're forcing them down a path, and that's a path that we control, that we are monitoring, that we are blocking, or where we can put deception into play or whatever, that means that we are taking back control.

Sarah Armstrong: And I think a lot of the time when we're talking about cybersecurity, we don't have any control. We put all the controls in, but we're still out of control. And so it's like, how do we gain that back? And I love this, if we go back to Tom and Jerry, I think our role is almost Brutus the dog. Me and my dogs, I love my dogs.

Sarah Armstrong: I always come back to the dogs. But Brutus, he's the top predator ultimately. So he's even overseeing Tom. So if any of those step out of line, I'm coming in to be the big brother and to take back control. So I think the Brutus thing is the oversight of everything. Yes. He's the one who's sitting on top of the fridge.

Sarah Armstrong: Yeah. And he's not moving.

Sarah Armstrong: Cat, you've got to get past me. So

Agnidipta Sarkar: he’s not moving, but he has a razor sharp vision almost panoptic on where Tom is chasing Jerry.

Sarah Armstrong: Yeah, that’s, yeah, exactly that. Yeah.

Agnidipta Sarkar: And that's what is fascinating about your example, because you just mentioned Brutus. I didn't want to bring him up, but you brought up Brutus, and I think what you brought out is that there is a need for having, I use the word, panoptic visibility.

Panoptic visibility of the path of an attacker is the real value in being breach ready

Agnidipta Sarkar: It's like those prisons in earlier days which were called Panopticons, right? Where you had one central tower which would have complete insight into what the prisoners were doing, who's visiting them, and everything. I think there was a circular prison that they designed long back; where was it?

Agnidipta Sarkar: I don't remember where the first one was, but I think the first one was as old as Saxon times, but I'm not very sure. Anyway, that's what it reminded me of. And I think that's very important. You just mentioned that there needs to be visibility and you need to be in control. And I'm going to take that on, because that's a very important word for everyone who's listening out there: the only way you can control is if you define the attack path, the possible attack path, or possible attack paths.

Agnidipta Sarkar: There could be many.

Sarah Armstrong: Yes,

Agnidipta Sarkar: As long as you know how the attacker will travel, what zones, using what conduits, then you are in control. You can decide to disconnect a conduit at will, thereby cutting off the attacker, and then bring in the cybersecurity tools that you have already invested in against the attacker, isolating them if needed and making it so much more difficult for anybody to come in.

Agnidipta Sarkar: But at the same time, and this is the question that I have for you, because I remember you've always been espousing the business aspect of cybersecurity, which means what you're saying is that cybersecurity should be enabling business.

Agnidipta Sarkar: So the main misconception people have is in this whole Zero Trust concept and inside out. In fact, you remind me of another thing. There used to be this puzzle in the newspaper with the gold in the center and eight or nine entrances in a square block. You had to come in through any one of those, and you'd find most of them were blocked.

Agnidipta Sarkar: The only way to solve that was to go inside out.

Sarah Armstrong: There you go.

When you are breach ready, you already know your digital business, and the defenses you control

Agnidipta Sarkar: So coming from a business perspective, why do you think businesses should be more confident in this way of working, rather than the other way of working where you're trying to fix things, where you're focusing on Jerry? And why should people be focusing on the crown jewels and trying to protect them, versus, imagine a balloon and you're putting a sticking plaster on every time there's a hole?

Sarah Armstrong: I think you hit the nail on the head earlier, Agni, when you said, ultimately, nobody should know your business better than you. It's your business, it's your technology, it's your people, it's your data. These are your processes. This is the house you built, in essence. So you should know all of these points and everything else.

Sarah Armstrong: And I think the beauty is that, for the majority of organizations, a lot of this work has already been done. You just need to be able to ask the right questions of the right people. I'm going to hazard a guess and say everyone has some level of enterprise risk, so you already have some really good understanding at the board level.

Sarah Armstrong: They understand the concept of enterprise risk. They understand the requirements in terms of keeping the business operational, whether that's from a stakeholder or a regulatory perspective. So those principles are there, and I'm hoping that a lot of those companies also have business continuity professionals working within the organization.

Material Impact Analysis is a derivative of how BCM teams conduct business impact analysis

Sarah Armstrong: I'm hoping that they've done some level of business impact analysis. So it doesn't mean people have to start from scratch and literally be scratching their heads going, where do I start with this huge, big beast of a thing that I have? Ultimately, start from the center and work your way out. And I think this comes back to the reality, as we said, that most companies are facing: I've got a million and one risks.

Sarah Armstrong: My cyber business continuity is one element of that. I've also got other risks that I have to manage. So when I'm looking at the top 10 risks, or I'm looking at where I'm going to put all my investment, I've got to make sure that my investment is giving me the best bang for buck. And that ultimately has to be, I've got to put it on the center.

