At Tripwire we spend a lot of time trying to stay in tune with the security industry’s top influencers. In our effort to compile a list of people we thought were valuable to follow, primarily on Twitter and also on their blogs, we thought we’d share the list with our readers. For each person we selected, we gave our reasons as to why we thought these people were valuable contributors to the security industry, plus we asked each one to offer their security tip for the New Year. Feel free to follow each individually, or if you like, we’ve created a Twitter list so you can easily follow all 25.
Agree with us? Disagree with us? I’m sure you’ve got a Twitter list of your own. Who should be on this list that we didn’t even consider?
Bejtlich’s motto for his blog is “Know your network before an intruder does.” The wise security sage is constantly dropping knowledge on forensics, network security monitoring, and intelligent methods of incident response, good advice that is expressed in both his blog and his book Extrusion Detection: Security Monitoring for Internal Intrusions.
Bejtlich’s security tip for 2012:
Improve your incident detection and response program by answering two critical questions:
1. How many systems have been compromised in any given time period; and
2. How much time elapsed between incident identification and containment for each system?
Use the answers to improve and guide your overall security program.
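One way to turn Bejtlich’s two questions into numbers, as an added example that is not part of the original post: it runs over a small set of constructed incident records (one row per compromised system) and reports compromises per month, time from identification to containment, and which incidents are still open.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample data: one record per compromised system, with the time
# the incident was identified and the time it was contained (None = still open).
INCIDENTS = [
    {"host": "web-01",  "identified": datetime(2011, 10, 3, 9, 15),  "contained": datetime(2011, 10, 3, 14, 45)},
    {"host": "db-02",   "identified": datetime(2011, 10, 20, 22, 0), "contained": datetime(2011, 10, 22, 10, 0)},
    {"host": "wks-117", "identified": datetime(2011, 11, 4, 8, 30),  "contained": datetime(2011, 11, 4, 9, 30)},
    {"host": "wks-209", "identified": datetime(2011, 11, 29, 16, 0), "contained": datetime(2011, 12, 1, 16, 0)},
    {"host": "mail-01", "identified": datetime(2011, 12, 12, 7, 0),  "contained": None},  # still open
]

def compromised_per_period(incidents):
    """Question 1: how many systems were compromised in each month (keyed YYYY-MM).
    A system is counted in the month its compromise was identified."""
    return Counter(i["identified"].strftime("%Y-%m") for i in incidents)

def containment_hours(incidents):
    """Question 2: hours between identification and containment, per system.
    Open incidents have no containment time and are reported separately."""
    return {i["host"]: (i["contained"] - i["identified"]).total_seconds() / 3600
            for i in incidents if i["contained"] is not None}

def summarize(incidents):
    """Roll both answers up into the figures a program review would track."""
    hours = containment_hours(incidents)
    return {
        "per_month": dict(compromised_per_period(incidents)),
        "median_hours_to_contain": median(hours.values()) if hours else None,
        "worst_hours_to_contain": max(hours.values()) if hours else None,
        "slowest_host": max(hours, key=hours.get) if hours else None,
        "still_open": [i["host"] for i in incidents if i["contained"] is None],
    }

if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key}: {value}")
```

Tracking the median and the worst case separately matters: a single slow containment (here wks-209 at 48 hours) is exactly the kind of outlier the second question is meant to surface.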
The Tripwire team reads Brenner’s blog religiously and was quite honored when he picked up many of our videos from last year’s RSA. If you get tired reading about security, Brenner’s other blog OCD Diaries is all about his own struggles with fear, anxiety, addiction, and depression, plus a lot about his love of heavy metal music.
Brenner’s security tip for 2012:
Stop fretting over your employees using consumer devices like Androids and iPads in the workplace. The technology isn’t going anywhere, and securing it is doable if you devote the proper security resources to the task. Stop grousing and start integrating these things into your security program.
If there’s a virus scare, Internet hoax, or some other social media security scare, you’ll see Cluley very publicly shaking some sense into a usually uninformed public. His writings appeal to both the general public and the security wonks. We interviewed him at the 2010 RSA conference about how to protect yourself from social media malware.
Cluley’s security tip for 2012:
Businesses can do more to raise their awareness of threats. Exploit the great technology of the Internet to keep abreast of the latest security threats that your company may need to protect itself against.
Don’t underestimate the power of encryption. If all your other defenses fail, and hackers manage to breach your systems, then properly encrypted data will be useless to intruders. And don’t just encrypt the data that PCI says you have to encrypt – encrypt all of the personal identifiable information that you may hold about your customers, partners and staff to avoid embarrassing incidents.
Corman always challenges the status quo, not just to swim against the current, but to make a better security community. For example, in a Tripwire interview at RSA in 2011 he pointed out that, because of compliance concerns, the security industry is more afraid of the auditor than the attacker. We also like Corman’s flair for theatrics, as evidenced by his zombie-inspired presentation at RSA.
Corman’s security tip for 2012:
Conventional defenses designed for legacy IT have fallen flat in the face of unconventional adversaries and the changing landscape. The only thing that hasn’t changed is how we approach security. It is time to assume “best practices” aren’t…and aggressively seek more adaptive strategies that rise to our new challenges.
As one of the founders of Security B-Sides, a community-run security group, Dahn is a security industry connector. One element that’s consistent with Dahn and Security B-Sides members is their drive to collaborate and improve security for all. They don’t just have a job in security, they’re truly passionate about the subject and are very open to engaging in discussions about security practices, which in itself is a highly debatable topic.
Dahn’s security tip for 2012:
Collaborate, Innovate, Articulate is the new CIA triad for CIOs. To succeed we must: be inclusive, experiment with new approaches, and communicate the vision clearly.
Having the right people is more important than having the right tools. “Having the right people” requires hiring the right people, investing in them, and retaining them – three processes we often get wrong.
As CSO for Akamai, Ellis has more insight on web traffic than you do. He’s extremely responsive and conversational on Twitter. We just wish that was the case for his fantastic but limited writings on his blog. Hey Andy, open up your blog for comments.
Ellis’ security tip for 2012:
Practice Security Judo: find requirements the business wants, and make those improve your security. For example, use PCI not to implement against checkboxes, but to build a good, efficient security model.
As Director of Information Security for TiVo, Ely is chock full of great “how to” security advice usually from his own experience. He must implement much of the advice he doles out. We’re guessing the lack of comments on his blog posts has to do with everyone agreeing with his recommendations. Or maybe not. Security wonks are never that agreeable.
Ely’s security tip for 2012:
Organizations are facing more threats than ever as criminals continue to evolve and expand their attack methods. Automation of security operations and response allows for quick and consistent action while freeing staff to focus on matters requiring manual intervention.
Businesses should be thinking very strongly about “Web application security,” for two reasons:
1) Of the websites WhiteHat Security has assessed in 2011, 8 in 10 contained serious exploitable vulnerabilities.
2) While the problem of vulnerable websites has been known for most of the last decade, it has only been in the last 2 – 3 that the bulk of corporate compromises, and much of the data stolen, has originated at the Web layer — a layer where firewalls, anti-virus, and SSL offer little protection. So at the very least, it is recommended that businesses hack themselves first, so they’ll know what the bad guys do, or eventually will, about their websites.
If you want your business to prosper you need to look beyond the buzzwords, marketecture and compliance checkboxes to find the “best fit” for your organization as opposed to the “best deal.” By cutting corners now, you risk major financial and brand pains later.
The overwhelming scope of how technology is critical to the business further highlights the need to break down the silos of traditional IT and IT security and become much more inclusive of the sorts of information sources not included in the way in which “security” is managed.
Being able to focus on the things that matter most means that investing in decision support, analytics, intelligence and risk management solutions that enable transparency, visibility and integration to take advantage of the wealth of information that exists from disparate and seemingly unrelated data sources is critical.
If the UN had a security team, Honan would be Ireland’s ambassador. He’s established an incident response team in Ireland, contributes to the SANS Institute, and is an advisor to or member of probably a dozen different security groups.
Honan’s security tip for 2012:
The major breaches of the past 12 to 18 months have shown that attackers are no longer targeting our technical defenses but are focusing on the human element by using phishing emails, social engineering, or relying on badly trained personnel. Ensure your security staff is properly trained in the technologies used to protect your systems and implement a comprehensive security awareness program amongst all staff so they are more aware of the threats facing them and ultimately the business.
If you thought Chris Hoff tweeted a lot, then start following seasoned IT security journalist, Hulme. While spinning 71K+ tweets, Hulme’s fully public tweets are usually chock full of valuable security tips and industry alerts.
Hulme’s security tip for 2012:
Take the time to classify, based on business criticality, your networked devices and data in early 2012. This one step will help your organization make smarter decisions as more data and computing functions move to outsourced services and cloud computing.
Get on top of consumerization. This won’t be easy for those security programs that are looking for “shelfware” to do all their work for them, but the payoff for allowing consumer device use can be significant.
Formerly with Forrester Research, Jaquith is now CTO of Perimeter E-Security. He writes about timely issues such as data leak prevention and portable devices in the enterprise. We also enjoy his thought-provoking tweets, such as his desire to kill the phrase “employee-liable smartphones.”
Jaquith’s security tip for 2012:
If you are a US-based business, start protecting data as if you were a German company. As the recent Facebook and Google settlements showed, EU-style privacy protection regulations and statutes are coming. Centralizing how you collect, manage, and dispose of personally identifying customer data will be an important enterprise initiative for 2012.
How could we not include the founder of Tripwire? While he’s passionate about security and compliance, his real learnings come from studying companies with incredibly successful IT operations and great kung fu.
Kim’s security tip for 2012:
In 2012 we must stop rewarding information security managers that force meaningless work into the IT organization. Instead, we need to reward them for how much meaningless work they can take out of the IT organization. For example, focusing not on firefighting around the systems in production, but creating a bulletproof process for how those systems get created before they’re deployed. This would be a huge step in making information security critical to Development and IT Operations, by enabling a safe system of work that protects the security and availability of the business — not just the systems.
With his 14+ years writing for The Washington Post, Krebs has become one of the most popular voices in security, not just to the industry, but to the general public as well. Krebs broke into security after becoming a cyberattack victim himself.
Krebs’ security tip for 2012:
Understand where your key assets are and who has access to them; audit those accounts in real time to spot anomalies; run those employees through extra security training, focusing on social engineering attacks. Don’t store sensitive data unless you have to, and if you do, encrypt it. And plan for the inevitable: Make sure that when there is a breach that you have the ability to look back and see what was touched, how they got in, and what they got.
Get back to basics. When we look at studies such as the Verizon Data Breach Investigation Report, basic security measures such as basic log management, patching, network access controls, and users with too many rights continue to be some of the biggest sources of compromises today. Rather than look at new technologies and solutions, we need to find ways we can address basic security concerns first and worry about “exotic” technologies such as data leak prevention and network access control once the basics have been addressed. The basics aren’t sexy, but they’re what’s actually effective.
Formerly at PayPal, Miller is a risk management practitioner who has seen more transactional data than you have. She’s got insights that many can’t even fathom. Now at Tagged, she’s taking her quantitative knowledge from fraud and applying it to other security problems such as spam, account security, and product security.
Miller’s security tip for 2012:
Compliance obligations continue to drive investment in security technology & operations, but lately more businesses are choosing to offer stronger security options to their customers within their core products. This trend is a great win for consumers, and with encouraging uptake from end users, it lights the way to a future in which security is a competitive advantage in the market for consumer-facing technology.
Stick to the basics. Get onto a modern operating system like Windows 7 or OS X Lion and stop pretending you can secure XP. Add in some network segregation. Then you can start thinking about getting fancy.
Murray is an active security practitioner who has worked as a CISO before starting his own consulting business focused primarily on employee training and team building. Much of that work involves building awareness of security vulnerabilities and social engineering techniques.
Murray’s security tip for 2012:
The biggest thing you can do to improve security across your enterprise is to focus on your people and their behavior. Traditional “security awareness” approaches don’t cut it – you need to take a behavior-based approach to enhancing your security. User behavior causes an overwhelming amount of the security issues that we see in the industry – organizations need to focus on changing that behavior.
Having worked in both education and banking, Nather joined The 451 Group as an analyst covering both application security and security services. She, along with many of the people on this list, is a co-author of “The Cloud Security Rules.”
Nather’s security tip for 2012:
Don’t forget the basics. If you have operational discipline and a strong relationship with your providers, you’ll be able to make better use of the security technology you buy, and you’ll adapt faster to anything that comes along.
Don’t be hungry when you follow Rudis. As an avid cook, he shares his public tweets between discussions of security and food. You’ll find his writings on risk management everywhere, plus he maintains two more blogs on food and fitness.
Rudis’ security tip for 2012:
Organizations should (a) develop/maintain/enhance an information risk/operational risk practice; (b) de-homogenize/diversify endpoint & server environments; (c) isolate/compartmentalize critical business applications.
“A” enables prioritization (and — if quant-based — provides solid backing for implementation of discrete security controls), “B” will help reduce impact of attacks (which will, unfortunately, succeed) and “C” will help prevent successful defense breaches from getting at the heart of business operations.
Security leaders need to continue maturing their GRC programs in 2012, elevating their role and position in the business while reducing their operational responsibilities and promoting legally defensible survivability strategies that roll up into quality operational risk measurements as part of an overall evidence-based enterprise risk management approach.
Wysopal sleeps and dreams security for applications and developers. He’s passionate about disclosing software security vulnerabilities and has prepared industry guidelines for companies and developers. He also co-authored L0phtCrack, a password auditing and recovery application used by more than 6,000 government and commercial institutions.
Wysopal’s security tip for 2012:
Scan all your web applications to detect the top five most common vulnerabilities. Attackers are going after any web app now to breach or embarrass your company.