Top IT Security Bloggers

Network World - Networking Nuggets and Security Snippets
  • The RMS Titanic and cybersecurity

    Little known fact: Yesterday was the 30th anniversary of Bob Ballard’s discovery of the RMS Titanic, several hundred miles off the coast of Newfoundland, Canada. I’ve recently done some research into the ship, its builders, and its ultimate fate and believe that lessons learned from Titanic may be useful for the cybersecurity community at large. The Titanic tragedy teaches us of:
    The dangers of technology hubris. The Titanic was designed with the latest technology at the time to withstand severe storms in the north Atlantic. Because of this, the shipbuilders at Harland and Wolff decided to market the ship as “unsinkable.” Likewise, our industry has this absolute love affair with technology. I’m constantly briefed on the latest and greatest prevention or detection engine designed to withstand anything hackers can throw at it. Like the “unsinkable” Titanic, this is nothing but hot air. Bad guys will find ways around all of our defenses over time. Strong security demands people, process, and technology so the industry love affair with technology alone is counterproductive and leaves us susceptible to a sea of cybersecurity icebergs.
    The need for organizational coordination. There were two inquiries into the Titanic disaster, one in the U.S. and one in England. In both cases, investigators learned that the crew of the Titanic was inexperienced and various groups that made up the Titanic’s staff did not work well together. This lack of coordination could have contributed to the disaster. Similarly, strong cybersecurity depends on a collaborative effort between cybersecurity professionals, business management, and different IT groups (i.e. IT operations, DevOps, data center infrastructure, etc.). A lack of cooperation could also lead to disastrous results.
    Tradeoffs between business objectives and risk management. A man named Thomas Andrews was tasked with the Titanic’s overall design and construction. Andrews wanted 64 lifeboats to guarantee space for all passengers, but the management of Harland and Wolff didn’t want to waste precious space on the promenade deck, so higher-ups decided to go with the legally acceptable minimum – 16 lifeboats (and 4 tenders). The rest, as they say, is history. Similarly, business managers often go full-speed ahead with business initiatives without considering cybersecurity risks. Alternatively, they minimize cybersecurity investment, eschewing good security for “good enough” security. The lesson here? Don’t make blind or best-case risk management assumptions or you could hit an iceberg that is much larger than you think.

    There are plenty of other lessons I could come up with but I’m sure you get my point. Organizations should approach cybersecurity with humility, reality, and a comprehensive team effort. In lieu of this end-to-end approach, CEOs shouldn’t be surprised when their organizations suffer data breaches, their stock prices sink, and their careers end up in Davy Jones’ locker.
  • Anticipating VMworld

    It’s the end of the summer of 2015 – the nights are getting cooler, the leaves are starting to change colors, and flocks of students are abandoning the beaches of Cape Cod bound for college campuses. The seasonal change also signals another annual ritual – VMworld in San Francisco. VMworld used to be focused on virtual server technology, and then it expanded to VDI. Now the show represents all things cloud computing. Of course, I’ll be looking at a specific sub-segment: The intersection of cloud computing and cybersecurity. As such, I’m anticipating discussions around:
    Micro-segmentation. A few years ago, virtual networking really meant virtual switching at Layer 2. While virtual switches offered a lot of functionality, most organizations used them as a bridge to forward traffic to the “real” physical network. This is no longer the case. Many enterprises are embracing virtual networking in data centers across layers 2-4. As part of this transition, I’m starting to see a lot more interest in micro-segmentation for network isolation, east-west traffic segmentation between data center servers, and even the creation of network tunnels from endpoints to data center applications. From a cybersecurity perspective, micro-segmentation offers great potential as it can be used to limit the attack surface. I’m curious to find out about micro-segmentation adoption. Is it still a cutting-edge technology, or has it crossed the proverbial chasm? My hope (and gut feel) is that we are making progress – more soon.
    Network security services. As virtual networks gain traction, they will pull virtual network security services along for the ride. VMware is pushing this model with NSX partners like Check Point, F5, Palo Alto, Rapid7, Symantec, and Trend Micro who can supplement server and network virtualization with proven, enterprise-class security services. Cisco offers a similar architecture and partner program with ACI and its security services architecture. Others, like Illumio and vArmour, are intent on virtualizing network security services on their own – sort of like what Novell NetWare did for file and print services 25 years ago. If you are serious about cloud computing, you have to go down the network security services route, but this is a big leap of faith for many seasoned cybersecurity veterans who grew up as CCNEs and Cisco PIX firewall administrators. I’ll be monitoring VMworld to see how this transition is progressing as changes here could have big implications on the security market.
    Identity and access management (IAM) in the cloud. According to ESG research, 68% of enterprise cybersecurity professionals claim that the combination of cloud and mobile computing has made IAM security a lot more difficult (note: I am an ESG employee). Why? Cloud computing extends IAM to new infrastructure and applications, some with their own authentication, entitlements, and management tools. This in turn creates IAM blind spots, policy contention, and loads of opportunity for human error. There are several ways to bridge these worlds, including homegrown integration using federated identity standards (i.e. SAML), single-vendor product solutions (i.e. CA, Centrify, IBM, Microsoft, Oracle, RSA, etc.), and gateway solutions (OneLogin, Okta, Ping Identity, etc.). There’s also a slight chance that social networking vendors like Facebook, Google, and LinkedIn will fill this void, and there are promising authentication technologies (i.e. Apple, FIDO alliance) that could greatly impact IAM at large. Lots of balls in the IAM air, so I’m interested to see how this will play out.
    Cloud security organizational dynamics. Many industry events resemble a techno pep rally focused on silicon and code rather than carbon-based life forms. I hope this isn’t the case at VMworld, as I’d like to explore cloud security as it relates to IT and cybersecurity organizations. My current observation is that cloud security responsibilities often migrate toward different groups like application developers, DevOps, and data center infrastructure groups. OK, but where do network security engineers fit into this mix? And since cloud security is a relatively new pursuit, how are cybersecurity professionals (and others) gaining necessary skills around secure design, physical/virtual security integration, cloud security operations, best practices, etc.? In my humble opinion, skills development is a critical and often neglected aspect of cloud security. With the right training, CISOs can use things like micro-segmentation and virtual network security services to improve security protection and mitigate risk. In lieu of this, however, other IT groups with minimal cybersecurity knowledge will be in charge of “winging it,” putting everyone at risk.

    A few years ago, cloud computing seemed to be hamstrung by security concerns, but this is no longer the case. Many organizations, led by the public sector, are moving full-speed ahead into the cloud, so it is incumbent upon the cybersecurity community to keep up. When I leave VMworld next week, I should have a good indication of whether cloud security is a ray of sunshine on Amazon, OpenStack, and vCloud Air, or whether stormy cybersecurity weather is in the forecast.
  • Facebook’s Threat Intelligence Sharing Potential

    Enterprise organizations are actively consuming external threat intelligence, purchasing additional threat intelligence feeds, and sharing internally-derived threat intelligence with small circles of trusted third-parties. Based upon these trends, it certainly seems like the threat intelligence market is well-established but in this case, appearances are far from reality. In my humble opinion, threat intelligence consumption and sharing is extremely immature today with the market divided by a few haves (i.e. large banks, defense contractors, large IT vendors, intelligence agencies) and a large majority of have-nots – everyone else. This immaturity is illustrated by some recent ESG research (note: I am an ESG employee). A panel of cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) were asked to identify weaknesses associated with their firm’s threat intelligence consumption and sharing programs. The data indicates:
  • Incident Response: More Art than Science

    Five to ten years ago, the cybersecurity industry was mainly focused on incident prevention with tools like endpoint antivirus software, firewalls, IDS/IPS, and web threat gateways. This perspective changed around 2010, driven by the Google Aurora attack and the subsequent obsession with advanced persistent threats (APTs). These and other events convinced the cybersecurity community that hackers could easily circumvent standard prevention-centric security controls, so we needed much better tools for incident detection on endpoints and the network. Over the last year or so, the cybersecurity winds have shifted once again. With the onslaught of new detection engines, CISOs need ways to collect, process, analyze, and react to volumes of incident detection data in a timely fashion so they can actually respond to incidents. Why the change? Incident response (IR) is where technology meets humanity as it depends upon the instincts, experience, skills, and methodologies of really smart people. These individuals, and the processes they create, are the essential ingredients for discovering and addressing cyber-attacks efficiently and effectively – at each and every organization.
  • Enterprises are Analyzing Lots of Internal Cybersecurity Data

    The cybersecurity industry has been talking about the intersection of big data and cybersecurity analytics for years, but is this actually a reality or nothing more than marketing hype? The recently published ESG research report titled, Threat Intelligence and Its Role Within Enterprise Cybersecurity Practices, only reinforces my belief that big data security is tangible today, and enterprises will only double down in the future (note: I am an ESG employee). As part of the threat intelligence research project, ESG surveyed 304 cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees), and asked them which types of internal security data they regularly collect, process, and analyze today. It turns out that around 40% of enterprises collect and analyze 13 different types of cybersecurity data. At the top of the list:
  • Black Hat Boogie

    I spent all of last week in Las Vegas at Black Hat 2015. I used to pass on Black Hat but no longer – it is a great opportunity for getting into the cybersecurity weeds with the right people who can talk about evasion techniques, malware, threat actors, and vulnerabilities. Alternatively, RSA Security conference conversations tend to center on things like IPOs, market trends, and PowerPoint presentations. I made a list of a few Black Hat take-aways on my flight home from Las Vegas:
    The burgeoning conflict between money and vulnerability disclosure. As is common at Black Hat/Defcon, security researchers exposed numerous software vulnerabilities during presentations throughout the week. This was expected but there is a bigger and more ominous trend I heard about in Vegas. It has always been a common courtesy for security researchers to share major vulnerabilities (i.e. vulnerabilities that impact pervasive software like Oracle RDBMSs or the Windows OS, critical infrastructure technologies, common hardware, etc.) with vendors and government agencies before going public. This lag time gives the good guys time to evaluate researchers’ claims and react if necessary. Given the influx of money flowing into the cybersecurity market however, some researchers and VC-backed startups are eschewing this unwritten rule and going directly to the press to get the biggest PR bang they can. Maybe it’s just me but I believe that this type of cybersecurity charlatanism is of questionable ethics at the very least. In the near future, a highly-publicized vulnerability could put us all at risk.
    Endpoint battle royal. A few years ago, the only people talking about endpoint security were AV vendors like Kaspersky, McAfee (Intel Security), Sophos, Symantec, and Trend Micro. Now everyone seems to have skin in the game as evidenced by the parade of “next-generation” endpoint vendors at Black Hat. Yes, the new kids on the endpoint block like Bit9, Digital Guardian, Invincea, Hexis Cyber Solutions, SentinelOne and Tanium are being measured by their detection efficacy, but I truly believe that the winners here will be the ones who can streamline incident response operations. We’ll see, but the endpoint security game is certainly changing quickly.
    Cybersecurity recruiting and training hits the tradeshow floor. I’ve been screaming about the cybersecurity skills shortage for years and even presented on this topic at RSA 2014, so I was extremely pleased to see real activity at Black Hat. According to ESG research, 28% of organizations claim that they have a “problematic shortage” of cybersecurity skills today (note: I am an ESG employee). This skills gap was not lost on Black Hat as a whole section of the show floor was dedicated to career enhancement and of course, Black Hat sessions were all about skills development. Additionally, vendors like Accenture were actively recruiting new talent within their booth in the exhibitor hall. Finally, kudos to the University of MD Baltimore for its consistent academic leadership and its proactive cybersecurity program marketing at Black Hat and many other infosec events. Sigh, I wish my alma mater, UMass Amherst, demonstrated the same level of marketing and recruiting savvy.
    Threat intelligence sharing realities and rhetoric. I’ve been wrapped up in threat intelligence sharing research for many months now and Black Hat only reinforced my viewpoints in this area. The Vegas show demonstrated that there is lots of cyber threat intelligence out there but things are messy as everyone has their own names for malware and threat actors, TTP details vary, and attribution remains a hit-or-miss proposition. Likewise, threat intelligence sharing is still hamstrung by manual processes, cybersecurity professional paranoia, and legal limbo. If you want good threat intelligence, speak to the experts who live in this world (as I did at Black Hat), otherwise good luck. Are they aware of this reality in Washington?
    NSS Labs brouhaha. During the height of the Black Hat event, NSS Labs released the results of its breach detection system testing, leading to a public debate on the test results, the merits of NSS’s testing process and the relative purity of the NSS business model. Okay, but beyond NSS, there is an even bigger question looming: Is single-product detection testing worthwhile anymore? Most of the advanced cybersecurity shops I speak with are integrating multiple network and endpoint detection engines through APIs or aggregating detection tools and threat intelligence for incident response using integrated cybersecurity orchestration platforms (ICOPs) from Invotas, Phantom Cyber, or Resilient Systems. As one CISO succinctly stated to me, “integration is the new best of breed.” Synthetic tests may be an insightful data point but typical incident response processes rely on a multitude of tools, skills, and workflows. To gain a real-world perception on cybersecurity efficacy, infosec professionals should evaluate, test, and select products that offer the best fit for their unique networks, methodologies, organizations, and integration needs.

    One final observation and comparison between Black Hat and RSA. In my humble opinion, there is an underlying, “hooray for technology” vibe at RSA each year. This is to be expected since vendors announce new products and VCs crow about rounds of investment and IPOs across the halls of the Moscone Center. On the other hand, Black Hat has a pronounced sophomoric ambiance in terms of personalities and pranks, but real discussions tend to be a lot more subdued, substantive, and cerebral than those that take place in San Francisco. I tend to leave RSA with a sense of industry pride and a pocket full of business cards. Upon exiting Black Hat, I’m usually scared to death.
  • Black Hat Is About Cybersecurity People and Processes

    Over the past few years, the RSA Security Conference has become a marquee technology industry event. It has really outgrown its humble roots in cryptography and Layer 3 and 4 packet filtering – now RSA is where technology industry bigwigs meet, drink exquisite Napa Valley wine, get a broad perspective of the cybersecurity industry, and do deals. RSA’s emergence as a “must-attend” technology industry event is a good thing on balance. For one week of the year, business, government, and technology leaders descend on San Francisco and shed a spotlight on the global state of cybersecurity. But while this attention is a good thing, RSA has evolved into a high-level affair, focusing on the “why” questions surrounding cybersecurity.
  • Cybersecurity Technology Integration Changes Everything

    I have been writing about cybersecurity technology integration a lot lately. For example, here’s a blog I posted in May of this year about cybersecurity technology integration trends I see in the market. Yup, I’ve increased my rants on this topic lately but I’ve actually been preaching this message for a number of years. Cybersecurity technology integration activities remind me of what happened in the 1990s when departmental applications gave way to big ERP systems from Baan, Oracle, and SAP. This was a difficult transition but organizations that persevered benefited from improved data analytics, real-time decision making, and new types of automated business processes. CISOs are clearly looking for similar results.
  • Cybersecurity Canon and The Florentine Deception

    I first met cybersecurity veteran Rick Howard when he joined Palo Alto Networks as Chief Security Officer. During our discussion, Rick mentioned an idea he was promoting for a cybersecurity canon: A list of must-read books for all cybersecurity practitioners -- be they from industry, government or academia -- where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and that, if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete. Rick’s notion of a cybersecurity canon hit home for a few reasons. I am an avid reader of cybersecurity books and am usually reading or re-reading something. And whenever someone asked me how they could learn about cybersecurity concepts, I would tell them to eschew text books and begin their education by reading more mainstream works like Cyberwar by Richard Clarke, Fatal System Error by Joseph Menn, Worm by Mark Bowden, and Kingpin by Kevin Poulsen.
  • Measuring the Quality of Commercial Threat Intelligence

    In my most recent blog, I described how a recently-published ESG research report on threat intelligence revealed a number of issues around commercial threat intelligence quality (note: I am an ESG employee). As part of a recent survey of cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees), ESG found that:
    72% of enterprise cybersecurity professionals believe that at least half of the information contained in commercial threat intelligence feeds/services is redundant regardless of the source.
    74% of enterprise cybersecurity professionals say that it is extremely difficult or somewhat difficult to determine the quality and efficacy of each individual threat intelligence feed.

    I suggested that large organizations may overcome this problem over time as they deploy threat intelligence consolidation and analysis platforms (TICAPs) based upon open source CRITs, or purchase commercial offerings from vendors like BrightPoint Security, ThreatGRID, and ThreatQuotient, or use threat intelligence integration features in SIEM platforms like LogRhythm, QRadar, and Splunk. Since TICAPs provide correlation tools and common dashboards, SOC personnel and malware analysts will be able to assess which threat intelligence feeds recognize each threat first, which provide the most details about cyberattacks, which contain the fewest false positives, etc.