9/29/2014 12:25 PM
Jason Polancich
Commentary

Can We Talk? Finding A Common Security Language

How engineers can get beyond the crippling vocabulary and semantic barrier of infosec and actually communicate about cyber risk with bosses and business colleagues.

Put yourself in the shoes of your CEO.

Good morning, Mr. or Ms. CEO! Quick question -- and I need you to think fast: What’s the top cyber risk to your enterprise this quarter, and how does it affect your business’s bottom line?

It might help to think back to your last status meeting with your security team. In the meeting are all your department heads, including your CFO, COO, CMO, CTO, and CSO.

Imagine that you’ve come to the half-hour set aside for the CSO and his lead infosec engineers, and, on the slides, you see one summarizing your IT security and cyber defense spending over the first half of the year. Things like antivirus, malware detection, and anti-phishing show up, as do $ symbols followed by healthy numbers beside things like IDS/IPS, firewalls, signature detection, log aggregation, netflow analysis, and packet inspection.

Then you see a slide summarizing your top cyber security issues over the first half of the year: words and phrases like Zeus, Citadel Trojan, Backoff POS, Man-in-the-Middle, Dorking, Beaconing, Packet Reflection.

So, what is the top cyber risk to your enterprise this quarter, and how does it really affect your business’s bottom line?

Still can’t answer? You wouldn’t be alone.

Today’s enterprises, and their CEOs and board members, are increasingly impacted by everyday cybercrime. However, despite swelling budgets and ever-expanding resource allocations, many enterprises are actually losing ground in the fight to protect vital business operations from cyberharm.

While there are many reasons for this, none is as puzzling as the inability of executives and other senior management to communicate with their own security professionals. One major reason for this dysfunction hides in plain sight: There is no mutually understood, shared, and high-level language between the two sides via which both can really connect, perform critical analysis, make efficient and faster decisions, develop strategies, and, ultimately, work with less friction.

In short, it’s as if there’s a conversation going on where one side is speaking French, one side Russian, and they’re working through an English translator who’s using pocket travel guides for both languages.

In other business domains, such as sales or financial performance, there are time-tested and well-understood standards for expressing concepts and data -- in words. For example, things like “Run Rate” or “Debt-to-Equity Ratio” allow those people pulling the levers and pushing the buttons in an organization’s financial operations to percolate up important reporting for business leaders to use when steering the enterprise ship.

This is all made possible by a shared language of terms and classifications.

For the area where cyber security and business overlap, there’s no common, intuitive, business intelligence or key performance indicator (KPI) language that security professionals and business leaders share to communicate effectively. There are no common or generally accepted business terms and metric specifications in place to routinely track, analyze, and express how cybercrime affects a business. And this gap affects leaders and security professionals alike.

How do businesses get things tracking?
There is no silver bullet that will work for every organization. But there are simple, practical ways to help the two sides begin communicating better. To start, enterprises can establish a standard, high-level cyber ontology within their organizations. In other words, create a specification for how cyber concepts are described and tracked. This will enable engineers on the security side to express lower-level, cyber operations information in ways that management can leverage for planning, strategy, and, more fundamentally, good old-fashioned discourse.

Once established, data can be gathered together, mapped to this specification, and then analyzed and exchanged. It sounds simplistic, but too few organizations diligently collect cyber data in this manner, and thus they lose out on the opportunity to create a common language for expressing important concepts.

Most cyberthreats and hits that an organization suffers can be expressed in terms of who did what to whom (or against what), how it was done, and what happened as a result. In other words:

  • Actor
  • Target
  • Effect
  • Practice

From here, as things occur, macro-level categories of items can be created underneath each of the high-level groupings such as:

  • Actor. State-Sponsored, Organized Crime, Hacktivist, etc.
  • Target. Web Servers, Point of Sale (POS) System, Cloud Storage, etc.
  • Effect. Website Downtime, Data Stolen/Leaked, Vandalism, etc.
  • Practice. Network Intrusion, Social Engineering, Malware, etc.

As entries are made, other data can also be added. Enrichment data and simple metadata, such as date and time, and specific micro-level information, such as "Malware: Citadel Trojan," can be entered and then analyzed. Everything from simple summary rollups to time series analysis and more can then be performed against this data in ways that resemble the traditional KPI-driven formats found in sales or financial performance.

What’s more, once data is collected in a standard format, it’s very easy to connect it to KPI-type data from the other key business domains to create insights into how your business, your suppliers, your customers, and more are being affected by cyber events. IT and security budgets become more amenable to fine-grained assessment and continuous quality checks and improvements.
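To make the Actor/Target/Effect/Practice specification concrete, here is an added example in Python (not code from the article or from Musubu.io): entries that use a value outside the agreed categories are rejected at entry time, and the summary rollups and month-by-month time series described above are computed over a constructed set of sample entries. The category lists contain only the values the article names (its "etc." is left closed on purpose), and every sample event is constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Top-level groupings and the macro-level categories the article lists. The sets
# are closed: an entry using an unlisted value is rejected rather than guessed at.
ONTOLOGY = {
    "actor": {"State-Sponsored", "Organized Crime", "Hacktivist"},
    "target": {"Web Servers", "Point of Sale (POS) System", "Cloud Storage"},
    "effect": {"Website Downtime", "Data Stolen/Leaked", "Vandalism"},
    "practice": {"Network Intrusion", "Social Engineering", "Malware"},
}

@dataclass(frozen=True)
class CyberEvent:
    """One entry: who did what to whom (or against what), how, and with what result."""
    when: str          # ISO 8601 timestamp, e.g. "2014-01-14T09:30"
    actor: str
    target: str
    effect: str
    practice: str
    detail: str = ""   # micro-level enrichment, e.g. "Malware: Citadel Trojan"

    def __post_init__(self):
        datetime.fromisoformat(self.when)  # raises ValueError on a malformed timestamp
        for field, allowed in ONTOLOGY.items():
            if getattr(self, field) not in allowed:
                raise ValueError(f"{field}={getattr(self, field)!r} is not in the ontology")

def rollup(events, *fields):
    """Summary rollup: counts per category, or per combination of categories."""
    def key(e):
        return getattr(e, fields[0]) if len(fields) == 1 else tuple(getattr(e, f) for f in fields)
    return Counter(key(e) for e in events)

def monthly_series(events, field, category):
    """Time series: events per calendar month whose `field` equals `category`."""
    series = defaultdict(int)
    for e in events:
        if getattr(e, field) == category:
            series[e.when[:7]] += 1  # "YYYY-MM"
    return dict(sorted(series.items()))

# Constructed sample entries for a first half-year (not real incidents).
SAMPLE_EVENTS = [
    CyberEvent("2014-01-14T09:30", "Organized Crime", "Point of Sale (POS) System",
               "Data Stolen/Leaked", "Malware", "Malware: Citadel Trojan"),
    CyberEvent("2014-02-03T17:05", "Hacktivist", "Web Servers", "Website Downtime",
               "Network Intrusion"),
    CyberEvent("2014-02-20T11:45", "Organized Crime", "Point of Sale (POS) System",
               "Data Stolen/Leaked", "Malware", "Malware: Backoff POS"),
    CyberEvent("2014-05-27T13:00", "Organized Crime", "Cloud Storage",
               "Data Stolen/Leaked", "Social Engineering"),
]
```

`rollup(SAMPLE_EVENTS, "actor", "effect")` answers "who caused what" in one table, which is the kind of figure a board slide can carry without any of the tool vocabulary from the status meeting.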

In other words, security engineers and those who lead them can begin to talk the same, shared, data-driven language. It’s a simple, inexpensive approach with big, persistent results.

Jason Polancich is co-founder, app designer and digital marketing lead for Musubu.io. Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 ...
Comments
JasonPolancich
User Rank: Author
10/4/2014 | 9:03:38 AM
Re: Intriguing but I'm not yet convinced
Same here! Thanks.
SDiver
User Rank: Strategist
10/3/2014 | 2:21:48 PM
Re: Intriguing but I'm not yet convinced
In any case, I appreciate the discussion Jason.  Take care.
JasonPolancich
User Rank: Author
10/3/2014 | 1:19:57 PM
Re: Intriguing but I'm not yet convinced
Well, on this point, I can't argue with you at all.

With the JP Morgans, Targets and Home Depots becoming poster children on a weekly basis now, it's hard for me to believe cyber concerns have not become major, daily leadership opportunities for CEOs. That said, you're likely right that the "it won't happen to me" attitude will persist for some time to come. The unfortunate reality, though, is that, for pretty much every business, it will happen to them. It's only a matter of time.
SDiver
User Rank: Strategist
10/3/2014 | 12:25:14 PM
Re: Intriguing but I'm not yet convinced
Hello Jason,

Like you, I also have to convey the 'cyber-security' message to CEOs and also, like you, I attempt to present information that addresses business risk. However, I am convinced that many CEOs simply refuse to take an interest in cyber risk management because: 1) They're too focused on compliance-based risk such as PCI, 2) They think they're hidden from any type of attack for a variety of reasons, or 3) they think that security will negatively impact their customers.

Your recommendations are excellent but nothing new; I've seen these types of indicators in risk assessments before. Please don't misunderstand; I encourage you to continue to help spread the message.

Perhaps the crux of my argument is that even the best business intelligence reports, risk assessments, etc. are useless if the CEO is not interested in cyber risk management in the first place. While I agree that security experts need to improve their business communication, it is painfully clear that CEOs need to change their attitude about cyber risks. I personally believe that the Home Depot CEO is criminally negligent as a result of the breach because he was warned by many experts, some of whom I know professionally and will vouch for their security and business experience.

One example. I know somebody who is absolutely convinced that Microsoft's two-factor authentication is safe from attack and feels that no additional reasonable security measure is needed despite the information I provided to him regarding the vulnerabilities in RSA tokens and Microsoft Active Directory. I assure you, your business intelligence reports won't change his mind because he doesn't want to spend any more money.

I'm sorry to be pessimistic but I am convinced that CEOs need to be a little more flexible and accept the fact that they may be at risk. As the old saying goes, it's impossible to argue with a closed mind.
JasonPolancich
User Rank: Author
10/1/2014 | 3:12:05 PM
Re: Intriguing but I'm not yet convinced
SDiver,

Correct. Implicit in the piece above is that this sort of approach is just a starting point. That said, it's a starting point where there is little already established along these lines in most enterprises today.

Further to your points, when we consult with organizations, we often talk of this kind of approach developing into a kind of business intelligence practice for cyber at the same level as is typical and traditional in domain areas like the financial performance of a business, its products, people, etc.

Can that sort of biz intel and analysis "crystal ball" everything that may happen with the accuracy required to, as you mention, not be dismissed? Absolutely not. But can you imagine a successful business that is turning a blind eye to a financial perf business intelligence approach? I can't. Again, the approach outlined is designed to address one (I think, missing) part of a comprehensive, multi-layered and multi-dimensional cyber strategy with many, many pieces and parts. It's a puzzle and each individual piece is a little bit of the overall picture.

Lastly, I'm not sure the logic you use below around the whole Target-HVAC supplier vector doesn't sorta throw the baby out with the bathwater, so to speak. Meaning, convincing the "CEO of the risk the effect would be hard to define" becomes more and more easy a proposition over time as a dedicated data and intel analysis approach proves its merit as part of solving the overall puzzle (as, for example, financial performance, market intel, logistics, business intelligence does).

Good comments and thanks for the dialog!

Jason
SDiver
User Rank: Strategist
10/1/2014 | 2:40:16 PM
Intriguing but I'm not yet convinced
Jason, I appreciate your article. I think it's a start, but I don't think you go far enough.

Take the Target breach, for example. The idea of combining company operations with a third party HVAC system in the same network segment was obviously considered a great idea at the time for saving money, but I'm sure we all agree that Target now seriously regrets this decision.

If I was the CISO at Target I'm sure my concerns, even expressed through the "Threat Categories" model you linked to, would have been dismissed because the idea of data compromise seems so abstract. CEOs obviously understand and can picture the risks of shoplifting, robbery, etc., but stealing money and personal information through electronic means is far more abstract. Many people simply have a hard time understanding this concept. Even if you could convince the CEO of the risk, the effect would be hard to define. An attacker could compromise the system through the HVAC network, but what would be gained? Customer data? Proprietary information? Security experts can theorize what can happen, but evidence would be difficult without a thorough (and expensive) penetration test. I'm sure you'll agree that CEOs would not be open to shelling out money for a pen test every time a network infrastructure modification is proposed.

I look forward to your response. Thank you.
Marilyn Cohodas
User Rank: Strategist
9/30/2014 | 9:09:44 AM
Re: Other Side Of The Coin
I wrote a column about the "geek gap" in 1997. Back then it wasn't focused on security, but general IT. I guess it shouldn't be surprising, given the advances in technology in the past 17 years, that the chasm has not decreased (and it probably has increased). Your point is well taken about the attention paid in the cybersec market to "tooling and tech solutions as opposed to productivity and analysis that has formed the basis for other key business domains." Never too late to start, though.
JasonPolancich
User Rank: Author
9/30/2014 | 9:01:49 AM
Re: Other Side Of The Coin
Marilyn, this is purely based on my own experiences. For the better part of the last two decades I've spent a big portion of time in close quarters meeting with, working for, building things for, consulting to and finally sitting on the same side of the table as leadership executives. I can tell you that, in every role, the understanding gap is palpable on the exec side. They may well sense the danger and urgency around topics, but the level of understanding and grasp required to steer strategy and budget effectively is still shallow water at best. Part of the problem is there is so much attention paid in the cybersec market to tooling and tech solutions as opposed to productivity and analysis that has formed the basis for other key business domains.
Marilyn Cohodas
User Rank: Strategist
9/30/2014 | 7:19:42 AM
Re: Other Side Of The Coin
Thanks, Jason. I find it interesting that you think that the C-suite has "the longest road to travel" in understanding the security domain. Why is that? Surely, today infosec issues are front and center. Is it merely because of the language barrier? Or is there something more fundamental?
JasonPolancich
User Rank: Author
9/29/2014 | 5:07:45 PM
Re: Other Side Of The Coin
Marilyn,

Yes, I've used this approach a lot over the years, many times to convince organizations that expensive, complex, sophisticated approaches are not only often not necessary, they are often not even as effective as simple spreadsheets and a diligent data collection approach. It's actually what led me to start my latest company. Where's the cyber business intelligence that typically brings org domains, at all levels top-to-bottom, together around planning and managing success?

This all works especially well for connecting the C-suite as they traditionally have the longest road to travel in not only understanding the domain, but in making informed decisions based on accurate, intuitive data. In other words, charts and graphs and simple analytics that come out of this type of data collection, when presented in clear, visual ways, often lead to immediate breakthroughs and encourage an ongoing "closing of the gap" in communications. Vocabulary + data. The number one net result? Much, much faster decision-making, whether it's incident response, budgeting, acquisition or any number of places where accuracy matters.

Jason