Source: Teknovation.biz | Tom Ballard | July 12, 2017
With the event only a few months away, details about the second annual “EDGE Security Conference” are coming together.
Set for October 17 and 18 at the Knoxville Convention Center, this year’s event features daily keynote presentations by well-known speakers plus a line-up of other industry experts that currently totals about 30. The first day of the conference will feature Charlie Miller and Chris Valasek, the renowned “White Hat” hackers who are responsible for the Jeep Cherokee hack, while day two is keynoted by Major General Brett Williams, who formerly headed the U.S. Cyber Command.
“The success of our first EDGE empowered us to build upon last year’s speaker quality in order to feature even more impressive content this year,” says Mike Mangione, Vice President of Business Strategy and Marketing for Sword & Shield Enterprise Security.
The Knoxville-based company is the presenting sponsor, but Mangione emphasizes that EDGE is an industry conference and community event.
“It’s important to us to build a platform that offers balanced information from multiple perspectives to make this conference a valuable use of time for our attendees,” he notes. “We will even have some of our industry competitors speaking, sponsoring and exhibiting.”
Last year’s inaugural EDGE conference drew about 350 people. The goal for this year’s event is 600 to 700 attendees. EDGE is well on its way to fulfilling this aspiration, with more than 200 pre-registered at the early bird price. To accommodate the larger crowd, Sword & Shield moved the conference to the Knoxville Convention Center.
“Our overall theme is to create true collaboration where complex business security problems meet real-world solutions,” Mangione says, adding that many cybersecurity conferences are very theoretical. “We want attendees to be able to go back to their offices and immediately implement solutions they heard about at EDGE.”
During our recent interview, Mangione talked about a focus on converging two communities – those in cybersecurity and the Knoxville area.
“EDGE is a boost for the city,” he says. “There are not many easily accessible cybersecurity conferences on the East Coast. This is an opportunity to bring a cybersecurity focus to a location that is already a center for impressive technical resources.”
As previously reported in several articles on teknovation.biz, there is an on-going effort to brand the region’s strengths under a new initiative named the Cyber and Information Security Consortium. John McNeely, President and Chief Executive Officer of Sword & Shield, is a major player in that effort, which also includes Cisco Systems, Oak Ridge National Laboratory, University of Tennessee, and Pellissippi State Community College.
That focus includes helping those within the region, as well as those from other areas, understand why Knoxville is an ideal location for a premier security conference.
“Part of our goal with EDGE is to bring more awareness of Knoxville’s strengths – technology generally and cyber security specifically,” Mangione added. “It just makes sense.”
With just one year of branding, one might think that recruiting speakers to EDGE could be a challenge, but the opposite is true.
“This year, they are finding us,” Mangione says. “We’re excited about the quality of the content we’ll be able to provide our attendees. It’s going to be a great conference.”
Go to the conference website to see an updated list that as of the writing of this article included:
- Chris Poulin, Principal and Director of Booz Allen Hamilton;
- Stephen Fridakis, Chief Information Security Officer for HBO;
- Ben Johnson, Co-Founder of Carbon Black;
- Larry Bray, Security Advisor at BIMASS;
- William Dixon, Vice President with Stroz Friedberg’s Security Science Practice; and
- Paul Coggin, Cybersecurity Research Scientist at Wells Fargo.
Source: CNS | May 2, 2017
Travis Howerton, senior director of Transformation, is representing Consolidated Nuclear Security (CNS) on the Cyber and Information Security Consortium. The group is a non-profit corporation formed last year by Oak Ridge National Laboratory (ORNL) and the University of Tennessee (UT), along with Cisco Systems, Y-12 National Security Complex, Sword & Shield Enterprise Security, the East Tennessee Economic Council, and other private corporations, to position the region as a national leader in the development and deployment of cutting-edge cyber security technologies.
“The consortium is still in early phases,” said Howerton. “Membership is growing, and they do two big get-togethers per year. We are working at the state level now to gain grant money to expand capabilities.”
Howerton said the consortium has a variety of roles and interests, including peer networking and recruiting of cyber talent; workforce development (partnering with colleges and universities on a talent pipeline, just signing an agreement with Pellissippi State Community College); and public awareness of policy issues (currently working with UT’s Baker Center on education about cyber issues). Most of the research and development is driven by ORNL, but there are some longer-term interests based on CNS work.
“Right now, it is a chance for CNS to be seen in the community and working with others on an initiative that could solve some meaningful problems in our area and grow jobs over the mid to long term.”
Source: Daily Energy Insider | April 25, 2017
The U.S. Department of Energy (DOE) recently released the findings and recommendations from Liberty Eclipse, a multi-state cyber-energy preparedness exercise hosted by DOE and the National Association of State Energy Officials (NASEO) in December 2016.
The exercise simulated a cyber attack on the energy infrastructure, including electricity, gasoline, jet fuel, heating oil, and other energy services, of several Northeast and Mid-Atlantic states. It brought together officials from State Energy Offices, Public Utility Commissions, State Emergency Management Agencies, private sector energy supply owners and operators, DOE and other federal agency representatives and critical energy infrastructure stakeholders.
“The results of this exercise reaffirm the importance of energy emergency mitigation and response planning,” David Terry, executive director of NASEO, said. “This type of planning enhances states’ capacity to respond to energy supply disruptions, facilitates sharing of best practices, and aids in identifying ways to mitigate risks in the future.”
Liberty Eclipse was developed in response to direction from Congress under the Fixing America’s Surface Transportation Act (FAST Act). The FAST Act calls for increased coordination among DOE, states and the oil and gas industry to develop energy assurance and emergency plans, training, and exercises.
In order to develop energy emergency response plans, states use U.S. State Energy Program (SEP) funds at the direction of their governors. State Energy Offices and their partners then engage with experts from DOE’s Office of Electricity Delivery and Energy Reliability and the private sector to support Emergency Support Function #12, the federal emergency support function for energy, through programs such as the Liberty Eclipse Exercise.
Source: Forbes | Tech Council and Juliette Rizkallah | April 25, 2017
Data breaches. First, they were the concerns of CISOs and CIOs. Some even lost their jobs after overmediatized breaches. Then CEOs got the spotlight, especially as brand reputations were damaged and customers left angry and churning. Today, board members are increasingly more involved in discussions around companies’ cybersecurity and measures needed to prevent being thrown into the next big headline.
We've come a long way from the days where board members would ask: Are we secure? They are now requesting scorecards that measure company security posture. They are also asking more questions related to regulations and how security controls can help demonstrate compliance. Soon, we will see boards demanding quarterly cybersecurity briefings -- some directly presented by the CISO -- rather than relying on the occasional update from the company security committee.
Because cybersecurity has experienced a "personality transformation" in recent years, the nature of boards’ attention to cybersecurity is also evolving. Before, it was all about the hardware of the enterprise -- its networks, firewalls and physical location itself. Fast-forward to 2017, and cybersecurity is now wholly centered on the less tangible and harder-to-control pieces: identities. Hackers today prefer people (through social engineering, phishing and other sneaky ways of getting a human to make a mistake) as their attack target du jour, and views on security and the attention of board members have shifted to identity.
This is an important shift, and, interestingly enough, board members will most likely play three very different roles when dealing with identity.
Boards As Targets
As we saw with the now-infamous breach of Colin Powell's email, which exposed a Salesforce M&A target list, board members are and will continue to be hackers’ targets. Board members communicate regularly via email with the companies they advise. Many times, they use their personal email accounts to communicate, which are typically less secure than corporate accounts. Most of the time their communication deals with very sensitive data: M&As, new market entry, personnel reshuffling and reorganization, and the usual financial data. That information, which is usually protected by a company’s full security infrastructure, is just sent over email via a file attachment to a group of directors, easily identifiable and therefore increasingly targeted.
A survey presented by Diligent Corporation's Dottie Schindlinger at the NYSE Governance Services Cyber Risk Board Forum in February reported that 60% of board directors use personal email regularly to communicate with fellow directors and executive management; 48% use their personal PCs or other devices to download board books and company documents; and 22% of them store these documents long-term on their devices.
The survey also reports that despite the mounting risk surrounding board communications, the main driver in deciding how communications between a board and its company are conducted remains with the board chairmen and not the IT department -- making board members that much more susceptible to a data breach.
7 Cities That Could Become the World’s Cybersecurity Capital
Source: Fortune | Jeff John Roberts | April 6, 2017
The film industry has Hollywood, the banks have Wall Street, and tech has Silicon Valley. But so far the fast-growing cybersecurity industry—slated to pull in more than $100 billion a year by 2020—has no obvious place to call home.
If you believe in the theory of economic clusters, popularized in a 1998 HBR article by professor Michael Porter, the cyber business is exactly the sort of industry that could give rise to a regional hub or cluster—a "Cybercon Valley" if you will.
Clusters, recall, represent a geographic region where an intangible mix of people, education, and economic factors create an interdependent network of businesses and institutions. As those ties become stronger, it becomes virtually impossible for a competing city to disrupt or replace the cluster. That's why, despite innumerable efforts to copy them, there's still only one Silicon Valley or Hollywood.
What makes the race to build a regional cyber center so interesting is that there are all sorts of places right now claiming they have the secret sauce to win the crown. But so far, there is no obvious winner.
If a dominant cyber hub does emerge, it will likely have most or all of the following attributes: proximity to a research university; a large population of hackers or military types; access to angel and venture capital; a culture of cooperation and entrepreneurship.
To figure out which cities fit this bill, Fortune talked to investors, entrepreneurs, and academics. Based on those conversations, here are seven leading contenders: five in the United States and two abroad.
The choices here are subjective, of course, and it's possible a place not on this list could emerge as the winner. (Other names that have come up in discussion include the likes of Seattle, San Antonio, and Huntsville, Ala.).
But for now, here are the seven cities most destined to become the capital of the cybersecurity industry.
The name of Georgia's biggest city came up again and again in discussions about serious cyber tech centers. Its boosters pointed to the presence of Georgia Tech, a vibrant corporate and funding eco-system, and local champions like Tom Noonan, who one VC dubbed the "godfather of Atlanta's cyber-scene."
The city also has some remarkable companies that are not named Coca-Cola or CNN. These include Pindrop—a fast-growing startup backed by the likes of GV and Andreessen Horowitz—which uses sophisticated analytics to root out phone fraud.
"I’ve voted with my dollars and feet on two places that have a better chance than Silicon Valley [of being the leading cyber center]," says David Cowan, a well-known partner at Bessemer Venture Partners, while talking up the benefits of the D.C. area. (The other place, according to Cowan, is Tel Aviv.)
The obvious advantages include proximity to the defense industry and to elite military talent with the hacking skills in demand at many cyber companies. Meanwhile, local governments—like nearby Howard County—are flexing their political pull to make the region the cyber center of gravity.
Not everyone buys D.C.'s cyber-story, however. Martin Casado, a partner at Andreessen Horowitz, cautions the area is tilted heavily to "people from government who want to sell to government," which complicates an organic business ecosystem.
Casado, the D.C. skeptic, is a bigger booster of his home turf. He and several entrepreneurs made the case that Silicon Valley is destined to be the world's cyber capital for the very same reasons it is the world's tech capital: its unique mix of capital, entrepreneurship, elite developers, and tech geniuses.
"Having created companies in Silicon Valley, I can say starting a company here is like getting a job somewhere else," Casado says. "I jumped easily from Stanford to starting a company. From HR to finance to legal to funding—that whole network exists. It's such a self-fulfilling ecosystem."
Casado downplays the absence of a major military presence in the Valley, saying it's not an essential ingredient for a cyber cluster. The presence of next generation cyber titans, such as Tanium and Palantir, suggests he might be right.
Israel's capital is another place that came up in every single discussion of leading cybersecurity centers. Tel Aviv is a powerhouse in other tech fields, including ad-tech, but is especially notable in cyber thanks to big names Check Point and Forescout as well as Team8, a security-focused incubator.
