I realized I haven’t been living up to the full name of this site lately. Here’s what’s on the menu for this weekend!
Lagavulin, Graycliff and a Montecristo
If you follow my blog, you know the Threat & Vulnerability Management Maturity Model has been in the works for a while now. I’m happy to report the full model has finally been published in Core Security’s latest white paper.
What’s the value?
By moving through this model, organizations will simultaneously 1) reduce risk exposure and the likelihood of a breach 2) gain ongoing visibility into true business risk, improving future decision-making 3) align IT, information security, and the rest of the organization in the direction of strategic business goals and 4) significantly increase operational efficiency. It’s not merely an ideal model from a security perspective; it’s a no-brainer for the business.
So take a look. What do you think? Can you easily identify where your organization stands on the model, and steps for advancing to the next level? Looking forward to your thoughts and feedback!
PS This is free to the security community and completely focused on how security programs improve their ability to reduce the risk of breach. It is not a product, nor are we selling it.
On Saturday evening I went up to the top of the Burj Khalifa. If you aren’t sure what I mean, the Burj Khalifa is the tallest building in the world. It’s 2772 feet high (830 meters). The observation deck itself is 1483 feet high. It is insanely impressive.
Below the fold are some of the pictures I took while I was up there.
I woke up in the Middle East this morning. In Dubai in the United Arab Emirates, to be precise. This isn’t the first time I have been in the Middle East. I’ve been to Saudi Arabia, Kuwait, Iraq, Egypt and Bahrain. Although there are no stamps in my passport for any of those countries. That’s because I went to those countries in 1990 and 1991 during Operation Desert Shield/Storm.
Another entry in the “Preventable Breach” and “We could have prevented this” columns. This appears to be all about change and configuration management. An area that really needs some work, clearly.
Brian Krebs announced last night that there has been a huge data leak at MBIA, the nation’s largest bond insurer. On Monday, he notified MBIA Inc. that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines. That includes a page listing administrative credentials that attackers could use to access data that wasn’t accessible via a simple Web search: https://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-insurer/
It’s the end of Year One at Core Security. Time really flies when you’re having fun. I’ve been here for 12 months now, and a couple days, and I guess I should do the “looking back after the first year” blog post. A year ago I wrote about my new adventure:
Most people in the information security field … know that I am firmly convinced that the bad guys are currently winning the war we are engaged in. This move is, in many ways, because I want to do even more to change the situation. One key area where we can do that is by providing security professionals with tools that allow them to reduce the attack surface they have to worry about. Right now, organizations have to defend everything. CORE Security can help with how to defend what is critical in ways that are meaningful. Frederick the Great said, “he who defends everything defends nothing” … and that applies now in information security as much as it did in the 1700’s during Frederick’s military campaigns.
We are making good progress with the Vulnerability Management Maturity Model now. We have a very nice looking graphic that aligns activity across each stage of maturity. Next steps include demonstrating the business value of improving maturity, providing an assessment tool, and developing a white paper to fully explain this.
I should also note that we appear to be ahead of most folks in this line of thinking. I read an article on financial services cyber risk today where it appears that someone (the SEC, perhaps) is developing risk management standards that “firms in the industry could better use to spot and block cyber-attacks.” Sounds an awful lot like our Maturity Model. Nice to know we aren’t the only folks thinking about this and glad to see others following where we are already at.
I thought I’d share the mostly final graphic of the Maturity Model. This is something that anyone is free to use for their security program as long as you provide attribution to Core Security and I for our development of the Model.
One of the interesting things about BlackHat is that hackers and CISOs rub elbows. One of the few places where that happens routinely. It’s kinda funny. The CISOs are trying not to look so much like a “suit”, so they wear khakis and polo shirts. The hackers aren’t worried about that, so they wear shorts and t-shirts, kilts, jeans, camo, etc. And have crazy hair and tattoos. I thought of Suits vs. Shorts all week. 🙂
On Monday, with a little rest and a weekend under my belt, Core’s Communications Manager asked me what I thought about BlackHat and how it was different from the past. A couple folks chimed in, not just me, and there’s a good write up on the Core blog. I thought I’d put my relevant thinking in a quote here and invite you to read the whole thing, as well.
Sure, the conference has become much more mainstream,” noted our VP of Advanced Security and Strategy Eric Cowperthwaite. “Some have started to refer to it as ‘RSA Lite.’ I think that is unfair. This is a conference dealing with the concept that anything and everything can be hacked, broken into, attacked, cracked – that’s an idea that only recently went mainstream in the security industry. You now have CISOs and hackers, big and small companies, all mingling together because the security industry is finally embracing reality.
Seems like a good thing, to me, that the suits (myself included) are finally embracing the reality that BlackHat has presented to the security world for a long time now.
That’s right, not too much more left here at BlackHat. A couple of meetings with customers, a couple of analysts. And of course, Core’s party at the RX Boiler Room. Which is supposed to be pretty epic.
Then I’m gonna get some sleep, get on a plane tomorrow and head home now that Security Summer Camp is over with.
So far have seen many good friends, like RSnake, Bill Brenner, Alex Hutton, Katie Moussouris, Wendy Nather, Mortman, McKeay, Adam Shostack, Richard Stiennon, Mark Weatherford, Mike Yaffe, MattJay, Michael Farnum, Cindy Valladares, ThatDwayne … hmmmmm, not sure I can catalog everybody. Sorry for those I missed. It’s been great to see you, chat with you, get caught up and generally enjoy summer camp.
Yes, it’s yet another day in the desert. Day of two of BlackHat Briefings is today. Tonight will be Core Security’s party and then the festivities (for me) will be done. A few pictures. The Breaching Bad tshirt is pretty good. Core’s booth has been pretty crowded. And there are lines everywhere!