Category Archives: architecture

How to engage cybersecurity customers

Andrew Townley strikes again with a good piece of advice for engaging with cyber security customers.

1) the conversation isn’t about us, and
2) we need to dial down the jarg-o-meter and industry-speak distortion effects 3x lower than we probably think is necessary.

Speak in terms of outcomes and objectives – what they want and what things do – rather than what things are, how they work, or using “insider” kool kidz terms that keep your seat at the lunch table with your security colleagues and friends.

Side note – the above is from Andrew’s daily email from https://archistry.com/ (09/28/2021, “When it shouldn’t be dialed up to 11.”)

Key Takeaways – Top Threats to Cloud Computing Report (2020)

I just re-read the “Top Threats to Cloud Computing Egregious Eleven Deep Dive” (2020) by the Cloud Security Alliance. There is a lot of good stuff (or bad stuff depending on your vantage point). I like this report because it has use cases that illustrate real threats and weaknesses; it is also data driven not Elmer F.U.Dd driven! The report has “Key Takeaways” sections too.


I highly recommend reading it and revising your architecture and processes as needed. I highlighted (in bold) a few key takeaways that are particularly important for security architects to consider.

Summary

The authors make the following summary statement in the beginning of the report.

Identity and Access Management (IAM) controls were the most relevant mitigation in this year’s report, accounting for 8 of the 9 case studies. Security Incident Management, e-Discovery and Cloud Forensics (SEF), including planning for an attack fallout and executing on the plan was paramount to successfully dealing with all but one of the incidents cited. Both IAM and SEF accounted for 17 controls each.

Key Takeaways

The authors outline the following takeaways:

  1. Data inventory/lifecycle practices for archiving, disposal, and destruction limit data exposure.
  2. Be aware of the cloud service’s metadata that can be exposed with misconfigurations
  3. Over-privileged cloud apps allow access to too much data when compromised
  4. Enable Multi Factor Authentication(MFA) to ensure strong user authentication.
  5. Implement different sets of login credentials for different services on the same platform to ensure that compromise of one account does not affect the other services.
  6. User awareness campaign to ensure users follow security best practices such as use of strong and unique password per account.
  7. Data stored in the cloud should be secured through encryption and the use of IAM facilities
  8. 3rd party security service providers should be vetted to make sure they are trustworthy and follow standard security practices
  9. The agility of cloud services enables more human error, design flaws and policy violations. More investments into control and correction of existing and planned states are necessary
  10. Cloud services and assets exhibit a broader external attack surface; its discovery and reduction is key.
  11. Sound architecture & design of cloud systems, networks, accounts and identities, as well as other defense in depth considerations are beneficial even for smaller cloud-using organizations and environments.
  12. Consumers have to be aware of the hidden dangers of installing apps into their mobile devices without understanding the true impact on their privacy
  13. Always protect sensitive data storage via encryption
  14. Have a detailed, tested incident response plan at the ready, including arrangements for additional network and filter capacity in an emergency
  15. Perform appropriate threat modeling
  16. Lower attack surface through best practice network design (ACLs, Firewalls, port and protocol blocking, deny)
  17. Proper threat modelling allows security architects and developers time to evaluate control gaps
  18. Security Protections built in not bolted on
  19. Service provider agreements should clearly state security responsibilities of the supplier
  20. Conduct periodic security assurance audits to verify vendor conformance against organizational policies, procedures and standards.
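One way to turn takeaways 3 and 4 into a repeatable check, as an added example (not code from the CSA report or from this blog): a small Python linter over IAM-style policy JSON that flags wildcard actions or resources (over-privileged apps) and sensitive actions allowed without an MFA condition. The two policy documents are constructed samples with a placeholder account id and bucket name; the `aws:MultiFactorAuthPresent` condition key and the `Version` string are the real IAM ones, while the choice of which actions count as "sensitive" and the finding strings are this example's own.

```python
"""Static check for two of the report's takeaways: over-privileged cloud
app policies (item 3) and MFA enforcement on sensitive actions (item 4).
Added example, not from the CSA report or this blog. The policy documents
are constructed samples in AWS IAM JSON syntax; the account id and bucket
name are placeholders, and the finding strings are this example's own."""
import json


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list:
    """Return a list of findings (strings) for one policy document."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Takeaway 3: a wildcard action or resource grants far more than an
        # app needs, so a compromised app can reach far more data.
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action in {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")

        # Takeaway 4: identity-changing actions should require MFA. The
        # aws:MultiFactorAuthPresent condition key is real; treating only
        # iam:* and "*" as sensitive is this example's simplification.
        mfa = (stmt.get("Condition", {})
                   .get("Bool", {})
                   .get("aws:MultiFactorAuthPresent"))
        sensitive = any(a == "*" or a.startswith("iam:") for a in actions)
        if sensitive and str(mfa).lower() != "true":
            findings.append(f"statement {i}: sensitive action without MFA condition")
    return findings


# Constructed sample 1: the "allow everything" policy often attached to a
# cloud app for convenience.
OVER_PRIVILEGED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample 2: scoped to one bucket, and the one IAM action is
# gated behind MFA. Account id and bucket name are placeholders.
SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow",
         "Action": "iam:ChangePassword",
         "Resource": "arn:aws:iam::000000000000:user/${aws:username}",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

if __name__ == "__main__":
    for name, policy in (("over-privileged", OVER_PRIVILEGED), ("scoped", SCOPED)):
        print(name, lint_policy(policy) or "no findings")
```

Run it over every policy attached to application roles during a periodic review (takeaway 20); the over-privileged sample produces three findings, the scoped one none. Extend the "sensitive" set to whatever actions matter in your estate, since the two categories here are only illustrative.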

Quote of the day – 5/17/2021

…we should always keep top of mind when we’re neck-deep in cyber threat intelligence, control libraries and vendor technology presentations is simply this:

“How does the decision I’m about to make help my security customers accomplish what they’re trying to do?” Followed closely by the corollary: “How are they really going to recognize that what I’m doing is helping them rather than just getting in their way?” ~ Andrew S. Townley

Quote of the day – 3/30/2021

One of the biggest barriers to security automation isn’t the technology but rather figuring out where to start. Getting to a starting point requires prioritizing the processes that cause the most bottlenecks to security service delivery.

Here, I would recommend CISOs look at value-stream mapping. Value-stream mapping is a visual exercise that helps align workflows to business outcomes and identifies issues related to performance and quality.

From there, you’ll want to explore which technology solutions have integrations built in and which will need custom programming. Invest in solutions that work well together. Then, fill in any automation gaps with strategic programming. ~ Kent Noyes

Quote of the day – 3/24/2021

The primary purpose of creating an enterprise security architecture is to ensure that business strategy and IT security are aligned. As such, enterprise security architecture allows traceability from the business strategy down to the underlying technology. However, many IT organizations have moved away from formal security architecture governance in favor of rapid deployment cycles and tactical changes which over time risk diverging into complexity and fragmentation – with unresolved security exceptions. Complexity not only leads to insecurity and the increasing potential for human error but also increased cost of operations. (Nige the Security Guy, https://nigesecurityguy.wordpress.com/tag/security-architecture/)

How Smart, Connected Products Are Transforming Companies – A New Architecture

I randomly (can you say “squirrel”) came across an article entitled “How Smart, Connected Products Are Transforming Companies.” The article describes an interesting architecture, or new technology stack, for handling smart, connected products. It requires companies to build and support an entirely new technology infrastructure. The entire article is a really good read.


The authors write about the need for security:

Until recently, IT departments in manufacturing companies have been largely responsible for safeguarding firms’ data centers, business systems, computers, and networks. With the advent of smart, connected devices, the game changes dramatically. The job of ensuring IT security now cuts across all functions.

Every smart, connected device may be a point of network access, a target of hackers, or a launchpad for cyberattacks. Smart, connected products are widely distributed, exposed, and hard to protect with physical measures. Because the products themselves often have limited processing power, they cannot support modern security hardware and software.

Smart, connected products share some familiar vulnerabilities with IT in general. For example, they are susceptible to the same type of denial-of-service attack that overwhelms servers and networks with a flood of access requests. However, these products have major new points of vulnerability, and the impact of intrusions can be more severe. Hackers can take control of a product or tap into the sensitive data that moves between it, the manufacturer, and the customer. On the TV program 60 Minutes, DARPA demonstrated how a hacker could gain complete control of a car’s acceleration and braking, for example. The risk posed by hackers penetrating aircraft, automobiles, medical equipment, generators, and other connected products could be far greater than the risks from a breach of a business e-mail server.

Customers expect products and their data to be safe. So a firm’s ability to provide security is becoming a key source of value—and a potential differentiator. Customers with extraordinary security needs, such as the military and defense organizations, may demand special services.

Security will affect multiple functions. Clearly the IT function will continue to play a central role in identifying and implementing best practices for data and network security. And the need to embed security in product design is crucial. Risk models must consider threats across all potential points of access: the device, the network to which it is connected, and the product cloud. New risk-mitigation techniques are emerging: The U.S. Food and Drug Administration, for example, has mandated that layered authentication levels and timed usage sessions be built into all medical devices to minimize the risk to patients. Security can also be enhanced by giving customers or users the ability to control when data is transmitted to the cloud and what type of data the manufacturer can collect. Overall, knowledge and best practices for security in a smart, connected world are rapidly evolving.

Data privacy and the fair exchange of value for data are also increasingly important to customers. Creating data policies and communicating them to customers is becoming a central concern of legal, marketing, sales and service, and other departments. In addition to addressing customers’ privacy concerns, data policies must reflect ever-stricter government regulations and transparently define the type of data collected and how it will be used internally and by third parties.

Shared Responsibility for Security.

In most companies, executive oversight of security is in flux. Security may report to the chief information officer, the chief technology officer, the chief data officer, or the chief compliance officer. Whatever the leadership structure, security cuts across product development, dev-ops, IT, the field service group, and other units. Especially strong collaboration among R&D, IT, and the data organization is essential. The data organization, along with IT, will normally be responsible for securing product data, defining user access and rights protocols, and identifying and complying with regulations. The R&D and dev-ops teams will take the lead on reducing vulnerabilities in the physical product. IT and R&D will often be jointly responsible for maintaining and protecting the product cloud and its connections to the product. However, the organizational model for managing security is still being written.

The authors continue with implications for organizational structure (i.e., The Takeaways)

Figure: A New Organizational Structure (image from the article)


What is the Trusted Exchange Framework?

On January 5, 2018, the Office of the National Coordinator for Health Information Technology released the “Draft Trusted Exchange Framework.” Per ONC’s website, the framework:

outlines a common set of principles for trusted exchange and minimum terms and conditions for trusted exchange. This is designed to bridge the gap between providers’ and patients’ information systems and enable interoperability across disparate health information networks (HINs).

The framework was a response to Congress.

In the 21st Century Cures Act (Cures Act), Congress identified the importance of interoperability and set out a path for the interoperable exchange of Electronic Health Information. Specifically, Congress directed ONC to “develop or support a trusted exchange framework, including a common agreement among health information networks nationally

Marianne Kolbasuk McGee at www.healthcareinfosecurity.com provides a good analysis here, including security components that go beyond HIPAA requirements. I will review the draft proposal and provide comments.

The Takeaways

  1. Review the draft Trusted Exchange Framework, provide feedback to the ONC, and alert your partners in compliance, legal, privacy and InfoSec GRC about this new framework.

What are some emerging trends in cybersecurity?

I read an interesting blog post on ten cyber security trends for organizations to consider. Please read the entire blog posting here. Below (copied directly from the blog post) are the potential trends that I find the most interesting and accurate.

A new model of cyber security will emerge
As firms invest more in cloud computing, a new model for cyber security is emerging. Increasingly, firms can look to cloud providers to embed good IT security, but firms still own the problem of setting their requirements and determining just who can access what. The shift towards DevOps and agile development build on these more flexible infrastructures, but also demand new ways of embedding security into the development lifecycle and an equally agile test regime. Security can no longer engage at the end of development cycles and, if it does, it risks being seen as a blocker rather than an enabler.

Automation of controls and compliance will be the order of the day
Firms are coming under pressure to contain their burgeoning cyber security budgets. Manpower-intensive compliance processes are beginning to give way to continuous testing and controls monitoring, helping firms build a more accurate picture of their IT estate – helping the CIO as well as the CISO. The growing demand for supply chain security and third party assurance will also lead to a burgeoning industry of testing firms offering risk scoring and testing services for those third parties.

Digital channels will demand customer centric security
Digital channels are becoming more and more sophisticated, demanding new consumer identity and access management approaches, dynamic transaction risk scoring and fraud controls, and an emphasis on usable non-intrusive security measures which don’t impact the consumer’s experience. Open Banking and the arrival of Payment Services Directive 2 will drive richer interactions between a new ecosystem of payment service providers and the banks who handle our money. A new world of open API is on the horizon, but concerns over criminal exploitation of these rich interfaces abound.

Resilience and speed matters
Regulators are focusing on resilience – the ability of an organization to anticipate, absorb and adapt to disruptive events – whether cyber-attack, technology failure, physical events or collapse of a key supplier. Exercises and playbooks are in fashion as firms try to build the muscle memory they need to respond to a cyber-attack quickly and confidently, while cyber insurance is finding its place not just as a means of cost reimbursement but as a channel for access to specialist support in a crisis.

The Takeaways

  1. Review and discuss the above trends and adjust your strategy as appropriate for your organization


What is the Open Data Exchange Layer?

I am at McAfee Focus 16 (#focus16). I decided to come despite missing out on the CxO track.

The opening video talked about the need to collaborate and work together. Standing alone won’t work. “Together is Power!”

Chris Young announced the Open Data Exchange Layer. I have been waiting for this for the last 2 years. He has thrown down the gauntlet to their competitors. Are you listening, Cisco, Symantec, Microsoft and Palo Alto Networks?

Chris Young also mentioned automation, integration and orchestration. Nice. Another key element is using the cloud as part of our cybersecurity efforts; it expands and contracts with the individual’s and company’s needs. It is always available regardless of where the person is physically or virtually.

The Takeaways

  1. Take a closer look at ODXL. Is it real?
  2. Invite your current security product suppliers to add ODXL to their roadmaps
  3. Keep McAfee accountable to this “Together is Power” vision. Ask them to prove and deliver it!
  4. Ask McAfee to add other open standards, like SACM, to their products