<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>noFUD - No Fear Uncertainty or Doubt</title>
	
	<link>http://nofud.org</link>
	<description>Information security analysis by Akshay Aggarwal</description>
	<lastBuildDate>Fri, 10 Apr 2009 19:44:11 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<cloud domain="nofud.org" port="80" path="/?rsscloud=notify" registerProcedure="" protocol="http-post" />
<image>
		<url>http://www.gravatar.com/blavatar/8f5584191510ae54e6663a5337b91af4?s=96&amp;d=http://s.wordpress.com/i/buttonw-com.png</url>
		<title>noFUD - No Fear Uncertainty or Doubt</title>
		<link>http://nofud.org</link>
	</image>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/noFUD" type="application/rss+xml" /><feedburner:emailServiceId>noFUD</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
		<title>Shrinking Budgets: Application Security Tools vs Process Tradeoff</title>
		<link>http://feedproxy.google.com/~r/noFUD/~3/PlCMaqPfcm0/</link>
		<comments>http://nofud.org/2009/04/10/shrinking-budgets-application-security-tools-vs-process-tradeoff/#comments</comments>
		<pubDate>Fri, 10 Apr 2009 19:44:11 +0000</pubDate>
		<dc:creator>akshay aggarwal</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[SDL]]></category>
		<category><![CDATA[SDLC]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://nofud.wordpress.com/2009/04/10/shrinking-budgets-application-security-tools-vs-process-tradeoff/</guid>
		<description><![CDATA[An all too familiar scene repeated itself two weeks ago. My good friend &#38; CISO of a mid-sized technology company, let’s call him Alok, went into a budget planning meeting and came out as a shadow of his former self. To be more precise, an 85% version of the Alok that I know. He had just been handed a 15% reduction in budget.]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>An all too familiar scene repeated itself two weeks ago. My good friend &amp; CISO of a mid-sized technology company, let’s call him Alok, went into a budget planning meeting and came out as a shadow of his former self. To be more precise, an 85% version of the Alok that I know. He had just been handed a 15% reduction in budget.</p>
<p>Like most managers, Alok started taking stock of his mini-empire and prioritizing things that he could do without. Luckily he had already expected a cut and so had planned ahead. Unluckily, he had planned for a 6% reduction, not a 15% reduction. After some brainstorming and taking some tough decisions he had cut costs by 10%. Now began his quest for the elusive final 5%. His organization had started the transition from being a network security centric organization to a more application security centric organization around 15 months ago. So, a solution posed by one of his managers was to drop the security engineering process integration program and replace it with a set of static analysis tools they had just evaluated. This strategy had paid off handsomely for them in the network security field. Ron, one of the leading application architects in the organization, was opposed to the idea. Thus started a turf war, which left some angry, most frustrated and everyone confused.</p>
<p>Unlike most managers, Alok reached out for advice. He asked me to share my experience with customers in similar budgetary situations &amp; maturity. This is how our conversation went:</p>
<p><em>Alok</em>: So I think the automated security tools can help us reduce risk and save us money. Unfortunately, I have to reduce budget and I’m thinking of buying &lt;snip&gt; tool to drive efficiency. What do you think?</p>
<p><em>Akshay</em>: I’m sorry that you have had a budget cut. A lot of my clients have been facing a similar situation. Before I answer your question can you tell me what value you expect to derive from the tool?</p>
<p><em>Alok</em>: We are looking to get standardized security bugs and find all the vulnerabilities that exist in our code base. </p>
<p><em>Akshay</em>: Do you know how the tool compares to a manual security code review? I mean, what kind of coverage does it give you? And is that coverage good enough for your organization?</p>
<p><em>Alok</em>: No, we haven’t examined that. Assume that it is. Should we go ahead? You know I can get more done with less by buying the tool and getting rid of my contingent vendor staff.</p>
<p><em>Akshay</em>: Well, the tool that you mentioned will need to be used by both your development team and your security team. Have you considered the cost of training people to use it?</p>
<p><em>Alok</em>: No. What other impacts and costs may there be?</p>
<p><em>Akshay</em>: I imagine the development staff is also being reduced. I imagine that they will resist taking on additional work while having to let go of people. In my experience, when clients buy static analysis or other tools, a large portion of them end up as shelfware. Not enough thought is given to how to integrate this into existing development lifecycles. Application security is <a href="http://blogs.gartner.com/neil_macdonald/2009/03/07/application-security-a-tool-cannot-solve-what-fundamentally-is-a-process-problem/">fundamentally a process problem</a> and you can’t solve it just by using tools.</p>
<p>In my opinion, this is a great time for forward-looking organizations to re-engineer their development process to integrate security into the process. People are the biggest resisters of change. Culture change is the toughest challenge when moving to an SDL-like process. The prevailing lean development team, a more malleable workforce and forward-looking leadership can and should be leveraged in these tough economic times to make the organization healthier for the future.</p>
<p>- Akshay </p>
Posted in Application Security, Information Technology, Leadership, SDL, SDLC, Security, Strategy, Tools</div>]]></content:encoded>
			<wfw:commentRss>http://nofud.org/2009/04/10/shrinking-budgets-application-security-tools-vs-process-tradeoff/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7f872956a89dba537d87a7a1494d19be?s=96&amp;d=monsterid" medium="image">
			<media:title type="html">akshay</media:title>
		</media:content>
	<feedburner:origLink>http://nofud.org/2009/04/10/shrinking-budgets-application-security-tools-vs-process-tradeoff/</feedburner:origLink></item>
		<item>
		<title>Akshay’s Uncertainty Principle: Observing Some Metrics Changes Them</title>
		<link>http://feedproxy.google.com/~r/noFUD/~3/obaAEsWPD6o/</link>
		<comments>http://nofud.org/2009/03/24/akshays-uncertainty-principle-observing-some-metrics-changes-them/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 16:32:00 +0000</pubDate>
		<dc:creator>akshay aggarwal</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[metrics]]></category>

		<guid isPermaLink="false">http://nofud.wordpress.com/2009/03/24/akshays-uncertainty-principle-observing-some-metrics-changes-them/</guid>
		<description><![CDATA[You’ve probably heard of the famous Heisenberg Uncertainty Principle in quantum physics. It states:
“The more precisely the position is determined, the less precisely the momentum is known in this instant, and vice versa.”      &#8211;Heisenberg, uncertainty paper, 1927

This principle is related to the observer effect. In physics, the term observer [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>You’ve probably heard of the famous Heisenberg Uncertainty Principle in quantum physics. It states:</p>
<blockquote><p>“The more precisely the position is determined, the less precisely the momentum is known in this instant, and vice versa.”      <br />&#8211;Heisenberg, uncertainty paper, 1927</p>
</blockquote>
<p><a href="http://nofud.files.wordpress.com/2009/03/image.png"><img style="display:inline;margin-left:0;margin-right:0;border-width:0;" title="Heisenberg in 1927" border="0" alt="Heisenberg in 1927" align="right" src="http://nofud.files.wordpress.com/2009/03/image-thumb.png?w=167&#038;h=244" width="167" height="244" /></a>This principle is related to the observer effect. In physics, the term <b><a href="http://en.wikipedia.org/wiki/Observer_effect_(physics)" target="_blank">observer effect</a></b> refers to the changes that the act of observation makes to the phenomenon being observed.</p>
<p>OK, now to get to the point. As a business manager responsible for P&amp;L, I am asked to produce several performance metrics or revenue metrics. Some of these metrics are simple and straightforward Key Performance Indicators (KPIs). KPIs can include net revenue, profit, number of new customers or, in our case, customer satisfaction numbers.</p>
<p>The problem with metrics crops up when we need to measure a property and no mechanism exists to measure it quickly or the metric is not representative of the property being measured. In general this happens when the following scenarios arise:</p>
<ol>
<li><font face="Georgia">Metric is not available: No mechanism is in place to measure the property at that time. </font></li>
<li><font face="Georgia">Property is not measurable: No metrics are available to capture the property.</font> </li>
<li><font face="Georgia">Deliver unplanned metrics quickly: Metrics that the system was not designed to capture need to be measured quickly. </font></li>
<li><font face="Georgia">CSF masquerading as KPI: Critical Success Factors are vital elements for a strategy to be successful and should not be confused with KPIs, which quantify strategic performance. The metric being asked for is a CSF, not a KPI.</font></li>
</ol>
<p>In simple words, the amount of effort required to <em>measure</em> the metric changes the amount of effort we can dedicate to <em>create</em> the metric. The act of measuring the metric changes it. For example, in the economic downturn several teams have had to reduce headcount. If such a barebones team is now asked to capture information on how a recently released tool is being used by customers, without that mechanism already in place, then they cannot deliver that metric without additional effort that will impact the overall KPIs. The problem that arises is what I’ve dubbed <strong>Akshay’s Uncertainty Principle</strong>:</p>
<blockquote><p>In a resource constrained environment, a new or modified metric cannot be measured without impacting the metric itself.</p>
</blockquote>
<p>- Akshay</p>
Posted in Business, Leadership, Strategy Tagged: metrics</div>]]></content:encoded>
			<wfw:commentRss>http://nofud.org/2009/03/24/akshays-uncertainty-principle-observing-some-metrics-changes-them/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7f872956a89dba537d87a7a1494d19be?s=96&amp;d=monsterid" medium="image">
			<media:title type="html">akshay</media:title>
		</media:content>

		<media:content url="http://nofud.files.wordpress.com/2009/03/image-thumb.png" medium="image">
			<media:title type="html">Heisenberg in 1927</media:title>
		</media:content>

