Kees has a really special place in my heart. He has made many contributions to the information assurance community, but one, the use of rubrics to help guide the peer review of GIAC Gold papers, means a lot to me. It means a lot to you as well, because it created a state change for higher quality in the Gold program. So those of us at the Security Leadership Laboratory are excited that he has chosen to be a part of the Thought Leadership Project and we thank him for his time.

Kees, we usually start with a short bio; can you give us one?
Dr. Kees Leune is a certified information security professional who teaches, writes and speaks on information security strategy and incident handling, and sometimes dabbles in penetration testing. He works as information security officer for a regional college in the New York metro area and operates Leune Consultancy, LLC (an information security strategy consultancy). Kees is a SANS mentor and a GIAC Gold adviser. Kees’ writings can be found at http://www.leune.org/blog/kees and he can be followed on Twitter as @leune.
Thank you, that is an excellent short and to-the-point bio. Now, would you kindly point to some URLs of papers or presentations you have written that are available on the web:
Got it, would you please list your top three “must read” books or papers that you did not write, but you recommend for others:
The Cuckoo’s Egg, by Clifford Stoll. The Cuckoo’s Egg is Stoll’s report on how he, as a physicist, was hired as a system administrator and tasked with resolving a budgeting issue. In the end, he tracked down an international spy.

Presenting to Win, by Jerry Weissman. All information security professionals must be able to tell stories. Whether those stories are technical reports on how to exploit a newly discovered 0-day, or executive briefings on compliance and fund allocations, this book will help prepare the story and assist in developing an appropriate presentation to support it.

It Sounded Good When We Started, by Phillips and O’Bryan. A book on project management. It presents a number of case studies, augmented with highly actionable tips, detailing why technical projects have a tendency to fail.
Thank you Kees, I will order the last two books today since I have some long plane flights in the days ahead. May I ask how you became interested in the field of information security?
I started getting interested in information security when I read the book “The Cuckoo’s Egg”, by Clifford Stoll. I got a hold of the book in my last year of high school and it pretty much determined my path through college. At the same time (1992) I gained access to this thing called the Internet. My first job started me with focusing my career on information security, and 12 years later, I am still here.
Have you worked on security products before the product you are working on today? If so, please list them and describe the highlights of some of these products.
I have worked with many different products in the arena, from early SIM tools (e.g., Cisco MARS) to NetFlow-based technology (e.g., NFSEN), anti-malware, forensics software, penetration testing toolkits, etc. Today, I rarely touch technology for operational purposes.
Sounds like you had a special gift to be where the action is going to be! What product are you working on today? What are some of its unique characteristics? What differentiates it from the competition?
Years ago, one of my biggest fears was to admit that I am a manager. As much as I feared it then, I cannot deny it now. The products I work on are mostly intangibles, such as policy development and implementation, business continuity planning, incident management, etc. A tool in which I have invested a lot of time is called AIRT; it is a web-based console designed to support incident response managers in handling their caseload and assigning their resources effectively.
Can you tell us more about AIRT, are there any large companies using it in production? Where do you get it?
Since AIRT is freely available for download at http://www.leune.com/airt, and it does not require any registration, actual use is hard to estimate. Based on conversations with people in the field, we know that it is predominantly in use by European computer security incident response teams, such as national CSIRTs, and several national research and education network CSIRT teams. Some US teams have also expressed interest and may be using it, but I cannot say that for sure.
Since you have spent a lot of time on continuity planning, do you have any actionable tips you are willing to share?
Continuity planning is something most of us who work in a (C)ISO role must spend a significant amount of time thinking about. Effective continuity planning requires a lot of insight into systems operations, interdependencies, geographical locations, connectivity issues, architecture concerns, etc. One actionable tip that I have found to be very effective is to go past the planning phase and actually test your plan. It would be great if you can do a fully functional exercise, but in reality that is both extremely expensive and hard to plan. FEMA’s Emergency Management Institute offers online training materials for disaster preparedness, and one of the modules they offer (for free and online) is Exercise Design. I highly recommend reviewing that training material and applying it to your organization.

Another actionable tip is to make sure that you meet one-on-one with all systems owners (on the business side) at least once a year to engage them in a dialogue about business continuity planning. Ask them to come up with contingency plans for their departments in case IT services are not available at all, or run at a lower grade.

Finally, for these same business owners, I have found it highly useful to have worked with them to develop a minimal services baseline. That baseline outlines clearly what services (and at which levels) they need to have available to be able to function at all.
Same thing for policy development, if you could share three tips with a newbie, what would they be?
Policy development is something that is much harder than most people imagine. Writing up a policy is easy, but obtaining buy-in and commitment is a whole different ballgame. I have adopted a “policy life cycle” in that a policy is only written when there is a real and documented need for it. Once the need has been established, it is time to start meeting with key deciders to gauge their opinions, learn about their concerns, and capture their desires. I have found that one-on-one meetings are much more effective than calling a large meeting with 5-10 people all at once. It does take a lot more effort initially on my part, but it pays back greatly in the end. When starting these meetings, make sure to go to them, rather than ask them to come to you. Keeping people in their own environment makes them much more inclined to agree with you. After the need has been established and stakeholder feedback has been collected, it is time to draft the policy. When writing it, keep it minimal, simple, and use plain language. A policy should last for 3-5 years, so don’t include many specifics about the technology choices, etc. Mostly, it should delineate responsibilities and provide (mandatory) direction. Make sure to include who determines penalties for non-compliance, policy enforcement, and who is allowed to grant permission to deviate from the policy.

The drafts get circulated to the same stakeholders and when agreement has been reached, go to a copy editor for clean-up. The final draft is submitted to senior executive management for authorization and approval, which triggers the dissemination part. Policies are useless if nobody knows about them, therefore they must be communicated. How to do that depends on your organization, but using existing newsletters, email blasts, posters, staff meetings, intranets, etc., are all possibilities.

Once the policy has been written, approved, implemented and communicated, it is time to monitor for compliance, and schedule a review cycle.
What do you think the security products in your space will look like in two years, what will they be able to do?
It has been a long time since I have seen truly new products in the marketplace. In two years, I do not think that will change much and we will continue to see more of the same. The trend to outsource services will continue (yesterday we called it ASP, today we call it Cloud). The burden of compliance will increase and, while the number of compromises will increase, we will hear less about them.
Well, that is a cheery peek into the future! Please share your impression of the defensive information community. Are we making progress against the bad guys? Are we losing ground?
Defensive information security is one of the hardest fields there is. As in any “combat operation”, defenders have to defend against all possible attacks, while attackers only have to be successful in one. I think that at the corporate level, we are making some progress against the widespread and well-known attacks, however not so at the national level, and we are failing overall in defending against custom-designed penetration attempts. We should continue to invest time in research as to how we can change the fundamental paradigm of information security defense. The GIAC Gold paper series is an excellent initiative that brings in many bright minds from all over the world who address certain problems without necessarily trying to immediately convert it into a marketable product. It may be my background in academia, but fundamental research (rather than vulnerability chasing) is something that deserves much more attention.
Please share your thoughts concerning the most dangerous threats information security professionals will be facing in the next year to eighteen months.
The most dangerous threats that will be faced by information security professionals in the next 18 months are customized attacks (especially against end-users, end-points and web-based applications). Attacks such as the recent one targeting Google will increase and the prizes will become more valuable. Attackers will go after valuable corporate assets, or critical parts of national infrastructures. One bright spot is that victims of such attacks seem to be more willing to share details with the community at large. The Google incident is one example, but before that, the Apache Foundation did something similar. I hope we will see more of this going forward.
What is your biggest source of frustration as a member of the defensive information community?
As a member of the defensive information security community, one of my greatest frustrations is denial. Specifically, I mean denying that there is a structural need to deploy more protection of assets, especially in local and state governments, and with companies that are large, but not big enough to make it into the Fortune 500. The other source of frustration is that very few breaches are turned into usable material for case studies. Reports such as the Verizon Breach Report, and the fact that some organizations are willing to share more information about incidents (see above), are encouraging.
We like to give our interview candidates a bully pulpit, a chance to share what is on their mind, what makes their heart burn, even if it is totally unrelated to the rest of the interview. Please share the core message you want people to know.
Any information security professional, whether you are a practitioner, a consultant, or a manager, must realize that secure information is not a goal. It is a tool, just like there are more tools that contribute to realizing an organization’s mission.
Please tell us something about yourself, what do you do when you are not in front of a computer?
I am a husband and a father of two. Since I love what I do, I am very rarely truly away from work-related things. When I do get away from technology, I like to spend time with the family, read books, and (before I had children) travel. Although recently not active, I am a fully licensed amateur radio operator.