Tuesday, December 10, 2013

A Breach is Not a Failed End State (get over it)

I struggled with the right way to start this blog post, but ultimately I settled on the most blunt approach, which is the naked truth.

There are those in our security community who feel that a breach is a [failed] end state. To me, these people fundamentally don't understand security in the modern context.

Before you start writing your comment to scold me for my directness, consider this... how many organizations can you name that can honestly claim to be 'secure' - with evidence to back that up? Conversely, look at the tremendous number of organizations, enterprises and, yes, even government entities that have been breached and not only survived the breach but are inexplicably thriving in the aftermath.

If the fact that a company's stock can look like the graph below (thanks Adrian, brilliant graphics work) after a breach boggles your mind, read on. Even if you get it, read on anyway ... maybe you'll find something to disagree with?

I've been going on and on about this topic for a while now, but let me be clear on my stance - everyone gets breached. I firmly believe there are two types of companies/organizations: those that have experienced a breach and those that don't know they have. This seems more and more to be a universal truth as I and my peers venture into organizations that claim to be "secure" only to find broad and rather obvious evidence of either past intrusions and exfiltration - or worse - active intrusions on the corporate assets. Depending on how you define an intrusion, it's virtually impossible to find an organization without some active threat or adversary inside its prized assets. There is simply too much to protect in security*, but I digress.

Let's take one of the largest, most prolific breaches in recent memory - the TJX breach. I can recall that at the time of the breach there were plenty of high-profile folks, including some in the media, who called for the company's immediate demise. To be truthful, even I (being young(er) and naive) believed that the breach would be their undoing. Well, suffice to say we were all wrong. Check out the company's stock courtesy of Adrian's graphical handiwork:

So what gives? If the company's stock drop was simply a blip on the radar to an otherwise wildly profitable company - why bother with security at all? Granted, this was more than a few years ago - but is anyone reading this foolish enough to think that consumer sentiment has changed that much? I dare say not. Furthermore, I know what some of you are thinking ... this is the retail sector, and retail shoppers are notorious for not really caring much about a credit card breach because ultimately credit cards are trivial to replace and rarely does it mean financial loss for the customer. More of a nuisance, really. True. Other industries and market segments will of course vary wildly, and I don't claim to have insight into every market segment.

Here's my logic.

  • Even the best-run, best-staffed, best-equipped security organizations are overwhelmed with operational tasks, and there is bound to be some avenue or attack vector you leave unguarded for even a split-second.
  • Attackers will exploit this weakness and breach your organization.

Now, this is where it turns into a "choose your own adventure" book (remember those?)... the good security organizations think beyond simply preventing a breach and are always in detection mode, ready to respond to the intrusion, resolve any incident and consequently learn from it. Poorly run security organizations just get breached, and pandemonium ensues when they eventually, often accidentally, figure it out.

There are a number of factors that contribute to successfully riding out that inevitable dip in confidence and likely stock price:

  • How effectively your organization communicates the issue
  • How truthful your organization's communications are
  • How transparent and open your organization is about the breach or incident
  • The timeliness of notification of individuals, and the public, put at risk
  • The level of accountability your organization takes
  • The ultimate scope of the breach or incident (for example, was the entire database stolen, or did the attacker only get away with 1/4 of the records before they were stopped?)
  • The speed at which the issue is resolved
  • What changes your organization makes, tactically and strategically, to your defensive posture as a result of the lessons learned

Now, assuming you do a reasonably good job at the bullet points above, you may ride out the issue just fine, and in fact may come out of the poop-storm smelling like a rose! Of course the court of public opinion gets to determine how well your organization is perceived to do, and the standard goes up with each major breach. You will of course be measured against yourself in a previous breach (consecutive breaches inside your organization get less and less sympathy from your customers, partners, and the media), and against your competitors - so it's not necessarily a low bar to get over.

When I explain this to CIOs and CISOs, I often find myself saying that the big issue isn't that you are experiencing a [perceived] catastrophic breach; the true issue, and Enterprise Security's responsibility, is to "shorten the dip" (in the case of publicly traded companies). The better your security organization is, the more integrated it will be throughout the company into legal, risk and, yes, even PR and marketing. The better you do in managing the incident and public perception, the shorter that dip in stock price will be, and the less likely you are to hurt long term.

In fact, and this shows up in the graphic above, there is a very good chance that even if your handling of your breach is mediocre, you will still get some tremendous exposure to new people, and will get a chance to set a high bar for the next organization to follow. Consumers, partners and clients understand that and largely respond to it. In the case of the Buffer compromise** the company was transparent, did all the right things to mitigate the compromise, and then rolled out quick fixes... and although I wasn't a customer before, I was so impressed with their handling of the incident that I'm a Buffer user now. Go figure, a breach brings in new customers...

There you have it. That's my thinking on why a breach isn't a failed end state but rather an opportunity for enterprise security to shine and actually drive the company's position and confidence in the enterprise forward.

* There will be more (much more) on this later as it necessitates a separate thread of discussion.
** If you're interested in hearing an interview on the BufferApp compromise and how they fared - check that out here on my Down the Rabbithole podcast. (shameless plug)

Monday, December 9, 2013

Security Intelligence for the Enterprise - Part 3

As promised, this is the 3rd installment of my Security Intelligence for the Enterprise post where I’ll drop some of the things that I find useful for clients looking to adopt a less “on your heels” security stance in the cyber realm.

I’ve already explained my position on what Security Intelligence is and why it’s different from Threat Intelligence, so I won’t revisit that… you can read part 1 and part 2 respectively if you want that background.

Before you dive into this campaign, and it is just that – a campaign, you’ll need to spend some time understanding what it is you want to accomplish. I suggest defining and setting your own goals since others will likely not fit in line with your business strategy or budget or resource constraints.

If you’re going to mobilize for a new function, or maybe you’re restarting a not-so-successful program from another time, you have to set goals and understand direction. Security intelligence is a holistic thing, so you have to approach it as such. First ask yourself “What is lacking in our business-aligned security program?” If your security program is yet to be business-aligned, start there and come back to Security Intelligence only after you’ve got appropriately tight business alignment.

Remember, ultimately you’re hoping that your security intelligence program helps you answer security-related questions faster and with greater certainty. It’s a way to learn from the past, analyze in the present and be more risk-averse in the future.

Capacity is a big issue. One of the first things I advise my clients to do is take a look at their existing security program and assess whether they have the human resources and capital to take on such an endeavor. If your staffers are pulling 50+ hour weeks and are overworked already, you’re not going to have the ability to start a security intelligence program. Unless, that is, you drop one of your existing program elements or consolidate/repurpose. That’s actually quite common. And since I know you’re going to ask which program element most commonly disappears as a stand-alone function, I may as well tell you that it’s the TVM (Threat and Vulnerability Management) piece. TVM nicely matures into Security Intelligence – if done properly. I will attempt to cover the metamorphosis from TVM to SecIntel in a future post; hopefully it won’t take as long to publish as this one did.

So once you’ve lined up your goals and done due diligence on resource checking, you’re ready to begin the actual planning. Although it’s not the stylish thing to do these days, the security intelligence programs I build for clients start from the inside and work outward. This means you’re not going to be reverse-engineering malware and signing up for a pricey threat intel feed just yet. Security Intelligence inside-out means you’re converting at least a few of your vulnerability analysts (depending on company size) temporarily into business analysts. Look internally into your organization and start by going over some of your old RCAs (Root Cause Analyses) from incidents you’ve experienced. Find the trouble spots, from both a technical and a business perspective, and focus on those. If you’ve never had an incident, or don’t have anything major to work with, look at the various aspects of how security interacts with the operation of the business and ask yourself what things are causing the most friction.

Now you’re on the right track to better protecting the business by having the correct information, at the right time, with the level of certainty you need. Certainty is crucial here – you can’t make decisions (such as preventing a project from going live) with incomplete data, or information you don’t have a high degree of confidence in.

At this stage you’ve added in the externalities that will be implemented later on as part of the holistic approach. Hacker group profiles (TTPs), external feeds of raw data, and timely research are all part of your master plan, each with specific value and specific payback for your program.

Basically, ask yourself the question: “How does this widget/thing help me meet the operational goals of security for this enterprise?” Be ready to justify these items to yourself, your team, and your management.

Execute the plan

Now that your plan is looking good and has been appropriately signed off, it’s time to execute. I recommend that organizations seeking to adopt a more holistic approach using security intelligence start slow – with their existing TVM program. Modify your current TVM program as much as you can to suit the purpose of decision making … now with added business context.

Track changes you’re making, track issues you’ve encountered and gains you feel you’ve made along the way. This will help you to claim success at some point, without any uncertainty. I advocate CISOs hire on (at least temporarily) a project manager to assist with keeping things on an even keel. Security programs, including Security Intelligence, are prone to scope and project creep more than other things, I fear. I’m not sure why that is.

Don’t be afraid to test and fail. For example, one of my clients got ambitious and added web app server logs in full debug to their security intelligence platform, and quickly realized that while they were getting some amazing data, the systems they had in place for analysis and storage were being overwhelmed. They failed, but it only took a week, and they were able to work with their Operations organization to pare down the data volume while still receiving useful information they can process in a reasonable amount of time to make business-saving decisions. That’s pretty cool.

