Thursday, December 17, 2015

My Christmas Wish List

Dear Santa:

Yes, it's me again.  I know, I know...it's been many years since I've written to you, and I'm probably older than the typical demographic you're used to hearing from.  Still, I felt it was past time that I reached out to you again.  As a security professional my job requires a goodly amount of optimism and positivity -- these are essentials when you stand in the gap and fend off the bad nasties in the world -- so I remain hopeful that you might see fit to grant me a Christmas wish or two.

My list is short, and I know you're busy...so here goes:

  • For the team of consummate security professionals that I work with now and have worked with over the years, I wish for them at least one week's worth of uninterrupted sleep.  These are some of the finest sheepdogs (a la the Dave Grossman definition) that I've had the privilege of serving with;  they deserve some worry-free rest from the fight, if only for a moment.
  • For the spouses of every security professional that I know (including mine), I wish for them a refilling/replenishing of that seemingly endless font of patience and understanding that they continuously display.  It is said that the wives of Spartans are the secret pillars which hold up the world;  the significant others of security professionals prove this day-in and day-out as meals are interrupted, special dates are missed, and date nights are cancelled in our quest to keep the dragons at bay in the organizations that we are charged with protecting.  May they never lose their love of -- or patience with -- us as we continue to stand in the gap.
  • For my son and those of his generation, I wish for a vigorous, pointed, and decidedly uncomfortable discussion on the true concept and meaning of privacy in 2016. While accepting that the definition (and expectation) of that term is evolving, the impacts of big data, data analytics, and the internet of things on the "Minority Report Generation" are only beginning to be felt and understood.  If nothing else, I believe an acceleration and increase in the discourse is long overdue.

I think that's it, Santa.  If you could fi-

...wait, what's that?  What about ME?  Oh, sorry about that.  Truth is, though, I don't have a special wish I'd ask for you to fulfill for me.  Other than the same thing I wish for every single day...

..."just enough strength to stand in the gap tomorrow."

Blessings to all this holiday season.  Namaste...

Sunday, September 27, 2015

Speaking the "Language of Security"

Recently, I've come across a spate of articles discussing the need for security professionals to "speak the language of the business."  This phrase has been used often to describe the underlying reason that CSOs and CISOs are not considered strategic partners to the business leadership (Taylor Armerding's recent article in CSO summarizes the situation rather nicely).  Sure, we can all do better at dumping the professional technical jargon (and this has gotten much better over the past decade); but even as we summarize risk tradeoffs in plain English, we Warriors of the Light are still met with this biting (and trite) criticism regarding our inability to communicate with our most important constituent.  When I've asked senior business professionals what "the language of the business" means to them, I've gotten inconsistent, nebulous answers.  The best answer I received regarding this topic came from a former CEO who came up through the finance ranks. "The answer is dollars," he said to me. "Until you can tell me with absolute certainty what not patching that system will cost me in dollars, or what the absolute risk in dollars will be of not giving you a new tool or another body, I will always question the truth of your calculus." This calculus makes us slightly different from our IT brethren, who can link their costs more directly to revenue via availability and/or new business.


A hard truth, to be sure. Our profession will continue to struggle against this perspective. This truth will become harder still as the scrutiny of senior leaders and even the Board of Directors increases around security issues due to external regulatory and consumer pressures. Yes, we security professionals still own the bulk of the communication challenge…


…but we do not own it alone.


While I applaud, support, and participate in the efforts of the security community to bridge the communications gap -- and let's be clear, it is our gap to bridge -- it's time to address the other side of this equation: the business itself. Communication, by definition, is two-way. While it's incumbent upon me to learn the language of the environment in which I operate, it is equally important for our business brethren to understand and appreciate some of the equally hard truths that exist within security's operating space.


Here are some hard truths that security professionals would like business leaders to understand:


  1. I Don't Want to Be Your Top Priority. I recently heard a former storied CEO and current board member of several prominent tech companies say, "I want to know enough about security to know that we are okay, so I can go on to the next marketing problem." Frankly, I feel this attitude and approach is healthy. He hired a CSO to take security off his mind. If that CSO does his job correctly, the CEO's concerns will fade considerably. There are, however, some upfront costs to that approach. The CEO and CSO need to work together to decide how to depict data in a manner which resonates with his concerns. My tools and processes can measure dozens of data sets, but what is truly the best way to show the amount of work it's going to take to defend the network?  Or the daily normalcy of attacks that occur (and our success rates against them)? As your security professional, I will work hard to determine the correct metrics to depict an appropriate understanding of the landscape, as well as a holistic picture of our security posture…but this will take some trial-and-error and some back-and-forth between us. Be willing to make the time for that collaborative discussion, as I am truly terrible at mind reading.  Just ask my wife.


  2. While I Don't Need You To Agree With Me, I Do Need You to Listen To What I Have To Say.  Contrary to anecdotal opinion, I'm not an alarmist. The sky is not falling, nor are the evil hacker hordes storming the gates RIGHT NOW. If I express a concern about a business practice or operational decision, don't dismiss me as a paranoid zealot who sees disaster around every corner. Just like business leaders, security professionals hone their craft over the course of many years. Our understanding of risk issues is as valid as a business leader's understanding of market opportunities. Give us the courtesy of your focus when we express a concern, even when we can't necessarily present data analytics. Be aware that sometimes empirical data only becomes clear in the aftermath of an event, versus being a predictive indicator.


  3. Compliance is Not the Same Thing as Security. Too often businesses hire security professionals either (a) in the wake of a breach; (b) to stay ahead of regulatory demands; or (c) to appear 'focused' on security challenges due to external pressures. Nothing wrong with these incentives in the slightest, but the mindset of the business in these situations tends to be focused on staying ahead of regulatory/compliance issues versus addressing security needs. Actions which address truly securing the environment but which aren't explicitly stated as a regulatory requirement are seen as excessive or needless. We still run up against this quite a bit in companies seeking to meet PCI-DSS requirements; many businesses clearly see the need for a control applied against their credit card data, yet struggle to see the need for similar controls against the petabytes of non-anonymized personal data within their environments. Businesses should be honest with themselves and transparent with their security professionals: if what you're looking for is just compliance, tell us. It'll keep us from banging our heads against the wall as we attempt to bring secure solutions to your enterprise.


  4. Stop Asking Us "Are We Secure?" The security professional defines "security" as freedom from risk. No matter how good s/he may be, as long as its doors are open for business a company will never achieve a zero-risk state; stop expecting me to tell you that you will. This also applies to operational objectives such as "never being breached" or "zero operational impacts due to security events;" even if you gave me every dollar I requested in my budget, I could never guarantee you such absolute success. Now, asking me if our controls are up and running or how our controls/performance compares to others in our business vertical is fair and reasonable (though the latter may be hard to determine due to a lack of information sharing about security issues).


  5. Let's Make Tradeoffs Together. The security professional's job is rooted in the principles of risk management. This means making hard choices regarding risk versus return. While we're comfortable with this, some circumstances do and will require additional resources in order to keep the risk at its current level. The business, not the security professional, makes the ultimate decision either to (a) reallocate resources, or (b) accept the risk. This is an important point to emphasize, because security professionals are facing multiple challenges in this area.


At the end of the day, the function of a business is to make money. Business leaders can be reluctant to acknowledge an increase in security risk, since risk mitigation may be costly and blame can be the market's first reaction in the event of an incident. Security professionals do understand the risk tradeoffs, and accept them as part of growing a profitable business. We need open, honest dialogue with you regarding risk tradeoffs.


  6. I Will Support & Defend the Business, Regardless of the Decision You Make. Once I've been heard and we've discussed tradeoffs, I will support your decision and execute it to the best of my ability. Your decision to accept additional risk does not give me a free pass to let bad things happen in the environment. A security professional will always fight to keep the evil hacker hordes from storming the gates, regardless of the risk decisions made. Period.


While the bulk of the communication burden rests with the security professional, I believe business leaders also have a responsibility to come to the table ready for an honest, open dialogue. Not wishing to burden the company with costs not associated with direct revenue benefit is not a sufficient reason to avoid the expertise and knowledge your CSO brings to any discussion. Give him a listen - he might just surprise you.


My two cents…

Monday, August 17, 2015

One CEO's View on a Point-of-Sale Breach

In 2012, Penn Station Subs became a victim of one of the earliest reported point of sale (POS) compromises.  Their CEO and leadership team took what were then considered to be drastic measures to remediate the situation and prevent reoccurrence of the situation.  Three years later, the Penn Station CEO (Craig Dunaway) has sat down to discuss his actions and his approach to the situation.  While fellow Warriors of the Light may find very few surprises in this interview, it is useful to hear the perspective and thought processes of a chief executive around what could have been a potentially devastating situation for the franchise.  You can find a link to the interview here -- and you might want to consider sharing this link with the executives in your own organization.

