G2's BLOG

Operationalizing Cybersecurity

noreply@blogger.com (Anonymous) — Mon, 31 Jul 2017 14:08:00 +0000

Operationalizing, or implementing, cybersecurity is an ongoing effort that continually evolves and grows. Just like organizations can’t achieve safety; they cannot achieve cybersecurity. Therefore, having a well-defined organizational cybersecurity strategy is essential in keeping organizational security goals in mind. Board members are becoming increasingly aware of the requirements to implement cybersecurity strategies and the perils faced by those organizations that continue to leave cybersecurity as an information technology (IT) problem. These motivations are assisting board members in being more active in defining the organization cybersecurity strategy. Therefore, board members are becoming increasingly aware of the importance in implementing a cybersecurity strategy.

Defining a cybersecurity strategy
An organizational cybersecurity strategy is the organization’s plan for mitigating security risks to an acceptable level. Understanding the business purpose and mission goals of the organization is the first step in defining a cybersecurity strategy. Board members, and business leaders, within the organization define their expectations for the services within the business by establishing operating targets and budgets. If aligned correctly, this information provides insight into critical business functions within the organization and can assist in identifying the criticality of the resources supporting those functions. For example, if an organization declares it is releasing a new product this quarter and all focus is being placed on completing the project, the resources supporting the new product development becomes critical. There are many frameworks available, such as ISCAC’s COBIT 5[1], that assist organizations in defining and establishing business priorities for the organization.

Translating a cybersecurity strategy into a risk management plan
Once an organization understand their business objectives and align resources to those objectives, the organization can develop a security risk management plan. Security risks are not simply a count of the number of vulnerabilities detected by a vulnerability scanner. Security risks are areas within the organization that could be damaging to business operations if the threat acts.. There are many risk assessment processes available to assist organizations in defining cybersecurity risks for their organization. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)[2] and FAIR[3] are quantitative risk assessment processes that enable organizations to identify and quantify the risk to their business. NIST 800-30, Guide for Conducting Risk Assessments[4], helps organization understand how likely a security risk is to occur and the impact or harm it will have on the organization if it does occur. Organizations can leverage any of these processes, or a combination of each, to define security risk thresholds and expectations of the organizations business operations. These security thresholds and expectations become the guidance required to define a risk management plan. Organizations can use the risk management plan to create a security risk register for their organization.

A security risk register is an artifact that aligns the key threats to the business operations of the organization (e.g. natural disaster, accidental insider, malicious external parties, etc.) with weaknesses within the organization that the threats could exploit to harm the organization. While an exhaustive risk register may have hundreds of line items for different ways threats could impact business operations, most organizations can summarize the threats and weaknesses within their organization to identify twenty to thirty key risk areas. This enables organization to focus on implementing cybersecurity objectives in areas where key security risks can be mitigated. The risk register can be sorted by the risk quantified using the risk assessment methodology selected by the organization.

Operationalizing cybersecurity strategies
The NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF)[5] defines the core activities and outcomes of a cybersecurity program. The CSF Core establishes five function: Identify, Protect, Detect, Respond, and Recover. Organizations can use these functions to establish security capabilities required to manage cybersecurity to an acceptable risk level as defined in the risk management plan.

Cybersecurity strategies are implemented using people, process, and technology. While technology provides a critical component within a cybersecurity program, it can’t be the only element. Similarly, cybersecurity policies are only effective if they are followed. Security policies that address all security risks within the organization are not effective if staff are not trained and reminded regularly of policies and their expectations in achieving the requirements defined within the policies. Organizations can implement a holistic cybersecurity strategy by using the CSF to define organizational cybersecurity expectations which mitigate security risks below risk thresholds established in the risk management plan as defined in the risk register. The CSF refers to this plan as a Target State Profile. An effective target state profile is one which identifies the types of security policy required within the organization and defines organizational practices required to implement the security policies.

Conclusion
Implementing a cybersecurity strategy is an ongoing activity, but not impossible. Organizations must continually evaluate the ever-changing threat landscape and business objectives. A good cybersecurity strategy is one that is in alignment with organizational business goals and mission objectives. The business goals and mission objectives establish the foundation for establishing a risk management plan that defines the acceptable security risk levels within the organization. Once the security risks within the organization are defined in a risk register, organization can determine the appropriate level of security required to operate within that risk level.

[1] What is COBIT 5?, ISACA, http://www.isaca.org/cobit/pages/default.aspx

[2] OCTAVE, SEI, http://www.cert.org/resilience/products-services/octave/

[3] FAIR, FAIR Institute, http://www.fairinstitute.org/

[4] Guide for Conducting Risk Assessments, National Institute of Standards and Technology (NIST) SP 800-30, September 2012, http://dx.doi.org/10.6028/NIST.SP.800-30r1

[5] NIST Framework for Improving Cybersecurity, NIST, February 2013, https://www.nist.gov/document-3766

Source; RSA Conference https://www.rsaconference.com/blogs/operationalizing-cybersecurity

Posted on July 27, 2017

by Tom Conkle

CISSP, Cybersecurity Engineer, and Commercial Services Lead, G2, Inc.

"Run-time Cyber Economics – Applying Risk-Adaptive Defenses"

noreply@blogger.com (Anonymous) — Thu, 28 Jul 2016 15:03:00 +0000

G2, Inc. has been involved in OpenC2 for quite some time. This is a great read relating to active cyber defense and OpenC2.

Run-time Cyber Economics – Applying Risk-Adaptive Defenses

Posted by: CyberSecurityChief Categories: Active Cyber Defense Articles

Well, it has been a long break since the last article of this series but I feel duty-bound to do this third article on cybersecurity investment since I find the possibilities resulting from a “risk-adaptive” security approach to be compelling. Generally cyber defenses must be pre-planned with cost-benefits carefully weighed prior to investing in new tools to bolster defenses. However a risk-adaptive approach can change cyber investment to a fluid, service-oriented, run-time decision that can be made using well-understood economic principles. Learn how risk-adaptive defenses can raise the quality of an organization’s security posture while reducing capex and opex.

