On my way into the office this morning, I listened to a podcast interview of a well-known SIEM vendor.  I got more and more frustrated at the wheel, but did make it to the office without incident.  The focus of this conversation was the plethora of log sources that this vendor could ingest—system, network, endpoint—and the machine learning used to analyze the data.

This is backwards.  Good security designs need to start with the CUSTOMER.  Yes, the customer.  Who are the specific people that want information and what exactly do they want to see?  Users could be audit, security operations, CISO, security analysts, developer, etc.  Any other log files collected are irrelevant.  

This approach is just lean thinking applied to security.  Lean itself has been discussed in many books;  I discussed it in the context of security here.  The first lean principle is “voice of the customer”.  SIEM tool design needs to run backwards, starting with the user interface, not the sources of data.  Another lean principle is “systems thinking”, in other words how does the product or tool under discussion fit into the larger needs of protecting information.    Virtually every security product discussion I am part of focuses only on that product’s small part of the assurance puzzle.  I think CISO’s are getting tired of this and I hope vendors will take notice.

This week is RSA 2017 and I am counting hundreds of vendors exhibiting in San Francisco. This doesn’t count the others still in stealth mode and off the main show floor. They are all looking for the right formula to survive and grow. But what is that formula? In fact security startups aren’t much different from other startups, when considering the secrets to business success. My own background includes two technology startups. But the best advice I heard on how to grow a business came from a talk given by serial entrepreneur Kevin McGovern. This was: “catch the wave”.

Mr. McGovern was one of the founders of SoBe soft drinks, a leader in the nutraceutical beverage market. Did anyone really need another drink? Yet, SoBe indeed caught the wave when it was sold to Pepsi for $325m. How do you catch the wave in your startup? You need preparation and constant 360 degree vigilance of the market.  

Some years ago, I tried surfing on a trip to Hawaii. I wasn’t successful, but there are some lessons learned.

1. I hired a world champion surfer to train me. Good idea to find a mentor; maybe not the right person to train a beginner.

2. I found out that the beach was rocky…I didn’t have water shoes to make it navigable.  So minus one for lack of preparation and equipment.

3. I did have a good surfboard, rented from the pro. So plus one for preparation and equipment.

4. I hadn’t read anything or watched any training videos on surfing ahead of time. So minus one for lack of preparation.

5. I gave up after one lesson, when I was unsuccessful.  Minus one for lack of persistence. Surfing is harder than it looks.

To be a good surfer, you will need 360 degree vision. Backwards to pick the right wave, and forwards to see where you are going. The same is true for any security startup. Watch where you are going, but keep your eye in the rear view mirror to watch for firms gaining on you with new technology. Be prepared and stay out in the water!

For a short introduction to preparing and running your security startup, I recommend serial entrepreneur Milton Chang’s book: Toward Entrepreneurship.  

I have been tracking the number of “cloud” jobs listed in Indeed.com for the past five years.  See the chart below.  This isn’t a scientific survey, but an indication of the openings with the term “cloud” in the job description.  Since 2012, this number has gone up continuously.  This month’s number shows flattening when compared with 2016.  Has the supply of cloud engineers finally equaled the demand?  Will we see another increase by this summer?  In any case, clearly businesses are rapidly moving to the cloud and the demand for people is still high.

 

Occasionally a book on information security comes along that is required reading by all. The Spy Who Couldn’t Spell is one of those books. Published in 2016 and written by journalist and writer Yudhijit Bhattacharjee, it includes pretty much everything that security professionals deal with every day. 

The book is non-fiction, dealing with a real-life story of espionage. Here, truth is really stranger than any fictional TV series or movie. You will find novel crypto methods and cryptanalysis challenges, insider threat profiling, forensics, national security, foreign espionage, law enforcement, FISA court proceedings. Nothing is fabricated. Everything is the subject matter of everyday headlines today. 

A fun and educational read!

There is no shortage of headlines stating the cybersecurity professionals shortage as a fact. For example, this one from Information Week. I have taught security at the graduate level, and can report that all my students found good jobs. But I get a little skeptical after reading all of these headlines from other industries:

"The worker shortage facing America's farmers"

"Truck Driver Shortage:  Is it Self-Inflicted?"

"New Research Confirms Looming Physician Shortage"

"The Coming Lawyer Shortage"

It seems like every industry is out promoting shortages.  I don't think there is a shortage of cybersecurity professionals, but there is likely a shortage trained in the right skills.  The field is changing so fast, that it is almost impossible to keep up. So we need to focus on making sure that our training programs meet tomorrow's needs around DevOps, cloud security, software and systems security, risk management and security governance.  Those seeking to advance in the field need to take a hard look at the changing opportunities.

A few weeks ago, I was asked to comment on the "most underestimated IT security threat".  My answer was "us".  The full post is here.  My conclusion is going to be valid for 2017 and at least the next 10-20 years.  Why?  Because there are no magic pills to prevent cybersecurity failures.  Only your own diligence and knowledge.  The problem is we have grown accustomed to someone else solving these types of problems.  Look at health issues.  If you watch evening TV, you will be amazed at the number of drugs being marketed to improve lifestyle.  Most of these challenges can be mitigated by simple diet and exercise, but that does require discipline and self-knowledge.  For cyber threats, there's plenty at stake.  Our democratic processes, privacy and financial well-being.  But we are going to have to defend these.

A recent column from Hiawatha Bray makes the same point:  to create a safe Internet, we all need to be actively involved.  Mr. Bray recalls the days of nuclear bomb shelters and civil defense exercises, long gone out of favor. If cyber defense exercises won't get people engaged today, what will, short of a "cyber Pearl Harbor"?

The Commission on Enhancing National Cybersecurity, referred to in my last blog post, considers consumer based cybersecurity efforts to be a national imperative.  Their recommendations include:

• Sustained awareness campaign at the national level
• Better security educational efforts from vendors of digital products
• Research on security and usability of digital products

These efforts haven't made much progress in the past.  As the Commission pointed out, past awareness campaigns were carried out by technology focused organizations, such as DHS.  Before you dismiss all new initiatives, take a look at this site describing the top ad campaigns of the 21^st century.  Cybersecurity awareness needs participation from experts in advertising and public messaging.  Combine their level of creativity and a strong social media campaign, and I can see a new type of cybersecurity awareness campaign getting traction next year.

President Obama's Commission on Enhancing National Cybersecurity issued its report on December 1, and I thought it had some good recommendations.  I was expecting a long list of regulatory requirements, but did not find those.  Now we have to wait to see if the incoming President chooses to follow the recommendations.

The report contents was divided into six imperatives and 16 recommendations.  The recommendations were backed up with action items.  The major recurring idea in the report was that of public-private partnerships.  Another one was the use of incentives to encourage the adoption of good cyber security programs.  There were many specific steps that the group documented.

Here are some of the high points that caught my attention:

• Creation of a National Cybersecurity Private-Public Program (NCP³) to address collaboration of public and private sectors in cyber defense.  This is needed, since we don't have a template to use in the event of a major incident.
• Strong authentication:   government services should offer strong authentication to citizens; agencies should require strong authentication by employees and contractors; the government should determine how it can provide identity proofing for all.
• The NIST Cyber Security Framework (CSF) gets prime billing.  Recommendations are that it should be required in government agencies, promoted in the private sector and promoted internationally.
• Incentives should be provided for companies that follow good cyber risk management principles.
• Significant focus on helping SMB markets.
• Recommendation to increase funding for cybersecurity in civilian federal agencies by $4 billion over 10 years.
• Development of a cybersecurity nutritional label to help educate consumers.
• Workforce improvement:  100,000 new cybersecurity practitioners by 2020; 50,000 new apprentice level practitioners by 2020.
• Mandatory training program for managers and executives.
• Move federal agencies from security requirements management to enterprise risk management.

The whole report is worth reading and can be found here.

Today, there are a large number of security startups trying to assure our data and infrastructure.  I have done two data communications start-ups in the past, over a period of 13 years.   One company was acquired by a larger firm; the second went public on NASDAQ.  The following reading list represents ideas that I wish I had at the time.  I think they will valuable to leadership in any security start-up.  None of these are technical books.  I will assume that any reader is already at the expert level in their field.  These selections focus on leadership, marketing and business.

TITLE	AUTHOR	WHY READ?
How To Win At The Sport Of Business	Mark Cuban	Tips from a master business builder
Show and Tell	Dan Roam	How to create effective presentations
Leadership and the One Minute Manager	Ken Blanchard	How to lead, while wearing many hats
The Five Dysfunctions of a Team	Patrick Lencioni	Building your team is the number one critical success factor
The Art of Getting Your Own Sweet Way	Phillip Crosby	Classic guide by one of the founders of the quality movement
Toward Establishing a Successful Technology Business Entrepreneurship	Milton Chang	Handbook for building a business, from a serial entrepreneur
The Innovators	Walter Isaacson	Some time for inspiration
Getting to Plan B	John Mullins & Randy Komisar	You will need this
Powerlines	Steve Cone	How to turn your ideas into brands
The Art of the Start	Guy Kawasaki	Lessons from the start-up evangelist

It is obvious that cyber security will continue to play an important part in national security.  But as a Washington outsider, it is difficult to see inside government policies and organizations that are responsible for this security.  Michael Hayden has taken a significant step in providing this insight through his recent book, Playing to the Edge (2016).  Mr. Hayden served as both the Director of the NSA and the CIA and is a retired four star Air Force general.  A great aspect of the book is that Mr. Hayden wrote it himself, apparently without a ghost writer.  So readers get the best insight into government intelligence that can pass a classification review.

The years covered comprised turbulent times, including:  the 9/11 attack; the build-up of NSA monitoring; the Snowden leaks; and the CIA alleged torture incidents.  No shortage of controversy here!    Three points stood out for me.  First, the real brilliance and leadership of Mr. Hayden in the many roles he assumed.  Second the great challenges of running intelligence operations in a political environment like ours.  Finally, the challenges of managing the needs of a free press while needing to protect classified information. 

I highly recommend this book to anyone working in cybersecurity.  Your work will impact national security sooner or later and it will be important to understand some of the inner workings of the responsible government agencies.

Information security used to be part of IT.  That has changed recently;  security now needs to be independently aligned with the business operations, not just IT operations.  The PCI SSC calls this "Business as Usual" (BAU).  NIST CSF talks about aligning cybersecurity requirements with business activities. I call this process information security governance and maintain a CSO Online blog on this topic.  For a recent post on an approach to alignment between security and the business, go here.

Business Email Compromise (BEC) continues to be one of the most successful information security attack vectors.  Criminals steal email addresses and passwords of C-level executives and then use this information to initiate fraudulent financial transfers from the executive's employer to the criminal's bank account.  In this process the executive's home network is also vulnerable.  It will likely contain sensitive information, including business account information.  I discussed this risk and recommended solutions in my webinar "Cybersecurity Tips for High Net Worth Individuals and Small Businesses" last February, now posted on LinkedIn here.

Two new books cover the topic in more detail.  I recommend both to security practitioners.  The first is Cybersecurity:  Home and Small Business, by Raef Meeuwisse.  The second is Small Business Cyber Security, by Adam Anderson and Tom Gilkeson.  Both books adapt the NIST CSF to the home and small business environment.  They will help you keep your clients' homes and home offices as secure as the corporate headquarters.

Enterprise Risk Management (ERM) has been around at least since the days of the Trojan Horse.  Information security risk management can learn much from ERM and avoid reinventing the wheel.  The National Association of Corporate Directors (NACD)  made this clear in the 2014 handbook Cyber-Risk Oversight.  Principle #1 is to approach cybersecurity as an enterprise-wide risk management issue.  For updated observations on ERM and information security, go to my CSO Online blog post "Don't be the next Humpty Dumpty".

My approach to risk assessment always includes analysis of actual breaches in an industry similar to the client industry.  This is the evidence based component of risk analysis.  On July 28, 2012, three protesters broke into the Y-12 Highly Enriched Uranium Manufacturing Facility (HEUMF) in Oak Ridge, Tennessee.  While you may not run a nuclear complex, we can still learn from this incident.  Much has been published about this break-in and how it could occur given the high priority placed on security at the facility.  How did three people, average age about 66 years, break through three fences to an enriched uranium facility?  Only the people who were there will really know, but a recent book by Steve Gibbs does give some insight into the events and aftermath.  Mr. Gibbs was General Manager for the protective force vendor, Wackenhut, around the time of the break-in.  His recent book, Behind the Blue Line (2015) is a rare look into the events surrounding any type of security breach.  Here are some lessons I learned from this book.  These are my own observations, not explicitly stated in Mr. Gibbs' book: 

1. Wackenhut was involved with 6 weeks of difficult contract negotiations with the guard union.  This was finalized only the day before the above breach.  Did anyone in management or labor take their eye off the ball?  Did the negotiations contribute to the failure to detect the breach or take appropriate action?
2. Failure to maintain security systems was clearly a contributing factor.  The zone 62 camera simply was not working and had been out of service for five months.  Maintenance of physical security equipment seems like an obvious necessity.  Maintenance of cyber security controls is not top of mind with most organizations.  Interestingly, a new service in this space, "Managed Tools Security Service", is now offered by Compliance Engineering.
3. Some systems in operation at Y-12 were not tuned for effective use.  One example was Argus, a physical intrusion detection system.  It had recently replaced a legacy system that had been in use for 20 years.  Argus had too many false positives to be effective, according to some of its users.  This, of course, is a common problem with all types of cyber detection systems.
4. Finally, one more contributing factor is that contract negotiations and budget scrutiny was taking place at exactly the same time as the July breach.  This was in addition to the labor negotiations mentioned in #1.  Previous reductions in funds had eliminated some of the guards that could have caught the intrusion before it got to the HEUMF.

The biggest failure is that Y-12 did not test its incident response plan or operational security monitoring.  This would have highlighted shortcomings and hopefully led to corrective action.  Conclusion:  never trust a security control, unless it is regularly tested.  Trust but verify everything.  Mr. Gibbs' book is a worthwhile read, illustrating what it takes to secure a nuclear facility.

Reuters reports today the guilty plea and plea agreement of Kody Peterson, charged with illegally distributing Android apps.  The conviction was the first copyright theft case involving Android apps.  The case was tried in US District Court for the Northern District of Georgia.  The original charges are here.

According to the US Attorney, the defendant obtained or created Android apps with disabled access controls.  He then distributed them on his own website, www.snappzmarket.com.  The retail value of the apps was over $1.7 million.  This case was broken by an FBI agent working undercover and purchasing the apps online.

The good news is that this scam was broken.  The bad news is that it is the first.  How many others are still operating?

Universities are traditionally open, without all of the information security controls that are implemented in the corporate environment.  Not surprising, given that the term university means community.  It is hard to build community with overly restrictive security controls.

Now, however, the New York Times reports that universities are under increasing attack from cybersecurity threats—“Universities Face a Rising Barrage of Cyberattacks”.  Is this media hype or are more successful attacks being carried out?  My approach is always to start with evidence based risk assessment.  What does the actual data show?  While we don’t have perfect actuarial data for information security, we do have some extremely valuable information. 

For this post, I analyzed breach data from Privacy Rights Clearinghouse, over the years from 2011-2013.  I included all breaches reported at educational institutions, whether secondary schools or university level institutions.  I used the breach types that Privacy Rights uses to classify the breaches.  Here are the results:

Type of Breach	Number of Breaches	Number of Lost Records	% (Number of Records)
Hacking or malware	65	1,601,000	63
Unintended disclosure	53	812,000	32
Portable devices	19	87,400	3
Insider	10	25,245	1
Physical loss	16	3175	0.1
Payment card fraud	1	16	0

So the media reporting seems to be on target;  hacking and/or malware is the top root cause of most breaches.  Unintended disclosure or user error falls in second place.  Losses from portable devices is third.  The devices reported include laptops, flash drives and hard drives.  The insider breaches include existing and former employees or students.  The physical, non-electronic losses comprise lost records or records dropped in dumpsters without shredding.

To defend against these types of breaches, we need to harden the databases that are holding confidential records.  We can no longer rely on the traditional defense in depth approach, using multiple layers, each slowing down the adversary until we catch him.  It is now too easy to drop in a Remote Access Trojan (RAT) into the inner layer of the defensive system.

Hardening of databases is itself difficult, since there are so many ways to attack.  The remediation consists of people, process, technology and monitoring.  The best summary of non-vendor-specific recommendations that I have seen has been developed by Berkeley Security, University of California.  It is worth comparing your data security controls versus this list of controls.

On May 31, the Cloud Security Alliance released a white paper entitled “Cloud Computing Vulnerability Incidents:  A Statistical Overview”.  This paper analyzes published cloud vulnerabilities reported in the news media from 2008 to 2011.  A total of 172 unique cloud incidents were analyzed to determine root cause and attribution.  The overall mission of the analysis was to encourage cloud vendors to improve transparency of reporting.  There are other several other points of interest in the report.

Over the 2008-2011 time period, the number of incidents per year increased by 370%.  However the cloud market (according to Forrester) increased by 440%.  So cloud vendors achieved a modest improvement in security over this period.  The report also includes a pie chart of incidents by vendor, with Amazon, Google and Microsoft leading the way.  A number of other large cloud vendors show up in the pie chart, but with much smaller slices of the incident pie.  As the report’s authors state:  “it is noteworthy to observe companies which have a large customer base but relatively lesser cloud outages”.  Maybe with further reporting, we will achieve a standard of excellence in cloud reliability and fewest cloud incidents.  The third item that caught my attention was the fastest growing threats, at least in the 2010-2011 time period.  These included “Insecure Interfaces and APIs”, “Data Loss or Leakage” and “Unknown Risk”.   Data loss and leakage will likely continue to grow.  The growth in the unknown category shows that we still need more transparency in security incident reporting.

This report is a good effort in evidence based risk analysis and worth reading.  Hopefully the authors will continue the research.

Our local newspaper, The Tennessean, recently ran a story on the Y-12 nuclear facility break-in last year.  The defendants are now scheduled for a May trial in the Eastern District Court of Tennessee.  This prompted me to review the Inspector General’s Y-12 security breach report  for lessons learned.  This report is one of the few published analyses of security breaches.  The other good examples I use come from court cases, where both sides’ arguments are heard by the court.  I believe that the observations from the IG report apply to security management in general.

So how did three people, average about 66 years, break through three fences to an enriched uranium facility?  Here are the summarized contributing factors:

1.    Poor response from the security officers on duty.  If you have outsourced security and are not testing the capabilities of your team, you may have surprises of this type.  Mock incidents should be staged to verify that such incidents are promptly and accurately detected.
2.    Poor maintenance of equipment.  A number of cameras were stationed to detect intruders.  They were either not functioning or not working at full capability.  If there is an application outage, it will be fixed according to defined user-based SLA’s.  Security capability should be maintained with similar written security SLA’s.
3.    Poor communications; when the trespassers banged on the wall of the security facility, security officers assumed they were maintenance workers.  No clear schedule for maintenance workers was communicated to them.  During the incident security officers communicated via cell phone, instead of by secure radio, as required by policy.  This again suggests that no testing of the incident response plan was carried out.

The biggest failure is that Y-12 did not test its incident response plan or operational security monitoring.  This would have highlighted shortcomings and hopefully led to corrective action.  Conclusion:  never trust a security control, unless it is regularly tested.  Trust but verify everything.

There is a debate among security professionals as to whether a strong compliance or strong security program best protects the enterprise.  Arguments along the lines of compliance is “just satisfying a checklist” and “security is not compliance” are offered.  Obviously compliance requirements must be satisfied and often compliance programs help justify “security” programs and budgets.  But what is the relationship?

I believe the following simple relationship captures the connection between compliance and security:

Security = Compliance + Continuous Improvement

Compliance establishes a baseline for the security program.  This baseline may be regulated or legislated or be an organizational requirement.  However, often compliance is checked only annually and by individuals who may not be aware of the risks that are present in a specific organization.  The security program has a broader mandate, namely to protect the intellectual capital in the enterprise.  

A security continuous improvement program will “fill in” the gaps between annual audits.  It can be used to reduce costs of audits and compliance.  It can be used to adjust to changing threats and business conditions.  This type of continuous improvement program is “built in” to the security program and is not just another check box to be filled in under as part of the annual audit.  A successful Continuous Improvement program is built on strong metrics that are reported weekly and provided to all stakeholders in the security program.  

Security and compliance are both essential parts of protecting information and by implementing continuous improvement, organizations can realize the benefits of both.

Many businesses today assume that their workers will report to home in the event of a disaster at the corporate offices.  In fact, workers are already telecommuting or working full time in home offices.  The widespread implementation of broadband connectivity has made this possible.  In many cases corporate disaster recovery planning has not taken into account these home offices.

In this scenario, corporate disaster and home continuity planning has to include the home offices.  This, of course, supports individual safety, family safety as well as the corporate business processes.

FEMA, through its Ready program, has published check lists of preparedness items for home emergencies at www.ready.gov/research-publications.

Now is a good time to read through these and add those items you do not have to your home emergency kit.  here are some of the highlight checklist items:

 

• 3 gallons of water per person
• 3 day supply of food
• Battery powered radio
• Flashlight with extra batteries
• First aid kit
• Tools to turn off utilities
• Family emergency plan
• Shelter-in-place

 

The rush to cloud computing has brought about amazing new services, but, without adequate vendor monitoring, businesses may be building digital supply chain risks that will show up later when cost and market pressures are felt by cloud vendors.  We can learn from business processing outsourcing experiences.

The New York Times reports today a $280K+ OSHA fine against a Hershey’s chocolate packing plant in Pennsylvania.  The fine was for injuries and safety violations at the plant over four years.  The plant is owned by Hershey’s and used for packing Reese’s cups, Kit-Kat bars and Hershey’s Kisses.  Its operations had been outsourced to another firm, Exel.  Exel in turn outsourced labor to a temporary help firm that employed, among others, international student labor.  This is the kind of violation that could have been avoided if Hershey’s had monitored that plant’s operations and Exel’s results during the four years. 

Monitoring is critical to digital outsourcing and cloud computing.  NIST Special Publication 800-144 (“Guidelines on Security and Privacy in Public Cloud Computing”, December, 2011) is the best and most current written document on how to maintain security and trust, while benefiting from new public cloud services.