Advanced Security: From Barrier to Enabler

Advanced Security – Part 1: Evolving Security from Business Barrier to Enabler


Organizations are increasingly concerned that historical industry best-practices are being stressed by the acceleration of new malware and the increasing reports of compromise via stealthy targeted attacks.


Attackers are laser-focused leveraging indirect and multi-pronged exploits to steal data or wreak havoc.

“This is fundamentally due to cybercriminals doing their homework on organizations and waging a fierce, persistent campaign to find any possible way to get a foothold in the organization.” – JD Sherry, VP, Trend Micro

The insider threat has largely morphed into phishing attacks, which can leverage multiple internal security weaknesses and vulnerabilities to traverse the network and exfiltrate data or intellectual property undetected.

At the same time the attack surface is broad, since security is horizontal and increasingly distributed: it covers many threat vectors across all extended business functions and essential services throughout the whole multi-location information technology and building infrastructure. Chances are that when the infrastructure was originally deployed it was secure, clean and well organized. But as weeks, months and even years pass, tactical changes in technology and the IT environment have probably occurred, weakening the security posture and opening it up to attack.


The result is that the security infrastructure becomes much more complex and fragmented, making it harder to protect. Attackers don’t discriminate and will take advantage of any gap in protection to reach their end goal. The bad guys continually evolve and innovate. All potential threat vectors need to be holistically examined and addressed across the extended enterprise. Without a proactive but practical security strategy and vital life cycle management processes in place, the system will inevitably become vulnerable and fail.

Addressing Multi-Dimensional Threats

The terms “advanced persistent threat” (APT) and “defense in depth” have been completely overhyped in the press and are distracting organizations from the very real problem of managing targeted attacks in a rational and balanced fashion.

Many organizations lack a complete understanding of defense in depth which limits budget and can lead to revenue impacting events. Many well-intended vendors seeking to position their solutions confuse the concept of defense in depth even further.

Defense in depth requires a strategic security approach that is adaptive, establishes business-driven rules, and leverages people, process and systems harmoniously. Integration is vital: the result should be a holistic security management system.


Enabling Business by Integrating Policy, People, Process and Technology

The Advanced Security series of blogs will take a multi-pronged approach to addressing this increasing threat and its associated challenges: it establishes a practical core foundation that supports a clearer definition of defense in depth, and it discusses the advanced security best practices and continuous improvement processes needed.

Evolving From Business Barrier to Enabler

How do organizations cut through the hype, filter the noise of fear, uncertainty and doubt (FUD), and deal with real and present threats? How do organizations develop an affordable and practical defensible security posture that supports the business based upon available budget and resources, and enables it to grow competitively while managing risk and protecting critical assets? How do organizations develop a continuous cycle to consolidate, integrate and organize mission-critical infrastructure into a sustainable core while still enabling healthy chaos (innovation and rapid deployment) on the edge?

The secret to success in security is typically simplicity, to have a well-designed and organized infrastructure that provides the appropriate layer of controls while enabling users a consistent ‘policy managed’ experience regardless of location, network transport or device. The challenge is in achieving and maintaining that goal.

“Security is a business enabler; you can drive faster with good brakes.” – Nigel Willson

Security done right is a business enabler that dramatically reduces total cost of ownership (TCO), providing a tangible Return on Security Investment (ROSI). Replacing IT complexity and fragmentation with an adaptive, modular and flexible architecture enables agility and improves your competitive edge, so the business can refocus quickly as new opportunities emerge.

Back to Basic Security Principles

The primary purpose of creating a security architecture is to ensure that business strategy and IT security are aligned. As such, the security architecture allows traceability from the business strategy down to the underlying technology. However, many IT organizations have moved away from formal security architecture governance in favor of rapid deployment cycles and tactical changes which over time risk diverging into complexity and fragmentation – with unresolved security exceptions. As previously stated, complexity not only leads to insecurity and the increasing potential for human error but also increased cost of operations.