Many people attribute Tel Aviv's cyber prowess to its universal military service, which includes the famous SigInt and code-cracking outfit known as Unit 8200. According to Cowan, the unit creates a "great flow of talent that produces 1000 cyber warriors every year."
Boston is another place that comes up when people talk about cyber centers—though its place on the list may have more to do with past glories than present reality. The area helped to pioneer the cybersecurity industry in the 1980's with the likes of RSA (now owned by Dell), but lost momentum amid the general ascendance of the west coast tech scene.
Still, the Boston area's research prowess remains world class, and has produced some newer cybersecurity stars, including IPO-bound Carbon Black and the software analysis firm Veracode, which was acquired last month by CA Technologies.
Britain is known for its top-notch intelligence services, including GCHQ, which has helped to make London a player in the cybersecurity industry. The city's role as a global financial and diplomatic center also serves to support a cyber ecosystem, though it lacks the easy access to venture capital that is fueling the U.S. industry.
Its notable companies include fast-growing Darktrace, which helps companies track online intruders, and Digital Shadows, which scours the internet for digital risks to firms.
This small city is a dark horse when it comes to winning the race to be a cyber capital. But while some scoff at the idea of Augusta emerging as a major player (skeptics point to the city's out-of-the-way location and small size), it does have some distinct advantages—most notably nearby Fort Gordon, which the Pentagon designated as the new home of the Army's Cyber Command.
Brooks Keel, the President of Augusta University, says the town is preparing for a “cyber tsunami” of approximately 4000 families, and the school will provide complementary education to support this. Meanwhile, Augusta is hoping a $50 million cyber grant from the state and presence of firms like Unisys and Raytheon will lead to a bonanza of spin-offs and startups.
So what city will take the cyber capital crown? Possibly none of them. Or to put it in a more positive way, all of them.
That's because, as the venture capitalists Cowan and Casado pointed out, the cybersecurity industry might continue to flourish without a dominant region. In their views, the industry is not like Hollywood, which requires a specific economic infrastructure to make a movie, but one in which successful firms can emerge from all over.
"I’ve seen good cyber companies built everywhere," says Cowan. That amounts to good news for all of the cities on the list, and many others as well.
Source: EurekaPress | ORNL Release | April 6, 2017
Virginia-based Lenvio Inc. has exclusively licensed a cyber security technology from the Department of Energy’s Oak Ridge National Laboratory that can quickly detect malicious behavior in software not previously identified as a threat.
The platform, known as Hyperion, uses sophisticated algorithms to seek out both legitimate and malicious software behavior, identify malware such as viruses or executable files undetected by standard methods, and ultimately help reduce the risk of cyberattacks.
Hyperion’s development began over a decade ago as an experiment by ORNL cybersecurity researchers to explore the emerging science of software behavior computation.
They determined that the behavior approach outperforms signature detection, which only searches for syntactic patterns that are easily hidden within a program’s code, according to ORNL’s Stacy Prowell, chief cyber security research scientist.
“These behaviors can be automatically checked for known malicious operations as well as domain-specific problems,” Prowell said. “Hyperion helps detect vulnerabilities and can uncover malicious content before it has a chance to execute.”
Hyperion introduces behavior computation as a new weapon for enterprise-level customers in the fight against large-scale cybersecurity threats.
“For us, software with unknown behavior has unknown security, which is problematic for global cybersecurity,” said B.K. Gogia, Lenvio’s chief executive officer. “Current methods are increasingly overwhelmed by the sophistication of attacks often precipitated by stealthy zero-day or sleeper code vulnerabilities. With Hyperion, we’re offering a new class of cyber protection.”
The Transition to Practice program, which is part of the Department of Homeland Security’s Science and Technology Directorate, had selected the technology for its market-transition program. TTP identifies promising technologies in national laboratories and helps transition them into product-level capabilities for commercial markets. As a result of participation in TTP, Hyperion was licensed non-exclusively by R&K Cyber Solutions in 2015.
