Executive Breakfast Briefing with Former DHS Secretary Michael Chertoff
Recently Mandiant hosted its first Executive Breakfast Briefing event in Houston, Texas. The event featured former DHS Secretary Michael Chertoff and me, with Michael Graven acting as facilitator. During the two-hour meeting the Secretary and I presented different aspects of digital security challenges and solutions to our attendees. We then participated in a lively question-and-answer session with Michael and the audience. In this post I would like to mention a few topics that seemed most interesting to the participants based on their questions.
I started my talk by posing three questions to the group:
- What would you do if your organization received a notification from an official third party (think Federal Bureau of Investigation or a military intelligence unit) that your organization’s data was in the hands of a foreign adversary?
- How, and how often, do you check to see if your organization is compromised?
- How many incidents did your organization experience last year, and how did your time from detection to response (and containment) change during the year?
In these questions lies the core of modern digital security. The first question relates to the fact that the vast majority of targeted persistent threat victims first learn of their plight from a third party. If you have not experienced this situation before, the worst time to determine how you would react is when you first receive the notification!
The second question involves the difference between the current practice of checking for vulnerabilities and the more critical but neglected need to check for compromise. Many organizations must regularly assess their environments to discover vulnerabilities, but unfortunately finding a vulnerability means finding a theoretically exploitable flaw. Instead, organizations should routinely and constantly evaluate their environment to find compromised systems – vulnerabilities that an intruder exercised to assert his will and accomplish his mission.
The third question represents what I believe is the key security metric for any organization. Counting incidents and time to respond helps develop a security “scoreboard” that shows, to the best of the security team’s ability, one key aspect of how well the group is performing. Without this data, it’s tough to know whether the security of the organization is improving or declining. One can count many other aspects of security, but those tend to be input-centric rather than output-centric like these two measures.
Our next Executive Breakfast Briefing is scheduled for Wednesday, February 22 in Washington, DC. General Michael V. Hayden, former Director of the Central Intelligence Agency and of the National Security Agency/Central Security Service, will provide an overview of how targeted intrusions, including nation-state sponsored attackers such as the advanced persistent threat (APT), are compromising government agencies and the most sensitive corporate information and intellectual property at Fortune 500 companies across the USA.
I will also be attending this event and hope to see you there. You can register for the event here: http://www.mandiant.com/news_events/forms/dc_executive_briefing_2012
If you have any comments or questions, please post them below.