I was looking in a book store (one that tends to stock the way out their books) and came across a book of Numerology. Now for those that don’t know, which I have to admit, I did not, Numerology is about how numbers affects our lives. Supposedly using numbers you can predict everything from if a marriage will work out to if you would lend someone a toothbrush. Now before you ask, I really have no idea if this is a valid form of science, but then I guess the whole point of science is that you don’t ignore something because you can’t understand it.

I often get asked to rate the security of a device so that we can put for example all smart phones in order going from most secure to least secure. In reality this is hard to do as it’s a bit like saying can you take all the vehicles on a road and put them in order from best to worse. We can take one aspect of security and compare it but when you put it all together it’s like saying which is best a Ferrari or a 40ft articulated lorry. 

So that calls into question how we do our risk assessments, should the output of a risk assessment allow for comparing of devices? Should the output be a score or a level? Well I don’t want the reputation of just reading books but it seems that risk management has changed and maybe the security world has not caught up.

Some risk management background, most organisations that I know use the standard risk assessment methodology of Threat, Vulnerability & Consequence(TVC). This seems to have come from the business definition of risk, so the finance organisations used much the same process for looking at financial and business related risks.  The idea with the TVC approach is to try to quantify the ratings then apply simple maths to come out with a risk score. Well that became a standard and filtered into security. There have been some problems with the TVC model and companies that have seen it go wrong have done some studies into how it fails.

In many cases TVC fails because the risks are not well communicated or the assumptions are wrong, in my experience that’s also why different security professionals risk assessing the same thing get different results. This sort of makes sense because you’re trying to quantify something that’s not quantifiable, risk is a thought process and how you think about a risk will depend on your character and outlook on life.

Where does this all lead to? Well a good risk assessment starts with profiling the audience that will be reading it so the end communication is optimum. Organisations with standard risk assessment formats are kidding themselves this is any sort of saving. Risk assessors must not be worried about saying they don’t know rather than making an assumption and leaving it in the detail of the assessment.

The last point… trust an expert.

We live in a world that’s driven by being able to out argue or prove your point. Sometimes the best experts are those that know it’s not right but can’t say why. Sometimes this is called gut feeling but there is science to back it up. Have a look at Jonah Lehrer’s book called “how we decide” if you want to be convinced that trusting an expert is often right, even if they can’t justify themselves.

Rob

A recent security survey indicated half of those surveyed, have a documented cyber security strategy. 

I don't believe it!  More specifically, I don’t believe the organizations with a 'documented strategy’ have something which represents a realistic and comprehensive cyber-security strategy.   One which is a valued long term plan providing guidance in how to keep the organization on the healthy side of security.  If I had to guess, I would say the actual number is less than 1% meet such criteria.

Why the disparity and why should anyone care?

The numbers are opinions with no criteria.  The word 'strategy' is being interpreted differently by those respondents.  Does a plan to keep firewalls and client anti-malware current, constitute a strategy?  I think not.  That is a tactic.  It is a common sense practice, in response to immediate threats.   A strategy, by definition, is a forward looking long term plan to achieve a goal.  In this case, maintain a level of security which controls losses to an acceptable degree.

Thinking you have a plan when you do not, is dangerous.  If system administrators and management believe they have a cyber security strategy, they are less likely to allocate and focus resources to understand long term needs.  It becomes easy to ignore, hoping the status quo is sufficient and then be surprised when it is not.

So I have created a quick 5 question test, to validate the existence of a realistic cyber-security strategy.  Pass my test and I will concede you have a strategy.  Fail, and you must admit you don’t.  Deal?

Question #1:  Does your strategy identify the threat agents who will be attacking your organization over the next 3 to 5 years?
Without knowing the attackers, defenders remain in the dark and are forced to protect from threats both real and imagined.  The first step to any realistic strategy is to know who the opposition is, both today and in the future.  Thereby understand their capabilities, objectives, and likely methods.

Question #2:  Does your strategy articulate how you will likely be attacked by those threat agents?
Understanding the computing ecosystem, where it is less secure, and how specific threat agents will attack over time is imperative to a strategy.  Does the strategy talk about generic worms, viruses, and system patching, or does it take into account likely exploits paths.   The ones which align to the common methods of those pervasive threat agents identified in Question #1?

Question #3:  What impacts and losses are estimated from these attacks, given the expected defenses
Strategy is about planning.  Planning security is about finding the right balance between spending for controls and the losses prevented.  Ultimately getting to a comfy place where the residual losses are acceptable for the cost of security.  Without knowing the likely losses, even at a generic level, it is impossible to plan forward.

Question #4:  How does your budget and efforts align to managing those losses?  Does it fall within the range of acceptable levels of loss?
If you don’t have an accepted level of loss identified, you fail this question.  Impervious security, where no losses occur, either do not exist or are far too costly to employ.  Such a system is not practical.  So, some losses must be accepted.  Knowing this range is important to planning as it will trigger either growth or contraction for security spending

Question #5:  Who is responsible for the care and maintenance of the security strategy? 
Given the radical and chaotic nature of security threats, vulnerabilities, and impacts, a strategy must continually flex, adapt, and be updated.  Without crisp ownership, most strategies rapidly become stale and worthless.  Many such plans are rolled under some organization with little real stewardship.  The manager of the group is therefore the 'owner', yet so far removed it is an invalid answer.  If you don’t have the name of a single person, knows and agrees to actively manage the planning, you fail the question.

So do you have a viable documented cyber security strategy?  If not, don't be too disheartened.  You are in good company.  These are tough questions.  Most organizations struggle with cyber security strategy.  It is the norm, not the exception.

We are still at the beginning of this endeavor.  Rushing to claim maturity is not the path of enlightenment.  Let’s be realistic and recognize where we are and where we need to go.  Over time the community must move to a mature model where they benefit from pragmatic cyber security strategies.  To get there we must see our shortcomings and effort the good fight.

Reference: Ernst & Young Into the Cloud, Out of the Fog business briefing

DARPA, the Defense Advanced Research Projects Agency, and its Department of Defense partners, reached into the private sector this week in an unprecedented way through the first Cyber Colloquium, in search of talent and ideas.  What was remarkable, was both how they have purposely streamlined the process to target a tremendous untapped talent pool and more shockingly is technology they are looking to develop: OFFENSIVE Cyber capabilities.

So serious in this new research direction, they are going after new talent, which although rich in skills, usually falls far outside the conservative circles they normally engage.  DARPA and the defense agencies as a whole are configured to work with large and professional companies.  Unfortunately, 'weaponizing' computer systems into offensive options for military branches is a skill not commonly found in such traditional contract partners.  Those relationships have evolved to become very formal and bureaucratic affairs, taking tremendous time, resources, and oversight.  This is crushing to timelines and potential engagements with smaller groups not familiar with the process or possessing the necessary patience and resources to traverse the gauntlet of the submission, review, and selection.  The smart folks at DARPA have realized this and instituted a rapid evaluation process ‘Cyber Fast Track’ tailored to individuals, small teams, and non-traditional defense contract organizations with a turnaround averaging 5 days from submission to approval and kickoff of actual project work.

Research and innovation is their business.  It is no great surprise they are adapting their mining efforts to stay in touch with the best resources.  After all, this is the agency who grandfathered the Internet.  Streamlining the process to close the gap between DARPA project teams and external innovation talent is to be expected.  The impressive reduction of stifling bureaucracy is impressive, but not the real story of this first of its kind Cyber Colloquium. 

Presenting to a select and vetted audience, DARPA repeatedly made clear the new direction in research for the US defense community.  DARPA is looking to develop offensive cyber capabilities.  This is an overt request for ideas, research, and prototypes to arm military branches to not only defend their own compute environments, but offensive capabilities to attack adversaries.   The US is likely not the first nation to seek offensive cyber weapons, but it is a radical new direction for DARPA, driven by policy makers.

We are truly at a momentous point in history.  Will computers become the weapons of choice in the future?  We may be at the start of an escalating weapons race, for the proliferation of offensive capabilities, on a scale that has not been witnessed since the cold war.  Unlike those in history, this may expand to include, involve, and impact the computer systems in the hands of everyday people around the world.

Hello Again,

Today I am going to share my Top 10 areas of focus for 2012, some of these are stretch goals, but would like to share ideas and see what others are doing in these regards.  Again, we are primarily focused on an internal enterprise private cloud, due to TCO, security, and performance reasons.  However we do intend to use external capacity for specific use cases, we can discuss that later….

First of all, as discussed in my last blog, we are going after three big business goals:

Business Goals 

1.) Achieve 80% Effective Utilization (CapEx Reduction)

2.) Velocity Increases at a Cadence for Service Provisioning and Maintenance activities (Agility and lower OpEx through more automation)

3.) Zero Business Impact (Resiliency)

Top 10 for IaaS and PaaS - we can discuss SaaS in a future discussion...

1.)  Cloud Bursting automatically, first from one Intel Data Center, then to second Intel Data Center, then to public cloud all through controllable policy.

2.)  Automated Sourcing at Provision and Runtime- as a consumer enters our portal or calls our APIs, based on business requirements entered, security classification, capacity available, and workload characteristics…. the automation and business logic will decide what type of services and the location (public, private, or hybrid cloud).  Workloads are dynamically migrated to higher performance infrastructure (and back) as demands change through the app’s life cycle.  End result is a dynamic infrastructure based on a Hybrid Cloud that adapts to consumer needs automatically.

3.)  Automated End-to-End Service Monitoring - as the Automated Sourcing occurs, all components are dynamically added immediately (as fast as provisioning time) to an end-to-end service model representing health, utilization, and usage of the deployed service.  Dynamic changes to environment are handled through automation (add/remove nodes, etc).  Key service level objectives QoS are exposed to the consumer (i.e.. availability, performance, configuration compliance, associated service requests) providing the consumer a view of how the service is performing to SLA for their precise instance.

4.)  Automated component based recovery - as specific components in the end-to-end service fail, automated remediation is completed resulting in 95% of situations being rectified through destroy/create concepts and or other immediate remediation solutions - net effect is Zero business impact.

5.)  Automated deployment of resilient services - nodes and components are deployed and managed through automation in such a way that allows for 100% uptime (zero business impact), through methods such as affinity, striping across multiple points of failure, active/active deployment across multiple data centers and disaster zones.  All done based on choice in portal on resiliency requirements for application, and with minimal complexity.  Applications built through PaaS are always built with Active/Active resiliency and with Design for Failure elements enabled.

6.)  All aspects of solution are available through Open APIs and rich but simplistic UI, or API layer that allows for usage of different service providers or different platform solutions allowing for write once methods with backwards compatibility for application layer.  Features are exposed via control panel to cloud consumer that permit manipulation of backup schedules, patch parameters, alerting thresholds, and other key elements for supporting a production service. Integrated dashboard views are available for different participants: operations, end-user, and management.

7.)  Security –Security assurance provided allowing for trusted computing for compute and data components of Cloud hosting environments.  Levels of trust available through programmatic queries and UI, with configurable settings to establish level of trust where security standards are not yet in existence, this configuration could include logical segmentation, physical segmentation, and authorized users roles, as well as such elements as encryption of data at rest, in motion, or in memory.   

8.)  Exposure of scale out data services (Relational, structured, unstructured, file shares) - through APIs, with replication between all necessary locations based on placement of nodes supporting application.

9.)  PaaS layer for both Java, and .NET applications - with associated IDE, Manageability, Data, and Compute Services, exposed at PaaS layer instead of IaaS, PaaS layer should automatically enable key design elements such as automated elasticity, automated deployment of resilient services, secure code on a trusted platform, and with client awareness.

10.)Select and Choose web services for consumption with appropriate interfaces exposed based on choices in portal on business solution being developed - encourage of reuse of existing web service stores in both public cloud space, as well as private cloud.  Providing community of mash-ups for specific business processes, and associated IaaS and PaaS underlying technology exposed as needed for use case described in portal.  Net effect is the ability to enable our Innovative Idea to Production Service < 1 day.

Are you doing similar things in your Cloud environment, are you doing these today already in your private Cloud?  As usual love to hear your thoughts on where you are going, as many of us are on this same journey to transform how IT is used to help things happen faster, better, and cheaper.

-Das
Intel IT Cloud Lead

In my last blog Part 1, I provided some details of ways to improve Information Security when working with a low budget. One main area of my focus was on ensuring sound security policy and integrating security awareness training into other processes within an organization. There are many other opportunities to integrate information security best practices that increase awareness and build on the information security posture for the organization. Here are a couple more ideas:

• Find ways to integrate information security risk assessments into already existing processes so as to identify risks at early stages of product or solution development. This can allow the organization to evaluate the best mitigating controls which could be more expensive to add on at deployment.  At the forefront of defining the budget for a new solution or product roll out, the security management, technical and physical controls that are required should be considered ahead of time so that there are no surprises after implementation.
  
• Evaluation of the organization’s purchasing process. If technical controls are required in a security policy or risk assessment and purchases are made from the budget of a project, there may be an opportunity for justification of funds for deploying security control at an organizational level. It may be just a checkpoint during the procurement phase to evaluate whether there are several different deployments of similar solutions. If so, there may not be the consistency needed to ensure quality standards are met. Additionally, negotiation with the vendor for licenses or hardware might be more beneficial on a larger scale to save a significant amount of money. One other benefit to discussing security with the purchasing representatives are the relationships that can be developed with the information security group which can help significantly in understanding how the business justification of costs work within the organization.
  

During the effort to integrate security within other processes, the security staff should know about common misperceptions such as being a “road block” or trying to paint a picture that the “sky is falling”. A positive attitude can help with encouragement of open discussion on risk and acknowledgement of good catches made. I’m sure there are other ideas for improving the security posture of an organization on a tight budget that others may want to share.