Forecast: Mostly Cloudy @ISC West 2017

I’ll be speaking on Cloud Security at ISC West on April 6, 2016.

Mostly Cloudy with a Chance of Security

ISC West bills itself as the “largest security industry trade show in the U.S.”

I attended last year and blogged about my experience.

This year I’ll be wearing two hats and advocating on behalf of both enterprises and cloud service providers with a goal to improve the security of both.



Fiber Cut? No Internet, Mobile or SMS? Are You SOL?

I woke up this morning thinking about the increasing impact that any disruption between us and the Internet has in our daily personal and professional lives. I love the security profession but sometimes it drives your brain to an offroad or two (or more) that many people do not oft travel.

Think. What use is your smartphone, computer or tablet if it loses all ability to communicate with anyone or anything else?

When fiber is cut and Internet and phone service are down, it often affects an entire community or region. If this disruption coincides with a disaster, either natural or terror, lives can be at risk.

Fortunately, most fiber cuts to date are accidental, the result of an errant backhoe or other less than nefarious cause.

This is changing. Intentional cuts in the Bay Area in 2015 and allegations from Verizon that striking workers intentionally cut fiber are troublesome indicators that our fiber optic networks will increasingly be a target for those with a desire to disrupt.

But what is old is new again. The first recorded telecommunication sabotage took place during the second battle of Bull Run in 1862. I would argue the stakes are no higher today, just different.


The business impact of a fiber cut can be measured quantitatively and qualitatively. I dare you to go brick and mortar shopping in a region experiencing a fiber cut. You will quickly learn which retailers have the most resilient and effective disaster recovery and business continuity efforts.

Most retailers rely on fiber for every connection they make at the point of sale or otherwise. The fallback is normally satellite and works much more slowly, if it works at all. And you thought the lady ahead of you in line at Wal-Mart buying 500 cat key chains insisting on 50 separate receipts was slow.

The inability for teenagers to reach their friends via Facebook, Snapchat, SMS, phone or any other means other than face to face may seem in the moment catastrophic but is in reality only a symptom pointing to a future where the stakes are much higher.

Today, Alexa’s inability to respond from the mothership to turn off lights and tell dad jokes, arguably worse than my own, is but a minor annoyance.

Future Alexa controlling my in-home medical devices, fire suppression systems, and life safety equipment sets the stage for a future where being always connected is as critical as having water, power and oxygen to breathe.


Ensure you have multiple Internet connections over disparate paths. Businesses in mission critical industries do this as a normal course of business. I recommend small businesses and families do as well.

My small business maintains two Internet connections and a satellite backup. Keep in mind fiber cuts often render all land based communication useless. Maintaining satellite Internet as a backup is a relatively cheap insurance policy. We use Exede.

Invest in a SOHO router that manages multiple Internet connections and provides for automatic failover/failback. My preference is CradlePoint.

Invest in an out-of-band communication technology to ensure that fiber cuts or other outages do not prevent you from reaching your family or business associates.

Not fully baked, but amongst the most promising and exciting innovations for communications not reliant on Internet or even mobile coverage, are these two companies: Beartooth and GoTenna.

Both systems use a combination of your smartphone and a built-in radio operating on unlicensed 900 MHz frequencies to allow communication over several miles with no dependency other than a similar device on the other end.

Although GoTenna appears more consumer friendly and geared towards the social, crowdsourced model, they do purport to have a mission critical “professional” line in the works. I’ve ordered a pair of GoTenna devices and will be posting a review after some time assessing their merits and limitations.

Technology solutions aside, the most important action you can take as a business, family or individual is to have a plan and TEST the plan regularly. Many great resources to assist with this over at

As always feel free to reach out to me directly via LinkedIn if you would like more information about this topic or any other.

Stuart Clark

Beginning of the EndPoint – Challengers


I’ve been a Cloud CISO for a little more than 5 years now. One consequence is that enterprise endpoint security products and I have rarely crossed paths. Securing agile orgs running Linux / OSX with users perpetually outside the perimeter is not easily solved with legacy endpoint products.

