Monday, August 22, 2016
So, Microsoft has provided further innovation and thought leadership with the cloud, Big Data, & security.
As of late, Azure now offers a preview (i.e., beta) of its Storage Service Encryption (SSE) offering for its Data Lake Store, complementing the add-on crypto services one may use with its HDInsight (i.e., Hadoop) offering, namely integration with DgSecure.
The jury is still out on the ease of use, as well as how robust these offerings are, but it seems Microsoft is ahead of the curve with cloud & Big Data security.
Will AWS catch up?
Monday, August 15, 2016
Loss Expectancy & InfoSec Metrics
So when looking to make single / annual loss expectancy (SLE / ALE) as objective as possible, it helps to have some metrics (i.e., KPIs / KRIs).
While vulnerability scanning / DAST / SAST / pen test findings can help, the best examples come from either honeypots or red team exercises, including social engineering, phishing, whaling, and / or compromised digital assets.
Such metrics help provide the (estimated) annual rate of occurrence (ARO) needed to determine SLE * ARO = ALE.
Finally, while subjective, annual net sales / days of expected outage always help with determining the SLE for ERP / EMR / EHR / ICS / CRM / SFA systems.
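The SLE * ARO = ALE calculation worked through in code, as an added example that is not part of the original post. It annualizes observed event counts (honeypot hits, red team phishing compromises) into an ARO, reads "annual net sales / days of expected outage" as daily net sales times expected outage days (an assumed interpretation), and ranks constructed scenarios by ALE; all figures and labels are made up for illustration.

```python
from dataclasses import dataclass

DAYS_PER_YEAR = 365

@dataclass
class Scenario:
    """A loss scenario backed by an observed event count from a metric source."""
    name: str
    source: str              # honeypot, red team phishing, etc. (constructed labels)
    events: int              # realized or simulated compromises observed
    window_days: int         # length of the observation window in days
    annual_net_sales: float  # revenue attributable to the affected system
    outage_days: float       # expected days of outage per event

def estimate_aro(events, window_days):
    """Annualize an observed event count into an annual rate of occurrence (ARO)."""
    if window_days <= 0:
        raise ValueError("observation window must be positive")
    return events * DAYS_PER_YEAR / window_days

def estimate_sle(annual_net_sales, outage_days):
    """SLE as daily net sales lost per day of expected outage (assumed reading of the post)."""
    return annual_net_sales / DAYS_PER_YEAR * outage_days

def annual_loss_expectancy(scenario):
    """ALE = SLE * ARO, with both terms derived from the scenario's metrics."""
    sle = estimate_sle(scenario.annual_net_sales, scenario.outage_days)
    aro = estimate_aro(scenario.events, scenario.window_days)
    return {"name": scenario.name, "sle": round(sle, 2),
            "aro": round(aro, 3), "ale": round(sle * aro, 2)}

def rank_scenarios(scenarios):
    """Order scenarios by ALE, highest first, so remediation effort follows expected loss."""
    return sorted((annual_loss_expectancy(s) for s in scenarios),
                  key=lambda r: r["ale"], reverse=True)

# Constructed sample metrics, not data from the post.
SCENARIOS = [
    Scenario("ERP via phishing", "red team phishing", events=3, window_days=90,
             annual_net_sales=36_500_000, outage_days=2),
    Scenario("ICS via exposed service", "honeypot", events=2, window_days=180,
             annual_net_sales=73_000_000, outage_days=0.5),
    Scenario("CRM via stolen credential", "compromised asset report", events=1,
             window_days=365, annual_net_sales=7_300_000, outage_days=5),
]

if __name__ == "__main__":
    for row in rank_scenarios(SCENARIOS):
        print(row)
```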
Monday, August 8, 2016
Securing Native Big Data Environments v3.0: Using Apache Ranger & Atlas for DevSecOps, IAM, InfoGov
Apache Ranger (http://ranger.apache.org/) and Atlas (http://atlas.incubator.apache.org/) offer some real thought leadership for securing native big data environments.
The question that remains is, will corporate IT teams embrace these new technologies?
I do see (cloud) providers (MS Azure, AWS) using these tools, as they need to for security compliance purposes. I also see on-premises (hyper-convergence) solution vendors (e.g., Hortonworks, Cloudera) leveraging this as well.
Thursday, August 4, 2016
Opening the DFIR Community
InfraGard & SEI's CERT have long proposed & advocated for information sharing within the DFIR space.
With that said, will COPS (http://www.infosecurity-magazine.com/news/cops-open-incident-response/) take this InfoSec specialty to the next level? Will such actions dilute the quality of DFIR SMEs' work and/or wages?
TBD...
Monday, August 1, 2016
KPIs, KRIs, & Just Plain Metrics
Here is an enumeration of measurements for your security program (aggregated from multiple sources):
Weighted Risk Trend (WRT)
Defect Remediation Window (DRW)
Rate of Defect Recurrence (RDR)
Specific Coverage Metric (SCM)
Security Defect to Quality Ratio (SDQR)
Equal Error Rate (False Positives / Negatives / Tool)
Shared Services Satisfaction Score
Platform Compliance Scores
Email Traffic Analysis
% System Availability
% Security Assessment Coverage
% IT Control Coverage
% Contingency Plan Coverage
% Anti-malware Coverage
% Anti-virus Coverage
% IAM / SSO Coverage
% CASB / DLP / DCAP Coverage
% EMM / MDM Coverage
# Unaddressed Risks & Severity
# Security Incidents
# Policy Violations
# Open Vulnerabilities
# Hours of Downtime
# Local Admin Users
# Policy Exceptions
# Privileged Accounts
# Hours to Remediate Security Incidents
# Firewall Rule Changes
Sunday, July 31, 2016
Commercial Honeypots
While open-source honeypots have been around for a while (e.g., conpot, t-pot, honeyd), commercial honeypots are now becoming a reality.
Examples include Cymmetria's MazeRunner (https://www.cymmetria.com/) or Ridgeback's Deception Platform (http://www.ridgebacknet.com/).
Friday, July 29, 2016
SPF, DMARC, or both?
Most orgs have email filtering in the way of Sender Policy Framework (SPF: http://www.openspf.org/), though some seem to omit the use of Domain-based Message Authentication, Reporting and Conformance (DMARC: https://dmarc.org/).
While a belt and suspenders approach may not fit all budgets, in the wake of email-based malware, it may behoove orgs to use both...
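A quick check of the "SPF but no DMARC" gap described above, as an added example that is not part of the original post. It inspects constructed DNS TXT records (the `.test` domains and records are made up, and the `lookup` callable stands in for a real resolver) and flags a missing DMARC record, a monitoring-only `p=none` policy, and an SPF record whose `all` mechanism is neutral.

```python
import re

# Constructed sample DNS TXT records for illustration (not real domains or records).
SAMPLE_TXT = {
    "example-a.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.example-a.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-a.test"],
    "example-b.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],  # SPF present, DMARC omitted
    "example-c.test": ["v=spf1 include:_spf.mailhost.test ?all"],
    "_dmarc.example-c.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-c.test"],
}

def find_record(txt_records, prefix):
    """Return the first TXT record starting with the given version tag, or None."""
    return next((r for r in txt_records if r.lower().startswith(prefix)), None)

def spf_all_qualifier(spf):
    """Qualifier on the terminating 'all' mechanism: '-' fail, '~' softfail, '?' neutral, '+' pass."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    return (m.group(1) or "+") if m else None

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(domain, lookup=lambda name: SAMPLE_TXT.get(name, [])):
    """Report whether a domain publishes SPF and DMARC, and whether DMARC actually enforces."""
    spf = find_record(lookup(domain), "v=spf1")
    dmarc = find_record(lookup("_dmarc." + domain), "v=dmarc1")
    findings = []
    if spf is None:
        findings.append("no SPF record")
    elif spf_all_qualifier(spf) in ("?", "+"):
        findings.append("SPF 'all' is neutral/pass: unlisted senders are not rejected")
    policy = parse_dmarc(dmarc).get("p") if dmarc else None
    if dmarc is None:
        findings.append("no DMARC record: receivers cannot enforce alignment or report")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    return {"domain": domain, "spf": spf, "dmarc_policy": policy, "findings": findings}

if __name__ == "__main__":
    for d in ("example-a.test", "example-b.test", "example-c.test"):
        print(assess(d))
```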
Dart: Google's New Web Procedural Language
So, Google has announced that they are rolling out a new web procedural language called Dart, which strikes my fancy as I wonder if security was built from the ground up.
Specifically, IAM, encryption/hashing, prepared statements/input validation, enhanced error/exception checking all come to mind as points I hope they considered.
We will see.
Cloud Computing & ROI
I have spent several hours today reading about various takes on calculating the ROI on cloud computing and the consensus seems to be that it is nebulous. Though, one can break down the cloud into various buckets, such as: hardware, software administration, provisioning, etc.
These buckets may assist in the overall ROI of the cloud, but my experience is that a Business Analyst/Manager type uses ROI to build a business case for moving a specific application to the cloud, not so much a CIO. So, in that case I believe the TCO of an internal solution could be used for calculating the ROI of a one-off app going to the cloud.
At the end of the day, you need a number the CxO will be satisfied with. How you arrived at that number may not be questioned.
SIEM Deployments Do Not Equal Threat Intelligence
Just because an org has deployed a SIEM or uses a SIEM service from a MSSP / SOC vendor does not mean that threat intelligence (TI) has been implemented.
As articulated below, TI is at the next level compared to log aggregation and correlation.
https://securityintelligence.com/how-stix-taxii-and-cybox-can-help-with-standardizing-threat-information/
As always, budget, available resources, technical skill-sets, industry, and jurisdiction will all be factors in the feasibility of onboarding a TI program.
Monday, July 4, 2016
Don't Forget to Plan
In the midst of the Brexit mess, we are reminded to plan before we take action.
Case in point, perform due diligence regarding information security before a merger or acquisition. Likewise, have access controls in place before a divestiture. Finally, test an incident response / disaster recovery plan before either really happens.
Regardless of one's position on Iraq 2003 or Brexit 2016, let's learn from one's inability to plan.
Tuesday, April 12, 2016
Cloud Service Providers & Retention
When it comes to using cloud services for business, it pays to know what retention policies can and will be leveraged, particularly for heavily regulated industries. Below are the retention policies for the heavy hitters regarding cloud:
For the retention policies of traditional cloud file storage, see below:
Here are the retention policies for popular cloud (e.g., SaaS) apps: