Prioritizing is the Key to Defending against Advanced Threats

August 24, 2014 1 comment

Here are some helpful tips for the security manager who wants the right governance in light of advanced threats.

Most organizations have struggled for years with just cleaning and prioritizing security alerts generated from numerous point products. The value proposition for SIEM products was couched in terms of correlation and prioritization, but SIEM has only succeeded in checking a compliance box without addressing the problem of advanced persistent threats. Stopping targeted attacks in the shortest time possible is now the top priority for advanced security solutions. Read the tips HERE


Categories: Uncategorized

Four ways to build a more empowered security team

Every Chief Security Officer, CISO, and risk manager I know believes that their security and risk operation has strengths and weaknesses; in some areas best practices reign supreme, and in others the blunders threaten catastrophe. If managing risk were merely a matter of crafting great policies, we’d read about very few security failures indeed. Unfortunately, managing risk and security always plays a wildcard: the security personnel. How can we ensure that our security teams are putting their best efforts toward the objectives of the department and the business?

Read it here.

Categories: Uncategorized

Unusual Data Breaches, and other posts

I am a guest blogger at a number of other sites. Here is a sampling of some of my recent posts.

The greatest threat to data is also the least studied

Physical loss of information was difficult to quantify, so said the editors of the 2014 Verizon Data Breach Investigations Report (DBIR2014) that came out this month. That imprecision is why your cyber security precautions mean squat against the gargantuan physical risk you face.

The report, anxiously awaited each Spring, this year included a summary of ten years of breach data. Among the findings is a section on physical theft and loss. The editors described physical loss of information as not sexy and “cyber-y,” and the numbers about this type of information leakage as a little iffy. However, they rightly point out that physical loss is among the most common causes of data loss/exposure.

In short, they claim that one of the most common types of information loss is also the least measurable. Read it here


Balanced Scorecard for Security

Security executives who have used the Balanced Scorecard over the years set their IT budgets by first determining the strategic role that security will play in the organization, then establishing a companywide funding level that enables security programs to fulfill that objective. Since the first step in implementing a Balanced Scorecard starts with strategy, it follows that this can be an effective method for aligning security with that strategy. Read it here.


Categories: Uncategorized

New CISO at Target

Photo Courtesy of Target

Target named its new CISO today. Brad Maiorino will fill a newly created post called senior vice president and chief information security officer. When the Target search began, I shared the comment with several other security analysts wondering who would want that job. Apparently, Mr. Maiorino, who comes from General Motors and General Electric where he held similar positions, wants it. I imagine he feels excited about the opportunity to rebuild a security program with a substantial budget and likely a wide latitude. Plus, any breaches occurring in the first six months or so could easily be blamed on the previous administration. That gives him a year of smooth sailing and liberal spending. After that, the rubber hits the road and he will be on trial more than most CISOs.

The Snowden conversation we are all having in one way or another…

Edward Snowden (source Wikipedia)

Edward Snowden did one important thing: He made an important conversation on security and ethics popular and international.

On one hand, he told us something we always knew: Spies spy. That is, stealthily gathering secrets, usually associated with times of war or matters of national security, is the third(?) oldest profession. :-)
Spying on specific national interests is assumed, expected, and probably universal, which is why the feigned indignation of global leaders is laughable.
However, spying on a populace is extreme. Spying is normal when its targets are decision makers, influencers and information handlers. Regular citizens, though, don’t qualify for surveillance unless they are associated in some other way with a security threat.
  • Surveillance of a high crime street corner is appropriate
  • Surveillance of a shoplifting-prone market is appropriate
  • Surveillance of military leaders engaged in assault on national interests is expected
  • Yet combing through private communications and collecting information that may someday be factored as a risk destroys the fabric of trust between a people and its government.
Therefore, surveillance in itself is morally neutral, neither good nor bad. Sometimes it’s downright necessary for security or loss prevention. It’s a simple formula: Analyze meta data, identify risks, manage risks.
This surveillance and spying conversation, however, sends shivers down the backs of security managers and executives.
My recent informal research shows that security executives are Least Aware of physical threats to information. Every security executive we’ve interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc.) but almost none had studied or measured the risks associated with physical threats to information, nor did they have in place thorough procedures to protect against them.
…and Least Prepared for social engineering and physical penetration. Every security executive confessed that confidential company information was at risk of social engineering attacks (phony phone conversations, pretexting, impersonation, spear-phishing, etc.). Physical penetrations were even more frightening to some executives, who were certain that their confidential company information could be collected and conveyed out of the building (in the form of printed documents, photos, memory sticks, etc.) by
  • an unauthorized visitor tailgating into the building
  • an attacker bypassing security controls at doors and fences
  • rogue employees or contractors (a la Snowden)
  • an internal attacker of any type
We are all in this discussion now, public and private organizations, data and physical infrastructures. Now tell me your opinion. Do you think the “Snowden affair” is relevant to your organization?  Is it a physical security issue? A cybersecurity issue? Both? Something different?
(Published by Steve Hunt previously on SecurityCurrent.com)
(Photo credit: Wikipedia)

Reinventing the security perimeter

It’s time to register for my upcoming GigaOm Research webinar. The Modern Perimeter & More – countering Advanced Security Threats.

http://research.gigaom.com/webinar/the-modern-perimeter-and-more-countering-advanced-security-threats/

Categories: Uncategorized

How Spring Cleaning May Create New Information Risks

Categories: Uncategorized