
Saturday, March 25, 2017

Distraction as a Service


I recently posted the below on the SANS Internet Storm Center.

Have you noticed that some security projects never seem to get finished? Despite the best of intentions, oftentimes they linger, sometimes for years. I believe that distractions play a role in security projects being delayed and ultimately never being completed. If not monitored closely, nothing will get moved from the "to do" list to the "this security project is finally done" list.

For me, it has always been natural to accept every new project that needs attention. I want to be helpful and perceived as a good team player, and I bet you do as well. I found that it is easier to say yes to every request for help than to say no. I suspect that "why yes I do have a minute" and "of course I can help you with that problem" sound very familiar. I have found this behavior can also carry potential for a negative reputation as an information security professional when it impacts the delivery of security projects.

While it is normal to want to help, it is not always natural to remain focused immediately after a distraction occurs. I have determined to ask the question "what is the next action I can take right now?" immediately after a distraction. I found this behavior helpful to remain both mission focused and results oriented. With some intentional discipline and focus on the impact of distractions on security projects, the impact of unplanned distractions can be minimized.

It is impossible to enumerate all of the ways distractions can impact a security project. It is very possible, though, to recognize them more quickly when they occur and to put measures in place that keep them from severely impacting productivity. Are distractions keeping you from closing out projects and ultimately preventing you from providing full value to your organization?

Please leave what works for you in the comments section below.

Russell Eubanks

@russelleubanks

Tuesday, March 14, 2017

What's On Your Not To Do List?


I recently posted the below on the SANS Internet Storm Center.

In our craft, there are more than ample opportunities to occupy our time. There are so many things you CAN do. How can you ensure focus on the things that actually make the biggest impact? I suggest that oftentimes you take on more work than you are able to complete. Many times there is so much work to do that nothing ever seems to get completed.


I readily remember several cases where a combination of my ambition, auditors and loss of key team members facilitated this behavior in me. One in particular was a very important compliance project deadline that had no tolerance for schedule slippage. The internal auditors wanted to review the project in detail ahead of the external auditors coming to inspect the project. All while the solution was still being deployed. Lots of stress and long hours are my biggest memories of this project. While important at the time, looking back now I struggle to remember many of those details. What I do remember are the other projects that suffered neglect during this heroic effort.

Risk assessments inform you of clear and present problems. Project deadlines are looming and start to pile up. Demands from your leaders come in unexpected waves. What is a strategy to position you for success? Consider writing down your projects. On paper. Start to document their priority and their deadlines, along with the stakeholder expectations. Regularly and diligently track your progress and communicate it clearly up, down and horizontally to your peers, focusing on the opportunity cost of what is being neglected.

Many times this extra clarity will help in terms of someone deciding for you that the project that seems so important right now should go on your "not to do" list instead. I am a BIG fan of the not to do list as it helps clearly communicate opportunity cost in terms of risk to the most important projects and initiatives. The clarity that comes from this exercise is worth far more than the effort to put it all together.

What ONE thing will you choose to focus on when you return to work on Monday morning? What TWO things best belong on your "not to do" list? Whether you enter them in our comments section below or keep them to yourself, consider adopting this approach while on your Monday morning commute to work.

Russell Eubanks
@russelleubanks

Saturday, March 11, 2017

Unauthorized Change Detected!


I recently posted the below on the SANS Internet Storm Center.

How do you detect what has changed in your environment? Is it possible to think beyond the alerts you get from your tools and consider which changes you absolutely need to know about when they occur? When systems in your environment move from "normal" to "abnormal", would you even notice?

Occasionally I have a credit card transaction denied. The most common reason for this is being in a part of the country that is outside my normal travel and spending patterns. When that happens, the panic quickly subsides and I recognize that something in my baseline has changed.

How can pattern and trend analysis apply in monitoring and defending your networks? Consider developing a similar baseline to detect possible unauthorized changes. This practice may very well help you detect changes that do not follow the proper change control process and also give you deeper insight into the activities on your network. A practical step of creating a monthly calendar appointment named "What is missing from my baseline?" would help remind you to answer this question on a recurring basis. This will also help you develop a more meaningful relationship with your system administrators and application developers by asking them questions and learning more about these systems - both of which are highly encouraged.

To detect patterns and trends, consider developing a rolling 30, 60 or 90 day history in a few critical areas to show not only the current status, but also how it compares to recent activity over time. This insight will help identify patterns that exist beyond the point-in-time alerts that we regularly receive. Not every area requires this extended analysis, but in some cases showing a trend over time reveals patterns that would otherwise go unrecognized and unnoticed.

Consider the following for your baseline:

- Administrative logins after normal business hours
- Administrative logins outside of approved change windows
- Badge access to your building after normal business hours
- Systems that restart outside of approved change windows
- Services that restart outside approved change windows

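
As an added illustration (not part of the original post), the sketch below flags administrative logins that fall after business hours or outside an approved change window, then counts them over rolling 30, 60 and 90 day windows. The log format, account names, business hours and change window are all assumptions constructed for the example.

```python
from datetime import datetime, time, timedelta

# Constructed sample events (not real logs): timestamp,account,host
SAMPLE_LOG = """\
2016-12-20T21:00:00,adm-jsmith,db01
2017-01-20T03:00:00,adm-mlee,web02
2017-03-06T10:15:00,adm-jsmith,db01
2017-03-07T23:40:00,adm-jsmith,db01
2017-03-08T02:10:00,adm-mlee,web02
2017-03-11T09:30:00,adm-jsmith,dc01
"""

# Assumed policy values; substitute your organization's own.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
CHANGE_WINDOWS = [(datetime(2017, 3, 7, 22, 0), datetime(2017, 3, 8, 0, 0))]

def parse(log):
    """Yield (timestamp, account, host) for each log line."""
    for line in log.strip().splitlines():
        ts, account, host = (field.strip() for field in line.split(","))
        yield datetime.fromisoformat(ts), account, host

def flags(ts):
    """Return the baseline deviations that apply to a login at time ts."""
    found = set()
    weekday_hours = ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END
    if not weekday_hours:
        found.add("after_hours")
    if not any(start <= ts < end for start, end in CHANGE_WINDOWS):
        found.add("outside_change_window")
    return found

def rolling_history(log, as_of, required, windows=(30, 60, 90)):
    """Count logins carrying every flag in `required` per trailing window."""
    events = [(ts, flags(ts)) for ts, _, _ in parse(log)]
    return {
        days: sum(1 for ts, f in events
                  if as_of - timedelta(days=days) <= ts <= as_of and required <= f)
        for days in windows
    }

if __name__ == "__main__":
    as_of = datetime(2017, 3, 12)
    for ts, account, host in parse(SAMPLE_LOG):
        print(ts, account, host, sorted(flags(ts)))
    print(rolling_history(SAMPLE_LOG, as_of, {"after_hours", "outside_change_window"}))
```

Comparing the 30 day count with the 60 and 90 day counts shows whether recent activity is in line with the longer history or a departure from it.
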
Please use the comments area to share what’s in your baseline!
Russell Eubanks