Security Principles & Maxims
When discussing security architecture with my clients I find it useful to have a handy canned definition of what architecture means when I use the term. This is the definition I use and I think it most...
User-Sourced Security Monitoring
One of the constant challenges I face delivering big systems is meeting the protective monitoring requirements. A lot of the requirement to spot technical events (low level network probing, back door...
Zones of Trust
The key security design decision is the balance to be taken at every step of a system design between trust and inconvenience. For every system to system, subsystem to subsystem and component to...
Security defect triage in delivery projects
The guys at Recx asked me to look at a draft of their recent blog post ‘The Business v Security Bugs – Risk Management of Software Security Vulnerabilities by ISVs’ where they describe some of the...
Security and Systems Engineering
In my experience when a business brings security people into their systems engineering process they are trying to solve a problem. Usually there has either been a painful security incident or some...
Documenting an As-Is Security Architecture, part one
This is the first of a two part post, part two is available here. The following list is a set of activities that need to be completed at least once to document an existing As-Is security architecture view...
Documenting an As-Is Security Architecture, part two
This is a continuation from part one. Documenting current environments: This activity is focused on identifying the physical and logical environments in scope for the business architecture. A logical and...
Cross-Domain Gateway Functions
Cross-Domain Gateways are a concept from multi-level government and military networks that are increasingly being deployed into traditionally flat commercial networks. I’ve spoken before about ‘trust...
We need to talk about IT
It has long been a truism of security practitioners that security is not an IT problem. This is an attempt to lift the gaze of the security team from technology to the wider business. A laudable and...
Measuring Black Boxes, part one
I have been attempting to capture the process or to be more accurate the heuristics of how I analyse security architectures. This was originally driven by the time it took me to document my conclusions...
SOC Value Chain & Delivery Models
I was recently working with a firm to develop their Security Operations Centre (SOC) from a good but limited capability to a mature enterprise capability. While working through the maturity assessment,...
The security opportunity in Digital
Four years ago I discussed some of the characteristics of cyber security that made the use of the term useful, this was at a time when the use of cyber security was widely derided by practitioners of...
The Future of Security Automation.
It is entirely possible I am about to have a flying car moment. Recently I have been asked by a variety of product vendors and security consultancies for my opinions on the future direction of security...
A change to the cyber risk landscape
On June 27th 2017 a cyber-attack called ‘NotPetya’ was launched against a large number of firms. The attack was notable for three reasons; it used a third-party software update mechanism to spread, it...
Good security is a conversation, not an argument. Part Two.
In my previous post, I outlined why I feel the lack of good conversations between security practitioners and other people in their organisations leads to poor outcomes. A crucial part of the challenge...
Managing Identity Consciously
I had cause recently to participate in a workshop considering identity across an enterprise and I wanted to share some of my thinking which was unexpectedly useful. Identity is a slippery thing, it has...