Tuesday, July 29, 2014
In today's SecurityWeek piece, I pose the question: Is security an unsolvable problem? I believe that question to be unanswerable, mainly because it is too broad, vague and ambiguous to properly understand. I offer an alternative approach, namely, one that involves framing the problems of security differently. Framing the challenges in the security realm properly is an important first step in addressing them. Give it a read and let me know what you think: http://www.securityweek.com/security-unsolvable-problem.
Friday, July 25, 2014
Boosting SMB Information Security
Today, I published my thoughts in The Business Journals regarding how Small and Medium-sized Businesses (SMBs) can boost their information security: http://www.bizjournals.com/bizjournals/how-to/technology/2014/07/how-small-businesses-can-boost-security.html. The piece is intended for a business audience, rather than a technical audience. In the piece, I discuss the idea of approaching security like we would approach other business processes. In my estimation, that effort begins by helping SMBs to become better educated about the security space. Today's piece is an introductory piece in a monthly series. The goal is to provide valuable guidance to SMBs over the coming months.
Thoughts on Sourcing Threat Intelligence
I published a piece in Computer Weekly yesterday entitled "How to source cyber threat intelligence": http://www.computerweekly.com/opinion/How-to-source-cyber-threat-intelligence. Leveraging intelligence is something most organizations understand the need to do, but it is also something that many organizations struggle with for various reasons. One of these reasons is the confusing environment for the buyer/consumer of intelligence. There are an almost overwhelming number of threat intelligence sources available, whether they be paid, open source, or communal in nature. These sources vary in scope, focus, and quality, and it can be difficult for intelligence consumers to ascertain the value of different sources to their organizations. The piece is intended to provide high level guidance and practical suggestions to a business audience around the topic of sourcing threat intelligence. If this topic is relevant to you or your organization, I hope you enjoy the piece.
Tuesday, July 15, 2014
The Event Horizon: Examining Enterprise Security Blind Spots
My latest SecurityWeek piece discusses the process of gap analysis, specifically relating to identifying blind spots on the network and on the endpoint. The piece can be found here: http://www.securityweek.com/event-horizon-examining-enterprise-security-blind-spots. In any organization, understanding where one has the ability to observe events and where one is "blind" to them is an important undertaking. Although I am perhaps a bit biased, I think it's a good read.
Wednesday, July 9, 2014
Thoughts on BrutPOS
I posted my thoughts on the BrutPOS malware from an executive/business perspective on the FireEye Blog today: http://www.fireeye.com/blog/corporate/2014/07/brutpos-from-a-security-practioners-perspective.html. In the post, I discuss the fact that attackers only need to try as hard as they need to in order to succeed. Because of this, attackers can, in essence, be lazy and still be productive. To counter that, some straightforward, foundational information security measures can be leveraged. Have a look if it is of interest.
Thursday, July 3, 2014
Living Up To Rock Star Status
In almost any endeavor, success usually comes with additional responsibility. For example, a promotion into a management or executive position comes with the additional responsibilities associated with that position.

It should be analogous in the security profession. I’m not sure why, but we tend to make for ourselves “rock stars” or “celebrities” within our profession. Sometimes these individuals push us and challenge us to think differently about solving problems, provide us with guidance and wisdom based on their knowledge and experiences, and/or use their influence for the greater good. We usually examine their words closely and pay intimate attention to those words, as we should.

Unfortunately, sometimes that is not the case. There are some “famous” people within the security community who seem to care more about self-promotion and elite status than they do about advancing the state of the art, educating people, or influencing others in the security profession. It might be helpful for the overall security community if we sent a message that sounded something like: “It’s not all about you”.

I myself have a modest following. Nonetheless, I believe that even one reader of my materials puts upon me tremendous responsibility. I have always tried to educate, provide insight, and offer practical suggestions that can be implemented operationally. I can only hope that I am living up to expectations. The feedback I have received from some members of the security community regarding blog postings, articles in various publications, SecurityWeek pieces, and the pieces in Wired Information Insights indicates that there are many in the community who would agree with my perspective and appreciate what I am trying to do. It is certainly not an easy task, and I am well aware of that.

If someone finds that he or she has attained “rock star” status, it should bring with it a tremendous amount of responsibility. That responsibility is to the very security community that made someone a “rock star”.

With celebrity status comes tremendous potential to influence and advance the state of security. To me, not taking advantage of that potential is a missed opportunity that hurts the community as a whole. Really, it’s not about any of us – it’s about advancing the state of the security profession one day at a time.
Throw Out The Default Rule Set
Earlier this week, I published a piece in SecurityWeek entitled “Throw Out The Default Rule Set” (http://www.securityweek.com/throw-out-default-rule-set). The piece discusses the benefits of discarding the default rule set that is included with many alerting and SIEM technologies and taking a different approach entirely. The approach described in the piece suggests identifying risks and threats to the business, and using those to build a set of use cases unique to the specific organization. Those use cases can be used to build a rule set that is more adequately suited to the specific organization running it. Ultimately, if done correctly, this approach can result in far fewer false positives, far less noise, and a much higher signal-to-noise ratio. If this concept intrigues you, I’d urge you to have a look.