Tuesday, July 29, 2014

Is Security An Unsolvable Problem?

In today's SecurityWeek piece, I pose the question: Is security an unsolvable problem?  I believe that question to be unanswerable, mainly because it is too broad, vague and ambiguous to properly understand.  I offer an alternative approach, namely, one that involves framing the problems of security differently.  Framing the challenges in the security realm properly is an important first step in addressing them.  Give it a read and let me know what you think: http://www.securityweek.com/security-unsolvable-problem.

Friday, July 25, 2014

Boosting SMB Information Security

Today, I published my thoughts in The Business Journals regarding how Small and Medium-sized Businesses (SMBs) can boost their information security: http://www.bizjournals.com/bizjournals/how-to/technology/2014/07/how-small-businesses-can-boost-security.html.  The piece is intended for a business audience, rather than a technical audience.  In the piece, I discuss the idea of approaching security like we would approach other business processes.  In my estimation, that effort begins by helping SMBs to become better educated about the security space.  Today's piece is an introductory piece in a monthly series.  The goal is to provide valuable guidance to SMBs over the coming months.

Thoughts on Sourcing Threat Intelligence

I published a piece in Computer Weekly yesterday entitled "How to source cyber threat intelligence": http://www.computerweekly.com/opinion/How-to-source-cyber-threat-intelligence.  Leveraging intelligence is something most organizations understand the need to do, but it is also something that many organizations struggle with for various reasons.  One of these reasons is the confusing environment for the buyer/consumer of intelligence.  There are an almost overwhelming number of threat intelligence sources available, whether they be paid, open source, or communal in nature.  These sources vary in scope, focus, and quality, and it can be difficult for intelligence consumers to ascertain the value of different sources to their organizations.  The piece is intended to provide high-level guidance and practical suggestions to a business audience around the topic of sourcing threat intelligence.  If this topic is relevant to you or your organization, I hope you enjoy the piece.

Tuesday, July 15, 2014

The Event Horizon: Examining Enterprise Security Blind Spots

My latest SecurityWeek piece discusses the process of gap analysis, specifically relating to identifying blind spots on the network and on the endpoint.  The piece can be found here: http://www.securityweek.com/event-horizon-examining-enterprise-security-blind-spots.  In any organization, understanding where one has the ability to observe events and where one is "blind" to them is an important undertaking.  Although I am perhaps a bit biased, I think it's a good read.

Wednesday, July 9, 2014

Thoughts on BrutPOS

I posted my thoughts on the BrutPOS malware from an executive/business perspective on the FireEye Blog today: http://www.fireeye.com/blog/corporate/2014/07/brutpos-from-a-security-practioners-perspective.html.  In the post, I discuss the fact that attackers only need to try as hard as is necessary to succeed.  Because of this, attackers can, in essence, be lazy and still be productive.  To counter that, some straightforward, foundational information security measures can be leveraged.  Have a look if it is of interest.

Thursday, July 3, 2014

Living Up To Rock Star Status

In almost any endeavor, success usually comes with additional responsibility.  For example, a promotion into a management or executive position comes with the additional responsibilities associated with that position.  It should be analogous in the security profession.  I’m not sure why, but we tend to make for ourselves “rock stars” or “celebrities” within our profession.  Sometimes these individuals push us and challenge us to think differently about solving problems, provide us with guidance and wisdom based on their knowledge and experiences, and/or use their influence for the greater good.  We usually examine their words closely and pay close attention to them, as we should.

Unfortunately, sometimes that is not the case.  There are some “famous” people within the security community who seem to care more about self-promotion and elite status than they do about advancing the state of the art, educating people, or influencing others in the security profession.  It might be helpful for the overall security community if we sent a message that sounded something like: “It’s not all about you”.

I myself have a modest following.  Nonetheless, I believe that even one reader of my materials puts upon me tremendous responsibility.  I have always tried to educate, provide insight, and offer practical suggestions that can be implemented operationally.  I can only hope that I am living up to expectations.  The feedback I have received from some members of the security community regarding blog postings, articles in various publications, SecurityWeek pieces, and the pieces in Wired Information Insights indicates that there are many in the community who would agree with my perspective and appreciate what I am trying to do.  It is certainly not an easy task, and I am well aware of that.


If someone finds that he or she has attained “rock star” status, it should bring with it a tremendous amount of responsibility.  That responsibility is to the very security community that made someone a “rock star”.  With celebrity status comes tremendous potential to influence and advance the state of security.  To me, not taking advantage of that potential is a missed opportunity that hurts the community as a whole.  Really, it’s not about any of us – it’s about advancing the state of the security profession one day at a time.

Throw Out The Default Rule Set


Earlier this week, I published a piece in SecurityWeek entitled “Throw Out The Default Rule Set” (http://www.securityweek.com/throw-out-default-rule-set).  The piece discusses the benefits of discarding the default rule set that is included with many alerting and SIEM technologies and taking a different approach entirely.  The approach described in the piece suggests identifying risks and threats to the business, and using those to build a set of use cases unique to the specific organization.  Those use cases can be used to build a rule set that is more adequately suited to the specific organization running it.  Ultimately, if done correctly, this approach can result in far fewer false positives, far less noise, and a much higher signal-to-noise ratio.  If this concept intrigues you, I’d urge you to have a look.
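To make the contrast between a default rule and a use-case-driven rule concrete, here is a small added example (my illustration, not code from the SecurityWeek piece or from any SIEM product). It runs a stock "alert on every authentication failure" rule and a rule derived from one organization-specific use case over the same constructed set of authentication events, then scores each rule's alerts against a ground-truth label carried on the events. The host names, IP addresses, the `CRITICAL_HOSTS` and `ADMIN_JUMP_HOSTS` context, and the `malicious` labels are all assumptions constructed for the demonstration.

```python
"""Default rule set vs. use-case-driven rule set over constructed auth events.

Added illustration of the approach described above: start from a business risk
(unauthorized access to the payments database), turn it into a use case, and
write a rule for that use case instead of relying on a generic default rule.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since some epoch (constructed)
    user: str
    src_ip: str
    host: str
    outcome: str     # "success" or "failure"
    malicious: bool  # ground-truth label, used only for scoring the rules


@dataclass(frozen=True)
class Alert:
    rule: str
    src_ip: str
    host: str
    events: tuple    # the Event objects that triggered the alert


# Constructed sample events (hypothetical hosts/IPs, not real data): ordinary
# users mistyping passwords, a legitimate DBA session from the jump host, and a
# credential attack against the payments database from an outside address.
EVENTS = [
    Event(100, "alice", "10.0.1.21", "wks-alice", "failure", False),
    Event(160, "alice", "10.0.1.21", "wks-alice", "success", False),
    Event(200, "bob", "10.0.1.22", "wks-bob", "failure", False),
    Event(205, "bob", "10.0.1.22", "wks-bob", "failure", False),
    Event(240, "bob", "10.0.1.22", "wks-bob", "success", False),
    Event(300, "carol", "10.0.1.23", "file-srv", "failure", False),
    Event(420, "dbadmin", "10.0.5.10", "pay-db-01", "success", False),
    Event(900, "dbadmin", "203.0.113.7", "pay-db-01", "failure", True),
    Event(930, "dbadmin", "203.0.113.7", "pay-db-01", "failure", True),
    Event(960, "dbadmin", "203.0.113.7", "pay-db-01", "failure", True),
    Event(990, "dbadmin", "203.0.113.7", "pay-db-01", "success", True),
    Event(1500, "dave", "10.0.1.24", "wks-dave", "failure", False),
]

# Organization-specific context that the risk/use-case analysis produces
# (assumed values): which hosts matter most, and where admin access comes from.
CRITICAL_HOSTS = {"pay-db-01"}
ADMIN_JUMP_HOSTS = {"10.0.5.10"}


def default_rule(events):
    """Typical out-of-the-box rule: one alert for every authentication failure."""
    return [Alert("any-auth-failure", e.src_ip, e.host, (e,))
            for e in events if e.outcome == "failure"]


def use_case_rule(events, burst_threshold=3, window_seconds=300):
    """Use case: credential attack against a critical host.

    (a) a successful login to a critical host from a source that is not an
        admin jump host, or
    (b) burst_threshold or more failures against a critical host from one
        source within window_seconds (one alert per source/host pair).
    """
    alerts = []
    for e in events:
        if (e.host in CRITICAL_HOSTS and e.outcome == "success"
                and e.src_ip not in ADMIN_JUMP_HOSTS):
            alerts.append(Alert("critical-host-access-from-unexpected-source",
                                e.src_ip, e.host, (e,)))

    failures = defaultdict(list)
    for e in events:
        if e.host in CRITICAL_HOSTS and e.outcome == "failure":
            failures[(e.src_ip, e.host)].append(e)
    for (src, host), evs in failures.items():
        evs.sort(key=lambda x: x.ts)
        for i in range(len(evs) - burst_threshold + 1):
            chunk = evs[i:i + burst_threshold]
            if chunk[-1].ts - chunk[0].ts <= window_seconds:
                alerts.append(Alert("critical-host-credential-burst",
                                    src, host, tuple(chunk)))
                break
    return alerts


def score(alerts):
    """Count true/false positives using the ground-truth label on the events."""
    tp = sum(1 for a in alerts if any(e.malicious for e in a.events))
    fp = len(alerts) - tp
    return {"alerts": len(alerts), "true_positives": tp,
            "false_positives": fp,
            "precision": tp / len(alerts) if alerts else 0.0}


if __name__ == "__main__":
    for name, rule in (("default", default_rule), ("use-case", use_case_rule)):
        print(name, score(rule(EVENTS)))
```

On this constructed data the default rule fires eight times with five false positives, while the use-case rule fires twice with none; the single real incident is caught by both, but only the tailored rule leaves an analyst with a queue worth reading. The point generalizes: the context that makes the second rule precise (which hosts are critical, where legitimate admin access originates) is exactly what a vendor's default rule set cannot know about your organization.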