Following the Wh1t3 Rabbit - Practical Enterprise Security

Enterprise Security organizations often find themselves caught between the ever-changing needs of the agile business, and the ever-present, ever-evolving threats to that business. At the same time – all too often we security professionals get caught up in “shiny object syndrome” which leads us to spend poorly, allocate resources unwisely, and generally de-couple from the organization we’re chartered to defend. Knowing how to defend begins with knowing what you’ll be defending, why it is worth defending, and who you’ll be defending from… and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond the tools perspective … so follow the Wh1t3 Rabbit and remember that tools alone don’t solve problems, strategic thinkers are the key.

Rafal (Principal, Strategic Security Services)

Leap Second, Public Cloud and a lesson in Enterprise Resiliency

This has been an interesting weekend. One of the largest public cloud providers was knocked sideways by a severe electrical storm, and Linux systems all over the world freaked out because of an obscure "leap second" bug ... there are lessons to be learned here...

Lies we tell ourselves - 5 Misconceptions Information Security needs to change

This post is a look back into the mirror from the IT Security standpoint.  There are (at least) 5 big misconceptions, or delusions if you prefer, that we need to get over as an industry to move on in order to gain adoption, acceptance and alignment with the business.

SCADA Security - The danger of consequences and difficulty with incentives

This post is a quick analysis of an interesting lunchtime keynote here at the ISSA Summit in Los Angeles, with a broad range of speakers and interesting topics.  This one particularly touches my heart because it forces us to think about negative consequences, versus positive incentives and how difficult that balance is.

Melville's "Bartleby the Scrivener" and what it teaches about InfoSec

Every once in a while something from the real world gives us in the Information Security world a peek into the 'real world'.  As I read about the various hacking groups out there trying to force better security I can't help but think back to a book I read way back in high school.  The book is called "Bartleby, the Scrivener" and it was written by Herman Melville back in 1853, and it offers remarkable insight into the perceived fight that we all feel we're fighting to force our enterprises to adopt better security.

Public cloud security - 5 conversations that will shape your cloud security model

Today we hosted another of our Converged Cloud chats on Twitter using the #ConvCloud hashtag.  If you missed it, you missed a conversation of epic proportions - a massive thank you for the throngs of people who jumped in and discussed.  While there were several questions posted and discussed in several veins of conversation, the one many of us got hung up on and never left was this: "How do you decide what to build internally (private cloud) and what to consume externally (public cloud)?"

Cyber Weapons - Bits instead of bullets but damage nonetheless

There has been a lot of buzz and chatter, not to mention heavy press coverage, of the US government's desire to fund research into and acquire "cyber weapons" - presumably for use against our enemies.  While there are probably more questions than answers at this point, what is becoming increasingly clear is that the Pentagon, and by extension the United States government, has noticed that hacking isn't just for script kiddies anymore.

Trust - Making an intelligent, defensible trust valuation

There was an interesting conversation earlier today on Twitter over whether trust is a 'yes or no' answer.  While some of the people engaged argued vehemently that trust is either a yes or a no, I maintained that to answer trust in such a way was silly, and created more issues which were becoming apparent in the information security industry.  This post is a result of some more thinking ... and I identify 3 things that are required to make a trust valuation, since I absolutely don't believe it's as simple as binary.

One lesson from Information Security World 2012 - Security is in trouble

Sometimes the absolute best conversation I can have with someone is the one that reminds me how complacent in my thinking I've become.  This applies to you too.  InfoSec World 2012 had an interesting mix of talks and forums from around all corners of information security, but one particularly stuck with me because of its polarizing effects.  That talk was a panel with Marcus Ranum, Chris Nickerson and Alex Hutton.  I almost feel like the panel, for many, was like a bucket of ice water to wake you from a 3am sleep ...and it polarized the audience into those who loved the message, and those who were simply offended by it.

Data Breach 'Containment'

I've had this post in the drafts for a while but today seems timely to post this given CNet's story about Global Payments and their statement that the data breach they've experienced is currently "contained to the best of our ability".  That's an interesting thing to say ... 'contained'.  I think it merits further discussion because I read people on Twitter dismissing this statement far too quickly.

The Information Security OODA Loop - Act

The last step in the OODA Loop as applied to information security incident response is the ACTION.  Sometimes we choose to act, at other times we choose to stand our ground and be idle ...but it is in that action (or lack thereof) that we embody the spirit of intelligent cyber response.  Check out the last part of the Information Security OODA Loop series right here.

The Information Security OODA Loop: Decide - 3 key aspects to making a decision

There are, I believe, 3 key aspects of a decision in the OODA Loop as it applies to information security. If you're going to make a decision, these 3 components should be thought about and accounted for, and at the front of your mind...

The growing importance of protecting certificate authorities

Secure Sockets Layer (SSL) is becoming ever more popular, and an ever-larger share of Internet traffic is being sent over secured connections.  The question is - do you trust that the endpoint on the other end of that SSL connection is really what it says it is?  How do you know?  Certificate Authorities are targets today like never before - so protecting them is more important than it's ever been.

The Information Security OODA Loop - Orient

Here we go on part 3 of the OODA Loop series, this time tackling the second O - Orient. We'll be covering how our ability to act or react is influenced by outside factors coming at us from the Information Security profession, and where we can provide good orientation and what negative influences exist already.  Given how critical orientation is to correct decision making in a timely manner, it's imperative to understand how orientation applies in information security, first and foremost.

The Information Security OODA Loop - The Introduction

If you've never heard of OODA (Observe, Orient, Decide, Act) then you're missing out.  OODA was invented by a military strategist and the idea is that in order to win any given incursion you must go through your OODA loop faster than your opponent.  This obviously applies to the digital world where decisions are made, often poorly, based on the information available to you in a consumable and actionable format.  There's the key though, the decision you make in any given moment is predicated on having the right information, at the right time, in the right context - so you can act appropriately.

Not blending in with the furniture - CISO becoming a capable catalyst

Yesterday's post opened up the idea that Gene Kim started me on while we recorded Episode 10 of the "Down the Rabbithole" podcast (released 2/6/12 here), which is: how does a CISO become a catalyst for change, with not only responsibility but also capability?  Today's post seeks to provide clues and hints (there aren't really any answers) on how a CISO can gain capability (or earn it) by becoming a catalyst for positive change in his or her organization.  This is a difficult topic because it often involves a lot of "you should" and "you could" types of ideas - but rest assured the things I'm talking about here I've either tried myself or have had others tell me they work.  This post also draws upon the collective ideas from the LinkedIn "SecBiz" group, which has become a favorite place for many to discuss this, and I encourage you to join and participate in that group as well.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation