Saturday, April 29, 2017

Agile Security

I recently helped SANS review curriculum for an exciting new course coming out soon on a topic near and dear to my heart. While reviewing this course I started thinking about how security processes might evolve. I've often thought about the term Agile Security but not sure people would buy into this idea. It could be a great time for security teams to revisit how they operate. It could be the evolution of the cloud is driving the need to reconsider security perspectives. If what you are doing works just fine then don't change a thing. However, if you find the need to move faster and respond to threats more quickly, consider the following.


Agile: A word that makes some software engineers cringe because use of the word has transformed - like many other abused and overused words in the technical space by consultants and people jumping on bandwagons to sell products and services. But agile as a word is not the problem. It's the people who are talking about agile but doing quite the opposite. Agile just means you have a process that gets out of the way so you can work fast and adjust your plans quickly as your needs change. This is most important in a security environment with 0-days and rapidly evolving threats to organizations. 

Consider the transformation that occurred in the software industry. When I got my master’s degree in software engineering I took classes with and from people who worked at Boeing. We discussed how to write lengthy, detailed requirements documents with very precise numbered hierarchies. The document would cover every single implementation detail. In theory, this very thorough coverage of the requirements would save money.

Of course, when building something like an airplane details are crucially important. Lives are at stake. The same would apply for medical devices and software. But we were writing similar documents for internal business applications and web sites at the time. Companies would charge sometimes millions of dollars to spend three months or longer writing "Requirements Specifications".

In the end...when the programmers got the specifications, they didn't really work as planned and threw most of the spec out the window by the end of the project. Or worse, the developers followed the specifications precisely even though they didn't meet the need or solve the problem. Often the team would stumble upon information not known at the time of writing the requirements and would find that certain aspects of the requirements were not technically feasible or cost-effective.

About that very same time the idea of Extreme Programming was evolving. I read a book and thought, well this is much more practical. I started a business and wrote my own form of task tracking system much like what Version One is today. My former co-workers who are groaning at the thought of Version One should consider whether they would rather use Microsoft Project...not me, but to each his or her own. Version One has a list of tasks and you can mark the status of each task, track dependencies, time and more. In my case I had contractors working on billable assignments so I added in a time tracker. They could hit a button to start and stop work on a task so I could create very detailed invoices for customers. I could also arrange the tasks in priority order and break them down into small enough pieces so I could see precise progress. In the event priorities changed I could move a task at the bottom of the list up to the top at any given moment and adjust the deliverables and schedule.

How does this relate to security? In large organizations, many security teams are writing lengthy documents that I equate to the old software requirements specifications. And just like those specifications, I can tell you from the trenches of the development teams in these large organizations...you're lucky if people even know they exist. Sorry. It's true. Even if they do the most well-intentioned employee will have a hard time remembering and following all your rules.

What to do? I would suggest that security people learn from the software development processes how to move faster. Instead of writing documents, create agile backlogs. Create the "Epics" or large work items that need to be completed to maintain security in your organization. Prioritize and fund the Epics. Create stories for the Epics. This may be before or after funding, but either way the stories will evolve over the life of any project. Prioritize the stories. Assign the stories to teams. The teams work the stories in 2, 3 or 4 week sprints. Make sure you work the must-have stories at the beginning so you don't have a half-baked project at the end when the money runs out and you deliver nothing.

Before you hire some expensive consultant to make this all more complicated than it needs to be (which I have experienced), see if you can work with these definitions as a starting point. If you are talking about how to implement the process instead of doing work, the process is failing. Keep it simple and focus on whatever helps get work done most quickly and accurately - and exclude extraneous things that get in the way of getting work done.

1. Team: A team of people with certain expertise or assigned to a project or product.

2. Backlog: Typically associated with a team. A backlog contains the work items assigned to a team. The work items should be in priority order from most to least important. Most large companies have multiple backlogs and teams.

3. Backlog Owner: The person who creates the stories in the backlog. When a story is completed the backlog owner gets a demo of the deliverable and "accepts" the work or sends it back for additional fixes before it is accepted. The team closes the stories after the backlog owner accepts the deliverables. The backlog owner is generally a product manager in the case of a product or a technical owner in the case of architectural or security requirements.

4. Epic: Typically, an epic is a project or subset of work that requires approval and budget. Business executives fund "Epics" just as you would for any other project or initiative.

5. Stories: Deliverables associated with an Epic. The story should define WHAT in business terms not HOW in technical terms. Each story should be short and describe how the deliverable will be tested and demonstrated to the backlog owner to prove that the work was completed as required.

6. Sprint: A 2, 3 or 4-week period. A team commits to complete however many stories it can each sprint from the top of the backlog. If a story takes longer than one sprint to complete, break it into multiple smaller stories.

7. Sprint Planning: At the beginning of each sprint the team holds a planning meeting and commits to as many stories from the top of the backlog as will be possible to complete. In my case I had my each team member prepare their individual commitments in advance so these meetings were typically short.

8. Demo or Sprint Review: At the end of the sprint the team demonstrates the deliverables of each story to the backlog owner and stories are closed. 

I'm not going to get into planning poker, capacity planning, retrospectives, cards and Fibonacci numbers right now. If you just start with the above that will get you going. Keep it simple and focus on getting work done versus lengthy process discussions and meeting overload. Once you master the above you can get fancy. I do believe in certain methods for poker planning and capacity planning that help keep projects on track but the main points for now:

  • Put the requirements into a backlog instead of a document.
  • Define requirements in business terms (what, not how).
  • Break down the work into small pieces.
  • Demonstrate work as it is completed and prove it works.
  • Prioritize and adjust as needed.

My definition of Agile Security. In a nut shell.

But wait. We're not done. If you put all sorts of things in a backlog that define your requirements and deliverables, how will you enforce your policies?

Write software. You may have an overarching document that defines security policies. Preferably it is on an internal web site - or better yet in a database - and adjusted quickly as policy requirements change. Then, turn as many of those requirements as possible into software that at least monitors for infractions in an automated way, but preferably enforces adherence to policies up front. I have some ideas about this in a white paper on event driven security automation.

What, you don't want to write software? Hire a software programmer. This is the convergence of software and security. I predict that security people who embrace this wonderful relationship with those pesky software developers who are causing all your security headaches will be most successful in the future. And those pesky software developers probably need to learn a thing or two about security!

Epilogue:

Before I tell you that Agile or Scrum or whatever your favorite word is for what is basically a Work Breakdown Structure is the silver bullet that will solve all your problems and all your security initiatives will be completed on time and under budget, I will tell you that Agile has a flaw when not properly managed. You need to have a beginning and an end of a project and make sure things are prioritized correctly to actually achieve a deliverable. Time and money are not endless. Some agile teams assume they are and operate as such. 

Make sure you have a way to determine whether your epic and stories can be completed within your time and budget and manage to that time and budget. This means your backlog truly needs be prioritized so the must-haves are the top and the things at the end of the list can be cut if not completed when time and money runs out on the project. There is also an art to managing people's time and keeping distractions away from the team - one of which can turn out to be your "scrum master" if they are more focused on process than deliverables. Additionally, it's a good idea to understand points, burn downs, capacity planning and how to use those in your estimation process to keep the project on track. 

But generally, I think agile, scrum and extreme programming concepts are better than alternatives for many projects.

Tuesday, April 11, 2017

Making A Difference

Maybe this blog post will motivate someone who's feeling a bit frustrated when they land here...and inspire that person to keep going when they feel like giving up.

Some days a person can feel like, "What's the point?" You might have some goals that start to feel unattainable, or maybe you are rethinking your goals altogether. "Why am I doing this anyway?"

At these moments you feel like dropping out. Quitting. What's the difference. What does it matter? The frustration starts to boil over and maybe, you think, it would be better to quit and become a barista or a bar tender on a remote island and enjoy the beach instead. Life could be so much simpler.

I was having one of these moments at a certain large company - the company doesn't matter because these things happen everywhere. It felt like I was being blocked from moving to a new department. At the same time I am being blocked, I get an email thanking me and telling me how much the company appreciates five years of my life via some automated email generation system that lets me pick out a gift. It feels very artificial but I'm sure the intention was genuine by whomever designed that system.

