Wednesday, October 29, 2014

Using Relative Metrics to Measure Security Program Success

Historically, many organizations have focused on absolute security metrics.  Absolute security metrics are metrics that are not tied to any specific risk or threat that the organization seeks to mitigate.  The trouble with absolute metrics is that they don't provide us with much actual insight into the success and progress of our security program.  So what can an organization do to better measure itself?  I cover that topic in today's SecurityWeek piece entitled "Using Relative Metrics to Measure Security Program Success": http://www.securityweek.com/using-relative-metrics-measure-security-program-success.

Wednesday, October 22, 2014

Every Interaction Matters

This blog post was inspired by and is dedicated to the memory of Ilan Rasooly.

When I first met Ilan, he was a 10-year-old boy who was energetic, full of joy, and with a love for life.   Over the next 11 years, our family became good friends with Ilan's family.  During that time, I had the good fortune to watch Ilan grow into a responsible, helpful, kind, and yes, still energetic man.  When I first met Ilan, I had no idea that his life would be cut tragically short 11 years later after a horrific accident.

As with everything in life, I try to learn from and seek meaning in all events, both good and bad.  I have to be honest - I am struggling to learn from this one.  It's a very difficult time, most of all for Ilan's family.  Death is always painful, but the death of a young, energetic soul is exceptionally and incredibly painful.

Nonetheless, I do believe there is a security lesson that we can learn from this.  That may sound crazy, but please allow me to explain.

If we look across recent breaches that have made headlines, we see that in some cases, the initial or subsequent intrusions did result in an alert firing.  If that happened, why did so many of these breaches persist for long periods of time and result in the loss of millions of records (whether they were customer information, payment cards, or otherwise)?  Unfortunately, in many of these cases, although alerts indicating intrusion may have fired (the signal), they were lost amidst an incredible volume of false positives (the noise).  Unfortunately, this is a daily occurrence inside most organizations.  The signal-to-noise ratio is often too low to allow the organization to understand that they have been breached and respond accordingly before any grave damage has been done.

I've discussed this concept in additional depth previously on my blog in a post entitled "Signal-to-Noise Ratio": http://ananalyticalapproach.blogspot.com/2014/03/signal-to-noise-ratio.html.

In this particular post, I'd like to stress the importance of reviewing each and every alert that was mentioned in my previous post.  If you have too many alerts to make that a reality, then you need fewer alerts.  Plain and simple.  Think that sounds crazy?  Allow me to ask the following question.  What is the point of an alert, if not to be reviewed and handled appropriately?  Organizations that have more mature security operations and incident response functions have fewer alerts of higher quality and higher fidelity.  Each and every alert gets reviewed.  Will those organizations still miss things from time to time?  Of course.  I'm sure there are attacks that will always fly under the radar of any detection techniques.  The difference is that mature organizations won't miss something they should have known about and, in fact, were alerted to.  Organizations with a mature security function do a lot of things well, but one of them is getting the signal-to-noise ratio under control.
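The post argues that alert volume should be driven down until every alert can be reviewed, and that mature operations have fewer, higher-fidelity alerts. One way to put numbers on that is to track, per detection rule, how many of its alerts were dispositioned as real versus false, and how many were never looked at. The script below is an added example, not code from the original post; the rule names, alert counts and dispositions are constructed, and the thresholds (a rule needs at least 20 reviewed alerts and a true-positive share below 10% to be flagged) are assumptions to be tuned per organization.

```python
"""Per-rule signal-to-noise measurement over a constructed alert log.

Added example (not from the original post). Given the triage disposition of
each alert, compute each rule's "signal" (true positives among reviewed
alerts), flag the rules whose volume is mostly noise, and report what share
of alerts was never reviewed at all. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

TRUE_POSITIVE = "true_positive"
FALSE_POSITIVE = "false_positive"
UNREVIEWED = "unreviewed"   # the alert fired, but nobody ever looked at it


@dataclass(frozen=True)
class Alert:
    rule: str          # hypothetical detection rule name
    disposition: str   # one of the three constants above


# Constructed sample: one week of alerts from four hypothetical rules.
SAMPLE_ALERTS = (
    [Alert("port_scan_generic", FALSE_POSITIVE)] * 480
    + [Alert("port_scan_generic", TRUE_POSITIVE)] * 5
    + [Alert("port_scan_generic", UNREVIEWED)] * 215
    + [Alert("c2_beacon_known_domain", TRUE_POSITIVE)] * 9
    + [Alert("c2_beacon_known_domain", FALSE_POSITIVE)] * 1
    + [Alert("av_quarantine_noise", FALSE_POSITIVE)] * 300
    + [Alert("av_quarantine_noise", UNREVIEWED)] * 100
    + [Alert("new_admin_account", TRUE_POSITIVE)] * 3
    + [Alert("new_admin_account", FALSE_POSITIVE)] * 2
)


def summarize(alerts):
    """Return {rule: {"total", "tp", "fp", "unreviewed", "snr"}}.

    snr is the true-positive share of *reviewed* alerts; unreviewed alerts
    are excluded because they say nothing about the rule's quality, only
    about the team's capacity. A rule with nothing reviewed gets snr=None.
    """
    counts = defaultdict(lambda: {"total": 0, "tp": 0, "fp": 0, "unreviewed": 0})
    for a in alerts:
        c = counts[a.rule]
        c["total"] += 1
        if a.disposition == TRUE_POSITIVE:
            c["tp"] += 1
        elif a.disposition == FALSE_POSITIVE:
            c["fp"] += 1
        else:
            c["unreviewed"] += 1
    for c in counts.values():
        reviewed = c["tp"] + c["fp"]
        c["snr"] = c["tp"] / reviewed if reviewed else None
    return dict(counts)


def noisy_rules(summary, min_snr=0.10, min_reviewed=20):
    """Rules with enough reviewed samples to judge, whose signal share is
    below min_snr: candidates for tuning or retirement, noisiest first."""
    candidates = [
        (rule, c) for rule, c in summary.items()
        if c["snr"] is not None
        and c["tp"] + c["fp"] >= min_reviewed
        and c["snr"] < min_snr
    ]
    candidates.sort(key=lambda rc: rc[1]["total"], reverse=True)
    return [rule for rule, _ in candidates]


def review_coverage(alerts):
    """Fraction of all alerts that received any disposition at all.
    Anything below 1.0 is exactly the gap the post warns about."""
    if not alerts:
        return 0.0
    reviewed = sum(1 for a in alerts if a.disposition != UNREVIEWED)
    return reviewed / len(alerts)


def remaining_volume(alerts, retired_rules):
    """Alert count left to review once the given rules are tuned out."""
    retired = set(retired_rules)
    return sum(1 for a in alerts if a.rule not in retired)


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    print(f"{'rule':<24}{'total':>7}{'tp':>5}{'fp':>6}{'unrev':>7}{'snr':>7}")
    for rule, c in sorted(summary.items(), key=lambda rc: -rc[1]["total"]):
        snr = "n/a" if c["snr"] is None else f"{c['snr']:.2f}"
        print(f"{rule:<24}{c['total']:>7}{c['tp']:>5}{c['fp']:>6}"
              f"{c['unreviewed']:>7}{snr:>7}")
    noisy = noisy_rules(summary)
    print(f"\nreview coverage: {review_coverage(SAMPLE_ALERTS):.1%}")
    print(f"noisy rules: {noisy}")
    print(f"alerts/week after tuning those out: "
          f"{remaining_volume(SAMPLE_ALERTS, noisy)}")
```

On the constructed data, two rules produce over 98% of the volume and almost none of the signal; tuning them out leaves 15 alerts a week, 12 of them real, which a single analyst can review in full. The coverage number is the one to watch over time: if it is not 100%, some alerts are the unreviewed "interactions" the post is talking about, and SNR figures for those rules are unreliable because the sample was never looked at.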

What does this have to do with Ilan you ask?  We can think of each alert as an interaction.  If we review each and every alert, we have a chance to turn that interaction into a positive one.  In other words, even if we have been breached, we can learn of the breach in a timely manner and respond swiftly before any grave damage to the organization has occurred.

On the other hand, if we do not review each and every alert, we run the risk of each of those interactions turning into a negative one.  In other words, how can I be sure that an alert that fires now is not the one that will cause me to appear in the press in six months?  I can't be sure, unless I review each and every alert.

So too on the interpersonal front, every interaction matters.  In the 11 years that I knew Ilan, we interacted many times.  I hope that he felt that all of our interactions were positive ones.  I will never know for sure.  But, I do know that each and every one of us can strive for a positive outcome from each of our interpersonal interactions.  I think that is an important point to remember, whether we are applying that way of thinking to information security or otherwise.

Wednesday, October 15, 2014

#MIRcon: What the Cosmos can Teach us about Security

A few people have asked me what central theme and message stayed with me after last week’s #MIRcon.  I posted my thoughts to the FireEye blog: http://www.fireeye.com/blog/corporate/2014/10/mircon-what-the-cosmos-can-teach-us-about-security.html.  Hope you enjoy, and I am curious to hear your thoughts as always.

Tuesday, October 14, 2014

The "So What?" Factor of Information Security

While there are exceptions, most business executives view security as a necessary evil.  Because of this, we have to understand that what impresses and enamors us may not impress and enamor others.  As security professionals, we need to learn to speak the language of the business world to ensure that our message is received and internalized.  We have an important role to play as messengers, and we can have a tremendous impact on the security postures of our organizations if we play this role well.  I discuss this topic in my latest SecurityWeek post entitled "The 'So What?' Factor of Information Security": http://www.securityweek.com/so-what-factor-information-security.

Monday, October 13, 2014

How to measure the success of your security program

Measuring the success of a security program is something that has always been a challenge in our industry.  This challenge is felt even more acutely in the small and medium-sized business (SMB) arena.  There is some good news, however.  Although the value and relevancy of different metrics will vary widely by organization, taking the approach of measuring success and failure against enumerated goals and priorities can help.  Risk management isn't just a good exercise for strengthening an organization's security posture -- it can also help the organization measure its progress and improvement.  I share my thoughts on this topic in The Business Journals: http://www.bizjournals.com/bizjournals/how-to/growth-strategies/2014/10/measuring-success-of-a-security-program.html.

Wednesday, October 8, 2014

Flying Blind

To say that enterprise-wide visibility is a challenge in the security realm is a bit of an understatement.  It's an important topic whose ramifications are felt quite acutely during breach response or incident response.  Given that, you might find it quite surprising that more often than not, when crunch time comes, enterprises find out the hard way that they don't have the visibility and data they thought they did.  Why is this the case?  Further, what can an enterprise do proactively to avoid this type of situation?  I discuss this topic in my post on the FireEye blog today, entitled "Flying Blind": http://www.fireeye.com/blog/corporate/2014/10/flying-blind.html.

Wednesday, October 1, 2014

The Importance of Being Earnest

Most of us have likely either seen the play or watched the movie "The Importance of Being Earnest" (http://en.wikipedia.org/wiki/The_Importance_of_Being_Earnest).  Although I am not an expert in theater or cinema, it would seem to me that one of the key lessons of this work is that of truthfulness. You might be asking yourself what this has to do with information security.  Well, I would say that there is an important lesson here that we can apply to the security realm.

Being truthful, honest, straightforward, and, well, earnest helps strengthen an organization's security posture, its overall security program, and its security operations function.  How so?  Let's examine this concept for each of the parties with which we can be truthful, honest, and straightforward:

  • Ourselves: First and foremost, we need to be honest with ourselves.  Every security program has its strengths and weaknesses.  Acknowledging a weakness is not in itself a weakness.  Rather, it is the first step towards strengthening and improving that weak spot and should be regarded as a positive.  It may not be easy to take a look in the mirror and examine what we are not doing well, but it is extremely important.  After all, if we are not honest with ourselves, we cannot really be honest with everyone else.
  • Management: Intentions matter.  Management does not expect perfection, but they do expect honesty and integrity.  If we misrepresent our capabilities, it may keep pressure off our backs in the short term, but in the long term, by hiding a weakness or shortcoming we are aware of, we are introducing unnecessary risk into the security posture of our organization.  Have a weakness or shortcoming that you dread raising to the attention of management?  Try formulating a plan to correct it before raising it to management.  I think you'll be surprised that what management really cares about is that you have a plan to do something about it, and not about the issue itself.
  • Peers: We all learn and grow from constructive interactions with our peers.  In order for everyone to benefit from these interactions, everyone needs to approach them in a positive light.  Not doing so causes individuals to miss out on the potential to improve.  Most people want to be helpful.  If you are honest and sincere with people about the challenges you face in accomplishing your goals, they will usually try to help you.  If you attempt to deceive them, you are really only cheating yourself.
  • Clients and Partners: We certainly want to show clients and partners that we have a serious and formalized approach to information security.  But, we don't need to be dishonest to do so.  Most clients and partners appreciate a fresh dose of honesty.  It shows that the organization is self-aware and has a list of priorities to attend to on the never-ending road of continuous improvement.  If one of my vendors or suppliers told me that everything was perfect and great, that would make me less comfortable, not more comfortable.  Think about it.
  • Other Organizations: Organizations can improve by interacting with, sharing information with, and learning from one another.  Similar to the peer interactions amongst individuals, this requires approaching the undertaking honestly.  Otherwise, an opportunity for growth is forfeited.  Sure, there will always be individuals and organizations that will be fooled by fast-talking doublespeak, but not as many as we might think.  People tend to see through that stuff, but they are often too polite to point it out.

It sounds counter-intuitive, but admitting weakness is actually a strength.  By being truthful, honest, straightforward, and earnest, we empower ourselves to grow and improve, both as individuals and as organizations.  This is an important cultural aspect that helps improve an organization's security posture, and it is one that is often overlooked.  If you are a security leader, you owe it to yourself and to your organization to create a culture that rewards honesty and truthfulness.  The importance of being earnest is clear.