Three paradoxes disrupting IT Security

2017 has been a banner year for IT Security. The massive publicity of attacks like WannaCry has focused public attention like never before on a hitherto obscure field. Non-technical people, including board members, nod gravely as the CISO or a wise friend harangues them for attention, behavior change or budget on the topic of IT Security. It’s in a way comforting to think that such attention is a good thing. After all, there’s no such thing as bad publicity, right? This is certainly the age of “I don’t care what the newspapers say about me as long as they spell my name right”.

Not so fast, my friend. Despite all of the attention, all of the massive investment by venture funds in IT Security, all of the hand wringing and tut-tutting after the latest attack makes the front pages, there are some deeply rooted inconsistencies if you look closely at the scene.

Paradox #1: More data, less information

For some time now, we are drowning in data but starving for insight. This recent survey of CIOs shows that:

  • 95% of CIOs believe data is changing the way their organizations do business
  • 83% see data as a valuable asset that is not being fully utilized within their organization
  • 64% believe their organization is not making optimal use of the data to drive their business forward

In 2010, Eric Schmidt of Google noted that every two days we create as much information as we did from the dawn of civilization up to 2003. Data is everywhere, but insight is not. Why? Because the barriers to producing data are so low. In the Middle Ages, when paper was a sign of wealth and books were locked up in monasteries, knowledge was considered valuable and creating it was costly. Today the challenge is different. We live at the opposite extreme, where instrumentation in practically every network-connected device emits data nonstop. The challenge, as always, is: what does it all mean, to me, now? That level of insight continues to be elusive. Getting at it requires a mix of technology, data science, domain expertise and process discipline, a combination that is rare.

Paradox #2: More connectivity, less understanding

Today more and more of our lives are online. Every desktop, phone, tablet, watch, automobile and x-ray machine is online and generating reams of data. Networks are interconnected, leading to even larger networks. So much so that no less a personage than Elon Musk worries that Skynet is about to become self-aware. Sure, connectivity has created tremendous positive changes, including new markets in developing nations, efficiencies in the marketplace and benefits for social interaction that were unthinkable a mere decade ago. But the same connectivity that lets you travel the globe in one click works the other way also. Deplorables from far-flung locales can be at your doorstep with one click.

The sprawling network also begets the problem of not knowing your “home” turf. Understanding of the ways into and out of complex interconnected networks keeps shrinking, which makes them harder to defend. And what of the Mir Jafars amongst us, the scary thought of the insider threat? Effective defense demands actionable intelligence. It’s essential to answer the 4 Ws (who, what, where, when), but prevention and effective countermeasures require the 5th W (why), which is knowing motive, i.e., understanding. In his blog, David Bianco describes network defense as defenders working to push attackers up the Pyramid of Pain. The highest form of defense is to understand the attackers’ tactics, techniques and procedures (TTPs) so as to deny them their prize.

Paradox #3: The wisdom of crowds, the irrelevance of crowds

The latest buzzword in IT Security circles for the past couple of years has been threat intelligence, or crowd-sourced observations of bad behavior with the attendant publishing of these actors and their actions on a global scale. If the bad guys collaborate and share info on TTPs (ransomware as a service?) then should defenders do the same? Should every defender be left to analyze artifacts from the past and work in isolation to determine the future?

Surely the answer is no, and yet there’s the question of applicability and relevance to our specific network. If Ivan the Terrible is on the rampage in Kazakhstan, should the sheriff of Middleburg, VA worry and shore up his defense against the TTP used there? Probably not. And so the paradox. While crowds can give you a million eyes, it doesn’t necessarily translate into actionable intelligence to defend your network.

Disruption is a good word, signifying creativity and innovation—shaking up things in a good way. But disruption often has unintended consequences. More information, connectivity and crowdsourcing are also shrinking insight, eroding understanding and empowering irrelevant data points. These are points to ponder as we journey deeper into this 21st century.

Tip of the hat to Amy Zegart whose article in The Atlantic got the neurons firing.

Think you are too small to be hacked?

As a small business, how would you survive an abrupt demand for $250,000? It’s ransomware, and as this poll shows, that’s what an incident would cost a small business. Just why has ransomware exploded onto the scene in 2017? Because it works. Because most bad guys are capitalists and are driven by the profit motive. Because most small businesses have not taken the time to guard their data. Because they are soft targets. What makes the news headlines are the attacks on large companies like Merck or Maersk, or on large government bodies such as NHS hospitals in the UK. But make no mistake, small businesses get hit every day – they’re just not in the headlines. After all, more people miss work due to the common cold, but this never makes the news. On the other hand, a single case of Ebola and whoa!

Unfortunately this leads to confirmation bias. Since you don’t hear about it, it must not be a thing, right? That’s dangerous thinking for a small business. The large corporations can bounce back from cyberattacks; they have the depth of pocket to hire the experts needed during the crisis. But how does a small business cope? Breach costs can reach $250,000, not to mention the destruction of client trust if word gets out that confidential information was leaked.

So what do you do? Try these three steps:

  • It starts with you and your employees. Know your digital assets and maintain an up-to-date inventory. Invest in employee training, as employees are the weakest link in the IT security game.
  • Minimum diligence includes up-to-date anti-virus, a managed next-gen firewall and regular patching. Step it up with endpoint protection. Regular reviews of user and system activity are a solid, low-cost improvement to close the gap.
  • Get an expert on your team. It’s too expensive to hire dedicated resources, but this doesn’t mean you have to go it alone. Co-sourcing is an excellent technique to have an expert team on call that specializes in cybersecurity.
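The inventory check and activity review from the steps above, as an added example that is not part of the original post or of any vendor product: a small Python review that compares login events against a known-asset list and flags unknown hosts, off-hours logins and repeated failures. The inventory, hostnames, users, log format, business-hours window and failure threshold are all constructed assumptions for illustration.

```python
"""Added example (not from the original post): a weekly review of login
events against an asset inventory. Every host, user, log line and
threshold here is constructed sample data, not a real system."""
from datetime import datetime

# Constructed asset inventory: the hosts the business knows it owns.
INVENTORY = {"fileserver01", "laptop-alice", "laptop-bob", "pos-terminal1"}

# Constructed log lines in an assumed "timestamp host user result" format.
SAMPLE_LOG = """\
2017-06-12T09:02:11 laptop-alice alice success
2017-06-12T09:15:40 fileserver01 bob success
2017-06-12T23:48:03 fileserver01 admin success
2017-06-13T02:10:55 laptop-zed zed success
2017-06-13T08:00:01 laptop-bob bob failure
2017-06-13T08:00:05 laptop-bob bob failure
2017-06-13T08:00:09 laptop-bob bob failure
2017-06-13T08:00:13 laptop-bob bob failure
"""

BUSINESS_HOURS = range(7, 20)   # assumed 07:00-19:59 local working window
FAILURE_THRESHOLD = 3           # consecutive failures per user worth a look


def parse(lines):
    """Turn raw log lines into (timestamp, host, user, result) tuples."""
    events = []
    for line in lines.splitlines():
        ts, host, user, result = line.split()
        events.append((datetime.fromisoformat(ts), host, user, result))
    return events


def review(lines, inventory=INVENTORY):
    """Return findings as (category, detail) pairs, in log order."""
    findings = []
    failures = {}   # consecutive failed logins per user
    for ts, host, user, result in parse(lines):
        if host not in inventory:
            findings.append(("unknown-host", f"{host} is not in the asset inventory"))
        if result == "success" and ts.hour not in BUSINESS_HOURS:
            findings.append(("off-hours-login", f"{user} on {host} at {ts.isoformat()}"))
        if result == "failure":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] == FAILURE_THRESHOLD:   # report once per streak
                findings.append(("repeated-failures", f"{user}: {FAILURE_THRESHOLD}+ failed logins"))
        else:
            failures[user] = 0
    return findings


if __name__ == "__main__":
    for category, detail in review(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against the sample data it reports one unknown host, two off-hours logins and one failure streak; a real deployment would feed it exported authentication logs and the current inventory.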

If the first half of 2017 is an indicator, then it’s high time to wake up and smell the hummus.


How do you determine IT security risk?

How much security is enough? That’s a hard question to answer. You could spend $1 or $1M on security and still ask the same question. It’s a trick question; there is no correct answer. The better question is: how much risk are you willing to tolerate? Mind you, the answer to this question is a “beauty is in the eye of the beholder” deal, and again there is no one correct answer.

The classic comeback from management when posed this question by the CISO is to debate what risk means, in a business context, of course. To answer this, consider the picture below.

These are your tax dollars at work. It comes from a NIST publication called “Small Business Information Security” and is available here. It presents a systematic method to first identify and thereafter mitigate the elements of risk to your business. To a small business owner, this may all be very well but can be overwhelming.

Did you know that you are not alone in tackling this problem? Our SIEMphonic program is specifically designed to provide co-management. We get that for a small business owner, it’s difficult to deploy, manage and use an effective combination of expertise and tools that provide early detection of targeted, advanced threats and insider threats. With SIEMphonic Enterprise Edition and SIEMphonic MDR Edition, we work together with you to analyze event data in real-time, then collect, store, investigate, and report on log data for incident response, forensics and regulatory compliance. Let us help you strengthen your security defenses, respond effectively, control costs and optimize your team’s capabilities through SIEMphonic.