Today’s new defense strategies are focused on hunting and mitigating threats. In general, the threat vectors don’t change greatly – however the malware is being packaged and delivered in ways that are designed to evade detection and to deceive users. Some examples of this malware trend can be found here and here. As a reaction to this trend, cyber protection systems are beginning to move away from static signature-based approaches (Intel’s pending sale of McAfee anti-virus is an example of this lack of faith in static signature-based defenses) to an integrated proactive model based on a range of different narrow aperture collectors feeding big databehavioral models that can sense anomalies. These sense-making models output alerts to cyber decision-making systems that produce courses of action (COAs). The COAs are implemented byorchestrators which synchronize detection mechanisms and instigate mitigation services, such as sending updates to nexgen firewalls, or signaling a suite of other software-based protection services. These services are designed to quickly respond and stop attacks or prevent data breaches. This is really good but how do we balance the investment in these different tools with the risk posture and scale of the organization? That is, how do these tools reduce the cyber value-at-risk at a rate that makes investment in these tools worthwhile? This question was recently highlighted in a “Security Challenges” market landscape report by SDxCentral. When asked to indicate all their major security challenges, there was no single overwhelming problem identified by respondents to the SDxCentral survey; 49% said “Lack of visibility” was an issue, followed by the “Cost effectiveness of security solutions at scale,” at 44%. What was also evident from this survey is that organizations lack common measures to quantify cyber risk, curtailing their ability to make clear strategic decisions concerning optimal cyber security investment levels.
Adaptive Cyber Defenses Can Be Effective in Reducing Attacker Dwell Time and Minimizing Loss to Cyber Intrusions

One aspect of cyber security that is being measured is the cost of breaches. Studies have shown that the cost impact to the business goes up to exponential proportions the longer the attack goes undetected. This is where a proactive cyber strategy can help. The benefit of a proactive cyber strategy lies in its ability to drastically reduce the “dwell time” of an attacker on compromised platforms by accelerating the OODA loop. This reduction in dwell time inhibits the attacker’s ability to pivot and move laterally across the network to cause more harm and therefore drive up costs. However a successful proactive cyber strategy depends on overcoming four main challenges:

1 – As you might surmise, the sense-making process is often a bottleneck as there’s too much data and not enough context provided by the collectors. The sense-making process must enrich the collected data at a rate and level of accuracy (i.e., low false positive rate) that matches the cyber threat. One method of enrichment is to use one or more (more is preferred) threat intelligence sources. Cyber threat intelligence providers supply Indicators of Attack (IOA) and / or Indicators of Compromise (IOC) to help direct the sense-making service about what to look for and where to look.

2 – The second major challenge is defining COAs. There are two main issues here:

The first issue is there is no mutually understood, generally accepted, machine-readable, and shareable language between the different IT organizations as well as the business side who are involved in COA development and incident response that allows all sides to really connect, perform critical impact and root cause analysis, make efficient and faster decisions, implement response strategies, and, ultimately, work with less friction. A standards effort that is working to help in this area is the Open C2 COA Standardization WG. The Open C2 work group, a partnership between NSA, DHS, and industry is initially focused on defining a language at a level of abstraction that will enable command and control of cyber defense entities that execute the actions with enough generality to provide flexibility in the implementations of devices and accommodate future products. This effort, if successful should help to reduce the upfront investment cost in COA development by defining a common language for COAs and for sharing COAs.

The second major issue is actually identifying the specific courses of action that need to be performed for a given intrusion set to enable a given set of services that protect a given mission or business system. This issue requires algorithm development. A variety of mathematical theories can be used to model and analyze cybersecurity. Resource-allocation problems in network security can be formulated as optimization problems. In dynamic systems, control theory is beneficial in formulating the dynamic behavior of the systems. Game theory also provides rich mathematical tools and techniques to express security problems. This DTIC report highlights some of the issues and an approach to COA algorithm development.

3 – The third challenge involves integrating the tools needed to automate the COAs. This challenge is being addressed through community efforts led by NSA, DHS, and Johns Hopkins Applied Physics Lab. In addition, work by OASIS’ STIX provides COA, Incident, Threat and other related schemas which can be leveraged by tools seeking interoperability across threat data, COA, and cyber impact. See figure below for an example.

4 – The fourth major challenge involves culture change – i.e., overcoming a lack of confidence in automating the decision-making of cyber response. Generally, most organizations will insist in having a man-in-the-middle in the COA decision-making processes until confidence is well-established in the COA algorithms. Having a vetting process will also be essential prior to sharing COAs or accepting shared COAs from other organizations.
Adaptive Defenses Require OODA Loops at Each System [and Business] Layer

As pointed out by Emami-Taba et al, it is necessary to provide a holistic approach in implementing adaptive defenses. Depending on the architecture layer, the source of the data to be monitored is different and the adaptive cyber decision-making and responses are different. For example, to detect a cyber attack at the network level, the data to be monitored can be packet data, network traffic, etc. Intrusion detection systems are a cyber detection, decision-making, and response mechanism at the network layer. Intrusion-detection systems can take adaptive actions such as intensifying monitoring efforts when malicious behavior is detected. Likewise at the application layer, a cyber attack can be detected from various data sources. For example, the system can monitor the number of transactions by a specific user or the access rights of a user to a particular piece of sensitive data. An adaptive access control system may prevent access to the data if the behavior of the user appears abnormal. Therefore, COAs should not be limited to actions in only one layer of the systems being defended but cover top to bottom of the system stack. This holistic approach mirrors the advances made by tool vendors regarding their newer approach to malware: Security companies are aiming lower in the system stack, essentially running their software in a position where they can observe all activity on the device – examples include Tanium and Bromium. However, it is also important to connect adaptive defenses to the business layer so mission dependencies can be evaluated, business disruption can be assessed, the value-at-risk can be determined, and appropriate risk mitigation action can be taken, i.e., what’s the risk impact to the business related to a particular attack and COA response? The answer to this question is what the respondents to the SDX Challenge Survey were searching.
Risk-Adaptive Defenses Relate Protections to an Economic Model

“Risk-adaptive” defenses can be used to help provide visibility and governance to cyber defenses since they can quantify risk and manage allocation of protections using an economic model. One example of a risk-adaptive approach is Fuzzy MLS, an access control model which in a limited context can be used to quantify risk associated with information access. The ability to quantify risk makes it possible to treat risk that an organization is willing to take as a limited and countable resource. This enables the use of a variety of economic principles to manage the resource (risk) allocation with the goal of achieving the optimal utilization of risk, i.e., allocate risk in a manner that optimizes the risk vs. benefit trade-off.

According to Pau-Chen – the author of Fuzzy MLS: “the fact that when a security administrator creates the [access control] policy, she is guessing and codifying what risk-benefit trade-offs will be acceptable for information accesses that will happen in the future. Clearly, for an organization with dynamic needs the future risk-benefit trade-offs are not predictable and the guesses made about future risk-benefit trade-offs, encoded in the security policy are likely to be in conflict with the real risk-benefit trade-offs at the time of access.”

The main feature of Fuzzy MLS is that it considers access control as an exercise in risk management where access control decisions are made on the basis of risk, risk tolerance, and risk mitigation, where risk has the usual connotation of expected damage. Viewed in terms of risk, the process of setting a traditional access control policy is actually determining a fixed trade-off between the risks of leakage of sensitive information versus the need of the organization to provide such information to its employees for them to perform their job. This fixed trade-off sets up a non-adaptive, binary access control decision model where accesses have been pre-classified as having either acceptable risk or non-acceptable risk and only the accesses with acceptable risk are allowed. Fuzzy MLS devises a way to compute an estimate of risk associated with an access by quantifying the “gap” between the subject’s value and the object’s value. With these quantified estimates of risk, a risk scale can be built such that each access is associated with a point on the scale. With such a scale, the access control model can be made risk–adaptive by adjusting the point of trade-off on the scale as the needs and environment change. Fuzzy MLS goes one step further by expanding this point of trade-off into a region on the scale. An access associated with a point below the lower-bound of the region (also called the soft boundary) is allowed, an access associated with a point above the upper-bound of the region (the hard boundary) is denied. The region is further divided into bands of risk such that each band is associated with a risk mitigation measure(s) or course of action. An access located in a band is allowed only if the risk mitigation measure(s) / courses of action associated with that band can be applied to the access. Thus, the Fuzzy MLS model depicts a risk management system that resembles a Fuzzy control system and thus the name “Fuzzy MLS.”

One of the keys to such a risk-adaptive system such as Fuzzy MLS is coming up with values which can be used to quantify the subject/object gaps and perform risk trade-offs. I suggest that two types of values be assigned to cover two scenarios: 1) for access control scenarios, the value of an asset to the organization could be applied; and, 2) for attack scenarios, the value of an asset to an attacker could be applied. In the former case, the value of an asset can be established through well-known processes such as business impact analysis, where the levels of confidentiality, integrity and availability can be ascertained and translated into economic terms. In the latter case, a different approach is needed as a seemingly worthless piece of data from an organizational perspective might be extremely valuable to an attacker to profile and phish a target. This attacker view of an asset value requires intelligence about how attackers rate and target your assets.

The perishability or shelf life of an asset should also be determined. In this way you can adaptively change protections over a time span when the value of the asset changes – e.g., M&A plans have a relatively short shelf life and access protections need to increase around these plans during that time period. In the same regard, a vulnerability can be considered an asset from an attacker’s perspective that has a shelf life. In contrast, detections against weaponizer artifacts are defender assets that have a very durable shelf life.

To conclude, risk-adaptive cyber defenses can help in the prioritization and selection of courses of action by instantiating economic principles that reflect the true mission impact of a course of action mitigation or remediation action.

Source:

www.ActiveCyber.net July 26th 2016

G2 invited to speak at the RSA Conference 2016

noreply@blogger.com (Anonymous) — Wed, 27 Jan 2016 14:16:00 +0000

G2 Inc, was invited to speak at the RSA Conference 2016 for the second year in a row. G2 is most recently known as the prime contractor responsible for supporting NIST in the development of the Cybersecurity Framework (CSF). G2 cybersecurity engineers Greg Witte and Tom Conkle will present on G2’s experiences helping customers across the nation with using the CSF.

The session, “Effectively Measuring Cybersecurity Improvement: A CSF Use Case” highlights G2’s experience helping customers use the CSF to achieve measurable and continuous improvement. The session harnesses momentum established by the 2014 release of the CSF, as organizations work with G2 in leveraging the Framework to develop and maintain effective cybersecurity program outcomes.

This session explains how G2 engineers helped an organization use the CSF as a common language for communicating program goals and activities among stakeholders. Through quantitative measurement of current and planned activities (including references to standards, e.g., ISO 27002), in alignment with senior executives’ priorities, G2 helped to clearly articulate gaps between their existing cybersecurity program and the one needed to achieve their risk objectives.

The talk will illustrate how Board members were able to quickly understand the identified security deficiencies, enabling resource and planning discussions.

Join G2 in West Room 2014 on Thursday, March 3, 2006 at 9:10am PT to learn more about the CSF case study.

G2 attends IAS Symposium

noreply@blogger.com (Anonymous) — Mon, 20 Jul 2015 20:14:00 +0000

G2 Inc, an Annapolis Junction Maryland based cyber solutions and services organization, recently participated in the Information Assurance Symposium (IAS) sponsored primarily by the Intelligence Community.

This well attended timely symposium was hosted by the Washington Convention Center. The IAS G2 symposium technical display included a live demonstration of a cloud adaptable, open source, standards based Identity and Access Management (IdAM) technology entitled Enhanced OpenAM. Enhanced OpenAM is built on open source ForgeRock technology, is DoD/IC ready, is easily configurable and accommodates pluggable attribute repositories. Based upon multiple current DoD implementations, this G2 Enhanced OpenAM demonstration generated significant IAS interest. More information can be found by way of the video below.

The video below is from IRM Summit 2014 where Daniel Stroud, CISSP-ISSAP, MCSE, Identity and Access Management Capabilities Lead, G2, Inc. delivered a presentation focused on how to enable dynamic eCitizen systems in environments with distributed PKI administration, Light Weight Directory Access Protocol (LDAP), and distributed attribute repositories using OpenAM. The session will include background on the initial case study and a demonstration.

Two G2 experts published by ISACA

noreply@blogger.com (Anonymous) — Wed, 11 Mar 2015 21:42:00 +0000

We couldn't be more proud of Tom Conkle and Greg Witte two of G2's subject matter experts on NIST's Cybersecurity Framework.

G2 partnered with ISACA and Tom and Greg's work was recently published in the below publication.

If you would like a copy for your reference, the guide can be purchased here.

Congratulations Tom and Greg on your accomplishments and to that of the whole G2 Federal and Commercial practice !!!

Greg Witte To Share His COBIT 5 Knowledge

noreply@blogger.com (Anonymous) — Mon, 26 Jan 2015 21:52:00 +0000

Connect with fellow IT and business leaders at ISACA’s first-of-its-kind COBIT Conference. In addition to creating value for enterprises, COBIT 5 framework can significantly mitigate risk as you will learn in the invaluable session: Cybersecurity and COBIT—where you can leverage Greg Witte’s of G2's insights to:

Better understand COBIT 5 principles and how they apply to the cybersecurity landscape
Learn how COBIT 5 enablers work with common security frameworks
Integrate cybersecurity into enterprise risk management strategy using COBIT

G2 selected to speak at the 2015 RSA Conference

noreply@blogger.com (Anonymous) — Wed, 21 Jan 2015 15:17:00 +0000

G2 received word this week that Tom Conkle has been accepted as a speaker that RSA 2015 Conference in San Francisco. Below is part of Tom's acceptance letter;

"The quality and quantity of submissions for RSA Conference 2015 were at an all-time high, making the selection process extremely competitive.

We are delighted to inform you that your session has been accepted to be part of the RSA Conference 2015 agenda, taking place April 20 - 24, 2015, at The Moscone Center in San Francisco, California. Your session is a valuable contribution to help make this year’s agenda one of the best ever!

Short Abstract: The Cybersecurity Framework (CSF) establishes a common language for describing cybersecurity activities. In 2015 it is anticipated that if voluntary adoption of the framework is not sufficient, the industry specific regulators will leverage the CSF as part of their regulatory oversight process. This session provides an overview and benefits organizations receive from aligning to the CSF."

We are very proud of Tom and the whole Federal and Commercial Practice here at G2.

Stay tuned, we'll post a video after the event.

Home Project by Paul Green

noreply@blogger.com (Anonymous) — Wed, 07 Jan 2015 16:56:00 +0000

Here's Paul's latest Raspberry Pi project.

Take a perfectly good remote control car, rip out the parts that make it work, replace them with a programmable micro-computer (the pi and an Arduino-like board) and wa-la you have a computer controlled toy (via python & WiFi) and three kids who almost got excited about the Internet of Things...‪

It's become painfully clear to me, the cool factor lies in flight. So, after a quick upgrade to Bert, we'll be working on building our own drone I suppose.

#‎GettingMyGeekOn‬ ‪#‎IWonder

Paul

G2 Addresses the Exclusive CISO Executive Forum

noreply@blogger.com (Anonymous) — Sat, 01 Nov 2014 13:30:00 +0000

G2 is pleased to, once again, share and collaborate with our colleagues in the Information Systems Security Association (ISSA). ISSA is celebrating its 30th anniversary as an organization of professionals who work to improve global cybersecurity.

G2 was invited to address the exclusive CISO Executive Forum, the ISSA program that provides executives an environment to achieve mutual success by connecting them to a large network of peers and top industry experts. Tom Conkle and Greg Witte described how the Cybersecurity Framework (CSF) enables effective risk management communication by fostering dialogue among Senior Executives, Business Process Owners, and Operational levels. CSF supports a cost-effective approach to protecting what's important and achieving risk objectives.

G2 has been a part of NIST's core team that has partnered with industry to build the CSF, and continues to support industry adoption through consulting, engineering, and implementation guidance. G2 will continue that support as the CSF and as the DHS voluntary program expand and evolve.

G2 Attending 6th Cybersecurity Framework Workshop

noreply@blogger.com (Anonymous) — Tue, 28 Oct 2014 18:28:00 +0000

Over the next two days, Paul Green, Brian Hubbard, Tom Conkle and several other G2'ers will be supporting and contributing to the 6th Cybersecurity Framework Workshop which will be hosted at the University of South Florida in sunny Tampa, FL.

The purpose; "Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. Version 1.0 of the Cybersecurity Framework, released on February 12, 2014, was developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.

In the time since the Framework's publication, NIST's primary goal has been to raise awareness of the Framework and encourage its use as a tool to help industry sectors and organizations manage cybersecurity risks.

The purpose of this workshop is to gather input to help NIST understand stakeholder awareness of, and initial experiences with, the framework and related activities to support its use. NIST is planning to release a formal Request for Information (RFI) asking for further feedback in these areas. Responses to the RFI will inform the workshop agenda.

Target Audience
Critical Infrastructure Owners and Operators and cybersecurity staff. Specifically those who have operational, managerial and policy experience and responsibilities for cybersecurity, technology and/or standards development for Critical Infrastructure companies." - Source NIST.Gov

For additional (Non NIST Sponsored) open discussion about the Cybersecurity Framework, check out CForum.

Director of R&D, Dr. Pat Muoio, was recently interviewed by AFCEA Signal about Cloud Security.

noreply@blogger.com (Anonymous) — Thu, 02 Oct 2014 18:15:00 +0000

Isolation  Mechanisms  Help Protect Data in Public Cloud

October 1, 2014
By Sandra Jontz

Usage has spurred growth in the virtualization market.

Explosive amounts of data and the strains on limited financial resources have prompted corporations and governmental agencies alike to explore joint tenancy in the cloud for storing, processing and transmitting data. But while good fences—or in this case isolation mechanisms—make good neighbors, in the virtual world of cloud security the idiom might not ring entirely true. In the public cloud arena, risks arise when organizations place their data in a cloud system but cannot control who their neighbors might be.

“There’s a risk that your data or your processes could bleed or be accessible from your cloud by your neighbors in a way you don’t intend them to be,” says Pat Muoio, director of research and development at G2 Incorporated in Maryland. “The kinds of mechanisms you need to protect against these risks of multitenancy are strong isolation mechanisms. A lot of virtualization systems provide isolation of your data and your processes from the next guy’s data and processes, but making sure that the mechanisms … are sound and strong, I think, is a key way to address this multitenancy risk.”

