Tuesday, August 26, 2014

Root Cause Analysis: Stop Playing Whack-a-Mole

My latest piece in SecurityWeek entitled "Root Cause Analysis: Stop Playing Whack-a-Mole" is out: http://www.securityweek.com/root-cause-analysis-stop-playing-whack-mole.  In this piece, I tried to bring attention to the often overlooked topic of root cause analysis.  Much of incident response involves continually treating symptoms, but how can we look at treating the cause of what ails us?  In my experience, it's a discussion worth having and something that many of us struggle with.  Have a look at the piece and let me know what you think.

Wednesday, August 13, 2014

First SC Magazine UK Piece

My first piece for SC Magazine UK entitled "A way forward in information sharing" was published today: http://www.scmagazineuk.com/a-way-forward-in-information-sharing/article/366014/.  In the piece, I ask how the infosec community can move from informal and exclusive trust circles to more mature, formal information sharing approaches without losing agility and effectiveness.  Ad hoc information sharing is a great thing, but it is only the beginning.

Tuesday, August 12, 2014

Not All Intrusions Involve Malware

My latest piece in SecurityWeek entitled "Not All Intrusions Involve Malware" was published today: http://www.securityweek.com/not-all-intrusions-involve-malware.  In the piece, I tried to focus on an area that I often see overlooked within organizations.  Malware is a big problem in the security space, but it is only one of many problems security practitioners face on a daily basis.  I tried to lay out some examples of intrusion vectors that involve no malware at all and suggested approaches to detection and response.  Of course, it is not possible to enumerate every potential threat vector within the allotted length of the piece, but I hope to ignite some thought and discussion on the topic.  My hope is that the community will begin to pay more attention to analysis of the unknown unknowns.  It's an important endeavor.

Thursday, August 7, 2014

Embrace Feedback and Diversity of Opinion

I’m sure we’ve all been in meetings (or discussions) where the person who called the meeting had made up his or her mind before the meeting even began.  These meetings typically progress as follows:
  • Meeting organizer makes initial statements, points, and/or assertions
  • Some of these may appear incorrect or unrealistic to some meeting attendees
  • Initial feedback is provided by meeting attendees
  • Meeting organizer becomes insulted or defensive and may become dismissive or, worse yet, confrontational
  • Meeting participants cease providing feedback
  • Meeting organizer interprets the lack of feedback as agreement or "victory"
  • The meeting concludes with the outcome that the meeting organizer had pre-determined

These types of encounters can be frustrating experiences.  Aside from the wasted investment in time, there is another tragedy here.  The meeting organizer’s behavior not only shuts down and demoralizes the other meeting attendees, but it may in fact have dire consequences.

Information security is a tough business.  Decisions often need to be made quickly and under intense pressure.  Further, the consequences of an incorrect decision can be enormous.  For example, ending an incident response without fully containing and remediating the issue can lead to embarrassment, theft of intellectual property, monetary loss, and other undesired outcomes.

With the stakes so high, I would argue that an incorrect decision is worse than a delayed decision, largely due to the potential for cascading consequences.  Given this, how can an organization minimize its potential for error during the process of making critical decisions?  There are likely many approaches to this question, but the one I have found to be the most effective involves creating an environment that embraces feedback and values diversity of opinion.

An accurate decision requires accurate data points upon which to make that decision.  This is felt acutely in the information security realm where accurate data points come from a variety of sources and can take a frustratingly long time to assemble.  It is most often the case that the decision maker does not personally have insight into all of the data points required to make the decision or decisions at hand.  Because of this, the decision maker needs to foster an environment where feedback is embraced and accepted openly, and one where diversity of opinion is valued.  This entails creating an environment that is the exact opposite of the sequence of events that was listed at the beginning of this post.


Decision makers who listen to their subject matter experts openly, attentively, and without prejudice benefit from more accurate and unbiased information.  This requires a decision maker who is willing to listen, and one who is willing to accept that he or she may not be particularly in touch or in tune with the details and intricacies concerned.  In short, security decision makers should not only accept feedback and differing opinions – they should treasure them.  It’s really the only way to make the correct decision in a demanding environment.

Tuesday, August 5, 2014

Tunnel Vision

As part of my efforts to stay educated, I try to allot some time each day to catch up on the latest goings on in the Twitterverse and in the blogosphere.  Some days are more informative than others, but in general, I have noticed something quite concerning of late.  We as a security community tend to suffer from tunnel vision.  Allow me to explain.

I try to follow and read a wide variety of perspectives.  Recently, I have seen an almost obsessive focus on the NSA/Edward Snowden drama and its associated causes.  I’m not saying that privacy isn’t an issue (it is) and that privacy concerns aren’t legitimate (they are).  Rather, what I’m saying is that, off the top of my head, I can think of a number of other threats to both large organizations and private citizens alike.  Unfortunately, I don’t see much discussion on any of them.  Rather, it seems that we as a community have succumbed to tunnel vision, to the detriment of all of the other topics for discussion.

Education, discourse, and collaboration on a number of different topics simultaneously have always been how we as a community make progress.  If we focus entirely on one topic and elevate it to dominate every conversation, we cannot attend to the other, equally deserving topics.  It’s easy to follow the herd mentality and jump on the bandwagon, but it comes at a great cost to our communal progress.  I am concerned that the issues we have pushed aside in order to follow the herd may remain unsolved.


I’m sure that there are those in the community who will agree with my concern.  The question becomes one of whether or not we can gain enough attention for the other topics we are concerned about and interested in discussing.  Time will tell.  There is certainly no shortage of bright, shiny objects to distract people, unfortunately.

Sunday, August 3, 2014

Optimizing Security Operations for the Big Data Crush

I'm very proud that my article entitled "Optimizing Security Operations for the Big Data Crush" is the feature article in the August ISSA Journal: https://c.ymcdn.com/sites/www.issa.org/resource/resmgr/JournalPDFs/feature0814.pdf.  In the article, I identify factors that, based on my experience, create operational inefficiencies in a security operations setting.  I also offer suggestions for how some of these inefficiencies can be reduced.  My intent was to cover a wide variety of topics within the security operations realm, while staying within the length limitations, so as to provide value to a wide readership.  I hope you will find the article both informative and interesting.