Category Archives: strategy

Delivering security and continuity for the cities of tomorrow

It seems like almost every part of our lives is now being supported by emerging technologies, from predictive analytics and artificial intelligence to the Internet of Things (IoT). First, we had smart phones, then smart watches and now smart cities. Currently, more than half of the world’s population lives in towns and cities, and by 2050 this number could rise to 66 per cent. This is resulting in a growing need for solutions to effectively … More

The post Delivering security and continuity for the cities of tomorrow appeared first on Help Net Security.

Warding off security vulnerabilities with centralized data

This is the second article of a series; the first article is available here. File access permissions: Having a system that lets you set the proper permissions and prevents unauthorized people from accessing files is important. However, you should expect that human error will lead to unwanted vulnerabilities. Expecting your users to manually set permissions on each file without ever making a mistake is unrealistic and bad for security and compliance. The key to getting … More

The post Warding off security vulnerabilities with centralized data appeared first on Help Net Security.

Digital skills are critical for tackling the rising tide of cybercrime

The rising tide of cybercrime shows no sign of slowing. Whether it’s hacking, identity fraud or malware attacks, online criminals have proven themselves to be both relentless and ruthless. Targets have included public sector institutions and charities; even the UK’s National Health Service (NHS) was not spared. In this challenging climate, it is unsurprising that police forces are facing extreme pressure to protect victims and take meaningful action against the perpetrators, who are hard to track … More

The post Digital skills are critical for tackling the rising tide of cybercrime appeared first on Help Net Security.

Most organizations suffered a business-disrupting cyber event

A study conducted by Ponemon Institute found that 60 percent of organizations globally had suffered two or more business-disrupting cyber events — defined as cyber attacks causing data breaches or significant disruption and downtime to business operations, plant and operational equipment — in the last 24 months. Further, 91 percent of respondents had suffered at least one such cyber event in the same time period. Despite this documented history of damaging attacks, the study found … More

The post Most organizations suffered a business-disrupting cyber event appeared first on Help Net Security.

Deception technology: Authenticity and why it matters

This article is the second in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of the central role that authenticity plays in the establishment of deception as a practical defense and cyber risk reduction measure. Requirements for authenticity in deception: The over-arching goal for any cyber deception system is to create target computing and networking systems and infrastructure that … More

The post Deception technology: Authenticity and why it matters appeared first on Help Net Security.

Can advancing cybersecurity techniques keep pace with new attack vectors in 2019?

A look back through a volatile 2018 has seen the cyber security landscape move towards an even more complex picture. This has been driven by the increased volume and diversity of threats and breaches, tools and network evolution. Security professionals have faced significant challenges in attack detection and mitigation, operating to the necessary policy and legal guidelines and growing teams with suitably-skilled personnel. None of these advances show any signs of slowing in 2019. However, … More

The post Can advancing cybersecurity techniques keep pace with new attack vectors in 2019? appeared first on Help Net Security.

Leveraging AI and automation for successful DevSecOps

As engineering teams try to innovate at a faster pace, being able to maintain the quality, performance and security of the applications becomes much more important. Organizations have found huge success in improving their overall product quality while ensuring security controls and compliance requirements are met. AI-driven automation solutions have aided engineering teams in automating key processes and leveraging predictive analytics to identify issues before they occur and take corrective actions, improving the overall product … More

The post Leveraging AI and automation for successful DevSecOps appeared first on Help Net Security.

Securing and managing the enterprise Internet of Things

A future where the Internet of Things spreads exponentially is almost certain. Seemingly everybody wants these devices: consumers for the helpful features and manufacturers for the ability to collect data about the product and consumers’ use of it. Paul Calatayud, Palo Alto Networks’ CSO for the Americas, sees the IoT evolving into a new form of distributed computing powered by 5G and ever-increasing bandwidth speeds. The result will be intelligent, programmable devices that operate without … More

The post Securing and managing the enterprise Internet of Things appeared first on Help Net Security.

CISO challenges and the path to cutting edge security

Zane Lackey is the co-founder and CSO at Signal Sciences, and the author of Building a Modern Security Program (O’Reilly Media). He serves on multiple Advisory Boards including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. Prior to co-founding Signal Sciences, Zane led a security team at the forefront of the DevOps/Cloud shift as CISO of Etsy. In this interview with Help Net Security he … More

The post CISO challenges and the path to cutting edge security appeared first on Help Net Security.

An integrated approach helps companies improve operational resilience

By taking a unified approach to managing critical events (i.e. extreme weather, violence, supply chain disruption), businesses can significantly reduce the impact on employee safety, organizational reputation, and revenue, according to a study conducted by Forrester Consulting for Everbridge. According to the study, companies are investing significant resources in sophisticated controls to protect their employees, brand and assets from critical events. These disruptive incidents (ranging from cyberattacks to terrorist activity) increasingly lead to business impacts … More

The post An integrated approach helps companies improve operational resilience appeared first on Help Net Security.

Not all data collection is evil: Don’t let privacy scandals stall cybersecurity

Facebook continues to be criticized for its data collection practices. The media is hammering Google over how it handles data. JPMorgan Chase & Company was vilified for using Palantir software to allegedly invade the privacy of employees. This past June marked the five-year anniversary of The Guardian’s first story about NSA mass surveillance operations. These incidents and many others have led to an era where the world is more heavily focused on privacy and trust. … More

The post Not all data collection is evil: Don’t let privacy scandals stall cybersecurity appeared first on Help Net Security.

How can businesses get the most out of pentesting?

More than 4.5 billion data records were compromised in the first half of this year. If you still feel like your enterprise is secure after reading that statistic, you’re one of the few. Hackers utilizing high-profile exploits to victimize organizations is becoming an almost daily occurrence, with 18,000 to 19,000 new vulnerabilities estimated to show up in 2018. Here’s the thing though – we can still address the situation and make the current threat landscape … More

The post How can businesses get the most out of pentesting? appeared first on Help Net Security.

An introduction to deception technology

This article is the first in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of the evolution of deception, including its use in the enterprise, with emphasis on the practical requirements that have emerged in recent years to counter the growing number and nature of malicious threats. Purpose of deception for cyber: The idea of modern deception in cyber security … More

The post An introduction to deception technology appeared first on Help Net Security.

Situational awareness: Real-time decision making to improve business operations

Although the term situational awareness usually pertains to the military and first responder space, it also plays a crucial role in the efficiency of public and private organizations such as large-scale businesses, government agencies, transportation and logistics, and many other industries. For business leaders, situational awareness has come to mean having real-time visibility into operations in order to understand and control the business on a day-to-day basis. This allows entire teams to understand how their … More

The post Situational awareness: Real-time decision making to improve business operations appeared first on Help Net Security.

Enabling the digital future: speed, agility and resilience

As more organizations embrace digital business, infrastructure and operations (I&O) leaders will need to evolve their strategies and skills to provide an agile infrastructure for their business. In fact, Gartner said that 75 percent of I&O leaders are not prepared with the skills, behaviors or cultural presence needed over the next two to three years. These leaders will need to embrace emerging trends in edge computing, artificial intelligence (AI) and the ever-changing cloud marketplace, which … More

The post Enabling the digital future: speed, agility and resilience appeared first on Help Net Security.

Detecting malicious behavior blended with business-justified activity

With organizations moving to the cloud and remote workers becoming the rule rather than the exception, the definition of the network is changing. Add to this the increasing use of IoT devices, encryption and engagement in shadow IT practices, and it’s easy to see why organizations have trouble keeping their network and systems secure. What’s more, attackers are changing tactics: they are relying less and less on malware and shifting their focus to stealing legitimate … More

The post Detecting malicious behavior blended with business-justified activity appeared first on Help Net Security.

The fundamentals of network security and cybersecurity hygiene

Infrastructure and network security: The two fundamental building blocks to ensuring that your data is secure are physical infrastructure and network security. Understanding and protecting your information from threats and human error require meticulously layered security protocols. Physical infrastructure: Last year, British Airways canceled over 400 flights and stranded 75,000 passengers because of an IT outage caused by an engineer who disconnected a power supply at a data center near London’s Heathrow airport. When it … More

The post The fundamentals of network security and cybersecurity hygiene appeared first on Help Net Security.

Is security the real stuff of nightmares?

The Chief Information Security Officer (CISO) role is the most senior cyber security role in any organisation, and the role has developed rapidly in recent years under the wave of increased digital needs. With more customer data gathered and stored than ever before, the risk of implementing a sub-par security strategy affects every level of the organisation. CISOs are the custodians, responsible for protecting the face of their business and trust of its customers as … More

The post Is security the real stuff of nightmares? appeared first on Help Net Security.

7 trends driving enterprise IT transformation in 2019

Enabling the business outcome in a ‘Real-Time’ enterprise environment is the next challenge for global brands and government agencies in 2019. Tech companies will need to drive hard to continually exceed their customers’ expectations during a time of accelerating change. They will need to show how technology can help deliver on their customers’ objectives, improve agility, security and impact, or they risk being disrupted. Here is Verizon Enterprise Solutions’ view of those enterprise technology … More

The post 7 trends driving enterprise IT transformation in 2019 appeared first on Help Net Security.

Why compliance is never enough

Organizations are well aware of the security risks inherent in our hyper-connected world. However, many are making the mistake of focusing their attention on being compliant rather than on ensuring that their security strategy is effective and efficient. As the threat landscape continues to evolve this type of compliance-driven, checkbox mentality is setting many organizations up for a potentially disastrous fall (or breach). Being in compliance does not guarantee that a company has a comprehensive … More

The post Why compliance is never enough appeared first on Help Net Security.

Take cybersecurity into your own hands: Don’t rely on tech giants

Google doesn’t want you to have to think about cybersecurity at all, similar to how we think about breathing, which sounds like a great idea. However, in all of my years in cyber security, from the Israeli Defence Forces’ Intelligence Corps Unit to my years at the government’s National Cyber Bureau – where I worked with one of the most attacked organizations in the world, the Israel Electric Corporation – I’ve learned that trusting solely … More

The post Take cybersecurity into your own hands: Don’t rely on tech giants appeared first on Help Net Security.

Cybersecurity 2019: Predictions you can’t ignore

As we move forward to 2019, expect credit card and payment information theft to continue to rise. Yes, this isn’t a major surprise; however, if organizations can better address the reasons for the rise in cybercrime, they will be better prepared. Bolder cyberattacks against digital businesses The good news: advanced security technologies are constantly being brought to market. The not-so-good news: threat actors are not letting that get in the way; witness more intensified and … More

The post Cybersecurity 2019: Predictions you can’t ignore appeared first on Help Net Security.

Why you shouldn’t be worried about UPnP port masking

Last May, security firm Imperva wrote a blog post discussing a new proof of concept for bypassing DDoS mitigation after discovering reflected network protocols appearing on non-standard network ports. Imperva was able to replicate the same behavior using a technique called UPnP Port Masking, which uses the Universal Plug and Play (UPnP) Protocol to alter the source port of commonly abused network protocols in DDoS attacks. Multiple news outlets picked up on Imperva’s research and … More

The post Why you shouldn’t be worried about UPnP port masking appeared first on Help Net Security.

ATM attackers strike again: Are you at risk?

The United States National ATM Council recently released information about a series of ATM attacks using rogue network devices. The criminals opened the upper half of the ATM and installed the device, most likely into the Ethernet switch. The device then intercepted the ATM’s network traffic and changed the bank’s “withdraw denied” response to “withdraw approved,” presumably only for the criminals’ cards. For many readers, the attacks’ success may be surprising. However, IBM X-Force Red … More

The post ATM attackers strike again: Are you at risk? appeared first on Help Net Security.

The current state of cybersecurity in the connected hospital

Abbott and The Chertoff Group released a white paper that shares key findings from a recent study of 300 physicians and 100 hospital administrators on cybersecurity challenges in the hospital environment. Results found that while physicians and hospital administrators view cybersecurity as a priority, the majority of them feel underprepared to combat cyber risks in the connected hospital. “Cybersecurity is a shared responsibility across all of us working in today’s healthcare system,” said Chris Tyberg, … More

The post The current state of cybersecurity in the connected hospital appeared first on Help Net Security.

Are we chasing the wrong zero days?

Zero days became part of mainstream security after the world found out that Stuxnet malware was used to inflict physical damage on an Iranian nuclear facility. After the revelation, organizations focused efforts on closing unknown pathways into networks and on detecting unidentified cyber weapons and malware. A number of cybersecurity startups have even ridden the “zero day” wave into unicornville. Stuxnet’s ability to halt operations forced critical infrastructure operators to think about how they could fall … More

The post Are we chasing the wrong zero days? appeared first on Help Net Security.

Don’t accept risk with a pocket veto

We who live risk management know there are four responses when confronted with a credible risk to our organizations. We can treat the risk to reduce it. We can avoid the risk by altering our organization’s behavior. We can transfer the risk with insurance or outsourcing, though the transfer is rarely complete. Lastly, we can accept risk and hope for the best. Let’s get this out of the way first: no security professional wants to … More

The post Don’t accept risk with a pocket veto appeared first on Help Net Security.

Privacy laws do not understand human error

In a world of increasingly punitive regulations like GDPR, the combination of unstructured data and human error represents one of the greatest risks an organization faces. Understanding the differences between unstructured and structured data – and the different approaches needed to secure it – is critical to achieve compliance with the many data privacy regulations that businesses in the U.S. now face. Structured data is comprised of individual elements of information organized to be accessible, … More

The post Privacy laws do not understand human error appeared first on Help Net Security.

Third parties: Fast-growing risk to an organization’s sensitive data

The Ponemon Institute surveyed more than 1,000 CISOs and other security and risk professionals across the US and UK to understand the challenges companies face in protecting sensitive and confidential information shared with third-party vendors and partners. According to the findings, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent — up 5 … More

The post Third parties: Fast-growing risk to an organization’s sensitive data appeared first on Help Net Security.

Organizations unable to achieve business resilience against cyber threats

The Resilience Gap study, which surveyed over 4,000 business decision makers across the United States, United Kingdom, France, Germany and Japan, found that while 96% of the global business decision makers believe that making technology resilient to business disruptions should be core to their firm’s wider business strategy, the reality is very different. In fact, only 54% of respondents claim that it definitely is. Barriers to achieving business resilience: Despite 96% of respondents claiming that … More

The post Organizations unable to achieve business resilience against cyber threats appeared first on Help Net Security.

What’s keeping Europe’s top infosec pros awake at night?

As the world adapts to GDPR and puts more attention on personal privacy and security, Europe’s top information security professionals still have doubts about the industry’s ability to protect critical infrastructure, corporate networks, and personal information. Black Hat Europe’s new research report entitled, Europe’s Cybersecurity Challenges, details the thoughts that are keeping Europe’s top information security professionals awake at night. The report includes new insights directly from more than 130 survey respondents and spans topics … More

The post What’s keeping Europe’s top infosec pros awake at night? appeared first on Help Net Security.

60% of firms believe a major security event will hit in the next few years

Only 30 percent of 1,250 senior executives, management and security practitioners in the U.S., U.K. and Canada are confident their business will avoid a major security event in the coming two years and 60 percent believe an attack will hit in the next few years, according to eSentire. In terms of cyberattack preparedness in global organizations, the research also uncovered gaps between the C-suite, board and technical leaders. Among CEO and board members surveyed, 77 … More

The post 60% of firms believe a major security event will hit in the next few years appeared first on Help Net Security.

Ireland needs a coherent national approach to cybersecurity

I was interviewed by the Irish Times on why “Ireland (is) Vulnerable to Cybersecurity Attack”. During my chat with Charlie Taylor I mentioned a number of concerns I have regarding how Ireland is dealing with cybersecurity at a national level and that in many areas it is disjointed with no one department or function taking overall responsibility. The article mentions my calls for a cybersecurity tsar, but this is not the only area we need to work on.

October is known as the European Cybersecurity Awareness Month and countries throughout the EU, and indeed globally, have put together awareness campaigns aimed at their citizens and businesses alike. The whole purpose of these campaigns is to help people become more aware of the cybersecurity risks they face and to take the appropriate steps to protect themselves and others. A good awareness campaign is critical to support an effective cybersecurity strategy. However, when you go to the website for the European Agency for Network and Information Security to see which countries have government sponsored campaigns it is notable that, as per the picture below, Ireland has no such campaign.

 

This lack of support brought back to me the need for us as a nation to have an effective cybersecurity strategy to better protect our economy, infrastructure, businesses, and citizens.

I wrote about the need for a national cybersecurity strategy in a post back in 2009 “Securing Ireland’s Digital Future”. Since then we have had a strategy published in 2015 and the National Centre for Cybersecurity has been established.

The Government set up the National Cyber Security Centre in 2011 to protect critical national infrastructure. But according to a recent article in the Irish Times, a report by the public spending watchdog found that the unit has no strategic plan and needs a funding review. For anyone keen to establish Ireland as a centre for cybersecurity, then the Comptroller and Auditor General’s review of the National Cyber Security Centre made for disappointing reading.

That’s not to criticise the NCSC: it can only make do with the budget and resources it has. But the story suggests that the Government doesn’t take cybersecurity seriously. In year one, it allocated €800,000 in funding to the unit, but the following year, its funding fell below €266,000 and stayed at that level over the next three years.

The C&AG report also found that the oversight body that’s supposed to review the NCSC’s performance hasn’t met since 2015. That also happens to be the same year when the Government last published a cybersecurity strategy.

You only have to glance at the headlines to see how much of a prominent issue cybersecurity has become. Think of data breaches, DDoS attacks, online financial scams and state-sponsored activity to name just four. Ransomware infections like WannaCry and NotPetya cost businesses and public agencies significant sums of money, not to mention disrupted operations.

The C&AG also noted that in 2017, the NCSC’s funding rose again to €1.95 million. We know from reports that the Data Protection Commissioner and the Garda’s Computer Crime Investigation Unit also had their funding increased recently. But is that funding enough for what they need?

I would argue the Government needs to go further. We need a coherent and centralised approach to protecting our nation, rather than having responsibilities for various aspects for cybersecurity spread throughout different government departments and agencies.

Given how critical cybersecurity is to our ambitions as a nation to grow as a technical hub for Europe, the government should look to:

  • Establish a cybersecurity tsar with the autonomy and authority to drive a cybersecurity agenda at all levels of the public service, and to engage with the private sector.
  • Engage with key stakeholders to ensure all needs are met. The Citizens’ Assembly could be an excellent model or indeed forum to adopt to identify all the relevant needs.
  • Based on the above engagement develop a revised cybersecurity strategy with a concrete action plan to achieve the goals of the strategy. Earlier this month at CyberConf in Dublin, Minister Sean Kyne said that a new cybersecurity strategy is due in 2019. That’s not a moment too soon. We’ll await that document with interest.

While cybersecurity is everyone’s responsibility it is now too critical for us as a nation, both from an economic and national security point of view, for it to be left to individual government departments or businesses to look after.

As a small nation we have the unique advantage of being able to quickly engage with all key stakeholders and to implement initiatives to make us more secure.  It is time for us to ensure the security of our nation includes the realm of cyberspace and that Ireland can become a leading light in how to create a safe online space on the internet for its citizens and businesses alike.

The post Ireland needs a coherent national approach to cybersecurity appeared first on BH Consulting.

The Quest for Optimal Security

There's no shortage of guidance available today about how to structure, build, and run a security program. Most guidance comes from a standpoint of inherent bias, whether it be to promote a product class, specific framework/standard, or to best align with specific technologies (legacy/traditional infrastructure, cloud, etc.). Given all the competing advice out there, I often find it's hard to suss out exactly what one should be doing. As someone actively on the job hunt, this reality is even more daunting because job descriptions will typically contain a smattering of biases, confirmed or contradicted through interview processes. But, I digress...

At the end of the day, the goal of your security program should be to chart a path to an optimal set of capabilities. What exactly constitutes "optimal" will in fact vary from org to org. We know this is true because otherwise there would already be a settled "best practice" framework to which everyone would align. That said, there are a lot of common pieces that can be leveraged in identifying the optimal program attributes for your organization.

The Basics

First and foremost, your security program must account for basic security hygiene, which creates the basis for arguing legal defensibility; which is to say, if you're not doing the basics, then your program can be construed insufficient, exposing your organization to legal liability (a growing concern). That said, what exactly constitutes "basic security hygiene"?

There are a couple different ways to look at basic security hygiene. For starters, you can look at it by technology grouping:
- Network
- Endpoint
- Data
- Applications
- IAM
- etc.

However, listing out specific technologies can become cumbersome, plus it doesn't necessarily lend itself well to thinking about security architecture and strategy. A few years ago I came up with an approach that looks like this:

Ben-matrix.png

More recently, I learned of the OWASP Cyber Defense Matrix, which takes a similar approach to mine above, but mixes it with the NIST Cybersecurity Framework.


Overall, I like the simplicity of the CDM approach as I think it covers sufficient bases to project a legally defensible position, while also ensuring a decent starting point that will cross-map to other frameworks and standards depending on the needs of your organization (e.g., maybe you need to move to ISO 27001 or complete a SOC 1/2/3 certification).

Org Culture

One of the oft-overlooked, and yet insanely important, aspects of designing an approach to optimal security for your organization is to understand that it must exist completely within the organization's culture. After all, the organization is comprised of people doing work, and pretty much everything you're looking to do will have some degree of impact on those people and their daily lives.

Ben-pyramid.png

As such, when you think about everything, be it basic security hygiene, information risk management, or even behavioral infosec, you must first consider how it fits with org culture. Specifically, you need to look at the values of the organization (and its leadership), as well as the behaviors that are common, advocated, and rewarded.

If what you're asking people to do goes against the incentive model within which they're operating, then you must find a way to either better align with those incentives or find a way to change the incentives such that they encourage preferred behaviors. We'll talk more about behavioral infosec below, so for this section the key takeaway is this: organizational culture creates the incentive model(s) upon which people make decisions, which means you absolutely must optimize for that reality.

For more on my thoughts around org culture, please see my post "Quit Talking About "Security Culture" - Fix Org Culture!"

Risk Management

Much has been said about risk management over the past decade+, whether it be PCI DSS advocating for a "risk-based approach" to vulnerability management, or updates to the NIST Risk Management Framework, or various advocacy by ISO 27005/31000 or proponents of a quantitative approach (such as the FAIR Institute).

The simple fact is that, once you have a reasonable base set of practices in place, almost everything else should be driven by a risk management approach. However, what this means within the context of optimal security can vary substantially, not the least being due to staffing challenges. If you are a small-to-medium-sized business, then your reality is likely one where you, at best, have a security leader of some sort (CISO, security architect, security manager, whatever) and then maybe up to a couple security engineers (doers), maybe someone for compliance, and then most likely a lot of outsourcing (MSP/MSSP/MDR, DFIR retainer, auditors, contractors, consultants, etc, etc, etc).

Risk management is not your starting point. As noted above, there are a number of security practices that we know must be done, whether that be securing endpoints, data, networks, access, or what-have-you. Where we start needing risk management is when we get beyond the basics and try to determine what else is needed. As such, the crux of optimal security is having an information risk management capability, which means your overall practice structure might look like this:

Ben-pyramid2.png

However, don't get wrapped around the axle too much on how the picture fits together. Instead, be aware that your basics come first (out of necessity), then comes some form of risk mgmt., which will include gaining a deep understanding of org culture.

Behavioral InfoSec

The other major piece of a comprehensive security program is behavioral infosec, which I have talked about previously in my posts "Introducing Behavioral InfoSec" and "Design For Behavior, Not Awareness." In these posts, and other places, I talk about the imperative to key in on organizational culture, and specifically look at behavior design as part of an overall security program. However, there are a couple key differences in this approach that set it apart from traditional security awareness programs.
1) Behavioral InfoSec acknowledges that we are seeking preferred behaviors within the context of organizational culture, which is the set of values and behaviors promoted, supported, and rewarded by the organization.
2) We move away from basic "security awareness" programs like annual CBTs toward practices that seek measurable, lasting change in behavior that provides positive security benefit.
3) We accept that all security behaviors - whether it be hardening or anti-phishing or data security (etc) - must either align with the inherent cultural structure and incentive model, or seek to change those things in order to heighten the motivation to change while simultaneously making it easier to change.

To me, shifting to a behavioral infosec mindset is imperative for achieving success with embedding and institutionalizing desired security practices into your organization. Never is this more apparent than in looking at the Fogg Behavior Model, which explains behavior thusly:

In writing, it says that behavior happens when three things come together: motivation, ability, and a trigger (prompt or cue). We can diagram behavior (as above) wherein motivation is charted on the Y-axis from low to high, ability is charted on the X-axis from "hard to do" to "easy to do," and a prompt (or trigger) falls either to the left or right of the "line of action," which means the prompt itself is less important than one's motivation and the ease of the action.

We consistently fail in infosec by not properly accounting for incentive models (motivation) or by asking people to do something that is, in fact, too difficult (ability; that is, you're asking for a change that is hard, maybe in terms of making it difficult to do their job, or maybe just challenging in general). In all things, when we think about information risk mgmt. and the kinds of changes we want to see in our organizations beyond basic security hygiene, it's imperative that we also understand the cultural impact and how org culture will support, maybe even reward, the desired changes.

Overall, I would argue that my original pyramid diagram ends up being more useful insomuch as it encourages us to think about info risk mgmt. and behavioral infosec in parallel and in conjunction with each other.

Putting It All Together

All of these practice areas - basic security hygiene, info risk mgmt, behavioral infosec - ideally come together in a strategic approach that achieves optimal security. But what does that really mean? What are the attributes, today, of an optimal security program? There are lessons we can learn from agile, DevOps, ITIL, Six Sigma, and various other related programs and research, ranging from Deming to Senge and everything in between. Combined, "optimal security" might look something like this:


Conscious
   - Generative (thinking beyond the immediate)
   - Mindful (thinking of people and orgs in the whole)
   - Discursive (collaborative, communicative, open-minded)

Lean
   - Efficient (minimum steps to achieve desired outcome)
   - Effective (do we accomplish what we set out to do?)
   - Managed (haphazard and ad hoc are the enemy of lasting success)

Quantified
   - Measured (applying qualitative or quantitative approaches to test for efficiency and effectiveness)
   - Monitored (not just point-in-time, but watched over time)
   - Reported (to align with org culture, as well as to help reform org culture over time)

Clear
   - Defined (what problem is being solved? what is the desired outcome/impact? why is this important?)
   - Mapped (possibly value stream mapping, possibly net flows or data flows, taking time to understand who and what is impacted)
   - Reduced (don't bite off too much at once, acknowledge change requires time, simplify simplify simplify)

Systematic
   - Systemic understanding (the organization is a complex organism that must work together)
   - Automated where possible (don't install people where an automated process will suffice)
   - Minimized complexity (perfect is the enemy of good, and optimal security is all about "good enough," so seek the least complex solutions possible)


Obviously, much, much more can be said about the above, but that's fodder for another post (or a book, haha). Instead, I present the above as a starting point for a conversation to help move everyone away from some of our traditional, broken approaches. Now is the time to take a step back and (re-)evaluate our security programs and how best to approach them.

Aikido & HolisticInfoSec™

This is the 300th post to the HolisticInfoSec™ blog. Sparta, this isn't, but I thought it important to provide you with content in a warrior/philosopher mindset regardless. 
Your author is an Aikido practitioner, albeit a fledgling in practice, with so, so much to learn. While Aikido is often translated as "the way of unifying with life energy" or as "the way of harmonious spirit", I propose that the philosophies and principles inherent to Aikido have significant bearing on the practice of information security.
In addition to spending time in the dojo, there are numerous reference books specific to Aikido from which a student can learn. Among the best is Adele Westbrook and Oscar Ratti's Aikido and the Dynamic Sphere. All quotes and references that follow are drawn from this fine publication.
As an advocate for the practice of HolisticInfoSec™ (so much so, I trademarked it) the connectivity to Aikido is practically rhetorical, but allow me to provide you some pointed examples. I've tried to connect each of these in what I believe is an appropriate sequence to further your understanding, and aid you in improving your practice. Simply, one could say each of these can lead to the next.
  
The Practice of Aikido
"The very first requisite for defense is to know the enemy."
So often in information security, we see reference to the much abused The Art of War, wherein Sun Tzu stated "It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles." Aikido embraces this as the first requisite, but so too offers the importance of not underestimating your enemy or opponent. For information security, I liken it to this. If you are uninformed on adversary actor types and profiles, their TTPs (tools, tactics, procedures), as well as current vulnerabilities and exploits, along with more general threat intelligence, then you are already at a disadvantage before you even begin to imagine countering your opponent.  

"A positive defensive strategy is further qualified as being specific, immediate, consistent, and powerful." 
Upon learning more about your adversary, a rehearsed, exercised strategy for responding to their attack should be considered the second requisite for defense. To achieve this, your efforts must include:
  • a clear definition and inventory of the assets you're protecting
  • threat modeling of code, services, and infrastructure
  • an incident response plan and SOP, and regular exercise of the IR plan
  • robust security monitoring to include collection, aggregation, detection, correlation, and visualization
  • ideally, a purple team approach that includes testing blue team detection and response capabilities in partnership with a red team. Any red team that follows the "you suck, we rock" approach should be removed from the building and replaced by one who espouses "we exist to identify vulnerabilities and exploits with the goal of helping the organization better mitigate and remediate".
As your detection and response capabilities improve with practice and repetition, your mean time to mitigate (MTM) and mean time to remediate (MTR) should begin to shrink, thus lending to the immediacy, consistency, and power of your defense.


The Process of Defense and Its Factors
"EVERY process of defense will consist of three stages: perception, evaluation-decision, and reaction."
These should be easy likenesses for you to reconcile.
Perception = detection and awareness
The better and more complete your threat intelligence collection and detection capabilities, the better your situational awareness will be, and as a result your perception of adversary behaviors will improve and become more timely.
Evaluation-decision = triage
It's inevitable...$#!+ happens. Your ability to quickly evaluate adversary actions and be decisive in your response will dictate your level of success as incident responders. Strength at this stage directly impacts the rest of the response process. Incorrect or incomplete evaluation, and the resulting ill-informed decisions, can set back your response process in a manner from which recovery will be very difficult.
Reaction = response
My Aikido sensei, after doing so, likes to remind his students "Don't get hit." :-) The analogy here is to react quickly enough to stay on your feet. Can you move quickly enough to not be hit as hard or as impactfully as your adversary intended? Your reaction and response will determine such outcomes. The connection between kinetic and virtual combat here is profound. Stand still, get hit. Feint or evade, at least avoid some, or all, contact. In the digital realm, you're reducing your time to recover with this mindset.

Dynamic Factors
"A defensive aikido strategy begins the moment a would-be attacker takes a step toward you or turns aggressively in your direction. His initial motion (movement) in itself contains the factors you will use to neutralize the action of attack which will spring with explosive force from that motion of convergence."
Continuing on our theme of inevitability, digital adversaries will, beyond the shadow of a doubt, take a step toward you or turn aggressively in your direction. The question for you will be, do you even know when that has occurred in light of our discussion of requisites above? Aikido is all about using your opponent's energy against them, wherein, for those of us in DFIR, our adversary's movement in itself contains the factors we use to neutralize the action of attack. As we improve our capabilities in our defensive processes (perception, evaluation-decision, and reaction), we should be able to respond in a manner that begins the very moment we identify adversarial behavior, and do so quickly enough that our actions pivot directly on our adversary's initial motion.
As an example, your adversary conducts a targeted, nuanced spear phishing campaign. Your detective means identify all intended victims, you immediately react, and add all intended victims to an enhanced watch list for continuous monitoring. The two victims who engaged the payload are quarantined immediately, and no further adversarial pivoting or escalation is identified. The environment as a whole is raised to a state of heightened awareness, and your user-base becomes part of your perception network.


"It will be immediate or instantaneous when your reaction is so swift that you apply a technique of neutralization while the attack is still developing, and at the higher levels of the practice even before an attack has been fully launched."
Your threat intelligence capabilities are robust enough that your active deployment of detections for specific Indicators of Compromise (IOCs) prevented the targeted, nuanced spear phishing campaign from even reaching the intended victims. Your monitoring active lists include known adversary infrastructure such that the moment they launch an attack, you are already aware of its imminence.
You are able to neutralize your opponent before they even launch. This may be unimaginable for some, but it is achievable by certain mature organizations under specific circumstances.
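The spear phishing response described in the two passages above, sketched as an added example that is not part of the original post: campaign recipients go on the watch list, anyone who touched the payload host is quarantined, and messages stopped by already-deployed IOC detections are counted separately. The log formats, addresses, domains and IOC values are constructed for illustration.

```python
# Constructed sample data: an IOC list, a mail-gateway log and a web-proxy log.
# Field layout, addresses and domains are invented for this example.
IOC_SENDER_DOMAINS = {"invoice-portal.example"}
IOC_URL_HOSTS = {"login.invoice-portal.example"}

MAIL_LOG = """\
2024-05-01T09:00:02Z from=billing@invoice-portal.example to=alice@corp.example action=delivered
2024-05-01T09:00:03Z from=billing@invoice-portal.example to=bob@corp.example action=delivered
2024-05-01T09:00:04Z from=billing@invoice-portal.example to=carol@corp.example action=delivered
2024-05-01T09:00:05Z from=news@vendor.example to=dave@corp.example action=delivered
2024-05-01T09:05:00Z from=billing@invoice-portal.example to=erin@corp.example action=blocked
"""

PROXY_LOG = """\
2024-05-01T09:02:10Z user=bob@corp.example host=login.invoice-portal.example
2024-05-01T09:03:44Z user=dave@corp.example host=www.vendor.example
2024-05-01T09:04:01Z user=carol@corp.example host=login.invoice-portal.example
"""

def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts."""
    for line in log.splitlines():
        ts, *pairs = line.split()
        yield {"ts": ts, **dict(p.split("=", 1) for p in pairs)}

def triage(mail_log, proxy_log):
    """Split a campaign into watch list, quarantine and pre-delivery blocks."""
    targeted, blocked = set(), set()
    for m in parse(mail_log):
        if m["from"].rsplit("@", 1)[-1] in IOC_SENDER_DOMAINS:
            targeted.add(m["to"])            # every intended victim
            if m["action"] == "blocked":
                blocked.add(m["to"])         # stopped before reaching the inbox
    # Engagement = any user whose proxy traffic hit campaign infrastructure.
    # A forwarded copy can reach someone who was never a direct recipient.
    engaged = {p["user"] for p in parse(proxy_log)
               if p["host"] in IOC_URL_HOSTS}
    return {
        "watchlist": sorted(targeted | engaged),
        "quarantine": sorted(engaged),
        "blocked_pre_delivery": sorted(blocked),
    }

if __name__ == "__main__":
    print(triage(MAIL_LOG, PROXY_LOG))
```
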

The Principle of Centralization
"Centralization, therefore, means adopting a new point of reference, a new platform from which you can exercise a more objective form of control over events and over yourself."
Some organizations decentralize information security, others centralize it with absolute authority. There are arguments for both, and I do not intend to engage that debate. What I ask you to embrace is the "principle of centralization". The analogy is this: large corporations and organizations often have multiple, and even redundant security teams. Even so, their cooperation is key to success.
  • Is information exchanged openly and freely, with silos avoided? 
  • Are teams capable of joint response? 
  • Are there shared resources that all teams can draw from for consistent IOCs and case data?
  • Are you and your team focused on facts, avoiding FUD, thinking creatively, yet assessing with a critical, objective eye?
Even with a logically decentralized security model, organizations can embrace the principle of centralization and achieve an objective form of control over events. The practice of a joint forces focus defines the platform from which teams can and should operate.

Adversarial conditions, in both the physical realm, and the digital realm in which DFIR practitioners operate, are stressful, challenging, and worrisome. 
Morihei Ueshiba, Aikido's founder, reminds us that "in extreme situations, the entire universe becomes our foe; at such critical times, unity of mind and technique is essential - do not let your heart waver!" That said, perfection is unlikely, or even impossible; this is a practice you must exercise. Again Ueshiba offers that "failure is the key to success; each mistake teaches us something."
Keep learning, be strong of heart. :-)
Cheers...until next time.