Monthly ArchivesJanuary 2012

Intelligence-Driven Security standard

RSA released the ninth installment of the Security for Business Innovation Council report last week, and through a series of blog posts on Speaking on Security, we’re going to analyze the various areas highlighted in the findings. Today I’m going to explore the concept of Intelligence-Driven Security. In our world, intelligence-driven means that information coming in from all of our available sources will influence our actions—some of which will become automated over time. The report makes a pretty sad claim about the global state of information security, one that has been explored here in the past and largely derivative of the old subject of my blog. Security programs tend to be compliance driven, or even worse, simply optimized for compliance. ...

Continue Reading

Corporate Responsibility with Ben Tomhave standard

This is part two in a conversation that I had with Ben Tomhave (@falconsview) last week over Twitter. What started out as a quick question about busting PCI myths turned into corporate responsibility. If you haven’t seen this article about a company who is facing massive penalties, give it a read. It will help set up my position on corporate responsibility for promoting longevity. My position: Companies must make security and compliance a core part of their competency if they choose to operate in a manner that puts them in the cross-hairs of regulation. During the conversation, we moved to overall organizational competency around areas that arguably sit on the fringe of their core business. Restaurants that make pizza should ...

Continue Reading

Myth Busting with Ben Tomhave standard

I love our industry! There is no shortage of truly talented and smart folks, and one of the best parts of being in this industry is getting to have conversations with these folks often. Ben Tomhave (@falconsview), a noted security pro and blogger, kicked off a fury of tweets that really went into two directions. First was for a common myth about PCI DSS validation which I will address here (and ensure it is much clearer in the next edition of the book). “Can merchants (including Level 1) self assess?” lead us to a conversation about the functions of audit, the industry in general, and corporate responsibility. We’ll get into THAT discussion next week. The discussion on Twitter began with ...

Continue Reading

We Must Hunt standard

Security people are often viewed as gatherers. We gather security event data, collect logs for review, build documentation based on information about our environment, and group informational assets in like-valued groups to focus our defenses. I think we’ve got the gathering part down. It’s similar to our propensity to react. We may not be great at reacting (or more likely, we’re great at reacting at only a few things), but we get plenty of exposure to it. You cannot be a successful security professional by only being a gatherer, and your team won’t be successful if you only hire and employ gatherers. Just like most societal norms that evolved over thousands of years, you need hunters to fill a need ...

Continue Reading

Contextual Deep Content Inspection for Security standard

It’s 2012 (didn’t I already say that on Wednesday?) and the reality of 2011’s shifting security landscape should have set in by now. As much as many of you may want to go back to the days of worrying about Anti-Virus definition files, basic patching, and a single border firewall as the makeup of your entire security posture, its time to take a serious look at how you will plan your defenses for 2012. One defensive technologies that is getting another look is Data-Loss Prevention (DLP) ((John Kindervag from Forrester just released some research on Rethinking DLP that is pretty interesting as well, especially his DLP Maturity Grid.)). By itself, an implementation of DLP can go a long way to ...

Continue Reading

Herding Cats: Persona You (January 2012) standard

Have you checked out ISSA Connect yet? The next issue is up there with my column, Persona You. You can also download the November and December issues. I didn’t post them here as I have been tied up with a few other things! What does your online persona look like? This month’s column talks about the state of privacy in which we exist. Just last month we had a flurry of activity around CarrierIQ and the specific implementations  for various carriers. Now you can see a little more into some of the other issues that can come along with your online persona. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally ...

Continue Reading

2011, A Year in Review standard

2011 is in the books, and we’re looking ahead to what promises to be an interesting year for everyone. Economic uncertainty promotes crime, and more of our assets are migrating to an electronic medium every day. We saw big breaches. BIG breaches. Hactivisim and state sponsored cyber-warfare lead the pack on the biggest and most devastating breaches of 2011. This year we talked about PCI DSS as we normally do, but later in the year we made a decided shift in our focus to security—something I hope anyone dealing with PCI DSS has already done. I think you all liked the shift as well, considering the top four were written in the last half of the year. Here are the ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!