
IT@Intel Blog

22 Posts tagged with the strategy tag

Is the value of patch management decreasing?  Some experts say, due to a rise in privately held vulnerabilities, the value of patch management is eroding.  Others feel patching is losing the race and becoming too little and too late with the rapid development of attackers.  I too have chimed in on the topic and stated patching all vulnerabilities is not economical, as most are never widely exploited.  But does this mean we should be looking at alternate paths, away from patch management?  I stand firm in support of the end-node update concept, but take a slightly different view of the scope and value.

 

I see ‘patch management’ as the strategic capability of managing end nodes.  I consider the delivery of ‘patches’ as a broad term which includes OS, application, and hardware BIOS upgrades which can benefit the security posture of the device.  This includes and is akin to the widely accepted delivery of security product updates for anti-virus, anti-spyware, firewalls, etc., some of which are updated daily.

 

Attacks are constantly changing.  They normally take advantage of poor coding practices, use design functionality in unintended ways, or exploit avenues to misguided end-user judgment.  The ability to update systems is crucial to maintain security equilibrium.  It is a support function for systems to adapt to new threats.  This capability has a multitude of benefits, both strategic and tactical.  Being able to reach out to systems allows for a better understanding of the number, type, and usage of systems in the environment.  An effective system can paint a picture of systems at risk.  It is a sweeping means to close identified vulnerabilities in deployed code, which can reduce the exposure surface.  It can be used to respond to compromises and drive clean-up activities.  Such services can raise the general security level of a community and may drive to a more homogeneous security stance, which strongly lends towards efficiency.

 

Mapping ‘patch management’ against a defense-in-depth model shows it allows for Prevention of exposure to known vulnerabilities where patches exist.  It can provide Detection capabilities to improve alerting of attempted as well as successful attacks.  Once systems are compromised, this Response function aids in the restoration of services back to a norm state.  The combination of indicators generated in these areas may assist in efficiency improvements and be used to comprehend future trends, therefore providing a potential Prediction opportunity.

 

Overall, actively managing end-node security via ‘patch management’ is very important.  I doubt any serious security professional is advocating turning off all patch or remote system security updates.  The value may vary over time and across different systems, but we have a lot of control in how this capability evolves and the value it returns.  We are empowered to maximize the return on investment.

 

The question still remains, from a measures and metrics perspective, how best can we show and quantify the benefits, efficiency, and value.  The industry as a whole has not yet been able to adequately or consistently tackle this challenge.  That discussion is fodder for another blog.


Research in how bacteria communicate and cooperate may be the future lessons of how computer malware evolves.

 

Bacteria and malware evolution

I recently watched a fascinating presentation by Bonnie Bassler on how bacteria communicate.

My information security brain started thinking of the similarities between the evolution of computer malware and bacteria.  Bacteria, over the course of billions of years, devised the most efficient way to communicate, survive, and even destroy large and complex systems.  This may be the most logical path for the successful evolution of computer malware and a peek into the future of information security challenges.

 

Bonnie is a passionate and articulate speaker who outlined how these simple single-cell critters work as a team to coordinate activities in a perfectly synchronized manner.  Their actions are stealthy, methodical, and can accomplish incredible objectives through teamwork on a scale humans have never achieved.  They infect, quietly multiply, and wait.  Bacteria independently determine the size of their community and decide to act based upon rudimentary communication and awareness.  When conditions are right and a level of potential virulence is attained, they team up in the billions and act in a choreographed manner.  And they do it simultaneously to bring down their target.

 

In many ways, computer malware act similarly to bacteria.  Malware infects computers which are part of a large community.  Malware and bacteria want to remain stealthy until ready to strike.  Malware exists as basic lines of code with simple rules.  Bacteria are organisms which behave in simple ways.

We are seeing the malware industry evolve with more ambitious goals.  Infection of a single node in a network is no longer sufficient to achieve desired objectives.  Malware must be developed to meet new challenges.  Bacteria are the masters at infiltration, stealth and surprise coordinated attacks against behemoth adversaries.  In the future, malware may take some lessons from its biological doppelganger.

