Thursday, March 5, 2015

The Reporting Killchain


In 2013 at ISSA International in Nashville, TN, I gave a talk on using "big data" tools for security compliance and continuous monitoring over traditional security toolsets.  The talk pulled directly from a project I had been working on for a large US government agency that ultimately failed regardless of the agreed value it provided to the organization (I actually got an award from that agency for the work!).  The outputs and experience from that provided me some insights that ultimately have taken me the past couple of years to reconcile and mature into the "Reporting Killchain".

Obviously, the name is intended to be a "tongue & cheek" reference to the "Cyber Killchain" we often hear referenced in so many articles, blogs, and presentations.  By all means, I think it is one of many valid concepts to reference for developing a comprehensive security strategy.  But the reality is that so many organizations claiming they're "attacking the cyber killchain" is a more than just laughable...its downright sad!

My Experience...

In the project I mentioned above for that agency, we were tasked with implementing a continuous monitoring tool for FISMA and other security requirements.  A ton of tools were analyzed and ultimately none of them were purchased.  The money was reallocated to something else and we were left holding the responsibility to make something work.  We ended up turning to an existing project to leverage a "big data" tool (vendor is unimportant) which already had much of the data we might need being aggregated into it and which had zero cost for us to use.  Why didn't we use that in the first place...well...we'll to get more into that in a coming blog post.

Before we transition though, the reality was that "big data" tool "off the shelf" would not meet the requirements to provide the level of monitoring and reporting we were required to provide.  Though that tool had a "FISMA" app/plugin we could use, it only covered approximately 20 of the several hundred controls we were ultimately required to monitor!  That was only IF you sent the right sources into it.  We knew we had a lot of work to do!

"The Reporting Killchain"

The concept finds its roots in organizational behavior and by all accounts is very much a "thank you captain obvious" for many of you.  Still, this concept is meant to bridge the gap between security practitioners and "the organization" as well as to hopefully be point of reflection for those finding themselves unsuccessful or outright jaded in their efforts to improve their organization's security postures.  What I've tried to do is boil down some key points in the "reporting process" where needs, ideas, goals, etc. get shot down, bogged, down, and fail to move forward.

These breaking points have been described to me time and time again by countless other colleagues and professionals and are present in, if not directly responsible for, every single breach or security incident that I've ever seen!  I don't say that to be dramatic.  Almost every major breach I've read about had some point in its reporting killchain where the outcome could have been drastically different had the message passed through the chain transparently.

Over the next few blog posts, I'll drill down into each of the points of this "Reporting Killchain" in what I hope will be an engaging discussion on how we as security practitioners can break it for the sake of our sanity!
Read more »

"The Reporting Killchain: It's Killing Your Security"

Presented at Chattanooga ISSA, 3 March 2015


Think your organization is ready to attack the “Cyber Killchain”? Yeah right! You haven’t even tackled your Reporting Killchain!  What is that? It’s the process your organization takes to get information from the bottom to the top of your organization and back.  Chances are its like playing the old telephone game but even more pathetic and less direct!  Don’t be na├»ve enough to think you can begin to make your organization more secure until you put the information before the politics, bureaucracy, and mind numbing process.

Don’t worry, this isn’t a talk about organizational behavior, structure, or business best practice.  Nevermind that in doing so you’ll simultaneously improve organizational communication, morale, and security visibility. This is a discussion on methods you can use to hack your organizations reporting chain and put the power of the information before the process.  Lets look at how to use existing reporting tools to crunch more than just machine data.  Lets use them to further cultivate human generated data to create real organizational security intelligence! We’ll show you how to use existing reporting tools to do non-destructive analysis to create true multi-level reporting that can’t get shot down, watered down, or otherwise manipulated before it gets to the CEO! Lets attack the Reporting Killchain that’s keeping your organization from being more secure!

Read more »