Breaking the Log Jam – Data for Informed Cyber-Insurance

SC Magazine UK| May 2, 2018 

Feat. Dr. Mike Lloyd, RedSeal CTO

The problem of cyber-insurance is lack of data for understanding risk: but third party technologies can measure and quantify the defensive state and breach risk of each organisation by using standardised, repeatable yardsticks.

Cyber-security is approaching an inflection point, where several major forces are combining to produce a much-needed breakthrough.  The reason why: cyber-insurance.

Are You Ready for GDPR?

Intelligent CISO | May 1, 2018 | Page 36 -39

Feat. Dr. Mike Lloyd, RedSeal CTO

With a recent Veritas study indicating that more than half of organisations are yet to start work on meeting the minimum requirements set by the General Data Protection Regulation (GDPR), the clock is well and truly ticking away. The EU’s GDPR comes into force in May so it’s vital that CISOs focus on the impending deadline and look into the future to avoid the significant fines that can be imposed.

Here we speak to industry experts to ask what those companies who have some catching up to do really need to know about demonstrating their compliance to GDPR.

Using Pizza To Understand The Cloud

Forbes | April 4, 2018

By Dr. Mike Lloyd, RedSeal CTO

It’s a tech evangelist’s worst nightmare. I was forced to explain something complex to a non-technical audience who would rather be doing almost anything else. I found myself in front of a sales force while they were in a vacation mood — possibly involving alcohol. We reward our sales overachievers with a vacation. It’s mostly focused on celebrating their success, but with some light company business thrown in. I was the speaker for a late afternoon session, on the topic of the cloud — and the next item on the agenda was the bar.

My assigned topic was cloud networks — a topic familiar to all, but still fuzzy, just like real clouds. It’s been several years since the famed survey that showed people thought bad weather was a problem for cloud computing.

Who Says Software-Defined Security Is What We Want?

Forbes | Dec 21, 2017

By Dr. Mike Lloyd, RedSeal CTO

Gartner’s Hype Cycle is always a fun read. For the 2017 version, I’d like to draw your attention to the dot for Software-Defined Security — you can find it sliding down the precipitous slope from the Peak of Inflated Expectations to the Trough of Disillusionment.

It’s easy to trace the rise and fall. Back in 2014, there was no Software-Defined-Security marker, but Gartner’s annual chart of hype, hope and hallucination had an entry for Software-Defined Anything (way over on the far left), where dreams turn into … well, more dreams (at least for a while). The intervening years saw Software-Defined Security charge up that first hill of expectations, crest over and eventually slide down.

Uber Hack: A Bad Breach, But A Worse Cover-Up

The Uber hack is a public lesson that a breach may be bad, but a cover-up is worse.  (See Nixon, Richard.)  It was a foolish mistake to try to hide an attack of this scale, but then, the history of security is a process where we all slowly learn from foolish mistakes.  We live in an evolutionary arms race – our defenses are forced to improve, so the attackers mutate their methods and move on.  Academically, we know what it takes to achieve ideal security, but in the real world, it’s too expensive and invasive to be practical.  (See quantum cryptography for one example.)  Companies rushing to grow and make profits (like Uber) aggressively try to cut corners, but end up finding out the hard way which corners cannot safely be cut.

It’s likely that the stolen data was, in fact, deleted.  Why?  On the one hand, we would likely have seen bad actors using or selling the data if it were still available.  That is, from the attacker’s point of view, data like this is more like milk than cheese – it doesn’t age well.  Many breaches are only detected when we see bad guys using what they have stolen, but nobody has reported a series of thefts or impersonations that track back to victims whose connection is that they used Uber.

But we can also see that the data was likely deleted when we think about the motives of the attackers.  Our adversaries are thoughtful people, looking for maximum payout for minimum risk.  They really don’t care about our names, or trip histories, or even credit card numbers – they just want to turn data into money, using the best risk-reward tradeoff they can find.  They had three choices: use the data, delete it, or both (by taking Uber’s hush money, but releasing the data anyway).  The problem with “both” is thieves are worried about reputation – indeed, they care more about that than most.  (“To live outside the law, you must be honest” – Bob Dylan.)   Once you’ve found a blackmail victim, the one thing you don’t do is give up your power over them – if the attackers took the money but then released the data anyway, they could be sure Uber would not pay them again if they broke in again.  The cost/benefit analysis is clear – taking a known pot of money for a cover-up is safer and more repeatable than the uncertain rewards of using the stolen data directly.

