Wednesday, August 31, 2016

Consolidate Internal Identity Stores BEFORE Focusing on Cloud-based SSO / IAM

There is a tendency to focus on the shiny objects, and many orgs have a cloud-first mentality, but there is no reason to ignore the multitude of internal identity stores that exist in most large enterprises.

SSO, SAML, etc. are great, but what about LDAP, AD, etc.? How about provisioning and deprovisioning, especially for your vendors (e.g., SOC / MSSP, NOC / MSP, ITO, BPO)?
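As an added illustration (not from the original post) of what "consolidate first" means in practice, the following reconciliation pass compares a directory export against an authoritative roster of employees and vendor engagements. The exports, roster and dates are constructed sample data, and the field names (sAMAccountName, uid, lastLogon) are assumed for the example; the checks are the ones a deprovisioning review would run: accounts with no owner of record, vendor accounts that outlived their contract, accounts present in only one store, and enabled accounts that have gone stale.

```python
from datetime import date

# Constructed sample exports (not real data). One record per account.
AD_EXPORT = [
    {"sAMAccountName": "jdoe",     "enabled": True, "lastLogon": "2016-08-20"},
    {"sAMAccountName": "mssp-svc", "enabled": True, "lastLogon": "2016-08-29"},
    {"sAMAccountName": "bpo-ops1", "enabled": True, "lastLogon": "2016-05-01"},
    {"sAMAccountName": "old-ito",  "enabled": True, "lastLogon": "2015-11-30"},
]
LDAP_EXPORT = [
    {"uid": "jdoe",     "status": "active"},
    {"uid": "mssp-svc", "status": "active"},
    {"uid": "asmith",   "status": "active"},  # provisioned in LDAP only, never in AD
]
# Authoritative roster: HR records plus vendor contracts, with an end date
# for engagements that expire. Constructed for the example.
ROSTER = {
    "jdoe":     {"type": "employee", "end": None},
    "asmith":   {"type": "employee", "end": None},
    "mssp-svc": {"type": "vendor",   "end": date(2017, 1, 31)},
    "bpo-ops1": {"type": "vendor",   "end": date(2016, 6, 30)},  # contract already over
}
DEMO_TODAY = date(2016, 8, 31)


def reconcile(ad, ldap, roster, today, stale_days=90):
    """Cross-check two identity stores against the roster and return findings."""
    ad_ids = {r["sAMAccountName"].lower(): r for r in ad}
    ldap_ids = {r["uid"].lower(): r for r in ldap}

    findings = {
        "orphaned": set(),        # account exists, nobody in the roster owns it
        "expired_vendor": set(),  # roster says the engagement ended, account still exists
        "only_in_ad": set(ad_ids) - set(ldap_ids),
        "only_in_ldap": set(ldap_ids) - set(ad_ids),
        "stale": set(),           # enabled in AD but unused for longer than stale_days
    }

    for uid in set(ad_ids) | set(ldap_ids):
        entry = roster.get(uid)
        if entry is None:
            findings["orphaned"].add(uid)
        elif entry["end"] is not None and entry["end"] < today:
            findings["expired_vendor"].add(uid)

    for uid, rec in ad_ids.items():
        if rec["enabled"]:
            last = date.fromisoformat(rec["lastLogon"])
            if (today - last).days > stale_days:
                findings["stale"].add(uid)

    return findings


def demo():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(AD_EXPORT, LDAP_EXPORT, ROSTER, DEMO_TODAY)


if __name__ == "__main__":
    for category, ids in demo().items():
        print(f"{category:15s} {sorted(ids)}")
```

The point of the exercise is that none of these findings are visible from the SSO layer: a federated login only sees what the directory presents to it, so an expired BPO account or an orphaned ITO account that never left AD is still a working credential until the stores themselves are reconciled.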

Friday, August 26, 2016

Are open-source SIEMs worth it?

Between SIEMonster, ELK, & OSSIM, there are several options out there for open-source SIEMs.

But, is the juice worth the squeeze?

Between cloud-first strategies for SMBs and enterprises (many CSPs / IaaS providers offer add-on SIEM / ATP services), as well as the prevalence of MSSPs / SOCs, one may wonder whether open-source SIEMs will ever hit critical mass.

Regardless, someone keeps building these solutions, so there is demand. Also, startups may want to crawl before they sprint when it comes to TVM and SecEng.

Monday, August 22, 2016

Azure, Big Data, & Security

So, Microsoft has provided further innovation and thought leadership with the cloud, Big Data, & security.

As of late, Azure offers a preview (i.e., BETA) of Storage Service Encryption (SSE) for its Data Lake Store offering, complementing the add-on crypto services one may use with its HDInsight (i.e., Hadoop) offering, namely the integration with DgSecure.

The jury is still out on the ease of use, as well as on how robust these offerings are, but it seems Microsoft is ahead of the curve with cloud and Big Data security.

Will AWS catch up?

Tuesday, August 16, 2016

IPS vs EDR vs NAC vs RMS

InfoSec teams have only so much budget, so how does one decide on whether to spend on the outer perimeter or inner perimeter of an on-prem network?

Well, what industry are you in?  Where are your critical systems and business processes?

If your org is not highly regulated, and you have critical systems (i.e., ERP) within your inner perimeter, then that should be your focal point.

While EDR, NAC, & RMS are all sexy technologies, they serve to protect the outer perimeter (e.g., laptops, workstations, file shares, business subnets). And while those endpoints are assets in their own right, hopefully your IT folks have embraced the cloud and ECM / EDM (i.e., SharePoint), so that the data itself no longer lives on them.

For the inner perimeter, i.e., your data center, IPS, UEBA, TI, & ATP technologies may be used to protect your financial systems, etc. Now, these solutions aren't silver bullets, but they're a start.

In this age of shadow IT, virtualization, and distributed workforces, the priority should be your most critical digital assets.

Monday, August 15, 2016

Loss Expectancy & InfoSec Metrics

So, when looking to make single / annual loss expectancy (SLE / ALE) as objective as possible, it helps to have some metrics (i.e., KPIs / KRIs).

While vulnerability scanning / DAST / SAST / pen test findings can help, the best examples are from either honeypots or via red team exercises, to include: social engineering, phishing, whaling, and / or compromised digital assets.

Such metrics help with providing the (estimated) annual rate of occurrence (ARO) needed to compute SLE * ARO = ALE.

Finally, while subjective, annual net sales / days of expected outage always helps w/ determining the SLE for ERP / EMR / EHR / ICS / CRM / SFA systems.
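To make the arithmetic concrete, here is an added worked example (not from the original post) that carries SLE * ARO = ALE through for two constructed scenarios. The honeypot and red-team counts, net sales and outage days are all made-up sample values. One assumption is how the "annual net sales / days of expected outage" rule is applied: the code prorates annual net sales to a daily figure and multiplies by the expected outage days.

```python
from dataclasses import dataclass


@dataclass
class ExposureMetric:
    """A KRI from a honeypot or red-team exercise (constructed sample values)."""
    source: str
    events: int       # successful compromises observed in the window
    window_days: int  # length of the observation window


def annual_rate_of_occurrence(metric: ExposureMetric) -> float:
    """Scale observed events up to a per-year rate: the ARO estimate."""
    return metric.events * 365 / metric.window_days


def single_loss_expectancy(annual_net_sales: float, outage_days: float) -> float:
    """SLE as revenue at risk: daily net sales times expected days of outage.
    Assumption: this is how the post's sales-per-outage-day rule is read."""
    return annual_net_sales / 365 * outage_days


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """The post's formula: SLE * ARO = ALE."""
    return sle * aro


def evaluate(name, annual_net_sales, outage_days, metric):
    """Return the full SLE / ARO / ALE breakdown for one system."""
    sle = single_loss_expectancy(annual_net_sales, outage_days)
    aro = annual_rate_of_occurrence(metric)
    return {"system": name, "sle": sle, "aro": aro,
            "ale": annual_loss_expectancy(sle, aro), "basis": metric.source}


def prioritise(scenarios):
    """Rank scenarios by ALE, highest first, so budget follows expected loss."""
    return sorted(scenarios, key=lambda s: s["ale"], reverse=True)


def demo():
    """Two constructed scenarios sharing one (made-up) annual net sales figure."""
    sales = 120_000_000
    erp = evaluate(
        "ERP", sales, outage_days=3,
        # red team: 1 of 4 quarterly exercises reached the ERP tier over a year
        metric=ExposureMetric("red team", events=1, window_days=365))
    crm = evaluate(
        "CRM", sales, outage_days=1,
        # honeypot on the CRM subnet: 2 compromises in a 180-day window
        metric=ExposureMetric("honeypot", events=2, window_days=180))
    return prioritise([erp, crm])


if __name__ == "__main__":
    for s in demo():
        print(f"{s['system']}: SLE={s['sle']:,.0f} ARO={s['aro']:.2f} "
              f"ALE={s['ale']:,.0f} (from {s['basis']})")
```

Note how the ranking can invert intuition: the ERP outage has the larger single loss, but the honeypot-derived ARO for the CRM gives it the larger annual expectancy, which is exactly the kind of signal the red-team and honeypot metrics above are meant to surface.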

Monday, August 8, 2016

Securing Native Big Data Deployments v3.0: Apache Ranger & Atlas for DevSecOps, IAM, & InfoGov

Apache Ranger and Atlas offer some real thought leadership for securing native big data environments.

The question that remains is, will corporate IT teams embrace these new technologies?

I do see (cloud) providers (MS Azure, AWS) using these tools, as they need to for security compliance purposes. I also see on-premise (hyper-convergence) solution vendors (e.g., Hortonworks, Cloudera) leveraging these as well.

Thursday, August 4, 2016

Opening the DFIR Community

InfraGard and SEI's CERT have long proposed and advocated for information sharing within the DFIR space.

With that said, will COPS take this InfoSec specialty to the next level? Will such actions dilute the quality of DFIR SMEs' work and/or their wages?