I'm presenting at SIRAcon today: "How to aggregate ground-truth metrics & indicators into a performance index". It will be recorded and will be available to SIRA members on the SIRA web site. Here are the slides. Here is the blog post with background and tutorial.
I'm at the 3rd day of Workshop on Economics of Information Security (WEIS) at Penn State. The focus of this day is to provide input and ideas to the Science & Technology (S&T) Directorate in US Department of Homeland Security regarding R&D on cyber economics and incentives.
I've decided to split this blog to separate my academic posts from my industry posts. I'm going to be blogging more about my dissertation and related works in progress, and I suspect that most of my industry readers won't be interested and I don't want to dilute my posts on industry topics -- information security, risk, performance metrics, etc.
Google's Blogger has worked well for me, but I've decided to move to Octopress. I'll spare you all the details of the decision process but here's a post that describes the process and benefits. I'm also following in the footsteps of others in my community (e.g. Securitymetrics.org, Data Driven Security, and Adam Elkus).
The industry blog will be renamed "Meritology Blog" and will have a meritology.com URL. The academic blog will be "Exploring Possibility Space" and will have an exploringpossibilityspace.com URL. I aim to move all the Blogger posts to these so that the archives are available under both.
I'll let you know when this goes live, and hopefully there will be redirection once the move is complete.
Since I won last year, I wasn't going to enter this year. But my imagination started turning and this came out. Hope you enjoy it.
Bruce Schneier's 7th Annual Movie Plot Contest
Theme: NSA wins! But how? (full description and all entries are here)
Creative Destruction
June 2014 – March 2015: Stock market booms.
June 2014: Snowden revelations trigger international political scandals.
July: Feinstein-Rogers Intelligence Reform Bill passes, breaks up NSA. “Largest garage sale in history”. Headline: “NSA Nuked”
August: 10,000 NSA workers are laid off.
September – December: Open Source projects, Working Groups see influx of volunteers.
September – November: “NSA garage sale” draws small contractors and public-private partnerships spread over 50 states. Private equity firms are buyers – Flatiron Partners, Narsil Capital, and Tech Disruptions.
September – November 2014: Flurry of privacy and security scandals hit big firms. Lawsuits, investigations, and criminal indictments follow.
November: “Alt Apps Group” formed: “Secure, private, and ad-free”. Most members are majority owned by Flatiron, Narsil Capital, or Tech Disruptions.
July – December: Symantec goes on buying spree: Webroot, Cloudflare, StackExchange, Disqus, Rapid7, and MaaS360 – all funded by Flatiron, Narsil Capital, or Tech Disruptions.
December: Puerto Rico Bridge Initiative announces completion of 50GB fiber optic cable.
January 2015: Private equity firms, led by Flatiron, make offer for Symantec.
February: Loren Reynolds, rookie Equity Analyst at JPMorgan Chase working on Symantec project, is accidentally copied on email from Flatiron:
“Confirming that Launch has been accelerated to March. Don’t use email anymore.”
Loren is puzzled by the distribution list:
Puerto Rico Bridge Initiative (PRBI)
Economic Development Corporation Utah (EDCU)
Fatherly (formerly GoDaddy)
March: Traffic and membership surges at Alt Apps Group members. Fatherly achieves 70% share in Certificate Authority market.
March: Loren receives email from friend Zoltin, networking expert:
“PRBI isn’t 50GB. It’s 75TB – the highest capacity in the world!!! WTF! There’s more. Same capacity cables to Bermuda and to Azores. Looks like they are bypassing US-Europe cables. Big news: Big data center on PR now complete.”
April: Google earnings due 4/15; then Facebook, Apple, Twitter, Microsoft, and Verizon on 4/22.
April: Over beers, Loren hears rumors of large short positions in technology stocks from a few “weird” hedge funds.
April 4: Loren receives email from Sarah:
“EDCU is gatekeeper on NSA Utah Data Center.”
April 15: Google disappoints. Earnings down 40% on flat revenue. Stock falls 30%, overall market falls 10%.
April 20: Loren discovers link between former NSA executives and Flatiron, Narsil Capital, and Tech Disruptions. Finds NSA people behind tech firm scandals in the previous Fall 2014. Tip of the iceberg, she suspects.
April 21: Loren sends IM to her husband, an Assistant DA in the Southern District of NY:
“Must see you ASAP. NSA & GCHQ live on. They’ve gone legit – running private businesses and funds. THEY ARE KILLING THE INTERNET AD BUSINESS.”
After clicking “send”, her computer freezes. She reaches for her smart phone to call her husband, but the directory is empty. She dials the number manually, but gets an “out of service” signal, followed by “low battery”. The phone dies. Running down seven flights of stairs, Loren races to her car. She jumps in, starts the engine, and backs out with a screech. One turn from the exit the car engine suddenly cuts out and brakes lock. The car crashes into a cement pillar. The airbag fails to deploy. Loren is out cold.
[This has a few lines added, so it's beyond 500 word limit. But the entry on Bruce's site is below the limit.]
Though it's sponsored by Juniper Networks, I don't see any evidence that the analysis or report were slanted. This report should be useful for people in industry, government, and academia (a rare feat!).
While they do a broad survey of the cybercrime ecosystem, they examine botnets and zero-day exploit markets in detail. What's important about this report is that it provides a thorough analysis of the innovation capabilities and trajectories in the cybercrime ecosystem. This is vital to understand to guide investment decisions, architecture decisions, and R&D decisions beyond a 1 year time horizon.
Here's a timeline that documents the growing sophistication and innovation capability:
Black Market timeline (part 1)
Black Market timeline (part 2)
The NIST CSF is a catalog of information security practices, organized into categories and maturity tiers. I've criticized the NIST-CSF here, here, and here, and proposed an alternative -- the Ten Dimensions. Jack has posted commentary and critiques here, here and here. Jack has the advantage of participating in all five workshops, plus several side meetings with various players.
Here's a diagram of Jack's framework:
I like Jack's B-sides framework. I see a lot of overlap between it and my Ten Dimensions. They aren't identical, but the same themes come through in both. His has the advantage of simpler interpretation (top-down layer cake, half as many dimensions). It has shortcomings as well. In its current form, it lacks performance measurement and, in my opinion, gives inadequate attention to "Effective Response, Recovery, & Resilience", "Effective External Engagement", "Optimize Cost of Risk", and organizational learning loops.
Whenever you do any kind of measurement, it's important to understand the uncertainties associated with it. Two characteristics of measurement that are inverse to uncertainties are 'precision' and 'accuracy' (also known as 'fidelity'). The following graphic, from this blog post, nicely demonstrates the difference between these two characteristics.
Other measurement characteristics include stability (repeatability from measurement to measurement), resolution (number of significant digits), sensitivity (ability to detect very small signals), linearity, range (from smallest valid value to largest valid value), and sampling rate (time slice or number of samples to establish a valid measurement).
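As an added illustration (not from the original post), the following Python quantifies several of these characteristics for two hypothetical, constructed sets of repeated scanner readings taken against a known ground truth: accuracy as systematic bias, precision as spread, plus resolution and range. The scanner names, readings and ground-truth count are all constructed for the example.

```python
"""Characterize repeated measurements against a known ground truth.

Constructed example (not real scanner output): two hypothetical vulnerability
scanners each run the same scan 8 times on a network where the true count of
vulnerable hosts is known to be 100. Scanner A is precise but inaccurate
(tight spread, biased low); scanner B is accurate but imprecise (unbiased on
average, wide spread).
"""
from functools import reduce
from math import gcd
from statistics import mean, stdev

GROUND_TRUTH = 100  # constructed: true number of vulnerable hosts

SCANNER_A = [97, 97, 98, 97, 97, 98, 97, 97]       # constructed: precise, biased low
SCANNER_B = [100, 106, 94, 103, 97, 101, 99, 100]  # constructed: accurate, noisy


def characterize(readings, truth, valid_range=(0, 65535)):
    """Return measurement characteristics for a series of repeated readings.

    accuracy_bias   : systematic error, mean reading minus true value
                      (0 is perfect; the sign gives the direction of bias)
    precision_stdev : random error, sample standard deviation of the readings
    resolution      : smallest step the instrument distinguishes, taken as the
                      greatest common divisor of gaps between distinct readings
    in_range        : whether every reading lies inside the valid range
    """
    bias = mean(readings) - truth
    spread = stdev(readings) if len(readings) > 1 else 0.0
    distinct = sorted(set(readings))
    gaps = [b - a for a, b in zip(distinct, distinct[1:])]
    resolution = reduce(gcd, gaps) if gaps else None  # None: no variation observed
    lo, hi = valid_range
    return {"accuracy_bias": round(bias, 3),
            "precision_stdev": round(spread, 3),
            "resolution": resolution,
            "in_range": all(lo <= r <= hi for r in readings)}


def more_accurate(a, b, truth):
    """The instrument with the smaller absolute bias is the more accurate one."""
    return "A" if abs(mean(a) - truth) <= abs(mean(b) - truth) else "B"


def more_precise(a, b):
    """The instrument with the smaller spread is the more precise one."""
    return "A" if stdev(a) <= stdev(b) else "B"


if __name__ == "__main__":
    for name, data in (("A", SCANNER_A), ("B", SCANNER_B)):
        print(name, characterize(data, GROUND_TRUTH))
    print("more accurate:", more_accurate(SCANNER_A, SCANNER_B, GROUND_TRUTH))
    print("more precise:", more_precise(SCANNER_A, SCANNER_B))
```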