Using Pizza To Understand The Cloud
Forbes | April 4, 2018
By Dr. Mike Lloyd, RedSeal CTO
Tag Archive for: Mike Lloyd
Who Says Software-Defined Security Is What We Want?
Forbes | Dec 21, 2017
By Dr. Mike Lloyd, RedSeal CTO
Uber Hack: A Bad Breach, But A Worse Cover-Up
The Uber hack is a public lesson that a breach may be bad, but a cover-up is worse. (See Nixon, Richard.) It was a foolish mistake to try to hide an attack of this scale, but then, the history of security is a process where we all slowly learn from foolish mistakes. We live in an evolutionary arms race – our defenses are forced to improve, so the attackers mutate their methods and move on. Academically, we know what it takes to achieve ideal security, but in the real world, it’s too expensive and invasive to be practical. (See quantum cryptography for one example.) Companies rushing to grow and make profits (like Uber) aggressively try to cut corners, but end up finding out the hard way which corners cannot safely be cut.
It’s likely that the stolen data was, in fact, deleted. Why? On the one hand, we would likely have seen bad actors using or selling the data if it were still available. That is, from the attacker’s point of view, data like this is more like milk than cheese – it doesn’t age well. Many breaches are only detected when we see bad guys using what they have stolen, but nobody has reported a series of thefts or impersonations that track back to victims whose connection is that they used Uber.
But we can also see that the data was likely deleted when we think about the motives of the attackers. Our adversaries are thoughtful people, looking for maximum payout for minimum risk. They really don’t care about our names, or trip histories, or even credit card numbers – they just want to turn data into money, using the best risk-reward tradeoff they can find. They had three choices: use the data, delete it, or both (by taking Uber’s hush money, but releasing the data anyway). The problem with “both” is thieves are worried about reputation – indeed, they care more about that than most. (“To live outside the law, you must be honest” – Bob Dylan.) Once you’ve found a blackmail victim, the one thing you don’t do is give up your power over them – if the attackers took the money but then released the data anyway, they could be sure Uber would not pay them again if they broke in again. The cost/benefit analysis is clear – taking a known pot of money for a cover-up is safer and more repeatable than the uncertain rewards of using the stolen data directly.
Perfect Cybersecurity Makes No Business Sense
Forbes | September 21, 2017
By Dr. Mike Lloyd, RedSeal CTO
We’re going through a shift in thinking in cybersecurity. In the old days, we thought one solid line of defense was enough — keep the bad guys out and life would be good. Then we found out that bad guys are wily and would find different ways in. The result was security sprawl: so many technologies, so many ways to defend, but no way to do it all, no way to hire enough experts in all these different techniques.
Keep Up with the Basics
I just came across a WSJ Pro article titled “Inside the NSA: Companies Need to Follow the Basics,” and figured I could offer an “amen.” The NSA gets points for seeing things clearly – but then, I suppose that is their job, whether we like it or not! The area they discuss isn’t easy to write about; in fact, it’s similar to the challenge that investment magazines face. Every month, they have to write about what’s new and interesting as if it will help readers make money, when the best advice is rather boring — buy and hold. What are these magazines supposed to do? Make another cover article out of “Indexing – Still the Great Deal It’s Always Been?”
The same thing happens in network defense. Props to Rob Sloan, the author (and WSJ Pro) for making news out of the point that what we need to do is go back to the basics, and do them well … and then do them well again. The biggest challenge we face in defending our networks is just getting around to doing all the things we already know how to do. Our enemies don’t need to be James Bond villains in super-secret lairs with super-weapons – we leave out many “Welcome to Our Network” mats in the form of unpatched systems and easily evaded perimeters.
The article clearly lays out what we need to do to up our defensive game: first, we have to pay attention to the basics. Second, we have to pay attention to the basics. And yes, third, we have to pay attention to the basics (just like “location, location, location” for real estate). We’re all overwhelmed, but as the article points out, 98% coverage for any given issue isn’t good enough. We need to prioritize and find the 2% we missed, by gathering all our inventory, not just most of it, and testing every asset.
And then, after all that preventative work, we still need to plan for digital resilience. Resilience starts from all that inventory, and mapping of how your business functions and what is critical in your infrastructure. After that, it’s about hardening. And after that, it’s about testing your readiness so you can bounce back from the inevitable assaults. This is exactly what the RedSeal Digital Resilience score measures. We directly quantify the quality of your inventory, then look at hardening, and then at attack readiness.
So, I value the NSA’s perspectives, as reported in the article. The folks at NSA are among the government’s thought leaders for digital resilience. While government execution of cyber ideas isn’t above criticism, their networks are some of the very biggest, and their adversaries are some of the most motivated. For folks in the intelligence community, it’s not paranoia – people really are out to get them, and they plan accordingly. We should listen to their advice.
Business Agility And Security Automation (Or, How The Government Sometimes Gets It Right)
Forbes | July 11, 2017
By Dr. Mike Lloyd, RedSeal CTO
A healthy, growing business is a risky business. Why? Modern businesses must innovate, change and grow continuously to stay ahead of the competition. Normally, we look at business agility as a good thing — a differentiator; a challenge to be embraced; a way to shake the invisible hand that drives our world. But from a security viewpoint, all this change is a problem, especially for cybersecurity.
Don’t Let Complex Networks Ground Your Operations
Forbes | April 25, 2017
By Dr. Mike Lloyd, RedSeal CTO
The Wall Street Journal recently wrote (paywall) about the fragile nature of airline IT infrastructure. They highlighted the way that a single point of failure, such as a failed router, can ripple out to impact global operations. This can happen to any of us when we can’t track which objectives depend on particular technology pieces in our complex environments.
While the WSJ article pinpointed the problem in one specific industry and characterized it as an issue with “aging” technology, the problem is both more widespread and subtle than that. Working at RedSeal, I get to see inside the networks of many different types of organizations — civilian, military, global, tiny. One thing they all share: complexity.
Security Automation: Game Changer to Boost IT Productivity and Network Resilience
INFORMATION AGE | April 19, 2017
By Dr. Mike Lloyd, RedSeal CTO
Pick up a newspaper on any given day in 2017 and you’re likely to read the latest chapter in a long-running story: security professionals versus the hackers. Recent revelations around Russian state-sponsored involvement in the 2013 Yahoo hack, and the WikiLeaks-managed exposure of a trove of CIA-developed exploits, means those hackers could even be government employees.
This is a story without an end – a battle which is just getting started. That’s bad news for IT leaders already stretched to the limit by a lack of human resources in their security departments.
Banks Must Focus More on Cyber-Risk
DARK READING | April 5, 2017
By Dr. Mike Lloyd, RedSeal CTO
In late 2016, just after the distributed denial-of-service attack on the DNS infrastructure, I sat in my hotel room staring at a cryptic URL error on my laptop after attempting to buy a train ticket, wondering what it meant. Was my credit card compromised? Did I have a ticket? Should I do anything to protect my identity and financial security?
Every day, millions of Americans conduct billions of digital financial transactions with the corner grocery store, online retailers, and banks. We buy things and pay for them; we pay rent, credit card, and utility bills; and we scan smartphone screens at payment readers. Online financial interactions are continuous, intertwined, and essential to everyday life. They are also under ever-more threats from cyberattack. What can be done to defend against the constant barrage of successful exploits?
Negative Unemployment: That Giant Sucking Sound In Security
FORBES | March 21, 2017
By Dr. Mike Lloyd, RedSeal CTO
Businesses everywhere are facing the fact: the security talent pool is dry. I spoke to a manager recently who had hired a security analyst after eight months of searching. Each month he had reduced the requirements and increased the salary. Needless to say, in the end, he was getting less than he wanted for a lot more money. If you are a security professional, this seems great – we have one of the few jobs that are not about to be replaced with automation, and there’s no end in sight to the skills shortage.
But if we take a wider view, this is a big economic problem. Security work is either not getting done, or is being done by people who lack the background or aptitude.