Perfect Cybersecurity Makes No Business Sense

Forbes | September 21, 2017

By Dr. Mike Lloyd, RedSeal CTO

We’re going through a shift in thinking in cybersecurity. In the old days, we thought one solid line of defense was enough — keep the bad guys out and life would be good. Then we found out that bad guys are wily and would find different ways in. The result was security sprawl: so many technologies, so many ways to defend, but no way to do it all, no way to hire enough experts in all these different techniques.

Keep Up with the Basics

RedSeal Blog - Keep Up with the Basics

I just came across a WSJ Pro article titled “Inside the NSA: Companies Need to Follow the Basics,” and figured I could offer an “amen.” The NSA gets points for seeing things clearly – but then, I suppose that is their job, whether we like it or not! The area they discuss isn’t easy to write about; in fact, it’s similar to the challenge that investment magazines face. Every month, they have to write about what’s new and interesting as if it will help readers make money, when the best advice is rather boring — buy and hold.  What are these magazines supposed to do?  Make another cover article out of “Indexing – Still the Great Deal It’s Always Been?”

The same thing happens in network defense. Props to Rob Sloan, the author (and WSJ Pro) for making news out of the point that what we need to do is go back to the basics, and do them well … and then do them well again.  The biggest challenge we face in defending our networks is just getting around to doing all the things we already know how to do. Our enemies don’t need to be James Bond villains in super-secret lairs with super-weapons – we leave out many “Welcome to Our Network” mats in the form of unpatched systems and easily evaded perimeters.

The article clearly lays out what we need to do to up our defensive game: first, we have to pay attention to the basics. Second, we have to pay attention to the basics. And yes, third, we have to pay attention to the basics (just like “location, location, location” for real estate). We’re all overwhelmed, but as the article points out, 98% coverage for any given issue isn’t good enough. We need to prioritize and find the 2% we missed, by gathering all our inventory, not just most of it, and testing every asset.

And then, after all that preventative work, we still need to plan for digital resilience. Resilience starts from all that inventory, and mapping of how your business functions and what is critical in your infrastructure. After that, it’s about hardening. And after that, it’s about testing your readiness so you can bounce back from the inevitable assaults. This is exactly what the RedSeal Digital Resilience score measures. We directly quantify the quality of your inventory, then look at hardening, and then at attack readiness.

So, I value the NSA’s perspectives, as reported in the article. The folks at NSA are among the government’s thought leaders for digital resilience. While government execution of cyber ideas isn’t above criticism, their networks are some of the very biggest, and their adversaries are some of the most motivated.  For folks in the intelligence community, it’s not paranoia – people really are out to get them, and they plan accordingly.  We should listen to their advice.

Business Agility And Security Automation (Or, How The Government Sometimes Gets It Right)

Forbes | July 11, 2017

By Dr. Mike Lloyd, RedSeal CTO

A healthy, growing business is a risky business. Why? Modern businesses must innovate, change and grow continuously to stay ahead of the competition. Normally, we look at business agility as a good thing — a differentiator; a challenge to be embraced; a way to shake the invisible hand that drives our world. But from a security viewpoint, all this change is a problem, especially for cybersecurity.

Don’t Let Complex Networks Ground Your Operations

Forbes | April 25, 2017

By Dr. Mike Lloyd, RedSeal CTO

The Wall Street Journal recently wrote (paywall) about the fragile nature of airline IT infrastructure. They highlighted the way that a single point of failure, such as a failed router, can ripple out to impact global operations. This can happen to any of us when we can’t track which objectives depend on particular technology pieces in our complex environments.

While the WSJ article pinpointed the problem in one specific industry and characterized it as an issue with “aging” technology, the problem is both more widespread and subtle than that. Working at RedSeal, I get to see inside the networks of many different types of organizations — civilian, military, global, tiny. One thing they all share: complexity.

Security Automation: Game Changer to Boost IT Productivity and Network Resilience

INFORMATION AGE | April 19, 2017

By Dr. Mike Lloyd, RedSeal CTO

Pick up a newspaper on any given day in 2017 and you’re likely to read the latest chapter in a long-running story: security professionals versus the hackers. Recent revelations around Russian state-sponsored involvement in the 2013 Yahoo hack, and the WikiLeaks-managed exposure of a trove of CIA-developed exploits, means those hackers could even be government employees.

This is a story without an end – a battle which is just getting started. That’s bad news for IT leaders already stretched to the limit by a lack of human resources in their security departments.