Following the Wh1t3 Rabbit - Practical Enterprise Security

Enterprise security organizations often find themselves caught between the ever-changing needs of an agile business and the ever-present, ever-evolving threats to that business. At the same time, all too often we security professionals get caught up in "shiny object syndrome", which leads us to spend poorly, allocate resources unwisely, and generally decouple from the organization we're chartered to defend. Knowing how to defend begins with knowing what you'll be defending, why it is worth defending, and whom you'll be defending against... and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond-the-tools perspective... so follow the Wh1t3 Rabbit and remember that tools alone don't solve problems; strategic thinkers are the key.

Rafal (Principal, Strategic Security Services)

Displaying articles for: March 2012

Vulnerable Open-Source Code in the Enterprise - 3 Keys to Avoiding Security Issues

Way, way back in December 2008 I wrote a piece on this blog called "Open or Closed [source]? Which is more secure?" and it got some people talking and debating... some of you may actually remember that post if you've been reading my stuff for a while. Now the debate is back, prompted by a study Aspect Security recently published, so it's time for me to revisit the idea... again.

Shadow IT - Why IT (and Security) is scrambling to re-invent itself

Here's a statement I know will not shock you: Shadow IT is the leading cause of many of the "reinventions" that IT organizations across the globe are going through.


Shadow IT is causing a lot of trepidation for CIOs, CISOs and IT organizations in general. The problem isn't shadow IT itself, though... it's what causes shadow IT.

Labels: CIO | perform better

The Information Security OODA Loop - Act

The last step in the OODA Loop, as applied to information security incident response, is the ACTION. Sometimes we choose to act, at other times we choose to stand our ground and stay idle... but it is in that action (or lack thereof) that we embody the spirit of intelligent cyber response. Check out the last part of the Information Security OODA Loop series right here.

The Information Security OODA Loop: Decide - 3 key aspects to making a decision

There are, I believe, 3 key aspects to a decision in the OODA Loop as it applies to information security. If you're going to make a decision, these 3 components should be thought through, accounted for, and at the front of your mind...

The growing importance of protecting certificate authorities

Secure Sockets Layer (SSL) is becoming ever more popular, and a growing share of Internet traffic is being sent over encrypted connections. The question is: do you trust that the endpoint on the other end of that SSL connection is really what it says it is? How do you know? What your browser actually checks boils down to this: the server's certificate chains to a Certificate Authority the browser already trusts, and the name in it matches the host you asked for. So a CA whose signing key is compromised can mint a valid certificate for any name, and every client that trusts that CA will accept it. Certificate Authorities are targets today like never before, so protecting them is more important than it's ever been.

Project Zosimos rolls along - the video


As Project Zosimos gets rolling, and I start helping you figure out whether your IT Security program is performing better, I had our team produce a short video explaining what we're trying to get to. Give it a quick view!


Enjoy the video, more on this soon!

The Information Security OODA Loop - Orient

Here we go with part 3 of the OODA Loop series, this time tackling the second O: Orient. We'll cover how our ability to act or react is influenced by outside factors coming at us from the Information Security profession, where we can provide good orientation, and what negative influences already exist. Given how critical orientation is to making correct decisions in a timely manner, it's imperative to understand, first and foremost, how orientation applies in information security.

March #SecBiz call - "Security Fundamentals"

Hello #SecBiz...


Just a quick and short post on this month's SecBiz call, which just wrapped up. A fantastic conversation with just under 30 participants on the line with us; we grow every month! You should absolutely join us on LinkedIn if you haven't yet, and follow along on Twitter with the hashtag #SecBiz.


Our conversation set out to define just what the security fundamentals are... and it turns out we aren't quite sure, but we think there are about 7 of them. We also sketched a framework for working top-down (in a larger, more established organization, I presume) to establish more business-aligned fundamentals and steer away from "security for security's sake" exercises.


I took some notes, and here is the mind map of what we talked about, in PDF format. I have the raw file for those of you who use MindManager (I encourage you to; it's a pricey but great tool)...


I'd love to hear feedback (a thread will be started in the LinkedIn group on this topic shortly!) as we work through these 7 fundamentals to refine and define them more closely, and then start to work on the framework for that top-down approach...


A HUGE thanks to everyone who spoke up, joined and made this month's call a success!

Labels: SecBiz

The Information Security OODA Loop - Observe

As I brought up yesterday in my introductory post on the OODA Loop, Information Security is in a constant chess match with the opposition: the 'attackers', who are better resourced, better funded and often significantly better equipped. In order to have some way of fighting this type of asymmetric digital warfare, the good guys need an organized, formalized way of identifying current threats and reacting in near real time in order to reach a state of détente.

The Information Security OODA Loop - The Introduction

If you've never heard of OODA (Observe, Orient, Decide, Act) then you're missing out. OODA was devised by the military strategist John Boyd, and the idea is that in order to win any given engagement you must go through your OODA loop faster than your opponent. This obviously applies to the digital world, where decisions are made, often poorly, based on the information available to you in a consumable and actionable format. There's the key though: the decision you make in any given moment is predicated on having the right information, at the right time, in the right context, so you can act appropriately.

Offensive Threat Modeling for Attackers - the 'determined' attacker

If you've missed Black Hat Europe and would still like to get information on the talk my co-presenter and I delivered, titled "Offensive Threat Modeling for Attackers", check this out... [Whitepaper attached]

Labels: threat modeling

Black Hat Europe 2012 - Day 3 - Some thoughts on sandboxes

I've always found sandboxes interesting, particularly from a cost-benefit analysis perspective.


As a developer you should be writing good code, period. But when the pace of developing new functionality outpaces the ability to do complete software security analysis, we see security organizations turning to sandboxing as a way of limiting the damage an exploited piece of code can do. Just ask Adobe if you want a good example.


Does it make sense to spend time designing, coding, testing and deploying a sandbox when the real issue is in the underlying application you're trying to protect the operating system from? I'll let you answer that for yourself.

3 Key take-aways from Amsterdam [Black Hat Europe 2012]

This blog is coming to you live from Amsterdam, one of my favorite cities in all the world for its laid-back attitude, its brilliant culture, and history beyond books. The conference has grown again, and I'm having a great time learning, meeting, and presenting, but as always, long after memories of presenters and topics fade I will remember the hallway conversations, the between-talk discussions and the new friends made. On that note, I thought it would be appropriate to give you a Top 3 list of what I think are the key take-aways from this year's Black Hat conference here in Europe, in case you're not here right now.

Losing your laptop, not your data

Losing your laptop while you travel stinks, but losing a laptop with customer or proprietary data on it? Not good... here's my story of woe.

Labels: mobility

Pentagon hacked 250,000 per year

"Each year the Pentagon estimates their computer network is hacked about 250,000 times."

.... is this for real?  What the ...

Labels: hacking | Metrics

Metrics, KPIs and making business sense of Information Security

What is the difference between a metric and a KPI?


If you're still reporting metrics to your management, you're probably wasting a lot of time and accomplishing very little. I know this from experience. It's time to get Information Security some respectability and get off that hamster wheel; KPIs are your way off.

SecOps - A step closer to bridging the Security Operations and IT Operations organizations

Today's post is a guest blog by Scott Edwards from the HP BSM (Business Service Management) group, oddly enough not a 'security' function, but in a previous post I promised more information on SOC + NOC integration, and here it is. This is some very cool, very useful stuff that crosses domains from security to network and applications, beyond the boundaries of traditional security. I think you'll enjoy the read and, more importantly, find an opportunity to enrich the relationship and efficiency between your IT Operations and Security Operations.

Project Zosimos - Defining success for Information Security through KPIs

I've been a 'measure it' kind of guy since shortly after taking a role at General Electric almost a decade ago. In a culture where everything is scorecards and metrics, I quickly learned that proof requires actual evidence. The problem with evidence is that it has to be in the correct context; otherwise what it means to you doesn't necessarily translate to the person you're presenting that evidence to. This presented a problem for me many times over the years as I've struggled to build and launch successful software security assurance programs which could, over time, demonstrate their value and success to the business they serve.

Labels: IT Performance | KPI

Don't get lulzed - 3 tips for avoiding headline hysteria

Before everyone gets entirely too excited about the FBI "chopping the head off of LulzSec" - can I add a pinch of commentary?


My friend Bill Brenner of CSO Magazine has the typically insightful headline "It's all fun and games until someone LulzSec's an eye", while FOX News has this headline splashed across its front page: "EXCLUSIVE: Infamous international hacking group LulzSec brought down by own leader". Both make me wonder how many corporate security executives are reading those headlines and thinking to themselves, "Whew! We can go back to not worrying about security again."

Enterprise security's Achilles heel - the human/password problem

Sometimes a headline makes you want to run head-first into a hard surface. "Password1 is the No. 1 password employed by business users" makes my head hurt in ways I can't even begin to explain. It is not hard to see why it wins: it satisfies the usual complexity rule (eight or more characters with an upper-case letter, a lower-case letter and a digit), so the policy accepts it, and it is still among the first guesses any attacker makes. I thought about it for a while, wrote something, erased it, thought some more, then eventually came up with this condensed set of thoughts. Enjoy... and then cry with me.
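As an added illustration (not code from the original post), the following shell script shows a typical composition rule accepting "Password1" and a blocklist-aware check rejecting it. The blocklist is a constructed seven-entry stand-in for a real breached-password corpus, and the function names (`meets_complexity`, `is_blocked`, `verdict`) are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post.  Shows why "Password1"
# sails through a composition rule and what a blocklist check adds.
set -u

# The classic rule: at least 8 characters with upper, lower and a digit.
meets_complexity() {
  pw=$1
  [ "${#pw}" -ge 8 ] || return 1
  case $pw in *[[:upper:]]*) ;; *) return 1 ;; esac
  case $pw in *[[:lower:]]*) ;; *) return 1 ;; esac
  case $pw in *[[:digit:]]*) ;; *) return 1 ;; esac
  return 0
}

# Constructed blocklist; real deployments use millions of leaked passwords.
BLOCKLIST='password
welcome
letmein
qwerty
summer
monkey
changeme'

# is_blocked <pw>: compare case-folded, and also with the trailing "1",
# "2012", "!" etc. stripped, so Password1 and Welcome2012! both hit the list.
is_blocked() {
  folded=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  base=$(printf '%s' "$folded" | sed 's/[0-9!@#$%^&*.]*$//')
  [ -n "$base" ] || base=$folded
  printf '%s\n' "$BLOCKLIST" | grep -qxF -e "$folded" -e "$base"
}

# verdict <pw>: both policies side by side, e.g. "complexity=pass blocklist=reject"
verdict() {
  pw=$1
  if meets_complexity "$pw"; then c=pass; else c=fail; fi
  if is_blocked "$pw"; then b=reject; else b=allow; fi
  echo "complexity=$c blocklist=$b"
}

for pw in 'Password1' 'Welcome2012!' 'xK9#mQ2v' 'correct horse battery staple'; do
  printf '%-30s %s\n' "$pw" "$(verdict "$pw")"
done
```

The first two candidates pass the composition rule and still get rejected, because the rule measures character classes while the attacker's wordlist measures popularity; only the blocklist sees the difference. The last candidate shows the flip side: a long passphrase that no wordlist contains fails the composition rule outright, which is why composition rules on their own are a poor proxy for guessing resistance.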

"It's not illegal if you consent" - malware's dirty little tricks

In a conversation with Chris Hadnagy yesterday, which will be released as a podcast shortly (and trust me, you're not going to want to miss this episode!), we tripped over a little trick that malware authors use which just makes my blood boil. Since the bad guys often rely on the end user's lack of awareness and knowledge, you half-expect some of the dirty tricks, like creating a brilliant-looking, convincing web page that looks just like your antivirus software... or something equally dastardly, but there's another trick Chris brought up that made me crazy.

Do the bad guys make the best good guys? (Doing business with hackers)

Can the zebra change its stripes? If you're a black hat hacker, will you always be one? What if you're one of those "I messed up, I was busted, did time, but now I'm a good guy, trust me" types... do you deserve a 2nd (or 3rd...) chance? Does it make sense that the best people to teach you how to safeguard your valuables are the convicted crooks?


Is it really that easy?  ...obviously not.


The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation