
Our current state: A perspective from our CSO during the COVID-19 crisis

This crisis we are in is not over, and although we have been talking about pandemic response for as long as I have been around security and BCP teams, it is very hard to anticipate, plan for, and react to black swans. The responses to COVID-19 and the structural changes we are going to see in economies throughout the world will be based on good solid leadership, speed/adaptability, innovation, humility, charity, and sacrifice.

Security plays an additional role in a crisis like COVID-19: protecting an organization’s ability to respond effectively, which sometimes means accepting more risk. Security has to be laser-focused on ensuring a physical or cyber crisis does not impede the organization’s response efforts. It also needs to be a part of the ongoing risk decision-making as the crisis unfolds. Given this, below are my recommendations for additional considerations to your current security and incident response efforts.

Revisit some risks now. A crisis can take you into uncomfortable territory from a controls and process perspective, so we need to spend time now reassessing some risks and anticipating others as part of crisis management. Revisit threats, likelihoods, and impacts in the context of the bigger picture, and help the organization avoid becoming unable to respond effectively to the current crisis and return to the new normal.

Sharpen response to risks. Speed/adaptability and the other aspects of an effective response require a good command-and-control framework that relies on roles rather than specific people. The right people will always eventually rise to the occasion in a crisis. If not, you’re toast. There are plenty of history lessons where failed command-and-control results in chaos during stress and crisis, which is why it is one of the first things to be attacked by adversaries. Communication strategy is also essential, leveraging technology and agreed-upon protocols for cadence and messaging inside and outside the organization. Lastly, anticipate working outside the norms of your business during a crisis. Helping customers, or those who could become your customers, with their response usually turns out net positive through a crisis. Generosity and sacrifice often get rewarded.



After the Smoke Clears – What we can learn about risk management

After the smoke clears and we’re all allowed to go to bars again, organizations will be trying to answer a few questions. How well did we deal with this crisis? What have we learned? What changes for us the next time we have a similar crisis? Did what we just experience inform our approach to any other operational issues?

The security team has a particular responsibility in helping to answer these questions. The mission of a security team is to protect a business from risk. The risk of a pandemic eliminating supplies, services, and customers, as well as forcing employees to stay home, etc., probably was not on the radar of most businesses. It is now though.

Risk management forces the business to do three things about where we are, right now, in a heightened state of awareness:

  • Anticipate risks. What things could impact our business’ operations? We can brainstorm, we can look at history, we can look at what’s happening to other businesses in our industry or region, we can look at our operations and list the conditions that would be detrimental to their success. All of these activities should be inputs to our risk management effort. We won’t anticipate everything, but we should do our best to be holistic.
  • Prioritize risks. We need to answer the question, what risks would be the most impactful to our operations? We make decisions about these, stack rank them using a variety of criteria, and allow that to drive our efforts to deploy countermeasures. Businesses that had a pandemic on their list of risks may not have had it as a high priority before this year. Circumstances will change our view of these things, which is why we also need to…
  • Learn. After something adverse happens we examine it and adjust our risk inventory and priorities. We add things that weren’t there before, we knock things off the list or adjust priorities, and we update our list of controls when we learn that something is more effective—or less effective—than we expected. We’re constantly re-examining our risk and making sure we’re tracking and preparing for the right things.

Every business—even the critical ones that remained open during the quarantine—was impacted in some way by this pandemic. It’s a good time for every business to reexamine their risk management program and get it on track when leadership buy-in is likely to be at an all-time high. Take advantage of the hyper-awareness of risk to move the maturity of your information security program forward.



In response to Covid-19 now is the time to build a Cyber Risk Program – Here’s How

Digital Transformation is defined as the process of exploiting digital technologies and supporting capabilities to create a robust new business model which is led by executive management or at the board level. With the onset of the Covid-19 pandemic, we have an opportunity to review cyber risk strategies and align to the desired business outcomes. 

According to IDC (Source – Worldwide CISO Influence Survey 2018), business leaders and CISOs view information security as vital to competitiveness of products and services while protecting the interests of their customers.

Areas an Enterprise Cyber Risk Program should cover

When an organization promises to deliver the value of digital business to customers, it’s often the case that security is not at the table when critical decisions are being made. Without security representation at the right time, organizations are exposing themselves to business critical risks that could severely damage their brand.

As organizations continue to expand their digital footprint, an Enterprise Cyber Risk Program should be an integral part of the plan and should cover the following four areas:

  • Understanding and protecting your data.
  • Securing your applications.
  • Ensuring appropriate access.
  • Identifying and responding to incidents.

Questions to consider when building an Enterprise Cyber Risk Program

Here are some questions to consider as you build your program:

  1. What is your most critical and sensitive data? Where does it reside and how should you classify and protect it?
  2. With 90% of exploits being attributed to code defects in applications, how are you securing what has become the main entry point to your environment?
  3. How do you assure that the right people and things have the right access to the right data at the right time?
  4. It’s easy to monitor for security incidents that you are looking for, but how do you detect the ones that you have missed and drive them back into your automated detection and response processes?

CBTS can help you

If you would like to discuss in more detail, please email security@cbts.com.



Now, more than ever, network infrastructures need Network Access Control

The basis for Network Access Control

In the circumstances corporations now find themselves in because of the Covid-19 pandemic, network segmentation deficiencies have been spotlighted as an alarmingly weak spot in modern enterprise networks.

A recent example: an attacker penetrated an IoT-based HVAC system, which ultimately gave the attacker a nearly unrestricted path all the way to the victim corporation’s Point of Sale systems.

While re-architecting many infrastructures to provide more granular and secure segmentation would be an enormous ask, the first part of the problem—low-security IoT devices providing a starting point for a path through the network—is easier to address.

How Network Access Control works

Network Access Control, or NAC as it’s commonly referred to, is a process by which before network access is given, a user or a device (or both!) must first authenticate to the network.

What we’re NOT talking about: We’re not talking about logging on to a workstation when you first walk into your cubicle; in this instance your workstation is already connected to the network and you’re just providing your user credentials to log on to, for example, the Windows Domain.

What we ARE talking about: Rather, we’re talking about when you first connect your device—connect your laptop to the wired network, or connect your smartphone to a wireless network’s SSID, as examples—your device must first provide some kind of authentication, be it a MAC address or a certificate, and the network switch or wireless controller authenticates that MAC address or certificate against a centralized source.

Pass this authentication, and the device is allowed onto the network (for example, put into a certain VLAN) and further user authentication can take place from there.

Fail the authentication, and the device is either put into a guest VLAN for Internet-only access, or placed into an isolated VLAN with an explanatory page telling the user how to fix the situation by contacting a certain person or following a certain procedure to get the device properly registered, or else not allowed connection to the network at all.

How NAC solves IoT device vulnerabilities

Taking this concept further into the IoT realm, devices which do not have a user-facing GUI—headless devices like printers, security cameras, thermostats, HVAC systems, “smart-building” alarm sensors, etc.—are notoriously vulnerable via unpatched operating systems or known hardware security flaws, and need to be handled with care.

Devices like these should NEVER have an unrestricted pathway to secure/sensitive internal systems.

Network Access Control solves this by automatically authenticating these types of devices and placing them into cordoned-off zones (VLANs) with access only to their “phone home” destination.

A common misconception about modern NAC solutions

A common misconception is that Network Access Control is only applicable for wireless, or that “it’s that 802.1X thingy that never really caught on, so it’s an ‘old’ technology that is not applicable today.” That latter perception is particularly troubling, because 802.1X as a technology is painted as old/non-applicable because of the lack of quick-start guides and software wizards at the time.

Today’s NAC solutions are nothing like yesteryear’s NAC solutions, which required almost exclusively hands-on, command-line configuration of every device involved.

Setting up a NAC policy in today’s NAC solutions is as easy as following a “Start Here” wizard that quite literally walks you through setting it up, with resulting configuration statements that you install with copy/paste into the end-user-facing switch, controller, etc.

NAC solutions have hybrid configuration capabilities

Network Access Control solutions aren’t an “all or nothing” solution, either.

What a NAC solution is NOT: It’s not like an entire switch or controller is either under NAC control or it’s not, and if it is and the NAC solution isn’t working, the entire population of users connected to that switch or controller are locked out from the network.

What a NAC solution IS: Instead, NAC can be implemented on end-user-facing devices in a hybrid way, where only certain switch ports or certain SSIDs are under NAC control, as well as in a “fail-through” configuration where, if the NAC doesn’t respond, the switch port or SSID will allow a predefined “default” access.

Naturally, a caution is warranted with a hybrid configuration like this (especially with the availability of the “fail-through” feature), as NAC’s security itself can be eaten away with production connectivity emergencies. One example of this is service ticket troubleshooting where, instead of troubleshooting the user’s reason to need to authenticate to that particular security domain, the “resolution” carves away some of NAC’s security policy and the ticket is closed out, leaving a weakened NAC policy in place.
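The policy erosion described above is easiest to catch by periodically auditing the edge configuration rather than the ticket queue. The following is an added example (not from this article or any NAC vendor): it parses a constructed, Cisco IOS-style running-config (syntax assumed) and reports access ports where NAC is not enforced, or where the “fail-through” default would drop an unauthenticated device into a sensitive VLAN such as the server/POS segment the HVAC story involved.

```python
"""NAC coverage audit over a switch running-config (added example, not vendor code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample config in Cisco IOS-style syntax (assumed). VLAN numbers,
# port descriptions and the ticket story are made up for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Lobby printer
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication event server dead action authorize vlan 10
 mab
!
interface GigabitEthernet1/0/2
 description HVAC controller (NAC removed to close a connectivity ticket)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description Guest kiosk
 switchport mode access
 switchport access vlan 900
 authentication port-control auto
 authentication event no-response action authorize vlan 900
 authentication event server dead action authorize vlan 900
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/24
 description Uplink to core
 switchport mode trunk
!
"""

# Constructed: VLAN 10 is the internal server / point-of-sale segment.
SENSITIVE_VLANS: Set[int] = {10}


@dataclass
class Port:
    name: str
    description: str = ""
    mode: str = ""
    access_vlan: Optional[int] = None
    nac_enabled: bool = False                 # "authentication port-control auto" present
    server_dead_vlan: Optional[int] = None    # fail-through VLAN when the NAC server is unreachable
    no_response_vlan: Optional[int] = None    # guest VLAN for devices that never authenticate


def parse_interfaces(config: str) -> List[Port]:
    """Split the config into interface stanzas and pull out the NAC-relevant lines."""
    ports: List[Port] = []
    current: Optional[Port] = None
    event_re = re.compile(r"authentication event (server dead|no-response) action authorize vlan (\d+)")
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
        elif line == "!":
            current = None          # end of stanza
        elif current is None:
            continue                # global config lines are ignored
        elif line.startswith("description "):
            current.description = line[len("description "):]
        elif line.startswith("switchport mode "):
            current.mode = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            current.access_vlan = int(line.split()[-1])
        elif line == "authentication port-control auto":
            current.nac_enabled = True
        else:
            m = event_re.match(line)
            if m:
                vlan = int(m.group(2))
                if m.group(1) == "server dead":
                    current.server_dead_vlan = vlan
                else:
                    current.no_response_vlan = vlan
    return ports


def audit(ports: List[Port], sensitive: Set[int] = SENSITIVE_VLANS) -> List[Tuple[str, str]]:
    """Return (port name, finding) pairs for access ports that weaken the NAC policy."""
    findings: List[Tuple[str, str]] = []
    for p in ports:
        if p.mode != "access":
            continue  # trunks/uplinks are out of scope for edge NAC
        if not p.nac_enabled:
            findings.append((p.name, f"NAC not enforced; port statically in VLAN {p.access_vlan}"))
            continue
        if p.server_dead_vlan in sensitive:
            findings.append((p.name, f"fail-through authorizes sensitive VLAN {p.server_dead_vlan}"))
        if p.no_response_vlan in sensitive:
            findings.append((p.name, f"non-authenticating devices land in sensitive VLAN {p.no_response_vlan}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```

Run against the sample, the lobby printer port is flagged because its fail-through lands in VLAN 10, and the HVAC port is flagged because NAC was carved away entirely; the guest kiosk and the uplink are clean.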

Figure 1a: Examples of some of the “Start Here” configuration wizards in a popular NAC product.
Figure 1b: More examples of some of the “Start Here” configuration wizards in a popular NAC product.

Granular device visibility and health determination through Network Access Control

Network Access Control also offers improved visibility into the devices connected to the network, because most NAC solutions “profile” a device as it connects to the network.

Profiling can be agentless—where the device’s own communication characteristics on the network are captured and leveraged—or agent-based, where an agent is installed on the device to determine the health before access is allowed.

This profile information is subsequently used for policy determination even before access to the network is given. This is how segmentation by device type—including separating IT devices from OT (operational technology) devices—can be achieved without having to hardcode switchports, SSIDs, or the devices themselves.

Figure 2: Example of the endpoint profiler in a popular NAC solution, showing newly-connected and unknown IoT devices like doorbells and thermostats, with the ability to review a device’s authentication records (bottom-right corner of screen).

Summary

News headlines of the latest hacks demonstrate not only the need for authenticated network access, but device-specific network segmentation as well.

Network Access Control is just one part of a more-encompassing IT security policy, of course, but an ever more crucial one. And today’s NAC solutions make it easy to implement, which is unusually low-hanging fruit in the information security realm.

The CBTS Security Solutions team has Network Access Control subject matter experts on staff to not only assist with the selection, testing, and implementation of a NAC solution, but also to help build that more-encompassing IT security policy.



The Effects of the Coronavirus on Cybersecurity

While we’re all struggling to deal with the new reality imposed on us by those mean little viral microbes, the world carries on around us. There are a few ways we at CBTS have noticed the Coronavirus impact cybersecurity. Specifically:

Attackers are capitalizing on our fear

Cybercriminals and malware authors always try to find the most effective way to trick users into making poor, risky choices. Fear is an extremely effective mechanism, so in the last weeks we’ve seen this happen with the pandemic. Phishing attacks that purport to carry news about quarantines and lockdowns, infections, vaccines, and “did you see which celebrity tested positive” are on the rise. Mobile apps that claim to help you track the spread of the virus actually introduce malware onto your mobile device. We’ll see more of these in the coming months, and then when the proverbial smoke clears, there will be another round warning people about another crisis that’s even worse.

Company networks are under strain

As the workforce moves from offices to homes, businesses are forced to adopt remote worker practices, often with no experience with this model. This might mean a greater reliance on VPN technology. Of course, if your business isn’t used to monitoring a suddenly-packed VPN appliance, your security monitoring effort might miss unauthorized VPN access from stolen accounts. Make sure you’re using multi-factor authentication for your VPN solution.

Other businesses might give up and expose internal applications to the internet to facilitate greater remote access, but without properly protecting those applications. The right way to make these applications public involves strong authentication, filtering traffic and requests to the app (using intrusion prevention and web application firewall tools), and ensuring sensitive data exposed by the application cannot be accessed by unauthorized users or assets. Make sure your servers and network infrastructure are getting patched, too.

Finally, more company assets might be attached to more untrusted networks than a few weeks ago, mostly home networks. While we’d like to think they’re just as clean and safe as the company network, there might be exposure to a compromised or infected machine. You need a strategy to patch, enforce policy, and update controls and defenses on your workstations wherever they are.

Cloud solutions, a blessing and a curse

We’ve got plenty of customers that have migrated many of their essential applications to the cloud and so find themselves in a good spot. The apps are already broadly accessible from the internet, no need to have folks in the office anyway!

However, we also see plenty of these workloads operating without proper governance. Now might be a good time to look at how data is protected in these workloads, how servers and applications are hardened, and if the security controls in place are actually addressing the business’ risk, or if they’re just a placeholder.

Is that enough to worry about? Our goal isn’t to add to your anxiety, but to relate, and to offer help. Talk to our experts for assistance in dealing with any of these challenges. And stay healthy!

Visit CBTS.com to learn more.



A critical Windows flaw with no patch…now what?

Just as the planet’s medical practitioners are battling an epidemic, security practitioners also find themselves struggling to prevent the spread of harmful viruses. (How’s that for a timely analogy? Too soon?)

Businesses that run Windows—so, pretty much every company around the world—may be faced with such a situation soon. This morning, Microsoft published a bulletin about a vulnerability that some researchers have nicknamed “EternalDarkness,” besmirching the name of the excellent 2002 psychological thriller video game for the Nintendo GameCube.

Sorry, back to the vulnerability. The issue is present in Windows services that use the SMBv3 protocol to exchange files and perform administrative functions. If you have a Windows machine, it’s really hard to operate without this service running and available to your local network segment.

An unprecedented vulnerability

This vulnerability is startling for a few reasons. One, there’s currently no patch available, although I’m sure Microsoft is working to develop one as I write this. Two, both SMBv3 servers and clients are vulnerable. You can attack Windows machines both by simply sending unauthenticated exploit code to a listening service, and by convincing a user to open your malicious file share, an unprecedented method of attacking this service.

Three, we just got done telling everyone that SMBv1 and SMBv2 were unsafe for use and that SMBv3 is the best alternative (and to date there’s no SMBv4, sadly). Microsoft has published a workaround in their advisory: disabling compression on SMBv3, which mitigates the server-side issue but won’t address the client-side issue. Note that every Windows machine—workstation or server—runs both the client and server.

We cannot overstate the severity of this issue. While no public exploit code exists yet, it will soon. Once it does, it will be widely distributed and then used by ransomware authors, cyber criminals, and nation-state attackers.

What do we do when there’s no patch?

So what do we do as practitioners when there’s a vulnerability with no patch? We mitigate with compensating controls:

  • If you have endpoint protection solutions on your Windows workstations and servers, and they are capable of performing host-based intrusion prevention (for example, filtering malicious network traffic to the machine), ask the vendor to develop a signature to stop this exploit. Once it’s available, immediately distribute the signature to your entire environment.
  • Monitor for suspicious traffic at your perimeter.
  • Block unnecessary traffic between your network segments.
  • Use a host-based firewall to filter SMB traffic (port 445/TCP) between machines that don’t need to talk to each other, like other workstations. Better still, only allow 445/TCP traffic from workstations to necessary servers (such as domain controllers and file servers), and from servers to other necessary servers (application servers that require the protocol to talk to each other).
  • Most importantly, patch! Slam that F5 key on the Microsoft advisory website until you see a patch, and then distribute immediately to your environment.
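The “monitor for suspicious traffic” and “filter SMB between machines that don’t need to talk” items above are only useful if someone actually looks at what the host firewalls record. The following is an added example, not from this post: it reads Windows Firewall log lines (the W3C-style pfirewall.log column layout is assumed) and reports allowed 445/TCP connections that are workstation-to-workstation, or from a workstation to a server that is not on the SMB allow list (domain controllers and file servers). Subnets, addresses and log lines are constructed.

```python
"""Flag 445/TCP connections the segmentation policy says should not exist (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed address plan: 10.1.20.0/24 is workstations, 10.1.10.0/24 is servers.
WORKSTATION_NET = ipaddress.ip_network("10.1.20.0/24")
SERVER_NET = ipaddress.ip_network("10.1.10.0/24")
# Constructed: the only servers workstations legitimately reach over SMB
# (a domain controller and a file server).
SMB_ALLOWED_SERVERS = {"10.1.10.5", "10.1.10.20"}

# Constructed sample log. The column layout follows the Windows Firewall
# pfirewall.log "#Fields:" header (assumed); column names come from that header.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-03-11 09:15:02 ALLOW TCP 10.1.20.15 10.1.10.5 49812 445 0 - 0 0 0 - - - RECEIVE
2020-03-11 09:15:07 ALLOW TCP 10.1.20.15 10.1.20.22 49820 445 0 - 0 0 0 - - - RECEIVE
2020-03-11 09:15:09 DROP TCP 10.1.20.15 10.1.20.23 49821 445 0 - 0 0 0 - - - RECEIVE
2020-03-11 09:15:12 ALLOW TCP 10.1.20.31 10.1.10.77 50102 445 0 - 0 0 0 - - - RECEIVE
2020-03-11 09:15:15 ALLOW TCP 10.1.20.31 10.1.10.20 50110 445 0 - 0 0 0 - - - RECEIVE
2020-03-11 09:16:01 ALLOW TCP 10.1.20.40 10.1.10.5 50200 139 0 - 0 0 0 - - - RECEIVE
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse data lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split())))
    return records


def classify(ip: str) -> str:
    """Map an address to its role in the constructed address plan."""
    addr = ipaddress.ip_address(ip)
    if addr in WORKSTATION_NET:
        return "workstation"
    if addr in SERVER_NET:
        return "server"
    return "other"


def find_policy_violations(records: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (time, src, dst, reason) for allowed SMB connections the policy forbids.

    DROP entries are the host firewall doing its job and are not reported;
    only connections that were actually ALLOWED are of interest here.
    """
    hits: List[Tuple[str, str, str, str]] = []
    for r in records:
        if r.get("action") != "ALLOW" or r.get("protocol") != "TCP" or r.get("dst-port") != "445":
            continue
        src, dst = r["src-ip"], r["dst-ip"]
        src_kind, dst_kind = classify(src), classify(dst)
        if src_kind == "workstation" and dst_kind == "workstation":
            hits.append((r["time"], src, dst, "workstation-to-workstation SMB"))
        elif src_kind == "workstation" and dst not in SMB_ALLOWED_SERVERS:
            hits.append((r["time"], src, dst, "SMB to a server outside the allow list"))
    return hits


if __name__ == "__main__":
    for when, src, dst, why in find_policy_violations(parse_log(SAMPLE_LOG)):
        print(f"{when} {src} -> {dst}:445  {why}")
```

In the sample, one workstation reaching another over 445 and one workstation reaching a non-allowlisted server are reported; the dropped attempt and the port 139 connection are not.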

For more information on how CBTS can help keep your business secure, visit: https://www.cbts.com/infrastructure/security/

Just like with COVID-19, with a little discipline, focus, and smarts we can all get through this in one piece!

The spooky dangers of reusing passwords

How much of your personal and professional life is managed through online accounts? A lot, right?

If you’re like me, you like to spend time binge-watching shows on Netflix or Hulu, do online banking, online shopping, and stay in contact with distant friends and family through e-mail and maybe a social media account or two. With all these usernames and passwords to keep track of, it’s super convenient and easy to use one or two passwords across all your online accounts. But this practice is dangerous and could very well wind up being the end to your online privacy, individuality, and financial security.

In this short blog post, I will highlight some of the dangers of reusing your passwords across your accounts and what you can do to make yourself more secure in an increasingly spooky world.

Why reusing passwords across accounts is dangerous

Guessing passwords is easy

As a security consultant, my job is to assess the security processes and controls of computer networks inside organizations through vulnerability assessments and penetration tests. Part of my day-to-day is spent trying to gain authorized access to accounts and services, most often in the form of guessing passwords.

You may be surprised at how easy it is to guess passwords when considering the hometown of a user, their birth year, or their favorite sports team. The reality is, it’s simply not enough to change the numbers at the end, the season, your favorite four-digit number, or substitute letters for special characters.
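The reason those tweaks don’t help is that guessing tools undo them mechanically before comparing against a wordlist. The following is an added example (not from this post) of the same normalization used defensively, as a password-policy check at enrollment: it lowercases, strips trailing digits and symbols, reverses common character substitutions, and then asks whether what is left is a season, a month, a common word, or a term personal to the user (hometown, team, birth year). The base-word list and user terms are constructed; a real check would use a large breached-password list.

```python
"""Detect predictable password variations (added example, defensive policy check)."""
import re
from typing import Iterable, Optional, Tuple

# Common substitutions that guessing rules reverse; undone during normalization.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed base-word list (a stand-in for a real breached-password list).
PREDICTABLE_BASES = {
    "password", "welcome", "letmein", "qwerty", "admin", "changeme",
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}


def normalize(password: str) -> str:
    """Reduce a password to the base word a mangling rule set would start from.

    Trailing/leading digits and symbols are stripped *before* substitutions are
    reversed, so "Summer2020!" becomes "summer" rather than "summer2o2oi".
    """
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # drop trailing years, "#1", "!", etc.
    base = re.sub(r"^[^a-z]+", "", base)   # and anything prepended
    return base.translate(LEET)            # p@ssw0rd -> password


def is_predictable(password: str, user_terms: Iterable[str] = ()) -> Tuple[bool, Optional[str]]:
    """Return (True, reason) if the password is a dressed-up predictable word, else (False, None)."""
    base = normalize(password)
    terms = {t.lower() for t in user_terms if t}
    if base in PREDICTABLE_BASES:
        return True, f"base word '{base}' is on the common list"
    if base in terms:
        return True, f"base word '{base}' is personal information"
    # Personal terms embedded in a longer base, e.g. "gobengals" (only terms of 4+ chars
    # to avoid short tokens like "may" matching everything).
    for t in sorted(terms):
        if len(t) >= 4 and t in base:
            return True, f"contains personal term '{t}'"
    return False, None


if __name__ == "__main__":
    profile = ["Cincinnati", "Bengals", "1985"]   # constructed user profile
    for candidate in ["Summer2020!", "P@ssw0rd123", "Cincinnati1985", "GoBengals#1",
                      "correct-horse-battery-staple"]:
        print(candidate, "->", is_predictable(candidate, profile))
```

Note that a long random passphrase survives the check while every “clever” variation of a season, a common word or a hometown is rejected with the reason a user can act on.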

Your chances of a data breach exponentially increase

Reusing similar passwords across multiple accounts often results in data breaches and account takeovers. In the information security industry, this is known as credential stuffing.

Credential stuffing is an attack where computer hackers will scour data breaches for usernames, e-mail addresses, and passwords, and then use that breached data to gain unauthorized access to your accounts.

You need to do more, and I’m here to tell you what you can do.

How to make your passwords more secure

Identify password reuse attacks by monitoring your e-mail address against data breaching goblins

If you are feeling curious, visit haveibeenpwned.com (it’s safe, I promise) and enter your e-mail address. This website will let you know if your accounts have been exposed during a public data breach. This site also has a notify section that lets you monitor your e-mail address. If your e-mail address later turns up in a data breach down the road, you’ll be notified, and you should promptly generate another strong password.

Treat yourself to a password manager to knock the cobwebs off your passwords

To stop the dangers of password reuse, a nifty piece of software called a password manager can help.

Simply put, a password manager is exactly as it sounds, a manager for your passwords. The idea is to create a virtual vault where you store all of your passwords and sensitive data. Access to that vault is granted only by entering a very strong, unique, and memorable master password.

Now you might be wondering: isn’t using a password manager sort of like putting all your candy in one pillowcase? After all, like candy, passwords are precious. If you’re like me, you treat your passwords like you enjoy your candy bars: all to yourself, and each bite more delicious and unique than the last.

Here are two excellent reasons why using a password manager is much safer and helps protect your online accounts and digital life:

1. You only have to remember one really strong password. That’s it.

In popular password managers like LastPass, KeePass, or 1Password, incredibly strong and unique passwords are generated for you. This not only protects your accounts from hackers trying to guess your password, but also from data breaches.

Remember, hackers don’t always need to steal your passwords from you. They can locate or generate passwords themselves and use your password against you or somewhere else you’ve used it.

2. A password manager with two-factor authentication provides an additional layer of security.

“All your candy in one pillowcase” is actually a self-imposed fallacy! In addition to using a password manager, you should also use two-factor authentication (2FA) for sensitive accounts and services like your corporate passwords, online bank accounts, primary e-mail, and social media accounts. 2FA is a way to provide additional verification for devices and accounts you treasure.

For example, when I log into my online bank account, I enter my username and password, after which I receive a text message with a 6-digit PIN from my bank. I then use that PIN as my secondary password to get access to my bank account. So even if a hacker somehow gets access to your password, they would not have access to the second form of authentication! 2FA can take different forms too, such as a text message, a hardware security token, or your second password can be generated with secure software.

Wrapping it up: Trick the hackers by not reusing passwords and use a password manager instead

Just as you wouldn’t relinquish all your Reese’s Cups or Snickers bars to a single trick-or-treater, you shouldn’t reuse all your passwords on a single website or online account. Employing the time-tested and bellyache preventive measures of ensuring that each trick-or-treater is only allowed one candy bar per unique costume, a password manager ensures that you only employ one unique password per online account.

If I haven’t convinced you to stop reusing passwords, use a password manager instead, and enable 2FA where possible, the following articles may nudge you in the right direction:


Related Articles:

Is SMS-based Multi Factor Authentication Secure?

Understanding the “attacker mindset” in security

Create your data breach response plan

Cybertech Midwest 2019 Debrief

We just finished a few days with our friends at the Cybertech Midwest conference in Indianapolis. I try to visit as many information security conferences as I can each year—it’s one way my team keeps up with the latest research, learns about new attack scenarios, new tools, and understands the focal points of the community.

One of my favorite things about conferences like this is getting to hear from practitioners whose day-to-day work is notably different from my own. As a consultant, I spend more time in my clients’ worlds than my own, but that means I miss out on the experiences from industries and geographies where I don’t spend much time.

An area where this is especially true is state-level government here in the United States. We’ve spent time with city/county government, and other CBTS practices have done quite a bit at the state level, but our security practice doesn’t hang out there often, and as a result, I haven’t had a ton of exposure to the challenges and gaps that folks at the state level face.

So it was really exciting to hear from so many folks here that operate at that level – both CISOs and CIOs. What I heard was:

  • Traditional thinking and solutions aren’t effective enough anymore, and not just in terms of technology, but in how we think about solving security problems. Security folks end up very “siloed” as a function of being independent advisors, but we need to collaborate better with other teams in the business, for example folks with other areas of responsibility (legal, finance, HR, operations).
  • For some businesses, protecting data collected and used for analytics purposes can be as—or more—important than protecting financial or personal data, as it is the lifeblood of a lot of business operations. Make sure your data protection strategy covers that as well.
  • Business e-mail compromise (BEC) and fraud are still plaguing organizations large and small. At this point, if your business doesn’t operate using gift cards (which most do not), executives in the organization should pass the word to everyone: if you get a request to buy and provide pictures of gift cards to anyone with company money, it’s fake! Report it!

Going to a conference that doesn’t just focus on traditional enterprise security helps my team keep pace with the rest of the industry—and the rest of CBTS. We field every area of IT here, and clients of every stripe, and I best serve my clients and my colleagues when I can speak competently about their worlds as well as mine.

So let me ask you, the reader: where are you advancing your awareness of activities and trends in your field? You can read more about security services from CBTS.

Read more: Justin breaks down Ohio’s Data Protection Act




Understanding “Data Breach Safe Harbor” law

Last year, Ohio’s General Assembly passed SB220, referred to as the Ohio Data Protection Act. This legislation takes an interesting approach to cybersecurity regulation. Instead of mandating that a specific set of security controls be implemented, this data breach safe harbor legislation offers an incentive for voluntary compliance with one of several industry-accepted standards.

In short, if your business has a documented formal security program that follows one of these standards, and if a lawsuit is brought against you for a breach of personal data, the data breach safe harbor law allows you to claim an affirmative defense.

A closer look at the data breach safe harbor law

If, like us, you’re not attorneys or legal scholars, some of that might have left you scratching your head. Our good friends at Dinsmore (they’re great lawyers) wrote up a great article on the subject. For the laymen among us, here’s what we think the data breach safe harbor legislation means:

  1. Acme Company has a security program based on the NIST Cybersecurity Framework. They’ve documented and can demonstrate their compliance to each of the approximately 100 requirements of this framework.
  2. Acme suffers a data breach – despite their strong defenses, an attacker is able to access and steal their customer database.
  3. Acme customers whose data is stolen participate in a lawsuit against Acme, claiming negligence on Acme’s part that contributed to the loss of data.
  4. Under the Data Protection Act, Acme can demonstrate compliance to the NIST CSF as a defense in the suit, and if they are successful, cannot be held completely liable.

Sounds pretty groovy, eh?

Law highlights industry-accepted standards

The idea of the data breach safe harbor legislation is to incentivize businesses to develop a security program, adopt a formal security standard as its base, and to actually follow it. The standards mentioned by name in the law’s language are the good ones, too:

And if you’re required to be compliant with PCI-DSS, the HIPAA Security Rule, FISMA, HITECH, or GLBA, those count as well!

Effect of the law uncertain, but customers are intrigued

This is pretty appealing. Many companies have been targeted in lawsuits by the victims of their data breaches and have had to pay millions of dollars as a result.

Here’s the thing. This data breach safe harbor legislation is new and hasn’t been tested. We don’t know who decides how much compliance is sufficient to actually warrant an “affirmative defense,” or how much impact it will have on the final decisions in these kinds of cases. What we do know is that our customers are intrigued and have been asking for help in determining where the gaps are in their security program, and how to address them.

CBTS helps you navigate the always-shifting security landscape

CBTS has been advising customers on building strong security programs since 2005. We’re well versed in the standards included as a part of this data breach safe harbor legislation – we talk to customers about them every day. There’s never been a better time to invest in developing this practice in your business – contact us today!

NOTE: We are engineers, not lawyers. This blog post does not constitute legal advice and should not be used as such. If you require legal advice, you should consult a qualified lawyer in your jurisdiction.

Innovative security tools at 2019 RSA Conference

This year’s RSA Conference (RSAC) was bigger than ever – and I don’t mean that in the rote sense of “more exciting! Action packed! Full of more interesting things to see and learn!” I mean it literally – the physical space used by the conference that promises to showcase new innovative security tools covered more square mileage, and what was there was more densely packed. Good thing I brought my walking shoes.

So, does more equal better? Feedback from our customers and peers points towards the negative.

RSA reflects the crowded security solution market

Simply put, the security solution space is overcrowded. It makes sense – protecting your business, data, and assets from online threats is more of a concern now than it’s ever been. And certainly the market has reacted as one would expect, by growing exponentially. Standing shoulder to shoulder, vendors clamor for your attention, nearly every one guaranteeing they’ve got innovative security tools that will provide the assurance you’re seeking.

CBTS offers guidelines to help evaluate innovative security tools

Our team is uniquely positioned in this market. Our role is not to make empty promises to customers, standing between them and cybercriminals with a cape and tights. On the contrary, our customers depend on us to separate the wheat from the chaff, as it were. Customers expect us to point them to the practices and technologies that can materially improve the maturity of their security program. It requires a trained eye, to be sure, to identify these innovative security tools.

So what does CBTS look for in an enormous expo hall like RSAC’s? How do we pick our winners?

Guideline 1: Show me that your solution works; don’t just tell me

Execution is critical. More than what you say you can do, I want to hear success stories from your customers. What did their deployment look like? What other solutions did it displace or complement? What kind of staff does it take to admin and use? What kind of risk did it mitigate, and how? What threats did it stop or detect that couldn’t have been found otherwise?

Guideline 2: Innovative security tools must follow standards

Following standards is a personal big-ticket item for me. I was quite pleased to see how many vendors have adopted the MITRE ATT&CK Framework as a taxonomy to describe the kinds of threat tactics and techniques they can impact. If a vendor starts off the conversation by telling me the CIS Top 20 control category in which they fit, or the NIST 800-53 requirements they satisfy, I’ll be smiling ear to ear.

Guideline 3: Be wary of solutions that promise to solve all of your problems

The vendor that under-promises and over-delivers is valuable in my book. Claims that a product can solve all my security problems, or detect and stop every zero day exploit forever, will make me roll my eyes and move on. I want technology that solves very specific problems, tells me what it can do and what it cannot, and doesn’t try to boil the ocean. No product – no vendor alone, even – can satisfy every security need we have. Realism does the customer and the market a lot of good.

Guideline 4: It all comes down to innovation

Finally, innovation is at the top of my list. I look for technology used in truly new and interesting ways, and occasionally, I’ll find something new under the sun. Today anyone can cook up a fancy dashboard and an attractive, flashy UI. However, most of them are sitting atop the same approach as their conference floor neighbor. If I walk away from your booth and think, “huh, I’ve never seen anything like that before, and I think it could actually work!” that’s a healthy sign.

3 examples of innovative security tools

The SIEM space is a great example of a market segment where we’re starting to see more innovation. Here are three high-profile new offerings we saw announced around RSA:

  • Backstory, the new security analytics app from Chronicle, takes a new approach to log aggregation/correlation and incident investigation. Instead of presenting a simple table of log data from a structured query, analysts enter queries for common investigation-starting indicators – say, an IP address, username, or hostname. Backstory then provides a set of context-driven answers that give the analyst valuable insights immediately.
  • The demo of Azure Sentinel from Microsoft also caught my eye. While the investigation experience was much more reminiscent of a traditional SIEM, the UI presented an easy process to integrate event sources from Azure services, such as Azure SQL and Office 365, as well as sources from a variety of other network, server, and application platforms. An accessible, cloud-ready SIEM may be just what Azure customers are looking for.
  • Cisco’s Threat Response tool is similar – a “SIEM-like” interface that aggregates data from a variety of Cisco security products, such as Umbrella, AMP, and ThreatGrid. It also provides a really slick query/investigation interface to data from all of these tools.
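To make the indicator-driven investigation style described above concrete, here is a small added example in Python. It is not code from Chronicle, Microsoft, Cisco or CBTS; it only illustrates the idea of pivoting on an IP address, username or hostname and getting back correlated context (first/last seen, which log sources saw it, which other hosts, users and addresses it touched) instead of a raw table of rows. The event records, field names and timestamps are constructed for the example.

```python
"""Indicator pivot over a constructed set of normalised log events.

Added example: start an investigation from a single indicator (an IP
address, a username or a hostname) and summarise every event that
references it. Not vendor code; all events below are constructed.
"""

# Constructed sample telemetry (not real data). Every event is flattened to
# the same fields so that different sources (auth, dns, proxy) can be
# correlated on the indicator columns src_ip / user / host.
EVENTS = [
    {"ts": "2019-03-04T08:01:10", "source": "auth",  "host": "ws-17",
     "user": "jdoe",       "src_ip": "10.0.5.21", "detail": "logon success"},
    {"ts": "2019-03-04T08:03:42", "source": "dns",   "host": "ws-17",
     "user": None,         "src_ip": "10.0.5.21", "detail": "query update.example.test"},
    {"ts": "2019-03-04T08:04:05", "source": "proxy", "host": "ws-17",
     "user": "jdoe",       "src_ip": "10.0.5.21", "detail": "GET http://update.example.test/a.bin"},
    {"ts": "2019-03-04T09:15:00", "source": "auth",  "host": "srv-db-01",
     "user": "jdoe",       "src_ip": "10.0.5.21", "detail": "logon success"},
    {"ts": "2019-03-04T09:16:30", "source": "auth",  "host": "srv-db-01",
     "user": "svc_backup", "src_ip": "10.0.9.3",  "detail": "logon success"},
    {"ts": "2019-03-05T07:59:58", "source": "auth",  "host": "ws-22",
     "user": "asmith",     "src_ip": "10.0.5.40", "detail": "logon failure"},
]

INDICATOR_FIELDS = ("src_ip", "user", "host")


def classify_indicator(value):
    """Decide which event fields a free-text indicator should be matched
    against. A dotted-quad string is treated as an IPv4 address; anything
    else is tried as a username and as a hostname (constructed heuristic)."""
    parts = value.split(".")
    if len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return ("src_ip",)
    return ("user", "host")


def pivot(indicator, events=EVENTS):
    """Return a context summary for `indicator`, or None if nothing matched.

    The summary answers the questions an analyst asks first: when was this
    thing first and last seen, which sources saw it, and what other
    indicators (hosts, users, addresses) is it connected to?
    """
    fields = classify_indicator(indicator)
    matched = [e for e in events if any(e.get(f) == indicator for f in fields)]
    if not matched:
        return None
    # ISO-8601 timestamps sort correctly as strings.
    matched.sort(key=lambda e: e["ts"])
    related = {
        f: sorted({e[f] for e in matched if e.get(f) and e[f] != indicator})
        for f in INDICATOR_FIELDS
    }
    timeline = [
        f'{e["ts"]} {e["source"]:<6} {e["host"]:<10} {e["user"] or "-":<11} {e["detail"]}'
        for e in matched
    ]
    return {
        "indicator": indicator,
        "first_seen": matched[0]["ts"],
        "last_seen": matched[-1]["ts"],
        "event_count": len(matched),
        "sources": sorted({e["source"] for e in matched}),
        "related": related,
        "timeline": timeline,
    }


def render(ctx):
    """Human-readable version of a pivot result."""
    if ctx is None:
        return "no events matched"
    lines = [
        f'Indicator {ctx["indicator"]}: {ctx["event_count"]} events, '
        f'{ctx["first_seen"]} .. {ctx["last_seen"]} (sources: {", ".join(ctx["sources"])})',
    ]
    for field, values in ctx["related"].items():
        if values:
            lines.append(f"  related {field}: {', '.join(values)}")
    lines.append("  timeline:")
    lines.extend("    " + row for row in ctx["timeline"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Pivot from the address seen in the constructed proxy event, then from
    # the database server it later authenticated to.
    print(render(pivot("10.0.5.21")))
    print()
    print(render(pivot("srv-db-01")))
```

Pivoting on `10.0.5.21` in the constructed data shows the address first appears on a workstation logon, then in a DNS query and a proxy download, and finally in a logon to `srv-db-01`; pivoting on `srv-db-01` in turn surfaces the second account that logged on shortly afterwards. That chain of "what else touched this indicator" questions is exactly what a flat query result does not give you without several manual follow-up searches.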

Most interesting, though, were the licensing models for these three products:

  • Backstory is not priced based on log volume or events per second – common models from nearly every major SIEM player in the market – but instead based on number of employees. As a SaaS product hosted by Google, this means that storage is elastic and customers can maintain a virtually endless archive of data.
  • Cisco’s Threat Response may be even more appealing. It is free for use by Cisco customers that use AMP for Endpoints, Umbrella, next-gen firewalls, and ThreatGrid.
  • Microsoft’s Azure Sentinel, in its current preview program, is also free of charge to Office 365 customers.

CBTS wants to hear from you

So the next time you’re elbowing through a mass of people in a conference hall with the swag flying left and right, keep these criteria in mind.

And remember, CBTS has been helping customers leverage innovative security tools since 2005. Please contact us and let us know how we can help your organization.