But I was curious what has changed…

This afternoon I read with interest the “Forrester Wave Endpoint Security Suites Q4, 2016” report.

The report could have been written ten years ago, with these notable exceptions:

  1. Companies like Carbon Black, Cylance, CrowdStrike and Bromium have emerged to challenge perennial industry giants. Any innovation in endpoint security is noteworthy. No longer is it acceptable for the incumbents to ride the cash cow of enterprise renewals without significant development efforts to keep pace.
  2. Quarantine = Remediation

You can find the Forrester report over on the Carbon Black website.  (Gated, Sigh…)


ISC West 2016 Conference Wrap – Connected Death

Last week I had the opportunity to attend ISC West, billed as the “largest security industry trade show in the U.S.” Held annually at the Sands Expo in Las Vegas, the show features over 1000 exhibitors and is attended by over 28000 security professionals.

IoT Vendors at Connected Security 2016


Make no mistake, ISC West is largely a physical security conference. The sheer number of cameras, access control solutions, retractable electronic bollards, electrified fencing and, oddly, skin care vendors was staggering.

For the first time the show included the Connected Security Expo, a cybersecurity conference within the larger conference. This is a recognition that many of the aforementioned vendors now manufacture internet connected devices that need to be secured (with the probable exception of the skin care vendors).

I was pleasantly surprised at both the execution and content of the expo.  A successful conference for me is largely defined by what I learned.  My thoughts about the conference based on my multiple personalities, err personas…

As a Technologist – Very Cool. As a corporation you can actually buy a drone fleet and patrol your perimeter, then deploy a robot to investigate and intercept violators.  All remotely controlled and monitored.

As a CISO – Abject Fear.  Very few of these IoT device manufacturers appear to have any expertise in cybersecurity.  I’ve probably spent more time thinking about their supply chain and secure software practices than they have.

As a Security Entrepreneur  – Unlimited business opportunities abound.  See CISO thoughts above.

We can expect 200 billion new devices to come online by 2020 according to Matthew Rosenquist of Intel.  Many of these devices will impact life and safety.  Vehicle control systems and medical devices are examples.  The bad news is that a significant amount of blood will be spilled in the next few years.  Innovation has always outpaced cybersecurity but now the consequences of failure include the likelihood that people will die.

Are we ready for this connected future?  We had better be.  There is no other choice.

Security Program Hacks – Using Security Liaisons as Force Multipliers for your Security Program. (Part 2)

Part 1 introduced the concept of transforming a paper “security contact” into a security liaison for your organization.  

My experience working with organizations is that while most have a security contact attached to an asset or functional area, many of the designated contacts, when asked, are surprised to learn of their role. This is a sure indication of checkbox compliance and missed opportunity.

Creating a security liaison program is an exercise in taking a latent asset tied to a compliance objective and activating them to become an active participant in the overall security of the organization.

How can this be accomplished?

  • Policy – Authorize the security liaison program by writing it into your overall security policy.  Define the role and overall responsibilities of the liaison.  I’ve found that the liaison program tends to map closely to the security steering committee so placing this section immediately following the steering committee makes sense.
  • Process  –  Make it real.  Make it auditable.  Meet regularly with your security liaisons and document much as you would for the security committee.  A functioning security liaison program can be used as a control at audit time to show the maturity of security within your organization.  
  • Empower/Enable – Assign real responsibilities.  Enable your security liaisons to participate in your risk management program and other key areas.  Empower them to drive improvements to the security of the organization by encouraging them to ask hard questions that may not have easy answers.  Empower your liaisons by allowing them to communicate/report issues and progress to the security committee/leadership.

Final Comments

The overall goals of any security program are to reduce risk and increase security.  Adding security liaisons can be a key component of your overall security strategy.  A group created with zero additional headcount, authorized by policy and doing your security bidding?  It is only a dream if you don’t act.


Out of Control? – AWS and Shared Responsibility

Key Takeaways: The AWS shared responsibility model is a vehicle for explaining security control responsibilities between AWS and the customer and is not a security panacea for vendors developing on the platform. Closely examine vendor governance controls, specifically vendor management programs, to determine if the additional responsibilities of shared responsibility are accounted for in their security program.

In 2012 Amazon pioneered a cloud security concept they now call the “Shared Responsibility Model”. This concept was born out of the need to clearly communicate the line of demarcation between AWS security responsibilities and ours (loyal AWS customers).

The concept is as obvious as it is useful, if used for good rather than evil.

I use the term frequently to explain to auditors, engineers, c-level folks and basically anyone who will listen that Amazon is responsible for technical security controls from the “concrete through the hypervisor” and explain that as an AWS customer we are responsible for everything else. Everything else includes the operating system, network and firewall configuration, our software/platform, and of course our data. Here is a diagram taken from the AWS Security Best Practices whitepaper available here. (Evil follows the diagram.)

AWS Shared Responsibility Model Screen


Now for the evil. I’ve noted on more than one occasion vendors invoking the AWS shared responsibility model to absolve themselves of any responsibility for the security layers that Amazon is responsible for. This is flat wrong and irresponsible.

The vendor is most certainly still responsible for security throughout the entire AWS stack, but what has changed is the type of control. What was a technical control now becomes a governance control.

Scrutiny of their vendor management program (if they have one) should ferret out whether they have a clue as to the difference.

A Security Leader’s Quest for Commitment in a Sea of Conflict and Compliance.

As security leaders we spend our working lives managing risk, being bombarded with very real threats and vulnerabilities and the vendors who can “solve” them, all while struggling to influence and instill positive change in our own dysfunctional organizations. From time to time we must step back to own and celebrate the fact that even the small positive steps for good we take today lay the foundation for a more secure future that none of us alive today can even imagine.



Austin, Devops and Great Folks

There are a couple of people that I want to take the time to highlight: Ernest Mueller @ernestmueller and Tim Virtue @timvirtue.
Ernest’s thought leadership, publication and iteration of “What is Devops” has been exceedingly helpful in my quest to both define devops in my own head as well as communicate the vision and future of operations/development/cloud to others.

Tim is the first security leader that I know of that has presented devops in the context of security. I had the opportunity to listen and speak to Tim this year at SecureWorld Houston. A SlideShare of his presentation is here.

The fact that both of these guys are in Austin?  Bonus!

My take on agile/devops relative to security? The fundamentals of information security will remain the same. Devops will demand that we as security leaders change our tactics, and speed the heck up, to retain any relevancy in the face of the insane pace that devops and agile processes facilitate.


Using the “3 C’s of influence” to gauge the effectiveness of your security program

While doing my best to absorb a small portion of the wealth of useful information found in Dr. Kenneth Brown’s Great Courses: Influence: Mastering Life’s Most Powerful Skill, I had an ah-ha moment that I wanted to pass along.
Dr. Brown states that exerting influence will always result in one of the three following outcomes: CONFLICT, COMPLIANCE, or COMMITMENT.

CISOs and other security pros who have spent years in the security trenches are more than familiar with the first two: conflict and compliance. The bulk of our time, it seems, is spent squarely in between.

If we have finally exerted enough influence, successfully managing past conflict and adeptly wielding the compliance ax to “be compliant”, we tend to call it a win and move on.

The ah-ha moment for me was the realization that the persistent, nagging feeling of uneasiness I have carried since my early days of security leadership is the “commitment gap”, the gap that exists between compliance and commitment.

Failing to achieve commitment from stakeholders results in, at best, compliance. While certainly better than conflict, compliance by itself is inadequate and a hollow victory to be sure.

Commitment is a high bar, and unfortunately not always something that can be obtained, but it should always be the goal.

Do you agree?  I’d love to hear about your successes, challenges and thoughts on this or any other information security related topic.