Cymbel Corporation is a Pinnacle Group Company

What should you expect from a vCISO engagement?

Organizations are facing ever-increasing challenges related to security and compliance. Security incidents are in the news every day, with targeted attacks, phishing, malware, and especially ransomware on the increase. A last-minute, reaction-based strategy is no longer sufficient, and your cyber insurer may not pay out on a breach if you cannot show that you did due diligence to protect your organization. But where do you start?

Your IT department is already overworked, and the total cost of ownership of a dedicated security staff is not in the budget. You need a reliable CISO function, but filling it with a full-time hire can be cost-prohibitive in today’s market.

CSOonline.com says “A vCISO is an outsourced security practitioner or provider who offers their time and insight to an organization on an ongoing basis, usually part-time and remotely”

This definition leaves a lot of room for prescribing the methodology and direction a vCISO engagement could take. Many functions can reasonably be assigned to that role, but a few basic components are essential and should be the foundation of any vCISO engagement. Let’s take a quick look at those basic functions.

  • Understanding Business Drivers and Direction
  • Initial Risk Assessment
  • Gap Analysis and Prioritized Risk List
  • Understand the Organizational Compliance Requirements
  • Strategic Security and Compliance Plan
  • Tactical Risk Mitigation Plan with Punch List
  • Ongoing Emerging Risk and Threats Analysis
  • Pragmatic guidance on security and compliance issues informed by business needs and objectives

Together these functions cover the core responsibilities of a CISO, and a virtual CISO can perform them without the cost of an FTE or the requirement of a full-time onsite person in that role.

Benefits of virtualizing this function can include:

  • Cost savings over an FTE CISO
  • Experienced resources that have seen real risk and threats in a wide variety of industries
  • The benefit of “external” recommendations to leadership
  • Strategies and methodologies already proven in the real world

Cost savings over an FTE CISO

Finding an experienced and successful CISO in today’s market is becoming increasingly difficult. Affording that resource as a full-time employee can be even more difficult and is not always realistic for small to medium-sized organizations. A good vCISO engagement can be far more affordable.

Experienced resources that have seen real risk and threats in a wide variety of industries

Many of the resources available from reputable security providers bring a wide breadth of experience in a variety of settings and industries to the table. This is an enormous asset to an organization because such a resource can recognize a wide variety of risks and correctly prioritize and address them.

The benefit of “external” recommendations to leadership

Leadership often ignores or trivializes recommendations that come from within. Even excellent advice from internal staff often gets minimized, while the same advice gets traction when the source is an external trusted partner. This is not a good trait of organizational leadership, but it is often the case. The person with the plane ticket is often paid more attention, and their advice often carries more weight. vCISO resources typically have years of meaningful experience communicating risk and strategy to leadership.

Strategies and methodologies already proven in the real world

Due to their experience level, a vCISO resource can bring proven strategies to the engagement and can help the organization focus on significant strategic initiatives that are within its budget and risk tolerance. The difference is akin to that between a medical student who has read many books on surgical procedure and a seasoned surgeon who has performed thousands of operations.

Conclusion:

A CISO function is becoming a more common requirement for organizations, and acquiring and keeping a seasoned, experienced person in that role is increasingly difficult and expensive. Using a reliable organization to provide experienced vCISO engagements can be a viable and successful strategy.

about:
Eddie “the Y3t1” Mize is CSO and Director of Information Security for The Pinnacle Group
He has over 36 years’ experience in the Computer Industry as well as over 22 years’ experience in Information Security. He is an integration and security specialist with years of experience building Information Security Programs. He has led numerous PenTest and Red Team events for a wide variety of industries and served on Cisco’s Enterprise Advisory Board for Information Security.

Eddie is a frequent security speaker on real-world information security and compliance, mobile security, red-team/penetration testing techniques, and cloud security. He is a security evangelist, podcast SME, DEFCON speaker & Staff Goon, and is a “Distinguished Speaker” for the CiscoLIVE conferences. Eddie’s work has been published in Network World, Pentest Magazine, and Hakin9 Magazine.


Drive Innovation and Business Value by Streamlining Your IT Processes with The Pinnacle Group’s Total-IT Managed Services Offering

The Pinnacle Group’s managed services division provides managed infrastructure, monitoring and management, and data protection services customized to fit your business needs.

(PRWEB) March 13, 2014 – The Pinnacle Group, a leading national provider of enterprise computing solutions, announces the launch of its Total-IT Managed Services division, focused specifically on delivering innovation and value through a blend of cloud-based compute and storage, state-of-the-art management and monitoring tools, data backup solutions, and business continuity/disaster recovery planning services.

As The Pinnacle Group launches the new service, CEO Michael Fedele believes the company is well positioned to provide customized managed services solutions that will improve its customers’ operational efficiency and drive business growth by reducing time to market, improving IT reliability, and focusing IT resources on activities that result in innovation and significant growth.

According to The Pinnacle Group CEO Michael Fedele, “Allowing business to focus on their core mission is the emphasis of our managed services division. We are excited to be offering services that will drive business growth through improvements in efficiency and innovation.”

About the Pinnacle Group
The Pinnacle Group specializes in business-focused technology solutions for mid to large-size organizations. Through a unique and tailored approach for each engagement, The Pinnacle Group combines a wide range of technical expertise with heavy emphasis on overall operations to create the optimal partnership of technology and operational excellence. The Pinnacle Group’s corporate headquarters are located in Stamford, Connecticut with offices throughout the United States.

###
For more information contact us by calling Ray Sage, Director of Managed Services at 760-431-9116 x104 or emailing: RSage(at)thepinnaclegroup(dot)com


The TPG and NetEnrich partnership is the definition of a trusted business partner.

STAMFORD, CT – OCTOBER 28, 2014 – The Pinnacle Group, a full-service provider of tailored IT support services and a CRN SP500 company, today announced a strategic alliance with NetEnrich, Inc., a pure-play IT operations services provider for enterprises worldwide. The new business relationship enables The Pinnacle Group to deliver world-class remote IT infrastructure monitoring and management services to enterprise clients throughout the U.S. and Canada.

“The Pinnacle Group’s consultative, business-driven approach to IT solutions is an excellent match with NetEnrich’s more than 10 years of delivering outstanding remote IT services,” said Michael Fedele, President of The Pinnacle Group. “Our rock-solid stability and longevity, combined with the IT operations expertise of NetEnrich, will ensure now, more than ever, that we are meeting the growing needs of our customers for remote IT monitoring and management services.”

The Pinnacle Group was recently named to CRN’s 2014 Solution Provider 500 list (SP500) by The Channel Company. This annual list ranks the top revenue-generating technology integrators in the US and Canada. NetEnrich’s IT Operations Platform (ITOP) was named as one of CRN’s “Must-See” Managed Services Products, one of only 10 solutions selected from among the IT industry’s top cloud and systems management software companies.

“The Pinnacle Group is a first-class IT services firm that understands the business value technology can bring to enterprises,” said Justin Crotty, senior vice president and general manager, NetEnrich. “By teaming with NetEnrich, The Pinnacle Group is able to expand its IT services capabilities and deliver superior customer support.”

About The Pinnacle Group
The Pinnacle Group is a full-spectrum, business-to-technology solutions provider with over 30 years of experience in every aspect of information technology. The company’s unique approach to IT services comes from considering each client’s business requirements first, rather than starting from a purely technologically driven perspective. This ensures The Pinnacle Group’s proven track record of engineering full spectrum, customized IT solutions that are driven purely by the customer’s true business needs. The Pinnacle Group is based in Stamford, Connecticut, with regional and satellite offices across the United States.

About NetEnrich
Founded in 2004, NetEnrich Inc. is an enterprise-level IT operations services provider focused on remote service delivery. The company is headquartered in Silicon Valley, California, and supports more than 1,000 clients. While NetEnrich focuses on remote service delivery, its go-to-market channel partners, which include VARs, system integrators and solution providers, provide the local IT consultancy, architectural know-how, deployment services and last-mile support. NetEnrich operates a secure, ISO 27001-certified IT Operations Center working 24x7x365.

Sharon Hebert
Director of Business Development
The Pinnacle Group
1-877-431-9116 x 200


Dakota Cloud Recovery Partners with The Pinnacle Group For Cloud Data Protection Managed Services

The Pinnacle Group will resell Dakota Cloud Recovery solutions as its Cloud Data Protection Managed Services. Together, this partnership brings nationwide customers an enterprise-class IT solution with secure cloud data protection at Dakota Cloud Data Centers.

Rapid City, SD and Stamford, CT February 10, 2015

Dakota Cloud Recovery, the leading provider of secured enterprise-class cloud data protection solutions for mid-size customers, announces a strategic partnership with The Pinnacle Group, a full-service provider of tailored IT support services and a CRN SP500 company.

The partnership ensures customer data is protected and rapidly recoverable through the following secure, cloud-managed services:

    • Cloud Data Protection – Providing the most secure cloud data protection solutions for backup, retention and data recovery.
    • Rapid Cloud Recovery – Restores data in minutes with Dakota high-performance Cloud and on-premise recovery appliances.
    • Simple Managed Services – Reduce downtime and improve SLAs with Pinnacle’s affordable monthly-managed cloud data protection services.

“We are delighted to partner with Dakota Cloud Recovery to meet customers’ growing demand for Cloud Data Protection,” said Michael Fedele, President of The Pinnacle Group. “With more than 10 years of experience and 1,500+ customers, Dakota’s NetApp-based enterprise cloud is well-suited for our customers.”

“Managed Services, particularly for Data Recovery, is growing significantly among small to mid-size businesses. Dakota Cloud Recovery has a strong, unique offering that brings cloud services and data protection expertise that customers and systems integrators can easily tap into,” said Camberley Bates, Managing Director & Analyst, Evaluator Group. “The value to customers is a local and trusted source to make sure their business is fully protected.”

“The Pinnacle Group has been a trusted provider of total IT solutions,” said Casey Parker, President of Dakota Cloud Recovery. “We are pleased to bring our enterprise-class cloud solutions along with their innovative affordable managed-services to our joint customers.”

About the Pinnacle Group
The Pinnacle Group specializes in business-focused technology solutions for mid to large-size organizations. Through a unique and tailored approach for each engagement, The Pinnacle Group combines a wide range of technical expertise with heavy emphasis on overall operations to create the optimal partnership of technology and operational excellence. The Pinnacle Group’s corporate headquarters are located in Stamford, Connecticut with offices throughout the United States.

About Dakota Cloud Recovery
Dakota Cloud Recovery is a leading provider of secured enterprise-class cloud data protection solutions for small and mid-size customers. Our innovative monthly-managed services eliminate costly investments in storage and backup software allowing customers to take advantage of our fault-tolerant cloud data centers at mid-market pricing. Dakota Cloud Recovery is passionate about customer support. Our engineers are data protection experts, an extension of your IT staff.

Sharon Hebert
Director of Business Development
The Pinnacle Group
1-877-431-9116 x 200


Your Ears as a Security Control

Recently, I was at a customer site to discuss monitoring, correlation, and alerting. They told a tale I have heard so many times that all I could do was sit there and nod my head sympathetically. They described a failed SIEM (Security Information and Event Management) implementation they had recently gone through. After hearing the tale and asking several questions, I discovered that the vendor had not bothered to LISTEN to the IT staff before recommending a SIEM product and proceeding with the implementation.

They did not LISTEN to the goals of the organization or the IT staff’s initiatives to support those goals. They did not LISTEN to a list of existing security controls and tools that had already been stood up and were working independently of each other. They did not LISTEN to what leadership needed to see on reports and in the way of metrics in order to feel that their money was well spent on the product. They did not LISTEN to the business objectives that IT needed to serve and meet in order to be successful. They did not LISTEN to a list of previous attacks that had been thwarted and how they were discovered and prevented.

It occurs to me that in the world of InfoSec we do a lot of fear mongering to sell products and services (not to imply that there is no real and present danger to be aware of and to address). What we often seem to miss is the need to use our ears as a sensor: to learn the customer’s objectives, historical successes and failures, existing controls, and human and financial resources before choosing the strategies and tools that will provide real security and peace of mind. In a defense-in-depth strategy, shouldn’t our ears be one of the first controls employed?

– y3t1

about:
Eddie “the Y3t1” Mize is CSO and Director of Information Security for The Pinnacle Group
He has over 31 years’ experience in the Computer Industry as well as over 18 years’ experience in Information Security. He is an integration and security specialist with years of experience building Information Security Programs. He has led numerous PenTest and Red Team events for a wide variety of industries and served on Cisco’s Enterprise Advisory Board for Information Security.

Eddie is a frequent security speaker on real-world information security and compliance, mobile security, red-team/penetration testing techniques, and cloud security. He is a security evangelist, podcast SME, DEFCON speaker & Staff Goon, and is a “Distinguished Speaker” for the CiscoLIVE conferences. Eddie’s work has been published in Network World, Pentest Magazine, and Hakin9 Magazine.


Burnin’ Down the House

“Oh my God! The office is on fire!” David exclaimed to his wife as he hung up the phone and dragged himself out of bed.

This was the moment he had dreaded for years. So many irreplaceable documents stored there. So much data to be lost.

The fire department had called and alerted him in the middle of the night, and he was busy throwing on his clothes and rushing to the car to drive downtown. As he arrived, he saw several emergency vehicles and curls of smoke still rising from what was left of the south end of the building. That was where the document storage room was, and his heart sank. In the end, most of what the fire did not destroy was soaked by the attempts to quell it.

The organization lost many key documents and records in the fire. The possibility of a fire had been discussed in a few meetings over the years, and some precautions had been taken, but in retrospect they were woefully inadequate. David realized that there should have been a comprehensive fire prevention plan that included a response team and a procedure to follow in the event of a fire or similar disaster.

Over the next few months, all the office talk was of the fire and the amount of damage it caused. The local news had run a story and it was the talk of the little town. The organization’s reputation had taken a serious hit. A special internal committee had been formed to discuss the fire, its effects and impact, and prevention of future incidents. So much attention was given to the event that David was certain real steps would be taken to prevent a repeat.

After a couple of months the committee members got busy with their day-to-day jobs, and the “adrenaline” that had permeated everything right after the fire started to die down. Slowly, everything returned to “business as usual,” and David noticed that none of the remediation and planning discussed in the committee meetings right after the fire had been implemented. He started to ask around the office about progress on the controls to prevent future events. He was met with indifference and phrases like “Lightning never strikes twice in the same place!”

In the end, not much had changed, and people rarely discussed the fire or the massive financial and reputational damage it had done to the organization. David often thought how outrageous it was that no real change had been triggered by the event, and how vulnerable the organization remained to a repeat.

Ridiculous right?

I have watched the “FIRE” of a data breach ravage many organizations, and yet this is the typical reaction and lack of real response.

Don’t let your organization burn twice.

– y3t1


SOLVED!!!

I was recently fortunate enough to be the face of The Pinnacle Group’s CryptoChallenge at DerbyCon in Louisville, Kentucky. I am always amazed to watch the depth of talent brought to bear in these types of challenges, and I marvel at the process of watching these big brains crunch away at complex mathematical and observational puzzles. This event was no exception.

The prizes were four 4TB USB3 hard drives and a winner’s certificate. I knew right away that it was going to be amazing when L0stBoy (the creator of the DEF CON Mystery Box Challenge and the DEF CON badges for several years) quickly assembled a team and went to work on it. He started off with no computer and was working out all the encoded and hidden messages by hand on paper. UNBELIEVABLE! Then I found out that RenderMan (of aircraft navigation vulnerability fame, among other things) had thrown his proverbial derby in the ring as well, and I knew it would be exciting.

During the next 24 hours at least four teams labored away solving a variety of hidden and cryptographic challenges, and despite a web service provider glitch, Team L0stBoy and his L0stCateers had solved the puzzle by 2:30am the next morning, when they came to me and excitedly whispered the answer in my ear to take first place. The team consisted of L0st, Mouse, Crypt, Leah, John, Dragorn, Clutch, and Ellen.

I had visited their decrypt den (a hotel conference space they had taken over) at one point and was amazed at the talent they had assembled as well as their progress. I was peppered with questions by the team and had to be careful not to reveal anything by my body language or lack of response. I knew their team was keenly observing my every move and nuance.

I was really excited when they took first place, but not as excited as they were. There was the obligatory group photo, and much rejoicing and congratulations ensued.

The next morning I got a text that Darth Null was looking for me, and sure enough, he came up to my booth and whispered the answer. He was very reserved, but I was quite psyched that he had solved it all alone. A job very well done indeed!

Next was RenderMan, who also flew solo, and again a celebration and another drive.

During the contest a young man named Spencer Scott had approached me several times to report his progress and ask questions. He also completed his challenge solo, and as I understand it, it was his first con and CryptoChallenge. I was very proud of him and hope to see him again and again at other cons and participating in future challenges.

Thanks to all who played, assisted, and participated and thanks to Dave Kennedy and the entire DerbyCon crew for facilitating this!

– y3t1


Tip of the ‘Berg

If you know me, you know that I regularly preach the need for full-scope penetration testing (internal and external, with physical, digital, and social engineering attack methods). If I do not think and act as the bad guys do, I will likely miss attack vectors that they will not.

I have done numerous external-ONLY penetration test assessments over the years. Many were very limited in scope and prompted by some compliance requirement, or by a member of leadership who read about a breach and then decided to “have a look at our external network.”

These have some value, of course, but they often miss the largest areas of risk for an organization. Many breaches originate from within the network perimeter. They often occur because poorly trained staff freely volunteer information such as network credentials, or grant access to restricted areas. Other times they come from disgruntled employees or contractors exploiting serious internal weaknesses, or from social engineering. External-only testing does nothing to expose these risks.

That being said, I have performed many of these limited-scope external tests, and I am continually amazed at something that often occurs. Many times, the result of these tests is a set of fairly alarming findings on the public-facing hosts that are supposed to be the most secure face of the network. What alarms me is that the majority of the time, there is a rush to remediate these findings alone. No further assessment is performed, and the findings do not seem to prompt further examination. If these findings exist on the most secure portion of the network, doesn’t it stand to reason that the remainder of the network harbors even greater vulnerabilities and poses even greater risk?

On the rare occasions when these findings prompted the organization to look deeper into its internal network, its other security controls, and its training, the results of the external testing paled in comparison to the risks identified inside.

This is the “Tip of the Iceberg” syndrome: where we see a bit of ice on the surface, we can be fairly certain it is indicative of a huge mass of ice (risk) submerged and out of sight.


Do Diligence?

As I travel around speaking, performing network assessments, and discussing security with various corporate leaders, I often hear a fairly consistent and disturbing mantra.

“If you find vulnerabilities and risks in our environment, then we will have to fix it.”

The prevailing wisdom from a security and compliance perspective seems to be: “If we don’t know about it, we are not responsible for the risk it represents.”

Let me just clear this up…

W R O N G !!!!!!!!!!

When (not if) you are breached, that excuse will fall very flat with a board of directors, shareholders, and others you are accountable to. The old adage “ignorance of the law is no excuse” comes to mind, and it holds true in information security as well.

Not only is IT leadership at risk, but consequences can reach the very top of the organization, as we learned with the Target breach:

From Forbes.com article
Target CEO Fired – Can You Be Fired If Your Company Is Hacked? – by Eric Basu

“A common perspective is that cyber security is primarily the responsibility of the IT department. If a data breach incident occurred, the senior IT executive was the only one to take the fall, and usually only if there was incompetence involved vs. simply bad luck.”

“Target’s CEO Gregg Steinhafel, a 35-year employee of the company with the last six at the helm, resigned in light of the recent holiday-season credit-card security breach that affected 40 million customers.”

Consider the similarity between a digital risk and a small area of cancer in the body. Often, if the cancer is discovered early, it can be a fairly simple procedure to remove and mitigate. This is also true of risk in a digital environment. Failure to identify and treat either one can result in consequences that far outweigh the cost of treatment or remediation.

Imagine me telling my general practitioner that I would prefer he not check for cancer because…

“If I don’t know about it, I am not responsible for the risk it represents”.


Complaints site aims to right consumer wrongs

People angry with companies and governments can now share their pain via a crowd-sourced complaints site.

Created by notorious tech entrepreneur John McAfee, the Brownlist aims to find solutions for people treated badly by organisations.

Mr McAfee said the site was a way to channel impotent anger into something more positive.

Ultimately, he said, the site could spur direct action against arrogant firms to make them change their ways.