A Blueprint to Evolve, become Agile, Multi-functional, and Competitive

A security architecture is a design document describing the security components that will protect the enterprise, and the ways they relate and interact with each other. It represents a strategic planning horizon and guide that defines the desired state of an organization’s infrastructure. The architecture sets the context for planning, design, and implementation. It enables a company to evolve and to become agile, multi-functional, and competitive, allowing the seamless adoption of new capabilities and applications into a common infrastructure. Security architecture also facilitates budgeting for security solutions and personnel.

In summary, the security architecture provides:

  • A way to evaluate applicability of new technologies, products, and services
  • A framework for technology decision-making
  • A macro view of IT systems and components, from the security perspective
  • A statement of direction for IT
  • A way to reduce and manage risk in the most cost-effective manner
  • A way to facilitate compatibility and easier administration of systems
  • A blueprint for future network growth
  • A way to create and document consensus
  • A methodology to force consideration of all design factors
  • A guide for the creation of an enabling infrastructure for unforeseen new applications

Adaptive Security Architecture Lifecycle

The security architecture is used as a baseline for consensus and direction but it needs to be active and capable of being updated. This process allows the security architecture to adapt and be agile to support the needs of the business. It evolves and sets future objectives.

System technology and users, data and information in the systems, risks associated with the system, business drivers, and security requirements are ever-changing. Many types of changes affect security: technological developments (whether adopted by the system owner or available for use by others); connection to external networks; a change in the value or use of information; or the emergence of a new threat. Creating an adaptive modular architecture leads to agility and flexibility as the organization grows.

Figure: Reference Design Architecture: Security Transformation

At the same time, using the architecture to develop an annual plan sets the stage for the projects that need to occur that year, and the improvements begin to converge towards and track with the architecture. Finally, with the proactive asset, risk, and policy management and infrastructure improvements, the security-risk profile is also managed, resulting in risk reduction. In this manner, not only does the security architecture drive the IT and network infrastructure direction, but it also enables the illustration of tangible results, winning continued support for the program.

Coming Soon

In Advanced Security – Part 2 we will further develop the theme of building a core foundation leveraging architecture and design principles together with defining a defensible security posture leveraging defense in depth as well as discuss advanced security best practices.

Nige the Security Guy Bio


Nigel is a Chief Security Architect with 30 years of international experience in Security Operations, Management, Research, Development and Security Services. He started his career as an assembler programmer who was contracted by the US DoD to develop secure operating systems with multi-level security and preclude covert channels. Nigel is a passionate evangelist who loves working with organizations to share thought leadership and practical strategy to help defend against advanced targeted threats.

Thanks for your Interest!

Nige the Security Guy.


Advanced Defense Posture Assessment

Advanced Defense Posture Assessment: Analytical Tradecraft to Evolve Detection Capability and Precision


Multi-dimensional Targeted Threats continue to evolve and exploit vulnerabilities that lead to significant loss of data and resources for organizations of all regions and sizes. These attacks are very much today’s news. They represent a danger to an organization’s intellectual property, financial assets and reputation.

Advanced Defense Posture

The era of advanced threats calls for a new approach to information security. When dedicated cyber adversaries have the means and methods to elude commonly used defenses, such as signature-based detection, it is clear that conventional approaches are no longer sufficient.

“Breaches happen in hours but often go un-detected for weeks or even months.”

Advanced targeted threats present challenges that are distinct from traditional security risks. There are too many entry points in today’s virtual enterprise, too many individual endpoint security solutions triggering alerts, too much security threat intelligence to process in real-time. More importantly, there are too few trained personnel who can spot and respond to advanced threats.

The pain points all cry out for a common holistic solution: Advanced Defense based upon Actionable Intelligence and ever evolving Analytical Tradecraft to continually improve detection capability and precision.


This blog is a part of the new Smart Practices Series complemented by the NG-OPS Advanced Security Series which will drill into greater details on the methodology and concepts used by these proposed advanced best-practices. Advanced Defense takes your organization to the next-level of detection capability.

Potential Benefits

  • Baseline and Validate Defensible Security Posture
  • Benchmark against Advanced Defense Reference Architecture (see NG-OPS Advanced Defense series)
  • Identify Gaps in Detection Capability, Visibility, Precision
  • Develop Advanced Defense Strategy & Roadmap with Continuous Analytical Improvement


  • Leverage Intrusion Kill Chain
  • Advanced Defense Reference Architecture
  • APT Detection Framework
  • Defensible Actions Matrix
  • Develop Advanced Defense Strategy & Roadmap

Advanced Defense

Today’s cyber security paradigm is a reactive cycle: when a threat is exposed, it is analyzed and a counter-solution is designed with response times varying from weeks to years. The trouble is that attackers can easily reuse pieces of previous malware, modify them, and create a brand new threat, bypassing the newly updated security measures.

In today’s threat environment the only constant is change. In fact, everything is changing – the way our users work, the types of adversaries we face, and the techniques hackers use to infiltrate our networks. Such threats have become even more sophisticated than ever, bringing new risks and uncertainties that require more visibility in operations.

Figure: The Attacker versus Defender View

The need for an Advanced Defense mindset is evident across the industry. Technologies will continue to improve, but in parallel we need to ensure that we also evolve and improve our security detection capability and precision, our processes, and our invaluable resources and skills.

“Attackers are constantly evaluating their methods and improvising new techniques. Defenders must think in those same fluid terms to keep pace.”

Advanced Defense Posture (ADP) Assessment

An ADP assessment evaluates your organization’s evolving ability to detect, contain, investigate and respond to a targeted or advanced threat. The assessment methodology is designed to help organizations:

  • Understand defensible security posture
  • Benchmark and validate ability to address stealthy targeted threats
  • Take proactive actions to continually improve detection capability and precision
  • Use a set of indicators or behaviors to enhance situational awareness.

Leveraging the Intrusion Kill Chain

The Advanced Defense Posture assessment makes use of the Intrusion Kill Chain. In any targeted attack there is typically a pre-defined set of phases that act as a ‘signature’. The important point is not that this is a linear flow (some phases may occur in parallel, and the order of earlier phases can be interchanged) but rather how far along an adversary has progressed, so that the defender can quickly detect, contain and respond.

Figure: Simplified View of Intrusion Kill Chain

The intrusion kill chain becomes a model for actionable intelligence to help align organizational defensive capabilities to the specific processes an adversary undertakes to target your organization.

The end goal of this is to analyze the data for patterns of attack methods, behaviors of distinct hostile actors, and other indicators which can inform the development of unique adaptive and agile responses. The assessment addresses key questions, for example:

  • What scenarios do we need to be able to detect?
  • What are our options for detecting them?
  • What are the strengths and weaknesses of our detection program today?
  • What is our detection stance against specific actors?
  • What is our overall plan for detection across our enterprise?

ADP Assessment Methodology

The ADP assessment process should include:

Figure: Advanced Defense Posture Assessment Methodology

  • Baseline Current Defensive Posture
    • Conduct discovery sessions to clearly identify defensible architecture, key assets/services and, posture
    • Document baseline across Intrusion Kill Chain using APT Detection Framework
  • Reference Architecture Analysis
    • Identify gaps and improvements in tools, tactics and techniques for detection capability/precision, using the Advanced Defense Reference Architecture to establish the goal (see NG-OPS Advanced Defense series)
  • Identify Defensible Actions Matrix
    • Determine the detection toolset, i.e., the tactics, techniques and procedures to Detect, Deny, Contain, Disrupt, Eradicate, Deceive or Recover
  • Develop Advanced Defense Strategy & Roadmap
    • Develop an Advanced Defense Strategy & Roadmap to remediate gaps, deploy improvements and leverage continuous improvement (see NG-OPS Advanced Defense series)


Recent incidents clearly demonstrate that cybercriminals can conduct operations that involve intrusion, lateral movement and data exfiltration in complex networks secured to current best practices. Attackers can adapt their attack techniques to the unique circumstances of the targeted environment.

