Kill your clone*

*Borrowed from Ethan Suplee

Stop worrying about making huge jumps and focus on just making progress.

The premise – every day a clone is made of you. You fight yesterday’s clone at the end of today. You only have to be the tiniest bit better to win. Kill your clone every day.

I love this concept – so often we chase the big breakthrough or the next big thing. How often have you beaten yourself up for not achieving enough or not hitting some arbitrary goal?

How often have you compared yourself to an ‘overnight success’ and wondered why you haven’t made that leap, while forgetting that the overnight success is likely the result of thousands of hours of work before it happened?

The key to success in pretty much all aspects of life is consistent, realistic and hopefully predictable (at least to some extent) progress.

Not only do you need to focus on the process of continuous progress, but also get great at celebrating the wins, even small ones. In the world of lifting things, a 1kg personal best is 1kg more than you have ever lifted. Celebrate this!

In the world of security a win could be a reduction in the average time to patch, or your programme being approved, or even a component of your programme being approved, or hiring an awesome new member of the team etc.

It’s too easy to get caught up in what we have not done and how much we have to do, and forget the progress we have made. One of the things we try to do as a team is to highlight our progress and regularly look back at where we were 3/6/12 months ago. This is a really great tool for reminding your teams just how much you have achieved!

Security is hard. We all work hard, we feel a lot of pressure. Many of us worry – is a breach coming, we have so much to do, will our organisation stand by us if there is a breach etc.

Focus on what you are achieving, on the progress you are making. Keep aiming for continuous progress, break all your big goals into small achievable chunks. Celebrate the wins – not just for yourself, but with your team!

For me this approach really helps my own morale and helps me make progress in all areas of life. In the work environment, really promoting and celebrating progress works wonders for your team’s morale and how engaged they are in achieving their goals.

K

It’s human nature

We spend a lot of time in the security industry complaining about stuff. Two of the top complaints that I see and hear are;

  • Why do people keep investing in shiny new ‘silver bullets’ when they have not yet achieved the above…

It’s easy to blame ‘the industry’ and ‘security teams’ for this. However, while this may be true, we also need to recognise that it is human nature at play.

As is often the case – the security industry isn’t as special or unique as we like to think. It’s likely to become a theme, but I see so many parallels between the health and fitness industry and the security industry.

On the one side you have human nature and the seemingly ever increasing number of people looking for the quick fix.

This is fed by an industry that thrives on selling the magic pills and powders to get you in shape with little or no effort. Or the 20 minute ab workouts etc.

The outcome for consumers is millions of people not happy with themselves and not getting healthy, despite spending their hard-earned cash and following the advice from magazines and influencers.

The outcome from an industry standpoint is huge profits selling supplements, workouts and health advice that is mostly bullsh*t, while raking in the profits and keeping customers on the merry-go-round.

This is made worse by huge amounts of ‘peer pressure’ from social media and advertising etc making people believe they are not good enough if they don’t achieve the carefully curated and sometimes outright fake imagery in adverts and on social media.

In reality the solution is simple, but not easy. If you want to be fit, healthy and resilient, eat well, do the fitness… Consistently. Every week, every year.

Contrast this with the security industry.

On the consumer side we want immediate and easy results so are tempted by the latest shiny advertising stating how solution X will solve our problems. Our jobs are hard so it’s understandable people can be tempted by promises of an easy solution to securing our organisations.

On the industry side we have so many companies trying to sell the dream. Whether this be with products that frankly don’t work properly, or by completely mis-selling things that may be good once you have a high level of maturity, but are next to useless if deployed before all your fundamental security is in order.

We also have to realise that for most companies selling ‘security’, as with the fitness industry, they never want us to be ‘done’ or ‘satisfied’ as they need us to keep jumping on the next product bandwagon or the next Gartner magic quadrant.

This is again made worse by ‘peer pressure’, either from satisfied customers telling us how the solution fixed their issues, or from our own exec teams asking why we have not deployed solution X after they saw an advert in the FT or The Economist. That’s right, security firms are not averse to advertising their solution to non-security folk in the hope that it will apply more pressure to security teams.

Again, as with your own health and fitness, the solution is relatively simple, but not at all easy.

Work with your teams and wider organisation to build foundational security. Do this consistently, with rigour, day after day, year after year. This will get your organisation into a great place. Then, if you want to, and your risk appetite requires it, you can assess the shiny ‘advanced’ security magic to layer on top of your solid foundations.

So next time you’re tempted by a shiny new amazing security solution, don’t beat yourself up. But try to stay the course – assess what your organisation needs and ruthlessly focus on the fundamental / foundational security you need.

K

Foundations or Fundamentals. NOT Basics

A short one, but important.

We often talk about not doing the basics.

Organisations being breached due to failing to implement the basics.

We ask why we have still not got the basics sorted.

They are not basic.

The critical security things we need to always get right from patching to managing user rights should be considered the foundations of good security or the fundamental controls.

Without a strong foundation no security programme will deliver what is required.

