Thought Leaders

Kees Leune, Leune Consultancy, LLC

Stephen Northcutt - February 13th, 2010

Kees has a really special place in my heart. He has made many contributions to the information assurance community, but one, the use of rubrics to help guide the peer review of GIAC Gold papers, means a lot to me. It means a lot to you as well, because it created a state change for higher quality in the Gold program. So those of us at the Security Leadership Laboratory are excited that he has chosen to be a part of the Thought Leadership Project and we thank him for his time.

Kees, we usually start with a short bio. Can you give us one?

Dr. Kees Leune is a certified information security professional who teaches, writes and speaks on information security strategy and incident handling, and sometimes dabbles in penetration testing. He works as information security officer for a regional college in the New York metro area and operates Leune Consultancy, LLC (an information security strategy consultancy). Kees is a SANS mentor and a GIAC Gold adviser. Kees’ writings can be found at http://www.leune.org/blog/kees and he can be followed on Twitter as @leune.

Thank you, that is an excellent short and to-the-point bio. Now, would you kindly point to some URLs of papers or presentations you have written that are available on the web?

Many published (and unpublished) papers are available at http://www.leune.com/pages/publications.html. Other writing is available on my blog (see above).

Got it. Would you please list your top three “must read” books or papers that you did not write, but you recommend for others:
  • The Cuckoo’s Egg, by Clifford Stoll. The Cuckoo’s Egg is Stoll’s report on how he, as a physicist, was hired as a system administrator and tasked with resolving a budgeting issue. In the end, he tracked down an international spy.
  • Presenting to Win, by Jerry Weissman. All information security professionals must be able to tell stories. Whether those stories are technical reports on how to exploit a newly discovered 0-day, or executive briefings on compliance and fund allocations, this book will help prepare the story and assist in developing an appropriate presentation to support it.
  • It Sounded Good When We Started, by Phillips and O’Bryan. A book on project management. It presents a number of case studies, augmented with highly actionable tips, detailing why technical projects have a tendency to fail.

Thank you, Kees. I will order the last two books today since I have some long plane flights in the days ahead. May I ask how you became interested in the field of information security?

I started getting interested in information security when I read the book “The Cuckoo’s Egg”, by Clifford Stoll. I got a hold of the book in my last year of high school and it pretty much determined my path through college. At the same time (1992) I gained access to this thing called the Internet. My first job started me with focusing my career on information security, and 12 years later, I am still here.

Have you worked on security products before the product you are working on today? If so, please list them and describe the highlights of some of these products.

I have worked with many different products in the arena, from early SIM tools (e.g., Cisco MARS) to NetFlow-based technology (e.g., NFSEN), anti-malware, forensics software, penetration testing toolkits, etc. Today, I rarely touch technology for operational purposes.

Sounds like you had a special gift to be where the action is going to be! What product are you working on today? What are some of its unique characteristics? What differentiates it from the competition?

Years ago, one of my biggest fears was to admit that I am a manager. As much as I feared it then, I cannot deny it now. The products I work on are mostly intangibles, such as policy development and implementation, business continuity planning, incident management, etc. A tool in which I have invested a lot of time is called AIRT; it is a web-based console designed to support incident response managers in handling their caseload and assigning their resources effectively.

Can you tell us more about AIRT? Are there any large companies using it in production? Where do you get it?

Since AIRT is freely available for download at http://www.leune.com/airt, and it does not require any registration, actual use is hard to estimate. Based on conversations with people in the field, we know that it is predominantly in use by European computer security incident response teams, such as national CSIRTs, and several national research and education network CSIRT teams. Some US teams have also expressed interest and may be using it, but I cannot say that for sure.

Since you have spent a lot of time on continuity planning, do you have any actionable tips you are willing to share?

Continuity planning is something most of us who work in a (C)ISO role must spend a significant amount of time thinking about. Effective continuity planning requires a lot of insight into systems operations, interdependencies, geographical locations, connectivity issues, architecture concerns, etc. One actionable tip that I have found to be very effective is to go past the planning phase and actually test your plan. It would be great if you could do a fully functional exercise, but in reality that is both extremely expensive and hard to plan. FEMA’s Emergency Management Institute offers online training materials for disaster preparedness, and one of the modules they offer (for free and online) is Exercise Design. I highly recommend reviewing that training material and applying it to your organization.

Another actionable tip is to make sure that you meet one-on-one with all systems owners (on the business side) at least once a year to engage them in a dialogue about business continuity planning. Ask them to come up with contingency plans for their departments in case IT services are not available at all, or run at a lower grade.

Finally, for these same business owners, I have found it highly useful to have worked with them to develop a minimal services baseline. That baseline outlines clearly what services (and at which levels) they need to have available to be able to function at all.

Same thing for policy development: if you could share three tips with a newbie, what would they be?

Policy development is something that is much harder than most people imagine. Writing up a policy is easy, but obtaining buy-in and commitment is a whole different ballgame. I have adopted a “policy life cycle” in that a policy is only written when there is a real and documented need for it. Once the need has been established, it is time to start meeting with key deciders to gauge their opinions, learn about their concerns, and capture their desires. I have found that one-on-one meetings are much more effective than calling a large meeting with 5-10 people all at once. It does take a lot more effort initially on my part, but it pays back greatly in the end. When starting these meetings, make sure to go to them, rather than ask them to come to you. Keeping people in their own environment makes them much more inclined to agree with you. After the need has been established and stakeholder feedback has been collected, it is time to draft the policy. When writing it, keep it minimal, simple, and use plain language. A policy should last for 3-5 years, so don’t include many specifics about the technology choices, etc. Mostly, it should delineate responsibilities and provide (mandatory) direction. Make sure to include who determines penalties for non-compliance, policy enforcement, and who is allowed to grant permission to deviate from the policy.

The drafts get circulated to the same stakeholders and when agreement has been reached, go to a copy editor for clean-up. The final draft is submitted to senior executive management for authorization and approval, which triggers the dissemination part. Policies are useless if nobody knows about them, therefore they must be communicated. How to do that depends on your organization, but using existing newsletters, email blasts, posters, staff meetings, intranets, etc., are all possibilities.

Once the policy has been written, approved, implemented and communicated, it is time to monitor for compliance, and schedule a review cycle.

What do you think the security products in your space will look like in two years? What will they be able to do?

It has been a long time since I have seen truly new products in the marketplace. In two years, I do not think that will change much and we will continue to see more of the same. The trend to outsource services will continue (yesterday we called it ASP, today we call it Cloud). The burden of compliance will increase and, while the number of compromises will increase, we will hear less about them.

Well, that is a cheery peek into the future! Please share your impression of the defensive information community. Are we making progress against the bad guys? Are we losing ground?

Defensive information security is one of the hardest fields there is. As in any “combat operation”, defenders have to defend against all possible attacks, while attackers only have to be successful in one. I think that at the corporate level, we are making some progress against the widespread and well-known attacks; however, not so at the national level, and we are failing overall in defending against custom-designed penetration attempts. We should continue to invest time in research as to how we can change the fundamental paradigm of information security defense. The GIAC Gold paper series is an excellent initiative that brings in many bright minds from all over the world who address certain problems without necessarily trying to immediately convert them into a marketable product. It may be my background in academia, but fundamental research (rather than vulnerability chasing) is something that deserves much more attention.

Please share your thoughts concerning the most dangerous threats information security professionals will be facing in the next year to eighteen months.

The most dangerous threats that will be faced by information security professionals in the next 18 months are customized attacks (especially against end-users, end-points and web-based applications). Attacks such as the recent one targeting Google will increase and the prizes will become more valuable. Attackers will go after valuable corporate assets, or critical parts of national infrastructures. One bright spot is that victims of such attacks seem to be more willing to share details with the community at large. The Google incident is one example, but before that, the Apache Foundation did something similar. I hope we will see more of this going forward.

What is your biggest source of frustration as a member of the defensive information community?

As a member of the defensive information security community, one of my greatest frustrations is denial. Specifically, I mean denying that there is a structural need to deploy more protection of assets, especially in local and state governments, and with companies that are large, but not big enough to make it into the Fortune 500. The other source of frustration is that very few breaches are turned into usable material for case studies. Reports such as the Verizon Breach Report, and the fact that some organizations are willing to share more information about incidents (see above), are encouraging.

We like to give our interview candidates a bully pulpit, a chance to share what is on their mind, what makes their heart burn, even if it is totally unrelated to the rest of the interview. Please share the core message you want people to know.

Any information security professional, whether you are a practitioner, a consultant, or a manager, must realize that secure information is not a goal. It is a tool, just like there are more tools that contribute to realizing an organization’s mission.

Please tell us something about yourself, what do you do when you are not in front of a computer?

I am a husband and a father of two. Since I love what I do, I am very rarely truly away from work-related things. When I do get away from technology, I like to spend time with the family, read books, and (before I had children) travel. Although recently not active, I am a fully licensed amateur radio operator.