Lenvio, which launched as a spin-off company from R&K in April 2016, has invested substantial funds and time to transform Hyperion from proof-of-concept into a capable and reliable commercial product. The previous non-exclusive license to R&K was discontinued by mutual agreement, and the exclusive license for Hyperion was awarded to Lenvio.
“Obtaining an exclusive technology license from ORNL helps us secure a more competitive position to commercialize Hyperion as we grow our company,” Gogia said.
Lenvio will continue to work with ORNL on co-authored publications and exploring opportunities for joint research and development.
The licensed intellectual property includes a copyright on the computer code and two patent-pending technologies invented by Kirk Sayre, Rima Awad, Stacy Prowell and former ORNL employee Stephen Lindberg of the Computational Sciences and Engineering Division and former ORNL employee Richard Willems of the Electrical and Electronics Systems Research Division. Others contributing to the technology were David Heise, Kelly Huffer, Mark Pleszkoch, Joel Reed and former ORNL employee Logan Lamb of the Computational Sciences and Engineering Division and Rick Linger, former ORNL Hyperion team member who is now Lenvio’s chief technology officer.
This technology was funded, in part, by DOE’s Office of Electricity Delivery and Energy Reliability’s (OE) Cybersecurity for Energy Delivery Systems Program to help reduce the risk that a cyber incident might disrupt energy delivery. Since 2010, OE has invested more than $210 million in a wide range of cybersecurity research, development and demonstration projects that are led by industry, universities and national laboratories. As a result, more than 35 new tools and technologies that OE investments have helped support are now being used to further advance the resilience of the nation’s energy delivery systems.
We’re entering a world of deepening complexity and far vaster breadth when it comes to security for the modern enterprise. With companies integrating legacy data centers, manufacturing facilities, and networks with the cloud and the Internet of Things (IoT), all connecting to an uncontrollable mass of independently governed endpoints, CIOs and CISOs face a constant challenge of trying to decide what to protect and how to protect it.
When thinking about how companies should choose to spend their security dollars, I find the framework created by the National Institute of Standards and Technology (NIST) to be a great guide, although many security professionals also rely on ISO 27001. The NIST framework offers five main functions companies need to be able to address in their approach to cybersecurity: 1) Identify; 2) Protect; 3) Detect; 4) Respond; and 5) Recover. Within this excellent taxonomy of security capabilities, categories like asset management, risk management, and governance are under the identify function; access control, maintenance, and data security fall under protect; and monitoring and anomalous events fall under detect. Respond includes response planning, communications, and mitigation, while recover includes communications taken in the wake of an attack, recovery planning, and improvements to systems and procedures.
Keeping your balance when designing a security portfolio is just as hard as it looks
I highly recommend keeping that framework in mind as you approach decisions about your security spend, but it’s crucial to note that it doesn’t address how to balance your spending across those categories and functions. Yet, the question of how to spread your limited dollars and resources over these categories to ensure your business is as protected as possible is paramount for today’s corporate landscape.
The NIST framework does provide some focus on portfolio analysis, including both the assets you need protected and the security used to protect them. This focus is mainly in the framework’s Risk Assessment section, where there are guides offered for such things as system security plan development, contingency planning, conducting risk assessments, and mapping information types to security categories to name just a few. The NIST framework, just as with other structures like it, helps companies to organize a holistic approach to security. But the portfolio and product analysis framework needs more fleshing out, which is part of the reason for this series of articles. It’s also important to remember that even with a strong security portfolio, there still needs to be security officer(s) matching the needs of the business to the framework and available technologies. Also, in this series we are focusing on analysis of technology products primarily. It is vital to remember that a fully realized vision for security must integrate people, process, and technology products. We are assuming that the people and process aspects are being designed carefully as well in combination with an analysis of technology products.
This is the first article in a series on building the right cybersecurity portfolio for your business. This piece includes the first two steps (Determine Needs, Allocate Spending According to Risk) companies should take when creating that portfolio. Subsequent articles will cover steps three through five (Design Your Portfolio, Choose the Right Products, Rebalance as Needed). This graphic shows all the steps:
Steps to creating a balanced security portfolio
I’ve written previously about modern enterprise security, and have compared proper security to anatomy and the human body, with companies needing a brain for comprehensive and analysis, eyes for searching and scanning for threats, ears for listening for abnormalities, waiting rooms for behavioral analysis, walls and locks for perimeter defense, and arms and hands to respond immediately to threats. And while this analogy works very well for thinking about what a specific product provides, I believe there’s another analogy more apt for thinking about your security spend.
Source: The Brookings Institution | Stuart Brotman | March 20, 2017
For the first time in 25 years, Congress conducted hearings last month to reauthorize the National Telecommunications and Information Administration (NTIA). This Department of Commerce agency is tasked with advising the president on matters related to telecommunications and information policy. Consequently, its influence reaches the White House, either directly or through its sub-cabinet reporting structure. This makes NTIA a unique agency with two masters, able to speak on behalf of the executive branch or even the president himself under appropriate circumstances.
NTIA was created in 1978, when the executive branch reorganized the functions of the former White House Office of Telecommunications Policy and the Commerce Department’s Office of Telecommunications, consolidating policymaking and technical authority within the newly-formed agency. Unlike the Federal Communications Commission, NTIA has no real regulatory responsibilities. Rather, it serves as the federal government’s strategic planning arm for telecommunications and information policy. Here, NTIA can complement and supplement what the FCC does, and in some cases, become involved in matters that lie outside the jurisdiction delegated to the FCC by Congress in the Communications Act of 1934, as amended (e.g., federal government spectrum management).
History shows the power and influence of NTIA largely depends on the vision of its head, who holds the dual titles of NTIA Administrator and Assistant Secretary of Commerce for Communications and Information. The founding NTIA Administrator, Henry Geller, brought to the agency a wealth of experience based on his prior service as FCC General Counsel and as an attorney in the Department of Justice Antitrust Division. The Geller NTIA assembled a dream team of engineers, economists, lawyers, and social scientists who provided invaluable analytic advice to the FCC in a range of proceedings dealing with competition and deregulation. It also gave input to Congress and the Justice Department as it began to restructure AT&T, which laid the foundation for the break-up of Ma Bell in the early 1980s.
Another notable period where NTIA had significant influence was during the Clinton Administration, when Larry Irving served in both Clinton terms as NTIA Administrator. Irving focused the agency’s efforts on studying the development of the internet, with particular attention paid to emerging inequities in internet access based on geographic and socio-economic factors. This notion of a digital divide has become an enduring benchmark for formulating policies and evaluating progress to close digital access gaps.
And during the Obama Administration, NTIA Administrator Larry Strickling made the agency the key player in developing a global multi-stakeholder process that enabled the successful transition of the internet’s Domain Name System from the federal government to the Internet Corporation for Assigned Names and Numbers (ICANN). The Strickling NTIA also ably administered over $4 billion in stimulus funding that Congress allocated for broadband development under the American Recovery and Reinvestment Act of 2009.
NTIA’s current budget appropriation is $39.5 million. This represents the tremendous bang for the buck that NTIA has delivered, as illustrated by these examples spanning several decades. The vital role that telecommunications and information plays in job creation and economic growth makes an easy case for why the agency should continue to receive sufficient financial resources. Equally important, the Trump administration’s to-be-named NTIA Administrator should bring a zeal for keeping the agency both relevant to our times and important to the President’s own policy initiatives.
Source: Teknovation.biz | Tom Ballard | March 10, 2017
Two big cybersecurity events are planned for the first week in April, both in Oak Ridge.
Ahead of the 12th Annual Cyber and Information Security Research (CISR) Conference that begins with a reception the evening of April 4, the new Cyber and Information Security Consortium (CISC) will hold its second workshop at the same venue – Oak Ridge National Laboratory (ORNL).
CISC, a non-profit organization, grew from efforts by several Knoxville and Oak Ridge organizations to capitalize on some of the region’s unique cyber and information security assets. The key drivers included private sector firms like Cisco Systems, which has more than 50 employees locally, and Sword & Shield Enterprise Security Inc., a growing national information security provider as well as public research entities like the University of Tennessee (UT) and ORNL.
