<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><!-- generator="FeedCreator 1.7.2" --><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
	<channel>
		<title>Brightfly - Enlighten Your Enterprise</title>
		<description>Brightfly.com RSS feed</description>
		<link>http://brightfly.com</link>
		<lastBuildDate>Sun, 05 Jul 2009 19:14:56 +0100</lastBuildDate>
		<generator>FeedCreator 1.7.2</generator>
		<image>
			<url>http://brightfly.com/images/M_images/logotag.png</url>
			<title>Brightfly.com site syndication</title>
			<link>http://brightfly.com</link>
			<description>Brightfly.com RSS feed</description>
		</image>
		<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" /><meta xmlns="http://pipes.yahoo.com" name="pipes" content="noprocess" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/Brightfly" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
			<title>ISC2 Roundtable on Log Management</title>
			<link>http://feedproxy.google.com/~r/Brightfly/~3/UiiOTzmRx0w/</link>
			<description>&lt;p&gt;Join Brightfly&amp;#39;s Managing Director of Research, Brandon Dunlap, as he moderates this morning&amp;#39;s panel on log management. Panelists include A. J. Wright, Chief Architect, University of Tennessee&amp;rsquo;s Technical Review Board, and Varun Kohli, Sr. Manager of Product Marketing at ArcSight. The focus of this session will be the cost-benefit analysis of SEIM and log management technologies, with special attention paid to the development of business cases supporting these types of projects.&lt;/p&gt;&lt;p&gt;Click &lt;a href="http://mediazone.brighttalk.com/event/ISC2/f804d21145-2763-intro" target="_blank"&gt;here&lt;/a&gt; to register.&lt;/p&gt;</description>
			<category>Analysis and Commentary - Events</category>
			<pubDate>Tue, 23 Jun 2009 05:44:59 +0100</pubDate>
		<feedburner:origLink>http://brightfly.com/content/view/638/2/</feedburner:origLink></item>
		<item>
			<title>Choosing a Controls Framework - UK vs. US Perspective</title>
			<link>http://feedproxy.google.com/~r/Brightfly/~3/e6xMAcMTT84/</link>
			<description>Having recently compiled my notes from Infosecurity Europe 2009, I was fast on the hunt for similarities and differences between the views expressed "across the pond" and those held by the US markets. While there is longstanding acceptance on both continents about what constitutes a comprehensive and effective security program, what really stood out was how different our approaches were.&lt;br /&gt;&lt;br /&gt;Here in the US, many client companies we work with have been struggling through "reconciliation" projects of one stripe or another. By reconciliation, I mean the cross-mapping of multiple regulations and industry best practices to one another as a sort of gap analysis for the controls being implemented in the enterprise. This practice has been pervasive for at least 5 years, since we first began our Illumination project (acquired by BindView in 2005, now a part of Symantec&amp;#39;s ITGRC offering), and continues to this day.&lt;br /&gt;&lt;br /&gt;We have watched as vendors have not only promoted this problem, but have actively worked to solve it. There has been a sort of Cambrian explosion in the marketplace as vendors have ramped up the number of controls in the libraries of their products. &lt;a href="http://www.eweek.com/c/a/Security/Archer-Technologies-to-Acquire-Rival-in-ITGRC-Space/" target="_blank"&gt;Archer&amp;#39;s acquisition of Brabeion&lt;/a&gt; is a perfect example. In the press release, and in subsequent media coverage, the addition of Brabeion&amp;#39;s controls library was touted as a key benefit of the deal. This arms race shows little sign of slowing as projects such as the Unified Compliance Framework are starting to show up in RFPs for tools in this space.&lt;br /&gt;&lt;br /&gt;One of the things we have realized in our research is that having more controls to choose from is not necessarily better. From the end user&amp;#39;s perspective, having a product with a gigantic library of controls actually makes the problem more difficult, since there now needs to be a long and drawn out process of justifying and rationalizing the vendor&amp;#39;s content against the risk appetite and audit guidance within the organization. Having more controls implemented is also of dubious benefit, especially since it is not actually indicative of due care (what a reasonable person, in similar circumstances, would do). This particular problem is the genesis of our latest effort, &lt;a href="http://www.consensuscontrols.org" target="_blank"&gt;The Consensus Controls Project&lt;/a&gt;, a portal where organizations can anonymously share which controls, regardless of origin framework, they are actually using.&lt;br /&gt;&lt;br /&gt;Contrast this approach with what we saw in the UK. While there were many booths on the expo floor from the US heavyweights in the IT GRC space, and many UK-based start-ups, the attendees didn&amp;#39;t seem to understand GRC as a concept. The term itself was often met with confused looks that ended upon explanation (usually starting with defining the acronym). Nearly every person I talked to, regardless of organization type (public sector, private, publicly traded, etc.) or size, seemed to be focused on ISO 27001 and certification. They saw this as a stamp of approval on their security program by an independent outsider and one worthy of pursuing for competitive advantage. When pressed about other control frameworks, such as COBIT, we were quickly dismissed. What these people saw was a need to get back to basics. Considering our long held view that nothing has fundamentally changed in information security in nearly 30 years (except for the underlying technology; the basics still apply), this viewpoint resonated with us.&lt;br /&gt;&lt;br /&gt;To sum up, what we found was that the people we talked to in the UK were more focused on picking a framework (in this case ISO&amp;#39;s) and working to be the best that they could be at managing to that framework, as opposed to cobbling together a controls environment from multiple frameworks and working to reconcile it internally.</description>
			<category>Analysis and Commentary - Frameworks</category>
			<pubDate>Tue, 19 May 2009 08:09:08 +0100</pubDate>
		<feedburner:origLink>http://brightfly.com/content/view/637/2/</feedburner:origLink></item>
		<item>
			<title>Advertising Security</title>
			<link>http://feedproxy.google.com/~r/Brightfly/~3/iFCsV5irRTk/</link>
			<description>&lt;p&gt;The problem being faced is really not so different from the age-old advertising problem of reaching the right audience with the right message, at the right time. Having developed security awareness programs based upon advertising and marketing models in the past, I suggest the following:&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Define the target audience&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Not all messages will resonate with, or be accepted by, all audiences equally. That means that the user population should be segmented into distinct groups, each targeted with messages that are tailored to their &amp;ldquo;demographic&amp;rdquo;. For even the largest of organizations, it is rarely necessary to segment beyond 3-5 target groups (for example: Executives, Middle Management, Employees).&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Tailor the message&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Since each group has its own worldview (not just on security issues, but also on corporate culture, its standing in the organization, the requirements of the job, etc.), it is important to use language and messages that take these needs into consideration. A good place to start in crafting your message is to consider how you would approach conveying the topic to a member of the target audience in conversation. Composite personas work well for creating &amp;ldquo;use cases&amp;rdquo; for these conversations. You can then work with the communications group to establish appropriate wording and the level of formality for each persona, or group of personas if more than one is created for each demographic slice. You will also want to consider who the sending party is for each message. If you can &amp;ldquo;borrow&amp;rdquo; authority from the executives on an important topic, that might give the message higher receptiveness than one coming from Corporate Communications or Security.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Plan the campaign&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;According to some estimates, the average person is bombarded with 3000+ advertising messages per day. Within the confines of your company this number is lower, since I am assuming you don&amp;rsquo;t allow major brands to put up billboards in your offices. The reason we are inundated with marketing messages is that it has been shown that it takes multiple attempts to reach us in order for the message to sink in. It has also been shown that utilizing multiple mediums increases this effectiveness. By taking a campaign-based approach, you can carry key messages across posters, brochures, e-mail messages, presentations, etc. to increase the retention of the material being offered.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Test the campaign&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;This is a luxury that allows you to craft a series of messages on a given topical area and deliver them over time. The benefit is that you hit each person with multiple instances of the same message, but each one should be crafted and communicated slightly differently. Each message then reinforces the previous one, or hits where that one missed. With a defined messaging campaign, you can then test each message for its effectiveness against a target population. You can use tools you probably already have to count how many of your messages are sitting unopened, or in people&amp;rsquo;s trash folders on the mail server. This will help you adjust your subject line to ensure they at least open the message, for example.&lt;/p&gt;&lt;p&gt;These techniques are just a start, but hopefully they will offer you insight into a new and interesting way to view your awareness campaign and give you an idea of how to define for the communications team how best to address the issue of getting the word out to the masses.&lt;/p&gt;</description>
			<category>Field Notes and Research - Observations</category>
			<pubDate>Wed, 22 Apr 2009 18:07:52 +0100</pubDate>
		<feedburner:origLink>http://brightfly.com/content/view/636/48/</feedburner:origLink></item>
		<item>
			<title>Dunlap Interviewed About Grid Hack</title>
			<link>http://feedproxy.google.com/~r/Brightfly/~3/Y85PVkfv8cg/</link>
			<description>&lt;p&gt;Brandon Dunlap, Brightfly&amp;#39;s Managing Director of Research, was quoted in &lt;a href="http://www.eweek.com/c/a/Security/Power-Grid-Hack-Highlights-Where-Government-Cyber-Security-Efforts-Fall-Short218464/" target="_blank"&gt;eWeek&amp;#39;s "GridGate" article series&lt;/a&gt; on security issues within the US electric grid today. Drawing upon his experience in the utility sector, he provided advice to his friends and colleagues still working within it.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;span class="Article_Date"&gt;"To Dunlap, energy companies need to look at three key areas to improve their overall security. The first involves more sharing of ideas between plant operations and IT or information security. Another is tighter integration between physical security, information security, IT, plant operations and other groups as more technology is pushed down to the meter level. Finally, he said, companies need to do more than merely meet the minimum regulatory requirements that do exist."&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;These barriers to efficient and effective operations are not new to anyone working in this field, regardless of vertical, and are key points that Brightfly has promoted for a long time.&lt;/p&gt;&lt;p&gt;In a sort of "call to arms", Dunlap encouraged utilities to strive for more open dialogue and information sharing, not only with one another, but also with vendors.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;span class="Article_Date"&gt;&amp;ldquo;Reach out to your peers in other companies, share ideas. Push your vendors to incorporate security into their control systems, band together for a stronger voice if you can. I have sat in on a lot of conference calls with various utilities and there seems to be a certain air of defensiveness among many of the members. They seem reluctant to share beyond a certain point. We need more collaboration.&amp;rdquo;&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;This aggregated "voice of the customer" is growing louder, and we have been fortunate to work with some vendor companies leading the charge to integrate security elements into their control system technologies. Unfortunately, too often the updates necessary to maintain the security solutions outpace the revision cycles of the underlying control systems, creating a gap in supportability for the overall system. By working as a coherent team, utilities are more likely to get the necessary security "baked into" their control systems. But we&amp;#39;ll have to wait until the next buying cycle to find out if the message has truly taken hold.&lt;/p&gt;</description>
			<category>Newsflashes - Newsflash</category>
			<pubDate>Wed, 08 Apr 2009 15:53:29 +0100</pubDate>
		<feedburner:origLink>http://brightfly.com/content/view/635/</feedburner:origLink></item>
		<item>
