Comments
Cybersecurity Demands New Framework
Broadway0474,
User Rank: Strategist
8/25/2014 | 9:45:57 PM
Re: Security, a process on a timeline
Zulfikar, I really like the security camera analogy. That really let me wrap my head around it. Thanks!
Zulfikar_Ramzan,
User Rank: Apprentice
8/22/2014 | 5:35:47 PM
Re: Security, a process on a timeline
Broadway0474, it can definitely be unsettling to acquiesce that despite our best efforts threats will get through. The goal is not necessarily to passively accept it, but to do two things. First, put measures in place so we can understand what happened when something gets through. Second, armed with that knowledge, rethink our basic defenses. I liken it to a security camera. A building may have existing defenses in place: locks, burglar alarms, motion sensors, etc. A security camera cannot inherently prevent a break-in (except to the extent that it acts as a deterrent in the physical world). But with a security camera in place, one can review footage and quickly figure out what happened during a break-in. Many organizations ignore this after phase. So, they are never able to respond to existing breaches (allowing those breaches to do far more damage than they would have otherwise been able to do). More so, they don't have insight into how to put up better defenses (allowing the bad guys to exploit some of the same holes over and over again). I hope this helps clarify my position.
Charlie Babcock,
User Rank: Author
8/22/2014 | 5:05:43 PM
No, not defeatist
Broadway0474: Disagree on "defeatist." It would be defeatist if that were the only thing you were resolved to do. If, on the other hand, you have numerous defenses in place and an attacker still gets through, it's wise to analyze afterwards and see what could be done better. Much better to conduct forensics and try to prevent the next breakthrough than to do nothing because it might be labeled the wrong approach or even "defeatist," after the fact.
Broadway0474,
User Rank: Strategist
8/21/2014 | 11:07:08 PM
Re: Security, a process on a timeline
I think I got it, Zulfikar. The "after" phase is more about having the systems in place to gather information and understand what went wrong. It still is a bit demoralizing to think about though --- defeatist even.
Zulfikar_Ramzan,
User Rank: Apprentice
8/21/2014 | 6:16:58 PM
Re: What about the hypervisor?
Charlie, I think the hypervisor question is definitely relevant in the context of cloud. You will still want visibility at that level, but there may be different ways to achieve it. For example, VMware's vShield API allows you to achieve VM-level visibility from the host system itself (and many virtualization-friendly anti-malware technologies leverage this capability). The one nice aspect of virtualization is that being able to remediate threats is much simpler since you can revert back to a clean image or at least a clean snapshot. Of course, many caveats apply here since you might lose data, etc. There are also risks, certainly, of malware piercing a VM and compromising the host system (or of spreading among virtual instances in a given host). These situations don't occur often, but they are always a theoretical concern (especially in targeted corporate espionage type situations).
Charlie Babcock,
User Rank: Author
8/20/2014 | 6:45:27 PM
What about the hypervisor?
Zulfikar, do you think it's logical or practical to include more analysis of what's going on at the virtual machine hypervisor level? Is that a good inspection point? Or is it too late, if you spot trouble there?
Zulfikar_Ramzan,
User Rank: Apprentice
8/20/2014 | 6:21:06 PM
Re: Security, a process on a timeline
One approach to take, Charlie, if you are developing an organization's IT security strategy, would be to first inventory what technologies you have in place today and then map that to the framework -- being careful to identify all the assets that you are trying to protect as well. Then you can begin to see whether you have any capability gaps (or areas where you've overinvested in a particular capability). You can also start to see whether technologies that cover one part of the framework can potentially "play nice" with other technologies.
Zulfikar_Ramzan,
User Rank: Apprentice
8/20/2014 | 6:17:44 PM
Re: Security, a process on a timeline
Great question, Broadway0474 -- definitely one that keeps me up at night! I think applying lessons is the only hope we have of keeping bad guys at bay. But aside from that, the reason for emphasizing the after phase is that in many cases you won't be able to prevent a breach from occurring -- but what you can do in that situation is have the plumbing in place to respond to the breach effectively. Far too often, organizations spend weeks to months investigating a single incident. The questions they have to deal with, however, are fairly simple to ask (but can be challenging to answer in the aftermath of a breach). Continuous monitoring offers a way to short-circuit that time. If we can reduce weeks to hours, then we achieve a lot.
Zulfikar_Ramzan,
User Rank: Apprentice
8/20/2014 | 6:12:46 PM
Re: Security, a process on a timeline
Good point Stratustician. I think many people lose sight of the fact that we care first and foremost about protecting information from threats to that information. The choice of approach should come after. One area that I didn't get into in the article, but which I believe is important in this regard is having a corporate culture that places the appropriate amount of importance on information security. This can help make developing and implementing a security strategy much easier.
Zulfikar_Ramzan,
User Rank: Apprentice
8/20/2014 | 6:08:25 PM
Re: Security, a process on a timeline
Thanks for your comment MDMConsult14! I definitely agree. I actually talked about this framework at a recent academic venue on security analytics to help promote the idea that we should be thinking about security solutions from the perspective of the entire threat spectrum. 