The truth is like poetry…most people hate poetry


Prevention is possible and defence is doable

Having been at Cylance since the beginning, Eric has been at the forefront of a stunning journey along with founder Stuart McClure and the inaugural team, setting out to shift the economics of cyberwarfare and force attacks to be highly targeted and therefore expensive.

Speaking in Canberra at the Australian Cyber Security Centre Conference this March, Eric made it clear at the outset: “I want to make a rant against the cybersecurity industry. I think we are all brainwashed by all this stuff that is continually thrown at us. Defence is doable – but like putting Man on the Moon, you first have to believe it is possible. If the cybersecurity industry does not believe it is possible, then what are ‘we’ all doing for a living? Though one size does not fit all, and one person’s security is different from another’s.”

As a proud product of the US Government, Eric was an exploit developer and coder, and after a 12-year Federal Government career was appointed the Department of Homeland Security’s Deputy Director and Chief Technical Analyst for the Control Systems Security Program.

“Most organisations will already have 80 per cent of what they need in terms of security – it is a case of the more you know, the less you need. The process of assessment should be based on the business case of ‘annualised loss expectancy’.” With a reference to a concept of operations, Eric recommends, “ask what is the minimal path to the maximum damage.” Similar in process to red teaming, “identify the task of bringing the organisation down and the most likely method that would be taken to achieve that mission. It is not going to be just one exploit. Most vendors are only solving individual pieces of the problem. By taking several exploits and chaining them together, in a kill chain or attack tree, the security practitioner can build a concept of operations to determine what impact these attack chains would have on the business if they were to occur. This is the singular loss expectancy. The next question is how many times per year this event would be likely to occur, what the likely cost impact is, and what the likelihood of it reoccurring is if we don’t defend against it. Security practitioners are often very bad at articulating the value of the return on investment in security, in a business context. The solution is in the math. We should automate as much as humanly possible.”
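The loss-expectancy reasoning above can be put in code so the business case is reproducible rather than argued by hand. The following is an added example, not code from the article, from Cylance or from Eric's talk: it models each attack chain as ordered steps with a success probability per step, treats the chain's impact as the single loss expectancy (SLE), derives the annualised rate of occurrence (ARO) as attempts per year times the chance a chain completes, and prices a control by the ALE it removes across every chain that passes through the hardened link. All probabilities, impacts and attempt rates are constructed illustrative values, and the step and chain names are placeholders.

```python
"""Annualised-loss-expectancy model for chained attack paths (added example).

Each chain is a sequence of steps an adversary must complete in order (a kill
chain). The probability that the whole chain succeeds is the product of the
per-step success probabilities, so hardening one link lowers the loss
expectancy of every chain that uses it. ALE = SLE x ARO throughout.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Step:
    name: str
    p_success: float  # P(attacker completes this step | reached it); constructed estimate


@dataclass
class AttackChain:
    name: str
    steps: List[Step]
    impact: float             # loss if the chain completes: the single loss expectancy (SLE)
    attempts_per_year: float  # how often this chain is attempted against the organisation

    def p_chain(self) -> float:
        """Probability that a single attempt completes every step of the chain."""
        p = 1.0
        for step in self.steps:
            p *= step.p_success
        return p

    def sle(self) -> float:
        return self.impact

    def aro(self) -> float:
        """Annualised rate of occurrence: expected successful attempts per year."""
        return self.attempts_per_year * self.p_chain()

    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO."""
        return self.sle() * self.aro()

    def with_control(self, step_name: str, new_p: float) -> "AttackChain":
        """Copy of this chain in which a control lowers one step's success probability."""
        new_steps = [Step(s.name, new_p) if s.name == step_name else s for s in self.steps]
        return AttackChain(self.name, new_steps, self.impact, self.attempts_per_year)


def rank_by_ale(chains: List[AttackChain]) -> List[Tuple[str, float]]:
    """Chains ordered from most to least costly per year: the 'minimal path to maximum damage' view."""
    return sorted(((c.name, c.ale()) for c in chains), key=lambda t: t[1], reverse=True)


def control_value(chains: List[AttackChain], step_name: str, new_p: float,
                  annual_cost: float) -> Dict[str, float]:
    """Net annual benefit of a control that lowers one step's probability in every chain using it."""
    before = sum(c.ale() for c in chains)
    after = sum(c.with_control(step_name, new_p).ale() for c in chains)
    return {
        "ale_before": before,
        "ale_after": after,
        "risk_reduction": before - after,
        "control_cost": annual_cost,
        "net_benefit": before - after - annual_cost,
    }


# Constructed sample data: names are placeholders and the numbers are illustrative, not measurements.
PHISH = Step("phishing_foothold", 0.5)
PRIVESC = Step("local_privilege_escalation", 0.2)
LATERAL = Step("lateral_movement_to_crown_jewels", 0.5)
EXFIL = Step("bulk_exfiltration", 0.8)

SAMPLE_CHAINS = [
    AttackChain("ransomware_on_core_systems", [PHISH, PRIVESC, LATERAL],
                impact=2_000_000, attempts_per_year=10),
    AttackChain("customer_data_theft", [PHISH, LATERAL, EXFIL],
                impact=500_000, attempts_per_year=4),
]

if __name__ == "__main__":
    for name, ale in rank_by_ale(SAMPLE_CHAINS):
        print(f"{name:34s} ALE = ${ale:,.0f}/yr")
    # Price a segmentation control that cuts the shared lateral-movement step from 0.5 to 0.1.
    result = control_value(SAMPLE_CHAINS, "lateral_movement_to_crown_jewels", 0.1, annual_cost=150_000)
    for key, value in result.items():
        print(f"{key:16s} ${value:,.0f}")
```

Because both sample chains share the lateral-movement step, the control is credited with the ALE it removes from both, which is the quantity a budget conversation needs: the sample data gives a 1.4 million dollar annual exposure before the control, 280 thousand after, and a net benefit of 970 thousand once the 150 thousand control cost is subtracted.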
