
Information Security


"What's your infosec key learning from 2015?"


We asked this question of a number of minds in infosec and got a variety of answers. Below are the responses from some of our brilliant and insightful friends in the infosec community, including from within our own lovely Rapid7 team. The responses varied from brief to elaborate, and touch on changes in perceptions within infosec, as well as broader trends that will affect infosec from the outside. We hope these reflections will prompt you to share your own key learnings as well -- let us know what your big takeaway from the year has been in the comments below.


Chris Hadnagy (@humanhacker), President and CEO of Social-Engineer Inc

It is easy for us to say: "We saw more social engineering in attacks this year."  It would be true but vague.  So let me tell you what I really saw in more detail.


Phishing - massive rise in the complexity, frequency, branding and realism of phishing emails.  This year wins the award for most realistic phish in an email scene. We found a site on the dark web that offers a paid service to malicious phishers to spellcheck, grammar check and increase click ratio or money back.


Rick Holland (@rickhholland), Vice President and Principal Analyst at Forrester Research

The key highlight for me is that there is no such thing as a cybersecurity sprint. The path to building resiliency isn’t through a 30 day run. It is more like the Marathon des Sables, a 155 mile run through the Sahara desert that you then have to run over and over with no legs. There is simply no cybersecurity finish line.


David Kennedy (@HackingDave) CEO and Founder of TrustedSec, Founder of DerbyCon

I think the focus of 2015 really started to be a positive motion on detection. Companies truly realizing that prevention isn’t always a sure sign and focusing on what attackers are doing. I think we’ll continue to see this moving forward. We also know that the attackers haven’t gotten smaller – only larger and that the breaches themselves continue to have a high impact on reputation and damages to the company. 2015 didn’t really trend anything new per se — it's been the same types of attacks time and time and the same methods of exploitation – client side, third party connectivity, and perimeter attacks as main vectors.


Katie Moussouris (@k8em0), Chief Policy Officer at HackerOne

2015 seemed to be the year that the general public, governments, and the IT industry woke up to opposing sides of a common goal: protecting human safety and human rights when technology can be used to cause harm. We saw this highlighted in the unprecedented unification of big and small businesses with security researchers to oppose the overly broad Wassenaar language that regulates the export of intrusion software technology and tools, which can be used by defenders as well as criminals. We also saw a broad interest increase among technologists, consumers, and mainstream media in hackable vehicles and other technology that is part of everyone's daily life. We also saw some significant data breaches across enterprise and government targets, driving up both the awareness of internet security threats, as well as the understanding that all infrastructure is vulnerable to attack, especially when there is something significant worth protecting.


Wendy Nather (@RCISCwendy), Research Director at the Retail Cyber Intelligence Sharing Center

I totally agree with Rick [see above] that there’s no such thing as a cybersecurity sprint. If you think of it as a cybersecurity lifestyle (nobody is Born This Way), you’ll understand why it’s so hard to change an organization's habits permanently, and why so many are subsisting on the equivalent of junk food (AV).


Kurt Opsahl (@kurtopsahl), Deputy Executive Director and General Counsel of the Electronic Frontier Foundation

2015 illustrated the challenges and opportunities presented by the Internet of Things. We saw vendors add connectivity to goods, introducing new capabilities, but also new attack surfaces. The challenge was for vendors, sometimes new to infosec, to react well to vulnerability reports, and fix the problems. Tesla showed how to do it well when its CTO shared the stage at DEF CON with security researchers, and Volkswagen showed the challenges remaining, when a paper, suppressed for two years by legal action, was finally unveiled this summer.


Tod Beardsley (@todb), Security Research Manager at Rapid7

2015 saw a marked interest in the security of non-computer devices, such as smartphones and cars, and I believe that this will inform where research – both legitimate and criminal – will go in 2016. We are on the hockey stick of growth for the population of connected devices, and we have an opportunity, now, to get ahead of the security problems that so far have plagued non-traditional computers ranging from toys to personal tools to industrial control systems.


Rebekah Brown (@pdxbek), Threat Intelligence Lead at Rapid7

Communication is HARD! In infosec, we often have great answers to problems, but our messages don’t always get across – not to end users, not to the Board, sometimes not even to other teams we work with day in and day out. In 2015, we saw more and more people focus on the nuanced skill sets that enable better communication of security issues.


Jen Ellis (@infosecjen), Vice President of Community and Public Affairs at Rapid7

In the wake of the Sony breach and several widespread, high profile vulnerability disclosures last year, we entered 2015 with a noticeably pronounced emphasis on cybersecurity in the Government. The White House issued three legislative proposals, held a cybersecurity summit, and signed a new Executive Order, all before the end of February. Since then, we’ve seen the OPM breach drive huge dialogue on cybersecurity across the Government sphere – every office and agency is now building a position on this topic. Congress has passed three cybersecurity information sharing bills, and introduced dozens of other bills with cybersecurity provisions, and a number of agencies in the Administration have been engaged in debate over new export controls for intrusion technologies.


While cybersecurity legislation is not, in and of itself, new or surprising, the shift in tone and focus is. Firstly, cybersecurity is a far more widespread priority across both branches of Government in a way we have not previously seen; and secondly, there is a much greater desire and emphasis on engaging the security community in the discussion. The Legislature and Administration are actively seeking security expertise to work with as they try to navigate the complexities of the landscape to build productive policy. We have seen this in the engagement to find the right approach to implementing the Wassenaar Arrangement in the US, and in various Congressional offices seeking assistance from security professionals to vet legislative language. We’ve seen the Departments of Justice and Commerce both actively engaging the security community on multiple fronts, as has the Federal Trade Commission (FTC) and the Food and Drug Administration (FDA), and countless others. We even saw an exemption for security research approved for the Digital Millennium Copyright Act (DMCA) this year.


Trey Ford (@treyford), Global Security Strategist at Rapid7

Less is more.


Security professionals need to be more deliberate in upward communications. Your title doesn’t matter (CISO to Security Manager) — when communicating to senior executives, give a clear, simple and consistent message. Too much data, too much distraction and reactionary reporting and commitment to technical accuracy is killing us.


Guillaume Ross (@gepeto42), Senior Security Consultant at Rapid7

The highlight for me has been seeing more coverage in the regular news, as well as more interest from executives in general with regards to infosec/cybersecurity. It felt that for a few years, security was stagnating, or even getting worse, as environments started becoming more complex as companies adopted a mix of Cloud services, authentication beyond their perimeter and to new types of devices with varied levels of controls. PCI DSS pushed compliance forward while leaving security in the back seat, but now it feels like the balance is truly shifting towards actually caring about security. While things like this can’t happen in a very short period of time, it does feel like the pace of acceptance for security, as well as for the need not to have perfect security but ways to mitigate the inevitable incident, has accelerated in the last year.


Corey Thomas, President and CEO at Rapid7

The key learning for me in 2015 for the infosec industry is that the bottleneck has shifted from awareness to skills and expertise.

If I had a nickel for every time I read about the “security skills shortage”…well, suffice to say that everyone seems to lament the lack of strong talent in this industry, and the low number of eager young graduates seeking to start a security career. So what better topic to explore by way of follow-up to the 2-part blog: Security Budget Tips from CISOs, for CISOs? (To recap: I’m interviewing CISOs for their guidance on select infosec issues.)


Hiring and managing a capable workforce is arguably just as integral – and, dare I say, challenging – as setting a budget plan. (Personal aside: management has been core to many of my past roles, I’m quite passionate about people!) Any good business leader knows that without the right people on your team, you’ll never get to where you need to go.


First off, let’s ask: Is the talent gap fact or fiction? Is it real, or is mass hysteria making us blind to the fact that the emperor isn’t wearing any clothes? By way of response, here are some soundbites from the CISO interviews I conducted:


  • “Finding the right people is near impossible.”
  • “My company is based in NYC, where a lot of talent tends to pool, and we almost always get outbid by the highest paying firms, typically banks.”
  • “There just aren’t enough people coming into [this profession] anymore. Those that do don’t have the right depth or experience.”
  • “I have high expectations from my security people, and yet I’m getting applicants who want to be architects and can’t tell me what a three-tier design looks like. Or someone who calls himself a senior appsec guy, but can’t tell me any of the OWASP top 10.”


In a word: Yes. It’s real.

The security community, on the whole, is full of skeptics, so it’s pretty far-fetched to think that security professionals would all fall victim to a myth, even if it is widely propagated. The perceived “talent meccas” like NYC and Silicon Valley compete heavily to attract qualified individuals. Conversely, CISOs who weren’t based in a large metropolis said that company location was a huge impediment to hiring, particularly at the lower levels where applicants are ostensibly younger. One interview subject, however, was an outlier: “[My company] is fortunate because people want to work here. We’re in an unusual position: people know and love us.”


Which brings us to the first takeaway:

Culture! It Matters.

It’s not surprising that brand awareness and company reputation can affect the number of job applicants. But even CISOs at smaller, less well known organizations benefit from upping their public profile. “When you’re out recruiting, reputation will lead,” a CISO told me. “People will inevitably look you up, so have a consistent persona. Leadership honesty and transparency matters – these people can smell BS a mile away.” This is one of many reasons security leadership should prioritize live events, speaking, and recruiting.


Getting publicity for security efforts requires interacting with people outside of the security team. “We’ve worked at publicizing what it’s like to work here,” said another. “That strategy has been effective. It’s helped to communicate what we’re doing in terms of security, and it’s given me a chance to work with our editorial department, PR, and some of the engineering teams. You just can’t be siloed as a security professional.” (Remember the CISO who called his job a “matrix discipline”?)


Nothing Lasts Forever

A strong culture not only helps with retention; it also pays off (no pun intended) during contract negotiations. Although money talks, it’s not always the #1 selling point – especially for young professionals looking to build a strong foundation for their career by developing their knowledge base. Personalized guidance and continuous learning are core to retention.


“I like to emphasize that, after three years here, you’ll be a security ninja,” said a CISO. “I’ll spend the money to give my team career guidance, to make sure the people who deserve it get to go to DEF CON each year.” Another echoed this mentality: “I like to work with entry level candidates on a 2-5 year growth path. I realize they may not be here forever, but I want to focus on giving them the right tools and a good experience.”


Several of the CISOs I spoke with had a similar personal contract with their team: “Please don’t leave without letting me help.” Many of my past teammates allowed me to coach them, make introductions, provide personal endorsements, and even coach them through the negotiation process. Teams with enough trust to discuss growth, development, and transitions with their management have reputations in the industry: they are families people seek to join.


Always Be Recruiting

As I emphasized in my budgeting blogs, having the right headcount is key. And you shouldn’t rely exclusively on recruiters to source candidates.


“To steal from Glengarry Glen Ross: Always be recruiting,” one CISO told me. “I met a history student and ended up hiring him because I thought he had the right skillset. If you’re the kind of person who doesn’t need a recipe to cook, then you might survive in security. I want someone with just the right level of insanity.”


The moral of that particular story was that talent can come from unexpected places, and a lot of the CISOs I spoke with said that looking in the usual places can also be worthwhile. Consistently sourcing qualified candidates will ensure that you aren’t left hanging in the wake of an unexpected employee departure. Let’s face it: attrition is inevitable.


Another CISO advised: “Take the three best security professionals you know, and ask them to work for you. If they won’t, then ask for the three best people they know.” I asked another interview subject what recruiting tactics have worked for him. “What works is getting my staff to find friends,” he responded. “I send them to trainings where they can meet people and, hopefully, convert them. HR can only do so much in terms of hiring. I pay 5k USD to anyone who makes a referral we hire.”


Colleges, of course, are fertile hunting grounds. “I like to pull in two to three college interns each summer,” a CISO told me. “Those that show promise, we will groom and take on at the end of their school year. Admittedly, they’re starting off with grunt work: risk analysis if someone wants to open a firewall, or figuring out what caused an alarm.”


The “always be recruiting” mantra doesn’t just apply externally, either. Several CISOs recommended looking within your organization: “I try to ID testers, or QA people who are hungry to learn more. Then I train them up, if the role is right.” Some companies have a strong culture of growth and internal promotion, while others look down on “poaching from other teams”; your partner in HR or people and culture can guide you.




Obviously this is going to be a multi-parter. Stay tuned for the rest!


If you've got ideas you want to share (experience, tips or tricks), reach out!


The concept of hunting for threats is being hyped by media and vendors – creating a marketing smokescreen of confusion around what hunting is, how it works, and what value looks like when hunting is done effectively. Your security team’s ability to hunt is primarily affected by the maturity of your security program, your threat profile, and your resources.

Hunting is searching for malice on your network

The security lifecycle can be described in a number of ways; I think a good way of describing the cybersecurity framework is “PREVENT-DETECT-CORRECT.”


Hunting powers all three stages, by digging through mountains of data to detect and identify irregularities, in an effort to inform more effective correction and prevention. If we were to define hunting:


“The act of using what you know about the network and what you know about attackers to identify anomalies indicating malice without any specific indicator or signature.”


We want to make bad actors work harder to get in (informing prevention), get caught quickly (better instrument detection), and make it expensive for them to find their way back into the organization (correct or instrument the soft spots in the business where attackers now risk getting caught and held accountable.)


Detecting known IOCs (indicators of compromise) isn’t really hunting

Many vendors claim they offer a hunting solution where what they’re actually doing is basic signature detection. Here’s an example: a vendor adds a newly published indicator of compromise, such as a file hash, from some random threat intelligence feed to a tool that searches for this indicator across the network.


The act of identifying when a new IOC hits is not hunting, it is an alert. As alert validation takes place those indicators are tuned, and the signal-to-noise ratio tells the analyst whether the indicator is finding malice, or if they are wasting their time on a bad IOC.


Hunting allows an analyst to identify evidence of malicious activity without existing threat intelligence signatures. By gathering large amounts of specific metadata throughout a network, analysts can perform techniques such as frequency analysis to determine the rarity of an artifact. These techniques may equip teams that are ready and able. For those that are not yet ready to hunt, we recommend partnering with experts to make this form of intelligence useful.
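To make the distinction concrete, here is an added example (not code from the original post) that runs both approaches over a small, constructed set of endpoint process records: `match_iocs` does what the vendor tool in the previous section does (hash lookup against a feed, an alert to validate), while `rare_artifacts` and `masquerading` hunt by frequency analysis, stacking each (path, hash) pair by the number of hosts it was seen on and flagging the outliers. Hosts, paths and hashes are made up for the example; the value in `KNOWN_BAD_HASHES` stands in for an indicator pulled from a threat-intelligence feed.

```python
"""Added example, not from the original post: IOC matching (an alert) versus
hunting by frequency analysis, over constructed endpoint process telemetry."""
from collections import defaultdict

# Constructed telemetry: (host, image path, sha256-of-image placeholder).
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\System32\svchost.exe", "aa11"),
    ("ws01", r"C:\Windows\explorer.exe", "bb22"),
    ("ws02", r"C:\Windows\System32\svchost.exe", "aa11"),
    ("ws02", r"C:\Windows\explorer.exe", "bb22"),
    ("ws02", r"C:\Program Files\Vendor\agent.exe", "ee55"),
    ("ws03", r"C:\Windows\System32\svchost.exe", "aa11"),
    ("ws03", r"C:\Windows\explorer.exe", "bb22"),
    ("ws03", r"C:\Users\Public\svchost.exe", "cc33"),  # wrong directory, unknown hash
    ("ws04", r"C:\Windows\System32\svchost.exe", "aa11"),
    ("ws04", r"C:\Windows\explorer.exe", "bb22"),
    ("ws04", r"C:\Program Files\Vendor\agent.exe", "ee55"),
    ("ws05", r"C:\Windows\System32\svchost.exe", "aa11"),
    ("ws05", r"C:\Windows\explorer.exe", "bb22"),
    ("ws05", r"C:\Users\bob\AppData\Local\Temp\update.exe", "dead0001"),  # feed IOC
]

KNOWN_BAD_HASHES = {"dead0001"}  # placeholder for an indicator from a feed


def match_iocs(events, iocs):
    """Signature-style detection: (host, path) for every event whose hash is a
    known IOC. Finds only what the feed already knows about; this is an alert
    to validate, not a hunt."""
    return [(host, path) for host, path, sha in events if sha in iocs]


def stack_by_hosts(events):
    """Frequency analysis ('stacking'): on how many distinct hosts was each
    (path, hash) pair observed?"""
    hosts = defaultdict(set)
    for host, path, sha in events:
        hosts[(path, sha)].add(host)
    return {key: len(seen) for key, seen in hosts.items()}


def rare_artifacts(events, max_hosts=1):
    """Artifacts seen on at most max_hosts hosts, rarest first. No signature is
    involved: in a fleet built from one image, rarity itself is the lead."""
    counts = stack_by_hosts(events)
    return sorted((n, path, sha) for (path, sha), n in counts.items() if n <= max_hosts)


def masquerading(events, min_common_hosts=3):
    """Uses what you know about the network: a file name deployed fleet-wide
    from one location that also shows up with a different path or hash on a
    few hosts. Returns (path, hash, host_count) for the odd variants."""
    counts = stack_by_hosts(events)
    by_name = defaultdict(list)
    for (path, sha), n in counts.items():
        by_name[path.rsplit("\\", 1)[-1].lower()].append((n, path, sha))
    findings = []
    for variants in by_name.values():
        if not any(n >= min_common_hosts for n, _, _ in variants):
            continue  # nothing widely deployed under this name to compare against
        findings.extend((path, sha, n) for n, path, sha in variants if n < min_common_hosts)
    return sorted(findings)


if __name__ == "__main__":
    print("IOC hits:", match_iocs(SAMPLE_EVENTS, KNOWN_BAD_HASHES))
    print("rare artifacts:", rare_artifacts(SAMPLE_EVENTS))
    print("masquerading:", masquerading(SAMPLE_EVENTS))
```

Note what each approach finds: the feed hash catches `update.exe` and nothing else, while stacking surfaces the `svchost.exe` copy under `C:\Users\Public` that no feed has a hash for, purely because it is the one deviation from an otherwise uniform fleet. At production scale the same logic runs as a group-by over your endpoint or Sysmon data rather than over a Python list, and the rarest results become investigation leads, not alerts.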


Stated simply, lots of alerts do not mean lots of value… it often means lots of time (and money) wasted.


Hunting is only part of threat prevention and detection

While this blog post is not a getting started guide, there is a bit of, “getting ready to do,” before you start hunting.


We will assume you have the minimum data sets ready for hunting to begin: network logs (firewall, proxy, VPN and other sources, WITH XFF headers enabled), server logs (Windows, Linux/UNIX, big iron, etc.: auth, event, security, configuration, etc.), service logs (DNS, HTTP, SMTP, etc.), and security tooling logs (network and application scanning, malware, file integrity, endpoint configuration, IDS/IDP, honey traps, tarpits, etc.), all flowing somewhere easily queried.


We will assume your program has all of the patching, hardening, scanning, vulnerability discovery, network segmentation, access control audits including employee add/remove/changes, strong authentication and other standard control sets.


Before pursuing commodity intelligence offerings, there are some strategic conversations to be had:

  • What are your key business challenges and concerns?
  • Where are the soft targets in your organization?
  • How will success be defined in your hunting program?
  • Do you have buy-in from business partners (IT server/endpoint/browser/line of business application/email/chat) teams confirming investigations and corrective guidance will be implemented?


For those doing this already, sorry for reinforcing the obvious. If these questions give you pause, we should probably talk.


Hiring experienced threat analysts for hunting is harder than you think

It’s extremely hard to hire quality threat analysts that are good hunters, and they come at a hefty price tag. Threat detection is growing faster than the market can supply specialists because it typically takes years of training and experience for an analyst to develop the experience through threat detection and response activities required to sniff out unknown threats. Even if they can afford the expense, many companies won’t be able to offer analysts the environment and career path they are looking for. One way to get hunting expertise for your team without having to build a highly specialized team is to work with a security services provider who offers hunting as part of their threat analysis and incident response packages. Rapid7's Analytic Response Services are a great example of this type of service. You'll also get a cost advantage because the technology and staffing required to stand up a 24/7 SOC will be spread over many clients.


Hunting primarily makes sense for high value target organizations and security vendors


Because having an in-house hunting team is costly, it makes sense in specific situations:

  • High value target organizations seeing attacks that nobody has ever seen before.
  • Mature security organizations who want to augment immature detection methods
  • Security monitoring vendors who are researching and adding unknown attacks to their detection methods


At Rapid7, our team of highly skilled incident responders hunts both on our own internal network and those of the customers that hire us. This helps us augment gaps in existing monitoring tools and build new detection methods for Rapid7 UserInsight, our user behavior analytics solution.


Invest in security initiatives that fit your capabilities and resources

When you build out your security program, look for technology that is a good fit for your team’s resource constraints and skill level. I see a lot of technologies in the market that require highly mature security teams that only exist in the largest enterprises and government agencies. Employing these in your organization will fail if your tools don’t match your maturity, resources, and skills. Our Program Assessment and Development Services can help assess where you are, build a road map of the steps that fit your threat profile and resources, and help you sell the plan to the executives and the board.


With Rapid7 UserInsight, we’ve focused on building a tool for companies that don’t have large scale teams for incident response but need great detection and investigation to detect and investigate stealthy attacks such as phishing, credential theft, and lateral movement. And once your team’s maturity grows, you can also use hunting techniques with UserInsight’s investigations feature. If you’re interested in learning more, check out the videos on the UserInsight page.

In January 2015, Rapid7 worked with Jack Chadowitz and published research related to Automated Tank Gauges (ATGs) and their exposure on the public Internet.  This past September, Jack reached out to us again, this time with a slightly different request.  The goal was to reassess the exposure of these devices and see if the exposure had changed, and if so, how and why, but also to see if there were other ways of identifying potentially exposed devices, since relying on a single request may have skewed our original results.


Scan Details


As you may recall, in the original study, we sent a TLS-350 Get In-Tank Inventory Report request (I20100) to all hosts on the public IPv4 Internet with 10001/TCP open.  A device speaking TLS-350 and supporting this function will respond with something similar to:


OCT  1, 2015  6:07 PM
<station number><station name>
<street address>
1  REGULAR               4812      4771     4708    44.45     0.00    71.95
2  PLUS                  3546      3507     5974    35.83     0.00    75.15
3  PREMIUM               3377      3344     6143    35.31     0.00    73.92


In the most recent study, completed on October 1, 2015, we repeated this request and also made the following additional requests:


  • TLS-350 System Revision Level request (I90200).  A device speaking TLS-350 and supporting this function will respond with something similar to:


OCT  1, 2015  6:18 PM
VERSION 131.02
SOFTWARE# 346330-100-B  
S-MODULE# 330140-145-a
0.10 AUTO
0.10 AUTO


  • TLS-250 Inventory Report on all Tanks request (200).  A device speaking TLS-250 and supporting this function will respond with something similar to the TLS-350 Get In-Tank Inventory Report response
  • TLS-250 Revision Level request (980).  A device speaking TLS-250 and supporting this function will respond with something similar to the TLS-350 System Revision Level response.


While there are literally hundreds of other TLS-250 or TLS-350 or other ATG TLS protocol variant commands we could be sending and attempting, the goal of these studies was to identify ATGs with unprotected dangerous functionality or sensitive information.  Attempting more of these commands likely would have identified more ATGs, however these protocols are not well documented, and, like so many other IoT things, we aren't so sure how resilient they are to repeated poking so it is best to play nice.  Plus, these ATGs are connected to tanks full of untold gallons of flammable liquid, so excess caution is not totally unwarranted.




When analyzing the data from January and October's ATG studies, each response to a particular request was categorized as follows:


  • Good: response appears to be a valid, non-error response for the protocol in question
  • Error: response appears to be a valid, error response for the protocol in question
  • Unknown: unknown data was received after connecting and attempting request
  • Empty: no data was received; either connection failed or no response upon connecting and attempting request
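The following is an added example, not the Metasploit module or the code Rapid7 used for the scans. It builds the four requests listed above, sorts a raw reply into the Good/Error/Unknown/Empty buckets just defined, parses an In-Tank Inventory Report of the shape shown earlier, and recognises the response profile the table below attributes to GasPot. Several framing details are assumptions taken from the Veeder-Root TLS-350 serial documentation rather than from this post: a request is SOH (0x01) followed by the command, a reply ends with ETX (0x03), and a rejected command is answered with the text 9999FF1B. The column names (TANK, PRODUCT, VOLUME, TC VOLUME, ULLAGE, HEIGHT, WATER, TEMP) follow the TLS-350 display layout, the station lines in `SAMPLE_REPLY` are constructed, and the "Good" test is a heuristic.

```python
"""Added example, not Rapid7's scan code: TLS-250/TLS-350 request building,
reply classification into Good/Error/Unknown/Empty, and inventory parsing.
Framing (SOH prefix, ETX terminator, 9999FF1B error text) is assumed from the
TLS-350 serial manual; the sample station lines are constructed."""
import re
import socket

SOH, ETX = b"\x01", b"\x03"
ATG_PORT = 10001
ERROR_MARKER = b"9999FF1B"  # assumed 'command not accepted' reply text

REQUESTS = {  # the four requests sent in the October scan
    "tls350_inventory": b"I20100",
    "tls350_revision": b"I90200",
    "tls250_inventory": b"200",
    "tls250_revision": b"980",
}

DATE_RE = re.compile(rb"[A-Z]{3}\s+\d{1,2}, \d{4}\s+\d{1,2}:\d{2} [AP]M")
TANK_RE = re.compile(
    r"^\s*(\d{1,2})\s+([A-Z][A-Z0-9 ]*?)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+(-?\d+\.\d+)\s+(-?\d+\.\d+)\s+(-?\d+\.\d+)\s*$"
)

# Constructed reply built around the sample report shown in the post.
SAMPLE_REPLY = (
    SOH + b"I20100\r\nOCT  1, 2015  6:07 PM\r\n\r\n"
    b"EXAMPLE STATION\r\n100 EXAMPLE STREET\r\n\r\n"
    b"1  REGULAR               4812      4771     4708    44.45     0.00    71.95\r\n"
    b"2  PLUS                  3546      3507     5974    35.83     0.00    75.15\r\n"
    b"3  PREMIUM               3377      3344     6143    35.31     0.00    73.92\r\n"
    + ETX
)


def build_request(name):
    """SOH + command; no trailing terminator (assumption from the TLS-350 manual)."""
    return SOH + REQUESTS[name]


def classify(reply):
    """The four buckets used in the post. 'Good' is a heuristic: a report-style
    date stamp, or an intact SOH...ETX frame, with no error marker present."""
    if not reply:
        return "Empty"
    if ERROR_MARKER in reply:
        return "Error"
    if DATE_RE.search(reply) or (reply.startswith(SOH) and reply.endswith(ETX)):
        return "Good"
    return "Unknown"


def parse_inventory(reply):
    """Tank rows from an In-Tank Inventory Report reply, one dict per tank."""
    tanks = []
    for line in reply.decode("ascii", "replace").splitlines():
        m = TANK_RE.match(line)
        if not m:
            continue
        tank, product, vol, tc_vol, ullage, height, water, temp = m.groups()
        tanks.append({
            "tank": int(tank), "product": product.strip(),
            "volume": int(vol), "tc_volume": int(tc_vol), "ullage": int(ullage),
            "height": float(height), "water": float(water), "temp": float(temp),
        })
    return tanks


def likely_atg(results):
    """Good or Error for at least one request: probably an ATG of some kind."""
    return any(r in ("Good", "Error") for r in results.values())


def is_gaspot_profile(results):
    """Empty for both TLS-250 requests, Good for the TLS-350 inventory request,
    Error for the TLS-350 revision request: the profile GasPot produces."""
    return (results.get("tls250_inventory") == "Empty"
            and results.get("tls250_revision") == "Empty"
            and results.get("tls350_inventory") == "Good"
            and results.get("tls350_revision") == "Error")


def probe(host, port=ATG_PORT, timeout=5.0):
    """One connection per request, short timeout, no retries: these devices sit
    on fuel tanks, so be gentle, and only test hosts you are authorised to."""
    results = {}
    for name in REQUESTS:
        chunks = []
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                s.sendall(build_request(name))
                while True:
                    chunk = s.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
                    if ETX in chunk:
                        break
        except OSError:  # refused, reset or timed out: whatever arrived is kept
            pass
        results[name] = classify(b"".join(chunks))
    return results
```

`probe("10.0.0.5")` returns a dict such as `{"tls350_inventory": "Good", ...}` that you can feed to `likely_atg` and `is_gaspot_profile`; anything that is Unknown or Empty for all four requests is, per the table below, almost certainly not an ATG. Keep in mind that an Error bucket hides two very different cases (an unsupported command versus a device that actually has a password configured), which is exactly why the post is cautious about reading that number as "protected".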


With this knowledge, we observed the following:


| Data Point | January (initial, TLS-350 only) | October (enhanced, TLS-250/TLS-350) | Notes |
|---|---|---|---|
| Default ATG TLS-250/TLS-350 port (10001/TCP) open | 1,712,285 | 1,070,728 | Our blacklist also increased by ~35m between these scans |
| Responded Unknown/Empty for all requests | n/a | 1,064,225 | 99.4% of the devices with 10001/TCP open are not ATGs |
| Responded Good for TLS-350 Get In-Tank Inventory Report request | 5,893 | 5,214 | This shows the change between January and now most accurately, though it is caused partially by blacklist increases and predominantly by natural fluctuation |
| Responded Good or Error for at least one TLS-250 or TLS-350 request | n/a | 6,502 | A rough representation of the number of ATGs that are likely directly exposed but not necessarily exposing sensitive data/functionality over TLS-250 or TLS-350 |
| Responded Good for at least one TLS-250 or TLS-350 request | n/a | 6,483 | A rough representation of the number of ATGs that are exposing sensitive data/functionality over TLS-250 or TLS-350 in some way |
| Responded Unknown for all requests | n/a | 5,260 | These devices are all likely not ATGs |
| Responded Error for at least one TLS-250 or TLS-350 request | n/a | 804 | These devices are all likely ATGs speaking TLS-250 or TLS-350, but our request was rejected for an unknown reason |
| Empty for all TLS-250 requests, Good for TLS-350 Get In-Tank Inventory Report request, but Error for TLS-350 System Revision Level request | n/a | 4 | This response profile aligns with how GasPot behaves |


As you can see from the table above, things haven't changed all that much.  The one data point that can be compared directly dropped by ~13%, but given that the number is so small to begin with (~5-6k), that our blacklist grew by ~5% (~35m addresses), and that what is exposed where changes all the time on the public Internet, I view this as an insignificant change.




While the drop in exposed, vulnerable ATGs in the last 10 months is insignificant, one fact becomes readily apparent and should be alarming -- there are over 5000 improperly protected, IoT-style devices connected to tanks storing millions of gallons of flammable, valuable liquids all over the world.  Jack Chadowitz, the community member we've been working with on this, recently presented his findings from this work at the 2015 ICS Cyber Security Conference in Georgia.


As mentioned in the original publication we did back in January, there are a variety of solutions to protect these exposed ATGs, including VPN or firewall-based solutions or simply configuring a secure password.  We cannot draw any conclusions about the number of ATGs protected by VPN or firewall-based solutions, because those solutions would prevent 10001/TCP from being found open in the first place.  Regarding the use of passwords as a solution, we can make a stretch observation.  We assume that any device with 10001/TCP open that either did not respond (Empty) or returned an Unknown response to all of our TLS-250 and TLS-350 requests is either not an ATG or is an ATG secured by other means; from that we take any device that responded Good or Error to be an ATG of some sort.  We know that 804 devices with 10001/TCP open responded Error, and there are several reasons why we'd get Error, including us sending an ATG request that the device just happened to not support or considered invalid, or authentication being configured.  In other words, some of those 804 devices may be using authentication, but how many is unknown and likely few.


To aid in identifying potentially vulnerable devices on your networks, we've added a simplistic Metasploit module for detecting and interacting with ATGs.  This was written and tested against GasPot, a honeypot simulating some ATG functionality, however it is likely to work on real ATGs as well; still, use at your own risk.


We welcome your feedback!

Hey everyone! I'm pleased to announce that we've put together another pretty fun research report here in the not-terribly-secret overground labs here at Rapid7: Understanding User Behavior Analytics. You can download it over here.


Modern enterprise breaches tend to make heavy use of misbehaving user accounts. Not the users -- the people typing at keyboards or poking at their smartphones -- but user accounts. The distinction between the people and their virtual proxies is important to keep in mind, since both human users and machine-controlled services are attractive targets for takeover by intruders. In fact, user account impersonation through either purloined passwords, weak authentication controls, or pass-the-hash attacks, continues to be the number one method that both criminal intruders and professional penetration testers rely on to gain and extend control over a target network.


Because user accounts are such a central aspect of breach activity, the burgeoning field of User Behavior Analytics (UBA) has become a critical component of modern security programs at many organizations.


This paper is intended to serve as an introduction to the key concepts that make up UBA, and is backed by the data collected by Rapid7's UserInsight UBA platform. Since UserInsight is now tracking over a million users across a wide array of medium-to-large enterprise networks, we believe that this paper can provide IT and information security practitioners some solid insight into what a typical network looks like from a UBA perspective.


So, feel free to sign up for my webcast later today. If you manage to catch it live or snag the recording (link TBA), you'll hear all about:


  • The security-relevant differences between human- and computer-controlled accounts
  • How cloud-based services can impact, but ultimately enhance, your internal security controls
  • The encroaching mobile device population, and how you can marshal them in defense of the enterprise
  • How and why lateral movement is so darn useful for attackers, and how it's a key indicator of anomalous account behavior.


If you're responsible for detecting, preventing, and responding to data breaches, snag the paper to get up to speed on what's going on in user behavior analytics and what UBA can do to make your job easier when it comes to spotting bad guys posing as legitimate users on your network. If you have any questions on UBA, feel free to yammer at me on Twitter.

First, if you aren't listening to the Risky Business podcast, fix that. Patrick Gray is my go-to source for infosec news.


In the News:

The insight we get into breaches is sparse, so be armed with these stories.

Every once in a while, we get an opportunity to use consumer goods for security and technology discussions - these articles should go in your quiver.


Technically Relevant:


Of Interest to Management:


Slightly Less Random

The CIA’s manual for how to be a terrible employee

(if this sounds like some place you've worked or consulted ... I'd rather you not leave that in the comments.)


As always, hope this is helpful!



Take the 10 Minute Survey here.


Incident Detection and Response is a growing challenge - security teams are often understaffed, the attack surface for intruders is expanding, and it's difficult to detect stealthy user-based attacks.


We want to learn more about your organization’s security team, including the challenges you’re facing today and plans for the future. Your feedback helps shape the products Rapid7 offers to make your job easier.


By taking this survey, you’ll receive a report with our full findings, and have a chance to win an Apple Watch. Feel free to share the link with your security colleagues. Thank you for being a part of the Rapid7 community!

CISO Series: Budgeting Part II


Hopefully you’ve read (and maybe even benefitted from) Part I of my CISO Budgeting blog. To recap, I interviewed a group of CISOs about how they use budgetary discussions for career growth, and what advice they’d give to others looking to set a budget plan. There were five key takeaways that came out of these interviews; here were the first three:


  1. Whatever you do, don’t under deliver.
  2. Budgets are about more than just the cost of technology.
  3. Prioritize your budget effectively. Understand what’s “must do” vs. “could do.”


Below are the remaining two.


Key Takeaways


4. It is a good time for security.

The conversation has changed, in a big way. Preaching that “we really need to do this” has been replaced. “The era of the mega breach has captured the attention of my business,” said one CISO, referring to the fact that when partners, customers, or even competitors are in the news, security typically skyrockets to the top of the business agenda.


Most of the CISOs I spoke with said that, while panic-inducing, large-scale breaches have contributed to a heavy atmosphere of FUD (fear, uncertainty, and doubt), they’ve also made security a boardroom topic. And that’s a reality they often use to their advantage. However, the question of just how much FUD is appropriate was a point of some contention.


On the one hand, certain CISOs acknowledged the underlying validity and usefulness: “Just because it’s FUD doesn’t mean it’s not true. I turn it on a little bit when finance pushes back on budget – when they ask, ‘Why are you telling me that you need this now, when it hasn’t been a priority in the past?’ I simply tell them that it’s stuff we should have been doing all along, and that we need to prevent ourselves from becoming a headline. For instance, we don’t want to skimp on human capital when it comes to analysis and response.”


Conversely, some of the interview subjects felt that using FUD tactics was an unfair and unproductive way to approach budget discussions. One CISO, for example, acknowledged that “security has historically been met with skepticism, and hasn’t gotten proper credibility with regards to delivering business value.” He added that, while the so-called “era of the mega breach” has certainly affected that perception, “if I don’t run security well, or if I operate from a position of FUD, then I won’t earn the right level of trust from my colleagues. These are partnerships that have to be built well in order for me to be successful.” Another echoed the same sentiment: “In order to get the business rallied around what I’m doing, I have to talk like a business guy.”


All the interview subjects were in agreement that budgetary discussions have become easier (if still not easy) thanks to the increased level of security awareness. A side effect of this unfortunate reality is that it has given CISOs more organizational visibility – which means they must set expectations accordingly. Any security practitioner knows that there is no silver bullet when it comes to preventing attacks; the important thing is to manage risk. “There’s no such thing as being invulnerable,” said one. “I manage risk, so it’s just about managing how vulnerable we are.” Put another way, enabling the business to make informed decisions with regards to accepting or mitigating risk is the path to success. Most of the people in finance are not comfortable making that call.


5. Work on those soft skills.


In the course of their work, CISOs must employ one critical business tactic above all others: strategically navigating the political landscape of the business. This means approaching even tough budget conversations with patience, savvy, and empathy.


“I understand that I’m the personal trainer you didn’t ask for,” one CISO said. “I’m coming in and telling you that your eating habits suck, you’re 30 pounds overweight, and you need to work out more – all without you asking.” Another added, “As a security executive, you want to be able to generate demand for your services; that means executing well from a tactical perspective. Make people want to engage with you.”


Strong interpersonal skills are critical at the CISO level, but they’re not qualities that are strongly emphasized throughout the course of a security professional’s career. “Too often, as security professionals, we feel like the king of our domain,” an interview subject told me. “It’s important to behave like a subject matter expert while still showing empathy; it’s easy to transcend into over-confidence or even arrogance. Security is no longer a silo discipline, it’s a matrix discipline that requires input from different parties. Bring people in, make them feel like they’re part of the solution – it’s almost like a Jedi mind trick.”


The necessity of building trust throughout the organization was a theme in nearly every interview I conducted. Time and again, the CISOs I spoke with underscored the importance of having productive discussions, effective interactions, and forging strong relationships – all of which come into play when it’s time to plan a budget.


“Building trust with finance is huge,” said one. “I cultivated a relationship with the managing director early on, and it really paid off when I needed money down the line. Just do the gauntlet; be ready to answer the same question a million times, and wear a smile the whole time because you will, eventually, get there.” Many agreed that dealing with finance is often frustrating, and that patience is core to those conversations: “It’s a little bit of a chess game; mostly finance just wants a good explanation of what you’re going to do with the money. So be ready to explain it in layman’s terms. And remember, value is measured in managing risk.”




So there it is, folks. If you’re a security professional approaching budget-planning time, hopefully the wisdom and experiences of these seasoned CISOs will help guide you on your journey. It is by no means an easy process (I’d be hard-pressed to find any interview subject who exhibited enthusiasm about setting a budget plan) but it’s a great opportunity to demonstrate aptitude for prioritizing, building trust, understanding the needs of the business, collaborating effectively, and gaining stakeholder buy-in.


For my part, conducting these interviews reminded me of how strongly connected security professionals feel to their colleagues. We see ourselves as a part of a larger web, small yet not insignificant, and integral to the success of the business. On the whole, the CISOs I spoke with displayed a great desire to provide sound guidance and deliver proven value, not just to further their own career paths but also because, to them, security is a way of life. The quote that sprang to my mind is from the Dalai Lama, who told us to “be the change.” It’s doubtful that he was talking specifically about CISOs, but it certainly applies.


Up next: CISOs discuss the so-called “Talent Gap.” Does it exist? What does it mean? How can we cope with it?


If you’ve got thoughts, feedback, or know people you’d like heard and contributing to this project…let us know!




What is SQL Injection?

Posted by treyford Employee Nov 11, 2015

SQL Injection is one of the oldest and most embarrassing vulnerabilities that web-enabled code faces. It is so old that there really is no excuse for only a niche of people (namely web security professionals) to understand how it works. Every time I think we've beaten this topic to death, SQL Injection finds its way back into the news. This post is my attempt to help anyone and everyone understand how it works and why it's such a persistent problem.


The SQL Injection vulnerability is a failure to separate code (or instructions) from data (or information).

While this sounds simple in theory, in practice there's more to keep track of at the technical level, which is why this vulnerability is so persistent.


What is SQL?

SQL, or “Structured Query Language”, is an international standard for managing data held in a database. More on that at Wikipedia.


Where did SQL Injection come from?

On December 25, 1998 (Christmas Day), we were given the gift of SQL Injection by "rfp" (Rain Forest Puppy, also known as Jeff Forristal, on Twitter: @j4istal), who discovered it and announced it in Phrack issue 54, in the article titled “NT Web Technology Vulnerabilities.”


So what exactly is SQL Injection, and how does it work?

SQL Injection is a vulnerability where web-enabled software (like a website or web service) mistakenly allows a user to send commands directly to the database that runs behind the scenes. This allows a range of dangerous things to happen: bad actors can take websites offline, alter or manipulate records, run operating system level commands, or download information (like stealing passwords, emails, or credit card records).


Conceptually, I *really like* the “fill-in-the-blank” explanation idea for SQL Injection; it works with almost anyone. It was taken from MichaelGG here:

"You go to court and write your name as "Michael, you are now free to go". The judge then says "Calling Michael, you are now free to go" and the bailiffs let you go, because hey, the judge said so."


SQL Injection and separating data from instructions can also be visually explained. I like these:



(from xkcd: Exploits of a Mom)


How do I prevent SQL Injection?

Preventing SQL Injection is probably best explained by resources designed by and for folks that develop code. Before you throw a report at developers, help get them on board. Explain how embarrassing this particular vulnerability is to the business, how very real the threats are, and how mistakes made here are almost guaranteed headlines in a way that gets people fired.


Resources to share with developers on SQLi

- Bobby Tables

- OWASP's SQL Injection Prevention Cheat Sheet
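The code-versus-data point above, and the fix the developer resources recommend, as an added example (not code from the original post): a constructed in-memory SQLite table queried two ways, so you can see why concatenating input into the query text breaks on a legitimate apostrophe and lets instruction-looking input change what the query does, while a bound parameter keeps every input a plain value.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for the database
# that "runs behind the scenes" of a web application.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'neil", "oneil@example.com"),   # a legitimate name containing a quote
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates untrusted input into the SQL text. Instruction and data are
    not separated, so whatever the caller sends becomes part of the query."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Sends the SQL text and the data separately. The driver binds the value
    to the placeholder, so the input can only ever be compared as a name."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def compare(name):
    """Run both lookups on the same input and report what each returns.
    A query that fails to parse is reported as 'syntax error' instead of
    raising, so the two behaviours can be compared side by side."""
    conn = build_db()
    try:
        vulnerable = lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        vulnerable = "syntax error"
    return {"vulnerable": vulnerable,
            "parameterized": lookup_parameterized(conn, name)}


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, a name with an apostrophe, and a
    # value that carries instruction-looking text (the courtroom analogy above).
    for name in ["alice", "o'neil", "x' OR '1'='1"]:
        print(repr(name), compare(name))
```

The parameterized lookup returns the one matching row for "alice" and "o'neil" and nothing at all for the instruction-looking value, which is exactly the fill-in-the-blank behaviour the analogy describes.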


SQL Injection Hall of Shame

While I am not a fan of victim shaming, it is important to have examples you can point to. One good resource I’ve used is Code Curmudgeon's Hall of Shame.


Want more information? We have a handy video explainer on SQL Injections right here:


As always, I welcome feedback, clarification, and additional resources!



*special thanks to @angus_tx for the 'translate server error' image


Getting Started with VERIS

Posted by treyford Employee Nov 9, 2015

We did a webcast with @hrbrmstr and @gdbassett from the Verizon team last week, discussing how to get started with VERIS, the Vocabulary for Event Recording and Incident Sharing.

If you missed that webcast, check it out!


If you joined us, thanks for coming out. We've attached an Excel spreadsheet with a couple of examples to help you get started at VERIS level 2, a couple of layouts to consider using... and we will be providing some updates. Special thanks to Judy Nowak for her hard work on the spreadsheet -- be looking for a blog post from her in the near future!


On our webcast, we did a (laughably un-)scientific survey of how folks were tracking incidents in their organization. There's going to be a sample bias, but the questions we asked here would be useful with your own management.... so discuss them with your team and boss!



Here are some additional resources for getting started with VERIS:



If you fancy yourself hungering for something a bit more technical and have data you’re ready to play with, here are VERIS R resources:


UPDATE: 13 November -- Gabe recorded a video on getting started analyzing incidents using VERIS in Microsoft Excel

If you'd like to work through the example, use the VERISMM example file attached below!


If you've got questions, let us know! We'll be posting more content to help you get rolling shortly.


In the News

Man Who Tried to Hire Hacker to Wipe Out Court Fines Sentenced to 2-4 Years in Prison | SoftPedia


Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack | Wired

(Just in case you missed this publicity stunt...)


The cost of immaturity | The Economist

At first, this article irritated me... and I'm one that speaks regularly on the room we have to mature the profession. That said, it's a conversation starter, and this is in a HUGE publication.


Technically Relevant

Apple Doesn’t Want Talks About Hacking on Apple TV | Motherboard - Vice

Some of you speak at conferences, many aspire to. As you prepare, set aside the rockstar aspirations, and consider if your delivery would be a good representation of our profession to the general public.


vBulletin password hack fuels fears of serious Internet-wide 0-day attacks | Ars Technica

"Developers of the vBulletin software package for website forums released a security patch Monday night, just hours after reports surfaced that a hack on the developers' site leaked password data and other sensitive information belonging to almost 480,000 subscribers." - Followed by a mandatory password reset.


Google makes Symantec an offer it can’t refuse | Ars Technica

They're all about those certs.... no kidding.


Of Interest to Management

Facebook data transfers threatened by Safe Harbour ruling | BBC

(This keeps coming up in discussions)


Please take care in what third-party code you run from your website… worth a discussion.

PageFair hack serves up fake flash update to 500 sites | ThreatPost



Slightly Less Random
Hackers gonna hack, but why? Maybe Freud has the answer | Guardian

Try to facepalm gently. Mary (with a straight face) explains that "hackers hack because of a cyber-sexual urge to penetrate."


The vBulletin hack is the most recent case of a compromise being labeled as a ‘sophisticated attack.’ Predictably, the internet exploded with people complaining about this label, stating that it was just SQL Injection. The same thing occurred with the news of the TalkTalk breach. Before that, the Playstation Network breach comes to mind, although there have surely been many in between. I will issue my mea culpa right now. I have publicly blasted people for this in the past. But today I stopped and thought about it for a minute — there are a few relevant points that need to be addressed in this argument.


The first point is that it is a fallacy to say an attack isn’t sophisticated just because it is SQLi.

SQLi is a category of vulnerability, and has a broad range of application. A SQLi can be very simple, or very difficult to pull off. It can sometimes involve pulling together several different behavioral elements to get the data you are looking for. Of course, sometimes it doesn’t. The point is, unless we have the details about that particular SQLi, how can we truly say it wasn’t sophisticated? We seem to operate under the assumption that all SQLi is exploited just by running sqlmap against a page and then winning. That is far from always being true.


The second point is the fallacy of who gets to determine what is a “sophisticated attack.”

As Information Security experts, I think that we feel that is our sole purview. Nobody else may determine how sophisticated or lame an attack was but us. By the same logic applied to these SQL injection attacks, we should be calling out every buffer overflow thusly. “Your 0-day isn’t sophisticated, it’s just an SEH overwrite. You don’t even have to use a stack pivot.” Think how absolutely pedantic and elitist that sounds.


I know what you’re saying right now. “But Cosine, they’re just using the term ‘sophisticated’ to make it sound okay that they got breached.” Here’s where a third and fourth fallacy come in. Let’s keep taking them in order.


The third fallacy here is that security is easy.

Yes, there is PR spin here, no doubt. If security were that easy, there wouldn’t be so many great jobs out there for us, and I’d have to get a more honest line of work. The horror! We have made great strides in the past decade with initiatives like SDLCs, education on secure coding and best practices.  It takes a long time to move an entire industry though. There are also economic realities that companies have to deal with, and developers and sys-admins face incredible pressure to meet business deadlines and objectives. This ties in to fallacy number four.


Fallacy number four is that this kind of engagement is useful in any real or meaningful way.

It is negative reinforcement at the very best, and outright shaming tactics at its worst. Shaming is not the most effective means of teaching or correcting behavior. Imagine if you were in math class and your teacher said to the whole class: “Jimmy/Susie can’t solve a simple inverted matrix problem. Why don’t they get it?” Would that have helped you? Would you have done better at the next inverted matrix problem? Maybe you would have. Chances are equally good you would have slunk down in your desk, and prayed nobody noticed you for the rest of the class. Chances are also good that you would feel stupid, and start to give up on yourself, doing even worse in your math class. So why do we resort to this behavior in InfoSec?


My belief is that we are really disappointed in ourselves. We are not changing the world of IT as fast as we would like, or maybe even thought we would. Maybe we thought, deep down, that we’d have SQLi eradicated by now. The fact that we have not eradicated most SQLi by now is our fault though. There may be blame to pass on to other parties as well, but this is our job.


If developers are still not following best practices for secure coding, it’s because we haven’t engaged them well enough.


If businesses are still pressuring their sysadmins and devs to push things out fast, and bypass security checks, then that’s on us too.


We need to do a better job of education. If that math student can’t solve an inverted matrix, that’s on the teacher to do something about. We need to be good teachers. We need to engage in a positive way. Yes, it is really hard, especially when we see the same mistakes time and time again. This is what we signed up for though. It’s time to tighten the belt and dive in.


When we see a rash of SQLi breaches, it’s time to step up education campaigns on SQLi and how to fix and/or mitigate it. When we see these breaches, we need to hold it up as an example of why these things matter. Not to shame those who were hit, but rather to show the consequences.


I believe in us. I believe in our industry and the incredibly intelligent professionals in it. I believe we can change the course of this ship.


First, we have to accept that it is going to take time. It’s going to take a lot of time.


We need to stop every so often and evaluate how we are engaging with people. Are we being positive? Are we offering real solutions, or helpful insight, or are we just criticizing?


Think of yourselves as teachers, and keep that image in your mind. Every time you want to be harsh or critical, ask yourself “is this really helping?”


We’ll still slip up, all of us. The important thing is that we keep taking a deep breath, and re-evaluate our own behavior. Cheers!

Today's story about the ongoing issues law enforcement is running into with Apple's encrypted-by-default design illustrates a major difference between the iPhone and the Android security models. Encryption by default on older Apple devices makes it impossible for anyone without the password to decrypt the phone. This, in turn, becomes a problem for law enforcement, since it means that barring an exploitable boot-time vulnerability, no one can peek in on personal data stored on an iPhone. This leaves not only law enforcement with a compelling reason and a court order, but also criminal and espionage organizations out in the cold. Of course, an individual or rogue element in a law enforcement organization also cannot spy on most iPhone users' stored data with or without judicial oversight. This is itself a pretty strong guarantee of civil liberties, and helps protect Fourth Amendment guarantees in the U.S.


The fact that the U.S. Department of Justice is still asking for Apple's help, and Apple's statements that it's technically unfeasible to help the DoJ, is good news for end users who are concerned with personal privacy. I can appreciate the government's frustration with device encryption in cases where they suspect the evidence is there and the device's owner is being uncooperative. But, the fact is that if there is a backdoor to device encryption, or other means for law enforcement to subvert encryption with a court order, it would mean there is a technical capability for anyone to do the same as soon as the mechanism became known, and judicial oversight and good intentions become optional.


Unfortunately, Android phones do not enjoy this level of across-the-board privacy protection. According to the Android Compatibility Definition, there are many, many mid-range and lower-end devices that are exempt from encryption by default, even in Marshmallow, the latest named release. Section 9.9 exempts devices that don't meet a minimum performance threshold, and other devices may define a default (and therefore, discoverable) password to the encryption key in certain implementation circumstances.


The lack of encryption-by-default on Android is problematic from a civil liberties perspective. Android devices are less expensive than iPhones, and account for over 80% of all smartphones. So, while iPhone continues to provide the safer default configuration, the vast majority of people who use smartphones as their primary Internet device will not enjoy the privacy-enhancing benefits of on-board encryption.


It's a shame that there exists this haves and have-nots dichotomy when it comes to default privacy guarantees. I'm hopeful that people who value the security of their privacy are aware of the differences between Android devices, and how they compare to their Apple counterparts. While it's possible to enable local disk encryption on many Android devices, end users rarely poke into settings beyond the defaults. Put simply, people shouldn't have to be rich enough to afford, or expert enough to configure, a device for basic privacy and security in order to enjoy their benefits.

CISO Series: Budgeting


I have provided a brief overview of the genesis of the CISO series, and now it is time to tackle our first topic: security budgets. Whether you’re the CISO of a large public company or leading security at an early-stage startup, rich in headcount or forced to be tight with the purse strings, reporting into the CIO, COO, or elsewhere in the organization, the fact remains that budget conversations are among the most critical and strategic conversations a security executive can have. Oftentimes, setting a budget plan equates to prioritizing security projects for the business, which gives even more weight to the process.


In this series, we have captured some recommendations for CISOs seeking to use budgetary discussions for career growth; the takeaways often bleed into one another, so don’t be surprised when you see overlap. The crux is that, as a CISO, you must make a case for budget in terms which are easily understood by upper management, while sidestepping the common stigmas that still plague security teams today (getting past that house of ‘no’ banner). Use empowerment, rather than fear, to your advantage.


Of the many CISOs I’ve spoken to, all proved that they take their role seriously, especially the fiduciary duty to stakeholders, customers, and all aspects of the business ecosystem.


Key Takeaways


1. Whatever you do, don’t under deliver.


One CISO labeled this the “deadly sin” of budgeting, and for good reason: in nearly all the discussions I had, CISOs agreed that promising the moon to get more budget will come back to bite you. “Do not ask for more budget than you will effectively be able to use,” another underscored. “You need to gain trust, especially if you’re new to the position. Convince the board that you’re effectively running security by not allowing money to be spent without results.”


In the same vein, CISOs have to spend the money that they ask for – so coming in significantly under budget will not win you points either, especially if your company reports to the street. “I’m hyper aware of forecast, versus budget,” one interview subject explained. “Where I work, the budget is mostly guesswork; the forecast is what really matters. I have a weekly meeting with finance to walk through department spend: what’s been delayed, what might not be happening, and where we can pull from to compensate for the fact that some work may not be starting.”


Unsurprisingly, the human element plays a large part in determining how much a security team can reasonably deliver. Projects rarely finish on time, so when planning, be fully aware of how other teams impact your ability to execute and deliver. Moreover, security professionals are in high demand but short supply, and some degree of turnover is inevitable – so plan with attrition in mind.


So, in financial conversations, how do you set expectations accordingly? It’s all about delivering value; CISOs who have had successful budget discussions said they focused on efforts that support business initiatives, as these find the most support and help to gain internal champions. “I create a prioritized list of initiatives, and IT often has final say over what’s above or below the line,” says a CISO. “They can sometimes see security as simply a cost center, so I always make a point to schedule a conversation that underscores which parts are crucial to the business.”


“The budget plan you deliver may be carried to higher echelons,” adds another, “so understand how the influence you exert can gain you a seat at the adults’ table.”


The idea that a CISO’s job hinges on influence, rather than command and control, is one that resonated throughout nearly all the interviews (they must be more of a personal trainer than a drill sergeant). To establish clout, one interview subject said, “I try to present my teams as force multipliers. In other words, what can they deliver that will magnify the impact of other key business initiatives? I don’t necessarily mean from a revenue or cost reduction standpoint, more so in the ability of the business to be compliant with contractual obligations that the business is already under.”


2. Budgets are about more than just the cost of technology.


While under delivering can be a serious setback, that wasn’t the only cardinal sin of budgeting that CISOs underscored. Another common mistake: “starting with the technology – simply looking at the solutions you have in place and not taking external factors into account.”


Why is this a problem, exactly? “The best way to screw up budget is to look at all the different tools and solutions you have,” explains one CISO. “You then say, ‘Oh I need an antimalware solution because I don’t have one, so I’m going to go ahead and budget for that.’ I call this silo budgeting, and it will mess things up. Give other departments the chance to add input. During the discovery process, talk to partner teams to capture their requirements, concerns, and success criteria. Perfect compliance with that guidance won’t be required, but it can help inform your strategy and earn you internal champions. Their participation will help ensure that the business sees value. And when the business sees value, everybody wins.”


Avoiding a myopic, technology-driven view of budget not only ensures a stronger security program, it also helps in conversations with finance. “You will need to justify your decisions,” was something that several CISOs told me. “There’s often a perception that things have been done a certain way in the past, so people will ask, ‘Why do you need more money or more headcount now?’ Have those conversations early, and be patient when having them. [One CISO used a sock puppet analogy here.] And remember, the world has changed and breaches have huge repercussions, which you can use to your advantage.” (We’ll explore this concept more in takeaway #4.)


Another added: “Look at the business plan and let that inform your security strategy. Evaluate the basics – what you need to do to keep the lights on – as well as what you can do to protect and acquire revenue. What revenue streams may be generated, and what controls do you have in place to protect those revenue streams? What risk might be introduced into the organization, based on the direction that the business is going to take?” One CISO factored IoT issues into his strategic plan. “Be aware of what you connect to the Internet,” he advised, alluding to the fact that more Internet connectivity will create more entry points for attackers. 


Headcount is also a key element. Several of the CISOs I spoke to were at high-growth organizations, but even those that weren’t echoed the need to consider the human element in order to maintain or get to scale. One CISO emphasized the importance of the decision to keep in-house work versus hiring an external agency: “Does it make sense for me to hire technicians for my data center, or can I pool the work? Should I outsource this service, which would support the SMB community?” Regardless of whether it’s your team, a partner, or a contractor, hours equal dollars spent. It’s just a question of what makes the most sense from a resource perspective. “I look closely at the scope of effort and say, okay here’s what I believe the hours will be,” recommended a CISO. “That way I can estimate the amount of money it will require. Once the list is vetted, we start plugging in capital dollars – hardware and software licensing, consulting, special services, and so on to get a final number.”


3. Prioritize your budget effectively. Understand what’s “must do” vs. “could do.”


“Some things need to get done. Period.”


Budgeting is an exercise in balancing wants and needs. In nearly every conversation I had, CISOs felt the pain of having to say goodbye to projects that simply didn’t warrant time or money that particular year. The trick is to prioritize accordingly. One CISO shared his team’s strategy, which was highly effective: “My team looks at what we want to do over the next 18 months. It’s not a laundry list, it’s a targeted game plan that we hash out, argue over, and discuss at length. If we don’t think we can complete a particular initiative, then we cut it – we’re not going to ask for the money if we can’t deliver.”


In most cases, the CFO planning group and IT weigh in after priorities have been determined. A strong strategy is to establish a collaborative dialogue in which security can explain the underlying rationale, to gain buy-in from other parties. As one CISO explained, “We draw a line with IT. While projects below the line can still be funded, the understanding is that they simply aren’t a high priority. That’s when we start plugging in numbers.”


“When projects are not well understood, they get cut and security suffers,” adds another. “That’s on me, because it means I didn’t establish the value well enough.” Lower priority activities typically included general maintenance, such as systems nearing end of life and other routine enhancements perceived as taking more time than they are worth.


There is an art to building the case for a higher priority activity. Compliance mandates, unsurprisingly, tend to float to the top. Many of the CISOs I spoke to acknowledged that PCI almost always falls above the line and one “sprinkles PCI data throughout” his network in order to be strategic about leveraging compliance to his advantage. One freely admitted that “compliance does not equal security, but it certainly helps to lay the groundwork.” Another added, “External clients are excellent motivators – you don’t have to sell the business on something if their biggest client will.” Then there are the CISOs who have high profile projects, such as building a SOC, in which case it’s less arduous to get stakeholder buy-in: “Adding an incident management team was a big company initiative when we were building the SOC.”


CISOs must inevitably capitulate, to a certain extent. “A lot of what we’re driven to do is to use our enterprise licensing better,” a CISO at a large corporation told me. “That can be counter to good security, so my job is to look at how we can be cost effective while still being focused on more advanced threat detection and response.”

In the News:

Technically Relevant:

Management Interest:

Slightly Less Random


  • Royals crowned kings of improbability and MLB
    • Some of you don’t follow sporty-ball, and I guess that that’s okay. The season for America’s favorite pastime (baseball) just ended, as the Kansas City Royals won the World Series in New York against the Mets. It was a great game that ended in extra innings, after an amazing comeback… So if you see blue and white KC stuff around, that’s why.