This level of resourcefulness points to the realization that current best-practices and regulatory compliance are a necessary minimum baseline but are not sufficient alone. Today there is an increasing need for organizations to progressively evolve and advance from current security posture to a more defensible and advanced defense program with visibility, validation and, vigilance.

My solutions include the adoption of a security architecture and design foundation approach that compartmentalizes breaches into managed zones on networks and on endpoints, strategically leveraging the Adaptive Zone Defense series of blogs to develop an innovative architecture foundation with well-organized applications and services, managed communications, and good visibility into flows and logs that can actually detect cyber kill chain activity and stop the breach.

This requires an ongoing lifecycle process, with evolving actionable intelligence and analytical tradecraft, that takes the now-legacy, rapidly deployed and complex infrastructure and consolidates it into a new core foundation based on the architecture/design blueprint, while continually evolving the blueprint based on new business requirements, technology solutions and regulatory requirements. For more information see: Adaptive Security Lifecycle.

Coming Soon

  • APT Detection Indicators – Part 4: Behavioral Indicators Lifecycle
  • APT Threat Analytics – Part 3: Targets, Threat Actors, Scenarios & Modeling
  • NG-OPS Advanced Defense – Part 2: Analytical Tradecraft Practices
  • NG-OPS Advanced Defense – Part 3: Network Profiling and Validation

Thanks for your interest!

Nige the Security Guy.

vCISO Smart Practices – Part 1

vCISO Smart Practices – Part 1: Enabling Success via Collaboration Infrastructure

The Internet of Things offers a tremendous opportunity for businesses to truly transform themselves by realizing the potential of data that is sitting, untapped, in existing infrastructures. The challenge to unlocking that data is the evolution towards a Secure Collaboration Infrastructure.

vCISO Smart Practices

This blog introduces our vCISO Smart Practices series, which kicks off with a fundamental discussion of the importance and value of human collaboration and teamwork as a foundational cross-discipline, cross-functional ‘Architecture Team’. We also offer an introduction to the blog author, Nige the Security Guy (@NigeSecurityGuy).

This blog series will later address a truly distributed security architecture that supports the Collaboration Infrastructure and applies Smart Practices to it as we evolve rapidly towards the new and exciting yet challenging IoT.

“Training often gives people solutions to problems already solved. Collaboration addresses challenges no one has overcome before.” – Marcia Conner

Sharing and Reciprocity

Collaboration and sharing are sophisticated skills that ask people who work together to look beyond personal interests towards outcomes benefiting the whole. They are a great way to address complex challenges, since they have the potential to tap communal creativity, unleash true innovation and earn genuine buy-in.


Collaboration, at the conceptual level, involves:

  • Awareness – We become part of a working entity with a shared purpose
  • Motivation – We drive to gain consensus in problem solving or development
  • Participation – We participate in collaboration and we expect others to participate
  • Mediation – We negotiate and we collaborate together and find a middle point
  • Reciprocity – We share and we expect sharing in return through reciprocity
  • Reflection – We think and we consider alternatives
  • Engagement – We proactively engage rather than wait and see

Together we can build a safe and increasingly more secure environment …

“Security done right is a business enabler that dramatically reduces total cost of ownership (TCO) providing a tangible Return on Security Investment (ROSI). IT complexity and fragmentation replaced by an adaptive modular and flexible architecture enables agility and improves your competitive edge, so the business can refocus quickly as new opportunities emerge.” – Nigel P. Willson


A critical success factor in successfully deploying a collaboration infrastructure is orchestrated policy, focused resources and well-defined process that fully leverages and unlocks technology. As a creative, solutions-focused, charismatic and passionate security evangelist, Nigel Willson is available to consult as a Trusted Security Services Partner, collaboratively assisting organizations to iteratively improve and optimize their security as a virtual team member in the role of vCISO, IT Security Strategist and Architect.

Nige the Security Guy: Professional Profile


Nigel P. Willson
Principal Security Architect
AT&T Security Solutions

Nigel Willson is a Principal Security Architect at AT&T with 30 years of experience in Security Operations, Management, Research, Development and Security Services providing thought leadership, architecture/design and practical strategy.

Nigel has responsibilities as Security SME for AT&T complex cyber security solutions across the portfolio of security consulting, managed security services and mobile security solutions.

He specializes in collaboration as both a Trusted Advisor and Virtual Chief Information Security Officer (vCISO) helping companies to evolve and improve their security capability maturity and posture in the following areas:

  • IT Security Governance, Strategy, Roadmap
  • Security Architecture & Design (including adaptive security architecture lifecycle)
  • Security Operations (including advanced threats, detection frameworks, defensible posture)
  • Threat Intelligence & Risk Management (focused on business processes)
  • Security Research & Analysis
  • Regulatory Compliance

AT&T Security Solutions is the AT&T Advanced Enterprise Solutions customer-facing security opportunity team. His participation is consistently solicited by AT&T teams and AT&T customers as both a Trusted Advisor and Security SME in both the private and public sectors. Nigel joined AT&T as a Practice Director, Security via the acquisition of Callisma (AT&T Consulting Solutions) in 2005.

Prior to joining AT&T, Nigel worked as a Practice Director, Security for Avaya Converged Security as well as TCS America responsible for the development of discrete security consulting services and leading teams of security consultants. He previously worked as the Director, Security for The Walt Disney Company focused on global Internet Security for 27 business units including ABC, Disney On-Line, and ESPN.

Nigel is a former assembler programmer and reverse engineer (ethical hacker) with a diverse international background. He has worked on U.S. DoD projects developing security products and technology for the World-Wide Military Command and Control System (WWMCCS) and Military Airlift Command Deployment Flow (MACDF).


He is a published author of many security guides, books, magazine articles and currently operates a security-focused NigeSecurityGuy blog providing impartial practical advice and methodology on security architecture, assessments and, advanced persistent threats (APTs). Nigel also operates the ‘Solving the APT Defense Puzzle’ group on Linked-In, a reference library of useful research and topics.

Nigel was recently selected as a finalist in the InfoSec Europe 2014 Security Bloggers awards and was invited to publish an article on Leveraging Security as a Business Enabler.

Nigel’s passion is taking blog readers Back to Basics to focus on key security principles to develop a strong architectural foundation (Security Architecture Series) and from that add advanced threat defense (APT Strategy Guide) as well as security operations optimization (NG-OPS Strategy Guide).

“Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it is the only thing that ever has.”

Background Summary

  • International Background – 30 years of international experience gained as a security expert across England, Australia, France and the USA.
  • Strategic Architect – Cloud-Orientated Architecture, BYOD, Mobile, Security Operations, Risk, Intelligence, Analytics, Metrics, Visualization – Situational Awareness: Detect, Contain, Investigate, Eradicate, Recover
  • Director, Security @ Disney – Establish strategic architecture team, develop successful proactive security management program.
  • Published Author – Author and co-author of many security guides, books and magazine articles.
  • Security Consultant — 15 years thought leadership and strategy experience consulting to Fortune 500 companies.
  • Security Engineer – Developed new security protocols and products for U.S. Department of Defense (DoD), e.g., MACDF and WWMCCS. Used in Gulf War. Worked on multi-level security and covert channel prevention.
  • Reverse Engineer – Original assembler programmer, ethical hacker and reverse engineer who could analyze code and manipulate any technology, protocol or system.
  • Awards Plaque: AT&T April 2008: In Recognition of Unwavering Commitment, Steadfast Leadership and Outstanding Performance on the California State University ITRP program.


Thanks for your Interest!

Nige the Security Guy.