Wednesday, June 29, 2016

Roles & Responsibilities

In the midst of an engagement with a team in dire need of a reorganization, I am reminded of the need for clearly defined roles and responsibilities.  Any team in today's highly dynamic business environment will include a variety of generations, ethnicities, cultures, genders, skill sets, and competencies.  With that said, defined tasks and duties clarify for everyone involved who sits where on the team's beloved RACI / RASCI / RAPID model(s).

That is not to say that a team does not need utility players (e.g., strategists, program managers, generalists), for they can assist during times of high resource utilization, incidents / emergencies, and / or as mentors for junior staffers / managers.  But, for the most part, leaders need to steer the ship by providing clarity, and sometimes that requires a shuffling of the deck.

Monday, June 27, 2016

ATP Prior to TVM (e.g., Vuln Scanning & Pen Testing)?

Orgs are pushing for advanced threat protection (ATP) for ransomware / malware / phishing risk management.  However, orgs should not skip over traditional threat & vulnerability management (TVM) in their rush to respond to these new threats.

The reason is that missing patches and drift from configuration baselines are exactly what attackers fingerprint when profiling an org and its environment.  Also, remediating scan and pen test findings takes most orgs considerable time, as does tuning ATP products & services.

In an optimal, utopian world, orgs would have budget & resources for both, but with limited resources orgs should focus on the fundamentals first.

Finally, orgs need TVM before a SIEM / SOC / MSSP too.

Wednesday, June 22, 2016

InfoSec & Negotiating

Many techies sooner or later pick up informal negotiation tactics, though InfoSec types seem to shy away from this soft skill.  At least at first...

Whether dealing with internal management, vendors, or recruiters / hiring managers, there will come a time when one's ability to negotiate affects one's income.

So, despite what you think of Trump, it may behoove you to read some of his thought leadership on this topic.  Sad, but true...

Tuesday, June 21, 2016

SIEM Decisions: OSSIM vs ELK, OSSEC vs rsyslog / tail / curl

Before dropping A LOT of money on a commercial SIEM installation, consider your open source options.

OSSIM and ELK are the most prevalent open source SIEM options.  ELK is the preferred deployment due to ease of use / deployment, as well as being less resource intensive.  The trade-off is that ELK is a log search and analytics stack: the correlation rules, asset inventory and vulnerability-scan integration that OSSIM bundles have to be built or bolted on.

Beyond the SIEM itself, most organizations need to feed these log analyzers.  While OSSEC is an option, rsyslog / tail / curl is preferred, as most orgs with adept engineering teams are comfortable with open source solutions / scripting.  Keep in mind that OSSEC is a host IDS (file integrity monitoring, rootkit checks, log-based alerting) as well as a log shipper, so scripting replaces only the shipping piece.  Whatever ships the logs, put TLS and authentication in front of the Elasticsearch endpoint; an open source ELK install of this era accepts writes from anyone who can reach port 9200.
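As an added example, not code from the original post: the tail / curl shipping pipeline written in Python so the two pieces most people get wrong are visible, namely parsing the syslog line into fields the SIEM can query, and building the Elasticsearch `_bulk` body with a real JSON encoder rather than printf.  The sample lines are constructed; the endpoint URL, index name and the year supplied for the BSD syslog timestamp are assumptions.

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

# Constructed sample lines standing in for `tail -F /var/log/auth.log`.
# The last line carries quotes and a backslash on purpose: a printf-built
# JSON payload breaks on exactly this kind of input, json.dumps does not.
SAMPLE_LINES = [
    "Jun 21 10:15:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Jun 21 10:15:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Jun 21 10:15:09 web01 sshd[2230]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2",
    'Jun 21 10:16:00 web01 app[900]: user="o\'brien" path=C:\\temp said "hello"',
]

# RFC 3164-style line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog(line, year=2016):
    """Turn one syslog line into a flat document.  Unparseable lines are kept
    and flagged so nothing is silently dropped on the way to the SIEM."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"message": line, "parse_error": True}
    # BSD syslog omits the year; the caller supplies it (assumed: current year).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    doc = {
        "@timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
        "host": m["host"],
        "program": m["prog"],
        "message": m["msg"],
    }
    if m["pid"]:
        doc["pid"] = int(m["pid"])
    return doc


def to_bulk(docs, index="syslog"):
    """Elasticsearch _bulk body: one action line then one document line per
    event, newline-delimited, with a mandatory trailing newline.
    (Elasticsearch 2.x-6.x also wanted "_type" in the action line; 8.x rejects it.)"""
    out = []
    for doc in docs:
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(doc))
    return "\n".join(out) + "\n"


def send_bulk(payload, url="http://localhost:9200/_bulk"):
    """POST the payload.  The curl equivalent is
    curl -H 'Content-Type: application/x-ndjson' --data-binary @payload URL
    The URL is an assumption; use https and credentials outside a lab."""
    req = urllib.request.Request(
        url,
        data=payload.encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/x-ndjson"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    payload = to_bulk(parse_syslog(line) for line in SAMPLE_LINES)
    print(payload)  # inspect here, then send_bulk(payload) against a real cluster
```

Wire this behind `tail -F` by reading `sys.stdin` instead of `SAMPLE_LINES`; the point of `parse_syslog` returning a flagged document rather than raising is that a shipper which dies on the first odd line is a shipper that quietly stops feeding the SIEM.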

Monday, June 20, 2016

Does it make sense to implement a dedicated MFT environment?

It depends on the org & architecture; however, most orgs could do without a dedicated managed file transfer (MFT) environment.

Healthcare, insurance, financial services, or legal orgs may need one, though many would be better off using SFTP / FTPS or EDI for the specific exchanges that require it.

Wednesday, June 15, 2016

SIEMs / IPS Alone No Longer Work

Advanced threat protection (ATP), or an MSSP / SOC, is needed now more than ever; a SIEM deployment on its own is not enough.

Most orgs do not do a great job on log analysis, or on malware / APT / phishing prevention, so it is well advised that outsourced ATP services be engaged, at least temporarily.

Monday, June 13, 2016

IoT Medical Device / Wearable Push-back

The AMA is pushing back on the proliferation of IoT medical devices & wearables.

Now, this is a culture issue between clinicians & technicians, though a breach will provide all too much ammo for further friction.

Security requirements have been and will continue to be extremely important for IoT assimilation & use.

Friday, June 10, 2016

Web App Password Protections

Whether using AD / IDaaS / LDAP / RDBMS / NoSQL, etc. to store your web app credentials, an org needs to ensure that these are secured while at rest.  And yes, while a no-brainer, many orgs do not.

Whole disk / volume-based encryption is a start for all deployments, and transparent data encryption (TDE) with keys managed over KMIP keeps key handling interoperable between on-prem and off-prem.  Know the limit, though: disk encryption and TDE defend against a stolen disk or snapshot, not against an attacker who reaches the database through the application (e.g., via SQL injection), because the data is decrypted transparently for any authorized connection.

For those who follow the belt-and-suspenders model, protect the values themselves, not just the volume.  Passwords should never be stored reversibly at all, only as salted, slow hashes (bcrypt, scrypt, Argon2 or PBKDF2).  Tokenization or symmetric encryption is for secrets the app must read back in the clear, such as API keys or OAuth refresh tokens, and those are data at rest (DAR) too.

Password hashing belongs in the application tier, so it works the same whether the store is an RDBMS or a NoSQL database that lacks native encryption: the app hashes with bcrypt (or scrypt / Argon2 / PBKDF2) before writing, and the store only ever sees the hash.

Stop the Emails

Email technologies are a tool to complement conversations, not replace them.

In a global, distributed workforce it may seem easier to email away, but don't.

IMs, phone or face-to-face chats will always be more productive.

Tuesday, June 7, 2016

Soft Skills

We all need to "sharpen the saw" of our soft skills regularly.  With that said, I am constantly in awe of the number of managers who shy away from mentoring junior staff on said soft skills.

Beyond that, Toastmasters, project management, & Dale Carnegie training should be regularly reinforced to those who show potential.

Develop your people or they will certainly leave you.  To reiterate, they will certainly leave you, maybe not the company.

Wednesday, June 1, 2016

Stop Using IE / Edge

Chrome / Safari / Firefox should be the preferred browsers for orgs these days.

Use IE / Edge sparingly for Web apps that only support those browsers.