Speaking of Security - The RSA Blog and Podcast » Jason Rader

Want to Save the Universe?

Jason Rader — Tue, 08 Jan 2013 13:30:13 +0000

I like Star Trek. I’ve always wanted to be Captain Kirk (had to pick one…Picard is great too) sitting in that chair on the bridge of the Enterprise with seemingly endless resources at my disposal with a mission to protect the universe. I’m not giving up, but that’s probably not going to happen. However, I do get a bit of the same thrill as I have the opportunity to work in the Critical Incident Response Center lab we have set up at RSA for research and demonstration purposes.

Affectionately known as the “mini-CIRC”, this impressive lab is modeled after the real EMC CIRC and similarly leverages EMC and RSA products into an Enterprise console (see what I did there?). Unlike the production CIRC at EMC, the mini-CIRC has dozens of virtual machines assembled as attackers, malware distribution sites, drop zones, and command & control servers. It allows a group of analysts to operate in a real environment with the real tools and the real screens and try to detect and fend off a real attack. Make no mistake, this is no screen shot click thru…it’s the real tools with real data that’s being generated in real time…but unlike real life, if something goes horribly wrong in the mini-CIRC we can reset it back and debrief and give it another try.

Kobayashi Maru anyone?

This safe environment gives us the opportunity to train analysts on not just the tools but also the techniques, the team dynamics, and the processes and procedures involved in a real attack. Like the Kobayashi Maru in Star Trek we can keep playing the “unwinnable scenario” until we’ve learned the attacker’s techniques and methods. Then we can take this knowledge and ingest it back into our real program. When the Klingons alter their attack, we alter the scenario and can keep our response current.

How Can I Play?

We are working on several ways to allow those with a desire to get access to this resource. RSA Conference will be an opportunity for those who attend the 2013 conference in San Francisco who desire some hands on access to get some. Our Executive Briefing Center also has plans to make this available for those who visit the RSA EBC in Bedford, MA. And for those wanting extensive time and training, RSA Education Services is developing a full course called the Advanced Threat Workshop that includes multiple days in this environment working with a team and assuming different roles.

If you’re interested in more information about obtaining the skills and getting the practice required to save the universe, Jason Rader can be contacted via jason.rader@rsa.com

Jason Rader is the Chief Security Strategist for RSA Global Services

2013 Security Resolutions

Jason Rader — Wed, 02 Jan 2013 17:30:14 +0000

Now that the Mayan calendar gives us until October 13, 4772, we have some time to focus on 2013 in earnest. As I was thinking of my resolutions for 2013, I thought I’d compile some of the things that I predict will be on the resolution list for many organizations in the New Year.

Start With A Strategy

Sounds silly, I know, but some people still shoot from the hip when it comes to security initiatives and their desired outcomes, how they map back to business objectives, and what metrics to use to measure success. I know it can be a hassle getting all of the business units together and mediating the process, but it’s worth it! Everyone understanding the goals and having their input validated will go a long way to getting buy-in across the board. And that will go a long way to the success of the strategy.

Leverage What You’re Already Doing

Chances are, you’re already doing a pretty good job in many areas. One opportunity for a more secure 2013 could be to leverage the efforts that may be siloed in your organization and look at them as parts of an overall solution. Part of your strategy should have been to define what security capabilities are needed to support the business objectives…and these capabilities can most likely be obtained by using the investment in people, process, and technology that has already been made and augmenting it with a holistic approach to the problem. Security analytics could be the glue for this.

Reevaluate The Tools You’re Using

“If you do what you’ve always done, you’re going to get what you’ve always gotten.” This may sound like the opposite of the previous point, but bear with me…it is very possible that the amount of effort it takes for your highly skilled security team to detect a security incident could be reduced by simply changing or adding some capabilities. Less effort = less time = quicker resolution = less exposure to the threat. That is pretty simple math.

Invest In Your People – “Sharpen the Saw”

Let’s not forget the people who are keeping our data safe and within the perimeter of our networks. These folks are great but they are typically buried in operations all day. This means that all of their opportunity to learn new skills happens on the job…which could lead to a situation where the “learning experience” results in an exposure. As you plan for 2013, plan to allow these folks some downtime to attend conferences, take classes to enhance their skills, and play in the lab with new technologies and tools. Right now, these folks are in high demand, and retaining top talent should always be a top priority.

That’s my short list…I hope this validated your 2013 security plan, and if not, you’ve still got a little time before the ball drops.

Jason Rader is the Chief Security Strategist for RSA Global Services; he can be reached at jason.rader@rsa.com

Worried about Advanced Threats? RSA Education Services can help!

Jason Rader — Mon, 10 Dec 2012 13:30:34 +0000

I’d like to start out with a quote from RSA’s Executive Chairman, Art Coviello, from his Keynote at RSA Conference in February this year…

“We need to champion and develop a new breed of Cyber Security Analyst…This new breed of analyst must have the right analytical skills, ‘big picture’ thinking and much needed collaborative “people skills” to ensure smooth information sharing with multiple stakeholders.”

