
Threat Hunting: Summaries of 5 Recent Cyber Security Studies

One of the few things more prolific than the threats in cyber security might be the studies and surveys. From our vantage point, this is a positive sign and indication the industry is increasingly open to sharing information for a good cause.

We read many of these studies for insights into trends, and occasionally summarize those we think will be of interest to our community, with links for further reading.

Below are the summaries of five recent cybersecurity studies.

1) Threat Hunting on the Rise

More than 80% of cybersecurity professionals say the volume of threats has doubled, according to a survey by Crowd Research Partners. At that rate, the pace of emerging threats is on course to overwhelm existing cybersecurity resources in many enterprises. To even the odds, some forward-thinking organizations are implementing threat hunting technologies.

“Threat hunting is a term that is generally used to describe the practice among security organizations to proactively search for and weed out threats on their network instead of waiting to discover them after an attack has materialized,” according to Jai Vijayan, in a news analysis about the study for Dark Reading. “It is a practice based on the premise that organizations simply cannot prevent every single intrusion from happening on a network, and therefore the focus needs to be equally on finding the ones that do slip through the defenses.”

The report found threat hunting can significantly reduce the time to detect, investigate and respond to a threat. However, most organizations are still quite reactive in their approach:

“An average of 43% of respondents’ time is spent reacting to security threats, while an average of 22% of respondents said that their time is spent proactively seeking threats.”

Additional points of interest from this survey include:

  • 44% of threats go undetected by automated security tools
  • 79% agree or somewhat agree that threat hunting will be top priority in 2017
  • 70% say the detection of hidden, unknown, and emerging threats is a top SOC challenge

“Threats already exist inside the firewall,” as our own CEO is known to say. “Security must layer in new methods of detection aimed at the east-west traffic to mitigate threats and reduce complexity, dwell time and time to containment.”

2) Enterprises Drowning in Cybersecurity Alerts

An independent survey of 150 professionals responsible in some way, shape or form for enterprise security noted they are drowning in alerts. There are literally more alerts than they can process. As a result, 54% say they simply ignore some alerts, even those “worthy of further investigation.”

The findings were reported by Kelly Sheridan, an associate editor with Dark Reading, in Half of Security Pros Ignore Some Important Alerts. She notes that contributing factors include the talent shortage in cybersecurity and the fact that organizations have invested in a multitude of tools over time, each with its own alert mechanism:

“Each of these tools focuses on a different aspect of security. Businesses that previously needed only a few security systems can now have up to 50 or 70, all of which work independently and address different functions: endpoint security, mobile, cloud, web app security. The tools each provide a piece of the puzzle, but it's still up to the security expert to decide how events are related and initiate a response.”

We believe better integration of the right security tools – rather than simply adding more tools – is the wiser course. Integration provides context around alerts, so security professionals can focus on the one alert that matters in a sea of flashing red icons.

Other notable statistics from this study include:

  • 35% say the “most-time consuming task” is gathering data about alerts
  • 39% say process and technology “to automate security operations is a priority”
  • 35% plan to acquire threat detection technologies


3) The Cost of Ransomware Downtime

Don’t pay the ransom! The rationale of that long-standing philosophy is simple: paying the ransom rewards bad behavior.

That idea is being reconsidered when it comes to ransomware, which “grew into a $1 billion industry” in 2016, according to Maria Korolov. This is because the downtime of mission critical systems can sometimes cost a business far more in lost revenue than the ransom demanded.

A recent in-person survey of 170 security professionals at the 2017 RSA security conference quantified this cost.

“Fifty-nine percent of respondents said the biggest business impact of a ransomware attack was the cost of downtime due to lack of access to systems for customers and employees,” according to reporting by Jeff Goldman for eSecurity Planet. “Twenty-nine percent said they would lose between $5,000 and $20,000 a day due to downtime from a ransomware attack, and 27 percent said the cost could be more than $20,000 a day.”

The same study put numbers around the duration of an outage caused by ransomware:

  • 52% said less than eight hours
  • 11% said more than eight hours
  • 17% said one day (24 hours)
  • 20% said 2-3 days

As for paying the ransom, the vast majority (79%) said they’d refuse.


4) People are Still the Weakest Security Link

It’s often said that people are an organization’s most valuable asset, but they may also be the biggest cybersecurity risk. That’s according to an annual poll of the Information Security Community, a sizeable professional cyber security group on LinkedIn.

The results of the survey were reported by Help Net Security in a piece entitled People are still the biggest security threat to any organization. The study found:

  • 74% of organizations feel vulnerable to insider threats
  • 56% say insider attacks have become more frequent in the last 12 months
  • 30% of organizations experienced insider attacks

What is it that makes the insider threat so challenging? According to Help Net Security:

“Most survey respondents (67 percent) indicate that because insiders already have credentialed access to their networks and services, they are much more difficult to detect and deter than external threats. But only 42 percent of organizations say they are regularly monitoring user behavior while 21 percent do none at all.”

The majority of respondents (68%) expressed confidence in an ability to “recover from an attack in a week or less.” However, this comes at a steep premium: 75% said the costs could add up to $500,000 or more.

5) Cybersecurity Skills Gap Translates into Real Vulnerabilities

For many job openings, businesses commonly receive dozens or even hundreds of applications. That’s not true in cybersecurity, according to a survey by ISACA, an education and standards organization for IT professionals.

Just “59 percent of surveyed organizations say they receive at least five applications for each cybersecurity opening, and only 13 percent receive 20 or more,” the organization said in a statement.

“Compounding the problem, ISACA’s State of Cyber Security 2017 found that 37 percent of respondents say fewer than 1 in 4 candidates have the qualifications employers need to keep companies secure.” Relatedly, most organizations value hands-on experience (55%) and security certifications (69%) over formal education.

Among the recommendations ISACA offers to remedy the matter is grooming employees with technical skills in adjacent IT positions and then moving them into cybersecurity jobs.

* * *

What cybersecurity studies have captured your attention lately? Tweet us a link @BricataLLC or join us on LinkedIn.


8 Considerations in Cybersecurity Risk Management

Cybersecurity risk management boils down to three key factors:

  • The probability of an event occurring;
  • The severity of impact if that event occurs; and
  • Any mitigating factors that can reduce either probability or severity.  

That was our takeaway from an excellent panel discussion facilitated by our partners at Cylance, titled Cut Through the Risk Confusion: Shedding Light on Common Security Misperceptions.

Risk management is often confusing because it’s fraught with subjectivity, according to the panel. Case in point? Senior business leaders – general counsel, CFO and CIO – all have different perceptions of what makes up risk and which controls are appropriate.

While the discussion centered on how to eliminate that subjectivity through process, the panelists provided several excellent tips along the way.  We’ve articulated those that stood out for us below. 

1) Even for professionals, cyber risk management is hard.

Seeing, identifying and understanding the indicators of risk doesn’t come naturally to most people. To illustrate this point, one panelist noted he missed the risk indicators after putting new hardwood stairs in his home.

Despite several complaints from guests that the new stairs were slippery, he only sought a solution after he slipped and broke an ankle, which required surgery. The solution was a $50 roll of anti-slip tape.

This illustrates the purpose of risk management – and the value of a relatively small preventative investment compared to the extensive cost (and pain) for remediation after an event.

2) Include diversity in risk perspective.   

A diverse perspective is critical to good risk management in cybersecurity. More importantly, disagreement is not disloyalty. Examining a problem through various viewpoints prevents groupthink and the overconfidence that leads to blind spots and mistakes.

3) Commission a counterargument.

It’s useful to charge a member, or a team, with the task of arguing the opposite view. This differs from diversity in perspective in that the commission is to intentionally look for gaps in an argument or idea.

If the consensus view believes a factor is low-risk, have someone build a case that it’s high-risk and vice versa. The panel referred to this as ensuring a “stratification of dialogue” in order to see all the options and potential impacts.

4) A structured risk management process helps “manage up.”

A structured risk format brings organizational discipline to risk management that’s also useful for managing news-driven risks. The panel called this “Wall Street Journal risk management.”

What does that mean? A board member reads a story about data loss through USB ports and sends it to the CEO. The CEO, in turn, sends it to the CIO, and suddenly the top priority for the risk team is data loss prevention at the network and host level. Consequently, USB ports are shut off, but employees still have access to commercial file sharing sites, so the data can leave just as easily by another route.

A structured process both allows the team to consider all options and also provides a framework for diplomatically managing senior leader inquiries based on news events. Stories are a powerful and amazing way to communicate, but stories are data points, not data.

5) Some risks only appear more interesting than others. 

Any organization that runs real penetration testing is likely to come to the same conclusion: the red team is going to get inside. However, that doesn’t mean the risk a red team finds parallels real-world risk.

One panelist noted, for example, a red team that had dropped a physical device on the network. While interesting, the chances of this really happening were fairly low. This phenomenon can distort the risk perspective, create unnecessary executive concern, and wind up with a misallocation of finite resources.

6) Just “shutting it off” isn’t always the best solution.

Employees at one company were rather vocal on social media during earnings announcements. This made the executive team nervous for obvious compliance reasons, according to the panelist telling the story. Leadership simply wanted to shut down access to social media sites from the corporate network.

However, doing so, in the security team’s assessment, was unlikely to prevent employees from doing the same thing from the guest network or from personal devices. Even worse, the action would remove the company’s ability to monitor the activity: it would still happen, they just wouldn’t see it.

A better solution, or at least one worth considering from a risk management perspective, was to engage employees and shape their behavior with training and information.

7) Translate tech speak into business talk.

The cybersecurity space has its fair share of buzzwords the business may not understand. Security teams need to be conscious of this when peers from other functions are involved in security conversations.  

One of the panelists recalled a situation where the technical team had found malicious software on a backup drive. The probability of risk was low, but the impact was high, so the conversation was escalated to include other team members from around the business. In the process, it became evident the business wasn’t following the discussion, and so couldn’t contribute to the risk assessment.

The panelist said he quickly came up with an analogy to describe the data-backup problem at hand to the effect: We’re trying to move people (data) from one point to another. We used a car to pick people up, but we can’t see how many passengers are in the car or how many have arrived safely at the destination.

A good technique is to have a “pre-discussion” before talking to other business peers to ensure the key points are presented at a business, rather than technical level.

8) Examine trends and prepare.

Security professionals are in many ways tasked with forecasting trends and putting contingency plans in place. For example, it’s not a stretch to predict that ransomware is going to intensify and shift toward data destruction.

Understanding this trend, and its cost, will help articulate the business’s options in the event of an incident. The business can refuse to pay the ransom and lose a week or more of revenue while IT works to get systems operational. Or it can establish the means to pay the ransom in bitcoin ahead of time in case it pursues that option – as some businesses are doing.

Cybersecurity is “amazingly complicated” and the more confident you are of an answer, the more concerned you should feel. A rigorous process of analyzing cyber risks will go a long way toward fulfilling the security goal of business assurance. A complete recording of this panel discussion is available through Cylance at the link provided above.  


Roundup: The Latest from the Cybersecurity Tech Analysts

Of all the sectors technology analysts cover, cybersecurity just might be one of the most important. This is because while many technology markets are fluid, the dynamics of cybersecurity change daily.

From emerging threats, to the options for deterring or remediating those threats, it’s a full-time job to catalog and analyze emerging vulnerabilities, the technology options for resolving them, and what it means for the industry. 

To that end, we’ve canvassed the public-facing blogs of several prominent analyst firms to see what has been on their radar of late. Here’s what we found:

1) What do new cybersecurity regulations mean?

The New York State Department of Financial Services (DFS) published cybersecurity regulations detailing minimum cybersecurity requirements for financial services companies. The requirements are intended to protect both consumers and financial services organizations according to a public announcement.

Designating a CISO and maintaining “detection and response capabilities” are among the list of obligations, according to Sam Olyaei, a senior research analyst with Gartner in a piece on the matter: NY DFS Cybersecurity Regulation goes into effect today, and it is already outdated!

The formality of penalty-backed regulations might be panic inducing, but it shouldn’t be a surprise, according to Mr. Olyaei:

“…it is my opinion, that many of these security activities (if not, all) were already taking place at most banks, insurance companies and other financial services firms.”

And later he suggests there may even be an upside:

“Everything and anything that FSI firms are doing in terms of cybersecurity must be through a risk-based approach. That now gives firms flexibility in determining the requirements that affect them the most.”

That flexibility is important because security isn’t just a technical problem, but a legal, policy and human behavioral problem as well.

2) Have security and DevOps found new drivers for collaboration?

Sometimes cybersecurity teams find it challenging to work with DevOps. This is because, as the insurance company Aflac pointed out in a case study, security is sometimes at odds with conventional IT change management processes. When you need to plug a possible exploit hole, that hole exists in a production environment, and closing it cannot always wait for a scheduled change window.

That might be starting to change according to Gartner Research Director Jonathan Care in a piece summarizing his impressions from the 2017 RSA Conference (RSAC): Thoughts from RSAC:

“For some time, DevOps and cybersecurity have eyed each other warily, and now a meeting of minds appears to be in place, with innovations to represent cybersecurity as a software defined model. This is, of course, interesting as we move more and more to the cloud, and it is likely to lead to increased agility in responding to advanced threats, allowing increased automation and machine-controlled rapid response.”

While Mr. Care represents the security perspective, glimpses of thawing relations can be viewed from the DevOps side as well. Stephen Elliot, a vice president of research for IDC recently advised DevOps to include security teams in service delivery collaboration:

“Take advantage of team-based collaboration and reinvent integrated service delivery across development, operations, and security teams with DevOps practices.”


3) Security remains the top concern for mobile payments 

Mobile payments are arguably the next competitive advantage for financial services firms. A recent survey by 451 Research found consumer interest at an all-time high, according to a piece by Kaitlin Buckley:

“Planned use of mobile payment apps has increased for the second survey in a row, reaching its highest level since we began asking this question back in 2014. A total of 29% of smartphone owners say they’re likely to use mobile payment apps over the next 90 days.”

However, if fraud and identity theft are reasons for consumers to migrate away from credit cards and other conventional forms of electronic payment, they are also a roadblock to mobile payment adoption:

“We asked unlikely users what would drive them to adopt mobile payment apps. Two-thirds (66%) cite Security Against Fraud that is Better Than Traditional Payment Cards as a factor.” 

The graphic with this piece suggests it’s the top factor – and by a wide margin. 

4) Is deception essential to cybersecurity?

Despite a steady increase in spending on cybersecurity, bad actors still get the best of enterprise security according to a new white paper by research firm Frost & Sullivan. The premise is based on research by Mandiant which found “the median time that attackers live inside an enterprise network before being detected is 146 days.”

The paper argues that hackers seeking to exploit an enterprise are effectively on a blind scavenger hunt, which proceeds by trial and error, and that presents opportunities to use deception to identify them:

“The hunters must gamble – gather pieces of information, without a pre-assessment of its value; and, in their gathering, risk being identified. It is this scavenger’s gamble where deception technology delivers its unique cybersecurity value: turning this gamble and risk of being identified into a certainty.”

We agree that new thinking in cybersecurity is required in this era of the assumed-breach security posture. This means shifting the focus, which has, in the past, primarily centered on prevention at the perimeter, to also include detection.  

Security in the modern IT infrastructure is an exercise in risk mitigation, with layers designed to stave off attacks. However, it must also include the capacity to find and manage attacks already underway, in order to reduce dwell time and accelerate time-to-containment.

Your turn! What are some topics you’ve seen technology analysts cover of late that you deem important? 


How to Buy Cybersecurity

A central theme of the so-called paradox of choice is that too many choices can lead to decision paralysis.

There is a dizzying array of choices in cybersecurity products and services. That’s according to a recent CyberWire podcast, Buying Cyber Security: A CyberWire Special Edition.

The podcast highlighted viewpoints from technology decision makers across organizations large and small. This included a global telecom carrier, a government agency, a small business with regulatory requirements, and a large consulting firm, which in part, advises clients on cybersecurity purchases.  

Collectively the participants provided sound advice for evaluating and procuring cybersecurity products including the following:

1) Understand the business purpose for a security product.  

Too many vendors focus their presentations on the technology itself, which, while often interesting, overlooks the business problem, according to Emily Mossburg of the consulting firm Deloitte.

Buyers and vendors alike should place greater emphasis on the business problem and how a given product fits into the overall solution mix. She noted this is especially important in vertical markets because “the type of adversary” can vary with the unique attributes of each vertical.

2) Integration of security products is growing in importance.

A few years ago, much of the attraction in purchasing new security products centered on new features and functions according to Ms. Mossburg. While better monitoring and intelligence remain inherently important to cybersecurity, the trend is tipping toward integration. 

Dr. Emma Garrison-Alexander, a former CIO for the Transportation Security Administration (TSA) agreed. She added that managing the integration as the environment evolved was equally important.

3) Start by talking to people you trust.

Chances are whatever the cybersecurity problem you’re trying to solve, you’re not the first to face it. As such, beginning the search for solutions by asking people you trust, is a good place to start.

That’s how Vilas Naralakatt of Pinnacle Advisory Group got started in his search for dual-authentication technology, according to the podcast. An independent security advisory firm pointed him toward a product it both used – and recommended.

With 50 employees, Pinnacle is a small business, but its focus on wealth management means its technology and security products must meet both the needs of the firm and regulatory requirements. For example, data transmitted to and from clients must be encrypted both in transit and at rest.

4) Trust but verify: proof of concepts.

While recommendations and referrals are a good start, Mr. Naralakattu said nothing replaces testing the software or technology. His firm examined products that “sounded great on paper” but rigorous testing demonstrated these didn’t quite fit his firm’s needs. Consequently, his company “went in a different direction for the dual authentication pieces,” and perhaps avoided an expensive mistake.

Ms. Mossburg also emphasized the importance of a proof-of-concept, pilot or bakeoff. She observed there are often “a lot of small details” and complications that go overlooked until a product has been tested – and tested with the same volume or speed it needs to work within a production environment. 

Alerts, logs, the flow of data, speed, and interoperability are some of the aspects Ms. Mossburg cited as examples to test. She said sometimes clients go into such proof-of-concepts thinking they had a clear leader in mind, but emerge on the other end of the test with a very different perspective.

“Nothing as good as actually doing it,” said Michael R. Singer, executive director for Technology Security at AT&T. The best way to learn is “to have real data and real traffic.”

5) Product scalability matters.

Scalability may be one of those words used too liberally in technology circles, but Mr. Singer said scale really matters. For a global telecom carrier, the volume is sometimes far greater than some of the new security technologies are prepared to handle.

“We’ve probably bought one of everything along the way,” Mr. Singer said. That experience in part has helped the company learn to distinguish among products that can scale, from those that can’t, very early in the review process.

6) Separate hardware and software.

“This is a big one,” said Mr. Singer, suggesting this is a long-standing requirement in cybersecurity. Many businesses want to run software on hardware they have selected rather than be forced into a solution that bundles the two together.

7) Consider the service after the sale.

All the speakers remarked to the effect that service after the sale was an important consideration. Dr. Garrison-Alexander called it “incumbent-itis” where an existing vendor becomes “lackadaisical” after obtaining a contract.

For Mr. Naralakatt that means transparent communication. If a vendor finds a vulnerability in its software, for example, he’s more confident in the relationship if the vendor notifies him and tells him what they are doing to fix it.  

Ms. Mossburg’s comments also centered on communication. She said clients want to be heard and feel like their concerns are being acted upon – even after deploying a product in a production environment.

Strategic Tech Engagements to Navigate Choices

Strategic engagement organizations are one of the interesting ways larger organizations are staying abreast of developments. Mr. Singer described a program called AT&T Foundry, which is an organization that facilitates “outreach and fast pitches” for startups. The website for the program lists several “foundry” locations around the world – technology hubs like Palo Alto – and says it meets with 500 startups annually.

He said the AT&T leadership “deliberately asks us to look at small innovative players” to examine what those firms are doing differently. The company strives to understand how new innovations can help the carrier solve a business problem more efficiently or effectively.

Similarly, the TSA also maintains a “strategic engagement organization” with a similar mission – to engage small but innovative companies, according to Dr. Garrison-Alexander. Her budget, while large – $450 million annually with “purview” over an additional $278 million in technology spending – also comes with a lot of requirements. While the government “doesn’t move fast,” strategic engagements were a way to stay in tune with innovation, keep incumbent vendors on their toes, and help fulfill the government’s desire to contract with small businesses.

Arguably, such strategic engagements are a proactive way to navigate the myriad options, make better cybersecurity procurement decisions, and avoid the paradox of choice.


Cybersecurity: The Best Defense is a Good Offense

Cybersecurity is a bit like that classic joke about two hikers and a bear.  As a bear approaches the pair, the first hiker frantically digs a pair of sneakers out of a backpack and puts them on in a hurry. 

“What are you doing? You can’t outrun a bear!” exclaims the second hiker.
“I don’t have to outrun a bear,” replied the first hiker. “I just need to outrun you.”

In an information security context, this means being harder to breach than the next target, which motivates bad actors to pursue softer targets.   That’s how Tim Callahan set up his presentation at the 2017 RSA Conference titled, An Aflac Case Study: Moving a Security Program from Defense to Offense. Mr. Callahan is a senior vice president and CISO for the supplemental health insurance carrier. 

Defining an Offense in Cybersecurity

Every company is vulnerable, which is why phrases like “assumed breach” have entered the security lexicon.  A good offense is about both making a breach as challenging as possible – and being ready to respond if in fact the organization is compromised.

It’s also important to define what an offense in cybersecurity does not mean. Mr. Callahan does not advocate for measures such as a “hack back". This is where, for example, if a company is attacked, it might in turn attack the source – or perceived source.  

Hacking back, he says, is fraught with risk for several reasons.  These include the fact that most businesses simply don’t have the intelligence to have comprehensive situational awareness.  A hacker might use a server that runs a life-support device as a proxy.  If that company responded by attacking that server, it might unknowingly put lives at risk.

The Four Pillars of a Cybersecurity Offense

Enterprises need four pillars to design and implement what Mr. Callahan calls a “preemptive environment". Those components are:

  • An effective intelligence program
  • A good analytics system
  • An environment that keeps the “fight far” from the core business
  • The right team

He walked through each pillar as follows:

1) Threat intelligence.  Security analysts need multiple sources of information.  In Mr. Callahan’s view, this means gathering internal threat data and augmenting it with several classes of external sources.  To that end, he breaks threat intelligence into three categories:

  • Internal sources.  This includes traffic, log files, appliances and even employee behavior.  The behavioral difference means being able to distinguish between a clumsy user trying to recover a lost password and a brute-force effort to crack one.
  • External sources.  This category includes open source information, association memberships, vendors, and even government sources.  He spoke highly of the Automated Indicator Sharing service, a public-private partnership sponsored by the Department of Homeland Security (DHS).
  • Dark web.  The dark web provides the opportunity to monitor forums frequented by bad actors for information you can use to proactively protect the enterprise. Mr. Callahan says Aflac subscribes to services for this information, rather than having his own employees canvass the chat rooms.  These services have helped discover stolen credentials for sale and even helped gather information about a planned deliberate attack on Aflac, which enabled the company to make changes to avert it before it happened.

2) Security analytics.  Security analytics is an enabling technology that allows analysts to ingest vast sums of seemingly disparate data and find connections that are hard for a human mind to detect.  It takes the internal sources of data and correlates them with external sources of information.  In this way, Aflac has been able to develop a confidence score that triggers a machine to take action – to block an exploit attempt, for example.

The challenge with this approach, according to Mr. Callahan, is it’s at odds with conventional IT change management processes.  This is why a confidence score based on internal and external sources is so important.  Aflac has been able to master this – with “almost heroic” results from just a five-person analytics team.  Those results include:

  • Two million connections blocked with only 12 false positives
  • Average of 90 threat actor campaigns maintained
  • More than five million indicators of compromise maintained
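The two ideas above, telling a clumsy password retry apart from a brute-force attempt in internal logs and combining that internal signal with an external indicator match into a confidence score that gates an automated block, as an added Python illustration that is not Aflac's or Bricata's code. The log format, the indicator feed and every threshold are constructed assumptions.

```python
"""Added illustration (not Aflac's or Bricata's code): score each source IP from
internal auth-log behaviour plus an external indicator match.  The log format,
the feed and every threshold below are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    """Per-source-IP summary built from the auth log."""
    fails: int = 0
    successes: int = 0
    users: set = field(default_factory=set)
    first: int = 0
    last: int = 0


def parse_auth_log(text: str) -> list:
    """Parse constructed lines of the form 'HH:MM:SS src_ip user RESULT'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            h, m, s = (int(x) for x in ts.split(":"))
            events.append((h * 3600 + m * 60 + s, ip, user, result))
    return events


def summarize_by_source(events) -> dict:
    """Group events by source IP: failures, accounts tried, time span."""
    stats = {}
    for ts, ip, user, result in sorted(events):
        s = stats.setdefault(ip, SourceStats(first=ts, last=ts))
        s.last = ts
        s.users.add(user)
        if result == "OK":
            s.successes += 1
        else:
            s.fails += 1
    return stats


def classify_internal(s: SourceStats):
    """Clumsy user: a few failures then success; brute force: fast, many accounts."""
    rate = s.fails / max(s.last - s.first, 1)
    if s.fails >= 20 and len(s.users) >= 5 and rate >= 0.2:
        return 0.7, "brute_force"
    if s.fails >= 10:
        return 0.4, "suspicious"
    if s.successes:
        return 0.05, "clumsy_user"
    return 0.1, "unknown"


def confidence_score(internal: float, external: float) -> float:
    """Noisy-OR of two independent signals: both agreeing beats either alone."""
    return 1.0 - (1.0 - internal) * (1.0 - external)


def decide(score: float, block_at: float = 0.85, alert_at: float = 0.4) -> str:
    """High combined score blocks; a bare feed hit is routed to an analyst."""
    if score >= block_at:
        return "block"
    return "alert" if score >= alert_at else "ignore"


def evaluate(log_text: str, indicators: dict, block_at: float = 0.85) -> dict:
    """Return {src_ip: (label, score, action)} for every source in the log."""
    results = {}
    for ip, s in summarize_by_source(parse_auth_log(log_text)).items():
        internal, label = classify_internal(s)
        external = indicators.get(ip, {}).get("confidence", 0.0)
        score = confidence_score(internal, external)
        results[ip] = (label, round(score, 4), decide(score, block_at))
    return results


def _constructed_brute_force(ip: str = "203.0.113.7", attempts: int = 30) -> str:
    """Constructed sample: one failed login every 2 s, cycling through 10 accounts."""
    lines = []
    for i in range(attempts):
        ts = 10 * 3600 + 60 + 2 * i
        stamp = f"{ts // 3600:02d}:{ts % 3600 // 60:02d}:{ts % 60:02d}"
        lines.append(f"{stamp} {ip} user{i % 10} FAIL")
    return "\n".join(lines)


# Constructed sample log: alice mistypes twice and then logs in; 203.0.113.7 sprays.
SAMPLE_AUTH_LOG = "\n".join([
    "10:00:01 10.0.0.5 alice FAIL",
    "10:00:09 10.0.0.5 alice FAIL",
    "10:00:20 10.0.0.5 alice OK",
    _constructed_brute_force(),
])
# Constructed stand-in for a match from an external sharing feed (not a real feed).
EXTERNAL_INDICATORS = {"203.0.113.7": {"source": "constructed-feed", "confidence": 0.8}}
```

Running `evaluate(SAMPLE_AUTH_LOG, EXTERNAL_INDICATORS)` blocks the spraying address only because internal behaviour and the feed agree; a feed hit on an address whose own behaviour looks benign stays at "alert" for human review.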

3) Fight far.  By “fight far” Mr. Callahan is referring to building layers of security in order to keep the cybersecurity battles “away from your core.”  The closer the fight is to the core business, the less margin there is for error.  The far fight is about putting multiple obstacles between those core systems and the avenues of approach a hacker might take in an attempt to gain entry.

The far fight for Aflac begins all the way out in the cloud with “blackholing”, which he describes as working with an ISP to shed any traffic “that can’t be good.”  The depth also includes multiple firewalls, anti-virus, and quarantine that continuously reduce the threat.  Inside the firewall, Aflac maintains IPS, sandboxing, an experimental program with deception and decoy tools – and of course HIDS. Slide #9 of his presentation contains a graphical illustration of the far fight Mr. Callahan describes.

4) Staffing and building the team.  It’s no secret there’s a cybersecurity skills gap.  Mr. Callahan cites data from research firm Frost & Sullivan which suggests 1.5 million cybersecurity jobs will go unfilled by 2020.

This is a challenge he’s experienced firsthand at Aflac.  He says his hiring – about 30 new employees per year – is limited purely by the ability to find the right experience and skill sets.  To that end, he’s improvised and offered several ideas to work through the challenge of a talent shortage.

  • Recruiting military and veterans.  Mr. Callahan noted veterans have the core instincts to protect sensitive information.  This, in combination with the fact that he finds this group “very trainable”, makes veterans an ideal source of talent.  It might also help that Mr. Callahan himself once wore a uniform, and that the Aflac headquarters is located in Columbus, Ga., which is close to the sprawling military community of Ft. Benning.
  • Relatable skills.  Sometimes skill sets from other functional areas are a good match, as well.  For example, a data scientist can be even better suited to a security analytics role than experienced security personnel. Mr. Callahan points out you can train a data scientist on the security threats to look for, but they often inherently have a better aptitude for the important task of data interpretation.
  • Grow from within IT.  He also discussed “re-purposing” employees from other IT specializations.  He has found network engineers have the right aptitude for security.  There’s an advantage to the fact that network engineers already know the IT environment and corporate culture.

He was careful to point out the importance of cultivating and maintaining some existing leadership and experience to successfully tap talent from these other areas and train them properly. 

* * *

Mr. Callahan’s session was recorded and is freely available online without registration.  His entire presentation runs about 45 minutes and is well worth making the time to listen or watch. 


Photo Credit: Pixabay (CC0 1.0)

Salary Survey: What's a CISO Worth in 2017?

On the heels of a record-breaking year for incidents and breaches, the security industry may be headed towards breaking one more:  the salary paid to top security officers.

Security Current, a news and advice site for security professionals, recently released a survey putting the average Chief Information Security Officer (CISO) salary in the U.S. at $273,000 per year.

A CISO we spoke with thought the average was “about right” for large enterprises, especially those in regulated markets. However, he thought the figure was not reflective of smaller organizations where a leader may be tasked with security responsibilities, but may not hold the designated title of CISO.

That CISO works for a sizable managed services provider serving a sensitive vertical market. He requested his comments remain anonymous.

Overall, his reaction wasn’t so much about whether or not $273,000 was the right figure; he emphasized the value a CISO delivers as the driver behind rising salaries. It’s “not whether it’s the correct amount in relation to the responsibility, it’s the value you receive from a CISO that is going to really understand this space, drive compliance measures and help align and balance risks, in conjunction with the board [of directors],” he said.  He likened the role of the CISO to other leaders in the C-suite.  They all have responsibilities that extend to other areas of the business and are not typically well understood.

"You need a trusted advisor and business leader," he said. A CISO provides subject matter expertise that helps enterprises mitigate risk and "minimize bad outcomes." He was careful to underscore the leadership aspects of a CISO as well.  He noted that supporting staff are still necessary to execute on security recommendations.

"That makes more sense when you see that spending in risk mitigation should be some factor of that potential loss exposure. Organizations that hire a $273K CISO and then starve security spending thinking that’s the key are not getting the bigger picture."

Benchmarking: 3 Additional Security Salary Surveys

While just 74 CISOs took the Security Current survey, nearly half of the respondents (46%) said they were the first person to hold the CISO title in their organization.  This suggests that industry benchmarks including the role, responsibilities and compensation are still emerging.  Even so, we also reviewed three other salary surveys to identify ranges or other salary benchmarks that might prove useful to a CISO.

1) 2017 Salary Outlook by Mondo.  Citing the 2017 Salary Outlook by the talent agency Mondo, Ann Bednarz of Network World reported: “CISO ranks third in Mondo’s salary guide, with a salary range of $145,000 at the low end and $250,000 at the high end.”  “It’s one of two security jobs with a salary range that tops $200,000,” she noted in her piece titled, 13 tech jobs that pay $200k salaries.  “The other is application security engineer, which commands between $125,000 and $210,000.”

The Mondo guide did not provide an average or median salary as a point of comparison.

2) SilverBull on CISO Salaries, Cities and Issues.  The second benchmark we looked at was from the staffing agency SilverBull.  This recruiting agency has published several surveys like this that have been widely reported. The most recent survey we spotted was published in May of 2016 and put the median salary for CISO at $224,000 with a range between $137,000 and $346,000.  An infographic visualizing the SilverBull data lists six cities, all notable tech hubs, where CISO jobs are most in demand.  These cities are Boston, New York, Washington, Atlanta, Chicago and San Francisco.

It also lists 10 top issues facing CISOs including advanced persistent threats (APTs), cloud security, bring-your-own-device (BYOD), network transformation, and malware or spyware.

3) The median for a CISO by  The third and final source we reviewed was an assessment provided by  The website said, “The median annual Chief Information Security Officer salary is $198,226, as of January 30, 2017, with a range usually between $166,662-$239,680.” The website provides a caveat noting the range “can vary widely depending on a variety of factors.”

CISOs May Earn More than CIOs

“In some cases, CISOs may now make more than CIOs,” according to CIO Dive, citing the 2017 Technology & IT Salary Guide by the recruiting and staffing firm Robert Half Technology in a comparison to the Security Current survey. That guide estimates salaries for chief information officers will range between $175,000 and $279,000 – a 3.1% gain year-over-year.  While the Robert Half survey doesn’t list the title of CISO, it does estimate a compensation bracket for the comparative title of Chief Security Officers (CSOs) at between $145,250 and $236,750.  Those salaries will rise at a slightly higher rate – 5.3% – over the previous year.

CISO Reporting to the CEO

It’s not just that CISOs might earn more money than CIOs; they, in fact, might be on their way to becoming peers.   In a column for Forbes, Steve Morgan, the founder of Cybersecurity Ventures, cited research from IDC predicting three-quarters of CSOs and CISOs will “report directly to the CEO, not the CIO” by 2018.  And that might make sense when the responsibilities of these professionals are considered in context.  For example, in a commentary published on LinkedIn about CISO salaries and recruiting, Bruce A. Brody, a CISO with PricewaterhouseCoopers, noted, “the average breach now costs almost $4 million according to the Ponemon Institute.”

Mr. Brody’s commentary is now older, but still quite relevant.  Newer data only seems to substantiate his assessment.  For example, as we noted earlier, reports stemming from the 2016/2017 Global Fraud and Risk Report by Kroll detailed the cost of cyber incidents (as opposed to breaches) as a percentage of revenue.

The majority of respondents (57%) said such incidents cost enterprises 1-3% of revenue; another 10% said the cost was 4-6% of revenue, and 3% put the cost between 7-10% of revenue.  About one-third (30%) put the cost at < 1% of revenue.

The Human Problem in CISO Demand

The market for CISOs is likely to remain highly competitive as demand continues to outpace supply.  More importantly, some CISOs seem open to jumping ship.  About half of all respondents (51%) to the Security Current survey “said they would be open to accepting a new position in 2017.”  While about the same number (47%) cited the chance to earn more money as a motivation for a job change, “other influencing factors included more visibility to the board and executive leadership team as well as an equity stake.”

To that end, it’s not just money or even demand that makes recruiting the CISO role so challenging, as New York University Professor Nasir Memon explained to the New York Law Journal.

"Security is not just a technical problem," he said in an interview for a piece titled, FBI Official: Feds Can't Compete With Top Tech Companies for Cybersecurity Analysts. "It's a legal problem. It's a policy problem. It's a human behavior problem."

* * *

What do you think?  Are you addressing the legal, policy and behavior challenges related to security?  Are your security challenges being starved of appropriate funding?


Photo credit: Pixabay (CC0 1.0)

Cliff Notes to 3 Notable Cybersecurity Studies


There have been several new cybersecurity reports published since the beginning of the year. It’s hard enough to keep pace with security events, let alone the studies about the events, so we’ve put together a cliff note version for the time-strapped security professional.

Each section provides a link to the underlying source along with links to news and commentary around the study for additional review. 

Interestingly, in mulling over the aggregate of data, the trend line appears to follow a trajectory like this:  incidents and breaches are up and so security budgets are shifting to address the business problem.

This post provides a short summary and links to underlying sources recommended for additional reading.   Here are the cliff notes to these three cybersecurity studies:

1) Costs add up as Cyber Incident Volume Grows

More than 85% of executives experienced a cyber incident over the past year, per Dark Reading.  The data stems from the 2016/2017 Global Fraud and Risk Report by Kroll, which commissioned Forrester Consulting to survey 545 executives.

It’s worth noting that an “incident” is not necessarily synonymous with a breach.  The Dark Reading report summed up the type of incidents this way:
  • 38% experienced theft or loss of intellectual property
  • 33% reported virus attacks
  • 26% experienced phishing attacks in email

Interestingly, the origin of many cyber incidents could belong to a familiar face. “Nearly half (44%) of respondents hold insiders responsible for cyber incidents; more than half (56%) say insiders were ‘key perpetrators’ of security problems.”

“Statistics prove that more risk exists within an organization,” wrote Ryan Francis, the managing editor of CSO. He put together a handful of tips on how to eliminate insider threats.

Technology trade publication eWeek honed in on the costs of such incidents.  The majority (57%) reported that such incidents cost enterprises 1-3% of revenue. Another 10% of respondents said the cost was 4-6% of revenue, and, alarmingly, 3% put the cost between 7-10% of revenue.

2) Data Breaches Set U.S. Record in 2016

There were more than a thousand U.S. data breaches in 2016, which was a 40% increase over the previous year and set an all-time record.  More specifically, a report by the Identity Theft Resource Center (ITRC) and CyberScout put that number at precisely 1,093 – well above the 780 breaches reported the previous year.

The organization has tracked breaches across five sectors since 2005.  The business sector experienced the most breaches with 494 in 2016, while the financial sector experienced the least with 52.  The report suggested recent efforts to make breach information publicly available may have been a contributing factor to the spike.

In a news analysis for Light Reading, Security Editor Curtis Franklin places this into context:

“Regardless of the source, there's no doubt that the number of records involved in data breaches in 2016 was huge. A quick scan through the list of breaches made public in 2016 (though the list includes some breaches that occurred in previous years) shows more than 2.3 billion records revealed to unauthorized individuals. And those compromised records carry a steep cost. Per the 2016 Cost of Data Breach Study, Global Analysis conducted by the Ponemon Institute, the average cost per lost record is $158, with an average cost per breach of $4 million.”

Hacking, skimming or phishing “attacks accounted for 55.5 percent of breaches in 2016, an increase of 17.7 percent over 2015,” per reporting by eSecurity Planet.  “Accidental exposures of information by email or online came in second at 9.2 percent, followed by employee error at 8.7 percent.”

The attackers were “sophisticated, extremely creative and dogged” in their pursuit of information, the target of which appears to have shifted.  More than half (52%) of breaches involved social security numbers (SSN), which rose 8% over 2015, while roughly 13% targeted credit or debit card information, which was down 7% from the previous year.

“The spike in SSN exposures is in clear alignment with the surge of CEO spear phishing attacks, which target this type of information,” per the report. 

3) Security Budgets Shift Towards Detection

Enterprises are increasingly concerned about existing cyber threats and are shifting their budgets to more thoroughly address detection, per an Anderson Research survey reviewed by Help Net Security.  Upwards of three-fourths of security budgets have been allocated to traditional breach prevention tools, but the findings indicate nearly half may soon be dedicated to detection tools.

“These numbers validate that organizations are adopting an ‘assumed breached’ security posture and are now looking to modernize their security infrastructure with tools that provide accurate in-network threat visibility and will improve their efficiency in post infection detection and response,” per the article.

Noteworthy statistics from the survey include:
  • 70.3% of respondents are more concerned about in-network threat detection than in previous years.
  • 51.9% say current security defenses reliably prevent cyber threats
  • 54.5% say they lack visibility into threats inside the network
  • 52.2% say they receive too many false positive alerts
  • 59.2% say correlating attack information

“There have been too many breaches in the past to suggest that prevention tools alone can protect organizations,” per an online statement by Attivo Networks, which sponsored the survey.

Indeed, the hunt for threats already inside the firewall appears to be on.  As our own CEO, John Trauth, recently remarked:

“The reality is threats already exist inside the firewall leaving organizations at risk and security analysts with the near impossible task of keeping up in a complex infrastructure. IT Security must layer in new methods of detection aimed at the east-west traffic to mitigate threats and reduce complexity, dwell time and time to containment.”

* * *

What do you think? Will a shift in cybersecurity focus and investment to detection help ensure the final tally for this falls short of the records set last year?


Photo credit: Flickr, Blogtrepreneur, Hacker (CC BY 2.0)

Bricata Heading to RSA 2017 with Momentum!

Bricata is headed to the 2017 RSA Conference in San Francisco, February 13-17, with momentum stemming from a recent deal with Cylance to strengthen its solution with artificial intelligence and from recently being named among “vendors to watch” in the 2017 Gartner report: Magic Quadrant for Intrusion Detection and Prevention Systems.

The Gartner report lists several use cases driving the continuation of the IDPS market. “IDPS continues to be a significant network security market, but needs to start addressing the internal use case better that covers protection of internal assets, and helps detect and prevent lateral movement,” wrote the report authors Craig Lawson, Adam Hils and Claudio Neiva, who are all analysts with Gartner.

The market has a pressing need for new cybersecurity technologies that proactively hunt for advanced persistent threats (APTs) that are already inside the firewall. By proactively hunting for threats, dwell time of malware is decreased and time-to-contain APTs is accelerated. Indeed, the integration with Cylance adds one more layer of inspection to address the challenge of detecting and hunting for threats within the organization by bringing to market a solution that weaves together three leading threat detection engines.

Bricata adds open source engines (Suricata and Bro) to provide signature-based protection and scripting that hunts for undetected threats through pattern matching, variance and behavior anomalies, while the integration with Cylance adds machine learning analysis of the files carved for inspection and scoring to address zero-day threats.

Our sense of momentum is being fueled by the traction and interest we are observing in the market for tackling the cybersecurity problem differently. Many of the recent high-profile breaches can be traced back to the presence of undetected malware inside the network.  Enterprises need to evolve their security strategies to layer in an active hunting capability alongside detection and prevention strategies.

We will be demonstrating the resulting technology integration at the RSA Conference in Booth #536 in the South Hall of the RSA 2017 conference. 

* * *


Gartner Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Cyberthreat Evolution Shifts Emphasis to Proactive Detection and Prevention

More than 20 million sensitive documents were extracted from the IT infrastructure of the Office of Personnel Management (OPM). The breach enabling the extraction wasn’t discovered until more than six months later, when the first indicators of malware were discovered, which triggered an incident response. That’s according to a recent webinar conducted by the Cylance team titled, Dissecting the OPM Breach (recording available with registration). The webinar walks viewers through a case study of the incident and lessons learned.

OPM is essentially the “central human resources department” for the federal government and keeps records on millions of employees and contractors. Cylance, which is the first company to incorporate machine learning into advanced cyberthreat detection and prevention, played an instrumental role in discovering and remediating this high-profile cybersecurity incident.

It took 10 days for Cylance to triage – time-to-contain – approximately 2,000 pieces of malware. However, significant damage was already done.

Personnel records, fingerprints and security clearance application documentation, known as a Standard Form 86 (SF-86), were all taken from OPM systems between July of 2014 and early 2015. The presenters noted evidence to date suggests the breach was likely performed by a nation-state for intelligence collection.

Clearance records contained background information on federal employees and military personnel, including any foreign contacts and overseas travel in which they’ve engaged. This is information that can be mined, analyzed and correlated for intelligence purposes. To place the sensitivity of these documents into context, the Cylance team cited commentary from FBI Director James Comey at the time:

“My SF-86 lists every place I've ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”

Unknown Unknowns

The OPM breach highlights how the cyberthreat environment has evolved, according to Thomas Pace, a Cylance incident response consultant, and the primary webinar presenter. We’ve gone from broad brush attacks using malware like worms without a specific target, to highly sophisticated attacks, seeking specialized information and using advanced persistent threats.

The tools for launching attacks have gotten easier to use and the execution more methodical. Mr. Pace said a hacker could configure a modern hacking tool and launch an attack within an hour. Similarly, the community has largely begun to describe cyberattacks in stages akin to a military operation: reconnaissance, infiltration, actions on the objective and exfiltration.

One of the most unsettling aspects of modern cybersecurity threats is that the originating malware can disguise itself and live inside an IT environment for months without being discovered – dwell time. The attackers simply wait for the right opportunity to execute. To that end, IT organizations literally don’t know what they don’t know. To build on a famous phrase from a former U.S. Secretary of Defense, the IT security community is dealing with “unknown unknowns.”

The Best Defense is a Good Offense

The cyberthreats of today involve “persistent and motivated attackers” with a specific target in mind, according to Mr. Pace. They are using “advanced extortion tactics” and “advanced infection vectors” such as cross-platform malware. The attacks are different and so the remedy must be different as well. Sure, we still need signatures, but we also need behavioral analysis, anomaly detection and the benefit of machine learning. More importantly, the cybersecurity posture of today needs to be proactive rather than reactive – the best defense is sometimes a good offense.

This is where Bricata and Cylance share the same philosophy. As our recent announcement indicated, we've partnered with Cylance to embed their technology into our network appliance and virtual solution. The combined solution will integrate three detection engines, including artificial intelligence to provide advanced intrusion detection, reducing complexity, dwell time and time to containment.

“The combined approach is the only commercialized solution of best-of-breed technologies, Open Source and partner developed, in concert with our intellectual property addressing today’s zero-day market requirements of threat evolution,” said Bricata CEO John Trauth. “The reality is threats already exist inside the firewall leaving organizations at risk and security analysts with the near impossible task of keeping up in a complex infrastructure. IT Security must layer in new methods of detection aimed at the east-west traffic to mitigate threats and reduce complexity, dwell time and time to containment.”

* * *

What are you doing to go on the offense and hunt for the Unknown Threats? It's not if or even when; you have already been breached. How are you hunting?


Photo credit: from the Cylance webinar presentation

Remote Locations: Soft Targets Make Great Footholds

A short time ago, in a remote office a few internet hops away….

Given recent trends in overall corporate spending on security solutions, most companies are now armed to the teeth, much like the Empire in the Star Wars series of movies.  More weapons to stop, frisk, and ultimately eliminate the bad guys in data centers are always a great thing, but as the saying goes, the bigger they are, the harder they fall.  Most organizations that have made security breach headlines in recent years have done so not because they failed to arm themselves with increasingly complex and sophisticated security tools, but because they failed to do the little things, like getting visibility into network traffic in small, remote offices. This has become a glaring weakness in the attack surface of most organizations.

It is easy to understand how this happens. Security defenders are typically constrained in three dimensions: budget, time (in terms of people resources) and being viewed as inhibitors to efficient operation of the network (“you want to put ANOTHER device into my network?!?”). As a result, most of the security budget and time is spent protecting what is easily understood and easiest to communicate to management, i.e., the known critical informational resources and assets sitting in the main data center or corporate headquarters. It becomes much harder to justify putting an IDS in those 120 remote offices that only have 10-20 people, and which have limited information of any measurable “theft value” to the bad guys. Moreover, just managing 120 more devices could be viewed as a challenge with limited manpower on hand. Other locations such as stores or branches that handle customer transactions are more important to protect, but those can number into the hundreds (or thousands) of locations, further exacerbating the cost/resource challenge most organizations face.

Without basic network traffic visibility, the security team does not understand what is considered normal or abnormal on the LAN, from user activity to devices, from applications to protocols, which essentially renders the location a soft target. This basic data can be the difference between understanding when an attack is underway and a company becoming another data point in the industry-average Median Time of Compromise to Discovery – a whopping 146 days!

Many remote locations are Internet connected, whether sanctioned or not. If I had a nickel for every time an assessment turns up a rogue wireless access point set up by some clever employee…. Further, these locations are all connected back to the central network. If an attacker can compromise a remote location, it’s an effective foothold to get onto the main network.

Every Internet connection should have basic security, including a firewall for access management and an IDS for threat detection. Most organizations fail to adequately provide for these two security functions, opting to use the most basic security functions provided by the network router, opting for the passé UTM or opting to “take their chances.” Routers weren’t built to stop attackers, UTMs fail because of performance tradeoffs and “taking your chances” should be left to bets in a casino. Moreover, each of these baling-wire approaches gives the security professional insufficient log evidence to back track when a breach is discovered.

Bricata has developed a small office IDS appliance that is purpose-built to reduce the total cost of ownership for protecting large numbers of locations. Combining a low-cost, high-performance sensor with an easy-to-use central management console, Bricata makes it affordable to monitor, detect and protect against external threats in remote locations. The next generation network sensor leverages a multitude of open source technologies to achieve the low cost-to-detection ratio many companies have been seeking. The sensor includes a Suricata IDS threat engine that leverages the traditional IDS signature approach as well as a Bro network sensor engine that leverages a protocol analysis approach for detecting anomalous patterns and behaviors on a network. Lastly, the sensor includes a PCAP solution that maintains from days to weeks of historical network traffic data useful during alert analysis and investigations.