Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2014 > April

That thought of “how did I get so old?” happens so quickly.  Some reference to something from the past celebrating an anniversary will immediately trigger it.  So when I saw the CNN article “Happy 30th, Dr. Jones: 10 Things a Hero Taught Us”, I immediately cringed.  Has it been 30 years already since Raiders of the Lost Ark was released?  I was even more deflated when I found it was 30 years since Temple of Doom was released.  UGH!  Raiders of the Lost Ark was released in 1981.  I am even older than I first thought.  But I comforted myself with the “I am not older; I am better” internal speech all of us old timers are so readily able to spin.  Then I sighed and clicked on the link to find out what the indomitable hero Dr. Henry Walton “Indiana” Jones Jr. has taught us.


Read the article above first and then see what can GRC and Security programs can learn from the legendary Dr. Jones.


  1. Sometimes you have to try even when the odds don’t look good:  This should be the mantra for every grass roots initiative.  When you know it is the right thing for the organization, sometimes it takes a persistent thrashing to finally get everyone in line and moving in the same direction.
  2. Keep it simple:  Why get into a sword fight with an immense warrior when you have a pistol and a lack of time to mess around?  Eloquence through simplicity.  Don’t overcomplicate things or make efforts complex if they don’t have to be.  Those simple, quick wins towards a larger strategic vision will pay off.
  3. When all else fails, run like h***:   This is a bit hard to spin into the positive but I take this as following your gut.  When issues seem insurmountable, then you have to go with your instincts and go towards the strategy you think is best and deal with the consequences.  At least make your decisions based on solid information at hand and use your intuitions and experience to make the best choice.  Sometimes that is all risk management has to go on.
  4. Don’t knock it before you try it:  Many times organizations can get stuck in a rut.  'GRC is too complex and complicated' or 'Security is an IT thing' are quotes you don't want to hear in your organization.  Organizations are going to have to embrace change and force issues.  Understand the objectives and don’t worry about the label.  Get the job done.
  5. Sometimes you have to take chances:  This is hard thing for risk adverse people.  However, GRC and Security SHOULD BE focused on building confidence to take controlled risks.  Organizations that can control risk can take on more risk to reap the benefits.  Many opportunities have inherent risks and building the confidence in how your organization can manage that risk is essential in realizing the rewards.
  6. Take criticism gracefully:  This is extremely important for those GRC and Security programs getting off the ground.  Continuous improvement should be a recurring theme and listening to those outside the program can provide insight into what needs to be changed.
  7. A smile can go a long way:  I really like this one.  GRC and Security shouldn’t be considered the grim “bad cop” of the organization.  Risk management processes should be a partner in making the business successful.  Risk and compliance functions cannot be ‘all stick and no carrot’.  Smile at the business and they will smile back.
  8. Befriend interesting people:  Breaking down silos – as all GRC programs tend to do – will require building relationships with people across the organization.  Security is the same way - we need tighter relationships with our business counterparts.  The experience those people bring to the table is invaluable for a GRC and Security to achieve its ultimate objectives.  Those interesting people will help you get over those organizational challenges or give you views that will move your program forward.
  9. Sometimes you just have to have a sad day:  Every GRC and Security professional has had that ‘sad day’.  It is only normal to have setbacks and challenges that seem insurmountable.   The good news is item #10.
  10. You can conquer anything you set your mind to:  Just like Indiana Jones, GRC snd Security teams are extremely resourceful.  Risk and compliance processes today require ingenuity but, evidenced by the great work I have seen at our customers, they are getting it done and conquering many different challenges.


Indiana Jones was a fairly successful risk manager.  He took a lot of risks, he generally achieved his objectives and most importantly he kept his skin intact.  In fact, on some days, a pit of snakes in the middle of desert would be a welcome change to the regulatory briefing paper sitting on our desk waiting to be read or that new vulnerability released that will require multiple days of research to determine the remediation plan.   As long as you keep your hat on and your whip handy, you too can outrun large rolling boulders whether it is an upcoming regulatory change or a dangerous security threat.

