Security Analysis for Humans

Following a highly enjoyable and usefully challenging conversation with Eric Leandri from Qwant.com I was inspired to consider some guiding principles for conducting security analysis.

With an obvious hat tip to the Zen of Python the following is what I am aspiring to meet in the increasingly data-driven security consulting work I am engaged in:

 

If it’s hard to explain, it’s probably bad analysis.

If you’re not making a decision easier what’s the point?

Hypotheses without goals are pointless.

Measurement without hypothesis is not analysis.

Explicit and transparent analysis matters.

Beautifully designed output matters.

Readability matters.

 

 

I’d love feedback from anyone else working in the field.

Protecting Information About Networks, The Organisation and Its Systems

I recently wrote a report with a number of colleagues for the Centre for the Protection of National Infrastructure (CPNI) on the Network Reconnaissance phase of a targeted attack following initial exploitation. The report covers what is targeted, how the attackers operate and what controls help. Below is a summary infographic and below the cut is the briefing presentation I delivered and the full report.

Infographic:

Read the rest of this entry »

Big Data Security Analytics Paper

I wrote this paper with a colleague recently. A practical guide for getting started in Big Data Security Analytics. This should be the first of a series of posts on the application of big data technologies and data science approaches to cyber security.

I understand the impact of pervasive mobile, I get the risks of ‘consumerisation’ and I can see the challenges of cloud but it’s the opportunities of big data that have me excited about the future of security, both cyber security and traditional information security.

Cross-Domain Gateway Functions

Cross-Domain Gateways are a concept from multi-level government and military networks that are increasingly being deployed into traditionally flat commercial networks. I’ve spoken before about ‘trust zones‘ and the concept of choke-points between trust zones concept combined with a view of the threat exposure for each trust zone underlies the need for cross-domain gateways. (Domain is the historical term commonly used in government and military settings for zones of trust.)

There are a wide variety of applications to which cross domain gateways can be applied and a wide variety of gateway patterns and designs. However there is a common set of possible gateway functions that such patterns and designs can commonly call upon.
Read the rest of this entry »

Follow the Money

When we talk about security with the business we need to talk about money.

I have occasionally run into colleagues whose answer to risk-based governance approaches and performance-based management approaches has been to say “Show me the money!”. I understood their desire to see security operate in the language of business but was always reticent to jump feet first into financially-driven security for a couple of reasons; firstly  I just couldn’t see how we could put a reliable value on what we did and secondly I was nervous about what that might expose. In hindsight I find myself increasingly becoming a financial fundamentalist for security.

Business is fundamentally the generation of profits to maximise the returns of investors. It is the result of one equation:

Profit = Revenue – Costs

Read the rest of this entry »

Twitter RSS