I grew up in Northern New York State, so a trip to Helsinki in the middle of February held no fears for me. Interesting things are going on in Finland from a cybersecurity point of view, so I jumped at the chance to speak to the Security Day conference in Finland’s capital city. The conference appearance was actually one stop on an itinerary that took me to three countries, two press conferences, and four customer visits…in five days.
In some ways, it’s a tribute to globalization that audiences all over world share the same concerns about cybersecurity. Mobility, identity, explosive growth of an Internet of Things, and an increasingly malicious threat environment are as much on the minds of the people I met in Finland as they are in every part of the world I have traveled. I also found it notable that the Security Day conference celebrated its 12th anniversary this year with the largest number of attendees in its history. My talk centered on three kinds of methods that can make it harder for cybersecurity adversaries to succeed. First, I recommend doing the basics—patching, asset inventories, identity management, visibility into device and user behavior—and doing them well. Here it is particularly important to eliminate any dark space in an infrastructure. It’s the assets and users that you don’t know about that will oftentimes create our largest risks.
Second, the security community has been innovating some delightful ways to lead adversaries on merry, frustrating chases. Virtualization, honey pots, software-defined network configuration changes, and systems set up to act as mineshaft canaries, can be used to bring frustration and confusion to the working lives of adversaries.
Third, I shared my thoughts on developing new kinds of metrics designed to reflect changing definitions of security effectiveness. These include heightened ability to measure…
Adversarial Dwell Time—Time required to detect an adversary entering a system.
Compromise Speed—Time required for an adversary to perform their mission.
Unmitigated Attack Duration—Time an attack operates before stopping it.
Adversarial Confusion Ratio 1—Ratio of time an adversary appears confused to the total time of an attack.
Adversarial Confusion Ratio 2—Number of incorrect adversary decisions to the number of correct decisions.
Cost Effectiveness Ratios—Cost of protecting an infrastructure and/or service to cost of losses, and cost of protecting an infrastructure to cost of restoring a service.
These proposed metrics probably justify a free-standing blog post in their own right, so stay tuned for that.
In summing up, I described the above methods as steps along the path of building a condition of information superiority over security adversaries. This means knowing more about the infrastructure, services, and users you protect than your adversaries as a precondition for the ability to act effectively.
There’s a lot more that can be said about this, and the more I talk to customers and security practitioners, the more I’m learning and processing to take these concepts further. That alone is one of the factors that makes cybersecurity so fascinating. There’s something new to learn and think about every day.
Tags: cybersecurity, Finland, Helsinki, John N. Stewart, security, Security Day Conference
Despite its overwhelming business benefits, the Internet of Things (IoT) also significantly increases security risks. That’s why Cisco is pleased to announce the IoT Security Grand Challenge, an industry-wide initiative to bring the global security community together to secure the IoT, and deliver intelligent cybersecurity for the real world – before, during, and after an attack. Winners will be awarded $50,000 in prize money and be publicly announced at the IoT World Forum this Fall!
Read the full Fame and Fortune Awaits: The Cisco IoT Security Grand Challenge blog post to learn more.
Tags: Cisco Security, cybersecurity, Internet of Everything, internet of things, IoE, IoT, network security, security
Editor’s Note: This is the first part of a four-part series featuring an in-depth overview of Infosec’s (Information Security) Unified Security Metrics Program. In this first installment, we discuss the value of security metrics at Cisco.
What does the film Moneyball have in common with security metrics? Turns out—plenty. In Moneyball, the storyline focuses on the Oakland A’s baseball team’s quest to assemble and field a competitive team. Fiscally constrained, their general manager uses a new approach towards scouting, analyzing and securing players through the use of metrics.
The general manager’s hypothesis was that player performance statistics, such as stolen bases and runs batted in (RBIs) focus on speed and contact. But other metrics, such as on-base percentage and slugging percentage have a greater influence on the team’s main goal—scoring runs and winning games.
Skeptics scoffed at the data’s reliability as a consistent performance indicator but, much to everyone’s surprise, the data held its own and the A’s became a viable competitor. By keeping their eyes squarely focused on the real problem—protecting and safeguarding their franchise’s future—the A’s used simple, meaningful metrics to manage risk, guide their operating and decision-making practices, and strengthen their brand. Read More »
Tags: infosec, metrics, security
I recently contributed a chapter titled “Advanced Technologies/Tactics Techniques, Procedures (TTPs): Closing the Attack Window, and Thresholds for Reporting and Containment” that was published in an anthology Best Practices in Computer Network Defense: Incident Detection and Response, published by the IOS press. In the chapter, I recommend a number of TTPs that can move the cybersecurity balance of power away from adversaries to infrastructure defenders. Acting on the TTPs I propose—including focusing hard work and clear thinking on network security basics—will pay maximum dividends for the cybersecurity defender.
The book’s publishers have graciously granted me permission to reproduce the chapter on the Cisco website, and you are welcome to read it here. Please take a moment to read it and let me know what you think in the form of comments on this blog post.
Thanks in advance for your thoughts and reasonably well considered opinions!
Tags: best practices, network security, security, TTPs
Is the combination of cloud computing and mobility a perfect storm of security threats?
Actually, yes. And you should prepare for them as if there is a storm coming.
As businesses become increasingly mobile, so does sensitive data. In fact, in a recent survey conducted by ESG,
31% of security professionals say that the biggest risk associated with cloud infrastructure services is, “privacy concerns associated with sensitive and/or regulated data stored and/or processed by a cloud infrastructure provider.”
With cloud-based services, it is key to have visibility into applications and provide consistent experience across devices accessing the web and cloud applications. More users are leaving the standard PC behind and engaging cloud applications through a mobile device, making application-layer security and user access security critical. Smartphones and tablets are able to connect to applications running anywhere, including public, private and hybrid cloud applications, opening your data to potential attacks. Security professionals need assurances that their cloud security provider will appropriately secure customer data while ensuring availability and uptime.
The conversation is no longer if you’ll be attacked, but when. And will you be prepared?
Read the full article: Data Security Through the Cloud
Tags: CIO, cisco annual security report, Cisco Security, Cisco Security Grand Challenge, CiscoCloud, cloud, cloud security, data security, ESG, Internet of Everything, IoE, ITaaS, security