I start thinking why do I work so hard and why do I do all these things? Everything is a struggle. Maybe I should just quit running the Seattle AWS Meet Up because it's all so much work and I'm not sure why I'm doing it anymore. I just like the technology and the people but maybe I just need a break...and suddenly - AWS contacts me and says they want to make me an AWS Hero.

What? What's that...I didn't even respond to the emails at first. I thought it was someone trying to sell me something and playing to my ego. I'm no hero. This can't be real. But AWS got through to me and then I looked it up and thought, wow, that is really nice! Someone does appreciate all the hard work. Check out all the AWS Heroes and if you know any of them, it's nice if you let them know you appreciate their work. Maybe even offer to help!

As for that job, I asked some people to give me reviews in our HR system to show how my actions were helping people within the company. I worked with people across all lines of business on a daily basis. I also wrote a blog post explaining how I had helped fix a problematic process at the company. Coincidentally, the company approved the transfer to the new department the same day. I was very excited about the move and working in that department seemed pretty cool. I was optimistic about fixing some things that we all felt were broken.

Then another thing happened shortly after that...WatchGuard Technologies contacted me to offer a pretty cool job. Again, I expose that I am a complete and total nerd and one of my favorite things is looking at network traffic and related logs. I wanted to work on threat intelligence, network logs and security automation. I'm into data and correlation and baselines and anomalies. I think about predictive analysis and real time and scalability and data sharing to help stop the bad guys faster. I think the cloud can facilitate doing these things. I was writing a paper related to that very topic when I was contacted. WatchGuard works with network logs and firewalls so this was a great fit.

Initially I worked on helping the company move to AWS. Now I'm writing for WatchGuard's security blog: Secplicity and doing security research. This so far is a pretty cool gig and I'm excited to be doing it. I once listened to a presentation by the former commander of the Blue Angels. He said something I really liked - when you come to work you should be thinking "Excited to be here". And I am. But sometimes when looking at all the security threats and breaches you think wow, can I ever make a difference? Do people even get security? Do they care?

I was looking for some links related to my Target Breach white paper for a blog post and that's when I noticed something. People are referencing my paper in their research. You can see some links at the bottom of the page. Wow! That's super cool because when I wrote the paper I wanted to understand myself exactly what caused this breach and explain it to other people in the simplest way possible. I wanted to take security breaches out of this esoteric realm and break it down so more people would understand exactly how it happened, and as a result how to protect their systems and networks. I stepped through the breach and each point along the way that facilitated the attack.

And it seems that perhaps, in some small way, this has helped some people gain a better understanding of security and references to the paper are helping to spread the knowledge further to others. It seems like the effort might be helping students learn more about how these attacks are happening. Maybe it will help some of them to go on and better secure their networks and reduce the attack vectors in their employers' environments. Maybe it will help vendors and companies improve security as well.

And as for me, it made me feel like, in some small way, I was making a difference.

And that made my day. And it keeps me going.

-----

References to Target Breach White Paper:

http://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/

https://bol.bna.com/wake-up-call-ashley-madison-lawyers-up-after-breach/

https://issuu.com/pbcwu/docs/identity_theft_prevention_and_mitig

https://www.termpaperwarehouse.com/essay-on/Books-of-Ark/420534

https://www.nist.gov/sites/default/files/documents/2016/09/16/rapid7_rfi_response.pdf

https://engineering.jhu.edu/jhuisi/wp-content/uploads/sites/63/2017/02/Identity-Enabled-Transactions-Based-on-the-EMVCo-Payment-Tokenization-Specification-Capstone-Project.pdf

https://freedompenguin.com/articles/opinion/how-big-is-your-target/

https://www.law360.com/ip/articles/746452/tips-for-guarding-ip-against-cyberespionage

http://repository.law.umich.edu/cgi/viewcontent.cgi?article=1164&context=mjlr

http://www.bucks.edu/media/bcccmedialibrary/con-ed/itacademy/The%20Target%20Breach.pdf