March 2017

Viewing posts from March, 2017

Verizon Dark Reading

It was interesting to hear a recent presentation on the results of Verizon’s 10 years of research into cyber breach reporting. Chris Novak of Verizon’s RISK team presented on “the real costs of a security breach”. He described how they had identified that 9 out of 10 breaches fit into 9 basic patterns.

  • Point of Sale (PoS) intrusions
  • Payment card skimmers
  • Web-App attacks
  • Crimeware
  • Cyber espionage
  • DoS attacks
  • Insider misuse
  • Physical theft and loss
  • Miscellaneous errors

He stated that the top impacts to a business are the legal and investigation costs following a breach, due to the impact of liability determinations. Regulated investigations are the most expensive. So it still stands that the cost of prevention greatly outweighs the cost of managing a breach. He spoke about their efforts to view the costs and the fact that they had to follow the tail, the impact, for years after the breach. Consideration was given to the cost of everything from the technical investigation and the requirement for legal counsel to customer care and external communications. Interestingly, he said that when Verizon go in to a company post-breach to speak about long-term remediation, messaging and the introduction of future controls, many of the original staff involved had left the company for one reason or another. This is an unexpected impact of the negative way in which the staff involved are tainted following the incident.

It was also interesting to hear their assessment, from real-world cases, of how long a threat actor took to compromise a victim: “the time to compromise is almost always days or less”. Comparing that to how quickly the victim identifies the attack, he stated only 15-20% of companies identified the intrusion in “days or less”. The norm was months, and up to 7 to 8 months in a lot of cases. It proves the need for proactive capabilities and preventative activity.

Verizon’s Data Breach Investigations Report is a great source on what is happening with online criminality and associated victims.

Xanadata is a data analytics company, specialising in building systems that analyse data at extreme throughputs addressing markets such as cyber security, e-discovery and BI analytics. It develops and builds custom hardware and software to allow organisations to rapidly identify vulnerabilities, threats and risks caused by systems connecting to the Internet.



I was listening again this week to the Down the Rabbit Hole weekly podcast. There have been a couple of recurring themes of late: leaders in the technology world and skills shortages. I have no doubt they are connected subjects. IT is no longer a supporting function but a core part of any organisation; there are very few companies that could continue to operate without Internet connectivity and networked computers.

Why do we need great leaders in technology and cyber security? As a community, if we don’t have them, we will not have a voice in the boardroom and we will not develop from where we currently are. We won’t be able to influence change or deal with cyber security issues strategically through long-term objectives and planning. It also means we will not be able to ensure that continuity planning is covered for the areas that are important to us, such as spotting, developing and encouraging young talent, and getting them to consider cyber security as a great career choice.

As a leader, whether you are a CISO, manager, team lead, or aspire to be a leader in the future, you also act as a figurehead, somebody others can look up to and aspire to be. A point brought out in the podcast is that a leader is not necessarily the most senior person or the individual with the most experience. It’s not someone who is a “technical expert with a team”. They are the kind of person that attracts bright people and inspires others. The person they spoke about on the podcast was Richard Branson, a person who has been successful in a number of industries.

Here are some of the points that immediately came to mind when I thought of what a leader is, gained through my experience of 25 years in law enforcement:

  • Being a mentor to others (as well as ensuring being mentored yourself)
  • Making good decisions and, where possible, avoiding bad ones, while being given, and giving others, permission to fail in order to encourage innovation and growth
  • Taking time to grow your knowledge, experience and capabilities, which applies to all not just a leader
  • Always accepting and seeking feedback (360 feedback works well)
  • Leading by example
  • Ensuring constant two way communication with your staff, your peers and seniors, including delivering the difficult messages directly
  • Actively listen to the other person, give them time to make their point and air their grievances
  • Be open and honest in order to build mutual trust and respect
  • Create a culture of openness where staff are encouraged to challenge, also encouraged not only to identify the problems but to help find and deliver the solutions to the problems they discover
  • Seek out those who are willing to learn, challenge and motivate them and allow them opportunities to develop outside their role to help them grow. Especially with those who have initiative, have a passion for technology, but also those who have an analytical mind set, who can ingest and distil information
  • Prioritise your tasks, do what is important and needs resolution now. Don’t necessarily start each day emptying your inbox or answering emails
  • Set milestones and constantly review tasks, activities and projects, also understand what success looks like and when you achieve it
  • Establish if you are the right person to deal with the problem and identify if there are other parts of your organisation, or beyond, that might help in making informed decisions or dealing with the issue; technology may not always be the answer to the problem
  • Encourage your staff to take on your functions or grow in to your role, work yourself out of a job, encourage talent, train for the future and grow the staff in your organisation, build a pipeline
  • Take time out for yourself i.e. get a hobby

