Monday, February 17, 2014

Two new #InfoSec books that could transform your way of thinking

Happiness is having great colleagues and collaborators.  I'm very happy to recommend to you two new books by three of my favorite colleagues -- Jay Jacobs (@jayjacobs), Bob Rudis (@hrbrmstr), and Adam Shostack (@adamshostack).  These books not only do a great job covering the topics, they could also transform your way of thinking.

Data-driven Security -- Analysis, Visualization, and Dashboards

As Technical Editor for this book, I've read every single word, examined every figure, and run every single line of code, so I can safely say that I know the book backwards and forwards.  Here is my short summary of this book and its value proposition:
Data-driven Security is an ideal "on-ramp" for all information security professionals who want to expand their skills into the basics of statistical data analysis and visualization using R and Python.  With these new skills as stepping stones and building blocks, it could transform the way you think about or manage information security. 

One key to its value proposition is that it is a well-designed on-ramp aimed directly at front-line information security professionals.  I hear a lot of people saying that data science is too esoteric or too academic or out of reach (mathematically) for information security professionals.  Clearly, it's foreign territory and most InfoSec professionals lack many of the prerequisites for many of the data science books or courses (e.g. basic statistics, scientific programming).  Data-driven Security can help you get over these barriers in a way that is fairly smooth.

Bob and Jay write in an accessible, informal style using the language (and humor) of information security.  They are careful to explain key terms along the way and demystify concepts where necessary.  Most of all, they provide you relevant examples which they walk through step by step. Nearly everything is explained through examples that the reader can run while reading the book, and I'd say that running the example code yourself (learning by doing) is essential to get full value from the book.

The second key to its value proposition is they encourage readers to use these skills as stepping stones and building blocks for more ambitious projects.  If you stop with the examples given in the book, a skeptical reader might say "So what? These results won't make much difference to my security program." But it's up to the reader to take the skills and methods they learn through the book to take on projects that are more complicated and will have a more significant impact.  That requires imagination and a pioneering spirit, including willingness to fail or to endure frustration if they don't work out as hoped.  In other words, the "transformation in your way of thinking" that I mention in the title of this blog post will come when (some of) you take the giant step of applying and experimenting with these methods in your own world.  The transformation may be something as simple as:

  • Before: "Data science is something other people do, but we don't, and besides it doesn't have much relevance to information security, as far as I know."
  • After: "Data science is something I do as part of my day-to-day job.  Though I'm still learning, I can show examples of how it has made a huge difference in our performance or decision-making."

This is an introductory book, so they survey a lot of topics without going into much detail on any of them.  While topics like machine learning are discussed, reading this book won't help you win a data science contest on  They also don't talk much about how an entire information security program at the CISO or CIO level could be transformed using data-driven approaches.  That would need a whole separate book (or two!).

Resources and Conversations

In addition to the book, they have a web site with a blog and resources.  For example, here's their Data-driven Security video podcast ep. 1 that I participated in with Jay, Bob, Michael Roytman, and Alex Pinto.

They also appeared on the most recent episode of the Down the Rabbit Hole podcast, where they discuss the ideas in their book and the general topic of how information security might be transformed using a data-driven approach.

If you want to talk to Bob and Jay directly, they will be at the RSA Conference and Metricon (Friday, Feb 28).

Threat Modeling: Designing for Security

This book I haven't read yet, so my recommendation is based on my relationship with the author, previous conversations while it was under development, and reading the Table of Contents plus preview text.  Even so, I'm very excited about it and I'm offering a strong endorsement.

This is how I summarized the book in a tweet earlier this week:
Jeebus! @adamshostack drops a Daisy Cutter #knowledgeBomb on the topic of #ThreatModeling
(In case you don't get the reference, "Daisy Cutter" bombs are very heavy bombs that are designed for maximum blast damage over a sizable area, nominally aimed at clearing forest for helicopter landing areas.)

Threat modeling is another area in information security that many practitioners believe is too hard, too esoteric, or inaccessible to them, or maybe not worth the effort.  Threat Modeling covers the topic from every possible direction and with great thoroughness.  I can't tell how far he goes into probabilistic analysis of threat agents or attacks -- one of my main interests -- so I'm looking forward to that when I read the book.

The main value proposition, I believe, is that threat modeling is an essential feature of a mature information security program and it can provide many benefits to many specific tasks and projects within security.  (In the Ten Dimensions framework, I would put threat modeling at the heart of Dimension 2: Effective Threat Intelligence.)

Here's one way this book could transform your thinking:
  • Before: "Threat modeling?  What's that?  No, we don't 'model' threats.  We know what they are, but why bother modeling them?"
  • After: "Threat modeling is an integral part of how we manage information security to achieve high performance.  We make smarter decisions, focus our resources better, and, most of all, we are more pro-active in preventing security vulnerabilities and preparing for emerging threats."
(Disclosure: I was a guest blogger for a few years at Adam's web site for his previous book: New School of Information Security.)

Resources and Conversations

Adam has a web site for the book and related resources.  He's presenting at B-Sides San Francisco on Tuesday afternoon, just before my talk on unexpected consequences.  He'll also be presenting elsewhere in the Bay Area after RSA Conference.  You can sign up for a limited-volume mailing list here.