		<media:content url="http://nofud.files.wordpress.com/2009/03/feedicon28x28.png" medium="image">
			<media:title type="html">feed-icon-28x28</media:title>
		</media:content>
	<feedburner:origLink>http://nofud.org/2009/03/24/akshays-uncertainty-principle-observing-some-metrics-changes-them/</feedburner:origLink></item>
		<item>
		<title>RIP: Jack Louis passes on</title>
		<link>http://feedproxy.google.com/~r/noFUD/~3/V78DWSOINkI/</link>
		<comments>http://nofud.org/2009/03/19/rip-jack-louis-passes-on/#comments</comments>
		<pubDate>Thu, 19 Mar 2009 16:38:00 +0000</pubDate>
		<dc:creator>akshay aggarwal</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://nofud.wordpress.com/2009/03/19/rip-jack-louis-passes-on/</guid>
		<description><![CDATA[Jack Louis of Outpost24 passed away on Sunday as a result of a house fire in Sweden. He was known for the security scan tool Unicornscan. Some of you may remember him from Sockstress, a vulnerability that can trigger denial of service on any system that listens for remote connections using TCP. Jack and my paths [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Jack Louis of Outpost24 passed away on Sunday as a result of a house fire in Sweden. He was known for the security scan tool <a href="http://www.unicornscan.org/" target="_blank">Unicornscan</a>. Some of you may remember him from <a href="http://en.wikipedia.org/wiki/Sock_stress" target="_blank">Sockstress</a>, a vulnerability that can trigger denial of service on any system that listens for remote connections using TCP. Jack’s and my paths had crossed a few times in both competitively and intellectually fulfilling ways.</p>
<p>- Akshay</p>
Posted in Security</div>]]></content:encoded>
			<wfw:commentRss>http://nofud.org/2009/03/19/rip-jack-louis-passes-on/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7f872956a89dba537d87a7a1494d19be?s=96&amp;d=monsterid" medium="image">
			<media:title type="html">akshay</media:title>
		</media:content>
	<feedburner:origLink>http://nofud.org/2009/03/19/rip-jack-louis-passes-on/</feedburner:origLink></item>
		<item>
		<title>Response to InfoSec X Prize Part 1</title>
		<link>http://feedproxy.google.com/~r/noFUD/~3/ULF_iPuWUWs/</link>
		<comments>http://nofud.org/2009/03/04/response-to-infosec-x-prize-part-1/#comments</comments>
		<pubDate>Wed, 04 Mar 2009 18:02:00 +0000</pubDate>
		<dc:creator>akshay aggarwal</dc:creator>
				<category><![CDATA[Innovation]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[X Prize]]></category>

		<guid isPermaLink="false">http://nofud.wordpress.com/2009/03/04/response-to-infosec-x-prize-part-1/</guid>
		<description><![CDATA[So I’ve been quite amazed by the amount of discussion and feedback I have received from colleagues and peers on my original post on creating fundamental change through competition. I will be posting some of the written replies that I received and which people have kindly consented to having me post.
Here is a response sent [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>So I’ve been quite amazed by the amount of discussion and feedback I have received from colleagues and peers on my <a href="http://nofud.org/2009/01/22/the-infosec-x-prize-fundamental-change-through-competition/" target="_blank">original post</a> on creating fundamental change through competition. I will be posting some of the written replies that I received and which people have kindly consented to having me post.</p>
<p>Here is a response sent to me by my friend Olav Opedal with Microsoft’s Information Security group:</p>
<blockquote><p><a name="_MailEndCompose"><span style="color:#000000;">I believe the change has already happened, but you haven’t seen much of it translated into off-the-shelf products. The change that I see is based on the use of applied mathematical solutions found in other science branches, such as using power-law distributions describing social networks to define who should have access to what, along with physics heat models applied to network traffic. With this, I mean using real-time multi-dimensional analysis of network traffic, user actions, content and context of transmissions, etc. to determine a probability of appropriateness of the actions. In other words, using mathematical models to find the change point as soon as possible, and discard anomalies that have little effect on the CIA triangle. One thing that is clear is that information must be given an economic value to enable a decision point to be set for action versus inaction.</span></a></p></blockquote>
<p>So does all information need to be given economic value? If so, can all information be given economic value? This is an interesting train of thought to follow.</p>
<p>- Akshay</p>
Posted in Innovation, Security, X Prize</div>]]></content:encoded>
			<wfw:commentRss>http://nofud.org/2009/03/04/response-to-infosec-x-prize-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7f872956a89dba537d87a7a1494d19be?s=96&amp;d=monsterid" medium="image">
			<media:title type="html">akshay</media:title>
		</media:content>

