Saturday, December 30, 2017

Alfidi Capital at Data Connectors San Francisco 2017

I fondly remember my first Data Connectors conference a few years back, so of course I had to make a repeat appearance when the show returned to the San Francisco Bay Area in 2017. Tech sector trackers like yours truly get to hear straight from small firms that would otherwise fly under the radar at larger conferences. The concepts I discovered probably work best in a listicle, but I need to relate these things to my own experience in business. Prepare yourselves for some definitions.

Malvertising is a recent weaponization of the ad networks and pop-ups that the business world has grown to trust: a booked ad slot can deliver an exploit to the browser without the user clicking anything. Malware isn't just for spam email links anymore; it now gets its foothold through memory corruption (buffer overflows and the stack pivots that turn them into code execution) and code injection. Root cause analysis (RCA) of a malware incident traces it back to the initial vector and the control that should have stopped it, which usually means finding the gap where a firewall or content filter should have existed. Rectifying said gaps requires strong mobile threat defense within enterprise mobility management (EMM), because I suspect that mobile apps and platforms still do not receive the security attention they deserve. Mobile consumption of Web data now exceeds desktop consumption, but security spending in the mobile sector has not caught up.

One vendor at the conference had a very compelling demo on countering malicious profiles, the device configuration profiles an attacker talks a mobile user into installing so that the device's traffic can be rerouted or intercepted. Such demos are effective sales techniques for endpoint detection and response (EDR) solutions. The proliferation of mobile within enterprises means these solutions must now incorporate entity modeling, a continuously updated model of every device on the network rather than a periodic inventory. A complete network map gives network defenders information asymmetry over attackers, who have to discover the environment one host at a time. An end-to-end encryption (E2EE) system keeps a malicious profile attacker who has penetrated the network from reading packet contents, and the attempt to do so is the kind of abnormal activity the security information and event management (SIEM) system should catch. The caveat is that E2EE only holds while the endpoint's own trust store is intact; a profile that adds a rogue root certificate and a proxy puts the attacker inside the TLS session on the device itself, which is why detecting the profile matters as much as encrypting the traffic.

Strong data security underpins business continuity and disaster recovery (BCDR) plans. Regular BCDR auditing establishes a recovery time objective (RTO), the maximum tolerable downtime, and a recovery point objective (RPO), the maximum tolerable data loss measured as time since the last good copy, as loss-minimization baselines. Tightening the RTO and RPO shrinks the cost of an outage but raises the cost of resilience, so a Cloudonomics analysis must show where the ROI of spending on resilience solutions turns positive.

Malware authors now sell their wares at dirt cheap prices, and they offer customer service to buyers. Illegal enterprises have adopted the practices of mature businesses: it's ransomware-as-a-service on the dark Web. I believe there is a market for automated countermeasures that hit back at attackers, but there is legal risk because those active counterattacks may themselves be considered malware. The tech sector really needs to collaborate with the US federal government and sort this out.

Speaking of government help, the US's NIST maintains the National Vulnerability Database (NVD), a catalog of CVE entries enriched with CVSS severity scores and CPE product identifiers and published as machine-readable feeds so that vulnerability management can be automated. NIST also maintains a Computer Security Resource Center (CSRC) with a large library of standards publications, including the SP 800 series. Anyone supervising an information security operations center (ISOC) should incorporate those feed updates into their network defense protocols and drills: every new entry that names a product in the asset inventory should open a ticket with a deadline tied to its severity. Building an ISOC from scratch starts with the CIS Critical Security Controls, aka the SANS Top 20.
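What "incorporate those feed updates into the defense protocols" looks like in practice is a small triage step: parse the feed, keep the entries that name something you actually run, and rank them by score. The block below is an added example, not code from the post or from NIST. SAMPLE_FEED is a constructed excerpt that follows the layout of the NVD JSON 1.1 data feeds (CVE_Items, cve.CVE_data_meta.ID, configurations.nodes[].cpe_match[].cpe23Uri, impact.baseMetricV3 / baseMetricV2); its CVE IDs are placeholders, not real entries, and INVENTORY and the score threshold are assumptions standing in for a real asset database and triage policy.

```python
"""Triage an NVD JSON feed excerpt against a local asset inventory.

Added example, not code from the post or from NIST. SAMPLE_FEED is a
constructed excerpt in the layout of the NVD JSON 1.1 feeds; the CVE IDs are
placeholders. INVENTORY and the threshold are assumptions.
"""
import json
from typing import List, Optional, Set, Tuple

Asset = Tuple[str, str, str]  # (vendor, product, version) as in a CPE 2.3 name

# Constructed sample feed. Item 1: critical, hits inventory. Item 2: v2 score
# only, applies to every version. Item 3: high, but a product we do not run.
# Item 4: not yet scored by NVD analysts.
SAMPLE_FEED = json.dumps({"CVE_data_type": "CVE", "CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:webserver:2.4:*:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:database:*:*:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 5.0}, "severity": "MEDIUM"}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:h:othervendor:router:1.0:*:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5, "baseSeverity": "HIGH"}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0004"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:webserver:2.4:*:*:*:*:*:*:*"}]}]},
     "impact": {}},
]})

# Assumed asset inventory: what this organisation actually runs.
INVENTORY: Set[Asset] = {("example", "webserver", "2.4"), ("example", "database", "10.1")}


def cvss_score(item: dict) -> Optional[float]:
    """Prefer the CVSS v3 base score, fall back to v2, None if unscored."""
    impact = item.get("impact", {})
    v3 = impact.get("baseMetricV3", {}).get("cvssV3", {})
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = impact.get("baseMetricV2", {}).get("cvssV2", {})
    if "baseScore" in v2:
        return float(v2["baseScore"])
    return None


def affected_products(item: dict) -> List[Asset]:
    """(vendor, product, version) from each vulnerable CPE 2.3 name. Version
    range fields (versionStartIncluding etc.) are ignored: a simplification."""
    found = []
    for node in item.get("configurations", {}).get("nodes", []):
        for match in node.get("cpe_match", []):
            if not match.get("vulnerable", True):
                continue
            parts = match.get("cpe23Uri", "").split(":")
            if len(parts) != 13:  # malformed CPE name: skip rather than crash
                continue
            found.append((parts[3], parts[4], parts[5]))
    return found


def parse_feed(text: str) -> List[dict]:
    """Reduce each feed item to id, score and affected products."""
    return [{"id": it["cve"]["CVE_data_meta"]["ID"], "score": cvss_score(it),
             "products": affected_products(it)}
            for it in json.loads(text).get("CVE_Items", [])]


def matches_inventory(products: List[Asset], inventory: Set[Asset]) -> bool:
    """A CPE version of '*' applies to whatever version we run."""
    return any(v == iv and p == ip and ver in ("*", iver)
               for (v, p, ver) in products for (iv, ip, iver) in inventory)


def triage(feed_text: str, inventory: Set[Asset], min_score: float) -> List[Tuple[str, float]]:
    """(cve_id, score) for entries naming an inventoried product at or above
    min_score, highest first. Unscored entries are dropped here; in practice
    they deserve a manual look because the score arrives days later."""
    hits = [(it["id"], it["score"]) for it in parse_feed(feed_text)
            if it["score"] is not None and it["score"] >= min_score
            and matches_inventory(it["products"], inventory)]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for cve_id, score in triage(SAMPLE_FEED, INVENTORY, 4.0):
        print(f"{cve_id}\t{score}")
```

Run as-is it prints the two entries that touch the inventory, critical first; the unscored fourth item is the case a real ticketing rule has to decide on separately, since NVD publishes the entry before the analyst assigns a score.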

Gartner's continuous adaptive risk and trust assessment (CARTA) interprets cybersecurity governance in the language of business practitioners: trust is not granted once at login but re-evaluated continuously as risk signals change. A good business rule management system (BRMS) makes that adaptiveness practical when its rules consume continuous analytics rather than static access lists. User and entity behavior analytics (UEBA), which baseline what each user and device normally does and flag deviations from that baseline, are the anomaly signal those rules should act on.
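The baseline-and-deviation loop is the whole idea behind UEBA, and it is small enough to show end to end. The block below is an added example, not the post's code or any vendor's product. The authentication log lines are constructed, the line format, host names and 10.1.x.x addresses are assumptions, and 203.0.113.0/24 is a documentation range rather than a real network. It learns each user's usual target hosts, source subnets and active hours from a training window, then flags later events that deviate on two or more of those axes, and always flags a user never seen before.

```python
"""Baseline-and-deviation detection over authentication events (UEBA core).

Added example, not the post's code or a vendor's. Log lines are constructed;
the format, host names and addresses are assumptions. 203.0.113.0/24 is a
documentation range.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"host=(?P<host>\S+) result=(?P<result>\S+)$")

# Constructed training window: normal activity used to build per-user baselines.
TRAINING_LOG = """\
2017-12-04T08:02:11Z user=alice src=10.1.4.22 host=fin-db01 result=success
2017-12-04T12:15:40Z user=alice src=10.1.4.22 host=fin-app01 result=success
2017-12-05T17:48:03Z user=alice src=10.1.4.31 host=fin-db01 result=success
2017-12-04T09:30:00Z user=bob src=10.1.7.15 host=hr-web01 result=success
2017-12-05T13:05:27Z user=bob src=10.1.7.16 host=hr-web01 result=failure
2017-12-05T18:20:09Z user=bob src=10.1.7.15 host=hr-web01 result=success
"""

# Constructed events to score against those baselines (last line is noise).
NEW_LOG = """\
2017-12-06T10:05:12Z user=alice src=10.1.4.30 host=fin-db01 result=success
2017-12-06T02:13:55Z user=alice src=203.0.113.9 host=fin-db01 result=success
2017-12-06T11:00:41Z user=bob src=10.1.7.15 host=fin-db01 result=success
2017-12-06T11:02:07Z user=mallory src=10.1.7.99 host=hr-web01 result=success
this line is not an auth event and must be skipped
"""

UNKNOWN_USER = "user never seen in training window"


def parse_line(line: str) -> Optional[dict]:
    """Dict for a well-formed event, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["subnet"] = ".".join(ev["src"].split(".")[:3])  # /24 as a coarse location
    return ev


class Baseline:
    """Per-user sets of target hosts, source subnets and observed hours."""

    def __init__(self) -> None:
        self.hosts: Dict[str, Set[str]] = defaultdict(set)
        self.subnets: Dict[str, Set[str]] = defaultdict(set)
        self.hours: Dict[str, Set[int]] = defaultdict(set)

    def learn(self, log: str) -> None:
        for line in log.splitlines():
            ev = parse_line(line)
            if ev is None:
                continue
            u = ev["user"]
            self.hosts[u].add(ev["host"])
            self.subnets[u].add(ev["subnet"])
            self.hours[u].add(ev["ts"].hour)

    def reasons(self, ev: dict) -> List[str]:
        """One reason per axis on which the event departs from the baseline."""
        u = ev["user"]
        if u not in self.hours:
            return [UNKNOWN_USER]
        out = []
        if ev["host"] not in self.hosts[u]:
            out.append("new target host")
        if ev["subnet"] not in self.subnets[u]:
            out.append("new source subnet")
        # Active-hours window taken as the span of observed hours: a simplification.
        if not (min(self.hours[u]) <= ev["ts"].hour <= max(self.hours[u])):
            out.append("outside usual hours")
        return out


def detect(baseline: Baseline, log: str, threshold: int = 2) -> List[Tuple[str, str, List[str]]]:
    """(user, timestamp, reasons) for events with at least `threshold`
    deviations; an unknown user is always flagged. Malformed lines are skipped."""
    flagged = []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        why = baseline.reasons(ev)
        if why == [UNKNOWN_USER] or len(why) >= threshold:
            flagged.append((ev["user"], ev["ts"].isoformat(), why))
    return flagged


def build_baseline() -> Baseline:
    b = Baseline()
    b.learn(TRAINING_LOG)
    return b


def run_example() -> List[Tuple[str, str, List[str]]]:
    return detect(build_baseline(), NEW_LOG)


if __name__ == "__main__":
    for user, ts, why in run_example():
        print(f"{ts} {user}: {', '.join(why)}")
```

Bob reaching a finance host he has never touched scores only one deviation and stays below the threshold, which is the point: a single new host is routine, while a new subnet at 02:13 is not. Tuning that threshold, and deciding whether a single axis such as "new target host" deserves a rule of its own, is where the BRMS comes in.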

The average time to detect a data breach is measured in months, leaving a huge window of vulnerability. Just like the market for automated counterattacks, there is certainly a market for automated forensics solutions that accelerate incident reviews to discover the attack vector and the data anomalies it left behind. Sandboxing, detonating a suspicious file in an isolated environment and recording what it does, is one way to extract indicators of compromise (file hashes, contacted domains, dropped file paths) that the rest of the defense can then hunt for.

The ISO/IEC 27001 standard for information security management systems should guide a CISO's design effort, along with the NIST, CIS, and CARTA approaches. The ever-helpful Gartner people also publish a Market Guide for Mobile Threat Defense Solutions, just in case the CARTA approach doesn't identify the most obvious vendors.

I will conclude with an observation about what sells in cybersecurity. Solutions vendors tout their deep learning automated analytics, advanced heuristics, and other factors appealing to people enamored with buzzwords. All such factors are amenable to optimization via machine learning (ML), which is fast becoming a fundamental investment. The CISO is the decision maker in security purchases, and must now have a minimal competence in data science just to evaluate the effectiveness of ML-driven security solutions accurately, which at a minimum means asking for detection and false-positive rates measured on the buyer's own traffic rather than on the vendor's demo data set.

There's a lot to know for anyone who buys, sells, or operates cybersecurity systems. Organizations that get security right will make a lot of money. That is why I will continue to attend these Data Connectors events.