 

So how may malware evolve?

Malware design may shift to very small autonomous pieces.  Modern malware is generally a single package of standalone code which may exist as a file or attach itself to other code.  Deciphering of this complete nugget will typically reveal all its secrets.  In the future such code may be broken up like pieces to a puzzle.  Each piece means very little and appears harmless. Only when they come together does the malevolent picture come into view.

 

Code will replicate itself and seek deeper penetration to all manner of systems.  With little risk of the big-picture exposure, these pieces can be distributed and replicated much more.  Computer environments are full of innoxious code such as temp files, random packets, application remnants, and unneeded data.  Most code and data is ignored unless deemed dangerous.  These pieces can quietly infiltrate many different operating systems, applications, data, and communication traffic of clients, servers, storage, and network devices without raising alarm.

 

Malware will be very quiet, acting locally and not attempting to communicate outside of the environment.  Much of today’s malware is detected as it attempts to communicate with command and control systems outside of the target network.  Evolution of malware code will be harmless, quiet, and unnoticeable until the right success conditions are met.  Local community awareness via ‘quorum sensing’ between the pieces within a target environment would likely not be detected.  Only when the right elements are in place will the pathogenicity be realized as unified activation is initiated and virulence is rapidly achieved.  This will offer little chance for security to offer a meaningful response.

 

Malware has a lot to learn from its slimy cousin.  Maybe someday malware writers will become as smart as these microbes.  On the upside, security can learn from the same teachers.  Just don’t blame our microscopic symbionts of malice, as we exist in their world.  The battle continues.


Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

Common Sense
I think the key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 

Fortune Cookie advice for March:

 

The most successful civilizations rose to power, not by ignoring security, rather they ensured greatness through strategy and achievement.

 


 

For this month’s advice, you are a victim of eye-candy.  I created this slide for a recent presentation, to capture the audience’s attention and get some brain juices flowing.

 

The general message does hold true.  Security strategy is the long-term endeavor to protect an organization’s future.  If the war is fought thinking exclusively about one battle at a time, you will lose the tide of initiative and ultimately spend most of your resources responding to your opponent’s attacks.  If, however, we keep in mind the end goals and manage to a state of optimal security, we can progress towards an advantageous and sustainable level of security.

 

We don’t have to win every fight, lock every door, and close every exposure.  Instead, we are in a position to selectively choose our victories to maximize our capabilities.  Our victory is finding the right balance of risk and costs.  Thinking strategically, in concert with tactical actions, will drive clarity for the desired end-state of security.

 

In practical terms:

  • Have a plan and communicate it
  • Understand the business need for security
  • Prioritize security initiatives based upon their value
  • Develop an overall defense-in-depth capability, with interlocking services
  • Characterize the most severe threats and identify the most likely and impactful exposures
  • Know what you are protecting
  • Be cognizant of when you need more, have enough, or too much security

 

My moment of enlightenment is over.  It is time to get back to the grind of the security firefights.  But my strategy is never far from my mind.  It defines the boundaries and guides my tactical decisions.


Momentum continues to gather for the protection of people’s private data.  On January 28th, the US, Canada, and 27 European countries will celebrate Data Privacy Day.  The security aspects seem simple in principle, but are proving to be more challenging than anyone predicted.

 

Today we celebrate Privacy Day, to promote fundamental principles of privacy and to raise awareness in our society.  The advancement and adoption of everyday technology has pulled this issue into the attention of the world stage.  In recent years, consumers’ insatiable desire for convenience, efficiency, and speed has placed our identities, purchases, interests, medical records, debts, communications, and social interactions into the digital world.  Indeed, our very lives are being tracked, processed, stored, and transmitted electronically.

 

There is a cost to all the inherent benefits: our Privacy.  One of the most important liberties in our free and open society is our right to privacy.  Our ability to choose what others know about us grants individuals some semblance of control in how we can be manipulated by others.  Protecting our private data is key.