		<media:content url="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" medium="image" />
	<feedburner:origLink>http://nofud.org/2009/03/04/response-to-infosec-x-prize-part-1/</feedburner:origLink></item>
		<item>
		<title>Baking Security In: A Comic Strip View of SDL</title>
		<link>http://feedproxy.google.com/~r/noFUD/~3/9NtkooDaKHc/</link>
		<comments>http://nofud.org/2009/02/19/baking-security-in-a-comic-strip-view-of-sdl/#comments</comments>
		<pubDate>Thu, 19 Feb 2009 23:07:00 +0000</pubDate>
		<dc:creator>akshay aggarwal</dc:creator>
				<category><![CDATA[Comics]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[SDL]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://nofud.wordpress.com/2009/02/19/baking-security-in-a-comic-strip-view-of-sdl/</guid>
		<description><![CDATA[So how do you take your average developer who scoffs at security from the careless and brash, aka Kevin, to the poster child for good development practices, aka Kevlarr? Well, the Microsoft SDL team has the answer for you. The team recently started publishing a series of web comics detailing the travails of the dev [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>So how do you take your average developer who scoffs at security from <a href="http://nofud.files.wordpress.com/2009/02/kevin.png"><img style="border-bottom:0;border-left:0;display:inline;margin-left:0;border-top:0;margin-right:0;border-right:0;" title="Kevin" src="http://nofud.files.wordpress.com/2009/02/kevin-thumb.png?w=125&#038;h=240" border="0" alt="Kevin" width="125" height="240" align="left" /></a><a href="http://nofud.files.wordpress.com/2009/02/2.png"><img style="border-bottom:0;border-left:0;display:inline;margin-left:0;border-top:0;margin-right:0;border-right:0;" title="Kevlarr" src="http://nofud.files.wordpress.com/2009/02/2-thumb.png?w=125&#038;h=240" border="0" alt="Kevlarr" width="125" height="240" align="right" /></a>the careless and brash, aka Kevin, to the poster child for good development practices, aka Kevlarr? Well, the <a href="http://microsoft.com/sdl" target="_blank">Microsoft SDL</a> team has the answer for you. The team recently started publishing a series of <a href="http://www.microsoft.com/security/bakingsecurityin/strips.htm" target="_blank">web comics</a> detailing the travails of the dev team at Contoso, who are under attack from the League of Malware. Along the way they battle with foes such as Spam Bot and Social Engineer while getting help from Vigil and Nforcer. Strip 11 of this interesting attempt to socialize security is below:<a href="http://nofud.files.wordpress.com/2009/02/image.png"><img style="border-bottom:0;border-left:0;display:inline;border-top:0;border-right:0;" title="image" src="http://nofud.files.wordpress.com/2009/02/image-thumb.png?w=409&#038;h=603" border="0" alt="image" width="409" height="603" /></a></p>
<p>Socializing security is essential for organizations to drive culture change from one based on FUD to one based on an understanding of security needs. People are the most complex part of the security puzzle. Most people take the easy way out and will avoid the things they fear or don’t understand. Every CIO should ask what his/her organization’s plans around socializing security are. So what are they?</p>
<p>- Akshay</p>
Posted in Comics, Microsoft, SDL, Security</div>
]]></content:encoded>
			<wfw:commentRss>http://nofud.org/2009/02/19/baking-security-in-a-comic-strip-view-of-sdl/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7f872956a89dba537d87a7a1494d19be?s=96&amp;d=monsterid" medium="image">
			<media:title type="html">akshay</media:title>
		</media:content>

		<media:content url="http://nofud.files.wordpress.com/2009/02/kevin-thumb.png" medium="image">
			<media:title type="html">Kevin</media:title>
		</media:content>

		<media:content url="http://nofud.files.wordpress.com/2009/02/2-thumb.png" medium="image">
			<media:title type="html">Kevlarr</media:title>
		</media:content>

		<media:content url="http://nofud.files.wordpress.com/2009/02/image-thumb.png" medium="image">
			<media:title type="html">image</media:title>
		</media:content>

		<media:content url="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" medium="image" />
	<feedburner:origLink>http://nofud.org/2009/02/19/baking-security-in-a-comic-strip-view-of-sdl/</feedburner:origLink></item>
		<item>
		<title>Microsoft IT Solutions: Full Drive Encryption using BitLocker</title>
		<link>http://feedproxy.google.com/~r/noFUD/~3/_bU3GxOywe0/</link>
		<comments>http://nofud.org/2009/02/07/microsoft-it-solutions-full-drive-encryption-using-bitlocker/#comments</comments>
		<pubDate>Sat, 07 Feb 2009 17:30:00 +0000</pubDate>
		<dc:creator>akshay aggarwal</dc:creator>
				<category><![CDATA[Consulting]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[Innovation]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://nofud.wordpress.com/2009/02/07/microsoft-it-solutions-full-drive-encryption-using-bitlocker/</guid>
		<description><![CDATA[One of the challenges that I have been focusing my team on this fiscal year has been creating new solutions that leverage the learning that Microsoft IT has had in deploying technology or solving problems. Microsoft IT generally has to deploy new technologies from Microsoft several months before they are generally available for general release [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>One of the challenges that I have been focusing my team on this fiscal year has been creating new solutions that leverage the learning that Microsoft IT has had in deploying technology or solving problems. Microsoft IT typically has to deploy new Microsoft technologies several months before they are generally available, in a process known as <em>dogfooding</em>. Often it needs to develop and deploy solutions multiple times as the product cycles from betas to release candidates to the released version. Customers will find solutions that leverage this deep expertise and experience useful in speeding up the architecture &amp; deployment of their own solutions.</p>
<p>In this series, Microsoft IT Solutions, I will be detailing some of the innovation coming out of Microsoft’s InfoSec group. The first of the series is Full Drive Encryption using BitLocker®. I asked <strong>Richard Lewis, Security Architect</strong> on my team &amp; the creator of this solution kit, to describe the BitLocker FDE solution. Here is his description:</p>
<blockquote><p>The InfoSec team recently created and delivered the BitLocker Service Kit for the Core I/O Service Line under the Security, Identity and Access Management (SIAM) portfolio. SIAM is a portfolio offering from Microsoft Services.&#160; SIAM is divided into six offerings that address particular security IT capabilities – the BitLocker Service Kit was created under the <i>Enterprise Data Security Optimization</i> IT capability. </p>
<p>The BitLocker Service Kit provides Microsoft Services sales and delivery roles with the resources they need to sell and deliver comprehensive Full Volume Encryption solutions based on Windows BitLocker Drive Encryption. Ultimately this Service Kit helps Microsoft Services accelerate their customer’s BitLocker deployment timeline and therefore Windows Vista deployment, decrease the risk of data loss, and increase customer satisfaction. Overall this kit contains over twenty different documents such as checklists, guides, worksheets, operation guides, architecture and design documents to help our sales and delivery consultants to deploy BitLocker in an optimized manner. </p>
<p>The resource who led creation of this service kit was also involved in the MSIT BitLocker deployment and is currently helping a large financial services organization deploy BitLocker to over 100,000+ desktops. Learning and feedback from the MSIT internal BitLocker deployment were instrumental in creation of this Service Kit and will continue to be used as InfoSec goes in the field and helps Microsoft customers with their BitLocker deployments. This kit demonstrates that IP from MSIT projects adds value to our products &amp; ultimately our customers.&#160; </p>
</blockquote>
<p>Drop me a note if you would like some additional details on this solution kit or the innovation process within Microsoft.</p>
<p>- Akshay    </p>
Posted in Consulting, Information Technology, Innovation, Microsoft, Security</div>
]]></content:encoded>
			<wfw:commentRss>http://nofud.org/2009/02/07/microsoft-it-solutions-full-drive-encryption-using-bitlocker/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7f872956a89dba537d87a7a1494d19be?s=96&amp;d=monsterid" medium="image">
			<media:title type="html">akshay</media:title>
		</media:content>
	<feedburner:origLink>http://nofud.org/2009/02/07/microsoft-it-solutions-full-drive-encryption-using-bitlocker/</feedburner:origLink></item>
		<item>
		<title>Note to Fannie Mae: Dealing with Logic Bombs</title>
		<link>http://feedproxy.google.com/~r/noFUD/~3/oQjn0oQkvf0/</link>
		<comments>http://nofud.org/2009/01/31/note-to-fannie-mae-dealing-with-logic-bombs/#comments</comments>
		<pubDate>Sat, 31 Jan 2009 17:30:00 +0000</pubDate>
		<dc:creator>akshay aggarwal</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Finance]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://nofud.wordpress.com/2009/01/31/note-to-fannie-mae-dealing-with-logic-bombs/</guid>
		<description><![CDATA[Today, it was revealed that a departing contractor left Fannie Mae with a parting gift – a Logic Bomb designed to take out 4000 of the financial giant’s servers &#38; their data. Since this news broke, a number of concerned CIOs have asked my team for some guidance on how to deal with logic bombs. So [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Today, it was revealed that a departing contractor left Fannie Mae with a <a href="http://blog.wired.com/27bstroke6/2009/01/fannie.html" target="_blank">parting gift</a> – a <em>Logic Bomb</em> designed to take out 4000 of the financial giant’s servers &amp; their data. Since this news broke, a number of concerned CIOs have asked my team for some guidance on how to deal with logic bombs. So here is a quick lesson on these malicious attacks.</p>
<blockquote><p>A <strong>Logic Bomb</strong> is a malicious piece of code inserted into a software system that executes when certain conditions are met, most commonly a set date. A Logic Bomb that goes off on a particular date is called a <strong>Time Bomb</strong>.</p></blockquote>
<p>In this case the attack was successful because the contractor’s authorization to access systems was not revoked after he was let go. In technical identity management systems like <a href="http://www.microsoft.com/windowsserver2008/en/us/ida-identity-lifecycle-management.aspx" target="_blank">ILM</a>, revoking that access is known as deprovisioning.</p>
<p>Logic Bombs are usually indistinguishable from normal code and are inserted into the system by a programmer who has authorized access to the system. They are a type of insidious attack called an <em>insider attack.</em> These are the most difficult class of attacks to detect and mitigate. The CSI/FBI 2005 Computer Crime and Security Survey indicated that 56% of organizations reported some level of security breach from within their organization. So a note to all you CIOs/CSOs: if you think that only your internet-facing assets face a high risk of attack… think again.</p>
<p>What can you do to avoid a fate like Fannie Mae’s? Sadly, your options are limited and depend on strict adherence to process. This is what you can do (in order of immediate to long term):</p>
<ul>
<li><span style="font-family:Georgia;">Deprovision user accounts for individuals who have been let go while they are on premises or even before you inform them</span></li>
<li><span style="font-family:Georgia;">For programmers, create a copy of their files and code before they leave. These can be compared with copies of files and code after a few days to look for changes.</span></li>
<li><span style="font-family:Georgia;">After a person with access to critical digital assets including systems and code leaves the org, invest in having a peer double check for logic bombs that may have been left behind</span></li>
<li><span style="font-family:Georgia;">Change access credentials to critical systems periodically and consider two factor authentication.</span></li>
<li><span style="font-family:Georgia;">Use an identity management system to manage provisioning &amp; deprovisioning user accounts</span></li>
<li><span style="font-family:Georgia;">Invest in multi-tiered logging and auditing systems with separation of duties between the monitored and monitoring parties. This ensures a trail of evidence for prosecution in the case that you are indicted.</span></li>
</ul>
<p>Plan ahead to deny the disgruntled the ability to plant logic bombs; failing that, defuse the logic bombs; failing that, hit the deck and hope that the script has a bug.</p>
<p>- Akshay</p>
Posted in Application Security, Finance, Microsoft, Risk, Security, Strategy</div>
]]></content:encoded>
			<wfw:commentRss>http://nofud.org/2009/01/31/note-to-fannie-mae-dealing-with-logic-bombs/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7f872956a89dba537d87a7a1494d19be?s=96&amp;d=monsterid" medium="image">
			<media:title type="html">akshay</media:title>
		</media:content>

		<media:content url="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" medium="image" />
	<feedburner:origLink>http://nofud.org/2009/01/31/note-to-fannie-mae-dealing-with-logic-bombs/</feedburner:origLink></item>
		<item>
		<title>The InfoSec X Prize: Fundamental Change Through Competition</title>
		<link>http://feedproxy.google.com/~r/noFUD/~3/8vPzyQ7kJyI/</link>
		<comments>http://nofud.org/2009/01/22/the-infosec-x-prize-fundamental-change-through-competition/#comments</comments>
		<pubDate>Thu, 22 Jan 2009 17:25:00 +0000</pubDate>
		<dc:creator>akshay aggarwal</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Finance]]></category>
		<category><![CDATA[Innovation]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[X Prize]]></category>

		<guid isPermaLink="false">http://nofud.wordpress.com/2009/01/22/the-infosec-x-prize-fundamental-change-through-competition/</guid>
		<description><![CDATA[Today I had a thought provoking conversation with Dr. Peter Diamandis, Chairman and CEO of Zero Gravity Corporation &#38; X Prize Foundation, on radical &#38; fundamental change. Change that advances the status quo rather than relying on incremental change for gradual advance.
Arguably the Ansari X Prize (and others in the hopper) have achieved some breakthrough [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Today I had a thought-provoking conversation with <a target="_blank" href="http://www.xprize.org/blogs/dr-peter-diamandis">Dr. Peter Diamandis</a>, Chairman and CEO of Zero Gravity Corporation &amp; X Prize Foundation, on radical &amp; fundamental change. Change that advances the status quo rather than relying on incremental change for gradual advance.</p>
<p>Arguably the <a target="_blank" href="http://en.wikipedia.org/wiki/Ansari_X_Prize">Ansari X Prize</a> (and others in the hopper) have achieved some breakthrough successes. The most notable achievements of the X Prize are:</p>
<ul>
<li><font face="Georgia">Achieving fundamental advancement in technology using competition driven philanthropy</font> </li>
<li><font face="Georgia">High rate of investment with respect to prize money. An example Diamandis provided was $100 million invested in Ansari X prize for a $10 million prize</font> </li>
<li><font face="Georgia">Booster to commercial adoption resulting from the advancement made. An example is the rapid kick start of transatlantic commercial air services after Lindbergh’s successful attempt at the <a target="_blank" href="http://www.charleslindbergh.com/plane/orteig.asp">Orteig Prize</a> in 1927</font> </li>
</ul>
<p>Now this brings me to a recurrent theme of conversation between my friend Eric Rachner and me. It is my belief that there has not been a fundamental change in the field of information security in the last decade. Sure, things have become better, people are more aware, tools are easier &amp; more reliable &amp; dozens of new vulnerabilities are being found every day. A thinking practitioner of the craft will reflect and agree that though there have been several neat innovations like the vulnerability marketplace, security development lifecycle, etc., most of the effort is spent chasing technical bits &amp; bytes issues. Once, as we walked over to get dinner, Microsoft’s InfoSec Director Chris H. expressed this sentiment concisely for me, “Organizations have to constantly fight to demonstrate minuscule changes in their risk meter.”</p>
<p>So I got to thinking, what would constitute a <em>fundamental change</em> in infosec? Something worthy of an X Prize (or a mini version of the X Prize for the sake of argument). Before I go into my idea, let me qualify that, security being a state of a system, a conversation about it would be incomplete without defining the system. “Achieving security” is like aspiring to a noun. So here is my first stab at a problem worthy of the <strong>InfoSec X Prize</strong>:</p>
<p>To win the <strong>InfoSec X Prize</strong>, a team must successfully create a system that will, in real time, analyze security alerts from the world’s largest internet retailer and take corrective response with an accuracy rate of 99% when compared to 10 man-years of manual analysis by InfoSec experts.</p>
<p>I will be coming up with additional X Prize ideas and posting them periodically. I would be very interested in knowing <u>what solution you consider worthy of such a prize.</u> Drop me a note and remember that the following constraints would apply to a solution worthy of the <strong>InfoSec X Prize</strong>:</p>
<ul>
<li><font face="Georgia">Must be achievable within 5-8 years of the X Prize being instituted</font> </li>
<li><font face="Georgia">Non-government/private organizations should be able to develop the solution</font> </li>
<li><font face="Georgia">Solution should represent a revolutionary change in field of information security</font> </li>
</ul>
<p>- Akshay</p>
Posted in Application Security, Business, Finance, Innovation, Leadership, Research, Security, Strategy, X Prize</div>
]]></content:encoded>
			<wfw:commentRss>http://nofud.org/2009/01/22/the-infosec-x-prize-fundamental-change-through-competition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7f872956a89dba537d87a7a1494d19be?s=96&amp;d=monsterid" medium="image">
			<media:title type="html">akshay</media:title>
		</media:content>
	<feedburner:origLink>http://nofud.org/2009/01/22/the-infosec-x-prize-fundamental-change-through-competition/</feedburner:origLink></item>
		<item>
		<title>Microfinance: One Calf At A Time</title>
		<link>http://feedproxy.google.com/~r/noFUD/~3/E4JLCwQcgsc/</link>
		<comments>http://nofud.org/2008/12/22/microfinance-one-calf-at-a-time/#comments</comments>
		<pubDate>Mon, 22 Dec 2008 19:22:00 +0000</pubDate>
		<dc:creator>akshay aggarwal</dc:creator>
				<category><![CDATA[Finance]]></category>

		<guid isPermaLink="false">http://nofud.wordpress.com/2008/12/24/microfinance-one-calf-at-a-time/</guid>
		<description><![CDATA[Today while reading the repercussions of the Madoff scandal, I received an email informing me that a microfinance (MF)&#160; loan that I had made to a person in Central Asia to purchase livestock had been paid back in full and on time. In a week of bad financial news marked by financial greed at the [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Today, while reading about the repercussions of the Madoff scandal, I received an email informing me that a microfinance (MF) loan that I had made to a person in Central Asia to purchase livestock had been paid back in full and on time. In a week of bad financial news marked by financial greed at the top, it was heartening to realize the integrity of a few at the bottom.</p>
<p>As of now the microfinance industry (MFI) seems to be bucking the trend of the global financial crisis. Repayment is still fairly high at 97-98% (according to <a target="_blank" href="http://www.swwb.org/">Women&#8217;s World Banking</a>). It seems that the size of the MF market is insulating it from a downturn – the MF market is several times smaller than the losses in the current global financial crisis. Another factor protecting MFIs is that they do not serve the poorest of the poor. MFIs in general are geared towards mobilizing the entrepreneurial poor, who are more economically active.</p>
<p>As the crisis develops further, there is an increasing risk that the MFIs may also see a liquidity crunch owing to recession in the US &amp; Europe, increasing default rates and difficulty in raising funds from investors. One trend seems certain though, the growth rate of the MFI will slow from the rapid expansions it has seen due to commercialization &amp; product diversification. Hopefully this will give the industry some breathing space to mature further and come out of this crisis stronger.</p>
<p>In any case, that one email buoyed my spirit and while all may not be well, all is not bad either.</p>
<p>- Akshay</p>
Posted in Finance</div>
]]></content:encoded>
			<wfw:commentRss>http://nofud.org/2008/12/22/microfinance-one-calf-at-a-time/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7f872956a89dba537d87a7a1494d19be?s=96&amp;d=monsterid" medium="image">
			<media:title type="html">akshay</media:title>
		</media:content>
	<feedburner:origLink>http://nofud.org/2008/12/22/microfinance-one-calf-at-a-time/</feedburner:origLink></item>
		<item>
		<title>Business During Downturn: The Chain Of Trust</title>
		<link>http://feedproxy.google.com/~r/noFUD/~3/5W_mT6zdRvQ/</link>
		<comments>http://nofud.org/2008/12/18/business-during-downturn-the-chain-of-trust/#comments</comments>
		<pubDate>Fri, 19 Dec 2008 02:09:37 +0000</pubDate>
		<dc:creator>akshay aggarwal</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Leadership]]></category>

		<guid isPermaLink="false">http://nofud.wordpress.com/2008/12/18/business-during-downturn-the-chain-of-trust/</guid>
		<description><![CDATA[Business during economic downturns brings to the surface the tiny fractures that were unnoticeable during the good times. It is a fertile ground to relearn some of the lessons of the past &#38; form wisdom for the future. I am going to try and capture some of the learning during this new series Business During [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Business during economic downturns brings to the surface the tiny fractures that were unnoticeable during the good times. It is a fertile ground to relearn some of the lessons of the past &amp; form wisdom for the future. I am going to try and capture some of the learning during this new series <em>Business During Downturn</em>. </p>
<p>The past few months have convinced me that individuals &amp; organizations that pay close attention to the basics fare better going into an economic downturn. In particular, establishing and maintaining the sanctity of the chain of trust is essential. The chain of trust is a relationship aspect of interdependent entities. It is based upon the credibility, accuracy and timeliness of business inputs like data, forecasting &amp; assumptions, which are then sent up the chain to act as inputs for decision making. An economic downturn breeds anxiety, performance pressures and uncertainty &amp; so maintaining trust is essential for survival. I have recently felt the need for paying attention to 3 chains of trust in particular.</p>
<p>First is the trust between a salesman and sales management. Revenue forecasting is the key activity that helps the organization plan to survive and adapt to change. On the basis of this projection further trust (say with creditors) is established. The sales team needs to redouble its efforts to adhere to the sales basics and stabilize projections within parameters acceptable to the org. I have observed that this is one of the biggest self-feeding problems. Wrong projections quickly add additional pressure to the relationship between a salesperson and their manager. Sales managers in turn find their relationship with their own managers deteriorating, leading to increased supervision, more administrative tasks, less flexibility… all the undesirables during a tough period. Salespeople who are successful in good times but inaccurate in bad times find it hard to gain back the trust when conditions improve.</p>
<p>Second is the trust between an organization and its suppliers/creditors. Some organizations misrepresent the situation to their creditors or set up false expectations with them. In my opinion, people forget that they are dealing with other people. People working for the creditor also have accountabilities and are much less likely to support you during a downturn and the subsequent upturn if they feel that they have been misled, had their time abused or been subjected to unnecessary stress. I saw a CEO deal with this effectively by instructing his staff to always answer a creditor's inquiry in a timely manner, give a conservative payment schedule, share the assumptions that may positively or negatively impact the information and, most importantly, reiterate how they were committed to a long-term relationship (and how their behavior was different than the competition). The CEO ensured the message was consistent across ranks and this had the added benefit of improving morale within his org. It better prepared his staff for taking calls from creditors. Everyone knows that talking to your creditor is like visiting your dentist. </p>
<p>Third is the trust delegated to the employees, especially the sales force. Very often managers will ask employees to take tough decisions or be creative, only to second-guess the decision. This erodes the trust the employee has in his management and increases the sense of chaos. The manager needs to examine his issues around control &amp; trust or take back the decision-making authority. The long-term implication of this for a salesperson is that they lose credibility with the client, and eventually the client knows that negotiated agreements with the salesperson are not the final negotiated position. Their boss will play game…</p>
<p>I’d be very interested in your observations and lessons in this economic cycle. Feel free to drop me a note.</p>
<p>- akshay </p>
Posted in Business, Leadership</div>
]]></content:encoded>
			<wfw:commentRss>http://nofud.org/2008/12/18/business-during-downturn-the-chain-of-trust/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7f872956a89dba537d87a7a1494d19be?s=96&amp;d=monsterid" medium="image">
			<media:title type="html">akshay</media:title>
		</media:content>
	<feedburner:origLink>http://nofud.org/2008/12/18/business-during-downturn-the-chain-of-trust/</feedburner:origLink></item>
	</channel>
</rss>
