Special Summary: Enterprise security stories

The state of computer security is in continual change. The only constant in this game is the very dynamic nature of defense and offense. If you are a defender you will always have a hard job. You will always need to be on the lookout for ways to succeed in the face of a dynamic, never ending threat.

The state of computer security is in continual change. The only constant in this game is the very dynamic nature of defense and offense. If you are a defender you will always have a hard job. You will always need to be on the lookout for ways to succeed in the face of a dynamic, never ending threat.

This special report is a summary of the Cyber Security category of the CTOvision.com blog. This means it is a summary of pieces we know and care about, and we hope these stories generate thoughts and comments and suggestions from you on future content. Please let us know your thoughts:

Summary:

On 15 July we published two items related to cybersecurity. The first was a pointer to the Department of Defense’s new cybersecurity strategy titled Deputy Secretary of Defense Lynn: Cyber Strategy’s Thrust is Defensive

This piece provided an overview of DoD’s new cyber strategy, a strategy that we think many enterprises can learn from. We also printed a review of a piece of cybersecurity writing that succinctly describes a key failing of overly simplistic security measures titled ”The Maginot Line of Information Systems Security“ It reviews the 1999 advice of cyber security strategist Rick Forno who underscores that “Good firewalls and other purely technical solutions do their work effectively, but to a clever and determined attacker they are just obstacles to be either broken or side-slipped, whichever is more effective.”

We also reported on a Brookings institution piece tilted “Pirates of the ISPs: Tactics for Turning Online Crooks Into International Pariahs” This review provided a framework that our nation could use to help reduce cyber crime. The bad news is that this type of action will only occur with lots of coordination and leadership and to date we have not seen the broad action required to move this concept forward. Enterprises must continue to mount a vigorous defense without this type of top cover.

We did note with pleasure the success Microsoft had in battling major criminal organizations, including collecting information leading to the arrest and shutdown of major botnets like Waledac and Rustock. For more see “Microsoft Works To Tame The Wild Wild Web“ Please thank Microsoft at every turn for this great action.

Do you need to learn more about the language of cyber defense? Many in leadership positions find themselves overwhelmed when they are assigned to play roles in cyber defense. The fastest way to learn the new language is to start with a primer on cyber defense taxonomies. We review the greatest of those at “Enhancing Collective Defense with Taxonomies for Operational Cyber Defense.”

Some of the greatest enterprise defenders gathered in the DC area on September 12, 2011 at the HP Protect conference. Attending this event enabled us to better assess the state of enterprise IT and also provided us with content relevant to our future reporting. For example, Dillon Behr provided a recap on “Big Data Security“ Enterprises everywhere are using increasing amounts of data to make better/faster decisions. Doing so has security ramifications.

Alex Olesker captured content on the “Evolving Enterprise Threat Environment.” This included information from an online interview with HP’s CTO of Enterprise Security, Andrzej Kawalec, as well as the CTOvision.com editor Bob Gourley. This discussion highlighted threads like Spear Phishing, Malicious Code and Insiders. The discussion also reviewed the threat of insiders and the important trend of cloud computing.

Adam Elkus wrote about the traditional approach to cybersecurity in ”Thinking About The Traditional Approach”  And Alex Olesker captured more information on “Big Data and the Enterprise CIO“, including a video of a discussion with Bob Gourley at HP Protect. Alex would later underscore that “Yesterday’s Security Doesn’t Work For Today’s Threats“ where he reviewed the video of Andrzej Kawalec and Bob Gourley in more detail. Kawalec and Gourley continued their discussions on security in another piece titled “Evolving Approaches to Cyber Threats.”

Social media is playing multiple roles in cyber security. It is a vector for threats, it is a means for adversaries to learn more about you, and it is also a means for defenders to exchange information on what is happening. As an example of its strength in helping defenders and other IT professionals learn, John Dodge of the Enterprise CIO Forum and Bob Gourley of CTOvision conducted a series of radio broadcasts and blog posts which were fueled by summaries of hot
security topics noticed in Twitter. The first of these was summarized at Blog Talk Radio and “New Enterprise CIO Forum Blog Talk Radio”

Another cyber security opinion piece was captured in a piece that asked the question “If You Could Pick One Thing For Congress To Do Regarding Cybersecurity, What Would It Be?“ This piece quotes Abraham Lincoln who stated “If we could first know where we are, and whither we are tending, we could better judge what to do, and how to do it.” We reference that as a way of asking for better metrics on cyber security. We believe Congress can help in that regard by requiring more detailed breach reporting from firms.

Bob Gourley and Tom Reilly, Vice President and General Manager of Enterprise Security for HP, provided context on two cybersecurity studies which provided valuable statistics for enterprise professionals. Their video and more on the statistics is at “Survey Says: Security Risks Never Higher, Or Most Costly.”

Bob and Tom also dove deep into the “Myths and Realities of Cloud Security”  In this recorded discussion the two discuss the approach of Security Intelligence and Risk Management. Risk management is a construct of increasing importance since all recognize that 100% security is impossible and therefore tradeoffs and decisions must be made focused on the risk to mission. Security intelligence is a key enabler of smart risk management since it informs on the status of your own mission, your resources, your enterprise and the state of the threat.

Another key event this quarter was the FedCyber.com Government-Industry Cybersecurity Summit. This was a closed event which was attended by a hand selected group of cyber practitioners from government and industry which focused on discussion of new models for security. To register for the next event stay tuned to FedCyber.com. For a short recap of the event see: “Quicklook Report: The FedCyber.com Summit of 28 Sep 2011”

The conclusion of this review of security reporting: Our advice is that security professionals continue to do what you have been doing and continue to work on your agility while at it. You already know that there is no such thing as a perfect defense. And you already know you must establish defense in depth. And you already know you must avail yourself of very smart concepts of operation and must ensure your strategy and your work force are informed. We hope one of your ways of staying informed is by tracking the CTOvision.com blog. But we write about strategy. You need tactical intelligence feeds continuously updated on the threat. And you need a team of enterprise security architects and designers acting in your interests to continually assess the state of your enterprise.

Let us know please your thoughts on the above. We are especially interested in your ideas for what we should be covering next.