Wednesday, December 14, 2016

Privileged Access Management (PAM) & Approach

There are both enterprise and point PAM solutions available to organizations.  With that said, as many organizations transition to a cloud-first and federated model, an enterprise solution may be the wiser choice.

While CyberArk, CA PAM, Centrify, etc. are expensive solutions, an organization may see a better return on investment (ROI) in the long run than an organization deploying multiple point solutions (e.g., MSFT LAPS).

So, deploy PAM in a phased manner for AD, EUC, ERP / EHR, cloud, social media, etc. to make the cost palatable for the enterprise.

Tuesday, December 6, 2016

Are passwords going away?

With the introduction of additional associations and research organizations (e.g., FIDO, focused on negating the need for passwords), one might ask if they are going away.

The answer is no, not really.  Password-based credentials will still be around for years to come, especially within enterprises, for legacy systems, and for administrative access.

With that said, business-to-consumer (B2C) authentication for enterprises will morph considerably, as it already has.  And for that matter, so has business-to-business (B2B) authentication with PKI / x.509 certificate-based authentication for point-to-point VPN / RESTful API.

So, compensating controls in the way of conditional access (CA), multi-factor authentication (MFA: biometrics, OTP, voice, security challenge / questions), etc. will take the lead in identity verification, but passwords will be around for a long time.

Monday, November 21, 2016

Identity & Access Management (IAM / IdAM) Programs

IAM / IdAM / Single Sign-On (SSO) / Privileged Access Management (PAM) / Multi-Factor Authentication (MFA) / Identity Providers (IdP) / Identity Federation are all part of a program that enterprises should focus on these days.  And, these programs need to be able to extend to multiple technologies: cloud, mobile, IoT, ERP, etc.

However, these endeavors are treated as one-offs. 

As organizations wrestle with business transactions (mergers, acquisitions, divestitures), the need for a formal, organized IAM / IdAM program grows.

Saturday, October 29, 2016

Best Control Framework for HIPAA / HITECH Audits / Reviews

While many are adamant about using NIST SP 800-53A Rev 4 for HIPAA / HITECH, there is precedent for using alternatives.

Preference should be given to hybrid frameworks that use HITRUST CSF and / or ISF SOGP as they use a combination of 800-53, COBIT, and / or ISO.

The drivers for building on these controls are the new technologies, new attack vectors / threats, and a renewed emphasis on deeper dives into the proper deployment of controls / safeguards.

Tuesday, October 18, 2016

Corporate IT & the Leadership Paradox

With over a decade of experience in consulting, one can see the leadership paradox, especially in corporate IT departments.

Corporate IT executives and managers often move into consulting to embrace their experience while negating the office politics, while many middle managers move into corporate IT from Big 4 consulting firms.

Furthermore, many corporate IT shops ship out work to consulting firms instead of training their own people, while many consulting firms leverage people more junior than their client's staff.

Add to that, the reticence for IT shops to send junior managers to leadership training, and we see a revolving door of poor leaders who focus on leveraging external parties to get the work done.

No wonder IT outsourcing is so strong.

Monday, October 10, 2016

Data Breach Fatigue & Security Training

Apparently, there is "data breach fatigue" out there, and recommendations on cutting down security education, training, & awareness (SETA) are gaining traction.

The question is whether to scale back SETA activities due to this fatigue.

The answer is based on the maturity of the information security (InfoSec) program, jurisdiction / market, industry, and the organization's culture.  Frankly, a CISO / CIO / CTO should negotiate freedoms (e.g., local administrative access, open Internet / Web / email access) pursuant to SETA.  Meaning, that if users have carte blanche then SETA is required, necessary, and regularly conducted.

Also, less SETA should equate to more budget for preventive / detective capabilities.   

Monday, September 19, 2016

SaaS AI & Privacy

Salesforce's AI platform, Einstein, may present some privacy concerns.

As a SaaS service, the question is whether multi-tenant data will be included in the analysis.

Will GDPR, U.S., Privacy Shield, HIPAA, PCI DSS requirements be included?  If so, it would behoove Salesforce to include details on de-identification.

Friday, September 16, 2016

Leveraging ITIL PPT for GRC, TVM, & DevSecOps / InfoSecOps

Many orgs now have some form of ITIL investment (PPT) in place (e.g., ServiceNow: SNOW, ServiceDesk, SAP Ariba) these days.

Why not leverage that for PCI DSS / GDPR / HIPAA / Privacy Shield compliance, let alone for other purposes (e.g., TVM, DevSecOps / InfoSecOps)?

Many ITIL tools have workflows that can automate tracking, reporting, etc.

Leverage existing tools for data processing in your ecosystem, and your ROI will increase dramatically.

Wednesday, September 14, 2016

Incident Response vs Digital Forensics

When an incident / event has happened that may turn into a full-scale breach, it is best to ascertain (via a defined process / guide like 800-61) whether or not to engage in digital forensics.

However, beyond firing up forensic kits / tools like The Sleuth Kit / Autopsy, forensic activities may have adverse consequences, as operations may be affected.

Many orgs want to be safe vs sorry, so they engage in forensics to check if there was a breach, though this may be not needed and may even be construed as impetuous.

Predicated on a quick notification of the event due to proper security education, awareness, and training (SETA), initial, cursory actions may be all that is needed.  At least, initially.

Monday, September 12, 2016

Open-Source IDS Comparison (Bro vs. Snort)

After installing and running both open-source Bro and Snort IDS deployments on Ubuntu 15.04, the pros and cons are clear.

Snort is easier to get up and running, while more limited in functionality.

Bro has more functionality, but Bro is more difficult to configure and consumes more resources.

Friday, September 9, 2016

(Application) Container Movement

With Cisco acquiring ContainerX on their security spree, Docker now looks to monetize its solution (Pied Piper-style, yes, from HBO).  However, the scuttlebutt is that an open-source fork (of Docker) will be created to keep the open-source dream alive.

So, what is next?  Will Twistlock be acquired too?  By Dell, perhaps?  TBD...

Tuesday, September 6, 2016

Mine Your Scanning / Audit Data

Like the article below suggests, orgs need to analyze the data from past endeavors focused on scanning / auditing for next-gen protections.

Anti-malware, user-behavior (anomaly detection), and signatures are great, but take interest in what past scans / audits have shown regarding gaps / attack vectors.

Wednesday, August 31, 2016

Consolidate Internal Identity Stores BEFORE Focusing on Cloud-based SSO / IAM

There is a tendency to focus on the shiny objects, and many orgs have a cloud-first mentality, but there is no reason to ignore the multitude of internal identity stores that exist in most large enterprises.

SSO, SAML, etc. are great, but what about LDAP, AD, etc.?  How about provisioning / de-provisioning, especially with your vendors (e.g., SOC / MSSP, NOC / MSP, ITO, BPO)?

Friday, August 26, 2016

Are open-source SIEMs worth it?

Between SIEMonster, ELK, & OSSIM, there are several options out there for open-source SIEMs.

But, is the juice worth the squeeze?

Between cloud first strategies for SMBs & enterprises (many CSPs / IaaS providers offer add-on SIEM / ATP services), as well as the prevalence of MSSPs / SOCs, one may wonder if open-source SIEMs will ever hit critical mass?

Regardless, someone keeps building these solutions.  So, there is demand.  Also, startups may want to crawl before they sprint regarding TVM & SecEng.

Monday, August 22, 2016

Azure, Big Data, & Security

So, Microsoft has provided further innovation and thought leadership with the cloud, Big Data, & security.

As of late, Azure now offers a preview (i.e., BETA) of its Storage Service Encryption (SSE) offering for its Data Lake Store offering to complement the add-on crypto services one may use for its HDInsight (i.e., Hadoop) offering, namely integration with DgSecure.

The jury is still out on the ease of use, as well as how robust these offerings are, but, it seems Microsoft is ahead of the curve with cloud & Big Data security.

Will AWS catch-up?

Tuesday, August 16, 2016

IPS vs EDR vs NAC vs RMS

InfoSec teams have only so much budget, so how does one decide on whether to spend on the outer perimeter or inner perimeter of an on-prem network?

Well, what industry are you in?  Where are your critical systems and business processes?

If your org is not highly regulated, and you have critical systems (i.e., ERP) within your inner perimeter, then that should be your focal point.

While EDR, NAC, & RMS are all sexy technologies, they serve to protect the outer perimeter (e.g., laptops, workstations, file shares, business subnets).  And while those are assets in their own right, hopefully your IT folks have embraced the cloud and ECM / EDM (i.e., SharePoint).

For the inner perimeter, your data center, IPS, UEBA, TI, & ATP technologies may be used to protect your financial systems, etc.  Now, these solutions aren't silver bullets, but they're a start.

In this age of shadow IT, virtualization, and distributed workforces, priority should go to your most critical digital assets.

Monday, August 15, 2016

Loss Expectancy & InfoSec Metrics

So, when looking to make single / annual loss expectancy (SLE / ALE) as objective as possible, it helps to have some metrics (i.e., KPIs / KRIs).

While vulnerability scanning / DAST / SAST / pen test findings can help, the best examples are from either honeypots or red team exercises, to include: social engineering, phishing, whaling, and / or compromised digital assets.

Such metrics will help with providing the (estimated) annual rate of occurrence (ARO) needed to determine SLE * ARO = ALE.

Finally, while subjective, annual net sales / days of expected outage always helps w/ determining the SLE for ERP / EMR / EHR / ICS / CRM / SFA systems.

Monday, August 8, 2016

Securing Native Big Data Deployments v3.0: Apache Ranger & Atlas for DevSecOps, IAM, & InfoGov

Apache Ranger and Atlas offer some real thought leadership for securing native big data environments.

The question that remains is, will corporate IT teams embrace these new technologies?

I do see (cloud) providers (MS Azure, AWS) using these tools, as they need to for security compliance purposes.  I also see on-premise (hyper-convergence) solution vendors (e.g., Hortonworks, Cloudera) leveraging this as well.

Thursday, August 4, 2016

Opening the DFIR Community

InfraGard & SEI's CERT have long proposed & advocated for information sharing w/in the DFIR space.

With that said, will COPS take this InfoSec specialty to the next level?  Will such actions dilute the quality of DFIR SMEs' work and / or wages?


Sunday, July 31, 2016

Commercial Honeypots

While open-source honeypots have been around for a while (e.g., conpot, t-pot, honeyd) commercial honeypots are now coming to realization.

Examples include Cymmetria's MazeRunner, Illusive Networks, or Ridgeback's Deception Platform.

Wednesday, July 27, 2016

SIEM Deployments Do Not Equal Threat Intelligence

Just because an org has deployed a SIEM or uses a SIEM service from a MSSP / SOC vendor does not mean that threat intelligence (TI) has been implemented.

As articulated below, TI is at the next level compared to log aggregation and correlation.

As always, budget, available resources, technical skill-sets, industry, and jurisdiction will all be factors in the feasibility of onboarding a TI program.

Tuesday, July 26, 2016

SPF, DMARC, or both?

Most orgs have email filtering in the way of sender policy framework (SPF), though some seem to omit the use of domain-based message authentication, reporting, and conformance (DMARC).

While a belt and suspenders approach may not fit all budgets, in the wake of email-based malware, it may behoove orgs to use both...
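As an added example (not part of the original post), here is a defender-side check of what a domain actually publishes for SPF and DMARC: it parses the two TXT record formats and flags the weak settings that make "belt and suspenders" a belt only. The TXT records are constructed samples standing in for a DNS lookup of `example.com` and `_dmarc.example.com`; the domain names and findings text are assumptions.

```python
"""Check published SPF and DMARC records for weak settings (added example)."""
import re

# Constructed sample TXT records, in place of a live DNS TXT lookup.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com"],
    "weak.example": ["v=spf1 +all"],
    # weak.example publishes no _dmarc record at all.
}


def lookup_txt(name, resolver=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns a list of record strings."""
    return resolver.get(name, [])


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for a v=spf1 record, else None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qual = [], None
    pattern = r"^([+\-~?])?(all|ip4:.*|ip6:.*|include:.*|a.*|mx.*|exists:.*|redirect=.*)$"
    for term in terms[1:]:
        m = re.match(pattern, term, re.I)
        if not m:
            continue
        qual = m.group(1) or "+"      # an unqualified mechanism means pass
        body = m.group(2)
        if body.lower() == "all":
            all_qual = qual
        else:
            mechanisms.append((qual, body))
    return mechanisms, all_qual


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict of lowercase tags, else None."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_domain(domain, resolver=SAMPLE_TXT):
    """Return a list of human-readable findings for the domain's SPF/DMARC posture."""
    findings = []
    spf_records = [r for r in lookup_txt(domain, resolver) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append("no SPF record published")
    elif len(spf_records) > 1:
        findings.append("multiple SPF records (permanent error per RFC 7208)")
    else:
        _, all_qual = parse_spf(spf_records[0])
        if all_qual in (None, "+", "?"):
            findings.append(
                f"SPF does not fail unknown senders (all qualifier: {all_qual or 'absent'})")
        elif all_qual == "~":
            findings.append(
                "SPF softfail (~all): receivers may still accept spoofed mail; pair with DMARC")

    dmarc_records = [r for r in lookup_txt("_dmarc." + domain, resolver)
                     if r.upper().startswith("V=DMARC1")]
    if not dmarc_records:
        findings.append("no DMARC record published")
    else:
        tags = parse_dmarc(dmarc_records[0])
        if tags.get("p", "none").lower() == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is not rejected")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: no aggregate reports")
        pct = tags.get("pct", "100")
        if pct != "100":
            findings.append(f"DMARC pct={pct}: policy applied to only part of the mail")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "weak.example"):
        print(name, assess_domain(name))
```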

Cloud, CMDB, CI, & DevSecOps

AWS is changing the game w/ real thought leadership on CMDB, CI, & DevSecOps w/ rolling out: AWS Config, CodeCommit, & CodeDeploy.

Now, the question is how well these services sync w/ on-premise solutions.  Jenkins, sure.  Local CMDB, probably not...

Also, will Microsoft (Azure) play catch-up?  Yes, they have Openness, though it really doesn't support organic services.

To be continued...


While an obvious plug for Exabeam, this blog post nails the value-add.

Tuesday, July 19, 2016

NextGen InfoSec Acronym Soup: IPS, ATP, SIEM, CTD, & UEBA

Gartner released some guidance about next generation InfoSec tools and the acronym UEBA caught the eye. 

User and entity behavioral analytics (UEBA) look to tie some usual suspects (e.g., IPS, SIEM) with quasi-new kids (i.e., advanced threat protection: ATP).  This new paradigm is also referred to as cyber threat defense (CTD) by vendors like Cisco.

Watch for newcomers like Cylance and Alert Logic to expand on UEBA for on and off premise solutions in the near future.

Monday, July 18, 2016

Pokemon GO: Privacy Tracking

Kudos for Pokémon GO's success!

However, please educate your professional and social circles on the security and / or privacy ramifications to this latest fad.  Here is some thought leadership:

Wednesday, July 13, 2016

Dropbox & Bring Your Own Key (BYOK)

With cloud service providers (CSPs) moving to embrace business consumers' needs to secure their environments, more and more are embracing BYOK and / or the use of cloud access security brokers (CASB).

However, Dropbox is lagging behind.  Is this because of their strengths in the B2C market?  Maybe, but with the announcement that Salesforce will now support BYOK, Dropbox seems to be the last of the Mohicans. 

Is this a smart or dumb move?  Time will tell, though the latter seems to be the case.

Friday, July 8, 2016

Business Analysis & Information Security Investment

All InfoSec orgs strive to align spending to the business, but how often does InfoSec management ensure that there are clear business cases for investment decisions?

While simple & trivial to some, a business case (with requirements / specifications, use cases, success criteria, and business as usual [BAU] / maintenance planning) goes a very long way.  And don't blame this on the PMO, we are all adults here....

Like sport, master the fundamentals first!

Thursday, July 7, 2016

KPIs, KRIs, & Just Plain Metrics

Here is an enumeration of measurements for your security program (aggregated from multiple sources):

Weighted Risk Trend (WRT)
Defect Remediation Window (DRW)
Rate of Defect Recurrence (RDR)
Specific Coverage Metric (SCM)
Security Defect to Quality Ratio (SDQR)
Equal Error Rate (False Positives / Negatives / Tool)
Shared Services Satisfaction Score
Platform Compliance Scores
Email Traffic Analysis

% System Availability
% Security Assessment Coverage
% IT Control Coverage
% Contingency Plan Coverage
% Anti-malware Coverage
% Anti-virus Coverage
% IAM / SSO Coverage
% CASB / DLP / DCAP Coverage
% EMM / MDM Coverage

# Unaddressed Risks & Severity
# Security Incidents
# Policy Violations
# Open Vulnerabilities
# Hours of Downtime
# Local Admin Users
# Policy Exceptions
# Privileged Accounts
# Hours to Remediate Security Incidents
# Firewall Rule Changes

Wednesday, July 6, 2016

Mobile Web Filtering, DLP, ATP, or MDM / MAM

With mobile security options abound, what is a security professional to do?

Well, as always, what are the requirements?

Most organizations these days leverage some type of MDM for at least the ability to check for jailbroken iOS devices and / or to perform remote wipes.

With that said, what else is needed?  That answer depends on the use cases for the mobile devices, what data is on these devices, what devices are supported, what jurisdiction / industries the organization is in, and yes, the requirements.

As a belt and suspenders guy, I advocate MDM / MAM with Web filtering and ATP.  Especially in BYOD scenarios.  But, hey, that is just me...

Monday, July 4, 2016

Don't Forget to Plan

In the midst of the Brexit mess, we are reminded to plan before we take action.

Case in point, perform due diligence regarding information security before a merger or acquisition.  Likewise, have access controls in place before a divestiture.  Finally, test an incident response / disaster recovery plan before either really happens.

Regardless of one's position on Iraq 2003 or Brexit 2016, let's learn from one's inability to plan.

Wednesday, June 29, 2016

Roles & Responsibilities

In the midst of an engagement with a team in dire need of a reorganization, I am reminded of the need for clearly defined roles and responsibilities.  Any team in today's highly dynamic business environment will have a variety of generations, ethnicities, cultures, genders, skill sets, and competencies involved.  With that said, defined tasks and duties clarify for all parties involved who and what falls on the beloved RACI / RASCI / RAPID model(s) for the team.

That is not to say that a team does not need utility players (e.g., strategists, program managers, generalists), for they can assist during times of high resource utilization, incidents / emergencies, and / or as a mentor for junior staffers / managers.  But, for the most part, leaders need to steer the ship by providing clarity, and sometimes that requires a shuffling of the deck. 

Monday, June 27, 2016

ATP Prior to TVM (e.g., Vuln Scanning & Pen Testing)

Orgs are pushing for advanced threat protection (ATP) for ransomware / malware / phishing risk management.  However, orgs should not skip over engaging in traditional TVM to respond to these new threats.

The reason is that patching & config baselines are a true benchmark that hackers use to fingerprint / profile orgs & their environments.  Also, the time needed to remediate these findings is considerable for most orgs, as is tuning ATP products & svcs.

In an optimal, utopian world, orgs would have budget &  resources for both, but w/ limited resources orgs should focus on following the fundamentals.

Finally, orgs need TVM before a SIEM / SOC / MSSP too.

Wednesday, June 22, 2016

InfoSec & Negotiating

Many techies learn sooner or later informal negotiation tactics, though it seems InfoSec types gravitate away from this soft skill.  At least at first...

Whether dealing with internal management, vendors, or recruiters / hiring managers there will come a time when one's ability to negotiate affects their income. 

So, despite what you think of Trump, it may behoove you to read some of his thought leadership on this topic.  Sad, but true...

Tuesday, June 21, 2016

SIEM Decisions: OSSIM vs ELK, OSSEC vs rsyslog / tail / curl

Before dropping A LOT of money on a commercial SIEM installation, consider your open source options.

OSSIM and / or ELK are your most prevalent open source SIEM solutions.  ELK is the preferred deployment due to ease of use / deployment, as well as being less resource intensive.

Beyond SIEM, most organizations need to feed these log analyzers.  While OSSEC is an option, rsyslog / tail / curl is preferred as most orgs that have adept engineering teams are comfortable with open source solutions / scripting.

Monday, June 20, 2016


Does it make sense to implement a dedicated MFT environment?

It depends on the org & architecture; however, most orgs could do without.

Healthcare, insurance, fin svcs, or legal orgs may need these, though many will probably be better off using SFTP / FTPS or EDI in a pointed manner.

Wednesday, June 15, 2016

SIEMs / IPS Alone No Longer Work

Advanced threat protection (ATP), or an MSSP / SOC, versus solely SIEM deployments, are needed now more than ever.

Most orgs do not do a great job on log analysis, or malware / APT / phishing prevention, so it is well advised that outsourced ATP services be engaged, at least temporarily.

Monday, June 13, 2016

IoT Medical Device / Wearable Push-back

The AMA is pushing back on the proliferation of IoT medical device & wearables.

Now, this is a culture issue between clinicians & technicians, though a breach will provide all too much ammo for further friction.

Security requirements have been and will continue to be extremely important for IoT assimilation & use.

Friday, June 10, 2016

Web App Password Protections

Whether using AD / IDaaS / LDAP / RDBMS / NoSQL, etc. to store your web app credentials, an org needs to ensure that these are secured while at rest.  And yes, while a no brainer, many orgs do not.

Whole disk / volume-based encryption is a start for all deployments, especially transparent data encryption (TDE) solutions using KMIP for interoperability between on- and off-prem deployments.

For those who follow the belt-and-suspenders model, tokenization, salted hashes, or symmetric encryption are all options for data at rest (DAR).

For deployments (NoSQL) where organic encryption functionality may not be available, add-on algorithms (bcrypt) may be utilized.

Stop the Emails

Email technologies are a tool to complement conversations, not supplement them.

In a global, distributed workforce it may seem easier to email away, but don't.

IMs, phone or face-to-face chats will always be more productive.

Tuesday, June 7, 2016

Soft Skills

We all need to "sharpen the saw" of our soft skills regularly.  With that said, I am constantly in awe of the number of managers who shy away from mentoring junior staff on said soft skills.

Beyond that, Toastmasters, project management, & Dale Carnegie training should be regularly reinforced to those who show potential.

Develop your people or they will certainly leave you.  To reiterate, they will certainly leave you, maybe not the company.

Wednesday, June 1, 2016

Stop Using IE / Edge

Chrome / Safari / Firefox should be the preferred browser for orgs these days.

Use IE / Edge sparingly for Web apps that only support those browsers.

Tuesday, May 24, 2016

The Case for a Divide & Conquer Approach to Penetration Testing

Usually for budget / pricing reasons, some orgs decide to engage a firm with an annual pen test of significant scope (e.g., all ingress / egress, RAS, AD, VoIP, IPS, SIGs, ERP, EHR / EMR, SaaS, WLAN).

However, this approach increases scope, schedule, resource-availability, and budget risk from a project management standpoint.

Stronger orgs, with enough resources, tend to move away from the once and done approach due to the need to assess many vectors, a need for timely and regular remediation actions, and for security compliance purposes (i.e., PCI).

Monday, May 23, 2016

Stop the one-off protocols...

While easier said than done, it is time for orgs to stop using technologies with non-standard protocols.

With the maturation of TCP/IP, UDP, http/s, and ftp, there really is no reason to continue to support deviations.  Doing so just leads to insecurity.

Thursday, May 19, 2016

Why Use an IPS if Only in Monitoring Mode?

Here is a link to a commercial that describes the conundrum here:

Along the lines of the LifeLock commercial, the point here is that many orgs monitor for intrusions vs. stopping them.

Now, a misconfigured IPS can bring the train to a halt, but, that is why you "smarten" said IPS before you really start blocking traffic.

Tuesday, May 17, 2016

Red Teaming vs Pen Testing vs Scanning

Many orgs ask for pen tests these days and only get scanning from a vendor (some orgs may only want this).

However, a proper pen test will walk through in detail the safeguards, configurations, and vulnerabilities in scope to determine what exploits may actually be realized.

A red team exercise (these days) builds on a pen test by attempting to exploit the vulnerability completely, to determine whether the org can actually detect that such an exploit is happening or has happened.  Additionally, some orgs will engage in war gaming (or a red-blue / purple) exercise to determine if their SOC / MSSP can shut down the exploit attempt.

If an org wants to achieve compliance a scan, or something akin, is all that is needed.  However, most orgs need to engage a third party at least annually for a pen test to prioritize investments in remediation.  Finally, an org that is using a MSSP (external SOC) should certainly conduct a red / purple team exercise to determine the maturity of the provider.

Monday, May 16, 2016

WAF Selection Guidance

Read from the link below that Imperva is not the best fit for all orgs.

More often than not, a cloud-based or open-source WAF can prove to be just as effective.

Safe alternatives provided to clients include:

-Modsecurity, iptables, & WAFFLE
-AWS WAF & CloudFront

Thursday, May 12, 2016

InfoSec Policies / Standards vs Patterns

Policies / standards are great and all, but for larger orgs security design patterns are needed.

Said design patterns give guidance on IoT, SCADA, application, system, and network deployments.

With that said, patterns should come after policies / standards and need to be solution / vendor neutral.

Monday, May 9, 2016

IDS, IPS, or Endpoint ATP

Many orgs leverage an IDS (e.g., Snort) for detection, though many should really deploy an IPS (e.g., FireEye) for prevention purposes.  Especially when it comes to anti-malware purposes.

However, many orgs are now looking to use advanced threat prevention (ATP) solutions on Web / cloud, mobile, or SaaS email endpoints. 

Lo and behold, it makes sense to take a risk-based approach to negating malware / ransomware.  For many orgs, it makes sense to focus on protecting sensitive, core-competency data that usually resides in EHR / EMR, ERP, or ecommerce systems.  For those orgs that host these systems, it may make sense to deploy an inline IPS.

Wednesday, May 4, 2016

Are SIEMs Effective?

Verizon mentions that log analysis only accounted for 1% of breach detections.

Therefore, does an organization need a SIEM solution?  Yes, but it is one prong of a multi-prong approach to threat analysis and detection.

That is why organizations engage in MSSPs or SOCs, due to the need to incorporate defense-in-depth capabilities.

Monday, May 2, 2016

Insider Users = Reason for 27% Breaches

Malicious insider abuse causes 27% of breaches; so, ensure that local admin rights are constrained and that file shares are locked down via RBAC.  Finally, segregate and separate networks via VLANs.

Thursday, April 28, 2016


If it comes to embracing one email-focused protection solution or another, what is best for an organization?

Many orgs solely deploy DLP for email due to an enterprise DLP purchase; however, does this protect against spear phishing, whaling, or spamming?

Not really, especially if your DLP deployment is in its infancy.  With that said, email protections like DMARC & SPF will not work to prevent data loss without some type of content & context-aware solution (e.g., classification, labeling).

Thankfully, email-as-a-service (EmaaS) cloud providers include both services, while usually as an add-on service at an additional cost.

Wednesday, April 27, 2016

AWS Mobile Hub = Death of Local / Network-based DevOps?

With more organizations leveraging (at least) a cloud-first policy, is the time for local / network-based DevOps gone?

I suspect that the larger, internal development functions of Fortune 1000 firms won't change anytime soon.  However, the ecosystem between large and small is tightly coupled.  So, give it 5-10 years, and the local SCM repository will be gone.

Docker Security

Great blog post from CloudPassage below:

But what agents does one place on a container? 

  • File Integrity Monitoring (FIM)
  • Anti-virus / Malware
  • Logging / SIEM

Nice to Haves:
  • Edge Protection / Network Access Controls (NAC) - assuming a private cloud deployment
  • Data Loss Prevention (DLP) - only if an enterprise solution is deployed

Tuesday, April 26, 2016

SaaS (e.g., Cloud) Apps & Enterprise Security Architecture

Beyond extending formal enterprise security architecture (ESA) frameworks like SABSA, TOGAF, DoDAF, etc. to the cloud, organizations will have to choose a strategy for implementing controls in the cloud as well.

Now, many cloud service providers (CSP) enumerate their safeguards at a high level and say hands-off; however, more and more are either adding premium add-on security services (e.g., Shield, Office 365 DLP), or allow for the integration of third party solutions (e.g., Dropbox & CloudLock).

Depending on the ubiquity of usage (i.e., enterprise-wide), industry, and / or number of CSPs used, a hybrid strategy probably works best.  In this manner an organization can leverage enterprise access controls and monitoring via cloud access security broker (CASB) or enterprise mobility management (EMM) solutions, while leveraging native content awareness (e.g., DLP, RMS) or cryptography solutions as well.

Friday, April 22, 2016

Whaling, Spear Phishing, Scamming.....oh my!

Orgs need to conduct red team-like exercises to benchmark their exposure to this stuff....big time!

Gotchas, and ah-hahs, are not necessary when conducting this testing.  Though identification for security education, training, & awareness (SETA) is.....

Wednesday, April 20, 2016

Ransomware Response & Red Teaming

Too many pen tests are more or less vulnerability scans.

So, how many orgs engage in the next logical step, red teaming?

Better yet, how many orgs engage a red team to test their incident response process & procedures for ransomware, malware, DDoS / DoS, APT, or brute forcing / rainbow attacks throughout the cyber kill chain?

As orgs progress w/ pen testing, red teaming, etc., they need to up the ante with more inclusive testing.

Tuesday, April 12, 2016

Cloud Service Providers & Retention

When it comes to using cloud services for business, it pays to know what retention policies can and will be leveraged, particularly for heavily regulated industries.  Below are the retention policies for the heavy hitters regarding cloud: 

For the retention policies of traditional cloud file storage, see below:

Here are the retention policies for popular cloud (e.g., SaaS) apps:

On Premise DLP for Cloud-first Organizations

More often than not cloud-first organizations still engage in on premise DLP projects.  The mentality being that on prem DLP has a solid use case (file shares, etc.).

With many orgs now leveraging Exchange Online or Gmail, as well as cloud file sharing (e.g., Box, Dropbox, OneDrive, Drive), is this the best strategy?

No, most of these orgs would be better off to first focus on:

  • Cloud Access Security Broker (CASB) solutions (e.g., CloudLock, Centrify)
  • Whole Disk Encryption / EMM / MDM (e.g., BitLocker / Intune, AirWatch)
  • Email / EDM DLP
  • Web Filtering DLP

After that, orgs should focus on these investments to tie up any residual risk:

  • Database Crypto
  • IRM / RMS / DRM
  • NAC / NAP

Thursday, March 24, 2016

HIPAA & Ransomware

Is an incident involving ransomware a HIPAA breach?

The article below gives some guidance on whether or not it is a breach, though the scope of the incident is a HUGE determination in whether or not it is a breach.

Basically, an enterprise-wide structured / unstructured ePHI (database, file share / SAN / NAS) ransomware event is certainly a HIPAA breach.

Tuesday, March 22, 2016

Need for Droid App Vetting

With the news below divulged today, does anyone disagree that public apps for individual consumption would be better off with some type of security attestation?

HR Background (Credit) Checks & Internal Threats

The article below states that some insiders are open to selling a password for $1,000 (U.S.).

How does an organization prevent this?

Well, a credit check may help to understand an applicant's judgment and financial position for starters.  Though counsel (employment specialists) had better approve this beforehand.

Also, while difficult to quantify, ensure leaders (notice the lack of mentioning "managers") foster esprit de corps to mitigate such actions.

Monday, March 21, 2016

Current iOS Zero-day (March '16) = False Alarm

An alarming trend is happening.  "Cybersecurity" hype:

Yes, it is a vulnerability.  Is it front-page, five-alarm, newsworthy?  No, cryptography can be broken; that is why compensating controls are put in place.

With that said, will the U.S. Justice Department focus in on this exploit?  If so, will they leave Apple alone?  Time will tell....

Friday, March 18, 2016

Data Masking for Oracle or MSSQL

Vendors (like hotels & now airlines) love their add-ons.  Oracle offers a data masking service for a decent charge, while Microsoft offers a native, dynamic data masking (DDM) service for contemporary versions of MSSQL.

Why not trim the strings at the application-side & go from there?  Ohh, you need an identifier.  How about using a tokenization service (e.g., Vormetric, SafeNet) and a more comprehensive crypto / KMS strategy?
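As an added example (not from the original post, and not any vendor's product), here is what application-side masking plus tokenization looks like: the masked string is all the UI ever sees, while a deterministic token stands in as the identifier where one is still needed. The SSN format, the in-process vault, the role check and the MAC key are all constructed assumptions; a real deployment would use a tokenization service with a KMS-managed key.

```python
import hashlib
import hmac
import re
import secrets

# Constructed assumption: the sensitive identifier is a U.S. SSN in NNN-NN-NNNN form.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def mask_ssn(ssn: str) -> str:
    """Trim the string at the application side: only the last four digits survive."""
    if not SSN_RE.match(ssn):
        raise ValueError("not an SSN in NNN-NN-NNNN form")
    return "XXX-XX-" + ssn[-4:]


class TokenVault:
    """Hypothetical in-process vault: the same SSN always maps to the same token,
    so the token can serve as a join key, but the token reveals nothing about the SSN."""

    def __init__(self, mac_key: bytes):
        self._mac_key = mac_key      # would be KMS-managed in practice (assumption)
        self._token_by_tag = {}      # HMAC tag of the SSN -> token
        self._value_by_token = {}    # token -> SSN (a real vault encrypts this column)

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("not an SSN in NNN-NN-NNNN form")
        # Keyed tag gives deterministic lookup without storing the SSN as a dict key.
        tag = hmac.new(self._mac_key, ssn.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_tag.get(tag)
        if token is None:
            # The token itself is random, so it cannot be reversed without the vault.
            token = "tok_" + secrets.token_hex(8)
            self._token_by_tag[tag] = token
            self._value_by_token[token] = ssn
        return token

    def detokenize(self, token: str, caller_roles: set) -> str:
        """Only a caller holding the 'billing' role (constructed) gets the clear value back."""
        if "billing" not in caller_roles:
            raise PermissionError("caller is not authorized to detokenize")
        return self._value_by_token[token]
```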

Monday, March 14, 2016

Crypto-shredding & retention policies...

Most orgs these days perform key rotation at least annually.  However, what about key disposal?

Key disposal should go hand-in-hand with the disposition periods in one's retention policy, though seven (7) years is an answer if one does not have a retention policy.

Just remember how different the technology landscape was in 2009?  Yeah, seven should do, predicated on the data classification...
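An added example (not from the original post) of crypto-shredding driven by a retention schedule: each data classification gets its own key with a disposition date, and once that date passes the key is destroyed, leaving the ciphertext unrecoverable. The classifications and retention years are constructed, and the cipher is a toy HMAC-SHA256 keystream used only so the example runs on the standard library; use a vetted AEAD (e.g., AES-GCM) in production.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed retention schedule per classification (the post's default is seven years).
RETENTION_YEARS = {"PHI": 7, "MARKETING": 1}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (demo only, not a production cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class ShreddingKeyStore:
    """Holds one key per classification plus the date on which it must be disposed of."""

    def __init__(self, created: date):
        self._keys = {}
        self._dispose_on = {}
        for cls, years in RETENTION_YEARS.items():
            self._keys[cls] = secrets.token_bytes(32)
            self._dispose_on[cls] = created + timedelta(days=365 * years)

    def encrypt(self, cls: str, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ks = _keystream(self._keys[cls], nonce, len(plaintext))
        return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

    def decrypt(self, cls: str, blob: bytes) -> bytes:
        if cls not in self._keys:
            raise KeyError(f"key for {cls} was crypto-shredded; data is unrecoverable")
        nonce, ct = blob[:16], blob[16:]
        ks = _keystream(self._keys[cls], nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))

    def dispose_expired(self, today: date) -> list:
        """Destroy every key whose disposition date has passed; returns what was shredded."""
        shredded = sorted(c for c, d in self._dispose_on.items() if today >= d)
        for c in shredded:
            del self._keys[c]        # the only copy of the key is gone
            del self._dispose_on[c]
        return shredded
```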

Friday, March 11, 2016

Java & Vulnerabilities

The world's love-hate relationship with Java continues....

Of particular relevance is that this issue affects server deployments (J2EE, J2ME) versus solely JWS and applets.

Thursday, March 10, 2016

NOC (MSP) & SOC (MSSP) Selection

Guidance like the link below always reminds us of how MSP & MSSP vendors need to play nice together.

While it is not advocated that one vendor should provide both services, it is paramount that they collaborate on incident response, ticketing, patching, etc.

Wednesday, March 9, 2016

AWS Glacier & Retention Policies

For orgs that want to move AWS data (e.g., S3, EBS) to offline storage, Glacier is the answer.

However, an org will want to set access controls and retention periods for the data "vaults" in Glacier.

Per the link above, one can do that via the API.  Note that the output screenshots show JSON.

Understanding NoSQL

Many technology professionals who are not developers seem to have some difficulty in understanding the nuances of NoSQL.  So, please see the article below:

The bottom-line is that NoSQL is more flexible, but traditionally less secure out of the box.

Hopefully, homomorphic encryption (HE) will assist:

Tuesday, March 8, 2016

AWS Inspector = AWS DAST Scanning

Nice work AWS!  However, does this include the AWS WAF and / or AWS API Gateway?

Also, how does one integrate Inspector's findings in GRC & ticketing systems?

Will WhiteHat feel the heat from the competition?  Chances are yes as they run on the high side, though many orgs have loads of apps for DAST scanning, on and off AWS.

Monday, March 7, 2016

HIPAA & PCI Contact Center Compliance

HIPAA & PCI compliance transcends traditional IT security and privacy controls to include business processing.

HIPAA EDI, PCI, and / or contact center compliance is a different nut to crack, with management needing to decide whether to tokenize, mask, or encrypt recorded PHI or CHD data.

Beyond the need to notify some or all of the parties that calls may be recorded, management must decide whether to protect all recorded data or only the sensitive portions (PHI, CHD).  Deciding factors include size, scale, geographic location, and / or the budget for protecting sensitive information.

Thursday, March 3, 2016

Cloud Security & Key Management

Does one leverage a cloud provider's implicit encryption keys, their own key management system (KMS) service, or use a third-party?

First, it makes sense for an org to rely on a cloud provider's implicit key management until they are of scale to have InfoSec FTEs.

Second, some cloud consumers use multiple cloud providers (AWS, Rackspace), while some use a cloud provider via multiple regions.  So, as always it is about the requirements and budget.

With that said, here are some options:

  • Rackspace / OpenStack Cloud Keep 
  • Vormetric
  • KeyNexus
  • Intuit
Also note that software providers, especially database vendors, also have their own offerings:

  • Microsoft
  • Oracle
As usual, there is no silver bullet, though crypto is something that an org certainly needs to do correctly.

Wednesday, March 2, 2016

U.S. Federal Government Bug Bounty Program

Will they eventually have issues similar to Facebook / Instagram?

Tuesday, March 1, 2016

More prescriptive guidance on EU / US Privacy Shield

Don't we need prescriptive guidance on security here?  Maybe not on par with PCI DSS, but somewhere close.

Monday, February 29, 2016

EU/US Privacy Shield

Privacy Shield Specifics (Starting at Combined PDF Page 21):
-Accountability for Onward Transfer
-Integrity & Purpose Limitation

Big Data for InfoSec & Privacy

Most orgs now have multiple tools and processes to identify findings and to-dos regarding their risks.

However, these tools are often silo'd when compared to the org's policies, controls, and best practices.

With the introduction of RESTful APIs and JSON, the era of the master dashboard is upon us.

Look for these artifacts to leverage GRC, ECM, EDM, SAST, DAST, vulnerability management, third-party management, and configuration management data moving forward.

Thursday, February 25, 2016

NY State & Upcoming Fin Svcs Cyber Reqs

CISO, AppSec, Vendor Mgmt, CSIRT, & more happiness.......

Wednesday, February 24, 2016

Pen Testing Tool of the Week: Bluto

Tuesday, February 23, 2016

AppSec, WAFs & ESAPI

While a client waits to deploy CDN, WAF, & DDoS services to their edge, we have suggested using OWASP's ESAPI as a stopgap.

She is old and imperfect, yet ESAPI still has a use.

Friday, February 19, 2016

Ransomware & Bitcoin Payoffs

PLEASE stop doing this...invest in a solid DR strategy w/ frequent backups instead....

Debian Linux & ClamAV

Though it is not a silver bullet, ClamAV & Ubuntu go hand-in-hand.

With malware and other nastiness affecting Linux now, it is time to bulk up your Linux security baseline with ClamAV.

NoSQL Overview

Thursday, February 18, 2016

Cloud & Mobile Sockets

Wednesday, February 17, 2016

Linux Malware, Vulnerabilities & Need for Bastion Hosts

Lately with Fysbis (1), glibc (2), and other Linux issues, we have been advocating more now than ever for organizations to use bastion hosts.

Bastion hosts are easier to patch than production servers, and they allow a Linux shop to insulate known Linux hosts / guests from the outside world.

Linux is on the map with malware, so leverage ClamAV, etc. as well as a defense-in-depth security architecture.
Tuesday, February 16, 2016

Contact Center Privacy Compliance

When involving potential PHI and CHD, contact center employees must be trained up on an organization's privacy practices.

To get there, a company must have their act together by naming a Privacy Officer who can launch an effective program with the proper procedures, etc.

Monday, February 15, 2016

Consolidating Data Stores (File Shares, EDM / ECM, Cloud Storage)

2016 seems to be the year of information governance for nControl as more and more organizations (law firms, hospitals, insurance companies, banks, CROs) look to consolidate their data stores.

From a strategic perspective it is as simple as picking a street, though it is harder to execute.

Most organizations want to enable their employees from a workflow perspective, so many go down the cloud-storage-only route.  That is fine as long as safeguards are in place (access controls, SSO, cryptography, retention schedules).

Regardless of whether cloud storage is used or not, it always seems redundant to use both file shares and EDM / ECM (SharePoint, Documentum) systems.  That is why it should be on the road-map of IT management to figure this out in 2016.

Friday, February 12, 2016

Security Appliances & Vulnerabilities

Will these ever end?

No, as threat modeling evolves, and as IT consumers continue to use legacy IT assets, hackers will find a way to exploit them.

It all comes down to dollars.  Vendors want to work on new offerings, while consumers will use legacy systems until it makes financial sense to move on.

Friday, February 5, 2016

Key Mgmt: Build vs Buy

Most orgs these days leverage cryptography for data protections.  However, key management can be a logistical and administrative headache.

Hence, the use of key management systems (KMS) and services.  With that said, orgs need to determine whether they want to build or buy said KMS solutions.

For small shops, a SKM (or SKIMP as I call it) solution may work.  This solution is akin to the LAMP stack for small KMS deployments.

Larger, multinational shops may opt to go with a cloud solution like AWS's KMS, Azure's Key Vault, or SafeNet's services.

Ultimately, the decision to build vs buy rests on the complexity, budget, and skill-set of an org's IT shop.  Rest assured, there are options for all types.

Wednesday, February 3, 2016

Non-Western Breaches

Not all breaches happen in the West, and not all breaches (anywhere) are reported.
Tuesday, February 2, 2016

The Real Problem with Mobile App Security

It seems that many organizations outsource mobile application development.  Therefore, it is extremely important to ensure that security is a requirement enumerated in the contract (SLA, MSA, etc.) with said vendor.

Specifically, organizations should provide security requirements (logging, access controls, cryptography, IAM / IdM), perform threat modeling during design, perform static and dynamic analysis testing, and execute misuse cases during testing, all with said vendor.

Malware is becoming more and more prevalent, especially on devices.  So, organizations beware.

Monday, February 1, 2016

Build vs Buy Decisions w IT Security

At the risk of oversimplifying, this post will discuss the potential for building versus buying security solutions.

Some vendors who shall remain anonymous come in awfully high for security solutions.  Due to this, some smaller shops will want to go with building SIEM, GRC, or WAF solutions.  With that said, SMBs must realize that these tools require TLC to remain secure.

Note that an organization may be able to report compliance with PCI, etc., though it may not be able to stay secure.

Friday, January 29, 2016

SOAP/WCF...just die already!

To paraphrase Walter White's son in the TV show Breaking Bad, "just die" SOAP & WCF.

While RESTful and JSON APIs are not a silver bullet, they are certainly better than SOAP & WCF.

I am sure that AJAX and XML will live on, but SOA needs to pass the torch.

Thursday, January 28, 2016


It is extremely important to test out the effectiveness of your compensating controls.

Many organizations have rested on their laurels after implementing one of the tools above only to experience a data breach.

A cynic might say that this is the difference between compliance and information security.

Wednesday, January 27, 2016

More Than SIEM (VSOC, SOC) - Threat Intelligence

In contemporary times it is no longer enough for an organization to simply collect data in a SIEM (on-premise, cloud/VSOC, SOC).

This data must be analyzed and correlated with national, industry, and association-based threat intelligence to determine attack vectors and action items.

In other words, it is essential for us to move beyond security compliance to stop subsequent data breaches.

Tuesday, January 26, 2016

DDoS Prevention: Build vs Buy

In light of the recent DDoS attacks against the Irish government, it is prudent that organizations take steps to prevent DDoS attacks.

Such attacks may affect either layer 7 or layer 4 of an organization's technology stack, and therefore solutions should be put in place to cover both attack vectors.

Many organizations leverage cloud-based solutions, such as: Imperva Incapsula, Cisco OpenDNS, or F5 Silverline.  However, an organization can leverage more cost effective solutions as well, like: ModSecurity (with a commercial license from SpiderLabs for layer 7 protections) and iptables (for layer 4 protections).