RSA Rises to the Challenge of APTs

Recent news around APT attacks have underscored the critical importance of improving our techniques for rapidly detecting, analyzing and responding to APTs. To foster research in this area, Los Alamos National Lab (LANL) recently released an anonymized dataset of DNS activity collected from their internal servers over a two months window (February and March 2013), overlaid with traffic from 20 simulated APT attacks during the month of March. LANL also issued a public challenge to the cybersecurity community to “develop techniques for detecting malicious externaldomains given the DNS logs for a site and to identify potentially infected hosts in the process.”

The Danger of Denial

I was very surprised recently, in a conversation I had with someone I used to work with, to hear him remark that he didn’t think there is any such thing as stealthy, targeted attacks. His comment was something like “those warnings about APTs, targeted attacks, whatever you want to call them, is just a distraction…

Configuring the Human Firewall

Configuring the Human Firewall These days it seems every single attack out there is called an ‘APT’,  but the truth is that ‘real’ APT attacks are actually much more rare and are generally not in the public domain. When planning an APT, social engineering is the most important tool in the cybercriminal toolbox.  So how…

Telling the Story: Using Narrative in Talking about Security

I had the opportunity recently to speak about “Advanced Security” at the Evanta CISO Executive Summit event in Houston.  Just before going onstage for my presentation, I had a great conversation with David Frazier (Director of IT for Halliburton) about the approaches he’s taken not only in security strategy, but in discussing security with the…

Welcome to the Club

A few months ago I had a conversation with a security professional working in a major US defense contractor. It was right after the attack on RSA. “Welcome to the club”, he said, “we’ve been hit by these APTs for years”.

J. Lo and the Advanced Persistent Threat

So Ok, you think you know security. Riddle me this one… What does Jennifer Lopez and computer hackers who’ve attacked America’s defense establishment have in common? If you answered both are featured in this September’s issue of Vanity Fair magazine, you’d be right, and a true member of the all knowing security club.

IT Security in the Age of APTs

In January 2010, at the turn of the decade, I wrote the following lines in my blog: “It will be an interesting decade from a cybercrime perspective. Employees are one of the weakest links in corporate security… The current defenses cannot suffice, and the industry must think of a new defense doctrine.” A lot of folks in the security space raised an eyebrow.

A Changing Landscape Demands a Different Answer

Building the right strategies and principles into any security program and, frankly, gaining awareness and building relationships at all levels and with all functions in a company or organization is critical to success. While confronting APTs will require giving up the idea that it is possible to protect everything, security teams will have to focus on protecting the organization’s most critical information and systems. Or even more strongly stated- they will get in – the goal is to detect them early and minimize the damage.

Thoughts from the Gartner Security & Risk Management Summit

On the flight home from this year’s Gartner Security & Risk Management Summit, I reflected on some of the highlights of the trip. I look forward to this show every year due to the high level of customer engagement and great conversations. In looking for overall themes from the event I noticed, not surprisingly, a lot of emphasis around advanced persistent threats.

The Art of Tracing Footsteps (through the infrastructure)

The question of “why” EMC has acquired NetWitness will no doubt come up (beyond the fact that they are the obvious market leader with awesome technology) and how do they fit? Over the next few months that will become increasingly clear and in fact obvious if it isn’t already, but I thought I’d start with a simple analogy that I will connect first with RSA enVision (i.e. with Security Information and Event Management or “SIEM”) and then with RSA Archer (i.e. with Governance Risk and Compliance or “GRC”).