Since then, that quote has pretty much been our mantra here in RSA Education Services as we’ve updated our RSA NetWitness courses and are charging forward with our new Advanced Cyber Defense curriculum. Both of these efforts are exciting to me and I’ll definitely blog again about them at a later date. For now, let’s talk about the update to our RSA NetWitness Administration course.

The content for this instructor-led class has been revamped and extended to three days. The course is now task-based and includes new topics like NetWitness for Logs and external authentication. The class is now 60 percent hands-on to provide real-life experience and includes a capstone project.

This course is appropriate for customers that are focused on the administration of the RSA NetWitness product as it provides an overview, hands-on installation and configuration of components. The course also covers integration with other products, monitoring capabilities and troubleshooting of common issues.

Soon to be released will be the new RSA NetWitness Analysis and RSA NetWitness Forensics Fundamentals courses, which are intended to provide security analysts with a road map for intelligence-drive security using RSA NetWitness.

Stay tuned for the latest in RSA Education’s efforts to empower the next generation of Cyber Security Analyst.

For further information and to check out our complete course catalog, visit the RSA Education Services web site.

Answering Questions About the CISSP Certification

Jason Rader — Tue, 17 Jul 2012 18:00:06 +0000

I just finished teaching RSA’s CISSP exam prep course last week (good times) and I was asked some questions that I felt were appropriate to answer in a blog post because they might be of interest to a wider audience. So here goes…

#1 Is CISSP still a worthy credential to obtain?

This is a fair question as the certification has been around over a decade. My answer involved a comparison of the current security credentials out there, the acceptance of those credentials in the market, the authority that defines and maintains the credential, and the level of expertise required to obtain the credential. We arrived at the conclusion that the CISSP is one of a very few security certifications out there that are worth the time, money and effort to acquire. It certainly isn’t everything to everyone but it does represent a fundamental knowledge of “all things security” and the certification process after the exam validates a certain amount of experience. And it still looks good on a resume!

#2 Why is RSA offering this course?

RSA, The Security Division of EMC not only has a series of products that can be used to mitigate many of the threats that the CISSP addresses, it also has a Professional Services group, a Security and Risk Management group of EMC Consulting, and an Education Services group. Between all of these groups we deliver solutions to thousands of clients each year dealing with the latest threats and business needs. The CISSP talks about many topics from an academic perspective with a generic approach. I think taking the RSA course gives you the knowledge required to pass the exam while additionally giving the insight into the latest happenings in the security world. RSA’s CISSP course gives a CISSP candidate the additional information that will be valid well past the exam.

#3 Has the CISSP test changed recently?

Yes on two levels. First there is an updated Candidate Information Bulletin (CIB) that was issued in 2012 with the most up to date information related to the exam objectives…RSA’s course aligns with this. Secondly, and most exciting in my opinion, the exam is now offered through PearsonVue testing centers. This means you don’t have to wait for an exam to be offered in your area as was traditionally done, you can register and take the exam whenever you like. I still recommend registering early…the test is long and seats are limited in testing centers, but this really makes it easier to take the exam.

Now a shameless plug…

I’ve been teaching CISSP courses for over 10 years and RSA’s course is really the best way to go to get the most bang for your buck and the best use of your time. If you’d like to join me, check the schedule at RSA’s Training Site and register. There are courses available in the US, Europe, and Asia Pacific right now.

Jason Rader is the Chief Security Strategist for RSA Global Services and can be reached at jason.rader@rsa.com

The Ultimate Defense Against Advanced Persistent Threats

Jason Rader — Thu, 31 May 2012 15:57:16 +0000

Sorry about that, I knew the title would pull you in…but what I have to say will, in the end, support the headline. The reason for the showmanship is that if the title had been “End User Training and Awareness is Important” or “Training End Users Will Help Your Bottom Line” you may not have clicked (I know you would have clicked anyway mom). But seriously, end user training is the new hotness.

As you can tell from the byline, I work for RSA, The Security Division of EMC, and unless you are a noob in the security space you can probably remember an incident in the not so distant past where RSA was in the headlines for a data breach. Yes, RSA, The Security Division of EMC. There have been many forensic breakdowns of the event itself, but I just want to reference Uri Rivner’s initial blog post related to the attack. Yup, the initial foothold was obtained by someone clicking and opening an attachment in an obviously suspect (to me, anyway) email that was in their Junk Mail folder. Junk Mail Folder? Yes!

This reminds me of 2 quotes that sum up the situation from both sides:

“Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful.” — Niccolo Machiavelli, The Prince

“The user’s going to pick dancing pigs over security every time.” — Bruce Schneier

So we need to empower the end user to make good decisions and at least let them know the risk of the dancing pigs, right? Making end users wise in the ways of security may sound like a daunting task, and it is, but thanks to the folks at the Information Risk Executive Council we have a few user behaviors that we should focus on to start with.

