Cisco Blogs


Cisco Blog > Security

Mission to Helsinki

I grew up in Northern New York State, so a trip to Helsinki in the middle of February held no fears for me. Interesting things are going on in Finland from a cybersecurity point of view, so I jumped at the chance to speak to the Security Day conference in Finland’s capital city. The conference appearance was actually one stop on an itinerary that took me to three countries, two press conferences, and four customer visits…in five days.

In some ways, it’s a tribute to globalization that audiences all over world share the same concerns about cybersecurity. Mobility, identity, explosive growth of an Internet of Things, and an increasingly malicious threat environment are as much on the minds of the people I met in Finland as they are in every part of the world I have traveled. I also found it notable that the Security Day conference celebrated its 12th anniversary this year with the largest number of attendees in its history. My talk centered on three kinds of methods that can make it harder for cybersecurity adversaries to succeed. First, I recommend doing the basics—patching, asset inventories, identity management, visibility into device and user behavior—and doing them well. Here it is particularly important to eliminate any dark space in an infrastructure. It’s the assets and users that you don’t know about that will oftentimes create our largest risks.

Second, the security community has been innovating some delightful ways to lead adversaries on merry, frustrating chases. Virtualization, honey pots, software-defined network configuration changes, and systems set up to act as mineshaft canaries, can be used to bring frustration and confusion to the working lives of adversaries.

Third, I shared my thoughts on developing new kinds of metrics designed to reflect changing definitions of security effectiveness. These include heightened ability to measure…

Adversarial Dwell Time—Time required to detect an adversary entering a system.
Compromise Speed—Time required for an adversary to perform their mission.
Unmitigated Attack Duration—Time an attack operates before stopping it.
Adversarial Confusion Ratio 1—Ratio of time an adversary appears confused to the total time of an attack.
Adversarial Confusion Ratio 2—Number of incorrect adversary decisions to the number of correct decisions.
Cost Effectiveness Ratios—Cost of protecting an infrastructure and/or service to cost of losses, and cost of protecting an infrastructure to cost of restoring a service.

These proposed metrics probably justify a free-standing blog post in their own right, so stay tuned for that.

In summing up, I described the above methods as steps along the path of building a condition of information superiority over security adversaries. This means knowing more about the infrastructure, services, and users you protect than your adversaries as a precondition for the ability to act effectively.

There’s a lot more that can be said about this, and the more I talk to customers and security practitioners, the more I’m learning and processing to take these concepts further. That alone is one of the factors that makes cybersecurity so fascinating. There’s something new to learn and think about every day.

Tags: , , , , ,

Security Geeks and Wonks Unite!

Are we heading to a day of reckoning, where the forces of cyber crime overwhelm and erase the good things that information technology delivers? If we head down our current path of incremental, individualized approaches to cyber security, the answer is “Yes.” But I’m enough of an optimist to think that if the IT and security geeks and wonks of the world can unite, share information, work hard, and not worry about who gets the credit, we stand a fighting chance. Read More »

Tags: , , , ,

RSA 2013: That’s a Wrap

RSA 2013 ends and I both miss it and breathe a sigh of relief that it’s over. Let me explain. As a security guy, it’s nice to be around other security like-minded people.  We all speak the language. You needn’t really justify why you are worried about things most people have never heard of. It’s exciting to see so many people try so many different things, be it startups, big companies, or inspired individuals. It’s great to see government employees, corporate executives, and pony-tailed security geeks all talking to one another.  In a slightly strange way, it’s therapeutic.

That said, RSA is an incredibly intense week, and this year’s conference was no exception. In four-and-a-half full days (and this is just my schedule), I had:

  • Eight customer meetings
  • Eight dinners (working out to 1.78 dinners per day.)
  • Four press interviews: two on-record, one background, 1 live videocast via Google+
  • Four bizdev/company review meetings
  • Two panels
  • Two  analyst interviews
  • Two partner meetings
  • One customer breakfast talk along with with Chris Young

And this doesn’t include the countless run-ins with friends, a quick word here or there, and emails that all have to be managed along the way. In some respects, you don’t get enough time with really good friends (if there really is such a thing as enough time for such people in our lives), and in the end, it’s a huge blur from meeting to meeting.

I posed a question in my blog earlier this year: Are we making progress in cyber security? I say yes, yet not nearly enough, and now I am thinking hard about how to change it before RSA 2014.

Tags: , , , , , ,

Live from RSA: John N. Stewart

The RSA Conference is expected to be bigger and better than ever this year—more booths, more vendors, more technical sessions and keynotes.

But I have to ask the question: “Are we as IT practitioners better off now than we were 4 or 5 years ago?” There are a lot of people at the show who worry that the old approaches aren’t working and next generation solutions have not clearly come into focus. I do think, however, there are reasons to be cautiously optimistic.

Join me for a live broadcast from the RSA show floor on Wednesday, February 27 at 10:30 AM PT as I discuss what I’m seeing at the RSA conference and what it means for the IT Security industry. We’ll be taking your questions live via Twitter and Google Hangouts.  Read More »

Tags: , , , ,

RSA Conference: T-Minus 30 Days and Counting

A month from now, thousands of cyber security friends, colleagues, professionals, hackers, defenders, sellers, buyers, old timers, and newbies will descend on San Francisco for the 2013 RSA Conference. We will challenge one another about what has changed, create new topics and new words to describe the previously indefinable, scare the heck out of each another, and ask the same questions…often: “What’s changed in the last year? Is it better? Is it worse? Is it new?”

“Security in Knowledge” is an apt theme for this year’s RSA. It resonates with me, given my very strong opinions that no company can effectively manage cyber security alone, either people-wise or data- and information-wise. Can any organization analyze 13 billion web requests per day? 150 million endpoints? A daily deluge of 75  terabytes of incoming data? You can’t cope with that yourself. We need to move to crowd-sourcing security, creating security knowledge, and ultimately increasing effectiveness rather than watching the ship continue to take on water at intermittently slowed rates.  Read More »

Tags: , , , , ,