The Threat & Vulnerability Management Maturity Model Arrives

If you follow my blog, you know the Threat & Vulnerability Management Maturity Model has been in the works for a while now. I’m happy to report the full model has finally been published in Core Security’s latest white paper.

What’s the value?

By moving through this model, organizations will simultaneously 1) reduce risk exposure and the likelihood of a breach, 2) gain ongoing visibility into true business risk, improving future decision-making, 3) align IT, information security, and the rest of the organization in the direction of strategic business goals, and 4) significantly increase operational efficiency. It’s not merely an ideal model from a security perspective; it’s a no-brainer for the business.

So take a look. What do you think? Can you easily identify where your organization stands on the model, and steps for advancing to the next level? Looking forward to your thoughts and feedback!

PS This is free to the security community and completely focused on how security programs improve their ability to reduce the risk of breach. It is not a product, nor are we selling it.

Posted in InfoSec, Security, Vulnerability Management

The Burj Khalifa

On Saturday evening I went up to the top of the Burj Khalifa. If you aren’t sure what I mean, the Burj Khalifa is the tallest building in the world. It’s 2772 feet high (830 meters). The observation deck itself is 1483 feet high. It is insanely impressive.

Below the fold are some of the pictures I took while I was up there.


Posted in Life and Times, Travel

23 Years is a Long Time

I woke up in the Middle East this morning. In Dubai in the United Arab Emirates, to be precise. This isn’t the first time I have been in the Middle East. I’ve been to Saudi Arabia, Kuwait, Iraq, Egypt and Bahrain, although there are no stamps in my passport for any of those countries. That’s because I went to those countries in 1990 and 1991 during Operation Desert Shield/Storm.


Posted in Conferences, Travel

Another Preventable Breach

Another entry in the “Preventable Breach” and “We could have prevented this” columns. This appears to be all about change and configuration management, an area that clearly needs some work.

Brian Krebs announced last night that there has been a huge data leak at MBIA, the nation’s largest bond insurer. On Monday, he notified MBIA Inc. that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines. That includes a page listing administrative credentials that attackers could use to access data that wasn’t accessible via a simple Web search: https://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-insurer/


Posted in InfoSec, Security, Vulnerability Management

Year One

It’s the end of Year One at Core Security. Time really flies when you’re having fun. I’ve been here for 12 months and a couple of days now, and I guess I should do the “looking back after the first year” blog post. A year ago I wrote about my new adventure:

Most people in the information security field … know that I am firmly convinced that the bad guys are currently winning the war we are engaged in. This move is, in many ways, because I want to do even more to change the situation. One key area where we can do that is by providing security professionals with tools that allow them to reduce the attack surface they have to worry about. Right now, organizations have to defend everything. CORE Security can help with how to defend what is critical in ways that are meaningful. Frederick the Great said, “he who defends everything defends nothing” … and that applies now in information security as much as it did in the 1700s during Frederick’s military campaigns.


Posted in Career, Cigars, InfoSec, Security, Vulnerability Management

The Maturity Model … Matures

We are making good progress with the Vulnerability Management Maturity Model now. We have a very nice looking graphic that aligns activity across each stage of maturity. Next steps include demonstrating the business value of improving maturity, providing an assessment tool, and developing a white paper to fully explain this.

I should also note that we appear to be ahead of most folks in this line of thinking. I read an article on financial services cyber risk today where it appears that someone (the SEC, perhaps) is developing risk management standards that “firms in the industry could better use to spot and block cyber-attacks.” Sounds an awful lot like our Maturity Model. Nice to know we aren’t the only folks thinking about this, and glad to see others following where we already are.

I thought I’d share the mostly final graphic of the Maturity Model. This is something that anyone is free to use for their security program as long as you provide attribution to Core Security and me for our development of the Model.


Posted in InfoSec, Risk Management, Security, Vulnerability Management

Thinking About BlackHat – The Suits vs. The Shorts

One of the interesting things about BlackHat is that hackers and CISOs rub elbows; it’s one of the few places where that happens routinely. It’s kinda funny. The CISOs are trying not to look so much like a “suit”, so they wear khakis and polo shirts. The hackers aren’t worried about that, so they wear shorts and t-shirts, kilts, jeans, camo, etc., and have crazy hair and tattoos. I thought of Suits vs. Shorts all week. 🙂

On Monday, with a little rest and a weekend under my belt, Core’s Communications Manager asked me what I thought about BlackHat and how it was different from the past. A couple folks chimed in, not just me, and there’s a good write up on the Core blog. I thought I’d put my relevant thinking in a quote here and invite you to read the whole thing, as well.

“Sure, the conference has become much more mainstream,” noted our VP of Advanced Security and Strategy Eric Cowperthwaite. “Some have started to refer to it as ‘RSA Lite.’ I think that is unfair. This is a conference dealing with the concept that anything and everything can be hacked, broken into, attacked, cracked – that’s an idea that only recently went mainstream in the security industry. You now have CISOs and hackers, big and small companies, all mingling together because the security industry is finally embracing reality.”

Seems like a good thing, to me, that the suits (myself included) are finally embracing the reality that BlackHat has presented to the security world for a long time now.

Posted in Conferences, CyberWar, FUD, Security

Just A Few Things Left

That’s right, not too much more left here at BlackHat: a couple of meetings with customers, a couple with analysts, and of course Core’s party at the RX Boiler Room, which is supposed to be pretty epic.

Then I’m gonna get some sleep, get on a plane tomorrow and head home now that Security Summer Camp is over with.

So far I have seen many good friends, like RSnake, Bill Brenner, Alex Hutton, Katie Moussouris, Wendy Nather, Mortman, McKeay, Adam Shostack, Richard Stiennon, Mark Weatherford, Mike Yaffe, MattJay, Michael Farnum, Cindy Valladares, ThatDwayne … hmmmmm, not sure I can catalog everybody. Sorry to those I missed. It’s been great to see you, chat with you, get caught up and generally enjoy summer camp.

Posted in Conferences, Security

Another Day In The Desert

Yes, it’s yet another day in the desert. Day two of BlackHat Briefings is today. Tonight will be Core Security’s party and then the festivities (for me) will be done. A few pictures. The Breaching Bad t-shirt is pretty good. Core’s booth has been pretty crowded. And there are lines everywhere!

More later.


Posted in Uncategorized

Vulnerability Management Maturity Model

I’ve been working on this for a couple of months now. Basically, we all know the truth of the matter is that intrusions happen because we security guys are not able to patch the things that matter, or fix the areas that intruders will use to break in and steal credit cards or SSNs or … passwords, now. I realize that there is a lot of hype about advanced bad guys, zero-day exploits, and so on. And there are things there to be worried about.

However, the vast majority of all cyber-crime is happening because we are not doing the basics well. That was a major factor in my deciding to move to Core Security last year. I wanted to make a difference for a lot of people, across the whole of security. We focus on something that I think is key in all of this, which is dealing with the data overload that exists around vulnerability management. As part of this effort, I realized that most companies really have no idea if their vulnerability management is good or bad, how to measure it, what constitutes a good patch lifecycle, and so forth. Most companies’ vulnerability management is more like whack-a-mole than like a mature security program.

I decided to take a stab at helping to fix that. Over the last few months I’ve been working on a maturity model and roadmap for maturity for Vulnerability Management. I’ve drawn on my experience at EDS, at Providence Health & Services as CISO for 7 years and now my time at Core and working with our customers. The model is aimed at a security management level and focuses on building the right processes, coordinating activity across departments, and putting technology in place where it makes sense.

We are going to release the model publicly at BlackHat – come see us at Booth 735 for the first look and a discussion around where you fit within the model and what activities make sense to move to a new level of maturity.

There are prettier versions coming, but here is the maturity model itself. The roadmap will follow soon.


Rob Lemos (@roblemos on Twitter) wrote a nice piece yesterday for eWeek specifically on the work we are doing around improving maturity for vulnerability management programs.

Posted in Conferences, InfoSec, Security, Vulnerability Management