Saturday, June 29, 2019

The One Percent Doctrine: Prepared When Things Go Wrong...

"There is no avoiding the realities of the information age.  Its effects manifest differently in different sectors, but the drivers of speed and interdependence will impact us all.  Organizations that continue to use 20th-century tools in today's complex environment do so at their own peril."  --Stanley A. McChrystal

In David Suskind's book The One Percent Doctrine we are reminded that planners need to continue to focus on the 1%.  The "One Percent" doctrine holds that threats with even a 1% likelihood are to be treated as certainties.  How proactive are you and your organization?

Do you think you're spending too much time with your team planning and training? You aren't.

Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong.

The organizations whose teams have proactively planned for every possible scenario and trained together in live simulations will become the most resilient to uncertain change.

Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like, let alone know what to do next to mitigate the risk to them and the organization?

Even if Mr. Suskind's book is somewhat critical of the US Government, looking in our own corporate mirror of preparedness should be enough to get most executives rethinking their resource allocations in the current and future budget for planning, rehearsing and exercising for uncertain events:
Analysts at two security firms, Crowdstrike and Dragos, tell WIRED that they've seen a new campaign of targeted phishing emails sent to a variety of US targets last week from a hacker group known by the names APT33, Magnallium, or Refined Kitten and widely believed to be working in the service of the Iranian government. Dragos named the Department of Energy and US national labs as some of the half-dozen targeted organizations. A third security firm, FireEye, independently confirmed that it's seen a broad Iranian phishing campaign targeting both government agencies and private sector companies in the US and Europe, without naming APT33 specifically. None of the companies had any knowledge of successful intrusions.

Saturday, June 22, 2019

Cyber Risk: Human Factors vs. Automation...

Operational Risk Management (ORM) is a growing multi-faceted mosaic comprised of people, processes, systems and external events. The risks to the enterprise are increasing at a dynamic speed and trajectory that requires the use of automated tools.

This is where risk to the enterprise may actually expand as executives and operational management rely on software to provide information assurance. The design and architecture of software needs a human-based fail-safe. It requires a human interface that allows and simultaneously requires human intervention. Has too much automation contributed to our increased levels of vulnerability?

Fortunately, the software designs have allowed for these opportunities and for a human factor to ask "What if" questions, the ones that arise after an automated alert tells us that something is outside the baseline parameters set for the system, the sensor or the alarm.

Now we go back to Operational Risk and the nature of thinking from a security and safety perspective. What is the continued reliance on automated systems doing to the human capital who have been charged with the overall "Standard of Care" for the enterprise?

We believe that they may have lost the ability to ask the right questions, at the right moment and with the correct contextual understanding.

What is the truth? Is it true? What evidence do we have that this is true? How do you know that the evidence is not spoiled or compromised? If we know the truth, then what do we do next? Is the software really telling us the truth?

The security and the safety of the enterprise is counting on you. And more importantly, the enterprise is asking you to question the software. The "rule-sets" that you have chosen as a result of the programmers' and architects' decisions can no longer be trusted.

Is our system learning? In what capacity is the system learning in context with the human interaction for judgement, intuition and ethical emotions? Are you with us? The next generation of "Cyber Security" Innovators are now at the edge of significant new breakthroughs and solutions.

"Active Defense" has been and is a controversial topic du jour, yet the next few years will be a new age of understanding, cultural bifurcations and significant global collaboration.

Our entire platform of digital trust is at stake and the conversation has finally made its way to the nation state policy levels.

Operational Risk Management (ORM) will remain a key factor in decision points for the enterprise, the consumer and the operators of critical infrastructure across the globe.

Let's work on keeping the human factor in the loop as automation continues to give us a false sense of security and safety...

Saturday, June 15, 2019

Fatherhood: Reflecting on a Wondrous Journey...

After 31 years of experience as a Husband and a Father, the emotions are heartfelt this June 16th, 2019.  The eyes are moist, thinking of so many wonderful memories.  My Daughter and Son have a Dad who has been there for them, whenever they cried or whenever they called (texted).

Having a day of recognition as a Father is twofold, especially if your reflection is on the journey of marriage as being completely integrated.  Seeing the wonderful process of being a Dad, is completely enhanced when your life partner is there by your side, to share all that life together has to offer.

When you have the responsibility and the challenges of Fatherhood in front of you, the only context you have is your own childhood.  Father's Day is not just about anticipating the future; it is also about reflecting on your own past.  How are you the same as or different from your own Father?

You have the opportunity from day one as a Dad to be different and to be better.  You will lose sleep and you will ask yourself how to achieve all that you had growing up and so much more for your own kids.  Everyone has a Father, and you have a choice.

Are you capable of being a true partner with your wife to develop a wondrous team effort?  How will you work together to solve problems and provide all that a child requires in the first two decades of life?  And then that point in time arrives sooner than you wished: the day your child drives off alone for the first time in your automobile.

This is the point in time as a Father when you feel so helpless and at a loss of control as a parent.  Think back to the past 16 or so years at that point.  This is when prayer is even more of a refuge.

To my Daughter T. and Son C. on Father's Day.  I am so proud of both of you.  Thank you for being my kids who allow me to love them so much.  Thank you to my wife C. for finding me, understanding me and giving us such wonderful children...so much love to all!

Happy Father's Day 2019

Saturday, June 08, 2019

New Vision: Security Operations Center and CIU...

Flash back to over 8 years ago, when there was a convergence of thinking in the industry about the topic of a "Defensible Standard of Care."

The key Operational Risk Management news from the 2011 RSA Conference was coming in, yet there were inside sources who still needed to be interviewed. What did they think was the most brilliant presentation or idea(s) presented?

This particular release caught some eyes as it addressed much of the thinking on the latest evolution of the Security Operations Center (SOC).  How much of this is still relevant today:

New Vision for Security Operations: Six Core Elements
The vision includes six core elements and prescriptive guidance for how to incorporate these elements into existing security operations. These elements include:
  • Risk planning: The new SOC will take a more information-centric approach to security risk planning and invest in understanding which organizational assets are highly valuable and essential to protect. With priorities based on GRC policies, security teams need to conduct risk assessments that focus on the “crown jewels” of the enterprise.
  • Attack modeling: Understanding attack modeling in a complex environment requires determining which systems, people and processes have access to valuable information. Once the threat surface is modeled, organizations can then determine potential attack vectors and examine defense steps to isolate compromised access points efficiently and quickly. RSA® Laboratories has developed theoretical models based on known APT techniques and employed game theory principles to identify the most efficient means of severing an attack path and optimize defense costs.
  • Virtualized environments: Virtualization will be a core capability of tomorrow's SOC – delivering a range of security benefits. For example, organizations can "sandbox" e-mail, attachments and URLs suspected of harboring malware. Anything suspicious can be launched in an isolated hypervisor and the virtual machine can be cut off from the rest of the system.
  • Self-learning, predictive analysis: To remain relevant in tomorrow's IT environment, a SOC will need to truly integrate compliance monitoring and risk management. The system should continually monitor the environment to identify typical states which can then be applied to identify problematic patterns early. Statistic-based predictive modeling will be able to help correlate various alerts. Developing such a system will require real-time behavior analysis innovations, although some of these elements are available today.
  • Automated, risk-based decision systems: A key differentiator of a more intelligent SOC will be its ability to assess risks instantly and vary responses accordingly. Similar to risk-based authentication, the SOC will employ predictive analytics to find high-risk events and then automatically initiate remediation activities. The prospect of dynamic topography is one of the most exciting areas of this type of systems automation for the cloud. To implement an APT, an attacker must understand network mapping and be able to model it. In response to this, organizations can remap their entire network infrastructure to disrupt an attacker’s reconnaissance efforts. This is akin to physically rearranging a city at frequent intervals – and the entire process can be automated so that links between systems stay intact and dependencies are handled without human intervention.
  • Continual improvement through forensic analyses and community learning: Although forensic analysis can be resource-intensive, it is an imperative element of a SOC and key to mitigating the impact of subsequent attacks. Virtualized environments can provide snapshots of the IT environment at the time of the security event providing useful information if detection of the attack was delayed. Having a way to share information about attack patterns will be the future of the SOC. This concept should be embraced in order to exchange threat information within respective industries and better predict the path of the APT and thereby determine countermeasures.
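The "self-learning" element above boils down to learning what a typical state looks like and then scoring new events by how far they fall outside it. The script below is an added illustration of that idea for this post, not RSA's system or any product's code: it learns a per-user baseline of login hours and source /24 subnets from a training window of constructed, syslog-like authentication lines, then scores fresh events and flags those that exceed a threshold. The log format, user names, addresses and scoring weights are all assumptions made for the example.

```python
"""Baseline-driven anomaly scoring over authentication events.

Added example for the "self-learning, predictive analysis" SOC element.
Everything here (log format, users, addresses, weights) is constructed
for illustration; it is not RSA's or any vendor's implementation.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed line shape: "<iso-timestamp> auth: user=<u> src=<ipv4> result=<r>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\w+) src=(?P<src>[\d.]+) result=(?P<result>\w+)$"
)

# Constructed training window: what "normal" looked like for two users.
BASELINE_LOG = """\
2019-06-03T08:12:01 auth: user=alice src=10.1.4.22 result=success
2019-06-03T09:05:44 auth: user=alice src=10.1.4.22 result=success
2019-06-04T08:30:10 auth: user=alice src=10.1.4.23 result=success
2019-06-05T17:45:09 auth: user=alice src=10.1.4.22 result=success
2019-06-03T07:58:33 auth: user=bob src=10.1.9.8 result=success
2019-06-04T08:02:15 auth: user=bob src=10.1.9.8 result=success
2019-06-05T18:20:41 auth: user=bob src=10.1.9.9 result=success
"""

# Constructed new events to score against the learned baseline.
NEW_EVENTS = """\
2019-06-10T08:20:00 auth: user=alice src=10.1.4.22 result=success
2019-06-10T03:14:07 auth: user=alice src=203.0.113.77 result=success
2019-06-10T03:15:12 auth: user=alice src=203.0.113.77 result=failure
2019-06-10T12:00:00 auth: user=carol src=10.1.7.3 result=success
"""


@dataclass
class Event:
    ts: datetime
    user: str
    src: ipaddress.IPv4Address
    result: str


@dataclass
class UserBaseline:
    hours: Counter = field(default_factory=Counter)    # hour of day -> count
    subnets: Counter = field(default_factory=Counter)  # /24 network -> count
    total: int = 0


def parse_events(text: str) -> list[Event]:
    """Parse lines in the constructed format; silently skip anything else."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["user"],
                            ipaddress.ip_address(m["src"]), m["result"]))
    return events


def subnet_of(addr: ipaddress.IPv4Address) -> str:
    """Collapse a source address to its /24 so small DHCP churn stays 'normal'."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def learn_baseline(events: list[Event]) -> dict[str, UserBaseline]:
    """Learn the typical state per user from successful logins only."""
    baseline: dict[str, UserBaseline] = defaultdict(UserBaseline)
    for e in events:
        if e.result != "success":
            continue  # failures do not define what normal looks like
        b = baseline[e.user]
        b.hours[e.ts.hour] += 1
        b.subnets[subnet_of(e.src)] += 1
        b.total += 1
    return dict(baseline)


def score_event(e: Event, baseline: dict[str, UserBaseline]) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score is further from the baseline."""
    b = baseline.get(e.user)
    if b is None:
        return 3, ["no baseline for user"]  # unseen account: review by default
    score, reasons = 0, []
    # Treat +/- one hour around any learned hour as still normal.
    if not any(abs(e.ts.hour - h) <= 1 for h in b.hours):
        score += 2
        reasons.append(f"hour {e.ts.hour:02d} outside learned window")
    sn = subnet_of(e.src)
    if sn not in b.subnets:
        score += 2
        reasons.append(f"source {sn} never seen for user")
    if e.result != "success":
        score += 1
        reasons.append("authentication failure")
    return score, reasons


def flag_anomalies(events, baseline, threshold: int = 3):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    flagged = []
    for e in events:
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            flagged.append((e, score, reasons))
    return flagged


if __name__ == "__main__":
    base = learn_baseline(parse_events(BASELINE_LOG))
    for e, score, reasons in flag_anomalies(parse_events(NEW_EVENTS), base):
        print(f"{e.ts.isoformat()} {e.user:<6} {e.src!s:<15} score={score} {'; '.join(reasons)}")
```

Run as a script it prints the three events that deviate from the learned state (an off-hours login from an unseen subnet, the failure that follows it, and a user with no history), while the routine morning login for alice scores zero. The point of the design is that the "normal" states are learned from the data rather than written by hand, which is what lets the same code keep up as the environment changes; the weights and threshold are the part a SOC would tune against its own false-positive budget.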
The evolution of the SOC in your enterprise may start in some unconventional places. Who is it in your organization that is responsible for the loss of corporate assets?

Who in your company is the one who determines what items are counted as losses to the bottom line?

Who does the enterprise look to when the crisis hits and people are looking for answers in minutes, not hours, or days?

Who picks up the phone to answer the call from the local FBI Field Office?

These may not be the people you think of in the CIO's office or IT department. These people however need to be part of the combined Security Operations Center solution in the company.

The Advanced Persistent Threat (APT) now requires the intersection of prudent strategy from the business leadership, the accounting or finance leadership and the risk management leadership.

If the CIO is looked upon as the key executive running a "Utility" inside the enterprise, think again.

This blog has discussed the "Corporate Intelligence Unit" in years past :

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU. It includes effective processes and procedures that provide a push/pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners, increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistle blower report, catch the attacker and/or they have the evidence that you were a victim.
How your organization pulls together the right people to staff and operate your "CIU" is going to depend on your culture, funding and current state of the threat.

BALTIMORE -
It has been a month since the City of Baltimore's networks were brought to a standstill by ransomware. On Tuesday, Mayor Bernard "Jack" Young and his cabinet briefed press on the status of the cleanup, which the city's director of finance has estimated will cost Baltimore $10 million—not including $8 million lost because of deferred or lost revenue while the city was unable to process payments. The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds.

Here is another thought. A thorough review of the current funding, staffing and strategy of a SOC or CIU in the enterprise may even become a priority at the next "Board of Directors" meeting.

Saturday, June 01, 2019

Trust Decisions: Never Stop Questioning...

"Learn from yesterday, live for today, hope for tomorrow.  The important thing is not to stop questioning."  --Albert Einstein

What sources are influencing your "Trust Decisions" today?

The front page of the "Washington Post."  The e-mail from a parent.  The text message from a loved one.  A phone call from your commander or a work supervisor.

What does your future look like next week?  Next month.  Or next year.  You might think you have it all planned out and on your calendar.  Or maybe you have not even thought about it yet.

Which person are you?

One certainty is that you will experience the unexpected and will simultaneously be required to adapt, to adjust and to be agile, in order to respond to the changes in your day, your plan and your life.

As a true leader in your business, in your agency, in your tribe or in your family, is there anyone you know who asks questions all the time?  Here is a question.  Why does this bother you?

How will you achieve your latest objectives?  Most likely because you have a continuous passion for asking questions.  Then you truly listen.  You take the time to think.  You now make your "Trust Decisions" to act.

Albert Einstein was correct...