Randy Marchany

CISO

Virginia Tech


Will Corporate Security Models Move Toward the EDU Security Model?

Posted on: 29 Jul 2016

No network is impenetrable, a reality that business executives and security professionals alike must accept. The traditional perimeter-focused approach to cybersecurity has often failed to prevent intrusions, especially in an application-focused paradigm. While prevention is crucial, timely detection of the anomalous behaviors that accompany data exfiltration is key. Continuous monitoring assumes the attackers are already…

“The Internet of Cows”

Posted on: 04 May 2016

Glenn Fink, a security researcher at Pacific Northwest Labs, did a presentation called the “Internet of Cows” at a recent IEEE conference where he showed how dairy farming has become an automated, internet accessible business process. He took the discussion one step further by saying that cows make great human surrogates in the privacy debates surrounding IoT. He…

The 20 Critical Controls – A Practical Security Strategy – Part 2

Posted on: 11 Jun 2015

In my last article, I talked about using the 20 Critical Controls as a practical security strategy. I showed how the controls map to a wide variety of international and national standards. I also mentioned a great www site, www.auditscripts.com, where you can download 3 excellent spreadsheets to help you measure your progress in the…

The 20 Critical Controls – A Practical Security Strategy – Part 1

Posted on: 20 Jan 2015

Back in the late 1990s, I was fortunate to be part of a team of cyber security experts who were asked to develop a list of the Top 10 Internet Security Threats. “On February 15, 2000, thirty Internet experts met with President Clinton to identify actions needed to defeat the wave of distributed denial of…

Application Security – Redux

Posted on: 07 Nov 2014

When you’re on a roll, ride it out. I’ve been on the “Redux” train for a couple of days. I usually do this when I review our security architecture initiatives at the end of the year. Way back in 2000, I said in a USA Today interview that it wouldn’t surprise me if there were…

Deja Vu All Over Again – DDoS Amplification Attacks

Posted on: 04 Nov 2014

Yep, it’s time to use this title again. This time we’re talking about Distributed Denial of Service (DDoS) amplification attacks. One of the lists I monitor posted the following: Christian Rossow has done some great work on DDoS. The two interesting papers are: “Exit from Hell? Reducing the Impact of Amplification DDoS Attacks,” read here. The…

Cloud Security: How I Learned to Love a Data Exfiltration Service

Posted on: 02 Oct 2014

Ok, I know the title sounds a little negative. I’m not against cloud services at all. We use cloud services here for a wide variety of business and personal purposes. Having said that, there are a couple of issues that bother me about the cloud and while some are philosophical, some are technical as well.…

Announcing the Marriage of the IT Security Office and the Network Management Group

Posted on: 24 Jul 2014

Ok, maybe it’s not a marriage but more along the lines of living together. In a previous article, I spoke about moving to a Continuous Monitoring security model, which focuses on monitoring outbound traffic. As we move to completing our monitoring infrastructure, I’ve been pleased with the results so far and excited by the challenges discovered…

When is it a Breach?

Posted on: 26 Jun 2014

One of the most difficult decisions a CISO has to make is the one that says the organization suffered a data breach. A data breach starts a chain of events that could eventually result in loss of company reputation, financial expenditures for credit monitoring of affected individuals, and possible regulatory and legal fines. Not surprisingly, the…

Heartbeat, Heartbleed or Heartache?

Posted on: 08 May 2014

You almost have to be on some deserted island with no Internet access to have not heard about the OpenSSL Heartbleed vulnerability. This vulnerability is very serious and pervasive because of a few simple reasons: 1) it allows attackers to be able to dump a target’s memory which can include among other things, usernames/passwords, emails…