Sarah Armstrong: We talk about having all of these different layers of defense, but I have to assume that the layers are going to get broken at some point, because that's the attacker's objective: to get in, laterally move, to gain more control, to gain more visibility, to gain access to all of these things.

Sarah Armstrong: But my job, ultimately, is to protect that core. And my argument, I think, is ultimately that a lot of the investment today is in the wrong area. I think there's a huge amount of investment, as we said, on network, on perimeters, on endpoints, on all of the ways in, not necessarily on the center.

Sarah Armstrong: And what I say to people is, it should be harder to get out than it is to get in. Yeah. Because if I've detected you all the way through, I should have been able to block you. But if we think about it from the perspective of a lot of cyber attacks, once they've got access to the data, they can exfiltrate it like that.

Sarah Armstrong: There's nothing to stop it. The data's now gone. Now what? So they've achieved their objective and they're out. They've gone.

Breach readiness tagline: You can come in any time you want, but you can never leave.

Agnidipta Sarkar: You just made Hotel California our song. You can come in anytime you want, but you can never go out.

Sarah Armstrong: Has to be our tagline, doesn’t it?

Agnidipta Sarkar: I like that. I like that. Yeah. But let me get into something that most people grapple with conceptually.

Agnidipta Sarkar: Many people probably understand what we are talking about. Actually, I would put them into three buckets. A few people understand what we're talking about. Many people do understand what we're talking about, and far fewer are actually aware of what we really mean by this. And then they go out there to their workspace, and then they realize they have a new problem.

Agnidipta Sarkar: And that's identity credentials. And when you study the MITRE framework, and the funny thing is, I was doodling one day on the MITRE framework. I had it printed, I had a pencil, and I was just drawing around it. Suddenly I realized that it looks like a man who's got a big belly and is lying down. And do you know what the belly is?

Agnidipta Sarkar: 33 techniques, credential misuse.

Sarah Armstrong: Really interesting.

Breach Readiness is aligned to the MITRE ATT&CK framework

Agnidipta Sarkar: Yes, and that's the fun part. So if you look at MITRE ATT&CK, you can actually break it down into four parts. The first two are resource augmentation and recon, a place where you really can't do anything because it's happening outside your sphere of control.

Agnidipta Sarkar: At the most, you can sign up with a dark web intelligence company and they will tell you, okay, your data is on the web. And then you can think about taking it down and all that kind of stuff, but there's not much you can really do about that. It's only on the third tactic, which is initial access, that they get into the network.

Agnidipta Sarkar: It goes all the way up to privilege escalation, which is the sixth tactic. So four of them are phase two. That's breaking in. That's when the breach happens. And if you look at our cybersecurity industry, that's where 90% of the industry sits. Then once they're able to go further, they do discovery, then they do credential misuse, and eventually they get into lateral movement.

Agnidipta Sarkar: The fun part is that lateral movement has only nine techniques. So you are using 33 techniques to do credential misuse, and of those nine, one of them is all about valid accounts. So theoretically speaking, and again I'm speaking theoretically because we're just having a discussion, but there is a practical way of doing this, theoretically speaking, if you are able to throttle those nine, then you have achieved what you just said.

Agnidipta Sarkar: Hotel California: you can come in anytime you want, break in wherever you want, but you just can't go out, because we've caught you there. You can't exfiltrate. So there are two parts to that lateral movement part. One part is about valid accounts. The other eight are not about valid accounts.

Agnidipta Sarkar: So if you look at microsegmentation as a solution, that takes care of the other eight. If you look at credential management as a solution, that takes care of the one of the nine. So essentially, if you've been able to stop that, you've moved left instead of getting into chaos, which begins with command and control and data exfiltration and all that, which is the fourth part of the framework, right?

Agnidipta Sarkar: So I said the first one is where you can't do anything. It's happening outside your door, outside your control. The second one is where you have full control and you define what people can attack and what people cannot attack. The third is when they break out, they bypass the initial defenses and they start moving in, and you can actually choke them down there.

Agnidipta Sarkar: And the fourth is, if you can't do any of those, then they're out and they've caused chaos. Again, you can't do anything there because you're fighting fires. So if you look at this whole transition, and if you look at this potbellied man that I was talking about lying down, if you look at the table flipped upside down, it was very interesting, and I realized that's the only choke point, and you've laid it out absolutely right.

Agnidipta Sarkar: If we are able to choke that part, we've got that attacker. But then I also realized that's only a model. The benefit and the disadvantage of that is: if we can translate that model into technology and build cyber defense models, then there's a benefit. The downside is that it is not fixed. It could be that somebody tried to do lateral movement right after privilege escalation.

Agnidipta Sarkar: Because these are tactics, and attackers are not bound by MITRE. They're not going to wait: okay, let me do initial access, and then let me wait till I do privilege escalation, and then I will exfiltrate. No, they could do initial access, pick up whatever data they want. They could be a small attacker, but they might be creating great havoc because they picked up the real data that makes a difference to your organization.

Being breach ready is to have the ability to contain the attacker in the smallest microsegment

Agnidipta Sarkar: They’ll exfiltrate right out. So yeah, to your point I think that’s a good strategy. So you’ve given me two talking points today.

Sarah Armstrong: Yeah. I think as well, just as you were talking when we talk about the lateral movement, it’s, and we go back to the analogy that we were talking about with Tom and Jerry.

Sarah Armstrong: We’re, in essence, allowing the attacker to walk around the maze. And to find the different paths and to put those little markers there. Where are they? Where are the back doors? I’ll come back to that one later. And so I know in essence, they’re looking for the path of least resistance to the core at the middle of the maze or whatever the case.

Sarah Armstrong: And I think sometimes we shut down the path in front of them, but we don’t shut the door behind them. So we need to lock them in. And I think that’s the principle as well, is that we’re actually narrowing the path down so they can’t backtrack. Because I think if the path in front of you is now blocked, what are you gonna do?

Sarah Armstrong: You’re gonna go back down the way that you came and then try a different route through. And I think ultimately if you then were to block the exit and the entrance now what?

Agnidipta Sarkar: Yes.

Sarah Armstrong: So

Agnidipta Sarkar: you’re trapped, you’re

Sarah Armstrong: completely stuck.

Agnidipta Sarkar: You’re trapped.

Sarah Armstrong: You’re trapped.

Agnidipta Sarkar: Great idea. Great idea. So Sarah, I know we’ve got almost, you’ve talked a lot and I simply love talking about this. We should record another one sometime later. But thank you so much. Let me stop recording and then you know it’s been a great insight into whatever we know about and thank you for all of that.

Sarah Armstrong: You’re very welcome.

In this episode of Breach Ready Dialogues, Agnidipta Sarkar speaks with Sarah Armstrong, former Chief Security Advisor at Microsoft and author of Effective Crisis Management and Understand the Cyber Attacker Mindset.

They explore breach readiness, assumed failure, lateral movement, credential misuse, and why most cybersecurity investments focus on the perimeter instead of protecting the core business.

The conversation connects crisis management, cyber resilience, MITRE ATT&CK, Zero Trust, and microsegmentation to a simple principle: you cannot stop every attack, but you can control the impact.

If you are a CISO, CIO, board member, or security leader looking to shift from perimeter defense to inside-out protection, this episode reframes how to think about material impact, crown jewels, and containment-first architecture.

Agnidipta Sarkar: Hi everyone, this is Agni again, and today I have Sarah with me. Sarah has been a long-term associate that I’ve worked with long, long back and we’ve been working on business continuity institutes program committees, and we’ve had some association back then, but. Sarah moved on to become, to go into bigger things.

Agnidipta Sarkar: She became, she joined Microsoft and she did a whole lot of other things. She wrote a lot of books and some of those books were really very good and very in depth. What she brings on the table is the ability to of crisis management into cybersecurity. So she’s bridged to both of them, and that’s the fascinating story we are going to hear.

Agnidipta Sarkar: I’m not gonna talk much. And I’m gonna hand it over to Sarah. Sarah, why don’t you introduce yourself?

Sarah Armstrong Smith is the ex-Chief Security Advisor at Microsoft

Sarah Armstrong: Ah, thank you, Agni. It’s always a pleasure. As you say, our history goes back quite a number of years. And I think that’s a good starting point when I think my career has spanned getting on for three decades, which makes me feel very old.

Sarah Armstrong: But it started. From a business continuity perspective and then pivoted into disaster recovery, crisis management. And then I’ve been working in cybersecurity for 17 years, but I think what I always describe is I’m on the business side of cybersecurity and what does that mean in essence? So having worked from a business, continu Dr.

Sarah Armstrong: Perspectives, really getting to the heart of what is critical, what are we here to protect? And why, and I think that’s a really good starting point for getting people in the right mindset, that when we’re talking about cybersecurity often it’s about, oh, we’re here to protect the cloud. We’re here to protect endpoints and infrastructure.

Sarah Armstrong: But ultimately, those things don’t have a value to them. Until we put something on it. So when we talk about the data, the different types of data, the users, the sensitivity of those users, and it’s really building that big picture view of the world in terms of looking at the organization in its entirety.

Sarah Armstrong: Really understanding the core of that business, how all that business is connected, the dependencies. And if you can understand that, all of a sudden cybersecurity makes a lot of sense. So if I just give you a little bit of an insight over what I’ve been doing over the last few years, you’ve mentioned some of my books.

Sarah Armstrong: I spent five and a half years at Microsoft as the Chief Security Advisor. And it was doing exactly what I just said. In essence, it’s really talking to the. Biggest enterprises across Europe. So it’s multi-sector, multi-country ciso, CIO, CTOs, but also bridging more so into the business. What are the biggest challenges that customers are facing?

Sarah Armstrong: And during that five and a half years, had a global pandemic. I don’t think we ever expected to have an incident lasting that long. That itself introduced a huge number of challenges with regards to hybrid and remote working, whereas my data has always been the number one question I hear over and over again.

Sarah Armstrong: We’re now approaching four years since the Russian invasion of Ukraine. And I think that’s introduced a number of challenges when it comes to data sovereignty, residency, destructive cyber attacks. We’ve now got disinformation synthetic media since it’s. Cyber influence operations and over the last few years we’ve now bring AI into the mix and I think we bring it right up to date.

Sarah is an authority on Crisis Management having authored 2 books about it

Sarah Armstrong: We’re talking about agent ai more autonomous use of ai and that you bring all of that together. The challenges that we’ve been talking about over those three decades have arguably getting. Worse, but the challenge remains the same. In essence, how do I protect the crown jewels? What even is the crown jewels?

Sarah Armstrong: Just a little bit on some of my books. So given my back history and working and being on the frontline of multiple instance, that is what led me to write my first book effective Crisis Management, which I published in 2022. And it’s a little bit of a, how many wake up calls do we need? Before we make a positive change, it’s reflecting on some of the biggest incidents that we’ve had since the turn of the century.

Sarah Armstrong: Some of those I’ve been directly involved with indirectly. I started my career on the Millennium Bug. But it looks at nine 11 the. Pandemic that we’ve been talking about. But also there’s a pattern behind that in terms of the proactive, reactive response to major incidents. And I’m really challenging people about what are those principles that people should be thinking about when they’re doing their due diligence, understanding criticality, how you respond to a major incident.

Sarah Armstrong: And then my second book was published last year. Understand the cyber attacker mindset always comes back to the human element for me. And again. When we talk about cyber, it’s around the infrastructure. It’s the method of attack, and I’m really trying to hone in on the motivation for the attack. So there’s 1,000,001 ways in which I attack you, but only a finite reasons why.

Sarah Armstrong: And irrespective I state actor, organized crime, and activist and insider, ultimately, your objective. Is to get to those people is to get to the data. So my objective is to understand that, understand the core. So if I know what they’re going for, yeah. The value changes dependent on if it’s a state actor versus an organized crime, for example.

Sarah Armstrong: Some of those are motivated by espionage. Some of them are motivated by financial gain, but ultimately it’s the same data. It’s the same people, it just has a different value to it. And that’s a bit I’m really trying to challenge on Agni and it really does reflect a lot about what we’ve been talking about over the last few years with regards to really this all sits under the realm of resilience.

The concept of Assumed Failure, is the stepping stone to being breach ready

Agnidipta Sarkar: It’s been long that I read your book. I think there was one very fascinating thing that I found, because while I was preaching zero trust, you were talking about assumed failure. Can you explain what do you mean by assumed failure? And I think it’s very relevant today. Yeah, because there’s another thing that you talked about.

Agnidipta Sarkar: Just gimme a minute. I’m going to pick up what you just said a few moments ago and the one thing that he talked about is. Like we focused on the endpoint, the cloud, everything. And I faced a situation with the CEO one day and he said do you know what we are protecting? And I had a very, exuberant person who’s reporting to me.

Agnidipta Sarkar: And he said I can answer that. I said, yes. And he said, we are protecting the endpoints. You’re protecting the the network. And he said, no, you’re protecting my business. If you are going to put money into protecting my business on the endpoint, then you better justify to me why I should be doing that and not focusing on what my critical assets are.

Agnidipta Sarkar: Just wanted to give you this segue. Tell me about this assume failure thing that you talked about. Long time back. Yeah.

Sarah Armstrong: There’s two elements to it. There’s assume, compromise and assume failure, and it ultimately means for the best will in the world, the investment in technology, processes, education, all of those things that we have to assume things are going to go wrong, whether that’s through an attacker, through their motivation because of all the tools and technology, it doesn’t stop them.

Sarah Armstrong: I think that’s the challenge. It just means they have to go away, pivot, and come back with another method. And so the, and that’s what I said, the mission never changes. So we’ve got our own mission to protect the core of our business. They have a mission to gain access to the business or gain access to that data or gain access to those vulnerable people.

Sarah Armstrong: And so that’s the point that we have to operate. We have to assume that. Things are going to fail, things are going to be compromised, and then it comes to the so what? So I always narrow it down to its lowest denominator. The what if, and the so what. So the what if, and ultimately is what are the scenarios that we are talking about?

There are multiple scenarios of failure and the resulting impact

Sarah Armstrong: What if somebody could gain access to those critical assets? What if they were able to infiltrate data? What if they were able to impersonate the CEO? What if they were able to do a business email compromise and move money And we could do what if? What if? What if? These are all the scenarios that we are used to thinking about from a cyber SEC as a business continuity, crisis management, and then it’s the so what.

Sarah Armstrong: What’s the measure of the impact? And that’s really where we are trying to understand the most critical assets, the highest impact to the business, and being able to justify our expenditure. Because ultimately we’ve only got a finite part of resource. We’d all love to be able to put security on everything and build all these defenses and build all these walls, but that’s not the reality in the world that we live in.

Sarah Armstrong: And I think the challenge is. That a lot of organizations, irrespective of their size and complexity, they try and put a little bit of security on everything. And then to your point, I’m trying to secure all endpoints, all network, all data as opposed to really refining down to that kind of crown jewels analogy that we refer to.

It is a fallacy to assume that you can stop all attacks

Sarah Armstrong: What is the core, what is the really critical things, and I need to divert my investment. To that, to protecting the absolute core, the absolute criticality. So that might mean we still get breaches. We’re not gonna be able to stop all incidents. So I think it’s a fallacy to assume that you could stop everything.

Sarah Armstrong: But what we’re trying to ultimately do is we can slow down the attack or we can slow down the impact of the attack. Then. We can make sure that we as to say, investing in the right area, managing our risk, giving the assurance and confidence back to the board and the stakeholders that we are putting our investment in the right area.

Agnidipta Sarkar: Yeah. And I think you’ve given me the topic for my next blog. What If, and so what, and it’s a fantastic concept, and I think I think everyone across the world should really be focusing on those two questions. It would make them so much better. I have a concept that I talk about are, the maximum acceptable material impact versus the minimum viable digital business. Which roughly translates into what you just said. It’s the impact is. So what and what if is your viable digital business, the business that you want to remain unaffected if a cyber attack. Not many people understand that.

Agnidipta Sarkar: People feel that, I’m talking about business continuity. No, I’m not. I’m talking about business continuity only for the affected part. Because you’ve, let’s say you are the most prepared organization in the world. You would kick in your business continuity plan for the affected part. Now, if you’ve not designed your enterprise in such a way that you will have an unaffected part, then you are.

Agnidipta Sarkar: In, in, and then you are executing a business continuity plan on 100%. So your recovery could be 15%, 20%, 30%, maybe 40% depending on how well prepared you were and how much it suits the current scenario. But if you had planned to have some part of your enterprise unaffected, you can go all the way up to 80% and invoke your BCP for the 20% that really got affected.

Breach readiness needs to shut down the path of least resistance

Agnidipta Sarkar: That brings me to another point that you made in, and I think you gave me an example of we are chasing the whole mouse, Tom and Jerry example that you gave. Could you explain that? It’s fascinating. Honestly, not many people understand that.

Sarah Armstrong: Yeah. I think we, we talk a lot about being this cat and mouse.

Sarah Armstrong: We’re constantly chasing our turn. If we go back to the Tom and Jerry cartoons, I’m sure that a lot of us always grew up with, we look at Jerry the mouse in essence. So he’s always outwitting Tom the cat. So he’s faster, he’s agile he’s outwitting, but I think that what we fail to forget.

Sarah Armstrong: Is, who’s the predator and who’s the prey in this scenario? So Tom, the cat is the predator. Ultimately, we don’t need to be chasing the mouse around the network and following it, looking at where they’re going, what they’re doing. Because we know the endpoint, we know the goal. And if I was looking at that from a mouse perspective, and I was going back to this analogy of the cartoon that we’ve all grown up with.

Sarah Armstrong: I’d be camping out at the fridge. I know he is after the cheese and I know where the cheese is. So all I need to do is cross my arms sitting right in front of the the fridge and wait for him to come to me. That’s the difference. Is that’s I don’t need to be chasing the threat actor, the attackers all around my network and closing all the doors and doing all the things I need to know the path.

Sarah Armstrong: I need to know the path of least resistance and I need to shut it down. But ultimately if the mouse is, if Jerry’s right in front of me and right in front of the fridge and trying to get access, he, we failed all of the points before that to stop him. And I think that’s the analogy Yes.

Sarah Armstrong: That I’m really trying to get to. We’ve gotta break this whole cat and mouse thing where we feel like we’re constantly mo chasing the mouse when the mouse actually has to come to us.

Agnidipta Sarkar: Yes. That’s absolutely fascinating the way you put it. And, I couldn’t have put it any better.

Agnidipta Sarkar: And what I like about this is that in, in one simple example, you’ve explained how we are putting our money in the effort of running after the car, after the mouse. While we should be really putting our money in, making sure that we have narrowed down the path, we’ve made sure that the attacker does not have any ability to budge once they’re inside.

Agnidipta Sarkar: Because I’ve heard a lot of stories and I think you have too, that attacker are very smart. I fail to believe that how is it that I know more about my network and the other guy who only has the ability to ping is smarter than me? That’s what I fail to understand every time and now with this example, what you just laid out is if I know where the attack was going to happen from.

Agnidipta Sarkar: I think that’s the biggest dilemma because all of us who are on the defense side most more usually we don’t know a, what we are defending. We don’t know our assets completely. That’s a big problem. B, we don’t know what processes we are using to keep those assets working. We don’t have a complete inventory of that.

We need to stop lateral movement while we can, to stop weaponized edge attacks

Agnidipta Sarkar: Change management is a big problem and three, we don’t know how they’re configured to connect to each other. So that’s the big gap if we’ve been able, if we are able to solve that and narrow down that tech path. Reduce the attack surface, bring it down so that we know, okay, this attacker, let’s say some known, CSAR has done a fantastic job on their website.

Agnidipta Sarkar: They’ve profiled different attackers, and you can actually figure out how that attack can happen if they land upon a, on a vulnerable asset, whether that asset is a gateway or an expo server. It doesn’t really matter. Coming to that, what’s your take on that F five incident that happened? Now you’re scared.

Agnidipta Sarkar: We’ve got these gateways, which are now becoming the sources of, we, we don’t know if somebody left a signature there.

Sarah Armstrong: Ah, I think it’s. It really comes back to the point that you were saying Agni as well, is that we’re so focused on the perimeter. We’re so focused on the edge and we’re so focused on the network.

Sarah Armstrong: And I think a lot of cybersecurity is looking on how attractive we are from the outside in. So we have a lot of penetration testing. We look at all of these a myriad of different routes. You say there’s a. So many entry points and we are trying to look at them and block all of these things.

We need to focus on the core that impacts materiality and all paths that lead to it

Sarah Armstrong: But what we need to focus on is the inside out. So we need to focus on the core. And really trying to say is there’s only a finite ways I can get to the core, but there’s 1,000,001 ways I can get to the edge. So I think that’s the difference. And I think I, I think from a threat actor’s perspective, they understand that.

Sarah Armstrong: They understand, first of all, they have to breach that perimeter. And I think historically that’s why so much as emphasis has been put onto the perimeter, on the networking, firewalls, all of those things. But I think if we go back to the point we made earlier, if you’re gonna assume compromise and you’re going to assume failure, you’ve gotta assume that they’re gonna breach that.

Sarah Armstrong: That wall, that firewall is gonna get breached no matter what, because that’s their job. So now they’re in. Now what? So you’ve gotta, that, you just gotta have to assume that first line is gonna get breached because that’s their job ultimately. Whether they breach it through conventional means through the technology or through social engineering, but with them back to square one again.

Sarah Armstrong: So now they’re in. Where are all the paths and all, where are the ways in which I can gain access? So I think that’s the ultimately why we have to start from an inside out perspective is and it all roads lead to the same point ultimately. And we then have to think about, okay, so if we know that.

We need to control the roads that lead to the critical systems and the traffic that can use them

Sarah Armstrong: It can start shutting down the roads. Whether we do that physically or logically, whether we do that in advance or we do that at the time because ultimately we’re also narrowing their path as well. So that makes, arguably, I’d say, does that make security easier? Because if we know, if we’re forcing them down a path and that’s a path that we control and that we are monitoring and we are blocking and or all the things that we can put deception into play or whatever, that means that we are backing control.

Sarah Armstrong: And I think a lot of the time when we’re talking about cybersecurity, we don’t have any control. We put all the controls in, but we’re still out of control. And so it’s like, how do we gain back? And I love the, if we go back to the Tom and Jerry, I think our role is almost Brutus the dog. Me and my dogs, I love my dogs.

Sarah Armstrong: Always come back to the dogs. But Brutus, he’s the top predator ultimately. So he’s even overseeing Tom. So any of those kind of step outta line, I’m coming in to be the big brother and to take back control. So I think the Brutus kind of thing is the oversight of everything. Yes. He’s the one who’s sitting on the top of the fridge.

Sarah Armstrong: Yeah. And he’s not moving

Sarah Armstrong: the cat. You’ve gotta get past me. So

Agnidipta Sarkar: he’s not moving, but he has a razor sharp vision almost panoptic on where Tom is chasing Jerry.

Sarah Armstrong: Yeah, that’s, yeah, exactly that. Yeah.

Agnidipta Sarkar: And that’s what is fascinating about your example, because you just mentioned Brutus. I didn’t want to bring him up, but you brought up Brutus and I think what you brought out is there is a need for having, I use the word panoptic.

Panoptic visibility of the path of an attacker is the real value in being breach ready

Agnidipta Sarkar: It’s like those prisons, in earlier days, which are called Panopticons, right? So where you had one central tower, which would have complete insight into what the prisoners were doing and who’s visiting them and everything. And. I think there was a circular prison that they designed long back where was it?

Agnidipta Sarkar: I don’t remember where the first one was, but I think the first one was as old as the Saxon Times, but I’m not very sure anyways. That’s what it reminded me of in. And I think that’s very important. You just mentioned that there needs to be visibility and you need to be in control. And I’m gonna take on that because that’s a very important word for everyone who’s listening out there, that the only way you can control is if you define the attack path, the possible attack path, or possible attack paths.

Agnidipta Sarkar: There could be many.

