Archive for the ‘Security’ Category

Cyber Effectiveness and the CED KPI

Thursday, November 22nd, 2018

Cyber effectiveness and the Cyber Event Days (CED) key performance indicator are inextricably linked with one another.

Improving one improves the other: CED improvements result in better cyber effectiveness.

In fact it is the Cyber Event Days KPI that reveals the diagnostic of what to do next to improve the effectiveness of Cyber programs, but only if you know what to look for and how to use it.

  • For some, CED KPI measures are in the low single digits.
  • For others CED measures are in the tens-of-thousands.
  • For most, CED measures fall somewhere between the two extremes.

So what is this CED (Cyber Event Days) KPI?


The Top 15 Cyber Spending Countries

Wednesday, October 3rd, 2018

Do you know which are the top 15 Cyber Spending Countries of the world?

We did not know the answer to the question prior to completing our most recent research.

But now we know.

And we have to say we are a bit surprised at some of the answers.

We are especially struck by the differences in cyber spend by country.

But it is not just spend by country that is instructive to look at, it is also spend by region of the world that is illuminating.

Some of our findings from our most recent cyber spend research include the following:


Cyber’s ODI Operating Model – The Future of Cyber Security

Wednesday, August 8th, 2018

Cyber's ODI Operating Model is the emerging future of cyber security.

This operating data intelligence (ODI) model will take over Cyber operations and will be driven by data.

However, as an actual set of realized practices today, Cyber’s ODI does not yet exist in full regalia and will not for some time.

Despite being emergent, ODI is the unstoppable future of Cyber.

Let’s take the covers off Cyber's ODI and peek at what it is, why it is the future of Cyber, and what to expect of it.

But before we do, let’s review today’s dominant Cyber operating models.


Cyber’s ESD Operating Model – Balancing Risk-Reward for the Digital Value Chain

Thursday, June 28th, 2018

Cyber's ESD Operating Model (Eco Stack Defense) is a balancing act – with real world consequences – played out every day by organizations around the world.

For enterprises with the least effective cyber security results, the ESD Eco Stack is an unknown, unseen and unused operating model. For those with the most effective results, Cyber's ESD is standard operating procedure.

Where do you fit?

Wellington’s ongoing research reveals global population breakouts of 20 percent at the bottom, 68 percent in the middle, and 12 percent at the top, going from least to most cyber effective.

Whether you are in the bottom, in the middle, or at the top, understanding and improving your ESD Eco Stack effectiveness is the same thing as becoming more cyber effective.

Read further to discover what Cyber’s ESD Eco Stack is, why it’s important, and what you should consider doing about it.


Cyber’s CDA Operating Model – Both Ends Against the Middle

Friday, June 15th, 2018

For Cyber security, Cyber's CDA Operating Model is, in practice, both ends operating against the middle.

Both ends of CDA are focused on one thing, and one thing only: appropriate controls to manage the risk of using digital.

In the case of CDA, one of its ends consists of all the activities focused on prevention, while those at the other end are focused on improvement.

Stuck in the middle are all the activities focused on detection.

The effectiveness of any enterprise cyber program is measured by the turn-around time from one end of CDA to the other.

Reducing this time close to zero – which can be approached but like any asymptote is impossible to achieve – is a sine-qua-non for cyber security.

Effective cyber security managers do CDA better than others, and those who keep the dance between its two ends in harmony are among industry leaders.


Lots and Lots of Cyber Security Companies

Sunday, June 3rd, 2018

There are lots and lots of cyber security companies.

Did I say there are lots of them?

There are lots and lots of cyber security companies.

We are compiling data on cyber security companies, and we recently passed more than 800 such companies. We are still counting.

The more we dig into this segment of the digital landscape, the more we find unseen numbers of cyber security companies around the world. Locating one or two leads to finding another five to ten cyber security companies we had not seen before.

As we continue to survey the number of companies delivering cyber security services, products, subscriptions and managed - fixed fee - services, we are amassing troves of information.

For example, we've found the following:

  • 10 percent of cyber security companies are pure startups with fewer than 10 employees and less than $1 million in revenue
  • Another 10 percent of cyber security companies are established companies with more than 1,000 employees and more than $250 million in revenue
  • The other 80 percent of cyber security companies fall somewhere between these two, with between 10 and 1,000 employees and between $1 million and $250 million in revenue


Cyber Security Operating Models and Cyber Effectiveness

Monday, May 21st, 2018

Cyber Security Operating Models and Cyber Effectiveness.

Operating Models for Cyber Security

An operating model involves all the resources available to an organization to operate: it expresses how a company delivers value to its stakeholders, customers and other beneficiaries, and how the organization is structured to operate day-to-day.

As such, operating models are an expression of the effectiveness and efficiency of the use and allocation of resources to achieve stated aims and objectives.

When it comes to cyber security the common aims and objectives often include:

  • Keeping the name of the CEO and the company out of the limelight for having been 'compromised'
  • Staying ahead of the attacks and vulnerabilities to achieve the above
  • Engaging risk-appropriate controls to accelerate digital transformation projects

These are a few of the common objectives for cyber security.

Others are those normally associated with its measures, such as rates of patches applied, numbers of data loss/compromise events, and number of unresolved cyber event sequences among others.
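The CDA post above measures effectiveness by the turn-around time from the prevention end to the improvement end, and the measures listed here include the number of unresolved cyber event sequences. Both can be computed from a few timestamps per event sequence. The following is an added example (not Wellington Research's code or tooling) over constructed, hypothetical sequence records; the field names started/detected/improved and the cut-off date are assumptions.

```python
"""Turn-around time across the two ends of CDA, and the count of unresolved
event sequences, computed from constructed timestamped records."""
from datetime import datetime
from statistics import median

# Constructed, hypothetical records (not real incident data). A sequence starts when
# prevention was bypassed, is detected some time later, and is closed when the
# improvement (containment or fix) lands. 'improved' is None while it is still open.
SEQUENCES = [
    {"id": "seq-1", "started": "2018-05-01T08:00", "detected": "2018-05-01T09:30", "improved": "2018-05-01T17:00"},
    {"id": "seq-2", "started": "2018-05-02T22:00", "detected": "2018-05-05T10:00", "improved": "2018-05-06T12:00"},
    {"id": "seq-3", "started": "2018-05-10T00:00", "detected": "2018-05-10T00:05", "improved": None},
    {"id": "seq-4", "started": "2018-05-11T12:00", "detected": "2018-05-11T12:20", "improved": "2018-05-11T13:00"},
]


def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def cda_metrics(sequences=SEQUENCES, as_of="2018-05-12T00:00"):
    """Per-sequence detection lag, improvement lag and end-to-end turn-around,
    plus the unresolved backlog aged as of `as_of` (the assumed reporting date)."""
    closed, unresolved = [], []
    for s in sequences:
        row = {"id": s["id"], "detection_h": hours_between(s["started"], s["detected"])}
        if s["improved"] is None:
            # still in the middle of CDA: detected but not yet improved
            row["age_h"] = hours_between(s["started"], as_of)
            unresolved.append(row)
        else:
            row["improvement_h"] = hours_between(s["detected"], s["improved"])
            row["turnaround_h"] = hours_between(s["started"], s["improved"])
            closed.append(row)
    turnarounds = [r["turnaround_h"] for r in closed]
    return {
        "closed": closed,
        "unresolved": unresolved,
        "unresolved_count": len(unresolved),
        "median_turnaround_h": median(turnarounds) if turnarounds else None,
        "worst_turnaround_h": max(turnarounds) if turnarounds else None,
        "oldest_open_h": max((r["age_h"] for r in unresolved), default=0.0),
    }


if __name__ == "__main__":
    m = cda_metrics()
    for r in m["closed"]:
        print(f'{r["id"]}: detect {r["detection_h"]:.1f}h, improve {r["improvement_h"]:.1f}h, total {r["turnaround_h"]:.1f}h')
    print("unresolved:", m["unresolved_count"], "oldest open (h):", m["oldest_open_h"])
    print("median turn-around (h):", m["median_turnaround_h"], "worst (h):", m["worst_turnaround_h"])
```

Reporting the median and the worst case separately matters: a single long-running sequence (seq-2 here) dominates an average, while the open backlog and its oldest member show where the middle of CDA is currently stuck.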


2018 Cyber Security Spend Report

Monday, May 7th, 2018

Wellington Research's 2018 Cyber Security Spend Report is now available.

Featuring global market spend for all things cyber, the report covers aggregate spending on cyber security from now through 2022.

In addition, the report covers the allocation of spend on cyber across its many different procedures that are more or less automated by security products and services. Furthermore, the report covers the allocation of spend up and down the enterprise Eco-stacks, from spending on cyber for end-to-end value chain business processes to spending on cyber for digital infrastructures.

The 2018 Cyber Security Spend Report delivers a look at current market spend white spaces and discusses some of the factors influencing spend - going forward - for cyber security from our ongoing research.

Broad Spectrum Security Force Multipliers and Market Adoption

Saturday, March 10th, 2018

Broad spectrum force multipliers amplify the output produced for a given amount of work.

Examples of force multipliers in our daily lives are pulleys, levers, wheels, axles, gears, ramps, wedges, screws and hydraulics - such as brake lines on automobiles - that exert more force for the level of effort. Some of the more exotic forms of force multipliers are power plants that convert one form of latent energy into another through the use of machines that do the conversion work.

What about digital security?

What are some of the force multipliers - agents that amplify the output of the work done - of digital security?

A few of the many force multipliers of digital security include:

  • Active Directory
  • Anomaly detection
  • Antivirus and anti-malware systems
  • Certificate key management systems
  • OAuth and OpenID
  • SIEM



Security’s Insecurity Problems

Saturday, February 3rd, 2018

Security's insecurity problems. Do you know what they are?

The problems are related to what our five senses do and all they offer. They are related to physical sensors designed and used by people and all they deliver. Its problems are related to neurons and synapses and all they convey. And security's insecurity problems are related to the human limbic system with its learning, memory and autonomic processes. And there is growing evidence that security's insecurity is related to health, food and other fundamental human needs. Farther afield, security's insecurity problems are related to transcription, DNA expression, gene encoding and metabolic reactions.

Are you lost yet?

After all this is a pretty broad set of topics without seeming rhyme or theme.

Can you tell what security's insecurity problems are?

More hints:

  • Security refers to being free of potential harm or threat
  • Most often this free from potential harm is from an external force or agent
  • Sometimes it can be free from internal harm
  • Insecurity is its opposite

Q1: How do you know these things?

Q2: When do you know these things?

Q3: Can we have security and insecurity simultaneously?


Will Enterprise IT Security Ever Converge?

Sunday, December 24th, 2017

Will the current state of enterprise IT security ever converge? And if it does, should it?

The funding, direction and delivery of enterprise IT security is currently split between different departments. And, what's interesting to note is that this splitting of the IT security function is expressly established by design among most enterprises.

The three primary organizational buckets from which enterprise IT security is delivered at most enterprises include:

  • The IT operations department
  • Business units and operations
  • The IT security group

The extent of the divisions among these three very different stakeholder groups is reinforced by separate budgets that fund and operate enterprise IT security.

Although there is not total harmonization across enterprises, the responsibilities for IT security tend to follow predictable lines of focus across most enterprises.

These lines of focus tend to include:


Is SIEM Dead – or is SIEM being Transformed?

Saturday, November 11th, 2017

Is SIEM dead - or is SIEM being transformed?

For those not familiar with it, SIEM is a combination of security event management (SEM) and security information management (SIM).

It is two parts - SEM and SIM - that when joined together make for something else entirely.

SEM.  The SEM part of SIEM is focused on quasi real-time monitoring and correlation of security-relevant events and alerting and notification necessary to warn human operators - typically a trained security analyst - to pay attention and take action.

SIM.  The SIM part of SIEM is focused on storage and post-event analysis of SEM related data and reporting - often lumped together with security forensics - about the data aggregated through a SEM system.
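To make the SEM/SIM split concrete, here is an added example (not from this post, and not any SIEM vendor's code) that runs both halves over a handful of constructed SSH authentication log lines. The SEM half keeps a sliding window per source address and raises an alert the moment a success follows a burst of failures; the SIM half works over the stored events afterwards and produces the per-source summary an analyst would pull up during post-event analysis. The log format, the five-failure threshold and the 60-second window are assumptions chosen for the example.

```python
"""SEM-style real-time correlation and SIM-style retrospective reporting
over constructed SSH authentication log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real host). Format assumed:
# <iso-timestamp> <process> <action> key=value ...
SAMPLE_LOGS = """\
2017-11-11T10:00:01 sshd auth_failed user=root src=203.0.113.7
2017-11-11T10:00:04 sshd auth_failed user=admin src=203.0.113.7
2017-11-11T10:00:09 sshd auth_failed user=admin src=203.0.113.7
2017-11-11T10:00:12 sshd auth_failed user=deploy src=203.0.113.7
2017-11-11T10:00:15 sshd auth_failed user=deploy src=203.0.113.7
2017-11-11T10:00:20 sshd auth_ok user=deploy src=203.0.113.7
2017-11-11T10:05:00 sshd auth_failed user=alice src=198.51.100.3
2017-11-11T10:30:00 sshd auth_ok user=alice src=198.51.100.3
"""

FAIL_THRESHOLD = 5              # assumed rule parameters
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one log line into a dict with ts/proc/action plus the key=value fields."""
    ts, proc, action, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "proc": proc, "action": action, **fields}


def sem_correlate(events):
    """SEM part: process events in arrival order, keep a per-source window of recent
    failures, and alert when a success arrives while >= FAIL_THRESHOLD failures from
    the same source are inside WINDOW (brute force that finally succeeded)."""
    recent_failures = defaultdict(deque)
    alerts = []
    for ev in events:
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > WINDOW:   # expire failures outside the window
            q.popleft()
        if ev["action"] == "auth_failed":
            q.append(ev["ts"])
        elif ev["action"] == "auth_ok" and len(q) >= FAIL_THRESHOLD:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "user": ev["user"],
                           "failures": len(q), "rule": "brute_force_then_success"})
            q.clear()                            # one alert per burst
    return alerts


def sim_report(events):
    """SIM part: retrospective summary over the stored event set, per source."""
    per_src = defaultdict(lambda: {"failed": 0, "ok": 0, "users": set()})
    for ev in events:
        s = per_src[ev["src"]]
        s["failed" if ev["action"] == "auth_failed" else "ok"] += 1
        s["users"].add(ev["user"])
    return {src: {"failed": s["failed"], "ok": s["ok"], "distinct_users": len(s["users"])}
            for src, s in per_src.items()}


def run(log_text=SAMPLE_LOGS):
    """Parse, correlate (SEM) and summarise (SIM); returns (alerts, report)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return sem_correlate(events), sim_report(events)


if __name__ == "__main__":
    alerts, report = run()
    for a in alerts:
        print("ALERT", a)
    for src, summary in report.items():
        print(src, summary)
```

Note the failure mode the window handles: the second source fails once and then logs in successfully twenty-five minutes later, which the SEM rule correctly ignores, while the SIM report still records that failure for anyone reviewing the source later.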

The now commonplace rapid-fire media coverage of cyber-attacks, one after another, raises the question: is SIEM up to the job or not?

Let's find out whether SIEM is dead or simply being transformed.


No CMDB – Problem or Opportunity?

Saturday, October 14th, 2017

Do you have no CMDB and does this represent a problem or opportunity for you?

For those not familiar with the term, CMDB stands for Configuration Management Database. Traditionally, such a database contains relevant information about the IT infrastructure, IT services, and the relationships between the two.

Increasingly, CMDB encompasses the relationships - and digital services - external to the enterprise.

Such digital services as containers, APIs, virtual services, third-party service providers, Cloud services, managed services, and supply-chain services are but some of the external digital services the enterprise increasingly relies on for operations.
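The value of a CMDB is in the relationships, not the inventory. As an added example (not from this post, and not a real CMDB product), the following models a handful of hypothetical configuration items, including the container, cloud platform and third-party services the paragraph above mentions, as a dependency graph, and answers the two questions an incident responder asks of it: what breaks if this item fails or is compromised, and what does this business service rely on that sits outside the enterprise. All names and relationships are constructed.

```python
"""A minimal CMDB as a dependency graph, with blast-radius and supply-chain queries."""
from collections import defaultdict, deque

# Constructed configuration items (hypothetical names).
# ci_name -> (ci_type, location, [CIs this one depends on])
CMDB = {
    "orders-web":    ("service",   "internal",    ["orders-api", "cdn-provider"]),
    "orders-api":    ("container", "internal",    ["orders-db", "payments-saas", "k8s-prod"]),
    "orders-db":     ("database",  "internal",    ["db-host-01"]),
    "db-host-01":    ("host",      "internal",    []),
    "k8s-prod":      ("platform",  "cloud",       []),
    "payments-saas": ("api",       "third-party", []),
    "cdn-provider":  ("managed",   "third-party", []),
    "hr-portal":     ("service",   "internal",    ["hr-db"]),
    "hr-db":         ("database",  "internal",    ["db-host-01"]),
}


def dependents_index(cmdb):
    """Reverse edges: ci -> set of CIs that depend on it. Rejects dangling references,
    which is exactly the data-quality problem a real CMDB accumulates."""
    rev = defaultdict(set)
    for ci, (_, _, deps) in cmdb.items():
        for d in deps:
            if d not in cmdb:
                raise KeyError(f"{ci} depends on unknown CI {d}")
            rev[d].add(ci)
    return rev


def impact_of(ci, cmdb=CMDB):
    """Everything that transitively depends on `ci`: the blast radius if it fails
    or is compromised. Breadth-first with a visited set, so cycles cannot loop."""
    rev = dependents_index(cmdb)
    seen, queue = set(), deque([ci])
    while queue:
        cur = queue.popleft()
        for parent in rev[cur]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return sorted(seen)


def depends_on(ci, cmdb=CMDB):
    """Everything `ci` transitively relies on: its supply chain and attack surface."""
    seen, queue = set(), deque([ci])
    while queue:
        cur = queue.popleft()
        for d in cmdb[cur][2]:
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return sorted(seen)


def external_exposure(ci, cmdb=CMDB):
    """The part of the dependency chain that lives outside the enterprise."""
    return [d for d in depends_on(ci, cmdb) if cmdb[d][1] != "internal"]


if __name__ == "__main__":
    print("if db-host-01 goes down:", impact_of("db-host-01"))
    print("orders-web relies on:", depends_on("orders-web"))
    print("outside the enterprise:", external_exposure("orders-web"))
```

Without the relationship edges, a compromise of db-host-01 looks like a single-host event; with them, it is visibly an orders and HR outage, and the external_exposure query is the list of suppliers whose security posture is now part of yours.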

So what is the relevance of a CMDB?

Let's find out.


Can You Say Security as a Service?

Sunday, September 17th, 2017

Security as a service is the future of security, and its future is now.

In the old days we used to code a lot. "What's that", you say? It was the day when we flipped toggle switches on the front panel of the machine to bootload the system image, loaded a paper tape to a memory location, loaded a card deck that had been punched at a teletypewriter, and used LA36 DECwriters with a modem to type in programs.

We used vi, emacs, notepad, and XEDIT among many other editors. We invented many different assemblers, microcode, Fortran, Basic, Algol, Forth, C, APL, and Java among many other programming languages. And we learned how to manipulate and move data from one state to another, from one repository to another, and developed business workflow software applications to automate business functions and then, later, to automate end-to-end business processes. And although we still code a lot today, what we do is changing from writing algorithms to move data to using algorithms that operate on data to develop more predictive algorithms for interpreting data, in a virtuous ML cycle that builds on past breakthroughs in ML.

And therein lies the rub for security. The future of security lies not in more whack-a-mole alternatives - although there are still a few breakthroughs to be made - but in where its code runs. In the old days security code ran on the local network. That's where real men ran security after all. Today it doesn't.  In fact, if security code is running on the local network it means the mediation the security control is implementing is one that cannot easily be scaled, inspected, analyzed, replicated, debugged, updated, modified, upgraded, or replaced.


Bots Change Security – Are You Ready?

Wednesday, August 2nd, 2017

Bots change security - at least that's the view of most forecasters.

But what does it mean that bots change security, and what kind of bots? Are we talking about:

  • Programmed scripted bots, as in robotic process automation otherwise known as RPA?
  • Programmed machine- and data- learning pattern recognition and response bots?
  • Human learning bots using natural language processing (NLP)?
  • As yet unseen artificial intelligence bots?

Exactly what kind of bots makes a difference, and where these are applied makes a bigger difference.

Let's find out more.


Dealing with the Security Vendor Merry-Go-Round

Saturday, April 1st, 2017

I had the opportunity to listen to a number of security vendors pitch their stuff and some of the recent Merry-Go-Round sounds pretty impressive until you start digging into it. Here are a few of the stories with names and specifics redacted to protect the innocent.

Vendor One

This provider of security stuff energized their strategy around machine learning and data science and made it the centerpiece of their products. And, truth be told, it's actually quite a good strategy.

I'm not sure about the execution as I did not have the opportunity to get my fingers, hands, and brain dirty playing with the stuff and have not had the opportunity to talk with some of their customers who've had the opportunity to do likewise. What I don't know is whether any customers have yet used it as the vendor would not provide any insight into customer uses: usually not a good sign. I sure hope they move to reality soon.

So, I'll pass on judging where along the path this vendor is in transforming what has been a pile of disconnected point products into something that can be powered by patterns found in data. But, I'm hoping they get there.


Artificial Intelligence – Cybersecurity’s Future

Saturday, February 25th, 2017

There was some controversy emerging from the most recent RSA conference when the CTO of RSA, Zulfikar Ramzan, was quoted on Wednesday as saying: "I think it [the technology of machine learning] moves the needle. The real open question to me is how much has that needle actually moved in practice?" What he did not address is the intelligence that is going to change the entire industry.

This is probably an understandable reaction to the state of the market for security products and services today with all manner of technology product vendors and service providers claiming their "solution" uses the latest ... machine learning, cognitive (my favorite marketing buzzword term) and artificial intelligence ... take your pick, powered security Swiss Army knife. Moreover, this has been going on now for a few years as new end-point detection and recovery systems have hit the market powered by AI, and all manner of other security tools.

The point Zulfikar was trying to make is that it is hard - for some - to separate marketing buzz from reality when it comes to the latest AI-powered security tools. But I think this attitude is condescending. Most IT security buyers who have been around more than a few years have specially equipped radar for BS and can smell it in the air. What did not get covered at the RSA conference is the huge impact AI is going to have on the entire industry, impacts that are not too far in the future.


The Changing Nature of SOCs

Thursday, December 29th, 2016

Security Operations Centers (SOCs) are largely confined to use by big businesses and governments, especially large federal governments and large enterprises among the global 1,000.

Unfortunately, the resources - and available security talent - that are common among global 1,000 and large federal governments are not common among local governments, small businesses, and most healthcare service delivery institutions. And the numbers back this up, if data breaches are representative performance indicators.

Data Breach and Cybercrime Indicators

For example, the data breach statistics of the Identity Theft Resource Center reveal that it is the combination of the medical, healthcare and business sectors that accounts for the largest share - averaging almost eight-in-ten (79 percent) - of data breach events tracked by the center between 2012 and 2016.

By comparison, the data from Hackmageddon for November 2016 reveals that 80 plus percent of cyberattacks it tracks are due to cybercrime, with the majority of these directed at three industry sectors: hotel and hospitality sector (23.5 percent), the retail sector (17.6 percent), and the entertainment sector (11.8 percent).


Security’s Universal Truths

Tuesday, November 22nd, 2016

Security's Universal Truths

There are several universal truths about security, including:

  • There are no silver bullets
  • There is no perimeter
  • There is no security, only degrees of risk
  • If you turn off the power, you might have no risk, and even then I'm not sure
  • Security is not secrecy

Silver Bullets and the Lone Ranger

The first one is obvious. We've been living with this - and continue to live with it - for more than three decades. From the so-called "trusted systems" of thirty years ago through the present, we fundamentally do not trust any one control to be an absolute when it comes to "security", a word we use with abandon.

Nevertheless, because we use the word security with abandon, it becomes short-hand for "Just fix it", "I don't have time", and "It better work" among other things. As a result, despite the fact we know rationally there are no silver bullets, our day-to-day life experience says we aim for, promise, and then fall on our swords when the silver bullets don't work their magic. By the way, who is that masked man?


The Digital Transformation of Security

Thursday, October 20th, 2016

The digital transformation of security is underway: are you prepared for it?

Our security practices have grown up in and around the combination of procedures and technology tools we use to implement them. We are very proud of our defense-in-depth security approaches. We revel in their coverage and speak of their architectures. The only problem is they don't work. If they did, we wouldn't be on the defensive, worried about where our systems, networks and data have been compromised most recently.

Identity and access

For instance, one of our most common process/technology buckets involves vetting someone is who they claim to be (have you ever heard of a user id and a password?) and then making programmatic decisions about what that account/person/software process acting on behalf of that account/person can do/access/etc.

Better known by its moniker IAM - identity and access management - it uses combinations of procedures and technologies to identify and authorize people, data, network systems and components, software services, systems and assets, and cryptographically sealed data, among other things.
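The two halves of that bucket, vetting who someone is and then deciding what they (or a process acting for them) may do, are worth seeing as separate steps in code. The following is an added example, not code from this post or from any IAM product: a password check against a salted PBKDF2 hash, followed by a role-based authorization decision, with the case of a service process acting on behalf of a user handled by intersecting the two principals' permissions so delegation never grants more than either party holds alone. The accounts, roles, permissions and iteration count are all constructed assumptions.

```python
"""Authentication (who are you) followed by authorization (what may you do),
as separate steps, including a process acting on behalf of a user."""
import hashlib
import hmac
import os

PBKDF2_ITERS = 100_000   # assumed work factor; tune to your hardware
DUMMY_SALT, DUMMY_HASH = b"\x00" * 16, b"\x00" * 32


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt when none is supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


# Constructed credential store: hypothetical accounts, passwords only exist here
# so the example is self-contained.
USERS = {name: hash_password(pw) for name, pw in [
    ("alice", "correct horse battery staple"),
    ("svc-report", "s3rv1ce-secret"),
]}

ROLES = {"alice": {"analyst"}, "svc-report": {"reporter"}}
PERMISSIONS = {                     # role -> set of (action, resource)
    "analyst":  {("read", "alerts"), ("ack", "alerts"), ("read", "reports")},
    "reporter": {("read", "reports"), ("write", "reports"), ("read", "alerts")},
}


def authenticate(username, password):
    """Identity step: returns a principal dict on success, else None.
    Unknown users still pay the full hash cost and a constant-time compare,
    so response timing does not reveal which account names exist."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    if username in USERS and hmac.compare_digest(candidate, stored):
        return {"user": username, "roles": ROLES.get(username, set()), "on_behalf_of": None}
    return None


def delegate(actor, user):
    """A process (actor) acting on behalf of a user carries both identities."""
    return {**actor, "on_behalf_of": user}


def permissions_of(principal):
    return set().union(*(PERMISSIONS.get(r, set()) for r in principal["roles"]))


def authorize(principal, action, resource):
    """Access step: the decision about what this principal may do. When acting on
    behalf of a user, only what BOTH the actor and the user hold is allowed."""
    allowed = permissions_of(principal)
    if principal["on_behalf_of"] is not None:
        allowed &= permissions_of(principal["on_behalf_of"])
    return (action, resource) in allowed


if __name__ == "__main__":
    alice = authenticate("alice", "correct horse battery staple")
    svc = authenticate("svc-report", "s3rv1ce-secret")
    print("alice may ack alerts:", authorize(alice, "ack", "alerts"))
    print("service may write reports:", authorize(svc, "write", "reports"))
    acting = delegate(svc, alice)
    print("service acting for alice may write reports:", authorize(acting, "write", "reports"))
```

The delegation rule is the part most deployments get wrong: a reporting service that can write reports on its own must not be able to do so while acting for a user who cannot, otherwise the service account becomes a privilege-escalation path for anyone who can drive it.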