Category Archives: tips

CISO do’s and don’ts: Lessons learned

Keeping a business safe from cyber threats while allowing it to thrive is every CISO’s goal. The task is not easy: a CISO has to keep many balls in the air while being buffeted by an increasingly complex and always shifting threat landscape. Consequently, the importance of a good CISO should not be underestimated. Mistakes to avoid, practices to implement Francesco Cipollone, CISO and director at UK-based cybersecurity consultancy NSC42, says that he has seen … More

The post CISO do’s and don’ts: Lessons learned appeared first on Help Net Security.

Are students prepared for real-world cyber curveballs?

With a projected “skills gap” numbering in the millions for open cyber headcount, educating a diverse workforce is critical to corporate and national cyber defense moving forward. However, are today’s students getting the preparation they need to do the cybersecurity work of tomorrow?

To help educators prepare meaningful curricula, the National Institute of Standards and Technology (NIST) has developed the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. The U.S. Department of Energy (DOE) is also doing its part to help educate our future cybersecurity workforce through initiatives like the CyberForce Competition,™ designed to support hands-on cyber education for college students and professionals. The CyberForce Competition™ emulates real-world, critical infrastructure scenarios, including “cyber-physical infrastructure and lifelike anomalies and constraints.”

As anyone who’s worked in cybersecurity knows, a big part of operational reality are the unexpected curveballs ranging from an attacker’s pivot while escalating privileges through a corporate domain to a request from the CEO to provide talking points for an upcoming news interview regarding a recent breach. In many “capture the flag” and “cyber-range exercises,” these unexpected anomalies are referred to as “injects,” the curveballs of the training world.

For the CyberForce Competition™ anomalies are mapped across the seven NICE Framework Workforce Categories illustrated below:

Image showing seven categories of cybersecurity: Operate and Maintain, Oversee and Govern, Collect and Operate, Securely Provision, Analayze, Protect and Defend, and Investigate.

NICE Framework Workforce categories, NIST SP 800-181.

Students were assessed based on how many and what types of anomalies they responded to and how effective/successful their responses were.

Tasks where students excelled

  • Threat tactic identification—Students excelled in identifying threat tactics and corresponding methodologies. This was shown through an anomaly that required students to parse through and analyze a log file to identify aspects of various identifiers of insider threat; for example, too many sign-ins at one time, odd sign-in times, or sign-ins from non-standard locations.
  • Log file analysis and review—One task requires students to identify non-standard browsing behavior of agents behind a firewall. To accomplish this task, students had to write code to parse and analyze the log files of a fictitious company’s intranet web servers. Statistical evidence from the event indicates that students are comfortable writing code to parse log file data and performing data analysis.
  • Insider threat investigations—Students seemed to gravitate towards the anomalies and tasks connected to insider threat identification that maps to the Security Provision pillar. Using log analysis techniques described above, students were able to determine at a high rate of success individuals with higher than average sign-in failure rates and those with anomalous successful logins, such as from many different devices or locations.
  • Network forensics—The data indicated that overall the students had success with the network packet capture (PCAP) forensics via analysis of network traffic full packet capture streams. They also had a firm grasp on related tasks, including file system forensic analysis and data carving techniques.
  • Trivia—Students were not only comfortable with writing code and parsing data, but also showed they have solid comprehension and intelligence related to cybersecurity history and trivia. Success in this category ranked in the higher percentile of the overall competition.

Pillar areas for improvement

  • Collect and Operate—This pillar “provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.” Statistical analysis gathered during the competition indicated that students had hesitancies towards the activities in this pillar, including for some tasks that they were successful with in other exercises. For example, some fairly simple tasks, such as analyzing logs for specific numbers of entries and records on a certain date, had a zero percent completion rate. Reasons for non-completion could be technical inability on the part of the students but could also have been due to a poorly written anomaly/task or even an issue with sign-ins to certain lab equipment.
  • Investigate—Based on the data, the Investigate pillar posed some challenges for the students. Students had a zero percent success rate on image analysis and an almost zero percent success rate on malware analysis. In addition, students had a zero percent success rate in this pillar for finding and identifying a bad file in the system.

Key takeaways

Frameworks like NIST NICE and competitions like the DOE CyberForce Competition™ are helping to train up the next generation of cybersecurity defenders. Analysis from the most recent CyberForce Competition™ indicates that students are comfortable with tasks in the “Protect and Defend” pillar and are proficient in many critical tasks, including network forensics and log analysis. The data points to areas for improvement especially in the “Collect and Operate” and “Investigate” pillars, and for additional focus on forensic skills and policy knowledge.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The CyberForce work was partially supported by the U.S. Department of Energy Office of Science under contract DE-AC02-06CH11357.

The post Are students prepared for real-world cyber curveballs? appeared first on Microsoft Security.

Beyond the buzzwords

When I was a kid, Gilligan’s Island reruns aired endlessly on TV. The character of the Professor was supposed to sound smart, so he’d use complex words to describe simple concepts. Instead of saying, “I’m nearsighted” he’d say, “My eyes are ametropic and completely refractable.” Sure, it was funny, but it didn’t help people understand his meaning.

