Sunday, November 30, 2014

The Importance of Street Cred

There are many factors involved in a successful security program, and street cred is one of them.  Curious what I mean by that?  Have a look at my latest piece in SC Magazine UK entitled "The Importance of Street Cred": http://www.scmagazineuk.com/the-importance-of-street-cred/article/385637/.

Monday, November 24, 2014

Thoughts on #IRISSCON and #DeepSec

Last week, I was fortunate to have the opportunity to speak at both #IRISSCON and #DeepSec in Dublin and Vienna respectively.  Both conferences were extremely well run, with a great crowd and interesting dialogue to go along with them.  My conversations and observations at the conferences indicate to me that the paradigm shift from a focus solely on prevention to a mix between prevention and detection/response is indeed well underway.  Each conference I speak at, I find more and more people who are interested in better understanding the subject of incident response.

This is a good thing in my opinion.  It shows that we as an industry are trending in the correct direction.  People ask me many questions, but one of the most common is: "Where can I go to get good educational materials on incident response?"  This is a tough question to answer because, while there are many, many good materials on the subject, there are, unfortunately, quite a few not-so-good materials out there.  Generally, I recommend finding a few trusted sources (I would be flattered if you would consider this blog one of them) as a beginning point.  As time allows, sources can be expanded, perhaps with the help of a seasoned incident response veteran.

Those of us who have experience in incident response should continue to share our knowledge with those that are new to the field.  Together, we can help organizations improve the state of their security operations function and their overall security posture.  I am glad that the community is becoming more interested in what has for a long time been a very niche field.  Let's continue to keep the knowledge and exchange of ideas flowing, while hopefully minimizing the influence of #FUD and bad ideas.

Wednesday, November 19, 2014

How to prioritize security efforts with a data-centric approach

My latest piece in The Business Journals discussing the prioritization of security efforts using a data-centric approach is out.  Curious what that means?  Give "How to prioritize security efforts with a data-centric approach" a read: http://www.bizjournals.com/bizjournals/how-to/technology/2014/11/security-with-a-data-centric-approach.html.  Hope you enjoy!

Tuesday, November 18, 2014

How Do I Raise The Signal-to-Noise Ratio?

After yesterday's piece in SecurityWeek, I received some great feedback.  The feedback I received reaffirms my belief that security professionals know the pain of alert fatigue and the deluge of false positives all too well.  Not surprisingly, many people also asked me how they can go about raising their signal-to-noise ratio.  That is an excellent question for which I am happy to offer some advice.

I have found it most effective to first enumerate security risks, goals, and priorities as discussed in one of my previous SecurityWeek pieces: http://www.securityweek.com/security-unsolvable-problem, and to then throw out the default rule set as discussed in another one of my previous SecurityWeek pieces: http://www.securityweek.com/throw-out-default-rule-set.

This approach is a bit different from the traditional approach taken by many security organizations.  But we already know that the traditional approach drowns us in noise and obscures our signal.  In my experience, I have found this approach a far better way to get to 100 a day: http://ananalyticalapproach.blogspot.com/2014/03/100-day.html.  This in turn allows organizations to operate far more efficiently, improve their signal-to-noise ratio, and reduce alert fatigue.
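To make the two steps above concrete (enumerate risks and priorities first, then throw out the default rule set and keep only what serves those priorities), here is an added example that is not code from this blog or its author.  It measures the signal ratio of each detection rule from analyst dispositions, keeps only rules that map to an enumerated risk and clear a minimum ratio, and checks the resulting volume against the "100 a day" target.  The alert data, the rule names, and the risk-to-rule mapping are all constructed for illustration.

```python
"""Per-rule signal-to-noise and a risk-driven rule set.

Added example, not code from the blog or its author. Every alert,
rule name, and risk below is constructed for illustration only.
"""
from collections import Counter


def _constructed(rule, tp, fp):
    """Build a constructed list of (rule, disposition) tuples."""
    return [(rule, "tp")] * tp + [(rule, "fp")] * fp


# Constructed: one week of alerts with the analyst's final disposition.
# "tp" = confirmed incident, "fp" = false positive.
SAMPLE_ALERTS = (
    _constructed("default_port_scan", 2, 600)
    + _constructed("default_av_signature", 30, 150)
    + _constructed("priv_account_new_host", 8, 4)
    + _constructed("finance_db_bulk_export", 3, 1)
    + _constructed("dns_to_newly_registered_domain", 10, 40)
)
DAYS_COVERED = 7

# Constructed: the enumerated risks the organization actually cares
# about, each mapped to the rules that cover it. Rules absent from this
# map are "default rule set" content with no risk owner.
RISK_COVERAGE = {
    "theft of customer financial data": ["finance_db_bulk_export"],
    "privileged account compromise": ["priv_account_new_host"],
    "malware command and control": ["dns_to_newly_registered_domain"],
}


def per_rule_stats(alerts):
    """Return {rule: (tp, fp, ratio)} where ratio = tp / (tp + fp)."""
    tp = Counter()
    fp = Counter()
    for rule, disposition in alerts:
        (tp if disposition == "tp" else fp)[rule] += 1
    stats = {}
    for rule in set(tp) | set(fp):
        total = tp[rule] + fp[rule]
        stats[rule] = (tp[rule], fp[rule], tp[rule] / total)
    return stats


def all_rules(alerts):
    """The 'default' rule set: everything that has ever fired."""
    return {rule for rule, _ in alerts}


def tuned_rule_set(alerts, coverage, min_ratio=0.2):
    """Keep a rule only if it maps to an enumerated risk AND its
    historical signal ratio clears min_ratio. Rules with no risk owner
    are dropped regardless of how much they fire."""
    stats = per_rule_stats(alerts)
    backed = {rule for rules in coverage.values() for rule in rules}
    return {
        rule for rule in backed
        if stats.get(rule, (0, 0, 0.0))[2] >= min_ratio
    }


def daily_volume(alerts, rule_set, days):
    """Average alerts per day produced by the given rule set."""
    return sum(1 for rule, _ in alerts if rule in rule_set) / days


def overall_ratio(alerts, rule_set):
    """Fraction of alerts from rule_set that were confirmed incidents."""
    kept = [d for rule, d in alerts if rule in rule_set]
    return sum(1 for d in kept if d == "tp") / len(kept)


def within_daily_budget(alerts, rule_set, days, budget=100):
    """True when the rule set stays under the per-day target."""
    return daily_volume(alerts, rule_set, days) <= budget


if __name__ == "__main__":
    default = all_rules(SAMPLE_ALERTS)
    tuned = tuned_rule_set(SAMPLE_ALERTS, RISK_COVERAGE)
    for label, rules in (("default", default), ("tuned", tuned)):
        print(f"{label:8s} rules={len(rules)} "
              f"per_day={daily_volume(SAMPLE_ALERTS, rules, DAYS_COVERED):.1f} "
              f"signal={overall_ratio(SAMPLE_ALERTS, rules):.3f} "
              f"under_100={within_daily_budget(SAMPLE_ALERTS, rules, DAYS_COVERED)}")
```

The threshold and the 100-a-day budget are knobs; the point is that the selection starts from the enumerated risks, and a rule that covers none of them never enters the candidate set no matter how "standard" it is.  Rules that do map to a risk but drown in false positives show up immediately in `per_rule_stats` as tuning work rather than as noise to be tolerated.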

Monday, November 17, 2014

Security Operations: What is Your Signal-to-Noise Ratio?

Alert fatigue is an issue plaguing even the most mature security organizations these days.  Even the best organizations struggle with a deluge of alerts and an overwhelming number of false positives.  There is a relatively high level of awareness around this issue, but what can be done to alleviate alert fatigue?  I discuss this topic in my latest SecurityWeek piece entitled "Security Operations: What is Your Signal-to-Noise Ratio?": http://www.securityweek.com/security-operations-what-your-signal-noise-ratio.

Wednesday, November 12, 2014

On Being Constructive

Sometimes I think that the security community has forgotten the concept of being constructive.  It seems that criticism and snarkiness lurk nearly everywhere I turn, but sadly, constructive dialogue is often rare.  Further, the demeanor of our discourse is often unpleasant at best.  You might ask: If that is the personality of many in the security community, what is the issue with this?

The issue with this would seem to be that we are not getting our message across to a world that desperately needs to internalize it.  The end result of our demeanor is that many people and organizations that are in need of a dialogue with the security community simply tune us out.  Who wants the headache of dealing with a bunch of cynical, negative curmudgeons?

Although there is no silver bullet that will cause the world to pay attention to the security community, I believe that a move to a more constructive approach would help.  I see a lot of activity around criticizing ideas, and sometimes, unfortunately, attacking or ridiculing people and organizations.  Might I humbly suggest that the world has little patience for this?

I am not advocating that we cease thinking critically about the many important issues confronting the security community.  Quite the contrary.  In my experience, constructive approaches to address the issues we are passionate about are far more effective.  After all, most people are happy to be educated about a variety of issues.  But if we have only a stream of negativity and no constructive alternative to offer them, what can they really take away from the exchange of ideas?

Over the years I have seen that, in practice, the best response to an idea, a policy, a practice, an approach, or anything else that doesn’t sit right with us is a constructive alternative.  There is no need to tear down that which we take issue with.  If our alternative is good, and if we are able to adequately communicate its value, it will stand on its own.

The next time you want to take the road less traveled, it may be helpful to think about this point.  Which style do you think will be more effective for you and produce the results you are after?  To attack that which you disagree with, or to eloquently communicate a constructive alternative?

As an added bonus, this principle works well in life in general.  It is a principle that can be applied broadly, well beyond the borders of information security.  It’s not naive to be positive and an optimist.  It’s really the only way forward.

Monday, November 3, 2014

How to use metrics for better information security

Following onto my piece discussing the concept of relative metrics in SecurityWeek last week, my piece in The Business Journals entitled "How to use metrics for better information security" was published today.  In this piece, I continue my series in The Business Journals geared towards small and medium-sized businesses (SMBs).  Have a look at this piece if the topic of metrics interests you: http://www.bizjournals.com/bizjournals/how-to/technology/2014/11/how-to-use-metrics-for-better-information-security.html.