Enjoy!

Tuesday, June 23, 2015

Fitbit Data Helps Disprove Rape Claim

I know, I know...not the typical headline you expect to see on a security topics blog.  Bear with me for a bit, though...

Last March a woman named Jeannine Risley called 9-1-1 alleging that a man in his 30s had broken into the place she was staying, woke her, and raped her.  Police found overturned furniture, a vodka bottle, and a knife on the scene when they responded.  Still, something didn't seem right about the story (example: there was fresh snow on the ground and there were no footprints in the snow leading to the house) so they kept investigating.  As part of the investigation, police requested that Mrs. Risley provide them the Fitbit device that she was wearing so that they could analyze the data.  Sure enough, the Fitbit data proved that Mrs. Risley was awake and walking around during the period where she claimed to be asleep.  This, combined with other evidence, provided sufficient cause to charge Mrs. Risley with several misdemeanor offenses.

As one might imagine, it is the use of Fitbit data that has propelled this matter to the national stage.  As those in our profession have stated far too often, once individuals place data "out there" it is nigh impossible to restrict its use.  Mrs. Risley willingly wore a device designed to track and record her activity; it should not be surprising to anyone that that same data could be used to prove or disprove the commission of an unlawful act. While it's doubtful that this one case will spark a substantive ripple in the push for wearable technologies or an expansion of the Internet of Things, we might finally begin to see some chatter outside of our own professional circles about the privacy and legal implications of an uber-networked society -- to include protecting the data collected from unauthorized alteration.

My two cents.  Click here for a quick link to the original story.

Monday, June 8, 2015

Security IPB

For the past 6 weeks I have been listening to the rumbles and fallout of the RSA conference…
 
…no, that’s not quite correct. It’s not been the fallout from the conference itself, but of the gauntlet thrown by RSA’s new president, Amit Yoran.
 
In his keynote address, Amit called out the security industry for its “dark ages” approach to the problem of security, laying out 5 tenets for navigating the terrain of today's new security battlefield. While I was not in attendance at RSA this year (San Francisco for a conference or the Caribbean for my wife's birthday? Hmm…), I read both the RSA press release and a transcript of the address in the days after the event.
 
I am wholeheartedly supportive of Amit’s overall message regarding the need for both the security industry and the security profession to adjust their thinking regarding the problem and the fight. Should we fail to make such an adjustment, we will continue to be viewed as an obstacle to success, an impediment to revenue…and, should we continue to fail in our perceived mission, we risk being viewed as an ineffective drag on profitability. That being said, as the profession reaches to pick up the gauntlet that Mr. Yoran has thrown, it is important to understand the full context of the battlefield on which we fight. Amit pulls upon his experience as a West Point graduate and former military officer. As another graduate and former military officer, allow me to continue the analogy by doing some old-fashioned “intelligence preparation of the battlefield (IPB)” and take a deeper look at some of the battlefield conditions we face daily.
 
1. We need to preach to the masses, not to the choir.  “Let’s stop believing that even advanced protections work. No matter how high or smart the walls, focused adversaries will find a way over, under, around, and through.” My first thought when I read this statement was, “Preach it, brotha!” Every board member and every executive I meet when I take a new job wants to know that they are “safe.” I spend much of my time during the first 30 days of any new gig reminding executives that as long as they are open for business they will never be completely invulnerable. My next thought around this point, though, was to hope that members of the security industry (those professionals who create and market the wonderful tools, technologies, and services we all use) and not just the security profession (in-house personnel currently working to protect an organization’s resources) heard what Amit was saying. While it remains true that any professional who thinks they can make an enterprise invulnerable needs a wake-up call, it is equally true that members of the security industry also need to stop making promises of nirvana and panacea -- and not just to us, but to those around us who can influence purchasing. How many of us continue to have to address the CFO, CIO, or CEO who “just talked to XYZ Vendor and they said we can’t be compliant/secure/grow hair/stop global warming without their product?” Indeed, as C-level security professionals are increasingly weaving a story of managed risk and potential vulnerability, the security industry has begun to find points of entry into the enterprise that do not involve us. Amit alludes to such promises being made during his address, but this point should not be glossed over, as it is a contributor to some of the challenges we face daily whilst attempting to secure the enterprise.
 
2. There is a cost associated with visibility – and that cost exists outside of the security budget.  Amit advocates “a deep and pervasive level of true visibility everywhere -- from the endpoint to the network to the cloud.”  He goes on to describe true visibility as including things such as full packet capture; endpoint compromise assessment visibility; and a detailed understanding of which systems are communicating with which, and what’s being communicated. Many security professionals are faced with the ever-present quandary of obtaining complete, detailed, and accurate data flow diagrams within older, multi-faceted enterprises. In many cases (except in heavily regulated spaces), these diagrams do not exist until security personnel ask for them -- and when provided, their accuracy levels tend to be suspect. Further, assuming the data flows exist, the level of potential increase in bandwidth and horsepower on the network and the systems themselves in order to provide “true visibility” may be punitive and/or force systems upgrades and unexpected costs within the IT organization. (Think I’m kidding? How many of you reading this article have been told that “turning auditing on for <insert system here> will kill the server/bog down the application/consume too much bandwidth?”)
 
3. You can’t ignore the rest of the I-AAA equation.  Amit rightfully discusses the importance of Identity and Access “[i]n a world with no perimeter and fewer security anchor points.”  Let us remember, though, that there are two other A’s to the I-AAA equation and at least one of them is of equally (if not more) critical importance in the current terrain: Authorization. Pop quiz, everyone: raise your hand if you can, with 100% certainty, guarantee that you know exactly the privileges and roles for absolutely every system and person in your organization AND that they are 100% complete, accurate, and appropriate. I'm not talking about the quarterly signoffs that organizations do in lieu of the in-depth visibility that Amit is referring to, but rather a detailed role mining and mapping of every system and every application in the enterprise to a meticulous level of detail that ensures entitlements are tight and accurate.
 
Most mature enterprises struggle with I-AAA over time. Unless the organization has either (a) taken the opportunity to maintain entitlement and role accuracy throughout its life cycle, or (b) invested the time (and not insignificant dollars) to do the detailed analysis and mapping, the result is a level of blindness to entitlements which is a (if not the) major contributor to security professionals maintaining a border-centric outlook. If I don’t know who you are and/or whether where you are allowed to go is appropriate, then the easiest solution is to build a wall and limit the entries/egresses to the castle. Cleaning up the authorization problem requires a level of (expensive) buy-in from IT and the organization as a whole. Many organizations do not see the criticality of such an expense yet still wish for the flexibility of a borderless environment…placing the security professional in the awkward position of appearing to be a Luddite and an inhibitor to the business or weakening (if not eliminating) the ROI associated with borderless cloud-based operations.
 
4. Asset categorization, to be useful, requires a depth of understanding of the enterprise and data flows. In most organizations, at least part of the assets considered to be critical and/or high value would be data. Strongpointing your defenses around critical assets which house the data is a good start…but it also means controlling who has access to that data and the systems which communicate to/from that critical asset. In other words, in order to effectively accomplish Point 5 of Amit’s 5-point plan, Points 2 (deep visibility) & 3 (strong identity & access) need to be accomplished first.  Again, these objectives will require buy in and expense outside of security’s bailiwick in order to succeed.
 
Amit Yoran’s call to arms is one that is timely, accurate, and well needed…as far as it goes. Yes, security professionals need to look at the problem differently and more holistically, but I would also contend that many (most?) C-level security professionals already do this and are actively educating our teams and constituents appropriately. The challenge, however, in operating in a manner reflective of a proper mindset is to change the conditions of the battlefield upon which we engage. The security profession continues to refine our language and our metrics to discuss the causal relationships between incomplete data flow analysis, I-AAA concerns, and the increased risks of tearing down borders -- with mixed success. The border is effectively dead, yes…but security professionals cannot maintain comparable levels of risk to the enterprise if we tear down the borders without addressing the areas in Amit’s five-point treatise. This requires those we serve to (a) prioritize the efforts necessary to allow the depth of insight into the enterprise necessary to manage risk in a borderless world, and (b) accept the fact that regardless of this level of detail we will be compromised to some extent.
 
(Let’s not forget, either, that the security industry will need to continue evolving its toolset and its message, to include delivering this same message to the Boards of Directors and chief technologists whom we serve and eschewing discussions about security which do not include members of the security team.)
 
Understand that I offer this analysis not as an excuse for inaction but rather as a completion of the treatise offered by Mr. Yoran. Throwing away the old maps, as Amit suggests, is important…but equally important is acknowledging the limitations of the terrain upon which we Warriors of the Light do battle every single day (even as we struggle to modify the terrain to suit our needs).
 
