At Tripwire we spend a lot of time trying to stay in tune with the security industry’s top influencers. In our effort to compile a list of people we thought were valuable to follow, primarily on Twitter and also on their blogs, we thought we’d share the list with our readers. For each person we selected, we gave our reasons as to why we thought these people were valuable contributors to the security industry, plus we asked each one to offer their security tip for the New Year. Feel free to follow each individually, or if you like, we’ve created a Twitter list so you can easily follow all 25.

Agree with us? Disagree with us? I’m sure you’ve got a Twitter list of your own. Who should be on this list that we didn’t even consider?

Richard Bejtlich

1) Richard Bejtlich @taosecurity

Blog: TaoSecurity

Bejtlich’s motto for his blog is “Know your network before an intruder does.” The wise security sage is constantly dropping knowledge on forensics, network security monitoring, and intelligent methods of incident response. That good advice is expressed in his blog and in his book Extrusion Detection: Security Monitoring for Internal Intrusions.

Bejtlich’s security tip for 2012:

Improve your incident detection and response program by answering two critical questions:

1. How many systems have been compromised in any given time period; and

2. How much time elapsed between incident identification and containment for each system?

Use the answers to improve and guide your overall security program.
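The two questions above are answerable from a plain incident log if each record carries the system, the time the compromise was identified, and the time it was contained. The following is an added illustration of that bookkeeping, not code from the post or from Bejtlich; the incident records, host names and timestamps are constructed for the example, and it measures the first question by distinct systems identified in the period and the second in hours from identification to containment, flagging incidents that are still open rather than silently dropping them.

```python
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed incident records (hypothetical, not from the post). One record per
# confirmed compromise of one system: when it was identified and when it was
# contained (None while containment is still open).
INCIDENTS = [
    {"host": "web-01", "identified": "2012-01-03T09:15", "contained": "2012-01-03T11:45"},
    {"host": "db-02",  "identified": "2012-01-10T22:00", "contained": "2012-01-12T08:00"},
    {"host": "ws-117", "identified": "2012-01-15T14:20", "contained": "2012-01-15T14:50"},
    {"host": "web-01", "identified": "2012-02-02T07:05", "contained": "2012-02-02T09:05"},
    {"host": "ws-042", "identified": "2012-02-20T16:40", "contained": None},
]


def _parse(ts):
    """Parse the ISO-like timestamps used in the records; None stays None."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M") if ts else None


def compromised_systems(incidents, start, end):
    """Question 1: distinct systems whose compromise was identified in [start, end).

    A system hit twice in one period counts once; the same system hit again in a
    later period shows up in that period too, which is what a trend line needs.
    """
    start, end = _parse(start), _parse(end)
    return sorted({i["host"] for i in incidents if start <= _parse(i["identified"]) < end})


def time_to_containment(incidents):
    """Question 2: hours from identification to containment, per system.

    Returns (closed, still_open): closed maps host -> list of durations in hours,
    still_open lists hosts with no containment time yet. Open incidents are
    reported rather than counted as zero, which would flatter the average.
    """
    closed, still_open = {}, []
    for i in incidents:
        ident, cont = _parse(i["identified"]), _parse(i["contained"])
        if cont is None:
            still_open.append(i["host"])
        else:
            closed.setdefault(i["host"], []).append((cont - ident) / timedelta(hours=1))
    return closed, still_open


def containment_summary(incidents):
    """Roll the per-system durations up into the numbers a program review would want."""
    closed, still_open = time_to_containment(incidents)
    hours = [h for per_host in closed.values() for h in per_host]
    return {
        "incidents_closed": len(hours),
        "mean_hours": round(mean(hours), 2),
        "median_hours": round(median(hours), 2),
        "max_hours": round(max(hours), 2),
        "slowest_host": max(closed, key=lambda h: max(closed[h])),
        "still_open": still_open,
    }


if __name__ == "__main__":
    for label, start, end in [("Jan 2012", "2012-01-01T00:00", "2012-02-01T00:00"),
                              ("Feb 2012", "2012-02-01T00:00", "2012-03-01T00:00")]:
        print(label, "compromised systems:", compromised_systems(INCIDENTS, start, end))
    print("containment:", containment_summary(INCIDENTS))
```

The median is worth reporting alongside the mean: a single slow containment (here the database host) pulls the mean up by hours while the typical case stays under three, and that gap is itself a useful signal about where the response process breaks down.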

Bill Brenner

2) Bill Brenner @BillBrenner70

Blog: CSO Security and Risk: Salted Hash

The Tripwire team reads Brenner’s blog religiously and was quite honored when he picked up many of our videos from last year’s RSA. If you get tired reading about security, Brenner’s other blog OCD Diaries is all about his own struggles with fear, anxiety, addiction, and depression, plus a lot about his love of heavy metal music.

Brenner’s security tip for 2012:

Stop fretting over your employees using consumer devices like Androids and iPads in the workplace. The technology isn’t going anywhere, and securing it is doable if you devote the proper security resources to the task. Stop grousing and start integrating these things into your security program.

Graham Cluley

3) Graham Cluley @gcluley

Blog: Naked Security

If there’s a virus scare, Internet hoax, or some other social media security scare, you’ll see Cluley very publicly shaking some sense into a usually uninformed public. His writings appeal to both the general public and the security wonks. We interviewed him at the 2010 RSA conference about how to protect yourself from social media malware.

Cluley’s security tip for 2012:

Businesses can do more to raise their awareness of threats. Exploit the great technology of the Internet to keep abreast of the latest security threats that your company may need to protect itself against.

Don’t underestimate the power of encryption. If all your other defenses fail, and hackers manage to breach your systems, then properly encrypted data will be useless to intruders. And don’t just encrypt the data that PCI says you have to encrypt – encrypt all of the personal identifiable information that you may hold about your customers, partners and staff to avoid embarrassing incidents.

Josh Corman

4) Josh Corman @joshcorman

Blog: Cognitive Dissidents

Corman always challenges the status quo, not just to swim against the current, but to make a better security community. For example, in a Tripwire interview at RSA in 2011 he pointed out that because of compliance concerns the security industry is more afraid of the auditor than the attacker. We also like Corman’s flair for theatrics, as evidenced by his zombie-inspired presentation at RSA.

Corman’s security tip for 2012:

Conventional defenses designed for legacy IT have fallen flat in the face of unconventional adversaries and the changing landscape. The only thing that hasn’t changed is how we approach security. It is time to assume “best practices” aren’t…and aggressively seek more adaptive strategies that rise to our new challenges.

Mike Dahn

5) Mike Dahn @mikd

Blog: Chaordic Mind

As one of the founders of Security B-Sides, a community-run security group, Dahn is a security industry connector. One element that’s consistent with Dahn and Security B-Sides members is their drive to collaborate and improve security for all. They don’t just have a job in security; they’re truly passionate about the subject and are very open to engaging in discussions about security practices, which in itself is a highly debatable topic.

Dahn’s security tip for 2012:

Collaborate, Innovate, Articulate is the new CIA triad for CIOs. To succeed we must: be inclusive, experiment with new approaches, and communicate the vision clearly.

Jack Daniel

6) Jack Daniel @jack_daniel

Blog: Uncommon Sense Security

No, he’s not Rip Van Winkle or a lead singer for ZZ Top. He is, though, one of the founders of Security B-Sides, and his long gray whiskers are evidence of his many years in the security community. We love his pragmatic attitude not just to security, but towards security experts when they try to inflate their successes and hide their failures.

Daniel’s security tip for 2012:

Having the right people is more important than having the right tools. “Having the right people” requires hiring the right people, investing in them, and retaining them – three processes we often get wrong.

Andy Ellis

7) Andy Ellis @csoandy

Blog: Protecting a Better Internet

As CSO for Akamai, Ellis has more insight on web traffic than you do. He’s extremely responsive and conversational on Twitter. We just wish that was the case for his fantastic but limited writings on his blog. Hey Andy, open up your blog for comments.

Ellis’ security tip for 2012:

Practice Security Judo: find requirements the business wants, and make those improve your security. For example, use PCI not to implement against checkboxes, but to build a good, efficient security model.

Adam Ely

8) Adam Ely @adamely

Blogs: Dark Reading, InformationWeek, NetworkComputing

As Director of Information Security for TiVo, Ely is chock full of great “how to” security advice usually from his own experience. He must implement much of the advice he doles out. We’re guessing the lack of comments on his blog posts has to do with everyone agreeing with his recommendations. Or maybe not. Security wonks are never that agreeable.

Ely’s security tip for 2012:

Organizations are facing more threats than ever as criminals continue to evolve and expand their attack methods. Automation of security operations and response allows for quick and consistent action while freeing staff to focus on matters requiring manual intervention.

Jeremiah Grossman

9) Jeremiah Grossman @jeremiahg

Blog: Jeremiah Grossman

Whether online or in a dark alley, you don’t want to mess with Grossman. He’s the founder and CTO of WhiteHat Security and a black belt in Brazilian Jiu-Jitsu. He’s got all his security bases covered. While very active on Twitter, 2011 was one of his weakest years blogging, and he’s been doing it for a decade! We caught up with Grossman and his colleague at the 2010 RSA conference, where he doled out advice on protecting your site through dynamic and static analysis.

Grossman’s security tip for 2012:

Businesses should be thinking very strongly about “Web application security,” for two reasons:

1) Of the websites WhiteHat Security has assessed in 2011, 8 in 10 contained serious exploitable vulnerabilities.

2) While the problem of vulnerable websites has been known for most of the last decade, it has only been in the last 2 – 3 that the bulk of corporate compromises, and much of the data stolen, has originated at the Web layer — a layer where firewalls, anti-virus, and SSL offer little protection. So at the very least, it is recommended that businesses hack themselves first, so they’ll know what the bad guys do, or eventually will, about their websites.

Andrew Hay

10) Andrew Hay @andrewsmhay

Blog: Andrew Hay

An active blogger, Hay writes a lot about M&A in the security space for The 451 Group. We’ve talked to him about that and about security bloggers’ responsibility to the rest of the industry. While interested in the marketplace, his security head is firmly placed in SIEM, forensics, and incident response.

Hay’s security tip for 2012:

If you want your business to prosper you need to look beyond the buzzwords, marketecture and compliance checkboxes to find the “best fit” for your organization as opposed to the “best deal.” By cutting corners now, you risk major financial and brand pains later.

Chris Hoff

11) Chris Hoff @beaker

Blog: Rational Survivability

At 54,000+ tweets, Hoff is one of our most prolific tweeters and one of the most respected security voices when it comes to virtualization and the cloud. He’s a great interviewee as you can see in interviews conducted with Hoff at RSA back in 2010, 2011, and most recently VMworld 2011. Given that “cloud” is one of the hottest (or most abused) topics in security, Hoff’s expertise is in high demand.

Hoff’s security tip for 2012:

The overwhelming scope of how technology is critical to the business further highlights the need to break down the silos of traditional IT and IT security and become much more inclusive of the sorts of information sources not included in the way in which “security” is managed.

Being able to focus on the things that matter most means that investing in decision support, analytics, intelligence and risk management solutions that enable transparency, visibility and integration to take advantage of the wealth of information that exists from disparate and seemingly unrelated data sources is critical.

Brian Honan

12) Brian Honan @BrianHonan

Blog: Security Watch

If the UN had a security team, Honan would be Ireland’s ambassador. He’s established an incident response team in Ireland, contributes to the SANS Institute, and is an advisor to or member of probably a dozen different security groups.

Honan’s security tip for 2012:

The major breaches of the past 12 to 18 months have shown that attackers are no longer targeting our technical defenses but are focusing on the human element by using phishing emails, social engineering, or relying on badly trained personnel. Ensure your security staff is properly trained in the technologies used to protect your systems and implement a comprehensive security awareness program amongst all staff so they are more aware of the threats facing them and ultimately the business.

George Hulme

13) George Hulme @georgevhulme

Blogs: Threat Post, InformationWeek

If you thought Chris Hoff tweeted a lot, then start following seasoned IT security journalist Hulme. He has spun out 71K+ tweets, and his fully public tweets are usually chock full of valuable security tips and industry alerts.

Hulme’s security tip for 2012:

Take the time to classify, based on business criticality, your networked devices and data in early 2012. This one step will help your organization make smarter decisions as more data and computing functions move to outsourced services and cloud computing.

Alex Hutton

14) Alex Hutton @alexhutton

Blog: The New School of Information Security

Focused mostly on risk management, Hutton looks to the security community to contribute their knowledge and data for the betterment of all. We talked to him about sharing and standardizing risk and incident reports at RSA 2011. He used to be with Verizon Business, where he was an integral member of the team that published the annual Data Breach Investigations Report (DBIR). Listen to his analysis of that report on Martin McKeay’s Network Security Podcast.

Hutton’s security tip for 2012:

Get on top of consumerization. This won’t be easy for those security programs that are looking for “shelfware” to do all their work for them, but the payoff for allowing consumer device use can be significant.

Andrew Jaquith

15) Andrew Jaquith @arj

Blog: Perimeter STAR Team blog

Formerly with Forrester Research, Jaquith is now CTO of Perimeter E-Security. He writes about timely issues such as data leak prevention and portable devices in the enterprise. We also enjoy his thought-provoking tweets, such as his desire to kill the phrase “employee-liable smartphones.”

Jaquith’s security tip for 2012:

If you are a US-based business, start protecting data as if you were a German company. As the recent Facebook and Google settlements showed, EU-style privacy protection regulations and statutes are coming. Centralizing how you collect, manage, and dispose of personally identifying customer data will be an important enterprise initiative for 2012.

For individuals, the most important thing you can do is lock down your browser. Turn off all plugins, helper objects, Java runtimes and other add-ons in your browser of choice. And use a tool like NoScript to enable JavaScript only for sites you trust. If you are really paranoid, restrict financial transactions for when you are using a more secure OS, such as iOS on an iPad, in combination with a good password safe such as 1Password.

Gene Kim

16) Gene Kim @realgenekim

Blog: Gene Kim

How could we not include the founder of Tripwire? While he’s passionate about security and compliance, his real learnings come from studying companies with incredibly successful IT operations and great kung fu.

Kim’s security tip for 2012:

In 2012 we must stop rewarding information security managers that force meaningless work into the IT organization. Instead, we need to reward them for how much meaningless work they can take out of the IT organization. For example, focusing not on firefighting around the systems in production, but creating a bulletproof process for how those systems get created before they’re deployed. This would be a huge step in making information security critical to Development and IT Operations, by enabling a safe system of work that protects the security and availability of the business — not just the systems.

Brian Krebs

17) Brian Krebs @briankrebs

Blog: Krebs on Security

With his 14+ years writing for The Washington Post, Krebs has become one of the most popular voices in security, not just to the industry, but to the general public as well. Krebs broke into security after becoming a cyberattack victim himself.

Krebs’ security tip for 2012:

Understand where your key assets are and who has access to them; audit those accounts in real time to spot anomalies; run those employees through extra security training, focusing on social engineering attacks. Don’t store sensitive data unless you have to, and if you do, encrypt it. And plan for the inevitable: Make sure that when there is a breach that you have the ability to look back and see what was touched, how they got in, and what they got.

Martin McKeay

18) Martin McKeay @mckeay

Blog: Network Security Podcast

If there’s one security podcast you should be listening to, it’s the Network Security Podcast. McKeay knows everyone in the industry mostly because he’s interviewed them, or he invites them on as co-hosts of his show. We interviewed him at 2011 RSA about the “cloud” being overhyped and in 2010 about trying to protect everything.

McKeay’s security tip for 2012:

Get back to basics. When we look at studies such as the Verizon Data Breach Investigation Report, basic security measures such as basic log management, patching, network access controls, and users with too many rights continue to be some of the biggest sources of compromises today. Rather than look at new technologies and solutions, we need to find ways we can address basic security concerns first and worry about “exotic” technologies such as data leak prevention and network access control once the basics have been addressed. The basics aren’t sexy, but they’re what’s actually effective.

Allison Miller

19) Allison Miller @selenakyle

Formerly at PayPal, Miller is a risk management practitioner who has seen more transactional data than you have. She’s got insights that many can’t even fathom. Now at Tagged, she’s taking her quantitative knowledge from fraud and applying it to other security problems such as spam, account security, and product security.

Miller’s security tip for 2012:

Compliance obligations continue to drive investment in security technology & operations, but lately more businesses are choosing to offer stronger security options to their customers within their core products. This trend is a great win for consumers, and with encouraging uptake from end users, it lights the way to a future in which security is a competitive advantage in the market for consumer-facing technology.

Rich Mogull

20) Rich Mogull @rmogull

Blog: Securosis Blog

If the security business doesn’t work out, Mogull and his business partner Mike Rothman have a stand-up comedy career to fall back on. If you ever get a chance to see them speak, go. They’re really funny and irreverent. Here’s my interview with them at RSA 2011, talking about how security’s only consistency is human behavior. You can also hear Mogull as a recurring co-host on McKeay’s Network Security Podcast.

Mogull’s security tip for 2012:

Don’t f*ck up!

Stick to the basics. Get onto a modern operating system like Windows 7 or OS X Lion and stop pretending you can secure XP. Add in some network segregation. Then you can start thinking about getting fancy.

Mike Murray

21) Mike Murray @mmurray

Blog: MAD Security Blog and The Hacker Academy

Murray is an active security practitioner who has worked as a CISO before starting his own consulting business focused primarily on employee training and team building. Much of that work involves building awareness of security vulnerabilities and social engineering techniques.

Murray’s security tip for 2012:

The biggest thing you can do to improve security across your enterprise is to focus on your people and their behavior. Traditional “security awareness” approaches don’t cut it – you need to take a behavior-based approach to enhancing your security. User behavior causes an overwhelming amount of the security issues that we see in the industry – organizations need to focus on changing that behavior.

Wendy Nather

22) Wendy Nather @451wendy

Blog: The 451 Group

Having worked in both education and banking, Nather joined The 451 Group as an analyst covering both application security and security services. She, along with many of the people on this list, is a co-author of “The Cloud Security Rules.”

Nather’s security tip for 2012:

Don’t forget the basics. If you have operational discipline and a strong relationship with your providers, you’ll be able to make better use of the security technology you buy, and you’ll adapt faster to anything that comes along.

Bob Rudis

23) Bob Rudis @hrbrmstr

Blog: rud.is

Rudis is the Director of Enterprise Information Security and IT Risk Management at Liberty Mutual. Rudis is a security pro with a sense of reality and humor (see RLRAA – Real Life Risk Assessment Acronyms). While he does shoot for “security utopia” he understands a business’ needs, and what they can actually implement, even when they fail (see Why Didn’t They Just…?).

Don’t be hungry when you follow Rudis. As an avid cook, he shares his public tweets between discussions of security and food. You’ll find his writings on risk management everywhere, plus he maintains two more blogs on food and fitness.

Rudis’ security tip for 2012:

Organizations should (a) develop/maintain/enhance an information risk/operational risk practice; (b) de-homogenize/diversify endpoint & server environments; (c) isolate/compartmentalize critical business applications.

“A” enables prioritization (and — if quant-based — provides solid backing for implementation of discrete security controls), “B” will help reduce impact of attacks (which will, unfortunately, succeed) and “C” will help prevent successful defense breaches from getting at the heart of business operations.

Ben Tomhave

24) Ben Tomhave @falconsview

Blog: The Falcon’s View

Security consultant Tomhave loves to rail against conventional wisdom especially when it’s not so wise. Over the past couple years we spoke to him about trying not to protect everything, and the general public’s interest in data loss prevention.

Tomhave’s security tip for 2012:

Security leaders need to continue maturing their GRC programs in 2012, elevating their role and position in the business while reducing their operational responsibilities and promoting legally defensible survivability strategies that roll up into quality operational risk measurements as part of an overall evidence-based enterprise risk management approach.

Chris Wysopal

25) Chris Wysopal @WeldPond

Blog: Veracode Blog

Wysopal sleeps and dreams security for applications and developers. He’s passionate about disclosing software security vulnerabilities and has prepared industry guidelines for companies and developers. He also co-authored L0phtCrack, a password auditing and recovery application used by more than 6,000 government and commercial institutions.

Wysopal’s security tip for 2012:

Scan all your web applications to detect the top five most common vulnerabilities. Attackers are going after any web app now to breach or embarrass your company.

David Spark

David Spark has contributed 156 posts to The State of Security.

View all posts by David Spark >