			<title>LogRhythm Takes Down $3 Million B Round</title>
			<link>http://feedproxy.google.com/~r/Brightfly/~3/vOJB2HD8GUA/</link>
			<description>&lt;p&gt;Boulder, CO-based &lt;a href="http://www.logrhythm.com" target="_blank"&gt;LogRhythm Inc.&lt;/a&gt;, a provider of solutions in the highly competitive log management/log analysis space, has added over $3.1 million to its war chest in its second round. As part of the deal, &lt;a href="http://www.linkedin.com/pub/1/644/623" target="_blank"&gt;Joe Zell&lt;/a&gt; of &lt;a href="http://www.grotech.com/" target="_blank"&gt;Grotech Ventures&lt;/a&gt; joined the board alongside members from past investors &lt;a href="http://www.accessventurepartners.com/" target="_blank"&gt;Access Venture Partners&lt;/a&gt; and &lt;a href="http://www.coloradofund1.com/" target="_blank"&gt;High Country Ventures&lt;/a&gt; "Colorado Fund". Both investors participated in LogRhythm&amp;#39;s previous $3.25 million A round in Q4 of 2007.&lt;/p&gt;&lt;p&gt;This latest infusion shows that while many markets have cooled off, security investing remains active, a good sign for the profession and the state of the market.&lt;/p&gt;</description>
			<category>Analysis and Commentary - Funding</category>
			<pubDate>Thu, 02 Apr 2009 07:34:30 +0100</pubDate>
		<feedburner:origLink>http://brightfly.com/content/view/634/2/</feedburner:origLink></item>
		<item>
			<title>Volcanos Pose a Real Threat</title>
			<link>http://feedproxy.google.com/~r/Brightfly/~3/C5zwxZipzBU/</link>
			<description>&lt;p&gt;Last spring we had just completed our first few Risk Management events, where we began collecting information on how risks are perceived and managed by organizations across the US. In an early preview of what we had observed so far, I wrote an article [read &amp;#39;&lt;a href="content/view/187/48/"&gt;The Impact of Culture of Risk Perception&lt;/a&gt;&amp;#39; here] on how culture and geography impact risk perceptions. In that article, I made a brief reference to the risk of volcanic activity and how it had shaped the culture of IT and information security operations at companies in the Pacific Northwest. Well, this morning I stumbled across this article from The Channel Wire [read &amp;#39;&lt;a href="http://www.crn.com/it-channel/216200268"&gt;Alaskan IT Firms Bracing for Volcanic Ash Fall&lt;/a&gt;&amp;#39; here] that describes how companies in Alaska are dealing with volcanic ash from Mount Redoubt.&lt;/p&gt;&lt;p&gt;This is yet another fine example of how your geography and the cultures created by past experiences shape your views and responses to risks. I know many of my friends and colleagues in Houston, TX have similar views about hurricanes, especially after last fall, when Ike caused widespread outages across the region. This has been a background topic of discussion for us since those first few events we held, and since then we&amp;#39;ve been wondering: What other sorts of concerns have others seen in their particular parts of the world, and how has it shaped your views and actions on risk management?&lt;/p&gt;</description>
			<category>Field Notes and Research - Observations</category>
			<pubDate>Tue, 24 Mar 2009 08:08:58 +0100</pubDate>
		<feedburner:origLink>http://brightfly.com/content/view/633/48/</feedburner:origLink></item>
		<item>
			<title>Partnering To Bring Change</title>
			<link>http://feedproxy.google.com/~r/Brightfly/~3/tRh2NgKnsjA/</link>
			<description>&lt;p&gt;We haven&amp;#39;t been as publicly active lately, and it&amp;#39;s for a good reason. We have a number of fantastic projects in flight right now, one of which was formally announced just last night.&lt;/p&gt;&lt;p&gt;In an effort to bring about what we see as a fundamental need to cross-pollinate between security disciplines, we have partnered with &lt;a href="http://www.andrewsinternational.com" target="_blank"&gt;Andrews International&lt;/a&gt;. The press release can be found on their site &lt;a href="http://www.andrewsinternational.com/newsevents/releases/nr_brightfly.html" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;We think this is a great opportunity to bridge what has historically been a pretty wide gulf between these two corporate functions, and we look forward to leveraging this opportunity to share valuable information across these disciplines.&lt;/p&gt;</description>
			<category>Newsflashes - Newsflash</category>
			<pubDate>Wed, 04 Mar 2009 11:44:02 +0100</pubDate>
		<feedburner:origLink>http://brightfly.com/content/view/632/</feedburner:origLink></item>
	</channel>
</rss>
