Sunday, July 31, 2016

Commercial Honeypots

While open-source honeypots have been around for a while (e.g., conpot, t-pot, honeyd), commercial honeypots are now becoming a reality.

Examples include Cymmetria's MazeRunner, Illusive Networks, or Ridgeback's Deception Platform.

Wednesday, July 27, 2016

SIEM Deployments Do Not Equal Threat Intelligence

Just because an org has deployed a SIEM or uses a SIEM service from an MSSP / SOC vendor does not mean that threat intelligence (TI) has been implemented.

As articulated below, TI is at the next level compared to log aggregation and correlation.

As always, budget, available resources, technical skill-sets, industry, and jurisdiction will all be factors in the feasibility of onboarding a TI program.

Tuesday, July 26, 2016

SPF, DMARC, or both?

Most orgs have email filtering in the form of sender policy framework (SPF), though some seem to omit the use of domain-based message authentication, reporting and conformance (DMARC).

While a belt-and-suspenders approach may not fit all budgets, in the wake of email-based malware, it may behoove orgs to use both...
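As an added example (not code from the post), here is a small Python checker that shows what "use both" looks like in practice: it parses a domain's SPF and DMARC TXT records and reports the gaps a defender cares about, such as a missing DMARC record, a monitoring-only p=none policy, or an SPF record ending in +all. The DNS names and TXT records below are constructed sample data standing in for live lookups; in a real check you would replace lookup_txt with a resolver query (e.g. dnspython's dns.resolver.resolve(name, "TXT")).

```python
"""Assess whether a domain publishes both SPF and DMARC and whether either is weak.

Added example for this post; the records below are constructed, not real domains.
"""
from typing import Dict, List, Optional

# Constructed sample TXT records, keyed by the DNS name that would be queried.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example-both.test": ["v=spf1 include:_spf.example-both.test -all"],
    "_dmarc.example-both.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-both.test"],
    "example-spf-only.test": ["v=spf1 ip4:203.0.113.0/24 ~all", "site-verification=abc123"],
    "example-weak.test": ["v=spf1 +all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none"],
}


def lookup_txt(name: str, records: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Stand-in for a DNS TXT query; returns [] when the name has no records."""
    return records.get(name, [])


def parse_spf(txt_records: List[str]) -> Optional[dict]:
    """Return the SPF record's 'all' qualifier (+, -, ~, ?) or None if absent."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    terms = spf[0].split()[1:]
    all_mech = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    qualifier = None
    if all_mech is not None:
        # RFC 7208: a mechanism with no explicit qualifier defaults to "+" (pass).
        qualifier = all_mech[0] if all_mech[0] in "+-~?" else "+"
    return {"record": spf[0], "all_qualifier": qualifier, "multiple": len(spf) > 1}


def parse_dmarc(txt_records: List[str]) -> Optional[dict]:
    """Split a DMARC record into tag=value pairs and pull out the policy tags."""
    recs = [r for r in txt_records if r.replace(" ", "").upper().startswith("V=DMARC1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {
        "record": recs[0],
        "policy": tags.get("p"),
        "subdomain_policy": tags.get("sp"),
        "reporting": "rua" in tags,
    }


def assess_domain(domain: str, records: Dict[str, List[str]] = SAMPLE_TXT) -> dict:
    """Combine SPF and DMARC parsing into a list of findings for the domain."""
    spf = parse_spf(lookup_txt(domain, records))
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", records))
    findings = []
    if spf is None:
        findings.append("no SPF record")
    else:
        if spf["multiple"]:
            findings.append("multiple SPF records (permerror per RFC 7208)")
        if spf["all_qualifier"] is None:
            findings.append("SPF has no 'all' mechanism; unlisted senders evaluate to neutral")
        elif spf["all_qualifier"] == "+":
            findings.append("SPF ends in +all: any sender passes")
        elif spf["all_qualifier"] == "?":
            findings.append("SPF ends in ?all: unlisted senders evaluate to neutral")
    if dmarc is None:
        findings.append("no DMARC record: SPF results are never enforced against the From: domain")
    elif dmarc["policy"] == "none":
        findings.append("DMARC p=none: monitoring only, no enforcement")
    elif dmarc["policy"] not in ("quarantine", "reject"):
        findings.append(f"DMARC policy {dmarc['policy']!r} is not a valid value")
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "findings": findings}


if __name__ == "__main__":
    for name in ("example-both.test", "example-spf-only.test", "example-weak.test"):
        result = assess_domain(name)
        print(name, "->", result["findings"] or ["SPF and DMARC both present and enforcing"])
```

The point the checker makes is the one in the post: SPF alone only describes who may send; without a DMARC record there is no policy telling receivers what to do with a failure, and a p=none policy only reports.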

Cloud, CMDB, CI, & DevSecOps

AWS is changing the game w/ real thought leadership on CMDB, CI, & DevSecOps w/ rolling out: AWS Config, CodeCommit, & CodeDeploy.

Now, the question is how well these services sync w/ on-premises solutions.  Jenkins, sure.  Local CMDB, probably not...

Also, will Microsoft (Azure) play catch-up?  Yes, they have Openness, though it really doesn't support organic services.

To be continued...


While an obvious plug for Exabeam, this blog post nails the value-add.

Tuesday, July 19, 2016

NextGen InfoSec Acronym Soup: IPS, ATP, SIEM, CTD, & UEBA

Gartner released some guidance about next generation InfoSec tools and the acronym UEBA caught the eye. 

User and entity behavioral analytics (UEBA) looks to tie some usual suspects (e.g., IPS, SIEM) with quasi-new kids (i.e., advanced threat protection: ATP).  This new paradigm is also referred to as cyber threat defense (CTD) by vendors like Cisco.

Watch for newcomers like Cylance and Alert Logic to expand on UEBA for on and off premise solutions in the near future.

Monday, July 18, 2016

Pokemon GO: Privacy Tracking

Kudos for Pokémon GO's success!

However, please educate your professional and social circles on the security and / or privacy ramifications of this latest fad.  Here is some thought leadership:

Wednesday, July 13, 2016

Dropbox & Bring Your Own Key (BYOK)

With cloud service providers (CSPs) moving to embrace business consumers' needs to secure their environments, more and more are embracing BYOK and / or the use of cloud application security brokers (CASB).

However, Dropbox is lagging behind.  Is this because of their strengths in the B2C market?  Maybe, but with the announcement that Salesforce will now support BYOK, Dropbox seems to be the last of the Mohicans. 

Is this a smart or dumb move?  Time will tell, though the latter seems to be the case.

Friday, July 8, 2016

Business Analysis & Information Security Investment

All InfoSec orgs strive to align spending to the business, but how often does InfoSec management ensure that there are clear business cases for investment decisions?

While simple & trivial to some, a business case (with requirements / specifications, use cases, success criteria, and business as usual [BAU] / maintenance planning) goes a very long way.  And don't blame this on the PMO; we are all adults here....

Like sport, master the fundamentals first!

Thursday, July 7, 2016

KPIs, KRIs, & Just Plain Metrics

Here is an enumeration of measurements for your security program (aggregated from multiple sources):

Weighted Risk Trend (WRT)
Defect Remediation Window (DRW)
Rate of Defect Recurrence (RDR)
Specific Coverage Metric (SCM)
Security Defect to Quality Ratio (SDQR)
Equal Error Rate (False Positives / Negatives / Tool)
Shared Services Satisfaction Score
Platform Compliance Scores
Email Traffic Analysis

% System Availability
% Security Assessment Coverage
% IT Control Coverage
% Contingency Plan Coverage
% Anti-malware Coverage
% Anti-virus Coverage
% IAM / SSO Coverage
% CASB / DLP / DCAP Coverage
% EMM / MDM Coverage

# Unaddressed Risks & Severity
# Security Incidents
# Policy Violations
# Open Vulnerabilities
# Hours of Downtime
# Local Admin Users
# Policy Exceptions
# Privileged Accounts
# Hours to Remediate Security Incidents
# Firewall Rule Changes
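The list above names the metrics but not how to compute them, so here is an added Python example (my own code, not from the post) that derives a handful of them from constructed finding and asset records: Defect Remediation Window, Rate of Defect Recurrence, Weighted Risk Trend, # Open Vulnerabilities, and the % coverage figures. The severity weights, the choice of median for DRW, and the definition of "recurrence" are assumptions made for the example; adjust them to whatever your program actually agrees on.

```python
"""Compute several of the listed security metrics from constructed sample data.

Added example; the metric definitions and weights below are assumptions, not the post's.
"""
from datetime import date
from statistics import median
from typing import List, Optional, Tuple

# Assumed severity weights used for the Weighted Risk Trend.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

# Constructed findings: (id, severity, opened, closed or None, reopened_before)
Finding = Tuple[str, str, date, Optional[date], bool]
FINDINGS: List[Finding] = [
    ("F1", "critical", date(2016, 6, 1), date(2016, 6, 4), False),
    ("F2", "high", date(2016, 6, 3), date(2016, 6, 20), True),
    ("F3", "high", date(2016, 6, 10), None, False),
    ("F4", "medium", date(2016, 5, 20), date(2016, 6, 30), False),
    ("F5", "low", date(2016, 6, 15), None, False),
    ("F6", "critical", date(2016, 6, 25), None, True),
]

# Constructed asset inventory with boolean control-coverage flags.
ASSETS = [
    {"name": "ws-01", "anti_virus": True, "mdm": True, "assessed": True},
    {"name": "ws-02", "anti_virus": True, "mdm": False, "assessed": True},
    {"name": "srv-01", "anti_virus": True, "mdm": True, "assessed": False},
    {"name": "srv-02", "anti_virus": False, "mdm": False, "assessed": True},
]


def defect_remediation_window(findings: List[Finding], severity: Optional[str] = None) -> Optional[float]:
    """DRW: median days from open to close over closed findings (optionally one severity)."""
    days = [
        (closed - opened).days
        for _, sev, opened, closed, _ in findings
        if closed is not None and (severity is None or sev == severity)
    ]
    return median(days) if days else None


def rate_of_defect_recurrence(findings: List[Finding]) -> Optional[float]:
    """RDR: share of findings that were ever remediated and then reopened."""
    ever_closed = [f for f in findings if f[3] is not None or f[4]]
    if not ever_closed:
        return None
    return sum(1 for f in ever_closed if f[4]) / len(ever_closed)


def open_findings(findings: List[Finding], as_of: date) -> List[Finding]:
    """Findings that were open on the given date."""
    return [f for f in findings if f[2] <= as_of and (f[3] is None or f[3] > as_of)]


def weighted_open_risk(findings: List[Finding], as_of: date) -> int:
    """Severity-weighted sum of findings open on a date."""
    return sum(SEVERITY_WEIGHT[f[1]] for f in open_findings(findings, as_of))


def weighted_risk_trend(findings: List[Finding], start: date, end: date) -> int:
    """WRT: change in weighted open risk between two dates (positive = getting worse)."""
    return weighted_open_risk(findings, end) - weighted_open_risk(findings, start)


def coverage_percent(assets: List[dict], control: str) -> float:
    """% coverage of a control: assets with the flag set, over all assets."""
    if not assets:
        return 0.0
    return 100.0 * sum(1 for a in assets if a.get(control)) / len(assets)


if __name__ == "__main__":
    print("DRW (all, days):", defect_remediation_window(FINDINGS))
    print("DRW (critical, days):", defect_remediation_window(FINDINGS, "critical"))
    print("RDR:", rate_of_defect_recurrence(FINDINGS))
    print("# Open Vulnerabilities:", len(open_findings(FINDINGS, date(2016, 6, 30))))
    print("WRT (Jun 15 -> Jun 30):", weighted_risk_trend(FINDINGS, date(2016, 6, 15), date(2016, 6, 30)))
    for control in ("anti_virus", "mdm", "assessed"):
        print(f"% {control} coverage:", coverage_percent(ASSETS, control))
```

A trend figure only means something when the as-of dates and the weighting are fixed in advance, which is why the functions take explicit dates rather than reading the clock.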

Wednesday, July 6, 2016

Mobile Web Filtering, DLP, ATP, or MDM / MAM

With mobile security options abound, what is a security professional to do?

Well, as always, what are the requirements?

Most organizations these days leverage some type of MDM for at least the ability to check for jailbroken iOS devices and / or to perform remote wipes.

With that said, what else is needed?  That answer depends on the use cases for the mobile devices, what data is on these devices, what devices are supported, what jurisdiction / industries the organization is in, and yes, the requirements.

As a belt-and-suspenders guy, I advocate MDM / MAM with Web filtering and ATP, especially in BYOD scenarios.  But, hey, that is just me...

Monday, July 4, 2016

Don't Forget to Plan

In the midst of the Brexit mess, we are reminded to plan before we take action.

Case in point, perform due diligence regarding information security before a merger or acquisition.  Likewise, have access controls in place before a divestiture.  Finally, test an incident response / disaster recovery plan before either really happens.

Regardless of one's position on Iraq 2003 or Brexit 2016, let's learn from the failure to plan.