Article: Crypto Wars II
By Luther Martin – ISSA member, Silicon Valley Chapter, and Amy Vosters
The debate over whether or not to give US law enforcement officials the ability to decrypt encrypted messaging has recently been revisited after a twenty-year break. The results may be surprising.
The Best Articles of 2016
DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY
January 2017, Volume 15 Issue 1

The Best Articles of 2016:
Machine Learning: A Primer for Security
Enterprise Security Architecture: Key for Aligning Security Goals with Business Goals
The Role of the Adjunct in Educating the Security Practitioner
Fragmentation in Mobile Devices
Gaining Confidence in the Cloud
Crypto Wars II
From the President
January 2017 | ISSA Journal – 3
International Board Officers
President: Andrea C. Hoy, CISM, CISSP, MBA, Distinguished Fellow
Vice President: Justin White
Secretary/Director of Operations: Anne M. Rogers, CISSP, Fellow
Treasurer/Chief Financial Officer: Pamela Fusco, Distinguished Fellow

Board of Directors
Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Rhonda Farrell, Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS, Fellow
DJ McArthur, CISSP, HiTrust CCSFP, EnCE, GCIH, CEH, CPT
Shawn Murray, C|CISO, CISSP, CRISC, FITSP-A, C|EI, Senior Member
Alex Wood, Senior Member
Keyaan Williams, Fellow
Stefano Zanero, PhD, Fellow
The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.

With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government.

The ISSA International Board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.
From a cybersecurity professional’s perspective, we probably can relate to the differentiation of having a “good” year versus a “happy” one. Many of us remember notable events in 2016 that probably did not make anyone “happy.” Those in our Healthcare SIG might recall cancer-care service provider 21st Century Oncology’s announcement that 2.2 million patients may have had their personal information affected by a breach in October 2015: hackers had access to patient names, Social Security numbers, doctors, diagnosis and treatment information, along with insurance information. Even the loss of one password-protected laptop led to 200,000 patients’ sensitive information being exposed in the Premiere Healthcare case. Maybe it was the Yahoo breach announcements of 500 million accounts being stolen by a state-sponsored actor, then later in December one billion accounts!

Meanwhile it was a “good year” from the perspective of heightened awareness of cybersecurity and privacy issues by the average person on the street. As well, leading companies—and more importantly their boards—have been addressing and providing better protection of sensitive personal and company information.

In 2016, with consumers embracing the Internet of Things, hackers brought us Mirai, causing possibly the largest DDoS attack known to date, delivering 665 Gigabits per second and 143 million packets per second of unwanted traffic via hijacked IoT devices to the Krebs on Security blog.

The increase in regulations, as well as privacy concerns, meant an increase in regulatory compliance, leading many companies to address information security budget increases. In the first six months of 2016, even the US federal government had hired 3,000+ new cybersecurity/IT professionals as part of its first Federal Cybersecurity Workforce Strategy. And the president’s 2017 budget contains a proposed $3.1 billion to overhaul difficult-to-secure systems.

So looking forward, ISSA aims to continue providing timely and thought-provoking information and educational resources. And more importantly, we want to provide the peer/industry networking necessary to give you a global helping hand.

Our global Special Interest Groups (SIGs) are ready to ring in the new year with exciting webinars and meetings. We had two very successful joint events in December, one the IEEE Women in Engineering Internet of Things World Forum, the other with SANS Connect. ISSA members can look forward to more of these events throughout 2017.

For CISOs, our excellent CISO Executive Forum is set up by a committee of your peers and overseen by CISO Executive Forum chair and International director Debbie Christofferson. This year’s will be at RSA; in partnership with the IAPP conference in Washington, DC; at Black Hat in Las Vegas; and the ISSA International Conference in San Diego. And be sure to join us January 24 for this year’s first ISSA web conference where we discuss more of what to expect in 2017!

To our ISSA members across the globe: have a Happy and Good New Year!

Moving forward,

Happy New Year! Bonne année! Szczęśliwego Nowego Roku! Feliz año nuevo! Manigong Bagong Taon! Felice Anno Nuovo or Buon anno! Mutlu Yıllar! Ein glückliches neues Jahr! Hauoli Makahiki hou! And Shanah tovah u’metuka (שנה טובה ומתוקה) or hopes for a good and sweet year!

Andrea Hoy, International President
The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader.

Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry, and/or changes/enhancements to hardware or software components.

The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org.

All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.
Editor: Thom Barrie, editor@issa.org
Advertising: vendor@issa.org, 866 349 5818, +1 206 388 4584

Editorial Advisory Board
Phillip Griffin, Fellow
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Kris Tanaka
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Distinguished Fellow

Services Directory
Website: webmaster@issa.org, 866 349 5818, +1 206 388 4584
Chapter Relations: chapter@issa.org, 866 349 5818, +1 206 388 4584
Member Relations: member@issa.org, 866 349 5818, +1 206 388 4584
Executive Director: execdir@issa.org, 866 349 5818, +1 206 388 4584
Advertising and Sponsorships: vendor@issa.org, 866 349 5818, +1 206 388 4584

The Best Articles of 2016
By Thom Barrie – Editor, the ISSA Journal

We’d like to acknowledge the passing of 2016, not with reminiscing the breaches, malware, privacy invasions, legislations—Andrea, Geordie, and Randy help us out with that—but by celebrating the articles the Editorial Advisory Board deemed the best of the year.

The 2016 Article of the Year
“Machine Learning: A Primer for Security” by Stephan Jou [Toronto Chapter]. Stephan lays out the workings of machine learning and artificial intelligence, painting a clear picture of this growing technology that some argue is still not ready for prime time. But the promise of combining big data and machine learning—whether for analyzing unimaginably huge amounts of data for business processes or picking up on the bad actors knocking, poking, and prodding our infrastructures—has me excited to see how 2017 plays out in this field.

The Best of 2016
“Enterprise Security Architecture: Key for Aligning Security Goals with Business Goals,” by Seetharaman Jeganathan—Seetharaman deserves an honorable mention as his article was a very close runner up.
“The Role of the Adjunct in Educating the Security Practitioner,” by Karen Quagliata [St. Louis Chapter].
“Fragmentation in Mobile Devices,” by Ken Smith.
“Gaining Confidence in the Cloud,” by Phillip Griffin [Raleigh Chapter] and Jeff Stapleton [Fort Worth Chapter].
“Crypto Wars II,” by Luther Martin [Silicon Valley Chapter] and Amy Vosters.

Congratulations to our best authors of the year! A number are already planning to submit further works in the upcoming year.

Readers’ Choice for 2016
So, these are the board’s choices. Do you concur? Please take a look through the year and let us know your top three or four selections. We’d love to have a Readers’ Choice. Some of my favorites not mentioned are “Impact of Social Media on Cybersecurity Employment and How to Use It to Improve Your Career,” Tim Howard [South Texas Chapter]; “Stop Delivery of Phishing Emails,” Gary Landau [Los Angeles Chapter]; “Beware the Blockchain,” Karen Martin; “The Race against Cyber Crime Is Lost without Artificial Intelligence,” Keith Moore [Capitol of Texas Chapter]; and “Why Information Security Teams Fail,” Jason Lang.

Let me know at editor@issa.org.

It’s been a great year in the ISSA Journal. Here’s looking forward to an even better year. Do you have an article to share? Bring it on.

—Thom
Sabett’s Brief
By Randy V. Sabett – ISSA Senior Member, Northern Virginia Chapter
(Not) The Best of Cybersecurity, 2016 Version

So how many cybersecurity “Best of 2016” lists have you seen over the past few weeks? Well, this won’t be one of those lists, because as I’ve done in prior years, I’m going to cover events that I think were notable but that weren’t necessarily “best of.” And, as in past years, my wife thinks that this is a silly approach, but here goes anyway…

First off, the Internet has survived another year. Despite all of the predictions of gloom and doom that have been posited over the past decade or more, we’re still plugging away with the same basic infrastructure we’ve had for several decades. To some extent, this survival is a testament to its original design—adaptable to changing conditions and attacks.

Turning to a legislative event from very early in the year, the passage of the Consolidated Appropriations Act of 2016 included the Cybersecurity Information Sharing Act (CISA). CISA created a voluntary process for sharing cybersecurity information without legal barriers or threats of litigation. DHS and DOJ released additional guidance on information sharing under CISA in February and June. Based on personal experience in 2016, I find CISA has influenced a number of decisions to share information, including B2B, B2G, and G2B.

Continuing for a moment on the government side of things, in February the Administration released the Cybersecurity National Action Plan (“CNAP”). The CNAP provides a combination of near-term tactical actions and longer-term strategy components intended to “enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.”1 Good stuff, but proper implementation will be critical.

On the commercial side, businesses continued to be subjected to a variety of ever-evolving threats, including the incredible rise in both frequency and insidiousness of ransomware. 2016 saw ransomware evolve from phishing-based attacks on individual machines into an attack mechanism that threatened entire networks. In particular, SamSam (which exploits unpatched servers, moves laterally to any machine it finds, and then encrypts the entire network) proved to be particularly overwhelming. Only robust patching and diligent backups offer resiliency.

In 2016, we saw cybersecurity become an integral part of the due diligence process for most M&A transactions (and personal experience bore this out). In fact, according to a recent survey, 85 percent of public company directors and officers say that an M&A transaction in which they were involved would likely or very likely be affected by “major security vulnerabilities.” In addition, 22 percent say that they wouldn’t acquire a company that had a high-profile data breach, while 52 percent said they would still go through with the transaction but only at a significantly reduced value.2 This interest in cybersecurity diligence is not just theoretical: in the midst of an October M&A transaction involving Verizon and Yahoo!, news broke of a Yahoo! breach that had occurred approximately two years earlier. This event raised speculation around what it might do to the deal. To me, the bigger question will be how the overall scope of the due diligence process will be influenced by cybersecurity in future deals.

To round out the year, I will end on a hopefully positive note. In December, the findings of the Commission on Enhancing National Cybersecurity were released.3 The Commission had been tasked with developing recommendations for ways to strengthen cybersecurity across both the federal government and the private sector. In a statement, President Obama stated that “[t]he Commission’s recommendations...make clear that there is much more to do and the next administration, Congress, the private sector, and the general public need to build on this progress.”

Amen to that—all stakeholders must meaningfully participate and address cybersecurity so that everyone benefits. Let’s hope that 2017 sees that participation increase. With that, I hope that your holiday season has been enjoyable and that your new year is off to a great start. Now I’m headed off to the refrigerator to come up with a top 10 list of leftovers for my wife. Looking forward to hearing from you in 2017!

About the Author
Randy V. Sabett, J.D., CISSP, is Vice Chair of the Privacy & Data Protection practice group at Cooley LLP, and a member of the Boards of Directors of ISSA NOVA, MissionLink, and the Georgetown Cybersecurity Law Institute. He was named the ISSA Professional of the Year for 2013, and chosen as a Best Cybersecurity Lawyer by Washingtonian Magazine for 2015-2016. He can be reached at rsabett@cooley.com.

1 https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.
2 https://www.nyse.com/publicdocs/Cybersecurity_and_the_M_and_A_Due_Diligence_Process.pdf.
3 https://www.nist.gov/cybercommission.
Herding Cats
By Branden R. Williams – ISSA Distinguished Fellow, North Texas Chapter
Sweat the Small Stuff

If you are going to be at RSA Conference this year, or perhaps you picked up a print copy and are reading this in the shadow of one of the expo halls, take a moment to think about all the vendors on the floor who are selling amazing kit. If you have not walked the floor yet, be sure to allocate a few hours to do so. I like to start at the edges because that’s often where some of the best new stuff is. But remember, buyer beware. Snake oil salesmen work everywhere!

As you speak to these vendors and understand how their products work, you might get caught up in the excitement of new kit and new capabilities, so much that you lose rational thought for a moment. I mean, how else do you end up with three timeshares at the end of a lavish Las Vegas weekend? Before you sign on the dotted line, think about the problem that the kit is trying to solve and see if you have already solved it elsewhere (or should solve it elsewhere).

Sometimes we forget our roots, but that’s understandable as our industry has grown from nothing to what you see around you in the expo halls over the last twenty years. Those of us who have been around that long certainly remember security as something one of the IT guys did, that and building tools to help us manage our growing infrastructure on a small scale—often times in the same manner that the big vendors do today. Before you run to your finance guy for budget, let’s look at a couple basic things we all need to master first.

How’s your logging?
PCI DSS may have been the first step in forcing companies to capture good and usable logging information, but DevOps is the new darling on the block. Companies I work with tend to check the box for PCI to close that nagging requirement but have expanded their information generation capabilities dramatically to gain extremely important insight into their infrastructure as it runs.

Getting rich logging information to do both user behavior analysis and to gain valuable insights into your infrastructure in real time will power your intelligence-gathering capabilities. Many of the products you will see on the fringe this year are going to make the case to shift from SIEM (security information event management) to UEBA (user and entity behavior analytics). If you don’t have solid—and I mean really solid—logging capabilities baked into every layer of your infrastructure, these tools won’t work as advertised. In fact, any tool you see that promises to look for trends, to do machine learning to alert you on anomalies, or to just make you more efficient will struggle to work if you are terrible at logging.

Show me machine learning!
I was at an expo a few months ago and had a string of vendors tell me about their machine learning capabilities. They show a graph with fifty bars on it, all of which are under a value of, say, ten except for one that is at a thousand. Then they point to it and say MACHINE LEARNING! For the record, that is anomaly detection. My godson who is almost three can do the exact same thing and make you laugh when he does it. Machine learning would be pointing to one of the small bars and telling an analyst to look at that one. Challenge your vendors to go beyond the glitz and buzzwords. Vaporware is just as present today as it has ever been. Machine learning is a fantastic tool, but be sure you are covering your anomaly detection basics first.
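The distinction drawn above, between the thousand-count bar anyone can spot and the small bar that actually deserves an analyst's attention, as an added example that is not Williams's code or any vendor's product: a Python sketch of the anomaly-detection basics the column says to cover first. Host names, counts and the seven-day history are constructed for the demo; the 3.5 threshold and the 1.4826 MAD scaling constant are conventional choices, not values from the column.

```python
"""Anomaly-detection basics over constructed per-host event counts.

Two checks are shown:
  1. a global check that flags the one bar at 1000 among fifty bars under 10
     (what the column calls anomaly detection), and
  2. a per-entity baseline check that also flags a *small* bar because it is
     unusual for that host's own history, closer to what a behaviour-analytics
     product should surface.
Both use the median and the median absolute deviation (MAD): a single huge
value cannot drag those around the way it drags a mean and standard deviation.
"""
from statistics import median


def mad_score(value, values):
    """Robust z-like score: |value - median| / (1.4826 * MAD).

    The 1.4826 factor rescales MAD to a standard-deviation equivalent for
    roughly normal data (a conventional constant, assumed here)."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:
        # degenerate spread: anything off the median is infinitely unusual
        return float("inf") if value != med else 0.0
    return abs(value - med) / (1.4826 * mad)


def global_outliers(counts, threshold=3.5):
    """Flag entities whose count is far from the population median."""
    vals = list(counts.values())
    return sorted(k for k, v in counts.items() if mad_score(v, vals) > threshold)


def baseline_outliers(history, today, threshold=3.5):
    """Flag entities whose count today is far from their own past counts."""
    flagged = []
    for host, today_count in today.items():
        past = history.get(host, [])
        if len(past) < 5:
            continue  # not enough history to judge this host
        if mad_score(today_count, past) > threshold:
            flagged.append(host)
    return sorted(flagged)


def build_sample():
    """Constructed data (not real telemetry): 50 hosts, seven days of history
    each, plus today's counts with two planted anomalies."""
    history, today = {}, {}
    for i in range(50):
        host = f"host-{i:02d}"
        base = (i % 7) + 2  # every host normally sits under 10 events
        history[host] = [base + d for d in (0, 1, -1, 2, 0, -2, 1)]
        today[host] = base
    today["host-17"] = 1000  # the giant bar every dashboard will show
    today["host-01"] = 9     # still under 10, but triple this host's norm
    return history, today


if __name__ == "__main__":
    history, today = build_sample()
    print("global view flags:  ", global_outliers(today))           # ['host-17']
    print("baseline view flags:", baseline_outliers(history, today))  # ['host-01', 'host-17']
```

The global view reproduces the vendor's demo: the 1000 bar stands out against the population and nothing else does. The baseline view keeps that host and adds host-01, whose count of 9 is unremarkable on the chart but three times what that host has ever produced; that per-entity comparison is the part a team has to have its logging in order to support, since it needs a history per host, not one screenshot.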
How’s your debt?
Technical debt exists everywhere. It’s that patch you decided to leave off the list, or that coding workaround you built to solve a latency issue, or a default password you left in an application to make support easier. Good companies know exactly how far in debt they are and work to pay this debt back. No company will always be debt free, but managing this debt will help you understand how to deploy your limited resources. Sometimes it’s a system that has a known flaw in it, but it takes an attacker twenty minutes to compromise. Sounds like that virtual resource will only exist for ten to fifteen minutes at a time until you can address the root cause!

This year’s RSA Conference is geared up to be the biggest ever. Tweet me at @BrandenWilliams with a comment about the article before February 18, 2017, and you could be the lucky winner of a $25 Amazon gift card! Look for me around the expo, in a session, or decompressing in the airport lounge on Friday as I hurry home for the weekend!

About the Author
Branden R. Williams, DBA, CISSP, CISM, is a seasoned infosec and payments executive, ISSA Distinguished Fellow, and regularly assists top global firms with their information security and technology initiatives. Read his blog, buy his books, or reach him directly at http://www.brandenwilliams.com/.
Open Forum
By Jon J. Banks – ISSA member, Denver Chapter
Executive Juris Doctor: Rewarding and Influential Career Path

I wanted to write in support of Randy V. Sabett’s column, “Who’s Ready for a JD?,” in the October issue of the ISSA Journal. I agree we need more people with legal education in the security profession, although I will take the position that one does not need to be a full-blown, bar-certified Juris Doctor (JD). I was told while in law school that 70 percent of JDs don’t practice law. So, if you don’t have the desire to be bar-certified and practice law, a JD may not be the best option for you.

In late 2005, I looked at the future of the security industry and saw that everything we do in security would have an ever-increasing legal implication. Because of that, I decided I needed a better legal education. I did not have any interest in practicing law, so I did not want to go the JD route. I was looking for a Master’s in legal studies, but at that time none existed (there are several Master’s of legal studies degrees today). I came across an Executive Juris Doctor (EJD) degree distance learning program.

As I describe it, it’s a law degree for people who want the same legal education that lawyers get but who have no interest in practicing law. You take courses in the same substantive courses JD students take (e.g., torts, contracts, criminal law, and civil procedure to name a few), but because it is not bar eligible, you don’t take the full course load a JD student would take like wills and trusts or corporations, and there is flexibility to specialize. In my case, I specialized in law and technology and took courses in cyberlaw and intellectual property.

I have reaped huge rewards for having this legal education as a security professional. I have published and presented on legal topics in security since 2009. I was twice published in the ISSA Journal, one on e-discovery, the other on social media policy. Being able to take a law and translate it into business processes or technical controls is very hard to do if you do not understand how to read law, how courts will interpret the law, or even understanding rulings coming down from the courts. And laws permeate our entire profession—CFAA, ECPA, HIPAA (which are actually regulations effectuated by legislation), etc.

But, there are other advantages for having a legal education. Much like we in the security industry have our own vocabulary, so too do lawyers; being able to speak to lawyers in a language they understand is very important today. For example, I explain to people that the word “risk” means nothing to a lawyer, but when you use the term “liability,” you can get a lawyer’s attention. As a security professional, when I speak to lawyers using their lexicon, most lawyers light up and become very interested in what I have to say and become very willing to help me.

Getting a lawyer’s attention and support has another advantage—that of stakeholder in security. Rather than trying to futilely drive security initiatives with finance, marketing, or technology departments or even executive management, I use the legal department as my driving stakeholder. Their job is to protect the organization from liability and lawsuits, and they usually have the ear of the CEO and the board. So, if they are aware of security issues that are creating liability for the organization, they can be your biggest advocate for advancing change.

But, I would warn you not to jump into a legal education lightly. There is a tremendous amount of reading and a good bit of writing that goes with a legal education. Also, I pursued my legal education going to school full time and working full time, so I slept about four hours a night for the first nine months I was in school. Be prepared for the amount of time that will be required from you.

That being said, I can say having a legal education has been very advantageous in my career as a security professional, and it is something I am glad I pursued.

About the Author
Dr. Jon J. Banks, EJD, GPEN, CEH, OSWP, CISSP is a Sr. Security Architect at Link Technologies with 19 years of experience building information security architectures and programs. Since 2009, Dr. Banks has used his legal education to give back to our profession by publishing, presenting, and teaching on various topics in law and information security. He can be reached at jonb@linktechconsulting.com.

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. The views expressed in this column are the author’s and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.
Security in the News
News That You Can Use…
Compiled by Joel Weise – ISSA Distinguished Fellow, Vancouver, BC, Chapter and Kris Tanaka – ISSA member, Portland Chapter

It’s Time to Pull Out Your Crystal Ball
What do you think is going to happen with security and technology in 2017? Will things be better, worse, or will they remain status quo? Here is an assortment of forecast articles for your consideration. To me, these predictions are less about the future and more about a replay of 2016. What do we have to look forward to according to security experts? More of the same: The Internet of Things, more viruses and APTs, cloud everything, DoS attacks, ransomware, etc. My personal favorite? Dronejacking. I previously mentioned this to friends at an unnamed online retailer, but in spite of demonstrated attack scenarios they thought it was not possible. As always, it might be fun to hold on to these links and revisit them in December to see how accurate they really were. Here’s to the future and keeping cybersafe in 2017! Cheers!
http://www.forbes.com/sites/gilpress/2016/12/12/2017-predictions-for-ai-big-data-iot-cybersecurity-and-jobs-from-senior-tech-executives/#5ff851ee62e9
http://www.usatoday.com/story/money/columnist/2016/12/17/think-cyberthreats-bad-now-theyll-get-worse-2017-spear-phishing-etc/95262574/
http://www.infosecisland.com/blogview/24860-Top-10-Cloud-and-Security-Predictions-for-2017.html
https://blog.radware.com/security/2016/12/cyber-security-predictions-2017/
http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2017.pdf
http://www.csoonline.com/article/3150997/security/what-2017-has-in-store-for-cybersecurity.html
https://www.scmagazine.com/gazing-ahead-security-predictions-part-2/article/578976/

Biggest Data Breaches and Hacks of 2016: Yahoo Data Breach, DNC Hacking, and More
http://www.techtimes.com/articles/190021/20161225/biggest-data-breaches-and-hacks-of-2016-yahoo-data-breach-dnc-hacking-and-more.htm
In addition to looking forward, the new year is also a time of reflection and taking stock of what transpired over the past year. Here’s a quick look at some of the biggest data breaches and hacks that took place in 2016. And just in case you haven’t seen it before, check out this frequently updated, interactive infographic from Information is Beautiful. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Major Cyberattacks on Health Care Grew 63 Percent in 2016
http://www.darkreading.com/attacks-breaches/major-cyberattacks-on-healthcare-grew-63--in-2016/d/d-id/1327779
The Internet of Things continues to open up new attack vectors, particularly in the healthcare industry as security experts reported a surge in medical device hijacking in 2016. The industry will continue to face challenges in 2017, thanks to predictions of unprecedented levels of ransomware and the increasing ability of hackers to launch multiple attacks at once.

Cybersecurity Confidence Gets a C-. How to Improve Your Grade in 2017
http://www.csoonline.com/article/3151078/security/cybersecurity-confidence-gets-a-c-how-to-improve-your-grade-in-2017.html
How do you feel about detecting and mitigating cyber threats in your organization? If your answer is “not very confident,” you are in good company. According to a new survey, global confidence in cybersecurity is dropping, while challenges, such as the expanding threat environment, are increasing. Although it is easy to get discouraged, especially when we continue to see article after article revealing new breaches and cyberattacks, there are ways we can improve.

Five Ways Cybersecurity Is Nothing Like the Way Hollywood Portrays It
http://www.networkworld.com/article/3151064/security/five-ways-cybersecurity-is-nothing-like-the-way-hollywood-portrays-it.html
Cybersecurity is cool. Just take a look at how many television shows and movies have woven it into their scripts and storylines. But just how accurate is their portrayal of the industry? Yes, Hollywood usually tends to glamorize things. We all know our day-to-day work lives rarely involve fist-fights and elaborate stunts found in action movies. But the increasing popularity around cybersecurity, even in fictional form, is a good thing. Awareness is one of the best weapons in the fight against the “bad guys.”

Increasing the Cybersecurity Workforce Won’t Solve Everything
http://www.csoonline.com/article/3153079/security/increasing-the-cybersecurity-workforce-wont-solve-everything.html
The word is out—we all need to focus on cybersecurity, improving our security posture and infrastructure. Even the US government is receiving recommendations and guidelines on how to make this goal a reality. Unfortunately, many of the proposed plans will take time and additional resources. What can you do while you are waiting for these “new” solutions to make an impact? Increase security awareness at all levels in your organization. As you have heard many times before, all it takes is just one click. Make sure the humans on your network are prepared to make the right choices.
It’s been a huge year for information security in the public eye. It seemed like security was constantly in the news for massive corporate security breaches, election email leaks, or draconian new cyber laws.

We had Apple vs. the FBI. Tempers flared. People got hysterical. And that was just the FBI’s legal team. Not all the commentary was credible. The well-known encryption experts the National Sheriffs’ Association stated that Apple was “putting profit over safety” and this had “nothing to do with privacy.” Aww bless.

Yahoo announced yet another huge breach. It’s sad to see the once mighty Internet giant slowly transitioning from respected Internet pioneer to a honeypot experiment with live customer data. The official line was that Yahoo had been the victim of “state-sponsored” attacks. That sounds a lot better than being repeatedly caught out with obsolete security controls like MD5 encryption to protect customer passwords. To be fair, MD5 encryption can be considered very strong. But only if your threat model is focused on Russian cryptographers attacking through a star gate from the 1990s.
James Clapper announced his resigna-
tion. The man who with a straight face
denied to the US Congress that data was
being collected on millions of Amer-
icans is leaving the building. His exit
interview would have been a hoot. Have
you held anything
back? Is there any clas-
sified information that
you’ve failed to return?
Um, “Not wittingly.”
Under Clapper’s direc-
tion, national security
objectives have pros-
pered. However, tech-
nologies we all depend
on have been weak-
ened, exposing us to
risk from cyber crim-
inals and repressive
regimes. The profits of
US companies have suffered as they’ve
struggled to convince global customers
that their data is safe with a US com-
pany. If you’re a US citizen, you might
think the national security trade off was
worth it. However, if you live anywhere
else in the world, or you’re a US com-
pany who has lost customers, then you
might have a different view.
In November the most intrusive pow-
ers ever proposed for the UK intelli-
gence services were made law in the UK.
Critics protested that the new law gave
too many government agencies access
to people’s browsing history without
the need for a warrant. In fact, the list
of agencies that can access browsing
data without a warrant is so large that
it might have been quicker just to list
those that can’t. On the plus side we can
all sleep safely knowing that the Welsh
Ambulance Services National Health
Service Trust knows what we’re doing
online. Privacy activists took the UK
government to the European Court of
Justice, which ruled
in December that
government agen-
cies needed inde-
pendent judicial
oversight and that
access had to be in response to serious
crime. If you swap “web history” with
“that special bedroom drawer,” then the
judgment is entirely consistent with re-
al-world privacy.
There were persisting concerns about
the security weaknesses of voting ma-
chines in the US elections. We should
be grateful that the winner of this part-
ly automated vote count wasn’t Select *.
The FBI learned that Hillary Clinton’s
campaign chief John Podesta’s email
had been compromised. Unfortunately
all their agents were busy ogling An-
thony Weiner’s laptop, so they just left a
message with Podesta’s IT helpdesk. It’s
a mystery why Weiner’s laptop deserved
thousands of hours of agent time and
the compromise of Podesta’s email by
a foreign power didn’t merit an agency
visit.
2016 was also the year that the burgeon-
ing Internet of trash really started to
stink. Brian Kreb’s website was hit with
the largest distributed denial of service
attack ever: a great amorphous pudding
of hijacked IP-enabled household appli-
ances. People started waking up to the
risks. Some even asked, what’s the point
of a rice cooker having an IP address?
Here’s to 2017.
About the Author
Geordie Stewart, MSc, CISSP, is the
Principle Security Consultant at Risk
Intelligence and is a regular speaker and
writer on the topic of security awareness.
His blog is available at www.risk-intelli-
gence.co.uk/blog, and he may be reached
at geordie@risk-intelligence.co.uk.
Security Awareness
Security in the News in 2016
By Geordie Stewart – ISSA member, UK Chapter
Image used with permission
January 2017 | ISSA Journal – 9
Crypto Corner
A Feeble Attempt at Humor
By Luther Martin – ISSA member, Silicon Valley Chapter
Information security professionals in general, and cryptographers in particular, are not known for their senses of humor. This could be because the most common personality type in information security is MBTI type INTJ. People of type INTJ tend to be very competent but coldly rational. The characters Greg House from the TV show House and Sherlock Holmes from the TV show Sherlock are examples of how INTJs may come across to most people.
But this does not mean that we do not appreciate humor when we see it. Every ten years or so, I come across examples of humor that seem to appeal to some security professionals and to almost all cryptographers. Here are three examples.
The word “rogue” is often misspelled as “rouge.” I first noticed this back in the dot-com era when a discussion started on a mailing list about how to handle “rouge CAs.” After other list members exchanged a few messages, I could not help asking what these “rouge CAs” were. I asked if they were described in some document that I had not “red,” but suggested that they were probably real, rather than something that someone would just “makeup.”
Only one other list member seemed to understand my attempt at humor, while many others tried to provide serious answers to my obviously (at least to me) flippant questions. This might have been when I first suspected that humor might be quite rare in some parts of the security industry. It also might not have been as funny as I thought it was at the time.
Several years later, I heard a joke in a rather unusual context. Apparently some hiring manager thought that being able to understand and laugh at this particular joke was a good criterion to use for selecting employees. Really.
Here is the joke, reproduced as well as my memory allows. This one requires more thought than the first one. You should not feel bad if you do not understand it right away. But even if you do understand it, you might want to feel lucky that you did not end up working for this particular company.
Three cryptographers walk into a bar. The bartender says, “Are you all having beer tonight?”
“Hmm,” says the first cryptographer, “I don’t know.”
“Hmm,” says the second cryptographer, “I don’t know.”
“Yes,” says the third cryptographer.
I’m not sure where explaining this joke ranks compared to other pointless interview questions, like asking how many ping-pong balls it would take to fill a school bus or asking why manhole covers are round, but it seems to me like it is roughly just as useful.
This joke actually made me laugh. It also made me wonder exactly how the discussion went among the people doing interviews that led to this particular element being added to their interview process. I assume that nobody starts with the goal of making a bad decision, but using this as part of an interview seemed as good an example of something resulting from a bad decision as anything I have ever seen.
The third and final example of humor is another one that I had the dubious honor of creating. It is even harder to understand than the previous joke—unless you spent time in college studying the theory of computation, of course.
Several years ago I had to give a talk in Pittsburgh one morning, and then drive to Cincinnati that afternoon for a meeting the next day. The roads through that part of the US are notoriously bumpy and busy, and when I finally made it to Cincinnati that evening, I was very tired. When I went to check in at my hotel, I was greeted by an enthusiastic and cheerful young woman.
“How are you today?” she asked.
“I’m tired,” I replied, perhaps a bit too truthfully.
Not realizing that I was a cryptographer, she misattributed another profession to me.
“Being a traveling salesman can be tough,” she said.
“Yes,” I said, “it can be. And the worst part is how NP-hard the car seats can get.”
“What?”
“Never mind.”
What have I learned from my many years of experience in the security industry? Apparently not enough. I still have a bad habit of starting talks with a joke, no matter how many times it ends up failing miserably. But isn’t that what we should expect from an INTJ?
About the author
Luther Martin is a Distinguished Technologist at Hewlett Packard Enterprise and the author of the first attempt at humor published in the ISSA Journal (“The Information Security Life Cycle,” March 2008). You can reach him at luther.martin@hpe.com.
Association News
Through January 13, 2017 – For information: www.issa.org/events/EventDetails.aspx?id=712365&group=
The Voice of Cybersecurity Professionals (Part II)
Research Reveals “Human” Issues as Top Cybersecurity and Business Risk
The second research report from the groundbreaking global study of cybersecurity professionals by ISSA and independent industry analyst firm Enterprise Strategy Group (ESG) has been released.
In aggregate, 54 percent of cybersecurity professionals surveyed admitted that their organizations experienced at least one type of security event over the past year. Yet, surprisingly, none of the top contributors to these cyber attacks and data breaches are related to cyber technology. Rather, they point to human issues such as a lack of enough cybersecurity staff members as well as a lack of employee training and boardroom prioritization.
Further supporting this finding, 69 percent of cybersecurity professionals say the global cybersecurity skills shortage has had an impact on the organization they work for, leading to excessive workloads, inappropriate skill levels, high turnover, and an acute shortage especially in the areas of security analytics, application security, and cloud security.
Figure 1 – Impact of cybersecurity skills shortage: Has the global cybersecurity skills shortage impacted your organization over the past few years?
In this time of fluid world events, such as the US presidential transition, cybersecurity professionals surveyed also send a strong message to national government: the vast majority believe that their nation’s critical infrastructure is extremely vulnerable or vulnerable to some type of significant cyber attack and want government more involved in cybersecurity strategies and defenses. Going further, they recommend specific actions government should take, leading with providing better ways to share security information with the private sector, incentives to organizations that improve cybersecurity, and funding for cybersecurity training and education.
“There’s lots of research indicating a global cybersecurity skills shortage, but there was almost nothing that looked at the associated ramifications. Based upon the two ESG/ISSA reports, we now know that beyond the personnel shortage alone, cybersecurity professionals aren’t receiving appropriate levels of training, face an increasing workload, and don’t always receive adequate support from the business,” said Jon Oltsik, ESG senior principal analyst. “Simply stated, these findings represent an existential threat. How can we expect cybersecurity professionals to mitigate risk and stay ahead of cyber threats when they are understaffed, underskilled, and burned-out?”
Based upon the data collected from the first global survey to capture the voice of cybersecurity professionals on the state of their profession, this final report of the two-part series, titled “Through the Eyes of Cybersecurity Professionals: Annual Research Report (Part II),” concludes:
• The clear majority (92 percent) believe that an average organization is vulnerable to some type of cyber attack or data breach
• People and organizational issues contribute to the onslaught of security incidents
• Most organizations are feeling the effect of the global cybersecurity skills shortage
• Cybersecurity professionals have several suggestions to help improve the current situation
• Sixty-two percent believe critical infrastructure is very vulnerable to cyber attacks
• Sixty-six percent believe government cybersecurity strategy tends to be incoherent and incomplete
• Eighty-nine percent of cybersecurity professionals want more help from their governments
“The results gleaned from this research are both alarming and enlightening. Alarming in the sense that if we don’t collectively pay attention to the cries for help, we will put businesses unnecessarily at risk. Enlightening in that organizations need to be willing to invest in their cybersecurity professionals, with clearly defined career paths and skills development in order to hire and retain qualified employees,” said Candy Alexander, cybersecurity consultant and chair of ISSA’s Cybersecurity Career Lifecycle. “This research data will help ISSA and other professional groups to clearly define career paths for our profession.”
The report also lays out the “Top 5 Research Implications” as a guideline for cybersecurity professionals and the organizations they work for. “Assume your organization will experience one or several cyber attacks or data breaches and take the cybersecurity skills shortage into account as part of every initiative and decision. Push for more all-inclusive cybersecurity training and, as importantly, get involved in educating and lobbying business executives and government legislators alike,” recommended Oltsik.
Leslie Kesselring, ISSA Public Relations Consultant
—“Through the Eyes of Cybersecurity Professionals: Annual Research Report (Part I)”: http://www.issa.org/esgsurvey/.
—“Through the Eyes of Cybersecurity Professionals: Annual Research Report (Part II)”: https://www.issa.org/page/issaesg_survey_P2.
CSCL Pre-Professional Virtual Meet-Ups
ISSA.org => Learn => Web Events => CSCL Meet-Ups
So, you think you want to work in cybersecurity? Not sure which way to go? Not sure if you’re doing all you need to do to be successful? Check out Pre-Professional Virtual Meet-Ups to help guide you through the maze of cybersecurity.
January 19, 2017: 2:00 p.m. – 3:30 p.m. EDT. Future Challenges: Are You Ready?
This discussion will look at the history of security and technology in order to identify what has changed and what hasn’t, as well as lessons learned from our past to help prepare for our future. We will review methodologies, technologies, and business practices. Are the challenges really all that different?
2016 Security Review and Predictions for 2017
2-Hour live event Tuesday, January 24, 2017
9 a.m. US-Pacific/ 12 p.m. US-Eastern/ 5 p.m. London
2016 was a monumental year in cybersecurity: from email hacking impacting the US political world to the October DNS attacks and the ongoing rise of ransomware and IoT concerns. “Cyber” is huge right now. How will this growing spotlight on security translate in terms of media and regulatory attention? And what kinds of threats will dominate the 2017 landscape? Join us, make notes, and then check back in a year to see how we did!
For more information on this or other webinars:
ISSA.org => Web Events => International Web Conferences
ISSA.org => Learn => CISO Executive Forum
The CISO Executive Forum is a peer-to-peer event. The unique strength of this event is that members can feel free to share concerns, successes, and feedback in a peer-only environment. Membership is by invitation only and subject to approval. Membership criteria will act as a guideline for approval.
The 2017 venues will be the following:
San Francisco, CA – Innovation and Technology – February 11-12, 2017
Washington DC – Information Security, Privacy, and Legal Collaboration – April 20-21, 2017
Las Vegas, NV – Security Awareness and Training—Enlisting Your Entire Workforce into Your Security Team – July 23-24, 2017
San Diego, CA – Payment Strategies: The Game Has Changed – October 11-12, 2017
For information on sponsorship opportunities, contact Joe Cavarretta, jcavarretta@issa.org.
ISSA CISO Virtual Mentoring Series
LEARN FROM THE EXPERTS! If you’re seeking a career in cybersecurity and are on the path to becoming a CISO, check out the 19 webinars from April 2015 through December 2016!
ISSA.org => Learn => Web Events => CISO Mentoring Webinar Series
Looking to Begin or Advance Your Career?
ISSA.org => Career => Career Center
The ISSA Career Center offers a listing of current job openings in the infosec, assurance, privacy, and risk fields. Visit the Career Center to look for a new opportunity, post your resume, or post an opening.
Questions? Email Monique dela Cruz at mdelacruz@issa.org.
Machine Learning: A Primer for Security
By Stephan Jou – ISSA member, Toronto Chapter
2016 Article of the Year
“Machine learning is revolutionizing the security landscape.”
The author examines how machine learning can be leveraged to address the practical challenges of delivering lower-cost security by resolving more threats faster, with fewer resources. The article focuses on machine learning security techniques that work at typical levels of data volumes, from those operating with “small data” to those implementing data lakes.
Popular responses to that statement are all over the map. Some say machine learning is vastly over-hyped in our market, while others contend it is the combination of machine learning with access to more data that is the main reason to be optimistic about security in the future.
In the day-to-day world of data security, analytics practitioners who have embraced machine learning are regularly catching bad actors, such as externally compromised accounts or malicious insiders. We do this by using machine learning and analytics to detect indicators of compromise and predict which employees or associates are likely to leave with stolen data. We succeed when we define what is normal, then determine anomalies using machine learning. Machines are simply faster at repetitive tasks like finding inconsistencies in the patterns of data usage, and machines do not tire from scouring through billions of data events per day.
At present, the cybersecurity industry is still behind the curve in demonstrating the kind of success that machine learning has achieved in some other industries. But with rapidly growing volumes of data and better behavioral monitoring aimed at leveraging data, big data, and data lakes, machine learning and security clearly will achieve more breakthroughs together.
There are two good reasons why machine learning is useful to security. First, it can reduce the cost of standing up and maintaining a security system. In this industry, we’ve spent billions, yet we clearly need better tools to protect our data. The bad guys still have better tools than the good guys, and it still costs too much to investigate and respond to security incidents. The nature of defense is that it simply takes time to build up resistance, only to have a new attack render that defense ineffective or obsolete. This leads to the second reason that machine learning is important: it can reduce the time required to detect and respond to a breach once the inevitable occurs. Proper use of machine learning can have a measurable impact on deployment time and cost, as well as dwell time from incident to response.
In this article, I will examine how we leverage machine learning to address the practical challenges of delivering lower-cost security by resolving more threats faster, with fewer resources. I will focus on machine learning security techniques that work at typical levels of data volumes, from those operating with “small data” to those of us implementing data lakes. My purpose is to empower security teams to make use of machine learning to automate what skilled experts can do: prioritize risks so that experts can focus attention on those high-threat anomalies that signify targeted attacks, compromised accounts, and insider threats.
Automate and learn: What machine learning does best
The concept of machine learning is based on the idea that we can use software to automate the building of analytical models and have them iteratively learn, without requiring constant tuning and configuring. Machine learning, if implemented properly, learns by observing your company’s particular data. It should not require rules, tool kits, or a team of data scientists and integrators to endlessly examine the datasets in order to become operational. Similarly, the software should not require a team with system administration or DevOps skills to architect a big data infrastructure. Many companies’ experiences with analytics date back to when scientists and integrators had to spend months, or even years, to understand the business and how every aspect of the dataset intersected with users and machines. This is no longer the case. Modern machine learning works with the data in your organization, observing it persistently through continuous user, file, and machine monitoring.
Further, machine learning can react automatically to typical business changes by detecting and reacting appropriately to shifting behavior. This is often a surprise to companies accustomed to bringing in teams of consultants and having to re-engage them when a new business unit is created or a merger occurs. It is expected that if there are new behaviors, the old software must be reconfigured, rules constantly rewritten, and new thresholds created. But if done correctly, machine learning can learn—then automatically continue to learn—based on updated data flowing through the system. Just as a teacher doesn’t have to tell an equation how to compute the average grade score for the population of a class, the same equation for computing averages will work in classrooms everywhere—or when classes are added or removed.
Math is magical, but not magic. The fact is, math cannot do anything that a human can’t do, given enough time and persistence. Math simply expresses what is happening in an automated fashion using equations. In machine learning, such equations are implemented as software algorithms that can run continuously and tirelessly. There is plenty of mystique around the seemingly limitless capabilities of “magical” algorithms that are, in reality, far less responsible for what machine learning can do for security than the data itself. In fact, connecting the data to the math (a process known as feature engineering) and then implementing the math at scale (using appropriate big data technologies) is where the real magic of machine learning for security lies.
Cost and time essentials
One way to understand how machine learning can have an impact on cost is to look at the steps required to install and use an analytical product. We all know there is fixed time associated with installation and configuration, but it is the tuning and training of the analytics that has been historically costly.
There are many steps involved in the process between deciding to start to build a security analytics-enabled process and receiving valid analytics that can detect and respond to incidents. Choosing the right approach can significantly reduce the time and the cost between the project start and when value can be provided. Specifically, choosing a proper machine learning-based approach that does not require manual tuning, customization, building of rules, etc., can greatly accelerate the time to value (figure 1).
Figure 1 – Time to value: Security analytics using rules, versus security analytics using machine learning
Whether total deployment time is fast (a couple of hours or a few days) or painfully slow (as long as a year!) is largely dependent on the capabilities of the analytics. The real cost disparity emerges when we ask questions such as:
• Do I need to set thresholds?
• Will we have to write rules?
• Am I paying service fees for these capabilities?
• How easy is it?
To get value from the system, you obviously want to ask the essential question: How long before we can actually learn something about a breach? By asking and answering this, we can know time to value.
To obtain the answer, we need to focus on how machine learning extracts value. It’s popular to focus attention on the algorithm, most likely because recently algorithms such as Deep Learning have been achieving exciting successes in the news. And it’s naturally easy to get lost in that excitement! However, more important than the algorithm is a focus on the right data and the corresponding use case appropriate for your particular organization. Getting the right datasets for the job and applying the right principles will trump any given algorithm, every time. With this approach, we can allow machine learning to do what it does best: find evidence, and connect the dots between pieces of evidence, to create a true picture of what is happening.
This “connecting of dots” is important because it allows us to show corroboration across datasets. When security professionals talk about alert fatigue, they are really referring to the need for better corroboration so they can reduce the number of results the system fires. Simply put, when we have alert fatigue, the math is not helping us compress the results that the system is finding. But math can help compress billions of events per day into dozens of incidents by effectively scoring all events, and then corroborating multiple scored events together. A machine learning implementation further means that this approach to reducing false positives and alert fatigue can be done automatically, to give us the reduced cost and faster time to value we’re looking for. But how does that work?
The value of a score: Probabilistic methods vs. rules and thresholds
One important machine-learning technique is using probabilistic statistical methods[1] to score events for risky indicators, rather than relying on rules with thresholds that either fire or do not fire.
[1] For a good overview of probabilistic and statistical methods as they apply to machine learning, see: Murphy, K. P. 2012. Machine Learning: A Probabilistic Approach, Cambridge, Massachusetts: MIT Press.
When we talk about scoring an event, we are simply talking about computing a number, for example, between zero and 100. This contrasts with relying on rules that issue a Boolean alert. Boolean alerts either fire or do not fire, based on parameters and thresholds the operator has set. The problem with this approach is that since alerts either fire or do not fire, as the alerts accumulate (in your SIEM, for example), the best we can do is count them. Having 10 alerts, all with limited severity information and context, delivers little information that is helpful.
When we score events for risk, we can assign them meaning—for example, 0% is no risk, while 100% is the most extreme risk—and then more smartly aggregate risk values to get a combined picture of the risks associated. Risk scores can give additional context by being associated with not only a particular activity, but also with the assets, people, and machines involved. Mathematical weighting helps us tune and train our model for specific activities, people, assets, and end points on a per-behavior pattern basis. Aggregating scores, rather than simply counting alerts, is more effective because we can define a weighted representation of how risky behavior is. In contrast, if all you have is an alert, you can only say that “X” things happened. While it’s true that we can label events, labeling things either good or bad does not help. In fact, it can be risky. It quickly becomes easy to ignore low probability events or trick the system into ignoring them. You can see why it is possible to get 10,000 alerts when the threshold is set too low, for example. In a typical medium-size business environment, it is quite likely to have the data present us with billions of “events”—multiple bits of evidence of what is happening to the data. Machine learning can work quickly to distill these billions of events to tell the difference between low- and incredibly high-risk events, and then connect them together for a picture, or handful of pictures, that can tell us what is going on. Here, math helps us compress the results, so instead of having alert fatigue or a group of patterns with arbitrary values, we have a clear picture using statistics of what is anomalous.
In addition to using scoring, effective machine learning in data security lets us use probabilistic math rather than thresholds. Probabilistic methods are better than thresholds because they tell us not just about badness, but the probability or degree of badness. We can compute all of the events, not just those arbitrarily deemed likely to be interesting. We can much more accurately assess the overall risk posture of any entity and actually measure what security experts are trained to look for—bad or at least “weird” things happening to their data. Finally, we can collect and score all of the events and compute their likelihood of causing us problems. In this way, we create a system that can learn automatically.
This automatic learning is an important component of why the machine learning approach works. Automatic means no rules must be fine-tuned, no thresholds must be tweaked, no maintenance must be performed when your business shifts. But how does machine learning pull off this trick?
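The contrast between counting Boolean alerts and aggregating per-entity probabilistic scores, worked as an added example (this is not code from the article or from any product it describes). It scores each observation against that entity's own baseline using a normal-tail probability, so the score is a statement of rarity rather than a fixed cut-off, and then aggregates per entity. The user names, byte counts and the 500-byte rule threshold are all constructed; the mean-of-scores aggregation is a deliberate simplification of the weighted aggregation the text describes.

```python
"""Added example (not from the article): probabilistic per-entity event scoring
and score aggregation, side by side with a static Boolean threshold rule.
Standard library only; every user name and number below is constructed."""
from math import erf, sqrt
from statistics import mean, pstdev

# Constructed history of bytes sent per session for two hypothetical users.
# alice: mean 100, std dev 10.  bob: mean 1000, std dev 50 (bob normally moves more data).
BASELINE = {
    "alice": [90, 110, 90, 110, 90, 110, 90, 110, 90, 110],
    "bob": [950, 1050, 950, 1050, 950, 1050, 950, 1050, 950, 1050],
}

# Constructed new sessions to evaluate: (user, bytes_out).
EVENTS = [
    ("alice", 130), ("alice", 140), ("alice", 125), ("alice", 135), ("alice", 100),
    ("bob", 1020), ("bob", 1000), ("bob", 1030), ("bob", 990), ("bob", 1040),
]

RULE_THRESHOLD = 500  # the kind of fixed, global threshold a SIEM rule would use


def rule_alert_counts(events):
    """Boolean rule: fire when bytes_out exceeds the threshold, then count alerts per user.
    Counting is all that a fired/not-fired alert lets us do afterwards."""
    counts = {}
    for user, value in events:
        if value > RULE_THRESHOLD:
            counts[user] = counts.get(user, 0) + 1
    return counts


def upper_tail_probability(z):
    """P(Z >= z) for a standard normal variable, computed via the error function."""
    return 0.5 * (1.0 - erf(z / sqrt(2.0)))


def risk_score(value, history):
    """Score one observation against its own entity's baseline on a 0..100 scale.

    The score is 100 * (1 - p), where p is the two-sided probability of a value at
    least this far from the baseline mean. A value at (or below) the mean scores 0;
    a value the baseline considers essentially impossible scores close to 100.
    Only excess above the mean is scored: unusually little outbound data is not the
    failure mode this particular detector looks for."""
    mu = mean(history)
    sigma = max(pstdev(history), 1e-9)  # guard against a constant history
    z = (value - mu) / sigma
    if z <= 0:
        return 0.0
    p_two_sided = 2.0 * upper_tail_probability(z)
    return round(100.0 * (1.0 - p_two_sided), 2)


def score_events(events, baseline):
    """Attach a risk score to every event; nothing is discarded by a threshold."""
    return [(user, value, risk_score(value, baseline[user])) for user, value in events]


def aggregate_risk(scored):
    """Deliberately simple aggregation: mean per-event score for each entity.
    Real products weight by asset, activity type and so on, as the article describes."""
    per_user = {}
    for user, _, score in scored:
        per_user.setdefault(user, []).append(score)
    return {user: round(mean(scores), 2) for user, scores in per_user.items()}


def rank_entities(aggregated):
    """Entities ordered from most to least risky: the queue an analyst works top-down."""
    return sorted(aggregated, key=aggregated.get, reverse=True)


if __name__ == "__main__":
    print("rule alert counts:", rule_alert_counts(EVENTS))
    agg = aggregate_risk(score_events(EVENTS, BASELINE))
    print("aggregated risk:", agg)
    print("work queue:", rank_entities(agg))
```

With these inputs the static rule fires five times for bob and never for alice, because bob's ordinary volume sits above the global threshold, while the per-entity scores put alice near the top (her sessions are three to four standard deviations above her own baseline) and bob near the bottom (his are within one). That inversion is the point the text makes about counting alerts versus scoring behavior.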
How machines learn
Machines don’t learn in a vacuum; ma-
chines learn by continually observing
data. Given enough data, machines can
turn data into patterns. Observation of
patterns can lead to generalizations, a
process accomplished by taking exam-
January 2017 | ISSA Journal – 17
Machine Learning: A Primer for Security | Stephan Jou
18. As a human, when given a set of observations that look like
figure 2, you might eventually conclude (or learn) that cats
generally have longer tails and whiskers than dogs.
There are two broad classes of machine learning: supervised
learning and unsupervised learning.
In supervised learning, we are given the answers. In our cat
and dog example, suppose that whenever we are given a whis-
ker length and tail length, we are also told whether the animal
is a cat or a dog; this is an example of supervised learning.
Rather than simply asking us to “find me dogs and cats,” the
data told us what these animals are. Since we, in turn, advised
the algorithm about whisker and tail length, this class of al-
gorithm is known as supervised learning. It requires accurate
examples.
The model, represented visually by the dotted line (figure 3),
states that if the tail and whisker length is to the left of the
dotted line, declare the animal to be a dog. If it’s on the right,
call it a cat.
Using the learned model shown in figure 3, we can start to
make predictions. When we see animal X, and measure its
tail and whisker length, we would predict that it’s a cat, since
it is to the right of the dotted line (figure 4). X’s long whiskers
and long tail give it away!
In unsupervised learning, we hope that a grouping (or cluster-
ing) pattern emerges based solely on the input data, without
any output labels (figure 5). The data tells the story, self-or-
ganizing into clusters. In general, unsupervised learning is a
much harder problem than when output labels are available.
ples and creating general statements or truths. This learning
process is true not just of machines, but of humans. Machine
learning is nothing more than algorithms2 that automate this same learning process that we as humans do naturally.
Consider that when we as humans see something, we know
what we probably saw because it is most similar to what we’ve
seen before. This is actually an example of a machine learning
algorithm known as “nearest neighbor” (or k-nearest neigh-
bors, for the picky).
Here is an example of applying machine learning to deter-
mine whether an animal is a cat or a dog. By fitting points to
a line we can observe that when we see an animal and it has
long whiskers (cats) and longer tails (also cats), it is more like-
ly to be a cat than a dog. The more examples we see, the more
generalizations prove the rule. While it’s true that sometimes
a cat has a short tail and occasionally a dog has really long
whiskers, it is mostly not the case. Clusters emerge showing
cats and dogs. Children quickly recognize by this method
what is a cat and what is a dog. Algorithms, when given ex-
amples, can be created to do the same thing, using math to
automate this process.
Suppose we go around our neighborhood and measure the
whisker lengths and tail lengths, in inches, for the first 14 pets
we see. We may end up with a set of data points like the fol-
lowing (table 1):
Whisker Length (input)   Tail Length (input)   Cat or Dog? (output)
5                        6                     Cat
5.7                      11                    Cat
4.3                      9.5                   Cat
4.2                      7                     Cat
6.4                      8                     Cat
5.9                      10                    Cat
5.2                      9                     Cat
2.3                      5                     Dog
2.5                      3                     Dog
4                        9.5                   Cat
2.1                      7                     Dog
1.3                      9                     Dog
3.4                      7.5                   Dog
Table 1 – Whisker and tail lengths of sample pets
2 There are many good books that introduce the concepts of machine learning.
The following book is short and very readable, and does not require a deep math
background: Adriaans, P. and Zantinge D., 1996. Data Mining, England: Addison-
Wesley Longman. The following is a great reference for those more comfortable with
mathematical notation. Tan, P.-N.; Kumar, V. and Steinbach, M. 2006. Introduction
to Data Mining, Boston: Addison-Wesley Longman. For the coders, try: Conway, D.
and White, J. M. 2012. Machine Learning for Hackers, O’Reilly.
Figure 2 – A plot of neighborhood dogs and cats, and their tail and whisker lengths, in inches.
Figure 3 – A simple model that distinguishes between dogs and cats, based on tail and whisker length.
Figure 4 – Predicting with a model
Figure 5 – Data points without labels
But how do we determine the right features? Selecting features requires knowledge. For example, we might include our
historical experience or studies from industry organizations
such as CERT, academic research, or our own brainstorming.
This type of knowledge is the reason we need experts who can
take what is in their heads and ask machines to automate it.
Creating good features is a far better use of people skills and
money, anyone would agree, than hiring expensive hunters to
sift through a sea of alerts. Machine learning simply allows
us to automate typical patterns so that our highly qualified
hunters can focus on the edge cases specific to the company
and the business.
Online vs. offline learning
There are two modes of machine learning: online and offline.
Offline learning is when models learn based on a static data-
set that does not change. Once the models have complet-
ed their learning on the static dataset, we can then deploy
those models to create scores on real-time data. Traditional
credit-card fraud detection is an example of offline learning.
Credit card companies can take a year of credit card trans-
actions and have models learn what patterns of fraud look
like. The learning can take many days or weeks to actually
complete. Once completed, those models can be applied in
real time as credit-card transactions occur, to flag potentially
fraudulent transactions. But the learning part was done off–
line from a static dataset.
Online learning occurs when we take a live dataset and si-
multaneously learn from it as the data comes in, while si-
multaneously deploying models to score activity in real time.
This process is quite a bit harder, since we are taking data as
it comes in, using live data to get smarter and run models at
the same time. This is the nature of modern, machine learn-
ing-based, credit card fraud detection. It notices what you
personally do or do not do. It involves individualized data,
simultaneously scoring activity. We use machine learning
online to learn and react at the same time.
This distinction is important because, for security, many of
our use cases require learning new patterns as quickly as pos-
sible. We do not always have the luxury of using offline ma-
chine learning to collect months and years of data. Instead, it
is often more desirable to have models that learn as quickly as
possible, as data comes in, and also react as quickly as possi-
ble, as data changes.
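Offline and online scoring side by side, as an added example (this is not code from the article or from Interset): one user's daily read counts are scored first by a model fitted once on a static window and never updated, then by a model that scores each event against what it has seen so far and only then folds the event in. The Welford running statistics, the normal-tail scoring rule and the constructed counts are my assumptions; the article does not say which model any product uses.

```python
"""Offline vs online scoring of a per-entity count (e.g. files read per day).
Added example; standard library only."""
import math


class RunningStats:
    """Welford's streaming mean and variance: updated one event at a time and
    never needing the history, which is what an online learner keeps per entity."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


def tail_prob(x, mean, std):
    """P(X >= x) under Normal(mean, std): how likely a value at least this large
    is if nothing changed. Small means suspicious. Assumes an approximately
    normal baseline (a simplification made for this example)."""
    if std == 0.0:
        return 1.0 if x <= mean else 0.0
    z = (x - mean) / std
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def score_offline(train, stream):
    """Offline: fit once on a static window, then score new events without
    ever updating the model."""
    stats = RunningStats()
    for x in train:
        stats.update(x)
    return [tail_prob(x, stats.mean, stats.std) for x in stream]


def score_online(stream, warmup=5):
    """Online: score each event against what has been seen so far, then fold it
    into the model. Until `warmup` events exist the score is 1.0 (no evidence)."""
    stats = RunningStats()
    scores = []
    for x in stream:
        p = tail_prob(x, stats.mean, stats.std) if stats.n >= warmup else 1.0
        scores.append(p)
        stats.update(x)
    return scores


if __name__ == "__main__":
    # Constructed daily read counts for one user: a quiet baseline, then a jump.
    baseline = [10, 12, 11, 9, 10, 11, 10, 12, 9, 11]
    spike = [40, 40, 40]
    print("offline:", [f"{p:.2e}" for p in score_offline(baseline, spike)])
    print("online: ", [f"{p:.2e}" for p in score_online(baseline + spike)[-3:]])
```

The offline model keeps flagging every 40 because its baseline is frozen; the online model flags the first 40 just as hard, but after two more days the same value scores around one in a hundred, because the model has absorbed the new behaviour. That is what you want when a team's workload legitimately changes, and it is also what an adversary exploits by ramping up slowly, so an online learner needs a guard such as a slowly decaying long-term baseline or a cap on how fast its mean may move.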
Historically, much of the machine learning we have done is
offline because it has been hard to move and analyze data fast
enough to run at scale. But now, with big data technologies
such as Hadoop,3 HBase,4 Kafka,5 Spark,6 and others, we are
able to learn and score as data streams into our system. The
speed and volume of our data feeds are so much greater than
ever before. Online learning (building the models) and scor-
3 Hadoop – http://hadoop.apache.org.
4 HBase – https://hbase.apache.org.
5 Kafka – http://kafka.apache.org.
6 Spark – http://spark.apache.org.
Unsupervised learning means we do not have any “labels,”
so we are not told the “answers.” In other words, we observe
a set of whisker and tail lengths from 14 animals, but we do
not know which are cats and which are dogs. Instead, all we
might know (if we’re lucky!) is that there are exactly two types
of animals. We might still arrive at a good model to distin-
guish between dogs and cats (such as the one illustrated in
Figure 4), but this is clearly a harder problem!
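Both cases above, supervised and unsupervised, as an added worked example that is not code from the article or from Interset: a k-nearest-neighbours classifier (the algorithm named earlier) and a two-cluster k-means run on the Table 1 measurements, in plain Python. The query points, the choice of k = 3, and the two starting centroids (the longest- and shortest-whiskered pets) are my assumptions.

```python
"""Supervised k-nearest-neighbours and unsupervised 2-means on Table 1.
Added example; standard library only."""
from collections import Counter

# Table 1 from the article: (whisker length in inches, tail length in inches, label).
PETS = [
    (5.0, 6.0, "Cat"), (5.7, 11.0, "Cat"), (4.3, 9.5, "Cat"), (4.2, 7.0, "Cat"),
    (6.4, 8.0, "Cat"), (5.9, 10.0, "Cat"), (5.2, 9.0, "Cat"), (2.3, 5.0, "Dog"),
    (2.5, 3.0, "Dog"), (4.0, 9.5, "Cat"), (2.1, 7.0, "Dog"), (1.3, 9.0, "Dog"),
    (3.4, 7.5, "Dog"),
]


def sq_dist(a, b):
    """Squared Euclidean distance between two (whisker, tail) points."""
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2


def knn_predict(x, labelled=PETS, k=3):
    """Supervised: the label held by the majority of the k nearest labelled
    examples. k must be odd so that two classes can never tie."""
    if k % 2 == 0:
        raise ValueError("use an odd k to avoid ties between two classes")
    nearest = sorted(labelled, key=lambda p: sq_dist(x, p[:2]))[:k]
    return Counter(p[2] for p in nearest).most_common(1)[0][0]


def kmeans(points, init, max_iter=100):
    """Unsupervised: Lloyd's algorithm. `init` gives the indices of the points
    used as starting centroids, so a run is reproducible. Returns one cluster
    id per point."""
    centroids = [points[i] for i in init]
    assignment = None
    for _ in range(max_iter):
        new = [min(range(len(centroids)), key=lambda c: sq_dist(p, centroids[c]))
               for p in points]
        if new == assignment:      # nothing moved: converged
            break
        assignment = new
        for c in range(len(centroids)):
            members = [p for p, a in zip(points, assignment) if a == c]
            if members:            # an empty cluster keeps its old centroid
                centroids[c] = (sum(m[0] for m in members) / len(members),
                                sum(m[1] for m in members) / len(members))
    return assignment


def cluster_purity(assignment, truth):
    """Number of points sitting in a cluster whose majority label matches their
    own: the only way to judge an unsupervised result once labels are known."""
    total = 0
    for c in set(assignment):
        labels = [t for a, t in zip(assignment, truth) if a == c]
        total += Counter(labels).most_common(1)[0][1]
    return total


if __name__ == "__main__":
    print("animal X (6.0, 10.0) ->", knn_predict((6.0, 10.0)))
    labels = kmeans([p[:2] for p in PETS], init=[4, 11])
    print("2-means clusters:", labels)
    print("points in a majority-correct cluster:",
          cluster_purity(labels, [p[2] for p in PETS]), "of", len(PETS))
```

With labels, the long-whiskered, long-tailed animal X comes out as a cat and a short-whiskered, short-tailed one as a dog. Without labels, this run of 2-means puts the two shortest-tailed cats, (5, 6) and (4.2, 7), in the dog cluster: 11 of 13 points land in a majority-correct cluster. The result depends on the starting centroids and on tail length spanning a wider range of inches than whisker length, which is why in practice you scale features before clustering and try several initialisations.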
In general, security use cases require a mix of supervised and
unsupervised learning because datasets sometimes have la-
bels, and sometimes have not. An example of datasets where
we have a lot of labels is malware: we have many examples of
malware in the wild, so for many malware use cases, we can
use supervised learning to learn by example. An example of
datasets where we have little to no labels is anything related
to insider threat or APT; there is generally not enough data
available to rely on supervised learning methods.
The importance of the input
The input that you give your machine learning model matters
significantly. In trying to distinguish cats from dogs, know-
ing to focus on whisker and tail lengths allowed our machine
learning to be successful. If we had chosen less meaningful
inputs—such as trying to distinguish cats from dogs by the
number of legs—we would have been less successful.
The process of picking and designing the right inputs for a
model is critically important to succeeding with analytics.
For security use cases, research and experience must guide
the feature engineering process so that the right model inputs
are chosen. For example, we know from CERT, Mandiant,
and others that good indicators of insider threat and lateral
movement are related to unusually high volumes of traffic.
Our own research has discovered that the ratio of an individ-
ual’s writes to and reads from an intellectual property reposi-
tory—something we affectionately call the “mooch ratio”—is
a valuable, predictable input as well. By observing such indi-
cators, an effective machine-learning system can predict who
might be getting ready to steal data.
As you can see, the most important part of data science is
selecting the inputs to feed the algorithm. It’s an important
enough process to have its own special name: feature engi-
neering. Feature engineering, not algorithm selection, is
where data scientists spend most of their time and energy.
This process involves taking data (for example, raw firewall logs, source code, or application logs), understanding the
semantics of the dataset, and picking the right columns or
calculated columns that will help surface interesting stories
related to our use case. A feature is little more than a column
that feeds the algorithm. Picking the right column or features
gets us 90 percent of the way to an effective model, while
picking the algorithm only gets us the remaining 10 percent.
Why? If we are trying to distinguish between cats and dogs,
and all we have as inputs are the number of legs, the fanciest
algorithm in the world is still going to fail.
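As an added example of feature engineering (not code from the article or from Interset), the following builds both a raw-volume feature and a reads-to-writes ratio per user from a repository access log and ranks users on each. The log line format, the three users, and the exact definition of the ratio (reads plus one over writes plus one, the smoothing being my choice) are constructed for this example; the article does not define the mooch ratio precisely.

```python
"""Feature engineering from a repository access log: raw read volume versus a
reads-to-writes ratio per user. Added example; standard library only."""
import re
from collections import defaultdict

# Assumed line format (constructed for this example; not any product's real log):
#   <timestamp> user=<name> action=<read|write> repo=<name> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>read|write) "
    r"repo=(?P<repo>\S+) bytes=(?P<bytes>\d+)$"
)


def make_lines(user, reads, writes):
    """Constructed sample events for one user."""
    out = [f"2016-11-{1 + i % 28:02d}T09:00:00Z user={user} action=read "
           f"repo=ip-vault bytes={4096 * (i % 5 + 1)}" for i in range(reads)]
    out += [f"2016-11-{1 + i % 28:02d}T10:00:00Z user={user} action=write "
            f"repo=ip-vault bytes=2048" for i in range(writes)]
    return out


# alice: ordinary developer; bob: prolific committer who also reads a lot;
# mallory: never contributes, only pulls. One malformed line to exercise parsing.
SAMPLE_LOG = (make_lines("alice", 12, 10) + make_lines("bob", 30, 40)
              + make_lines("mallory", 25, 0) + ["not a log line"])


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def extract_features(lines):
    """Per-user feature table plus the count of lines that did not parse
    (silently dropping them would hide a broken feed)."""
    counts = defaultdict(lambda: {"reads": 0, "writes": 0, "bytes_read": 0})
    skipped = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        c = counts[ev["user"]]
        if ev["action"] == "read":
            c["reads"] += 1
            c["bytes_read"] += int(ev["bytes"])
        else:
            c["writes"] += 1
    feats = {}
    for user, c in counts.items():
        # Add-one smoothing: a user with zero writes must not divide by zero,
        # and one read with zero writes should not look like infinite mooching.
        feats[user] = dict(c, mooch_ratio=(c["reads"] + 1) / (c["writes"] + 1))
    return feats, skipped


def rank_by(feats, feature):
    """Users ordered from most to least suspicious on one feature."""
    return sorted(feats, key=lambda u: feats[u][feature], reverse=True)


if __name__ == "__main__":
    feats, skipped = extract_features(SAMPLE_LOG)
    print(f"skipped {skipped} unparseable line(s)")
    for name in ("reads", "bytes_read", "mooch_ratio"):
        print(f"top by {name:<12}: {rank_by(feats, name)}")
```

Ranked on raw reads or bytes, the prolific committer bob is the top user, because legitimate heavy users dominate any volume feature. Ranked on the ratio, mallory, who only ever pulls, is first. Same algorithm, same log; the column chosen decides whether the model tells a useful story.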
to search, for example, on terabytes of data per day. And for
this, we have widely available big data-suitable technologies
like Solr7 and Elasticsearch.8 Such technology lets us scalably
index across all analyses from all detected threats, from all
datasets in the data lake. Technologies like Kibana are now
readily available to give us a friendly UI and API to search
and visualize our results.
However, visualizing big data is hard. Imagine a pie chart of a thousand users, in which each slice corresponds to one person: it becomes a sea of color (figure 6).
Visualization in the data lake is obviously an enormous field
for research involving the challenge of how to take huge
amounts of data and convey meaning. It requires under-
standing, aggregating, summarizing, and the ability to drill
down into different levels of detail. Techniques from visual-
ization research—like focus-and-context visualization or an
understanding of visual cognition and biological precepts—
all come into play here. In other words, visualization is more
than just the drawing of the picture; the analytics underneath
the picture is equally important.
Figure 7 shows the result of processing more than 45 billion events; the most important events happened in February and March. A visualization of this much data must tell us a story. What we see is the end of an analytics pipeline: machine learning computes risk scores from the raw events, and the visualization tools render those scores as a picture of risk over time.
The “matrix” visualization at the top represents 45 billion
events. However, the underlying machine learning analysis
has processed the events to 7,535 “stories,” each with varying
levels of risk, which appears in the visualization as areas oc-
cupied by squares. Notice how quickly you see that two of the
highest risk time periods occurred in mid-to-late February.
Additional interactivity allows the user to zoom in and focus
on that specific time region for more detail.
7 Solr – http://lucene.apache.org/solr/.
8 Elasticsearch – https://www.elastic.co/products/elasticsearch.
ing (running the models) on terabytes of data a day is now
technically possible, whereas it would have been impossible
a decade ago.
Leveraging the data lake
A final reason that machine learning is more important to se-
curity now than ever becomes clear when we consider its use
with data lakes. Data lakes matter because they can be input
sources for the storage of data logs, as well a repository of an
organization’s intellectual property around which we build
protection. Clearly, we need big data analytics and automated
methods in order to see what threats are happening in this
realm. Increasingly, big data lakes are giving us the oppor-
tunity to analyze, detect, and predict threats—beyond seeing
what has happened—for compliance and forensics purposes.
This trend has occurred, in part, because data has gotten too
big to store in a SIEM. As we know, most SIEMs can practical-
ly store only a few months of data; anything older is dropped
or stored where it is not available for analysis. Increasingly,
organizations have focused on Hadoop and related technolo-
gies as a more cost-effective way to act as the system of record
for log files. But how can we better detect threats
once we are storing data (e.g., log files) in our
Hadoop data lake?
Search, visualize, detect, predict—and
repeat
As with any data, we want to be able to search,
visualize, detect, and predict threats. With ma-
chine learning, we want to combine human ex-
pertise with automated analyses for faster, more
accurate results. All of these tasks are harder on
big data, which requires newer technologies to
be capable of handling them at scale.
Data lakes let us search across and join all our
datasets into a single query. We want to be able
Figure 6 – A pie chart showing the top 100 most active tweeters.
Source: http://chandoo.org/wp/2009/08/28/nightmarish-pie-charts/
Figure 7 – A big data interactive visualization from Interset
moves. It turns out that the combination of humans and computers together produces stronger chess play than either humans alone or computers alone.
Why is the combination of humans with computers so pow-
erful for playing chess? It turns out that computers are gener-
ally better at calculating lots of moves, of being consistently
tactical, and not making mistakes. Humans, however, tend to
have a better holistic feel for the game. They see broad themes
and are better able to identify an edge, excelling in strategic
play.
What is perhaps best, of course, is humans and computers
working together. Why spend time looking at log files and
billions of events when computers are so good at these tasks?
Why look to an algorithm for a strategy on use cases? A skilled
cyber hunter fed with amazing data sources and machine
learning will save time, because the math never gets tired and
rarely, if ever, makes a mistake. This leaves our experts far
more free to focus on edge cases and provide feedback and
guidance back to the system on new models and features.
Better together, the human expert with proper machine learn-
ing tools is the winning combination that makes the future of
security analytics so optimistic, compelling, and powerful.
References
—Adriaans, P. and Zantinge D., 1996. Data Mining, En-
gland: Addison-Wesley Longman
—Conway, D. and White, J. M. 2012. Machine Learning for
Hackers, Cambridge: O’Reilly Press.
—Guyon, I.; Gunn, S.; Nikravesh, M. and Zadeh, L. A. 2006.
Feature Extraction: Foundations and Applications, Nether-
lands: Springer.
—Marz, N. and Warren, J. 2015. Big Data: Principles and
Best Practices of Scalable Real-Time Data Systems, NY:
Manning Publications.
—Murphy, K. P. 2012. Machine Learning: A Probabilistic
Perspective, Cambridge, Massachusetts: MIT Press.
—O’Neil, C. and Schutt, R. 2013. Doing Data Science:
Straight Talk from the Frontline, Cambridge: O’Reilly Press.
—Tan, P.-N.; Kumar, V. and Steinbach, M. 2006. Introduc-
tion to Data Mining, Boston: Addison-Wesley Longman.
—Tufte, E. R. 1983. The Visual Display of Quantitative Infor-
mation, Connecticut: Graphics Press.
—Zumel, N. and Mount, J. 2014. Practical Data Science with
R, NY: Manning Publications.
About the Author
Stephan Jou is CTO at Interset. He was pre-
viously with IBM and Cognos and holds an
M.Sc. in Computational Neuroscience and
Biomedical Engineering and a dual B.Sc. in
Computer Science and Human Physiology
from the University of Toronto. He may be
reached at sjou@interset.com.
Here, every visualization supports large amounts of data, with machine learning and the analytics working behind the scenes to surface and compress billions of events into dozens of stories we can understand. Further, these visualizations can be interactive, provided you have the right technology to support that interactivity, with filtering done using, for example, fast search.
Taming big data
Just as we need big data tools to search and visualize, we need
tools to detect and predict that are suited to the data lake
realm. It’s still important to allow humans to inject business
context and priorities, as well as human intuition, into the
process. But standard rules engines struggle to keep up with the volume and velocity of the data lake; they were not built to scale to the size of a big data engine. Fortunately, just as with search and visualization, there are technologies to support rules engines at
scale. Kafka, Spark, and Storm are good examples of technol-
ogies which understand how to move data at scale, process
patterns at scale, and trigger rules.
We also use different math because small-data math does not
apply to big datasets. To illustrate, remember how in high
school statistics we would always have to make sure our sam-
ple size was large enough to be statistically significant? A typ-
ical rule was to make sure you had at least a sample size of 20!
Back then, it was hard to get data, but that is no longer true.
Standard frequentist methods are sometimes not appropriate
for large datasets, where a Bayesian approach may be better
at dealing with large, messy, data. We also had to invent ways
of compressing large amounts of data into small, actionable
results that we could visualize, investigate, and plug into
workflow. This is best done with statistics, not counting, because, as covered earlier, simply adding up scores tells us little that is meaningful; we must compute and compare using principled math and statistics. These are essential tools for the data lake. But
what about our human experts? Where do we fit in?
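As an added example of the shrinkage a Bayesian approach gives on sparse entities (not code from the article or from Interset): a per-host failed-login rate estimated under a Beta prior fitted from the population, compared with the raw frequency. The population counts, the method-of-moments fit and the 20-attempt cut-off applied when fitting the prior are constructed assumptions.

```python
"""Beta-Binomial shrinkage for a per-host failed-login rate: a prior learned
from the population instead of raw counting. Added example; standard library only."""


def fit_beta_prior(population, min_attempts=20):
    """Method-of-moments Beta(a, b) from hosts with enough attempts to give a
    usable rate (the old 'at least 20' rule applied to fitting the prior, not
    to every host we want to score). population: iterable of (failures, attempts)."""
    rates = [f / n for f, n in population if n >= min_attempts]
    if len(rates) < 2:
        raise ValueError("need at least two well-observed hosts")
    m = sum(rates) / len(rates)
    v = sum((r - m) ** 2 for r in rates) / (len(rates) - 1)
    if v <= 0.0 or v >= m * (1.0 - m):
        raise ValueError("sample moments are not consistent with a Beta prior")
    common = m * (1.0 - m) / v - 1.0   # a + b: the prior's strength in pseudo-attempts
    return m * common, (1.0 - m) * common


def raw_rate(failures, attempts):
    """Frequentist point estimate: undefined with no attempts, 100% after one bad try."""
    return failures / attempts if attempts else 0.0


def posterior_rate(failures, attempts, a, b):
    """Posterior mean of the failure rate under Beta(a, b): the host's own counts
    blended with the population, weighted by how much data the host has."""
    return (failures + a) / (attempts + a + b)


def score_hosts(hosts, a, b):
    """hosts: {name: (failures, attempts)} -> both estimates plus the weight
    the host's own data received in the blend."""
    return {
        name: {
            "raw": raw_rate(f, n),
            "posterior": posterior_rate(f, n, a, b),
            "own_weight": n / (n + a + b),
        }
        for name, (f, n) in hosts.items()
    }


if __name__ == "__main__":
    # Constructed population: six well-observed hosts with 2%..8% failed logins.
    population = [(2, 100), (4, 100), (6, 100), (8, 100), (5, 100), (5, 100)]
    a, b = fit_beta_prior(population)
    print(f"prior Beta({a:.2f}, {b:.2f}), mean {a / (a + b):.3f}")
    # h1: one attempt, one failure; h2: 50 failures in 60 attempts.
    for host, s in score_hosts({"h1": (1, 1), "h2": (50, 60)}, a, b).items():
        print(host, {k: round(v, 3) for k, v in s.items()})
```

Counting says host h1 fails 100% of the time after a single bad login and ranks it above h2; the posterior says h1 is barely distinguishable from the population (its one attempt gets under 1% of the weight) while h2's 60 attempts are enough to pull it well clear. The prior strength a + b is how many pseudo-attempts the population is worth, which is the knob you tune when a feed is noisy.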
Humans and machines: Better together
With big data and data lakes, machine learning can be far
more automated than ever before and as unsupervised as we
allow, while still accepting feedback such as in a semi-super-
vised system. Because data is simply becoming bigger, it is
safe to argue that the data lake is inevitable. With machine
learning to help us automate and learn—and with the right
technologies to help us search, visualize, and detect threats—
our human experts take on a new, more expert and guiding
role.
Here is how I think the security professional is evolving. Advanced chess,9 sometimes called Centaur chess, is a form of
chess where the players are actually teams of humans with
computer programs. The human players are fully in con-
trol but use chess programs to analyze and explore possible
9 Centaur Chess – https://en.wikipedia.org/wiki/Advanced_Chess.
In this article, the author shares his insights about why security architecture is critical for
organizations and how it can be developed using a practical framework-based approach.
By Seetharaman Jeganathan
Enterprise Security
Architecture: Key for Aligning
Security Goals with Business
Goals
Abstract
Enterprise security architecture is an essential process that
aims to integrate security as a part of business and technolo-
gy initiatives handled by any organization. When the security
goals and objectives are aligned with organizational business
goals and objectives, any organization can make informed
decisions about business ventures and protect organizational
assets from ever-emerging security threats and risks. In this
article, the author shares his insights about why security ar-
chitecture is critical for organizations and how it can be de-
veloped using a practical framework-based approach.
Introduction
Enterprise security architecture (ESA) is a design process where the current state of enterprise security is
analyzed, gaps are identified based on effective risk
management processes, and the identified gaps are fulfilled
by applying cost-effective security controls. It is a life-cycle
process that enables any organization to protect itself from
advanced security threats. Until recently, ESA was a major
technology effort wherein the IT technical team owned the
definition, implementation, and operation of security pro-
cesses and controls. However, this model has created a vac-
uum with respect to business involvement and has failed to
align the IT security functions with the organizational goals
and objectives [11].
Security goals and objectives
Traditionally, information security functions have been pro-
viding confidentiality, integrity, availability, and accountabil-
ity services to information systems and infrastructure. These
services are often referred to as primary goals for informa-
tion security functions. The primary objective is to secure the
overall IT system and business functions as well as support
growth of the underlying business. ESA is a key enabling
factor to ensure that the security goals and objectives are
achieved as per the expectations of the senior management
[11].
Why security architecture?
• Security architecture is a key in aligning security func-
tions with the organization’s business functions
• Without a clearly defined architecture, security solutions
cannot be balanced between over protection and under
protection
• Security architecture functions enable accountability and
help obtain support and commitment from senior man-
agement
Even though the proposed security architecture framework
is a part of the enterprise architecture, it can also be rolled
out separately as a new initiative for organizations that are
not matured yet with respect to enterprise architecture. In
the sections below, the author shares his practical experienc-
es in implementing the proposed framework with several of
his industry customers. The primary goal of the framework is
to provide an organization-wide security architecture review
process to ensure that security is an integral part of all busi-
ness critical systems and processes [2][7].
Note: Since this article focuses on security architecture in general
rather than information security architecture specifically, it will be
appropriate to include corporate security, personnel security, and
physical security aspects in this exercise.
People factor
This area focuses on several actors (people) who must operate
together to effectively roll out the proposed framework. The
enterprise security architecture group (ESAG) or enterprise
security review board (ESRB) is a governance body that must
be formed if not available already, as an initial step. The effectiveness of the framework will depend on the involvement and participation of the identified team members.
They must fulfill their required roles and responsibilities as
effectively as possible. Human resources being expensive as-
sets for organizations, it is indispensable to get adequate sup-
port and commitment from the senior management to effec-
tively utilize human resources to protect the interests of the
stakeholders. Senior management support can be obtained by
developing a charter of this proposed ESA group by identi-
fying key roles and responsibilities of the group members. It
is important to map the goals and objectives of this group to
the overall organizational business goals and objectives and
portray how this group will enable or support the growth of
the underlying business functions [1].
Figure 2 depicts the proposed people factor top-down ap-
proach model to form the ESA group.
• Security architecture functions support IT functions
during changes in the business processes
• Security architecture provides a snapshot of an organiza-
tion’s security posture at any point of time [9]
Enterprise security architecture framework
Figure 1 shows the proposed enterprise security architecture
framework discussed throughout this paper.
The framework begins with defining the security strategy,
based on risk profile of the organization. An organization’s
security requirements are derived mainly from security
threats and risks faced by the organization [4]. These require-
ments are analyzed in the framework to clearly define a se-
curity strategy for the organization. The framework leverag-
es three major factors; people, processes, and technology to
implement the defined strategy across the organization. It is
supported by other essential elements such as organizational
governance, risk management, and IT governance bodies to
effectively achieve total security of the organization. The au-
thor has referenced “The Business Model for Information Se-
curity” (BMIS) model and designed this article with exclusive
focus on the security architecture function. The BMIS model
was originally created by Dr. Laree Kiely and Terry Benzel
at the USC Marshall School of Business Institute for Critical
Information Infrastructure Protection. Later in 2008, ISA-
CA adopted this model and has been promoting its concepts
globally.
Figure 1 – Enterprise security architecture framework (diagram; labels recovered from the figure): Total Security; Organizational Governance (Executives, Board of Directors, Stakeholders); Enterprise Risk Management (Chief Risk Officer, Risk Management Group); Enterprise IT / Security Governance (CIO, CISO, CSO, etc.); Enterprise Architecture (Enterprise Architects); Enterprise Security Architecture Framework, driven by the Security Strategy, covering Company Assets (Information Security, Corporate Security, Physical Security) and Organizational Entities (IT Functions, Business Units, Business Partners, Customers).
Figure 2 – People factor (top-down approach) model (diagram; labels recovered from the figure): Senior Management, Enterprise Security Governance Board, Enterprise Security Architecture Group. Roles listed: Board Members, Stakeholders, Chief Risk Officer, Chief Security Officer, Corporate Security Head, Chief Information Security Officer, BU Heads, Security Architects, Information Risk Manager(s), Information Security Manager(s), Corporate Security Group Members.
January 2017 | ISSA Journal – 23
Enterprise Security Architecture: Key for Aligning Security Goals with Business Goals | Seetharaman Jeganathan
The ESA group must consist of people representing all business units of the organization such as HR, finance, R&D, IT,
products, manufacturing, etc. It is important to note that the
focus of this group is not only securing the information sys-
tems but also securing the organization with a holistic ap-
proach. Business insights and guidance are essential to derive
a holistic “organization wide” security approach. A top-down
approach will provide necessary commitment and oversight
from senior management; also, when there is a disagreement
between business groups, senior management can liaise and
resolve critical issues. It is extremely important for this group
to cascade the architectural functions and decisions to the
entire organization below and/or above them. The head of
this group or its representatives must conduct regular “con-
nect meetings” with the business units to provide security
architecture oversights and guidance for all their technology
and business initiatives [1].
One of the primary expectations and outcomes of this work-
ing group should be developing security policies and stan-
dards for all organizational functions wherein security is a
key requirement. Security policies are directions by the se-
nior management to the organization on what is allowed and
what is not allowed from the security standpoint. Security
standards are guidelines developed to substantiate/support
each policy and set directions for business units on how to
adhere to the required policies [8].
Note: The author is highly inspired by the series of books, In-
formation Security Policies Made Simple, by Charles Cresson
Wood and recommends them as reference material(s) to create
relevant security policies by any organization. However, the
samples provided in the book should be used as an inspira-
tion and must not be adopted directly without careful review.
The teams working on defining the policies must also take into
consideration industry regulations, country-specific laws, and
compliance requirements before defining the policies.
Process factor
This area focuses on how the security architecture review
process should work in real time at any given organization.
The need for an organization-wide risk management pro-
cess is now more than ever because information systems and
technology are widely used for business functions across the
world. Information systems are subject to serious security
threats. Threat agents exploit known and unknown vulner-
abilities and cause damages to information systems. This
will impact the confidentiality, integrity, availability, and
accountability goals of security functions. Security breach-
es even cause permanent damage to organizations and can
make them go out of business. Recent laws and compliance
requirements make senior management personally account-
able for any negligence in securing their customer’s personal-
ly identifiable information (PII), financial data, and personal
health information (PHI) in the healthcare industry. There-
fore, it is critical and of utmost importance that the senior
management, mid-level, and lower-level employees of an
organization understand their roles and responsibilities in
protecting organization’s resources effectively from security
risks [1].
Enterprise risk management is focused on managing risks
faced by the organization. Security risks are one among several other risks faced, but security risks are more severe than
the others. Organizations generally follow widely known
risk management frameworks (NIST, ISACA, etc.) or cus-
tom-made frameworks specific to the organization based on
its culture, laws, and compliance requirements. The author
discusses and illustrates this article based on the NIST (SP
800-39) risk management process, which suggests that risk
management is carried out as a holistic, organization-wide
activity that addresses risk from the strategic level to the tac-
tical level. This enables organizations to make informed deci-
sions about their security activities based on the outcome of
the risk management process already in place [10].
Figure 3 depicts the NIST risk management process and
multi-tiered organization-wide risk management approach.
Note: As the scope of this paper is not to detail the NIST risk
management process, readers are encouraged to read the NIST
SP 800-39 document to understand the risk management
framework.
An important discussion in SP 800-39 is that information
security architecture is an integral part of an organization’s
enterprise architecture. However, the author from his experi-
ence suggests that organizations that do not have a matured
enterprise architecture yet must also roll out the security ar-
chitecture processes in their IT program initiatives. The pri-
mary purpose of the security architecture review process is to
ensure that specific security requirements are reviewed and
cost-effective security solutions (management, operational,
and technical) are suggested/designed for qualified risks that
must be mitigated as per the risk management strategy. Or-
ganizational security requirements could also arise from oth-
er factors such as policies, standards, laws, and compliance
regulations among others. These requirements must also flow
Figure 3 – NIST risk management process (diagram; labels recovered from the figure): the risk management process cycle of Frame, Assess, Respond, and Monitor, applied as multitiered organization-wide risk management across Tier 1 (Organization), Tier 2 (Mission / Business Processes), and Tier 3 (Information Systems), running from strategic risk at the top tier to tactical risk at the bottom.