Monday, December 29, 2014

Always Answer a Question with a Question

Why should you always answer a question with a question?  Why not?  Curious why I'm asking?  Have a look at my most recent SecurityWeek piece entitled "Always Answer a Question with a Question": http://www.securityweek.com/always-answer-question-question.  In security, the question is oftentimes more important than the answer.

Monday, December 15, 2014

Spear Alerting: Improving Efficiency of Security Operations and Incident Response

Do you practice spear alerting?  Curious what that means?  Give my latest SecurityWeek piece a read to see what spear alerting is all about: http://www.securityweek.com/spear-alerting-improving-efficiency-security-operations-and-incident-response.  I hope you enjoy the piece, and I invite your feedback and thoughts as always.

Saturday, December 13, 2014

Creating the right mix of cloud and on-premises tech systems

To insource or outsource?  To host in the cloud or on-premises?  Those are sometimes difficult questions to answer, particularly when it comes to technology and product in support of information security.  I've put together some thoughts to help with the decision making process in my next piece for The Business Journals entitled "Creating the right mix of cloud and on-premises tech systems": http://www.bizjournals.com/bizjournals/how-to/technology/2014/12/interesting-way-to-communicate-with-your-assistant.html.

Tuesday, December 2, 2014

Is Budget a Good Security Metric?

When discussing the effectiveness or maturity of a security program, budget is one of the criteria most often mentioned.  Does it make sense to evaluate security in terms of budget?  Further, is budget necessarily a good way to measure a security program?  My thoughts on this topic are in my latest SecurityWeek piece entitled "Is Budget A Good Security Metric?": http://www.securityweek.com/budget-good-security-metric.

Sunday, November 30, 2014

The Importance of Street Cred

There are many factors involved in a successful security program, and street cred is one of them.  Curious what I mean by that?  Have a look at my latest piece in SC Magazine UK entitled "The Importance of Street Cred": http://www.scmagazineuk.com/the-importance-of-street-cred/article/385637/.

Monday, November 24, 2014

Thoughts on #IRISSCON and #DeepSec

Last week, I was fortunate to have the opportunity to speak at both #IRISSCON and #DeepSec in Dublin and Vienna respectively.  Both conferences were extremely well run, with a great crowd and interesting dialogue to go along with them.  My conversations and observations at the conferences indicate to me that the paradigm shift from a focus solely on prevention to a mix between prevention and detection/response is indeed well underway.  Each conference I speak at, I find more and more people who are interested in better understanding the subject of incident response.

This is a good thing in my opinion.  It shows that we as an industry are trending in the correct direction.  People ask me many questions, but one of the most common is: "Where can I go to get good educational materials on incident response?"  This is a tough question to answer because, while there are many, many good materials on the subject, there are, unfortunately, quite a few not so good materials out there.  Generally, I recommend finding a few trusted sources (I would be flattered if you would consider this blog one of them) as a beginning point.  As time allows, sources can be expanded, perhaps with the help of a seasoned incident response veteran.

Those of us who have experience in incident response should continue to share our knowledge with those that are new to the field.  Together, we can help organizations improve the state of their security operations function and their overall security posture.  I am glad that the community is becoming more interested in what has for a long time been a very niche field.  Let's continue to keep the knowledge and exchange of ideas flowing, while hopefully minimizing the influence of #FUD and bad ideas.

Wednesday, November 19, 2014

How to prioritize security efforts with a data-centric approach

My latest piece in The Business Journals discussing the prioritization of security efforts using a data-centric approach is out.  Curious what that means?  Give "How to prioritize security efforts with a data-centric approach" a read: http://www.bizjournals.com/bizjournals/how-to/technology/2014/11/security-with-a-data-centric-approach.html.  Hope you enjoy!

Tuesday, November 18, 2014

How Do I Raise The Signal-to-Noise Ratio?

After yesterday's piece in SecurityWeek, I received some great feedback.  The feedback I received reaffirms my belief that security professionals know the pain of alert fatigue and the deluge of false positives all too well.  Not surprisingly, many people also asked me how they can go about raising their signal-to-noise ratio.  That is an excellent question for which I am happy to offer some advice.

I have found it most effective to first enumerate security risks, goals, and priorities as discussed in one of my previous SecurityWeek pieces: http://www.securityweek.com/security-unsolvable-problem, and to then throw out the default rule set as discussed in another one of my previous SecurityWeek pieces: http://www.securityweek.com/throw-out-default-rule-set.

This approach is a bit different from the traditional approach taken by many security organizations.  But we already know that the traditional approach drowns us in noise and obscures our signal.  In my experience, I have found this approach a far better way to get to 100 a day: http://ananalyticalapproach.blogspot.com/2014/03/100-day.html.  This in turn allows organizations to operate far more efficiently, improve their signal-to-noise ratio, and reduce alert fatigue.

Monday, November 17, 2014

Security Operations: What is Your Signal-to-Noise Ratio?

Alert fatigue is an issue plaguing even the most mature security organizations these days.  Even the best organizations struggle with a deluge of alerts and an overwhelming number of false positives.  There is a relatively high level of awareness around this issue, but what can be done to alleviate alert fatigue?  I discuss this topic in my latest SecurityWeek piece entitled "Security Operations: What is Your Signal-to-Noise Ratio?": http://www.securityweek.com/security-operations-what-your-signal-noise-ratio.

Wednesday, November 12, 2014

On Being Constructive

Sometimes I think that the security community has forgotten the concept of being constructive.  It seems that criticism and snarkiness lurk nearly everywhere I turn, but sadly, constructive dialogue is often rare.  Further, the demeanor of our discourse is often unpleasant at best.  You might ask: If that is the personality of many in the security community, what is the issue with this?

The issue with this would seem to be that we are not getting our message across to a world that desperately needs to internalize it.  The end result of our demeanor is that many people and organizations that are in need of a dialogue with the security community simply tune us out.  Who wants the headache of dealing with a bunch of cynical, negative curmudgeons?

Although there is no silver bullet that will cause the world to pay attention to the security community, I believe that a move to a more constructive approach would help.  I see a lot of activity around criticizing ideas, and sometimes, unfortunately, attacking or ridiculing people and organizations.  Might I humbly suggest that the world has little patience for this?

I am not advocating that we cease thinking critically about the many important issues confronting the security community.  Quite the contrary.  In my experience, constructive approaches to address the issues we are passionate about are far more effective.  After all, most people are happy to be educated about a variety of issues.  But if we have only a stream of negativity and no constructive alternative to offer them, what can they really take away from the exchange of ideas?

Over the years I have seen that, in practice, the best response to an idea, a policy, a practice, an approach, or anything else that doesn’t sit right with us is a constructive alternative.  There is no need to tear down that which we take issue with.  If our alternative is good, and if we are able to adequately communicate its value, it will stand on its own.

The next time you want to take the road less traveled, it may be helpful to think about this point.  Which style do you think will be more effective for you and produce the results you are after?  To attack that which you disagree with, or to eloquently communicate a constructive alternative?

As an added bonus, this principle works well in life in general.  It is a principle that can be applied broadly, well beyond the borders of information security.  It’s not naive to be positive and an optimist.  It’s really the only way forward.

Monday, November 3, 2014

How to use metrics for better information security

Following onto my piece discussing the concept of relative metrics in SecurityWeek last week, my piece in The Business Journals entitled "How to use metrics for better information security" was published today.  In this piece, I continue my series in The Business Journals geared towards small and medium-sized businesses (SMBs).  Have a look at this piece if the topic of metrics interests you: http://www.bizjournals.com/bizjournals/how-to/technology/2014/11/how-to-use-metrics-for-better-information-security.html.

Wednesday, October 29, 2014

Using Relative Metrics to Measure Security Program Success

Historically, many organizations have focused on absolute security metrics.  Absolute security metrics are metrics that are not tied to any specific risk or threat that the organization seeks to mitigate.  The trouble with absolute metrics is that they don't provide us with much actual insight into the success and progress of our security program.  So what can an organization do to better measure itself?  I cover that topic in today's SecurityWeek piece entitled "Using Relative Metrics to Measure Security Program Success": http://www.securityweek.com/using-relative-metrics-measure-security-program-success.

Wednesday, October 22, 2014

Every Interaction Matters

This blog post was inspired by and is dedicated to the memory of Ilan Rasooly.

When I first met Ilan, he was a 10 year old boy who was energetic, full of joy, and with a love for life.  Over the next 11 years, our family became good friends with Ilan's family.  During that time, I had the good fortune to watch Ilan grow into a responsible, helpful, kind, and yes, still energetic man.  When I first met Ilan, I had no idea that his life would be cut tragically short 11 years later after a horrific accident.

As with everything in life, I try to learn from and seek meaning in all events, both good and bad.  I have to be honest - I am struggling to learn from this one.  It's a very difficult time, most of all for Ilan's family.  Death is always painful, but the death of a young, energetic soul is exceptionally and incredibly painful.

Nonetheless, I do believe there is a security lesson that we can learn from this.  That may sound crazy, but please allow me to explain.

If we look across recent breaches that have made headlines, we see that in some cases, the initial or subsequent intrusions did result in an alert firing.  If that happened, why did so many of these breaches persist for long periods of time and result in the loss of millions of records (whether they were customer information, payment cards, or otherwise)?  Unfortunately, in many of these cases, although alerts indicating intrusion may have fired (the signal), they were lost amidst an incredible volume of false positives (the noise).  Unfortunately, this is a daily occurrence inside most organizations.  The signal-to-noise ratio is often too low to allow the organization to understand that they have been breached and respond accordingly before any grave damage has been done.

I've discussed this concept in additional depth previously on my blog in a post entitled "Signal-to-Noise Ratio": http://ananalyticalapproach.blogspot.com/2014/03/signal-to-noise-ratio.html.

In this particular post, I'd like to stress the importance of reviewing each and every alert, a point I mentioned in my previous post.  If you have too many alerts to make that a reality, then you need fewer alerts.  Plain and simple.  Think that sounds crazy?  Allow me to ask the following question.  What is the point of an alert, if not to be reviewed and handled appropriately?  Organizations that have more mature security operations and incident response functions have fewer alerts of higher quality and higher fidelity.  Each and every alert gets reviewed.  Will those organizations still miss things from time to time?  Of course.  I'm sure there are attacks that will always fly under the radar of any detection techniques.  The difference is that mature organizations won't miss something they should have known about and, in fact, were alerted to.  Organizations with a mature security function do a lot of things well, but one of them is getting the signal-to-noise ratio under control.

What does this have to do with Ilan you ask?  We can think of each alert as an interaction.  If we review each and every alert, we have a chance to turn that interaction into a positive one.  In other words, even if we have been breached, we can learn of the breach in a timely manner and respond swiftly before any grave damage to the organization has occurred.

On the other hand, if we do not review each and every alert, we run the risk of each of those interactions turning into a negative one.  In other words, how can I be sure that an alert that fires now is not the one that will cause me to appear in the press in six months?  I can't be sure, unless I review each and every alert.

So too on the interpersonal front, every interaction matters.  In the 11 years that I knew Ilan, we interacted many times.  I hope that he felt that all of our interactions were positive ones.  I will never know for sure.  But, I do know that each and every one of us can strive for a positive outcome from each of our interpersonal interactions.  I think that is an important point to remember, whether we are applying that way of thinking to information security or otherwise.

Wednesday, October 15, 2014

#MIRcon: What the Cosmos can Teach us about Security

A few people have asked me what central theme and message stayed with me after last week’s #MIRcon.  I posted my thoughts to the FireEye blog: http://www.fireeye.com/blog/corporate/2014/10/mircon-what-the-cosmos-can-teach-us-about-security.html.  Hope you enjoy, and I am curious to hear your thoughts as always.

Tuesday, October 14, 2014

The "So What?" Factor of Information Security

While there are exceptions, most business executives view security as a necessary evil.  Because of this, we have to understand that what impresses and enamors us may not impress and enamor others.  As security professionals, we need to learn to speak the language of the business world to ensure that our message is received and internalized.  We have an important role to play as messengers, and we can have a tremendous impact on the security postures of our organizations if we play this role well.  I discuss this topic in my latest SecurityWeek post entitled "The 'So What?' Factor of Information Security": http://www.securityweek.com/so-what-factor-information-security.

Monday, October 13, 2014

How to measure the success of your security program

Measuring the success of a security program is something that has always been a challenge in our industry.  This challenge is felt even more acutely in the small and medium-sized business (SMB) arena.  There is some good news, however.  Although the value and relevancy of different metrics will vary widely by organization, taking the approach of measuring success and failure against enumerated goals and priorities can help.  Risk management isn't just a good exercise for strengthening an organization's security posture -- it can also help the organization measure its progress and improvement.  My thoughts on this topic in The Business Journals: http://www.bizjournals.com/bizjournals/how-to/growth-strategies/2014/10/measuring-success-of-a-security-program.html.

Wednesday, October 8, 2014

Flying Blind

To say that enterprise-wide visibility is a challenge in the security realm is a bit of an understatement.  It's an important topic whose ramifications are felt quite acutely during breach response or incident response.  Given that, you might find it quite surprising that more often than not, when crunch time comes, enterprises find out the hard way that they don't have the visibility and data they thought they did.  Why is this the case?  Further, what can an enterprise do proactively to avoid this type of situation?  I discuss this topic in my post on the FireEye blog today, entitled "Flying Blind": http://www.fireeye.com/blog/corporate/2014/10/flying-blind.html.

Wednesday, October 1, 2014

The Importance of Being Earnest

Most of us have likely either seen the play or watched the movie "The Importance of Being Earnest" (http://en.wikipedia.org/wiki/The_Importance_of_Being_Earnest).  Although I am not an expert in theater or cinema, it would seem to me that one of the key lessons of this work is that of truthfulness. You might be asking yourself what this has to do with information security.  Well, I would say that there is an important lesson here that we can apply to the security realm.

Being truthful, honest, straightforward, and, well, earnest helps strengthen an organization's security posture, its overall security program, and its security operations function.  How so?  Let's examine this concept by each of the parties with which we can be truthful, honest, and straightforward:

  • Ourselves: First and foremost, we need to be honest with ourselves.  Every security program has its strengths and weaknesses.  Acknowledging a weakness is not in itself a weakness.  Rather, it is the first step towards strengthening and improving that weak spot and should be regarded as a positive.  It may not be easy to take a look in the mirror and examine what we are not doing well, but it is extremely important.  After all, if we are not honest with ourselves, we cannot really be honest with everyone else.
  • Management: Intentions matter.  Management does not expect perfection, but they do expect honesty and integrity.  If we misrepresent our capabilities, it may keep pressure off our backs in the short term, but in the long term, by hiding a weakness or shortcoming we are aware of, we are introducing unnecessary risk into the security posture of our organization.  Have a weakness or shortcoming that you dread raising to the attention of management?  Try formulating a plan to correct it before raising it to management.  I think you'll be surprised that what management really cares about is that you have a plan to do something about it, and not about the issue itself.
  • Peers: We all learn and grow from constructive interactions with our peers.  In order for everyone to benefit from these interactions, everyone needs to approach them in a positive light.  Not doing so causes individuals to miss out on the potential to improve.  Most people want to be helpful.  If you are honest and sincere with people about the challenges you face in accomplishing your goals, they will usually try to help you.  If you attempt to deceive them, you are really only cheating yourself.
  • Clients and Partners: We certainly want to show clients and partners that we have a serious and formalized approach to information security.  But, we don't need to be dishonest to do so.  Most clients and partners appreciate a fresh dose of honesty.  It shows that the organization is self-aware and has a list of priorities to attend to on the never-ending road of continuous improvement.  If one of my vendors or suppliers told me that everything was perfect and great, that would make me less comfortable, not more comfortable.  Think about it.
  • Other Organizations: Organizations can improve by interacting with, sharing information with, and learning from one another.  Similar to the peer interactions amongst individuals, this requires approaching this undertaking honestly.  Otherwise, an opportunity for growth is forfeited.  Sure, there will always be individuals and organizations that will be fooled by fast talking double speak, but not as many as we might think.  People tend to see through that stuff, but they are often too polite to point that out.

It sounds counter-intuitive, but admitting weakness is actually a strength.  By being truthful, honest, straightforward, and earnest, we empower ourselves to grow and improve, both as individuals and as organizations.  This is an important cultural aspect that helps improve an organization's security posture, and it is one that is often overlooked.  If you are a security leader, you owe it to yourself and to your organization to create a culture that rewards honesty and truthfulness.  The importance of being earnest is clear.

Tuesday, September 30, 2014

Incident Response: Focus on Big Value, Not Big Data

My next piece in SecurityWeek entitled "Incident Response: Focus on Big Value, Not Big Data" is out: http://www.securityweek.com/incident-response-focus-big-value-not-big-data.  With this piece, I am trying to raise awareness of the difference between data value and data volume.  All too often, I see organizations run to collect as much data as they possibly can.  Unfortunately, this is often done without thinking about the value and relevance of each data source to security operations and incident response.  This can result in a disorganized, haphazard storm of uncoordinated data sources that actually impedes security operations and incident response.  There is a better way.  Have a look and let me know what you think.

Wednesday, September 24, 2014

Two Sides to the Coin

Sometimes, it seems that talk of “big data”, “security analytics”, and “big data security analytics” can dominate discourse within the information security profession.  This tends to produce a confusing and somewhat overwhelming environment for the enterprise buyer, where all of the words and ideas can begin to blend together.  Since I spent over a decade on the enterprise/operational side before moving to the vendor side, I can sympathize with the confusion this can bring to the enterprise audience.  Leaders in the enterprise have many responsibilities, and it is difficult for them to keep track of the large number of vendors and what each vendor's specialty is.

Many enterprises see the need and share a desire to be doing "big data" and "security analytics", and thus, it's not particularly surprising that many vendors are offering "big data" and "security analytics" solutions.  But what does it actually mean to do "big data" and "security analytics"?  I think it's helpful to take a step back and think a level deeper about this in order to better understand it.

At a high level, "big data" and "security analytics" are about the two very different, but equally important concepts of collection and analysis.  Allow me to explain.  Before it is possible to run analytics, one needs the right data upon which to run those analytics.  Before "big data" emerged as a buzzword, this was called "collection" or "instrumentation of the network and endpoint".  Further, in order to run analytics, one also needs a high performance platform upon which to issue the precise, targeted, incisive queries required by analytics.  Before "security analytics" emerged as a buzzword, this was sometimes called analysis or forensics, among other terms.

Collection and analysis, at enterprise speeds, are both equally important. If you think about it, you can't really have one without the other.  Or, to put it another way, what good does the greatest collection capability provide without a way to analyze that data in a timely and accurate manner?  Similarly, what good does the greatest analytical capability provide without the underlying data to support it?

In addition to being the elements of big data, collection and analysis form the cornerstone of a strong security program.  Collection and analysis provide an organization with the visibility required to practice Continuous Security Monitoring (CSM).  Although a detailed discussion of CSM is beyond the scope of this post, the topic has been discussed at length by NIST, SANS, Gartner, and others.  The goal of CSM is to allow an organization to move rapidly from Detection to Analysis and on to Containment and Remediation.  In other words, CSM facilitates and enables the incident response process and life cycle.  An organization’s ultimate goal, when prevention efforts fail, is to detect and respond to intrusions before they cause damage to the organization.

Continuous Security Monitoring involves many details.  Here are some high-level guidelines on strategic steps organizations can take in the area of CSM to improve their information security posture:
  • Identification of business risks and concerns to be addressed through Continuous Security Monitoring
  • Creation of goals and priorities based on business risks and concerns
  • Identification of the least number of data sources of highest value that provide the required visibility across the enterprise
  • Collection of relevant data sources
  • Exposure of the collected data with sufficient performance to facilitate Detection, Analysis, Containment, and Remediation
  • Development of content and logic leveraging the collected data to supply the work queue with high fidelity alerting
  • Development of process for investigation and response
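As an added example (my own illustration, not code from the original post or from any product or vendor it mentions), here is the "fewer alerts of higher fidelity" idea from this list, and from the signal-to-noise posts above, carried out in Python: a default rule that alerts on every failed login is run side by side with a rule scoped to one enumerated risk, over the same constructed authentication log, and each rule's output is scored for signal versus noise. The log lines, account names, the 10.0.0.0/8 corporate range, the privileged-account set and the planted intrusion are all assumptions made up for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system).  The field layout is
# invented for this example: timestamp, user, source address, outcome.
SAMPLE_LOG = """\
2014-09-24T08:00:01 auth user=alice src=10.1.2.3 result=FAIL
2014-09-24T08:00:09 auth user=alice src=10.1.2.3 result=FAIL
2014-09-24T08:00:20 auth user=alice src=10.1.2.3 result=OK
2014-09-24T08:03:11 auth user=bob src=10.4.5.6 result=FAIL
2014-09-24T08:03:30 auth user=bob src=10.4.5.6 result=OK
2014-09-24T08:05:02 auth user=carol src=10.7.8.9 result=OK
2014-09-24T08:10:40 auth user=dave src=10.2.2.2 result=FAIL
2014-09-24T08:11:02 auth user=dave src=10.2.2.2 result=FAIL
2014-09-24T08:15:00 auth user=svc_backup src=10.9.9.9 result=FAIL
2014-09-24T09:41:03 auth user=admin src=198.51.100.7 result=FAIL
2014-09-24T09:41:15 auth user=admin src=198.51.100.7 result=FAIL
2014-09-24T09:41:29 auth user=admin src=198.51.100.7 result=FAIL
2014-09-24T09:41:44 auth user=admin src=198.51.100.7 result=OK
"""

# The one intrusion planted in the constructed data; used only to score the rules.
PLANTED_INTRUSION = {("admin", "198.51.100.7")}

# Assumptions standing in for the enumerated risk: which accounts are privileged,
# what the corporate address range is, and how long a burst of failures counts.
PRIVILEGED = {"admin", "svc_backup"}
CORP_NET = ipaddress.ip_network("10.0.0.0/8")
WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "ok": result == "OK"})
    return events


def default_rule(events):
    """The 'default rule set': one alert per failed login, regardless of context."""
    return [(e["user"], e["src"]) for e in events if not e["ok"]]


def risk_scoped_rule(events):
    """High-fidelity rule tied to one enumerated risk: a privileged account that
    fails at least three times from outside the corporate range within WINDOW and
    then succeeds from the same source.  At most one alert per (user, src) pair."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src"])
        if e["user"] not in PRIVILEGED or ipaddress.ip_address(e["src"]) in CORP_NET:
            continue  # out of scope for this risk: never enters the work queue
        if not e["ok"]:
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
        if len(recent) >= 3 and key not in alerts:
            alerts.append(key)
        failures[key].clear()  # a success closes the burst either way
    return alerts


def score(alerts, planted=PLANTED_INTRUSION):
    """Count alerts that point at the planted intrusion (signal) versus the rest (noise)."""
    signal = sum(1 for a in alerts if a in planted)
    noise = len(alerts) - signal
    precision = signal / len(alerts) if alerts else 0.0
    return {"alerts": len(alerts), "signal": signal, "noise": noise, "precision": precision}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for name, rule in (("default", default_rule), ("risk-scoped", risk_scoped_rule)):
        print(name, score(rule(events)))
```

On this constructed log the default rule raises nine alerts, of which only three relate to the planted intrusion, so an analyst reviewing every alert spends two thirds of the effort on noise; the risk-scoped rule raises a single alert, and it is the right one. The point is not the particular threshold but that the rule exists because a specific risk was enumerated first, so every alert it produces is one the work queue can afford to review.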

While it is tempting to collect all of the available data within the enterprise, this actually works against the interests of the security organization.  It is prudent to ensure that the minimal data that provides sufficient context and coverage is collected, but not more than that.  Collecting more data than required creates two issues:
  • Analytical (query) performance degrades rapidly, making timely incident response nearly impossible
  • Retention periods shorten, producing historical blind spots that impede response for long present intrusions

Big data is an interesting topic with the potential to be an incident response enabler.  It’s important to remember that big data involves two equally important but somewhat diametrically opposed interests – collection and analysis.  Both aspects are important, but they have a tendency to work against each other if left unchecked.  It’s important to remember the ultimate goal of collection and analysis, which is the enablement of timely incident response.  It is in this spirit that we aim to gain the most information from the smallest subset of data.  All the data in the world does you no good if you cannot leverage it in a timely manner when you need it most.  In incident response, less is more.

Monday, September 15, 2014

Will Technology Replace Security Analysts?

My next piece in SecurityWeek entitled "Will Technology Replace Security Analysts?" is out: http://www.securityweek.com/will-technology-replace-security-analysts.  It may be tempting to imagine a world in which the work of the security analyst has been entirely automated.  Unfortunately, this does not seem particularly realistic.  Rather, the work of the analyst can and should evolve over time to keep pace with the changing threat landscape.

Friday, September 5, 2014

How small business can prioritize security on a budget

My piece in The Business Journals entitled "How small business can prioritize security on a budget" is out: http://www.bizjournals.com/bizjournals/how-to/technology/2014/09/how-a-small-business-can-prioritize-security.html.  In my experience, security can seem like an overwhelming topic, particularly to small and medium-sized businesses.  Add smaller budgets to the mix, and the topic of security can seem nearly unapproachable.  The good news is that security is essentially about risk management.  Because of that, by prioritizing risks to our business, we can prioritize our security efforts.  If this topic is of interest, please have a look and let me know your thoughts.

Tuesday, August 26, 2014

Root Cause Analysis: Stop Playing Whack-a-Mole

My latest piece in SecurityWeek entitled "Root Cause Analysis: Stop Playing Whack-a-Mole" is out: http://www.securityweek.com/root-cause-analysis-stop-playing-whack-mole.  In this piece, I tried to bring attention to the often overlooked topic of root cause analysis.  Much of incident response involves continually treating symptoms, but how can we look at treating the cause of what ails us?  In my experience, it's a discussion worth having and something that many of us struggle with.  Have a look at the piece and let me know what you think.

Wednesday, August 13, 2014

First SC Magazine UK Piece

My first piece for SC Magazine UK entitled "A way forward in information sharing" was published today: http://www.scmagazineuk.com/a-way-forward-in-information-sharing/article/366014/.  In the piece, I ask how the infosec community can move from informal and exclusive trust circles to more mature, formal information sharing approaches without losing agility and effectiveness.  Ad hoc information sharing is a great thing, but it is only the beginning.

Tuesday, August 12, 2014

Not All Intrusions Involve Malware

My latest piece in SecurityWeek entitled "Not All Intrusions Involve Malware" was published today: http://www.securityweek.com/not-all-intrusions-involve-malware.  In the piece, I tried to focus on an area that I often see overlooked within organizations.  Malware is a big problem in the security space, but it is only one of many problems security practitioners face on a daily basis.  I tried to lay out some examples of intrusion vectors that involve no malware at all and suggested approaches to detection and response.  Of course, it is not possible to enumerate every potential threat vector within the allotted length of the piece, but I hope to ignite some thought and discussion on the topic.  My hope is that the community will begin to pay more attention to analysis of the unknown unknowns.  It's an important endeavor.

Thursday, August 7, 2014

Embrace Feedback and Diversity of Opinion

I’m sure we’ve all been in meetings (or discussions) where the person who called the meeting had made up his or her mind before the meeting even began.  These meetings typically progress as follows:
  • Meeting organizer makes initial statements, points, and/or assertions
  • Some of these may appear incorrect or unrealistic to some meeting attendees
  • Initial feedback is provided by meeting attendees
  • Meeting organizer becomes insulted or defensive and may become dismissive or, worse yet, confrontational
  • Meeting participants cease providing feedback
  • Meeting organizer interprets the lack of feedback as agreement or "victory"
  • The meeting concludes with the outcome that the meeting organizer had pre-determined

These types of encounters can be frustrating experiences.  Aside from the wasted investment in time, there is another tragedy here.  The meeting organizer’s behavior not only shuts down and demoralizes the other meeting attendees, but it may in fact have dire consequences.

Information security is a tough business.  Decisions often need to be made quickly and under intense pressure.  Further, the consequences of an incorrect decision can be enormous.  For example, ending an incident response without fully containing and remediating the issue can lead to embarrassment, theft of intellectual property, monetary loss, and other undesired outcomes.

With the stakes so high, I would argue that an incorrect decision is worse than a delayed decision, largely due to the potential for cascading consequences.  Given this, how can an organization minimize its potential for error during the process of making critical decisions?  There are likely many approaches to this question, but one of them that I have found to be the most effective involves creating an environment that embraces feedback and values diversity of opinion.

An accurate decision requires accurate data points upon which to make that decision.  This is felt acutely in the information security realm where accurate data points come from a variety of sources and can take a frustratingly long time to assemble.  It is most often the case that the decision maker does not personally have insight into all of the data points required to make the decision or decisions at hand.  Because of this, the decision maker needs to foster an environment where feedback is embraced and accepted openly, and one where diversity of opinion is valued.  This entails creating an environment that is the exact opposite of the sequence of events that was listed at the beginning of this post.
Decision makers who listen to their subject matter experts openly, attentively, and without prejudice benefit from more accurate and unbiased information.  This requires a decision maker who is willing to listen, and one who is willing to accept that he or she may not be particularly in touch or in tune with the details and intricacies concerned.  In short, security decision makers should not only accept feedback and differing opinions – they should treasure them.  It’s really the only way to make the correct decision in a demanding environment.

Tuesday, August 5, 2014

Tunnel Vision

As part of my efforts to stay educated, I try to allot some time each day to catch up on the latest goings on in the Twitterverse and in the blogosphere.  Some days are more informative than others, but in general, I have noticed something quite concerning of late.  We as a security community tend to suffer from tunnel vision.  Allow me to explain.

I try to follow and read a wide variety of perspectives.  Recently, I have seen an almost obsessive focus on the NSA/Edward Snowden drama and its associated causes.  I’m not saying that privacy isn’t an issue (it is) and that privacy concerns aren’t legitimate (they are).  Rather, what I’m saying is that, off the top of my head, I can think of a number of other threats to both large organizations and private citizens alike.  Unfortunately, I don’t see much discussion on any of them.  Rather, it seems that we as a community have succumbed to tunnel vision, to the detriment of all of the other topics for discussion.

Education, discourse, and collaboration on a number of different topics simultaneously have always been how we as a community make progress.  If we focus entirely on one topic and elevate it to dominate every conversation, we cannot attend to the other, equally deserving topics.  It’s easy to follow the herd mentality and jump on the bandwagon, but it comes at a great cost to our communal progress.  I am concerned that the issues we have pushed aside in order to follow the herd may remain unsolved.
I’m sure that there are those in the community who will agree with my concern.  The question becomes one of whether or not we can gain enough attention for the other topics we are concerned about and interested in discussing.  Time will tell.  There is certainly no shortage of bright, shiny objects to distract people, unfortunately.

Sunday, August 3, 2014

Optimizing Security Operations for the Big Data Crush

I'm very proud that my article entitled "Optimizing Security Operations for the Big Data Crush" is the feature article in the August ISSA Journal: https://c.ymcdn.com/sites/www.issa.org/resource/resmgr/JournalPDFs/feature0814.pdf.  In the article, I identify factors that, based on my experience, create operational inefficiencies in a security operations setting.  I also offer suggestions for how some of these inefficiencies can be made less inefficient.  My intent was to cover a wide variety of topics within the security operations realm, while staying within the length limitations, so as to provide value to a wide readership.  I hope you will find the article both informative and interesting.

Tuesday, July 29, 2014

Is Security An Unsolvable Problem?

In today's SecurityWeek piece, I pose the question: Is security an unsolvable problem?  I believe that question to be unanswerable, mainly because it is too broad, vague and ambiguous to properly understand.  I offer an alternative approach, namely, one that involves framing the problems of security differently.  Framing the challenges in the security realm properly is an important first step in addressing them.  Give it a read and let me know what you think: http://www.securityweek.com/security-unsolvable-problem.

Friday, July 25, 2014

Boosting SMB Information Security

Today, I published my thoughts in The Business Journals regarding how Small and Medium-sized Businesses (SMBs) can boost their information security: http://www.bizjournals.com/bizjournals/how-to/technology/2014/07/how-small-businesses-can-boost-security.html.  The piece is intended for a business audience, rather than a technical audience.  In the piece, I discuss the idea of approaching security like we would approach other business processes.  In my estimation, that effort begins by helping SMBs to become better educated about the security space.  Today's piece is an introductory piece in a monthly series.  The goal is to provide valuable guidance to SMBs over the coming months.

Thoughts on Sourcing Threat Intelligence

I published a piece in Computer Weekly yesterday entitled "How to source cyber threat intelligence": http://www.computerweekly.com/opinion/How-to-source-cyber-threat-intelligence.  Leveraging intelligence is something most organizations understand the need to do, but it is also something that many organizations struggle with for various reasons.  One of these reasons is the confusing environment for the buyer/consumer of intelligence.  There are an almost overwhelming number of threat intelligence sources available, whether they be paid, open source, or communal in nature.  These sources vary in scope, focus, and quality, and it can be difficult for intelligence consumers to ascertain the value of different sources to their organizations.  The piece is intended to provide high level guidance and practical suggestions to a business audience around the topic of sourcing threat intelligence.  If this topic is relevant to you or your organization, I hope you enjoy the piece.

Tuesday, July 15, 2014

The Event Horizon: Examining Enterprise Security Blind Spots

My latest SecurityWeek piece discusses the process of gap analysis, specifically relating to identifying blind spots on the network and on the endpoint.  The piece can be found here: http://www.securityweek.com/event-horizon-examining-enterprise-security-blind-spots.  In any organization, understanding where one has the ability to observe events and where one is "blind" to them is an important undertaking.  Although I am perhaps a bit biased, I think it's a good read.

Wednesday, July 9, 2014

Thoughts on BrutPOS

I posted my thoughts on the BrutPOS malware from an executive/business perspective on the FireEye Blog today: http://www.fireeye.com/blog/corporate/2014/07/brutpos-from-a-security-practioners-perspective.html.  In the post, I discuss the fact that attackers only need to try as hard as they need to in order to succeed.  Because of this, attackers can, in essence, be lazy and still be productive.  To counter that, some straightforward, foundational information security measures can be leveraged.  Have a look if it is of interest.

Thursday, July 3, 2014

Living Up To Rock Star Status

In almost any endeavor, success usually comes with additional responsibility.  For example, a promotion into a management or executive position comes with the additional responsibilities associated with that position.  It should be analogous in the security profession.  I’m not sure why, but we tend to make for ourselves “rock stars” or “celebrities” within our profession.  Sometimes these individuals push us and challenge us to think differently about solving problems, provide us with guidance and wisdom based on their knowledge and experiences, and/or use their influence for the greater good.  We usually examine their words closely and pay intimate attention to those words, as we should.

Unfortunately, sometimes that is not the case.  There are some “famous” people within the security community who seem to care more about self-promotion and elite status than they do about advancing the state of the art, educating people, or influencing others in the security profession.  It might be helpful for the overall security community if we sent a message that sounded something like: “It’s not all about you”.

I myself have a modest following.  Nonetheless, I believe that even one reader of my materials puts upon me tremendous responsibility.  I have always tried to educate, provide insight, and offer practical suggestions that can be implemented operationally.  I can only hope that I am living up to expectations.  The feedback I have received from some members of the security community regarding blog postings, articles in various publications, SecurityWeek pieces, and the pieces in Wired Information Insights indicates that there are many in the community who would agree with my perspective and appreciate what I am trying to do.  It is certainly not an easy task, and I am well aware of that.
If someone finds that he or she has attained “rock star” status, it should bring with it a tremendous amount of responsibility.  That responsibility is to the very security community that made someone a “rock star”.  With celebrity status comes tremendous potential to influence and advance the state of security.  To me, not taking advantage of that potential is a missed opportunity that hurts the community as a whole.  Really, it’s not about any of us – it’s about advancing the state of the security profession one day at a time.