Author Archives: Jon Oltsik
All this year I’ve been researching the burgeoning cyber insurance market. Admittedly, this is a bit of a detour from covering endpoint security, network security, and security analytics, but cyber insurance is becoming an increasingly important puzzle piece in any organization’s risk mitigation strategy, so it’s worth paying attention to. Given all of the highly visible data breaches over the past few years, it shouldn’t be surprising that cyber insurance is on fire. Between 30% and 40% of companies have some type of cyber insurance today, and the market is growing at 35% or more on an annual basis. It is estimated that the U.S. market for cyber insurance is around $2.5 billion today, with about 50 insurance companies competing for business. PwC estimates that this market will grow to over $7.5 billion by 2020.
One of the fundamental best practices of cyber supply chain security is IT vendor risk management. When organizations purchase and deploy application software, routers, servers, and storage devices, they are in essence placing their trust in the IT vendors that develop and sell these products. Unfortunately, this trust can be misplaced. Some IT vendors (especially startups) focus on features and functionality rather than security when they develop products, resulting in buggy, vulnerable products. In other cases, hardware vendors unknowingly build systems using malicious components sourced through their own supply chain. IT products are also often purchased through global networks of third-party distributors that have ample opportunity to turn innocent IT products into malicious confederates for cybercrime.
I've been following cybersecurity legislation for a number of years, including all the proceedings with the Cybersecurity Information Sharing Act (CISA). After much deliberation, I believe that CISA remains fundamentally flawed and needs a lot more work before it becomes the law of the land. To be clear, I understand and support the basic objective CISA seeks to promote. Real-time threat intelligence sharing and analysis could help public and private sector organizations respond to emerging cyber-threats earlier, mitigating risk and/or minimizing the potential damages associated with devastating data breaches (e.g., Anthem, OPM, Sony Pictures, Target).
While last week’s Dell/EMC merger was certainly a blockbuster, nothing specific was mentioned about future plans for RSA Security. Michael Dell did say that there were a “number of discussions about security” during the negotiations but apparently, no concrete plans. Infosec reporters have lobbed phone calls into Round Rock, Texas as well as Bedford and Hopkinton, MA looking for more details, but Dell and EMC officials haven’t responded.

Based upon a week of vague responses, it’s safe to assume that there is no master plan for RSA at this time. While we in the cybersecurity world have a nostalgic bond with RSA, it really is small potatoes as part of this mega-deal in the IT space. Nevertheless, RSA is a marquee $1B+ brand-name company in the red-hot cybersecurity space, so there is certainly value to be had.
Some tech companies are always associated with their first acts. Dell just acquired my first employer, EMC Corporation, in order to expand its enterprise portfolio, yet the company will always be linked with personal computers and its founder’s dorm room. F5 has become a nexus that brings together networks and applications but will always retain the moniker of a load balancing company. Bit9 has established itself as a major next-generation endpoint player, yet some people can only think of its original focus on application whitelisting.

In my opinion, FireEye shares a similar limited reputation, as many security professionals equate the company with a single cybersecurity technology, network “sandboxing,” in spite of its acquisitions, progress, and diversification. This perception seems especially true on Wall Street, where financial analysts continue to judge FireEye based upon the number of competitive vendors who offer network sandboxes of their own.
When the term “critical infrastructure” is mentioned in conversation, thoughts immediately turn to things like electrical power plants, oil and gas pipelines, food, water, etc. You know, the foundational services of modern life that we all take for granted. These are the same industries that former Defense Secretary Leon Panetta was referring to when he warned of the possibility of a “cyber-Pearl Harbor” back in 2012. Panetta stated: “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical (railroad) switches…they could derail passenger trains or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shut down the power grid across large parts of the country.”
Future Crimes by Marc Goodman details the dark side of technology, examining how new technologies are used and abused for criminal purposes. In just under 400 pages, Goodman provides some basic historical background on computer security and then guides the reader through a cybercrime journey spanning consumer, industrial, medical, and various other technologies.

Fair warning to prospective readers: the story isn’t pretty. The author starts with a wake-up call about data privacy and how a plethora of companies like Facebook, Google, and OkCupid, and the $150 billion data broker industry, regularly collect, sell, and abuse user data. Future Crimes also explores the current derelict world of cyber peeping toms, bullies, revenge porn, and extortion. While these crimes are already rampant today, Goodman theorizes that things will get worse with the proliferation of surveillance cameras, geo-location services, RFID tags, and wireless networking technology. The point is crystal clear: each technology innovation increases the attack surface, and cybercriminals are only too happy to exploit it for profit.
As the old cybersecurity adage states, ‘the cybersecurity chain is only as strong as its weakest link.’ Smart CISOs also understand that the proverbial weak link may actually be out of their control. U.S. retailer Target certainly experienced this lack of cybersecurity control in 2013. The now infamous Target data breach that exposed the personal information of 110 million people began with a spear phishing attack on one of the company’s HVAC contractors, Fazio Mechanical of Sharpsburg, PA. Cyber-criminals compromised a Fazio Mechanical system, used the contractor’s credentials to gain access to Target’s network, and proceeded to wreak havoc on Target’s data, customers, and reputation.
When it comes to threat intelligence, there seem to be two primary focus areas in play: the threat intelligence data itself and the legislative rhetoric around threat intelligence sharing (e.g., CISA, CISPA). What’s missing? The answer to a basic question: How do organizations get actual value out of threat intelligence data and threat intelligence sharing in a meaningful way?

As it turns out, the answer to this question isn’t obvious, and many enterprises continue to struggle as they seek to “operationalize” threat intelligence. In a recently published ESG research report titled Threat Intelligence and Its Role Within Enterprise Cybersecurity Practices, ESG surveyed 304 cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) and asked them to rate themselves in terms of their ability to operationalize threat intelligence (note: I am an ESG employee). The data indicates:
Little known fact: Yesterday was the 30th anniversary of Bob Ballard’s discovery of the RMS Titanic, several hundred miles off the coast of Newfoundland, Canada. I’ve recently done some research into the ship, its builders, and its ultimate fate, and believe that lessons learned from Titanic may be useful for the cybersecurity community at large. The Titanic tragedy teaches us about:

The dangers of technology hubris. The Titanic was designed with the latest technology of the time to withstand severe storms in the North Atlantic. Because of this, the shipbuilders at Harland and Wolff decided to market the ship as “unsinkable.” Likewise, our industry has an absolute love affair with technology. I’m constantly briefed on the latest and greatest prevention or detection engine designed to withstand anything hackers can throw at it. Like the “unsinkable” Titanic, this is nothing but hot air. Bad guys will find ways around all of our defenses over time. Strong security demands people, process, and technology, so the industry love affair with technology alone is counterproductive and leaves us susceptible to a sea of cybersecurity icebergs.

The need for organizational coordination. There were two inquiries into the Titanic disaster, one in the U.S.
Enterprise organizations are actively consuming external threat intelligence, purchasing additional threat intelligence feeds, and sharing internally-derived threat intelligence with small circles of trusted third parties. Based upon these trends, it certainly seems like the threat intelligence market is well-established, but in this case appearances are far from reality.

In my humble opinion, threat intelligence consumption and sharing is extremely immature today, with the market divided between a few haves (i.e. large banks, defense contractors, large IT vendors, intelligence agencies) and a large majority of have-nots: everyone else.

This immaturity is illustrated by some recent ESG research (note: I am an ESG employee). A panel of cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) were asked to identify weaknesses associated with their firm’s threat intelligence consumption and sharing programs. The data indicates:
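Both of the threat intelligence posts above ask what “operationalizing” a feed actually looks like. The script below is an added example (mine, not the author’s or ESG’s) of the minimum mechanics involved: load indicators with confidence and an expiry, drop stale ones, match the active set against endpoint/proxy log lines, and combine the confidence of corroborating hits into a single score. The feed entries, log format, and the name `EXAMPLE_NOW` are all constructed for illustration; a real deployment would replace the inline list with a STIX/TAXII or CSV parser and feed the hits to a SIEM or ticketing system.

```python
"""Operationalizing a threat-intelligence feed (constructed example).

Indicators carry a confidence and a time-to-live; expired indicators are
ignored so that old infrastructure does not keep generating false alarms.
Log and feed formats are hypothetical simplifications.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Indicator:
    kind: str            # "domain", "ip", or "sha256"
    value: str
    confidence: int      # 0-100, as supplied by the feed
    first_seen: datetime
    ttl: timedelta       # how long the indicator stays actionable

    def is_active(self, now: datetime) -> bool:
        return now < self.first_seen + self.ttl


# Constructed feed entries (hypothetical domains/IPs/hashes).
FEED = [
    Indicator("domain", "update-check.example.net", 90, datetime(2015, 9, 1), timedelta(days=90)),
    Indicator("ip", "203.0.113.45", 60, datetime(2015, 9, 20), timedelta(days=30)),
    # Old file hash: first seen in June with a 30-day TTL, so stale by October.
    Indicator("sha256", "a" * 64, 95, datetime(2015, 6, 1), timedelta(days=30)),
]

# Constructed proxy log lines:
# "<timestamp> <src_ip> <dst_host> <dst_ip> <sha256 of downloaded file or '-'>"
LOGS = [
    "2015-10-05T10:00:01 10.0.0.5 www.example.com 198.51.100.7 -",
    "2015-10-05T10:01:12 10.0.0.5 update-check.example.net 203.0.113.45 -",
    "2015-10-05T10:02:30 10.0.0.9 cdn.example.org 198.51.100.9 " + "a" * 64,
]

# "Current" time for the example, so the expiry logic is deterministic.
EXAMPLE_NOW = datetime(2015, 10, 5)


def index_feed(feed, now):
    """Return a lookup of active indicators keyed by (kind, value)."""
    return {(i.kind, i.value): i for i in feed if i.is_active(now)}


def match_logs(logs, feed, now):
    """Return a list of (log_line, [matched indicators]) for lines that touch
    at least one active indicator."""
    idx = index_feed(feed, now)
    hits = []
    for line in logs:
        _ts, _src, host, dst_ip, sha = line.split()
        matched = []
        for key in (("domain", host), ("ip", dst_ip), ("sha256", sha)):
            ind = idx.get(key)
            if ind is not None:
                matched.append(ind)
        if matched:
            hits.append((line, matched))
    return hits


def score(matched):
    """Combine confidences as 1 - prod(1 - c_i): independent corroborating
    hits raise the score instead of just taking the maximum."""
    p_miss = 1.0
    for ind in matched:
        p_miss *= 1 - ind.confidence / 100
    return round((1 - p_miss) * 100)


if __name__ == "__main__":
    for line, matched in match_logs(LOGS, FEED, EXAMPLE_NOW):
        kinds = ", ".join(f"{i.kind}={i.value}" for i in matched)
        print(f"score={score(matched):3d}  {line}\n    matched: {kinds}")
```

Two things the example shows that the survey numbers do not: the stale hash never fires even though the sample log contains it, and the second line scores 96 rather than 90 because the domain and IP indicators corroborate each other.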
I first met cybersecurity veteran Rick Howard when he joined Palo Alto Networks as Chief Security Officer. During our discussion, Rick mentioned an idea he was promoting for a cybersecurity canon: a list of must-read books for all cybersecurity practitioners -- be they from industry, government or academia -- where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and that, if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete.

Rick’s notion of a cybersecurity canon hit home for a few reasons. I am an avid reader of cybersecurity books and am usually reading or re-reading something. And whenever someone asked me how they could learn about cybersecurity concepts, I would tell them to eschew text books and begin their education by reading more mainstream works like Cyberwar by Richard Clarke, Fatal System Error by Joseph Menn, Worm by Mark Bowden, and Kingpin by Kevin Poulsen.
At an elementary level, IT is all about using technology to enable the business. This really hasn’t changed, even back in the early days when IT was called data processing or management information systems. In today’s IT world, business enablement is driving a few meta-trends. Cheap hardware and open source software are driving big data analytics to the mainstream. Organizations are abandoning the costs and constraints of on-site IT systems as they move applications and systems to the cloud. Mobile devices are becoming the primary compute platform for users, automating business processes and changing application development.

Given the crazy activity around new IT initiatives like these, it may be somewhat surprising that information security was rated as the most important of all meta-trends in a recent ESG research survey (note: I am an ESG employee). ESG asked 601 IT professionals working at mid-market (i.e. 500 to 999 employees) and enterprise (i.e. more than 1,000 employees) organizations in North America and Europe to rank 6 different meta-trends on a scale from 1 (most important) to 6 (least important). The results were as follows:
Most cyber-attacks follow a similar pattern: an end-user is fooled into clicking on a malicious link, downloading malware, or opening an infected file. These are the delivery and exploitation stages of the well-known Lockheed Martin “kill chain.”

Given this pedestrian malware workflow, endpoint security is absolutely key: catch an attack early, when it has compromised only a few endpoints, and you can avoid the more ominous phases of the kill chain, including data exfiltration. To meet today’s endpoint security requirements, you can’t assume that you can block all attacks with AV or by patching software vulnerabilities. Rather, you need smart security analysts skilled at detecting and responding to attacks on endpoint devices.
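To make the “catch it early on the endpoint” point concrete, here is an added example (mine, not the author’s) of one detection an analyst would run over process-creation telemetry: an Office application, typically launched by a phishing attachment, spawning a script host or shell. The event tuples are a constructed simplification of Sysmon/EDR process-creation records, and the host names, PIDs, and command lines are invented; the hypothetical `-enc`-style flag check is only there to show how a weak behavioural signal is promoted to a stronger one.

```python
"""Endpoint detection for the delivery/exploitation stage (constructed example):
an Office process spawning a script interpreter or shell on the same host.

Event format (hypothetical, modelled loosely on Sysmon event 1):
    (host, pid, ppid, image, command_line)
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}
# Flags that suggest an encoded or hidden PowerShell payload (assumed set).
ENCODED_FLAGS = ("-enc", "-encodedcommand", "-w hidden")

# Constructed process-creation events; "ws02" shows a benign cmd.exe whose
# parent is not an Office process and must not alert.
EVENTS = [
    ("ws01", 4101, 800,  "explorer.exe",   "explorer.exe"),
    ("ws01", 4120, 4101, "WINWORD.EXE",    "winword.exe /n invoice.docm"),
    ("ws01", 4133, 4120, "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    ("ws02", 5001, 900,  "winword.exe",    "winword.exe /n report.docx"),
    ("ws02", 5010, 900,  "cmd.exe",        "cmd.exe /c dir"),
    ("ws03", 6001, 6000, "excel.exe",      "excel.exe quarterly.xlsm"),
    ("ws03", 6002, 6001, "cmd.exe",        "cmd.exe /c echo hi"),
]


def detect(events):
    """Return one alert dict per child process whose parent (same host) is an
    Office application and whose image is a script host or shell."""
    # Parent lookup is keyed by (host, pid): PIDs are only unique per host.
    by_pid = {(h, pid): (image.lower(), cmd) for h, pid, _ppid, image, cmd in events}
    alerts = []
    for host, pid, ppid, image, cmd in events:
        child = image.lower()
        parent = by_pid.get((host, ppid))
        if parent is None or child not in SUSPICIOUS_CHILDREN:
            continue
        parent_image, _parent_cmd = parent
        if parent_image not in OFFICE_PARENTS:
            continue
        lowered = cmd.lower()
        severity = "high" if any(flag in lowered for flag in ENCODED_FLAGS) else "medium"
        alerts.append({
            "host": host,
            "pid": pid,
            "parent": parent_image,
            "child": child,
            "severity": severity,
            "command_line": cmd,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"[{alert['severity']}] {alert['host']} {alert['parent']} -> "
              f"{alert['child']} (pid {alert['pid']}): {alert['command_line']}")
```

Note that the rule keys parent lookups on (host, pid): PIDs repeat across machines, so a detection that ignores the host will stitch together process trees that never existed.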