In my experience, security professionals are excellent at working problems.  Give them a few suspicious alerts, a few failed logins, some sneaky looking network traffic and then get out of their way.  Like bloodhounds on the trail of the fox, they aren’t afraid of sticking their nose on the scent and then following it to its very end.  They will dig in deep to figure out what happened, when it happened and what to do about it.   In my blog post “Alarm Fatigue”, I lamented the fact that security functions have a lot of noise coming their way.   The noise has a high frequency with variable amplitude resulting in a cacophony that would confuse even the most disciplined and skilled bloodhound.  Ok – so I am mixing analogies there with scent and sound but you get the picture.


Now, when it comes to working through a continuous input of data, there are a few algorithms that can be considered.  Those of you with programming backgrounds will recognize the obvious.

First In, First Out (FIFO):  As a piece of data is presented, it is analyzed, processed and then passed on as output.  This is pretty straightforward.  Think of Lucy and Ethel in the candy wrapping fiasco in I Love Lucy.  As the piece of candy comes out of the machine, you wrap it and then move to the next.  Lucy and Ethel find out firsthand what can happen when the flow starts picking up speed.


Last In, First Out (LIFO):  This process gathers data until it has a nice big pile.  Then the one on the top is picked up, reviewed and worked.  The next one on the stack is handled and so forth.   Many people do this with their email after a vacation…start at the latest email and then work their way back until they realize this is a futile effort and give up.


All In, None Out (AINO):  Pretty self-explanatory.  This is the “black hole” method.


None In, None Out (NINO):  Again – pretty self-explanatory.  This is the “deny everything” model.


Some In, Some Out (SISO):  I call this the “selective issues management” model.  Let’s pick what can be solved, work it out and ignore the rest.


So security teams have a few options to ‘work the problems’.  None of these really work effectively.  FIFO just handles everything serially.   Big problems will eventually get worked but there will be a lot of effort expended to get there.  LIFO can result in big problems sitting unnoticed, buried under a sea of meaningless issues until the problem ends up in a security blog and front page news.  The other three are just silly but unfortunately they have been seen in operation.  So security teams have a process challenge…I mean…opportunity.


The next opportunity is the ever growing need of more and more visibility into what is happening on the network, hosts and applications in the enterprise.  Security tools usually help with filtering some of this stream of data – alerts, notifications, rules, “anomaly detection”, etc.  However, today we are learning frequently that this filtering can miss extremely important pieces of data that indicate a security issue.  We know the signatures and profiles that these alerts and notifications are built on aren’t keeping up with the threats we see and therefore, issues sometimes are never even identified and put into the queue.  Additionally, today’s happily secured application using well-recognized, industry standard encryption could be tomorrow’s bleeding wound in the enterprise. (Thank you Heartbleed)  Security is many times finding the needle in a stack of needles (a well-used phrase used today).   You just never know which needle you need to look for.  So security teams are faced with need to gather, store and organize EVERYTHING just in case.


What security needs today is an All In, Priority Out (AIPO) model.   This means the data that may need to be analyzed is collected, organized, normalized and available when needed but issues are pushed into the queue based on solid prioritization models.  The inputs into the security “work-the-problem” process must have dimensions added from a constant churn of data.   Let’s take a very simple example (I apologize for the simplicity but it is just a blog – not a dissertation).


Problem:  Beaconing traffic to a known C2 IP from an internal host.  Alert looks something like “ connecting to”.  (See the First Watch report on VOHO).

  • Zero Dimension: Internal host communicating with known bad actor.
  • First dimension: is John Smith’s laptop.
  • Second dimension: John Smith is an IT employee who works in the Database group.
  • Third Dimension: jsmith is John’s username in the internal domain and has administrative access to database clusters across the enterprise.
  • Fourth Dimension:  Access logs show jsmith has been extremely active in accessing databases at strange hours.
  • Fifth Dimension: Account jsmith created a manual backup of DATABASE_XYZ which contains personal information gathered by the HR department as part of the health insurance enrollment process.


The dimensions go on and on put you get the idea.  Each dimension ratchets up the priority but it requires taking in “all” (loosely defined) data pertinent to the problem.  None of this data resides in one place; none of it is readily accessible in most organizations but all of it is necessary to take that problem and push it through the process.  So we do have the need for an “All In” method.   However, once you start taking in everything, any of the other methods will fall short very quickly.  Hence, the only way to solve this is the “Priority Out” model.  And priority requires lots of dimensions – both technical AND business oriented.


Priority queues are not a new idea.  However, the need to chain together priority queues from multiple dimensions is what we need today.  It can’t just be technical dimensions either – it has to be connected to people and business processes.  We also need more and more data (the “All In” part of AIPO) to create the context necessary to create the “Priority Out” part of the equation.


What model does your security team take when it comes to working the problems?  FIFO? LIFO? I am confident you won’t claim and of the other methods.  How close are you to an AIPO Model?

Hello and greetings from sunny Phoenix, Arizona - my home and the glorious location for this year’s RSA Archer Summit being held

from June 10 – 12. 



In my last Summit blog, I talked about the amazing location of this year’s Summit - the JW Marriott Desert Ridge Resort and Spa, and just to remind you, it is soooo beautiful (wait until you see those golf course, pool and garden views). Plus, I truly see the hotel’s dedication to providing first class customer service and care to each guest.  My wife and I are already having a great time at the hotel (as you can see), and no, you don’t want to see me in a Speedo…



During the Summit, you can collaborate with over 1,000 of the most strategic GRC professionals in the industry –– your peers. Hear straight from customers who have used Archer to overcome GRC challenges. Talk with Archer product experts and influence the product roadmap. Hear Carey Lohrenz, aviation pioneer and the first female F-14 Tomcat fighter pilot as one of our keynote speakers. Take great ideas and real value back to your business.


In true Letterman style, here is our Top Ten List for attending the RSA Archer Summit:





By the way, I'm the GRC Strategist for the RSA Archer Business Continuity and Audit Management solutions, so if you have any

questions, just email me at  Come for a sneak peek at our new

and very exciting Audit 4 solution coming in Q2 2014.

Who doesn’t remember lying in the grass on a clear summer night and feeling a sense of awe looking up at the night sky blistering with sparkling points of light?  It doesn’t matter if you are child, an adult or a scholarly astronomer, the sight of such amazing beauty and expanse in our universe is truly mind boggling.


Last week, EMC released its 7th study of the Digital Universe.  For those of us that spend our days investigating, building, securing and living in the digital world, the report is a captivating exploration of the only part of our universe that we – meaning Man – are responsible for and control. The concept is absolutely fascinating.  We mere mortals have created a universe that, just like our physical universe, is expanding, growing and deepening on a scale of sheer incomprehensible magnitude.   The Digital Universe is a portal into our world – capturing moments in time from Ellen DeGeneres' Oscar selfie to the latest temperature of Internet connected refrigerators.  Step into that portal and you will be forever sucked into an endless exploration of an amazing world.


This reminds me of the famous Star Trek opening line: Space – the final frontier… But Space is only the first 3 dimensions.  Add Time and you have what most people think of the tangible, understandable dimensions. But we have another dimension that is becoming more and more important. Does the digital universe represent the 5th dimension beyond space and time?  When something happens, will we, in the future, want to know where it happened, when it happened and what was captured in the digital universe about the event?  Think of some of the latest epic, historical events – the Arab Spring, the Tsunami in Japan, the disappearance of flight 370…