Measure it

By now you’re aware of my addiction to measuring your gains/losses. Security Intelligence is no different, honestly. You’re investing, potentially quite heavily, in a new function to help your business be more agile in its security decision-making. If you can’t tell me how much more efficient or intelligent your org has become as a result of implementing your key items, you haven’t accomplished anything in my book. In fact, I spend so much time on definition, collection and analysis of data for provability of effectiveness that I make it a centerpiece of the program.

My SecIntel strategy has a placeholder for developing KPIs based on the decisions you’re hoping to make faster or more effectively in relation to some business item. Maybe you can make decisions on “attack or not attack” 50% faster than before the program rolled out. If you don’t have the metrics to back that up, rolling up into a KPI dashboard, you’re in trouble. People won’t take your word for it; the days of FUD ruling the enterprise are (hopefully) long over.

There you go, folks. A few tidbits that will hopefully help you kick off your security intelligence program right. If you’ve got questions, you can always hit me up – I’m here to help in any way I can.

Tuesday, December 3, 2013

Enterprise Security Professionals Getting Out of the Enterprise?

Enterprise security is hard, and the role of enterprise security leader is getting even harder.

In fact, I'm noticing something of a phenomenon lately that may have everything to do with how difficult it is to succeed in an enterprise security leadership role. No fewer than three of my real-life colleagues and friends in the last 90 days have left the enterprise role for a vendor or consulting opportunity. Now, this may all just be a coincidence, but if you look back over the past year, successively more and more very smart people from the enterprise are leaving their roles.

I've been thinking a lot about why this is happening, or whether it's just part of the normal cycle of things - but I think there is a pattern worth noting here. As the hum of 'cyber-security' becomes deafening even in the mainstream media and enters every crevice of our collective consciousness - it's becoming difficult to spit without hitting something cyber-security related. With that as evidence, perhaps it's simply true that the opportunities in the consulting and vendor world are far greater than in the enterprise. While this is probably true on a financial incentive level, these folks I know are not solely money driven, so there must be more to it.

Is it simply too hard to thrive in the enterprise as a security leader?

Let's look at what factors in... First of course is the very definition of success. I know far too many organizations (large or small) that still have the delusional view that they expect their enterprise security folks to keep them from being attacked or hacked. This is a wildly unrealistic expectation in this climate. Hell, this was wildly unrealistic 5 years ago... but I digress. If the enterprise leadership that the CISO or security leader reports to can't adequately understand how to define success for the CISO - what's the use in trying to dive in to achieve an undefined goal? That's madness! More precisely, if failure is easy to identify (being hacked/breached) and success is unclear - what are the odds of success here? I'd say pretty close to zero.

If you can get past the very definition of success and get to something mutually agreeable and achievable - there's always the issue of culture and budget. Some organizations are simply not going to adopt sane and sound security practices without a lot of forced retirement. I'm actually serious. Chris Hoff ( @beaker ) had a great quote a while back that certain paradigms (I think he was talking about cloud computing at the time) are literally waiting for us to die off (us being the dinosaurs) before they're mainstream adopted. Think about it. Those folks in your company who were working there before computers were an everyday thing in all aspects of life, and before hackers and cyber were a common thing, will probably never fully understand or mentally grasp the gravity of what you're going to ask them to do. So you'll literally have to wait until they're gone from the company before things get better. Now, don't get me wrong, I'm not saying that the latest generation raised on Facebook and Snapchat has any better clue about security, but at least they understand the technologies better ... or so we'd hope. The other major hindrance is budget, and that's just a fact of life in the enterprise. When things are going well, you get budget. When things are going poorly (and you really need every penny) you're likely being asked to cut back - the problem is that in security it's nearly impossible to pare back "unnecessary items" unless you've really padded your budget (in which case, shame on you, and good job). So there's that.

Lastly - your adversaries are kicking your ass all over the playground. They have better toys, they have more time, and they're oftentimes much better equipped to win. You're stuck affording a mid-level firewall resource who also has to use the web app scanner to scan your web apps, while your adversary is financially driven and has an entire supply chain of bad-asses at their disposal. Seriously, you're screwed. There is no way you're entering a CISO role at an organization that has a public profile without getting some bruises and having one of those very, very long nights when things go sideways.

So perhaps getting out of the enterprise (like I did back in '08) is just the thing to do right now, because playing defense is challenging, to put it politely. Or perhaps the consulting and vendor side just pays way, way better and offers more challenge and a climate where it's at least possible to succeed. Or perhaps this is all just a coincidence ... but I bet it's more than that.

What do you think? Have you recently made the switch from enterprise to the dark side? Or have you gone back the other way (vendor/consultant to enterprise)? I'd like to hear from you in the comments section below...