Security vendors and professionals suffer from a pinch of “Professor-ism” and often use complex words and terminology to describe simple concepts. Here are few guidelines to consider when naming or describing your products, services, and features:

Assess whether a new term or acronym is needed

Before trying to create a new term or acronym, assess whether an existing one will work. Consider the mobile device space where tools used to manage mobile devices were originally known as MDM for mobile device management. Pretty straightforward. But then the acronym flood started with MAM (mobile application management), MIM (mobile information management), and EMM (enterprise mobile management). It’s true, there are some technical differences between the four, but a quick Bing search shows a raft of articles explaining the differences because it’s not clear to the average customer. And, frankly, all of them are basically subsets of the MDM acronym.

Use acronyms with enthusiasm and clarity

When creating a new term or acronym there is no point in being memorable if the meaning gets lost in the noise. Instead of succumbing to the path of least resistance by forming an acronym, put a little oomph into your naming efforts.

A recent example is SOAR (Security Orchestration, Automation, and Response). Yes, it was a whole new category and one that is adjacent to SIEM (security information and event monitoring) but it adds clarity because it describes a new set of features and functions—like incident response activities and playbooks—which aren’t covered by traditional SIEMs.

Acronyms can save time, but when you get into splintered variants like the MDM example, clarity goes out the window. Since not all acronyms are created equal, go for acronym gold—and make sure there is a recognizable connection to your brand or (even better) the product itself.

This strategy can yield explosive results! Think TNT (Trinitrotoluene), or the more chill TCBY® (The Country’s Best Yogurt), or the zip in ZIP code (Zone Improvement Plan). Compare these zingers with an acronym for something like UDM (Unified Data Management). Sorry—is that the sound of you snoring? (Me, too!)

Put a little pep in your step (and your sales) by producing names that are sharply focused—like laser (Light Amplification by Stimulated Emission of Radiation)—which is an acronym that has become synonymous with what it does and has some well-placed vowels. Another winner in this category is GIF (graphics interchange format). While this acronym wasn’t recognizable out the door, it became synonymous with the product it created by adding a bit of pizzazz to the mix.

Use names that are clear and practical—but catch and hold the imagination

Resist the temptation to take a cool buzzword and tack it onto your marketing efforts to take advantage of the attention. I once saw a basic power strip advertised as “internet ready.” Come on now! Find words or phrases that catch and hold the imagination—while saying something about your product’s functionality.

Sometimes it’s as simple as helping customers understand what the product does: antimalware? Customers are going to get that this probably protects against malware. If the solution really is a new approach, make the name as clear as possible.

In addition, rather than inventing new terms, consider being very practical. Think of the use-cases and ask these questions: What does the solution do for the customer or business? What does the solution deliver? Or what kind of brand experience does your product provide?

Years ago, I ran afoul of a company that advertised itself as “S-OX in a Box” (that’s Sarbanes-Oxley, not a sports or footwear reference), because I wrote a piece on the complexity of the tech side of S-OX compliance. I explained why it wasn’t as simple as buying a “S-OX in a BOX” solution. I wasn’t trying to call out that specific company, but rather to show why it can be better to be clear and explicit about what a solution does. S-OX is too complex for a single solution to do it all. But a tool that can help automate S-OX compliance reporting? That, for many companies, is a big win.

Also, think about the non-cyber world—where companies describe the function to discover an evocative name. Examples of everyday products that accomplish this include bubble wrap, Chapstick®, Crock-Pot®, and Onesie®. Not all first tries will be winners. For example, the breathalyzer was originally known as the Drunk-O-Meter. Just experiment with it. Have some fun. Make it meaningful to your client or customer.

Never overpromise

Promising customers that they will never have a breach again is a pretty lofty claim. And most likely impossible. Words like absolute, perfect, and unhackable may sound good in copy, but can you guarantee a product or solution really deliver absolute security?

Savvy customers know that security is about risk management and tradeoffs and that no solution is completely immune to all attacks. Rather than overpromise, consider helping the customer understand what the solution does. Does the product protect against a breach by monitoring the database? Good, then say that.

Get creative and mix it up

Get creative by mixing initials and non-initial letters, as in “radar” (RAdio Detection And Ranging). Or try “initialism,” which requires you pronounce your abbreviation as a string of separate letters. Examples include OEM (original equipment manufacturing) and the BBC (British Broadcasting Corporation). You can also incorporate a shortcut into the name by combining numbers and letters like 3M (Minnesota Mining and Manufacturing Company).

If you’re really stuck, try a backronym

A backronym is created when you turn a word into an acronym by assigning each letter a word of its own—after a term is already in use. For example, the term “rap” (as in rap music) is a backronym for rhythm and poetry and SOAR is a backronym for Security Orchestration, Automation, and Response.

If you want something closer to the technology realm, check out what NASA (a well-known acronym for National Aeronautics and Space Administration) did. They named a space station treadmill in honor of comedian Stephen Colbert by coming up with the words to spell out his name: Combined Operational Load-Bearing External Resistance Treadmill (COLBERT).

Find your sweet spot

When it comes to using common words to describe uncommon things, combine the freshness and friendliness of Mary Ann and with the profit mindset of Thurston Howell III to come up with names that intrigue people with their relatability and nail the sale because clients and customers get a clear idea of the product’s business value.

Reach out to me on LinkedIn or Twitter and let me know what you’d like to see us cover as we talk about new security products and capabilities.

The post Beyond the buzzwords appeared first on Microsoft Security.