Monday, November 17, 2014

Response to "Can a CISO Serve Jail Time?"

I just read a story titled Can a CISO Serve Jail Time? Having been Chief Security Officer (CSO) of Mandiant prior to the FireEye acquisition, I thought I would share my thoughts on this question.

In brief, being a CISO or CSO is a tough job. Attempts to criminalize CSOs would destroy the profession.

Security is one of the few roles where global, distributed opponents routinely conduct criminal acts against business operations. Depending on the enterprise, the offenders could be nation state adversaries largely beyond the reach of any party, to include the nation state hosting the enterprise. Even criminal adversaries can remain largely untouchable.

I cannot think of another business function that suffers similar disadvantages. If a commercial competitor took actions against a business using predatory pricing, or via other illegal business measures, the state would investigate and possibly prosecute the offending competitor. For actions across national boundaries, one might see issues raised at the World Trade Organization (WTO), assuming the two hosting countries are WTO members.

These pressures are different from those faced by other elements of the business. When trying to hire and retain staff, human resources doesn't face off against criminals. When trying to close a deal, sales people don't compete with military hackers. (The exception might be transactions involving Chinese or Russian companies.) When creating a brand campaign, marketing people might have to worry about negative attention from hacktivists, but if the foe crosses a line the state might prosecute the offender.

The sad reality is that no organization can prevent all intrusions. The best outcome is to prevent as many intrusions as possible, and react quickly and effectively to those compromises that occur. As long as the security team contains and removes the intruder before he can accomplish his mission, the organization wins.

We will continue to see organizations fined for poor security practices. The Federal Trade Commission, Securities and Exchange Commission, and Federal Communications Commission are all very active in the digital security arena. If prosecutors seek jail time for CSOs who suffer compromises, I would expect CSOs will leave their jobs. They already face an unfair fight. We don't need to add the threat of jail time to the list of problems confronting security staff.

Monday, November 10, 2014

Thank You for the Review and Inclusion in Cybersecurity Canon

I just read The Cybersecurity Canon: The Practice of Network Security Monitoring at the Palo Alto Networks blog. Rick Howard, their CSO, wrote the post, which marks the inclusion of my fourth book in Palo Alto's Cybersecurity Canon. According to the company's description, the Canon is:

a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education that will make the practitioner incomplete.

The Canon candidates include both fiction and nonfiction, and for a book to make it into the canon, it must accurately depict the history of the cybercrime community, characterize key places or significant milestones in the community, or precisely describe technical details that do not exaggerate the craft.

It looks like my book is only the second technical book to be included. The first appears to be the CERT Guide to Insider Threats.

I am incredibly thankful for the positive and thorough coverage of my newest book, The Practice of Network Security Monitoring (PNSM). It is clear Rick spent a lot of time reading the book and digesting the contents. Even the post headings, such as "Network Security Monitoring Is More Than Just a Set Of Tools," "Operate Like You Are Compromised: Kill Chain Analysis," "Network Security Monitoring as a Decision Tool, Not a Reaction Process," "Incident Response and Threat Intelligence Go Together," and so on communicate key themes in my book.

With his background at the Army CERT, Counterpane, and iDefense, it's clear Rick converted his experiences defending significant networks into a worldview that resonates with that in PNSM.

Rick also emphasizes one of the goals of the book, which is to get anyone started on the road to network instrumentation. I wrote the book, and teach a class -- Black Hat, 8-9 December, near DC -- for this very purpose.

I wanted to add a bit more detail to the last section of the blog for the benefit of those who have not yet read PNSM. Rick mentions some of the tools incorporated in Security Onion, but I wanted to be sure readers understand the full spectrum of SO capabilities. I captured that in Figure 6-1, reproduced below.

While I don't cover all of these tools in PNSM, as Rick wrote, I show how to leverage core SO capabilities to detect and respond to intrusions.

If you would like a copy of PNSM, consider buying from the No Starch Web site, using discount code NSM101 to save 30%. One benefit over buying from the publisher is getting the digital and print editions in a bundle.

Thank you again to Rick Howard and Palo Alto Networks for including PNSM in the Cybersecurity Canon.