Tuesday, October 25, 2011

Playing Sudoku in your metrics


This has been percolating in my head for a bit, so I figured I might as well get it out =). One of the best apps for the iPhone is Sudoku2 by fingerarts. If you aren’t familiar with Sudoku, here is a screenshot.

Each of the nine smaller boxes must contain each of the numbers 1 through 9 exactly once, and so must every row and every column. Solving really becomes a process of elimination: pick the number you are solving for and work out where it can still go. For example, when I took the screenshot I was solving for 1s. Take a look at the bottom left box. Based on the rows and columns already blocked by other 1s, the 1 in this box has to be in the first column, although it isn’t yet known which of the two open squares it will be (yellow circle). Because the 1 is somewhere in that column, though, it rules out the whole column for the boxes above, and if you look at the top left box there is only one open square left where the 1 could go (black 1). By filling that in, only one open square remains in the top right box (red 1). And on you go through all the numbers.
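The elimination chain described above (a "pointing" column in one box forcing a single square in the next, which in turn forces another box) can be written down as a small constraint-propagation routine. The following is an added example, not code from the original post or from the Sudoku2 app; the grid it works on is constructed here specifically so that the chain for the digit 1 plays out the same way: the bottom left box has only two candidates, both in the first column, which leaves one square in the top left box, which then leaves one square in the top middle box.

```python
"""Constraint propagation for a single digit in Sudoku, box by box.

Added example: the grid, the box indexing and the function names are
assumptions for this walk-through, not anything from the original post.
"""

# Constructed 9x9 grid (0 = empty). Only the cells needed for the chain are
# filled: the 1s at (2,7), (4,1) and (7,5) block rows and columns, and the
# filler digits at (0,2), (0,3), (6,2) and (8,2) occupy squares that would
# otherwise stay open for a 1.
EXAMPLE_GRID = [
    [0, 0, 3, 8, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 1, 0],
    [0, 0, 0, 0, 0, 0, 0, 0, 0],
    [0, 1, 0, 0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 0, 0],
    [0, 0, 5, 0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 1, 0, 0, 0],
    [0, 0, 7, 0, 0, 0, 0, 0, 0],
]

# Box 0 is top left, box 2 top right, box 6 bottom left, box 8 bottom right.
BOXES = [[(r, c) for r in range(br, br + 3) for c in range(bc, bc + 3)]
         for br in (0, 3, 6) for bc in (0, 3, 6)]


def box_candidates(grid, digit):
    """For each of the nine boxes, the empty squares where `digit` can still
    go under the row/column/box rule alone. A box that already holds the
    digit gets an empty set."""
    rows = {r for r in range(9) if digit in grid[r]}
    cols = {c for c in range(9) if any(grid[r][c] == digit for r in range(9))}
    result = []
    for box in BOXES:
        if any(grid[r][c] == digit for r, c in box):
            result.append(set())
            continue
        result.append({(r, c) for r, c in box
                       if grid[r][c] == 0 and r not in rows and c not in cols})
    return result


def apply_pointing(cands):
    """The "yellow circle" step: when every candidate of a box sits in one
    row (or one column), that box owns the row (column), so the digit is
    removed from that row (column) in every other box."""
    claimed_rows, claimed_cols = {}, {}
    for i, cells in enumerate(cands):
        if not cells:
            continue
        rs = {r for r, _ in cells}
        cs = {c for _, c in cells}
        if len(rs) == 1:
            claimed_rows[next(iter(rs))] = i
        if len(cs) == 1:
            claimed_cols[next(iter(cs))] = i
    return [{(r, c) for r, c in cells
             if claimed_rows.get(r, i) == i and claimed_cols.get(c, i) == i}
            for i, cells in enumerate(cands)]


def place_digit(grid, digit):
    """Place `digit` in every box that is left with exactly one candidate
    after pointing elimination, one square at a time so that each placement
    constrains the next pass. Returns (new grid, placements in order)."""
    grid = [row[:] for row in grid]      # never mutate the caller's grid
    placed = []
    while True:
        cands = apply_pointing(box_candidates(grid, digit))
        singles = [next(iter(cells)) for cells in cands if len(cells) == 1]
        if not singles:
            return grid, placed
        r, c = singles[0]
        grid[r][c] = digit
        placed.append((r, c))


if __name__ == "__main__":
    solved, steps = place_digit(EXAMPLE_GRID, 1)
    print("placed 1 at:", steps)
    for row in solved:
        print(" ".join(str(v) if v else "." for v in row))
```

On the constructed grid the bottom left box keeps only (6,0) and (8,0) as candidates for a 1, so column 0 is claimed; that prunes the top left box down to (1,2), and once that 1 is placed the top middle box is left with (0,4). The routine then stops, since the remaining boxes still have two or four open squares each, which is exactly the point where a human player would move on to the next number.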

There was always a tickle in the back of my mind that there was a security analogy in Sudoku, but it didn’t really hit me until a few months ago when I was trying to figure out a way to build a metrics-style view of some virus and incident data.

Wednesday, October 19, 2011

What's the value of chasing alerts and other musings

I don’t know what your thoughts on this are, but I’m trying to work out an illustration of how the churn of the run-of-the-mill incident detection and response hamster wheel doesn’t really lead to much of an increased security posture or reduced risk, at least not directly or by itself. Don’t get me wrong, that work needs to be done and isn’t a trivial component of your overall program. At the same time, I think this is one of those things where activity doesn’t necessarily indicate, translate to, or equal accomplishment. Great, you cleaned X machines of Y malware. Next week it will be N machines with Z malware. So… does that mean you are more or less secure than the month before?

I’m of the general opinion that an improved security posture, reduced risk, or reduced exposure is a by-product of analyzing the information gathered from your incidents and using it to drive changes in configuration settings, in policies, or in both. Not rocket science or an original thought, really. Hopefully that makes some sense.

Monday, October 17, 2011

Do you need a visionary or remodeler?

While watching Holmes on Homes this evening with the wife, I was reminded of a comment Rich Mogull made after Steve Jobs passed: that we don’t have a Steve Jobs of security. The intersection of the two is the question of which one the security industry needs. For those who aren’t familiar with the show, it is basically about a general contractor, Mike Holmes, and his team, who go into houses and fix what others have jacked up, whether the original builder or contractors who came in later to do remodeling, expansions, whatever. This usually involves peeling back successive layers around the problem spots until the issues are found, remediated (in our vernacular), and the area brought back to a pristine state.

Part of the problem, in my mind, is that our networks aren’t very tangible. No doubt we can touch routing gear, systems, and so on. However, it is one thing to point out where water running off the roof can pool around your foundation and cause problems, and quite another to point at where elements of your defense-in-depth implementation, or your points of possible exposure, are weaker than others. Especially to non-technical folks, whose eyes glaze over quickly.

In the end, I guess the answer to my original question is that it isn’t an either/or. The industry could use people who are better at both roles: visionaries, and people who can spot the issues and correct them. The more appropriate question is probably what your company needs, and where on that spectrum your own role falls.