After holding its first gathering a year ago during the CISR conference, the CISC group convened more formally in the fall in conjunction with Sword & Shield’s EDGE conference. CISC also held a micro-event during “Innov865 Week” last September and has hosted several brown bag lunches.
The collaborative relationship continues this year with CISC again piggybacking on the long-standing and well-attended conference hosted by ORNL.
From 1 to 5 p.m. April 4, CISC will hold a meeting targeted at C-suite executives interested in cybersecurity. There will be a panel focused on strategic attack and response trends that includes Fred Cobb of Sword & Shield, Travis Howerton of Consolidated Nuclear Security LLC, Bob Jackson of Sedgwick Claims Management Services Inc., and Tony Rucci of Information International Associates.
Stuart Brotman, a UT Professor and Senior Fellow with The Brookings Institution, will lead a discussion on how to navigate the boardroom from a cyber perspective. There will also be structured networking as CISC begins building its Executive Peer Forums for C-level security professionals.
For more information and to register for the CISC event, click here.
The CISR conference that begins with an opening reception after the CISC workshop also includes two full days of sessions, research paper presentations, a conference banquet, vendor interaction, and networking. The first full day features a technology showcase, while the second will include technology demonstrations.
To register for the CISR conference, click here. Registration closes on March 31.
Source: Forbes | Tony Bradley | March 9, 2017
Most company executives and security professionals have a reasonable understanding of cybersecurity. Even if they don’t fully understand the mechanics under the hood, they at least realize that there is a vast and aggressive threat landscape out there, and that their networks are under virtually constant siege from attackers. When you ask how they feel about their security, though, and how confident they are in their ability to successfully detect and block attacks, the response shows a startling disconnect between reality and their perception.
Last month at the RSA Security Conference in San Francisco, I had an opportunity to attend a panel discussion hosted by Arctic Wolf Networks. We met at Marianne’s--an eclectic little semi-secret room at the back of The Cavalier restaurant. The room is apparently themed after the cover of the Rolling Stones’ Beggars Banquet album and named for British rock icon Marianne Faithfull.
We were served coffee and orange juice and breakfast burritos, and then we sat and listened while a handful of security experts discussed this very issue in a panel discussion titled Cybersecurity Dissonance: Perception vs. Reality. The panel was comprised of David Monahan, Research Director at EMA Research, Dan Limon, Senior Systems Administrator for The Pasha Group, and Charles Muller, Director of IT at Threshold Enterprise. The session was led by Arctic Wolf CEO and co-founder Brian NeSmith.
The discussion centered around the results from a recent study on cybersecurity dissonance. The study found that almost everyone—95 percent to be precise—believes that their security posture is above average. Roughly nine in ten respondents believe that perimeter security tools are capable of combatting all cybersecurity threats, and nine out of ten also state that they have personnel dedicated solely to managing security.
On the reality side of that equation, however, 63 percent admit they cannot stop zero day threats. Nearly three out of four report that their role is too broad and it’s difficult to focus on IT security as much as they really should. The study also found that nearly 80 percent of security alerts are not addressed within the first hour after a trigger occurs.
There appears to be a disconnect. If two-thirds of those surveyed know they’re not equipped to defend against zero day threats, and three-fourths know they’re not doing everything they can for IT security, how can it be possible that 95 percent feel their security is above average and almost all of those surveyed seem to feel their perimeter security controls are sufficient to stop all threats?
The short answer is simply that it’s human nature. It’s human nature to have an inflated sense of success or achievement. NeSmith pointed out the parallel with asking people if they keep themselves in good health. Many will answer, “Absolutely,” without hesitating. As NeSmith pointed out, though, you get a different picture when you follow up to ask how often they eat fast food, or how regularly they actually exercise. There is a disconnect where we know what we’re supposed to do, and we feel comfortable judging others for not doing those things while simultaneously feeling like we are better than we really are despite the lack of any evidence to support that assumption.