Articles & Presentations

Friday, July 25, 2014

Continued - Proof our industry is broken

Continuing on the PoneMon study...

The following figure shows where the interviewees get their information.



Seriously? You ask CERT and Law Enforcement for more details? If you are relying on CERT as your #1 source, I think you're doing it wrong. CERT has it's place, I have used them for disclosure of a Card Key Exploit, but for "New" and "Emerging" threats? Really??? The government continues to rank poorly in their audits and are not nimble enough to be at all useful until those of us doing the actual work, that are found at the BOTTOM of this list, have already found, discussed, analyzed and published information of new and emerging threats... Who found out about the Target Breach or Heartbleed from the Feds emails before another source?

Asking your industry peers what they think was 2nd. Better, but why wouldn't your own security research be #1 and the places you consume data or read #2 & #3, which made the bottom of the list? Who are these people they interviewed? More on that later...

The following diagram shows the value they placed on how they keep up with the threat landscape... Ohhh Boyyyyyyy...


Casual conversation with security leaders was very important (thinking Executive round tables here), followed by research from independent third parties, then independent security blogs followed by security blogs and conferences which only rated 4.85 on a scale of 1-11, 1 being good.

Really? Data you get from conferences only gets a 40% on how they keep up on the threat landscape? What conferences are these folks attending? Well it's clear they are not attending, let's say it's due to lack of budget to fly to Vegas for the week long 3 Con overwhelm known as BSides, BlackHat and DefCon. If you use Point of Sale systems, there are more than enough talks to keep you up on PoS threats... Malware analysis talks too, just not enough malware APT discovery or proper logging talks (IMHO).

Analyst reports scored poorly coming in at 6.19, sorry Gartner and 451 Group.. They don't see your value it seems. Oddly Security Vendor security research and blogs came in even lower at 7.17 and 7.57 respectively. This is sad as some of the BEST data you can get for Malware Management is from these reports... Did I already state 40% say APT is their #1 concern? #FAIL. Reports from 2 years ago would have led you to detect the Target breach and other PoS fails. You seriously need to adopt "The Malware Management Framework" (dot Org) people!

If APT, malware, bad JuJu or whatever you want to call unwanted software being on your system is your #1 concern, vendors reports, blogs and research are KEY to tweaking your tools or Security Operations Center to be better at Detection & Response and Incident Response.

Left turn - On Security Operations Centers...

From another Ponemon report that was recently mentioned in SC Magazine, I would actually agree with this statistic and finding, assuming the SOC is doing the defensive stuff I am talking about, which they should be. I have however, seen some poorly skilled staff is SOC's I have assessed.

"A recent study from the Ponemon Institute revealed that companies investing in a comprehensive SOC saw a 20 percent better ROI on their security spend. These organizations saved on average $4 million more than their SOC-less peers."


Why? Probably because these people are focused at Detection and Response, the in the trenches people that can focus at finding bad JuJu by nefarious ne'er-do-wells, OK, Bad Actors ;-). I guess the interviewees for this Ponemon report did not read that Ponemon report...

Back to the original Ponemon report...



Roughly 48% was the average that the companies were 'disappointed' with the protection a security solution they purchased. Maybe their evaluation process, if they even have one, or their list of requirements was poor, or they didn't dedicate the resources to properly evaluate the product, if at all. I would say roughly 48% of the products I evaluate get tossed for poor performance, installation difficulty, user interface or excessive price for value, and failing to pass muster. Do a better job evaluating products and quit believing the sales person or vendor pitch as gospel, take 30, 60 or 90 days and do it right! A fool with a tool is still a fool... But it was in the Magic Quadrant... Maybe that is why Analyst reports scored poorly... They bought the MQ product and were 48% dissatisfied.

For some reason 80% felt Threat Modeling was essential and very important. Not enough info on what they think this means, so I'll pass on this one. The only point I want to make here is that was their highest score across all things surveyed, odd.

The conclusions of the report are beyond comment. Since the study was sponsored by Websense, let's just assume the conclusions leaned to their favor. I would say the conclusions from these two posts are FAR different, other than I agree, OVERHAUL your security solutions.

So who are the people interviewed?



Only 11% were non supervisors, managers, directors or vice presidents... Really? People like us that protect you only made up 11% or so? OK, I am supervisorial type, so let's add them in to raise it to 30%. Less than 1/3 of the interviewees are the doers, in the trench people?

I would venture to say if you were to ask only the 30% with the same company's, country and counts, the results of this survey would be FAR different. Sadly, these are the people we work for. It explains why breaches like:

Target, Neiman Marcus, Michael, Specs, a Goodwill, PF Changs, Sony, TJX, etc.. Etc.. Etc... Keep happening and take so damn long to detect. The 60% need to attend more local ISSA, OWASP, NAISG, InfraGard and ISACA meetings and attend more BSides and other local conferences and read more from people like us that share what you actually DO need to do to cut down on breaches and the costs associated with them.

#InfoSec #HackerHurricane