Categories
Articles

NIS 2 Directive: cybersecurity improvement for all

The final text of the revised European Network and Information Security Directive (NIS 2 Directive) has now been published. This doesn’t formally apply in the UK, but does have some helpful comments on using data protection law to support network and information security. I’ve blogged about these previously but, since the final version significantly changes […]

Categories
Articles

ECJ: Legitimate Interest in accessing registries

European Data Protection Regulators have been expressing their concerns for nearly twenty years about public records of domain name ownership (commonly referred to as WHOIS data). A recent case (C37-20) on public records of company ownership (required under money-laundering legislation) suggests that the European Court of Justice would have similar doubts. But its comments on […]

Categories
Articles

Automation: Two ways

Earlier in the year, Networkshop included a presentation on Juniper’s Mist AI system for managing wifi networks. I was going to look at it – as an application I don’t know – as a test for my model for thinking about network/security automation. That may still happen, but first it has taken me down an […]

Categories
Articles

Knowledge Management for Security & Incident Response

Knowledge Management (KM) isn’t a topic I remember being presented at a FIRST conference before, but Rebecca Taylor (video) made a good case for its relevance. Security and incident response use and produce a lot of information – a Knowledge Management approach could help us use it better. Most teams quickly recognise the benefits of […]

Categories
Articles

Making CSIRTs (even) better

Incident Response Teams are, as the name indicates, responsive. Often they will try to provide whatever services their constituency asks for, or seems to need. However over time that can result in a mismatch between what the team offers and what its resources, capabilities and authority can actually deliver. That leads frustration, both among disappointed […]

Categories
Articles

Ransomware: an emotional experience

Tony Kirtley’s FIRST conference talk (video) explored how the Kubler-Ross model of grieving can help understand the emotional effects of a ransomware attack, both to avoid negative consequences and, where possible, to use natural emotions to support positive responses: Denial: in a ransomware attack, denial should be short-lived, as the nature of the problem will […]

Categories
Articles

Trust or Mutual Benefit?

The theme of this year’s FIRST conference is “Strength Together”. Since I first attended the conference in 1999, we’ve always said the basis for working together was “trust”. However that’s a notoriously slippery word – lawyers, computer scientists and psychologists mean very different things from common language – and I wonder whether security and incident […]

Categories
Articles

Incident response in the cloud

My first reaction to Mehmet Surmeli’s FIRST Conference presentation on Incident Response in the Cloud (video) was “here we go again”. So much seemed awfully familiar from my early days of on-premises incident investigations more than twenty years ago: incomplete logs, tools not designed for security, opaque corners of the target infrastructure, even the dreaded […]

Categories
Articles

The future of automated incident response

My post about automating incident response prompted a fascinating chat with a long-standing friend-colleague who knows far more about Incident Response technology than I ever did. With many thanks to Aaron Kaplan (AK), here’s a summary of our discussion… Developments in automated defence AK: Using Machine Learning (“AI”) in cyber-defence will be a gradual journey. […]

Categories
Articles

Effective Threat Hunting

Threat hunting is perhaps the least mechanical of security activities: according to Joe Slowik’s FIRST presentation (video) the whole point is to find things that made it past our automated defences. But that doesn’t mean it should rely entirely on human intuition. Our hunting will be much more effective if we think first about which […]