Clean Desk Policy
Avoiding Phishing
Locking Computer When Away
Physically Securing Devices
Personal Use of Web
Using Good Passwords
Not Sharing Passwords
Not Discussing Sensitive Information in Public
Not Working on Sensitive Information in Public
Not Using the Web for Personal Use on a Corporate Asset
Not Allowing Tailgating
Not Attaching Non-corporate Devices to The Corporate Network

Ok, these certainly aren’t awesome or revolutionary…BUT, you can’t just send a bulleted list like this out to the user base and expect them to “get it” either. Your job is to not put your employees in a position to make an ethical decision for the company. They should know how and what to do in situations they will be confronted with on a daily basis…and yes, you have to prepare them for that.

How, you say? Here are a few suggestions. First, start by using real examples from your organization’s real experiences. Did someone fall prey to a phishing scheme? Talk about it at the next all-hands meeting and give tips on how to avoid the threat. It’s ok (and actually good) for an organization to acknowledge that something happened and use it as a teaching/learning tool. Likewise, if you don’t want a certain behavior to happen, say it. Enable your users with the information and resources and let them make educated decisions on what to do and what not to click on. And like when you send your kids off to college, they’ll hopefully make the right choices 70% of the time.

Finally, review the list above and determine the triage of which behaviors have the highest impact on your organization. Then set out to define the risky behaviors your users are engaging in and show them the reasons they are risky and give them the guidance they need to make good decisions. And then, you’ll have lowered your overall risk profile for Advanced Threats and actually most threats. See, I told you we’d get there.

Hey, wait a minute, shouldn’t there be a program around this whole endeavor? Yes, absolutely. We’ll be talking about that next time…until then, safe travels.

Jason Rader is the Chief Security Strategist for RSA Global Services and can be reached at jason.rader@rsa.com

How to Best Equip Your Security Program

Jason Rader — Tue, 01 May 2012 17:54:05 +0000

We have seen action movies where the protagonist, stripped of his weapon, manages to find some everyday item like a stick or pen and disarm several baddies, rescue the hostages, and disable the imminent threat to mankind. We accept this premise because it happens every day; ingenuity, experience, and persistence often overcome the lack of a specific tool. We, as 21^st century professionals, leverage these skills and the resources at hand to overcome the daily crises and defeat evil (or save a file that has accidentally been deleted). Cue the heroic background music…

Now that I have set the stage for the conversation…let’s talk about an organization’s typical approach to security. Got a problem with this? Buy a tool designed to fix it! Got a problem with that? Buy a tool designed to fix that! Worried about APTs? Buy an APT tool! New threat? New tool! New problem? Look for a tool that addresses it specifically! Who manages all of this? It must be IT because they’re good with this kind of stuff…(fade to black)

It’s not the tools, it’s the people!

Don’t get the wrong impression, I love technology! I believe the right types of tools in your program are going to make your program more efficient, economical and effective. But it won’t be the technology that manages to leverage these outcomes…it will be the people that implement, integrate and optimize them. That’s what makes Jason Bourne and MacGyver so great; they take the resources that are available and they use their expert skills to get the job done even when the tools are less than ideal.

image credit: Richard Dean Anderson Forever

Tools are great; the right people protecting your assets are better.

Let’s cut to the chase (scene?) if you are trying to build/enhance/extend your security capabilities; just looking at technology is short sighted. I consult with organizations all the time that have these grand designs of where they want to be from a security operations or incident response perspective and they have a road map of the technologies and even the facilities that will be required…but they haven’t thought about the skill sets they’ll need to pull this off and whether they have them internally or will have to go out into the market to acquire them. If they haven’t thought of this, aren’t they picking the tools out before they know if it will be James Bond or Chuck Norris that will be carrying out this mission? The success of the mission is at stake!

“Help me Obi-Wan Kenobi. You’re my only hope.”

If there is one thing that makes a security program successful it is the people executing it. Education, experience and empowerment are the new hope in securing your organization. I strongly recommend that an organization’s first step in enhancing its security program is to empower their security staff, get them access to security intelligence, exposure to other practitioners and provide them training in management-level security not just product security (because most have an engineering background). Most transformative security projects have a ramp-up time that is measured in months or even quarters, so invest in your “A” level talent.

A current high potential employee has an understanding of your business, its objectives, has relationships within the company and an understanding of operations. It takes an outsider many months to get this knowledge…and training an internal employee will be exponentially less expensive than hiring someone from the outside with the skill set you desire.

Just a little thought shift that can make a big difference.

As you embark on your next great security conquest give some thought to the people and skill sets that you need to have on board before you start making a list of the technology that you need. Somewhere within your organization there may be a young Padawan who, when equipped with the right knowledge, training, and access to the right tools can become a Security Jedi and defend your universe against the attackers from the Dark Side.

(Roll Credits)

Jason Rader is the Chief Security Strategist for RSA, The Security Division of EMC. He can be reached at jason.rader@rsa.com

Stay tuned: In our next episode we will tackle the biggest threat in the universe…the end-user!