When our grandchildren and their grandchildren study these events, will the discussion be limited to where it happened and when?  Who was involved and what happened?  In history classes when I grew up, we were taught dates and places.  We focused on what happened with a removed, post-event perspective.  Important people and what they were like were most often a combination of memories, remembrances and recollections.  Plato, Alexander the Great, Charlemagne and other figures in history, even modern day figures, have a level of historical perception.  With the digital universe, data is being captured globally in real-time as events unfold.  Think of a history class where the event actually is explained by recreating not only space and time, but the digital footprint of the event.  Twitter feeds, news articles, cell phone videos, Facebook posts…the list of inputs is almost endless – all sequenced together to capture the space, time and digital trail and reveal the event with boundless perspectives, views and data.  The Digital Universe – the 5th Dimension – is an amazing, as-the-event-happens capture of history.  We, my friends, have gone over the precipice of something truly colossal and we have the data to show for it.


Last year, I used my blog series “the space between the 1s and 0s” to put my perspective on the report.  This year the report again shows how big that space is, where it is headed and what challenges and opportunities we face.  Bytes - next frontier…We are not going boldly going where no man has gone before.  We are building a strange new world, spawning new civilizations and creating a new universe for Man to explore.  We have created our own 5th Dimension.


I am pleased to add to my little corner of the digital universe with my new Twitter account:  @steveschlarman.  Please feel free to follow me.  Is the Digital Universe our 5th Dimension? Pretty deep question…let me pose that to Twitter and see what I get in response.

By now, you most likely have heard of the announcement of the Heartbleed vulnerability in versions of OpenSSL.  Actually, by this time, your executives, your front line managers and your mother-in-law have probably heard of the Heartbleed vulnerability given it has hit every major new source (WSJ, CNET, CNN)  While this ubiquitous software is a foundation for many web applications, most people will relegate this as “someone else’s problem”. However, many companies utilize OpenSSL within their own infrastructures to secure internal applications.  Even if you aren’t affected by this specific vulnerability, the noise created by Heartbleed should again prompt you to think about your own vulnerability management program.


I have written quite a bit in the past on the importance and various aspects of vulnerability risk management.  (See my latest series on VRM – 1, 2, 3).  My key point is managing vulnerabilities has (and always will be) a critical part of a dynamic security strategy.   Creating a plan to stay on top of vulnerabilities as they emerge (like Heartbleed) can be a challenge.  I outlined one scenario not too long ago in this blog entry regarding the 22 year old X Windows vulnerability.  With proper processes and the right enabling technologies, companies can quickly respond to emerging threats.


When we took a look at Heartbleed, Jason Creech, our product manager for the RSA Archer Vulnerability Risk Management (VRM) module, provided some excellent insight into how VRM fits into this picture.  Vulnerability Scanners can and often provide a list of installed software on devices. Some, but not all, can check for what version is installed as a “potential exposure list”.   VRM’s data warehouse can store data from multiple scan vendors and, when coupled with the Vulnerability Analytics (VA) Query Engine, can be a key differentiator for your vulnerability risk program.


For example, in the case of Heartbleed, versions of OpenSSL 1.0.1 before “g” are susceptible to this new vulnerability.   Since VRM’s Vulnerability Analytics Data Warehouse stores previously gathered scan data for the device inventory, security administrators can use the VA query engine to search for devices using the installed software version criteria.   Using a simple query (installed_software:openssl), VA can check for systems that have openssl installed if the data has been provided by the scan vendors.  More sophisticated queries (e.g. ‘installed_software: openssl NOT installed_software:"openssl 1.0.1g" NOT installed_software:"openssl 0.9.8e") can drill into the data to find those systems with the exact impacted versions.   Coupled with the business context coming from RSA Archer, security teams can quickly identify criticality HIGH systems.



Using the alert functions within VA, notifications can also be enabled to notify system owners based on this query.  Very quickly, the security team can identify vulnerable systems, fire off notifications to system owners and begin implementing response or mitigating controls.