Cloud security vulnerabilities are just as high as those in networking. “That’s just a risk of [information technology] in general, not just a risk to cloud,” says Muoio, who served as a senior executive supervising more than 100 researchers in the federal government and developed capabilities to operate safely in compromised environments. In addition, she provided strategic direction to secure wireless technology, resilient systems, trustworthy computing, science of security, cryptography and system design and analysis.

Putting all of the security burdens of network computing on the back of the “poor cloud” is not useful, she adds. “We have to think about what’s different about the cloud,” says Muoio, whose technical focus areas include cyber physical systems, cybersecurity and advanced data processing. “For the most part, in my mind, those differences only become acute when we’re talking about the public cloud,” Muoio continues. “When we start talking about putting your data somewhere else, I think the risks change a little.”

The cloud offers attractive, affordable solutions that do not require much of an upfront investment and can be paid for based on usage or through subscriptions. It will be a booming market, a study by Global Media and Entertainment Solutions for the Cloud reports. While the cloud market earned roughly $100 million in 2013, it is expected to grow nearly ninefold by 2020, the report states. The Office of Management and Budget (OMB) already requires federal agencies to adopt a “cloud first” policy when contemplating information technology purchases.

Generally, public cloud use appeals to researchers, smaller companies and individuals who might need a lot of computing power for short durations. It also is attractive for cloud bursting, when running an application on a private cloud or data center is not enough and a user needs to burst into a public cloud for a brief capacity spike. “You might need a lot of compute power for an hour or two, or only once a week or so. If you were to buy that size of a computer, it would be very expensive and you might not get as much use out of it to justify that expense,” Muoio explains. “A lot of big companies are actually slower to move to public clouds because they have richer internal resources and have a better understanding of their compute load, which is much more steady.”

The growth of cloud usage spurred increased attention to and investment in virtualization, Muoio says. This is key to some possible solutions such as the growing trend of bring your own device (BYOD), in which employees use their own mobile devices such as cellular phones and tablets for work purposes. “You can save a lot of money if you work with virtual machines rather than be limited by the barriers that are on physical machines,” she says. “Absent virtualization, if I wanted to keep my work separate from your work, we’d have to put them on different physical computers. Whereas now, you use half a computer, I use half a computer, we can share it because we have these virtualization technologies.”

But access to the data—when users want it and how users want it—presents an additional concern. Data is stored off the cloud user’s premises and in somebody else’s space. There is a risk of not being able to gain access to the data if, for example, a network crashes. Consumers should conduct ample research when choosing suitable vendors to meet their needs, Muoio advises. “You would be doing poor due diligence in picking a contractor if you need a 99 percent availability and that vendor only offers 80 percent.”

Midsize and larger corporations have migrated toward using technology that takes them from a “recovery” of data mindset to a “resiliency” one. This technology provides seamless backup between data centers or access to cloud computing when one center is compromised and shuts down, says Matt Waxman, vice president of product management for the data protection and availability division of EMC Corporation. The company created the VPLEX technology, which the U.S. military uses as a backup system between data centers.

“There’s a big difference between recovery and resiliency, and VPLEX really plays into the resiliency. Whether it’s a power failure or a flood or a hurricane, … it keeps your applications online across two data centers without the need for any human intervention,” Waxman explains. “It’s a hardware and software solution that effectively can turn storage of data into this continuous availability model.”

Although technology such as VPLEX offers a recovery and resilience solution, Muoio points out that other techniques also are available. For example, if users rely on public cloud computing centers and access to multiple data centers is out of reach, they can mitigate problems through diligent tagging, such as specifying a date to delete stored data from the cloud, she advises.

“Understand the relationship and how much trust you are willing to put in [a company.] Put in the cloud the data that matches the trust you have in the system’s integrity. You can see companies making choices where they might put less sensitive data out there and keep their intellectual property in-house. The part of using these resources is understanding what they are good for, what they are too risky for.”

G2 Expertise on Display in the Harvard Law School Forum on Corporate Governance and Financial Regulation

noreply@blogger.com (Anonymous) — Wed, 27 Aug 2014 21:14:00 +0000

We are proud to announce that one of our Sr Cybersecurity Consultants has contributed content that was just recently published by the Harvard Law School Forum on Corporate Governance and Financial Regulation. You can view the article, authored by Tom Conkle, Sr Cybersecurity Consultant at G2, Inc. and Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP, by clicking here.

We firmly believe that the Cybersecurity Framework is a key component to securing our Nation's most critical systems, and we invite you to exchange ideas with us on CFORUM (the only website dedicated to the evolution of NIST's Cybersecurity Framework).

G2 to Particpate in Weil Gotshal & Manges' September Cybersecurity Briefings in New York City

noreply@blogger.com (Anonymous) — Thu, 21 Aug 2014 20:24:00 +0000

G2 is proud to partner with Weil Gotshal & Manges in the effort to further educate the general public on the principles of Cybersecurity, Cyber Governance, and Cyber Insurance. In the month of September, the firm will sponsor a set of Cyber Security Briefings.

The two-day Continuing Legal Education (CLE) webinar series – to be held on the mornings of Monday, September 15 and Monday September 22 at Weil's New York office – will feature three panels focusing on the existing cyber security threat and target industries, cyber governance issues facing boards and management, and related cyber insurance issues for directors. Tom Conkle, Cybersecurity Consultant at G2, will serve as one of the panelists on September 15th, that will tackle the issue of Cyber Governance.

Here's a little more information about Weil Gotshal and their inagural September Cybersecurity Briefing:

Weil, Gotshal & Manges is an international law firm that has dedicated practice that addresses the litigation risks caused by cybercrime. The Cybersecurity briefings in September will feature a number of Weil Gotshal's partners as well as a premier group of cyber and risk professionals from public companies, enterprise risk management consulting companies, public relations firms, cyber “first responders,” and the legal industry. Weil counsel, Paul Ferrillo, will moderate each panel.

We invite you to click here to view the two-day agenda and register for the webinar(s).

G2's Tom Conkle to lead "The Cybersecurity Framework Explained" webinar alongside Admiral Mike Brown (RSA)!

noreply@blogger.com (Anonymous) — Tue, 19 Aug 2014 19:51:00 +0000

Register now to participate in the RSA/G2 Cybersecurity Framework webinar scheduled for this Thursday, Aug 21, 2014 at 11am EST. This webinar will provide an overview of the Cybersecurity Framework and discuss the benefits the Framework provides to critical infrastructure providers.

More details regarding the webinar are provided below.

RSA Live Webcast:
The Cybersecurity Framework Explained

Thursday, August 21, 2014
11:00 am EDT/4:00 pm GMT

Presenters:
Admiral Mike Brown, United States Navy (Retired), Vice President and General Manager, Global Public Sector, RSA

Tom Conkle, Commercial Cybersecurity Lead, G2, Inc.

Concerns with the increasing number of successful cyber attacks (a recent Ponemon survey identified that 67% of Critical Infrastructure providers surveyed were breached last year*) and the continued increase in Cybersecurity spending prompted the U.S. Government to develop the Cybersecurity Framework in February of 2014.

If you have questions about the Cybersecurity Framework and what this means for your organization, this webcast will provide you with access to two of the foremost experts. Hear from Admiral Mike Brown who participated in the development of the Presidential Executive Order (E.O. 13636) which led to the development of the Framework. Also hear from G2, Inc., who was engaged by the National Institute of Standards and Technology (NIST) as the prime contractor to assist in the development of the Framework for Improving Critical Infrastructure Cybersecurity.

While the Framework was developed for Critical Infrastructure providers it is a valuable tool for any company with cyber presence. Join this webcast to learn more about:
The history of the Cybersecurity Framework and why it was developed
The Cybersecurity Framework components
The benefits your organization can obtain from using the Cybersecurity Framework
How to get started using the Framework

You will also have the chance to ask questions at the end of the webcast.

Greg Witte Leads ISACA Cybersecurity Framework Webinar (July 29, 2014)

noreply@blogger.com (Anonymous) — Tue, 29 Jul 2014 15:57:00 +0000

To register for the webinar or view the archive, click here.

A little background information...
G2 recently completed the "ISACA Guide for Implementing the Cybersecurity Framework." The book describes the Cybersecurity Framework and how organizations can implement the Framework using ISACA COBIT 5 processes. ISACA scheduled the release of the book for mid-August.

As a precursor to the book being released and to help advertise ISACA's NEXUS program, they asked our very own Greg Witte to provide a webinar describing the Framework and implementation guidance provided in the book.

ISACA (www.isaca.org) is an independent, nonprofit, global association, that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

Needless to say, we're extremely proud of Greg and the outcomes that we're producing with ISACA. We hope those who tune in find the webinar helpful.

SWIM UPSTREAM.

noreply@blogger.com (Anonymous) — Wed, 07 May 2014 15:14:00 +0000

By Paul Green, CEO

How do we make a difference in protecting our Nation, and run a business at the same time? Many small businesses (G2 included) have people in their company that individually make a difference but as a whole is there something we can accomplish that is greater than the sum of our employee’s individual contributions? And, can we do this in a repeatable way so we can create a long lasting and positive impact on our customers and employees? I believe the answer is yes.

The first question that must be answered is how you intend to create that difference. At G2 our answer to this question is to proactively and systematically turn our employees ideas into impact. To be effective, we have to start with a fundamental understanding of the mission outcomes our customers want to achieve. We must also be well versed in the challenges that will prevent them from reaching their goals both today and in the future. The best source of this insight and ideas is our employees who are embedded within customer organizations supporting a variety of mission sets.

Since anyone can conceive an idea, what really matters is what you do with the idea. At G2, we provide the resources (time, equipment and money) to our employees to investigate whether their idea can make a positive impact. Some will, some will not. There are no penalties if an idea does not succeed. For the ideas that can make a difference, the next challenge is to attach these efforts to contract vehicles where the Government can benefit from them. This often means navigating through bureaucracy, contract limitations and coop-ertition (otherwise known as teaming) and even protectionism.

I recall a time when we were a very small business supporting a very large system integrator that we received explicit instructions not talk to the customer unless the large system integrator was there as part of the conversation. At the time this seem like a reasonable request from our prime and one we weren’t well positioned to push back on. Over time, what I came to realize is that request was a very deliberate act in order to ensure that the small business would not influence the way the customer was thinking or planning. The desire of the large system integrator was that the small company should simply provide the bodies, follow the rules, punch the clock and not rock the boat. This is precisely what our Country doesn’t need.

It's my belief the reason this happens is because the thoughtful dialogue could increase the risk of delivery on a task, drive up customer expectations or costs that would create a risk to the bottom line. By its very nature the battlefield that we work on every day it's always changing so concepts like “don’t rock the boat” are antiquated and unhelpful.

At G2 I encourage every employee to be bold, question status quo, take chances and swim upstream.

Research and Failure

noreply@blogger.com (Anonymous) — Mon, 21 Apr 2014 14:26:00 +0000

By Pat Muoio

Folk wisdom has it that a good research program should fail at least 70% of the time. This might lead one to think that research is the perfect endeavor for the lazy and the inept. Yet research remains a respected pursuit; and researchers are generally thought to be driven and accomplished (insert image or your favorite inventor or mad scientist here). So how do we reconcile this drive for truth and innovation with the complacent acceptance of a high failure rate?

First we have to recognize that not all failures are created equal. There is one species of failure that results from lack of critical thinking, misunderstanding of the problem, unchallenged assumptions, poor experimental design, or general incompetence. This kind of failure is no more acceptable in research than it is in development or operations. The desirable species of failure comes from taking significant technical risk and pushing the boundaries of what is currently known. The thinking is, if you go out on a technical limb, it will fail to bear your weight a good percentage of the time. You can increase your chances of being supported by staying close to the trunk, or by only venturing out on the thick limbs that have been around for a while, but you can’t reach very far from these vantage points. To expand the scope of your grasp, you need to explore the less mature parts of the tree.

But falling out of a tree hurts (to torture this analogy just a little bit more) so why is climbing trees a good thing? For one, the view from the top when you are successful is spectacular. For two, you learn a lot about the problem, and about the limits of our understanding, every time you fall. And, if you are self-critical about your climb, your analysis of what went wrong improves your chances of succeeding the next time. This learning, born of risk-taking, is the value of failure in research.

Yet taking risks is not the same as being foolhardy, and it is critical to keep this in mind when embarking on a research activity – good research needs a strategy. You can assess the resilience of the branches of the tree you want to climb. You can tell in advance that some branches are just too weak, or are pointing downward and so won’t improve your view in any case. You can trace a path through the tree that enables you to jump to a nearby branch when you hear the one you are on starting to crack. And you can put a knowledge-collecting net near the base of the tree so you can bounce back up after the fall.

G2 Leadership.

noreply@blogger.com (Anonymous) — Tue, 08 Apr 2014 14:37:00 +0000

By: Paul Green, CEO

Eight things I believe about Leadership:

1. Being a Leader is a choice and does not require a title.

2. Leaders act with integrity and are fair. The bedrock of leadership is integrity. Integrity is the product of moral character and honesty and is closely associated to the consistency of our actions. If one says they are going to do something and then does not do it, they risk having their integrity called into question.

3. Leaders are trustworthy. Trust is a belief that something or someone has integrity. In other words it is the belief that something (or someone) will work as you expect. If you want people to trust you focus on consistently doing what you say you’re going to do, and always be fair to others.

4. Leaders create positive environments by being approachable and willing to listen to the ideas and concerns of anyone in the company. Leaders are willing to be transparent about how they make decisions. They have high expectations of others, offer praise when it is deserved and provide candid and timely feedback when those expectations are not met.

5. Leaders create a sense of belonging by building teams of people whose personal ideals and motivations are aligned with the core mission and values of the organization, and by helping each member of their team understand how they can contribute to the team’s shared goals.

6. Leaders inspire others. They keep us focused on our most important goal, remind us of why this goal is meaningful and lead by example.

7. Leaders build the esteem of others. Leaders let their people know they believe in them and their potential. They take the time to celebrate the successes of their peers and direct reports in front of others. Leaders offer meaningful encouragement, and help others realize their own success even when they can't see it for themselves.

8. Leaders empower others. They see more in people than they see in themselves. Great leaders hold us accountable not only for what must be done, but also to realize the fullness of our potential.

Leveraging the Cybersecurity Framework to Protect Critical Infrastructure

noreply@blogger.com (Anonymous) — Wed, 02 Apr 2014 19:28:00 +0000

By Brian Hubbard

After a year of working hand-in-hand with NIST to develop the Cybersecurity Framework, G2 has established an Implementation Support team to help critical infrastructure organizations leverage the Framework to improve their cybersecurity programs.

Our Implementation Support team assists organizations in the following areas: identification and scoping of their cybersecurity programs, development and analysis of their cybersecurity profiles, the analysis of gaps, and the development of action plans to close gaps. In addition, we help those organizations implement those action plans with the intent of moving the organization toward their targeted state.

As an added value, G2 also provides training on the Cybersecurity Framework. Our tiered training sessions are rooted in the many lessons that we learned while supporting the Cybersecurity Framework’s development and implementation. We offer training that ranges from informational overviews for C-level executives to implementation seminars that focus on helping managers and operators understand how the Framework can improve their cybersecurity programs. Beyond that, we facilitate workshops that help organizations develop detailed Framework implementation plans.

Our support doesn't stop at training and planning. Our Implementation Support team also provides the expertise required to continually maintain and evolve your security program as the target state profile continually evolves to address newly identified threats, security vulnerabilities, or changes in technologies. Additionally, our implementation team defines security target states for organizational suppliers.

Our Supplier Risk Management capability identifies security risks imposed by your suppliers and establishes target profiles to manage the risk your suppliers impose.

For more information on our services supporting the implementation of the Cybersecurity Framework, or any of our other services, feel free to contact Brian Hubbard at brian.hubbard@g2-inc.comor 301-575-5106.

When The Going Gets Tough, The Tough Invest in Research

noreply@blogger.com (Anonymous) — Wed, 19 Mar 2014 06:00:00 +0000

By: Patricia Muoio
Director of R&D, G2 Inc.

There is no denying that we have just emerged from a year that was fiscally problematic for government contractors into a period with a somewhat rosier prospect that is still marked by a high degree of fiscal uncertainty.

Some may wonder why G2 would choose to go large in research, an uncertain prospect, in this time of uncertainty. Or, more personally, we may individually be wondering whether it makes sense to go out on a limb and ask for research time when we could be maxing out our billable hours.

Prudence might suggest we concentrate on revenue-producing activities while we wait out the storm. While this may be a comfortable tactic and enable us to maintain the status quo with little risk, I’d like to argue this is a terrible strategy for the company’s long term health.

One argument in favor of increased investment in research during tough fiscal times is the tried and true “don’t eat your seed corn” argument. If one devotes all their resources to addressing today’s immediate needs, they will be under-resourced to address tomorrow’s challenges.

Another argument for increased research investment is based on the notion of improved competitiveness in times of scarcity. Contract opportunities are fewer when times are tough and G2 will need to win a higher percentage of the opportunities we bid on.

We could perhaps do this with superhuman pursuit efforts and lots of luck, or we could establish a systemic advantage: a reputation for innovation and problem solving backed by concrete evidence of solid processes and a track record of success in innovation.

Many large companies with established research divisions have taken this track, to great success. Tweak this basic idea to account for smaller margins and a less diverse market, and you have a strategy that enables a small company to flourish.

In addition to providing an edge in the short to medium term, prognosticating about the future that will follow these current uncertain times suggests that establishing a reputation for innovation will have big payoff in the long term. It is likely government budgets will stabilize, but my bet is they will likely be no larger, and more likely will be somewhat smaller, than they are today.

The unhappy reality of the government budget with which I am familiar, is that an unhealthy percentage of the money is devoted to personnel and keeping the lights on. The discretionary spending needed to keep up with the rapidly changing technical environment is inadequate.

Given my bet that there will not be much new money, and given we can’t ask the tech environment to slow down so we can catch up, agencies are going to need to reduce personnel costs and increase efficiency in their installed base in order to increase their investment in new technology.

It is innovation that enables automation, low-power commodity solutions, smart systems with lower maintenance costs, and other efficiencies needed to break the stranglehold of investment in sustaining current operations. And it seems to me as if this is the kind of innovation G2 is best at.

By going large on research at this time, we can be poised to provide solutions of this type, perhaps even before the customer asks for them.