 

The realms of security and privacy are beginning to blur.  I see a trend of security organizations being asked to tackle this tricky problem.  On the surface, it appears to be straightforward.  Find the data and secure it.  However, the picture starts to get complicated when we consider regulations, security controls, data lifecycles, and the immense behavioral challenges.

 

Regulations

The European Union strongly influenced the direction back in the 1990s with the development of privacy directives which outlined some basic principles.  Since then, decentralized regulations have been germinating and beginning to take hold with different verbiage, requirements, and exemptions all over the world.  Even within each country, different regulations may exist for different states, provinces, or jurisdictions.  Today’s landscape is ever changing with overlapping policies, gaps, and regulations which touch different aspects.  It is a mess.  Well, Rome was not built in a day and neither will a unified privacy stance be.  Security, with the goal of meeting all the regulations, must understand the requirements and make them magically come to fruition.

 

Security controls

The security controls, including tools, standards, and processes, are themselves new and trying to keep up with the changing types of data and how they are handled by organizations.  It is akin to herding cats.  Finding private data is tough enough, but securing it with a comprehensive strategy without impacting the business value of how it must be used is problematic.  To compound the problem, new technologies and more types of data are being added to the pool.  Everyone loves data. Nobody loves the job of securing it.

 

Data lifecycles

It is not enough to simply lock up data from prying eyes.  Data must be managed.  In some cases, the very person whom the data represents must be given a chance to review and correct inaccurate data.  Information may be obtained only in certain ways, stored securely, accessed in a controlled manner, and most importantly, data must be destroyed.  Yes, destroyed.  Which means security must have a strong hand in how data is managed across its entire lifecycle.

 

Behavioral Challenges


Securing data may sound tough, but the most difficult problem is not technical in nature.  It is the behavioral challenges of educating people why security is necessary and to convince them it is in everyone’s best interest.  The toughest audience to convince are the end-users, especially the next generation who are just now leading the social media exploration of cyber communication and on-line communities.  They are willing to share very personal data without comprehending the risks or understanding how it may adversely affect their future.

 

 

Which brings us back to Data Privacy Day.  As an employee, I am proud Intel is actively participating in Privacy Day: http://www.intel.com/policy/dataprivacy.htm.  Check out the event details, other participants, and resources!

 

 

Excerpt:

“Designed to raise awareness and generate discussion about data privacy practices and rights, Data Privacy Day activities in the United States have included privacy professionals, corporations, government officials, and representatives, academics, and students across the country.


One of the primary goals of Data Privacy Day is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues.”


Don't assume people will read the security policy!

 

Just because the policy is posted, does not mean everyone will read it.

 

Listen to the Audiocast: Information Security policy must be marketed to employees

 

Policy, like any other communication, must be marketed.  It is the role of the security professional to show the end-users the value and how it helps them.   Make it personal.

 

References: SANS.org blog: How to Suck at Information Security


Can security be detrimental to an organization?  Absolutely!

 

Being aware that security programs may become the source of losses and introduce more risk is important for establishing and maintaining a valuable security capability.

 

Listen to the audiocast

 

It is important to understand there does exist a dark side to information security.  If it is not professionally managed it can cause productivity impacts, financial losses, and introduce liability for the corporation.


Intel developed a defense-in-depth strategy to optimize information security using interlocking prediction, prevention, detection and response capabilities. It is a structure designed to support consistent and comprehensive security controls throughout the organization while allowing flexibility needed to manage risk.

 

 

 

It promotes continual improvement, maturity of security services, and adaptability to evolving threats. At Intel, proliferation of the defense-in-depth methodology has resulted in more efficient business decisions. The fundamental aspects allow for consolidation of support resources, help highlight alternative methods for managing risk, align programs across environments, and keep focus on achieving optimal security.

 

 

Download the whitepaper: Defense In Depth Strategy Optimizes Security

 

 

Defense in Depth Information Security Strategy

 

The Problem of Measuring Information Security

 

Getting a Return on IT Security Investment
