The initial inspiration of my “Groove Theory of GRC” was Rocco Prestia, the bass player for the funk band Tower of Power.  His definition, or lack thereof, of the term groove started my thought process on how very important things can exist without exact scientific explanation.   In my last blog, I talked about combining Musicality and Performance to create a special musical experience and how GRC should strive for this powerful combination through Visibility and Accountability to result in Performance Optimization.  Now I want to explore the complexities of any musical endeavor.  While solo performances can be captivating, a full orchestra performing in perfect concert together is one of the highest forms of human collaboration and expression.  So on to postulate #2.

Postulate #2:  The more pieces of the business involved; the more complex the challenge but the greater the value.

Across the spectrum of GRC activities, multiple pieces of the business need to pick up their instruments and build to the crescendo of a well-oiled organization.  This may be a flowery way of putting it to fit my running analogy so let’s cut to brass tacks:  Everybody needs to play nice in the sand box.  Not as dramatic but that is the bottom line.  Organizations that build walls, foster politically motivated cultures, enable kingdom building and all of the bad behavior we saw on the playground in kindergarten will struggle with making the right decisions and eventually face a serious business breakdown.

GRC is one of those avenues to break down the barriers between parts of the business.  If an organization can rally around a significant regulatory compliance challenge (as many companies faced with Sarbanes Oxley) or unite to respond to a major calamity (as organizations experienced during recent natural disasters), then the organization should be able to  band together to operationalize risk and compliance processes.   Domains of the business such as Information Technology, Finance, Audit, Legal, Compliance and others are necessary to build the right fabric across the organization.  A common strategy, with defined objectives and executive buy-in, will go a long way.

Each domain, or department will at times seek to build its own GRC approach.  This is completely understandable as each domain has its own drivers and needs.  Information Technology may utilize GRC to improve IT service responsiveness, reduce security risks and maintain compliance to data protection standards.  Finance may focus GRC on financial reporting processes, look to reduce capital, market or liquidity risk and maintain compliance to accounting practices.  G, R and C mean different things to different operational elements.  However, the organization can begin to bring those together into a more concerted, complimentary approach through an enterprise strategy.

Back to my Groove Theory:  Most organizations will start with a string quartet or jazz trio or folk singing duo.  The goal is then to bring more and more instruments into the ensemble until a full orchestra is making music together from the same song sheet.   Obviously that singular score, if its parts are written with harmony and based on solid music theory, can enable the movements, counter-melodies and dynamics that make for a beautiful symphony.   It is at this point where the organization transitions from singular players into a larger, more complex performance.   The result:  Opus # 9 in GRC sharp.

* I had to include a link to this video showing “Tower of Power” from 1973 – 2011.  A band as tight and funky as can get even after 38 years of creating music.  Now THAT is the type of sustainable collaboration we all hope we could foster in our organizations.

• 

Miles Davis is an easy example of this.  On one hand, you have an intense musical genius that fueled scores of jazz standards and inspired countless musicians across the globe.  On the other hand, you have an individual who later in his career performed quite literally with his back to the audience facing the other musicians and at times seemed oblivious that an audience was even present (Check out this video of his classic song Tutu).   Unfortunately I never got to see Miles Davis in person so I can’t weigh in on the feeling of being physically at one of his performances.  I am sure the power of the musicality was overwhelming but the performance may have left some feeling disconnected from the artist.   My point is that in some cases, you can have one without the other – great musicality without a grand performance or engaging entertainment without a deep, complex musical experience.

How does this fit into my “Groove Theory of GRC”?

Postulate #1:  Optimizing Business Performance is the end goal; Visibility and Accountability is the method.

The end goal of any GRC program should be Performance Optimization.  If GRC were a concert, the performance matters.  I am not talking about lasers and smoke machines.  I am talking about the substantive effect one feels at the end of a great performance – whether it is music, or theatre or a sporting event.  Management and the Board of Directors need to make decisions that are more certain to result in desired outcomes thus optimizing the performance of the business.   The GRC program should set this as the fundamental objective and impact the organization positively.   But great musical performances just don’t happen.  All the lasers and smoke machines in the world cannot make up for a truly awful band.   A talented set of musicians who know their own role, are dedicated to their craft and are communicating together can bring a musicality that transcends the individual members of the band.  This is the magic that makes the performance great.    The strength of the Performance is through the Visibility and Accountability the band members have with each other, the music and the audience.

To make it simple using my analogy, you have to have Musicality AND Performance to completely capture an audience.  Artists such as Michael Jackson, Prince, Frank Sinatra and many others have epitomized this unique blend of talent, personality and commitment.  GRC needs both Performance Optimization as a goal with Visibility and Accountability enabling the performance.  The program must be absolutely concerned about the positive impact to its audience AND based on a collaborative, connected ecosystem of contributors.

What are your organization’s end goals for GRC?  How do your GRC musicians connect, share and keep the audience engaged and entertained?  Do you feel your organization is bringing both performance (focus on business optimization) and musicality (visibility and accountability) to the concert hall?

• 

Many moons ago, in a galaxy far far away, a theory emerged that would challenge the very existence of the universe.   Okay, I may be a little dramatic here.  It was actually in 2009, in Overland Park, KS and involved a two part blog series I wrote for SC Magazine entitled “The Groove Theory”.    Citing a four year old blog isn’t the grand entrance I was looking for and truth be told – it didn’t challenge the very existence of the universe.  However, the blogs did propose a theory and centered on the premise that GRC is very difficult to explain but an absolute definition is not always necessary to discuss something.  In the blogs, I likened GRC to the “groove” within a song – hard to define but you definitely know if it is or is not present.   As with all electrons trapped in the Internet, this blog series (Part 1 and Part 2) is captured for eternity – along with poorly thought through Facebook photos and tweets regarding people’s breakfast choices.   Not that I am comparing the value of these blogs to the life changing decision between Captain Crunch and Cocoa Puffs but sometimes it is nice to have these reminders of our past thinking to stimulate new thoughts.

In the four years since those blog posts, the landscape of governance, risk and compliance has evolved substantially and, I believe, is reaching an inflection point.  In some respects, the discipline is enjoying the benefits of constant maturation.  Companies have been on the journey for multiple years and, evidenced by many of our long-time customers, are profiting from this adventure in both tangible and intangible ways.   In other respects, GRC, in some eyes, has become a bloated term – nebulous in its meaning and suspect in its value.  It is hard to argue with any concept that advocates managing risk, maintaining effective compliance to laws and regulations and, ultimately, making intelligent data driven business decisions.   But some detractors of the concept of GRC talk of immense, costly, protracted, delayed projects that rarely cross the finish line.

Sometimes it is good to get back to the roots and over the next few blogs, I wish to wander down some previously traveled paths and try to find some new ways to look at things.  I still believe in the “Groove Theory” premise that GRC is hard to verbally explain but is definitely observable.   So instead of focusing on the bottom line definition of GRC, I wish to articulate the observations that distinguish governance, risk and compliance initiatives.   Just like listening to a song and feeling the groove, GRC can be detected and felt within an organization.  Companies that can harness this force can move to a higher plane – just like those tunes on American Bandstand that had ‘a good beat and you can dance to’.

I hope you join me on this foray and weigh in on your experiences.  We at RSA Archer have always promoted the fact that GRC is a community driven industry.  As I lay out this new “groove”, I hope you pick up your drum, or horn, or instrument of choice and join in.

• 

One element I did not spend much time on in the series was the proactive side of security management.  Threat Prevention activities such as vulnerability identification, threat assessments and security intelligence coupled with the technical management processes such as configuration management and IT change control are an important part of ensuring your company is best positioned to fend off attacks.   As IT security risks are growing more and more complex, companies face threats from a wide variety of sources – from criminal elements to state sponsored corporate espionage – exploiting an extraordinary array of vulnerabilities within business processes and technology.  These compound threats result in substantial and often unrecognized business risk.  A key strategy to deal with these challenges is to expand tactical IT security processes such as vulnerability identification into a more holistic risk management discipline by deploying a combination of threat prevention and detection capabilities driven by a business-oriented foundation to reduce IT security risk.

I like to term this as IT Security Risk Management rather than Threat or Vulnerability management since the objective should be to build more business context into the picture rather than just traditional vulnerability management.   However, no one label truly captures the combination of these two critical components of holistic security management – Threat Prevention and Threat Detection and Response.  Supporting those two major elements are processes to catalog IT assets, provide business context on IT assets, enable emergency response services and a whole host of other processes.  To place a singular label on this major process is very difficult.  At the end of the day, an organization needs to:

• Identify IT Assets and the business context and criticality of those assets;
• Implement proactive threat management controls based on vulnerability intelligence, testing, threat modeling and analysis; and
• Monitor IT assets, detect active threats and manage incidents and investigations.

As part of an upcoming online event, I am presenting an overview of these concepts.  Rather than heading straight into the weeds, my presentation will focus on a framework to fitting these pieces together in a strategic fashion.  For those of you in the GRC world, this is an excellent opportunity to get an overview of this considerable challenge facing security practitioners.  For the security folks, the presentation can give you a higher level perspective of a long term strategy to communicate or position your security initiatives. I would like to invite anyone interested to check out this event given by BrightTalk.  https://www.brighttalk.com/summit/riskmanagement2013.

My presentation https://www.brighttalk.com/webcast/9219/70139 will be just one piece of this two day event.  I hope to “virtually see” you there.

• 

First, Business Context is becoming a big priority for security.  No longer can companies chase vulnerabilities and events around the infrastructure.  There has to be a layer on top of the monitoring and analysis processes that is cognizant of the business impact.  This is not just about prioritizing events but understanding the business impact when specific systems are involved.  Escalation of a security incident can be triggered by the nature of the events, the magnitude of the threat or the data or business process impacted.   The only way to truly add this dimension to the “tuning” of security monitoring is through Business Context.

Secondly, we need to continue to recognize that security incident handling must evolve in parallel with the threat landscape.   Quarantining a virus infected system is one thing; responding to an international data breach with significant regulatory and catastrophic business implications is a totally different animal.   Companies can begin with streamlining the security event-to-investigation transition to bolster the foundation.  Folding in Breach and Crisis Management takes the process to the next level.

Finally, there are many related processes that should be evaluated regularly to minimize attack vectors.  Processes that educate or involve the end users of the companies are key points of defense.  There is only so much that technology will do and the ‘flesh and blood’ of the company must be engaged.  One way to improve this within your company is to implement some type of threat assessment or brainstorming on a regular basis to highlight possible attack vectors.  Key business contacts can prove to be valuable assets when thinking outside the box on possible internal and external threat scenarios.

The need for a next generation security operations mindset is evident across the industry.  Technologies will continue to improve but we need to keep the pressure up on how we view security processes.   The attackers are constantly evaluating their methods and improvising new techniques.   The defenders must think in those same fluid terms.   I started this blog series using the analogy of the appearance of the catapult and trebuchet on the horizon outside a castle.   In some respects, this analogy holds water but in reality, the threats we need to prepare against are not obvious hulking pieces of machinery being drug across the battlefield but electrons and shadowy figures that we only catch in fleeting glances.  The next generation of security operations will need to dispel the shadows.  In the end, it isn’t just arming our lookouts with telescopes; we need to give them searchlights as well.

To follow my entire blog series on this topic, check out:

Next Generation Security Operations: Part 1

Next Generation Security Operations: Telescopes for the Lookouts

Next Generation Security Operations: The Breach Escalated

Next Generation Security Operations: Flesh and Blood

• 

Phishing is a well-worn arrow in the quiver of a would-be attacker.  Whether it is used to target a broad range of people or target a single person, a phishing attack can have a devastating effect if executed properly.  Phishing attacks typically contain some tidbit of personal information that makes the attack even more persuading.  With the advent of LinkedIn, Facebook, Twitter and the entire spectrum of social media, attackers have a comprehensive research library at their fingertips.  It doesn’t take long to construct business relationships via LinkedIn nor much effort to compile personal information from Facebook.

There is little companies can do about this threat except establish policies and increase awareness and training for employees.  An active education program for employees highlighting the daily risks they face as end users is core to a security program.   In addition to awareness campaigns, employees should have a clear escalation path for possible phishing attempts.  The garden variety spam phishing emails should be stopped at the perimeter via email filtering or content analysis technologies.  However, once it gets past that perimeter defense, users should know how to handle a possible email borne threat.  If the communication contains some request for sensitive data or an action that is out of the ordinary (or maybe even in the ordinary but involves some escalated privilege or confidential information), employees should be trained to escalate or, at a minimum, verify the request through other mechanisms.  Too often picking up the phone and making a call is a forgotten communication method in today’s E-society.

One thing to think about is validation processes around resetting passwords.  This process is exploited often to bypass security controls.   A common mechanism is the “question/answer” dance that hinges on the user and verifier having a common piece of confidential information to verify identity.   However, with today’s social sites, some of those validating pieces of information are no longer confidential.   High school mascot?  Easy to find.  Family names? Easy to find.   I once was part of a penetration test where we validated ourselves via an “ID” number that was deemed confidential.  The bad part about the ID number was it was used on the public website to identify associates in the company.  (Granted, the ID number was buried in the URL when doing an employee look-up and we guessed it was the employee ID number but it was a pretty solid guess.)

When thinking about the next generation of security operations, these tangential processes such as security awareness, end user escalation procedures and password reset processes need to be incorporated into the attack vectors of any threat assessment.  Processes such as these are important front line defenses that need to be evaluated regularly.   When was the last time the procedures for password verification were reviewed?   How often does communication go out to employees reminding them of their security roles?   What data is used to verify employee requests?  Sometimes we can get mired down in protecting against the “bits and bytes” threats so much that the “flesh and blood” threats saunter right around the defenses.

One mechanism that can get these tangent processes identified and up to date is through threat scenario modeling.  Engaging business contacts into a brainstorming session whereby different threat scenarios are modeled out can give great insight into vulnerable business processes.  It gives the business representatives a chance to play the adversary and give the security team much to think about in terms of attack vectors.   This can build a strong dialogue between security and the business to not only identify possible scenarios but also bring more business context to the security controls.

I would be interested to hear if your security teams engage with the business or how these ‘social’ attack vectors are addressed in your company.  Feel free to give out ideas on how threat assessments, social media or the ‘flesh and blood’ in your company is impacting your security operations.

• 

Stage 1: Security Event:  The first stage is the security event.  Many times this can be triggered from an individual event or a series of system events identified through some monitoring function.  A few failed logins, some system errors thrown from an application, a log file growing quicker than usual…  The types of events are numerous and the cause can range from innocuous hardware failures to a full blown attack.  At this point, little is known except that something is indicating a possible security problem.

Stage 2: Security Incident:  Once an event, or series of events, is identified and the cause is pointing to an active security issue, the event is escalated and becomes part of an incident response.

These first two stages are traditional Security Incident Management.  Security Incident Management is the process by which IT security related events are reported, cataloged, triaged and resolved.   This process will include gathering data on the system events, analyzing the information relevant to the event, assigning prioritization and documenting the response.

Stage 3: Security Investigation:  Investigations are the next step and include the processes by which larger investigations are conducted around IT security incidents.  These investigations can include larger data breaches, system compromises, internal investigations such as unacceptable use of company resources or other security incidents that require a larger amount of time or investigative procedures.   An investigation can result from a singular IT security incident or multiple incidents that are connected.

Organizations with mature security response plans have typically laid out these first three stages.  However, what happens when the Security Incident is bigger than usual? From the stories we see in the news, security incidents can spiral into significant crises very quickly.  The next stages of security incidents are the areas where companies need to evaluate their capabilities.

Stage 3a: Breach Management:  Did the security incident involve sensitive personal information or some other data related to mandated disclosure reporting? If so, that security investigation now needs Breach Management – the notification of appropriate regulatory bodies or individuals involved.   This stage needs to be handled not only in compliance with legislative obligations but also to manage reputational risks.

Stage 3b: Crisis Management:  If the security incident mushrooms into a serious event such as significant data disclosure or major business disruption, the company may need to go into Crisis Management mode.   Public relations, legal counsel, corporate governance boards or other entities may need to be engaged to sort out the problem and manage reputational, legal and business risks.

Security Operations should begin looking into these broader processes and can take a lesson from other GRC related processes such as the Business Continuity program.   To start this process, you can begin by asking a few key questions:

• Does security operations understand the data profiles that would trigger broader Breach Management activities?
• How would the operations personnel know that a system with a security issue stores or processes regulatory related data?
• Does the business context around IT devices exist and if so, does it give the security operations function the capability to quickly determine that a possible data breach might lead to regulatory or compliance notifications?
• Are the other key stakeholders like Public Relations, Human Resources and Business Operations prepared to assist if a security issue mushrooms into a full blown crisis?  Who are the resources that will be involved and what is the process to manage the crisis?

While the transition from Security Event to Crisis may happen very infrequently or – if you are lucky – not at all, companies should be putting these connections in place.

• 

First, our lookouts need to be looking in the right direction and taking in the activities in and around our castle. Real Time Monitoring is necessary to capture events and organize the data such that the security operations function can make sense of the activity.  Security Information and Event Management (SIEM), log collection and correlation systems are examples of this infrastructure.  This infrastructure also would include file integrity monitoring systems, system event logging systems, application logging systems and any other technology, role or process that is actively monitoring systems.

Secondly, the lookouts need to not only see, but understand, what is going on around them.  So a second element is enabling Forensics and Analysis to review security information from the real time monitoring processes and perform analysis based on expert input to identify patterns of active threats in the infrastructure.  This also includes the evidence collection, preservation and analysis processes that would support Incident Management and Investigations.

Most organizations have these capabilities.  The depth and breadth of the ability to capture and inspect events and network traffic are varied but this infrastructure has been part of security strategies for a while.   There are two key inputs that are needed to really move the needle when it comes to improving these capabilities within Security Operations.

“Real time” event analysis opens up many challenges – too much data moving too quickly towards an overwhelmed team of people.   The technologies for these monitoring processes are getting better.  A dimension that can greatly advance the process is feeding the criticality and data profile of devices into the mix.  Understanding the connection of the devices to business processes, and ultimately what data is flowing through those devices, provides ‘business context’ and is the next evolution of “tuning” for real time monitoring.

The second factor in improving monitoring processes is security intelligence and ‘indicators of compromise’.   Known malicious code, URLs, hosts and other data will assist security operations in identifying possible attacks or actual breaches.   This information, coupled with the ‘business context’, greatly improves the prioritization ability of security operations.

I won’t keep the analogy running too much longer and exhaust my readers, but I think it is an apropos way to look at this.   The first iteration of real time monitoring placed lookouts on the ramparts focused on watching everything going on OUTSIDE the castle.  Next, we told the lookouts to watch both outside and inside the castle.  Now we need to give the lookouts better methods to view what is going on and methods to identify areas of surveillance (key vulnerable areas, indicators of malicious activity, etc.) that need extra attention.

To see what RSA is doing in these areas, check out the upcoming Security Analytics event sponsored by RSA:  https://presentations.inxpo.com/shows/rsa_sa/registration/rsasar.html

• 

Insider Threats:  “Five Significant Insider Attacks Of 2012” highlights the challenge of managing insider threats.  This is a serious challenge since the problem hinges on something many companies truly take pride in – their own employees.

Malware: Malware in 2012 saw a vicious and ominous turn.  Malware is no longer the random act of some programmer striving for short-lived and notorious programming street cred.  Malware has become the tool of choice for calculated, nefarious crimes.

Data Breaches:  Another article, “10 Top Government Data Breaches Of 2012” focuses on the government breaches but highlights just how serious some of these breaches can be in compromising personal information.   Healthcare information faced the same serious threats as reported in another Dark Reading story “Most Healthcare Organizations Suffered Data Breaches“.   There are other massive data breaches reported in 2012 and these articles are just slivers in the big picture.

What does this mean as we head into 2013?  It means that the “incident response” plans that were drawn up, tested, implemented and put up on the shelf a few years ago are not prepared for this new battleground.   Security threats – from hacktivists to criminal organizations to state entities – have more tools, techniques and attack vectors than ever before.    Just like when the first trebuchet and catapult arrived on the scene outside the castle, it is that time, once again, when the defenders need to re-think their fortifications, evaluate the ramparts and re-invent defenses and lines of resistance.

In the next few blogs, I will discuss the attributes of the “next generation of security operations”.  The tenets are simple:

• Increase visibility across the enterprise to identify active threats quickly;
• Understand the business impacts to better respond; and
• Utilize resources to the fullest.

To further my castle analogy, we need to arm the lookouts with telescopes to see the catapults being moved on the battlefield sooner.  We need to know where the castle walls are the thinnest and most vulnerable while understanding where the crown jewels are secured.  We need to marshal the foot soldiers to the right rallying point to meet the enemy.   This is the new paradigm of security operations.  The ‘incident plan’ of the past needs to evolve if we want to change the outcomes of the stories I referenced.  I would hate to be sitting in January 2014 reading some of these same types of articles.  It is too depressing of a way to start off the year.  However, with the right strategy, 2013 can be a year of change for security operations.

To get some more insight on the upcoming challenges in 2013, check out RSA’s SBIC Trends Report: Information Security Shake-Up: Disruptive Innovations to Test Security’s Mettle in 2013 to see how some of the industry’s top leaders are approaching top of mind security issues.

• 

A few months ago, I wrote a short blog  using the “space between the 1s and 0s” as a metaphor to discuss dimensions of data that are beyond just the digits sitting on the disk drive.  These dimensions included how the data was created, who created it and why it was created along with the security implications of those dimensions.  Data created by a business process that includes personal information is much different than the invitation to the company monthly birthday party.  Yet those 1s and 0s, many times, sit side by side on our laptops, servers and storage area networks.   Recently, EMC announced the 2012 findings from IDC’s 6^th EMC-sponsored Digital Universe Study. This study has some amazing and interesting results – some directly related to this “space between the 1s and 0s”.

Just like our physical universe, the digital universe continues to expand.  The vast amount of data being created around the world, based on the study, will grow to an almost unimaginable size over the next few years.  Thus, the idea of this ‘space between the 1s and 0s’ seems less of a metaphor and more of a reality as our digital universe gets bigger and bigger.    The security findings alone are very telling.  The study found that the percentage of data in the digital universe that requires protection is growing faster than the Digital Universe itself, from less than a third in 2010 to more than 40% in 2020.  This growth is coupled with the fact that only half the information that needs protection has protection.   One of the other findings in the report highlighted the need (and current lack of) data analytics to transform these 1s and 0s into true information – with actions, conclusions or intelligence derived from the massive set of bytes.

The report made me think about the GRC side of this digital universe.  GRC processes within companies generate a fairly large universe of data.  The management of large data sets, and deriving value from that data, is a critical part of effectively maturing risk and compliance programs.  This falls directly in line with the strategies driving the RSA Archer product development.   Big data, analytics, reporting and workflow are just a few of the focus areas for the RSA Archer platform.   Building more cohesive, connected solutions is the emphasis driving our module strategies.   A core tenet of the product’s focus is to break down silos in organizations to leverage information and workflows across business processes.   Utilizing a business impact analysis as a product from the business continuity program to help prioritize security incidents is just one example of the value a GRC platform like RSA Archer can provide.   This is exactly the type of analytics and value that the study calls for – turning parts of the digital universe into actionable, useful information.

The study goes into much more detail and has some fascinating research.  I would highly suggest a read of the paper.  The report highlights the challenges and opportunities we as technology professionals face in the years to come.  For our own little part of the digital universe – that little galaxy of GRC related 1s and 0s – we need to understand how we can map out the stars, align the planets and bring order to an otherwise chaotic mix of celestial bodies.

•