Amit has thrown down a gauntlet to the security industry and the security profession alike; however, I believe what he will find is that many of us picked up this gauntlet many moons ago and are already fighting the good fight.

Welcome to the line, Brother Amit. Your shield, your sword arm, and your voice are more than appreciated.

My two cents…

Monday, April 27, 2015

Thoughts on The Irari Rules

I’ve had the pleasure of knowing Ira Winkler and Araceli Treu Gomes for over a decade now.  Both are quality and insightful security professionals who raise the bar within our industry.  As such, I’ve enjoyed reading their joint commentaries on various security issues and challenges over the past few months.

Winkler and Gomes’ latest contribution to the fight is “The Irari Rules” (named after a combining of their first names).  The relevance of the Irari rules re: determining the true technical attack sophistication cannot be overstated; it is easy for business leaders and other technology professionals to talk about a new level of sophistication in attacks when in reality we are seeing increased efficiencies and volume around highly predictable (and preventable) attack vectors.  That being said, Winkler and Gomes take a slight – and, in my opinion, erroneous – detour in their conclusions which may obscure some of the important messaging we all need to hear.

Think about what the Irari rules are advocating for a second:

  • Use anti-virus or anti-malware software
  • Patch your systems
  • Use multi-factor authentication
  • Change passwords frequently
  • Create detailed, realistic, holistic education programs
  • Turn on and monitor your alert mechanisms
  • Segment your networks
  • Aggressively manage user accounts and their privileges

None of this is rocket science -- nor is it anything that we as security professionals haven’t been saying for the better part of two decades, with arguably the same level of mixed (poor?) results.  Yet clearly something has changed within the ecosystem given that (a) the number of compromised records per breach has increased exponentially; and (b) concern regarding breaches has entered the mainstream consciousness.  So if it’s not the sophistication of the technical attack…what’s going on?

Winkler and Gomes posit that the “new normal” for organizations should be to “expect to be targeted by people with more than a trivial level of skills and the time and resources to search for blatant vulnerabilities.”  This would seem to support an argument for the efficacy of a more sophisticated attacker as opposed to a more sophisticated attack – which results in higher levels of risk overall to an organization.  Remembering the basic risk multiplicative of (T)hreat x (V)ulnerability x (A)sset-Value, a more sophisticated threat can make better use of existing vulnerabilities than a casual aggressor.  Continuing the lock analogy used in their article, the issue isn’t whether the door is locked or not, as most security is rarely so binary a calculus; rather, it’s the newness and maintenance of the locks in place.  While these locks may be sufficient to stop an opportunistic intruder, a focused intruder with moderate skills could defeat these locks (single-factor authentication; static passwords; etc.) with relative ease.

There’s another factor in the risk equation that Winkler and Gomes have failed to consider: asset value.  While consumers have not yet fully rationalized their willingness to achieve convenience and personalized service via providing personal data with their concerns over its use, the value of data to both individuals and corporations has increased dramatically.  As the value and proliferation of data within organizations increases, the security professional must reevaluate whether the locks remain sufficient and are sufficiently maintained to mitigate risks within the environment to an appropriate level.

Winkler and Gomes conclude that “(c)laims of sophisticated attacks deflect blame, obscure the need to make improvements and attempt to shirk responsibility for implementing poor security efforts.” In this I agree…but only to a point.  Yes, claims of sophistication can contribute to obscuring the need for improvements, but the argument for improving programs isn’t in the elimination of obscuration but the removal of our profession's own obfuscation of risk issues.  Fundamental blocking and tackling within a security program is essential, yes...but even the best managed programs can’t bring risk to zero.  As we do the blocking and tackling to eliminate vulnerabilities, it is equally critical to acknowledge attacker (versus attack) sophistication as well as the marked increase in asset value regarding data.  In this environment, yesterday’s locks and windows (read: yesterday’s security program implementation) won’t keep the bad guys away.

My two cents…

Sunday, March 22, 2015

Security Awareness: Changing User Behavior Reduces Overall Risk

Last week I was asked to participate in a webinar regarding security awareness and its efficacy within the workplace. I and my fellow panelists -- Sam Masiello of Teletech; Michael Angelo of NetIQ; and Joe Ferrara of Wombat Security -- had a lively and wide-ranging discussion of the benefits, pitfalls, and challenges of security awareness.  If you're interested, the webinar is available for playback at this link.  Note: you'll be required to register at the site before viewing/listening.

Enjoy!