Tuesday, August 26, 2014
Root Cause Analysis: Stop Playing Whack-a-Mole
My latest piece in SecurityWeek entitled "Root Cause Analysis: Stop Playing Whack-a-Mole" is out: http://www.securityweek.com/root-cause-analysis-stop-playing-whack-mole. In this piece, I tried to bring attention to the often overlooked topic of root cause analysis. Much of incident response involves continually treating symptoms, but how can we look at treating the cause of what ails us? In my experience, it's a discussion worth having and something that many of us struggle with. Have a look at the piece and let me know what you think.
Wednesday, August 13, 2014
First SC Magazine UK Piece
My first piece for SC Magazine UK entitled "A way forward in information sharing" was published today: http://www.scmagazineuk.com/a-way-forward-in-information-sharing/article/366014/. In the piece, I ask how the infosec community can move from informal and exclusive trust circles to more mature, formal information sharing approaches without losing agility and effectiveness. Ad hoc information sharing is a great thing, but it is only the beginning.
Tuesday, August 12, 2014
Not All Intrusions Involve Malware
My latest piece in SecurityWeek entitled "Not All Intrusions Involve Malware" was published today: http://www.securityweek.com/not-all-intrusions-involve-malware. In the piece, I tried to focus on an area that I often see overlooked within organizations. Malware is a big problem in the security space, but it is only one of many problems security practitioners face on a daily basis. I tried to lay out some examples of intrusion vectors that involve no malware at all and suggested approaches to detection and response. Of course, it is not possible to enumerate every potential threat vector within the allotted length of the piece, but I hope to ignite some thought and discussion on the topic. My hope is that the community will begin to pay more attention to analysis of the unknown unknowns. It's an important endeavor.
Thursday, August 7, 2014
Embrace Feedback and Diversity of Opinion
I’m sure we’ve all been in meetings (or discussions) where the person who called the meeting had made up his or her mind before the meeting even began. These meetings typically progress as follows:
- Meeting organizer makes initial statements, points, and/or assertions
- Some of these may appear incorrect or unrealistic to some meeting attendees
- Initial feedback is provided by meeting attendees
- Meeting organizer becomes insulted or defensive and may become dismissive or, worse yet, confrontational
- Meeting participants cease providing feedback
- Meeting organizer interprets the lack of feedback as agreement or "victory"
- The meeting concludes with the outcome that the meeting organizer had pre-determined
These types of encounters can be frustrating experiences. Aside from the wasted investment in time, there is another tragedy here. The meeting organizer’s behavior not only shuts down and demoralizes the other meeting attendees, but it may in fact have dire consequences.
Information security is a tough business. Decisions often need to be made quickly and under intense pressure. Further, the consequences of an incorrect decision can be enormous. For example, ending an incident response without fully containing and remediating the issue can lead to embarrassment, theft of intellectual property, monetary loss, and other undesired outcomes. With the stakes so high, I would argue that an incorrect decision is worse than a delayed decision, largely due to the potential for cascading consequences. Given this, how can an organization minimize its potential for error during the process of making critical decisions? There are likely many approaches to this question, but one that I have found to be the most effective involves creating an environment that embraces feedback and values diversity of opinion.
An accurate decision requires accurate data points upon which to make that decision. This is felt acutely in the information security realm, where accurate data points come from a variety of sources and can take a frustratingly long time to assemble. It is most often the case that the decision maker does not personally have insight into all of the data points required to make the decision or decisions at hand. Because of this, the decision maker needs to foster an environment where feedback is embraced and accepted openly, and one where diversity of opinion is valued. This entails creating an environment that is the exact opposite of the sequence of events listed at the beginning of this post.
Decision makers who listen to their subject matter experts openly, attentively, and without prejudice benefit from more accurate and unbiased information. This requires a decision maker who is willing to listen, and one who is willing to accept that he or she may not be particularly in touch or in tune with the details and intricacies concerned. In short, security decision makers should not only accept feedback and differing opinions – they should treasure them. It’s really the only way to make the correct decision in a demanding environment.
Tuesday, August 5, 2014
Tunnel Vision
As part of my efforts to stay educated, I try to allot some time each day to catch up on the latest goings-on in the Twitterverse and in the blogosphere. Some days are more informative than others, but in general, I have noticed something quite concerning of late. We as a security community tend to suffer from tunnel vision. Allow me to explain.
I try to follow and read a wide variety of perspectives. Recently, I have seen an almost obsessive focus on the NSA/Edward Snowden drama and its associated causes. I’m not saying that privacy isn’t an issue (it is) or that privacy concerns aren’t legitimate (they are). Rather, what I’m saying is that, off the top of my head, I can think of a number of other threats to large organizations and private citizens alike. Unfortunately, I don’t see much discussion on any of them. Rather, it seems that we as a community have succumbed to tunnel vision, to the detriment of all of the other topics for discussion.
Education, discourse, and collaboration on a number of different topics simultaneously have always been how we as a community make progress. If we focus entirely on one topic and elevate it to dominate every conversation, we cannot attend to the other, equally deserving topics. It’s easy to follow the herd mentality and jump on the bandwagon, but it comes at a great cost to our communal progress. I am concerned that the issues we have pushed aside in order to follow the herd may remain unsolved.
I’m sure that there are those in the community who will agree with my concern. The question becomes one of whether or not we can gain enough attention for the other topics we are concerned about and interested in discussing. Time will tell. There is certainly no shortage of bright, shiny objects to distract people, unfortunately.
Sunday, August 3, 2014
Optimizing Security Operations for the Big Data Crush
I'm very proud that my article entitled "Optimizing Security Operations for the Big Data Crush" is the feature article in the August ISSA Journal: https://c.ymcdn.com/sites/www.issa.org/resource/resmgr/JournalPDFs/feature0814.pdf. In the article, I identify factors that, based on my experience, create operational inefficiencies in a security operations setting. I also offer suggestions for how some of these inefficiencies can be reduced. My intent was to cover a wide variety of topics within the security operations realm, while staying within the length limitations, so as to provide value to a wide readership. I hope you will find the article both informative and interesting.