In my previous blogs on vulnerability risk management, I spoke of the need to track key metrics (Metrics that Matter).  An additional metric to add to the list is the speed at which a security team can link an emerging threat, like Heartbleed or the many other vulnerabilities that seemingly parade non-stop at us, to internal affected systems.   That speed will directly affect the company’s ability to reduce exploit surfaces and drive tangible actions to manage emerging security risks.  Having the ability to quickly mine existing scan data – like the process I just described using VRM - eliminates the time needed to build and execute singular scans to identify affected systems.  The ability to fuse business context to potentially vulnerable systems drives priority and is one of the short cuts to identifying risk in a heartbeat.


Watch this video to find out how our Vulnerability Risk Management solution helps organizations manage vulnerabilities and implement processes to stay on top of emerging issues like Heartbleed.

Based on a recent Govloop Survey, Four Points and RSA have developed this white paper to detail the changing threat landscape that faces our Federal Government and compiled a list of best practices to help your agency automate Disaster Recovery/Continuity Operations Plans


Agencies can no longer afford to rely on manually created, fixed plans. No one can predict when a potential threat will become a real event, but taxpayers, oversight agencies, and legislators will expect fast, comprehensive responses and a quick restoration of services after an interruption. Delivering that level of response requires use of an enterprise grade, automated toolset.


The Archer toolset consists of a cluster of modules covering the elements of COOP – policy, risk, compliance, vulnerability, and enterprise management. You choose the relevant modules and create a customized plan without the need for coding. Plus, creating a complete COOP plan is fast because of Archer’s intuitive user interface and drag-and-drop building.


Read more about COOP best practices in the attached white paper.


GovLoop, in partnership with RSA and Four Points, conducted a survey of 204 public sector professionals exploring how to create an effective Continuity of Operations (COOP) program. The findings from the survey are highlighted in our executive research brief. The research brief provides an overview of COOP in the public sector and specifically highlights:


  • Four common public sector COOP challenges
  • Discussion on manual versus automated COOP functions
  • Highlights six best practices for COOP adoption
  • Explores desired functionality for COOP solutions


The survey also included qualitative data that highlighted the challenges and best practices from our government audience. “The CISO handles policies, but all parts of the Executive Management Team or anyone else for that matter can review the updated plans once they are uploaded to the SharePoint site, or by viewing the hardcopy binder in their area,” said one survey participant. “Automated workflows and approvals ensure a path to a system of record for transactional authorization,” added another.

To read the full report download the PDF

Patrick Potter, your on-the-Phoenix-scene travel and GRC reporter here again, and let me just say that living in Phoenix near the location of this year's RSA Archer Summit has its benefits! My wife Maryann and I have stayed and dined before at the 240,000 square feet, $313 81315million JW Marriott Resort and Spa where the RSA Archer Summit is being hosted and have loved it!  Recently, as part of my reporter duties, we went for a behind the scenes tour of the 5-star restaurants, the 22 lakes, pools, fountains and lazy river, 36 holes of on-site championship golf, the bee farm (yes, the resort actually has a bee farm it uses to produce the honey for its honey brown ale beer), and finally, the 41 room spa - whew!  Do we look relaxed or what?


If you haven't signed up for the RSA Archer Summit yet, do it now!  This venue is amazing and a great place to bring family and friends along with you.  Of course, the real reason you're coming is for the GRC Summit.  If you’ve had the opportunity to attend a past RSA Archer GRC Summit, you know first-hand the business and personal value that this event provides. If you are considering attending for the first time, watch this video to hear from past attendees. If you have been before, remind yourself of the opportunity that lies ahead.




I'm the GRC Strategist for the RSA Archer Business Continuity and Audit Management solutions, so if you have any questions, just email me at  Oh, and come to the RSA Archer GRC Summit to see a sneek peek at our new and very exciting Audit 4 solution coming in Q2 2014. 


See you at the Summit!

Filter Blog

By date: By tag: