Infosec’s Most Dangerous Game: Groupthink

October 12th, 2012 3 comments

These days, I am very, very afraid for the future of CISOs. Over the past few years, and specifically the past 12 months, I have become increasingly alarmed at the level of “groupthink” and “synchronized nodding” going on with security executives. Here are some of the things I am seeing:

  1. Lots of talking about the same shit, with absolutely no innovation at all. Good examples include metrics (we need them! they’re IMPORTANT!) and talk about policy and governance that usually means absolutely nothing.
  2. A desperate need to find “the metrics” to report to “senior management” – there is no such thing. Your management, in all likelihood, does not want any tactical numbers on antivirus events, IDS alerts, or such blather. They want real risk advice on business goals and functions. Period.
  3. Managing by managing what everyone else is managing. You would not BELIEVE how many security products get purchased because other security executives are buying them.

Most CISOs are smart folks. You got to that spot because you’re competent, or maybe more politically astute, or ideally both. We need to break out of this. I remember a while back when everyone in infosec lamented that we “never communicated”. Now, I almost think we OVER-communicate. It’s easy to play it safe by following what others are doing – I hear this in SANS classes, IANS forums, and sporadically with consulting clients. Not overtly, but sort of “between the lines”. We need innovation, and that means getting outside the echo chamber of security. I give a talk at a few IANS forums that adapts the concepts from the book “The Lean Startup” into the world of enterprise security programs to try and kickstart this. I don’t know that I do a great job, but I’m going to keep trying. Here’s a few key pointers from that talk.

First, think of your security program like a startup, and the overall program and its performance as your product. Ask yourself a few questions, and answer them honestly every day:

  1. Do Consumers Recognize the Problem We Solve?
  2. If there’s a solution, will consumers buy it?
  3. Will consumers buy the solution from us?
  4. Can we build a solution for the problem?

Your “consumers”, of course, are your constituents, ranging from employees to senior leadership, to customers and partners. Think about how THEY look at security, why they care or don’t care about it, and you’ll be on the right track.

The next thing to do is leverage the “Entrepreneur Pyramid”, shown below:

Create a security program mission/vision statement, and make it realistic. Define a short and long-term strategy, and be willing to “pivot”, or change, that strategy often – maybe every 6 months or even more regularly. Look at your product today as the MVP – Minimum Viable Product. Then optimize and build. To do that, leverage the Feedback Loop:

Focus on the major phases:

  • Build from ideas: Get creative. Think about different ways to accomplish your goals, and get feedback and input from people, and NOT just security people.
  • Measure your product, often: How effective are you? Are you missing attacks? Are you educating the business? Are you facilitating business, and becoming more trusted by business unit leaders? This is metrics, perhaps, but ask yourself what success looks like…?
  • Learn from the data: Data should drive insights. If it isn’t, you’re wasting time collecting it in the first place.

My final concept to try is “The Five Whys”. For every brainstorming session or security meeting, when trying to solve problems, come up with new ideas, or determine a root cause, drill into each idea five times. Not to be annoying, like a 3-year old that won’t quit, but to see how deep you can get, and force that “out of the box” thinking. In many cases, by the 3rd or 4th “why”, you’ll be really digging for answers or more ideas. That’s OK! Just keep digging.

This isn’t a perfect science, but if we want to be real business leaders advising on risk, we need to start thinking of new ways to do it. I recommend reading Eric Ries’ book, too – it’s really good.

Categories: Information Security, Musings

Your CISSP is Worthless. Now what?

August 22nd, 2012 30 comments

OK, so it’s not really worthless. It can help you get a job or a contract. But in the scheme of today’s infosec world? It’s really broken, in my opinion. Let me break down my thought process, since I’m typically pretty upbeat about things.

Over the years, I have had more than a few laughs with both clients and SANS students about various aspects of the CISSP. Few seem to *really* take it seriously. That’s a big indicator.

Second, there are far too many things in that cert/test that are completely and totally useless to 99% of us in infosec. As the Information Systems Security Professional, I do not need to know a damn thing about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge. But not relevant to most people’s infosec jobs, and thus extraneous in the cert.

Third, the CISSP demonstrates no hands-on skills. The test itself, completely insane in its wording and content in some cases, just makes you memorize a bunch of concepts. We don’t need many, if any, theoreticians today. I need tangible, real skills that can be put to good use immediately. You may argue that theory and research and risk and <blah blah blah> has its place. Sure it does. But I don’t need that in a cert like this. I want someone who can walk in the door and DO things. Not think about doing things. Or talk about doing things. Or answer obtuse questions about things without being able to perform hands-on tasks.

I’ve had some people tell me – “I’m proud of my CISSP.” Really? Of what, exactly?

  • Studying for a test
  • Taking and passing a long, obnoxious test
  • Doing WORK for 3-4 years (wow, welcome to a CAREER)
  • Having a college degree (in some cases)
  • Acquiring <puke> CPE credits for random bullshit-able things
  • Getting someone to attest that you are smart. And/or awesome.

People, it’s broken. HR offices are essentially discriminating against people who don’t have one, for really no good reason. This cert is ridiculous. If you have to get one for work, or compliance, or DOD 8570, or something…OK. But don’t strut around and act as though this really means you have something unique or special…you don’t. I know way too many CISSPs who can’t dissect a packet, configure a firewall or IDS, write a script, perform a real in-depth risk analysis, and so on. That does NOT bode well for the future of information security. If you argue that it’s meant to be a broad, “theory” cert – well, I argue we don’t NEED those. We need more DO-ers.

So what do I propose? I say scrap the whole thing. Start over. Build a cert and program that tests fundamental skills and means something to employers who really need things done. Offer existing cert holders one year and a free test to get the new one. Otherwise, they’re out. We need to weed out the people BSing their way through infosec on the back of a bunch of stupid CPEs. I’d love for the CISSP to mean something, and see the industry rally around it as a useful and legitimate indicator of knowledge and skill. We have friends of mine like Wim Remes on the ISC2 board, and Dave Lewis and Boris Sverdlik running for the board now. I would love to see more awesome folks like these guys steering the ship. But it needs an overhaul regardless.

Pic courtesy of Boris’ site at

Categories: Information Security, Musings, Rants

No Infosec Sacred Cows

July 20th, 2012 13 comments

We have sacred cows in infosec, apparently. I read a blog post by Dave Aitel about security awareness yesterday that I really enjoyed – he took a very bold stance on a topic that everyone seems to have an opinion about. His argument? Security awareness is useless. Ditch it, and spend your time and money on technologies and techniques that actually control what users can do and what can happen to them.

Is he exactly right? No, probably not. But he took a stance, and got some thought-provoking dialogue going. What was incredibly disconcerting to me, however, was the vitriol people started spewing in the comments – how DARE he propose such a thing?! I tried commenting on the post but I think CSO flagged it and didn’t let me, and I was probably being a bit acidic in my comment, as well, but for different reasons. So a few things shook out, in essence here’s what I was trying to say:

  1. People, don’t be LEMMINGS. I saw a lot of people who were puffing out their chests as “leaders” in the infosec space spewing garbage about “people, process, technology” like they were attached to Shon Harris’ rear-end after having a love fest with her CISSP study guide. C’mon, just because it’s one of the “10 domains” doesn’t mean you have to evangelize.
  2. Most security awareness programs SUCK. I would be willing to bet the majority of the awareness proselytizers on the thread are doing the same old crap with some stupid Web-based Flash thingie that people click through as fast as they can, and a little printout goes in their HR folder of whatever. UGH. That doesn’t work, never has, and never will.
  3. Given that most programs suck, what is wrong with a contrarian view? Start a conversation on new methods of security awareness and protection, but don’t demonize Dave (who has likely seen more overall than most posters) for having the balls to suggest that something BLATANTLY NOT WORKING for most should be canned.

I generally think security awareness is ridiculous. Sure, sure, you need that compliance checkbox that asks for it. And OK, you have to TRY, I get that, too. But sometimes, we seem to cling desperately to ancient ideals and practices in this field that just might have run their course. I’m not ready to say security awareness is one of them….yet. But we can and should try to improve it, across the board, or find something else to do instead.

Categories: Information Security, Rants

Infosec Thought Followers

June 15th, 2012 Comments off

If you have been in this field for any length of time, you’ve undoubtedly come across the term “Thought Leader”. Ugh.

What, exactly, is a “thought leader” in this space? Someone who discovers amazing new technologies? Someone who predicts the direction of security? Both? Neither?

This is one of those terms that just makes my skin crawl, and here’s why. I have not seen anything wholly NEW in this field in a long time. In fact, just about everything I see is some variation on an existing theme, in just about every way. Most of the people blogging, ranting, speaking at cons, etc. are all doing something that builds on work that came before…and that doesn’t necessarily make it bad, of course. Far from it – there’s some amazing stuff happening right now all over the place in infosec. But we’re really all building and feeding off one another. Some call it the “echo chamber”, since we tend to bounce things back and forth and love to hear ourselves think. In some cases, this is definitely true.

A while back, many were lamenting that we never talk in the security community. I think the opposite is true – I think we talk a LOT. My only lament is that we seem to talk about nothing but infosec! There is, of course, more to life than infosec…but I digress.

So next time you see someone labeling themselves as a “thought leader”, you should first laugh at their likely douchy nature, and then ask them exactly how they’re “leading”. Real leadership in this space tends to happen at a level unobserved by most. The CISO who backs her team politically and fights for key projects, the analyst who writes a sweet Python script to automate some rote pen testing task, the incident handler or forensicator who digs for hours to find the root cause of an event, and so on. That’s leadership, and it happens all the time.

As for thinking? Really, we’re all thought “followers” who absorb from one another. That’s what the community is good for. And we need all of it we can get.

Categories: Information Security, Musings

Lies, Damn Lies, and Infosec.

May 25th, 2012 1 comment

The little lies we tell ourselves are usually the most insidious. Lies about our weight, our success in life, our relationships. We believe these lies. Or we *want* to, at least. They make us feel better, most times. But they creep up on you over time, and when you really, truly discover that they’re lies, after all, they hurt. And they can hurt a lot.

We just might be lying to ourselves in the information security industry.

After a great and spirited debate on Twitter (naturally), a realization dawned on me. Well, two realizations, but I’ll start with the lie.

We may never be seen as business “partners”, or something that really adds value in an organization.

We’ve been struggling with this for years. “Get a seat at the business table” blah blah blah. What if we’re not meant to have one? What if the notion of a “Chief Security Officer” is most businesses’ (and the universe’s, perhaps) grand joke upon us and our industry? Any of you reading this that hold a CSO or CISO title…do you feel like you’re treated as a true executive? My guess is no. I’ve been one, I know. People are pretty nice to us, maybe. But we’ll never have the clout of a VP of Sales, or a CFO.

And down deep, I think we know this. 

But we keep on lying. Now, lest you sink into a quagmire of depression from which you’ll never surface after reading this, we DO have some value. Of course we do! I don’t need to describe all the things we do, and the unemployment rate in infosec right now supports the notion that we are serving a definitive purpose. But time and time again, I hear my fellow infosec folks opine that things are futile, we’re not making a lot of progress, we’re not “winning” (whatever that means in this business).

I’ve struggled with this for a long time. I’m a natural optimist, and I want (badly) to believe that we CAN “win” or succeed at beating back what for all appearances seems to be an unending tide of malicious and horrible crap. But this Twitter-borne realization dawned on me that I may in fact be lying to myself, and everyone else may be, too.

I said I had two realizations. The other came later, after my friends Kevin Riggins and Josh Corman pointed me to something beautiful. Neil Gaiman, a well-known fantasy author, gave one of the most incredible 20-minute speeches I have ever heard at a university commencement ceremony, and you can find the video here. I cannot encourage you enough to watch this video, it may give you something you didn’t know you needed.

There’s one passage in Neil’s speech that hit home, perhaps more than others:

So be wise, because the world needs more wisdom, and if you cannot be wise, pretend to be someone who is wise, and then just behave like they would.

So, for that second realization. I may be lying to myself, and you may be, too. As for me, I may not be the one to change the business world’s idea of infosec and the value we bring. But I’m going to pretend to be someone who can. And maybe that’s just as good.

Categories: Information Security, Musings

What’s RIGHT with Infosec

April 2nd, 2012 Comments off

There’s a lot of general negativity in the information security community, often represented as a sense of futility and continual failure. This makes sense intrinsically, especially when you take “security” as a macro-level topic across the spectrum of news, etc. It seems like everyone is failing all over the place, and the media just eats it up. But is this really the case? In certain situations, sure. Some organizations just don’t care as much, and some security professionals are unable to get the job done due to lack of skill, politics, too much workload, or plain old apathy.

This is not a “black or white” issue though. I think there’s a lot of good happening in this space right now, and it all fundamentally comes down to the maturity of information security as a discipline. I’ve said this for years, and it bears repeating – this field is still really in its infancy, and has a long way to go. This post is just me observing the state of things, and I’ll list a few points that I think illustrate the good coming out of our field.

  1. We are coming to the realization that we WILL be breached. This is a huge, fundamental shift in mindset that’s actually healthy, not redolent of defeatism. We have too much surface area to cover, not enough people and technology, and dammit, defense is HARD.
  2. We are all risk managers and advisors. This does not mean we WIN or LOSE. We assess and advise, and then we live with the damn decision whether we like it or not. That’s how business has worked, and traditionally those organizations that were more willing to take risks and stick their necks out were rewarded (or crushed). You can’t expect business people to change that mentality overnight. And we’re starting to figure this out.
  3. A healthy offense can inform defense, and more and more organizations are figuring this out. And we’re actually getting better at it. Sadly, all the kids want to be superhax0rz, seems like defense is BORING. Maybe, but the truth of the matter is that most people aren’t cut out to be good superhax0rz, and without defense there would BE no offense. Let me say that another way. The only reason we do pen tests is to find holes and fix them. In other words, defense. So we’ve got a Yin and Yang deal going on here, and this is also becoming a healthy realization in more organizations than ever.
  4. We’re becoming less tolerant of bullshit bureaucrats who spout “policy” and “governance” with no credible skills to back this up. Thank God. If you’re the boss (CSO/CISO, etc) and have no real technical skill, then block and tackle for your folks, then get the hell out of the way and let them make you look good. Still more “infosec politicians” than I’d like to see, but at least we’re learning to work around this issue.
  5. We’ve realized the government is not going to help/save us. This may seem obvious to longer-term practitioners, but we’re basically on our own, and we’re just getting on with it.
  6. We’ve got some hella smart new blood coming into this field. If we could stop being crusty, snarky ASSHOLES long enough to embrace them, we’d see the industry advance even faster. 🙂

This post somewhat parallels my previous post titled “Doom, Gloom, and Infosec”, where I also outline some solid benefits of working in infosec (good money, smart people, etc.). This post is more about the overall advancement and maturity of the industry as a whole, and I’m glad to see it. Despite the sensationalized failures, we’re headed in the right direction, I’m sure of it.


Categories: Information Security, Musings

The Cloud’s Low-Rent District

February 16th, 2012 1 comment

I’m a big fan of the work of Tim Ferriss. While I haven’t quite managed the 4-hour work week yet (more like the 84), the dude is smart and has no fear of saying what many of us just think. In Outside magazine’s July 2011 issue, while promoting his new book “The 4-Hour Body,” Ferriss describes his opinion on human motivations:

It pays not to be puritanical with incentives. Just look at what’s effective. We like to talk about reward, positive thinking, positive reinforcement. But the sad or useful fact of the matter is that shame, humiliation, peer pressure, financial loss – those things are all more effective.

There are so many corollaries to infosec in this statement it’s hard to know where to begin – the flaccid ineffectiveness of security awareness, repeated insane attempts to buy our way out of proper security process and tactics, and on and on. Here, though, I want to focus on the new and exciting realm of CLOUD SECURITY. There are numerous projects underway out there that are seeking to provide some degree of provider transparency. The most well-known include the following:

There’s lots of discussion in the security community around cloud standards and “best practices” related to cloud provider practices, architecture models, and such. This will continue for some time, surely, but one of the most pressing issues has been getting CSPs to disclose how well they’re safeguarding assets and operating a security-savvy environment. To this effect, STAR is probably the most high-profile effort to date, where shiny, happy CSPs can proudly proclaim that they are awesome. I think this has some merit, but I think we need a different model. Coming back around to Ferriss’ quote, this doesn’t really address the most successful motivations we have as humans (and as organizations, by extension). I think it’s time for a “Wall of Shame” for CSPs who blatantly disregard security. How many CSPs would take security more seriously if they knew there was a provision in every contract stating that customers could publicly describe security failings at the CSP, and immediately move their data and systems elsewhere with no questions asked? I’m sure you’re saying “Yeah, right, Shack – on a cold day in hell”. OK, we’re not there, but I think we need to get away from the “chosen few” mentality of STAR, which, to date, has very limited participation, and on to a more realistic model, especially for SMBs and specialized companies who need very vertical-specific SaaS offerings, for example. Do you think a small healthcare billing SaaS is going to offer themselves up for STAR? Uh, no.

While some efforts along these lines have started (the one that I still have hopes for is Cloutage, although it needs a lot more community involvement), we need to think about this problem a little differently. No STAR listing, SSAE 16, SOC 2 or 3 report, etc. will get us to a point where people know what to do and where to do business. Or in this case, where NOT to do business.

Infosec: Where’s our “Long Tail”?

February 2nd, 2012 1 comment

Chris Anderson popularized the concept of the “Long Tail” in his 2006 book “The Long Tail: Why the Future of Business is Selling Less of More”. In a nutshell, this concept means that there’s a statistical distribution of products, services, and so on, meaning most people or populations tend to gravitate to the 80% of whatever is available. The “long tail” concept illustrates the subtle, often overlooked 20% market that tends to be more niche. For example, using one of Anderson’s case studies, Amazon sells a number of products that are popular across all buyers. Think hit movies, popular books, new gadgets, etc. However, there’s a smaller subset of customers that like incredibly unusual products that most don’t consider. This doesn’t mean they’re not profitable – far from it. That group of people that love 1950’s comic strips about hilarious talking farm animals will be incredibly loyal and devoted to the company that can provide them with goods in their space.

What does this have to do with infosec? My thoughts – we are really lacking a proper “long tail”. RSA is coming up soon – what will we see that points to real innovation in the space? I always tell people that I spend the majority of my time on the show floor at RSA roaming among the smallest, least flashy booths. The reason is that I’m always searching for that next trend or innovator that is doing something new or original. In a few cases, I’ve been rewarded – last year I saw a lot of “cloud” startups that were peddling Identity and Access Management (IAM) solutions. This space has a lot of growth, based on what we’ve seen in the last year. More often than not, though, you see a rallying cry of buzzwords. DLP!!! Cloud <insert term here>!!! And we all, of course, make fun of this with our usual, lovable snark. But snark only goes so far. At some point, we have to take a long, hard look at what we’re doing in security, and whether it’s working. Based on the breaches of the past 10 years, I think it’s safe to say that we’re not winning. Hell, I don’t even know that we’re SOLVING any problems, really.

Folks, we NEED a long tail. We need those organizations that are desperate to find unusual, different solutions that are not available at all right now. And we need small startups to provide them. Peter Kuper, a super-smart guy at In-Q-Tel who I love watching present, often gives talks about the lack of innovation and VC investment in security. His talks are amusing…and depressing. But we need that focus. One of our fellow security wonks in the space argued to me a few years ago that he was “really innovating” now that he was working at one of the biggest vendors. Bullshit. Big vendors typically buy their way to innovation. The question is – who are they buying? I encourage you all to pay attention to those tiny little booths in the dark corners of the Moscone Exhibit Hall at RSA 2012. And pray you see more of them.

Categories: Information Security, Musings

Failing Gracefully? Or Just Failing?

January 12th, 2012 No comments

Writing a book has put a serious crimp in my time for many other things, blogging included. I was warned, I know. I’ll quit bitching now.

I did a presentation with Alex Hutton and Rich Mogull yesterday to kick off 2012 at IANS, and we talked about a lot of major trends and themes in our space today. These ranged from mobile security and “consumer-ization” of mobile devices to cloud security, advanced threats, blah blah blah. We made no predictions, since all the same stuff from last year is still on the plate. Well, I guess we could have predicted that. During one of our discussions, focusing on advanced threats and incident response, Rich made a really good point (he does that). We were discussing the slowly dawning realization that we WILL be breached, and need to focus on detection and reaction more than anything at this point. At some point in the conversation, Rich said our prevention tools and processes just need to “fail gracefully” and lead us into detection and response mode. I started thinking about this, and I think the concept holds for a lot of things we do.

First, and probably most obviously, there’s code. Whether it’s the Rugged Manifesto started by Josh Corman and Dave Rice, or just general coding best practices, it stands to reason that sometimes people will do things with your function calls, input vectors, and the like that you did not plan for or intend to happen. Invariably, this will lead to some unintended consequence. Now, to be clear, sometimes that consequence is really nothing. Nada. It just pretends nothing happened and moves on. But more often than not, something doesn’t work. And the question, of course, is what happens then? Do you post a happy little message to someone’s browser announcing that Microsoft SQL Server 2005 could NOT execute SQL query X? Hopefully not. Worse yet, you just cough up *really* sensitive data.
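As an added illustration of the two outcomes that paragraph contrasts (this is example code written for this page, not the author's), the handler below is shown once the "leaky" way, where the raw database error goes straight back to the caller, and once failing gracefully: the client gets a generic message and a reference number, the full error is written to an internal log where detection can pick it up, and the request is denied rather than answered with partial data. An in-memory sqlite3 database stands in for the SQL Server in the text; the function names, the `audit_log` sink and the alert threshold are assumptions made for the example.

```python
import sqlite3
import uuid

# Constructed sample schema, standing in for a real application database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)")
    conn.execute("INSERT INTO accounts VALUES (1, 'alice', 120.5)")
    conn.commit()
    return conn

# A connection with no schema at all: simulates the backend being broken or misconfigured.
def empty_db():
    return sqlite3.connect(":memory:")

# In-memory log sink so the example runs offline; in production this is your SIEM/log pipeline.
audit_log = []

def lookup_balance_leaky(conn, account_id):
    """'Before' handler: whatever the database says is echoed to the client verbatim."""
    try:
        row = conn.execute("SELECT balance FROM accounts WHERE id = ?", (account_id,)).fetchone()
    except sqlite3.Error as exc:
        # Leaks table names, driver details and sometimes query fragments to the browser.
        return 500, f"Database error: {exc}"
    if row is None:
        return 404, "Account not found"
    return 200, f"{row[0]:.2f}"

def lookup_balance_graceful(conn, account_id, sink=audit_log):
    """'After' handler: fail closed, tell the user only that it failed, log the rest internally."""
    try:
        row = conn.execute("SELECT balance FROM accounts WHERE id = ?", (account_id,)).fetchone()
    except sqlite3.Error as exc:
        incident_id = uuid.uuid4().hex[:12]
        # The detailed record goes to the internal log, keyed by the same reference the user sees,
        # so the help desk and the detection team can find it without it ever leaving the server.
        sink.append({
            "kind": "db_error",
            "incident_id": incident_id,
            "account_id": account_id,
            "error": f"{type(exc).__name__}: {exc}",
        })
        return 500, f"Request failed; reference {incident_id}"
    if row is None:
        return 404, "Account not found"
    return 200, f"{row[0]:.2f}"

def should_alert(sink, threshold=5):
    """Detection hook: a burst of backend errors is itself a signal worth escalating."""
    return sum(1 for entry in sink if entry["kind"] == "db_error") >= threshold

if __name__ == "__main__":
    print(lookup_balance_leaky(empty_db(), 1))
    print(lookup_balance_graceful(empty_db(), 1))
    print(audit_log)
```

The point of the second handler is not the try/except itself but where each piece of information ends up: the client sees a status code and an opaque reference, the log sees the exception text and the request context, and the detection logic sees the rate at which the prevention control is failing.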

Another classic preventive control is antivirus. It fails. A lot. And then what? What other controls do you have to allow A/V to fail gracefully? Behavior-based detection at the host or network? Protocol-aware firewalls that can spot HTTP/HTTPS C&C traffic? What about your security awareness program and email spam/malware controls? When they fail, people click on links. And then bad things happen. What controls can catch that (aside from A/V)? Do you have more innovative controls for your browsers, etc. like Invincea’s browser protection?

The list could go on and on, but I think a shift we need in security overall is to start thinking in terms of failure scenarios. Every single solution/control/process should be viewed in context of the others, really more like a “controls ecosystem” than any one specific point control. This is somewhat related to the age-old “Defense in Depth” concept we’ve touted for years, but it goes beyond that, I think. We’re pretty good at “if-then” analysis for controls in security; it’s the kind of analytical process many of us enjoy. Let’s turn it around though, and start thinking “if-then” in the negative sense.

Fail gracefully, my friends.

Categories: Information Security

Does Offensive Security Really Exist?

November 15th, 2011 Comments off

And NO, I am not talking about the great folks at Offensive Security. I KNOW they exist. 🙂

I had some great commentary and discussion on my last post, “Doom, Gloom, and Infosec”. Jericho rightly pointed out the ever-popular Charlatans page at Attrition. This could definitely lead some to feel a little despondent or at least irritated in this field. Asshats have a way of doing this. Wendy at 451 had some interesting thoughts, too, as did a few other sites and folks. My friends at the Infosec Daily Podcast, Rick and crew, had a discussion about the post that really got me thinking, though.

In my post, I list some general ideas of reasons why infosec might suck. These were totally off the top of my head, based on a lot of conversations I’ve had in the last few years with people in all walks of the industry (consultants, company and end user practitioners, CISOs, trainers, you name it). The ISD crew talked about them, and made an interesting statement – “as offensive folks, many of these don’t apply to me|us”. The premise being that folks playing DEFENSE (responders, intrusion analysts, firewall folks, etc) have a worse time of it. This is likely true. But the point that stuck with me was the concept of “offensive infosec” roles. The assumption, of course, is that this means vulnerability assessment teams, red teams, pen testers, and so on. And I get what they are saying. However, I want to refute the concept of “offensive” vs. “defensive” security staff. I don’t think that’s realistic. Reason? Offense really exists for one reason only – to inform defense. In my mind, this really means we’re ALL defense. We just accomplish our defensive strategy and tactics in different ways.

I am a pen tester and someone who enjoys “breaking” as well as “fixing”. Would “breaking” fit into a security philosophy if not for the perceived benefits to “fixing”, though? I’m not trying to blow this all out of context, I know exactly what the ISD dudes meant, but it just got me thinking – when we classify ourselves that way, we may in fact be doing ourselves a disservice as a whole. Interested in your thoughts.

Categories: Information Security