G2 Tech Talk: "Lambda Expressions in Java 8" - July 17, 2013

noreply@blogger.com (Anonymous) — Wed, 10 Jul 2013 20:17:00 +0000

Join us on July 17th, when Marty Hall, President of coreservlets.com, will lead a discussion on Lambda Expressions in Java 8.

Location:

G2 Home Office

302 Sentinel Drive, Suite 300

Annapolis Junction, MD 20701

301.575.5100 main line

Time:
5:30pm - 7:00pm

Food will be provided. RSVP by emailing us at behind_the_scenes@g2-inc.com.

In Marty Hall's words, "Lambda expressions are by far the most significant addition to the Java programming language since generics and annotations were added in 2004. Functional programming, first introduced to the mainstream with Lisp, has been around since the early days of computer programming. However, it has seen a big resurgence in popularity in the 21st century, with Python, Ruby, and JavaScript used more extensively, and with the use of closures in those languages becoming much more widespread. And, despite Scala and ML showing that functional programming was not tied to dynamic typing, there continued to be a mis-perception in the Java world that functional programming was inappropriate for strongly-typed languages. Finally, with Java 8, lambda expressions (closures) are part of the world's most widely used programming language, and at long last the power of functional programming can be used in Java applications. This talk will summarize the syntax of Java 8 lambda expressions and give examples of the types of applications to which they are well suited."

We hope you can join us for this informational session pertaining to the future of Java programming.

G2 Awarded DISA ESS BPA Contract

noreply@blogger.com (Anonymous) — Tue, 16 Apr 2013 14:11:00 +0000

G2, Inc is very pleased to announce that it was one of three vendors awarded the DISA Engineering Support Services Blanket Purchase Agreement (ESS BPA) contract.

This highly competitive award allows G2 to provide DISA PEO-MA with quick reaction capabilities to enhance DISA ability to secure and operate the Global Information Grid. The period of performance for the ESS BPA contract has been set for 3 years.

About G2, Inc
G2 is a dynamic, advanced technology solutions and services company focused on defending our Nation in Cyberspace. The company specializes in attack analysis, security automation and big data analytics, and is committed to the success and satisfaction of each of its employees.

For more information visit the company’s web site at www.g2-inc.com.

Pete Senholzi Joins G2, Inc as Vice President of Strategic Programs

noreply@blogger.com (Anonymous) — Fri, 25 Jan 2013 21:02:00 +0000

G2, Incorporated announced yesterday that Pete Senholzi has joined the company as Vice President of Strategic Programs. In this role, Senholzi will have responsibility for business development program planning, implementation, and management. He will lead G2 efforts to provide innovative technology based solutions in support of current and emerging customer mission requirements.

Senholzi brings more than twenty-five years of hands-on, advanced technology business development experience and an extensive business development network in both the public and private customer sectors. This experience includes business development support to both large and small organizations. For the past six years, Senholzi was Senior Director at CSC where he directly supported just under $1.5B dollars of new awards primarily in the Intelligence Community.

Senholzi is an excellent addition to G2’s executive team which focuses on customers, creativity, agility and character. "We're thrilled to bring Pete on board and believe he is a great fit for G2. His drive, determination and capacity are well suited for G2's fast paced innovation driven environment." ~ Paul Green, CEO.

Senholzi holds both a bachelor’s degree in engineering and a master’s degree in business/marketing from Drexel University. He is happily married with two children. His interests include skiing, biking, boating and coaching.

About G2 Inc

G2 is a dynamic, advanced technology solutions and services company supporting the public sector. G2’s mission is “to proactively provide innovative solutions to the most significant challenges affecting our Nation’s ability to collect, utilize, and defend digital information”. The company specializes in developing cyber solutions including attack analysis, security automation and big data analytics.

Recognized as the Baltimore Sun’s Top Workplace for Encouraging New Ideas, G2 is also committed to the success and satisfaction of its employees. The company goes to great lengths to ensure that its engineers and business professionals are technically proficient, driven, and humble. Constant communication, trust, and respect are noted as cultural elements that keep employee satisfaction and morale high.

G2 is a small business with corporate offices located in Annapolis Junction, MD. For more information visit the company’s web site at www.g2-inc.com.

Leveraging Social Media When Engineering Tomorrow's Cyber Solutions

noreply@blogger.com (Anonymous) — Tue, 20 Nov 2012 14:45:00 +0000

G2's Emerging Presence Online

At G2, we recognize that the most valuable cyber solutions begin with
meaningful collaboration. On any given day, you can find our
engineers huddled around whiteboards solving the federal
government's most difficult cyber challenges. Whether we're working on malware analysis, big data analytics, or security automation, G2
is committed to removing the barriers between its engineers and the broader cyber community. We believe that today's cyber engineer can interact with his or her peers in more productive ways, when leveraging the power of social media.

At this year's Social Media Strategies Summit (hosted by @gsmionline)industry experts discussed how companies and employees can interact with others well beyond their existing networks. Conference speakers
like Jennifer Cohen Crompton, Glenn Selig, and Patrick Baynes spoke on topics like search engine optimization (SEO) and developing meaningful content. They stressed the fact that thoughtful preparation (using industry-specific terminology, high-frequency search terms, and stimulating subject matter) can lead to greater visibility on social media sites. By leveraging this strategy when tweeting, updating linkedin, and blogging, a software engineer in Ft Meade, MD can collaborate with a computer scientist at Google to produce tomorrow's computer network defense systems. Facebook, LinkedIn, and Twitter to help our engineers lead innovative discussions with other SMEs. While we are committed to sharing useful content via social media, we encourage our employees, industry colleagues, and friends to actively participate in the dialogue.

In summary: know your audience, create valuable content, connect & collaborate.

What types of cool techniques are you using to expand your online footprint?? We're listening!

An Open Letter to Our Nation's Veterans

noreply@blogger.com (Anonymous) — Sun, 11 Nov 2012 14:56:00 +0000

Today I enjoyed a wonderful day with my oldest daughter Madeleine. The highlight of our day was a walk in the woods which ended with a beautiful Eastern Shore sunset.

Today, I am reminded that this simple pleasure was possible only because of the selfless service of so many men and women who committed their lives to serving our Country.

To our Vets, I thank you for all that you have done to defend our great Nation. Your commitment is what guarantees our freedom.

We are all indebted to you. From the entire G2 family, thank you.

- Paul Green, CEO