Our current state: A perspective from our CSO during the COVID-19 crisis
This crisis we are in is not
over, and although we have been talking about pandemic response for as long as
I have been around security and BCP teams, it is very hard to anticipate, plan
for, and react to black swans. The responses to COVID-19 and the structural
changes we are going to see in economies throughout the world will be based on
good solid leadership, speed/adaptability, innovation, humility, charity, and
Security plays an additional
role in a crisis like COVID-19 in protecting an organization’s ability to
respond effectively, which sometimes means accepting more risk. Security
has to be laser-focused on ensuring a physical or cyber crisis does not impede
the organization’s response efforts. It also needs to be a part of the ongoing
risk decision-making as the crisis unfolds. Given this, below are my
recommendations for additional considerations to your current security and
incident response efforts.
Revisit some risks now. A
crisis can take you into uncomfortable territory from a controls and process
perspective, so we need to spend time now reassessing some risks and
anticipating others as part of crisis management. Revisit threats, likelihoods,
and impacts in the context of the bigger picture and help the organization
steer clear of the inability to respond effectively to the current crisis and
return to the new normal.
Sharpen response to risks. Speed/adaptability and the other aspects of an effective response require a good command-and-control framework that relies on roles rather than specific people. The right people will always eventually rise to the occasion in a crisis. If not, you’re toast. There are plenty of history lessons where failed command-and-control results in chaos during stress and crisis, which is why it is one of the first things to be attacked by adversaries. Communication strategy is also essential, leveraging technology and agreed-upon protocols for cadence and messaging inside and outside the organization. Lastly, anticipate working outside the norms of your business during a crisis. Helping customers or those who could become your customers with their response usually turns out net positive through a crisis. Generosity and sacrifice often get rewarded.
After the Smoke Clears – What we can learn about risk management
When the smoke clears and we’re all allowed to go to bars again, organizations will
be trying to answer a few questions. How well did we deal with this crisis?
What have we learned? What changes for us the next time we have a similar
crisis? Did what we just experience inform our approach to any other
security team has a particular responsibility in helping to answer these
questions. The mission of a security team is to protect a business from risk.
The risk of a pandemic eliminating supplies, services, and customers, as well
as forcing employees to stay home, etc., probably was not on the radar of most
businesses. It is now though.
Risk management forces the business to do three things about where we are, right
now, in a heightened state of awareness:
Anticipate risks. What things could impact our business’ operations? We
can brainstorm, we can look at history, we can look at what’s happening to
other businesses in our industry or region, we can look at our operations and
list the conditions that would be detrimental to their success. All of these
activities should be inputs to our
risk management effort. We won’t anticipate everything, but we should do our
best to be holistic.
Prioritize risks. We need to answer the question, what risks would be the
most impactful to our operations? We make decisions about these, stack rank
them using a variety of criteria, and allow that to drive our efforts to deploy
countermeasures. Businesses that had a pandemic on their list of risks may not
have had it as a high priority before this year. Circumstances will change our
view of these things, which is why we also need to…
Learn. After something adverse happens we examine it and
adjust our risk inventory and priorities. We add things that weren’t there
before, we knock things off the list or adjust priorities, we update our list
of controls when we know something’s more effective—or less effective—than we
expected. We’re constantly re-examining our risk and making sure we’re tracking
and preparing for the right things.
Every business—even the critical ones that remained open during the quarantine—was impacted in some way by this pandemic. It’s a good time for every business to reexamine their risk management program and get it on track when leadership buy-in is likely to be at an all-time high. Take advantage of the hyper-awareness of risk to move the maturity of your information security program forward.
In response to Covid-19 now is the time to build a Cyber Risk Program – Here’s How
Digital Transformation is defined as the process of exploiting digital technologies and supporting capabilities to create a robust new business model which is led by executive management or at the board level. With the onset of the Covid-19 pandemic, we have an opportunity to review cyber risk strategies and align to the desired business outcomes.
According to IDC (Source – Worldwide CISO Influence Survey 2018), business leaders and CISOs view information security as vital to competitiveness of products and services while protecting the interests of their customers.
Areas an Enterprise Cyber Risk Program should cover
When an organization promises to deliver the value of digital business to customers, it’s often the case that security is not at the table when critical decisions are being made. Without security representation at the right time, organizations are exposing themselves to business critical risks that could severely damage their brand.
As organizations continue to expand their digital footprint, an Enterprise Cyber Risk Program should be an integral part of the plan and should cover the following four areas:
Understanding and protecting your data.
Securing your applications.
Ensuring appropriate access.
Identifying and responding to incidents.
Questions to consider when building an Enterprise Cyber Risk Program
Here are some questions to consider as you build your program:
What is your most critical and sensitive data? Where does it reside and how should you classify and protect it?
With 90% of exploits being attributed to code defects in applications, how are you securing what has become the main entry point to your environment?
How do you assure that the right people and things have the right access to the right data at the right time?
It’s easy to monitor for security incidents that you are looking for, but how do you detect the ones that you have missed and drive them back into your automated detection and response processes?
Now, more than ever, network infrastructures need Network Access Control
The basis for Network Access Control
In the circumstances corporations now find themselves because of the Covid-19 pandemic, network segmentation deficiencies have been spotlighted as an alarmingly weak spot in modern network enterprises.
A recent example was provided by an attacker penetrating an IoT-based HVAC system that ultimately provided the attacker a nearly unrestricted path all the way to the victim corporation’s Point of Sale systems.
While re-architecting many infrastructures to provide more granular and secure segmentation would be an enormous ask, the first part—of low-security IoT devices being able to provide a starting point for a path through the network—is an easier one to address.
Network Access Control, or NAC as it’s commonly referred to, is a process by which before network access is given, a user or a device (or both!) must first authenticate to the network.
What we’re NOT talking about: We’re not talking about logging on to a workstation when you first walk into your cubicle; in this instance your workstation is already connected to the network and you’re just providing your user credentials to log on to, for example, the Windows Domain.
What we ARE talking about: Rather, we’re talking about when you first connect your device—connect your laptop to the wired network, or connect your smartphone to a wireless network’s SSID, as examples—your device must first provide some kind of authentication, be it a MAC address or a certificate, and the network switch or wireless controller authenticates that MAC address or certificate against a centralized source.
Pass this authentication, and the device is allowed onto the network (for example, put into a certain VLAN) and further user authentication can take place from there.
Fail the authentication, and the device is either put into a guest VLAN for Internet-only access, or placed into an isolated VLAN with an explanatory page telling the user how to fix the situation by contacting a certain person or following a certain procedure to get the device properly registered, or else not allowed connection to the network at all.
How NAC solves IoT device vulnerabilities
Taking this concept further into the IoT realm, devices which do not have a user-facing GUI—headless devices like printers, security cameras, thermostats, HVAC systems, “smart-building” alarm sensors, etc.—are notoriously vulnerable via unpatched operating systems or known hardware security flaws, and need to be handled with care.
Devices like these should NEVER have an unrestricted pathway to secure/sensitive internal systems.
Network Access Control solves this by automatically authenticating these types of devices and placing them into cordoned-off zones (VLANs) with access only to their “phone home” destination.
A common misconception about modern NAC solutions
A common misconception is that Network Access Control is only applicable for wireless, or that “it’s that 802.1X thingy that never really caught on, so it’s an ‘old’ technology that is not applicable today.” That latter perception is particularly troubling, because 802.1X as a technology is painted as old/non-applicable because of the lack of quick-start guides and software wizards at the time.
Today’s NAC solutions are nothing like yesteryear’s NAC solutions, the latter of which required almost exclusive hands-on to the command-line configuration of all devices involved.
Setting up a NAC policy in today’s NAC solutions is as easy as following a “Start Here” wizard that quite literally walks you through setting it up, with resulting configuration statements that you install with copy/paste into the end-user-facing switch, controller, etc.
NAC solutions have hybrid configuration capabilities
Network Access Control solutions aren’t an “all or nothing” solution, either.
What a NAC solution is NOT: It’s not like an entire switch or controller is either under NAC control or it’s not, and if it is and the NAC solution isn’t working, the entire population of users connected to that switch or controller are locked out from the network.
What a NAC solution IS: Instead, NAC can be implemented on end-user-facing devices in a hybrid way, where only certain switch ports or certain SSIDs are under NAC control, and as well as being in a “fail-through” configuration where if the NAC doesn’t respond, the switch port or SSID will allow a predefined “default” access.
Naturally, a caution is warranted with a hybrid configuration like this (especially with the availability of the “fail-through” feature), as NAC’s security itself can be eaten away with production connectivity emergencies. One example of this is service ticket troubleshooting where, instead of troubleshooting the user’s reason to need to authenticate to that particular security domain, the “resolution” carves away some of NAC’s security policy and the ticket is closed out, leaving a weakened NAC policy in place.
Granular device visibility and health determination through Network Access Control
Network Access Control also offers improved visibility into the devices connected to the network, via the fact that many/most of them will “profile” the device as it connects to the network.
Profiling can be agentless—where the device’s own communication characteristics on the network are captured and leveraged—or agent-based, where an agent is installed on the device to determine the health before access is allowed.
This profile information is subsequently used for policy determination even before access to the network is given. This is how network segmentation through device type—and how IT devices versus OT (operational technology) devices—can be achieved without having to hardcode switchports, SSIDs, or the devices themselves.
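The admission logic described in the preceding sections (authenticate the device against a central source, assign a VLAN by profile, quarantine or guest-VLAN unknown devices, and the "fail-through" default when the NAC does not respond) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the original post or from any NAC vendor; the registry, MAC addresses, certificate subject, VLAN numbers, hostnames and port names are all constructed, and a Python class stands in for the RADIUS-style central source.

```python
"""Toy NAC admission engine modelling the decisions described above.

Added example (not the page's or any vendor's code). The central source,
VLAN numbers, MAC addresses, hostnames and switch port names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

GUEST_VLAN = 900        # internet-only access for unknown devices
QUARANTINE_VLAN = 999   # isolated VLAN that serves only the remediation page

# Constructed central registry: the identity a device presents on connect
# (a MAC address for headless devices, a certificate subject for 802.1X
# EAP-TLS) mapped to the profile the NAC assigns to it.
REGISTRY: Dict[str, str] = {
    "aa:bb:cc:dd:ee:01": "workstation",
    "aa:bb:cc:dd:ee:02": "printer",
    "aa:bb:cc:dd:ee:03": "hvac",
    "cert:CN=laptop-17,O=Acme": "workstation",
}

# Profile -> (VLAN, reachable destinations). None means the VLAN's own rules
# apply; IoT profiles are cordoned off with only their "phone home" target.
PROFILE_POLICY: Dict[str, Tuple[int, Optional[Set[str]]]] = {
    "workstation": (10, None),
    "printer": (300, {"print-server.internal"}),
    "hvac": (310, {"hvac-cloud.example.net"}),
}


@dataclass
class Decision:
    vlan: Optional[int]                # None = the port stays closed
    allowed_dests: Optional[Set[str]]  # None = unrestricted within the VLAN
    reason: str


class NacServer:
    """Stand-in for the centralized authentication source (e.g. RADIUS)."""

    def __init__(self, registry: Dict[str, str], reachable: bool = True):
        self.registry = registry
        self.reachable = reachable

    def authorize(self, identity: str) -> Optional[str]:
        if not self.reachable:
            raise TimeoutError("NAC server did not respond")
        return self.registry.get(identity)


def admit(identity: str, server: NacServer,
          fail_through_vlan: Optional[int] = None,
          quarantine_unknown: bool = True) -> Decision:
    """Decide what a switch port or SSID does with a newly connected device."""
    try:
        profile = server.authorize(identity)
    except TimeoutError:
        # "Fail-through": only ports explicitly given a default VLAN stay
        # usable while the NAC is down; every other port stays closed.
        if fail_through_vlan is None:
            return Decision(None, set(), "nac unreachable: port closed")
        return Decision(fail_through_vlan, None,
                        "nac unreachable: fail-through default access")
    if profile is None:
        if quarantine_unknown:
            return Decision(QUARANTINE_VLAN, {"remediation.internal"},
                            "unknown device: quarantined, remediation page only")
        return Decision(GUEST_VLAN, None, "unknown device: guest, internet only")
    vlan, dests = PROFILE_POLICY[profile]
    return Decision(vlan, dests, f"authenticated, profiled as {profile}")


def can_reach(decision: Decision, destination: str) -> bool:
    """Would traffic from this device to `destination` be permitted?"""
    if decision.vlan is None:
        return False
    if decision.allowed_dests is None:
        return True
    return destination in decision.allowed_dests


def audit_fail_through(port_config: Dict[str, Optional[int]]) -> List[str]:
    """List ports whose fail-through default was left in place, so the policy
    erosion described in the text can be reviewed rather than forgotten."""
    return sorted(port for port, vlan in port_config.items() if vlan is not None)


if __name__ == "__main__":
    server = NacServer(REGISTRY)
    hvac = admit("aa:bb:cc:dd:ee:03", server)
    print(hvac.reason, "-> VLAN", hvac.vlan)
    print("HVAC -> POS server allowed?", can_reach(hvac, "pos-server.internal"))
    print("HVAC -> phone home allowed?", can_reach(hvac, "hvac-cloud.example.net"))
    print(admit("00:11:22:33:44:55", server).reason)
    print(admit("aa:bb:cc:dd:ee:01", NacServer(REGISTRY, reachable=False)).reason)
    print("Ports still on fail-through:",
          audit_fail_through({"Gi1/0/1": None, "Gi1/0/7": 10, "Gi1/0/9": 900}))
```

The point of `can_reach` is the HVAC case from the opening paragraphs: an authenticated IoT device lands in its own VLAN and can talk only to its phone-home destination, so there is no path to a Point of Sale system. `audit_fail_through` exists for the caveat about hybrid configurations: a fail-through default that was added during a connectivity emergency should show up in a periodic report, not stay in place silently.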
News headlines of the latest hacks demonstrate not only the need for authenticated network access, but device-specific network segmentation as well.
Network Access Control is just one part of a more-encompassing IT security policy, of course, but an ever more crucial one. And today’s NAC solutions make it easy to implement, which is unusually low-hanging fruit in the information security realm.
While we’re all struggling to deal with the new reality imposed on us by those mean little viral microbes, the world carries on around us. There are a few ways we at CBTS have noticed the Coronavirus impact cybersecurity. Specifically:
Attackers are capitalizing on our fear
Cybercriminals and malware authors always try to find the most effective way to trick users into making poor, risky choices. Fear is an extremely effective mechanism, so in the last weeks we’ve seen this happen with the pandemic. Phishing attacks that purport to carry news about quarantines and lockdowns, infections, vaccines, and “did you see which celebrity tested positive” are on the rise. Mobile apps that claim to help you track the spread of the virus actually introduce malware onto your mobile device. We’ll see more of these in the coming months, and then when the proverbial smoke clears, there will be another round warning people about another crisis that’s even worse.
Company networks are under strain
As the workforce moves from offices to homes, businesses are forced to adopt remote worker
practices, often with no experience with this model. This might mean a greater
reliance on VPN technology. Of course, if your business isn’t used to
monitoring a suddenly-packed VPN appliance, your security monitoring effort
might miss unauthorized VPN access from stolen accounts. Make sure you’re using
multi-factor authentication for your VPN solution.
Other businesses might give up and expose internal applications to the internet to facilitate greater remote access, but without properly protecting those applications. The right way to make these applications public involves strong authentication, filtering traffic and requests to the app (using intrusion prevention and web application firewall tools), and ensuring sensitive data exposed by the application cannot be accessed by unauthorized users or assets. Make sure your servers and network infrastructure are getting patched, too.
Finally, more company assets might be attached to more untrusted networks than a few weeks ago, mostly home networks. While we’d like to think they’re just as clean and safe as the company network, there might be exposure to a compromised or infected machine. You need a strategy to patch, enforce policy, and update controls and defenses on your workstations wherever they are.
Cloud solutions, a blessing and a curse
We see plenty of customers that have migrated many of their essential applications to
the cloud and so find themselves in a good spot. The apps are already broadly
accessible from the internet, no need to have folks in the office anyway!
We also see plenty of these workloads operating without proper governance. Now
might be a good time to look at how data is protected in these workloads, how
servers and applications are hardened, and if the security controls in place
are actually addressing the business’ risk, or if they’re just a placeholder.
Is that enough to worry about? Our goal isn’t to add to your anxiety, but to relate, and to offer help. Talk to our experts for assistance in dealing with any of these challenges. And stay healthy!
Just as the planet’s medical practitioners are battling an
epidemic, security practitioners also find themselves struggling to prevent the
spread of harmful viruses. (How’s that for a timely analogy? Too soon?)
Businesses that run Windows—so, pretty much every company
around the world—may be faced with such a situation soon. This morning,
Microsoft published a bulletin
about a vulnerability that some researchers have nicknamed
“EternalDarkness,” besmirching the name of the excellent 2002
psychological thriller video game for the Nintendo GameCube.
Sorry, back to the vulnerability. The issue is present in
Windows services that use the SMBv3 protocol to exchange files and perform
administrative functions. If you have a Windows machine, it’s really hard to
operate without this service running and available to your local network.
An unprecedented vulnerability
This vulnerability is startling for a few reasons. One,
there’s currently no patch available, although I’m sure Microsoft is working to
develop one as I write this. Two, both SMBv3 servers and clients are vulnerable. You can attack Windows machines both by
simply sending unauthenticated exploit code to a listening service, and by
convincing a user to open your malicious file share, an unprecedented method of
attacking this service.
Three, we just got done telling everyone that SMBv1 and
SMBv2 were unsafe for use and that SMBv3 is the best alternative (and to date
there’s no SMBv4, sadly). Microsoft has published a workaround in their advisory:
disabling compression on SMBv3, which mitigates the server-side issue but won’t
address the client-side issue. Note that every Windows machine—workstation or
server—runs both the client and server.
We cannot overstate the severity of this issue. While no
public exploit code exists yet, it will soon. Once it does, it will be widely
distributed and then used by ransomware authors, cyber criminals, and
What do we do when there’s no patch?
So what do we do as practitioners when there’s a
vulnerability with no patch? We mitigate with compensating controls:
If you have endpoint protection solutions on
your Windows workstations and servers, and they are capable of performing
host-based intrusion prevention (for example, filtering malicious network
traffic to the machine), ask the vendor to develop a signature to stop this
exploit. Once it’s available, immediately distribute the signature to your
Monitor for suspicious traffic at your
Block unnecessary traffic between your network
Use a host-based firewall to filter SMB traffic
(port 445/TCP) between machines that don’t need to talk to each other, like
other workstations. Better still, only allow 445/TCP traffic from workstations
to necessary servers (such as domain controllers and file servers), and from
servers to other necessary servers (application servers that require the
protocol to talk to each other).
Most importantly, patch! Slam that F5 key on the
website until you see a patch, and then distribute immediately to your
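The monitoring and host-firewall items above boil down to one rule: 445/TCP should flow only from workstations to domain controllers and file servers, and between servers that genuinely need the protocol; anything else, workstation-to-workstation in particular, is a finding. The following is an added example, not code from the original post: a small audit that applies that rule to flow or firewall log records. The host inventory, the allowed role pairs, the timestamps and the log format ("timestamp src dst dst_port proto", one record per line) are all constructed for the example and do not correspond to any particular product.

```python
"""Audit flow records for SMB (445/TCP) connections that violate the
segmentation policy described above.

Added example, not the page's code. The inventory, policy and log lines are
constructed; the log format is a made-up one, not any vendor's.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed inventory: IP -> role.
ROLES: Dict[str, str] = {
    "10.1.20.15": "workstation",
    "10.1.20.16": "workstation",
    "10.1.20.17": "workstation",
    "10.1.10.5": "domain_controller",
    "10.1.10.20": "file_server",
    "10.1.30.8": "app_server",
    "10.1.30.9": "app_server",
    "10.1.30.40": "db_server",
}

# (source role, destination role) pairs that may speak SMB. Everything else
# on 445/TCP is reported; workstation -> workstation is the case the text
# singles out, since it is the classic lateral-movement path.
ALLOWED_SMB = {
    ("workstation", "domain_controller"),
    ("workstation", "file_server"),
    ("app_server", "app_server"),
    ("app_server", "file_server"),
    ("domain_controller", "domain_controller"),
}

SMB_PORT = 445

# Constructed sample records: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
SAMPLE_LOG = """\
2020-03-10T14:02:11Z 10.1.20.15 10.1.10.20 445 tcp
2020-03-10T14:02:13Z 10.1.20.15 10.1.10.5 445 tcp
2020-03-10T14:02:40Z 10.1.20.15 10.1.20.16 445 tcp
2020-03-10T14:02:41Z 10.1.20.15 10.1.20.17 445 tcp
2020-03-10T14:03:02Z 10.1.30.8 10.1.30.9 445 tcp
2020-03-10T14:03:15Z 10.1.30.8 10.1.30.40 445 tcp
2020-03-10T14:03:20Z 10.1.20.16 10.1.10.20 443 tcp
2020-03-10T14:03:31Z 192.0.2.77 10.1.20.16 445 tcp
"""

Flow = Tuple[str, str, str, int, str]


def parse_flows(text: str) -> List[Flow]:
    """Parse records; malformed lines are skipped rather than aborting the audit."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, dst, port, proto = parts
        flows.append((ts, src, dst, int(port), proto.lower()))
    return flows


def role_of(ip: str) -> str:
    return ROLES.get(ip, "unknown")


def smb_violations(flows: List[Flow]) -> List[Dict[str, str]]:
    """Return every 445/TCP flow whose role pair is not in ALLOWED_SMB."""
    findings = []
    for ts, src, dst, port, proto in flows:
        if port != SMB_PORT or proto != "tcp":
            continue
        pair = (role_of(src), role_of(dst))
        if pair in ALLOWED_SMB:
            continue
        if pair == ("workstation", "workstation") or "unknown" in pair:
            severity = "high"    # lateral path, or a host not in the inventory
        else:
            severity = "medium"  # server pair that policy does not list
        findings.append({"time": ts, "src": src, "dst": dst,
                         "pair": f"{pair[0]}->{pair[1]}", "severity": severity})
    return findings


def noisiest_sources(findings: List[Dict[str, str]], n: int = 3):
    """Sources with the most violations: the first machines to look at."""
    return Counter(f["src"] for f in findings).most_common(n)


if __name__ == "__main__":
    found = smb_violations(parse_flows(SAMPLE_LOG))
    for f in found:
        print(f"{f['severity']:6} {f['time']} {f['src']} -> {f['dst']} ({f['pair']})")
    print("noisiest sources:", noisiest_sources(found))
```

Run against the sample, it keeps the two legitimate workstation flows (to the file server and the domain controller) and the app-server pair quiet, ignores the 443 record, and reports the two workstation-to-workstation flows, the app-server-to-database flow the policy does not list, and the connection from an address that is not in the inventory. The same `ALLOWED_SMB` table is what a host-based firewall rule set should encode: allow 445/TCP only for those pairs, block the rest.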
Just like with COVID-19, with a little discipline, focus, and smarts we can all get through this in one piece!
The spooky dangers of reusing passwords
How much of your personal and professional life is managed through online accounts? A lot, right?
If you’re like me, you like to spend time binge-watching shows on Netflix or Hulu, do online banking, online shopping, and stay in contact with distant friends and family through e-mail and maybe a social media account or two. With all these usernames and passwords to keep track of, it’s super convenient and easy to use one or two passwords across all your online accounts. But this practice is dangerous and could very well wind up being the end to your online privacy, individuality, and financial security.
In this short blog post, I will highlight some of the dangers of reusing your passwords across your accounts and what you can do to make yourself more secure in an increasingly spooky world.
Why reusing passwords across accounts is dangerous
Guessing passwords is easy
As a security consultant, my job is to assess the security processes and controls of computer networks inside organizations through vulnerability assessments and penetration tests. Part of my day-to-day is spent trying to gain authorized access to accounts and services, most often in the form of guessing passwords.
You may be surprised at how easy it is to guess passwords when considering the hometown of a user, their birth year, or their favorite sports team. The reality is, it’s simply not enough to change the numbers at the end, the season, your favorite four digit number, or substitute letters for special characters.
Your chances of a data breach exponentially increase
Reusing similar passwords across multiple accounts often results in data breaches and account takeovers. In the information security industry, this is known as credential stuffing.
Credential stuffing is an attack where computer hackers will scour data breaches for usernames, e-mail addresses, and passwords, and then use that breached data to gain unauthorized access to your accounts.
You need to do more, and I’m here to tell you what you can do.
How to make your passwords more secure
Identify password reuse attacks by monitoring your e-mail address against data breaching goblins
If you are feeling curious, visit haveibeenpwned.com (it’s safe, I promise) and enter your e-mail address. This website will let you know if your accounts have been exposed during a public data breach. This site also has a notify section that lets you monitor your e-mail address. If your e-mail address later turns up in a data breach down the road, you’ll be notified, and you should promptly generate another strong password.
Treat yourself to a password manager to knock the cobwebs off your passwords
To stop the dangers of password reuse, a nifty piece of software called a password manager can help.
Simply put, a password manager is exactly as it sounds, a manager for your passwords. The idea is to create a virtual vault where you store all of your passwords and sensitive data. Access to that vault is granted only by entering a very strong, unique, and memorable master password.
Now you might be wondering: isn’t using a password manager sort of like putting all your candy in one pillowcase? After all, like candy, passwords are precious. If you’re like me, I treat my passwords like I enjoy my candy bars, all to myself and each bite more delicious and unique than the last.
Here are two excellent reasons why using a password manager is much safer and helps protect your online accounts and digital life:
1. You only have to remember one really strong password. That’s it.
In popular password managers like LastPass, KeePass, or 1Password, incredibly strong and unique passwords are generated for you. This not only protects your accounts from hackers trying to guess your password, but also from data breaches.
Remember, hackers don’t always need to steal your passwords from you. They can locate or generate passwords themselves and use your password against you or somewhere else you’ve used it.
2. A password manager with two-factor authentication provides an additional layer of security.
“All your candy in one pillowcase” is actually a self-imposed fallacy! In addition to using a password manager, you should also use two-factor authentication (2FA) for sensitive accounts and services like your corporate passwords, online bank accounts, primary e-mail, and social media accounts. 2FA is a way to provide additional verification for devices and accounts you treasure.
For example, when I log into my online bank account, I enter my username and password, after which I receive a text message with a 6-digit PIN from my bank. I then use that PIN as my secondary password to get access to my bank account. So even if a hacker somehow gets access to your password, they would not have access to the second form of authentication! 2FA can take different forms too, such as a text message, a hardware security token, or your second password can be generated with secure software.
Wrapping it up: Trick the hackers by not reusing passwords and use a password manager instead
Just as you wouldn’t relinquish all your Reese’s Cups or Snickers bars to a single trick-or-treater, you shouldn’t reuse all your passwords on a single website or online account. Employing the time-tested and bellyache preventive measures of ensuring that each trick-or-treater is only allowed one candy bar per unique costume, a password manager ensures that you only employ one unique password per online account.
If I haven’t convinced you to stop reusing passwords, use a password manager instead, and enable 2FA where possible, the following articles may nudge you in the right direction:
We just finished a few days with our friends at the Cybertech Midwest conference in Indianapolis. I try to visit as many information security conferences as I can each year—it’s one way my team keeps up with the latest research, learns about new attack scenarios, new tools, and understands the focal points of the community.
One of my favorite things about conferences like this is getting to hear from practitioners whose day-to-day work is notably different from my own. As a consultant, I spend more time in my clients’ worlds than my own, but that means I miss out on the experiences from industries and geographies where I don’t spend much time.
An area where this is especially true is state-level government here in the United States. We’ve spent time with city/county government, and other CBTS practices have done quite a bit at the state level, but our security practice doesn’t hang out there often, and as a result, I haven’t had a ton of exposure to the challenges and gaps that folks at the state level face.
So it was really exciting to hear from so many folks here that operate at that level – both CISOs and CIOs. What I heard was:
Traditional thinking and solutions aren’t effective enough anymore, and not just in terms of technology, but our thinking about solving security problems. Security folks end up very “siloed” as a function of being independent advisors . . . but we need to collaborate better with other teams in the business, for example folks with other areas of responsibility (legal, finance, HR, operations).
For some businesses, protecting data collected and used for analytics purposes can be as—or more—important than protecting financial or personal data, as it is the lifeblood of a lot of business operations. Make sure your data protection strategy covers that as well.
Business e-mail compromise (BEC) and fraud are still plaguing organizations large and small. At this point, if your business doesn’t operate using gift cards (which most do not), executives in the organization should pass the word to everyone: if you get a request to buy and provide pictures of gift cards to anyone with company money, it’s fake! Report it!
Going to a conference that doesn’t just focus on traditional enterprise security helps my team keep pace with the rest of the industry—and the rest of CBTS. We field every area of IT here, and clients of every stripe, and I best serve my clients and my colleagues when I can speak competently about their worlds as well as mine.
So let me ask you, the reader: where are you advancing your awareness of activities and trends in your field? You can read more about security services from CBTS.
Last year, Ohio’s General Assembly passed SB220, referred to as the Ohio Data Protection Act. This legislation takes an interesting approach to cybersecurity regulation. Instead of mandating that a specific set of security controls be implemented, this data breach safe harbor legislation offers an incentive for voluntary compliance with one of several industry-accepted standards.
In short, if your business has a documented formal security program that follows one of these standards, and if a lawsuit is brought against you for a breach of personal data, the data breach safe harbor law allows you to claim an affirmative defense.
A closer look at the data breach safe harbor law
If, like us, you’re not attorneys or legal scholars, some of that might have left you scratching your head. Our good friends at Dinsmore (they’re great lawyers) wrote up a great article on the subject. For the laymen among us, here’s what we think the data breach safe harbor legislation means:
Acme Company has a security program based on the NIST Cybersecurity Framework. They’ve documented and can demonstrate their compliance to each of the approximately 100 requirements of this framework.
Acme suffers a data breach – despite their strong defenses, an attacker is able to access and steal their customer database.
Acme customers whose data is stolen participate in a lawsuit against Acme, claiming negligence on Acme’s part that contributed to the loss of data.
Under the Data Protection Act, Acme can demonstrate compliance to the NIST CSF as a defense in the suit, and if they are successful, cannot be held completely liable.
Sounds pretty groovy, eh?
Law highlights industry-accepted standards
The idea of the data breach safe harbor legislation is to incentivize businesses to develop a security program, adopt a formal security standard as its base, and to actually follow it. The standards mentioned by name in the law’s language are the good ones, too:
And if you’re required to be compliant to PCI-DSS, the HIPAA Security rules, FISMA, HITECH, or GLBA, those count as well!
Effect of the law uncertain, but customers are intrigued
This is pretty appealing. Many companies have all been targeted in lawsuits by the victims of their data breaches and have had to pay millions of dollars as a result.
Here’s the thing. This data breach safe harbor legislation is new and hasn’t been tested. We don’t know who decides how much compliance is sufficient to actually warrant an “affirmative defense,” or how much impact it will have on the final decisions in these kinds of cases. What we do know is that our customers are intrigued and have been asking for help in determining where the gaps are in their security program, and how to address them.
CBTS helps you navigate the always-shifting security landscape
CBTS has been advising customers on building strong security programs since 2005. We’re well versed in the standards included as a part of this data breach safe harbor legislation – we talk to customers about them every day. There’s never been a better time to invest in developing this practice in your business – contact us today!
NOTE: We are engineers, not lawyers. This blog post does not constitute legal advice and should not be used as such. If you require legal advice, you should consult a qualified lawyer in your jurisdiction.
Innovative security tools at 2019 RSA Conference
This year’s RSA Conference (RSAC) was bigger than ever – and I don’t mean that in the rote sense of “more exciting! Action packed! Full of more interesting things to see and learn!” I mean it literally – the physical space used by the conference that promises to showcase new innovative security tools covered more square mileage, and what was there was more densely packed. Good thing I brought my walking shoes.
So, does more equal better? Feedback from our customers and peers points towards the negative.
RSA reflects the crowded security solution market
Simply put, the security solution space is overcrowded. It makes sense – protecting your business, data, and assets from online threats is more of a concern now than it’s ever been. And certainly the market has reacted as one would expect, by growing exponentially. Standing shoulder to shoulder, vendors clamor for your attention, nearly every one guaranteeing they’ve got innovative security tools that will provide the assurance you’re seeking.
CBTS offers guidelines to help evaluate innovative security tools
Our team is uniquely positioned in this market. Our role is not to make empty promises to customers, standing between them and cybercriminals with a cape and tights. On the contrary, our customers depend on us to separate the wheat from the chaff, as it were. Customers expect us to point them to the practices and technologies that can materially improve the maturity of their security program. It requires a trained eye, to be sure, to identify these innovative security tools.
So what does CBTS look for in an enormous expo hall like RSAC’s? How do we pick our winners?
Guideline 1: Show me that your solution works; don’t just tell me
Execution is critical. More than what you say you can do, I want to hear success stories from your customers. What did their deployment look like? What other solutions did it displace or complement? What kind of staff does it take to admin and use? What kind of risk did it mitigate, and how? What threats did it stop or detect that couldn’t have been found otherwise?
Guideline 2: Innovative security tools must follow standards
Following standards is a personal big-ticket item for me. I was quite pleased to see how many vendors have adopted the MITRE ATT&CK Framework as a taxonomy for describing which adversary tactics and techniques their products address. If a vendor starts off the conversation by telling me the CIS Top 20 control category in which they fit, or the NIST 800-53 requirements they satisfy, I’ll be smiling ear to ear.
Guideline 3: Be wary of solutions that promise to solve all of your problems
The vendor that under-promises and over-delivers is valuable in my book. Claims that a product can solve all my security problems, or detect and stop every zero-day exploit forever, will make me roll my eyes and move on. I want technology that solves very specific problems, tells me what it can do and what it cannot, and doesn’t try to boil the ocean. No product – no vendor alone, even – can satisfy every security need we have. Realism does the customer and the market a lot of good.
Guideline 4: It all comes down to innovation
Finally, innovation is at the top of my list. I look for technology used in truly new and interesting ways, and occasionally, I’ll find something new under the sun. Today anyone can cook up a fancy dashboard and an attractive, flashy UI. However, most of them are sitting atop the same approach as their conference floor neighbor. If I walk away from your booth and think, “huh, I’ve never seen anything like that before, and I think it could actually work!” that’s a healthy sign.
3 examples of innovative security tools
The SIEM space is a great example of a market segment where we’re starting to see more innovation. Here are three high-profile new offerings we saw announced around RSA:
Backstory, the new security analytics app from Chronicle, takes a new approach to log aggregation/correlation and incident investigation. Instead of presenting a simple table of log data from a structured query, analysts enter queries for common investigation-starting indicators – say, an IP address, username, or hostname. Backstory then provides a set of context-driven answers that give the analyst valuable insights immediately.
The demo of Azure Sentinel from Microsoft also caught my eye. While the investigation experience was much more reminiscent of a traditional SIEM, the UI presented an easy process to integrate event sources from Azure services, such as Azure SQL and Office 365, as well as sources from a variety of other network, server, and application platforms. An accessible, cloud-ready SIEM may be just what Azure customers are looking for.
Cisco’s Threat Response tool is similar – a “SIEM-like” interface that aggregates data from a variety of Cisco security products, such as Umbrella, AMP, and ThreatGrid. It also provides a really slick query/investigation interface to data from all of these tools.
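The indicator-driven investigation described for Backstory above, as an added Python sketch that is not Chronicle’s code: one function takes an IP address, username or hostname and, instead of returning a flat query result, summarises where that indicator appears across constructed DNS, proxy and authentication events and which other indicators co-occur with it. All events, hosts, users and addresses are constructed sample data.

```python
"""Indicator-centric pivot over aggregated logs (added illustration, not
Chronicle's Backstory code). An analyst supplies one indicator and gets back
the context that relates to it across several log sources."""
from collections import defaultdict

# Constructed sample events, already normalised into a common schema.
# Each event: (timestamp, source, host, user, ip, domain)
EVENTS = [
    ("2019-03-04T09:12:01Z", "dns",   "ws-17",  None,     None,           "update.example-cdn.net"),
    ("2019-03-04T09:12:02Z", "proxy", "ws-17",  "jdoe",   "203.0.113.10", "update.example-cdn.net"),
    ("2019-03-04T09:40:15Z", "auth",  "ws-17",  "jdoe",   None,           None),
    ("2019-03-04T10:02:44Z", "proxy", "ws-22",  "asmith", "203.0.113.10", "update.example-cdn.net"),
    ("2019-03-04T11:30:00Z", "auth",  "srv-db", "jdoe",   None,           None),
    ("2019-03-05T08:00:00Z", "dns",   "ws-22",  None,     None,           "intranet.corp.example"),
]

FIELDS = ("ts", "source", "host", "user", "ip", "domain")


def pivot(indicator: str, events=EVENTS) -> dict:
    """Return context for a single indicator: which sources saw it, first and
    last sighting, and the other indicators that co-occur in the same events."""
    related = defaultdict(set)   # field name -> set of co-occurring values
    sources = set()
    timestamps = []
    for ev in events:
        rec = dict(zip(FIELDS, ev))
        # Match the indicator against any pivotable field, not a fixed column.
        if indicator not in (rec["host"], rec["user"], rec["ip"], rec["domain"]):
            continue
        sources.add(rec["source"])
        timestamps.append(rec["ts"])
        for field in ("host", "user", "ip", "domain"):
            value = rec[field]
            if value and value != indicator:
                related[field].add(value)
    if not timestamps:
        return {"indicator": indicator, "hits": 0}
    timestamps.sort()   # ISO-8601 strings sort chronologically
    return {
        "indicator": indicator,
        "hits": len(timestamps),
        "first_seen": timestamps[0],
        "last_seen": timestamps[-1],
        "sources": sorted(sources),
        "related": {k: sorted(v) for k, v in related.items()},
    }
```

Each value in `related` is itself a valid next pivot, which is how an investigation walks from an address to the hosts that contacted it and on to the users logged in there.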
Most interesting, though, were the licensing models for these three products:
Backstory is not priced based on log volume or events per second – common models from nearly every major SIEM player in the market – but instead based on number of employees. As a SaaS product hosted by Google, this means that storage is elastic and customers can maintain a virtually endless archive of data.
Cisco’s Threat Response may be even more appealing. It is free for use by Cisco customers that use AMP for Endpoints, Umbrella, next-gen firewalls, and ThreatGrid.
Microsoft’s Azure Sentinel, in its current preview program, is also free of charge to Office 365 customers.
CBTS wants to hear from you
So the next time you’re elbowing through a mass of people in a conference hall with the swag flying left and right, keep these criteria in mind.