Wednesday, December 23, 2015

How can we think about the security implications of IoT?

There is much buzz about the Internet of Things (IoT) these days.  But in what framework might it make sense to think about the security implications of IoT?  I'm sure there are likely many answers to that question, but I have included a few of my own thoughts in my latest piece in The Business Journals:

Thursday, December 10, 2015

Awareness is Old News: Make 2016 The Year of Solutions

If you're like me, you get tired of hearing people sound the "cyber" alarm.  I think we're all pretty much aware that there are a number of issues and challenges we face as a security community.  Shouldn't the discussion be about what we can do to solve problems and address some of the issues and challenges we face?  My latest piece in SecurityWeek discusses:

Wednesday, December 9, 2015

Learning to Tell Security Stories: Better Context For Better Decision Making

My latest post on the FireEye blog is up: The post discusses the idea of telling better stories to ultimately lead to better decision making.  I think you'll find it interesting, and I do hope you enjoy.

Monday, December 7, 2015

Playing It Straight: Building A Risk-Based Approach To InfoSec

What can a crooked haircut teach us about framing the discussion about organizational security goals and strategies?  I discuss this topic in my latest DarkReading piece:  Hope you enjoy the piece.

Wednesday, November 25, 2015

Building a Narrative-Driven Security Model

Those who know me well know I'm passionate about the concept of a narrative-driven model for security.  But how does one go about building one and moving an organization from an alert-driven model for security to a narrative-driven one?  I discuss this topic in my latest SecurityWeek piece:  I think you'll enjoy.

Tuesday, November 10, 2015

The Most Important Thing About A Decision

What is the most important thing about a decision? I share my thoughts in my latest SecurityWeek piece:  Hope you enjoy.

Thursday, November 5, 2015

Mature and Unconfident

Incompetence and over-confidence is a deadly combination.  And not just when it comes to employees.  Organizations can also fall prey to this.  What do I mean by that?  Have a look at my latest DarkReading piece for a more in-depth discussion:

Wednesday, October 28, 2015

User-Based Use Cases

What are some use cases for a user-based approach to information security?  I've explored some in my most recent piece in The Business Journals:  Hope you enjoy!

Wednesday, October 21, 2015

See Security From The User Perspective

The technology experience is a user-centric one.  Given that, why do security professionals take a system-centric approach?  I've always wondered.  I discuss this topic in my latest SecurityWeek piece entitled "See Security From The User Perspective":  Hope you enjoy.

Thursday, October 15, 2015

An Atypical Approach To DNS

DNS logging is extremely important for security operations and incident response.  So much so that organizations that don't log DNS are typically quite sorry they don't when crunch time comes.  On the other hand, implementing dedicated DNS logging infrastructure can increase cost and complexity.  Is there a better way?  I think so.  My latest piece in DarkReading explains:  Hope you enjoy.

Wednesday, September 30, 2015

What Does Security Mean to the "Unwashed Masses"?

Curious what I could possibly be getting at with this piece?  Have a look at my latest in SecurityWeek:  Hope you are able to take something away from it.

Friday, September 18, 2015

7 ways to deal with insider threat

While not exhaustive, I've written down some ideas to help small and medium-sized businesses (SMBs) mitigate the risk posed by insider threat.  My latest piece in The Business Journals discusses this interesting, but challenging topic:  Hope you enjoy this piece and find it helpful.

Tuesday, September 15, 2015

Information Security Lessons From Literature

What can literature teach us about information security?  I would argue quite a bit.  Curious what I mean?  Have a look at my latest piece in DarkReading:  Hope you enjoy!

Thursday, September 10, 2015

The Security Operations Hierarchy of Needs

I am often asked a number of different questions by organizations that are just beginning their security maturity journey.  Some of the most common questions include:  Where do I begin?  How do I know what to prioritize?  How can I build a strong foundation of security fundamentals?  In what order should I add or improve capabilities?

These are all very good questions, and I tried to answer them, along with other questions, in my most recent SecurityWeek piece.  The piece is entitled "The Security Operations Hierarchy of Needs":  While the length of the piece does not permit an in-depth discussion of all the points, I believe the piece does provide some helpful guidance for those searching for it.  Hope you enjoy.

Tuesday, August 25, 2015

We're Looking at Information Sharing The Wrong Way

We're looking at information sharing the wrong way.  Sound radical?  Curious what I mean by this statement?  Have a look at my latest piece in SecurityWeek:  After you read it, you might just agree with me.

Thursday, August 20, 2015

Endpoints come in all shapes and sizes

The concept of a security perimeter begins to break down in the modern business environment.  Nowhere is the pain felt more acutely than on the endpoint.  What are some things to consider when looking to protect endpoints of any persuasion in the current environment?  My thoughts in my latest piece in The Business Journals:

Tuesday, August 11, 2015

Detection May Not Be What You Think It Is

Sometimes, I hear the concept of detection criticized.  More often than not, it's not clear to me that the person or organization doing the criticizing actually understands what detection is really all about.  There are no silver bullets in security, but the concept and practice of detection are an important part of a holistic and well-rounded approach to risk management.  I explain my perspective in my latest SecurityWeek piece:  Hope you enjoy.

Monday, August 10, 2015

Data Visibility: A Matter of Perspective

What can the dentist teach us about visibility?  Quite a bit, actually.  Curious what on earth I could possibly be referring to?  Have a look at my latest piece in DarkReading:  I discuss the topic of visibility and how more angles and perspectives are better than just one or a few.  Hope you enjoy!

Thursday, July 23, 2015

Have Our Security Rock Stars Failed Us?

Am I alone in expecting more from our security rock stars?  Curious what I am referring to?  Have a look at my latest piece in SecurityWeek:

Tuesday, July 21, 2015

Detection: A Balanced Approach For Mitigating Risk

The "Detection vs. Prevention" debate rages on in the security world.  In my latest piece in DarkReading, I argue that neither one is a silver bullet, that a quality security program requires a balance between prevention and detection, and that the debate should really be about mitigating risk.  Curious what I mean?  Have a look:

Friday, July 17, 2015

Security is a global problem, right?

I'm sure we're all aware that security is a global problem.  But why is global action so important?  My thoughts in my latest piece in The Business Journals:  Hope you enjoy.

Thursday, July 9, 2015

Too Busy For Round Wheels

Ever stop to wonder why life in the SOC seems to be so hectic?  I'm sure there are many reasons why this is the case.  I've included some thoughts on the topic in my latest SecurityWeek piece:  Hope you enjoy the piece.

Wednesday, June 24, 2015

To The Cloud! What do we have to lose?

The cloud is an oft-discussed topic these days.  But beyond the hype and buzz, what are the ramifications of a move to the cloud for security operations and incident response?  I share my thoughts on the topic in my latest SecurityWeek piece:

Sunday, June 21, 2015

Why encryption can't replace security operations

But isn't encryption enough?  No way.  Curious why?  Have a look at my latest piece in The Business Journals:  Hope you enjoy the read.

Thursday, June 11, 2015

Isn't retention as important as recruiting?

In my experience, retention is equally as important as, and perhaps more important than, recruiting.  Given that, why do so many organizations struggle to retain talented security analysts?  My thoughts in my latest SecurityWeek piece:  Hope you enjoy, and more importantly, hope you can take something of value with you away from the article.

Tuesday, June 9, 2015

Security Metrics: It's All Relative

What can a haircut teach us about communicating security value to executives and non-security professionals?  I discuss this question in my latest piece in DarkReading:  Wondering what one thing has to do with the other?  Have a look at the piece.  Hope you enjoy!

Wednesday, May 27, 2015

Stay Out of the Tunnel to Minimize Risk

The temptation to enter the tunnel can be almost insurmountable.  But in the long term, it is much more advantageous to remain strategically focused on improving the organization's overall security posture.  Curious what I'm referring to?  Have a look at my latest piece in SecurityWeek:

Wednesday, May 13, 2015

Taking A Security Program From Zero To Hero

How does one take a security program from zero to hero?  It is certainly not an overnight process, but it is an attainable goal.  My latest piece in DarkReading discusses this topic:  Hope you enjoy!

Friday, May 8, 2015

Alert fatigue: 6 steps for dealing with constant alerts

Alert fatigue is an almost universal challenge that affects nearly every aspect of a security program.  I am often asked about how organizations can overcome alert fatigue.  My thoughts on this important topic in The Business Journals:  Hope you enjoy this piece and find it useful.

Tuesday, May 5, 2015

Security Solutions: Build or Buy?

The "Build or Buy" question is not a new one, but is it even the right question to be asking?  In my opinion, no, it is not.  Sound like a radical statement?  Take a look at my latest piece in SecurityWeek to see for yourself:  Hope this latest piece provides good food for thought and encourages a healthy discussion.

Wednesday, April 15, 2015

Setting Security Professionals Up For Success

How can we improve our security programs by better enabling security professionals to be successful?  It's a complex topic of course, but I provide some thoughts in my latest DarkReading piece:  Hope you enjoy.

Tuesday, April 14, 2015

Avoiding Tree Rings

What do tree rings have to do with information security?  I discuss that very question in my latest SecurityWeek piece entitled "Avoiding Tree Rings: Why a Security Organization Must Never Stop Growing":  I hope you are curious enough to read the piece, and that you enjoy it.

Tuesday, March 31, 2015

5 strategies for overcoming the information security skills gap

It's no secret that there is a large skills gap in information security.  How can an organization overcome that gap?  I share my thoughts on this important topic in The Business Journals:

Thursday, March 26, 2015

Risk-Driven Security: The Approach to Keep Pace With Advanced Threats

Intelligence-driven security or risk-driven security?  What say you?  I shared my thoughts on the topic in my latest SecurityWeek piece:  Interested in hearing your thoughts on the topic.

Monday, March 23, 2015

Context: Finding The Story Inside Your Security Operations Program

The first of what I hope will be a regular series of DarkReading pieces was published today:  In the piece, I discuss the importance of context and of building a narrative to better facilitate security operations.  This is a topic that is missing from the security operations dialogue in my opinion.  Hope you enjoy the piece, and that it provokes thought and dialogue.

Tuesday, March 17, 2015

Your guide to finding good IT security talent

Information security is a career field full of many challenges.  One of the greatest strategic challenges most organizations face is finding qualified information security talent.  This is partially due to a shortage of qualified and experienced labor, but also partially due to the difficulty in assessing candidates during the interview process.  My thoughts on this topic in my latest piece in The Business Journals:  Hope you enjoy.

Wednesday, March 11, 2015

Don't Forget the Rest of the World

I've always found it interesting how in a global company, the security program can be overwhelmingly focused on the home geography of the company.  It's important to remember the rest of the world, especially in security operations:  I hope you enjoy this piece and find it helpful.

Monday, March 9, 2015

Videos of the Narrative-Driven Model

People often ask me to elaborate on the topic I am the most passionate about: "Security Operations: Moving to a Narrative-Driven Model".  Of course, there is my piece in SecurityWeek on the topic, but that merely scratches the surface of a deep topic.  I am always more than happy to discuss the topic at length, but there are also a few recordings of talks I've given on the topic that are available.  Each of the talks targets a different audience, and as such, they vary in length and technical depth.

Video of my talk on "Security Operations: Moving to a Narrative-Driven Model" at the 4th Annual Cyber Security Conference, Tel Aviv, Israel, September, 2014:

Video of my talk on "Security Operations: Moving to a Narrative-Driven Model" at DeepSec 2014, Vienna, Austria, November, 2014:

Video of my talk on "Security Operations: Moving to a Narrative-Driven Model" to the CU Boulder Master of Infosec Colloquium, Boulder, CO, USA, March, 2015:

I hope that the videos do justice to what I consider to be an important concept for the future of security operations.

Tuesday, March 3, 2015

Good Things Come in Small Packages

Recently, during a discussion on Twitter, Richard Bejtlich asked me to blog about my experiences working with the Estonian Cyber Defence League (Eesti Küberkaitseliit).  I visited them for a week back in 2009, and I was quite impressed with what I saw then.  I have no doubt that they have made great progress in the six years since.

The lesson I would take from my time in Estonia is that good things come in small packages.  Small, technologically advanced countries enjoy a few advantages in information security.  Here are just a few of them:

Being Nimble: Information security moves at a relentlessly torrid pace.  The threat landscape changes constantly.  A hulking bureaucracy has no chance.  A nation that is small, while having fewer resources, can also be quite agile and use those resources more efficiently.

Recruiting: Small countries generally have small information security communities.  And within these communities, everyone usually knows everyone — or at least everyone worth knowing.  This can lend a huge advantage to recruiting efforts for a Cyber Defence League.  It reduces the time and expense of finding the right people, as well as the risk of making the wrong call in recruiting.

Training and Education: Small countries generally have much more centralized education systems at all educational levels.  This lends itself well to both influencing curriculum, as well as to identifying talent.  Facing a shortage of skilled information security professionals?  Grow them organically.  This is much easier done in a small country than a large one.

Visibility: Before a given asset can be protected, we have to know where it is. Because smaller countries have fewer assets in general, it is much easier to keep track of them.  Want to protect all of the electrical substations or network ingress/egress points in a small country?  Probably doable.  In a large country?  Good luck finding all that stuff.

Humility: Small countries generally understand that they cannot go it alone.  As such, they are much more likely to learn from others and work collaboratively as part of the larger information security community.  They are also much less likely to have a “not invented here” syndrome.  This comes in quite handy when building and operating a Cyber Defence League faced with the tall order of protecting the nation’s critical infrastructure.

Implementing Changes: In a small country, once a decision has been made to implement a change, it is generally much easier to do so.  There is simply less bureaucracy, friction, and inertia to overcome.  That can make it much easier to bring about meaningful change within a realistic amount of time.

These are just a few of the many reasons good things come in small packages.  Although larger countries have more resources than smaller countries, they can learn a lot from their smaller counterparts.  Something to think about if you are involved in cyber defense in your home country, wherever that may be.

Tuesday, February 24, 2015

The House Always Wins

Why is it that all we ever hear from security organizations is good news, yet problems and challenges still persist within those same organizations?  It's the same reason we hear all about Las Vegas wins, yet the casinos stay in business.  Curious what I'm getting at?  Have a look at my latest piece in SecurityWeek entitled "The House Always Wins":

Thursday, February 19, 2015

Penny-Wise, Pound-Foolish

It often amazes me how many people don't understand the value in building and maintaining long-term relationships built on trust.  To some people, if there is a dollar to be made in the moment, or a favor to be extracted at the current time, that trumps all.  Of course, behaving this way erodes trust and sacrifices any chance of an enduring relationship.  It's a penny-wise, pound-foolish way to behave.

In the information security realm, this is all the more true.  Most of us spend years building and maintaining long-term relationships because we understand that the information security community is built on trust.  It can often be tempting to sacrifice this trust for a short-term monetary return or a favor.  But, in the long run, this is a foolish way to behave.  After all, at the end of the day, our relationships and our reputations are essentially our careers.

As the old saying goes: Fool me once, shame on you; fool me twice, shame on me.  There is much truth in this.  We all know what happens when someone optimizes for the short term.  The next time that person calls, no one answers the phone.  We are all human, and we all err from time to time.  When we err in this manner, we should own up to it when called on it.  Believe it or not, that actually helps restore trust.  Certainly more so than dancing around the truth or trying to distract those who are questioning us.  That seldom fools anyone, despite how politely they may behave in reaction to these tactics.

The information security community is close and tight-knit.  None of us can afford to have no one answer the phone the next time it rings.  It pays to think about that the next time we consider substituting short-term gain for long-term trust.  It's penny-wise, pound-foolish.

Tuesday, February 17, 2015

5 ways cyber threat intelligence can improve your security

My latest piece in The Business Journals entitled "5 ways cyber threat intelligence can improve your security" is out.  Threat intelligence is a hot topic these days, but how can organizations wade through the hype and into the intelligence sea?  How can we make order out of the chaos?  My thoughts in this latest piece:  Hope you enjoy.

Wednesday, February 11, 2015

Complexity is the Enemy of Security

I'm sure we've all heard the sound bite "complexity is the enemy of security" from time to time.  It's a popular, attention-grabbing phrase, but what can we learn from it?  My thoughts on the topic in my latest SecurityWeek piece:  After all, the point of any sound bite should be to stimulate thought, discussion, and ideas, right?

Why is timely detection and response so difficult?

Why is timely detection and response so difficult?  People often ask me that question, so I put down my thoughts in this piece in IT Security Guru:  Timely detection and response is indeed a big challenge confronting organizations.  The good news is that there are practical, applicable steps that can be taken to improve the status quo.  I hope you agree and find tidbits you can leverage operationally.

Friday, February 6, 2015

Caveat Emptor

Although I'm not a Latin speaker, I am quite aware of the phrase "caveat emptor".  This phrase is most often translated as "let the buyer beware".  There are many contexts in which this phrase is appropriate, most notably when discussing contracts or legally binding agreements.  Unfortunately, I would argue that the phrase is becoming increasingly important in the field of information security.  What do I mean by this?  Allow me to explain.

I was fortunate enough to be invited to speak at a conference earlier this week.  Before my talk, I introduced myself briefly, as I typically do.  This particular time, it was a new crowd for me, and I did not know many people.  I was a stranger to them.  As I listened to some of the other talks, something dawned on me, and the idea of caveat emptor crossed my mind repeatedly.

When I introduce myself or talk about my background and experiences, I do so honestly.  People who know me and have worked with me in the past will vouch for that.  However, as we all know, not all people present themselves in the same manner.  In fact, one speaker's introduction sounded nearly identical to mine.  What was the issue?  I have come across this individual in the past, and although I do indeed have the experience and skills I say I do, this particular individual does not possess that same experience and those same skills.  Surely, we have all worked with or crossed paths with individuals like this in the past.  Where there's smoke, there's fire - except when there's not.

What's interesting to me is not necessarily that some people choose to embellish or blatantly falsify their backgrounds.  What's more interesting to me are two points: a) the rate at which these individuals seem to be appearing in the information security space and b) how hard they make life for the rest of us.

Regarding point a, this is perhaps not surprising.  Information security is now a hot field.  Whereas ten years ago, we were the obscure, quiet geeks in the corner, today, we are en vogue.  With the amount of money being thrown around in our domain of expertise, it's not surprising that there are suddenly countless new "experts" coming out of the woodwork.

Of course, with all these new "experts", it makes life that much more difficult for the rest of us.  I realized something very important when this particular speaker introduced himself.  To the crowd of strangers we both addressed, we are the same.  I'm not sure they can differentiate between who is real and who is not real.  At first, you may have an adverse reaction to this statement, but it is an important point.  Perception is reality.  This is unfortunate, and this is where the caveat emptor point comes in.

If you have ever been in or spoken with someone in a leadership position within an enterprise, you know that all day, every day, "experts" hound them.  After a while, all the buzzwords and marketing lingo begin to sound the same.  It makes it tough for both the enterprises, who very much need effective help (rather than ineffective or incompetent help), as well as the true information security professionals who are too busy working and solving problems to self-promote and shout above everyone else.

So what can we as a community do?  We can provide honest, truthful references and feedback.  We can vet people and companies we speak to.  We can seek out other opinions.  I fear that the days of taking what someone says at face value are slipping away from what was once a very tight and close-knit community.  It makes sense to vet.  Take care of the good information security professionals you know - they need it.  We have entered the days of caveat emptor.

Friday, January 30, 2015

How to hire a top security employee

It likely comes as no surprise that people are an extremely important part of the people, process, and technology triad.  In the information security realm, finding the right people is certainly not easy for a number of different reasons.  How can organizations properly vet and assess candidates for security positions to ensure they do not make critical and costly hiring mistakes?  My thoughts on the topic in my latest piece in The Business Journals:

Tuesday, January 27, 2015

It's Okay to Fail

This may sound radical, but I would argue that we as a security community don't fail enough.  Or rather, that we aren't failing in the right way often enough.  Interested in understanding what I mean? Have a look at my latest SecurityWeek piece entitled "It's Okay to Fail":  Hope you enjoy.

Tuesday, January 13, 2015

Collection and Analysis: Two Sides to the Coin

While many individuals and organizations focus on collection of relevant data for security operations, fewer focus on the analytical component of the equation.  Curious what I mean?  Have a look at my latest piece in SecurityWeek:

Monday, January 12, 2015

If I had a hammer: Security technology is a tool, not a solution in itself

We would never expect a hammer, some nails, and a pile of wood to magically build itself into a bird house.  So why do we sometimes expect our security technologies to magically build themselves into solutions to our security problems?  Technology is, first and foremost, a tool to be used in conjunction with intelligence and expertise.  Only then can we approach a solution.  My thoughts on this topic in my latest in The Business Journals: