Disbanding your security team may not be an entirely dumb idea, because plenty of other people in your organisation already overlap with their responsibilities, or could usefully do their jobs. That’s an idea advanced by analyst firm Gartner’s vice president and research fellow Tom Scholtz, who has raised it as a deliberately provocative gesture to get people thinking about how to best secure their organisations. Scholtz’s hypothesis is that when organisations perceive more risk, they create a dedicated team to address it . That team, he said, grows as the scope of risk grows . With business quickly expanding their online activities, that means lots more risk and lots more people in the central team .
Which might do the job but also reminded Scholtz that big teams are seldom noted for efficiency. He also says plenty of businesses see centralised security as roadblocks . I met one chief security officer who said his team is known as the ‘business prevention department’, Scholtz told Gartner’s Security and Risk Management Summit in Sydney today. He therefore looked at how security teams might become less obstructive and hit on the idea of pushing responsibility for security into other teams . One area where this could work, he said, is endpoint security, a field in which many organisations have dedicated and skilled teams to tend desktops and/or servers .
Data security is another area ripe for potential devolution, as Scholtz said security teams often have responsibility to determine the value of data and how it can be used, as do the teams that use that data . Yet both teams exist in their own silo and duplicate elements of each other’s work . Giving the job to one team could therefore be useful. He also pointed out that security teams’ natural proclivities mean they are often not the best educators inside a business, yet other teams are dedicated to the task and therefore excellent candidates for the job of explaining how to control risk. Scholtz’s research led him to believe that organisations will still need central security teams, but that devolution is unlikely to hurt if done well .
Indeed, he said he’s met CIOs who are already making the idea happen, by always looking for other organisations to take responsibility for tasks they don’t think belong in a central technology office. Making the move will also require a culture that sees people willing to learn, fast, and take on new responsibilities . Organisations considering such devolution will also need strong cross-team co-ordination structures, plus the ability to understand how to integrate security requirements into an overall security solution design.
Even those organisations who ultimately see such devolution as too risky, Scholtz said, can still take something away from the theory, by using it to ensure that business unit or team leaders feel accountable for securing their own tools .
Devolving security can also help organisations identify which security functions have been commoditised and are therefore suitable for outsourcing.
More posts by this contributor:
As the times change, the security community needs to adapt.
We live in an imperfect world, as Alex Stamos2, Chief Information Security Officer of Facebook pointed out in his recent BlackHat 2017 keynote address . Instead of trying to punish each other, hackers and innovators need to work closely to ensure a higher order.
Other security thought leaders have echoed similar sentiments.
Refreshingly, security thought leaders are driving cultural change from the top . Besides technological innovation, we are beginning to see changes in sales, diversity and culture . We are growing up, albeit slowly.
Product Innovation, Garbage and Lies
Ping Li, 5Partner at Accel Ventures reminded me that we are still in early innings of a long game . The security sector is evolving rapidly and we are still developing a common nomenclature, a lingua franca for our business . Visibility into systems, managing patches, vulnerabilities and security workflows are still being accomplished with rudimentary tools, Lu said.
Newcomers like Corelight6 (backed by Accel), Awake Networks7 (backed by Greylock Ventures) and EastWind Networks8 (backed by Signal Peak Ventures) are innovating on visibility of traffic and threats . In data security, ThinAir9 and Onapsis10 (securing ERP systems) have carved out an interesting niche in the market while Pwnie Express11 is positioning itself to win the IoT / ICS security market.
Empow Networks12, a Gartner Cool Vendor of 2017 wants to create a novel abstraction layer to manage all security tools effectively and Demisto13 (in which I am an investor) is bringing much needed automation to incident response. Nyotron14 just raised $21 million to redefine endpoint security . As drones grow from a mild nuisance to a significant headache, several security startups like Airspace15 and Dedrone16 have jumped in to protect the three dimensional perimeter.
Calling BS on the marketing hype, several presenters at BlackHat offer an unvarnished view of the state of technology .
In her talk, Garbage in Garbage out17 Hillary Sanders, a data scientist with Sophos18 pointed out that if ML models use sub-optimal training data, the reliability of the models will be questionable, possibly leading to catastrophic failures.
She trained models based on three separate data sources and found that if a model is tested on a different data set, the outcomes varied significantly (See 3 X 3 matrix) . Put it differently, if I was trained to recognize a cat in one school, and if I moved to a different school, my ability to identify a cat will drop dramatically.
Caveat Emptor: Do not believe the ML hype unless you have seen the results on your own data sets . Each vendor will train their models on different data sets, which may not be relevant to your environment . And then as new malware data is discovered, stuff gets stale . Chances are that the model may need to be trained or else could start to behave erratically . We live in an imperfect word indeed.
Feed me some garbage: ML Training and Test Data Variances (Image Courtesy: Hillary Sanders, Sophos Labs)
In another presentation aptly titled, Lies and Damn Lies19 Lidia Guiliano and Mike Spaulding presented an analysis of various endpoint marketing claims and debunked these systematically . They spent five months digging into various endpoint offerings and concluded that threat intelligence simply does not work . While endpoint solutions are better than signature based detection, they are no silver bullets.
When it came to drone security, Bishop Fox20, a security consulting firm took a Mythbusters approach to 21research 86 drone security products . Francis Brown, partner at Bishop Fox presented Game of Drones in which he concluded that the solutions are rife with marketing, but most of them are not yet available.
The study concluded that while the 1st generation drone defense solutions/products are being deployed, there are no best practices .
Everything from drone netting, shooting, confetti cannons, lasers and jammers was being used (including falcons) . The vendors have gone wild indeed . If lasers, missiles and falcons are being deployed, what s next?
BlackHat + DefCon may be the only conference in the world where the forces of creation and destruction operate at the same venue . The builders (Suits) show off their wares at briefings and the hackers (T-shirts) show off their arsenal of how they break stuff both mingle freely, challenge each other and do a thumbs-down / eyeroll at the other side . It s like a weird semi-drunk tribal war dance . And unless the elders of the tribe, like Stamos and Yoran, do not call BS on this childish behavior, we will never grow up.
Innovation in Go-To-Market tactics:
Ben Johnson, CTO of Obsidian Security22 recently raised $9.5 million from Greylock (and since the announcement, has been inundated with Series B interest) . In security, all revenues go to hire even more salespeople he says . Is that a healthy practice ? As co-founder of Carbon Black, Ben called upon over 600 enterprise customers and in his current role, is actively exploring more innovative ways to get the product out .
Indeed, when fear drives sales, innovation is harder . As an industry, we need to look at a better way of selling security products . However there is dearth of intelligent tactics . Partnerships with System Integrators (SIs), Channel Partners, Value added Resellers (VARs) and Managed Security Service Providers (MSSPs) are variants to the theme . Margins and accountability get slimmed down as the number of partners grows. Virgil Security23 a data security company (for which I am an advisor) has built a developer-first platform offering tools to build encryption seamlessly . Virgil offers its security platform as a service and the GTM approach can become highly efficient in such scenarios.
Purple Rain, Culture and Diversity
In his BlackHat keynote, Alex Stamos touched upon the importance of diversity of thought, gender and culture . His call to action included behaving responsibly (and not childishly) within a societal framework.
A large number of people in emerging markets will be using $50 phone, not $800 iPhones how do we protect this new wave of digital citizens ? What is the role of a security professional in the context of law enforcement ? Can we learn to empathize with the product builders, the users, the government?
To the security nihilists, Stamos reminded them that not everyone is out to get you . At a more fundamental level, Caroline Wong, VP of Security Strategy at Cobalt24 presented the security professional s guide to hacking office politics .
Security teams need to know more about the business challenges, not just technology . We should be able to understand the flow of money, not just data she pointed out.
The debates have just started in an open honest fashion and IMHO, culture changes slowly . For now, we have added a new color there were Red Teams and Blue Teams . The offense and the defense . Like two sides of security at a perpetual war . At BlackHat 2017, the concept of Purple Teams was introduced by April Wright, who hopes the two warring factions should cooperate and work well together . And yes she also suggested that security should never be an afterthought to which we all say Amen!
Featured Image: Bryce Durbin/TechCrunch
- ^ Secure Octane (www.secureoctane.com)
- ^ Alex Stamos (www.facebook.com)
- ^ Amit Yoran (en.wikipedia.org)
- ^ Tenable Networks (www.tenable.com)
- ^ Ping Li, (www.accel.com)
- ^ Corelight (www.corelight.com)
- ^ Awake Networks (awakesecurity.com)
- ^ EastWind Networks (www.eastwindnetworks.com)
- ^ ThinAir (www.thinair.com)
- ^ Onapsis (www.onapsis.com)
- ^ Pwnie Express (www.pwnieexpress.com)
- ^ Empow Networks (www.empownetworks.com)
- ^ Demisto (www.demisto.com)
- ^ Nyotron (nyotron.com)
- ^ Airspace (airspace.co)
- ^ Dedrone (techcrunch.com)
- ^ Garbage in Garbage out (www.blackhat.com)
- ^ Sophos (www.sophos.com)
- ^ Lies and Damn Lies (www.blackhat.com)
- ^ Bishop Fox (www.bishopfox.com)
- ^ a Mythbusters approach to (www.bishopfox.com)
- ^ Obsidian Security (www.obsidiansecurity.com)
- ^ Virgil Security (virgilsecurity.com)
- ^ Cobalt (cobalt.io)
Security firms are, understandably, quite sensitive about claims that their products are insecure, so accusations of this sort tend to cause a kerfuffle. On Wednesday, security consultancy DirectDefense published a blog post1 claiming endpoint security vendor Carbon Black’s Cb Response protection software would, once installed for a customer, spew sensitive data to third parties . This included customers’ AWS, Azure and Google Compute private keys, internal usernames and passwords, proprietary internal applications, and two-factor authentication secrets, allegedly. Jim Broome, president of DirectDefense, said the problem stems from the way Cb Response patrols corporate file systems, and transmits data out to third-party malware scanners to check whether files are legit or infected with nasties . If the Cb Response installation doesn’t recognize a document or executable, it can punt it out to multiple scanners to see if they have come across the binaries before, and if they’re safe or need quarantining.
“This means that files uploaded by Cb Response customers first go to Carbon Black (or their local Carbon Black server instance), but then are immediately forwarded to a cloud-based multiscanner, where they are dutifully spread to anyone that wants them and is willing to pay,” he explained.
“Welcome to the world’s largest pay-for-play data exfiltration botnet.”
Broome said that his team had discovered this flow of data while working for a client last year, and have since found multiple organizations using the Cb Response system . He said his team went public with its findings to warn people without informing the vendor and put out a press release2 to highlight the supposed danger. However, Carbon Black has fired back with a blog post of its own, claiming DirectDefense got its facts wrong . It’s not a bug causing the data emissions it’s a feature.
Bug ? Feature?
“This is an optional feature, turned off by default, to allow customers to share information with external sources for additional ability to detect threats,” said3 Michael Viscuso, cofounder of Carbon Black.
“In Cb Response, there is an optional, customer-controlled configuration (disabled by default) that allows the uploading of binaries (executables) to VirusTotal for additional threat analysis .
This option can be enabled by a customer, on a per-sensor group basis . When enabled, executable files will be uploaded to VirusTotal, a public repository and scanning service owned by Google.”
He pointed out that even with the information sharing feature turned on, users can customize exactly what data is sent out of the network . There’s also a popup warning page telling admins that they are sending data outside the company network. He also notes that DirectDefense could have contacted them about this before creating a big fuss about it, and Carbon Black would have explained the issue. A spokeswoman for DirectDefense told The Register that they didn’t tip off Carbon Black about the issue because it didn’t consider the data transmission a vulnerability, instead describing Cb Response as suffering “a function of how the tool is architected” in the original blog.
“However, the recommendations or messaging from Carbon Black’s professional services team during the course of installing the product is to turn this feature on to help accelerate the analysis of the file scans.”
So DirectDefense decided to “educate users” about the issue, albeit in somewhat alarmist terms .
Education or PR stunt that backfired you decide.