Author Archives: Jon Oltsik
Author Archives: Jon Oltsik
CISOs tend to spend the bulk of their cybersecurity technology budgets on endpoint, server, and network security controls. Okay, this makes sense from a historical perspective but these IT assets are in a state of flux today. Endpoints are often mobile devices rather than Windows PCs while servers are virtual or cloud-based workloads. Meanwhile, networks are also moving to a virtual model composed of public and private network segments.It’s clear that organizations embracing new cloud and mobile infrastructure have less control of some IT assets than they did in the past. What does this mean for security? One CISO I spoke with a while ago gave me a very succinct answer to this question: “As I lose control over IT infrastructure, I better make sure I have tight control over two other areas – sensitive data and user identity.” In this security executive’s mind, data security and identity and access management (IAM) are rapidly becoming new security perimeters.To read this article in full or to leave a comment, please click here
It’s become a cliché in the industry to say that cybersecurity has become a board room-level issue but what evidence do we have to support this claim? Well, here are a few tidbits from some recent ESG research that certainly lend credibility to the business-driven cybersecurity thesis (note: I am an ESG employee): When asked to identify business initiatives that are driving IT spending, 43% of respondents said, “increasing cybersecurity.” This was the top business initiative selected followed by “reducing costs” (38%), “improving data analytics for real-time business intelligence” (32%), and “ensuring regulatory compliance” (27%). On a similar vein, survey respondents were asked to identify the most important IT “meta-trend” to their organization. Forty-two percent of respondents selected, “increasing cybersecurity.” The next most popular response, “using data analytics for real-time business intelligence,” came in at 17%. 69% of organizations are increasing their spending on cybersecurity in 2016. These budget increases are being approved by business managers who are now willing to spend more money to improve cybersecurity at their organizations. As if the ESG data wasn’t enough, we also know that cyber-insurance policies grew by about 35% last year. So aside from increasing Continue reading
Look at any industry data and you’ll see a consistent trend – the march toward cloud computing continues to gain momentum. According to ESG research, 75% of organizations are currently using public cloud services (note: I am an ESG employee). This is dominated by the use of SaaS today but ESG research reveals that 38% of organizations use IaaS while 33% use PaaS. The research also indicates that these numbers will continue to increase in the future.Now before you short HP and double-down on AWS, there is also a potential fly in the ointment – the global cybersecurity skills shortage. ESG research indicates that 46% of organizations say that they have a “problematic shortage” of cybersecurity skills in 2016, up from 28% last year. ESG also asked survey respondents to identify the area where they have the biggest cybersecurity skills shortage. Not surprisingly, 33% say that their biggest deficiency was cloud security specialists, followed by 28% who pointed to a deficiency with network security specialists, and 27% who have a shortage of security analysts – pretty scary stuff when you think about cloud security defense along with incident detection and response for cloud-based cyber-threats. Continue reading
Manual processes represent a major incident response bottleneck at enterprise organizations. Here are a few alarming data points from some recent ESG research (note: I am an ESG employee):1. 27% of enterprise organizations (i.e. those with more than 1,000 employees) spend at least 50% of their incident response time on manual processes like filling out paper work, finding a particular person, physically viewing multiple security management tools, etc.2. 93% of organizations believe that their incident response efficiency and effectiveness is limited by the time and effort required for manual processes.As if this wasn’t bad enough, IR process issues are exacerbated by a few other challenges:To read this article in full or to leave a comment, please click here
It’s been a week since my last meetings at RSA and I’m already thinking about travel plans and agendas for Infosec Europe and Black Hat. Before closing the book on RSA 2016 however, I have a few final thoughts about the industry and cybersecurity professional community.1. It’s time to go beyond product categorization. The technology industry has product categorization down to a science – we organize around products, budget for products, and make purchasing decisions on each individual product category. Heck, my friends at Gartner and NSS Labs have built lucrative businesses around testing products and rating products via magic quadrants. To read this article in full or to leave a comment, please click here
Just a week to go before the biggest cybersecurity event of the year, the RSA Security Conference in San Francisco. Building upon industry momentum and the dangerous threat landscape, I expect a record-breaking crowd from the Moscone Center to Union Square.What will be the focus on this year’s event? Well it should be the global cybersecurity skills shortage which continues to get worse each year. According to ESG research, 46% of organizations claim that they have a “problematic shortage” of cybersecurity skills, up for 28% last year (note: I am an ESG employee). In my humble opinion, the cybersecurity skills shortage has become a national security issue demanding a more comprehensive strategy. Here’s an article I recently wrote with more details on this topic. To read this article in full or to leave a comment, please click here
In the early 1900s, Henry Ford was intent on making the Model T an affordable car for the masses. To do so, he had to figure out a way to vastly improve the company’s manufacturing efficiency in order to reduce consumer prices. Ford solved this problem by adopting a modern manufacturing assembly line based upon four principles: interchangeable parts, continuous flow, division of labor, and reducing wasted efforts. While incident response is a bit different from automobile manufacturing, I believe that CISOs should assess their IR processes and take Ford’s four principles to heart. Here’s how I translate each one for IR purposes: Interchangeable parts. In Ford’s world, interchangeable parts meant that components like steering wheels and bumpers could be used to assemble all types of cars and thus keep the line moving. In IR, interchangeable parts mean that all detection tools should be based on published APIs so that each one can interoperate with all others. It also means embracing standards like STIX and TAXII for threat intelligence exchange so data can be easily consumed or shared. Finally, interchangeable IR parts calls for the creation and adoption of cybersecurity middleware that acts as a higher-level abstraction layer for Continue reading
According to ESG research, 75% of organizations use public cloud services of one kind or another today (note: I am an ESG employee). A majority (65%) use SaaS, 38% use IaaS, and 33% use PaaS. In terms of IaaS, Amazon Web Services (AWS) is still the king of the hill but many large enterprises are implementing or kicking the tires on alternatives. Microsoft is pushing clients with enterprise client access licenses (ECAL) toward Office365 and Azure, IBM is winning SoftLayer deals with large customers, and Google Cloud Platform is gaining traction in the life sciences industry.With all of this cloud momentum, we see a new compute model evolving that ESG calls heterogeneous multi-dimensional cloud infrastructure. Simply stated, heterogeneous multi-dimensional cloud infrastructure is sort of a hybrid cloud on steroids where enterprises have a little bit of everything – AWS, Azure, OpenStack, SoftLayers, VMware, etc., on-premise and in the public cloud.To read this article in full or to leave a comment, please click here
Just five weeks into 2016 and it’s already been a busy year for the cybersecurity industry. Here are just a few highlights so far:FireEye goes on a shopping spree. Ignoring Wall Street’s trepidation, FireEye continues to remain aggressive on the acquisition front by grabbing iSight Partners and Invotas. With the addition of these two companies, FireEye can claim leadership in: Threat intelligence. FireEye/Mandiant was already strong in this area and with the addition of iSight, FireEye becomes the instant market leader. FireEye already had a different view of threat intelligence, pivoting from cyber-adversaries (i.e. threat actors, TTPs, etc.) into the enterprise. With this perspective, FireEye believes it can help customers anticipate attacks and become more proactive with prevention, detection, and response. By adding iSight, FireEye attains a broader view of the threat landscape that can be integrated into its products and used to create a variety of threat intelligence services for enterprise and mid-market customers. Oh, and let’s not forget that FireEye picks up a few hundred cybersecurity experts in the deal which is especially important given the acute global cybersecurity skills shortage. This will certainly boost FireEye’s Continue reading
My colleague Doug Cahill and I are knee deep into a research project on next-generation endpoint security. As part of this project, we are relying on real-world experience so we’ve interviewed dozens of cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) who have already deployed new types of endpoint security software.Now all of the organizations we interviewed are already running antivirus tools but day-to-day responsibilities are often delegated to an IT operations team rather than the infosec staff. So organizations are at somewhat of a disadvantage because they delegated it to an IT generalist team. Still, many of the organizations we’ve interviewed have turned on all of their AV’s advanced features and are still being compromised.To read this article in full or to leave a comment, please click here
Anyone familiar with identity management knows that it can be extremely messy – lots of tactical tools, access policies, multiple data repositories, manual processes, etc. Furthermore, user authentication continues to be anchored by user names and passwords making nearly every organization vulnerable to credentials harvesting, identity theft, and cyber attacks.These persistent IAM problems remain, even though identity management is becoming a bigger component of enterprise security. This is true because, as organizations embrace cloud and mobile computing, they lose some control over their IT infrastructure. As one CISO mentioned to me, “when we lose control in some areas we need to get better control over others as compensating controls.” To read this article in full or to leave a comment, please click here
In 2012, I did an extension research project on big data security analytics. My thesis was that big data tools like Hadoop, Mahout, MapReduce, and Pig would greatly enhance in-depth historical cybersecurity investigations beyond anything provided by SIEM tools. In retrospect, I believe my assumptions were correct, but the market remains in an early stage of development even today. While general use of big data security analytics is still in its genesis phase, there appears to be an increasingly popular use case in cybersecurity: User Behavior Analytics (UBA). UBA is roughly defined as the analysis of all activities related to individual users, covering devices, processes, applications, network sessions, and data consumed and utilized. UBA builds a data analytics model where all log files, endpoint and network forensics, authentication requests, and data access actions are aligned with individual users themselves. To read this article in full or to leave a comment, please click here
Depending upon whom you believe, there are roughly 800 to 1200 companies selling cybersecurity products and services to end customers. Yes, the cybersecurity market is forecast to be around $70 billion this year, but that’s still a lot of vendors.Now, there are point product specialists, managed services firms, and enterprise security vendors all competing for the same dollars. So how can any company stand out from the crowd? In my opinion, each security vendor must determine where its products and service fit among four distinct buyer types: Security-centric buyers. This traditional security buyer evaluates and purchases security products and services based upon discrete needs and budgets. As such, security-centric buyers tend to look for best-of-breed products from vendors with strong cybersecurity experience. Startups with strong cybersecurity chops are welcome to this club but purchasers also maintain a “rip-and-replace” mentality rather than any type of long-term allegiance. Vendors like Bit9 + Carbon Black, Cylance, Check Point, FireEye, Fortinet, Palo Alto Networks, Symantec, and Trend Micro come to mind here. Note that security-centric buyers will have some role to play in EVERY cybersecurity product and services deal. IT infrastructure-centric buyer. In most cases, IT infrastructure vendors extend their reach into security Continue reading
Remember advanced persistent threats (APTs)? This term originated within the United States Air Force around 2006. In my opinion, it gained more widespread recognition after the Google “Operation Aurora” data breach first disclosed in 2010. This cyber-attack is attributed to groups associated with China’s People’s Liberation Army and impacted organizations like Adobe Systems, Juniper Networks, Northrop Grumman, Symantec, and Yahoo in addition to Google.APT visibility got another boost in 2013 when Mandiant released its now famous APT1 report documenting several cyber-attacks emanating from a PLA group known as Unit 61398.To read this article in full or to leave a comment, please click here
I’ve been focused on security analytics for several years and spent a good part of 2015 investigating technologies and methodologies used for incident response. Based upon lots of discussions with cybersecurity professionals and a review of industry research, I’ve come up with a concept I call the incident response “fab five.” Enterprise organizations with the most efficient and effective incident detection and response, tend to establish best practice and synchronization in 5 distinct areas: Host monitoring. This centers on understanding the state and activities of host computers. Host monitoring tends to concentrate on Windows PCs, but may also include oversight of Macs, Linux, servers, and even cloud-based workloads. Historically, host monitoring was based upon log collection and analysis but SOC managers are also embracing open source EDR tools (i.e. GRR, MIG, etc.) as well as commercial forensic offerings (i.e. Carbon Black, Countertack, Hexis Cyber Solutions, Guidance Software EnCase, RSA Ecat, Tanium, etc.). The trend is toward collecting, processing, and analyzing more host forensic data in real-time. Network monitoring. Beyond network logs, I see leading-edge organizations collecting and analyzing a combination of flow and PCAP data. Think of technologies Continue reading
I’ve been writing about the cybersecurity skills shortage for many years and, unfortunately, things seem to be getting worse. Here are a few data points: According to ESG research, 28% of organizations claim that they have a “problematic shortage” of IT security skills (disclosure: I am an ESG employee). Job market analytics vendor Burning Glass states that cybersecurity job postings grew 74% from 2007 to 2013, more than twice the growth rate of all IT jobs. Prospective employers posted more than 50,000 jobs requesting Certified Information Systems Security Professional (CISSP) certification. Unfortunately, there are only about 65,000 CISSPs in the world, and many are gainfully employed. ISC2, the organization that certifies CISSPs believes that there will be a deficit of 1.5 million cybersecurity professionals by 2020. The UK House of Lords is even more bearish, predicting a shortage of 2 million cybersecurity professionals by 2017. A 2015 report from the Information Systems Audit and Control Association (ISACA) states that 86% of business and IT professionals globally believe there is a shortage of cyber security professionals. In this case, perception is reality. A Raytheon/National Cyber Security Alliance report indicates that 64% of high school Continue reading
I’m a bit reluctant to blog about 2016 cybersecurity predictions as it seems like everyone is getting into this act. Alas, this end-of-year tradition used to be the exclusive domain of the analyst community and a few industry beacons but now it seems like every security tools vendor in the world is reaching out to me to tell me what they see in their crystal ball. So with some hesitancy, here are a few of the things I expect to see after the proverbial ball drops (in no particular order):1. Greater focus on cyber supply chain security. Enterprise CISOs realize that strong cybersecurity extends beyond the corporate LAN and that cyber-attacks and data breaches could easily start with third parties with access to the network. The OPM and Target breaches are two examples where cyber-adversaries simply compromised trusted business partners and used them as a beachhead to penetrate their targets. At the same time, we’ve seen in increase in malware hiding in firmware, system BIOS, device drivers, etc., so servers, routers, storage devices, and network appliances could all introduce malicious code into an otherwise pristine environment. I expect CISOs to extend Continue reading
Cybersecurity professionals often complain about the number of disparate tools they’ve deployed on their networks. Ask any enterprise CISOs and he or she will come up with a list of around 60 to 80 various security tools from a myriad of distinct vendors.This has become a nagging problem as an enterprise cybersecurity architecture based upon point tools can’t scale and requires way too much operational overhead to maintain. Thus, CISOs are moving in another direction – a tightly-coupled cybersecurity technology architecture based upon software integration.I’ve been following this transition for years and always thought it would look something like the departmental application to ERP migration of the 1990s. Oracle, SAP, and lots of professional services built an interoperable software infrastructure connecting applications across the enterprise and soon dominated the market. This is happening in cybersecurity to some extent as ecosystems form around the biggest vendors like Blue Coat, Cisco, IBM, Intel Security, Raytheon, Splunk, Symantec, and Trend Micro. To read this article in full or to leave a comment, please click here
I had the pleasure of attending a presentation given by Dr. Ron Ross, a fellow at the National Institute of Standards and Technology (NIST). Ron’s areas of specialization include information security, risk management, and systems security engineering.In his presentation, Dr. Ross delivered a bit of a counterintuitive message on cybersecurity by stating, "We have to stop obsessing about threats and start focusing on asset protection." To drive home this point, Dr. Ross added, "If 90% of our bridges were failing, we’d mobilize teams of engineers right away. Yet when 90% of our IT systems are insecure, we focus a good part of our attention on external threats."To read this article in full or to leave a comment, please click here
Cybersecurity and IT professionals would be wise to review the findings of the 9/11 Commission report published in 2004. The report provides a comprehensive analysis of events surrounding the attacks and points to a number of systemic problems in several areas: Management. “The missed opportunities to thwart the 9/11 plot were symptoms of a broader inability to adapt the way government manages problems to the new challenges of the twenty-first century… Management should have ensured that information was shared and duties were clearly assigned across agencies, and across the foreign-domestic divide.” The chain of command. “At more senior levels, communication was poor. Senior military and FAA leaders had no effective communication with each other. The chain of command did not function well.” Emergency response. “Effective decision making in New York was hampered by problems in command and control and in internal communications. Within the Fire Department of New York, this was true for several reasons: the magnitude of the incident was unforeseen; commanders had difficulty communicating with their units; more units were actually dispatched than were ordered by the chiefs; some units self-dispatched; and once units arrived at the World Trade Center, they were neither comprehensively accounted for Continue reading