Cyber Strategy

Deep Thoughts on Enterprise Cyber Risk

Fake Risk Graphs generated from http://sporkforge.com


I started writing this blog right after the release of Senator Warren’s report on Equifax and completely failed. I tried to pack every relevant anecdote I had experienced while meeting cyber risk companies, being CEO of Tenable, running an intrusion detection company and being a penetration tester.

Read More…

Have Meltdown or Spectre made you change ANY of your cyber security strategies?

Both of these vulnerabilities have been upon us for just under a week now and yet I’ve only really heard cyber hygiene (patch your systems and monitor for trouble) discussed as viable approaches to this problem. Cyber hygiene is indeed very important, but there are many strategic and tactical issues that should be on the table for discussion in response to these vulnerabilities and vulnerabilities like them we will face in the future. In this blog, I will look at this from a cyber practitioner’s point of view and recommend some strategies you’ve looked at in the past but perhaps your organization hasn’t adopted yet.

Read More…

ABS, SDS & TIG — Three New Cyber Emerging Market Categories You Should Know



The cyber industry continues to innovate and offer new ways to help organizations stay secure and compliant. Over the past few months I’ve observed analyst, media and pundit coverage of three new cyber product categories: software defined segmentation, threat intelligence gateways and automated breach simulation. All three offer many new ways to increase the effectiveness and efficiency of your security programs. I will discuss each briefly and reference relevant Gula Tech Adventures portfolio companies in these new categories.
Read More…

How do you monitor “East — West” Network Traffic?

If your organization does not have a strategy for monitoring network communications between each of the network nodes, you are potentially missing a wide variety of malicious lateral movement and not collecting forensics which could be analyzed after an attack. In this post I will examine what east-west traffic monitoring means and how various organizations are dealing with this problem.
Read More…

What is your reason for not patching MS17–010 — the main vulnerability behind WannaCry?

On April 14, 2017, Shadow Brokers released information about an exploit tool written by the NSA called Eternal Blue. This tool exploited a zero day in Microsoft Windows covered by their MS17–010 update. The patch preceded the disclosure as Microsoft issued MS17–010 on March 14, 2017. The WannaCry worm first got heavily noticed on Friday, May 12, 2017.
Read More…

DHS and Cyber Security Readiness

(Cover artwork from Senator Coburn’s report on DHS)

A report from Senator Tom Coburn about the Department of Homeland Security details a variety of concerns about the organization’s ability to counter cyber attacks. ZDNet wrote an unflattering article about the cyber shortcomings with the headline “New Report: DHS is a mess of cybersecurity incompetence”. The main points of the article are:

Read More…

CERT’s Blacklist Ecosystem Analysis: 2016 Update

If you are not aware of CERT’s work in tracking the “IOC”, “threat sharing” and “threat feed” space, I highly suggest you take a look at their most recent update to the Blacklist Ecosystem Analysis paper.
Read More…

RSA 2017 Vendor Vocabulary — “Agent-less” Solutions and “Machine Learning”


As we prepare to descend on San Francisco for the 2017 RSA conference, I wanted to take a moment and write a bit about two terms cyber security vendors are using and the types of questions you should ask as a potential buyer, investor, partner or acquirer of these solutions. These terms are “Agent-less” and “Machine Learning”.
Read More…

While Visiting RSA 2017, Don’t Forget About Testing Security Controls


If you are going to RSA and walk the vendor floor, keep in mind that the vast majority of the vendors you will meet are not designed to work together. You may be able to centralize their logs and even orchestrate a cohesive incident response to an event, but you won’t automatically know if you are PCI Compliant, if you have a gaping hole in your NIST Cyber Security Framework program or if your span port is down and all of your DLPs and IPSes are now blind. An answer to this is to look for solutions that can measure your defenses across all of your defensive technologies and identify gaps in your security specified by frameworks written in house, or by vetted industry experts and groups such as PCI, NIST and CIS.
Read More…