What a good leader achieves for their business:

  • Identifies what the problem is we are trying to resolve and concentrates on that issue
  • Identifies the solution to problems, understands the value of that solution to the business (ROI) and sets measurements to help understand if that product is delivering against the problem
  • Sets and codifies the mission and constantly encourages their teams to do the same, empowering individuals to act
  • Understands risk and what it means to your organisation
  • Recognises and praises success, it increases engagement
  • Ensures lessons learnt are captured and propagated across your organisation and community
  • Understands the business and its culture in order to deliver against the objectives within that environment, “you can’t deliver cyber security in a vacuum”
  • Understands the questions the board needs answering and presents them with responses that help them to make the right or better decisions, in a language that they understand

When considering risk, the model I am most familiar with is that used by UK law enforcement officers (College of Policing). The model they use is the “National Decision Model”; full details are available from the College of Policing.

From the model, the recommended questions we need to ask when dealing with risk and developing a working strategy are:

  • Do I need to take action immediately?
  • Do I need to seek more information?
  • What could go wrong (and what could go well)?
  • What is causing the situation?
  • How probable is the risk of harm?
  • How serious would it be?
  • Is that level of risk acceptable?
  • Is this a situation for us alone to deal with?
  • Am I the appropriate person to deal with this?
  • What am I trying to achieve?
  • Will my action resolve the situation?

In the podcast they said “leadership is a craft in itself”; the principles can be taught, but it needs nurturing and practice. A CISO also needs the technical understanding to deliver against the role. Adding the two together creates a unique individual who adds great value to any organisation.

“Tell me and I forget, teach me and I remember, involve me and I learn” – Benjamin Franklin


Original blog written by Kevin Williams for Team Cymru. Blog reproduced, in part, with thanks to Team Cymru:



One of the ways I keep up with what is new and current thinking in the cyber security world when I am on the road is by listening to the “Through the Security Rabbit Hole” podcast.

As I was listening to one of the recent presentations, I was considering what a cyber security strategy should look like. So here goes:

Every employee must understand the organisation’s mission. Additionally, all employees must understand their responsibility to help secure the company to achieve the mission. (This is particularly notable for phishing attacks.)


Have people at the board and all levels that own the cyber security problem, its implementation and response.

Understand your adversary and how they will attack you. Know your systems, all their end points, and all of their vulnerabilities. Have proactive intelligence on who is scanning you and try to identify why. Understand what normal looks like so you can spot abnormalities. Build trust groups internally and externally to understand your threat vectors and changes in attack methodologies, as well as to exchange ideas and best practice.

Identify and isolate what is important to you, such as your IPR (Intellectual Property Rights), customer data, financial data, etc.

Review current access and limit access to sensitive data to only those who actually need to access it and need to know the content, not those who think they should have access. Identify your critical infrastructure and lock it down.

Be proactive and not reactive to the threats and vulnerabilities. Know when a wheel nut has come loose; don’t wait for the wheel to fall off before responding. Be as proactive in knowing what is leaving your network as in knowing what is trying to enter your systems.

Recognise your risks, relevant to your mission and ambitions, and have clearly defined boundaries as to what your risk appetite is.

For example:

  1. Is it OK for your website to be down for 30 secs, 30 mins, 30 hours?
  2. Who are you going to call in a crisis, where is your documented IR plan written down and who can access it?
  3. What do your agreements say they will do to assist you in a crisis? Think about reviewing their contracts.
  4. What is your press statement going to look like and who is your talking head going to be?
  5. Plan for breaches, anticipate breaches, rehearse and exercise your response; don’t wait till it happens so that you have to make decisions in crisis.
  6. What will be your single public message? (lots of good examples out there deployed in recent events)
  7. How will your staff, vendors and outsourced capability respond on Christmas Eve or even Christmas Day if you need help?

Understand how you are going to communicate during a crisis. If your systems are “owned” by a miscreant, it is no use using the corporate email system to decide and share your battle plan.

  1. Patch management
  2. Good password rules
  3. Regular pen testing
  4. SANS Top 20 critical security controls

In the UK, I always find it is worth reviewing what the UK Government has on its site on best practice for cyber security advice.

When it goes wrong, know whom you are going to call.

Lastly, it’s all about the people, not the technology; your people are your asset. But never forget they can be exploited and can be a vulnerability, so invest time in educating them and getting their buy-in.


Original blog written by Kevin Williams for Team Cymru. Blog reproduced with thanks to Team Cymru: