Security Metrics as a Process

Recently, I was presented with an interesting challenge within my organization. Quite honestly, the challenge is not anything new or specific to this organization; it is a systematic problem within the Information Security function. The concept of Information Security metrics is, in my opinion, largely based on snake oil sales. Unfortunately, it perpetuates as a nebulous science, complicated further by inconsistency and contention on resources that fail to see the value of the art.

If you had to read that last sentence multiple times to catch the meaning, well then you are at the same wavelength that our decision makers are at when it comes to the metrics that we define as a horizontal function. The statement is based on opinion, contains fancy words, and yet somehow dos not address the challenge in quantitative terms.

This is the crux of my challenge, and one that I hope can translate into my dissertation in organizational management. Metrics can be defined by nearly everyone; effective metrics cannot. The practice of arriving at effective security metrics will take many resources: human, financial, temporal, and technological.

Like the Information Security function itself, the effective metrics process is a process, not a product. Borrowing from Andrew Jaquith's book Security Metrics: Replacing Fear, Uncertainty, and Doubt, I believe he is correct when he defines the criteria for an effective metric:

• Consistently Measured


• Cheap to Gather


• Expressed as a Cardinal Number or Percentage


• Expressed using at least One Unit of Measure


• Contexually specific

Surprisingly to me at this point, is the noticable lack of material on the subject of Information Security Metrics. Outside of Andrew Jaquith's book and the works of ISO 27004, which is yet to be published, I have yet to find good material on the topic.

What I would be interested to see, is what practioners in the field use to measure their effectiveness in Information Security as a process.

First Stripe

Thursday marked an important day in my brazilian jiu-jitsu training. Along with a handful of other students, I received my first promotion in the gentle art. As many of you have heard or read, I felt I had plateaued in my training, and was struggling for answers. In the ceremony, Luis "Sucuri" Togno explained how this was natural for students, and further went on to explain how proud he was of all of his students.

The interesting thing about Team Alliance from my vantage point is that, unlike many schools, Luis is very interested in the student's advancing through strict adherence to the details of each technique. He does not promote in order to run a profitable business and maintain student tuition. This is extremely important for the real world defense of the art and the skills of the practitioner. Too often we read about students at other schools being promoted to blue after 6 months or so. However, in many cases, these students do not understand the roots of the art, the accomplished fighters, or the reasons why details are so important.

I am proud to have received my bar and stripe this week, and sincerely look forward to the day I can look back on this and provide that new student, struggling in his or her own training and provide the motivation to continue on, regardless of how difficult it may seem.

Check out Alliance of Charlotte and reach out to Luis "Sucuri" Togno for more information about the academy.

Good night!

New Alliance BJJ YouTube Channel

Well, my professor and friend Luis "Sucuri" Togno has done it again. With very little discretionary time on his hands, he has somehow managed to find time to help Brazilian Jiu-Jitsu practioners around the world by creating a YouTube channel which demonstrates world-class techniques. The Alliance of Charlotte channel can be found here.

For those in the Charlotte, NC area looking for a rewarding and challenging experience in martial arts, highly encourage you to consider Alliance. Alliance of Charlotte's website is located in the SouthPark area, over by Angry Ale's and The Press Box.

Even if you are unsure of whether the academy is right for you, Sucuri offers a 30-day free trial.

Tuscan Whole Milk

Quite possibly the best milk ever created. If you don't believe me, check out the Amazon.com reviews...

http://www.amazon.com/Tuscan-Whole-Milk-Gallon-128/dp/B00032G1S0

North Carolina BJJ State Championships

Over the weekend, Team Alliance participated in the North Carolina Brazilian Jiu-Jitsu State Championships. Overall, I think the team did pretty well, taking yet another State team title. One of the highlights of the tournament for me was when a Team Alliance member was down 6-0 in points with a minute left, when he pulled this gem of a move to submit his opponent:



It was the first time I had ever seen a flying triangle in real competition, and the circumstances by which it was executed was truly amazing. Congratulations to all of my teammates on an impressive display of skill and dedication.

Good to Great?

It is truly going to be a sad day for many Circuit City employees around the United States, as Circuit City has apparently decided to close 155 stores and withdraw from 12 markets.

Recently, I completed reading the book Good to Great by Jim Collins. Between the time I began reading it, and tonight, I have seen several of the companies profiled in this book do a complete 180. Companies, such as Fannie Mae, Circuit City, Kroger, etc. were highlighted in Jim's books. Now, I am not questioning the power of the analysis of Jim's team, and the facts do not lie about their performance. The point I am trying to make is that something happened to these companies that made them stop being great.

Are we in an age whereby large, monolithic organizations can simply steamroll the competition? The images of Walmart, Best Buy, and Bank of America spreading their business model across the landscape like a swarm of locusts. Landing where they wish, devouring all of the vegetation, and leaving permanent scarring across rural America.

I am not naive, and I understand that at this point, cost is a very important consideration for consumers. However, it makes me wonder how much these monolithic organizations are capturing, compiling, and ultimately leaving vulnerable for hackers and other mal-intended organizations.

To put it in perspective, consider the role that Microsoft plays in the world of personal computing. From my perspective -- and for the sake of this argument -- Microsoft is playing the same role that a Walmart or Best Buy is playing. However, ironically as it sounds, we do not hear the same pleas for choice as we do when we think of retail organizations. There is an entire community of people that choose the open source community for their computing needs. While the attractiveness of low cost is one factor, this is not the true motivation for many of the open source projects out there.

I could go on and on about this topic, the social impacts of the "locust swarm"; however, what I am truly searching for is a follow up book from Jim Collins that takes the same approach as his book Good to Great to perform a post mortem on the original 11 companies to see how the leadership and management has changed.

Training and Dinner With Carlson Gracie Jr.

I just got back from a training seminar led by 4th degree black belt and the "Prince of Jiu-Jitsu", Carlson Gracie Jr.. What an incredible experience and honor! The seminar brought out many students from different academies and several of Charlotte's finest law enforcement officers, most of whom train at Alliance Jiu-Jitsu of Charlotte.

Afterwords, I was invited by my professor, Luis "Sucuri" Togno to go to dinner with he and Carlson Jr. While much of the conversation was in Portuguese, I did have an opportunity to discuss a number of topics related to Jiu-Jitsu. In addition, Sucuri asked me if I would like to go to Brazil with some of the students next year to train. I suppose the hard work and dedication to the art is translating nicely for my instructor, and I truly appreciate what he has already done for me.

All I can say is that I continue to be pleased and excited about the whole experience. For those people who are seeking some solid, tangible real-world martial arts skills and live in Charlotte, I have nothing but positive things to say about Team Alliance of Charlotte, and would highly encourage you to give it a try.

So for those people that are curious how BJJ relates to the security world, let me quickly summarize why I think my experiences in BJJ is relevant to the security world:

BJJ is a gentle art of fighting, and while books like Sun Tzu's Art of War draw parallels to business, management, etc., BJJ is all about leveraging your knowledge with the least amount of perceived effort. I have witnessed first hand the seemingly impossible odds of a 150-pound fighter tear into someone with 50 to 60 pounds. Initially, with a wrestling background, I thought I could outmuscle my training opponents. In the security world, it is not the one that has the high-tech technology running on autopilot that defends the shareholder value, it is the one that has the ability to effortlessly transition from "move to move", a concept known as Defense in Depth. As an ethical hacker, I have been able to circumvent my client's perimeters protected by large, expensive systems, and I have been halted by some inexpensive, modular systems. Therefore, it is all about the leverage, not the muscle in many situations.

I hope the readers of this blog will bear with me when I seemingly go on these tangents. While my primary purpose for blogging is to educate readers regarding information security and technology, it is important to note that we draw conclusions as a result of the culmination of our life's experiences. There will be plenty of time for straight security talk, and I promise I will try to keep the tangents to a minimum, or at least draw the parallels to the spirit of this blog.

Best Regards...

Acronym Soup In Security Certifications

A few weeks ago, Shon Harris asked the White Hat Hacking group to comment on the state of the industry from a certification perspective, and in particular, how fractured the industry is with respects to certification bodies (including vendor-neutral versus vendor-heavy).

Here is the snip of my response at the time:

Actually, I am skeptical that we will ever have a certification track that will effectively capture the industry. As you mention, vendor-concentrated certifications demonstrate knowledge on a particular platform or product; however, in my opinion, information security is so fluid and nebulous that it is similiar to trying to have an intelligence (adjective, not noun) certification.

From a personal perspective, I have always found it more impressive if someone can teach as well as simply speak facts. Therefore, I would hope that a measure of a practitioner's value to an organization could be viewed, not by a single or suite of certifications, but rather the lifelong pursuit of the advancement of the profession. I think there is a very good parallel to this in practice throughout history today with the various martial arts.

I think ISC(2) and others have dabbled in this approach, but in my opinion, it needs to be refined. If I was holding the "magic wand", I would suggest that everyone study, teach, and contribute to the community through volunteering or charitable contributions to maintain a credential. Ultimately, I believe this would do more for the industry than any certification can provide alone.

Thoughts?

I wanted to throw it out to a wider audience to get some additional perspectives on the whole notion of requiring mentoring, teaching, or volunteer work as a condition of a security credential. It is one thing to have a bunch of acronyms after one's name, and I am not trying to diminish the accomplishments of those that are dedicated enough to obtain many certifications or advance their careers.

However, how would hiring managers feel about the merits of a technical certification(s), versus a more rounded certification which included charity work as a prerequisite?

I would love to hear opinions on this one.

Is the Election Over Yet?

Without publicly leaning to the left or right, I have to be honest.... I am through with the political advertisements for this election cycle. Everywhere I turn, it is smear and boast, smear and boast. Print ads, radio spots, and television commercials: media overload! There is even a 30-minute infomercial from one of the candidates! I am wondering if these candidates are taking cues from Billy Mays and Tony Little ("YEAH, BABY!")
. Unfortunately, these "in-your-face" ads are effective to a certain degree, which is why they continue en masse.

Would I feel any better if the candidates focused on the issues... I mean REALLY focused on the issues? Probably not. In my opinion, there is no substitute to solid research undertaken in the privacy and comfort of one's own home. Let me draw my own conclusions. Steer me... Yes, preach to me... not so much.

Geico's Motorcycle Commercial Earworm

Ok, so this commercial has been an earworm since I saw it, but in case you may be in the same predicament as I was....

"Hurt You" by The Sounds

Maybe it is a guilty pleasure, or a throwback to the Depeche Mode / Red Flag / Talking Heads hybrid sound. I am quite certain it is not the cavemen in the commercial though (don't want to see another spinoff TV show created!).

On a somewhat separate, yet similar thought... How do these marketing folks find these gems? I am having a hard time believing it is trial and error sampling. At one point, I believe I had a box set of songs from commercials, TV shows, and other advertisement campaigns. I suppose I am just curious as to how marketers "connect" with a specific audience -- and specifically -- whether or not Geico was intending to connect with my specific demographic for this particular advertisement. If so, I believe there is a great deal of application in how we, as security practitioners, connect with business and technology demographics in the workplace.

Without further adieu, here is the commercial: