I have been taking a lot of end-user calls on compliance lately. PCI, GLBA, Sarbanes-Oxley, state privacy laws, and the like. Today I was struck by how consistently these calls are more challenging than security discussions. With security, users want to address a fairly well-defined problem. For example “How do we stop our IP from leaving the organization?” or “How can we protect users from phishing?” or “How do we verify administrator activity?” These discussions are far easier because of their much narrower scope, both in terms of technical approach and in the user’s perception of how they want to deal with the problem.
With compliance I often feel like someone dropped a dead cow at my feet. I don’t even know where to start the conversation – it is not clear what the customer even wants. What can or should I do with this giant steaming pile of stuff that just landed on me? What matters to you? Which compliance mandates are in play, what are your internal policies, and which of the security controls you already have actually work for you and which do not? I always ask whether the customer just wants to get compliant, or whether they are actually looking to improve security – because it matters, and you cannot assume either way. Even then, there are dozens of avenues of discussion – such as data-at-rest protection, data-in-motion protection, application security, user issues, and network security issues. There are many possible approaches, such as prevention vs. detection, monitoring vs. blocking, and so on. How much staff and budget can you dedicate to the problem? Even if the focus is on something specific like GLBA, often the customer has not even decided what GLBA compliance means, because they are not sure whether the auditor who flagged them for a violation is even asking for the right controls. It is a soupy mess, and very difficult to have constructive conversations until you set ground rules – which usually involves focusing on a few critical tasks and then setting the strategy.
So I guess what I learned this week is to approach these conversations more like threat modeling in the future. Break the problem down into specific areas, identify the threats and/or requirements, and then discuss two or three relevant approaches. Walk them through one scenario and then repeat. After a few iterations a clear trend of what is right for the specific firm emerges. Perhaps start with how to secure archives, then move on to how to secure disk files, how to secure database files, how to secure document server/SharePoint archives, and so on. In many cases the best solution is suddenly apparent, and provides a consistent approach across the enterprise which works in 90% or more of cases. It becomes much easier when you examine the task in smaller pieces, looking at the threats, and providing the customer with the proper threat responses. Trying to “eat the elephant” is not just a bad idea during execution – it can be fatal during planning too.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich presents changes in the crypto landscape October 30th.
- Mike quoted by George Hulme in CIO on security spending.
- Mortman on a podcast about security and privacy, and the Internet of Things.
- Mike’s presentation on Vulnerability Management.
- Rich quoted on hacking car computers.
- Adrian’s recorded Cloud IAM webcast series.
- Adrian quoted on Big Data Security Analytics, liking it.
- Adrian quoted on Big Data Security Analytics, not liking it.
Favorite Securosis Posts
- Mike Rothman: The Week in Webcasts. We have been a bit of the suck on blogging lately. But it’s because a bunch of work is going on which you don’t necessarily see. Like webcasts and working with our retainer clients. So I pulled a copout to highlight a fraction of our recent speaking activity. You missed these events, but check out the recordings. We pontificate well.
- Rich: Mike’s post on millennials in security. I hate that term, and this isn’t about that particular generation, it’s about anyone younger than you. Those damn kids.
- Adrian Lane: Building Strengths. Fan of this methodology, and no surprise mine are similar to Mike’s: Relator, Activator, Maximizer, Strategic, Analytical.
- David Mortman: Reality Check for Millennials Looking at Security.
Other Securosis Posts
- Security Awareness Training Evolution: Focus on Great Content.
- Why a vBulletin Exploit Matters to Enterprise Security.
- Summary: Age is wasted on the… middle aged.
- Firewall Management Essentials [New Paper].
- Friday Summary: October 4, 2013.
Favorite Outside Posts
- Mike Rothman: Spy-shy: Mugger thwarted by ‘NSA intern’ on Capitol Hill. Talk about quick thinking and having a security mindset. A lady in the process of being mugged told the assailant she worked for the NSA and that her phone was bugged and tracked. That was enough to get the perpetrator to make haste away from her. Who thinks of that? Totally awesome.
- Rich: Wade Baker on the kind of data we need in breach disclosures. Yup.
- Adrian Lane: Adrian Cockcroft on High Availability. It is the opposite of normal – each time I read a blog post by or interview with Adrian Cockcroft, I learn something new.
- David Mortman: Making Systems Operable.
Research Reports and Presentations
- Firewall Management Essentials.
- A Practical Example of Software Defined Security.
- Continuous Security Monitoring.
- API Gateways: Where Security Enables Innovation.
- Identity and Access Management for Cloud Services.
- Dealing with Database Denial of Service.
- The 2014 Endpoint Security Buyer’s Guide.
- The CISO’s Guide to Advanced Attackers.
- Defending Cloud Data with Infrastructure Encryption.
- Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment.
Top News and Posts
- NSA Director Alexander Admits He Lied about Phone Surveillance Stopping 54 Terror Plots. If secrecy, misdirection and counter-intelligence are part of your job description, isn’t lying a given?
- Attackers in Asia compromise data for nearly 150k in California.
- Software Firm Breached, 60k records stolen.
- Freedom Of The Press SecureDrop. Could also be an interesting NSA honeypot.
- How To Defend Against Backdoor Access. Schneier’s history lesson is interesting.
- Oracle Releases Critical Java Patches.
- Breach at PR Newswire Tied to Adobe Hack.
Blog Comment of the Week
While it is tough to beat last week’s gem, this week’s best comment goes to Adrian Sanabria, in response to Reality Check for Millennials Looking at Security.
I feel pretty strongly on this subject, and often get the “how do I break into security” question from millennials. I always advise them that security isn’t an entry-level field. You shouldn’t try to “break into it”. You need proficiency somewhere else first. I suggest finding some area of IT for them to start their career in first, and then plan a move into security 3-8 years down the road. Until then, do it as a hobby, not a job, to get a feel for what you like in security, and form a career plan that gets you there.
The bottom line, in my opinion, is that without IT, information security doesn’t exist. It is a layer on top. If you haven’t done IT, you’re not going to have the perspective, experience or skills necessary to be good in security, or enjoy it.