Brad Garnett

Welcome to my Digital Forensics and Incident Response oasis!

Digital Forensics, Incident Response, and Information Security

The Cyber FUD CrowdSpace

Hello Reader,

How would you like your Cyber? The continuous buzzwords and marketing spin infiltrating cyber security "products" is growing rapidly. If a company called, ACME Cyber Inc. developed a unique game-changing product, hopefully the first call would more than likely be to ACME Cyber legal counsel that regularly handles patents, trademarks, and intellectual property (If you are an entrepreneur, get a good patent attorney). (Author's Note: As a forensic consultant, I regularly work with clients and perform digital forensic examinations for IP, breach of contract, etc. If you are a small business owner, make sure you are doing something to monitor your electronic assets, as it'll save you headaches long term).

Yesterday, Brian Krebs published a very detailed report titled, "Sources: Security Firm Norse Corp. Imploding". This blog post is going to focus on what I am referring to as "The People, Process, Product Cyber Pie", with an emphasis on the cyber product FUD.

                                              Figure 1: The People, Process, Product Cyber Pie

                                            Figure 1: The People, Process, Product Cyber Pie

If you are an information security professional, who works in the trenches then "you've got this!" and you may have developed your own model.  A good friend and colleague (Brian Moran), posted an article on his blog a few weeks ago titled "Cyber Security Snake Oil". Brian M's article highlights an example and recent surge in monetizing publicly available threat intelligence data spun into "cyber product". Yesterday, Robert M Lee also published an excellent follow-up to the Krebs' article on his blog  related to threat intelligence and the lessons learned from Norse. Robert is an ICS/SCADA expert and is a SANS certified instructor. If you are doing cyber threat intelligence you should follow him.

If you are a business owner, executive, or partner it is important for you to understand capabilities and limitations of the security product your vendor is selling you. A security product is only a small piece of your overall cyber security landscape. If you are missing people (most important asset) and/or the established processes, you are doing it wrong. As a consultant, I work with clients (many of whom possess regulated data) who need IT security or forensic technology services. Depending on the case or incident, terminology and a simplistic approach are everything when a client is responding to, or investigating the matter. Whether it's verbal or written recommendations post-incident, the client wants to know what they can fiscally and practically apply to their environment, so they can prevent, or minimize the risk of "badness" moving forward. Aside from the investigatory goals, I also recommend tangible solutions that the client can implement and have a much better security posture moving forward. Every engagement is unique, or in the words of David Cowen, "an amazing adventure". It is a combination of the right people following the established process using "the product" as a tool (not the silver-bullet). Remember, it doesn't matter how many hammers you have, if you don't have people to use those hammers. The same holds true for cyber security. If you are a SBO who doesn't have the resources to obtain an internal IT security team work with a reputable IT security vendor, or contact me. Establish a process and work with these folks to compliment your security product.

Earlier, I mentioned the importance of knowing capabilities and limitations of security products. Businesses rely on trusted relationships with product vendors to ensure procurements occur and the vendor is adequately servicing their needs. Trust, but verify is very important when it comes to cyber security. Every company has many moving organizational parts that affect service levels for end-customers (i.e. your business). Cyber security vendors should be product and subject matter experts, not just product knowledgeable alone. When considering a cyber security product solution consider:

  1. Cost: How much is this going to cost me over a year? 3 years? I would encourage you to avoid long, multi-year contracts where possible. Cyber security changes daily and what might be a justifiable, long term expense today, will be an antiquated solution tomorrow. What additional costs would be involved in the implementation (e.g. training, infrastructure upgrades, etc.) and on-going maintenance? Again, work with a trusted IT security advisor.
  2. ROI: How much will this add to my bottom-line in a year? What about the intangible risks (i.e. "cyber product A" helped prevent a known attack that would've resulted in proprietary/regulated data from being stolen, which is very hard to assign a $ amount. Especially for the known unknowns, such as company's reputation, long-term viability, etc.)?
  3. Flexibility: How easy is the product to implement within your existing infrastructure? Will you be required to upgrade any existing systems within your IT infrastructure? It is important to understand current requirements and how it will effectively integrate into your existing infrastructure.
  4. Metrics: How will you measure the product's success and/or failures? Thwarting an attack would be measured as a success, but what about if it doesn't stop an attack? Does that necessarily make it a failure?  Establish qualitative and quantitative analytics for improving and controlling the overall implementation.

At the end of the day, you have to make an organizational decision on what is best for your business. Do not rely on shiny "cyber product X" alone to solve your IT security issues. When a client tells me that product X is already doing that for them, I usually encourage the client to make sure they are conversationally versed in the products capabilities and limitations. The layered security approach is what we recommend (a firewall alone isn't going to secure your network). Work with your trusted IT security advisor to implement solutions that utilize people, process, and even products. Some of the best product implementations (no endorsements) that are on the market started as internal solutions to solve complex problems, which then became productized as a solution for end-customers. 

Now, a quick word on processes as I know I've just touched on the term. No, there is not a single definition, but they could be workloads, policy/compliance implementations, training, auditing, analysis, incident response, QA/QC tasks, etc. A process can simply be defined as the things your people do to contribute to your overall cyber security posture (i.e. how are your employees {people} using your tools {product} to protect your business). 

 

Now, some light-hearted fun...


If you are charlatan and wish to opine, please visit for free Cyber Attribution Services! Or directly here.


 

In closing, don't cut corners on funding people and processes, while increasing expenditures on "shiny, cyber security products" to outsource your good, hard-working IT security folks! As the old saying goes, "don't bite off more than one can chew." If you are needing services or a consultation, please contact me.

Questions or Feedback? Leave a comment below, tweet, or contact me via email .

All the time for now folks...