Sarah Armstrong: Yes,

Agnidipta Sarkar: as long as you know how the attacker will travel. What zones using what conduits. Then you are in control. You can decide to disconnect a conduit at will and thereby cutting off the attacker and then bring in cybersecurity tools that you already invested in to the attacker if it needs to be your isolate.

Agnidipta Sarkar: Them making it so much more difficult for anybody to come in, but at the same time. And this is the question that I have for you because you, I remember you’ve always been espousing the business aspect of cybersecurity, which means what you’re saying is that, you should, cybersecurity should be enabling business.

Agnidipta Sarkar: So the main misconception people have in this whole Zero Trust concept and inside out. In fact, you remind me of another thing. There used to be this crossword in this newspaper puzzle that used to come with the gold in the center and eight or nine entrances in a square block. And you had to come in through any one of those and you’ll find most of them were blocked.

Agnidipta Sarkar: The only way to solve that was to go inside out.

Sarah Armstrong: There you go.

When you are breach ready, you already know your digital business, and the defenses you control

Agnidipta Sarkar: So coming from a business perspective. Why do you think businesses should be more confident of this way of working rather than the other way of working where you’re trying to fix, a, you’re being focusing on Jerry, and why should people be focusing on the crown jewels and trying to protect them versus, imagine a balloon and you’re putting a handy plaster every time there’s a hole.

Sarah Armstrong: I think you nailed the on the head earlier, Agni, when you said, ultimately nobody should know your business more than you. It’s your business, it’s your technology, it’s your people, it’s your data. These are your processes. This is what you built the house in essence. So you should know all of these points and everything else.

Sarah Armstrong: And I think the beauty is depending on the majority of the organization, a lot of this work’s already being done. You just need to be able to ask the right questions to the right people. I’m gonna hazard a guess and say everyone has some level of enterprise risk, so you already have some really good understanding at the board level.

Sarah Armstrong: They have, they understand the concept of enterprise risk. They understand the requirements in terms of keeping the business operational, whether that’s from a. A stakeholder or regulatory perspective. So those principles and are there I’m hoping that a lot of those companies also have business continuity professionals working within that organization.

Material Impact Analysis is a derivative of how BCM teams conduct business impact analysis

Sarah Armstrong: I’m hoping that they’ve done some level of business impact analysis. So it doesn’t mean people have to start from scratch and literally be scratching their head going, where do I start with this huge, big beast of a thing that I have ultimately start from the center. And work your way out. And I think this comes back to the reality as we said that most companies are facing that I’ve got 1,000,001 risks.

Sarah Armstrong: My cyber business continuity is one element of that. I’ve also got other risks that I have to manage. So when I’m looking at the top 10 risks or I’m looking at where am I gonna put all my investment, I’ve gotta make sure that my. My investment is giving me the best bang for buck. And that ultimately has to be, I’ve gotta put it on the center.

Sarah Armstrong: I’ve gotta, we talk about having all of these different layers of defense, but I have to assume that the layers are going to get broken at some point because that’s the attacker’s objective. Is to get in laterally moved to, to gain more control, to gain more visibility, to gain access to all of these things.

Sarah Armstrong: But my job. Ultimately is to protect that core. And I, my argument I think is ultimately, I think a lot of the investment today is in the wrong area. I think there’s a huge amount of investments we said on network, on perimeters, on endpoints and all of them ways in, not necessarily on the center.

Sarah Armstrong: And what I say to people, it should be harder to get out than it is to get in. Yeah. ’cause if I’ve detected you all the way through, I should have been able to block you. But if we think about it from a lot of cyber attack perspective, once they’ve hit and might wanna got access to the data, they can exfiltrate it like that.

Sarah Armstrong: There’s nothing to stop. The data’s now gone. Now what? So they’ve achieved their objective and they’re out. They’ve gone,

Breach readiness tagline: You can come in any time you want, but you can never leave.

Agnidipta Sarkar: you just made hotel California. Wan song. You come in anytime you want, but you can never go out.

Sarah Armstrong: Has to be our tagline, doesn’t it?

Agnidipta Sarkar: I like that. I like that. Yeah. But let me get into something more something that most people grapple with conceptually.

Agnidipta Sarkar: Many people probably understand what we are talking about. Actually, I would put them into three buckets. Few people understand what we’re talking about. Many people do understand what you’re talk, what we’re talking about, and far fewer are actually aware about what we really mean by this. And they then they go out there at their workspace and then they realize they have a new problem.

Agnidipta Sarkar: And that’s identity credentials. And when you study the Mitre framework, and the funny thing is, I was doodling one day. On the Mitre framework, I had the staple printed and I had a pencil and I was just drawing it around. Suddenly I realized that it looks like a man who’s got a big belly and was lying down and do you know what the belly is?

Agnidipta Sarkar: 33 techniques, credential misuse.

Sarah Armstrong: Really interesting.

Breach Readiness is aligned to the MITRE ATT&CK framework

Agnidipta Sarkar: Yes, and that’s the fun part. So if you see the Mitre attack, and you can actually break it down into four parts. The first two are the resource augmentation. And recon is a place where you really can’t do anything because it’s happening outside.

Agnidipta Sarkar: Your sphere of control at the most that you can do is sign up with a dark web intelligence company and they will tell you, okay, your data is on the web. And then you can think about taking it down and all those kind of stuff, but there’s not much really you can do about that occurred there. It’s only on the third tactic, which is initial access is when they get into the network.

Agnidipta Sarkar: It goes all the way up to privilege escalation, which is the sixth tactic. So four of them is phase two. That’s breaking in. That’s when the breach happens. And if you look at our cybersecurity industry, that’s where the 90% of the industry sits. Then once they’re able to do go further, they a discovery, then they do credential misuse, and eventually they get into lateral movement.

Agnidipta Sarkar: The fun part is lateral movement has only nine techniques. So if you are using 33 techniques to. Do credential misuse. And of those nine, one of them is all about valid accounts. So theoretically speaking, and again, I’m speaking theoretically because we’re just having a discussion, but there is a practical way of doing this, but theoretically speaking, if you are able to throttle those nine, then you have achieved what you just said.

Agnidipta Sarkar: Hotel California, you can come in anytime you want, breaking wherever you want, but you just can’t go out because we’ve caught you there. You can’t exfiltrate. So there are two parts of that exfiltration part and the lateral movement. Part one part is about valid accounts. The other eight are not about valid accounts.

Agnidipta Sarkar: So if you look at microsegmentation as a solution, that takes care of the other eight, if you look at credential management as a solution that takes care of the one of the nine. So essentially if you’ve been able to stop that, you’ve moved left instead of getting into chaos, which begins with command in control and data exfiltration and all that, which is the fourth part of the framework, right?

Agnidipta Sarkar: So I said the first one was where you can’t do anything; it’s happening outside your door, outside your control. The second one is where you have full control and you define what people can attack and what people cannot attack. The third is when they break out, they bypass the initial defenses and they start moving in, and you can actually choke them down there.

Agnidipta Sarkar: And the fourth is if you can’t do any of those, then they’re out and they’ve caused chaos. Again, you can’t do anything there because you’re fighting fires. So if you look at this whole transition, and if you look at this Potbelly man that I was talking about, lying upside down, if you look at the top and flipped up table upside down, it was very interesting and I realized that’s the only choke point, and you’ve laid it out absolutely right.

Agnidipta Sarkar: If we are able to choke that part, we’ve got that attacker. But then I also realized that’s only a model. The benefit and the disadvantage of that is: if we can translate that model into technology, build cyber defense models, then there’s benefit. The downside is that it is not fixed. It could be that somebody tried to do lateral movement right after privilege escalation.

Agnidipta Sarkar: Because these are tactics and attackers are not bound by MITRE. They’re not going to wait: okay, let me do initial access and then let me wait till I do privilege escalation and then I will exfiltrate. No, they could do initial access, pick up whatever data they want. They could be a small attacker, but they might be creating great havoc because they picked up the real data that makes a difference to your organization.

Being breach ready is to have the ability to contain the attacker in the smallest microsegment

Agnidipta Sarkar: They’ll exfiltrate right out. So yeah, to your point I think that’s a good strategy. So you’ve given me two talking points today.

Sarah Armstrong: Yeah. I think as well, just as you were talking when we talk about the lateral movement, it’s, and we go back to the analogy that we were talking about with Tom and Jerry.

Sarah Armstrong: We’re, in essence, allowing the attacker to walk around the maze, and to find the different paths, and to put those little markers there. Where are they? Where are the back doors? I’ll come back to that one later. And so I know, in essence, they’re looking for the path of least resistance to the core at the middle of the maze, or whatever the case.

Sarah Armstrong: And I think sometimes we shut down the path in front of them, but we don’t shut the door behind them. So we need to lock them in. And I think that’s the principle as well, is that we’re actually narrowing the path down so they can’t backtrack. Because I think if the path in front of you is now blocked, what are you gonna do?

Sarah Armstrong: You’re gonna go back down the way that you came and then try a different route through. And I think ultimately if you then were to block the exit and the entrance now what?

Agnidipta Sarkar: Yes.

Sarah Armstrong: So

Agnidipta Sarkar: you’re trapped, you’re

Sarah Armstrong: completely stuck.

Agnidipta Sarkar: You’re trapped.

Sarah Armstrong: You’re trapped.

Agnidipta Sarkar: Great idea. Great idea. So Sarah, I know we’ve got almost, you’ve talked a lot and I simply love talking about this. We should record another one sometime later. But thank you so much. Let me stop recording, and then, you know, it’s been a great insight into whatever we know about, and thank you for all of that.

Sarah Armstrong: You’re very welcome.