While foundational, they should not be considered easy.

Take patching as an example. Ensuring a fully patched environment across 1000s or more servers, network devices, office devices, end points etc., without impacting availability and likely while liaising with many different teams, is not as easy as it sounds when you just say ‘patch your environment’.

So yes as an industry, and as organisations we must do better, but we must also recognise the size of the challenge and the focus required to achieve the goal. We must achieve foundational security across our organisations not just at a point in time, but consistently, efficiently and on an ongoing basis.

To achieve this we need to help our boards and leadership teams understand the scale of the issue, and the reasons why it is important. We must engage across our organisations to ensure secure processes are embedded across our teams.

Calling this basic doesn’t help people understand it is anything but.

K

13 Security Myths Busted.. My thoughts.

I was recently sent a link to an article covering what were described as ’13 security myths – busted’ and asked my opinion. As it was fairly light and interesting, I thought I would share the article and my thoughts;

The original article can be found here;

http://www.networkworld.com/slideshow/86918/13-of-the-biggest-security-myths-busted.html?source=NWWNLE_nlt_afterdark_2013-02-21

Have a read of the myths and why they think they are myths, read my thoughts below, and it would be great to hear your thoughts.

1. AV – Possibly not super efficient, but I think still necessary – they kind of mix apples and oranges with the targeted attack comment, as it is not designed for that, but it still prevents the vast majority of malware and general attacks. Possibly in an environment where literally no one runs with admin privileges and there is strong whitelisting you could do without AV, but generally I’d say it is still relevant and required.

2. This one is hard to know as there is so much FUD around. It is clear that in many circumstances (Stuxnet etc., Chinese APT, US government espionage etc.) governments are investing huge sums of money and employing extremely bright people to attack and defend in cyber land. I suspect much will never be known as the NSA / MI6 / <insert secret government money pit here> are by definition very secretive. Remember all the speculation around the NSA’s ability to crack encryption in the past..

3. Totally agree – just look at most businesses and the trouble they have getting control of authentication via AD / IAM. However, many are moving in the right direction, so maybe soon we’ll have everything in IAM and / or AD..

4. I think this one proves itself incorrect in the text – Risk management is needed, you just need to work on understanding your adversaries and the actual risks you face, which includes understanding their motivations and the value they place on your data and IP.

5. This I totally agree with. I have already highlighted that I don’t really like the fact we as an industry use the term ‘best practice’ all over our standards and policy documents etc. – who defines what it is? Is it best in any specific environment with its support skill sets and technology stack etc.?

6. Half agree they are a fact of life, however you can have effective responses and strategies around privilege control and application controls etc. to massively mitigate the risks these pose.

7. I can’t comment on this one, but most national infrastructures are inadequately protected and tend to rely on old legacy systems for many of their functions, so this is probably true in the UK for much supporting infrastructure as well.

8. Completely agree with this. Compliance is a useful checklist, but compliance with standards should be a by-product of good secure design and processes, not something we strive for as a product in itself. It provides a driver but is very much the wrong focus if you want to be secure rather than compliant.

9. Agree – CISO may own security policy and strategy etc., but security is everyone’s problem and everyone should be accountable for performing their duties with security and security policies in mind.  I’m a big fan of security awareness training as a regular thing to help educate people and keep security at the forefront of the way we do business.

10. Likely has been true, in the same way as Mac / Linux are ‘safer’ than Windows, as it has not been the focus of as much malicious attention and has not been carrying as much functionality and valuable data.  This is rapidly shifting though as we rely more and more on mobile devices for everything from banking to shopping to actual business.  So I think this one is rapidly if not already becoming a myth.

11. Agree – you can likely never be 100% secure if you want to have a life or business online. I think it was an American who coined ‘eternal vigilance is the price of freedom’. We should work to be secure, but freedom, both individually and as a business, is too important and hard won to give up. Obviously some personal freedoms to do whatever you want with corporate devices have to be given up, but I think my point stands as a general concept. As the guy in the article says (and I do above), work to understand your adversaries, their motivations and tools.

12. Agree with this one also – continuous monitoring, trending and learning are key to understanding and preventing, or at least capturing, today’s advanced long term threats such as APTs.

13. I agree with this final one as well, and have actually blogged about this before. We live in an ‘assume you have been or will be breached’ world. Put the detective measures and controls in place to ensure you rapidly detect and minimise the damage from any breach. Read last year’s Verizon data breach report..

It would be great to hear your thoughts on this light article.

K

What is your current desktop strategy? part 2 – VDI strategy

Following from my previous post I wanted to cover some of the areas / themes that should be included or at least considered when creating your virtual desktop (VDI or vDesktop) strategy.

There are currently a variety of drivers for virtual desktops ensuring that this topic remains one of the key discussion points when ICT departments and C-levels talk about IT strategy. These drivers range from data security and centralised management to the increasing prevalence of BYOD (Bring Your Own Device), and are aided by the increasing flexibility and maturity of the technical VDI solutions. As such, even if you don’t yet plan to implement this technology you should be very aware of it and be formulating your strategy. If you have already implemented, or are planning to implement, a VDI solution then you should already have a firm strategy, and vision, in place. Either way I hope this proves to be a useful reference.

The below list is likely not exhaustive, and includes both very high level strategic considerations, along with some more technical concerns.

1. What are you trying to achieve?

–         Ensure the goals are clearly articulated, such as cost reduction, business enabler, improved security, and centralisation.

2. Clearly define use cases

–         Is VDI critical to achieve these or just one option?

–         Is this a tactical or overall strategic solution?

3. How does this align with other plans / strategies?

–         Plans to roll out or upgrade to Windows 7 and 8

–         Plans to enable remote / mobile working

–         Support of BYOD initiatives

4. What is the wider business case / benefit of the strategy?

–         User satisfaction

–         ROI (Return On Investment)

5. What is the endpoint strategy?

–         Thick clients

–         Thin Clients

–         Mobile Clients

–         BYOD

–         Do the proposed solutions have clients for all supported endpoints?  Can access be provided via a browser?

–         What are the plans for managing the endpoints?

6. Do the users require the ability to be able to work offline?

7. How will images be managed?

–         Single or multiple images?

–         Maintaining ‘gold’ images?

8. How will profiles be managed?

–         Do users require individual and persistent profiles / workspaces?

–         Can static / mandatory profiles be used in some / all instances?

9. How do currently deployed technologies match up with those required to deploy and manage the VDI solution?

–         Propose transition plans

10. How do current skill sets match up to those required to support and manage the VDI solution?

–         Propose training plans

11. What are the impacts to;

–         Storage

–         Network – LAN / WAN

–         Do these impact cost and business case?

12. Are the vendors being considered suitable partners?

–         Do they design for and target businesses of your size and in your segment?

–         Are they healthy financially?

–         Do they have strategic, long term plans?

–         Is there a healthy ‘eco system’ of applications and other vendors around the solution?

13. How available and resilient will the solution be?

–         Resilient infrastructure?

–         Multi-site?

–         Backed up?

14. Scalability and flexibility

–         How does the solution scale?

–         What operating systems do you require it to support?

–         Are 64 as well as 32-bit operating systems supported?

15. What are the licensing implications of virtualising your current operating system and application estate?

16. What are the user and business expectations around areas such as;

–         Multi media

–         3d

–         Audio

–         Telecoms

–         Unified communications

–         Video conferencing

17. Will supporting technologies such as application virtualisation be part of the strategy?

18. How will compatibility issues, such as the requirement for local licensing dongles, be dealt with?

19. …

As a final note, it is a common issue in VDI plans and deployments for organisations to focus on the technology, features, and products in the market without first having a clear vision and defined strategy.

Remember – vision and strategy first for any large programs of work!

K

What is your current Desktop strategy? part 1 – VDI options compared

If you are currently evaluating or planning to evaluate VDI (Virtual Desktop Infrastructure) solutions for your business it can be hard to know where to start, with various vendors currently offering mature solutions that will all meet the majority of businesses’ VDI requirements. These include;

– Citrix XenDesktop

– Citrix VDI in a box

– VMware View

– Microsoft VDI

– Quest vWorkspace

When tasked with looking for a VDI solution for your company the first thing you should do, indeed the first thing you should do for most if not all projects, is understand the requirements of the solution. For something like this, which may be adding quite a lot of new functionality and future options to the business, this is likely to incorporate some of the usual solid requirements such as;

–         Number of users

–         Performance and scalability

–         Ease of management

–         Interoperability with existing user and management applications

–         Integration with existing infrastructure

–         …

In addition to the ‘solid’ requirements there will likely be a lot of potential ‘requirements’ that are effectively potential benefits the solution could bring to the business such as;

–         Improved data security

–         Improved resilience of the workstation environment

–         Improved agility of the workstation environment

–         Enabling BYOD

–         Improved productivity

–         Enabling ‘work from anywhere’

–         …

The next thing to do is to assess the various VDI products on the market in order to choose the best one for your environment. Given the variety of solutions available, some hypervisor-independent, some dependent, some easier to manage and deploy, some with lower costs, it can be a daunting and, more importantly, resource intensive task to assess and test all of the viable options.

This is where the very helpful and impartial ‘VDI smackdown’ from the guys at PQR comes in. This document is kept reasonably up to date, with version 1.3 released earlier this year. It can be found here;

http://www.pqr.com/images/stories/Downloads/whitepapers/vdi%20smackdown.pdf

Note – free registration may be required to download the PDF.

The white paper covers topics including;

–         Desktop virtualisation concepts

–         Pros and cons of VDI (virtual desktop infrastructure)

–         Comparison of the different VDI vendors solutions and their features.

Overall this document is well worth a read if you are planning to embark on a new VDI project or an upgrade, or indeed if you just wish to learn more about VDI and the features currently available.

An upcoming post will cover some of the areas I think need to be considered when creating your virtual desktop strategy.

K